1 AT_BANNER([datapath-sanity])
3 AT_SETUP([datapath - ping between two ports])
dnl Baseline forwarding check: a single NORMAL flow on br0, two namespaced
dnl veth ports on 10.1.1.0/24, and ICMP echo at the default payload size and
dnl at 1600 and 3200 bytes. The larger sizes are above the usual 1500-byte
dnl Ethernet MTU, so they presumably exercise IP fragmentation and reassembly
dnl across the bridge -- confirm against the MTU that ADD_VETH configures.
dnl Every expected line ends in "time 0ms"; FORMAT_PING is presumably what
dnl normalises the timing field so the comparison is deterministic.
4 OVS_TRAFFIC_VSWITCHD_START()
6 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
8 ADD_NAMESPACES(at_ns0, at_ns1)
10 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
11 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
13 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
14 3 packets transmitted, 3 received, 0% packet loss, time 0ms
16 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
17 3 packets transmitted, 3 received, 0% packet loss, time 0ms
19 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
20 3 packets transmitted, 3 received, 0% packet loss, time 0ms
23 OVS_TRAFFIC_VSWITCHD_STOP
26 AT_SETUP([datapath - http between two ports])
dnl Same NORMAL-flow topology as the ping test, but with a TCP workload:
dnl test-l7.py serves HTTP inside at_ns1 and wget in at_ns0 must fetch from
dnl it. wget is given three tries with a one-second timeout and
dnl --retry-connrefused, presumably so the daemon has time to start
dnl listening; its output goes to wget0.log for post-mortem.
27 OVS_TRAFFIC_VSWITCHD_START()
29 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
31 ADD_NAMESPACES(at_ns0, at_ns1)
33 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
34 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
36 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
37 3 packets transmitted, 3 received, 0% packet loss, time 0ms
40 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
41 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
43 OVS_TRAFFIC_VSWITCHD_STOP
46 AT_SETUP([datapath - ping between two ports on vlan])
dnl Same as the untagged ping test, but each veth additionally gets a VLAN 100
dnl sub-interface on 10.2.2.0/24 and the pings go between those, so the
dnl frames crossing br0 carry a VLAN tag.
47 OVS_TRAFFIC_VSWITCHD_START()
49 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
51 ADD_NAMESPACES(at_ns0, at_ns1)
53 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
54 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
56 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
57 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
59 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
60 3 packets transmitted, 3 received, 0% packet loss, time 0ms
62 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
63 3 packets transmitted, 3 received, 0% packet loss, time 0ms
65 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
66 3 packets transmitted, 3 received, 0% packet loss, time 0ms
69 OVS_TRAFFIC_VSWITCHD_STOP
72 AT_SETUP([datapath - ping between two ports on cvlan])
dnl Stacked VLAN tags: an S-VLAN (4094) sub-interface is created on each
dnl veth, then a C-VLAN (100) sub-interface on top of it, so the pinged
dnl traffic crosses br0 with two tags (QinQ-style stacking, presumed from
dnl the SVLAN/CVLAN macro names -- confirm in the macro definitions).
73 OVS_TRAFFIC_VSWITCHD_START()
75 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
77 ADD_NAMESPACES(at_ns0, at_ns1)
79 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
80 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
82 ADD_SVLAN(p0, at_ns0, 4094, "10.255.2.1/24")
83 ADD_SVLAN(p1, at_ns1, 4094, "10.255.2.2/24")
85 ADD_CVLAN(p0.4094, at_ns0, 100, "10.2.2.1/24")
86 ADD_CVLAN(p1.4094, at_ns1, 100, "10.2.2.2/24")
dnl Let the stacked-tag path settle before the counted pings; the file does
dnl not say why a first echo may initially fail here.
88 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])
90 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
91 3 packets transmitted, 3 received, 0% packet loss, time 0ms
93 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
94 3 packets transmitted, 3 received, 0% packet loss, time 0ms
96 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
97 3 packets transmitted, 3 received, 0% packet loss, time 0ms
100 OVS_TRAFFIC_VSWITCHD_STOP
103 AT_SETUP([datapath - ping6 between two ports])
dnl IPv6 counterpart of the basic ping test: fc00::/96 on the two veths,
dnl NORMAL forwarding, ping6 at the default, 1600- and 3200-byte sizes.
104 OVS_TRAFFIC_VSWITCHD_START()
106 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
108 ADD_NAMESPACES(at_ns0, at_ns1)
110 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
111 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
113 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
114 dnl waiting, we get occasional failures due to the following error:
115 dnl "connect: Cannot assign requested address"
116 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
118 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
119 3 packets transmitted, 3 received, 0% packet loss, time 0ms
121 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
122 3 packets transmitted, 3 received, 0% packet loss, time 0ms
124 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
125 3 packets transmitted, 3 received, 0% packet loss, time 0ms
128 OVS_TRAFFIC_VSWITCHD_STOP
131 AT_SETUP([datapath - ping6 between two ports on vlan])
dnl IPv6 over a VLAN 100 sub-interface on each veth (fc00:1::/96); the
dnl untagged fc00::/96 addresses are configured but not pinged here.
132 OVS_TRAFFIC_VSWITCHD_START()
134 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
136 ADD_NAMESPACES(at_ns0, at_ns1)
138 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
139 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
141 ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
142 ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")
144 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
145 dnl waiting, we get occasional failures due to the following error:
146 dnl "connect: Cannot assign requested address"
147 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00:1::2])
149 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
150 3 packets transmitted, 3 received, 0% packet loss, time 0ms
152 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
153 3 packets transmitted, 3 received, 0% packet loss, time 0ms
155 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
156 3 packets transmitted, 3 received, 0% packet loss, time 0ms
159 OVS_TRAFFIC_VSWITCHD_STOP
162 AT_SETUP([datapath - ping6 between two ports on cvlan])
dnl IPv6 over stacked tags: S-VLAN 4094 (fc00:ffff::/96) on each veth, then
dnl C-VLAN 100 (fc00:1::/96) on top; the pings run on the inner C-VLAN.
163 OVS_TRAFFIC_VSWITCHD_START()
165 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
167 ADD_NAMESPACES(at_ns0, at_ns1)
169 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
170 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
172 ADD_SVLAN(p0, at_ns0, 4094, "fc00:ffff::1/96")
173 ADD_SVLAN(p1, at_ns1, 4094, "fc00:ffff::2/96")
175 ADD_CVLAN(p0.4094, at_ns0, 100, "fc00:1::1/96")
176 ADD_CVLAN(p1.4094, at_ns1, 100, "fc00:1::2/96")
dnl Same settling wait as the other ping6 tests (IPv6 stack and, here, the
dnl stacked-tag sub-interfaces need a moment before the first echo succeeds).
178 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00:1::2])
180 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
181 3 packets transmitted, 3 received, 0% packet loss, time 0ms
183 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
184 3 packets transmitted, 3 received, 0% packet loss, time 0ms
186 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
187 3 packets transmitted, 3 received, 0% packet loss, time 0ms
190 OVS_TRAFFIC_VSWITCHD_STOP
193 AT_SETUP([datapath - ping over bond])
dnl p1 and p2 in at_ns1 are bonded (LACP active, balance-tcp hashing) and
dnl attached to br0 as bond0 with 10.1.1.2; p0 in at_ns0 pings that address
dnl through the bond.
194 OVS_TRAFFIC_VSWITCHD_START()
196 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
198 ADD_NAMESPACES(at_ns0, at_ns1)
200 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
201 ADD_VETH_BOND(p1 p2, at_ns1, br0, bond0, lacp=active bond_mode=balance-tcp, "10.1.1.2/24")
dnl Wait for a first echo to succeed before counting -- presumably LACP has
dnl to negotiate before the bond forwards; confirm.
203 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2])
205 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
206 3 packets transmitted, 3 received, 0% packet loss, time 0ms
208 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
209 3 packets transmitted, 3 received, 0% packet loss, time 0ms
211 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
212 3 packets transmitted, 3 received, 0% packet loss, time 0ms
215 OVS_TRAFFIC_VSWITCHD_STOP
218 AT_SETUP([datapath - ping over vxlan tunnel])
dnl Overlay over VXLAN. br-underlay carries the encapsulated traffic between
dnl the host (172.31.1.100 on br-underlay's own port) and at_ns0 (172.31.1.1
dnl via veth p0). The OVS end of the tunnel is port at_vxlan0 on br0 with
dnl 10.1.1.100; the namespace end is a native Linux vxlan device with
dnl 10.1.1.1. Both bridges forward with NORMAL. The underlay is pinged first
dnl so an overlay failure can be told apart from a broken underlay.
221 OVS_TRAFFIC_VSWITCHD_START()
222 ADD_BR([br-underlay])
224 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
225 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
227 ADD_NAMESPACES(at_ns0)
229 dnl Set up underlay link from host into the namespace using veth pair.
230 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
231 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
232 AT_CHECK([ip link set dev br-underlay up])
234 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
235 dnl linux device inside the namespace.
236 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
237 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
240 dnl First, check the underlay
241 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
242 3 packets transmitted, 3 received, 0% packet loss, time 0ms
245 dnl Okay, now check the overlay with different packet sizes
246 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
247 3 packets transmitted, 3 received, 0% packet loss, time 0ms
249 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
250 3 packets transmitted, 3 received, 0% packet loss, time 0ms
252 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
253 3 packets transmitted, 3 received, 0% packet loss, time 0ms
256 OVS_TRAFFIC_VSWITCHD_STOP
259 AT_SETUP([datapath - ping over gre tunnel])
dnl Same underlay/overlay layout as the VXLAN test, with a GRE tunnel: OVS
dnl port at_gre0 (10.1.1.100) on br0, and a native gretap device ns_gre0
dnl (10.1.1.1) inside at_ns0. Underlay 172.31.1.0/24 is checked first.
262 OVS_TRAFFIC_VSWITCHD_START()
263 ADD_BR([br-underlay])
265 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
266 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
268 ADD_NAMESPACES(at_ns0)
270 dnl Set up underlay link from host into the namespace using veth pair.
271 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
272 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
273 AT_CHECK([ip link set dev br-underlay up])
275 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
276 dnl linux device inside the namespace.
277 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
278 ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])
280 dnl First, check the underlay
281 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
282 3 packets transmitted, 3 received, 0% packet loss, time 0ms
285 dnl Okay, now check the overlay with different packet sizes
286 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
287 3 packets transmitted, 3 received, 0% packet loss, time 0ms
289 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
290 3 packets transmitted, 3 received, 0% packet loss, time 0ms
292 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
293 3 packets transmitted, 3 received, 0% packet loss, time 0ms
296 OVS_TRAFFIC_VSWITCHD_STOP
299 AT_SETUP([datapath - ping over geneve tunnel])
dnl Same underlay/overlay layout again, with Geneve: OVS port at_gnv0
dnl (10.1.1.100) on br0 and a native geneve device ns_gnv0 (10.1.1.1) in
dnl at_ns0. Underlay first, then the overlay at three packet sizes.
302 OVS_TRAFFIC_VSWITCHD_START()
303 ADD_BR([br-underlay])
305 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
306 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
308 ADD_NAMESPACES(at_ns0)
310 dnl Set up underlay link from host into the namespace using veth pair.
311 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
312 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
313 AT_CHECK([ip link set dev br-underlay up])
315 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
316 dnl linux device inside the namespace.
317 ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24])
318 ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
321 dnl First, check the underlay
322 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
323 3 packets transmitted, 3 received, 0% packet loss, time 0ms
326 dnl Okay, now check the overlay with different packet sizes
327 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
328 3 packets transmitted, 3 received, 0% packet loss, time 0ms
330 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
331 3 packets transmitted, 3 received, 0% packet loss, time 0ms
333 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
334 3 packets transmitted, 3 received, 0% packet loss, time 0ms
337 OVS_TRAFFIC_VSWITCHD_STOP
340 AT_SETUP([datapath - basic truncate action])
dnl Exercises output(port=N,max_len=L): the copy sent to port N is cut to at
dnl most L bytes. The check is indirect: ovs-p1 and ovs-p2 are veth peers of
dnl p1 and p2, and both ends are bridge ports, so whatever OVS outputs to
dnl ofport 2 or 4 immediately comes back in on ofport 3 or 5, where a drop
dnl flow accumulates n_bytes. Counters are read after revalidator/purge,
dnl presumably so datapath flow stats are folded into the OpenFlow counters
dnl first -- confirm.
341 OVS_TRAFFIC_VSWITCHD_START()
342 AT_CHECK([ovs-ofctl del-flows br0])
344 dnl Create p0 and ovs-p0(1)
345 ADD_NAMESPACES(at_ns0)
346 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
347 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
dnl Static ARP entry so the UDP sender never has to resolve 10.1.1.2 (there
dnl is no host behind it); the frames carry dl_dst e6:66:c1:22:22:22.
348 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
350 dnl Create p1(3) and ovs-p1(2), packets received from ovs-p1 will appear in p1
351 AT_CHECK([ip link add p1 type veth peer name ovs-p1])
352 on_exit 'ip link del ovs-p1'
353 AT_CHECK([ip link set dev ovs-p1 up])
354 AT_CHECK([ip link set dev p1 up])
355 AT_CHECK([ovs-vsctl add-port br0 ovs-p1 -- set interface ovs-p1 ofport_request=2])
356 dnl Use p1 to check the truncated packet
357 AT_CHECK([ovs-vsctl add-port br0 p1 -- set interface p1 ofport_request=3])
359 dnl Create p2(5) and ovs-p2(4)
360 AT_CHECK([ip link add p2 type veth peer name ovs-p2])
361 on_exit 'ip link del ovs-p2'
362 AT_CHECK([ip link set dev ovs-p2 up])
363 AT_CHECK([ip link set dev p2 up])
364 AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=4])
365 dnl Use p2 to check the truncated packet
366 AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=5])
369 AT_CHECK([ovs-ofctl del-flows br0])
dnl First pass: one truncated copy to ofport 2 and one full copy to ofport 4.
dnl A 200-byte UDP payload from 10.1.1.1 to 10.1.1.2 is a 242-byte frame
dnl (14 Ethernet + 20 IP + 8 UDP + 200), so by the arithmetic in the
dnl comments further down ofport 3 should count 100 bytes and ofport 5 the
dnl full 242.
370 AT_DATA([flows.txt], [dnl
371 in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
372 in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
373 in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4
375 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
377 dnl use this file as payload file for ncat
dnl The payload content does not matter, only its 200-byte length; it is
dnl removed at exit.
378 AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
379 on_exit 'rm -f payload200.bin'
380 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
382 dnl packet with truncated size
383 AT_CHECK([ovs-appctl revalidator/purge], [0])
384 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
387 dnl packet with original size
388 AT_CHECK([ovs-appctl revalidator/purge], [0])
389 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
393 dnl more complicated output actions
dnl Second pass: several outputs to the same ports with different max_len
dnl values, including one that exceeds the frame (65535), to check that each
dnl output is truncated independently and that an oversized max_len is a
dnl no-op. Expected totals are worked out in the comments below.
394 AT_CHECK([ovs-ofctl del-flows br0])
395 AT_DATA([flows.txt], [dnl
396 in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
397 in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
398 in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4,output(port=2,max_len=100),output(port=4,max_len=100),output:2,output(port=4,max_len=200),output(port=2,max_len=65535)
400 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
402 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
404 dnl 100 + 100 + 242 + min(65535,242) = 684
405 AT_CHECK([ovs-appctl revalidator/purge], [0])
406 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
409 dnl 242 + 100 + min(242,200) = 542
410 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
414 dnl SLOW_ACTION: disable kernel datapath truncate support
415 dnl Repeat the test above, but exercise the SLOW_ACTION code path
dnl (flows carrying truncate are then handled by the userspace slow path,
dnl as the ofproto/trace output below states). The expected reply of the
dnl appctl command is the daemon's literal output, spelling included; keep
dnl it byte-for-byte in sync with the daemon rather than "fixing" it here.
416 AT_CHECK([ovs-appctl dpif/disable-truncate], [0],
417 [Datapath truncate action diabled
420 dnl SLOW_ACTION test1: check datapath actions
421 AT_CHECK([ovs-ofctl del-flows br0])
422 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl The trace must still list every trunc() in the datapath actions while
dnl reporting that the flow is slow-pathed for using an unsupported action.
424 AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=1,dl_type=0x800,dl_src=e6:66:c1:11:11:11,dl_dst=e6:66:c1:22:22:22,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,tp_src=8,tp_dst=9"], [0], [stdout])
425 AT_CHECK([tail -3 stdout], [0],
426 [Datapath actions: trunc(100),3,5,trunc(100),3,trunc(100),5,3,trunc(200),5,trunc(65535),3
427 This flow is handled by the userspace slow path because it:
428 - Uses action(s) not supported by datapath.
431 dnl SLOW_ACTION test2: check actual packet truncate (same byte totals as above)
432 AT_CHECK([ovs-ofctl del-flows br0])
433 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
434 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
436 dnl 100 + 100 + 242 + min(65535,242) = 684
437 AT_CHECK([ovs-appctl revalidator/purge], [0])
438 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
442 dnl 242 + 100 + min(242,200) = 542
443 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
447 OVS_TRAFFIC_VSWITCHD_STOP
450 dnl Create 2 bridges and 2 namespaces to test truncate over
452 dnl br0: overlay bridge
453 dnl ns1: connect to br0, with IP:10.1.1.2
454 dnl br-underlay: with IP: 172.31.1.100
455 dnl ns0: connect to br-underlay, with IP: 10.1.1.1
456 AT_SETUP([datapath - truncate and output to gre tunnel])
dnl Two directions are checked.
dnl  - Tunnel push (at_ns1 -> at_ns0): br0 receives the 242-byte UDP frame on
dnl    ofport 2 and outputs it to the GRE port with max_len=100, so the
dnl    encapsulated packet seen on br-underlay should be
dnl    14 (Ethernet) + 20 (IP) + 4 (GRE) + 100 = 138 bytes.
dnl  - Tunnel pop (at_ns0 -> at_ns1): decapsulated packets arrive on ofport 1
dnl    and are copied, truncated to 100 bytes, to ofport 2 and to the
dnl    p2/ovs-p2 loopback; the loopback copy re-enters on ofport 4, where a
dnl    drop flow counts exactly 100 bytes.
dnl (ns0's 10.1.1.1 above is its address on the tunnel device; on the
dnl underlay it is 172.31.1.1.)
458 OVS_TRAFFIC_VSWITCHD_START()
460 ADD_BR([br-underlay])
461 ADD_NAMESPACES(at_ns0)
462 ADD_NAMESPACES(at_ns1)
463 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
464 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
466 dnl Set up underlay link from host into the namespace using veth pair.
467 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
468 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
469 AT_CHECK([ip link set dev br-underlay up])
471 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
472 dnl linux device inside the namespace.
473 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
474 ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
475 [], [address e6:66:c1:11:11:11])
dnl Pin the tunnel port to ofport 1 so the flow tables below can refer to it.
476 AT_CHECK([ovs-vsctl -- set interface at_gre0 ofport_request=1])
dnl Static ARP entries on both sides: the MAC addresses are fixed above so
dnl no ARP traffic is needed (the br0 flows below drop everything but UDP).
477 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
479 dnl Set up (p1 and ovs-p1) at br0
480 ADD_VETH(p1, at_ns1, br0, '10.1.1.2/24')
481 AT_CHECK([ovs-vsctl -- set interface ovs-p1 ofport_request=2])
482 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
483 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
485 dnl Set up (p2 and ovs-p2) as loopback for verifying packet size
486 AT_CHECK([ip link add p2 type veth peer name ovs-p2])
487 on_exit 'ip link del ovs-p2'
488 AT_CHECK([ip link set dev ovs-p2 up])
489 AT_CHECK([ip link set dev p2 up])
490 AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=3])
491 AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=4])
493 dnl use this file as payload file for ncat
494 AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
495 on_exit 'rm -f payload200.bin'
497 AT_CHECK([ovs-ofctl del-flows br0])
dnl br0: ofport 1 is the tunnel, 2 the at_ns1 veth, 3/4 the loopback pair.
dnl Only UDP from ofport 2 is pushed into the tunnel; the ip drop rule on
dnl ofport 4 exists to count the looped-back truncated copy.
498 AT_DATA([flows.txt], [dnl
499 priority=99,in_port=1,actions=output(port=2,max_len=100),output(port=3,max_len=100)
500 priority=99,in_port=2,udp,actions=output(port=1,max_len=100)
501 priority=1,in_port=4,ip,actions=drop
502 priority=1,actions=drop
504 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
506 AT_CHECK([ovs-ofctl del-flows br-underlay])
dnl br-underlay only passes GRE (nw_proto=47) between its local port and
dnl ofport 1; the LOCAL-side rule is what gets counted for the push path.
dnl Note the ip_dst mask is /24, i.e. the whole underlay subnet, not just
dnl 172.31.1.1 -- harmless here, but wider than the comment above implies.
507 AT_DATA([flows-underlay.txt], [dnl
508 priority=99,dl_type=0x0800,nw_proto=47,in_port=1,actions=LOCAL
509 priority=99,dl_type=0x0800,nw_proto=47,in_port=LOCAL,ip_dst=172.31.1.1/24,actions=1
510 priority=1,actions=drop
513 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
515 dnl check tunnel push path, from at_ns1 to at_ns0
516 NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
517 AT_CHECK([ovs-appctl revalidator/purge], [0])
519 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
520 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
523 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
524 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
528 dnl check tunnel pop path, from at_ns0 to at_ns1
529 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
530 dnl After truncation = 100 byte at loopback device p2(4)
531 AT_CHECK([ovs-appctl revalidator/purge], [0])
532 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | ofctl_strip], [0], [dnl
533 n_packets=1, n_bytes=100, priority=1,ip,in_port=4 actions=drop
536 dnl SLOW_ACTION: disable datapath truncate support
537 dnl Repeat the test above, but exercise the SLOW_ACTION code path
dnl The expected reply is the daemon's literal output, spelling included;
dnl keep it in sync with the daemon rather than correcting it here.
538 AT_CHECK([ovs-appctl dpif/disable-truncate], [0],
539 [Datapath truncate action diabled
542 dnl SLOW_ACTION test1: check datapath actions
dnl NOTE(review): unlike the basic truncate test, no ofproto/trace check
dnl follows the flow reload here; the flows are simply installed twice.
dnl Confirm whether the trace step was dropped on purpose.
543 AT_CHECK([ovs-ofctl del-flows br0])
544 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
546 dnl SLOW_ACTION test2: check actual packet truncate
547 AT_CHECK([ovs-ofctl del-flows br0])
548 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
549 AT_CHECK([ovs-ofctl del-flows br-underlay])
550 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
552 dnl check tunnel push path, from at_ns1 to at_ns0
553 NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
554 AT_CHECK([ovs-appctl revalidator/purge], [0])
556 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
557 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
560 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
561 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
565 dnl check tunnel pop path, from at_ns0 to at_ns1
566 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
567 dnl After truncation = 100 byte at loopback device p2(4)
568 AT_CHECK([ovs-appctl revalidator/purge], [0])
569 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | ofctl_strip], [0], [dnl
570 n_packets=1, n_bytes=100, priority=1,ip,in_port=4 actions=drop
573 OVS_TRAFFIC_VSWITCHD_STOP
576 AT_SETUP([conntrack - controller])
dnl Stateful policy observed through the controller path. UDP entering on
dnl ofport 1 is committed to conntrack and sent to the controller; UDP from
dnl ofport 2 is first run through ct(table=0) and reaches the controller only
dnl when it is +trk+est, i.e. a reply to a committed connection. Anything
dnl else falls to the priority-1 drop. ovs-ofctl monitor records the
dnl packet-ins, and the log must show exactly the two legitimate packets.
578 OVS_TRAFFIC_VSWITCHD_START()
580 ADD_NAMESPACES(at_ns0, at_ns1)
582 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
583 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
585 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl (In this IPv4 variant the "nd" exception is the ARP rule.)
586 AT_DATA([flows.txt], [dnl
587 priority=1,action=drop
588 priority=10,arp,action=normal
589 priority=100,in_port=1,udp,action=ct(commit),controller
590 priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
591 priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
594 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
596 AT_CAPTURE_FILE([ofctl_monitor.log])
597 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
dnl The packet-out payloads below are hand-built 42-byte UDP frames between
dnl 10.1.1.1 and 10.1.1.2 (see the decoded packet-ins in the expected log);
dnl the packet-out actions mirror the flow table rather than going through it.
599 dnl Send an unsolicited reply from port 2. This should be dropped.
600 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000'])
602 dnl OK, now start a new connection from port 1.
603 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000'])
605 dnl Now try a reply from port 2.
606 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000'])
608 dnl Check this output. We only see the latter two packets, not the first.
dnl The second packet-in must carry ct_state=est|rpl|trk: that is what
dnl proves the reply was matched against the committed entry.
609 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
610 NXT_PACKET_IN2 (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
611 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
612 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
613 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
616 OVS_TRAFFIC_VSWITCHD_STOP
619 AT_SETUP([conntrack - IPv4 HTTP])
dnl One-way stateful allow: TCP from ofport 1 is committed and forwarded to
dnl ofport 2; TCP from ofport 2 is tracked and forwarded to 1 only when it is
dnl +trk+est. ARP and ICMP use NORMAL so addresses resolve. The positive
dnl case (ns0 -> ns1 fetch) and the negative case (ns1 -> ns0 fetch must
dnl fail) are both asserted; the negative one is what validates the policy.
621 OVS_TRAFFIC_VSWITCHD_START()
623 ADD_NAMESPACES(at_ns0, at_ns1)
625 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
626 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
628 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl (In this IPv4 variant the "nd" exception is the ARP rule.)
629 AT_DATA([flows.txt], [dnl
630 priority=1,action=drop
631 priority=10,arp,action=normal
632 priority=10,icmp,action=normal
633 priority=100,in_port=1,tcp,action=ct(commit),2
634 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
635 priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
638 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
640 dnl HTTP requests from ns0->ns1 should work fine.
641 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
642 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl FORMAT_CT is expected to blank out ports and protocol state so only the
dnl tuple direction is compared.
644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
645 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
648 dnl HTTP requests from ns1->ns0 should fail due to network failure.
649 dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 is its "network failure" code; that is the assertion
dnl that the unsolicited inbound TCP was dropped.
650 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
651 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])
653 OVS_TRAFFIC_VSWITCHD_STOP
656 AT_SETUP([conntrack - IPv6 HTTP])
dnl IPv6 counterpart of the IPv4 HTTP test: tcp6 from ofport 1 is committed
dnl and forwarded, tcp6 from ofport 2 only when +trk+est. icmp6 is allowed
dnl with NORMAL so neighbour discovery (and the warm-up ping6) works.
658 OVS_TRAFFIC_VSWITCHD_START()
660 ADD_NAMESPACES(at_ns0, at_ns1)
662 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
663 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
665 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
666 AT_DATA([flows.txt], [dnl
667 priority=1,action=drop
668 priority=10,icmp6,action=normal
669 priority=100,in_port=1,tcp6,action=ct(commit),2
670 priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
671 priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
674 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
676 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
677 dnl waiting, we get occasional failures due to the following error:
678 dnl "connect: Cannot assign requested address"
679 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
681 dnl HTTP requests from ns0->ns1 should work fine.
dnl The double brackets around the address are m4 quoting; the shell sees
dnl http://[fc00::2].
682 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
684 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
686 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
687 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
690 dnl HTTP requests from ns1->ns0 should fail due to network failure.
691 dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 ("network failure") is the assertion that unsolicited
dnl inbound TCP was dropped.
692 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
693 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
695 OVS_TRAFFIC_VSWITCHD_STOP
698 AT_SETUP([conntrack - IPv4 ping])
dnl Same one-way stateful policy as the HTTP tests, applied to ICMP: echo
dnl from ofport 1 is committed and forwarded, ICMP from ofport 2 only passes
dnl once tracked as established. ARP uses NORMAL.
700 OVS_TRAFFIC_VSWITCHD_START()
702 ADD_NAMESPACES(at_ns0, at_ns1)
704 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
705 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
707 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl (In this IPv4 variant the "nd" exception is the ARP rule.)
708 AT_DATA([flows.txt], [dnl
709 priority=1,action=drop
710 priority=10,arp,action=normal
711 priority=100,in_port=1,icmp,action=ct(commit),2
712 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
713 priority=100,in_port=2,icmp,ct_state=+trk+est,action=1
716 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
718 dnl Pings from ns0->ns1 should work fine.
719 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
720 3 packets transmitted, 3 received, 0% packet loss, time 0ms
723 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
724 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0)
727 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
dnl The flush above discards the entry created by the forward pings, so the
dnl reverse pings below cannot be matched as established replies to it.
729 dnl Pings from ns1->ns0 should fail.
dnl The [0] exit status is that of FORMAT_PING at the end of the pipeline,
dnl not of ping (assuming the shell does not set pipefail); the real
dnl assertion is the "100% packet loss" text. With -w 2 and -i 0.3 ping keeps
dnl sending until the deadline, hence 7 transmitted rather than 3.
730 NS_CHECK_EXEC([at_ns1], [ping -q -c 3 -i 0.3 -w 2 10.1.1.1 | FORMAT_PING], [0], [dnl
731 7 packets transmitted, 0 received, 100% packet loss, time 0ms
734 OVS_TRAFFIC_VSWITCHD_STOP
737 AT_SETUP([conntrack - IPv6 ping])
dnl ICMPv6 echo request/reply are diverted to table 1 for the stateful check
dnl while all other traffic (neighbour discovery included) stays on NORMAL in
dnl table 0, so addresses still resolve even though table 1 drops by default.
739 OVS_TRAFFIC_VSWITCHD_START()
741 ADD_NAMESPACES(at_ns0, at_ns1)
743 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
744 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
746 AT_DATA([flows.txt], [dnl
748 dnl ICMPv6 echo request and reply go to table 1. The rest of the traffic goes
749 dnl through normal action.
750 table=0,priority=10,icmp6,icmp_type=128,action=goto_table:1
751 table=0,priority=10,icmp6,icmp_type=129,action=goto_table:1
752 table=0,priority=1,action=normal
754 dnl Allow everything from ns0->ns1. Only allow return traffic from ns1->ns0.
755 table=1,priority=100,in_port=1,icmp6,action=ct(commit),2
756 table=1,priority=100,in_port=2,icmp6,ct_state=-trk,action=ct(table=0)
757 table=1,priority=100,in_port=2,icmp6,ct_state=+trk+est,action=1
758 table=1,priority=1,action=drop
761 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
763 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
765 dnl The above ping creates state in the connection tracker. We're not
766 dnl interested in that state.
767 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
769 dnl Pings from ns1->ns0 should fail.
dnl Negative case first, on a clean conntrack table: with no committed entry
dnl the reverse echoes are never established and table 1 drops them. As in
dnl the IPv4 test, [0] is FORMAT_PING's status; the loss text is the check.
770 NS_CHECK_EXEC([at_ns1], [ping6 -q -c 3 -i 0.3 -w 2 fc00::1 | FORMAT_PING], [0], [dnl
771 7 packets transmitted, 0 received, 100% packet loss, time 0ms
774 dnl Pings from ns0->ns1 should work fine.
775 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
776 3 packets transmitted, 3 received, 0% packet loss, time 0ms
779 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
780 icmpv6,orig=(src=fc00::1,dst=fc00::2,id=<cleared>,type=128,code=0),reply=(src=fc00::2,dst=fc00::1,id=<cleared>,type=129,code=0)
783 OVS_TRAFFIC_VSWITCHD_STOP
786 AT_SETUP([conntrack - commit, recirc])
dnl Two independent allowed paths through ct() recirculation.
dnl  - p0 <-> p1: commit on the first (untracked) pass through table 0, then
dnl    forward once the recirculated packet is +trk.
dnl  - p2 <-> p3: the p2 side goes through ct() twice, first tracking with
dnl    metadata=0 and then committing with metadata=1, so the metadata
dnl    value must survive each ct(table=0) recirculation for the
dnl    +trk,metadata=1 rule to finally output to ofport 4.
dnl Both HTTP fetches succeeding is the assertion.
788 OVS_TRAFFIC_VSWITCHD_START()
790 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
792 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
793 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
794 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
795 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
797 dnl Allow any traffic from ns0->ns1, ns2->ns3.
798 AT_DATA([flows.txt], [dnl
799 priority=1,action=drop
800 priority=10,arp,action=normal
801 priority=10,icmp,action=normal
802 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
803 priority=100,in_port=1,tcp,ct_state=+trk,action=2
804 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
805 priority=100,in_port=2,tcp,ct_state=+trk,action=1
806 priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
807 priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
808 priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
809 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
810 priority=100,in_port=4,tcp,ct_state=+trk,action=3
813 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
815 dnl HTTP requests from p0->p1 should work fine.
816 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
817 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
819 dnl HTTP requests from p2->p3 should work fine.
820 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
821 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
823 OVS_TRAFFIC_VSWITCHD_STOP
826 AT_SETUP([conntrack - preserve registers])
dnl Identical to the "commit, recirc" test except that the value carried
dnl across the two ct() recirculations on the p2 side is NXM_NX_REG0 rather
dnl than metadata: reg0 is loaded with 0 before the first ct(table=0), with
dnl 1 before the commit, and the +trk,reg0=1 rule must then see it intact.
dnl (The [[]] after NXM_NX_REG0 is m4 quoting for a literal [].)
828 OVS_TRAFFIC_VSWITCHD_START()
830 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
832 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
833 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
834 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
835 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
837 dnl Allow any traffic from ns0->ns1, ns2->ns3.
838 AT_DATA([flows.txt], [dnl
839 priority=1,action=drop
840 priority=10,arp,action=normal
841 priority=10,icmp,action=normal
842 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
843 priority=100,in_port=1,tcp,ct_state=+trk,action=2
844 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
845 priority=100,in_port=2,tcp,ct_state=+trk,action=1
846 priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
847 priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
848 priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
849 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
850 priority=100,in_port=4,tcp,ct_state=+trk,action=3
853 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
855 dnl HTTP requests from p0->p1 should work fine.
856 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
857 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
859 dnl HTTP requests from p2->p3 should work fine.
860 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
861 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
863 OVS_TRAFFIC_VSWITCHD_STOP
866 AT_SETUP([conntrack - invalid])
dnl Shows what happens when a connection is tracked but never committed.
dnl Requests are sent through ct() without commit, so the reply direction
dnl has no conntrack entry to match against. Pair p0->p1 only accepts +new
dnl replies and therefore fails; pair p2->p3 additionally accepts +inv and
dnl succeeds.
868 OVS_TRAFFIC_VSWITCHD_START()
870 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
872 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
873 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
874 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
875 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
877 dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
878 dnl the opposite direction. This should fail.
879 dnl Pass traffic from ns2->ns3 without committing, and this time match
880 dnl invalid traffic and allow it through.
881 AT_DATA([flows.txt], [dnl
882 priority=1,action=drop
883 priority=10,arp,action=normal
884 priority=10,icmp,action=normal
dnl ct() with no commit: the request is looked up but never recorded.
885 priority=100,in_port=1,tcp,action=ct(),2
886 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
887 priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
888 priority=100,in_port=3,tcp,action=ct(),4
889 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl +inv matches packets that conntrack could not associate with any known
dnl connection. Accepting them forfeits the stateful check on this port,
dnl which is exactly what this half of the test relies on.
890 priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
891 priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
894 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
896 dnl We set up our rules to allow the request without committing. The return
897 dnl traffic can't be identified, because the initial request wasn't committed.
898 dnl For the first pair of ports, this means that the connection fails.
899 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
dnl Expected wget exit status 4 (network failure): the reply never reaches p0.
900 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
902 dnl For the second pair, we allow packets from invalid connections, so it works.
903 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
904 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
906 OVS_TRAFFIC_VSWITCHD_STOP
909 AT_SETUP([conntrack - zones])
dnl Conntrack zones isolate connection state. Pair p0->p1 is committed and
dnl looked up in zone 1 and its replies are matched on ct_zone=1, so it
dnl works. Pair p2->p3 is committed and looked up in zone 2 but its reply
dnl rule requires ct_zone=1, which can never match, so its replies are
dnl dropped even though a zone=2 entry exists.
911 OVS_TRAFFIC_VSWITCHD_START()
913 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
915 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
916 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
917 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
918 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
920 dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
921 dnl For ns2->ns3, use a different zone and see that the match fails.
922 AT_DATA([flows.txt], [dnl
923 priority=1,action=drop
924 priority=10,arp,action=normal
925 priority=10,icmp,action=normal
926 priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
927 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
928 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
929 priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
930 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
dnl Deliberate mismatch: the lookup above sets ct_zone=2, so ct_zone=1 never matches.
931 priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
934 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
936 dnl HTTP requests from p0->p1 should work fine.
937 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
938 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The committed entry carries the zone it was created in.
940 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
941 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
944 dnl HTTP requests from p2->p3 should fail due to network failure.
945 dnl Try 3 times, with a 1 second timeout each (wget exit status 4).
dnl No --retry-connrefused here: the expected failure is a timeout, not a
dnl refused connection, presumably so the run stays bounded.
946 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
947 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl A zone=2 entry exists even though the request failed: the forward SYN was
dnl committed before its reply was dropped.
949 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
950 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
953 OVS_TRAFFIC_VSWITCHD_STOP
956 AT_SETUP([conntrack - zones from field])
dnl Same scenario as "conntrack - zones", but the zone is taken from a
dnl register (NXM_NX_REG0, low 16 bits) instead of a literal. Zone 0x1001
dnl (4097) is used for p0->p1 and 0x1002 (4098) for p2->p3; the p2->p3
dnl reply rule still requires ct_zone=0x1001, so that pair fails.
958 OVS_TRAFFIC_VSWITCHD_START()
960 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
962 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
963 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
964 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
965 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
967 dnl Commit ns0->ns1 in the zone held in reg0 and match its replies on that
dnl zone. Commit ns2->ns3 in a different register-supplied zone, but keep the
dnl reply rule on ct_zone=0x1001 so that it cannot match.
968 AT_DATA([flows.txt], [dnl
969 priority=1,action=drop
970 priority=10,arp,action=normal
971 priority=10,icmp,action=normal
972 priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
973 priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
974 priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
975 priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
976 priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
dnl Deliberate mismatch: the lookup above ran in zone 0x1002.
977 priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
980 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
982 dnl HTTP requests from p0->p1 should work fine.
983 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
984 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl dump-conntrack prints the zone in decimal: 0x1001 == 4097.
986 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
987 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=4097,protoinfo=(state=<cleared>)
990 dnl HTTP requests from p2->p3 should fail due to network failure.
991 dnl Try 3 times, with a 1 second timeout each (wget exit status 4).
992 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
993 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl 0x1002 == 4098; the entry exists because the forward SYN was committed.
995 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
996 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=4098,protoinfo=(state=<cleared>)
999 OVS_TRAFFIC_VSWITCHD_STOP
1002 AT_SETUP([conntrack - multiple bridges])
dnl Two bridges joined by a patch port pair; p0 sits on br0 and p1 on br1.
dnl Each bridge runs its own conntrack policy in its own zone (br0: zone 1,
dnl br1: zone 2), so a connection crossing both bridges is committed twice.
dnl NOTE(review): the flows assume the patch port is port 1 and the veth is
dnl port 2 on each bridge, presumably because the patch ports are created in
dnl OVS_TRAFFIC_VSWITCHD_START before ADD_VETH runs.
1004 OVS_TRAFFIC_VSWITCHD_START(
1006 add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
1007 add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
1009 ADD_NAMESPACES(at_ns0, at_ns1)
1011 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1012 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
1014 dnl Allow any traffic from ns0->br1, allow established in reverse.
1015 AT_DATA([flows-br0.txt], [dnl
1016 priority=1,action=drop
1017 priority=10,arp,action=normal
1018 priority=10,icmp,action=normal
1019 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
1020 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
1021 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
1024 dnl Allow any traffic from br0->ns1, allow established in reverse.
dnl On br1 the commit happens only for +new traffic arriving from the patch
dnl port; established traffic in either direction is re-committed in zone 2.
1025 AT_DATA([flows-br1.txt], [dnl
1026 priority=1,action=drop
1027 priority=10,arp,action=normal
1028 priority=10,icmp,action=normal
1029 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
1030 priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
1031 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
1032 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
1033 priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
1036 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
1037 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])
1039 dnl HTTP requests from p0->p1 should work fine.
1040 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1041 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1043 OVS_TRAFFIC_VSWITCHD_STOP
1046 AT_SETUP([conntrack - multiple zones])
dnl A single connection is committed into two zones (1 and 2) on the forward
dnl path; replies are looked up and matched in zone 2 only. The final
dnl dump-conntrack check expects one entry per zone.
1048 OVS_TRAFFIC_VSWITCHD_START()
1050 ADD_NAMESPACES(at_ns0, at_ns1)
1052 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1053 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1055 dnl Allow any TCP from ns0->ns1, committing it in both zone 1 and zone 2.
dnl From ns1->ns0 only allow tracked traffic found in zone 2.
1056 AT_DATA([flows.txt], [dnl
1057 priority=1,action=drop
1058 priority=10,arp,action=normal
1059 priority=10,icmp,action=normal
dnl Two ct() actions in sequence: each commits into its own zone.
1060 priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
1061 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
1062 priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
1065 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1067 dnl HTTP requests from p0->p1 should work fine.
1068 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1069 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1071 dnl (again) HTTP requests from p0->p1 should work fine.
dnl A second request exercises the path once entries already exist.
1072 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Expect the same 5-tuple recorded once per zone.
1074 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1075 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1076 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1079 OVS_TRAFFIC_VSWITCHD_STOP
1082 AT_SETUP([conntrack - multiple zones, local])
dnl Like "multiple zones", but the client is the host's own IP stack
dnl reaching the bridge through the LOCAL port (br0 carries 10.1.1.1/24).
dnl Untracked IP from LOCAL is dropped, so the test depends on packets from
dnl the local stack already carrying conntrack state when they reach the
dnl bridge; CHECK_CONNTRACK_LOCAL_STACK presumably skips the test where the
dnl datapath cannot provide that.
1084 CHECK_CONNTRACK_LOCAL_STACK()
1085 OVS_TRAFFIC_VSWITCHD_START()
1087 ADD_NAMESPACES(at_ns0)
1089 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
1090 AT_CHECK([ip link set dev br0 up])
dnl Undo the host-side address change even if the test fails part way.
1091 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
1092 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
1094 dnl Allow traffic from local stack to ns0, committing it in zones 1 and 2.
1095 dnl Only allow ARP and return traffic that is established in both zones
dnl from ns0 back to the local stack.
1096 AT_DATA([flows.txt], [dnl
1097 priority=1,action=drop
1098 priority=10,arp,action=normal
dnl Untracked IP from LOCAL is dropped; the rules below only see +trk packets.
1099 priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
1100 priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
1101 priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
dnl Return path: must be established in zone 1 (table 1) and zone 2 (table 2).
1102 priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
1103 table=1,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
1104 table=2,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
1107 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl ICMP is covered by the ip rules here, so ping from the host is tracked too.
1109 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1110 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1113 dnl HTTP requests from root namespace to p0 should work fine.
1114 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1115 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1117 dnl (again) HTTP requests from root namespace to p0 should work fine.
1118 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Both the ping and the TCP connection should appear once per zone.
1120 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
1121 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
1122 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=2
1123 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1124 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1127 OVS_TRAFFIC_VSWITCHD_STOP
1130 AT_SETUP([conntrack - multiple namespaces, internal ports])
dnl Uses OVS internal ports (ADD_INT) moved into the namespaces instead of
dnl veth pairs. The policy is a plain zone-1 commit for ns0->ns1 with
dnl replies matched on ct_zone=1; the interesting part is that the ct_state
dnl seen by the bridge must come only from the bridge's own ct() actions,
dnl not from any conntrack state attached inside the sending namespace.
1132 CHECK_CONNTRACK_LOCAL_STACK()
1133 OVS_TRAFFIC_VSWITCHD_START(
dnl Secure fail mode: nothing is forwarded unless a flow says so.
1134 [set-fail-mode br0 secure -- ])
1136 ADD_NAMESPACES(at_ns0, at_ns1)
1138 ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
1139 ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")
1141 dnl Allow any TCP from ns0->ns1, committed in zone 1. From ns1->ns0 allow
dnl ARP, ICMP and tracked TCP found in zone 1.
1143 dnl If skb->nfct is leaking from inside the namespace, this test will fail.
dnl NOTE(review): i.e. if a packet arrived at the bridge already marked as
dnl tracked by the namespace's stack, the ct_state=-trk rule below would be
dnl bypassed; the exact kernel behaviour being guarded is not visible here.
1144 AT_DATA([flows.txt], [dnl
1145 priority=1,action=drop
1146 priority=10,arp,action=normal
1147 priority=10,icmp,action=normal
1148 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
1149 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
1150 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
dnl Style: other tests in this section use --bundle for add-flows.
1153 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1155 dnl HTTP requests from p0->p1 should work fine.
1156 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1157 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1159 dnl (again) HTTP requests from p0->p1 should work fine.
1160 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1162 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1163 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
dnl Filter expected log noise when the internal ports disappear with their
dnl namespaces before the switch is stopped.
1166 OVS_TRAFFIC_VSWITCHD_STOP(["dnl
1167 /ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
1168 /removing policing failed: No such device/d"])
1171 AT_SETUP([conntrack - multi-stage pipeline, local])
dnl A five-table pipeline between the host stack (LOCAL) and ns0:
dnl   table 0: pick the output port into reg0
dnl   table 1: ingress conntrack, zone = input port
dnl   table 2: egress conntrack, zone = output port
dnl   table 3: egress verdict for established traffic
dnl   table 4: output to the port held in reg0
dnl Each connection therefore ends up in two zones: 1 (the veth port) and
dnl 65534, the OpenFlow number of the LOCAL port.
1173 CHECK_CONNTRACK_LOCAL_STACK()
1174 OVS_TRAFFIC_VSWITCHD_START()
1176 ADD_NAMESPACES(at_ns0)
1178 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
1179 AT_CHECK([ip link set dev br0 up])
dnl Undo the host-side address change even if the test fails part way.
1180 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
1181 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
1183 dnl Allow traffic from local stack to ns0. Only allow ARP and established
1184 dnl return traffic from ns0 back to the local stack.
1185 AT_DATA([flows.txt], [dnl
1187 table=0,priority=1,action=drop
1188 table=0,priority=10,arp,action=normal
1190 dnl Load the output port to REG0
dnl (65534 is the numeric value of the LOCAL port.)
1191 table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
1192 table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
1194 dnl Ingress pipeline
1195 dnl - Allow all connections from LOCAL port (commit and proceed to egress)
1196 dnl - All other connections go through conntracker using the input port as
1197 dnl a connection tracking zone.
dnl Untracked packets from LOCAL do not match the +trk+new rule and fall to
dnl the priority 100 lookup, after which table 2 requires +est.
1198 table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
1199 table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
1200 table=1,priority=1,action=drop
dnl Egress pipeline
1203 dnl - Allow all connections from LOCAL port (commit and skip to output)
1204 dnl - Allow other established connections to go through conntracker using
1205 dnl output port as a connection tracking zone.
1206 table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
1207 table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
1208 table=2,priority=1,action=drop
1210 dnl Only allow established traffic from egress ct lookup
1211 table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
1212 table=3,priority=1,action=drop
dnl Output stage: the port chosen in table 0.
1215 table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
1218 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1220 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1221 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1224 dnl HTTP requests from root namespace to p0 should work fine.
1225 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1226 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1228 dnl (again) HTTP requests from root namespace to p0 should work fine.
1229 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Each connection is recorded in the ingress zone (1) and egress zone (65534).
1231 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
1232 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
1233 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=65534
1234 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1235 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=<cleared>)
1238 OVS_TRAFFIC_VSWITCHD_STOP
1241 AT_SETUP([conntrack - ct_mark])
dnl ct_mark is written at commit time and matched on the reply path. Pair
dnl p0->p1 commits mark 1 and accepts replies with ct_mark=1, so it works.
dnl Pair p2->p3 commits mark 2 but its reply rule also requires ct_mark=1,
dnl so its replies are dropped.
1243 OVS_TRAFFIC_VSWITCHD_START()
1245 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1247 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1248 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1249 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1250 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1252 dnl Allow traffic between ns0<->ns1 using the ct_mark.
1253 dnl Check that different marks do not match for traffic between ns2<->ns3.
1254 AT_DATA([flows.txt], [dnl
1255 priority=1,action=drop
1256 priority=10,arp,action=normal
1257 priority=10,icmp,action=normal
dnl exec() applies the set_field to the connection entry being committed.
1258 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
1259 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1260 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
1261 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
1262 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Deliberate mismatch: this connection carries mark 2.
1263 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
1266 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1268 dnl HTTP requests from p0->p1 should work fine.
1269 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1270 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1272 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1273 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
1276 dnl HTTP requests from p2->p3 should fail due to network failure.
1277 dnl Try 3 times, with a 1 second timeout each (wget exit status 4).
1278 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
1279 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The entry was committed with mark 2 before its reply was dropped.
1281 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
1282 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
1285 OVS_TRAFFIC_VSWITCHD_STOP
1288 AT_SETUP([conntrack - ct_mark bit-fiddling])
dnl Masked writes to ct_mark. The original direction commits 0x5 with mask
dnl 0x5 (bits 0 and 2 set); the reply direction commits 0x2 with mask 0x6
dnl (bit 1 set, bit 2 cleared, bit 0 untouched), leaving mark 0x3, which is
dnl what the reply rule and the final dump-conntrack check expect.
dnl Only at_ns0 and at_ns1 are actually used here.
1290 OVS_TRAFFIC_VSWITCHD_START()
1292 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1294 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1295 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1297 dnl Allow traffic between ns0<->ns1 using the ct_mark. Return traffic should
1298 dnl cause an additional bit to be set in the connection (and be allowed).
1299 AT_DATA([flows.txt], [dnl
1300 table=0,priority=1,action=drop
1301 table=0,priority=10,arp,action=normal
1302 table=0,priority=10,icmp,action=normal
1303 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
dnl Reply direction: 0x2/0x6 sets bit 1 and clears bit 2 on the existing entry.
1304 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x2/0x6->ct_mark))
dnl Original direction: 0x5/0x5 sets bits 0 and 2 when the connection is new.
1305 table=1,in_port=1,ct_state=+new,tcp,action=ct(commit,exec(set_field:0x5/0x5->ct_mark)),2
1306 table=1,in_port=1,ct_state=-new,tcp,action=2
dnl 0x5 with bit 1 set and bit 2 cleared is 0x3.
1307 table=1,in_port=2,ct_state=+trk,ct_mark=3,tcp,action=1
1310 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1312 dnl HTTP requests from p0->p1 should work fine.
1313 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1314 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1316 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1317 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=3,protoinfo=(state=<cleared>)
1320 OVS_TRAFFIC_VSWITCHD_STOP
1323 AT_SETUP([conntrack - ct_mark from register])
dnl Same policy as "conntrack - ct_mark", but the mark is first loaded into
dnl NXM_NX_REG0 and then moved into NXM_NX_CT_MARK inside exec(). Pair
dnl p0->p1 uses mark 1 and works; pair p2->p3 uses mark 2 but its reply
dnl rule requires ct_mark=1, so it fails.
1325 OVS_TRAFFIC_VSWITCHD_START()
1327 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1329 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1330 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1331 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1332 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1334 dnl Allow TCP from ns0->ns1 with ct_mark 1 and replies matching that mark.
dnl Commit ns2->ns3 with ct_mark 2 but keep the reply rule on ct_mark=1 so
dnl that it cannot match.
1335 AT_DATA([flows.txt], [dnl
1336 priority=1,action=drop
1337 priority=10,arp,action=normal
1338 priority=10,icmp,action=normal
dnl move: inside exec() copies the register into the entry being committed.
1339 priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
1340 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1341 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
1342 priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
1343 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Deliberate mismatch: this connection carries mark 2.
1344 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
1347 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1349 dnl HTTP requests from p0->p1 should work fine.
1350 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1351 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1353 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1354 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
1357 dnl HTTP requests from p2->p3 should fail due to network failure.
1358 dnl Try 3 times, with a 1 second timeout each (wget exit status 4).
1359 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
1360 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The entry was committed with mark 2 before its reply was dropped.
1362 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
1363 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
1366 OVS_TRAFFIC_VSWITCHD_STOP
1369 AT_SETUP([conntrack - ct_label])
dnl Same shape as "conntrack - ct_mark" but using the 128-bit ct_label.
dnl Pair p0->p1 commits label 0x0a000d000005000001 and matches replies on
dnl it; pair p2->p3 commits label 0x2 while its reply rule still requires
dnl the first label, so it fails. Unlike the ct_mark test, no
dnl dump-conntrack check is made here.
1371 OVS_TRAFFIC_VSWITCHD_START()
1373 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1375 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1376 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1377 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1378 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1380 dnl Allow traffic between ns0<->ns1 using the ct_label.
1381 dnl Check that different labels do not match for traffic between ns2<->ns3.
1382 AT_DATA([flows.txt], [dnl
1383 priority=1,action=drop
1384 priority=10,arp,action=normal
1385 priority=10,icmp,action=normal
1386 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
1387 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1388 priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
1389 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
1390 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Deliberate mismatch: this connection carries label 0x2.
1391 priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
1394 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1396 dnl HTTP requests from p0->p1 should work fine.
1397 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1398 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1400 dnl HTTP requests from p2->p3 should fail due to network failure.
1401 dnl Try 3 times, with a 1 second timeout each (wget exit status 4).
1402 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
1403 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1405 OVS_TRAFFIC_VSWITCHD_STOP
1408 AT_SETUP([conntrack - ct_label bit-fiddling])
dnl Masked writes to ct_label, mirroring the ct_mark bit-fiddling test. The
dnl original direction commits 0x5 with mask 0x5 (bits 0 and 2 set); the
dnl reply direction commits 0x200000000 with mask 0x200000004 (bit 33 set,
dnl bit 2 cleared), leaving 0x200000001, which the reply rule and the final
dnl dump-conntrack check expect. Only at_ns0 and at_ns1 are used.
1410 OVS_TRAFFIC_VSWITCHD_START()
1412 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1414 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1415 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1417 dnl Allow traffic between ns0<->ns1 using the ct_labels. Return traffic should
1418 dnl cause an additional bit to be set in the connection labels (and be allowed).
1419 AT_DATA([flows.txt], [dnl
1420 table=0,priority=1,action=drop
1421 table=0,priority=10,arp,action=normal
1422 table=0,priority=10,icmp,action=normal
1423 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
dnl Reply direction: set bit 33, clear bit 2, leave everything else alone.
1424 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label))
dnl Original direction: set bits 0 and 2 when the connection is new.
1425 table=1,in_port=1,tcp,ct_state=+new,action=ct(commit,exec(set_field:0x5/0x5->ct_label)),2
1426 table=1,in_port=1,tcp,ct_state=-new,action=2
1427 table=1,in_port=2,ct_state=+trk,ct_label=0x200000001,tcp,action=1
1430 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1432 dnl HTTP requests from p0->p1 should work fine.
1433 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1434 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1436 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1437 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),labels=0x200000001,protoinfo=(state=<cleared>)
1440 OVS_TRAFFIC_VSWITCHD_STOP
1443 AT_SETUP([conntrack - ct metadata, multiple zones])
dnl Combines the mark and label bit-fiddling tests with two zones: the
dnl masked mark/label writes are applied only to the zone 1 entry, while the
dnl same connection is committed plainly in zone 2. The dump-conntrack check
dnl expects mark=3 and labels=0x200000001 on the zone 1 entry and neither on
dnl the zone 2 entry. Only at_ns0 and at_ns1 are used.
1445 OVS_TRAFFIC_VSWITCHD_START()
1447 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1449 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1450 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1452 dnl Allow traffic between ns0<->ns1 using the ct_mark and ct_labels in zone=1,
1453 dnl but do *not* set any of these for the ct() in zone=2. Traffic should pass,
1454 dnl and we should see that the conntrack entries only apply the ct_mark and
1455 dnl ct_labels to the connection in zone=1.
1456 AT_DATA([flows.txt], [dnl
1457 table=0,priority=1,action=drop
1458 table=0,priority=10,arp,action=normal
1459 table=0,priority=10,icmp,action=normal
1460 table=0,priority=100,in_port=1,tcp,action=ct(zone=1,table=1)
dnl Reply direction in zone 1: set label bit 33 and clear bit 2; set mark bit 1 and clear bit 2.
1461 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(zone=1,table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label,set_field:0x2/0x6->ct_mark))
dnl Original direction: zone 1 gets bits 0 and 2 of label and mark; zone 2 is committed without metadata.
1462 table=1,in_port=1,tcp,ct_state=+new,action=ct(zone=1,commit,exec(set_field:0x5/0x5->ct_label,set_field:0x5/0x5->ct_mark)),ct(commit,zone=2),2
1463 table=1,in_port=1,tcp,ct_state=-new,action=ct(zone=2),2
dnl Note: no ct_state check on this rule, so any TCP from port 2 that reaches
dnl table 1 is forwarded after the zone 2 lookup regardless of its result.
1464 table=1,in_port=2,tcp,action=ct(zone=2),1
1467 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1469 dnl HTTP requests from p0->p1 should work fine.
1470 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1471 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1473 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1474 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,mark=3,labels=0x200000001,protoinfo=(state=<cleared>)
1475 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1478 OVS_TRAFFIC_VSWITCHD_STOP
1481 AT_SETUP([conntrack - ICMP related])
dnl A UDP datagram to a closed port on ns1 provokes an ICMP destination
dnl unreachable. Conntrack classifies that ICMP as related (+rel) to the UDP
dnl connection and it inherits the connection's ct_mark, which is how the
dnl reply rule lets it back to ns0. Verified via per-flow packet counters.
1483 OVS_TRAFFIC_VSWITCHD_START()
1485 ADD_NAMESPACES(at_ns0, at_ns1)
1487 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1488 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1490 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
1491 AT_DATA([flows.txt], [dnl
1492 priority=1,action=drop
1493 priority=10,arp,action=normal
1494 priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
1495 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
dnl ct_mark=1 on the ICMP packet comes from the related UDP connection.
1496 priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
1499 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1501 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl NOTE(review): NC_EOF_OPT is presumably the netcat close-on-EOF option
dnl detected at configure time; it is not defined in this file.
1502 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
dnl Flush datapath flows so the OpenFlow counters below are up to date.
1504 AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl ofctl_strip removes volatile fields; the drop rule is filtered out.
dnl set_field:1->ct_mark is printed back in its canonical load: form.
1505 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
1506 n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
1507 n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
1508 n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
1509 n_packets=2, n_bytes=84, priority=10,arp actions=NORMAL
1513 OVS_TRAFFIC_VSWITCHD_STOP
1516 AT_SETUP([conntrack - ICMP related 2])
dnl Same idea as "ICMP related", but the packets are injected with
dnl ovs-ofctl packet-out instead of being generated inside the namespaces,
dnl and tracked packets are sent to the controller so that ovs-ofctl monitor
dnl can record which ones conntrack classified as related. An ICMP error
dnl that references a UDP flow conntrack has never seen must not be +rel.
1518 OVS_TRAFFIC_VSWITCHD_START()
1520 ADD_NAMESPACES(at_ns0, at_ns1)
1522 ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
1523 ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")
1525 dnl Commit untracked UDP from ns0->ns1 and send tracked IP from port 1 to the
dnl controller. From port 2, track and send to the controller only packets that
dnl are related replies to an existing connection; everything else is dropped.
1526 AT_DATA([flows.txt], [dnl
1527 priority=1,action=drop
1528 priority=10,arp,action=normal
1529 priority=100,in_port=1,udp,ct_state=-trk,action=ct(commit,table=0)
1530 priority=100,in_port=1,ip,ct_state=+trk,actions=controller
1531 priority=100,in_port=2,ip,ct_state=-trk,action=ct(table=0)
1532 priority=100,in_port=2,ip,ct_state=+trk+rel+rpl,action=controller
1535 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])
dnl Keep the monitor log in the test output; 65534 is the miss_send_len.
1537 AT_CAPTURE_FILE([ofctl_monitor.log])
1538 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
1540 dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request
dnl The embedded UDP header names dst port 0x2222 (8738) of a flow conntrack
dnl never saw, so this packet is not +rel and falls through to the drop rule.
1541 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f355ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])
1543 dnl 2. Send an UDP packet to port 5555
dnl 172.16.0.1:41614 -> 172.16.0.2:5555, committed; it appears in the log as new|trk.
1544 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
1546 dnl 3. Send an ICMP port unreach reply for port 5555, related to the UDP packet sent in step 2
dnl Its embedded header matches the committed UDP flow, so it is rel|rpl|trk.
1547 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
1549 dnl Check this output. We only see the latter two packets, not the first.
1550 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
1551 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
1552 udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
1553 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
1554 icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
1557 OVS_TRAFFIC_VSWITCHD_STOP
1560 AT_SETUP([conntrack - FTP])
1561 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1563 CHECK_CONNTRACK_ALG()
1564 OVS_TRAFFIC_VSWITCHD_START()
1566 ADD_NAMESPACES(at_ns0, at_ns1)
1568 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1569 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1571 dnl Allow any TCP from ns0->ns1, treating it as FTP control traffic. From ns1->ns0 allow only
dnl established connections and connections related to them (the FTP data channel). ARP and ICMP pass normally.
1572 AT_DATA([flows1.txt], [dnl
1573 table=0,priority=1,action=drop
1574 table=0,priority=10,arp,action=normal
1575 table=0,priority=10,icmp,action=normal
1576 table=0,priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
1577 table=0,priority=100,in_port=2,tcp,action=ct(table=1)
1578 table=1,in_port=2,tcp,ct_state=+trk+est,action=1
1579 table=1,in_port=2,tcp,ct_state=+trk+rel,action=1
1582 dnl Similar policy but without allowing all traffic from ns0->ns1.
1583 AT_DATA([flows2.txt], [dnl
1584 table=0,priority=1,action=drop
1585 table=0,priority=10,arp,action=normal
1586 table=0,priority=10,icmp,action=normal
1588 dnl Allow outgoing TCP connections, and treat them as FTP
1589 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
1590 table=1,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
1591 table=1,in_port=1,tcp,ct_state=+trk+est,action=2
1593 dnl Allow incoming FTP data connections and responses to existing connections
1594 table=0,priority=100,in_port=2,tcp,action=ct(table=1)
1595 table=1,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
1596 table=1,in_port=2,tcp,ct_state=+trk+est,action=1
1597 table=1,in_port=2,tcp,ct_state=+trk-new+rel,action=1
1600 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
1602 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
1603 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1604 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
1606 dnl FTP requests from p1->p0 should fail due to network failure.
1607 dnl Try 3 times, in 1 second intervals.
1608 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
1609 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
1612 dnl FTP requests from p0->p1 should work fine.
1613 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1614 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1615 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1618 dnl Try the second set of flows.
1619 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
1620 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1622 dnl FTP requests from p1->p0 should fail due to network failure.
1623 dnl Try 3 times, in 1 second intervals.
1624 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
1625 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
1628 dnl Active FTP requests from p0->p1 should work fine.
1629 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
1630 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1631 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1632 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
1635 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1637 dnl Passive FTP requests from p0->p1 should work fine.
1638 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
1639 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1640 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1643 OVS_TRAFFIC_VSWITCHD_STOP
1647 AT_SETUP([conntrack - IPv6 FTP])
1648 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1650 CHECK_CONNTRACK_ALG()
1651 OVS_TRAFFIC_VSWITCHD_START()
1653 ADD_NAMESPACES(at_ns0, at_ns1)
1655 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1656 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1658 dnl Policy: ICMPv6 is allowed both ways without tracking; new TCPv6 from ns0->ns1 is allowed
1659 dnl only to the FTP control port 21; from ns1->ns0 only related or established TCPv6 is allowed.
1660 AT_DATA([flows.txt], [dnl
1661 dnl Track all IPv6 traffic and drop the rest.
1662 dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
1663 table=0 priority=100 in_port=1 icmp6, action=2
1664 table=0 priority=100 in_port=2 icmp6, action=1
1665 table=0 priority=10 ip6, action=ct(table=1)
1666 table=0 priority=0 action=drop
1670 dnl Allow new TCPv6 FTP control connections from port 1.
1671 table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
1672 dnl Allow related TCPv6 connections from port 2.
1673 table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
1674 dnl Allow established TCPv6 connections both ways.
1675 table=1 in_port=1 ct_state=+est, tcp6, action=2
1676 table=1 in_port=2 ct_state=+est, tcp6, action=1
1677 dnl Drop everything else.
1678 table=1 priority=0, action=drop
1681 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1683 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1684 dnl waiting, we get occasional failures due to the following error:
1685 dnl "connect: Cannot assign requested address"
1686 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
1688 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1689 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
1691 dnl FTP requests from p0->p1 should work fine.
1692 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
1694 dnl Discards CLOSE_WAIT and CLOSING
1695 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
1696 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
1697 tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
1700 OVS_TRAFFIC_VSWITCHD_STOP
1704 AT_SETUP([conntrack - FTP with multiple expectations])
1705 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1707 CHECK_CONNTRACK_ALG()
1708 OVS_TRAFFIC_VSWITCHD_START()
1710 ADD_NAMESPACES(at_ns0, at_ns1)
1712 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1713 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1715 dnl Dual-firewall (zones 1 and 2): allow all TCP from ns0->ns1, allow only established and FTP-related TCP from ns1->ns0.
1716 AT_DATA([flows.txt], [dnl
1717 table=0,priority=1,action=drop
1718 table=0,priority=10,arp,action=normal
1719 table=0,priority=10,icmp,action=normal
1721 dnl Traffic from ns0 (in_port=1)
1722 table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1)
1723 table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new-rel,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
1724 table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new+rel,action=ct(commit,zone=1),ct(commit,zone=2),2
1725 table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,zone=2)
1726 table=2,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
1728 dnl Traffic from ns1 (in_port=2)
1729 table=0,priority=100,in_port=2,tcp,action=ct(table=1,zone=2)
1730 table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1731 table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,zone=1)
1732 table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1733 table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
1736 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1738 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
1739 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1741 dnl FTP requests from p1->p0 should fail due to network failure.
1742 dnl Try 3 times, in 1 second intervals.
1743 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
1744 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
1747 dnl Active FTP requests from p0->p1 should work fine.
1748 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1749 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1750 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
1751 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
1752 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1753 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1756 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1758 dnl Passive FTP requests from p0->p1 should work fine.
1759 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1760 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1761 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1762 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
1763 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1764 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
1767 OVS_TRAFFIC_VSWITCHD_STOP
1770 AT_SETUP([conntrack - IPv4 fragmentation ])
1772 CHECK_CONNTRACK_FRAG()
1773 OVS_TRAFFIC_VSWITCHD_START()
1775 ADD_NAMESPACES(at_ns0, at_ns1)
1777 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1778 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1780 dnl Sending ping through conntrack
1781 AT_DATA([flows.txt], [dnl
1782 priority=1,action=drop
1783 priority=10,arp,action=normal
1784 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1785 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1786 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1789 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1791 dnl Ipv4 fragmentation connectivity check.
1792 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1793 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1796 dnl Ipv4 larger fragmentation connectivity check.
1797 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1798 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1801 OVS_TRAFFIC_VSWITCHD_STOP
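1804 AT_SETUP([conntrack - IPv4 fragmentation expiry])
1806 CHECK_CONNTRACK_FRAG()
1807 OVS_TRAFFIC_VSWITCHD_START()
1809 ADD_NAMESPACES(at_ns0, at_ns1)
1811 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1812 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1814 AT_DATA([flows.txt], [dnl
1815 priority=1,action=drop
1816 priority=10,arp,action=normal
1818 dnl Only allow non-fragmented messages and 1st fragments of each message.
dnl Later fragments fall through to the priority=1 drop, so conntrack can never
dnl finish reassembling the echo request and its partial fragment queue must
dnl expire on its own; this test exercises that expiry path.
dnl (The ip_frag=first match was previously written without the comma before
dnl "action="; it only appears to parse because ovs-ofctl locates the action
dnl list by searching for the substring "action". Keep the comma.)
1819 priority=100,in_port=1,icmp,ip_frag=no,action=ct(commit,zone=9),2
1820 priority=100,in_port=1,icmp,ip_frag=first,action=ct(commit,zone=9),2
1821 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1822 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1825 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1827 dnl Ipv4 fragmentation connectivity check: the request is never reassembled, so
dnl no reply comes back and ping reports total loss. With -w 2 ping keeps probing
dnl until the deadline, which is why more than the single -c 1 packet is transmitted.
1828 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 1 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1829 7 packets transmitted, 0 received, 100% packet loss, time 0ms
1832 OVS_TRAFFIC_VSWITCHD_STOP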
1835 AT_SETUP([conntrack - IPv4 fragmentation + vlan])
1837 CHECK_CONNTRACK_FRAG()
1838 OVS_TRAFFIC_VSWITCHD_START()
1840 ADD_NAMESPACES(at_ns0, at_ns1)
1842 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1843 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1844 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
1845 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
1847 dnl Sending ping through conntrack
1848 AT_DATA([flows.txt], [dnl
1849 priority=1,action=drop
1850 priority=10,arp,action=normal
1851 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1852 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1853 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1856 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1858 dnl Ipv4 fragmentation connectivity check.
1859 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1860 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1863 dnl Ipv4 larger fragmentation connectivity check.
1864 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1865 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1868 OVS_TRAFFIC_VSWITCHD_STOP
1871 AT_SETUP([conntrack - IPv6 fragmentation])
1873 CHECK_CONNTRACK_FRAG()
1874 OVS_TRAFFIC_VSWITCHD_START()
1876 ADD_NAMESPACES(at_ns0, at_ns1)
1878 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1879 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1881 dnl Sending ping through conntrack
1882 AT_DATA([flows.txt], [dnl
1883 priority=1,action=drop
1884 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1885 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1886 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1887 priority=100,icmp6,icmp_type=135,action=normal
1888 priority=100,icmp6,icmp_type=136,action=normal
1891 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1893 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1894 dnl waiting, we get occasional failures due to the following error:
1895 dnl "connect: Cannot assign requested address"
1896 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1898 dnl Ipv6 fragmentation connectivity check.
1899 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1900 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1903 dnl Ipv6 larger fragmentation connectivity check.
1904 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1905 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1908 OVS_TRAFFIC_VSWITCHD_STOP
1911 AT_SETUP([conntrack - IPv6 fragmentation expiry])
1913 CHECK_CONNTRACK_FRAG()
1914 OVS_TRAFFIC_VSWITCHD_START()
1916 ADD_NAMESPACES(at_ns0, at_ns1)
1918 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1919 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1921 AT_DATA([flows.txt], [dnl
1922 priority=1,action=drop
1924 dnl Only allow non-fragmented messages and 1st fragments of each message
1925 priority=10,in_port=1,ipv6,ip_frag=first,action=ct(commit,zone=9),2
1926 priority=10,in_port=1,ipv6,ip_frag=no,action=ct(commit,zone=9),2
1927 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1928 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1930 dnl Neighbour Discovery
1931 priority=100,icmp6,icmp_type=135,action=normal
1932 priority=100,icmp6,icmp_type=136,action=normal
1935 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1937 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1938 dnl waiting, we get occasional failures due to the following error:
1939 dnl "connect: Cannot assign requested address"
1940 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1942 dnl Send a fragmented IPv6 echo request. Only the first fragment is forwarded, so it can
dnl never be reassembled and no reply arrives; the partial fragment queue in conntrack must expire on its own.
1943 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 1 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1944 7 packets transmitted, 0 received, 100% packet loss, time 0ms
1947 dnl There is nothing further to assert here: this test exists to exercise the fragment
dnl expiry path, where a buggy kernel datapath would crash rather than clean up.
1949 OVS_TRAFFIC_VSWITCHD_STOP
1952 AT_SETUP([conntrack - IPv6 fragmentation + vlan])
1954 CHECK_CONNTRACK_FRAG()
1955 OVS_TRAFFIC_VSWITCHD_START()
1957 ADD_NAMESPACES(at_ns0, at_ns1)
1959 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1960 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1962 ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
1963 ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")
1965 dnl Sending ping through conntrack
1966 AT_DATA([flows.txt], [dnl
1967 priority=1,action=drop
1968 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1969 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1970 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1971 priority=100,icmp6,icmp_type=135,action=normal
1972 priority=100,icmp6,icmp_type=136,action=normal
1975 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1977 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
1978 dnl waiting, we get occasional failures due to the following error:
1979 dnl "connect: Cannot assign requested address"
1980 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1982 dnl IPv6 fragmentation connectivity check over the VLAN.
1983 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1984 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1987 dnl IPv6 larger fragmentation connectivity check over the VLAN.
1988 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1989 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1992 OVS_TRAFFIC_VSWITCHD_STOP
1995 AT_SETUP([conntrack - Fragmentation over vxlan])
1998 CHECK_CONNTRACK_FRAG()
2000 OVS_TRAFFIC_VSWITCHD_START()
2001 ADD_BR([br-underlay])
2002 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
2004 ADD_NAMESPACES(at_ns0)
2006 dnl Sending ping through conntrack
2007 AT_DATA([flows.txt], [dnl
2008 priority=1,action=drop
2009 priority=10,arp,action=normal
2010 priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
2011 priority=100,in_port=LOCAL,icmp,action=ct(table=1,zone=9)
2012 table=1,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
2015 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2017 dnl Set up underlay link from host into the namespace using veth pair.
2018 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
2019 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
2020 AT_CHECK([ip link set dev br-underlay up])
2022 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
2023 dnl linux device inside the namespace.
2024 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
2025 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
2026 [id 0 dstport 4789])
2028 dnl First, check the underlay
2029 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
2030 3 packets transmitted, 3 received, 0% packet loss, time 0ms
2033 dnl Okay, now check the overlay with different packet sizes
2034 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
2035 3 packets transmitted, 3 received, 0% packet loss, time 0ms
2037 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
2038 3 packets transmitted, 3 received, 0% packet loss, time 0ms
2040 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
2041 3 packets transmitted, 3 received, 0% packet loss, time 0ms
2044 OVS_TRAFFIC_VSWITCHD_STOP
2047 AT_SETUP([conntrack - IPv6 Fragmentation over vxlan])
2050 CHECK_CONNTRACK_FRAG()
2052 OVS_TRAFFIC_VSWITCHD_START()
2053 ADD_BR([br-underlay])
2054 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
2056 ADD_NAMESPACES(at_ns0)
2058 dnl Sending ping through conntrack
2059 AT_DATA([flows.txt], [dnl
2060 priority=1,action=drop
2061 priority=100,in_port=1,ipv6,action=ct(commit,zone=9),LOCAL
2062 priority=100,in_port=LOCAL,ipv6,action=ct(table=1,zone=9)
2063 table=1,in_port=LOCAL,ct_state=+trk+est,ipv6,action=1
2065 dnl Neighbour Discovery
2066 priority=1000,icmp6,icmp_type=135,action=normal
2067 priority=1000,icmp6,icmp_type=136,action=normal
2070 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2072 dnl Set up underlay link from host into the namespace using veth pair.
2073 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
2074 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
2075 AT_CHECK([ip link set dev br-underlay up])
2077 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
2078 dnl linux device inside the namespace.
2079 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], ["fc00::2/96"])
2080 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], ["fc00::1/96"],
2081 [id 0 dstport 4789])
2083 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
2084 dnl waiting, we get occasional failures due to the following error:
2085 dnl "connect: Cannot assign requested address"
2086 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
2088 dnl First, check the underlay
2089 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
2090 3 packets transmitted, 3 received, 0% packet loss, time 0ms
2093 dnl Okay, now check the overlay with different packet sizes
2094 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
2095 3 packets transmitted, 3 received, 0% packet loss, time 0ms
2097 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
2098 3 packets transmitted, 3 received, 0% packet loss, time 0ms
2100 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
2101 3 packets transmitted, 3 received, 0% packet loss, time 0ms
2104 OVS_TRAFFIC_VSWITCHD_STOP
2107 AT_SETUP([conntrack - resubmit to ct multiple times])
dnl Checks that a packet resubmitted into ct() from two different tables is
dnl delivered to the ct target table once per resubmit (table 3 counts it twice).
dnl Secure fail mode: with no controller the bridge does not fall back to normal
dnl switching, so only the flows below decide what is forwarded.
2110 OVS_TRAFFIC_VSWITCHD_START(
2111 [set-fail-mode br0 secure -- ])
2113 ADD_NAMESPACES(at_ns0, at_ns1)
2115 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2116 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2118 AT_DATA([flows.txt], [dnl
2119 table=0,priority=150,arp,action=normal
dnl Fan the same IP packet out to two tables that each run ct() into table 3.
2120 table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)
2122 table=1,ip,action=ct(table=3)
2123 table=2,ip,action=ct(table=3)
dnl Nothing is forwarded, so the ping below must fail.
2125 table=3,ip,action=drop
2128 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
2130 NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
2131 1 packets transmitted, 0 received, 100% packet loss, time 0ms
dnl Tables 1 and 2 each saw the packet once; table 3 saw it twice (n_packets=2, n_bytes=196).
2134 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
2135 n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
2136 n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
2137 table=1, n_packets=1, n_bytes=98, ip actions=ct(table=3)
2138 table=2, n_packets=1, n_bytes=98, ip actions=ct(table=3)
2139 table=3, n_packets=2, n_bytes=196, ip actions=drop
2143 OVS_TRAFFIC_VSWITCHD_STOP
2147 AT_SETUP([conntrack - simple SNAT])
2149 CHECK_CONNTRACK_NAT()
2150 OVS_TRAFFIC_VSWITCHD_START()
2152 ADD_NAMESPACES(at_ns0, at_ns1)
2154 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2155 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2156 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2158 dnl SNAT any IP from ns0->ns1 to 10.1.1.240-10.1.1.255 in zone 1. Note that any tracked IP packet from ns1
dnl (not only reply traffic; ct_state=+trk also matches new connections) is forwarded to ns0 -- this test only
dnl exercises the NAT mapping. Everything not matched below is dropped.
2159 AT_DATA([flows.txt], [dnl
2160 in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
2161 in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
2162 in_port=2,ct_state=+trk,ct_zone=1,ip,action=1
2165 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2166 priority=10 arp action=normal
2167 priority=0,action=drop
2169 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2170 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2171 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2172 dnl ARP responder: OXM_OF_PKT_REG0 holds the MAC to answer with, or 0 to fall back to the normal action.
2174 dnl Swaps the ARP/Ethernet fields to turn the request into a reply and sends it back out the ingress port;
dnl in_port is saved to reg3 and zeroed first because a plain output to the packet's own in_port is suppressed.
2175 table=10 priority=100 arp xreg0=0 action=normal
2176 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2177 table=10 priority=0 action=drop
2180 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2182 dnl HTTP requests from p0->p1 should work fine.
2183 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2184 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
2186 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2187 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2190 OVS_TRAFFIC_VSWITCHD_STOP
2194 AT_SETUP([conntrack - SNAT with port range])
2196 CHECK_CONNTRACK_NAT()
2197 OVS_TRAFFIC_VSWITCHD_START()
2199 ADD_NAMESPACES(at_ns0, at_ns1)
2201 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2202 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2203 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2205 dnl SNAT any TCP from ns0->ns1 to 10.1.1.240-10.1.1.255 with source ports 34567-34568 in zone 1. Only TCP
dnl to those two ports is tracked on the way back from ns1, and any tracked packet (including new connections,
dnl since ct_state=+trk is not restricted to +est) is forwarded to ns0. Everything else is dropped.
2206 AT_DATA([flows.txt], [dnl
2207 in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:34567-34568,random)),2
2208 in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
2209 in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
2210 in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
2213 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2214 priority=10 arp action=normal
2215 priority=0,action=drop
2217 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2218 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2219 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2220 dnl ARP responder: OXM_OF_PKT_REG0 holds the MAC to answer with, or 0 to fall back to the normal action.
2222 dnl Swaps the ARP/Ethernet fields to turn the request into a reply and sends it back out the ingress port;
dnl in_port is saved to reg3 and zeroed first because a plain output to the packet's own in_port is suppressed.
2223 table=10 priority=100 arp xreg0=0 action=normal
2224 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2225 table=10 priority=0 action=drop
2228 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2230 dnl HTTP requests from p0->p1 should work fine.
2231 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2232 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
2234 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2235 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2238 OVS_TRAFFIC_VSWITCHD_STOP
2242 AT_SETUP([conntrack - more complex SNAT])
2244 CHECK_CONNTRACK_NAT()
2245 OVS_TRAFFIC_VSWITCHD_START()
2247 ADD_NAMESPACES(at_ns0, at_ns1)
2249 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2250 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2251 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2253 AT_DATA([flows.txt], [dnl
2254 dnl Track all IP traffic, NAT existing connections.
2255 priority=100 ip action=ct(table=1,zone=1,nat)
2257 dnl Allow ARP, but generate responses for NATed addresses
2258 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2259 priority=10 arp action=normal
2260 priority=0 action=drop
2262 dnl Allow any traffic from ns0->ns1. SNAT ns0 to 10.1.1.240-10.1.1.255
2263 table=1 priority=100 in_port=1 ip ct_state=+trk+new-est action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
2264 table=1 priority=100 in_port=1 ip ct_state=+trk-new+est action=2
2265 dnl Only allow established traffic from ns1->ns0.
2266 table=1 priority=100 in_port=2 ip ct_state=+trk-new+est action=1
2267 table=1 priority=0 action=drop
2269 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2270 table=8 priority=100 reg2=0x0a0101f0/0xfffffff0 action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2271 dnl Zero result means not found.
2272 table=8 priority=0 action=load:0->OXM_OF_PKT_REG0[[]]
2273 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2274 dnl ARP TPA IP in reg2.
2275 table=10 priority=100 arp xreg0=0 action=normal
2276 dnl Swaps the fields of the ARP message to turn a query to a response.
2277 table=10 priority=10 arp arp_op=1 action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2278 table=10 priority=0 action=drop
2281 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2283 dnl HTTP requests from p0->p1 should work fine.
2284 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2285 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
2287 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2288 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2291 OVS_TRAFFIC_VSWITCHD_STOP
2294 AT_SETUP([conntrack - simple DNAT])
2296 CHECK_CONNTRACK_NAT()
2297 OVS_TRAFFIC_VSWITCHD_START()
2299 ADD_NAMESPACES(at_ns0, at_ns1)
2301 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2302 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2303 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
2305 dnl Allow any IP traffic from ns0->ns1 (committed in zone 1). From ns1->ns0 only allow ARP and established (return) traffic in zone 1; anything else falls through to the priority=0 drop.
2306 AT_DATA([flows.txt], [dnl
2307 priority=100 in_port=1,ip,nw_dst=10.1.1.64,action=ct(zone=1,nat(dst=10.1.1.2),commit),2
2308 priority=10 in_port=1,ip,action=ct(commit,zone=1),2
2309 priority=100 in_port=2,ct_state=-trk,ip,action=ct(table=0,nat,zone=1)
2310 priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip,action=1
2313 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2314 priority=10 arp action=normal
2315 priority=0,action=drop
2317 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2318 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2319 dnl Zero result means not found.
2320 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2321 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2323 table=10 priority=100 arp xreg0=0 action=normal
2324 dnl Swaps the fields of the ARP message to turn a query to a response.
2325 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2326 table=10 priority=0 action=drop
2329 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2331 dnl Should work with the virtual IP address through NAT
2332 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2333 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
2335 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
2336 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2339 dnl Should work with the assigned IP address as well
2340 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2342 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2343 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2346 OVS_TRAFFIC_VSWITCHD_STOP
2349 AT_SETUP([conntrack - more complex DNAT])
2351 CHECK_CONNTRACK_NAT()
2352 OVS_TRAFFIC_VSWITCHD_START()
2354 ADD_NAMESPACES(at_ns0, at_ns1)
2356 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2357 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2358 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
2360 dnl Allow any IP traffic from ns0->ns1 (committed in zone 1). From ns1->ns0 only allow ARP and established (return) traffic in zone 1; new connections from ns1 fall through to the table 1 priority=0 drop.
2361 AT_DATA([flows.txt], [dnl
2362 dnl Track all IP traffic
2363 table=0 priority=100 ip action=ct(table=1,zone=1,nat)
2365 dnl Allow ARP, but generate responses for NATed addresses
2366 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2367 table=0 priority=10 arp action=normal
2368 table=0 priority=0 action=drop
2370 dnl Allow any IP traffic from ns0->ns1. DNAT traffic from ns0 to the virtual address 10.1.1.64 so that it reaches 10.1.1.2.
2371 table=1 priority=100 in_port=1 ct_state=+new ip nw_dst=10.1.1.64 action=ct(zone=1,nat(dst=10.1.1.2),commit),2
2372 table=1 priority=10 in_port=1 ct_state=+new ip action=ct(commit,zone=1),2
2373 table=1 priority=100 in_port=1 ct_state=+est ct_zone=1 action=2
2374 dnl Only allow established traffic from ns1->ns0.
2375 table=1 priority=100 in_port=2 ct_state=+est ct_zone=1 action=1
2376 table=1 priority=0 action=drop
2378 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2379 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2380 dnl Zero result means not found.
2381 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2382 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2384 table=10 priority=100 arp xreg0=0 action=normal
2385 dnl Swaps the fields of the ARP message to turn a query to a response.
2386 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2387 table=10 priority=0 action=drop
2390 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2392 dnl Should work with the virtual IP address through NAT
2393 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
2394 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
2396 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
2397 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2400 dnl Should work with the assigned IP address as well
2401 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2403 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2404 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2407 OVS_TRAFFIC_VSWITCHD_STOP
2410 AT_SETUP([conntrack - ICMP related with NAT])
2412 CHECK_CONNTRACK_NAT()
2413 OVS_TRAFFIC_VSWITCHD_START()
2415 ADD_NAMESPACES(at_ns0, at_ns1)
2417 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2418 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2419 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2421 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
2422 dnl Make sure ICMP responses are reverse-NATted.
2423 AT_DATA([flows.txt], [dnl
2424 in_port=1,udp,action=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:1->ct_mark)),2
2425 in_port=2,icmp,ct_state=-trk,action=ct(table=0,nat)
2426 in_port=2,icmp,nw_dst=10.1.1.1,ct_state=+trk+rel,ct_mark=1,action=1
2429 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2430 priority=10 arp action=normal
2431 priority=0,action=drop
2433 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2434 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2435 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2436 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2438 dnl Swaps the fields of the ARP message to turn a query to a response.
2439 table=10 priority=100 arp xreg0=0 action=normal
2440 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2441 table=10 priority=0 action=drop
2444 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2446 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
2447 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
2449 AT_CHECK([ovs-appctl revalidator/purge], [0])
2450 AT_CHECK([ovs-ofctl -O OpenFlow15 dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
2451 n_packets=1, n_bytes=42, priority=10,arp actions=NORMAL
2452 n_packets=1, n_bytes=44, udp,in_port=1 actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:0x1->ct_mark)),output:2
2453 n_packets=1, n_bytes=72, ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2,nw_dst=10.1.1.1 actions=output:1
2454 n_packets=1, n_bytes=72, ct_state=-trk,icmp,in_port=2 actions=ct(table=0,nat)
2455 n_packets=2, n_bytes=84, priority=100,arp,arp_op=1 actions=move:NXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2456 table=10, n_packets=1, n_bytes=42, priority=10,arp,arp_op=1 actions=set_field:2->arp_op,move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_NX_ARP_SHA[[]],move:NXM_OF_ARP_SPA[[]]->NXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->NXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],set_field:0->in_port,output:NXM_NX_REG3[[0..15]]
2457 table=10, n_packets=1, n_bytes=42, priority=100,arp,reg0=0,reg1=0 actions=NORMAL
2458 table=8, n_packets=1, n_bytes=42, priority=0 actions=set_field:0->xreg0
2459 table=8, n_packets=1, n_bytes=42, reg2=0xa0101f0/0xfffffff0 actions=set_field:0x808888888888->xreg0
2460 OFPST_FLOW reply (OF1.5):
2463 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
2464 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),mark=1
2467 OVS_TRAFFIC_VSWITCHD_STOP
2470 dnl CHECK_FTP_NAT(TITLE, IP_ADDR, FLOWS)
2472 dnl Checks the implementation of conntrack with FTP ALGs in combination with
2473 dnl NAT, using the provided flow table.
2474 m4_define([CHECK_FTP_NAT],
2475 [AT_SETUP([conntrack - FTP NAT $1])
2476 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
2478 CHECK_CONNTRACK_NAT()
2480 OVS_TRAFFIC_VSWITCHD_START()
2482 ADD_NAMESPACES(at_ns0, at_ns1)
2484 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2485 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2486 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2488 dnl The flows supplied as $3 are expected to allow new FTP control connections from ns0->ns1 (source-NATted to $2) plus related/established traffic in both directions, and to drop everything else.
2489 AT_DATA([flows.txt], [$3
2492 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2494 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
2495 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
2497 dnl FTP requests from p0->p1 should work fine.
2498 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
2500 dnl Discards CLOSE_WAIT and CLOSING
2501 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2502 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2503 tcp,orig=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2506 OVS_TRAFFIC_VSWITCHD_STOP
2509 dnl CHECK_FTP_NAT_PRE_RECIRC(TITLE, IP_ADDR, IP_ADDR_AS_HEX)
2511 dnl Checks the implementation of conntrack with FTP ALGs in combination with
2512 dnl NAT, with flow tables that implement the NATing as part of handling of
2513 dnl initial incoming packets - ie, the first flow is ct(nat,table=foo).
2515 dnl IP_ADDR must specify the NAT address in standard "10.1.1.x" format,
2516 dnl and IP_ADDR_AS_HEX must specify the same address as hex, eg 0x0a0101xx.
2517 m4_define([CHECK_FTP_NAT_PRE_RECIRC], [dnl
2518 CHECK_FTP_NAT([prerecirc $1], [$2], [dnl
2520 dnl Track all IP traffic and apply any existing NAT binding (reverse NAT for return traffic) before the per-direction tables decide.
2520 table=0 in_port=1, ip, action=ct(table=1,nat)
2521 table=0 in_port=2, ip, action=ct(table=2,nat)
2525 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2526 table=0 priority=10 arp action=normal
2527 table=0 priority=0 action=drop
2529 dnl Table 1: port 1 -> 2
2531 dnl Allow new FTP control connections (TCP port 21) from 10.1.1.1 only, source-NATted to $2. These need to be committed (with alg=ftp) so the related data connection is recognized.
2532 table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=$2)),2
2533 dnl Allow established TCP connections only if the source is already the NAT address $2; a packet of a known connection that was not translated is dropped below.
2534 table=1 ct_state=+est, tcp, nw_src=$2, action=2
2536 dnl Table 1: droppers
2538 table=1 priority=10, tcp, action=drop
2539 table=1 priority=0,action=drop
2541 dnl Table 2: port 2 -> 1
2543 dnl Allow established TCP connections, make sure they are reverse NATted
2544 table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
2545 dnl Allow new related (active-mode data) connections from the server to the NAT address $2. These need to be committed so their return packets match +est.
2546 table=2 ct_state=+new+rel, tcp, nw_dst=$2, action=ct(commit,nat),1
2547 dnl Allow related ICMP packets, make sure they are reverse NATted
2548 table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
2550 dnl Table 2: droppers
2552 table=2 priority=10, tcp, action=drop
2553 table=2 priority=0, action=drop
2555 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2557 table=8,reg2=$3/0xffffffff,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2558 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2559 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2561 dnl Swaps the fields of the ARP message to turn a query to a response.
2562 table=10 priority=100 arp xreg0=0 action=normal
2563 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2564 table=10 priority=0 action=drop
2568 dnl Check that ct(nat,table=foo) works without TCP sequence adjustment.
2569 CHECK_FTP_NAT_PRE_RECIRC([], [10.1.1.9], [0x0a010109])
2571 dnl Check that ct(nat,table=foo) works with TCP sequence adjustment.
2573 dnl The FTP PORT command includes the ASCII representation of the address,
2574 dnl so when these messages need to be NATed between addresses that have
2575 dnl different lengths when represented in ASCII (such as the original address
2576 dnl of 10.1.1.1 used in the test and 10.1.1.240 here), the FTP NAT ALG must
2577 dnl resize the packet and adjust TCP sequence numbers. This test is kept
2578 dnl separate from the one above to make it easier to identify issues in this code on different
2580 CHECK_FTP_NAT_PRE_RECIRC([seqadj], [10.1.1.240], [0x0a0101f0])
2582 dnl CHECK_FTP_NAT_POST_RECIRC(TITLE, IP_ADDR, IP_ADDR_AS_HEX)
2584 dnl Checks the implementation of conntrack with FTP ALGs in combination with
2585 dnl NAT, with flow tables that implement the NATing after the first round
2586 dnl of recirculation - that is, the first flow ct(table=foo) then a subsequent
2587 dnl flow will implement the NATing with ct(nat..),output:foo.
2589 dnl IP_ADDR must specify the NAT address in standard "10.1.1.x" format,
2590 dnl and IP_ADDR_AS_HEX must specify the same address as hex, eg 0x0a0101xx.
2591 m4_define([CHECK_FTP_NAT_POST_RECIRC], [dnl
2592 CHECK_FTP_NAT([postrecirc $1], [$2], [dnl
2593 dnl track all IP traffic (this includes a helper call to non-NEW packets.)
2594 table=0 ip, action=ct(table=1)
2598 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2599 table=0 priority=10 arp action=normal
2600 table=0 priority=0 action=drop
2604 dnl Allow new FTP control connections (TCP port 21) from port 1, source-NATted to $2. These need to be committed.
2605 dnl This does helper for new packets.
2606 table=1 in_port=1 ct_state=+new, tcp, tp_dst=21, action=ct(alg=ftp,commit,nat(src=$2)),2
2607 dnl Allow and NAT established TCP connections
2608 table=1 in_port=1 ct_state=+est, tcp, action=ct(nat),2
2609 table=1 in_port=2 ct_state=+est, tcp, action=ct(nat),1
2610 dnl Allow and NAT (new) related active (data) connections.
2611 dnl These need to be committed.
2612 table=1 in_port=2 ct_state=+new+rel, tcp, action=ct(commit,nat),1
2613 dnl Allow related ICMP packets.
2614 table=1 in_port=2 ct_state=+rel, icmp, action=ct(nat),1
2615 dnl Drop everything else.
2616 table=1 priority=0, action=drop
2618 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2620 table=8,reg2=$3/0xffffffff,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2621 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2622 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
2624 dnl Swaps the fields of the ARP message to turn a query to a response.
2625 table=10 priority=100 arp xreg0=0 action=normal
2626 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2627 table=10 priority=0 action=drop
2631 dnl Check that ct(nat,table=foo) works without TCP sequence adjustment.
2632 CHECK_FTP_NAT_POST_RECIRC([], [10.1.1.9], [0x0a010109])
2634 dnl Check that ct(nat,table=foo) works with TCP sequence adjustment.
2636 dnl The FTP PORT command includes the ASCII representation of the address,
2637 dnl so when these messages need to be NATed between addresses that have
2638 dnl different lengths when represented in ASCII (such as the original address
2639 dnl of 10.1.1.1 used in the test and 10.1.1.240 here), the FTP NAT ALG must
2640 dnl resize the packet and adjust TCP sequence numbers. This test is kept
2641 dnl separate from the one above to make it easier to identify issues in this code on different
2643 CHECK_FTP_NAT_POST_RECIRC([seqadj], [10.1.1.240], [0x0a0101f0])
2645 AT_SETUP([conntrack - IPv6 HTTP with NAT])
2647 CHECK_CONNTRACK_NAT()
2648 OVS_TRAFFIC_VSWITCHD_START()
2650 ADD_NAMESPACES(at_ns0, at_ns1)
2652 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2653 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2654 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2655 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
2657 dnl Allow any IPv6 traffic from ns0->ns1, source-NATted to fc00::240. From ns1->ns0 only allow ICMPv6 (which covers ND) and established return traffic; new connections from ns1 are dropped by the priority=1 flow.
2658 AT_DATA([flows.txt], [dnl
2659 priority=1,action=drop
2660 priority=10,icmp6,action=normal
2661 priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240)),2
2662 priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
2663 priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
2664 priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1
2667 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2669 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
2670 dnl waiting, we get occasional failures due to the following error:
2671 dnl "connect: Cannot assign requested address"
2672 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
2674 dnl HTTP requests from ns0->ns1 should work fine.
2675 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
2677 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2679 dnl HTTP requests from ns1->ns0 should fail due to network failure.
2680 dnl Try 3 times, in 1 second intervals.
2681 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
2682 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
2684 OVS_TRAFFIC_VSWITCHD_STOP
2688 AT_SETUP([conntrack - IPv6 FTP with NAT])
2689 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
2691 CHECK_CONNTRACK_NAT()
2692 OVS_TRAFFIC_VSWITCHD_START()
2694 ADD_NAMESPACES(at_ns0, at_ns1)
2696 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
2697 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
2698 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
2699 dnl NAT does not translate neighbor discovery here, so install a static neighbor entry for the NATted source address fc00::240 in ns1 instead.
2700 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
2702 dnl Allow ICMPv6 and new FTP control connections (TCP port 21) from fc00::1 on ns0->ns1, source-NATted to fc00::240.
2703 dnl From ns1->ns0 only allow ICMPv6 and related/established TCP, reverse-NATted to fc00::1; everything else is dropped.
2704 AT_DATA([flows.txt], [dnl
2705 dnl Allow other ICMPv6 both ways (without commit).
2706 table=1 priority=100 in_port=1 icmp6, action=2
2707 table=1 priority=100 in_port=2 icmp6, action=1
2708 dnl Track all IPv6 traffic (this applies NAT and the FTP helper to non-NEW packets.)
2709 table=0 priority=10 ip6, action=ct(nat,table=1)
2710 table=0 priority=0 action=drop
2714 dnl Allow new TCPv6 FTP control connections.
2715 table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
2716 dnl Allow related TCPv6 connections from port 2 to the NATted address.
2717 table=1 in_port=2 ct_state=+new+rel tcp6 ipv6_dst=fc00::240 action=ct(commit,nat),1
2718 dnl Allow established TCPv6 connections both ways; the ipv6_src/ipv6_dst matches enforce that NAT was applied before the packet is forwarded.
2719 table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240 action=2
2720 table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1 action=1
2721 dnl Drop everything else.
2722 table=1 priority=0, action=drop
2725 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2727 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
2728 dnl waiting, we get occasional failures due to the following error:
2729 dnl "connect: Cannot assign requested address"
2730 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
2732 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
2733 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
2735 dnl FTP requests from p0->p1 should work fine.
2736 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
2738 dnl Discards CLOSE_WAIT and CLOSING
2739 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
2740 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
2741 tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2744 OVS_TRAFFIC_VSWITCHD_STOP
2747 AT_SETUP([conntrack - DNAT load balancing])
2749 CHECK_CONNTRACK_NAT()
2750 OVS_TRAFFIC_VSWITCHD_START()
2752 ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4)
2754 ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
2755 ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
2756 ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
2757 ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
2758 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
2759 NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
2760 NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
2761 NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
2763 dnl Select group for load balancing. One bucket per server. Each bucket
2764 dnl tracks and NATs the connection and recirculates to table 4 for egress
2765 dnl routing. Packets of existing connections are always NATted based on
2766 dnl connection state, only new connections are NATted according to the
2767 dnl specific NAT parameters in each bucket.
2768 AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])
2770 AT_DATA([flows.txt], [dnl
2771 dnl Track connections to the virtual IP address.
2772 table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
2773 dnl All other IP traffic is allowed and run through ct(nat) so replies on load-balanced connections are reverse-NATted, but its connection state is not committed.
2774 table=0 priority=90 ip action=ct(table=4,nat)
2776 dnl Allow ARP, but generate responses for virtual addresses
2777 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2778 table=0 priority=10 arp action=normal
2779 table=0 priority=0 action=drop
2783 table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
2784 table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
2785 table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
2786 table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
2787 table=4 priority=0 action=drop
2789 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2790 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2791 dnl Zero result means not found.
2792 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2793 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action. Note that unlike the other tests the table 10 priority=0 flow below sends to the controller instead of dropping; it should be unreachable since table 0 only sends ARP requests to table 10.
2795 table=10 priority=100 arp xreg0=0 action=normal
2796 dnl Swaps the fields of the ARP message to turn a query to a response.
2797 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2798 table=10 priority=0 action=controller
2801 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2803 dnl Start web servers
2804 NETNS_DAEMONIZE([at_ns2], [[$PYTHON $srcdir/test-l7.py]], [http2.pid])
2805 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http3.pid])
2806 NETNS_DAEMONIZE([at_ns4], [[$PYTHON $srcdir/test-l7.py]], [http4.pid])
2808 on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
2809 on_exit 'ovs-appctl revalidator/purge'
2810 on_exit 'ovs-appctl dpif/dump-flows br0'
2812 dnl Should work with the virtual IP address through NAT
2813 for i in 1 2 3 4 5 6 7 8 9 10 11 12; do
2815 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget$i.log])
2819 dnl Each server should have at least one connection. This relies on the 12 client connections above landing in all three buckets of the select group.
2819 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
2820 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2821 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.3,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2822 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
2825 ovs-appctl dpif/dump-flows br0
2826 ovs-appctl revalidator/purge
2827 ovs-ofctl -O OpenFlow15 dump-flows br0
2828 ovs-ofctl -O OpenFlow15 dump-group-stats br0
2830 OVS_TRAFFIC_VSWITCHD_STOP
2834 AT_SETUP([conntrack - DNAT load balancing with NC])
2836 CHECK_CONNTRACK_NAT()
2837 OVS_TRAFFIC_VSWITCHD_START()
2839 ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4, at_ns5)
2841 ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
2842 ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
2843 ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
2844 ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
2845 ADD_VETH(p5, at_ns5, br0, "10.1.1.5/24")
2846 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
2847 NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
2848 NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
2849 NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
2850 NS_CHECK_EXEC([at_ns5], [ip link set dev p5 address 80:88:88:88:88:55])
2852 dnl Select group for load balancing. One bucket per server. Each bucket
2853 dnl tracks and NATs the connection and recirculates to table 4 for egress
2854 dnl routing. Packets of existing connections are always NATted based on
2855 dnl connection state, only new connections are NATted according to the
2856 dnl specific NAT parameters in each bucket.
2857 AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])
2859 AT_DATA([flows.txt], [dnl
2860 dnl Track connections to the virtual IP address.
2861 table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
2862 dnl All other IP traffic is allowed and run through ct(nat) so replies on load-balanced connections are reverse-NATted, but its connection state is not committed.
2863 table=0 priority=90 ip action=ct(table=4,nat)
2865 dnl Allow ARP, but generate responses for virtual addresses
2866 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
2867 table=0 priority=10 arp action=normal
2868 table=0 priority=0 action=drop
2872 table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
2873 table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
2874 table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
2875 table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
2876 table=4,ip,nw_dst=10.1.1.5 action=mod_dl_dst:80:88:88:88:88:55,output:5
2877 table=4 priority=0 action=drop
2879 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
2880 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
2881 dnl Zero result means not found.
2882 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
2883 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action. Note that unlike the other tests the table 10 priority=0 flow below sends to the controller instead of dropping; it should be unreachable since table 0 only sends ARP requests to table 10.
2885 table=10 priority=100 arp xreg0=0 action=normal
2886 dnl Swaps the fields of the ARP message to turn a query to a response.
2887 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
2888 table=10 priority=0 action=controller
2891 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2893 dnl Start web servers
2894 NETNS_DAEMONIZE([at_ns2], [[$PYTHON $srcdir/test-l7.py]], [http2.pid])
2895 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http3.pid])
2896 NETNS_DAEMONIZE([at_ns4], [[$PYTHON $srcdir/test-l7.py]], [http4.pid])
2898 on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
2899 on_exit 'ovs-appctl revalidator/purge'
2900 on_exit 'ovs-appctl dpif/dump-flows br0'
2904 dnl Should work with the virtual IP address through NAT
2905 for i in 1 2 3 4 5 6 7 8 9; do
2907 NS_CHECK_EXEC([at_ns1], [echo "TEST1" | nc -p 4100$i 10.1.1.64 80 > nc-1-$i.log])
2908 NS_CHECK_EXEC([at_ns5], [echo "TEST5" | nc -p 4100$i 10.1.1.64 80 > nc-5-$i.log])
2913 ovs-appctl dpif/dump-flows br0
2914 ovs-appctl revalidator/purge
2915 ovs-ofctl -O OpenFlow15 dump-flows br0
2916 ovs-ofctl -O OpenFlow15 dump-group-stats br0
2918 OVS_TRAFFIC_VSWITCHD_STOP