dnl Kernel-datapath sanity tests.  Each AT_SETUP below builds a small topology
dnl out of network namespaces, veth pairs and OVS bridges, then checks
dnl connectivity through the datapath with ping/ping6 (and http in one case).
dnl NOTE(review): in this listing the "])" closing each NS_CHECK_EXEC
dnl expected-output block, the AT_CLEANUP ending each test and a few macro
dnl continuation lines are not shown, so the tests are not runnable as printed.
AT_BANNER([datapath-sanity])
dnl Baseline check: two veth ports in separate namespaces on br0 with a single
dnl "actions=normal" flow (plain learning switch), then ICMP echo at the
dnl default payload size and at -s 1600 / -s 3200.  The larger payloads do not
dnl fit a default 1500-byte link MTU, so presumably they exercise IP
dnl fragmentation across the bridge (no MTU is set explicitly here).
AT_SETUP([datapath - ping between two ports])
OVS_TRAFFIC_VSWITCHD_START()
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl -q -c 3 -i 0.3 -w 2: quiet, three probes 0.3s apart, give up after 2s.
dnl FORMAT_PING presumably rewrites the ping summary so the timing field is
dnl stable ("time 0ms" below); only the transmitted/received counts matter.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
dnl Same two-port topology with an application-layer check on top:
dnl OVS_START_L7 presumably starts an http server in at_ns1, and at_ns0
dnl fetches from it.
AT_SETUP([datapath - http between two ports])
OVS_TRAFFIC_VSWITCHD_START()
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Confirm plain reachability first so a failure of the fetch below points at
dnl the L7 path rather than at the datapath.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_START_L7([at_ns1], [http])
dnl wget: up to 3 tries, 1s timeout each, keep retrying while the connection
dnl is refused (the server may still be starting); verbose log to wget0.log.
dnl Unlike the ping checks no expected output is given, so presumably only
dnl wget's exit status is asserted -- the fetched content is not verified.
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
OVS_TRAFFIC_VSWITCHD_STOP
dnl As the plain two-port test, but traffic is sent over 802.1Q subinterfaces
dnl (VLAN 100, 10.2.2.0/24) stacked on the veths, so br0 in "normal" mode has
dnl to switch tagged frames.  The untagged 10.1.1.0/24 addresses stay
dnl configured but are not pinged here.
AT_SETUP([datapath - ping between two ports on vlan])
OVS_TRAFFIC_VSWITCHD_START()
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
dnl Default payload plus -s 1600 / -s 3200 (larger than a 1500-byte MTU).
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
dnl Double-tagged (QinQ) variant: an outer S-VLAN 4094 subinterface
dnl (10.255.2.0/24) on each veth, and a C-VLAN 100 subinterface
dnl (10.2.2.0/24) stacked on p0.4094 / p1.4094.  Traffic is pinged on the
dnl inner tag only.
AT_SETUP([datapath - ping between two ports on cvlan])
OVS_TRAFFIC_VSWITCHD_START()
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_SVLAN(p0, at_ns0, 4094, "10.255.2.1/24")
ADD_SVLAN(p1, at_ns1, 4094, "10.255.2.2/24")
ADD_CVLAN(p0.4094, at_ns0, 100, "10.2.2.1/24")
ADD_CVLAN(p1.4094, at_ns1, 100, "10.2.2.2/24")
dnl Poll until one ping gets through before the counted checks, presumably to
dnl absorb setup latency of the stacked devices (the single-tag test above
dnl does not need this).
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
dnl IPv6 counterpart of the first test: fc00::/96 ULA addresses on the two
dnl veths, ICMPv6 echo at the default size and at -s 1600 / -s 3200.
AT_SETUP([datapath - ping6 between two ports])
OVS_TRAFFIC_VSWITCHD_START()
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
dnl IPv6 over 802.1Q: VLAN 100 subinterfaces carry fc00:1::/96, the untagged
dnl fc00::/96 addresses remain configured but are not pinged.
AT_SETUP([datapath - ping6 between two ports on vlan])
OVS_TRAFFIC_VSWITCHD_START()
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")
dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00:1::2])
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
dnl IPv6 over QinQ: S-VLAN 4094 (fc00:ffff::/96) on each veth, C-VLAN 100
dnl (fc00:1::/96) stacked on p0.4094 / p1.4094; pinged on the inner tag.
AT_SETUP([datapath - ping6 between two ports on cvlan])
OVS_TRAFFIC_VSWITCHD_START()
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
ADD_SVLAN(p0, at_ns0, 4094, "fc00:ffff::1/96")
ADD_SVLAN(p1, at_ns1, 4094, "fc00:ffff::2/96")
ADD_CVLAN(p0.4094, at_ns0, 100, "fc00:1::1/96")
ADD_CVLAN(p1.4094, at_ns1, 100, "fc00:1::2/96")
dnl Same IPv6 warm-up wait as the other ping6 tests (stack/DAD settling).
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00:1::2])
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
dnl at_ns1 is attached through an OVS bond (bond0 = p1 + p2, LACP active,
dnl balance-tcp) instead of a single veth; at_ns0 pings it as before.
AT_SETUP([datapath - ping over bond])
OVS_TRAFFIC_VSWITCHD_START()
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH_BOND(p1 p2, at_ns1, br0, bond0, lacp=active bond_mode=balance-tcp, "10.1.1.2/24")
dnl Wait for a first successful ping -- presumably LACP negotiation needs to
dnl complete before the bond forwards -- so the counted checks are not racy.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2])
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
dnl VXLAN over an IPv4 underlay.  Underlay: p0 (172.31.1.1) inside at_ns0 and
dnl br-underlay (172.31.1.100) on the host.  Overlay (10.1.1.0/24): OVS tunnel
dnl port at_vxlan0 on br0 on one end, a native Linux vxlan device in the
dnl namespace on the other.  Each endpoint is given the other's underlay
dnl address.  Underlay reachability is checked before the overlay so the two
dnl failure modes can be told apart.
AT_SETUP([datapath - ping over vxlan tunnel])
OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
ADD_NAMESPACES(at_ns0)
dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])
dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
dnl ADD_OVS_TUNNEL(type, bridge, port, peer underlay addr, overlay addr);
dnl ADD_NATIVE_TUNNEL(type, device, namespace, peer underlay addr, overlay
dnl addr, [device options]).  NOTE(review): the options line that completes
dnl the ADD_NATIVE_TUNNEL call is not shown in this listing.
ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
dnl VXLAN over an IPv6 underlay (fc00::/64); the overlay stays IPv4.
dnl OVS_CHECK_VXLAN_UDP6ZEROCSUM gates the test on the kernel/iproute support
dnl needed for the udp6zerocsum* options used below.
AT_SETUP([datapath - ping over vxlan6 tunnel])
OVS_CHECK_VXLAN_UDP6ZEROCSUM()
OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
ADD_NAMESPACES(at_ns0)
dnl Set up underlay link from host into the namespace using veth pair.
dnl "nodad" skips IPv6 duplicate address detection so the addresses are
dnl usable immediately instead of sitting in the tentative state.
ADD_VETH(p0, at_ns0, br-underlay, "fc00::1/64", [], [], "nodad")
AT_CHECK([ip addr add dev br-underlay "fc00::100/64" nodad])
AT_CHECK([ip link set dev br-underlay up])
dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
dnl The native device accepts and sends zero UDP checksums over IPv6
dnl (udp6zerocsumtx/rx), i.e. no UDP-layer integrity check on the tunnel --
dnl fine for a loopback test, not a production setting.
ADD_OVS_TUNNEL6([vxlan], [br0], [at_vxlan0], [fc00::1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL6([vxlan], [at_vxlan1], [at_ns0], [fc00::100], [10.1.1.1/24],
[id 0 dstport 4789 udp6zerocsumtx udp6zerocsumrx])
dnl IPv6 warm-up wait (see the ping6 tests above).
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::100])
dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
dnl GRE over an IPv4 underlay.  The OVS side is a "gre" port; the namespace
dnl side is a native "gretap" device (L2 GRE), so Ethernet frames are carried.
dnl OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15) is a kernel-version gate; the
dnl arguments look like two (major, minor) pairs -- presumably the range on
dnl which the test is skipped, confirm against the macro definition.
AT_SETUP([datapath - ping over gre tunnel])
OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
ADD_NAMESPACES(at_ns0)
dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])
dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])
dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
dnl ERSPAN version 1 over IPv4.  OVS port options and native device options
dnl must agree: key=1 <-> "key 1", erspan_ver=1 <-> "erspan_ver 1",
dnl erspan_idx=7 <-> "erspan 7".
AT_SETUP([datapath - ping over erspan v1 tunnel])
OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
ADD_NAMESPACES(at_ns0)
dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])
dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([erspan], [br0], [at_erspan0], [172.31.1.1], [10.1.1.100/24], [options:key=1 options:erspan_ver=1 options:erspan_idx=7])
ADD_NATIVE_TUNNEL([erspan], [ns_erspan0], [at_ns0], [172.31.1.100], [10.1.1.1/24], [seq key 1 erspan_ver 1 erspan 7])
dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Okay, now check the overlay with different packet sizes
dnl NOTE(review): only the -s 1200 size is actually checked here (and without
dnl the -q/-w flags the other tunnel tests use); the default-size check is
dnl left disabled below and no reason is recorded -- worth documenting or
dnl re-enabling.
dnl NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
NS_CHECK_EXEC([at_ns0], [ping -s 1200 -i 0.3 -c 3 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
dnl ERSPAN version 2 over IPv4.  Option pairing between the OVS port and the
dnl native device: key=1 <-> "key 1", erspan_ver=2 <-> "erspan_ver 2",
dnl erspan_dir=1 <-> "erspan_dir egress" (the ip6erspan v2 test below pairs
dnl erspan_dir=0 with "ingress"), erspan_hwid=0x7 <-> "erspan_hwid 7".
AT_SETUP([datapath - ping over erspan v2 tunnel])
OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
ADD_NAMESPACES(at_ns0)
dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])
dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([erspan], [br0], [at_erspan0], [172.31.1.1], [10.1.1.100/24], [options:key=1 options:erspan_ver=2 options:erspan_dir=1 options:erspan_hwid=0x7])
ADD_NATIVE_TUNNEL([erspan], [ns_erspan0], [at_ns0], [172.31.1.100], [10.1.1.1/24], [seq key 1 erspan_ver 2 erspan_dir egress erspan_hwid 7])
dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Okay, now check the overlay with different packet sizes
dnl NOTE(review): as in the v1 test, only -s 1200 is checked and the
dnl default-size check stays disabled without a recorded reason.
dnl NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
NS_CHECK_EXEC([at_ns0], [ping -s 1200 -i 0.3 -c 3 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
dnl ERSPAN v1 over an IPv6 underlay (fc00:100::/96); overlay stays IPv4.
dnl Option pairing: key=123 <-> "key 123", erspan_idx=0x7 <-> "erspan 7".
dnl The native device is also pinned to its local underlay address
dnl ("local fc00:100::1").  Only a default-size overlay ping is checked.
AT_SETUP([datapath - ping over ip6erspan v1 tunnel])
OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
ADD_NAMESPACES(at_ns0)
dnl Set up underlay link from host into the namespace using veth pair.
dnl nodad: skip IPv6 duplicate address detection (no tentative-state delay).
ADD_VETH(p0, at_ns0, br-underlay, "fc00:100::1/96", [], [], nodad)
AT_CHECK([ip addr add dev br-underlay "fc00:100::100/96" nodad])
AT_CHECK([ip link set dev br-underlay up])
dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL6([ip6erspan], [br0], [at_erspan0], [fc00:100::1], [10.1.1.100/24],
[options:key=123 options:erspan_ver=1 options:erspan_idx=0x7])
ADD_NATIVE_TUNNEL6([ip6erspan], [ns_erspan0], [at_ns0], [fc00:100::100],
[10.1.1.1/24], [local fc00:100::1 seq key 123 erspan_ver 1 erspan 7])
dnl IPv6 warm-up wait (two probes here, one elsewhere in this file).
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 2 fc00:100::100])
dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:100::100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
dnl ERSPAN v2 over an IPv6 underlay.  Option pairing: key=121 <-> "key 121",
dnl erspan_dir=0 <-> "erspan_dir ingress", erspan_hwid=0x7 <-> "erspan_hwid
dnl 0x7".  NOTE(review): the overlay-address argument line of the
dnl ADD_NATIVE_TUNNEL6 call is not shown in this listing.
AT_SETUP([datapath - ping over ip6erspan v2 tunnel])
OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
ADD_NAMESPACES(at_ns0)
dnl Set up underlay link from host into the namespace using veth pair.
dnl nodad: skip IPv6 duplicate address detection (no tentative-state delay).
ADD_VETH(p0, at_ns0, br-underlay, "fc00:100::1/96", [], [], nodad)
AT_CHECK([ip addr add dev br-underlay "fc00:100::100/96" nodad])
AT_CHECK([ip link set dev br-underlay up])
dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL6([ip6erspan], [br0], [at_erspan0], [fc00:100::1], [10.1.1.100/24],
[options:key=121 options:erspan_ver=2 options:erspan_dir=0 options:erspan_hwid=0x7])
ADD_NATIVE_TUNNEL6([ip6erspan], [ns_erspan0], [at_ns0], [fc00:100::100],
[local fc00:100::1 seq key 121 erspan_ver 2 erspan_dir ingress erspan_hwid 0x7])
dnl IPv6 warm-up wait before the counted checks.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 2 fc00:100::100])
dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:100::100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
dnl Geneve over an IPv4 underlay; same shape as the vxlan test.
dnl NOTE(review): the options line that completes the ADD_NATIVE_TUNNEL call
dnl is not shown in this listing.
AT_SETUP([datapath - ping over geneve tunnel])
OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
ADD_NAMESPACES(at_ns0)
dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])
dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
dnl Checks that tunnel metadata survives a controller(pause)/resume cycle.
dnl A detached "ovs-ofctl monitor br0 resume" acts as the controller that
dnl resumes every paused packet; the pipeline below sets tun_metadata0 on
dnl ICMP arriving from the tunnel, pauses it, and only delivers it to LOCAL
dnl if the value is still there after resumption.  A successful ping thus
dnl implies the metadata was preserved.
AT_SETUP([datapath - flow resume with geneve tun_metadata])
OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])
dnl NOTE(review): the monitor's stderr is discarded, so if it fails to start
dnl the only symptom is the ping timing out later; consider keeping the log.
AT_CHECK([ovs-ofctl monitor br0 resume --detach --no-chdir --pidfile 2> /dev/null])
ADD_NAMESPACES(at_ns0)
dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])
dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
dnl NOTE(review): the options line completing the ADD_NATIVE_TUNNEL call is
dnl not shown in this listing.
ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
dnl table 0: ARP is switched normally; ICMP from LOCAL goes out the tunnel;
dnl ICMP from the tunnel gets tun_metadata0=0xa and moves to table 1.
dnl table 1: pause the packet at the controller, then continue to table 2.
dnl table 2: deliver to LOCAL only if tun_metadata0 is still 0xa.
AT_DATA([flows.txt], [dnl
table=0, arp action=NORMAL
table=0, in_port=LOCAL icmp action=output:at_gnv0
table=0, in_port=at_gnv0 icmp action=set_field:0xa->tun_metadata0,resubmit(,1)
table=1, icmp action=controller(pause), resubmit(,2)
table=2, tun_metadata0=0xa, icmp action=output:LOCAL
dnl Map Geneve option class 0xffff / type 0 (4 bytes) onto tun_metadata0 so
dnl the set_field above has somewhere to go.
AT_CHECK([ovs-ofctl add-tlv-map br0 "{class=0xffff,type=0,len=4}->tun_metadata0"])
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
dnl No -i/-w here, unlike the other tests -- presumably to leave room for the
dnl pause/resume round trip through the controller.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Stop the detached monitor before tearing the switch down.
OVS_APP_EXIT_AND_WAIT([ovs-ofctl])
OVS_TRAFFIC_VSWITCHD_STOP
dnl Geneve over an IPv6 underlay (fc00::/64); overlay stays IPv4.  Gated on
dnl support for the udp6zerocsum* options, as in the vxlan6 test.
AT_SETUP([datapath - ping over geneve6 tunnel])
OVS_CHECK_GENEVE_UDP6ZEROCSUM()
OVS_TRAFFIC_VSWITCHD_START()
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
ADD_NAMESPACES(at_ns0)
dnl Set up underlay link from host into the namespace using veth pair.
dnl nodad: skip IPv6 duplicate address detection (no tentative-state delay).
ADD_VETH(p0, at_ns0, br-underlay, "fc00::1/64", [], [], "nodad")
AT_CHECK([ip addr add dev br-underlay "fc00::100/64" nodad])
AT_CHECK([ip link set dev br-underlay up])
dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace.
dnl vni 0 plus zero UDP checksums over IPv6 on the native device (no
dnl UDP-layer integrity check on the tunnel; acceptable for a loopback test).
ADD_OVS_TUNNEL6([geneve], [br0], [at_gnv0], [fc00::1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL6([geneve], [ns_gnv0], [at_ns0], [fc00::100], [10.1.1.1/24],
[vni 0 udp6zerocsumtx udp6zerocsumrx])
dnl IPv6 warm-up wait before the counted checks.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::100])
dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Okay, now check the overlay with different packet sizes
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
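dnl GRE decap/encap checked without a native gretap device: pre-built GRE
dnl frames are injected on br-underlay with packet-out, and the encapsulated
dnl replies that OVS sends back toward 172.31.1.1 are captured in the
dnl namespace with tcpdump.  Fixed MACs make the expected bytes predictable:
dnl br0 = f2:ff:00:00:00:01, br-underlay = ...:02, p0 = ...:03, and the
dnl emulated remote gretap endpoint is ...:04.
dnl OVS_CHECK_KERNEL(3, 10, 4, 18) is a kernel-version gate (two
dnl (major, minor) pairs; confirm the exact semantics against the macro).
AT_SETUP([datapath - ping over gre tunnel by simulated packets])
OVS_CHECK_KERNEL(3, 10, 4, 18)
OVS_TRAFFIC_VSWITCHD_START()
AT_CHECK([ovs-vsctl -- set bridge br0 other-config:hwaddr=\"f2:ff:00:00:00:01\"])
ADD_BR([br-underlay], [set bridge br-underlay other-config:hwaddr=\"f2:ff:00:00:00:02\"])
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
ADD_NAMESPACES(at_ns0)
dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", f2:ff:00:00:00:03)
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])
dnl Set up tunnel endpoints on OVS outside the namespace.
ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
dnl Certain Linux distributions, like CentOS, have default iptable rules
dnl to reject input traffic from br-underlay. Here we add a rule to walk
iptables -I INPUT 1 -i br-underlay -j ACCEPT
dnl Remove the rule by its specification rather than by position.  A
dnl positional "-D INPUT 1" deletes whatever rule is first at cleanup time --
dnl an unrelated host rule if the insert above failed (it is not wrapped in
dnl AT_CHECK) or if anything else inserted at position 1 meanwhile -- whereas
dnl the spec-based delete only ever removes the rule this test added.
on_exit 'iptables -D INPUT -i br-underlay -j ACCEPT'
dnl Capture, inside the namespace, everything p0 receives for 172.31.1.1 into
dnl p0.pcap (-l: line-buffered so OVS_WAIT_UNTIL can grep it while running).
dnl NOTE(review): the backgrounded tcpdump is never killed explicitly; it is
dnl left to whatever teardown does to the namespace -- confirm it does not
dnl outlive the test.
ip netns exec at_ns0 tcpdump -n -i p0 dst host 172.31.1.1 -l > p0.pcap &
dnl First, check the underlay.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl We don't actually add gretap port as below, instead, we will
dnl emulate one that sends packets. Suppose its mac address is f2:ff:00:00:00:04.
dnl ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])
dnl Now, check the overlay by sending out raw arp and icmp packets.
dnl Hex decodes as: Ethernet ...:03 -> ...:02, IPv4 172.31.1.1 -> 172.31.1.100
dnl proto GRE, GRE proto 0x6558 (transparent Ethernet bridging), inner
dnl broadcast ARP request from ...:04 / 10.1.1.1 asking for 10.1.1.100.
ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff00000003080045000042ec2c4000402ff3bcac1f0101ac1f016400006558fffffffffffff2ff0000000408060001080006040001f2ff000000040a0101010000000000000a010164 actions=NORMAL"
dnl Expect br0 to answer through the tunnel: a GRE-encapsulated ARP reply
dnl giving br0's MAC for 10.1.1.100.  (The redirections only silence the
dnl match output; OVS_WAIT_UNTIL uses egrep's exit status.)
OVS_WAIT_UNTIL([cat p0.pcap | egrep "IP 172.31.1.100 > 172.31.1.1: GREv0, length 46: ARP, Reply 10.1.1.100 is-at f2:ff:00:00:00:01.* length 28" 2>&1 1>/dev/null])
dnl Same outer framing, inner unicast ICMP echo request 10.1.1.1 -> 10.1.1.100
dnl with a 56-byte payload; expect the encapsulated echo reply.
ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000308004500007aec8e4000402ff322ac1f0101ac1f016400006558f2ff00000001f2ff00000004080045000054548f40004001cfb30a0101010a0101640800e6e829270003e1a3435b00000000ff1a050000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637 actions=NORMAL"
OVS_WAIT_UNTIL([cat p0.pcap | egrep "IP 172.31.1.100 > 172.31.1.1: GREv0, length 102: IP 10.1.1.100 > 10.1.1.1: ICMP echo reply,.* length 64$" 2>&1 1>/dev/null])
OVS_TRAFFIC_VSWITCHD_STOP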
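dnl ERSPAN v1 decap/encap checked with injected packets instead of a native
dnl erspan device (same technique and MAC plan as the simulated GRE test:
dnl br0 = f2:ff:00:00:00:01, br-underlay = ...:02, p0 = ...:03, emulated
dnl remote endpoint = ...:04).  tcpdump runs with -x here so the replies can
dnl be matched on their hex dump, since ERSPAN payloads may not be dissected.
AT_SETUP([datapath - ping over erspan v1 tunnel by simulated packets])
OVS_CHECK_KERNEL(3, 10, 4, 18)
OVS_TRAFFIC_VSWITCHD_START()
AT_CHECK([ovs-vsctl -- set bridge br0 other-config:hwaddr=\"f2:ff:00:00:00:01\"])
ADD_BR([br-underlay], [set bridge br-underlay other-config:hwaddr=\"f2:ff:00:00:00:02\"])
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
ADD_NAMESPACES(at_ns0)
dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", f2:ff:00:00:00:03)
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])
dnl Set up tunnel endpoints on OVS outside the namespace and emulate a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([erspan], [br0], [at_erspan0], [172.31.1.1], [10.1.1.100/24], [options:key=1 options:erspan_ver=1 options:erspan_idx=7])
dnl Certain Linux distributions, like CentOS, have default iptable rules
dnl to reject input traffic from br-underlay. Here we add a rule to walk
iptables -I INPUT 1 -i br-underlay -j ACCEPT
dnl Remove the rule by its specification rather than by position: a
dnl positional "-D INPUT 1" would delete whatever rule is first at cleanup
dnl time (an unrelated host rule if the unchecked insert above failed, or one
dnl added since), whereas this only ever removes the rule this test added.
on_exit 'iptables -D INPUT -i br-underlay -j ACCEPT'
dnl Capture inbound traffic for 172.31.1.1 on p0, hex-dumped (-x), line
dnl buffered (-l).  NOTE(review): the backgrounded tcpdump is not killed
dnl explicitly; confirm teardown of the namespace ends it.
ip netns exec at_ns0 tcpdump -n -x -i p0 dst host 172.31.1.1 -l > p0.pcap &
dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Okay, now send out an arp request from 10.1.1.1 for 10.1.1.100 in erspan.
dnl Hex decodes as: IPv4 172.31.1.1 -> 172.31.1.100 proto GRE; GRE with the
dnl sequence flag, proto 0x88be (ERSPAN), seq 6; ERSPAN v1 header with
dnl session id 1 and index 7 (matching key=1 / erspan_idx=7 above); inner
dnl broadcast ARP request from ...:04 / 10.1.1.1 for 10.1.1.100.
ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000308004500004e151d4000402fcac0ac1f0101ac1f0164100088be000000061000000100000007fffffffffffff2ff0000000408060001080006040001f2ff000000040a0101010000000000000a010164 actions=normal"
dnl 0002 is arp reply, followed by mac address of 10.1.1.100.
dnl The two dump lines together are: ARP reply, sender f2:ff:00:00:00:01 /
dnl 10.1.1.100, target f2:ff:00:00:00:04 / 10.1.1.1.
OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0030: 0806 0001 0800 0604 0002 f2ff 0000 0001" 2>&1 1>/dev/null])
OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0040: 0a01 0164 f2ff 0000 0004 0a01 0101" 2>&1 1>/dev/null])
dnl Okay, now check the overlay with raw icmp packets.
dnl Make sure no length-122 GRE packet has been captured yet, so the wait
dnl below can only be satisfied by the reply to the request we send next.
AT_FAIL_IF([cat p0.pcap | egrep "IP 172.31.1.100 > 172.31.1.1: GREv0,.* length 122" 2>&1 1>/dev/null])
dnl Same outer framing (seq 5), inner ICMP echo request 10.1.1.1 -> 10.1.1.100
dnl with a 64-byte payload; the reply is recognised by its total length.
ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000308004500008e70cb4000402f6ed2ac1f0101ac1f0164100088be000000051000000100000007f2ff00000001f2ff0000000408004500005c4a3340004001da070a0101010a010164080084f238fb0001f36a6b5b0000000021870e0000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f actions=normal"
OVS_WAIT_UNTIL([cat p0.pcap | egrep "IP 172.31.1.100 > 172.31.1.1: GREv0,.* length 122" 2>&1 1>/dev/null])
OVS_TRAFFIC_VSWITCHD_STOP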
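dnl ERSPAN v2 decap/encap checked with injected packets (same technique and
dnl MAC plan as the simulated GRE / ERSPAN v1 tests: br0 = f2:ff:00:00:00:01,
dnl br-underlay = ...:02, p0 = ...:03, emulated remote endpoint = ...:04).
AT_SETUP([datapath - ping over erspan v2 tunnel by simulated packets])
OVS_CHECK_KERNEL(3, 10, 4, 18)
OVS_TRAFFIC_VSWITCHD_START()
AT_CHECK([ovs-vsctl -- set bridge br0 other-config:hwaddr=\"f2:ff:00:00:00:01\"])
ADD_BR([br-underlay], [set bridge br-underlay other-config:hwaddr=\"f2:ff:00:00:00:02\"])
AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
ADD_NAMESPACES(at_ns0)
dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", f2:ff:00:00:00:03)
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])
dnl Set up tunnel endpoints on OVS outside the namespace and simulate a native
dnl linux device inside the namespace.
ADD_OVS_TUNNEL([erspan], [br0], [at_erspan0], [172.31.1.1], [10.1.1.100/24], [options:key=1 options:erspan_ver=2 options:erspan_dir=1 options:erspan_hwid=0x7])
dnl Certain Linux distributions, like CentOS, have default iptable rules
dnl to reject input traffic from br-underlay. Here we add a rule to walk
iptables -I INPUT 1 -i br-underlay -j ACCEPT
dnl Remove the rule by its specification rather than by position: a
dnl positional "-D INPUT 1" would delete whatever rule is first at cleanup
dnl time (an unrelated host rule if the unchecked insert above failed, or one
dnl added since), whereas this only ever removes the rule this test added.
on_exit 'iptables -D INPUT -i br-underlay -j ACCEPT'
dnl Capture inbound traffic for 172.31.1.1 on p0, hex-dumped (-x), line
dnl buffered (-l).  NOTE(review): the backgrounded tcpdump is not killed
dnl explicitly; confirm teardown of the namespace ends it.
ip netns exec at_ns0 tcpdump -n -x -i p0 dst host 172.31.1.1 -l > p0.pcap &
dnl First, check the underlay.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Okay, send raw arp request and icmp echo request.
dnl Hex decodes as: IPv4 172.31.1.1 -> 172.31.1.100 proto GRE; GRE with the
dnl sequence flag, proto 0x88be (ERSPAN), seq 6; an ERSPAN v2 header with
dnl session id 1 (key=1 above); inner broadcast ARP request from ...:04 /
dnl 10.1.1.1 for 10.1.1.100.  The v2 header is 4 bytes longer than v1, which
dnl is why the expected dump offsets below differ from the v1 test.
ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff00000003080045000052373d4000402fa89cac1f0101ac1f0164100088be00000006200000016f54b41700008078fffffffffffff2ff0000000408060001080006040001f2ff000000040a0101010000000000000a010164 actions=normal"
dnl Expected ARP reply: sender f2:ff:00:00:00:01 / 10.1.1.100, target
dnl f2:ff:00:00:00:04 / 10.1.1.1, spread over three dump lines.
OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0030: 0000 0001 0806 0001 0800 0604 0002 f2ff" 2>&1 1>/dev/null])
OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0040: 0000 0001 0a01 0164 f2ff 0000 0004 0a01" 2>&1 1>/dev/null])
OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0050: 0101" 2>&1 1>/dev/null])
dnl Because tcpdump might not be able to parse erspan headers, we check icmp echo reply
dnl by packet length.
dnl Guard: no length-126 packet may exist before we send the echo request, so
dnl the wait below is satisfied only by the reply to it.
AT_FAIL_IF([cat p0.pcap | egrep "IP 172.31.1.100 > 172.31.1.1: GREv0,.* length 126" 2>&1 1>/dev/null])
dnl Same outer framing (seq 5), inner ICMP echo request 10.1.1.1 -> 10.1.1.100
dnl with a 64-byte payload.
ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000308004500009287e14000402f57b8ac1f0101ac1f0164100088be0000000520000001144cd5a400008078f2ff00000001f2ff0000000408004500005c38d640004001eb640a0101010a01016408005e57585f0001df6c6b5b0000000045bc050000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f actions=normal"
OVS_WAIT_UNTIL([cat p0.pcap | egrep "IP 172.31.1.100 > 172.31.1.1: GREv0,.* length 126" 2>&1 1>/dev/null])
OVS_TRAFFIC_VSWITCHD_STOP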
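dnl Simulated-peer variant of the ip6erspan v1 test: the namespace has no real
dnl ERSPAN device.  Pre-built frames are injected into br-underlay with
dnl packet-out and the replies are verified from a tcpdump hex capture on p0.
774 AT_SETUP([datapath - ping over ip6erspan v1 tunnel by simulated packets])
775 OVS_CHECK_KERNEL(3, 10, 4, 18)
777 OVS_TRAFFIC_VSWITCHD_START()
dnl Fixed bridge MACs: the injected frames below hard-code these addresses.
778 AT_CHECK([ovs-vsctl -- set bridge br0 other-config:hwaddr=\"f2:ff:00:00:00:01\"])
779 ADD_BR([br-underlay], [set bridge br-underlay other-config:hwaddr=\"f2:ff:00:00:00:02\"])
781 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
782 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
784 ADD_NAMESPACES(at_ns0)
786 dnl Set up underlay link from host into the namespace using veth pair.
787 ADD_VETH(p0, at_ns0, br-underlay, "fc00:100::1/96", f2:ff:00:00:00:03, [], nodad)
788 AT_CHECK([ip addr add dev br-underlay "fc00:100::100/96" nodad])
789 AT_CHECK([ip link set dev br-underlay up])
791 dnl Set up tunnel endpoints on OVS outside the namespace and simulate a native
792 dnl linux device inside the namespace.
dnl key=123 (0x7b) and erspan_idx=0x7 are what the injected ERSPAN headers carry.
793 ADD_OVS_TUNNEL6([ip6erspan], [br0], [at_erspan0], [fc00:100::1], [10.1.1.100/24],
794 [options:key=123 options:erspan_ver=1 options:erspan_idx=0x7])
dnl Wait until the underlay address is reachable from the namespace.
796 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 2 fc00:100::100])
798 dnl Certain Linux distributions, like CentOS, have default iptable rules
799 dnl to reject input traffic from br-underlay. Here we add a rule to work
dnl around that.  Deliberately not wrapped in AT_CHECK: ip6tables may be
dnl absent or unusable on the host and the test should still proceed.
801 ip6tables -I INPUT 1 -i br-underlay -j ACCEPT
dnl Remove the rule by its specification rather than by position: something
dnl else may occupy position 1 of the INPUT chain by exit time, and deleting
dnl "rule 1" would then remove an unrelated host firewall rule instead.
802 on_exit 'ip6tables -D INPUT -i br-underlay -j ACCEPT'
dnl Hex dump (-x) of everything sent to the namespace side of the underlay;
dnl the checks below grep this dump for specific offset lines.
dnl NOTE(review): no explicit kill for this background tcpdump is visible in
dnl this test; the namespace teardown presumably ends it -- confirm.
804 ip netns exec at_ns0 tcpdump -n -x -i p0 dst host fc00:100::1 -l > p0.pcap &
807 dnl First, check the underlay.
808 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:100::100 | FORMAT_PING], [0], [dnl
809 3 packets transmitted, 3 received, 0% packet loss, time 0ms
812 dnl Okay, now send raw arp request and icmp echo request.
dnl Injected frame: Ethernet / IPv6 (0x86dd, next header 0x2f = GRE) / GRE with
dnl proto 0x88be (ERSPAN) / ERSPAN v1, session 0x7b / inner Ethernet / ARP
dnl request (0x0806) from 10.1.1.1 for 10.1.1.100, the OVS tunnel endpoint.
813 ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000386dd60008531003a2f40fc000100000000000000000000000001fc000100000000000000000000000100100088be000000051000007b00000007fffffffffffff2ff0000000408060001080006040001f2ff000000040a0101010000000000000a010164 actions=normal"
dnl The ARP reply (opcode 0002) must come back through the tunnel and appear
dnl in the p0 capture at these hex offsets.
816 OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0040: 0000 0001 0806 0001 0800 0604 0002 f2ff" 2>&1 1>/dev/null])
817 OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0050: 0000 0001 0a01 0164 f2ff 0000 0004 0a01" 2>&1 1>/dev/null])
818 OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0060: 0101" 2>&1 1>/dev/null])
dnl No frame of the echo-reply length may exist before the echo request is sent,
dnl otherwise the wait below would pass on stale data.
820 AT_FAIL_IF([cat p0.pcap | egrep "IP6 fc00:100::100 > fc00:100::1: GREv0,.* length 114" 2>&1 1>/dev/null])
dnl Same encapsulation around an inner IPv4 ICMP echo request (0x0800, proto 1).
822 ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000386dd60008531007a3c40fc000100000000000000000000000001fc0001000000000000000000000001002f00040104010100100088be000000061000407b00000007f2ff00000001f2ff0000000408004500005429b640004001fa8c0a0101010a01016408005c2c7526000118d3685b00000000e4aa020000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637 actions=normal"
dnl The echo reply is identified by its encapsulated length only, since tcpdump
dnl may not decode ERSPAN headers.
824 OVS_WAIT_UNTIL([cat p0.pcap | egrep "IP6 fc00:100::100 > fc00:100::1: GREv0,.* length 114" 2>&1 1>/dev/null])
826 OVS_TRAFFIC_VSWITCHD_STOP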
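dnl Simulated-peer variant of the ip6erspan v2 test: the namespace has no real
dnl ERSPAN device.  Pre-built frames are injected into br-underlay with
dnl packet-out and the replies are verified from a tcpdump hex capture on p0.
829 AT_SETUP([datapath - ping over ip6erspan v2 tunnel by simulated packets])
830 OVS_CHECK_KERNEL(3, 10, 4, 18)
832 OVS_TRAFFIC_VSWITCHD_START()
dnl Fixed bridge MACs: the injected frames below hard-code these addresses.
833 AT_CHECK([ovs-vsctl -- set bridge br0 other-config:hwaddr=\"f2:ff:00:00:00:01\"])
834 ADD_BR([br-underlay], [set bridge br-underlay other-config:hwaddr=\"f2:ff:00:00:00:02\"])
836 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
837 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
839 ADD_NAMESPACES(at_ns0)
841 dnl Set up underlay link from host into the namespace using veth pair.
842 ADD_VETH(p0, at_ns0, br-underlay, "fc00:100::1/96", f2:ff:00:00:00:03, [], nodad)
843 AT_CHECK([ip addr add dev br-underlay "fc00:100::100/96" nodad])
844 AT_CHECK([ip link set dev br-underlay up])
846 dnl Set up tunnel endpoints on OVS outside the namespace and simulate a native
847 dnl linux device inside the namespace.
dnl key=121 (0x79) is the session id carried by the injected ERSPAN v2 headers.
848 ADD_OVS_TUNNEL6([ip6erspan], [br0], [at_erspan0], [fc00:100::1], [10.1.1.100/24],
849 [options:key=121 options:erspan_ver=2 options:erspan_dir=0 options:erspan_hwid=0x7])
dnl Wait until the underlay address is reachable from the namespace.
851 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 2 fc00:100::100])
853 dnl Certain Linux distributions, like CentOS, have default iptable rules
854 dnl to reject input traffic from br-underlay. Here we add a rule to work
dnl around that.  Deliberately not wrapped in AT_CHECK: ip6tables may be
dnl absent or unusable on the host and the test should still proceed.
856 ip6tables -I INPUT 1 -i br-underlay -j ACCEPT
dnl Remove the rule by its specification rather than by position: something
dnl else may occupy position 1 of the INPUT chain by exit time, and deleting
dnl "rule 1" would then remove an unrelated host firewall rule instead.
857 on_exit 'ip6tables -D INPUT -i br-underlay -j ACCEPT'
dnl Hex dump (-x) of everything sent to the namespace side of the underlay;
dnl the checks below grep this dump for specific offset lines.
dnl NOTE(review): no explicit kill for this background tcpdump is visible in
dnl this test; the namespace teardown presumably ends it -- confirm.
859 ip netns exec at_ns0 tcpdump -n -x -i p0 dst host fc00:100::1 -l > p0.pcap &
862 dnl First, check the underlay.
863 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:100::100 | FORMAT_PING], [0], [dnl
864 3 packets transmitted, 3 received, 0% packet loss, time 0ms
867 dnl Okay, now send raw arp request and icmp echo request.
dnl Injected frame: Ethernet / IPv6 (0x86dd, next header 0x2f = GRE) / GRE with
dnl proto 0x88be (ERSPAN) / ERSPAN v2, session 0x79 / inner Ethernet / ARP
dnl request (0x0806) from 10.1.1.1 for 10.1.1.100, the OVS tunnel endpoint.
868 ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000386dd60008531003e2f40fc000100000000000000000000000001fc000100000000000000000000000100100088be0000000620000079af514f9900008070fffffffffffff2ff0000000408060001080006040001f2ff000000040a0101010000000000000a010164 actions=normal"
dnl The ARP reply (opcode 0002) must come back through the tunnel and appear
dnl in the p0 capture; offsets differ from the v1 test because the v2 header
dnl is longer.
870 OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0040: 0004 f2ff 0000 0001 0806 0001 0800 0604" 2>&1 1>/dev/null])
871 OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0050: 0002 f2ff 0000 0001 0a01 0164 f2ff 0000" 2>&1 1>/dev/null])
872 OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0060: 0004 0a01 0101" 2>&1 1>/dev/null])
dnl No frame of the echo-reply length may exist before the echo request is sent,
dnl otherwise the wait below would pass on stale data.
874 AT_FAIL_IF([cat p0.pcap | egrep "IP6 fc00:100::100 > fc00:100::1: GREv0, .* length 118" 2>&1 1>/dev/null])
dnl Same encapsulation around an inner IPv4 ICMP echo request (0x0800, proto 1).
876 ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000386dd60008531007e3c40fc000100000000000000000000000001fc0001000000000000000000000001002f00040104010100100088be0000000720004079af514f9b00008070f2ff00000001f2ff00000004080045000054ffcb4000400124770a0101010a0101640800419e23ac000112d7685b000000004caf0c0000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637 actions=normal"
dnl The echo reply is identified by its encapsulated length only, since tcpdump
dnl may not decode ERSPAN headers.
878 OVS_WAIT_UNTIL([cat p0.pcap | egrep "IP6 fc00:100::100 > fc00:100::1: GREv0, .* length 118" 2>&1 1>/dev/null])
880 OVS_TRAFFIC_VSWITCHD_STOP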
dnl clone(): the actions inside the clone modify a copy of the packet; the
dnl original must still be delivered unmodified by the trailing output action.
883 AT_SETUP([datapath - clone action])
884 OVS_TRAFFIC_VSWITCHD_START()
886 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2)
888 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
889 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Pin OpenFlow port numbers so the in_port matches below are stable.
891 AT_CHECK([ovs-vsctl -- set interface ovs-p0 ofport_request=1 \
892 -- set interface ovs-p1 ofport_request=2])
894 AT_DATA([flows.txt], [dnl
895 priority=1 actions=NORMAL
dnl ns0->ns1: rewrite headers only inside the clone, then output the original to port 2.
896 priority=10 in_port=1,ip,actions=clone(mod_dl_dst(50:54:00:00:00:0a),set_field:192.168.3.3->ip_dst), output:2
dnl ns1->ns0: the rewritten copy goes to the controller; the original goes to port 1.
897 priority=10 in_port=2,ip,actions=clone(mod_dl_src(ae:c6:7e:54:8d:4d),mod_dl_dst(50:54:00:00:00:0b),set_field:192.168.4.4->ip_dst, controller), output:1
899 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl Capture controller packet-ins; the ping only succeeds if the unmodified
dnl originals reach both namespaces.
901 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
902 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
903 3 packets transmitted, 3 received, 0% packet loss, time 0ms
906 OVS_APP_EXIT_AND_WAIT([ovs-ofctl])
dnl One packet-in per echo reply, carrying the cloned (rewritten) headers.
908 AT_CHECK([cat ofctl_monitor.log | STRIP_MONITOR_CSUM], [0], [dnl
909 icmp,vlan_tci=0x0000,dl_src=ae:c6:7e:54:8d:4d,dl_dst=50:54:00:00:00:0b,nw_src=10.1.1.2,nw_dst=192.168.4.4,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0 icmp_csum: <skip>
910 icmp,vlan_tci=0x0000,dl_src=ae:c6:7e:54:8d:4d,dl_dst=50:54:00:00:00:0b,nw_src=10.1.1.2,nw_dst=192.168.4.4,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0 icmp_csum: <skip>
911 icmp,vlan_tci=0x0000,dl_src=ae:c6:7e:54:8d:4d,dl_dst=50:54:00:00:00:0b,nw_src=10.1.1.2,nw_dst=192.168.4.4,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0 icmp_csum: <skip>
914 OVS_TRAFFIC_VSWITCHD_STOP
dnl MPLS push/pop across two bridges joined by a veth pair.  Both bridges get
dnl the same flow table, so IPv4 is labelled on the ingress bridge and the
dnl label is popped again on the egress bridge, in both directions.
917 AT_SETUP([datapath - mpls actions])
918 OVS_TRAFFIC_VSWITCHD_START([_ADD_BR([br1])])
920 ADD_NAMESPACES(at_ns0, at_ns1)
922 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
923 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
dnl Connect br0 and br1 with a plain veth pair (not an OVS patch port).
925 AT_CHECK([ip link add patch0 type veth peer name patch1])
926 on_exit 'ip link del patch0'
928 AT_CHECK([ip link set dev patch0 up])
929 AT_CHECK([ip link set dev patch1 up])
930 AT_CHECK([ovs-vsctl add-port br0 patch0])
931 AT_CHECK([ovs-vsctl add-port br1 patch1])
933 AT_DATA([flows.txt], [dnl
dnl IPv4 in: push a unicast MPLS label 3, then forward via table 1.
934 table=0,priority=100,dl_type=0x0800 actions=push_mpls:0x8847,set_mpls_label:3,resubmit(,1)
dnl MPLS label 3 in: pop back to IPv4, then forward via table 1.
935 table=0,priority=100,dl_type=0x8847,mpls_label=3 actions=pop_mpls:0x0800,resubmit(,1)
936 table=0,priority=10 actions=resubmit(,1)
937 table=1,priority=10 actions=normal
940 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
941 AT_CHECK([ovs-ofctl add-flows br1 flows.txt])
dnl Ping in both directions so each bridge exercises both push and pop.
943 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
944 3 packets transmitted, 3 received, 0% packet loss, time 0ms
947 NS_CHECK_EXEC([at_ns1], [ping -q -c 3 -i 0.3 -w 2 10.1.1.1 | FORMAT_PING], [0], [dnl
948 3 packets transmitted, 3 received, 0% packet loss, time 0ms
951 OVS_TRAFFIC_VSWITCHD_STOP
dnl output(port=N,max_len=L) truncation.  Byte counts are measured by looping
dnl each output through a veth pair back into br0, where a drop flow on the
dnl far end (in_port=3 / in_port=5) accumulates n_bytes.
953 AT_SETUP([datapath - basic truncate action])
954 AT_SKIP_IF([test $HAVE_NC = no])
955 OVS_TRAFFIC_VSWITCHD_START()
956 AT_CHECK([ovs-ofctl del-flows br0])
958 dnl Create p0 and ovs-p0(1)
959 ADD_NAMESPACES(at_ns0)
960 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MACs and a static ARP entry so the UDP send needs no ARP exchange.
961 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
962 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
964 dnl Create p1(3) and ovs-p1(2), packets received from ovs-p1 will appear in p1
965 AT_CHECK([ip link add p1 type veth peer name ovs-p1])
966 on_exit 'ip link del ovs-p1'
967 AT_CHECK([ip link set dev ovs-p1 up])
968 AT_CHECK([ip link set dev p1 up])
969 AT_CHECK([ovs-vsctl add-port br0 ovs-p1 -- set interface ovs-p1 ofport_request=2])
970 dnl Use p1 to check the truncated packet
971 AT_CHECK([ovs-vsctl add-port br0 p1 -- set interface p1 ofport_request=3])
973 dnl Create p2(5) and ovs-p2(4)
974 AT_CHECK([ip link add p2 type veth peer name ovs-p2])
975 on_exit 'ip link del ovs-p2'
976 AT_CHECK([ip link set dev ovs-p2 up])
977 AT_CHECK([ip link set dev p2 up])
978 AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=4])
979 dnl Use p2 to check the truncated packet
980 AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=5])
983 AT_CHECK([ovs-ofctl del-flows br0])
984 AT_DATA([flows.txt], [dnl
dnl Counting flows: whatever loops back in on port 3 / port 5 is dropped here.
985 in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
986 in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
dnl Port 2 gets a 100-byte truncated copy, port 4 the full packet.
987 in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4
989 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
991 dnl use this file as payload file for ncat
dnl 200 random bytes; frame on the wire = ETH(14) + IP(20) + UDP(8) + 200 = 242.
992 AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
993 on_exit 'rm -f payload200.bin'
994 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
996 dnl packet with truncated size
dnl Purge so the datapath flow stats are pushed into the OpenFlow flow counters.
997 AT_CHECK([ovs-appctl revalidator/purge], [0])
998 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1001 dnl packet with original size
1002 AT_CHECK([ovs-appctl revalidator/purge], [0])
1003 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1007 dnl more complicated output actions
1008 AT_CHECK([ovs-ofctl del-flows br0])
1009 AT_DATA([flows.txt], [dnl
1010 in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
1011 in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
dnl Mixed truncated and full outputs to both ports; max_len larger than the
dnl packet (65535) must not change the packet.
1012 in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4,output(port=2,max_len=100),output(port=4,max_len=100),output:2,output(port=4,max_len=200),output(port=2,max_len=65535)
1014 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1016 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
1018 dnl 100 + 100 + 242 + min(65535,242) = 684
1019 AT_CHECK([ovs-appctl revalidator/purge], [0])
1020 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1023 dnl 242 + 100 + min(242,200) = 542
1024 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1028 dnl SLOW_ACTION: disable kernel datapath truncate support
1029 dnl Repeat the test above, but exercise the SLOW_ACTION code path
1030 AT_CHECK([ovs-appctl dpif/set-dp-features br0 trunc false], [0])
1032 dnl SLOW_ACTION test1: check datapath actions
1033 AT_CHECK([ovs-ofctl del-flows br0])
1034 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl The translated datapath actions still contain trunc(), but the flow is
dnl flagged for the userspace slow path because the datapath lacks support.
1036 AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=1,dl_type=0x800,dl_src=e6:66:c1:11:11:11,dl_dst=e6:66:c1:22:22:22,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,tp_src=8,tp_dst=9"], [0], [stdout])
1037 AT_CHECK([tail -3 stdout], [0],
1038 [Datapath actions: trunc(100),3,5,trunc(100),3,trunc(100),5,3,trunc(200),5,trunc(65535),3
1039 This flow is handled by the userspace slow path because it:
1040 - Uses action(s) not supported by datapath.
1043 dnl SLOW_ACTION test2: check actual packet truncate
dnl Same byte-count expectations as above, now produced by the slow path.
1044 AT_CHECK([ovs-ofctl del-flows br0])
1045 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1046 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
1048 dnl 100 + 100 + 242 + min(65535,242) = 684
1049 AT_CHECK([ovs-appctl revalidator/purge], [0])
1050 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1054 dnl 242 + 100 + min(242,200) = 542
1055 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1059 OVS_TRAFFIC_VSWITCHD_STOP
1062 dnl Create 2 bridges and 2 namespaces to test truncate over
dnl a GRE tunnel.  Topology:
1064 dnl br0: overlay bridge
1065 dnl ns1: connect to br0, with IP:10.1.1.2
1066 dnl br-underlay: with IP: 172.31.1.100
1067 dnl ns0: connect to br-underlay, with IP: 10.1.1.1
dnl The ns0 side of the tunnel is not a real gretap device here: the tunnel
dnl pop path is driven by injecting a pre-built GRE frame into br-underlay.
1068 AT_SETUP([datapath - truncate and output to gre tunnel by simulated packets])
1069 OVS_CHECK_KERNEL(3, 10, 4, 18)
1070 AT_SKIP_IF([test $HAVE_NC = no])
1071 OVS_TRAFFIC_VSWITCHD_START()
dnl Fixed MACs: the injected frame below hard-codes these addresses.
1073 ADD_BR([br-underlay], [set bridge br-underlay other-config:hwaddr=\"02:90:8c:a8:a1:49\"])
1074 ADD_NAMESPACES(at_ns0)
1075 ADD_NAMESPACES(at_ns1)
1076 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
1077 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1079 dnl Set up underlay link from host into the namespace using veth pair.
1080 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", fa:ad:fa:25:05:60)
1081 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1082 AT_CHECK([ip link set dev br-underlay up])
1084 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1085 dnl linux device inside the namespace.
1086 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
1088 dnl The below native tunnel isn't actually added. We simulate it to send
1089 dnl and receive packets.
1090 dnl ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
1091 dnl [], [address e6:66:c1:11:11:11])
1092 dnl AT_CHECK([ovs-vsctl -- set interface at_gre0 ofport_request=1])
1093 dnl NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
1095 dnl Set up (p1 and ovs-p1) at br0
1096 ADD_VETH(p1, at_ns1, br0, '10.1.1.2/24')
1097 AT_CHECK([ovs-vsctl -- set interface ovs-p1 ofport_request=2])
1098 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
1099 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
1101 dnl Set up (p2 and ovs-p2) as loopback for verifying packet size
1102 AT_CHECK([ip link add p2 type veth peer name ovs-p2])
1103 on_exit 'ip link del ovs-p2'
1104 AT_CHECK([ip link set dev ovs-p2 up])
1105 AT_CHECK([ip link set dev p2 up])
1106 AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=3])
1107 AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=4])
1109 dnl use this file as payload file for ncat
1110 AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
1111 on_exit 'rm -f payload200.bin'
1113 AT_CHECK([ovs-ofctl del-flows br0])
1114 AT_DATA([flows.txt], [dnl
dnl From the tunnel (port 1): truncated copies to ns1 (port 2) and the loopback (port 3).
1115 priority=99,in_port=1,actions=output(port=2,max_len=100),output(port=3,max_len=100)
dnl From ns1: UDP goes into the tunnel truncated to 100 bytes.
1116 priority=99,in_port=2,udp,actions=output(port=1,max_len=100)
dnl Loopback return side (port 4) only counts bytes.
1117 priority=1,in_port=4,ip,actions=drop
1118 priority=1,actions=drop
1120 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1122 AT_CHECK([ovs-ofctl del-flows br-underlay])
1123 AT_DATA([flows-underlay.txt], [dnl
dnl Only GRE (nw_proto=47) is forwarded between the namespace port and LOCAL.
1124 priority=99,dl_type=0x0800,nw_proto=47,in_port=1,actions=LOCAL
1125 priority=99,dl_type=0x0800,nw_proto=47,in_port=LOCAL,ip_dst=172.31.1.1/24,actions=1
1126 priority=1,actions=drop
1129 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
1131 dnl check tunnel push path, from at_ns1 to at_ns0
1132 NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
1133 AT_CHECK([ovs-appctl revalidator/purge], [0])
1135 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
1136 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1139 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
1140 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1144 dnl check tunnel pop path, from at_ns0 to at_ns1
1145 dnl This 200-byte packet is simulated on behalf of ns_gre0
dnl Pre-built frame: outer Ethernet / IPv4 / GRE (0x6558, transparent Ethernet)
dnl wrapping an inner Ethernet / IPv4 / UDP datagram with the 200-byte payload.
1146 ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=02908ca8a149faadfa25056008004500010a9e9d4000402f4084ac1f0101ac1f016400006558e666c1222222e666c11111110800450000e46f8e40004011b4760a0101010a010102e026162e00d016e6a366ebf904c74132c6fed42a9e9e46240b4d9fd13c9b47d9704a388e70a5e77db16934a6188dc01d86aa20007ace2cf9cdb111f208474b88ffc851c871f0e3fb4fff138c1d288d437efff487e2b86a9c99fbf4229a6485e133bcf3e16f6e345207fda0932d9eeb602740456fd077b4847d25481337bd716155cc245be129ccc11bf82b834767b3760b52fe913c0e24f31c0e1b27f88acf7bba6b985fb64ee2cd6fc6bba1a9c1f021e253e1728b046fd4d023307e3296361a37ea2617ebcb2537e0284a81050dd0ee actions=LOCAL"
1148 dnl After truncation = 100 byte at loopback device p2(4)
1149 AT_CHECK([ovs-appctl revalidator/purge], [0])
1150 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | ofctl_strip], [0], [dnl
1151 n_packets=1, n_bytes=100, priority=1,ip,in_port=4 actions=drop
1154 dnl SLOW_ACTION: disable datapath truncate support
1155 dnl Repeat the test above, but exercise the SLOW_ACTION code path
1156 AT_CHECK([ovs-appctl dpif/set-dp-features br0 trunc false], [0])
1158 dnl SLOW_ACTION test1: check datapath actions
dnl NOTE(review): unlike the basic truncate test, no ofproto/trace check
dnl follows here; this step only reinstalls the flows.
1159 AT_CHECK([ovs-ofctl del-flows br0])
1160 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1162 dnl SLOW_ACTION test2: check actual packet truncate
dnl Reinstalling both flow tables resets the n_bytes counters read below.
1163 AT_CHECK([ovs-ofctl del-flows br0])
1164 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1165 AT_CHECK([ovs-ofctl del-flows br-underlay])
1166 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
1168 dnl check tunnel push path, from at_ns1 to at_ns0
1169 NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
1170 AT_CHECK([ovs-appctl revalidator/purge], [0])
1172 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
1173 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1176 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
1177 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1181 dnl check tunnel pop path, from at_ns0 to at_ns1
1182 dnl This 200-byte packet is simulated on behalf of ns_gre0
dnl NOTE(review): the packet bytes on the next line are presumably the same
dnl pre-built GRE frame injected in the first pass of this test -- confirm
dnl against the original source.
1183 ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=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 actions=LOCAL"
1185 dnl After truncation = 100 byte at loopback device p2(4)
1186 AT_CHECK([ovs-appctl revalidator/purge], [0])
1187 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | ofctl_strip], [0], [dnl
1188 n_packets=1, n_bytes=100, priority=1,ip,in_port=4 actions=drop
1191 OVS_TRAFFIC_VSWITCHD_STOP
1194 dnl Create 2 bridges and 2 namespaces to test truncate over
dnl a GRE tunnel.  Topology:
1196 dnl br0: overlay bridge
1197 dnl ns1: connect to br0, with IP:10.1.1.2
1198 dnl br-underlay: with IP: 172.31.1.100
1199 dnl ns0: connect to br-underlay, with IP: 10.1.1.1
dnl Unlike the "simulated packets" variant, ns0 gets a real gretap device, so
dnl both tunnel directions are driven by ordinary UDP sends.
1200 AT_SETUP([datapath - truncate and output to gre tunnel])
1201 AT_SKIP_IF([test $HAVE_NC = no])
1202 OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
1204 OVS_TRAFFIC_VSWITCHD_START()
1206 ADD_BR([br-underlay])
1207 ADD_NAMESPACES(at_ns0)
1208 ADD_NAMESPACES(at_ns1)
1209 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
1210 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1212 dnl Set up underlay link from host into the namespace using veth pair.
1213 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
1214 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1215 AT_CHECK([ip link set dev br-underlay up])
1217 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1218 dnl linux device inside the namespace.
1219 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
1220 ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
1221 [], [address e6:66:c1:11:11:11])
dnl The tunnel port must be OpenFlow port 1 for the in_port=1 flow below.
1222 AT_CHECK([ovs-vsctl -- set interface at_gre0 ofport_request=1])
dnl Static ARP on both ends so the UDP sends need no ARP exchange.
1223 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
1225 dnl Set up (p1 and ovs-p1) at br0
1226 ADD_VETH(p1, at_ns1, br0, '10.1.1.2/24')
1227 AT_CHECK([ovs-vsctl -- set interface ovs-p1 ofport_request=2])
1228 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
1229 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
1231 dnl Set up (p2 and ovs-p2) as loopback for verifying packet size
1232 AT_CHECK([ip link add p2 type veth peer name ovs-p2])
1233 on_exit 'ip link del ovs-p2'
1234 AT_CHECK([ip link set dev ovs-p2 up])
1235 AT_CHECK([ip link set dev p2 up])
1236 AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=3])
1237 AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=4])
1239 dnl use this file as payload file for ncat
1240 AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
1241 on_exit 'rm -f payload200.bin'
1243 AT_CHECK([ovs-ofctl del-flows br0])
1244 AT_DATA([flows.txt], [dnl
dnl From the tunnel (port 1): truncated copies to ns1 (port 2) and the loopback (port 3).
1245 priority=99,in_port=1,actions=output(port=2,max_len=100),output(port=3,max_len=100)
dnl From ns1: UDP goes into the tunnel truncated to 100 bytes.
1246 priority=99,in_port=2,udp,actions=output(port=1,max_len=100)
dnl Loopback return side (port 4) only counts bytes.
1247 priority=1,in_port=4,ip,actions=drop
1248 priority=1,actions=drop
1250 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1252 AT_CHECK([ovs-ofctl del-flows br-underlay])
1253 AT_DATA([flows-underlay.txt], [dnl
dnl Only GRE (nw_proto=47) is forwarded between the namespace port and LOCAL.
1254 priority=99,dl_type=0x0800,nw_proto=47,in_port=1,actions=LOCAL
1255 priority=99,dl_type=0x0800,nw_proto=47,in_port=LOCAL,ip_dst=172.31.1.1/24,actions=1
1256 priority=1,actions=drop
1259 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
1261 dnl check tunnel push path, from at_ns1 to at_ns0
1262 NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
1263 AT_CHECK([ovs-appctl revalidator/purge], [0])
1265 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
1266 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1269 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
1270 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1274 dnl check tunnel pop path, from at_ns0 to at_ns1
1275 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
1276 dnl After truncation = 100 byte at loopback device p2(4)
1277 AT_CHECK([ovs-appctl revalidator/purge], [0])
1278 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | ofctl_strip], [0], [dnl
1279 n_packets=1, n_bytes=100, priority=1,ip,in_port=4 actions=drop
1282 dnl SLOW_ACTION: disable datapath truncate support
1283 dnl Repeat the test above, but exercise the SLOW_ACTION code path
1284 AT_CHECK([ovs-appctl dpif/set-dp-features br0 trunc false], [0])
1286 dnl SLOW_ACTION test1: check datapath actions
dnl NOTE(review): unlike the basic truncate test, no ofproto/trace check
dnl follows here; this step only reinstalls the flows.
1287 AT_CHECK([ovs-ofctl del-flows br0])
1288 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1290 dnl SLOW_ACTION test2: check actual packet truncate
dnl Reinstalling both flow tables resets the n_bytes counters read below.
1291 AT_CHECK([ovs-ofctl del-flows br0])
1292 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1293 AT_CHECK([ovs-ofctl del-flows br-underlay])
1294 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
1296 dnl check tunnel push path, from at_ns1 to at_ns0
1297 NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
1298 AT_CHECK([ovs-appctl revalidator/purge], [0])
1300 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
1301 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1304 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
1305 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1309 dnl check tunnel pop path, from at_ns0 to at_ns1
1310 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
1311 dnl After truncation = 100 byte at loopback device p2(4)
1312 AT_CHECK([ovs-appctl revalidator/purge], [0])
1313 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | ofctl_strip], [0], [dnl
1314 n_packets=1, n_bytes=100, priority=1,ip,in_port=4 actions=drop
1317 OVS_TRAFFIC_VSWITCHD_STOP
1320 AT_BANNER([conntrack])
dnl Stateful policy enforced via the controller: new UDP from port 1 is
dnl committed and sent to the controller; packets from port 2 reach the
dnl controller only once conntrack reports them as established.
1322 AT_SETUP([conntrack - controller])
1324 OVS_TRAFFIC_VSWITCHD_START()
1325 AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg ofproto_dpif_upcall:dbg])
1327 ADD_NAMESPACES(at_ns0, at_ns1)
1329 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1330 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1332 dnl Allow any traffic from ns0->ns1. Only allow arp and return traffic from ns1->ns0.
1333 AT_DATA([flows.txt], [dnl
1334 priority=1,action=drop
1335 priority=10,arp,action=normal
1336 priority=100,in_port=1,udp,action=ct(commit),controller
dnl Untracked packets from port 2 go through conntrack and back into table 0.
1337 priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
1338 priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
1341 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1343 AT_CAPTURE_FILE([ofctl_monitor.log])
1344 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
1346 dnl Send an unsolicited reply from port 2. This should be dropped.
dnl NOTE(review): these packet-outs use the positional "in_port actions
dnl packet" form, while the other conntrack tests use the
dnl "in_port=... packet=... actions=..." form; consider aligning them.
1347 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000'])
1349 dnl OK, now start a new connection from port 1.
1350 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000'])
1352 dnl Now try a reply from port 2.
1353 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000'])
1355 OVS_APP_EXIT_AND_WAIT([ovs-ofctl])
1357 dnl Check this output. We only see the latter two packets, not the first.
dnl The second packet-in carries ct_state=est|rpl|trk: after ct(table=0) the
dnl reply re-enters table 0 tracked and matches the +trk+est flow.
1358 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
1359 NXT_PACKET_IN2 (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
1360 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
1361 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,ct_nw_src=10.1.1.1,ct_nw_dst=10.1.1.2,ct_nw_proto=17,ct_tp_src=1,ct_tp_dst=2,ip,in_port=2 (via action) data_len=42 (unbuffered)
1362 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
1365 OVS_TRAFFIC_VSWITCHD_STOP
dnl ct(force,commit): committing with "force" re-creates the connection with
dnl the committing packet as the original direction, flipping orig/reply.
1368 AT_SETUP([conntrack - force commit])
1370 OVS_TRAFFIC_VSWITCHD_START()
1371 AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg ofproto_dpif_upcall:dbg])
1373 ADD_NAMESPACES(at_ns0, at_ns1)
1375 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1376 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1378 AT_DATA([flows.txt], [dnl
1379 priority=1,action=drop
1380 priority=10,arp,action=normal
1381 priority=100,in_port=1,udp,action=ct(force,commit),controller
1382 priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
dnl An established reply from port 2 is force-committed and continues in table 1.
1383 priority=100,in_port=2,ct_state=+trk+est,udp,action=ct(force,commit,table=1)
1384 table=1,in_port=2,ct_state=+trk,udp,action=controller
1387 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1389 AT_CAPTURE_FILE([ofctl_monitor.log])
1390 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
1392 dnl Send an unsolicited reply from port 2. This should be dropped.
1393 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000 actions=resubmit(,0)"])
1395 dnl OK, now start a new connection from port 1.
1396 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
1398 dnl Now try a reply from port 2.
1399 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000 actions=resubmit(,0)"])
1401 AT_CHECK([ovs-appctl revalidator/purge], [0])
1403 OVS_APP_EXIT_AND_WAIT([ovs-ofctl])
1405 dnl Check this output. We only see the latter two packets, not the first.
dnl The table 1 packet-in shows ct_state=new|trk with orig src=10.1.1.2: the
dnl force commit made the reply the new original direction.
1406 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
1407 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
1408 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
1409 NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=42 ct_state=new|trk,ct_nw_src=10.1.1.2,ct_nw_dst=10.1.1.1,ct_nw_proto=17,ct_tp_src=2,ct_tp_dst=1,ip,in_port=2 (via action) data_len=42 (unbuffered)
1410 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
1414 dnl Check that the directionality has been changed by force commit.
1416 AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.2,"], [], [dnl
1417 udp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1),reply=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2)
1420 dnl OK, now send another packet from port 1 and see that it switches again
1421 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
1422 AT_CHECK([ovs-appctl revalidator/purge], [0])
1424 AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.1,"], [], [dnl
1425 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),reply=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1)
1428 OVS_TRAFFIC_VSWITCHD_STOP
dnl dpctl/flush-conntrack with a 5-tuple: flushing by the reply-direction
dnl tuple, with and without a zone, and for ICMP by id/type/code.
1431 AT_SETUP([conntrack - ct flush by 5-tuple])
1433 OVS_TRAFFIC_VSWITCHD_START()
1435 ADD_NAMESPACES(at_ns0, at_ns1)
1437 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1438 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1440 AT_DATA([flows.txt], [dnl
1441 priority=1,action=drop
1442 priority=10,arp,action=normal
dnl Port 1 commits in the default zone, port 2 in zone 5.
1443 priority=100,in_port=1,udp,action=ct(commit),2
1444 priority=100,in_port=2,udp,action=ct(zone=5,commit),1
1445 priority=100,in_port=1,icmp,action=ct(commit),2
1446 priority=100,in_port=2,icmp,action=ct(zone=5,commit),1
1449 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1451 dnl Test UDP from port 1
1452 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
1454 AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.1,"], [], [dnl
1455 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),reply=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1)
dnl Flush using the reply-direction tuple; the entry must disappear (grep exits 1).
1458 AT_CHECK([ovs-appctl dpctl/flush-conntrack 'ct_nw_src=10.1.1.2,ct_nw_dst=10.1.1.1,ct_nw_proto=17,ct_tp_src=2,ct_tp_dst=1'])
1460 AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.1,"], [1], [dnl
1463 dnl Test UDP from port 2
1464 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000 actions=resubmit(,0)"])
1466 AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.2,"], [0], [dnl
1467 udp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1),reply=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),zone=5
dnl Zone must be given explicitly to flush a zone-5 entry.
1470 AT_CHECK([ovs-appctl dpctl/flush-conntrack zone=5 'ct_nw_src=10.1.1.1,ct_nw_dst=10.1.1.2,ct_nw_proto=17,ct_tp_src=1,ct_tp_dst=2'])
1472 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1475 dnl Test ICMP traffic
1476 NS_CHECK_EXEC([at_ns1], [ping -q -c 3 -i 0.3 -w 2 10.1.1.1 | FORMAT_PING], [0], [dnl
1477 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Keep the raw (unformatted) entry in stdout: the ICMP id is parsed from it below.
1480 AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.2,"], [0], [stdout])
1481 AT_CHECK([cat stdout | FORMAT_CT(10.1.1.1)], [0],[dnl
1482 icmp,orig=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=8,code=0),reply=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=0,code=0),zone=5
dnl Fourth comma-separated field of the raw entry is "id=NNN" from the orig tuple.
1485 ICMP_ID=`cat stdout | cut -d ',' -f4 | cut -d '=' -f2`
1486 ICMP_TUPLE=ct_nw_src=10.1.1.2,ct_nw_dst=10.1.1.1,ct_nw_proto=1,icmp_id=$ICMP_ID,icmp_type=8,icmp_code=0
1487 AT_CHECK([ovs-appctl dpctl/flush-conntrack zone=5 $ICMP_TUPLE])
1489 AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.2,"], [1], [dnl
1492 OVS_TRAFFIC_VSWITCHD_STOP
1495 AT_SETUP([conntrack - IPv4 ping])
1497 OVS_TRAFFIC_VSWITCHD_START()
1499 ADD_NAMESPACES(at_ns0, at_ns1)
1501 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1502 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1504 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1505 AT_DATA([flows.txt], [dnl
1506 priority=1,action=drop
1507 priority=10,arp,action=normal
1508 priority=100,in_port=1,icmp,action=ct(commit),2
1509 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
1510 priority=100,in_port=2,icmp,ct_state=+trk+est,action=1
1513 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1515 dnl Pings from ns0->ns1 should work fine.
1516 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1517 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1520 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1521 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0)
1524 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1526 dnl Pings from ns1->ns0 should fail.
1527 NS_CHECK_EXEC([at_ns1], [ping -q -c 3 -i 0.3 -w 2 10.1.1.1 | FORMAT_PING], [0], [dnl
1528 7 packets transmitted, 0 received, 100% packet loss, time 0ms
1531 OVS_TRAFFIC_VSWITCHD_STOP
1534 AT_SETUP([conntrack - get_nconns and get/set_maxconns])
1536 CHECK_CT_DPIF_SET_GET_MAXCONNS()
1537 CHECK_CT_DPIF_GET_NCONNS()
1538 OVS_TRAFFIC_VSWITCHD_START()
1540 ADD_NAMESPACES(at_ns0, at_ns1)
1542 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1543 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1545 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1546 AT_DATA([flows.txt], [dnl
1547 priority=1,action=drop
1548 priority=10,arp,action=normal
1549 priority=100,in_port=1,icmp,action=ct(commit),2
1550 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
1551 priority=100,in_port=2,icmp,ct_state=+trk+est,action=1
1554 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1556 dnl Pings from ns0->ns1 should work fine.
1557 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1558 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1561 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1562 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0)
1565 AT_CHECK([ovs-appctl dpctl/ct-set-maxconns one-bad-dp], [2], [], [dnl
1566 ovs-vswitchd: maxconns missing or malformed (Invalid argument)
1567 ovs-appctl: ovs-vswitchd: server returned an error
1570 AT_CHECK([ovs-appctl dpctl/ct-set-maxconns a], [2], [], [dnl
1571 ovs-vswitchd: maxconns missing or malformed (Invalid argument)
1572 ovs-appctl: ovs-vswitchd: server returned an error
1575 AT_CHECK([ovs-appctl dpctl/ct-set-maxconns one-bad-dp 10], [2], [], [dnl
1576 ovs-vswitchd: datapath not found (Invalid argument)
1577 ovs-appctl: ovs-vswitchd: server returned an error
1580 AT_CHECK([ovs-appctl dpctl/ct-get-maxconns one-bad-dp], [2], [], [dnl
1581 ovs-vswitchd: datapath not found (Invalid argument)
1582 ovs-appctl: ovs-vswitchd: server returned an error
1585 AT_CHECK([ovs-appctl dpctl/ct-get-nconns one-bad-dp], [2], [], [dnl
1586 ovs-vswitchd: datapath not found (Invalid argument)
1587 ovs-appctl: ovs-vswitchd: server returned an error
1590 AT_CHECK([ovs-appctl dpctl/ct-get-nconns], [], [dnl
1594 AT_CHECK([ovs-appctl dpctl/ct-get-maxconns], [], [dnl
1598 AT_CHECK([ovs-appctl dpctl/ct-set-maxconns 10], [], [dnl
1599 setting maxconns successful
1602 AT_CHECK([ovs-appctl dpctl/ct-get-maxconns], [], [dnl
1606 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1608 AT_CHECK([ovs-appctl dpctl/ct-get-nconns], [], [dnl
1612 AT_CHECK([ovs-appctl dpctl/ct-get-maxconns], [], [dnl
1616 OVS_TRAFFIC_VSWITCHD_STOP
1619 AT_SETUP([conntrack - IPv6 ping])
1621 OVS_TRAFFIC_VSWITCHD_START()
1623 ADD_NAMESPACES(at_ns0, at_ns1)
1625 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1626 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1628 AT_DATA([flows.txt], [dnl
1630 dnl ICMPv6 echo request and reply go to table 1. The rest of the traffic goes
1631 dnl through normal action.
1632 table=0,priority=10,icmp6,icmp_type=128,action=goto_table:1
1633 table=0,priority=10,icmp6,icmp_type=129,action=goto_table:1
1634 table=0,priority=1,action=normal
1636 dnl Allow everything from ns0->ns1. Only allow return traffic from ns1->ns0.
1637 table=1,priority=100,in_port=1,icmp6,action=ct(commit),2
1638 table=1,priority=100,in_port=2,icmp6,ct_state=-trk,action=ct(table=0)
1639 table=1,priority=100,in_port=2,icmp6,ct_state=+trk+est,action=1
1640 table=1,priority=1,action=drop
1643 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1645 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1647 dnl The above ping creates state in the connection tracker. We're not
1648 dnl interested in that state.
1649 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1651 dnl Pings from ns1->ns0 should fail.
1652 NS_CHECK_EXEC([at_ns1], [ping6 -q -c 3 -i 0.3 -w 2 fc00::1 | FORMAT_PING], [0], [dnl
1653 7 packets transmitted, 0 received, 100% packet loss, time 0ms
1656 dnl Pings from ns0->ns1 should work fine.
1657 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1658 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1661 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
1662 icmpv6,orig=(src=fc00::1,dst=fc00::2,id=<cleared>,type=128,code=0),reply=(src=fc00::2,dst=fc00::1,id=<cleared>,type=129,code=0)
1665 OVS_TRAFFIC_VSWITCHD_STOP
1668 AT_SETUP([conntrack - preserve registers])
1670 OVS_TRAFFIC_VSWITCHD_START()
1672 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1674 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1675 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1676 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1677 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1679 dnl Allow any traffic from ns0->ns1, ns2->ns3.
1680 AT_DATA([flows.txt], [dnl
1681 priority=1,action=drop
1682 priority=10,arp,action=normal
1683 priority=10,icmp,action=normal
1684 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
1685 priority=100,in_port=1,tcp,ct_state=+trk,action=2
1686 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
1687 priority=100,in_port=2,tcp,ct_state=+trk,action=1
1688 priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
1689 priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
1690 priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
1691 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
1692 priority=100,in_port=4,tcp,ct_state=+trk,action=3
1695 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1697 OVS_START_L7([at_ns1], [http])
1698 OVS_START_L7([at_ns3], [http])
1700 dnl HTTP requests from p0->p1 should work fine.
1701 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1703 dnl HTTP requests from p2->p3 should work fine.
1704 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
1706 OVS_TRAFFIC_VSWITCHD_STOP
1709 AT_SETUP([conntrack - invalid])
1711 OVS_TRAFFIC_VSWITCHD_START()
1713 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1715 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1716 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1717 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1718 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1720 dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
1721 dnl the opposite direction. This should fail.
1722 dnl Pass traffic from ns2->ns3 (OpenFlow ports 3->4) without committing, and
1723 dnl this time match invalid traffic and allow it through.
dnl Both request-side rules use ct() without "commit": the packet is tracked but
dnl no conntrack entry is created, so the reply arriving on port 2 / port 4
dnl cannot be associated with a known connection. Port 2 only admits replies
dnl that are +trk+new; port 4 additionally admits +trk+inv, the "invalid"
dnl state referred to in the comments below.
1724 AT_DATA([flows.txt], [dnl
1725 priority=1,action=drop
1726 priority=10,arp,action=normal
1727 priority=10,icmp,action=normal
1728 priority=100,in_port=1,tcp,action=ct(),2
1729 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1730 priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
1731 priority=100,in_port=3,tcp,action=ct(),4
1732 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
1733 priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
1734 priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
1737 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1739 dnl We set up our rules to allow the request without committing. The return
1740 dnl traffic can't be identified, because the initial request wasn't committed.
1741 dnl For the first pair of ports, this means that the connection fails.
1742 OVS_START_L7([at_ns1], [http])
1743 OVS_START_L7([at_ns3], [http])
dnl Expected exit status 4 is the wget "network failure" status; the zone tests
dnl further down in this file check for the same status on their failing pair.
1744 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
1746 dnl For the second pair, we allow packets from invalid connections, so it works.
1747 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
1749 OVS_TRAFFIC_VSWITCHD_STOP
1752 AT_SETUP([conntrack - zones])
1754 OVS_TRAFFIC_VSWITCHD_START()
1756 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1758 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1759 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1760 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1761 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1763 dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
1764 dnl For ns2->ns3, use a different zone and see that the match fails.
1765 AT_DATA([flows.txt], [dnl
1766 priority=1,action=drop
1767 priority=10,arp,action=normal
1768 priority=10,icmp,action=normal
1769 priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
1770 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
1771 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
1772 priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
1773 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
1774 priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
1777 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1779 OVS_START_L7([at_ns1], [http])
1780 OVS_START_L7([at_ns3], [http])
1782 dnl HTTP requests from p0->p1 should work fine.
1783 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1785 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1786 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1789 dnl HTTP requests from p2->p3 should fail due to network failure.
1790 dnl Try 3 times, in 1 second intervals.
1791 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1793 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
1794 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1797 OVS_TRAFFIC_VSWITCHD_STOP
1800 AT_SETUP([conntrack - zones from field])
1802 OVS_TRAFFIC_VSWITCHD_START()
1804 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1806 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1807 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1808 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1809 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1811 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1812 AT_DATA([flows.txt], [dnl
1813 priority=1,action=drop
1814 priority=10,arp,action=normal
1815 priority=10,icmp,action=normal
1816 priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
1817 priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
1818 priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
1819 priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
1820 priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
1821 priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
1824 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1826 OVS_START_L7([at_ns1], [http])
1827 OVS_START_L7([at_ns3], [http])
1829 dnl HTTP requests from p0->p1 should work fine.
1830 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1832 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1833 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=4097,protoinfo=(state=<cleared>)
1836 dnl HTTP requests from p2->p3 should fail due to network failure.
1837 dnl Try 3 times, in 1 second intervals.
1838 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1840 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
1841 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=4098,protoinfo=(state=<cleared>)
1844 OVS_TRAFFIC_VSWITCHD_STOP
1847 AT_SETUP([conntrack - multiple bridges])
1849 OVS_TRAFFIC_VSWITCHD_START(
1851 add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
1852 add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
1854 ADD_NAMESPACES(at_ns0, at_ns1)
1856 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1857 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
1859 dnl Allow any traffic from ns0->br1, allow established in reverse.
1860 AT_DATA([flows-br0.txt], [dnl
1861 priority=1,action=drop
1862 priority=10,arp,action=normal
1863 priority=10,icmp,action=normal
1864 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
1865 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
1866 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
1869 dnl Allow any traffic from br0->ns1, allow established in reverse.
1870 AT_DATA([flows-br1.txt], [dnl
1871 priority=1,action=drop
1872 priority=10,arp,action=normal
1873 priority=10,icmp,action=normal
1874 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
1875 priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
1876 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
1877 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
1878 priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
1881 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
1882 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])
1884 dnl HTTP requests from p0->p1 should work fine.
1885 OVS_START_L7([at_ns1], [http])
1886 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1888 OVS_TRAFFIC_VSWITCHD_STOP
1891 AT_SETUP([conntrack - multiple zones])
1893 OVS_TRAFFIC_VSWITCHD_START()
1895 ADD_NAMESPACES(at_ns0, at_ns1)
1897 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1898 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1900 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1901 AT_DATA([flows.txt], [dnl
1902 priority=1,action=drop
1903 priority=10,arp,action=normal
1904 priority=10,icmp,action=normal
1905 priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
1906 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
1907 priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
1910 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1912 OVS_START_L7([at_ns1], [http])
1914 dnl HTTP requests from p0->p1 should work fine.
1915 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1917 dnl (again) HTTP requests from p0->p1 should work fine.
1918 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1920 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1921 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1922 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1925 OVS_TRAFFIC_VSWITCHD_STOP
1928 AT_SETUP([conntrack - multiple namespaces, internal ports])
dnl CHECK_CONNTRACK_LOCAL_STACK() presumably skips the test on datapaths that
dnl cannot track connections originating from the local kernel stack -- confirm.
1930 CHECK_CONNTRACK_LOCAL_STACK()
dnl NOTE(review): unlike its sibling tests this one sets fail mode "secure" on
dnl br0; the reason is not stated here -- confirm before changing it.
1931 OVS_TRAFFIC_VSWITCHD_START(
1932 [set-fail-mode br0 secure -- ])
1934 ADD_NAMESPACES(at_ns0, at_ns1)
dnl ADD_INT creates OVS internal ports instead of the veth pairs used elsewhere;
dnl presumably the interface itself lives inside the namespace, so the packets
dnl come from that namespace's kernel stack -- confirm.
1936 ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
1937 ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")
1939 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1941 dnl If skb->nfct is leaking from inside the namespace, this test will fail.
dnl The leak is detectable because the in_port=1 rule requires ct_state=-trk:
dnl a packet that arrives already carrying conntrack state matches none of the
dnl priority=100 rules and falls through to the priority=1 drop, so wget fails.
1942 AT_DATA([flows.txt], [dnl
1943 priority=1,action=drop
1944 priority=10,arp,action=normal
1945 priority=10,icmp,action=normal
1946 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
1947 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
1948 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
1951 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1953 OVS_START_L7([at_ns1], [http])
1955 dnl HTTP requests from p0->p1 should work fine.
1956 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1958 dnl (again) HTTP requests from p0->p1 should work fine.
1959 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Two requests were made, but only one zone=1 entry is expected: the second
dnl request reuses the committed connection rather than creating another.
1961 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1962 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
dnl The two sed-style /.../d expressions are handed to the STOP macro so these
dnl device-removal messages are not treated as unexpected log output; presumably
dnl they appear because the internal ports vanish with their namespaces -- confirm.
1965 OVS_TRAFFIC_VSWITCHD_STOP(["dnl
1966 /ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
1967 /removing policing failed: No such device/d"])
1970 AT_SETUP([conntrack - ct_mark])
1972 OVS_TRAFFIC_VSWITCHD_START()
1974 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1976 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1977 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1978 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1979 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1981 dnl Allow traffic between ns0<->ns1 using the ct_mark.
1982 dnl Check that different marks do not match for traffic between ns2<->ns3.
1983 AT_DATA([flows.txt], [dnl
1984 priority=1,action=drop
1985 priority=10,arp,action=normal
1986 priority=10,icmp,action=normal
1987 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
1988 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1989 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
1990 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
1991 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
1992 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
1995 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1997 OVS_START_L7([at_ns1], [http])
1998 OVS_START_L7([at_ns3], [http])
2000 dnl HTTP requests from p0->p1 should work fine.
2001 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2002 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2003 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
2006 dnl HTTP requests from p2->p3 should fail due to network failure.
2007 dnl Try 3 times, in 1 second intervals.
2008 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
2009 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
2010 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
2013 OVS_TRAFFIC_VSWITCHD_STOP
2016 AT_SETUP([conntrack - ct_mark bit-fiddling])
2018 OVS_TRAFFIC_VSWITCHD_START()
2020 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
2022 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2023 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2025 dnl Allow traffic between ns0<->ns1 using the ct_mark. Return traffic should
2026 dnl cause an additional bit to be set in the connection (and be allowed).
2027 AT_DATA([flows.txt], [dnl
2028 table=0,priority=1,action=drop
2029 table=0,priority=10,arp,action=normal
2030 table=0,priority=10,icmp,action=normal
2031 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
2032 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x2/0x6->ct_mark))
2033 table=1,in_port=1,ct_state=+new,tcp,action=ct(commit,exec(set_field:0x5/0x5->ct_mark)),2
2034 table=1,in_port=1,ct_state=-new,tcp,action=2
2035 table=1,in_port=2,ct_state=+trk,ct_mark=3,tcp,action=1
2038 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2040 OVS_START_L7([at_ns1], [http])
2042 dnl HTTP requests from p0->p1 should work fine.
2043 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2045 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2046 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=3,protoinfo=(state=<cleared>)
2049 OVS_TRAFFIC_VSWITCHD_STOP
2052 AT_SETUP([conntrack - ct_mark from register])
2054 OVS_TRAFFIC_VSWITCHD_START()
2056 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
2058 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2059 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2060 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
2061 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
2063 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
2064 AT_DATA([flows.txt], [dnl
2065 priority=1,action=drop
2066 priority=10,arp,action=normal
2067 priority=10,icmp,action=normal
2068 priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
2069 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
2070 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
2071 priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
2072 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
2073 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
2076 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2078 OVS_START_L7([at_ns1], [http])
2079 OVS_START_L7([at_ns3], [http])
2081 dnl HTTP requests from p0->p1 should work fine.
2082 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2083 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2084 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
2087 dnl HTTP requests from p2->p3 should fail due to network failure.
2088 dnl Try 3 times, in 1 second intervals.
2089 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
2090 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
2091 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
2094 OVS_TRAFFIC_VSWITCHD_STOP
2097 AT_SETUP([conntrack - ct_label])
2099 OVS_TRAFFIC_VSWITCHD_START()
2101 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
2103 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2104 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2105 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
2106 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
2108 dnl Allow traffic between ns0<->ns1 using the ct_label.
2109 dnl Check that different labels do not match for traffic between ns2<->ns3.
2110 AT_DATA([flows.txt], [dnl
2111 priority=1,action=drop
2112 priority=10,arp,action=normal
2113 priority=10,icmp,action=normal
2114 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
2115 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
2116 priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
2117 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
2118 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
2119 priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
2122 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2124 OVS_START_L7([at_ns1], [http])
2125 OVS_START_L7([at_ns3], [http])
2127 dnl HTTP requests from p0->p1 should work fine.
2128 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2130 dnl HTTP requests from p2->p3 should fail due to network failure.
2131 dnl Try 3 times, in 1 second intervals.
2132 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
2134 OVS_TRAFFIC_VSWITCHD_STOP
2137 AT_SETUP([conntrack - ct_label bit-fiddling])
2139 OVS_TRAFFIC_VSWITCHD_START()
2141 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
2143 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2144 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2146 dnl Allow traffic between ns0<->ns1 using the ct_labels. Return traffic should
2147 dnl cause an additional bit to be set in the connection labels (and be allowed).
2148 AT_DATA([flows.txt], [dnl
2149 table=0,priority=1,action=drop
2150 table=0,priority=10,arp,action=normal
2151 table=0,priority=10,icmp,action=normal
2152 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
2153 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label))
2154 table=1,in_port=1,tcp,ct_state=+new,action=ct(commit,exec(set_field:0x5/0x5->ct_label)),2
2155 table=1,in_port=1,tcp,ct_state=-new,action=2
2156 table=1,in_port=2,ct_state=+trk,ct_label=0x200000001,tcp,action=1
2159 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2161 OVS_START_L7([at_ns1], [http])
2163 dnl HTTP requests from p0->p1 should work fine.
2164 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2166 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2167 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),labels=0x200000001,protoinfo=(state=<cleared>)
2170 OVS_TRAFFIC_VSWITCHD_STOP
2173 AT_SETUP([conntrack - ct metadata, multiple zones])
2175 OVS_TRAFFIC_VSWITCHD_START()
2177 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
2179 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2180 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2182 dnl Allow traffic between ns0<->ns1 using the ct_mark and ct_labels in zone=1,
2183 dnl but do *not* set any of these for the ct() in zone=2. Traffic should pass,
2184 dnl and we should see that the conntrack entries only apply the ct_mark and
2185 dnl ct_labels to the connection in zone=1.
2186 AT_DATA([flows.txt], [dnl
2187 table=0,priority=1,action=drop
2188 table=0,priority=10,arp,action=normal
2189 table=0,priority=10,icmp,action=normal
2190 table=0,priority=100,in_port=1,tcp,action=ct(zone=1,table=1)
2191 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(zone=1,table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label,set_field:0x2/0x6->ct_mark))
2192 table=1,in_port=1,tcp,ct_state=+new,action=ct(zone=1,commit,exec(set_field:0x5/0x5->ct_label,set_field:0x5/0x5->ct_mark)),ct(commit,zone=2),2
2193 table=1,in_port=1,tcp,ct_state=-new,action=ct(zone=2),2
2194 table=1,in_port=2,tcp,action=ct(zone=2),1
2197 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2199 OVS_START_L7([at_ns1], [http])
2201 dnl HTTP requests from p0->p1 should work fine.
2202 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2204 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2205 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,mark=3,labels=0x200000001,protoinfo=(state=<cleared>)
2206 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
2209 OVS_TRAFFIC_VSWITCHD_STOP
2212 AT_SETUP([conntrack - ICMP related])
dnl Skipped when netcat is unavailable; nc is used below to emit the probe datagram.
2213 AT_SKIP_IF([test $HAVE_NC = no])
2215 OVS_TRAFFIC_VSWITCHD_START()
2217 ADD_NAMESPACES(at_ns0, at_ns1)
2219 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2220 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2222 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
dnl The outbound UDP connection is committed with ct_mark=1. The in_port=2 ICMP
dnl rule requires both +rel and ct_mark=1, so an ICMP error is only admitted
dnl when conntrack ties it to that specific connection; unrelated ICMP from
dnl port 2 hits the priority=1 drop.
2223 AT_DATA([flows.txt], [dnl
2224 priority=1,action=drop
2225 priority=10,arp,action=normal
2226 priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
2227 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
2228 priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
2231 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2233 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl Presumably nothing listens on UDP/10000 in at_ns1, which is what makes
dnl ns1's stack answer with the ICMP error -- confirm.
2234 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
dnl revalidator/purge presumably flushes datapath flows so that the OpenFlow
dnl counters read below are up to date -- confirm.
2236 AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl "grep -v drop" hides the catch-all rule. The counters then show exactly one
dnl UDP datagram committed, one ICMP packet passed through ct(table=0), and one
dnl ICMP packet admitted by the +rel,ct_mark=1 rule.
2237 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
2238 n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
2239 n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
2240 n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
2241 n_packets=2, n_bytes=84, priority=10,arp actions=NORMAL
2245 OVS_TRAFFIC_VSWITCHD_STOP
2248 AT_SETUP([conntrack - ICMP related to original direction])
dnl NOTE(review): this test injects its packets with ovs-ofctl packet-out and
dnl does not appear to use nc, so the HAVE_NC skip may be a leftover -- confirm.
2249 AT_SKIP_IF([test $HAVE_NC = no])
2251 OVS_TRAFFIC_VSWITCHD_START()
2253 ADD_NAMESPACES(at_ns0, at_ns1)
2255 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2256 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2258 dnl Allow UDP traffic in both directions between port 1 and port 2, committed
dnl in zone 34673. Only allow ICMP from port 2 back to port 1 when conntrack
dnl classifies it as related (+rel) to a tracked connection.
2259 AT_DATA([flows.txt], [dnl
2260 priority=1000,arp,action=normal
2261 priority=100,ip,action=ct(table=1)
2262 priority=1,action=drop
2263 table=1,ip,action=ct(zone=34673,table=2)
2264 table=2,in_port=2,udp,action=ct(commit,zone=34673),1
2265 table=2,in_port=1,udp,action=ct(commit,zone=34673),2
2266 table=2,in_port=2,ct_state=+rel,icmp,action=1
2269 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2271 dnl 1. Send a UDP packet to port 53 (src=192.100.1.8,dst=192.100.2.5)
dnl    Injected on port 2; this creates the conntrack entry whose original
dnl    direction is 192.100.1.8 -> 192.100.2.5 (see the dump-conntrack check).
2272 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) '00010200020400232211223308004500001c000100004011f6fac0640108c06402050035003500087b9e'])
2274 dnl 2. Send a UDP packet to port 53 (src=192.100.2.5,dst=192.100.1.8)
dnl    Injected on port 1; this is the reply direction of the entry from step 1.
dnl    The final dump-conntrack check expects a single entry, not a second one.
2275 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 resubmit\(,0\) '00232211223300010200020408004500001c000100004011f6fac0640205c06401080035003500087b9e'])
2277 dnl 3. Send an ICMP port unreach reply for port 53, related to the 2nd
2278 dnl packet, but in the original direction of the conntrack entry created
2279 dnl for the 1st packet.
dnl    The same ICMP packet is sent twice, with a revalidator/purge in between,
dnl    so the +rel rule is expected to count two packets below.
2280 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) '000102000204002322112233080045000038000100003f01f7eec0640108c0640205030a80e5ffffffff4500001c000100003f11f7fac0640205c06401080035003500087b9e'])
dnl revalidator/purge presumably flushes datapath flows so the OpenFlow counters
dnl read below are up to date -- confirm.
2282 AT_CHECK([ovs-appctl revalidator/purge], [0])
2285 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) '000102000204002322112233080045000038000100003f01f7eec0640108c0640205030a80e5ffffffff4500001c000100003f11f7fac0640205c06401080035003500087b9e'])
2287 AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl Expected counters: one UDP packet per direction, and both ICMP errors
dnl admitted by the +rel rule even though they travel in the entry's original
dnl direction; nothing is expected to reach the (hidden) drop rule.
2289 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
2290 n_packets=4, n_bytes=224, priority=100,ip actions=ct(table=1)
2291 priority=1000,arp actions=NORMAL
2292 table=1, n_packets=4, n_bytes=224, ip actions=ct(table=2,zone=34673)
2293 table=2, n_packets=1, n_bytes=42, udp,in_port=1 actions=ct(commit,zone=34673),output:2
2294 table=2, n_packets=1, n_bytes=42, udp,in_port=2 actions=ct(commit,zone=34673),output:1
2295 table=2, n_packets=2, n_bytes=140, ct_state=+rel,icmp,in_port=2 actions=output:1
2299 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.100.1.8)], [0], [dnl
2300 udp,orig=(src=192.100.1.8,dst=192.100.2.5,sport=<cleared>,dport=<cleared>),reply=(src=192.100.2.5,dst=192.100.1.8,sport=<cleared>,dport=<cleared>),zone=34673
2303 OVS_TRAFFIC_VSWITCHD_STOP
2306 AT_SETUP([conntrack - ICMP related 2])
dnl Every IP packet is committed to conntrack and then sent to the controller,
dnl so the ct_state carried by each packet-in can be checked: an ICMP error
dnl with no matching connection is reported as inv|trk, while an error that
dnl quotes an already committed UDP packet is reported as rel|rpl|trk.
2308 OVS_TRAFFIC_VSWITCHD_START()
2310 ADD_NAMESPACES(at_ns0, at_ns1)
2312 ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
2313 ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")
2315 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl NOTE(review): the two flows below do not implement the policy described on
dnl the line above; they send all IP traffic through ct(commit) and then to the
dnl controller regardless of direction. The description looks copied from
dnl another test -- confirm the intent and update it.
2316 AT_DATA([flows.txt], [dnl
2317 table=0,ip,action=ct(commit,table=1)
2318 table=1,ip,action=controller
2321 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])
2323 AT_CAPTURE_FILE([ofctl_monitor.log])
dnl Record the packet-ins in ofctl_monitor.log; it is inspected once the three
dnl packets below have been injected and the monitor has exited.
2324 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
2326 dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request
2327 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f351ac100004ac1000030303da490000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])
2329 dnl 2. Send a UDP packet to port 5555
2330 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 resubmit\(,0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
2332 dnl 3. Send an ICMP port unreach reply from a path midpoint for port 5555, related to the first packet
2333 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f354ac100003ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
2335 OVS_APP_EXIT_AND_WAIT([ovs-ofctl])
2337 dnl Check this output. All three injected packets reach the controller: the
dnl unsolicited error is flagged ct_state=inv|trk because nothing was committed
dnl for it, the UDP packet is new|trk, and the related error is rel|rpl|trk
dnl with the ct_* fields of the UDP connection it quotes.
2338 AT_CHECK([cat ofctl_monitor.log | grep -v ff02 | grep -v fe80 | grep -v no_match], [0], [dnl
2339 NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=75 ct_state=inv|trk,ip,in_port=2 (via action) data_len=75 (unbuffered)
2340 icmp,vlan_tci=0x0000,dl_src=c6:f5:4e:cb:72:db,dl_dst=f6:4c:47:35:28:c9,nw_src=172.16.0.4,nw_dst=172.16.0.3,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:da49
2341 NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=47 ct_state=new|trk,ct_nw_src=172.16.0.1,ct_nw_dst=172.16.0.2,ct_nw_proto=17,ct_tp_src=41614,ct_tp_dst=5555,ip,in_port=1 (via action) data_len=47 (unbuffered)
2342 udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
2343 NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=75 ct_state=rel|rpl|trk,ct_nw_src=172.16.0.1,ct_nw_dst=172.16.0.2,ct_nw_proto=17,ct_tp_src=41614,ct_tp_dst=5555,ip,in_port=2 (via action) data_len=75 (unbuffered)
2344 icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.3,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
dnl The UDP connection is the only committed entry.
2347 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(172.16.0.1)], [0], [dnl
2348 udp,orig=(src=172.16.0.1,dst=172.16.0.2,sport=<cleared>,dport=<cleared>),reply=(src=172.16.0.2,dst=172.16.0.1,sport=<cleared>,dport=<cleared>)
dnl No entry may exist for the midpoint address 172.16.0.3 used by the ICMP
dnl errors: the expected output below is empty.
2351 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(172.16.0.3)], [0], [dnl
2354 OVS_TRAFFIC_VSWITCHD_STOP
2357 AT_SETUP([conntrack - IPv4 fragmentation])
dnl Fragmented ICMP echo (ping -s 1600 and -s 3200) through the userspace
dnl conntrack: traffic from port 1 is committed in zone 9 and forwarded,
dnl replies from port 2 are admitted only once tracked and established.
dnl Everything else falls through to the priority=1 drop rule.
2359 OVS_TRAFFIC_VSWITCHD_START()
2361 ADD_NAMESPACES(at_ns0, at_ns1)
2363 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2364 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2366 dnl Sending ping through conntrack
2367 AT_DATA([flows.txt], [dnl
2368 priority=1,action=drop
2369 priority=10,arp,action=normal
2370 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
2371 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
2372 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
2375 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2377 dnl Modify userspace conntrack fragmentation handling.
2378 DPCTL_MODIFY_FRAGMENTATION()
2380 dnl Ipv4 fragmentation connectivity check.
2381 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
2382 3 packets transmitted, 3 received, 0% packet loss, time 0ms
2385 dnl Ipv4 larger fragmentation connectivity check.
2386 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
2387 3 packets transmitted, 3 received, 0% packet loss, time 0ms
2390 dnl Check userspace conntrack fragmentation counters.
2391 DPCTL_CHECK_FRAGMENTATION_PASS()
2393 OVS_TRAFFIC_VSWITCHD_STOP
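2396 AT_SETUP([conntrack - IPv4 fragmentation expiry])
dnl Only unfragmented packets and first fragments are admitted from port 1;
dnl every later fragment hits the priority=1 drop rule, so reassembly never
dnl completes and no echo reply is received. The incomplete reassembly state
dnl must then expire cleanly; the fragmentation counters are checked at the end.
2398 OVS_TRAFFIC_VSWITCHD_START()
2400 ADD_NAMESPACES(at_ns0, at_ns1)
2402 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2403 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Match fields and the action list are comma separated (ip_frag=first,action=...),
dnl exactly like the ip_frag=no rule and the other rules in this file.
2405 AT_DATA([flows.txt], [dnl
2406 priority=1,action=drop
2407 priority=10,arp,action=normal
2409 dnl Only allow non-fragmented messages and 1st fragments of each message
2410 priority=100,in_port=1,icmp,ip_frag=no,action=ct(commit,zone=9),2
2411 priority=100,in_port=1,icmp,ip_frag=first,action=ct(commit,zone=9),2
2412 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
2413 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
2416 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2418 dnl Modify userspace conntrack fragmentation handling.
2419 DPCTL_MODIFY_FRAGMENTATION()
2421 dnl Ipv4 fragmentation connectivity check: total loss is the expected result.
2422 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 1 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
2423 7 packets transmitted, 0 received, 100% packet loss, time 0ms
2426 dnl Check userspace conntrack fragmentation counters.
2427 DPCTL_CHECK_FRAGMENTATION_FAIL()
2429 OVS_TRAFFIC_VSWITCHD_STOP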
2432 AT_SETUP([conntrack - IPv4 fragmentation + vlan])
dnl Same flow table and checks as "conntrack - IPv4 fragmentation", but the
dnl fragmented pings travel over VLAN 100 (10.2.2.1 -> 10.2.2.2) so the
dnl conntrack fragment handling is exercised on tagged traffic.
2434 OVS_TRAFFIC_VSWITCHD_START()
2436 ADD_NAMESPACES(at_ns0, at_ns1)
2438 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2439 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2440 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
2441 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
2443 dnl Sending ping through conntrack
2444 AT_DATA([flows.txt], [dnl
2445 priority=1,action=drop
2446 priority=10,arp,action=normal
2447 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
2448 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
2449 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
2452 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2454 dnl Modify userspace conntrack fragmentation handling.
2455 DPCTL_MODIFY_FRAGMENTATION()
2457 dnl Ipv4 fragmentation connectivity check.
2458 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
2459 3 packets transmitted, 3 received, 0% packet loss, time 0ms
2462 dnl Ipv4 larger fragmentation connectivity check.
2463 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
2464 3 packets transmitted, 3 received, 0% packet loss, time 0ms
2467 dnl Check userspace conntrack fragmentation counters.
2468 DPCTL_CHECK_FRAGMENTATION_PASS()
2470 OVS_TRAFFIC_VSWITCHD_STOP
2473 AT_SETUP([conntrack - IPv4 fragmentation + cvlan])
dnl Same flow table as the plain IPv4 fragmentation test, but the pings are
dnl double tagged (S-VLAN 4094 carrying C-VLAN 100) and also run over the
dnl outer S-VLAN alone. vlan-limit=0 lets the bridge look past the outer tag.
dnl NOTE(review): unlike "IPv4 fragmentation + vlan" this test neither calls
dnl DPCTL_MODIFY_FRAGMENTATION nor checks the fragmentation counters; confirm
dnl whether that is intentional.
2475 OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
2478 ADD_NAMESPACES(at_ns0, at_ns1)
2480 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2481 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2483 ADD_SVLAN(p0, at_ns0, 4094, "10.255.2.1/24")
2484 ADD_SVLAN(p1, at_ns1, 4094, "10.255.2.2/24")
2486 ADD_CVLAN(p0.4094, at_ns0, 100, "10.2.2.1/24")
2487 ADD_CVLAN(p1.4094, at_ns1, 100, "10.2.2.2/24")
2489 dnl Sending ping through conntrack
2490 AT_DATA([flows.txt], [dnl
2491 priority=1,action=drop
2492 priority=10,arp,action=normal
2493 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
2494 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
2495 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
2498 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Wait until the double-tagged path is up before the fragmentation checks.
2500 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])
2502 dnl Ipv4 fragmentation connectivity check.
2503 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
2504 3 packets transmitted, 3 received, 0% packet loss, time 0ms
2507 dnl Ipv4 fragmentation connectivity check. (outer svlan)
2508 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.255.2.2 | FORMAT_PING], [0], [dnl
2509 3 packets transmitted, 3 received, 0% packet loss, time 0ms
2512 dnl Ipv4 larger fragmentation connectivity check.
2513 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
2514 3 packets transmitted, 3 received, 0% packet loss, time 0ms
2517 dnl Ipv4 larger fragmentation connectivity check. (outer svlan)
2518 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.255.2.2 | FORMAT_PING], [0], [dnl
2519 3 packets transmitted, 3 received, 0% packet loss, time 0ms
2522 OVS_TRAFFIC_VSWITCHD_STOP
2525 AT_SETUP([conntrack - IPv4 fragmentation incomplete reassembled packet])
dnl Inject a single first fragment and nothing else. Reassembly cannot
dnl complete, so ct(commit) must not create an entry: the conntrack dump for
dnl 10.1.1.2 at the end is expected to be empty.
2527 OVS_TRAFFIC_VSWITCHD_START()
dnl NOTE(review): DPCTL_SET_MIN_FRAG_SIZE presumably lowers the minimum
dnl fragment size accepted by the userspace conntrack so these short test
dnl fragments are not rejected outright -- see its definition.
2528 DPCTL_SET_MIN_FRAG_SIZE()
2531 ADD_NAMESPACES(at_ns0, at_ns1)
2533 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2534 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2536 AT_DATA([bundle.txt], [dnl
2537 packet-out in_port=1, packet=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, actions=ct(commit)
2540 AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
2542 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2545 OVS_TRAFFIC_VSWITCHD_STOP
2548 dnl Uses same first fragment as above 'incomplete reassembled packet' test.
2549 AT_SETUP([conntrack - IPv4 fragmentation with fragments specified])
dnl The first fragment is followed by the trailing fragment in order, so the
dnl UDP datagram is reassembled and committed: the dump shows one udp entry.
2551 OVS_TRAFFIC_VSWITCHD_START()
2552 DPCTL_SET_MIN_FRAG_SIZE()
2554 ADD_NAMESPACES(at_ns0, at_ns1)
2556 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2557 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2559 AT_DATA([bundle.txt], [dnl
2560 packet-out in_port=1, packet=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, actions=ct(commit)
2561 packet-out in_port=1, packet=50540000000a505400000009080045000030000100320011a4860a0101010a01010200010002000800000010203040506070809000010203040506070809, actions=ct(commit)
2564 AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
2566 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2567 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>)
2570 OVS_TRAFFIC_VSWITCHD_STOP
2573 AT_SETUP([conntrack - IPv4 fragmentation out of order])
dnl The trailing fragment (the same packet as the second packet-out of the
dnl 'fragments specified' test) is injected before the first fragment.
dnl Reassembly must still complete and commit a single udp entry.
2575 OVS_TRAFFIC_VSWITCHD_START()
2576 DPCTL_SET_MIN_FRAG_SIZE()
2578 ADD_NAMESPACES(at_ns0, at_ns1)
2580 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2581 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2583 AT_DATA([bundle.txt], [dnl
2584 packet-out in_port=1, packet=50540000000a505400000009080045000030000100320011a4860a0101010a01010200010002000800000010203040506070809000010203040506070809, actions=ct(commit)
2585 packet-out in_port=1, packet=50540000000a5054000000090800450001a400012000001183440a0101010a01010200010002000800000304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809, actions=ct(commit)
2588 AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
2590 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2591 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>)
2594 OVS_TRAFFIC_VSWITCHD_STOP
2597 AT_SETUP([conntrack - IPv4 fragmentation overlapping fragments by 1 octet])
dnl Overlapping fragments are a classic reassembly-evasion pattern. The
dnl trailing fragment here differs from the one in the 'fragments specified'
dnl test only in its fragment offset field (0031 instead of 0032) and header
dnl checksum, so it overlaps the first fragment. The overlap must be rejected:
dnl nothing is committed and the dump below is expected to be empty.
2599 CHECK_CONNTRACK_FRAG_OVERLAP()
2600 OVS_TRAFFIC_VSWITCHD_START()
2601 DPCTL_SET_MIN_FRAG_SIZE()
2603 ADD_NAMESPACES(at_ns0, at_ns1)
2605 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2606 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2608 AT_DATA([bundle.txt], [dnl
2609 packet-out in_port=1, packet=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, actions=ct(commit)
2610 packet-out in_port=1, packet=50540000000a505400000009080045000030000100310011a4870a0101010a01010200010002000800000010203040506070809000010203040506070809, actions=ct(commit)
2613 AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
2614 # There is one byte of overlap, hence no packet gets through conntrack.
2615 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2618 OVS_TRAFFIC_VSWITCHD_STOP
2621 AT_SETUP([conntrack - IPv4 fragmentation overlapping fragments by 1 octet out of order])
dnl Same overlapping pair as the previous test, but the overlapping trailing
dnl fragment arrives first. The result must not depend on arrival order:
dnl nothing is committed and the dump below is expected to be empty.
2623 CHECK_CONNTRACK_FRAG_OVERLAP()
2624 OVS_TRAFFIC_VSWITCHD_START()
2625 DPCTL_SET_MIN_FRAG_SIZE()
2627 ADD_NAMESPACES(at_ns0, at_ns1)
2629 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2630 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2632 AT_DATA([bundle.txt], [dnl
2633 packet-out in_port=1, packet=50540000000a505400000009080045000030000100310011a4870a0101010a01010200010002000800000010203040506070809000010203040506070809, actions=ct(commit)
2634 packet-out in_port=1, packet=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, actions=ct(commit)
2637 AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
2638 # There is one byte of overlap, hence no packet gets through conntrack.
2639 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2642 OVS_TRAFFIC_VSWITCHD_STOP
2645 AT_SETUP([conntrack - IPv6 fragmentation])
dnl IPv6 counterpart of "conntrack - IPv4 fragmentation": fragmented ping6
dnl from port 1 is committed in zone 9 and forwarded, replies from port 2 are
dnl admitted only once tracked and established, everything else is dropped.
dnl Neighbour Discovery (ICMPv6 types 135/136) bypasses conntrack so the
dnl link-local addresses can resolve.
2647 OVS_TRAFFIC_VSWITCHD_START()
2649 ADD_NAMESPACES(at_ns0, at_ns1)
2651 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2652 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2654 dnl Sending ping through conntrack
2655 AT_DATA([flows.txt], [dnl
2656 priority=1,action=drop
2657 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
2658 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
2659 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
2660 priority=100,icmp6,icmp_type=135,action=normal
2661 priority=100,icmp6,icmp_type=136,action=normal
2664 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2666 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
2667 dnl waiting, we get occasional failures due to the following error:
2668 dnl "connect: Cannot assign requested address"
2669 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
2671 dnl Ipv6 fragmentation connectivity check.
2672 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
2673 3 packets transmitted, 3 received, 0% packet loss, time 0ms
2676 dnl Ipv6 larger fragmentation connectivity check.
2677 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
2678 3 packets transmitted, 3 received, 0% packet loss, time 0ms
2681 OVS_TRAFFIC_VSWITCHD_STOP
2684 AT_SETUP([conntrack - IPv6 fragmentation expiry])
dnl IPv6 counterpart of "conntrack - IPv4 fragmentation expiry": only
dnl unfragmented packets and first fragments are admitted from port 1, later
dnl fragments are dropped, so the fragmented ping6 gets no reply and the
dnl incomplete reassembly state is left to expire (see the note at the end).
2686 OVS_TRAFFIC_VSWITCHD_START()
2688 ADD_NAMESPACES(at_ns0, at_ns1)
2690 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2691 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2693 AT_DATA([flows.txt], [dnl
2694 priority=1,action=drop
2696 dnl Only allow non-fragmented messages and 1st fragments of each message
2697 priority=10,in_port=1,ipv6,ip_frag=first,action=ct(commit,zone=9),2
2698 priority=10,in_port=1,ipv6,ip_frag=no,action=ct(commit,zone=9),2
2699 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
2700 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
2702 dnl Neighbour Discovery
2703 priority=100,icmp6,icmp_type=135,action=normal
2704 priority=100,icmp6,icmp_type=136,action=normal
2707 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2709 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
2710 dnl waiting, we get occasional failures due to the following error:
2711 dnl "connect: Cannot assign requested address"
2712 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
2714 dnl Send an IPv6 fragment. Some time later, it should expire.
2715 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 1 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
2716 7 packets transmitted, 0 received, 100% packet loss, time 0ms
2719 dnl At this point, the kernel will either crash or everything is OK.
2721 OVS_TRAFFIC_VSWITCHD_STOP
2724 AT_SETUP([conntrack - IPv6 fragmentation + vlan])
dnl Same flow table as "conntrack - IPv6 fragmentation", but the fragmented
dnl pings travel over VLAN 100 (fc00:1::3 -> fc00:1::4).
2726 OVS_TRAFFIC_VSWITCHD_START()
2728 ADD_NAMESPACES(at_ns0, at_ns1)
2730 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2731 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2733 ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
2734 ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")
2736 dnl Sending ping through conntrack
2737 AT_DATA([flows.txt], [dnl
2738 priority=1,action=drop
2739 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
2740 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
2741 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
2742 priority=100,icmp6,icmp_type=135,action=normal
2743 priority=100,icmp6,icmp_type=136,action=normal
2746 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2748 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
2749 dnl waiting, we get occasional failures due to the following error:
2750 dnl "connect: Cannot assign requested address"
2751 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
2753 dnl Ipv6 fragmentation connectivity check.
2754 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
2755 3 packets transmitted, 3 received, 0% packet loss, time 0ms
2758 dnl Ipv6 larger fragmentation connectivity check.
2759 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
2760 3 packets transmitted, 3 received, 0% packet loss, time 0ms
2763 OVS_TRAFFIC_VSWITCHD_STOP
2766 AT_SETUP([conntrack - IPv6 fragmentation + cvlan])
dnl Same flow table as "conntrack - IPv6 fragmentation", with the pings double
dnl tagged (S-VLAN 4094 carrying C-VLAN 100) and also run over the outer
dnl S-VLAN alone. vlan-limit=0 lets the bridge look past the outer tag.
2768 OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
2771 ADD_NAMESPACES(at_ns0, at_ns1)
2773 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2774 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2776 ADD_SVLAN(p0, at_ns0, 4094, "fc00:ffff::3/96")
2777 ADD_SVLAN(p1, at_ns1, 4094, "fc00:ffff::4/96")
2779 ADD_CVLAN(p0.4094, at_ns0, 100, "fc00:1::3/96")
2780 ADD_CVLAN(p1.4094, at_ns1, 100, "fc00:1::4/96")
2782 dnl Sending ping through conntrack
2783 AT_DATA([flows.txt], [dnl
2784 priority=1,action=drop
2785 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
2786 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
2787 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
2788 priority=100,icmp6,icmp_type=135,action=normal
2789 priority=100,icmp6,icmp_type=136,action=normal
2792 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Wait until the double-tagged IPv6 path is up before the fragmentation checks.
2794 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00:1::4])
2796 dnl Ipv6 fragmentation connectivity check.
2797 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
2798 3 packets transmitted, 3 received, 0% packet loss, time 0ms
2801 dnl Ipv6 fragmentation connectivity check. (outer svlan)
2802 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:ffff::4 | FORMAT_PING], [0], [dnl
2803 3 packets transmitted, 3 received, 0% packet loss, time 0ms
2806 dnl Ipv6 larger fragmentation connectivity check.
2807 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
2808 3 packets transmitted, 3 received, 0% packet loss, time 0ms
2811 dnl Ipv6 larger fragmentation connectivity check. (outer svlan)
2812 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:ffff::4 | FORMAT_PING], [0], [dnl
2813 3 packets transmitted, 3 received, 0% packet loss, time 0ms
2816 OVS_TRAFFIC_VSWITCHD_STOP
2819 AT_SETUP([conntrack - IPv6 fragmentation incomplete reassembled packet])
dnl Inject a single IPv6 fragment and nothing else. Reassembly cannot
dnl complete, so ct(commit) must not create an entry: the conntrack dump for
dnl fc00::2 at the end is expected to be empty.
2821 OVS_TRAFFIC_VSWITCHD_START()
2822 DPCTL_SET_MIN_FRAG_SIZE()
2824 ADD_NAMESPACES(at_ns0, at_ns1)
2826 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2827 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2829 AT_DATA([bundle.txt], [dnl
2830 packet-out in_port=1, packet=50540000000a50540000000986dd6000000001a02cfffc000000000000000000000000000001fc0000000000000000000000000000021100000100000001000100020008f62900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809, actions=ct(commit)
2833 AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
2835 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
2838 OVS_TRAFFIC_VSWITCHD_STOP
2841 AT_SETUP([conntrack - IPv6 fragmentation with fragments specified])
dnl The first fragment is followed by the trailing fragment in order, so the
dnl UDP datagram is reassembled and committed: the dump shows one udp entry.
2843 OVS_TRAFFIC_VSWITCHD_START()
2844 DPCTL_SET_MIN_FRAG_SIZE()
2846 ADD_NAMESPACES(at_ns0, at_ns1)
2848 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2849 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2851 AT_DATA([bundle.txt], [dnl
2852 packet-out in_port=1, packet=50540000000a50540000000986dd6000000001a02cfffc000000000000000000000000000001fc0000000000000000000000000000021100000100000001000100020008ba0200010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809, actions=ct(commit)
2853 packet-out in_port=1, packet=50540000000a50540000000986dd6000000000242cfffc000000000000000000000000000001fc000000000000000000000000000002110001980000000100010002000800000001020304050607080900010203040506070809, actions=ct(commit)
2856 AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
2858 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
2859 udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>)
2862 OVS_TRAFFIC_VSWITCHD_STOP
2865 AT_SETUP([conntrack - IPv6 fragmentation out of order])
dnl The trailing fragment (the same packet as the second packet-out of the
dnl 'fragments specified' test) is injected before the first fragment.
dnl Reassembly must still complete and commit a single udp entry.
2867 OVS_TRAFFIC_VSWITCHD_START()
2868 DPCTL_SET_MIN_FRAG_SIZE()
2870 ADD_NAMESPACES(at_ns0, at_ns1)
2872 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2873 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2875 AT_DATA([bundle.txt], [dnl
2876 packet-out in_port=1, packet=50540000000a50540000000986dd6000000000242cfffc000000000000000000000000000001fc000000000000000000000000000002110001980000000100010002000800000001020304050607080900010203040506070809, actions=ct(commit)
2877 packet-out in_port=1, packet=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, actions=ct(commit)
2880 AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
2882 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
2883 udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>)
2886 OVS_TRAFFIC_VSWITCHD_STOP
2889 AT_SETUP([conntrack - IPv6 fragmentation, multiple extension headers])
dnl Both fragments carry an additional extension header (presumably hop-by-hop)
dnl ahead of the Fragment header; conntrack has to walk the chain to find the
dnl UDP payload. In-order delivery must reassemble and commit one udp entry.
2891 CHECK_CONNTRACK_FRAG_IPV6_MULT_EXTEN()
2892 OVS_TRAFFIC_VSWITCHD_START()
2893 DPCTL_SET_MIN_FRAG_SIZE()
2895 ADD_NAMESPACES(at_ns0, at_ns1)
2897 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2898 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2900 # Add different extension headers
2901 AT_DATA([bundle.txt], [dnl
2902 packet-out in_port=1, packet=50540000000a50540000000986dd60000000019800fffc000000000000000000000000000001fc0000000000000000000000000000022c000000000000001100000100000001000100020008d62c00010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607, actions=ct(commit)
2903 packet-out in_port=1, packet=50540000000a50540000000986dd60000000002c00fffc000000000000000000000000000001fc0000000000000000000000000000022c00000000000000110001880000000100010002000800000001020304050607080900010203040506070809, actions=ct(commit)
2906 AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
2908 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
2909 udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>)
2912 OVS_TRAFFIC_VSWITCHD_STOP
2915 AT_SETUP([conntrack - IPv6 fragmentation, multiple extension headers + out of order])
dnl Same two fragments as the previous test, injected trailing fragment first.
dnl Reassembly must still complete and commit a single udp entry.
2917 CHECK_CONNTRACK_FRAG_IPV6_MULT_EXTEN()
2918 OVS_TRAFFIC_VSWITCHD_START()
2919 DPCTL_SET_MIN_FRAG_SIZE()
2921 ADD_NAMESPACES(at_ns0, at_ns1)
2923 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2924 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2926 # Add different extension headers
2927 AT_DATA([bundle.txt], [dnl
2928 packet-out in_port=1, packet=50540000000a50540000000986dd60000000002c00fffc000000000000000000000000000001fc0000000000000000000000000000022c00000000000000110001880000000100010002000800000001020304050607080900010203040506070809, actions=ct(commit)
2929 packet-out in_port=1, packet=50540000000a50540000000986dd60000000019800fffc000000000000000000000000000001fc0000000000000000000000000000022c000000000000001100000100000001000100020008d62c00010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607, actions=ct(commit)
2932 AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
2934 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
2935 udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>)
2938 OVS_TRAFFIC_VSWITCHD_STOP
2941 AT_SETUP([conntrack - IPv6 fragmentation, multiple extension headers 2])
dnl Variant of the "multiple extension headers" test: the extension header
dnl ahead of the Fragment header carries different option bytes (05020000
dnl instead of all zeros). In-order delivery must still reassemble and commit
dnl one udp entry.
2943 CHECK_CONNTRACK_FRAG_IPV6_MULT_EXTEN()
2944 OVS_TRAFFIC_VSWITCHD_START()
2945 DPCTL_SET_MIN_FRAG_SIZE()
2947 ADD_NAMESPACES(at_ns0, at_ns1)
2949 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2950 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2952 # Add different extension headers
2953 AT_DATA([bundle.txt], [dnl
2954 packet-out in_port=1, packet=50540000000a50540000000986dd60000000019800fffc000000000000000000000000000001fc0000000000000000000000000000022c000000050200001100000100000001000100020008d62c00010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607, actions=ct(commit)
2955 packet-out in_port=1, packet=50540000000a50540000000986dd60000000002c00fffc000000000000000000000000000001fc0000000000000000000000000000022c00000005020000110001880000000100010002000800000001020304050607080900010203040506070809, actions=ct(commit)
2958 AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
2960 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
2961 udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>)
2964 OVS_TRAFFIC_VSWITCHD_STOP
2967 AT_SETUP([conntrack - IPv6 fragmentation, multiple extension headers 2 + out of order])
dnl Same two fragments as the "multiple extension headers 2" test, injected
dnl trailing fragment first. Reassembly must still complete and commit a
dnl single udp entry.
2969 CHECK_CONNTRACK_FRAG_IPV6_MULT_EXTEN()
2970 OVS_TRAFFIC_VSWITCHD_START()
2971 DPCTL_SET_MIN_FRAG_SIZE()
2973 ADD_NAMESPACES(at_ns0, at_ns1)
2975 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2976 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2978 # Add different extension headers
2979 AT_DATA([bundle.txt], [dnl
2980 packet-out in_port=1, packet=50540000000a50540000000986dd60000000002c00fffc000000000000000000000000000001fc0000000000000000000000000000022c00000005020000110001880000000100010002000800000001020304050607080900010203040506070809, actions=ct(commit)
2981 packet-out in_port=1, packet=50540000000a50540000000986dd60000000019800fffc000000000000000000000000000001fc0000000000000000000000000000022c000000050200001100000100000001000100020008d62c00010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607, actions=ct(commit)
2984 AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
2986 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
2987 udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>)
2990 OVS_TRAFFIC_VSWITCHD_STOP
2993 AT_SETUP([conntrack - Fragmentation over vxlan])
dnl ICMP between the host stack and a VXLAN peer in at_ns0, with ping sizes
dnl large enough to be fragmented on the overlay.  Checks that conntrack
dnl reassembles the fragments before the ct() lookups run, so the
dnl "established only" rule for traffic leaving LOCAL still matches fragmented
dnl replies instead of letting them fall to the default drop.
2996 CHECK_CONNTRACK_LOCAL_STACK()
2998 OVS_TRAFFIC_VSWITCHD_START()
2999 ADD_BR([br-underlay])
3000 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
3002 ADD_NAMESPACES(at_ns0)
3004 dnl Sending ping through conntrack
3005 AT_DATA([flows.txt], [dnl
dnl Default deny; ARP is the only untracked traffic allowed through.
3006 priority=1,action=drop
3007 priority=10,arp,action=normal
dnl Tunnel ingress (port 1 = at_vxlan0): commit every ICMP packet to zone 9
dnl and hand it to the host stack.
3008 priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
dnl Host stack egress: look the packet up in zone 9 and recirculate to table 1,
dnl where only an established reply is output to the tunnel.  A packet the
dnl host originates itself is not output to the tunnel by any rule here.
3009 priority=100,in_port=LOCAL,icmp,action=ct(table=1,zone=9)
3010 table=1,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
3013 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3015 dnl Set up underlay link from host into the namespace using veth pair.
3016 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
3017 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
3018 AT_CHECK([ip link set dev br-underlay up])
3020 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
3021 dnl linux device inside the namespace.
3022 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
3023 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
3024 [id 0 dstport 4789])
3026 dnl First, check the underlay
3027 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3028 3 packets transmitted, 3 received, 0% packet loss, time 0ms
3031 dnl Okay, now check the overlay with different packet sizes
dnl 1600- and 3200-byte payloads exceed the usual 1500-byte MTU (assumed here)
dnl once VXLAN encapsulation is added, so these pings travel as fragments.  All
dnl three sizes must show 0% loss for the reassembly path to count as working.
3032 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3033 3 packets transmitted, 3 received, 0% packet loss, time 0ms
3035 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3036 3 packets transmitted, 3 received, 0% packet loss, time 0ms
3038 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3039 3 packets transmitted, 3 received, 0% packet loss, time 0ms
3042 OVS_TRAFFIC_VSWITCHD_STOP
3045 AT_SETUP([conntrack - IPv6 Fragmentation over vxlan])
dnl IPv6 variant of the previous case: fragmented ICMPv6 echo over a VXLAN
dnl tunnel, with replies from the host stack allowed only when conntrack
dnl (zone 9) reports them as established.
3048 CHECK_CONNTRACK_LOCAL_STACK()
3050 OVS_TRAFFIC_VSWITCHD_START()
3051 ADD_BR([br-underlay])
3052 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
3054 ADD_NAMESPACES(at_ns0)
3056 dnl Sending ping through conntrack
3057 AT_DATA([flows.txt], [dnl
dnl Default deny.
3058 priority=1,action=drop
dnl Tunnel ingress: commit all IPv6 to zone 9 and deliver to the host stack.
3059 priority=100,in_port=1,ipv6,action=ct(commit,zone=9),LOCAL
dnl Host egress: zone 9 lookup, then only established traffic goes back out.
3060 priority=100,in_port=LOCAL,ipv6,action=ct(table=1,zone=9)
3061 table=1,in_port=LOCAL,ct_state=+trk+est,ipv6,action=1
3063 dnl Neighbour Discovery
dnl ICMPv6 types 135/136 (neighbour solicitation/advertisement) bypass
dnl conntrack in both directions; without this the overlay addresses could
dnl never be resolved and every ping below would fail.
3064 priority=1000,icmp6,icmp_type=135,action=normal
3065 priority=1000,icmp6,icmp_type=136,action=normal
3068 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3070 dnl Set up underlay link from host into the namespace using veth pair.
3071 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
3072 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
3073 AT_CHECK([ip link set dev br-underlay up])
3075 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
3076 dnl linux device inside the namespace.
3077 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], ["fc00::2/96"])
3078 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], ["fc00::1/96"],
3079 [id 0 dstport 4789])
3081 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
3082 dnl waiting, we get occasional failures due to the following error:
3083 dnl "connect: Cannot assign requested address"
3084 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
3086 dnl First, check the underlay
3087 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3088 3 packets transmitted, 3 received, 0% packet loss, time 0ms
3091 dnl Okay, now check the overlay with different packet sizes
dnl The 1600- and 3200-byte pings are fragmented on the overlay (assuming the
dnl default 1500-byte MTU); conntrack must reassemble them before the zone 9
dnl lookup for the reply to be seen as established.
3092 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3093 3 packets transmitted, 3 received, 0% packet loss, time 0ms
3095 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3096 3 packets transmitted, 3 received, 0% packet loss, time 0ms
3098 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3099 3 packets transmitted, 3 received, 0% packet loss, time 0ms
3102 OVS_TRAFFIC_VSWITCHD_STOP
3105 AT_SETUP([conntrack - resubmit to ct multiple times])
dnl Checks that two ct() actions reached by two resubmits on the same packet
dnl each recirculate into table 3 and are both counted there.
dnl fail-mode secure: with no controller attached the bridge must not fall
dnl back to NORMAL forwarding, so only the flows below decide what happens.
3108 OVS_TRAFFIC_VSWITCHD_START(
3109 [set-fail-mode br0 secure -- ])
3111 ADD_NAMESPACES(at_ns0, at_ns1)
3113 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
3114 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
3116 AT_DATA([flows.txt], [dnl
3117 table=0,priority=150,arp,action=normal
dnl Every IP packet from port 1 is sent down both branches.
3118 table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)
dnl Each branch does a conntrack lookup (no commit) and recirculates to table 3.
3120 table=1,ip,action=ct(table=3)
3121 table=2,ip,action=ct(table=3)
dnl Table 3 drops, so the ping is expected to get no reply; the point is the
dnl counters, not connectivity.
3123 table=3,ip,action=drop
3126 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
3128 NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
3129 1 packets transmitted, 0 received, 100% packet loss, time 0ms
dnl One 98-byte echo request hit table 0, one copy each hit tables 1 and 2,
dnl and table 3 saw both recirculated copies (2 packets, 196 bytes).
3132 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
3133 n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
3134 n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
3135 table=1, n_packets=1, n_bytes=98, ip actions=ct(table=3)
3136 table=2, n_packets=1, n_bytes=98, ip actions=ct(table=3)
3137 table=3, n_packets=2, n_bytes=196, ip actions=drop
3141 OVS_TRAFFIC_VSWITCHD_STOP
3144 AT_BANNER([conntrack - L7])
3146 AT_SETUP([conntrack - IPv4 HTTP])
dnl Stateful one-way TCP policy: new connections may only be opened from ns0
dnl to ns1; ns1 may only send packets on connections that ns0 committed.
3148 OVS_TRAFFIC_VSWITCHD_START()
3150 ADD_NAMESPACES(at_ns0, at_ns1)
3152 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
3153 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
3155 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl ("nd" = neighbour discovery, which for IPv4 is the ARP rule below.  Note that
dnl ICMP is also allowed untracked in both directions at priority 10.)
3156 AT_DATA([flows.txt], [dnl
dnl Default deny.
3157 priority=1,action=drop
3158 priority=10,arp,action=normal
3159 priority=10,icmp,action=normal
dnl Port 1 (ns0): commit every TCP packet to conntrack, then forward to port 2.
3160 priority=100,in_port=1,tcp,action=ct(commit),2
dnl Port 2 (ns1): untracked TCP is looked up and recirculated to table 0; it is
dnl forwarded only if the lookup says "established".  A SYN from ns1 comes back
dnl +trk+new, matches neither rule and falls through to the priority=1 drop.
3161 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
3162 priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
3165 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl An HTTP server is started in ns0 as well, so the ns1->ns0 failure below is
dnl caused by the flow policy and not by a closed port.
3167 OVS_START_L7([at_ns0], [http])
3168 OVS_START_L7([at_ns1], [http])
3170 dnl HTTP requests from ns0->ns1 should work fine.
3171 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The committed connection shows up in conntrack with ns0 as the originator.
3172 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
3173 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3176 dnl HTTP requests from ns1->ns0 should fail due to network failure.
3177 dnl Try 3 times, in 1 second intervals.
dnl Exit status 4 is wget's "network failure"; the SYNs are silently dropped.
3178 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 --retry-connrefused -v -o wget1.log], [4])
3180 OVS_TRAFFIC_VSWITCHD_STOP
3183 AT_SETUP([conntrack - IPv6 HTTP])
dnl IPv6 version of the one-way HTTP policy: TCP connections may only be
dnl initiated from ns0; ns1 gets only established return traffic.
3185 OVS_TRAFFIC_VSWITCHD_START()
3187 ADD_NAMESPACES(at_ns0, at_ns1)
3189 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
3190 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
3192 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
3193 AT_DATA([flows.txt], [dnl
dnl Default deny.  All ICMPv6 (which carries neighbour discovery) is allowed
dnl untracked in both directions.
3194 priority=1,action=drop
3195 priority=10,icmp6,action=normal
dnl Port 1 (ns0): commit and forward.
3196 priority=100,in_port=1,tcp6,action=ct(commit),2
dnl Port 2 (ns1): lookup + recirculate, then forward only established traffic;
dnl a new connection from ns1 ends up at the priority=1 drop.
3197 priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
3198 priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
3201 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3203 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
3204 dnl waiting, we get occasional failures due to the following error:
3205 dnl "connect: Cannot assign requested address"
3206 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
dnl Servers in both namespaces, so the ns1->ns0 failure is due to the policy.
3208 OVS_START_L7([at_ns0], [http6])
3209 OVS_START_L7([at_ns1], [http6])
3211 dnl HTTP requests from ns0->ns1 should work fine.
3212 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
3213 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
3214 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3217 dnl HTTP requests from ns1->ns0 should fail due to network failure.
3218 dnl Try 3 times, in 1 second intervals.
dnl Exit status 4 is wget's "network failure".
3219 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 --retry-connrefused -v -o wget1.log], [4])
3221 OVS_TRAFFIC_VSWITCHD_STOP
3224 AT_SETUP([conntrack - commit, recirc])
dnl Two independent client/server pairs on one bridge, each tracked through a
dnl different commit/recirculate pattern:
dnl  p0<->p1: port 1 commits on the first (untracked) pass and forwards once the
dnl           packet comes back tracked; port 2 only looks up.
dnl  p2<->p3: port 3 uses the metadata field as a stage marker to go through
dnl           ct() twice (lookup, then commit) before output; port 4 commits.
dnl Both wget requests must succeed.
3226 OVS_TRAFFIC_VSWITCHD_START()
3228 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
3230 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
3231 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
3232 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
3233 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
3235 dnl Allow any traffic from ns0->ns1, ns2->ns3.
3236 AT_DATA([flows.txt], [dnl
dnl Default deny; ARP and ICMP pass untracked.
3237 priority=1,action=drop
3238 priority=10,arp,action=normal
3239 priority=10,icmp,action=normal
dnl Pair 1: commit + recirculate on the untracked pass, output on the tracked one.
3240 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
3241 priority=100,in_port=1,tcp,ct_state=+trk,action=2
3242 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
3243 priority=100,in_port=2,tcp,ct_state=+trk,action=1
dnl Pair 2, port 3: metadata is explicitly reset to 0 on the first pass so a
dnl stale value cannot skip the commit; pass 2 (metadata=0) commits and sets
dnl metadata=1; pass 3 (metadata=1) finally outputs.
3244 priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
3245 priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
3246 priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
3247 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
3248 priority=100,in_port=4,tcp,ct_state=+trk,action=3
3251 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3253 OVS_START_L7([at_ns1], [http])
3254 OVS_START_L7([at_ns3], [http])
3256 dnl HTTP requests from p0->p1 should work fine.
3257 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
3259 dnl HTTP requests from p2->p3 should work fine.
3260 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
3262 OVS_TRAFFIC_VSWITCHD_STOP
3265 AT_SETUP([conntrack - multiple zones, local])
dnl Connections from the host stack are committed into two independent zones
dnl (1 and 2).  Return traffic from ns0 must be "established" in zone 1 AND in
dnl zone 2 (table 1, then table 2) before it may reach the host, and every
dnl tracked flow is expected to appear twice in the dump, once per zone.
3267 CHECK_CONNTRACK_LOCAL_STACK()
3268 OVS_TRAFFIC_VSWITCHD_START()
3270 ADD_NAMESPACES(at_ns0)
3272 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
3273 AT_CHECK([ip link set dev br0 up])
3274 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
3275 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
3277 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
3278 dnl return traffic from ns0 back to the local stack.
3279 AT_DATA([flows.txt], [dnl
dnl Default deny; ARP passes untracked.
3280 priority=1,action=drop
3281 priority=10,arp,action=normal
dnl Untracked packets from LOCAL are dropped outright.  Nothing here calls ct()
dnl before this check, so the test presumably relies on packets leaving the host
dnl stack already carrying conntrack state (which CHECK_CONNTRACK_LOCAL_STACK
dnl appears to gate on) -- the zone entries in the dump below bear that out.
3282 priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
dnl Host-originated traffic is committed to both zones, then sent to ns0.
3283 priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
3284 priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
dnl Return path: zone 1 lookup -> must be established -> zone 2 lookup -> must
dnl be established -> LOCAL.  Failing either lookup leaves no matching rule.
3285 priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
3286 table=1,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
3287 table=2,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
3290 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3292 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3293 3 packets transmitted, 3 received, 0% packet loss, time 0ms
3296 OVS_START_L7([at_ns0], [http])
3298 dnl HTTP requests from root namespace to p0 should work fine.
3299 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
3301 dnl (again) HTTP requests from root namespace to p0 should work fine.
3302 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Each connection (the ICMP echo and the TCP session) exists in both zones.
3304 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
3305 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
3306 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=2
3307 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
3308 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
3311 OVS_TRAFFIC_VSWITCHD_STOP
3314 AT_SETUP([conntrack - multi-stage pipeline, local])
dnl Ingress/egress-style pipeline where the conntrack zone is derived from the
dnl port: the ingress zone is the input port number, the egress zone is the
dnl output port number (kept in REG0).  65534 is the LOCAL port number, so
dnl host<->ns0 traffic ends up in zones 65534 and 1.
3316 CHECK_CONNTRACK_LOCAL_STACK()
3317 OVS_TRAFFIC_VSWITCHD_START()
3319 ADD_NAMESPACES(at_ns0)
3321 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
3322 AT_CHECK([ip link set dev br0 up])
3323 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
3324 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
3326 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
3327 dnl return traffic from ns0 back to the local stack.
3328 AT_DATA([flows.txt], [dnl
3330 table=0,priority=1,action=drop
3331 table=0,priority=10,arp,action=normal
3333 dnl Load the output port to REG0
dnl Static two-port "routing": LOCAL -> port 1, port 1 -> LOCAL (65534).
3334 table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
3335 table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
3337 dnl Ingress pipeline
3338 dnl - Allow all connections from LOCAL port (commit and proceed to egress)
3339 dnl - All other connections go through conntracker using the input port as
3340 dnl   a connection tracking zone.
dnl The priority=150 rule matches +trk+new from LOCAL before any ct() in this
dnl pipeline has run; the zone=65534 entries in the dump below are only ever
dnl committed by this rule, which implies packets from the host stack arrive
dnl already tracked (presumably by the host's own conntrack).
3341 table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,table=2,zone=OXM_OF_IN_PORT[[0..15]])
3342 table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
3343 table=1,priority=1,action=drop
3346 dnl - Allow all connections from LOCAL port (commit and skip to output)
3347 dnl - Allow other established connections to go through conntracker using
3348 dnl   output port as a connection tracking zone.
dnl Anything that was not established in the ingress zone hits the priority=1
dnl drop here, so a new connection from ns0 never reaches the egress lookup.
3349 table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,table=4,zone=NXM_NX_REG0[[0..15]])
3350 table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
3351 table=2,priority=1,action=drop
3353 dnl Only allow established traffic from egress ct lookup
3354 table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
3355 table=3,priority=1,action=drop
dnl Output to whatever port was loaded into REG0 in table 0.
3358 table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
3361 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3363 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3364 3 packets transmitted, 3 received, 0% packet loss, time 0ms
3367 OVS_START_L7([at_ns0], [http])
3369 dnl HTTP requests from root namespace to p0 should work fine.
3370 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
3372 dnl (again) HTTP requests from root namespace to p0 should work fine.
3373 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Each connection appears once in the ingress zone (65534 = LOCAL) and once
dnl in the egress zone (1 = p0).
3375 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
3376 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
3377 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=65534
3378 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
3379 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=<cleared>)
3382 OVS_TRAFFIC_VSWITCHD_STOP
3385 AT_SETUP([conntrack - limit by zone])
dnl Per-zone connection limits cap how many entries a zone may hold, so a single
dnl zone (tenant, port, ...) cannot fill the whole conntrack table.  The test
dnl sets a default plus explicit limits, deletes some so they revert to the
dnl default, then commits more connections than allowed and checks that only
dnl `limit` of them were actually created.
3387 CHECK_CT_DPIF_PER_ZONE_LIMIT()
3388 OVS_TRAFFIC_VSWITCHD_START()
3390 ADD_NAMESPACES(at_ns0, at_ns1)
3392 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
3393 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
3395 AT_DATA([flows.txt], [dnl
3396 priority=1,action=drop
3397 priority=10,arp,action=normal
dnl UDP from port 1 is committed to the default zone (0), UDP from port 2 to zone 3.
3398 priority=100,in_port=1,udp,action=ct(commit),2
3399 priority=100,in_port=2,udp,action=ct(zone=3,commit),1
3402 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl default=10 applies to any zone without an explicit limit.  Deleting the
dnl limits for zones 1, 2 and 4 makes them report the default again (zone 4
dnl never had one); zones 0 and 3 keep 5 and 3.
3404 AT_CHECK([ovs-appctl dpctl/ct-set-limits default=10 zone=0,limit=5 zone=1,limit=15 zone=2,limit=3 zone=3,limit=3])
3405 AT_CHECK([ovs-appctl dpctl/ct-del-limits zone=1,2,4])
3406 AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=0,1,2,3], [],[dnl
3408 zone=0,limit=5,count=0
3409 zone=1,limit=10,count=0
3410 zone=2,limit=10,count=0
3411 zone=3,limit=3,count=0
3414 dnl Test UDP from port 1
dnl Nine distinct UDP flows 10.1.1.1:1 -> 10.1.1.2:2..10, each a new connection
dnl in zone 0, whose limit is 5.
3415 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
3416 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000300080000 actions=resubmit(,0)"])
3417 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000400080000 actions=resubmit(,0)"])
3418 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000500080000 actions=resubmit(,0)"])
3419 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000600080000 actions=resubmit(,0)"])
3420 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000700080000 actions=resubmit(,0)"])
3421 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000800080000 actions=resubmit(,0)"])
3422 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000900080000 actions=resubmit(,0)"])
3423 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000a00080000 actions=resubmit(,0)"])
dnl Only 5 of the 9 commits may succeed.  Zones 4 and 5 were never configured
dnl and simply report the default.
3425 AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=0,1,2,3,4,5], [0], [dnl
3427 zone=0,limit=5,count=5
3428 zone=1,limit=10,count=0
3429 zone=2,limit=10,count=0
3430 zone=3,limit=3,count=0
3431 zone=4,limit=10,count=0
3432 zone=5,limit=10,count=0
3435 dnl Test ct-get-limits for all zones: with no zone list only the zones that
dnl still carry an explicit limit (0 and 3) are reported.
3436 AT_CHECK([ovs-appctl dpctl/ct-get-limits], [0], [dnl
3438 zone=0,limit=5,count=5
3439 zone=3,limit=3,count=0
dnl The first five flows (dport 2..6) exist; dport 7..10 were refused.
3442 AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.1," | sort ], [0], [dnl
3443 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),reply=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1)
3444 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=3),reply=(src=10.1.1.2,dst=10.1.1.1,sport=3,dport=1)
3445 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=4),reply=(src=10.1.1.2,dst=10.1.1.1,sport=4,dport=1)
3446 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=5),reply=(src=10.1.1.2,dst=10.1.1.1,sport=5,dport=1)
3447 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=6),reply=(src=10.1.1.2,dst=10.1.1.1,sport=6,dport=1)
3450 dnl Test UDP from port 2
dnl Five flows 10.1.1.3:1 -> 10.1.1.4:2..6 into zone 3, whose limit is 3.
3451 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101030a0101040001000200080000 actions=resubmit(,0)"])
3452 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101030a0101040001000300080000 actions=resubmit(,0)"])
3453 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101030a0101040001000400080000 actions=resubmit(,0)"])
3454 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101030a0101040001000500080000 actions=resubmit(,0)"])
3455 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101030a0101040001000600080000 actions=resubmit(,0)"])
dnl Zone 3 is capped at 3 entries; zone 0 is unaffected by the zone 3 traffic.
3457 AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=0,3], [0], [dnl
3459 zone=0,limit=5,count=5
3460 zone=3,limit=3,count=3
3463 AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.3," | sort ], [0], [dnl
3464 udp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=1,dport=2),reply=(src=10.1.1.4,dst=10.1.1.3,sport=2,dport=1),zone=3
3465 udp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=1,dport=3),reply=(src=10.1.1.4,dst=10.1.1.3,sport=3,dport=1),zone=3
3466 udp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=1,dport=4),reply=(src=10.1.1.4,dst=10.1.1.3,sport=4,dport=1),zone=3
dnl Whitelist the log lines the datapath emits for the refused commits
dnl (presumably one per packet over the limit) so the log check does not fail.
3469 OVS_TRAFFIC_VSWITCHD_STOP(["dnl
3470 /could not create datapath/d
3471 /(Cannot allocate memory) on packet/d"])
3474 AT_SETUP([FTP - no conntrack])
dnl Baseline with no conntrack at all: plain NORMAL forwarding, so active-mode
dnl FTP (server-initiated data connection) must simply work.  The conntrack
dnl FTP cases below are to be read against this.
3475 AT_SKIP_IF([test $HAVE_FTP = no])
3476 OVS_TRAFFIC_VSWITCHD_START()
3478 ADD_NAMESPACES(at_ns0, at_ns1)
3480 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
3481 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
3483 AT_DATA([flows.txt], [dnl
3484 table=0,action=normal
3487 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])
dnl NOTE(review): the pid file names are the other way round from the
dnl namespaces (at_ns0 -> ftp1.pid, at_ns1 -> ftp0.pid); harmless but confusing.
3489 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
3490 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
3491 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
3493 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode: the server opens the data connection.
3494 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
3496 AT_CHECK([find -name index.html], [0], [dnl
3500 OVS_TRAFFIC_VSWITCHD_STOP
3503 AT_SETUP([conntrack - FTP])
dnl FTP through a stateful policy with the FTP ALG (helper).  Three flow sets
dnl are tried in turn; each time connections from ns1 towards ns0 must be
dnl refused while ns0 -> ns1 control and data connections succeed, except in
dnl the last set where the helper is absent and active mode is expected to fail.
3504 AT_SKIP_IF([test $HAVE_FTP = no])
3506 CHECK_CONNTRACK_ALG()
3507 OVS_TRAFFIC_VSWITCHD_START()
3509 ADD_NAMESPACES(at_ns0, at_ns1)
3511 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
3512 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
3514 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl flows1: every TCP packet from p0 is committed with the FTP helper attached
dnl and forwarded.  From p1 only packets conntrack reports as established
dnl (control channel replies) or related (the data connection the helper has
dnl announced as expected) are forwarded.
3515 AT_DATA([flows1.txt], [dnl
3516 table=0,priority=1,action=drop
3517 table=0,priority=10,arp,action=normal
3518 table=0,priority=10,icmp,action=normal
3519 table=0,priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
3520 table=0,priority=100,in_port=2,tcp,action=ct(table=1)
3521 table=1,in_port=2,tcp,ct_state=+trk+est,action=1
3522 table=1,in_port=2,tcp,ct_state=+trk+rel,action=1
3525 dnl Similar policy but without allowing all traffic from ns0->ns1.
dnl flows2: only +new connections from p0 are committed (with helper); from p1
dnl a new connection is committed only if it is related, i.e. the server's
dnl active-mode data connection.  Established traffic passes both ways.
dnl NOTE(review): the helper is attached to every new TCP connection from port 1
dnl regardless of destination port, unlike the IPv6 cases below which scope
dnl alg=ftp to tp_dst=21.  Fine for a test; a real policy should restrict the
dnl helper to the control port, since it derives the expected (related) data
dnl connection from what it parses in the control stream.
3526 AT_DATA([flows2.txt], [dnl
3527 table=0,priority=1,action=drop
3528 table=0,priority=10,arp,action=normal
3529 table=0,priority=10,icmp,action=normal
3531 dnl Allow outgoing TCP connections, and treat them as FTP
3532 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
3533 table=1,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
3534 table=1,in_port=1,tcp,ct_state=+trk+est,action=2
3536 dnl Allow incoming FTP data connections and responses to existing connections
3537 table=0,priority=100,in_port=2,tcp,action=ct(table=1)
3538 table=1,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
3539 table=1,in_port=2,tcp,ct_state=+trk+est,action=1
3540 table=1,in_port=2,tcp,ct_state=+trk-new+rel,action=1
3543 dnl flows3 is same as flows1, except no ALG is specified.
dnl Without the helper the server-initiated data connection is neither
dnl established nor related, so active-mode transfers are expected to fail
dnl even though the control connection itself is tracked.
3544 AT_DATA([flows3.txt], [dnl
3545 table=0,priority=1,action=drop
3546 table=0,priority=10,arp,action=normal
3547 table=0,priority=10,icmp,action=normal
3548 table=0,priority=100,in_port=1,tcp,action=ct(commit),2
3549 table=0,priority=100,in_port=2,tcp,action=ct(table=1)
3550 table=1,in_port=2,tcp,ct_state=+trk+est,action=1
3551 table=1,in_port=2,tcp,ct_state=+trk+rel,action=1
3554 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
dnl FTP servers in both namespaces, so p1->p0 failures are due to the policy.
3556 OVS_START_L7([at_ns0], [ftp])
3557 OVS_START_L7([at_ns1], [ftp])
3559 dnl FTP requests from p1->p0 should fail due to network failure.
3560 dnl Try 3 times, in 1 second intervals.
dnl Exit 4 = wget network failure; no conntrack entry towards 10.1.1.1 is
dnl expected because the refused attempt was never committed.
3561 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
3562 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
3565 dnl FTP requests from p0->p1 should work fine.
dnl The control connection carries helper=ftp.
3566 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
3567 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
3568 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
3571 dnl Try the second set of flows.
dnl Flush so entries committed under flows1 cannot make flows2 look permissive.
3572 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
3573 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
3575 dnl FTP requests from p1->p0 should fail due to network failure.
3576 dnl Try 3 times, in 1 second intervals.
3577 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
3578 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
3581 dnl Active FTP requests from p0->p1 should work fine.
dnl Two entries: the control connection (with helper) and the server-initiated
dnl data connection, whose orig direction is 10.1.1.2 -> 10.1.1.1 and which was
dnl let in by the +new+rel rule.
3582 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
3583 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
3584 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
3585 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3588 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
3590 dnl Passive FTP requests from p0->p1 should work fine.
dnl Passive mode: the client opens the data connection, which the port 1 rules
dnl allow anyway.  Only the control connection is expected in the filtered dump.
3591 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
3592 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
3593 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
3596 dnl Try the third set of flows, without alg specifier.
3597 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows3.txt])
3598 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
3600 dnl FTP control requests from p0->p1 should work fine, but helper will not be assigned.
dnl Hence active mode fails (exit 4): the data connection from 10.1.1.2 is not
dnl related to anything, and the dump shows the control entry without helper=.
3601 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-3.log], [4])
3602 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
3603 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3606 OVS_TRAFFIC_VSWITCHD_STOP
3609 AT_SETUP([conntrack - FTP over IPv6])
dnl Active-mode FTP over IPv6 with the helper scoped to the control port:
dnl only a new connection to tp_dst=21 from port 1 gets alg=ftp, and the only
dnl new connection accepted from port 2 is one the helper marked as related
dnl (the server-initiated data connection).
3610 AT_SKIP_IF([test $HAVE_FTP = no])
3612 CHECK_CONNTRACK_ALG()
3613 OVS_TRAFFIC_VSWITCHD_START()
3615 ADD_NAMESPACES(at_ns0, at_ns1)
3617 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
3618 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
3620 dnl Allow any traffic from ns0->ns1.
3621 dnl Only allow nd, return traffic from ns1->ns0.
3622 AT_DATA([flows.txt], [dnl
3623 dnl Track all IPv6 traffic and drop the rest.
3624 dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
3625 table=0 priority=100 in_port=1 icmp6, action=2
3626 table=0 priority=100 in_port=2 icmp6, action=1
3627 table=0 priority=10 ip6, action=ct(table=1)
3628 table=0 priority=0 action=drop
3632 dnl Allow new TCPv6 FTP control connections from port 1.
dnl Restricting alg=ftp to tp_dst=21 keeps the helper off unrelated TCP.
3633 table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
3634 dnl Allow related TCPv6 connections from port 2.
dnl This is the pinhole for active-mode data connections; nothing else new
dnl from port 2 is committed.
3635 table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
3636 dnl Allow established TCPv6 connections both ways.
3637 table=1 in_port=1 ct_state=+est, tcp6, action=2
3638 table=1 in_port=2 ct_state=+est, tcp6, action=1
3639 dnl Drop everything else.
3640 table=1 priority=0, action=drop
3643 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3645 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
3646 dnl waiting, we get occasional failures due to the following error:
3647 dnl "connect: Cannot assign requested address"
3648 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
3650 OVS_START_L7([at_ns1], [ftp])
3652 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode so the related-connection path is used.
3653 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
3655 dnl Discards CLOSE_WAIT and CLOSING
dnl Expected: the control connection (helper=ftp) and the data connection the
dnl server opened towards fc00::1 (orig direction reversed, no helper).
3656 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
3657 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
3658 tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3661 OVS_TRAFFIC_VSWITCHD_STOP
3664 AT_SETUP([conntrack - IPv6 FTP Passive])
dnl Passive-mode FTP over IPv6: the client (port 1) opens the data connection,
dnl so the related-connection pinhole is on port 1 here and port 2 may only send
dnl established traffic.
3665 AT_SKIP_IF([test $HAVE_FTP = no])
3667 CHECK_CONNTRACK_ALG()
3668 OVS_TRAFFIC_VSWITCHD_START()
3670 ADD_NAMESPACES(at_ns0, at_ns1)
dnl Fixed MACs and static neighbour entries on both sides, presumably so the
dnl test does not depend on neighbour discovery completing.
3672 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
3673 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
3674 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
3675 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:99])
3676 NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::2 lladdr 80:88:88:88:88:99 dev p0])
3677 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::1 lladdr 80:88:88:88:88:88 dev p1])
3679 dnl Allow any traffic from ns0->ns1.
3680 dnl Only allow nd, return traffic from ns1->ns0.
3681 AT_DATA([flows.txt], [dnl
3682 dnl Track all IPv6 traffic and drop the rest.
3683 dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
3684 table=0 priority=100 in_port=1 icmp6, action=2
3685 table=0 priority=100 in_port=2 icmp6, action=1
3686 table=0 priority=10 ip6, action=ct(table=1)
3687 table=0 priority=0 action=drop
3691 dnl Allow new TCPv6 FTP control connections from port 1.
dnl Helper only on the control port.
3692 table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
3693 dnl Allow related TCPv6 connections from port 1.
dnl Client-initiated (passive) data connection; note there is no +new rule for
dnl port 2 at all, so the server cannot open anything towards the client.
3694 table=1 in_port=1 ct_state=+new+rel, tcp6, action=ct(commit),2
3695 dnl Allow established TCPv6 connections both ways.
3696 table=1 in_port=1 ct_state=+est, tcp6, action=2
3697 table=1 in_port=2 ct_state=+est, tcp6, action=1
3698 dnl Drop everything else.
3699 table=1 priority=0, action=drop
3702 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3704 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
3705 dnl waiting, we get occasional failures due to the following error:
3706 dnl "connect: Cannot assign requested address"
3707 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
3709 OVS_START_L7([at_ns1], [ftp])
3711 dnl FTP passive requests from p0->p1 should work fine.
dnl No --no-passive-ftp here, so wget uses passive mode.
3712 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
3714 dnl Discards CLOSE_WAIT and CLOSING
dnl Both entries originate from fc00::1: the data connection (no helper) and
dnl the control connection (helper=ftp).
3715 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
3716 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3717 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
3720 OVS_TRAFFIC_VSWITCHD_STOP
dnl FTP across two conntrack zones. Every connection is committed to both
dnl zone 1 and zone 2, so a single PORT/PASV exchange has to yield an
dnl expectation in each zone ("multiple expectations").
3723 AT_SETUP([conntrack - FTP with multiple expectations])
3724 AT_SKIP_IF([test $HAVE_FTP = no])
3726 CHECK_CONNTRACK_ALG()
3727 OVS_TRAFFIC_VSWITCHD_START()
3729 ADD_NAMESPACES(at_ns0, at_ns1)
3731 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
3732 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
3734 dnl Dual-firewall, allow all from ns1->ns2, allow established and ftp ns2->ns1.
dnl NOTE(review): "ns1"/"ns2" in the comments of this flow table presumably
dnl mean in_port=1 (p0 in at_ns0) and in_port=2 (p1 in at_ns1), not the
dnl namespace names used elsewhere in the file.
3735 AT_DATA([flows.txt], [dnl
3736 table=0,priority=1,action=drop
3737 table=0,priority=10,arp,action=normal
3738 table=0,priority=10,icmp,action=normal
3740 dnl Traffic from ns1
3741 table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1)
dnl New, non-related connections are committed in both zones with the ALG.
3742 table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new-rel,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
3743 table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new+rel,action=ct(commit,zone=1),ct(commit,zone=2),2
dnl Established traffic must be established in zone 1 and then in zone 2.
3744 table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,zone=2)
3745 table=2,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
3747 dnl Traffic from ns2
dnl From port 2 only related (server-opened data connections) and established
dnl traffic passes; there is deliberately no +new rule in this direction.
3748 table=0,priority=100,in_port=2,tcp,action=ct(table=1,zone=2)
3749 table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
3750 table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,zone=1)
3751 table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
3752 table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
3755 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3757 OVS_START_L7([at_ns0], [ftp])
3758 OVS_START_L7([at_ns1], [ftp])
3760 dnl FTP requests from p1->p0 should fail due to network failure.
3761 dnl Try 3 times, in 1 second intervals.
dnl The control connection from port 2 is neither related nor established,
dnl so wget must give up with exit status 4 (its network-failure code).
3762 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
dnl No conntrack entry toward 10.1.1.1 should exist; the expected dump is empty.
3763 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
3766 dnl Active FTP requests from p0->p1 should work fine.
3767 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Four entries: the client's control connection (helper=ftp) and the
dnl server-initiated data connection (orig src=10.1.1.2), each in both zones.
3768 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
3769 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
3770 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
3771 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
3772 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
dnl Start from an empty table so the passive run cannot reuse active-run state.
3775 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
3777 dnl Passive FTP requests from p0->p1 should work fine.
3778 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Here the client opens the data connection too, so all four entries are
dnl originated by 10.1.1.1: control (helper=ftp) and data, in each zone.
3779 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
3780 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
3781 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
3782 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
3783 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
3786 OVS_TRAFFIC_VSWITCHD_STOP
dnl TFTP through the conntrack TFTP ALG, with two flow tables: flows1 commits
dnl every UDP packet from port 1 with the ALG; flows2 only commits new
dnl connections and relies on ct_state for everything else.
3789 AT_SETUP([conntrack - TFTP])
3790 AT_SKIP_IF([test $HAVE_TFTP = no])
3792 CHECK_CONNTRACK_ALG()
3793 OVS_TRAFFIC_VSWITCHD_START()
3795 ADD_NAMESPACES(at_ns0, at_ns1)
3797 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
3798 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
3800 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
3801 AT_DATA([flows1.txt], [dnl
3802 table=0,priority=1,action=drop
3803 table=0,priority=10,arp,action=normal
3804 table=0,priority=10,icmp,action=normal
dnl NOTE(review): the ALG is attached to every UDP packet from port 1, not
dnl only to tp_dst=69; compare the tp_dst=21 match the FTP tests use. Fine for
dnl a test, but a real policy would scope alg=tftp to the TFTP port.
3805 table=0,priority=100,in_port=1,udp,action=ct(alg=tftp,commit),2
3806 table=0,priority=100,in_port=2,udp,action=ct(table=1)
dnl The server's transfer comes back as a separate UDP tuple (presumably from
dnl a fresh source port), which is why +rel is accepted in addition to +est.
3807 table=1,in_port=2,udp,ct_state=+trk+est,action=1
3808 table=1,in_port=2,udp,ct_state=+trk+rel,action=1
3811 dnl Similar policy but without allowing all traffic from ns0->ns1.
3812 AT_DATA([flows2.txt], [dnl
3813 table=0,priority=1,action=drop
3814 table=0,priority=10,arp,action=normal
3815 table=0,priority=10,icmp,action=normal
3817 dnl Allow outgoing UDP connections, and treat them as TFTP
3818 table=0,priority=100,in_port=1,udp,action=ct(table=1)
3819 table=1,in_port=1,udp,ct_state=+trk+new-rel,action=ct(commit,alg=tftp),2
3820 table=1,in_port=1,udp,ct_state=+trk+new+rel,action=ct(commit),2
3821 table=1,in_port=1,udp,ct_state=+trk+est,action=2
3823 dnl Allow incoming TFTP data connections and responses to existing connections
3824 table=0,priority=100,in_port=2,udp,action=ct(table=1)
3825 table=1,in_port=2,udp,ct_state=+trk+est,action=1
3826 table=1,in_port=2,udp,ct_state=+trk+new+rel,action=1
3829 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
3831 OVS_START_L7([at_ns0], [tftp])
3832 OVS_START_L7([at_ns1], [tftp])
3834 dnl TFTP requests from p1->p0 should fail due to network failure.
dnl curl exit 28 is a timeout: UDP from port 2 that is neither established
dnl nor related falls through to the priority=1 drop.
3835 NS_CHECK_EXEC([at_ns1], [[curl $CURL_OPT tftp://10.1.1.1/flows1.txt -o foo 2>curl0.log]], [28])
dnl No entry toward 10.1.1.1 may exist; the expected dump is empty.
3836 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
3839 dnl TFTP requests from p0->p1 should work fine.
3840 NS_CHECK_EXEC([at_ns0], [[curl $CURL_OPT tftp://10.1.1.2/flows1.txt -o foo 2>curl1.log]])
dnl Exactly one UDP entry carrying helper=tftp is expected.
3841 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
3842 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),helper=tftp
3845 dnl Try the second set of flows.
dnl Flush so that entries committed under flows1 cannot carry over.
3846 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
3847 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
3849 dnl TFTP requests from p1->p0 should fail due to network failure.
3850 NS_CHECK_EXEC([at_ns1], [[curl $CURL_OPT tftp://10.1.1.1/flows1.txt -o foo 2>curl2.log]], [28])
3851 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
3854 dnl TFTP requests from p0->p1 should work fine.
3855 NS_CHECK_EXEC([at_ns0], [[curl $CURL_OPT tftp://10.1.1.2/flows1.txt -o foo 2>curl3.log]])
3856 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
3857 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),helper=tftp
3860 OVS_TRAFFIC_VSWITCHD_STOP
3863 AT_BANNER([conntrack - NAT])
dnl SNAT of everything from ns0 into 10.1.1.240-10.1.1.255. Those addresses
dnl are not configured on any interface, so the flow table also answers ARP
dnl for them (tables 8 and 10) with p0's MAC.
3865 AT_SETUP([conntrack - simple SNAT])
3867 CHECK_CONNTRACK_NAT()
3868 OVS_TRAFFIC_VSWITCHD_START()
3870 ADD_NAMESPACES(at_ns0, at_ns1)
3872 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl 80:88:88:88:88:88 is the MAC the ARP responder below hands out (table 8).
3873 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
3874 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
3876 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
3877 AT_DATA([flows.txt], [dnl
3878 in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
dnl Untracked packets from port 2 go through ct(nat) first so the destination
dnl is reverse-translated before they re-enter table 0.
3879 in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
dnl NOTE(review): +trk alone also matches +new, so this flow does not limit
dnl ns1->ns0 to return traffic as the comment above says; a fresh connection
dnl from ns1 would be tracked by the rule above and then forwarded here. The
dnl "more complex SNAT" test matches +est for this purpose.
3880 in_port=2,ct_state=+trk,ct_zone=1,ip,action=1
3883 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
3884 priority=10 arp action=normal
3885 priority=0,action=drop
3887 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. the SNAT pool above.
3888 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
3889 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
3890 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
3892 dnl Swaps the fields of the ARP message to turn a query to a response.
3893 table=10 priority=100 arp xreg0=0 action=normal
3894 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
3895 table=10 priority=0 action=drop
3898 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3900 dnl HTTP requests from p0->p1 should work fine.
3901 OVS_START_L7([at_ns1], [http])
3902 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The pool address picked for the reply side is not deterministic, so sed
dnl masks 10.1.1.24x/25x as 10.1.1.2XX and uniq collapses duplicate lines.
3904 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl
3905 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
3908 OVS_TRAFFIC_VSWITCHD_STOP
dnl SNAT to a single address with ct_mark set on the reply path. The point is
dnl the comment inside the flow table: the mark can only be set if the
dnl datapath still finds the conntrack entry after the NAT has been reversed.
3911 AT_SETUP([conntrack - SNAT with ct_mark change on reply])
3913 CHECK_CONNTRACK_NAT()
3914 OVS_TRAFFIC_VSWITCHD_START()
3916 ADD_NAMESPACES(at_ns0, at_ns1)
3918 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
3919 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
dnl Static ARP on both sides instead of the ARP responder used by the other
dnl NAT tests; ns1 resolves the SNAT address 10.1.1.240 to p0's MAC directly.
3920 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
3922 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
3923 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
3924 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.240 e6:66:c1:11:11:11])
3926 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
3927 AT_DATA([flows.txt], [dnl
3928 in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240)),2
3929 in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
3931 dnl Setting the mark fails if the datapath can't find the existing conntrack
3932 dnl entry after NAT has been reversed and the skb was lost due to an upcall.
dnl Re-commit with mark=1 and recirculate to table 1, which forwards only
dnl reply-direction packets carrying the mark; the dump below checks mark=1.
3934 in_port=2,ct_state=+trk,ct_zone=1,ip,action=ct(table=1,commit,zone=1,exec(set_field:1->ct_mark)),1
3935 table=1,in_port=2,ct_mark=1,ct_state=+rpl,ct_zone=1,ip,action=1
3937 priority=0,action=drop
3940 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3942 dnl ICMP requests from p0->p1 should work fine.
3943 NS_CHECK_EXEC([at_ns0], [ping -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
3944 1 packets transmitted, 1 received, 0% packet loss, time 0ms
dnl The SNAT address is fixed here, but the sed is kept consistent with the
dnl other SNAT tests; mark=1 at the end is the actual assertion.
3947 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
3948 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.2XX,id=<cleared>,type=0,code=0),zone=1,mark=1
3951 OVS_TRAFFIC_VSWITCHD_STOP
dnl SNAT with a two-port source range (34567-34568, chosen at random). The
dnl reverse path only un-NATs packets addressed to one of those two ports.
3954 AT_SETUP([conntrack - SNAT with port range])
3956 CHECK_CONNTRACK_NAT()
3957 OVS_TRAFFIC_VSWITCHD_START()
3959 ADD_NAMESPACES(at_ns0, at_ns1)
3961 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl 80:88:88:88:88:88 is the MAC the ARP responder below hands out (table 8).
3962 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
3963 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
3965 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
3966 AT_DATA([flows.txt], [dnl
3967 in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:34567-34568,random)),2
dnl Only TCP to the two NAT ports is handed to ct(nat); any other TCP from
dnl port 2 stays untracked and falls through to the priority=0 drop.
3968 in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
3969 in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
dnl NOTE(review): as in "simple SNAT", +trk without +est would also forward
dnl a new connection from ns1 to one of those ports once it has been tracked.
3970 in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
3973 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
3974 priority=10 arp action=normal
3975 priority=0,action=drop
3977 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. the SNAT pool above.
3978 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
3979 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
3980 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
3982 dnl Swaps the fields of the ARP message to turn a query to a response.
3983 table=10 priority=100 arp xreg0=0 action=normal
3984 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
3985 table=10 priority=0 action=drop
3988 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3990 dnl HTTP requests from p0->p1 should work fine.
3991 OVS_START_L7([at_ns1], [http])
3992 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The pool address is random, so sed masks it as 10.1.1.2XX; the chosen
dnl source port is hidden by FORMAT_CT anyway (sport=<cleared>).
3994 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl
3995 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
3998 OVS_TRAFFIC_VSWITCHD_STOP
dnl SNAT variant where every IP packet is tracked (and un-NATed) in table 0
dnl first and the policy lives in table 1, gated on +new / +est.
4002 AT_SETUP([conntrack - more complex SNAT])
4004 CHECK_CONNTRACK_NAT()
4005 OVS_TRAFFIC_VSWITCHD_START()
4007 ADD_NAMESPACES(at_ns0, at_ns1)
4009 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl 80:88:88:88:88:88 is the MAC the ARP responder below hands out (table 8).
4010 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
4011 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
4013 AT_DATA([flows.txt], [dnl
4014 dnl Track all IP traffic, NAT existing connections.
4015 priority=100 ip action=ct(table=1,zone=1,nat)
4017 dnl Allow ARP, but generate responses for NATed addresses
4018 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4019 priority=10 arp action=normal
4020 priority=0 action=drop
4022 dnl Allow any traffic from ns0->ns1. SNAT ns0 to 10.1.1.240-10.1.1.255
dnl Only the first packet of a connection is committed with the SNAT; later
dnl packets were already translated by the ct(nat) in table 0.
4023 table=1 priority=100 in_port=1 ip ct_state=+trk+new-est action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
4024 table=1 priority=100 in_port=1 ip ct_state=+trk-new+est action=2
4025 dnl Only allow established traffic from ns1->ns0.
dnl Unlike "simple SNAT" this requires +est, so new connections from ns1 drop.
4026 table=1 priority=100 in_port=2 ip ct_state=+trk-new+est action=1
4027 table=1 priority=0 action=drop
4029 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. the SNAT pool above.
4030 table=8 priority=100 reg2=0x0a0101f0/0xfffffff0 action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
4031 dnl Zero result means not found.
4032 table=8 priority=0 action=load:0->OXM_OF_PKT_REG0[[]]
4033 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
4034 dnl ARP TPA IP in reg2.
4035 table=10 priority=100 arp xreg0=0 action=normal
4036 dnl Swaps the fields of the ARP message to turn a query to a response.
4037 table=10 priority=10 arp arp_op=1 action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
4038 table=10 priority=0 action=drop
4041 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4043 dnl HTTP requests from p0->p1 should work fine.
4044 OVS_START_L7([at_ns1], [http])
4045 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The pool address picked for the reply side is not deterministic, so sed
dnl masks 10.1.1.24x/25x as 10.1.1.2XX and uniq collapses duplicate lines.
4047 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl
4048 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
4051 OVS_TRAFFIC_VSWITCHD_STOP
dnl DNAT of the virtual address 10.1.1.64 to ns1's real address 10.1.1.2.
dnl The virtual address is not configured anywhere, so tables 8/10 answer
dnl ARP for it with p1's MAC.
4054 AT_SETUP([conntrack - simple DNAT])
4056 CHECK_CONNTRACK_NAT()
4057 OVS_TRAFFIC_VSWITCHD_START()
4059 ADD_NAMESPACES(at_ns0, at_ns1)
4061 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
4062 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl 80:88:88:88:88:88 is what table 8 returns for 10.1.1.64 (0x0a010140).
4063 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
4065 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
4066 AT_DATA([flows.txt], [dnl
4067 priority=100 in_port=1,ip,nw_dst=10.1.1.64,action=ct(zone=1,nat(dst=10.1.1.2),commit),2
dnl Traffic from port 1 to any other destination is tracked and committed
dnl without translation.
4068 priority=10 in_port=1,ip,action=ct(commit,zone=1),2
dnl Reply path: untracked packets from port 2 get the DNAT reversed, then
dnl only +est traffic is forwarded.
4069 priority=100 in_port=2,ct_state=-trk,ip,action=ct(table=0,nat,zone=1)
4070 priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip,action=1
4073 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4074 priority=10 arp action=normal
4075 priority=0,action=drop
4077 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64; an exact match this time, no mask.
4078 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
4079 dnl Zero result means not found.
4080 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
4081 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
4083 table=10 priority=100 arp xreg0=0 action=normal
4084 dnl Swaps the fields of the ARP message to turn a query to a response.
4085 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
4086 table=10 priority=0 action=drop
4089 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4091 dnl Should work with the virtual IP address through NAT
4092 OVS_START_L7([at_ns1], [http])
4093 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl orig dst is the virtual address, reply src the real one.
4095 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
4096 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
4099 dnl Should work with the assigned IP address as well
dnl This one goes through the priority=10 rule, i.e. tracked but untranslated.
4100 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
4102 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
4103 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
4106 OVS_TRAFFIC_VSWITCHD_STOP
dnl DNAT variant where every IP packet is tracked (and un-NATed) in table 0
dnl first; the DNAT itself is only applied to +new packets in table 1.
4109 AT_SETUP([conntrack - more complex DNAT])
4111 CHECK_CONNTRACK_NAT()
4112 OVS_TRAFFIC_VSWITCHD_START()
4114 ADD_NAMESPACES(at_ns0, at_ns1)
4116 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
4117 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl 80:88:88:88:88:88 is what table 8 returns for 10.1.1.64 (0x0a010140).
4118 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
4120 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
4121 AT_DATA([flows.txt], [dnl
4122 dnl Track all IP traffic
4123 table=0 priority=100 ip action=ct(table=1,zone=1,nat)
4125 dnl Allow ARP, but generate responses for NATed addresses
4126 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4127 table=0 priority=10 arp action=normal
4128 table=0 priority=0 action=drop
4130 dnl Allow any IP traffic from ns0->ns1. DNAT ns0 from 10.1.1.64 to 10.1.1.2
dnl New connections to the virtual address are committed with the DNAT; new
dnl connections to anything else are committed untranslated.
4131 table=1 priority=100 in_port=1 ct_state=+new ip nw_dst=10.1.1.64 action=ct(zone=1,nat(dst=10.1.1.2),commit),2
4132 table=1 priority=10 in_port=1 ct_state=+new ip action=ct(commit,zone=1),2
4133 table=1 priority=100 in_port=1 ct_state=+est ct_zone=1 action=2
4134 dnl Only allow established traffic from ns1->ns0.
dnl Reverse translation already happened in table 0, so a plain +est match
dnl is enough here.
4135 table=1 priority=100 in_port=2 ct_state=+est ct_zone=1 action=1
4136 table=1 priority=0 action=drop
4138 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64; an exact match this time, no mask.
4139 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
4140 dnl Zero result means not found.
4141 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
4142 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
4144 table=10 priority=100 arp xreg0=0 action=normal
4145 dnl Swaps the fields of the ARP message to turn a query to a response.
4146 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
4147 table=10 priority=0 action=drop
4150 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4152 dnl Should work with the virtual IP address through NAT
4153 OVS_START_L7([at_ns1], [http])
4154 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl orig dst is the virtual address, reply src the real one.
4156 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
4157 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
4160 dnl Should work with the assigned IP address as well
dnl This one goes through the priority=10 rule, i.e. tracked but untranslated.
4161 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
4163 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
4164 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
4167 OVS_TRAFFIC_VSWITCHD_STOP
dnl ICMP errors related to a NATed UDP flow must be reverse-NATed too,
dnl including the embedded inner header. The capture at the end is there to
dnl catch checksum errors introduced by that rewrite.
4170 AT_SETUP([conntrack - ICMP related with NAT])
4171 AT_SKIP_IF([test $HAVE_NC = no])
4172 AT_SKIP_IF([test $HAVE_TCPDUMP = no])
4174 CHECK_CONNTRACK_NAT()
4175 OVS_TRAFFIC_VSWITCHD_START()
4177 ADD_NAMESPACES(at_ns0, at_ns1)
4179 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl 80:88:88:88:88:88 is the MAC the ARP responder below hands out (table 8).
4180 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
4181 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
4183 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
4184 dnl Make sure ICMP responses are reverse-NATted.
4185 AT_DATA([flows.txt], [dnl
dnl The UDP connection is marked on commit; the related ICMP error is
dnl matched on that mark below (the flow stats later confirm the hit).
4186 in_port=1,udp,action=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:1->ct_mark)),2
4187 in_port=2,icmp,ct_state=-trk,action=ct(table=0,nat)
dnl nw_dst=10.1.1.1 can only match if ct(nat) already rewrote the ICMP back
dnl to the original source, so this rule doubles as the reverse-NAT check.
4188 in_port=2,icmp,nw_dst=10.1.1.1,ct_state=+trk+rel,ct_mark=1,action=1
4191 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4192 priority=10 arp action=normal
4193 priority=0,action=drop
4195 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. the SNAT pool above.
4196 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
4197 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
4198 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
4200 dnl Swaps the fields of the ARP message to turn a query to a response.
4201 table=10 priority=100 arp xreg0=0 action=normal
4202 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
4203 table=10 priority=0 action=drop
4206 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Capture on ovs-p0 (presumably the bridge-side end of p0) for the checksum
dnl check at the end. No explicit kill of the background tcpdump is visible
dnl here; presumably test cleanup takes care of it -- confirm.
4209 tcpdump -U -i ovs-p0 -w p0.pcap &
4212 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl Presumably nothing listens on port 10000 in ns1, hence the ICMP error.
4213 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
dnl Purge so the flow stats below reflect exactly the packets sent above.
4215 AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl Each rule of interest must have seen exactly one packet: the UDP commit,
dnl the -trk ICMP rule and the +rel ICMP rule.
4216 AT_CHECK([ovs-ofctl -O OpenFlow15 dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
4217 n_packets=1, n_bytes=42, priority=10,arp actions=NORMAL
4218 n_packets=1, n_bytes=44, udp,in_port=1 actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:0x1->ct_mark)),output:2
4219 n_packets=1, n_bytes=72, ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2,nw_dst=10.1.1.1 actions=output:1
4220 n_packets=1, n_bytes=72, ct_state=-trk,icmp,in_port=2 actions=ct(table=0,nat)
4221 n_packets=2, n_bytes=84, priority=100,arp,arp_op=1 actions=move:NXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4222 table=10, n_packets=1, n_bytes=42, priority=10,arp,arp_op=1 actions=set_field:2->arp_op,move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_NX_ARP_SHA[[]],move:NXM_OF_ARP_SPA[[]]->NXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->NXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],set_field:0->in_port,output:NXM_NX_REG3[[0..15]]
4223 table=10, n_packets=1, n_bytes=42, priority=100,arp,reg0=0,reg1=0 actions=NORMAL
4224 table=8, n_packets=1, n_bytes=42, priority=0 actions=set_field:0->xreg0
4225 table=8, n_packets=1, n_bytes=42, reg2=0xa0101f0/0xfffffff0 actions=set_field:0x808888888888->xreg0
4226 OFPST_FLOW reply (OF1.5):
dnl The SNAT address is random within the pool, so sed masks it as 10.1.1.2XX.
4229 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
4230 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),mark=1
dnl tcpdump -v flags checksum problems with words like "bad"/"wrong"; egrep
dnl exiting 1 means no such complaint appeared for any ICMP packet received.
4233 AT_CHECK([tcpdump -v "icmp" -r p0.pcap 2>/dev/null | egrep 'wrong|bad'], [1], [ignore-nolog])
4235 OVS_TRAFFIC_VSWITCHD_STOP
4238 dnl CHECK_FTP_NAT(TITLE, IP_ADDR, FLOWS, CT_DUMP)
4240 dnl Checks the implementation of conntrack with FTP ALGs in combination with
4241 dnl NAT, using the provided flow table.
dnl
dnl TITLE is appended to the test name, FLOWS is written verbatim to flows.txt
dnl and CT_DUMP is the exact conntrack dump expected for 10.1.1.2 afterwards.
dnl NOTE(review): IP_ADDR ($2) is not referenced in the visible body; the
dnl callers (CHECK_FTP_SNAT_*) substitute it into FLOWS and CT_DUMP themselves.
4242 m4_define([CHECK_FTP_NAT],
4243 [AT_SETUP([conntrack - FTP $1])
4244 AT_SKIP_IF([test $HAVE_FTP = no])
4245 AT_SKIP_IF([test $HAVE_LFTP = no])
4247 CHECK_CONNTRACK_NAT()
4248 CHECK_CONNTRACK_ALG()
4250 OVS_TRAFFIC_VSWITCHD_START()
4252 ADD_NAMESPACES(at_ns0, at_ns1)
4254 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl 80:88:88:88:88:88 is the MAC the callers' ARP responder (table 8) hands out.
4255 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
4256 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
4258 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
4259 AT_DATA([flows.txt], [$3])
4261 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4263 OVS_START_L7([at_ns1], [ftp])
4265 dnl FTP requests from p0->p1 should work fine.
dnl Active mode (passive-mode off), so the server opens the data connection
dnl back toward the client's NATed address.
4266 AT_DATA([ftp.cmd], [dnl
4267 set net:max-retries 1
4269 set ftp:passive-mode off
4271 connect ftp://anonymous:@10.1.1.2
4277 NS_CHECK_EXEC([at_ns0], [lftp -f ftp.cmd > lftp.log])
4279 dnl Discards CLOSE_WAIT and CLOSING
4280 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [$4])
4282 OVS_TRAFFIC_VSWITCHD_STOP
4285 dnl CHECK_FTP_SNAT_PRE_RECIRC(TITLE, IP_ADDR, IP_ADDR_AS_HEX)
4287 dnl Checks the implementation of conntrack with FTP ALGs in combination with
4288 dnl NAT, with flow tables that implement the NATing as part of handling of
4289 dnl initial incoming packets - i.e., the first flow is ct(nat,table=foo).
4291 dnl IP_ADDR must specify the NAT address in standard "10.1.1.x" format,
4292 dnl and IP_ADDR_AS_HEX must specify the same address as hex, e.g. 0x0a0101xx.
dnl Both forms are needed because the flow table matches the address in
dnl nw_src/nw_dst (dotted) and in reg2 for the ARP responder (hex).
4293 m4_define([CHECK_FTP_SNAT_PRE_RECIRC], [dnl
4294 CHECK_FTP_NAT([SNAT prerecirc $1], [$2], [dnl
4295 dnl track all IP traffic, de-mangle non-NEW connections
dnl Port 1 and port 2 get their own tables, so the rules below do not need
dnl an in_port match.
4296 table=0 in_port=1, ip, action=ct(table=1,nat)
4297 table=0 in_port=2, ip, action=ct(table=2,nat)
4301 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4302 table=0 priority=10 arp action=normal
4303 table=0 priority=0 action=drop
4305 dnl Table 1: port 1 -> 2
4307 dnl Allow new FTP connections. These need to be committed.
4308 table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=$2)),2
4309 dnl Allow established TCP connections, make sure they are NATted already.
4310 table=1 ct_state=+est, tcp, nw_src=$2, action=2
4312 dnl Table 1: droppers
dnl Any other TCP from port 1 -- including new connections to ports other
dnl than 21 -- is dropped here.
4314 table=1 priority=10, tcp, action=drop
4315 table=1 priority=0,action=drop
4317 dnl Table 2: port 2 -> 1
4319 dnl Allow established TCP connections, make sure they are reverse NATted
4320 table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
4321 dnl Allow (new) related (data) connections. These need to be committed.
dnl In active mode the server connects to the NATed address $2; the FTP ALG
dnl has to rewrite the PORT payload for this expectation to exist at all.
4322 table=2 ct_state=+new+rel, tcp, nw_dst=$2, action=ct(commit,nat),1
4323 dnl Allow related ICMP packets, make sure they are reverse NATted
4324 table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
4326 dnl Table 2: droppers
4328 table=2 priority=10, tcp, action=drop
4329 table=2 priority=0, action=drop
4331 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
4333 table=8,reg2=$3/0xffffffff,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
4334 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
4335 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
4337 dnl Swaps the fields of the ARP message to turn a query to a response.
4338 table=10 priority=100 arp xreg0=0 action=normal
4339 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
4340 table=10 priority=0 action=drop
dnl Expected dump: the control connection (helper=ftp, reply dst is the SNAT
dnl address) and the server-initiated data connection (orig dst=$2).
4342 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
4343 tcp,orig=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
4347 dnl Check that ct(nat,table=foo) works without TCP sequence adjustment.
4348 CHECK_FTP_SNAT_PRE_RECIRC([], [10.1.1.9], [0x0a010109])
4350 dnl Check that ct(nat,table=foo) works with TCP sequence adjustment.
4352 dnl The FTP PORT command includes the ASCII representation of the address,
4353 dnl so when these messages need to be NATed between addresses that have
4354 dnl different lengths when represented in ASCII (such as the original address
4355 dnl of 10.1.1.1 used in the test and 10.1.1.240 here), the FTP NAT ALG must
4356 dnl resize the packet and adjust TCP sequence numbers. This test is kept
4357 dnl separate from the above to make it easier to identify issues in this code on different
4359 CHECK_FTP_SNAT_PRE_RECIRC([seqadj], [10.1.1.240], [0x0a0101f0])
4361 dnl CHECK_FTP_SNAT_POST_RECIRC(TITLE, IP_ADDR, IP_ADDR_AS_HEX)
4363 dnl Checks the implementation of conntrack with FTP ALGs in combination with
4364 dnl NAT, with flow tables that implement the NATing after the first round
4365 dnl of recirculation - that is, the first flow ct(table=foo) then a subsequent
4366 dnl flow will implement the NATing with ct(nat..),output:foo.
4368 dnl IP_ADDR must specify the NAT address in standard "10.1.1.x" format,
4369 dnl and IP_ADDR_AS_HEX must specify the same address as hex, eg 0x0a0101xx.
4370 m4_define([CHECK_FTP_SNAT_POST_RECIRC], [dnl
4371 CHECK_FTP_NAT([SNAT postrecirc $1], [$2], [dnl
4372 dnl track all IP traffic (this includes a helper call to non-NEW packets.)
4373 table=0 ip, action=ct(table=1)
4377 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4378 table=0 priority=10 arp action=normal
4379 table=0 priority=0 action=drop
4383 dnl Allow new FTP control connections (tp_dst=21). These need to be committed.
4384 dnl This does helper for new packets.
4385 table=1 in_port=1 ct_state=+new, tcp, tp_dst=21, action=ct(alg=ftp,commit,nat(src=$2)),2
4386 dnl Allow and NAT established TCP connections
4387 table=1 in_port=1 ct_state=+est, tcp, action=ct(nat),2
4388 table=1 in_port=2 ct_state=+est, tcp, action=ct(nat),1
4389 dnl Allow and NAT (new) related active (data) connections.
4390 dnl These need to be committed.
4391 table=1 in_port=2 ct_state=+new+rel, tcp, action=ct(commit,nat),1
4392 dnl Allow related ICMP packets.
4393 table=1 in_port=2 ct_state=+rel, icmp, action=ct(nat),1
4394 dnl Drop everything else.
4395 table=1 priority=0, action=drop
4397 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
4399 table=8,reg2=$3/0xffffffff,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
4400 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
4401 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
4403 dnl Swaps the fields of the ARP message to turn a query to a response.
4404 table=10 priority=100 arp xreg0=0 action=normal
4405 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
4406 table=10 priority=0 action=drop
4408 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
4409 tcp,orig=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
4413 dnl Check that ct(nat,table=foo) works without TCP sequence adjustment.
4414 CHECK_FTP_SNAT_POST_RECIRC([], [10.1.1.9], [0x0a010109])
4416 dnl Check that ct(nat,table=foo) works with TCP sequence adjustment.
4418 dnl The FTP PORT command includes the ASCII representation of the address,
4419 dnl so when these messages need to be NATed between addresses that have
4420 dnl different lengths when represented in ASCII (such as the original address
4421 dnl of 10.1.1.1 used in the test and 10.1.1.240 here), the FTP NAT ALG must
4422 dnl resize the packet and adjust TCP sequence numbers. This test is kept
4423 dnl separate from the above to make it easier to identify issues in this code on different
4425 CHECK_FTP_SNAT_POST_RECIRC([seqadj], [10.1.1.240], [0x0a0101f0])
4428 dnl CHECK_FTP_SNAT_ORIG_TUPLE(TITLE, IP_ADDR, IP_ADDR_AS_HEX)
4430 dnl Checks the implementation of conntrack original direction tuple matching
4431 dnl with FTP ALGs in combination with NAT, with flow tables that implement
4432 dnl the NATing before the first round of recirculation - that is, the first
4433 dnl flow ct(nat, table=foo) then a subsequent flow will implement the
4434 dnl committing of NATed and other connections with ct(nat..),output:foo.
4436 dnl IP_ADDR must specify the NAT address in standard "10.1.1.x" format,
4437 dnl and IP_ADDR_AS_HEX must specify the same address as hex, eg 0x0a0101xx.
4438 m4_define([CHECK_FTP_SNAT_ORIG_TUPLE], [dnl
4439 CHECK_FTP_NAT([SNAT orig tuple $1], [$2], [dnl
4440 dnl Store zone in reg4 and packet direction in reg3 (IN=1, OUT=2).
4441 dnl NAT is only applied to OUT-direction packets, so that ACL
4442 dnl processing can be done with non-NATted headers.
4444 dnl Track all IP traffic in the IN-direction (IN from Port 1).
4445 table=0 in_port=1, ip, action=set_field:1->reg4,set_field:1->reg3,ct(zone=NXM_NX_REG4[[0..15]],table=1)
4446 dnl Track all IP traffic in the OUT-direction (OUT to the Port 1).
4447 table=0 in_port=2, ip, action=set_field:1->reg4,set_field:2->reg3,ct(zone=NXM_NX_REG4[[0..15]],nat,table=1)
4451 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4452 table=0 priority=10 arp action=normal
4453 table=0 priority=0 action=drop
4455 dnl Pass tracked traffic through ACL, drop everything else.
4456 dnl Non-REPLY/RELATED packets get the ACL lookup with the packet headers
4457 dnl in the actual packet direction in reg0 (IN=1, OUT=2). REPLY packets
4458 dnl get the ACL lookup using the conntrack tuple and the inverted direction.
4459 dnl RELATED packets get ACL lookup using the conntrack tuple in the direction
4460 dnl of the master connection, as stored in ct_label[0].
4462 dnl Incoming non-related packet in the original direction (ACL IN)
4463 table=1 reg3=1, ip, ct_state=-rel-rpl+trk-inv action=set_field:1->reg0,resubmit(,3),goto_table:5
4464 dnl Incoming non-related reply packet (CT ACL OUT)
4465 table=1 reg3=1, ip, ct_state=-rel+rpl+trk-inv action=set_field:2->reg0,resubmit(,3,ct),goto_table:4
4466 dnl Outgoing non-related packet (ACL OUT)
4467 table=1 reg3=2, ip, ct_state=-rel-rpl+trk-inv action=set_field:2->reg0,resubmit(,3),goto_table:5
4468 dnl Outgoing non-related reply packet (CT ACL IN)
4469 table=1 reg3=2, ip, ct_state=-rel+rpl+trk-inv action=set_field:1->reg0,resubmit(,3,ct),goto_table:4
4471 dnl Related packet (CT ACL in the direction of the master connection.)
4472 table=1 ip, ct_state=+rel+trk-inv, action=move:NXM_NX_CT_LABEL[[0]]->NXM_NX_REG0[[0]],resubmit(,3,ct),goto_table:4
4473 dnl Drop everything else.
4474 table=1 priority=0, action=drop
4478 dnl Stateful accept (1->reg2) all incoming (reg0=1) IP connections with
4479 dnl IP source address '10.1.1.1'. Store rule ID (1234) in reg1, verdict
4481 table=3 priority=10, reg0=1, ip, nw_src=10.1.1.1 action=set_field:1234->reg1,set_field:1->reg2
4482 dnl Stateless drop (0->reg2) everything else in both directions. (Rule ID: 1235)
4483 table=3 priority=0, action=set_field:1235->reg1,set_field:0->reg2
4485 dnl Re-process stateful traffic that was not accepted by a stateful rule as
4486 dnl normal traffic in the current direction. This should also delete the
4487 dnl now stale conntrack state, so that new state can be created in its place.
4489 dnl Stateful accepts go to next table.
4490 table=4 priority=100 reg2=1, action=goto_table:5
4491 dnl Everything else is reprocessed disregarding the CT state, using the actual
4492 dnl packet direction.
4493 table=4 priority=0 action=move:NXM_NX_REG3[[]]->NXM_NX_REG0[[]],resubmit(,3),goto_table:5
4495 dnl "ACL verdict processing table."
4497 dnl Handle stateful (reg2=1) / stateless (reg2=2) accepts and drops (reg2=0)
4499 dnl Drop all non-accepted packets.
4500 table=5 reg2=0 priority=1000 action=drop
4502 dnl Commit new incoming FTP control connections with SNAT range. Must match on
4503 dnl 'tcp' when setting 'alg=ftp'. Store the directionality of non-related
4504 dnl connections to ct_label[0]. Store the rule ID to ct_label[96..127].
4505 table=5 priority=100 reg2=1 reg3=1 ct_state=+new-rel, tcp, tp_dst=21, action=ct(zone=NXM_NX_REG4[[0..15]],alg=ftp,commit,nat(src=$2),exec(move:NXM_NX_REG3[[0]]->NXM_NX_CT_LABEL[[0]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
4506 dnl Commit other new incoming non-related IP connections with SNAT range.
4507 table=5 priority=10 reg2=1 reg3=1 ct_state=+new-rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat(src=$2),exec(move:NXM_NX_REG3[[0]]->NXM_NX_CT_LABEL[[0]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
4508 dnl Commit non-related outgoing new IP connections with DNAT range.
4509 dnl (This should not get any packets in this test.)
4510 table=5 priority=10 reg2=1 reg3=2 ct_state=+new-rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat(dst=$2),exec(move:NXM_NX_REG3[[0]]->NXM_NX_CT_LABEL[[0]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
4511 dnl Commit new related connections in either direction, which need 'nat'
4512 dnl and which inherit the label (the direction of the original direction
4513 dnl master tuple) from the master connection.
4514 table=5 priority=10 reg2=1 ct_state=+new+rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat,exec(move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
4516 dnl NAT incoming non-NEW packets. Outgoing packets were NATted in table 0.
4518 table=5 priority=10 ct_state=-new+trk-inv reg3=1 ip, action=ct(zone=NXM_NX_REG4[[0..15]],nat),goto_table:6
4519 dnl Forward everything else, including stateless accepts.
4520 table=5 priority=0 action=goto_table:6
4522 dnl "Forwarding table"
4524 table=6 in_port=1 action=2
4525 table=6 in_port=2 action=1
4527 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
4529 table=8,reg2=$3,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
4530 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
4531 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
4533 dnl Swaps the fields of the ARP message to turn a query to a response.
4534 table=10 priority=100 arp xreg0=0 action=normal
4535 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
4536 table=10 priority=0 action=drop
4538 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),zone=1,labels=0x4d2000000000000000000000001,protoinfo=(state=<cleared>),helper=ftp
4539 tcp,orig=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,labels=0x4d2000000000000000000000001,protoinfo=(state=<cleared>)
4543 dnl Check that ct(nat,table=foo) works without TCP sequence adjustment with
4544 dnl an ACL table based on matching on conntrack original direction tuple only.
4545 CHECK_FTP_SNAT_ORIG_TUPLE([], [10.1.1.9], [0x0a010109])
4547 dnl Check that ct(nat,table=foo) works with TCP sequence adjustment with
4548 dnl an ACL table based on matching on conntrack original direction tuple only.
4549 CHECK_FTP_SNAT_ORIG_TUPLE([seqadj], [10.1.1.240], [0x0a0101f0])
4551 AT_SETUP([conntrack - IPv4 FTP Passive with SNAT])
4552 AT_SKIP_IF([test $HAVE_FTP = no])
4554 CHECK_CONNTRACK_NAT()
4555 CHECK_CONNTRACK_ALG()
4557 OVS_TRAFFIC_VSWITCHD_START()
4559 ADD_NAMESPACES(at_ns0, at_ns1)
4561 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
4562 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
4563 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
4565 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
4566 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
4567 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
4568 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.240 e6:66:c1:11:11:11])
4570 dnl Allow FTP control and passive-mode data connections from ns0->ns1 (SNATted to 10.1.1.240), their return traffic and ICMP; drop everything else.
4571 AT_DATA([flows.txt], [dnl
4572 dnl track all IPv4 traffic and NAT any established traffic.
4573 table=0 priority=10 ip, action=ct(nat,table=1)
4574 table=0 priority=0 action=drop
4578 dnl Allow new FTP control connections.
4579 table=1 in_port=1 ct_state=+new tcp nw_src=10.1.1.1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
4580 dnl Allow related TCP connections from port 1.
4581 table=1 in_port=1 ct_state=+new+rel tcp nw_src=10.1.1.1 action=ct(commit,nat),2
4582 dnl Allow established TCP connections both ways, post-NAT match.
4583 table=1 in_port=1 ct_state=+est tcp nw_src=10.1.1.240 action=2
4584 table=1 in_port=2 ct_state=+est tcp nw_dst=10.1.1.1 action=1
4586 dnl Allow ICMP both ways.
4587 table=1 priority=100 in_port=1 icmp, action=2
4588 table=1 priority=100 in_port=2 icmp, action=1
4589 table=1 priority=0, action=drop
4592 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4594 dnl Check that the network stacks are up before starting, to avoid races.
4595 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null])
4597 OVS_START_L7([at_ns1], [ftp])
4599 dnl FTP requests from p0->p1 should work fine.
4600 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
4602 dnl Discards CLOSE_WAIT and CLOSING
4603 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
4604 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
4605 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
4608 OVS_TRAFFIC_VSWITCHD_STOP
4611 AT_SETUP([conntrack - IPv4 FTP Passive with DNAT])
4612 AT_SKIP_IF([test $HAVE_FTP = no])
4614 CHECK_CONNTRACK_NAT()
4615 CHECK_CONNTRACK_ALG()
4617 OVS_TRAFFIC_VSWITCHD_START()
4619 ADD_NAMESPACES(at_ns0, at_ns1)
4621 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
4622 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
4623 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
4624 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.240 e6:66:c1:22:22:22])
4626 ADD_VETH(p1, at_ns1, br0, "10.1.1.240/24")
4627 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
4628 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
4630 dnl Allow FTP control and passive-mode data connections from ns0->ns1 (DNATted to 10.1.1.240), their return traffic and ICMP; drop everything else.
4631 AT_DATA([flows.txt], [dnl
4632 dnl track all IPv4 traffic and NAT any established traffic.
4633 table=0 priority=10 ip, action=ct(nat,table=1)
4634 table=0 priority=0 action=drop
4638 dnl Allow new FTP control connections.
4639 table=1 in_port=1 ct_state=+new tcp nw_src=10.1.1.1 tp_dst=21 action=ct(alg=ftp,commit,nat(dst=10.1.1.240)),2
4640 dnl Allow related TCP connections from port 1.
4641 table=1 in_port=1 ct_state=+new+rel tcp nw_src=10.1.1.1 action=ct(commit,nat),2
4642 dnl Allow established TCP connections both ways, post-NAT match.
4643 table=1 in_port=1 ct_state=+est tcp nw_dst=10.1.1.240 action=2
4644 table=1 in_port=2 ct_state=+est tcp nw_dst=10.1.1.1 action=1
4646 dnl Allow ICMP both ways.
4647 table=1 priority=100 in_port=1 icmp, action=2
4648 table=1 priority=100 in_port=2 icmp, action=1
4649 table=1 priority=0, action=drop
4652 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4654 dnl Check that the network stacks are up before starting, to avoid races.
4655 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.240 >/dev/null])
4657 OVS_START_L7([at_ns1], [ftp])
4659 dnl FTP requests from p0->p1 should work fine.
4660 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
4662 dnl Discards CLOSE_WAIT and CLOSING
4663 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
4664 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.240,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
4665 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.240,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
4668 OVS_TRAFFIC_VSWITCHD_STOP
4671 AT_SETUP([conntrack - IPv4 FTP Passive with DNAT 2])
4672 AT_SKIP_IF([test $HAVE_FTP = no])
4674 CHECK_CONNTRACK_NAT()
4675 CHECK_CONNTRACK_ALG()
4677 OVS_TRAFFIC_VSWITCHD_START()
4679 ADD_NAMESPACES(at_ns0, at_ns1)
4681 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/16")
4682 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
4683 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.200 e6:66:c1:22:22:22])
4684 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.100.1 e6:66:c1:22:22:22])
4686 ADD_VETH(p1, at_ns1, br0, "10.1.100.1/16")
4687 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
4688 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
4690 dnl Allow FTP control and passive-mode data connections from ns0->ns1 (DNATted to 10.1.100.1), their return traffic and ICMP; drop everything else.
4691 AT_DATA([flows.txt], [dnl
4692 dnl track all IPv4 traffic and NAT any established traffic.
4693 table=0 priority=10 ip, action=ct(nat,table=1)
4694 table=0 priority=0 action=drop
4698 dnl Allow new FTP control connections.
4699 table=1 in_port=1 ct_state=+new tcp nw_src=10.1.1.1 tp_dst=21 action=ct(alg=ftp,commit,nat(dst=10.1.100.1)),2
4700 dnl Allow related TCP connections from port 1.
4701 table=1 in_port=1 ct_state=+new+rel tcp nw_src=10.1.1.1 action=ct(commit,nat),2
4702 dnl Allow established TCP connections both ways, post-NAT match.
4703 table=1 in_port=1 ct_state=+est tcp nw_dst=10.1.100.1 action=2
4704 table=1 in_port=2 ct_state=+est tcp nw_dst=10.1.1.1 action=1
4706 dnl Allow ICMP both ways.
4707 table=1 priority=100 in_port=1 icmp, action=2
4708 table=1 priority=100 in_port=2 icmp, action=1
4709 table=1 priority=0, action=drop
4712 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4714 dnl Check that the network stacks are up before starting, to avoid races.
4715 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.100.1 >/dev/null])
4717 OVS_START_L7([at_ns1], [ftp])
4719 dnl FTP requests from p0->p1 should work fine.
4720 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.200 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
4722 dnl Discards CLOSE_WAIT and CLOSING
4723 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.200)], [0], [dnl
4724 tcp,orig=(src=10.1.1.1,dst=10.1.1.200,sport=<cleared>,dport=<cleared>),reply=(src=10.1.100.1,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
4725 tcp,orig=(src=10.1.1.1,dst=10.1.1.200,sport=<cleared>,dport=<cleared>),reply=(src=10.1.100.1,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
4728 OVS_TRAFFIC_VSWITCHD_STOP
4731 AT_SETUP([conntrack - IPv4 FTP Active with DNAT])
4732 AT_SKIP_IF([test $HAVE_FTP = no])
4734 CHECK_CONNTRACK_NAT()
4735 CHECK_CONNTRACK_ALG()
4737 OVS_TRAFFIC_VSWITCHD_START()
4739 ADD_NAMESPACES(at_ns0, at_ns1)
4741 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
4742 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
4743 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
4744 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.240 e6:66:c1:22:22:22])
4746 ADD_VETH(p1, at_ns1, br0, "10.1.1.240/24")
4747 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
4748 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
4750 dnl Allow FTP control connections from ns0->ns1 (DNATted to 10.1.1.240), active-mode data connections from ns1->ns0, established traffic both ways and ICMP; drop everything else.
4751 AT_DATA([flows.txt], [dnl
4752 dnl track all IPv4 traffic and NAT any established traffic.
4753 table=0 priority=10 ip, action=ct(nat,table=1)
4754 table=0 priority=0 action=drop
4758 dnl Allow new FTP control connections.
4759 table=1 in_port=1 ct_state=+new tcp nw_src=10.1.1.1 tp_dst=21 action=ct(alg=ftp,commit,nat(dst=10.1.1.240)),2
4760 dnl Allow related (active-mode data) TCP connections from port 2, i.e. opened by the server; the in_port/nw_src match limits use of the ALG-created expectation to the server side.
4761 table=1 in_port=2 ct_state=+new+rel tcp nw_src=10.1.1.240 action=ct(commit,nat),1
4762 dnl Allow established TCP connections both ways, post-NAT match.
4763 table=1 in_port=1 ct_state=+est tcp nw_dst=10.1.1.240 action=2
4764 table=1 in_port=2 ct_state=+est tcp nw_dst=10.1.1.1 action=1
4766 dnl Allow ICMP both ways.
4767 table=1 priority=100 in_port=1 icmp, action=2
4768 table=1 priority=100 in_port=2 icmp, action=1
4769 table=1 priority=0, action=drop
4772 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4774 dnl Check that the network stacks are up before starting, to avoid races.
4775 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.240 >/dev/null])
4777 OVS_START_L7([at_ns1], [ftp])
4779 dnl FTP requests from p0->p1 should work fine.
4780 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
4782 dnl Discards CLOSE_WAIT and CLOSING
4783 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
4784 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.240,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
4785 tcp,orig=(src=10.1.1.240,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
4788 OVS_TRAFFIC_VSWITCHD_STOP
4791 AT_SETUP([conntrack - IPv4 FTP Active with DNAT with reverse skew])
4792 AT_SKIP_IF([test $HAVE_FTP = no])
4794 CHECK_CONNTRACK_NAT()
4795 CHECK_CONNTRACK_ALG()
4797 OVS_TRAFFIC_VSWITCHD_START()
4799 ADD_NAMESPACES(at_ns0, at_ns1)
4801 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/16")
4802 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
4803 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
4804 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.120.240 e6:66:c1:22:22:22])
4806 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/16")
4807 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
4808 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
4810 dnl Allow FTP control connections from ns0->ns1 (10.1.120.240 DNATted to 10.1.1.2), active-mode data connections from ns1->ns0, established traffic both ways and ICMP; drop everything else.
4811 AT_DATA([flows.txt], [dnl
4812 dnl track all IPv4 traffic and NAT any established traffic.
4813 table=0 priority=10 ip, action=ct(nat,table=1)
4814 table=0 priority=0 action=drop
4818 dnl Allow new FTP control connections.
4819 table=1 in_port=1 ct_state=+new tcp nw_src=10.1.1.1 tp_dst=21 action=ct(alg=ftp,commit,nat(dst=10.1.1.2)),2
4820 dnl Allow related (active-mode data) TCP connections from port 2, i.e. opened by the server; the in_port/nw_src match limits use of the ALG-created expectation to the server side.
4821 table=1 in_port=2 ct_state=+new+rel tcp nw_src=10.1.1.2 action=ct(commit,nat),1
4822 dnl Allow established TCP connections both ways, post-NAT match.
4823 table=1 in_port=1 ct_state=+est tcp nw_dst=10.1.1.2 action=2
4824 table=1 in_port=2 ct_state=+est tcp nw_dst=10.1.1.1 action=1
4826 dnl Allow ICMP both ways.
4827 table=1 priority=100 in_port=1 icmp, action=2
4828 table=1 priority=100 in_port=2 icmp, action=1
4829 table=1 priority=0, action=drop
4832 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4834 dnl Check that the network stacks are up before starting, to avoid races.
4835 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null])
4837 OVS_START_L7([at_ns1], [ftp])
4839 dnl FTP requests from p0->p1 should work fine.
4840 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.120.240 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
4842 dnl Discards CLOSE_WAIT and CLOSING
4843 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.120.240)], [0], [dnl
4844 tcp,orig=(src=10.1.1.1,dst=10.1.120.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
4845 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.120.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
4848 OVS_TRAFFIC_VSWITCHD_STOP
4851 AT_SETUP([conntrack - IPv6 HTTP with SNAT])
4853 CHECK_CONNTRACK_NAT()
4854 OVS_TRAFFIC_VSWITCHD_START()
4856 ADD_NAMESPACES(at_ns0, at_ns1)
4858 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
4859 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
4860 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
4861 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
4862 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::241 lladdr 80:88:88:88:88:88 dev p1])
4864 dnl Allow any IPv6 traffic from ns0->ns1 (SNATted to fc00::240-fc00::241). From ns1->ns0 only allow ND and tracked return traffic; neighbor solicitations for the SNAT addresses are DNATted back to fc00::1 so that ns1 can resolve them.
4865 AT_DATA([flows.txt], [dnl
4866 priority=1,action=drop
4867 priority=10,icmp6,action=normal
4868 priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240-fc00::241)),2
4869 priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
4870 priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
4871 priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1
4872 priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::241,action=ct(commit,nat(dst=fc00::1)),1
4875 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4877 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
4878 dnl waiting, we get occasional failures due to the following error:
4879 dnl "connect: Cannot assign requested address"
4880 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
4882 dnl HTTP requests from ns0->ns1 should work fine.
4883 OVS_START_L7([at_ns1], [http6])
4885 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
4887 dnl HTTP requests from ns1->ns0 should fail due to network failure.
4888 dnl Try 3 times with a 1 second timeout each; wget exit status 4 reports a network failure.
4889 OVS_START_L7([at_ns0], [http6])
4890 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
4892 OVS_TRAFFIC_VSWITCHD_STOP
4895 AT_SETUP([conntrack - IPv6 HTTP with DNAT])
4897 CHECK_CONNTRACK_NAT()
4898 OVS_TRAFFIC_VSWITCHD_START()
4900 ADD_NAMESPACES(at_ns0, at_ns1)
4902 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
4903 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
4904 NS_CHECK_EXEC([at_ns0], [ip -6 link set dev p0 address 80:88:88:88:88:77])
4905 NS_CHECK_EXEC([at_ns1], [ip -6 link set dev p1 address 80:88:88:88:88:88])
4906 NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p0])
4907 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::1 lladdr 80:88:88:88:88:77 dev p1])
4909 dnl DNAT traffic from ns0 to the virtual address fc00::240 to ns1 (fc00::2) in zone 1. From ns1->ns0 these flows forward only tracked, established return traffic.
4910 AT_DATA([flows.txt], [dnl
4911 priority=100 in_port=1,ip6,ipv6_dst=fc00::240,action=ct(zone=1,nat(dst=fc00::2),commit),2
4912 priority=100 in_port=2,ct_state=-trk,ip6,action=ct(table=0,nat,zone=1)
4913 priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip6,action=1
4916 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4918 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
4919 dnl waiting, we get occasional failures due to the following error:
4920 dnl "connect: Cannot assign requested address"
4921 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::240])
4923 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::240 | FORMAT_PING], [0], [dnl
4924 3 packets transmitted, 3 received, 0% packet loss, time 0ms
4927 dnl Should work with the virtual IP address through NAT
4928 OVS_START_L7([at_ns1], [http6])
4929 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::240]] -t 5 -T 1 --retry-connrefused -v -o wget0.log])
4931 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::1)], [0], [dnl
4932 icmpv6,orig=(src=fc00::1,dst=fc00::240,id=<cleared>,type=128,code=0),reply=(src=fc00::2,dst=fc00::1,id=<cleared>,type=129,code=0),zone=1
4933 tcp,orig=(src=fc00::1,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
4936 OVS_TRAFFIC_VSWITCHD_STOP
4939 AT_SETUP([conntrack - IPv6 ICMP6 Related with SNAT])
4940 AT_SKIP_IF([test $HAVE_TCPDUMP = no])
4942 CHECK_CONNTRACK_NAT()
4943 OVS_TRAFFIC_VSWITCHD_START()
4945 ADD_NAMESPACES(at_ns0, at_ns1)
4947 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
4948 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
4949 NS_CHECK_EXEC([at_ns0], [ip -6 link set dev p0 address 80:88:88:88:88:77])
4950 NS_CHECK_EXEC([at_ns1], [ip -6 link set dev p1 address 80:88:88:88:88:88])
4952 NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::2 lladdr 80:88:88:88:88:88 dev p0])
4953 NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::3 lladdr 80:88:88:88:88:88 dev p0])
4954 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:77 dev p1])
4955 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::1 lladdr 80:88:88:88:88:77 dev p1])
4957 NS_CHECK_EXEC([at_ns0], [ip -6 route add default via fc00::2])
4959 dnl Allow any IPv6 traffic from ns0->ns1 (SNATted to fc00::240). From ns1->ns0 forward only tracked established and related traffic (e.g. the ICMPv6 error this test expects).
4960 AT_DATA([flows.txt], [dnl
4961 priority=100 in_port=1,ip6,action=ct(nat(src=fc00::240),commit),2
4962 priority=100 in_port=2,ct_state=-trk,ip6,action=ct(table=0,nat)
4963 priority=100 in_port=2,ct_state=+trk+est,ip6,action=1
4964 priority=100 in_port=2,ct_state=+trk+rel,ip6,action=1
4967 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4969 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
4970 dnl waiting, we get occasional failures due to the following error:
4971 dnl "connect: Cannot assign requested address"
4972 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
4974 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
4977 tcpdump -U -i ovs-p0 -w p0.pcap &
4980 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
4981 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc -6 $NC_EOF_OPT -u fc00::2 1"])
4983 AT_CHECK([tcpdump -v "icmp6" -r p0.pcap 2>/dev/null | egrep 'wrong|bad'], [1], [ignore-nolog])
4985 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
4986 udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>)
4989 OVS_TRAFFIC_VSWITCHD_STOP
4992 AT_SETUP([conntrack - IPv6 FTP with SNAT])
4993 AT_SKIP_IF([test $HAVE_FTP = no])
4995 CHECK_CONNTRACK_NAT()
4996 CHECK_CONNTRACK_ALG()
4998 OVS_TRAFFIC_VSWITCHD_START()
5000 ADD_NAMESPACES(at_ns0, at_ns1)
5002 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
5003 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
5004 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
5005 dnl Would be nice if NAT could translate neighbor discovery messages, too.
5006 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
5008 dnl Allow FTP control connections from ns0->ns1 (SNATted to fc00::240) and
5009 dnl active-mode data connections from ns1 to the NATted address; other ICMPv6 both ways.
5010 AT_DATA([flows.txt], [dnl
5011 dnl track all IPv6 traffic (this includes NAT & help to non-NEW packets.)
5012 table=0 priority=10 ip6, action=ct(nat,table=1)
5013 table=0 priority=0 action=drop
5017 dnl Allow new TCPv6 FTP control connections.
5018 table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
5019 dnl Allow related TCPv6 connections from port 2 to the NATted address.
5020 table=1 in_port=2 ct_state=+new+rel tcp6 ipv6_dst=fc00::240 action=ct(commit,nat),1
5021 dnl Allow established TCPv6 connections both ways, enforce NATting
5022 table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240 action=2
5023 table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1 action=1
5024 dnl Allow other ICMPv6 both ways (without commit).
5025 table=1 priority=100 in_port=1 icmp6, action=2
5026 table=1 priority=100 in_port=2 icmp6, action=1
5027 dnl Drop everything else.
5028 table=1 priority=0, action=drop
5031 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5033 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
5034 dnl waiting, we get occasional failures due to the following error:
5035 dnl "connect: Cannot assign requested address"
5036 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
5038 OVS_START_L7([at_ns1], [ftp])
5040 dnl FTP requests from p0->p1 should work fine.
5041 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
5043 dnl Discards CLOSE_WAIT and CLOSING
5044 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
5045 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
5046 tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
5049 OVS_TRAFFIC_VSWITCHD_STOP
5052 AT_SETUP([conntrack - IPv6 FTP Passive with SNAT])
dnl Passive-mode FTP over IPv6 with the client (fc00::1) source-NATted to
dnl fc00::240.  In passive mode the client opens the data connection as well,
dnl so the ALG-created "related" pinhole has to be accepted on in_port=1,
dnl unlike the active-mode variant where it arrives on in_port=2.
5053 AT_SKIP_IF([test $HAVE_FTP = no])
5055 CHECK_CONNTRACK_NAT()
5056 CHECK_CONNTRACK_ALG()
5058 OVS_TRAFFIC_VSWITCHD_START()
5060 ADD_NAMESPACES(at_ns0, at_ns1)
5062 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
5063 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
5064 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
5065 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:99])
dnl Fixed MACs plus static neighbor entries on both sides.  The NATted address
dnl fc00::240 is not configured on any interface, so neighbor discovery for it
dnl would go unanswered; ns1 is pointed at p0's MAC for it instead.
5066 NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::2 lladdr 80:88:88:88:88:99 dev p0])
5067 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
5069 dnl Allow any traffic from ns0->ns1.
5070 dnl Only allow nd, return traffic from ns1->ns0.
5071 AT_DATA([flows.txt], [dnl
5072 dnl track all IPv6 traffic (this includes NAT & help to non-NEW packets.)
5073 table=0 priority=10 ip6, action=ct(nat,table=1)
5074 table=0 priority=0 action=drop
5078 dnl Allow new TCPv6 FTP control connections.
dnl alg=ftp attaches the FTP helper, so the data connection negotiated on the
dnl control channel is later classified as ct_state=+rel.
5079 table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
5080 dnl Allow related TCPv6 connections from port 1.
5081 table=1 in_port=1 ct_state=+new+rel tcp6 ipv6_dst=fc00::2 action=ct(commit,nat),2
5082 dnl Allow established TCPv6 connections both ways, enforce NATting
dnl These match the post-NAT addresses (src fc00::240 / dst fc00::1); a packet
dnl that table 0 did not translate matches nothing here and hits the drop.
5083 table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240 action=2
5084 table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1 action=1
5085 dnl Allow other ICMPv6 both ways (without commit).
5086 table=1 priority=100 in_port=1 icmp6, action=2
5087 table=1 priority=100 in_port=2 icmp6, action=1
5088 dnl Drop everything else.
5089 table=1 priority=0, action=drop
5092 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5094 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
5095 dnl waiting, we get occasional failures due to the following error:
5096 dnl "connect: Cannot assign requested address"
5097 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
5099 OVS_START_L7([at_ns1], [ftp])
5101 dnl FTP requests from p0->p1 should work fine.
dnl No --no-passive-ftp here, so wget uses its default passive mode.
5102 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
5104 dnl Discards CLOSE_WAIT and CLOSING
dnl Two entries, both originated by the client: the data connection (no
dnl helper) and the control connection (helper=ftp).  In both, the reply
dnl direction targets the SNATted address fc00::240.
5105 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
5106 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
5107 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
5110 OVS_TRAFFIC_VSWITCHD_STOP
5113 AT_SETUP([conntrack - IPv6 FTP with SNAT - orig tuple])
dnl Active-mode FTP with SNAT again, but every TCP rule in table 1 keys on the
dnl conntrack original tuple (ct_nw_proto / ct_ipv6_src / ct_tp_dst) rather
dnl than on the packet headers, so one set of match fields identifies
dnl control, related and reply packets regardless of direction or NAT.
5114 AT_SKIP_IF([test $HAVE_FTP = no])
5116 CHECK_CONNTRACK_NAT()
5117 CHECK_CONNTRACK_ALG()
5118 OVS_TRAFFIC_VSWITCHD_START()
5120 ADD_NAMESPACES(at_ns0, at_ns1)
5122 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
5123 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
5124 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
5125 dnl Would be nice if NAT could translate neighbor discovery messages, too.
dnl fc00::240 is the SNAT address and lives on no interface, so ns1 gets a
dnl static neighbor entry pointing it at p0's MAC.
5126 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
5128 dnl Allow any traffic from ns0->ns1.
5129 dnl Only allow nd, return traffic from ns1->ns0.
5130 AT_DATA([flows.txt], [dnl
5131 dnl track all IPv6 traffic (this includes NAT & help to non-NEW packets.)
5132 table=0 priority=10 ip6, action=ct(nat,table=1)
5133 table=0 priority=0 action=drop
5137 dnl Allow other ICMPv6 both ways (without commit).
5138 table=1 priority=100 in_port=1 icmp6, action=2
5139 table=1 priority=100 in_port=2 icmp6, action=1
5140 dnl Allow new TCPv6 FTP control connections.
dnl +trk-inv: tracked and not invalid.  The ct_* fields describe the
dnl connection's original direction, which for the control connection is the
dnl pre-NAT client tuple fc00::1 -> port 21.
5141 table=1 priority=10 in_port=1 ct_state=+new+trk-inv tcp6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
5142 dnl Allow related TCPv6 connections from port 2 to the NATted address.
dnl NOTE(review): the +rel data connection is matched with the same
dnl ct_tp_dst=21, which presumes the datapath reports the parent (control)
dnl connection's tuple in ct_* for related packets -- confirm.
5143 table=1 priority=10 in_port=2 ct_state=+new+rel+trk-inv ipv6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=ct(commit,nat),1
5144 dnl Allow established TCPv6 connections both ways, enforce NATting
5145 table=1 priority=10 in_port=1 ct_state=+est+trk-inv ipv6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=2
5146 table=1 priority=10 in_port=2 ct_state=+est+trk-inv ipv6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=1
5147 dnl Drop everything else.
5148 table=1 priority=0, action=drop
5151 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5153 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
5154 dnl waiting, we get occasional failures due to the following error:
5155 dnl "connect: Cannot assign requested address"
5156 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
dnl The FTP server is daemonized directly (rather than via OVS_START_L7) and
dnl the test waits until netstat shows it listening.
5158 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
5159 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
5161 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode: the server opens the data connection
dnl back to the client, which is why the related rule above is on in_port=2.
5162 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
5164 dnl Discards CLOSE_WAIT and CLOSING
dnl Expected: the control connection (helper=ftp) from the client, and the
dnl server-originated data connection towards the SNATted address fc00::240,
dnl whose reply is translated back to fc00::1.
5165 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
5166 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
5167 tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
5170 OVS_TRAFFIC_VSWITCHD_STOP
5173 AT_SETUP([conntrack - IPv4 TFTP with SNAT])
dnl TFTP (UDP) through the tftp ALG with the client SNATted to 10.1.1.240.
dnl Unlike the FTP tests, table 0 only tracks (no nat); NAT for established
dnl packets is applied in table 1 via ct(nat,table=2) and table 2 then
dnl matches the translated headers before forwarding.
5174 AT_SKIP_IF([test $HAVE_TFTP = no])
5176 CHECK_CONNTRACK_NAT()
5177 CHECK_CONNTRACK_ALG()
5179 OVS_TRAFFIC_VSWITCHD_START()
5181 ADD_NAMESPACES(at_ns0, at_ns1)
dnl Fixed MACs and static ARP on both sides.  10.1.1.240 is configured on no
dnl interface, so ns1 needs an entry pointing it at p0's MAC.
5183 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
5184 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
5185 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
5187 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
5188 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
5189 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
5190 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.240 e6:66:c1:11:11:11])
5192 dnl Allow any traffic from ns0->ns1.
5193 AT_DATA([flows.txt], [dnl
5194 dnl track all IPv4 traffic.
5195 table=0 priority=10 ip, action=ct(table=1)
5196 dnl drop everything else.
5197 table=0 priority=0 action=drop
5200 dnl Allow ICMP both ways.
5201 table=1 priority=100 in_port=1 icmp, action=2
5202 table=1 priority=100 in_port=2 icmp, action=1
5204 dnl Allow new TFTP control connections.
dnl alg=tftp attaches the TFTP helper so the server's data transfer, which
dnl comes back from a different source port, is classified as +rel.
5205 table=1 in_port=1 ct_state=+new udp nw_src=10.1.1.1 tp_dst=69 action=ct(alg=tftp,commit,nat(src=10.1.1.240)),2
5206 dnl Allow related UDP connections from port 1.
5207 table=1 in_port=2 ct_state=+new+rel udp nw_src=10.1.1.2 action=ct(commit,nat),1
5208 dnl Allow established and NAT them.
dnl Headers are still pre-NAT here (table 0 did not translate), hence the
dnl match on 10.1.1.1; the translated packet is re-matched in table 2.
5209 table=1 in_port=1 ct_state=+est udp nw_src=10.1.1.1 action=ct(nat,table=2)
5210 table=1 in_port=2 ct_state=+est udp nw_src=10.1.1.2 action=ct(nat,table=2)
5212 table=1 priority=0, action=drop
dnl Post-NAT: client packets now carry src 10.1.1.240, server replies dst
dnl 10.1.1.1.  Anything not translated falls through to the table-miss.
5214 table=2 in_port=1 ct_state=+est udp nw_src=10.1.1.240 action=2
5215 table=2 in_port=2 ct_state=+est udp nw_dst=10.1.1.1 action=1
5218 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5220 dnl Check that the stacks are working, to avoid races.
5221 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null])
dnl A TFTP server is started in both namespaces.
5223 OVS_START_L7([at_ns0], [tftp])
5224 OVS_START_L7([at_ns1], [tftp])
5226 dnl TFTP requests from p0->p1 should work fine.
5227 NS_CHECK_EXEC([at_ns0], [[curl $CURL_OPT tftp://10.1.1.2/flows.txt -o foo 2>curl0.log]])
dnl Expected: the client's request (helper=tftp) with its reply going to the
dnl SNATted address, plus the server-originated transfer to 10.1.1.240.
5229 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
5230 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),helper=tftp
5231 udp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>)
5234 OVS_TRAFFIC_VSWITCHD_STOP
5237 AT_SETUP([conntrack - DNAT load balancing])
dnl Three HTTP backends (10.1.1.2/.3/.4) behind the virtual IP 10.1.1.64.  A
dnl select group DNATs each new connection to one bucket, and an OpenFlow ARP
dnl responder answers ARP for the VIP so the client needs no static entry.
5239 CHECK_CONNTRACK_NAT()
5240 OVS_TRAFFIC_VSWITCHD_START()
5242 ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4)
5244 ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
5245 ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
5246 ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
5247 ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
dnl Fixed per-port MACs; table 4 below rewrites eth_dst to these directly
dnl instead of relying on MAC learning.
5248 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
5249 NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
5250 NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
5251 NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
5253 dnl Select group for load balancing. One bucket per server. Each bucket
5254 dnl tracks and NATs the connection and recirculates to table 4 for egress
5255 dnl routing. Packets of existing connections are always NATted based on
5256 dnl connection state, only new connections are NATted according to the
5257 dnl specific NAT parameters in each bucket.
dnl Equal weight=100 on every bucket; the conntrack check below only needs
dnl each backend to have received at least one of the connections.
5258 AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])
5260 AT_DATA([flows.txt], [dnl
5261 dnl Track connections to the virtual IP address.
5262 table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
5263 dnl All other IP traffic is allowed but the connection state is not committed.
5264 table=0 priority=90 ip action=ct(table=4,nat)
5266 dnl Allow ARP, but generate responses for virtual addresses
dnl ARP requests: copy the target IP into reg2, resolve it in table 8 (which
dnl leaves a MAC or 0 in OXM_OF_PKT_REG0), then answer or flood in table 10.
5267 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
5268 table=0 priority=10 arp action=normal
5269 table=0 priority=0 action=drop
dnl Egress: destination MAC is rewritten to the fixed per-port address and the
dnl packet is output directly.
5273 table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
5274 table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
5275 table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
5276 table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
5277 table=4 priority=0 action=drop
5279 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, the VIP; 80:88:88:88:88:88 is a synthetic MAC
dnl that belongs to none of the ports.
5280 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
5281 dnl Zero result means not found.
5282 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
5283 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl xreg0 is the 64-bit register that OXM_OF_PKT_REG0 names; zero means "not a
dnl virtual address", so the request is flooded as usual.
5285 table=10 priority=100 arp xreg0=0 action=normal
5286 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is saved to reg3 and then cleared before output, so the reply can
dnl go back out of the port it arrived on (output to in_port is otherwise
dnl suppressed).
5287 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
dnl Catch-all.  Table 0 only steers ARP requests here, so this is not expected
dnl to be hit in this test.
5288 table=10 priority=0 action=controller
5291 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5293 dnl Start web servers
5294 OVS_START_L7([at_ns2], [http])
5295 OVS_START_L7([at_ns3], [http])
5296 OVS_START_L7([at_ns4], [http])
dnl Diagnostics dumped at test exit; their output is not checked.
5298 on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
5299 on_exit 'ovs-appctl revalidator/purge'
5300 on_exit 'ovs-appctl dpif/dump-flows br0'
5302 dnl Should work with the virtual IP address through NAT
dnl Twelve separate TCP connections, so the select group picks a bucket per
dnl connection.
5303 for i in 1 2 3 4 5 6 7 8 9 10 11 12; do
5305 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget$i.log])
5308 dnl Each server should have at least one connection.
dnl Every entry has the VIP as original destination and one backend as reply
dnl source; FORMAT_CT is expected to collapse duplicates per backend.
5309 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
5310 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
5311 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.3,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
5312 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
dnl Unchecked diagnostic dumps for the test log.
5315 ovs-appctl dpif/dump-flows br0
5316 ovs-appctl revalidator/purge
5317 ovs-ofctl -O OpenFlow15 dump-flows br0
5318 ovs-ofctl -O OpenFlow15 dump-group-stats br0
5320 OVS_TRAFFIC_VSWITCHD_STOP
5324 AT_SETUP([conntrack - DNAT load balancing with NC])
dnl Same VIP/select-group setup as the wget variant, with a second client
dnl (at_ns5) and nc using explicit source ports, so both clients open
dnl connections that differ only in source address.
5325 AT_SKIP_IF([test $HAVE_NC = no])
5327 CHECK_CONNTRACK_NAT()
5328 OVS_TRAFFIC_VSWITCHD_START()
5330 ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4, at_ns5)
5332 ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
5333 ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
5334 ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
5335 ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
5336 ADD_VETH(p5, at_ns5, br0, "10.1.1.5/24")
dnl Fixed per-port MACs, used verbatim by the eth_dst rewrites in table 4.
5337 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
5338 NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
5339 NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
5340 NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
5341 NS_CHECK_EXEC([at_ns5], [ip link set dev p5 address 80:88:88:88:88:55])
5343 dnl Select group for load balancing. One bucket per server. Each bucket
5344 dnl tracks and NATs the connection and recirculates to table 4 for egress
5345 dnl routing. Packets of existing connections are always NATted based on
5346 dnl connection state, only new connections are NATted according to the
5347 dnl specific NAT parameters in each bucket.
dnl Only .2/.3/.4 are backends; .5 is a client and has no bucket.
5348 AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])
5350 AT_DATA([flows.txt], [dnl
5351 dnl Track connections to the virtual IP address.
5352 table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
5353 dnl All other IP traffic is allowed but the connection state is not committed.
5354 table=0 priority=90 ip action=ct(table=4,nat)
5356 dnl Allow ARP, but generate responses for virtual addresses
dnl ARP requests: target IP -> reg2, resolve in table 8, answer/flood in 10.
5357 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
5358 table=0 priority=10 arp action=normal
5359 table=0 priority=0 action=drop
dnl Egress routing by destination IP; the extra .5 entry carries return
dnl traffic to the second client.
5363 table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
5364 table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
5365 table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
5366 table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
5367 table=4,ip,nw_dst=10.1.1.5 action=mod_dl_dst:80:88:88:88:88:55,output:5
5368 table=4 priority=0 action=drop
5370 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64 (the VIP); the MAC is synthetic.
5371 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
5372 dnl Zero result means not found.
5373 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
5374 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
5376 table=10 priority=100 arp xreg0=0 action=normal
5377 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl in_port is parked in reg3 and zeroed so the reply can be output on the
dnl ingress port.
5378 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
5379 table=10 priority=0 action=controller
5382 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5384 dnl Start web servers
5385 OVS_START_L7([at_ns2], [http])
5386 OVS_START_L7([at_ns3], [http])
5387 OVS_START_L7([at_ns4], [http])
dnl Diagnostics at test exit; output is not checked.
5389 on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
5390 on_exit 'ovs-appctl revalidator/purge'
5391 on_exit 'ovs-appctl dpif/dump-flows br0'
5395 dnl Should work with the virtual IP address through NAT
dnl Both clients use source port 4100$i for iteration $i, so the two
dnl connections of each round collide on every tuple field except source
dnl address -- presumably to exercise the NAT/select mapping on the full
dnl 5-tuple; confirm against the checks that follow the loop.
5396 for i in 1 2 3 4 5 6 7 8 9; do
5398 NS_CHECK_EXEC([at_ns1], [echo "TEST1" | nc -p 4100$i 10.1.1.64 80 > nc-1-$i.log])
5399 NS_CHECK_EXEC([at_ns5], [echo "TEST5" | nc -p 4100$i 10.1.1.64 80 > nc-5-$i.log])
dnl Unchecked diagnostic dumps for the test log.
5404 ovs-appctl dpif/dump-flows br0
5405 ovs-appctl revalidator/purge
5406 ovs-ofctl -O OpenFlow15 dump-flows br0
5407 ovs-ofctl -O OpenFlow15 dump-group-stats br0
5409 OVS_TRAFFIC_VSWITCHD_STOP
5412 AT_SETUP([conntrack - floating IP])
dnl Floating-IP (FIP) translation done with set_field rather than ct NAT.
dnl After the 5-tuple is rewritten, the pipeline runs ct_clear and a fresh
dnl ct() so the translated tuple is tracked and committed as its own
dnl connection; the TIME_WAIT checks at the end verify that this happened.
5413 AT_SKIP_IF([test $HAVE_NC = no])
5415 OVS_TRAFFIC_VSWITCHD_START()
5416 OVS_CHECK_CT_CLEAR()
5418 ADD_NAMESPACES(at_ns0, at_ns1)
dnl Explicit MACs so the eth_src/eth_dst rewrites in tables 20/21 can be
dnl static.
5419 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24", "f0:00:00:01:01:01") dnl FIP 10.254.254.1
5420 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24", "f0:00:00:01:01:02") dnl FIP 10.254.254.2
5423 NS_CHECK_EXEC([at_ns0], [ip neigh add 10.1.1.2 lladdr f0:00:00:01:01:02 dev p0])
5424 NS_CHECK_EXEC([at_ns1], [ip neigh add 10.1.1.1 lladdr f0:00:00:01:01:01 dev p1])
5426 dnl Static ARP and route entries for the FIP "gateway"
dnl There is no real gateway host: 10.1.1.254 / f0:00:00:01:01:FE only exists
dnl in these entries and in the eth_src rewrite of table 20, so FIP-bound
dnl traffic leaves the namespace and is handled entirely by the flows.
5427 NS_CHECK_EXEC([at_ns0], [ip neigh add 10.1.1.254 lladdr f0:00:00:01:01:FE dev p0])
5428 NS_CHECK_EXEC([at_ns1], [ip neigh add 10.1.1.254 lladdr f0:00:00:01:01:FE dev p1])
5429 NS_CHECK_EXEC([at_ns0], [ip route add default nexthop via 10.1.1.254])
5430 NS_CHECK_EXEC([at_ns1], [ip route add default nexthop via 10.1.1.254])
dnl TCP listener in ns0 on port 1234; -k keeps it serving across connections.
5432 NETNS_DAEMONIZE([at_ns0], [nc -l -k 1234 > /dev/null], [nc0.pid])
5434 AT_DATA([flows.txt], [dnl
5435 table=0,priority=10 ip action=ct(table=1)
5436 table=0,priority=1 action=drop
dnl Traffic to the FIP range goes through translation (tables 10-13);
dnl everything else is committed as-is and forwarded via table 20.
5438 table=1,priority=20 ip,ct_state=+trk+est,nw_dst=10.254.254.0/24 action=goto_table:10
5439 table=1,priority=20 ip,ct_state=+trk+new,nw_dst=10.254.254.0/24 action=ct(commit,table=10)
5441 table=1,priority=10 ip,ct_state=+trk+est action=goto_table:20
5442 table=1,priority=10 ip,ct_state=+trk+new action=ct(commit,table=20)
5443 table=1,priority=1 ip,ct_state=+trk+inv action=drop
5445 dnl FIP translation (dst FIP, src local) --> (dst local, src FIP)
5446 table=10 ip,nw_dst=10.254.254.1 action=set_field:10.1.1.1->nw_dst,goto_table:11
5447 table=10 ip,nw_dst=10.254.254.2 action=set_field:10.1.1.2->nw_dst,goto_table:11
5448 table=11 ip,nw_src=10.1.1.1 action=set_field:10.254.254.1->nw_src,goto_table:12
5449 table=11 ip,nw_src=10.1.1.2 action=set_field:10.254.254.2->nw_src,goto_table:12
5450 dnl clear conntrack and do another lookup since we changed the tuple
dnl Without ct_clear the ct_state from the pre-translation lookup would still
dnl be attached to the packet and the rewritten tuple would never be
dnl committed.
5451 table=12,priority=10 ip action=ct_clear,ct(table=13)
5452 table=12,priority=1 action=drop
5453 table=13 ip,ct_state=+trk+est action=goto_table:20
5454 table=13 ip,ct_state=+trk+new action=ct(commit,table=20)
5455 table=13 ip,ct_state=+trk+inv action=drop
dnl L2 rewrite and output by port name: source MAC from the (possibly
dnl translated) source IP, destination MAC from the local destination IP.
5458 table=20 ip,nw_src=10.1.1.1 action=set_field:f0:00:00:01:01:01->eth_src,goto_table:21
5459 table=20 ip,nw_src=10.1.1.2 action=set_field:f0:00:00:01:01:02->eth_src,goto_table:21
5460 table=20 ip,nw_src=10.254.254.0/24 action=set_field:f0:00:00:01:01:FE->eth_src,goto_table:21
5461 table=21 ip,nw_dst=10.1.1.1 action=set_field:f0:00:00:01:01:01->eth_dst,output:ovs-p0
5462 table=21 ip,nw_dst=10.1.1.2 action=set_field:f0:00:00:01:01:02->eth_dst,output:ovs-p1
5465 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Baseline: a direct (non-FIP) session must reach TIME_WAIT in conntrack.
5468 NS_CHECK_EXEC([at_ns1], [echo "foobar" |nc $NC_EOF_OPT 10.1.1.1 1234])
5469 OVS_WAIT_UNTIL([[ovs-appctl dpctl/dump-conntrack | sed -e 's/port=[0-9]*/port=<cleared>/g' -e 's/id=[0-9]*/id=<cleared>/g' |
5470 grep "tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)"
5473 dnl Check that the full session ends as expected (i.e. TIME_WAIT). Otherwise it
5474 dnl means the datapath didn't process the ct_clear action. Ending in SYN_RECV
5475 dnl (OVS maps to ESTABLISHED) means the initial frame was committed, but not a
5476 dnl second time after the FIP translation (because ct_clear didn't occur).
dnl The entry looked for is the translated tuple (src FIP 10.254.254.2), not
dnl the one the client actually sent.
5477 NS_CHECK_EXEC([at_ns1], [echo "foobar" |nc $NC_EOF_OPT 10.254.254.1 1234])
5478 OVS_WAIT_UNTIL([[ovs-appctl dpctl/dump-conntrack | sed -e 's/port=[0-9]*/port=<cleared>/g' -e 's/id=[0-9]*/id=<cleared>/g' |
5479 grep "tcp,orig=(src=10.254.254.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.254.254.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)"
5482 OVS_TRAFFIC_VSWITCHD_STOP
dnl Tests for stacked VLAN tags (802.1ad S-VLAN over 802.1Q C-VLAN) follow.
5485 AT_BANNER([802.1ad])
5487 AT_SETUP([802.1ad - vlan_limit])
dnl vlan-limit controls how many VLAN headers OVS parses.  With 0 (no limit)
dnl a double-tagged ping works under "normal"; after switching to 1 only the
dnl outer tag is parsed, so the inner 802.1Q tag is seen as the payload
dnl dl_type (0x8100) and the drop flow added below catches it.
5488 OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
5491 ADD_NAMESPACES(at_ns0, at_ns1)
5493 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
5494 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl S-VLAN 4094 on the veth, C-VLAN 100 stacked on top of it.
5496 ADD_SVLAN(p0, at_ns0, 4094, "10.255.2.1/24")
5497 ADD_SVLAN(p1, at_ns1, 4094, "10.255.2.2/24")
5499 ADD_CVLAN(p0.4094, at_ns0, 100, "10.2.2.1/24")
5500 ADD_CVLAN(p1.4094, at_ns1, 100, "10.2.2.2/24")
5502 AT_CHECK([ovs-ofctl add-flow br0 "priority=1 action=normal"])
5504 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])
5506 dnl CVLAN traffic should match the flow and drop
dnl The purge discards cached datapath flows installed under the old setting,
dnl presumably so they cannot mask the configuration change -- confirm.
5507 AT_CHECK([ovs-appctl revalidator/purge])
5508 AT_CHECK([ovs-vsctl set Open_vSwitch . other_config:vlan-limit=1])
5509 AT_CHECK([ovs-ofctl add-flow br0 "priority=100 dl_type=0x8100 action=drop"])
dnl Expected exit status 1: the ping must now fail.
5510 NS_CHECK_EXEC([at_ns0], [ping -q -c 1 -w 3 10.2.2.2], [1], [ignore])
5512 OVS_TRAFFIC_VSWITCHD_STOP
5516 AT_SETUP([802.1ad - push/pop outer 802.1ad])
dnl Provider/customer topology: br0 is the provider bridge, br1 and br2 are
dnl customer bridges attached to it over veth pairs.  br0 pushes an outer
dnl 0x88a8 tag (VID 4094) between its two ports; each customer bridge pops
dnl whatever tag arrives from br0 and then switches normally.
dnl The creation of br1 and br2 is not visible in this listing.
5517 OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
5522 ADD_NAMESPACES(at_ns0, at_ns1)
dnl ovs-p0 (br0) <-> ovs-p1 (br1); deleting one end of a veth pair removes
dnl both.
5524 AT_CHECK([ip link add ovs-p0 type veth peer name ovs-p1])
5525 AT_CHECK([ip link set dev ovs-p0 up])
5526 AT_CHECK([ip link set dev ovs-p1 up])
5527 AT_CHECK([ovs-vsctl add-port br0 ovs-p0])
5528 AT_CHECK([ovs-vsctl add-port br1 ovs-p1])
5529 on_exit 'ip link del ovs-p0'
dnl ovs-p2 (br0) <-> ovs-p3 (br2).
5531 AT_CHECK([ip link add ovs-p2 type veth peer name ovs-p3])
5532 AT_CHECK([ip link set dev ovs-p2 up])
5533 AT_CHECK([ip link set dev ovs-p3 up])
5534 AT_CHECK([ovs-vsctl add-port br0 ovs-p2])
5535 AT_CHECK([ovs-vsctl add-port br2 ovs-p3])
5536 on_exit 'ip link del ovs-p2'
dnl Namespaced endpoints hang off the customer bridges; the ping below uses
dnl the C-VLAN 100 addresses.
5538 ADD_VETH(p4, at_ns0, br1, "10.1.1.1/24")
5539 ADD_VETH(p5, at_ns1, br2, "10.1.1.2/24")
5540 ADD_CVLAN(p4, at_ns0, 100, "10.2.2.1/24")
5541 ADD_CVLAN(p5, at_ns1, 100, "10.2.2.2/24")
5543 AT_DATA([flows-br0.txt], [dnl
5544 priority=1 action=drop
5545 priority=100 in_port=1 action=push_vlan:0x88a8,mod_vlan_vid=4094,output:2
5546 priority=100 in_port=2 action=push_vlan:0x88a8,mod_vlan_vid=4094,output:1
dnl vlan_tci=0x1000/0x1000 matches any VLAN-tagged frame.  in_port=1 is
dnl assumed to be the veth link to br0 (first port added to the bridge).
5549 AT_DATA([flows-customer-br.txt], [dnl
5550 priority=1 action=normal
5551 priority=100 in_port=1 vlan_tci=0x1000/0x1000 action=pop_vlan,normal
5554 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
5555 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-customer-br.txt])
5556 AT_CHECK([ovs-ofctl --bundle add-flows br2 flows-customer-br.txt])
5558 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])
5560 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
5561 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Oversized payload (-s 1600) exercises fragmentation with the extra tags.
5564 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
5565 3 packets transmitted, 3 received, 0% packet loss, time 0ms
5568 OVS_TRAFFIC_VSWITCHD_STOP
5572 AT_SETUP([802.1ad - push/pop outer 802.1q])
dnl Identical to the previous test except that the provider bridge pushes an
dnl outer 0x8100 (802.1Q) tag instead of 0x88a8, i.e. Q-in-Q with two
dnl 802.1Q tags.  The creation of br1 and br2 is not visible in this listing.
5573 OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
5578 ADD_NAMESPACES(at_ns0, at_ns1)
dnl ovs-p0 (br0) <-> ovs-p1 (br1).
5580 AT_CHECK([ip link add ovs-p0 type veth peer name ovs-p1])
5581 AT_CHECK([ip link set dev ovs-p0 up])
5582 AT_CHECK([ip link set dev ovs-p1 up])
5583 AT_CHECK([ovs-vsctl add-port br0 ovs-p0])
5584 AT_CHECK([ovs-vsctl add-port br1 ovs-p1])
5585 on_exit 'ip link del ovs-p0'
dnl ovs-p2 (br0) <-> ovs-p3 (br2).
5587 AT_CHECK([ip link add ovs-p2 type veth peer name ovs-p3])
5588 AT_CHECK([ip link set dev ovs-p2 up])
5589 AT_CHECK([ip link set dev ovs-p3 up])
5590 AT_CHECK([ovs-vsctl add-port br0 ovs-p2])
5591 AT_CHECK([ovs-vsctl add-port br2 ovs-p3])
5592 on_exit 'ip link del ovs-p2'
5594 ADD_VETH(p4, at_ns0, br1, "10.1.1.1/24")
5595 ADD_VETH(p5, at_ns1, br2, "10.1.1.2/24")
5596 ADD_CVLAN(p4, at_ns0, 100, "10.2.2.1/24")
5597 ADD_CVLAN(p5, at_ns1, 100, "10.2.2.2/24")
5599 AT_DATA([flows-br0.txt], [dnl
5600 priority=1 action=drop
5601 priority=100 in_port=1 action=push_vlan:0x8100,mod_vlan_vid=4094,output:2
5602 priority=100 in_port=2 action=push_vlan:0x8100,mod_vlan_vid=4094,output:1
dnl vlan_tci=0x1000/0x1000 matches any VLAN-tagged frame arriving from br0.
5605 AT_DATA([flows-customer-br.txt], [dnl
5606 priority=1 action=normal
5607 priority=100 in_port=1 vlan_tci=0x1000/0x1000 action=pop_vlan,normal
5610 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
5611 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-customer-br.txt])
5612 AT_CHECK([ovs-ofctl --bundle add-flows br2 flows-customer-br.txt])
5614 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])
5616 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
5617 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Oversized payload (-s 1600) exercises fragmentation with the extra tags.
5620 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
5621 3 packets transmitted, 3 received, 0% packet loss, time 0ms
5624 OVS_TRAFFIC_VSWITCHD_STOP
5628 AT_SETUP([802.1ad - 802.1q tunnel])
dnl Same provider/customer topology, but the S-tag is applied by port
dnl configuration (vlan_mode=dot1q-tunnel) rather than by explicit push/pop
dnl flows, and the cvlans list restricts which customer VLANs are carried.
dnl The creation of br1 and br2 is not visible in this listing.
5629 OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
5634 ADD_NAMESPACES(at_ns0, at_ns1)
dnl ovs-p0 (br0) <-> ovs-p1 (br1).
5636 AT_CHECK([ip link add ovs-p0 type veth peer name ovs-p1])
5637 AT_CHECK([ip link set dev ovs-p0 up])
5638 AT_CHECK([ip link set dev ovs-p1 up])
5639 AT_CHECK([ovs-vsctl add-port br0 ovs-p0])
5640 AT_CHECK([ovs-vsctl add-port br1 ovs-p1])
5641 on_exit 'ip link del ovs-p0'
dnl ovs-p2 (br0) <-> ovs-p3 (br2).
5643 AT_CHECK([ip link add ovs-p2 type veth peer name ovs-p3])
5644 AT_CHECK([ip link set dev ovs-p2 up])
5645 AT_CHECK([ip link set dev ovs-p3 up])
5646 AT_CHECK([ovs-vsctl add-port br0 ovs-p2])
5647 AT_CHECK([ovs-vsctl add-port br2 ovs-p3])
5648 on_exit 'ip link del ovs-p2'
dnl Three C-VLANs per endpoint; only 100 and 200 are admitted by the tunnel
dnl ports below, 300 is the negative case.
5650 ADD_VETH(p4, at_ns0, br1, "10.1.1.1/24")
5651 ADD_VETH(p5, at_ns1, br2, "10.1.1.2/24")
5652 ADD_CVLAN(p4, at_ns0, 100, "10.2.2.1/24")
5653 ADD_CVLAN(p5, at_ns1, 100, "10.2.2.2/24")
5654 ADD_CVLAN(p4, at_ns0, 200, "10.3.2.1/24")
5655 ADD_CVLAN(p5, at_ns1, 200, "10.3.2.2/24")
5656 ADD_CVLAN(p4, at_ns0, 300, "10.4.2.1/24")
5657 ADD_CVLAN(p5, at_ns1, 300, "10.4.2.2/24")
5659 AT_CHECK([ovs-ofctl add-flow br0 action=normal])
5660 AT_CHECK([ovs-ofctl add-flow br1 action=normal])
5661 AT_CHECK([ovs-ofctl add-flow br2 action=normal])
dnl The br0-side ports push/pop S-tag 4094 and allow only C-VLANs 100,200.
5662 AT_CHECK([ovs-vsctl set port ovs-p0 vlan_mode=dot1q-tunnel tag=4094 cvlans=100,200])
5663 AT_CHECK([ovs-vsctl set port ovs-p2 vlan_mode=dot1q-tunnel tag=4094 cvlans=100,200])
5665 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])
5666 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.3.2.2])
5668 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
5669 3 packets transmitted, 3 received, 0% packet loss, time 0ms
5672 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.3.2.2 | FORMAT_PING], [0], [dnl
5673 3 packets transmitted, 3 received, 0% packet loss, time 0ms
5676 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
5677 3 packets transmitted, 3 received, 0% packet loss, time 0ms
5680 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.3.2.2 | FORMAT_PING], [0], [dnl
5681 3 packets transmitted, 3 received, 0% packet loss, time 0ms
5684 dnl CVLAN 300 is not permitted by dot1q-tunnel
dnl Expected exit status 1: the ping on C-VLAN 300 must fail.
5685 NS_CHECK_EXEC([at_ns0], [ping -q -c 1 -w 3 10.4.2.2], [1], [ignore])
dnl The dropped C-VLAN 300 (and untagged) frames produce a warning in the
dnl vswitchd log; the sed expression filters it so the log check stays clean.
5687 OVS_TRAFFIC_VSWITCHD_STOP(["/dropping VLAN \(0\|300\) packet received on dot1q-tunnel port/d"])
5690 AT_SETUP([802.1ad - double vlan match])
dnl Matches on both tags of a double-tagged frame in a two-table pipeline:
dnl table 0 matches the outer VID 4094 and pops it, table 1 then matches the
dnl now-outer C-VLAN 100, pushes a fresh 0x88a8/4094 tag and switches
dnl normally.
5691 OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
5694 ADD_NAMESPACES(at_ns0, at_ns1)
5696 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
5697 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl S-VLAN 4094 on the veth, C-VLAN 100 stacked on top of it.
5699 ADD_SVLAN(p0, at_ns0, 4094, "10.255.2.1/24")
5700 ADD_SVLAN(p1, at_ns1, 4094, "10.255.2.2/24")
5702 ADD_CVLAN(p0.4094, at_ns0, 100, "10.2.2.1/24")
5703 ADD_CVLAN(p1.4094, at_ns1, 100, "10.2.2.2/24")
5705 AT_DATA([flows-br0.txt], [dnl
5706 table=0,priority=1 action=drop
5707 table=0,priority=100 dl_vlan=4094 action=pop_vlan,goto_table:1
5708 table=1,priority=100 dl_vlan=100 action=push_vlan:0x88a8,mod_vlan_vid:4094,normal
5710 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
5712 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])
5714 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
5715 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Oversized payload (-s 1600) exercises fragmentation with the extra tags.
5718 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
5719 3 packets transmitted, 3 received, 0% packet loss, time 0ms
5722 OVS_TRAFFIC_VSWITCHD_STOP
dnl Network Service Header (NSH, ethertype 0x894f) encap/decap tests follow.
5726 AT_BANNER([nsh-datapath])
5728 AT_SETUP([nsh - encap header])
dnl Injects a raw TCP SYN on p0 and checks, via a tcpdump capture on the
dnl egress veth, that it leaves ovs-p1 wrapped in eth/NSH(MD type 1)/eth.
5729 OVS_TRAFFIC_VSWITCHD_START()
5731 ADD_NAMESPACES(at_ns0, at_ns1)
dnl No IP addresses are needed: the frames are hand-built and matched by hex.
5733 ADD_VETH(p0, at_ns0, br0, "0.0.0.0")
5734 ADD_VETH(p1, at_ns1, br0, "0.0.0.0")
5736 dnl The flow will encap a nsh header to the TCP syn packet
5737 dnl eth/ip/tcp --> OVS --> eth/nsh/eth/ip/tcp
dnl Fields set after the encap: SPI 0x1234 and context C1 0x11223344 in the
dnl NSH header, then a new outer Ethernet header with fixed f2:ff:... MACs.
5738 AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,in_port=ovs-p0,ip,actions=encap(nsh(md_type=1)),set_field:0x1234->nsh_spi,set_field:0x11223344->nsh_c1,encap(ethernet),set_field:f2:ff:00:00:00:02->dl_dst,set_field:f2:ff:00:00:00:01->dl_src,ovs-p1"])
dnl Background capture on the egress side (-U: flush per packet).
dnl NOTE(review): the capture must be running before sendpkt.py fires; any
dnl wait between the two steps is not shown here -- confirm.
5741 tcpdump -U -i ovs-p1 -w ovs-p1.pcap &
5744 dnl The hex dump is a TCP syn packet. pkt=eth/ip/tcp
5745 dnl The packet is sent from p0(at_ns0) interface directed to
5746 dnl p1(at_ns1) interface
dnl Decoded: dst f2:00:00:00:00:02, src f2:00:00:00:00:01, IPv4 (total length
dnl 0x28, proto 6) 192.168.0.10 -> 10.0.0.10, TCP 1024 -> 2048, flags SYN.
5747 NS_CHECK_EXEC([at_ns0], [$PYTHON $srcdir/sendpkt.py p0 f2 00 00 00 00 02 f2 00 00 00 00 01 08 00 45 00 00 28 00 01 00 00 40 06 b0 13 c0 a8 00 0a 0a 00 00 0a 04 00 08 00 00 00 00 c8 00 00 00 00 50 02 20 00 b8 5e 00 00 > /dev/null])
5751 dnl Check the expected nsh encapsulated packet on the egress interface
dnl Outer Ethernet with the f2:ff MACs, ethertype 0x894f (NSH), then the NSH
dnl base header 0x0fc6 (version 0, TTL 63, length 6 words).
dnl NOTE(review): egrep is deprecated in recent GNU grep; grep -E is the
dnl portable spelling.
5752 AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0000: *f2ff *0000 *0002 *f2ff *0000 *0001 *894f *0fc6" 2>&1 1>/dev/null])
dnl MD type 1, next protocol 3 (Ethernet); service path header SPI 0x001234,
dnl SI 0xff (SI was not set by the flow); C1 = 0x11223344, C2 starts at 0.
5753 AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0010: *0103 *0012 *34ff *1122 *3344 *0000 *0000 *0000" 2>&1 1>/dev/null])
dnl Remaining zero context words, then the original inner Ethernet header.
5754 AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0020: *0000 *0000 *0000 *f200 *0000 *0002 *f200 *0000" 2>&1 1>/dev/null])
5755 AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0030: *0001 *0800 *4500 *0028 *0001 *0000 *4006 *b013" 2>&1 1>/dev/null])
5756 AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0040: *c0a8 *000a *0a00 *000a *0400 *0800 *0000 *00c8" 2>&1 1>/dev/null])
5757 AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0050: *0000 *0000 *5002 *2000 *b85e *0000" 2>&1 1>/dev/null])
5760 OVS_TRAFFIC_VSWITCHD_STOP
5763 AT_SETUP([nsh - decap header])
dnl Inverse of the encap test: an eth/NSH/eth/ip/tcp frame is injected on p0
dnl and the bare inner eth/ip/tcp frame is expected on ovs-p1.
5764 OVS_TRAFFIC_VSWITCHD_START()
5766 ADD_NAMESPACES(at_ns0, at_ns1)
dnl No IP addresses are needed: the frames are hand-built and matched by hex.
5768 ADD_VETH(p0, at_ns0, br0, "0.0.0.0")
5769 ADD_VETH(p1, at_ns1, br0, "0.0.0.0")
5771 dnl The flow will decap a nsh header which in turn carries a TCP syn packet
5772 dnl eth/nsh/eth/ip/tcp --> OVS --> eth/ip/tcp
dnl Two decap() actions: the first strips the outer Ethernet header, the
dnl second the NSH header.  The match is on the NSH ethertype only.
5773 AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,in_port=ovs-p0,dl_type=0x894f, actions=decap(),decap(), ovs-p1"])
dnl Background capture on the egress side (-U: flush per packet).
dnl NOTE(review): the capture must be running before sendpkt.py fires; any
dnl wait between the two steps is not shown here -- confirm.
5776 tcpdump -U -i ovs-p1 -w ovs-p1.pcap &
5779 dnl The hex dump is NSH packet with TCP syn payload. pkt=eth/nsh/eth/ip/tcp
5780 dnl The packet is sent from p0(at_ns0) interface directed to
5781 dnl p1(at_ns1) interface
dnl Decoded: outer Ethernet f2:ff:00:00:00:01 -> f2:ff:00:00:00:02, ethertype
dnl 0x894f; NSH base header 0x0206 (version 0, TTL 8, length 6 words), MD
dnl type 1, next protocol 3, SPI 0x000064, SI 3, context bytes 01..10; then
dnl the same inner TCP SYN frame used by the encap test.
5782 NS_CHECK_EXEC([at_ns0], [$PYTHON $srcdir/sendpkt.py p0 f2 ff 00 00 00 02 f2 ff 00 00 00 01 89 4f 02 06 01 03 00 00 64 03 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 f2 00 00 00 00 02 f2 00 00 00 00 01 08 00 45 00 00 28 00 01 00 00 40 06 b0 13 c0 a8 00 0a 0a 00 00 0a 04 00 08 00 00 00 00 c8 00 00 00 00 50 02 20 00 b8 5e 00 00 > /dev/null])
5786 dnl Check the expected de-capsulated TCP packet on the egress interface
dnl The capture must start directly with the inner Ethernet header
dnl (f2:00:... MACs, ethertype 0x0800) followed by the IPv4/TCP bytes.
dnl NOTE(review): egrep is deprecated in recent GNU grep; grep -E is the
dnl portable spelling.
5787 AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0000: *f200 *0000 *0002 *f200 *0000 *0001 *0800 *4500" 2>&1 1>/dev/null])
5788 AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0010: *0028 *0001 *0000 *4006 *b013 *c0a8 *000a *0a00" 2>&1 1>/dev/null])
5789 AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0020: *000a *0400 *0800 *0000 *00c8 *0000 *0000 *5002" 2>&1 1>/dev/null])
5790 AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | egrep "0x0030: *2000 *b85e *0000" 2>&1 1>/dev/null])
5793 OVS_TRAFFIC_VSWITCHD_STOP
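AT_SETUP([nsh - replace header])
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1)

dnl Placeholder addresses only: this test injects and inspects raw frames,
dnl it never relies on IP connectivity between the namespaces.
ADD_VETH(p0, at_ns0, br0, "0.0.0.0")
ADD_VETH(p1, at_ns1, br0, "0.0.0.0")

dnl The flow will decap a nsh header and encap a new nsh header
dnl eth/nsh-X/eth/ip/tcp --> OVS --> eth/nsh-Y/eth/ip/tcp
dnl The flow will add another NSH header with nsh_spi=0x101, nsh_si=4,
dnl nsh_ttl=7 and change the md1 context
dnl Only frames from ovs-p0 carrying NSH with SPI 0x100 / SI 3 match; the
dnl two decap() actions strip the outer Ethernet and the old NSH header,
dnl the encap(nsh)/set_field sequence builds the new one, and
dnl encap(ethernet) plus the dl_dst/dl_src set_fields rebuild the outer
dnl Ethernet header before output to ovs-p1.
AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,in_port=ovs-p0,dl_type=0x894f,nsh_spi=0x100,nsh_si=0x03,actions=decap(),decap(),encap(nsh(md_type=1)),set_field:0x07->nsh_ttl,set_field:0x0101->nsh_spi,set_field:0x04->nsh_si,set_field:0x100f0e0d->nsh_c1,set_field:0x0c0b0a09->nsh_c2,set_field:0x08070605->nsh_c3,set_field:0x04030201->nsh_c4,encap(ethernet),set_field:f2:ff:00:00:00:02->dl_dst,set_field:f2:ff:00:00:00:01->dl_src,ovs-p1"])

dnl Capture on the bridge side of p1 so the rewritten frame is recorded
dnl exactly as OVS emits it (-U flushes each packet to the pcap immediately).
tcpdump -U -i ovs-p1 -w ovs-p1.pcap &

dnl The hex dump is NSH packet with TCP syn payload. pkt=eth/nsh/eth/ip/tcp
dnl The nsh_ttl is 8, nsh_spi is 0x100 and nsh_si is 3
dnl   nsh base header 02 06 01 03: ver 0, TTL 8, length 6 words, MD type 1,
dnl   next protocol 3 (Ethernet); service path 00 01 00 03: SPI 0x100, SI 3;
dnl   followed by 16 bytes of MD type 1 context (01 .. 10)
dnl The packet is sent from p0(at_ns0) interface directed to
dnl p1(at_ns1) interface
NS_CHECK_EXEC([at_ns0], [$PYTHON $srcdir/sendpkt.py p0 f2 ff 00 00 00 02 f2 ff 00 00 00 01 89 4f 02 06 01 03 00 01 00 03 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 f2 00 00 00 00 02 f2 00 00 00 00 01 08 00 45 00 00 28 00 01 00 00 40 06 b0 13 c0 a8 00 0a 0a 00 00 0a 04 00 08 00 00 00 00 c8 00 00 00 00 50 02 20 00 b8 5e 00 00 > /dev/null])

dnl Check the expected NSH packet with new fields in the header:
dnl   0x0000: outer eth unchanged, base header 01c6 = TTL 7, length 6 words
dnl   0x0010: MD type 1, next protocol 3, SPI 0x000101, SI 4, c1 0x100f0e0d,
dnl           c2 0x0c0b0a09, start of c3
dnl   0x0020: rest of c3 (0x08070605), c4 0x04030201, then the inner eth
dnl The 0x0000 pattern previously read "*0000* 0001" (misplaced star); it
dnl only matched because tcpdump separates words with a single space. It is
dnl written "*0000 *0001" here like every other pattern in the file.
dnl grep -E is used instead of egrep: recent GNU grep warns on stderr that
dnl egrep is obsolescent, and the 2>&1 below would turn that warning into
dnl unexpected stdout and fail the check.
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0000: *f2ff *0000 *0002 *f2ff *0000 *0001 *894f *01c6" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0010: *0103 *0001 *0104 *100f *0e0d *0c0b *0a09 *0807" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0020: *0605 *0403 *0201 *f200 *0000 *0002 *f200 *0000" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0030: *0001 *0800 *4500 *0028 *0001 *0000 *4006 *b013" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0040: *c0a8 *000a *0a00 *000a *0400 *0800 *0000 *00c8" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0050: *0000 *0000 *5002 *2000 *b85e *0000" 2>&1 1>/dev/null])

OVS_TRAFFIC_VSWITCHD_STOP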
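AT_SETUP([nsh - forward])
OVS_TRAFFIC_VSWITCHD_START()

ADD_NAMESPACES(at_ns0, at_ns1, at_ns2)

dnl Placeholder addresses only: this test injects and inspects raw frames,
dnl it never relies on IP connectivity between the namespaces.
ADD_VETH(p0, at_ns0, br0, "0.0.0.0")
ADD_VETH(p1, at_ns1, br0, "0.0.0.0")
ADD_VETH(p2, at_ns2, br0, "0.0.0.0")

dnl Push two flows to OVS. #1 will check on SPI=0X100, SI=2 and send the
dnl packet to at_ns1. #2 will check on SPI=0X100, SI=1 and send the
dnl packet to at_ns2.
dnl Neither flow matches on in_port, so the NSH service path fields alone
dnl decide the output port; the frames are forwarded unmodified.
AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,dl_type=0x894f,nsh_spi=0x100,nsh_si=0x02,actions=ovs-p1"])
AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,dl_type=0x894f,nsh_spi=0x100,nsh_si=0x01,actions=ovs-p2"])

dnl Capture on the bridge side of both output ports (-U flushes each packet
dnl to the pcap immediately).
tcpdump -U -i ovs-p1 -w ovs-p1.pcap &
tcpdump -U -i ovs-p2 -w ovs-p2.pcap &

dnl First send packet from at_ns0 --> OVS with SPI=0x100 and SI=2
dnl   nsh base header 02 06 01 03: ver 0, TTL 8, length 6 words, MD type 1,
dnl   next protocol 3; service path 00 01 00 02: SPI 0x100, SI 2
NS_CHECK_EXEC([at_ns0], [$PYTHON $srcdir/sendpkt.py p0 f2 ff 00 00 00 02 f2 ff 00 00 00 01 89 4f 02 06 01 03 00 01 00 02 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 f2 00 00 00 00 02 f2 00 00 00 00 01 08 00 45 00 00 28 00 01 00 00 40 06 b0 13 c0 a8 00 0a 0a 00 00 0a 04 00 08 00 00 00 00 c8 00 00 00 00 50 02 20 00 b8 5e 00 00 > /dev/null])

dnl Check for the above packet on ovs-p1 interface: the frame must arrive
dnl byte-for-byte as sent (no header rewrite in flow #1).
dnl These checks run before the second packet is injected via p1, since
dnl the capture on ovs-p1 would presumably record that frame as well.
dnl grep -E is used instead of egrep: recent GNU grep warns on stderr that
dnl egrep is obsolescent, and the 2>&1 below would turn that warning into
dnl unexpected stdout and fail the check.
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0000: *f2ff *0000 *0002 *f2ff *0000 *0001 *894f *0206" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0010: *0103 *0001 *0002 *0102 *0304 *0506 *0708 *090a" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0020: *0b0c *0d0e *0f10 *f200 *0000 *0002 *f200 *0000" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0030: *0001 *0800 *4500 *0028 *0001 *0000 *4006 *b013" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0040: *c0a8 *000a *0a00 *000a *0400 *0800 *0000 *00c8" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p1.pcap 2>&1 | grep -E "0x0050: *0000 *0000 *5002 *2000 *b85e *0000" 2>&1 1>/dev/null])

dnl Send the second packet from at_ns1 --> OVS with SPI=0x100 and SI=1
dnl   nsh base header 01 c6 01 03: ver 0, TTL 7, length 6 words, MD type 1,
dnl   next protocol 3; service path 00 01 00 01: SPI 0x100, SI 1
NS_CHECK_EXEC([at_ns1], [$PYTHON $srcdir/sendpkt.py p1 f2 ff 00 00 00 02 f2 ff 00 00 00 01 89 4f 01 c6 01 03 00 01 00 01 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 f2 00 00 00 00 02 f2 00 00 00 00 01 08 00 45 00 00 28 00 01 00 00 40 06 b0 13 c0 a8 00 0a 0a 00 00 0a 04 00 08 00 00 00 00 c8 00 00 00 00 50 02 20 00 b8 5e 00 00 > /dev/null])

dnl Check for the above packet on ovs-p2 interface: again byte-for-byte
dnl as sent (base header 01c6 = TTL 7, SI 1 in the service path header).
AT_CHECK([tcpdump -xx -r ovs-p2.pcap 2>&1 | grep -E "0x0000: *f2ff *0000 *0002 *f2ff *0000 *0001 *894f *01c6" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p2.pcap 2>&1 | grep -E "0x0010: *0103 *0001 *0001 *0102 *0304 *0506 *0708 *090a" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p2.pcap 2>&1 | grep -E "0x0020: *0b0c *0d0e *0f10 *f200 *0000 *0002 *f200 *0000" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p2.pcap 2>&1 | grep -E "0x0030: *0001 *0800 *4500 *0028 *0001 *0000 *4006 *b013" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p2.pcap 2>&1 | grep -E "0x0040: *c0a8 *000a *0a00 *000a *0400 *0800 *0000 *00c8" 2>&1 1>/dev/null])
AT_CHECK([tcpdump -xx -r ovs-p2.pcap 2>&1 | grep -E "0x0050: *0000 *0000 *5002 *2000 *b85e *0000" 2>&1 1>/dev/null])

OVS_TRAFFIC_VSWITCHD_STOP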