1 AT_BANNER([datapath-sanity])
3 AT_SETUP([datapath - ping between two ports])
dnl Baseline datapath check: two namespaces are attached to br0 through
dnl veth pairs, br0 carries a single catch-all "actions=normal" flow
dnl (standard OpenFlow NORMAL, i.e. MAC-learning L2 switching), and ICMP
dnl echo is exchanged at the default payload size and at 1600 and 3200
dnl bytes. The larger sizes exceed a 1500-byte Ethernet MTU, presumably
dnl to exercise IP fragmentation/reassembly across the datapath.
4 OVS_TRAFFIC_VSWITCHD_START()
6 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
8 ADD_NAMESPACES(at_ns0, at_ns1)
dnl p0/p1 presumably name the namespace ends of the veth pairs; the peer
dnl ends become ports on br0.
10 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
11 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Every check demands zero loss. The constant "time 0ms" in the expected
dnl output implies FORMAT_PING rewrites the timing field of ping's summary.
13 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
14 3 packets transmitted, 3 received, 0% packet loss, time 0ms
16 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
17 3 packets transmitted, 3 received, 0% packet loss, time 0ms
19 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
20 3 packets transmitted, 3 received, 0% packet loss, time 0ms
23 OVS_TRAFFIC_VSWITCHD_STOP
26 AT_SETUP([datapath - http between two ports])
dnl Same two-namespace topology as the ping test, but with a TCP workload:
dnl an HTTP server (OVS_START_L7, presumably listening in at_ns1) is
dnl fetched from at_ns0 with wget.
27 OVS_TRAFFIC_VSWITCHD_START()
29 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
31 ADD_NAMESPACES(at_ns0, at_ns1)
33 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
34 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Confirm L3 reachability before starting the L7 server.
36 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
37 3 packets transmitted, 3 received, 0% packet loss, time 0ms
40 OVS_START_L7([at_ns1], [http])
dnl -t 3 / -T 1 / --retry-connrefused: up to three attempts with a 1 s
dnl timeout, retrying on ECONNREFUSED because the server may not be
dnl listening yet. Only the exit status is checked; wget's log goes to
dnl wget0.log in the test directory.
41 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
43 OVS_TRAFFIC_VSWITCHD_STOP
46 AT_SETUP([datapath - ping between two ports on vlan])
dnl Single-tagged (802.1Q) variant of the ping test: VLAN 100 sub-interfaces
dnl are added on top of p0/p1 with a second subnet (10.2.2.0/24), and the
dnl checked pings go over the tagged path only.
47 OVS_TRAFFIC_VSWITCHD_START()
49 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
51 ADD_NAMESPACES(at_ns0, at_ns1)
53 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
54 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl NOTE(review): unlike the cvlan test, there is no OVS_WAIT_UNTIL warm-up
dnl ping before the first checked ping here — confirm this is not flaky.
56 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
57 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
dnl Default, 1600- and 3200-byte payloads; the larger two exceed a 1500-byte
dnl MTU and presumably exercise fragmentation on the tagged path.
59 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
60 3 packets transmitted, 3 received, 0% packet loss, time 0ms
62 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
63 3 packets transmitted, 3 received, 0% packet loss, time 0ms
65 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
66 3 packets transmitted, 3 received, 0% packet loss, time 0ms
69 OVS_TRAFFIC_VSWITCHD_STOP
72 AT_SETUP([datapath - ping between two ports on cvlan])
dnl Double-tagged (QinQ) variant: an outer service VLAN 4094 (ADD_SVLAN,
dnl 10.255.2.0/24) is stacked with an inner customer VLAN 100 (ADD_CVLAN on
dnl the p0.4094/p1.4094 sub-interfaces, 10.2.2.0/24). The checked pings
dnl use the inner-VLAN addresses, so both tags must survive the datapath.
73 OVS_TRAFFIC_VSWITCHD_START()
76 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
78 ADD_NAMESPACES(at_ns0, at_ns1)
80 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
81 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
83 ADD_SVLAN(p0, at_ns0, 4094, "10.255.2.1/24")
84 ADD_SVLAN(p1, at_ns1, 4094, "10.255.2.2/24")
86 ADD_CVLAN(p0.4094, at_ns0, 100, "10.2.2.1/24")
87 ADD_CVLAN(p1.4094, at_ns1, 100, "10.2.2.2/24")
dnl Warm-up: wait until a single ping succeeds before the strict zero-loss
dnl checks, so interface bring-up time is not counted as loss.
89 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])
91 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
92 3 packets transmitted, 3 received, 0% packet loss, time 0ms
94 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
95 3 packets transmitted, 3 received, 0% packet loss, time 0ms
97 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
98 3 packets transmitted, 3 received, 0% packet loss, time 0ms
101 OVS_TRAFFIC_VSWITCHD_STOP
104 AT_SETUP([datapath - ping6 between two ports])
dnl IPv6 counterpart of the basic ping test: fc00::/96 ULA addresses on
dnl the veth pairs, ping6 at the default, 1600- and 3200-byte payloads.
105 OVS_TRAFFIC_VSWITCHD_START()
107 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
109 ADD_NAMESPACES(at_ns0, at_ns1)
111 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
112 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
114 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
115 dnl waiting, we get occasional failures due to the following error:
116 dnl "connect: Cannot assign requested address"
dnl (Duplicate address detection on the new addresses is the usual cause of
dnl that delay — not verified here.)
117 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
119 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
120 3 packets transmitted, 3 received, 0% packet loss, time 0ms
122 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
123 3 packets transmitted, 3 received, 0% packet loss, time 0ms
125 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
126 3 packets transmitted, 3 received, 0% packet loss, time 0ms
129 OVS_TRAFFIC_VSWITCHD_STOP
132 AT_SETUP([datapath - ping6 between two ports on vlan])
dnl IPv6 over a single 802.1Q tag: VLAN 100 sub-interfaces carry
dnl fc00:1::/96, and only the tagged addresses are pinged.
133 OVS_TRAFFIC_VSWITCHD_START()
135 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
137 ADD_NAMESPACES(at_ns0, at_ns1)
139 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
140 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
142 ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
143 ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")
145 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
146 dnl waiting, we get occasional failures due to the following error:
147 dnl "connect: Cannot assign requested address"
148 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00:1::2])
dnl Zero-loss checks at the default, 1600- and 3200-byte payloads.
150 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
151 3 packets transmitted, 3 received, 0% packet loss, time 0ms
153 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
154 3 packets transmitted, 3 received, 0% packet loss, time 0ms
156 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
157 3 packets transmitted, 3 received, 0% packet loss, time 0ms
160 OVS_TRAFFIC_VSWITCHD_STOP
163 AT_SETUP([datapath - ping6 between two ports on cvlan])
dnl IPv6 over QinQ: outer service VLAN 4094 (fc00:ffff::/96) stacked with
dnl inner customer VLAN 100 (fc00:1::/96); pings target the inner-VLAN
dnl addresses so both tags must be preserved end to end.
164 OVS_TRAFFIC_VSWITCHD_START()
167 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
169 ADD_NAMESPACES(at_ns0, at_ns1)
171 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
172 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
174 ADD_SVLAN(p0, at_ns0, 4094, "fc00:ffff::1/96")
175 ADD_SVLAN(p1, at_ns1, 4094, "fc00:ffff::2/96")
177 ADD_CVLAN(p0.4094, at_ns0, 100, "fc00:1::1/96")
178 ADD_CVLAN(p1.4094, at_ns1, 100, "fc00:1::2/96")
dnl Wait for the IPv6 stack (and the stacked interfaces) to become usable
dnl before the strict zero-loss checks.
180 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00:1::2])
182 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
183 3 packets transmitted, 3 received, 0% packet loss, time 0ms
185 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
186 3 packets transmitted, 3 received, 0% packet loss, time 0ms
188 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
189 3 packets transmitted, 3 received, 0% packet loss, time 0ms
192 OVS_TRAFFIC_VSWITCHD_STOP
195 AT_SETUP([datapath - ping over bond])
dnl Ping from a single veth (p0 in at_ns0) to a namespace whose two veths
dnl (p1 p2) are bonded on br0 as bond0 with LACP active and the
dnl balance-tcp hashing mode.
196 OVS_TRAFFIC_VSWITCHD_START()
198 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
200 ADD_NAMESPACES(at_ns0, at_ns1)
202 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
203 ADD_VETH_BOND(p1 p2, at_ns1, br0, bond0, lacp=active bond_mode=balance-tcp, "10.1.1.2/24")
dnl Wait until the bond forwards at all (LACP negotiation presumably takes
dnl a moment) before the zero-loss checks.
205 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2])
207 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
208 3 packets transmitted, 3 received, 0% packet loss, time 0ms
210 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
211 3 packets transmitted, 3 received, 0% packet loss, time 0ms
213 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
214 3 packets transmitted, 3 received, 0% packet loss, time 0ms
217 OVS_TRAFFIC_VSWITCHD_STOP
220 AT_SETUP([datapath - ping over vxlan tunnel])
dnl Overlay-over-underlay topology shared by the tunnel tests: br-underlay
dnl carries the outer 172.31.1.0/24 traffic between the host (172.31.1.100
dnl on br-underlay itself) and at_ns0 (172.31.1.1 on veth p0). br0 owns
dnl the OVS VXLAN port and the inner 10.1.1.100/24 address; a native Linux
dnl vxlan device inside the namespace terminates the far end at 10.1.1.1/24.
223 OVS_TRAFFIC_VSWITCHD_START()
224 ADD_BR([br-underlay])
dnl Both bridges do plain L2 switching.
226 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
227 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
229 ADD_NAMESPACES(at_ns0)
231 dnl Set up underlay link from host into the namespace using veth pair.
232 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
233 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
234 AT_CHECK([ip link set dev br-underlay up])
236 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
237 dnl linux device inside the namespace.
dnl Each side's remote (4th argument) is the other side's underlay address.
238 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
239 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
242 dnl First, check the underlay
dnl Underlay reachability is proven first so an overlay failure can be
dnl attributed to the tunnel rather than to the veth/bridge plumbing.
243 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
244 3 packets transmitted, 3 received, 0% packet loss, time 0ms
247 dnl Okay, now check the overlay with different packet sizes
dnl 1600 and 3200 bytes exceed a 1500-byte MTU even before encapsulation,
dnl so these presumably exercise fragmentation of the tunnelled traffic.
248 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
249 3 packets transmitted, 3 received, 0% packet loss, time 0ms
251 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
252 3 packets transmitted, 3 received, 0% packet loss, time 0ms
254 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
255 3 packets transmitted, 3 received, 0% packet loss, time 0ms
258 OVS_TRAFFIC_VSWITCHD_STOP
261 AT_SETUP([datapath - ping over vxlan6 tunnel])
dnl VXLAN with an IPv6 underlay (fc00::/64) and an IPv4 overlay
dnl (10.1.1.0/24). The OVS_CHECK_* macro presumably skips the test when the
dnl kernel cannot do zero UDP checksums over IPv6.
262 OVS_CHECK_VXLAN_UDP6ZEROCSUM()
264 OVS_TRAFFIC_VSWITCHD_START()
265 ADD_BR([br-underlay])
267 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
268 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
270 ADD_NAMESPACES(at_ns0)
272 dnl Set up underlay link from host into the namespace using veth pair.
dnl "nodad" skips IPv6 duplicate address detection so the addresses are
dnl usable immediately instead of sitting in the tentative state.
273 ADD_VETH(p0, at_ns0, br-underlay, "fc00::1/64", [], [], "nodad")
274 AT_CHECK([ip addr add dev br-underlay "fc00::100/64" nodad])
275 AT_CHECK([ip link set dev br-underlay up])
277 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
278 dnl linux device inside the namespace.
dnl The native device uses the default VXLAN port 4789 and allows a zero
dnl UDP checksum in both directions (udp6zerocsumtx/rx), matching what the
dnl OVS_CHECK_* macro above gates on.
279 ADD_OVS_TUNNEL6([vxlan], [br0], [at_vxlan0], [fc00::1], [10.1.1.100/24])
280 ADD_NATIVE_TUNNEL6([vxlan], [at_vxlan1], [at_ns0], [fc00::100], [10.1.1.1/24],
281 [id 0 dstport 4789 udp6zerocsumtx udp6zerocsumrx])
dnl Wait for the IPv6 underlay to answer before the strict checks.
283 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::100])
285 dnl First, check the underlay
286 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::100 | FORMAT_PING], [0], [dnl
287 3 packets transmitted, 3 received, 0% packet loss, time 0ms
290 dnl Okay, now check the overlay with different packet sizes
dnl Overlay is IPv4, hence plain ping here; 1600/3200-byte payloads
dnl presumably exercise fragmentation of the encapsulated traffic.
291 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
292 3 packets transmitted, 3 received, 0% packet loss, time 0ms
294 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
295 3 packets transmitted, 3 received, 0% packet loss, time 0ms
297 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
298 3 packets transmitted, 3 received, 0% packet loss, time 0ms
301 OVS_TRAFFIC_VSWITCHD_STOP
304 AT_SETUP([datapath - ping over gre tunnel])
dnl GRE over an IPv4 underlay; the namespace side is a native gretap
dnl (L2-in-GRE) device. OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15) presumably skips
dnl the test on kernels in the 3.10–4.15 range — see its definition.
305 OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
308 OVS_TRAFFIC_VSWITCHD_START()
309 ADD_BR([br-underlay])
311 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
312 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
314 ADD_NAMESPACES(at_ns0)
316 dnl Set up underlay link from host into the namespace using veth pair.
317 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
318 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
319 AT_CHECK([ip link set dev br-underlay up])
321 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
322 dnl linux device inside the namespace.
dnl OVS side: port at_gre0 on br0, remote 172.31.1.1, inner 10.1.1.100/24.
dnl Namespace side: gretap ns_gre0, remote 172.31.1.100, inner 10.1.1.1/24.
323 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
324 ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])
326 dnl First, check the underlay
327 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
328 3 packets transmitted, 3 received, 0% packet loss, time 0ms
331 dnl Okay, now check the overlay with different packet sizes
dnl 1600/3200-byte payloads exceed a 1500-byte MTU and presumably exercise
dnl fragmentation of the GRE-encapsulated traffic.
332 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
333 3 packets transmitted, 3 received, 0% packet loss, time 0ms
335 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
336 3 packets transmitted, 3 received, 0% packet loss, time 0ms
338 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
339 3 packets transmitted, 3 received, 0% packet loss, time 0ms
342 OVS_TRAFFIC_VSWITCHD_STOP
345 AT_SETUP([datapath - ping over ip6gre L2 tunnel])
dnl GRE over an IPv6 underlay (fc00:100::/96) carrying an L2 payload: the
dnl OVS port is configured with packet_type=legacy_l2 and the namespace
dnl side is a native ip6gretap device. Only the default-size overlay ping
dnl is checked (no 1600/3200-byte variants); the reason is not recorded.
346 OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
350 OVS_TRAFFIC_VSWITCHD_START()
351 ADD_BR([br-underlay])
353 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
354 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
356 ADD_NAMESPACES(at_ns0)
358 dnl Set up underlay link from host into the namespace using veth pair.
dnl nodad: skip IPv6 duplicate address detection so the addresses are usable
dnl at once.
359 ADD_VETH(p0, at_ns0, br-underlay, "fc00:100::1/96", [], [], nodad)
360 AT_CHECK([ip addr add dev br-underlay "fc00:100::100/96" nodad])
361 AT_CHECK([ip link set dev br-underlay up])
363 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
364 dnl linux device inside the namespace.
dnl The native device pins its local address explicitly (local fc00:100::1).
365 ADD_OVS_TUNNEL6([ip6gre], [br0], [at_gre0], [fc00:100::1], [10.1.1.100/24],
366 [options:packet_type=legacy_l2])
367 ADD_NATIVE_TUNNEL6([ip6gretap], [ns_gretap0], [at_ns0], [fc00:100::100],
368 [10.1.1.1/24], [local fc00:100::1])
dnl Wait for the IPv6 underlay to settle before the strict checks.
370 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 2 fc00:100::100])
372 dnl First, check the underlay
373 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:100::100 | FORMAT_PING], [0], [dnl
374 3 packets transmitted, 3 received, 0% packet loss, time 0ms
377 dnl Okay, now check the overlay with different packet sizes
378 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
379 3 packets transmitted, 3 received, 0% packet loss, time 0ms
381 OVS_TRAFFIC_VSWITCHD_STOP
385 AT_SETUP([datapath - ping over erspan v1 tunnel])
dnl ERSPAN version 1 over an IPv4 underlay. The OVS port and the native
dnl Linux erspan device are configured with matching key (1), version (1)
dnl and index (erspan_idx=7 on the OVS side, "erspan 7" on the native side),
dnl so a mismatch in any of these shows up as overlay packet loss.
386 OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
390 OVS_TRAFFIC_VSWITCHD_START()
391 ADD_BR([br-underlay])
393 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
394 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
396 ADD_NAMESPACES(at_ns0)
398 dnl Set up underlay link from host into the namespace using veth pair.
399 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
400 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
401 AT_CHECK([ip link set dev br-underlay up])
403 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
404 dnl linux device inside the namespace.
405 ADD_OVS_TUNNEL([erspan], [br0], [at_erspan0], [172.31.1.1], [10.1.1.100/24], [options:key=1 options:erspan_ver=1 options:erspan_idx=7])
406 ADD_NATIVE_TUNNEL([erspan], [ns_erspan0], [at_ns0], [172.31.1.100], [10.1.1.1/24], [seq key 1 erspan_ver 1 erspan 7])
408 dnl First, check the underlay
409 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
410 3 packets transmitted, 3 received, 0% packet loss, time 0ms
413 dnl Okay, now check the overlay with different packet sizes
dnl NOTE(review): the default-size ping below is commented out and the
dnl active check uses a 1200-byte payload without -q/-w, unlike every other
dnl test in this file; the reason is not recorded here — document or restore.
414 dnl NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
415 NS_CHECK_EXEC([at_ns0], [ping -s 1200 -i 0.3 -c 3 10.1.1.100 | FORMAT_PING], [0], [dnl
416 3 packets transmitted, 3 received, 0% packet loss, time 0ms
418 OVS_TRAFFIC_VSWITCHD_STOP
421 AT_SETUP([datapath - ping over erspan v2 tunnel])
dnl ERSPAN version 2 over an IPv4 underlay. Both ends agree on key 1,
dnl version 2, direction (erspan_dir=1 on OVS, "erspan_dir egress" on the
dnl native device) and hardware id 7 (0x7 vs 7).
422 OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
426 OVS_TRAFFIC_VSWITCHD_START()
427 ADD_BR([br-underlay])
429 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
430 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
432 ADD_NAMESPACES(at_ns0)
434 dnl Set up underlay link from host into the namespace using veth pair.
435 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
436 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
437 AT_CHECK([ip link set dev br-underlay up])
439 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
440 dnl linux device inside the namespace.
441 ADD_OVS_TUNNEL([erspan], [br0], [at_erspan0], [172.31.1.1], [10.1.1.100/24], [options:key=1 options:erspan_ver=2 options:erspan_dir=1 options:erspan_hwid=0x7])
442 ADD_NATIVE_TUNNEL([erspan], [ns_erspan0], [at_ns0], [172.31.1.100], [10.1.1.1/24], [seq key 1 erspan_ver 2 erspan_dir egress erspan_hwid 7])
444 dnl First, check the underlay
445 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
446 3 packets transmitted, 3 received, 0% packet loss, time 0ms
449 dnl Okay, now check the overlay with different packet sizes
dnl NOTE(review): as in the erspan v1 test, the default-size ping is
dnl commented out and a 1200-byte payload without -q/-w is checked instead;
dnl the reason is not recorded here — document or restore.
450 dnl NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
451 NS_CHECK_EXEC([at_ns0], [ping -s 1200 -i 0.3 -c 3 10.1.1.100 | FORMAT_PING], [0], [dnl
452 3 packets transmitted, 3 received, 0% packet loss, time 0ms
454 OVS_TRAFFIC_VSWITCHD_STOP
457 AT_SETUP([datapath - ping over ip6erspan v1 tunnel])
dnl ERSPAN v1 over an IPv6 underlay (fc00:100::/96). Key 123, version 1 and
dnl index 7 (0x7 / "erspan 7") match on both ends; the native device also
dnl pins its local address. Only the default-size overlay ping is checked.
458 OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
462 OVS_TRAFFIC_VSWITCHD_START()
463 ADD_BR([br-underlay])
465 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
466 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
468 ADD_NAMESPACES(at_ns0)
470 dnl Set up underlay link from host into the namespace using veth pair.
dnl nodad: skip duplicate address detection so the addresses are usable at once.
471 ADD_VETH(p0, at_ns0, br-underlay, "fc00:100::1/96", [], [], nodad)
472 AT_CHECK([ip addr add dev br-underlay "fc00:100::100/96" nodad])
473 AT_CHECK([ip link set dev br-underlay up])
475 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
476 dnl linux device inside the namespace.
477 ADD_OVS_TUNNEL6([ip6erspan], [br0], [at_erspan0], [fc00:100::1], [10.1.1.100/24],
478 [options:key=123 options:erspan_ver=1 options:erspan_idx=0x7])
479 ADD_NATIVE_TUNNEL6([ip6erspan], [ns_erspan0], [at_ns0], [fc00:100::100],
480 [10.1.1.1/24], [local fc00:100::1 seq key 123 erspan_ver 1 erspan 7])
dnl Wait for the IPv6 underlay to settle before the strict checks.
482 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 2 fc00:100::100])
484 dnl First, check the underlay
485 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:100::100 | FORMAT_PING], [0], [dnl
486 3 packets transmitted, 3 received, 0% packet loss, time 0ms
489 dnl Okay, now check the overlay with different packet sizes
490 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
491 3 packets transmitted, 3 received, 0% packet loss, time 0ms
493 OVS_TRAFFIC_VSWITCHD_STOP
496 AT_SETUP([datapath - ping over ip6erspan v2 tunnel])
dnl ERSPAN v2 over an IPv6 underlay. Key 121, version 2, direction
dnl (erspan_dir=0 on OVS, "erspan_dir ingress" on the native device) and
dnl hardware id 0x7 match on both ends. Only the default-size overlay ping
dnl is checked.
497 OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
501 OVS_TRAFFIC_VSWITCHD_START()
502 ADD_BR([br-underlay])
504 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
505 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
507 ADD_NAMESPACES(at_ns0)
509 dnl Set up underlay link from host into the namespace using veth pair.
dnl nodad: skip duplicate address detection so the addresses are usable at once.
510 ADD_VETH(p0, at_ns0, br-underlay, "fc00:100::1/96", [], [], nodad)
511 AT_CHECK([ip addr add dev br-underlay "fc00:100::100/96" nodad])
512 AT_CHECK([ip link set dev br-underlay up])
514 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
515 dnl linux device inside the namespace.
516 ADD_OVS_TUNNEL6([ip6erspan], [br0], [at_erspan0], [fc00:100::1], [10.1.1.100/24],
517 [options:key=121 options:erspan_ver=2 options:erspan_dir=0 options:erspan_hwid=0x7])
518 ADD_NATIVE_TUNNEL6([ip6erspan], [ns_erspan0], [at_ns0], [fc00:100::100],
520 [local fc00:100::1 seq key 121 erspan_ver 2 erspan_dir ingress erspan_hwid 0x7])
dnl Wait for the IPv6 underlay to settle before the strict checks.
522 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 2 fc00:100::100])
524 dnl First, check the underlay
525 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:100::100 | FORMAT_PING], [0], [dnl
526 3 packets transmitted, 3 received, 0% packet loss, time 0ms
529 dnl Okay, now check the overlay with different packet sizes
530 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
531 3 packets transmitted, 3 received, 0% packet loss, time 0ms
533 OVS_TRAFFIC_VSWITCHD_STOP
536 AT_SETUP([datapath - ping over geneve tunnel])
dnl Geneve over an IPv4 underlay, same topology as the vxlan test: OVS port
dnl at_gnv0 on br0 (remote 172.31.1.1, inner 10.1.1.100/24) and a native
dnl Linux geneve device in at_ns0 (remote 172.31.1.100, inner 10.1.1.1/24).
539 OVS_TRAFFIC_VSWITCHD_START()
540 ADD_BR([br-underlay])
542 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
543 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
545 ADD_NAMESPACES(at_ns0)
547 dnl Set up underlay link from host into the namespace using veth pair.
548 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
549 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
550 AT_CHECK([ip link set dev br-underlay up])
552 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
553 dnl linux device inside the namespace.
554 ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24])
555 ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
558 dnl First, check the underlay
dnl Underlay reachability first, so an overlay failure points at the tunnel.
559 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
560 3 packets transmitted, 3 received, 0% packet loss, time 0ms
563 dnl Okay, now check the overlay with different packet sizes
dnl 1600/3200-byte payloads exceed a 1500-byte MTU and presumably exercise
dnl fragmentation of the encapsulated traffic.
564 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
565 3 packets transmitted, 3 received, 0% packet loss, time 0ms
567 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
568 3 packets transmitted, 3 received, 0% packet loss, time 0ms
570 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
571 3 packets transmitted, 3 received, 0% packet loss, time 0ms
574 OVS_TRAFFIC_VSWITCHD_STOP
577 AT_SETUP([datapath - flow resume with geneve tun_metadata])
dnl Checks that Geneve tunnel metadata (tun_metadata0) survives a
dnl controller(pause)/resume round trip: ICMP arriving from the tunnel gets
dnl tun_metadata0 set in table 0, is paused to the controller in table 1,
dnl and table 2 only forwards it to LOCAL if the metadata value is still
dnl 0xa after the frozen state is restored. A second phase changes the TLV
dnl map while a ping is in flight.
580 OVS_TRAFFIC_VSWITCHD_START()
581 ADD_BR([br-underlay])
dnl Background "controller" that resumes paused packets. Its stderr is
dnl discarded, so monitor errors would not show up in the test log.
583 AT_CHECK([ovs-ofctl monitor br0 resume --detach --no-chdir --pidfile 2> /dev/null])
585 ADD_NAMESPACES(at_ns0)
587 dnl Set up underlay link from host into the namespace using veth pair.
588 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
589 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
590 AT_CHECK([ip link set dev br-underlay up])
592 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
593 dnl linux device inside the namespace.
594 ADD_OVS_TUNNEL([geneve], [br0], [at_gnv0], [172.31.1.1], [10.1.1.100/24])
595 ADD_NATIVE_TUNNEL([geneve], [ns_gnv0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
599 AT_DATA([flows.txt], [dnl
600 table=0, arp action=NORMAL
601 table=0, in_port=LOCAL icmp action=output:at_gnv0
602 table=0, in_port=at_gnv0 icmp action=set_field:0xa->tun_metadata0,resubmit(,1)
603 table=1, icmp action=controller(pause), resubmit(,2)
604 table=2, tun_metadata0=0xa, icmp action=output:LOCAL
dnl tun_metadata0 must be mapped to a Geneve TLV (class/type/len) before
dnl the flows that reference it are installed.
606 AT_CHECK([ovs-ofctl add-tlv-map br0 "{class=0xffff,type=0,len=4}->tun_metadata0"])
607 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
608 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
dnl Echo replies only come back if table 2 matched, i.e. the metadata was
dnl intact after resume.
610 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 10.1.1.100 | FORMAT_PING], [0], [dnl
611 3 packets transmitted, 3 received, 0% packet loss, time 0ms
614 dnl Test that OVS handles TLV map modifications properly while frozen state
dnl is being restored. The background ping is never killed explicitly here;
dnl test teardown is relied on to reap it.
615 NS_CHECK_EXEC([at_ns0], [ping 10.1.1.100 > /dev/null &])
dnl Only the exit status of each add-tlv-map is checked; the ping keeps
dnl packets paused/resumed while the mappings change.
617 AT_CHECK([ovs-ofctl add-tlv-map br0 "{class=0xffff,type=0x88,len=4}->tun_metadata1"])
619 AT_CHECK([ovs-ofctl add-tlv-map br0 "{class=0xffff,type=0x99,len=4}->tun_metadata2"])
621 AT_CHECK([ovs-ofctl add-tlv-map br0 "{class=0xffff,type=0xaa,len=4}->tun_metadata3"])
dnl Stop the background monitor before the switch.
624 OVS_APP_EXIT_AND_WAIT([ovs-ofctl])
625 OVS_TRAFFIC_VSWITCHD_STOP
628 AT_SETUP([datapath - ping over geneve6 tunnel])
dnl Geneve with an IPv6 underlay (fc00::/64) and an IPv4 overlay. The
dnl OVS_CHECK_* macro presumably skips the test when the kernel cannot do
dnl zero UDP checksums over IPv6 for Geneve.
629 OVS_CHECK_GENEVE_UDP6ZEROCSUM()
631 OVS_TRAFFIC_VSWITCHD_START()
632 ADD_BR([br-underlay])
634 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
635 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
637 ADD_NAMESPACES(at_ns0)
639 dnl Set up underlay link from host into the namespace using veth pair.
dnl "nodad" skips IPv6 duplicate address detection so the addresses are
dnl usable immediately.
640 ADD_VETH(p0, at_ns0, br-underlay, "fc00::1/64", [], [], "nodad")
641 AT_CHECK([ip addr add dev br-underlay "fc00::100/64" nodad])
642 AT_CHECK([ip link set dev br-underlay up])
644 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
645 dnl linux device inside the namespace.
dnl Native device: VNI 0 and zero UDP checksum allowed in both directions.
646 ADD_OVS_TUNNEL6([geneve], [br0], [at_gnv0], [fc00::1], [10.1.1.100/24])
647 ADD_NATIVE_TUNNEL6([geneve], [ns_gnv0], [at_ns0], [fc00::100], [10.1.1.1/24],
648 [vni 0 udp6zerocsumtx udp6zerocsumrx])
dnl Wait for the IPv6 underlay to answer before the strict checks.
650 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::100])
652 dnl First, check the underlay
653 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::100 | FORMAT_PING], [0], [dnl
654 3 packets transmitted, 3 received, 0% packet loss, time 0ms
657 dnl Okay, now check the overlay with different packet sizes
dnl Overlay is IPv4; 1600/3200-byte payloads presumably exercise
dnl fragmentation of the encapsulated traffic.
658 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
659 3 packets transmitted, 3 received, 0% packet loss, time 0ms
661 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
662 3 packets transmitted, 3 received, 0% packet loss, time 0ms
664 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
665 3 packets transmitted, 3 received, 0% packet loss, time 0ms
668 OVS_TRAFFIC_VSWITCHD_STOP
671 AT_SETUP([datapath - ping over gre tunnel by simulated packets])
dnl GRE decapsulation/encapsulation test that does not depend on a kernel
dnl gretap device: only the OVS side of the tunnel exists, and the remote
dnl end is emulated by injecting pre-built GRE-encapsulated ARP and ICMP
dnl frames into br-underlay with "ovs-ofctl packet-out". tcpdump inside the
dnl namespace captures what OVS sends back.
672 OVS_CHECK_MIN_KERNEL(3, 10)
674 OVS_TRAFFIC_VSWITCHD_START()
dnl Fixed MAC addresses (br0 :01, br-underlay :02, veth p0 :03) make the
dnl hand-built frames and the expected replies deterministic.
675 AT_CHECK([ovs-vsctl -- set bridge br0 other-config:hwaddr=\"f2:ff:00:00:00:01\"])
676 ADD_BR([br-underlay], [set bridge br-underlay other-config:hwaddr=\"f2:ff:00:00:00:02\"])
678 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
679 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
681 ADD_NAMESPACES(at_ns0)
683 dnl Set up underlay link from host into the namespace using veth pair.
684 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", f2:ff:00:00:00:03)
685 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
686 AT_CHECK([ip link set dev br-underlay up])
688 dnl Set up tunnel endpoints on OVS outside the namespace.
689 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
dnl Presumably inserts a temporary host INPUT accept rule for br-underlay so
dnl the injected underlay traffic is not dropped by distribution defaults.
691 IPTABLES_ACCEPT([br-underlay])
dnl Capture everything the namespace receives for 172.31.1.1 (i.e. what OVS
dnl emits toward the emulated tunnel peer). Runs in the background and is
dnl left for test teardown to reap.
693 ip netns exec at_ns0 tcpdump -n -i p0 dst host 172.31.1.1 -l > p0.pcap &
696 dnl First, check the underlay.
697 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
698 3 packets transmitted, 3 received, 0% packet loss, time 0ms
701 dnl We don't actually add gretap port as below, instead, we will
702 dnl emulate one that sends packets. Suppose its mac address is f2:ff:00:00:00:04.
703 dnl ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24])
705 dnl Now, check the overlay by sending out raw arp and icmp packets.
dnl Frame 1: GRE-encapsulated ARP request from 10.1.1.1 (MAC :04) for
dnl 10.1.1.100, as if from p0 (:03) to br-underlay (:02). The expected
dnl answer is a GRE-wrapped ARP reply naming br0's MAC (:01).
706 ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff00000003080045000042ec2c4000402ff3bcac1f0101ac1f016400006558fffffffffffff2ff0000000408060001080006040001f2ff000000040a0101010000000000000a010164 actions=NORMAL"
708 OVS_WAIT_UNTIL([cat p0.pcap | egrep "IP 172.31.1.100 > 172.31.1.1: GREv0, length 46: ARP, Reply 10.1.1.100 is-at f2:ff:00:00:00:01.* length 28" 2>&1 1>/dev/null])
dnl Frame 2: GRE-encapsulated ICMP echo request 10.1.1.1 -> 10.1.1.100 with
dnl a 64-byte payload; a GRE-wrapped echo reply of the same length is
dnl expected back.
710 ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000308004500007aec8e4000402ff322ac1f0101ac1f016400006558f2ff00000001f2ff00000004080045000054548f40004001cfb30a0101010a0101640800e6e829270003e1a3435b00000000ff1a050000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637 actions=NORMAL"
712 OVS_WAIT_UNTIL([cat p0.pcap | egrep "IP 172.31.1.100 > 172.31.1.1: GREv0, length 102: IP 10.1.1.100 > 10.1.1.1: ICMP echo reply,.* length 64$" 2>&1 1>/dev/null])
714 OVS_TRAFFIC_VSWITCHD_STOP
717 AT_SETUP([datapath - ping over erspan v1 tunnel by simulated packets])
dnl ERSPAN v1 counterpart of the simulated-GRE test: only the OVS erspan
dnl port exists; the remote end is emulated by injecting pre-built
dnl ERSPAN-encapsulated ARP and ICMP frames into br-underlay, and tcpdump
dnl in the namespace (-x, hex dump) captures what OVS sends back.
718 OVS_CHECK_MIN_KERNEL(3, 10)
720 OVS_TRAFFIC_VSWITCHD_START()
dnl Fixed MACs (br0 :01, br-underlay :02, veth p0 :03) keep the hand-built
dnl frames and the expected hex output deterministic.
721 AT_CHECK([ovs-vsctl -- set bridge br0 other-config:hwaddr=\"f2:ff:00:00:00:01\"])
722 ADD_BR([br-underlay], [set bridge br-underlay other-config:hwaddr=\"f2:ff:00:00:00:02\"])
724 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
725 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
727 ADD_NAMESPACES(at_ns0)
729 dnl Set up underlay link from host into the namespace using veth pair.
730 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", f2:ff:00:00:00:03)
731 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
732 AT_CHECK([ip link set dev br-underlay up])
734 dnl Set up tunnel endpoints on OVS outside the namespace and emulate a native
735 dnl linux device inside the namespace.
dnl key 1 / version 1 / index 7 must match the values embedded in the
dnl injected frames below.
736 ADD_OVS_TUNNEL([erspan], [br0], [at_erspan0], [172.31.1.1], [10.1.1.100/24], [options:key=1 options:erspan_ver=1 options:erspan_idx=7])
dnl Presumably inserts a temporary host INPUT accept rule for br-underlay so
dnl the injected underlay traffic is not dropped by distribution defaults.
738 IPTABLES_ACCEPT([br-underlay])
dnl Background capture of everything sent to 172.31.1.1; left for teardown.
740 ip netns exec at_ns0 tcpdump -n -x -i p0 dst host 172.31.1.1 -l > p0.pcap &
743 dnl First, check the underlay
744 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
745 3 packets transmitted, 3 received, 0% packet loss, time 0ms
748 dnl Okay, now send out an arp request from 10.1.1.1 for 10.1.1.100 in erspan.
749 ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000308004500004e151d4000402fcac0ac1f0101ac1f0164100088be000000061000000100000007fffffffffffff2ff0000000408060001080006040001f2ff000000040a0101010000000000000a010164 actions=normal"
751 dnl 0002 is arp reply, followed by mac address of 10.1.1.100.
dnl The reply is matched on tcpdump's hex lines rather than its decode:
dnl ARP opcode 0002 + br0's MAC (:01) at offset 0x30, then sender IP
dnl 10.1.1.100, target MAC (:04) and target IP 10.1.1.1 at offset 0x40.
752 OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0030: 0806 0001 0800 0604 0002 f2ff 0000 0001" 2>&1 1>/dev/null])
753 OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0040: 0a01 0164 f2ff 0000 0004 0a01 0101" 2>&1 1>/dev/null])
755 dnl Okay, now check the overlay with raw icmp packets.
dnl Guard: no 122-byte GRE packet may exist before the echo request is
dnl injected, so the wait below can only be satisfied by the reply to it.
756 AT_FAIL_IF([cat p0.pcap | egrep "IP 172.31.1.100 > 172.31.1.1: GREv0,.* length 122" 2>&1 1>/dev/null])
758 ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000308004500008e70cb4000402f6ed2ac1f0101ac1f0164100088be000000051000000100000007f2ff00000001f2ff0000000408004500005c4a3340004001da070a0101010a010164080084f238fb0001f36a6b5b0000000021870e0000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f actions=normal"
760 OVS_WAIT_UNTIL([cat p0.pcap | egrep "IP 172.31.1.100 > 172.31.1.1: GREv0,.* length 122" 2>&1 1>/dev/null])
762 OVS_TRAFFIC_VSWITCHD_STOP
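765 AT_SETUP([datapath - ping over erspan v2 tunnel by simulated packets])
dnl ERSPAN v2 counterpart of the simulated-GRE test: only the OVS erspan
dnl port exists; the remote end is emulated by injecting pre-built
dnl ERSPAN-encapsulated ARP and ICMP frames into br-underlay, and tcpdump
dnl in the namespace (-x, hex dump) captures what OVS sends back.
766 OVS_CHECK_MIN_KERNEL(3, 10)
768 OVS_TRAFFIC_VSWITCHD_START()
dnl Fixed MACs (br0 :01, br-underlay :02, veth p0 :03) keep the hand-built
dnl frames and the expected hex output deterministic.
769 AT_CHECK([ovs-vsctl -- set bridge br0 other-config:hwaddr=\"f2:ff:00:00:00:01\"])
770 ADD_BR([br-underlay], [set bridge br-underlay other-config:hwaddr=\"f2:ff:00:00:00:02\"])
772 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
773 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
775 ADD_NAMESPACES(at_ns0)
777 dnl Set up underlay link from host into the namespace using veth pair.
778 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", f2:ff:00:00:00:03)
779 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
780 AT_CHECK([ip link set dev br-underlay up])
782 dnl Set up tunnel endpoints on OVS outside the namespace and simulate a native
783 dnl linux device inside the namespace.
dnl key 1 / version 2 / egress (erspan_dir=1) / hwid 0x7 must match the
dnl values embedded in the injected frames below.
784 ADD_OVS_TUNNEL([erspan], [br0], [at_erspan0], [172.31.1.1], [10.1.1.100/24], [options:key=1 options:erspan_ver=2 options:erspan_dir=1 options:erspan_hwid=0x7])
dnl Certain Linux distributions, like CentOS, have default iptable rules
dnl to reject input traffic from br-underlay. Use the shared macro, as the
dnl gre and erspan v1 "simulated packets" tests do, instead of an inline
dnl "iptables -I INPUT 1" / "on_exit 'iptables -D INPUT 1'" pair.
dnl NOTE(review): the cleanup registered by the macro should delete the rule
dnl by match (-i br-underlay -j ACCEPT) rather than by position, otherwise a
dnl rule inserted at position 1 in the meantime is the one removed and the
dnl ACCEPT stays behind on the host — confirm in the macro definition.
IPTABLES_ACCEPT([br-underlay])
dnl Background capture of everything sent to 172.31.1.1; left for teardown.
792 ip netns exec at_ns0 tcpdump -n -x -i p0 dst host 172.31.1.1 -l > p0.pcap &
795 dnl First, check the underlay.
796 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
797 3 packets transmitted, 3 received, 0% packet loss, time 0ms
800 dnl Okay, send raw arp request and icmp echo request.
dnl Frame 1: ERSPAN v2 encapsulated ARP request from 10.1.1.1 (MAC :04) for
dnl 10.1.1.100. The reply is matched on tcpdump's hex lines: ARP opcode
dnl 0002 followed by br0's MAC (:01) at offset 0x30, sender IP 10.1.1.100,
dnl target MAC (:04) and target IP 10.1.1.1 spanning offsets 0x40/0x50.
801 ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff00000003080045000052373d4000402fa89cac1f0101ac1f0164100088be00000006200000016f54b41700008078fffffffffffff2ff0000000408060001080006040001f2ff000000040a0101010000000000000a010164 actions=normal"
803 OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0030: 0000 0001 0806 0001 0800 0604 0002 f2ff" 2>&1 1>/dev/null])
804 OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0040: 0000 0001 0a01 0164 f2ff 0000 0004 0a01" 2>&1 1>/dev/null])
805 OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0050: 0101" 2>&1 1>/dev/null])
807 dnl Because tcpdump might not be able to parse erspan headers, we check icmp echo reply
808 dnl by packet length.
dnl Guard: no 126-byte GRE packet may exist before the echo request is
dnl injected, so the wait below can only be satisfied by the reply to it.
809 AT_FAIL_IF([cat p0.pcap | egrep "IP 172.31.1.100 > 172.31.1.1: GREv0,.* length 126" 2>&1 1>/dev/null])
dnl Frame 2: ERSPAN v2 encapsulated ICMP echo request 10.1.1.1 -> 10.1.1.100.
811 ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000308004500009287e14000402f57b8ac1f0101ac1f0164100088be0000000520000001144cd5a400008078f2ff00000001f2ff0000000408004500005c38d640004001eb640a0101010a01016408005e57585f0001df6c6b5b0000000045bc050000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f actions=normal"
813 OVS_WAIT_UNTIL([cat p0.pcap | egrep "IP 172.31.1.100 > 172.31.1.1: GREv0,.* length 126" 2>&1 1>/dev/null])
815 OVS_TRAFFIC_VSWITCHD_STOP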
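818 AT_SETUP([datapath - ping over ip6erspan v1 tunnel by simulated packets])
819 OVS_CHECK_MIN_KERNEL(3, 10)
dnl Fixed bridge MACs so the hand-built frames below can carry the right
dnl Ethernet addresses (f2:ff:00:00:00:01 = br0, ...:02 = br-underlay).
821 OVS_TRAFFIC_VSWITCHD_START()
822 AT_CHECK([ovs-vsctl -- set bridge br0 other-config:hwaddr=\"f2:ff:00:00:00:01\"])
823 ADD_BR([br-underlay], [set bridge br-underlay other-config:hwaddr=\"f2:ff:00:00:00:02\"])
825 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
826 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
828 ADD_NAMESPACES(at_ns0)
830 dnl Set up underlay link from host into the namespace using veth pair.
dnl p0 (in at_ns0, MAC f2:ff:00:00:00:03) is fc00:100::1; the host side of
dnl the underlay bridge is fc00:100::100.  Both are added with nodad.
831 ADD_VETH(p0, at_ns0, br-underlay, "fc00:100::1/96", f2:ff:00:00:00:03, [], nodad)
832 AT_CHECK([ip addr add dev br-underlay "fc00:100::100/96" nodad])
833 AT_CHECK([ip link set dev br-underlay up])
835 dnl Set up tunnel endpoints on OVS outside the namespace and simulate a native
836 dnl linux device inside the namespace.
dnl ERSPAN v1 (type II) with session/key 123 and index 0x7; the namespace end
dnl of the tunnel is never created, its traffic is injected by hand below.
837 ADD_OVS_TUNNEL6([ip6erspan], [br0], [at_erspan0], [fc00:100::1], [10.1.1.100/24],
838 [options:key=123 options:erspan_ver=1 options:erspan_idx=0x7])
dnl Wait until the IPv6 underlay actually forwards before relying on it.
840 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 2 fc00:100::100])
842 dnl Certain Linux distributions, like CentOS, have default iptable rules
843 dnl to reject input traffic from br-underlay. Here we add a rule to walk
dnl around this on the host firewall.  The rule is removed by match rather
dnl than by position: "-D INPUT 1" would delete whatever rule happens to be
dnl first at cleanup time (not necessarily ours, if the chain was touched in
dnl between) and could leave the ACCEPT rule behind on the host.
845 ip6tables -I INPUT 1 -i br-underlay -j ACCEPT
846 on_exit 'ip6tables -D INPUT -i br-underlay -j ACCEPT'
dnl Capture everything addressed to the namespace side of the underlay.  The
dnl capture runs in the background and nothing else stops it, so register
dnl its pid for cleanup.  NOTE(review): there is no synchronisation with
dnl tcpdump attaching to p0; the underlay ping below only gives it a head
dnl start.
848 ip netns exec at_ns0 tcpdump -n -x -i p0 dst host fc00:100::1 -l > p0.pcap &
on_exit "kill $!"
851 dnl First, check the underlay.
852 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:100::100 | FORMAT_PING], [0], [dnl
853 3 packets transmitted, 3 received, 0% packet loss, time 0ms
856 dnl Okay, now send raw arp request and icmp echo request.
dnl This is a hand-built IPv6 + GRE(seq) + ERSPAN v1 (session 123, index 7)
dnl frame carrying a broadcast ARP request for 10.1.1.100 from 10.1.1.1.
dnl The decapsulated reply (ARP opcode 2) must show up in the capture; it is
dnl matched on its hex dump because tcpdump may not parse ERSPAN.
857 ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000386dd60008531003a2f40fc000100000000000000000000000001fc000100000000000000000000000100100088be000000051000007b00000007fffffffffffff2ff0000000408060001080006040001f2ff000000040a0101010000000000000a010164 actions=normal"
860 OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0040: 0000 0001 0806 0001 0800 0604 0002 f2ff" 2>&1 1>/dev/null])
861 OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0050: 0000 0001 0a01 0164 f2ff 0000 0004 0a01" 2>&1 1>/dev/null])
862 OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0060: 0101" 2>&1 1>/dev/null])
dnl No encapsulated ICMP echo reply (GRE frame of length 114) may exist yet.
864 AT_FAIL_IF([cat p0.pcap | egrep "IP6 fc00:100::100 > fc00:100::1: GREv0,.* length 114" 2>&1 1>/dev/null])
dnl Same encapsulation, now carrying an ICMP echo request 10.1.1.1 -> 10.1.1.100;
dnl the reply is recognised by its encapsulated length only.
866 ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000386dd60008531007a3c40fc000100000000000000000000000001fc0001000000000000000000000001002f00040104010100100088be000000061000407b00000007f2ff00000001f2ff0000000408004500005429b640004001fa8c0a0101010a01016408005c2c7526000118d3685b00000000e4aa020000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637 actions=normal"
868 OVS_WAIT_UNTIL([cat p0.pcap | egrep "IP6 fc00:100::100 > fc00:100::1: GREv0,.* length 114" 2>&1 1>/dev/null])
870 OVS_TRAFFIC_VSWITCHD_STOP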
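873 AT_SETUP([datapath - ping over ip6erspan v2 tunnel by simulated packets])
874 OVS_CHECK_MIN_KERNEL(3, 10)
dnl Fixed bridge MACs so the hand-built frames below can carry the right
dnl Ethernet addresses (f2:ff:00:00:00:01 = br0, ...:02 = br-underlay).
876 OVS_TRAFFIC_VSWITCHD_START()
877 AT_CHECK([ovs-vsctl -- set bridge br0 other-config:hwaddr=\"f2:ff:00:00:00:01\"])
878 ADD_BR([br-underlay], [set bridge br-underlay other-config:hwaddr=\"f2:ff:00:00:00:02\"])
880 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
881 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
883 ADD_NAMESPACES(at_ns0)
885 dnl Set up underlay link from host into the namespace using veth pair.
dnl p0 (in at_ns0, MAC f2:ff:00:00:00:03) is fc00:100::1; the host side of
dnl the underlay bridge is fc00:100::100.  Both are added with nodad.
886 ADD_VETH(p0, at_ns0, br-underlay, "fc00:100::1/96", f2:ff:00:00:00:03, [], nodad)
887 AT_CHECK([ip addr add dev br-underlay "fc00:100::100/96" nodad])
888 AT_CHECK([ip link set dev br-underlay up])
890 dnl Set up tunnel endpoints on OVS outside the namespace and simulate a native
891 dnl linux device inside the namespace.
dnl ERSPAN v2 (type III) with session/key 121, direction 0 and hwid 0x7; the
dnl namespace end of the tunnel is never created, its traffic is injected by
dnl hand below.
892 ADD_OVS_TUNNEL6([ip6erspan], [br0], [at_erspan0], [fc00:100::1], [10.1.1.100/24],
893 [options:key=121 options:erspan_ver=2 options:erspan_dir=0 options:erspan_hwid=0x7])
dnl Wait until the IPv6 underlay actually forwards before relying on it.
895 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 2 fc00:100::100])
897 dnl Certain Linux distributions, like CentOS, have default iptable rules
898 dnl to reject input traffic from br-underlay. Here we add a rule to walk
dnl around this on the host firewall.  The rule is removed by match rather
dnl than by position: "-D INPUT 1" would delete whatever rule happens to be
dnl first at cleanup time (not necessarily ours, if the chain was touched in
dnl between) and could leave the ACCEPT rule behind on the host.
900 ip6tables -I INPUT 1 -i br-underlay -j ACCEPT
901 on_exit 'ip6tables -D INPUT -i br-underlay -j ACCEPT'
dnl Capture everything addressed to the namespace side of the underlay.  The
dnl capture runs in the background and nothing else stops it, so register
dnl its pid for cleanup.  NOTE(review): there is no synchronisation with
dnl tcpdump attaching to p0; the underlay ping below only gives it a head
dnl start.
903 ip netns exec at_ns0 tcpdump -n -x -i p0 dst host fc00:100::1 -l > p0.pcap &
on_exit "kill $!"
906 dnl First, check the underlay.
907 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:100::100 | FORMAT_PING], [0], [dnl
908 3 packets transmitted, 3 received, 0% packet loss, time 0ms
911 dnl Okay, now send raw arp request and icmp echo request.
dnl This is a hand-built IPv6 + GRE(seq) + ERSPAN v2 (session 121) frame
dnl carrying a broadcast ARP request for 10.1.1.100 from 10.1.1.1.  The
dnl decapsulated reply (ARP opcode 2) must show up in the capture; it is
dnl matched on its hex dump because tcpdump may not parse ERSPAN.  The
dnl offsets differ from the v1 test because the v2 header is longer.
912 ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000386dd60008531003e2f40fc000100000000000000000000000001fc000100000000000000000000000100100088be0000000620000079af514f9900008070fffffffffffff2ff0000000408060001080006040001f2ff000000040a0101010000000000000a010164 actions=normal"
914 OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0040: 0004 f2ff 0000 0001 0806 0001 0800 0604" 2>&1 1>/dev/null])
915 OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0050: 0002 f2ff 0000 0001 0a01 0164 f2ff 0000" 2>&1 1>/dev/null])
916 OVS_WAIT_UNTIL([cat p0.pcap | egrep "0x0060: 0004 0a01 0101" 2>&1 1>/dev/null])
dnl No encapsulated ICMP echo reply (GRE frame of length 118) may exist yet.
918 AT_FAIL_IF([cat p0.pcap | egrep "IP6 fc00:100::100 > fc00:100::1: GREv0, .* length 118" 2>&1 1>/dev/null])
dnl Same encapsulation, now carrying an ICMP echo request 10.1.1.1 -> 10.1.1.100;
dnl the reply is recognised by its encapsulated length only.
920 ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=f2ff00000002f2ff0000000386dd60008531007e3c40fc000100000000000000000000000001fc0001000000000000000000000001002f00040104010100100088be0000000720004079af514f9b00008070f2ff00000001f2ff00000004080045000054ffcb4000400124770a0101010a0101640800419e23ac000112d7685b000000004caf0c0000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637 actions=normal"
922 OVS_WAIT_UNTIL([cat p0.pcap | egrep "IP6 fc00:100::100 > fc00:100::1: GREv0, .* length 118" 2>&1 1>/dev/null])
924 OVS_TRAFFIC_VSWITCHD_STOP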
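927 AT_SETUP([datapath - clone action])
928 OVS_TRAFFIC_VSWITCHD_START()
dnl at_ns2 is created here but nothing in this test attaches anything to it.
930 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2)
932 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
933 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
935 AT_CHECK([ovs-vsctl -- set interface ovs-p0 ofport_request=1 \
936 -- set interface ovs-p1 ofport_request=2])
dnl clone() must not leak its header modifications into the actions that
dnl follow it: the ping below has to succeed with the original addresses,
dnl while the copy delivered to the controller (port 2 -> port 1 direction)
dnl carries the rewritten MACs and the 192.168.4.4 destination.
938 AT_DATA([flows.txt], [dnl
939 priority=1 actions=NORMAL
940 priority=10 in_port=1,ip,actions=clone(mod_dl_dst(50:54:00:00:00:0a),set_field:192.168.3.3->ip_dst), output:2
941 priority=10 in_port=2,ip,actions=clone(mod_dl_src(ae:c6:7e:54:8d:4d),mod_dl_dst(50:54:00:00:00:0b),set_field:192.168.4.4->ip_dst, controller), output:1
943 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl Keep the monitor log in the testsuite output on failure, as the
dnl conntrack tests do for the same file.
AT_CAPTURE_FILE([ofctl_monitor.log])
945 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
946 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
947 3 packets transmitted, 3 received, 0% packet loss, time 0ms
950 OVS_APP_EXIT_AND_WAIT([ovs-ofctl])
dnl One packet-in per echo reply, showing only the cloned (modified) copy.
952 AT_CHECK([cat ofctl_monitor.log | STRIP_MONITOR_CSUM], [0], [dnl
953 icmp,vlan_tci=0x0000,dl_src=ae:c6:7e:54:8d:4d,dl_dst=50:54:00:00:00:0b,nw_src=10.1.1.2,nw_dst=192.168.4.4,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0 icmp_csum: <skip>
954 icmp,vlan_tci=0x0000,dl_src=ae:c6:7e:54:8d:4d,dl_dst=50:54:00:00:00:0b,nw_src=10.1.1.2,nw_dst=192.168.4.4,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0 icmp_csum: <skip>
955 icmp,vlan_tci=0x0000,dl_src=ae:c6:7e:54:8d:4d,dl_dst=50:54:00:00:00:0b,nw_src=10.1.1.2,nw_dst=192.168.4.4,nw_tos=0,nw_ecn=0,nw_ttl=64,icmp_type=0,icmp_code=0 icmp_csum: <skip>
958 OVS_TRAFFIC_VSWITCHD_STOP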
961 AT_SETUP([datapath - mpls actions])
dnl Two bridges joined by a veth pair ("patch0"/"patch1" are plain veths,
dnl not OVS patch ports).  Both bridges load the same flows: IPv4 entering
dnl either bridge gets an MPLS label pushed, the other bridge pops it, so
dnl the two namespaces must still be able to ping each other both ways.
962 OVS_TRAFFIC_VSWITCHD_START([_ADD_BR([br1])])
964 ADD_NAMESPACES(at_ns0, at_ns1)
966 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
967 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
969 AT_CHECK([ip link add patch0 type veth peer name patch1])
970 on_exit 'ip link del patch0'
972 AT_CHECK([ip link set dev patch0 up])
973 AT_CHECK([ip link set dev patch1 up])
974 AT_CHECK([ovs-vsctl add-port br0 patch0])
975 AT_CHECK([ovs-vsctl add-port br1 patch1])
dnl table 0: IPv4 -> push one MPLS label (value 3) and go to table 1;
dnl          MPLS with label 3 -> pop back to IPv4 and go to table 1;
dnl          anything else -> table 1.  table 1 forwards normally.
dnl NOTE(review): label 3 is a reserved value ("implicit NULL", RFC 3032);
dnl here it only serves as a match key on the wire between the bridges.
977 AT_DATA([flows.txt], [dnl
978 table=0,priority=100,dl_type=0x0800 actions=push_mpls:0x8847,set_mpls_label:3,resubmit(,1)
979 table=0,priority=100,dl_type=0x8847,mpls_label=3 actions=pop_mpls:0x0800,resubmit(,1)
980 table=0,priority=10 actions=resubmit(,1)
981 table=1,priority=10 actions=normal
984 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
985 AT_CHECK([ovs-ofctl add-flows br1 flows.txt])
dnl Push on br0 / pop on br1, then the reverse direction.
987 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
988 3 packets transmitted, 3 received, 0% packet loss, time 0ms
991 NS_CHECK_EXEC([at_ns1], [ping -q -c 3 -i 0.3 -w 2 10.1.1.1 | FORMAT_PING], [0], [dnl
992 3 packets transmitted, 3 received, 0% packet loss, time 0ms
995 OVS_TRAFFIC_VSWITCHD_STOP
998 AT_SETUP([datapath - multiple mpls label pop])
dnl Same two-bridge / veth-pair layout as "datapath - mpls actions", but the
dnl ingress bridge pushes a three-label stack and the egress bridge has to
dnl pop all three (one per table) before forwarding the IPv4 packet.
999 OVS_TRAFFIC_VSWITCHD_START([_ADD_BR([br1])])
1001 ADD_NAMESPACES(at_ns0, at_ns1)
1003 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1004 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
1006 AT_CHECK([ip link add patch0 type veth peer name patch1])
1007 on_exit 'ip link del patch0'
1009 AT_CHECK([ip link set dev patch0 up])
1010 AT_CHECK([ip link set dev patch1 up])
1011 AT_CHECK([ovs-vsctl add-port br0 patch0])
1012 AT_CHECK([ovs-vsctl add-port br1 patch1])
dnl Push order is 3, 2, 1, so label 1 ends up outermost.  On the receiving
dnl bridge: table 0 pops label 1 (still MPLS) -> table 1 pops label 2 (still
dnl MPLS) -> table 2 pops label 3 back to IPv4 -> table 3 forwards normally.
dnl Non-IPv4/non-MPLS traffic (e.g. ARP) goes straight to table 3.
1014 AT_DATA([flows.txt], [dnl
1015 table=0,priority=100,dl_type=0x0800 actions=push_mpls:0x8847,set_mpls_label:3,push_mpls:0x8847,set_mpls_label:2,push_mpls:0x8847,set_mpls_label:1,resubmit(,3)
1016 table=0,priority=100,dl_type=0x8847,mpls_label=1 actions=pop_mpls:0x8847,resubmit(,1)
1017 table=1,priority=100,dl_type=0x8847,mpls_label=2 actions=pop_mpls:0x8847,resubmit(,2)
1018 table=2,priority=100,dl_type=0x8847,mpls_label=3 actions=pop_mpls:0x0800,resubmit(,3)
1019 table=0,priority=10 actions=resubmit(,3)
1020 table=3,priority=10 actions=normal
1023 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1024 AT_CHECK([ovs-ofctl add-flows br1 flows.txt])
dnl Both directions must survive the triple push/pop.
1026 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1027 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1030 NS_CHECK_EXEC([at_ns1], [ping -q -c 3 -i 0.3 -w 2 10.1.1.1 | FORMAT_PING], [0], [dnl
1031 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1033 OVS_TRAFFIC_VSWITCHD_STOP
1036 AT_SETUP([datapath - basic truncate action])
1037 AT_SKIP_IF([test $HAVE_NC = no])
1038 OVS_TRAFFIC_VSWITCHD_START()
1039 AT_CHECK([ovs-ofctl del-flows br0])
1041 dnl Create p0 and ovs-p0(1)
dnl The sender's MAC and the (static) MAC of 10.1.1.2 are pinned so that the
dnl flows below can match on dl_dst and no ARP exchange is needed.
1042 ADD_NAMESPACES(at_ns0)
1043 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1044 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
1045 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
1047 dnl Create p1(3) and ovs-p1(2), packets received from ovs-p1 will appear in p1
dnl Both ends of each veth pair are OVS ports, so whatever is output to
dnl port 2 re-enters the bridge on port 3 (and port 4 -> port 5), where a
dnl drop flow's byte counter records the size that actually went out.
1048 AT_CHECK([ip link add p1 type veth peer name ovs-p1])
1049 on_exit 'ip link del ovs-p1'
1050 AT_CHECK([ip link set dev ovs-p1 up])
1051 AT_CHECK([ip link set dev p1 up])
1052 AT_CHECK([ovs-vsctl add-port br0 ovs-p1 -- set interface ovs-p1 ofport_request=2])
1053 dnl Use p1 to check the truncated packet
1054 AT_CHECK([ovs-vsctl add-port br0 p1 -- set interface p1 ofport_request=3])
1056 dnl Create p2(5) and ovs-p2(4)
1057 AT_CHECK([ip link add p2 type veth peer name ovs-p2])
1058 on_exit 'ip link del ovs-p2'
1059 AT_CHECK([ip link set dev ovs-p2 up])
1060 AT_CHECK([ip link set dev p2 up])
1061 AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=4])
1062 dnl Use p2 to check the truncated packet
1063 AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=5])
dnl Simple case: one truncated copy (100 bytes) to port 2, one full copy to
dnl port 4.
1066 AT_CHECK([ovs-ofctl del-flows br0])
1067 AT_DATA([flows.txt], [dnl
1068 in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
1069 in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
1070 in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4
1072 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1074 dnl use this file as payload file for ncat
dnl 200 random bytes of UDP payload -> ETH(14)+IP(20)+UDP(8)+200 = 242B frame.
1075 AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
1076 on_exit 'rm -f payload200.bin'
1077 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
1079 dnl packet with truncated size
dnl revalidator/purge pushes datapath flow stats into the OpenFlow counters
dnl before they are read.
1080 AT_CHECK([ovs-appctl revalidator/purge], [0])
1081 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1084 dnl packet with original size
1085 AT_CHECK([ovs-appctl revalidator/purge], [0])
1086 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1090 dnl more complicated output actions
dnl Mixed list: truncation must apply only to the output it is attached to,
dnl and a max_len larger than the packet must leave the packet intact.
1091 AT_CHECK([ovs-ofctl del-flows br0])
1092 AT_DATA([flows.txt], [dnl
1093 in_port=3 dl_dst=e6:66:c1:22:22:22 actions=drop
1094 in_port=5 dl_dst=e6:66:c1:22:22:22 actions=drop
1095 in_port=1 dl_dst=e6:66:c1:22:22:22 actions=output(port=2,max_len=100),output:4,output(port=2,max_len=100),output(port=4,max_len=100),output:2,output(port=4,max_len=200),output(port=2,max_len=65535)
1097 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1099 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
1101 dnl 100 + 100 + 242 + min(65535,242) = 684
1102 AT_CHECK([ovs-appctl revalidator/purge], [0])
1103 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1106 dnl 242 + 100 + min(242,200) = 542
1107 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1111 dnl SLOW_ACTION: disable kernel datapath truncate support
1112 dnl Repeat the test above, but exercise the SLOW_ACTION code path
dnl With trunc reported as unsupported, ofproto must keep the flow in the
dnl userspace slow path and do the truncation itself; the byte counts have
dnl to come out the same as in the fast-path run above.
1113 AT_CHECK([ovs-appctl dpif/set-dp-features br0 trunc false], [0])
1115 dnl SLOW_ACTION test1: check datapath actions
1116 AT_CHECK([ovs-ofctl del-flows br0])
1117 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1119 AT_CHECK([ovs-appctl ofproto/trace br0 "in_port=1,dl_type=0x800,dl_src=e6:66:c1:11:11:11,dl_dst=e6:66:c1:22:22:22,nw_src=192.168.0.1,nw_dst=192.168.0.2,nw_proto=6,tp_src=8,tp_dst=9"], [0], [stdout])
1120 AT_CHECK([tail -3 stdout], [0],
1121 [Datapath actions: trunc(100),3,5,trunc(100),3,trunc(100),5,3,trunc(200),5,trunc(65535),3
1122 This flow is handled by the userspace slow path because it:
1123 - Uses action(s) not supported by datapath.
1126 dnl SLOW_ACTION test2: check actual packet truncate
1127 AT_CHECK([ovs-ofctl del-flows br0])
1128 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1129 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 1234 < payload200.bin])
1131 dnl 100 + 100 + 242 + min(65535,242) = 684
1132 AT_CHECK([ovs-appctl revalidator/purge], [0])
1133 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=3" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1137 dnl 242 + 100 + min(242,200) = 542
1138 AT_CHECK([ovs-ofctl dump-flows br0 table=0 | grep "in_port=5" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1142 OVS_TRAFFIC_VSWITCHD_STOP
1145 dnl Create 2 bridges and 2 namespaces to test truncate over
1147 dnl br0: overlay bridge
1148 dnl ns1: connect to br0, with IP:10.1.1.2
1149 dnl br-underlay: with IP: 172.31.1.100
1150 dnl ns0: connect to br-underlay via p0 (172.31.1.1); the overlay endpoint 10.1.1.1 is not a real device here but is simulated with hand-built GRE packets
1151 AT_SETUP([datapath - truncate and output to gre tunnel by simulated packets])
1152 OVS_CHECK_MIN_KERNEL(3, 10)
1153 AT_SKIP_IF([test $HAVE_NC = no])
1154 OVS_TRAFFIC_VSWITCHD_START()
dnl br-underlay's MAC and p0's MAC are pinned because the GRE frame injected
dnl below carries them literally (dst 02:90:8c:a8:a1:49, src fa:ad:fa:25:05:60).
1156 ADD_BR([br-underlay], [set bridge br-underlay other-config:hwaddr=\"02:90:8c:a8:a1:49\"])
1157 ADD_NAMESPACES(at_ns0)
1158 ADD_NAMESPACES(at_ns1)
1159 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
1160 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1162 dnl Set up underlay link from host into the namespace using veth pair.
1163 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24", fa:ad:fa:25:05:60)
1164 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1165 AT_CHECK([ip link set dev br-underlay up])
1167 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1168 dnl linux device inside the namespace.
1169 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
1171 dnl The below native tunnel isn't actually added. We simulate it to send
1172 dnl and receive packets.
1173 dnl ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
1174 dnl [], [address e6:66:c1:11:11:11])
1175 dnl AT_CHECK([ovs-vsctl -- set interface at_gre0 ofport_request=1])
1176 dnl NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
1178 dnl Set up (p1 and ovs-p1) at br0
dnl Static ARP for the (simulated) 10.1.1.1 so the push-path nc below does
dnl not need an ARP reply from a tunnel peer that does not exist.
1179 ADD_VETH(p1, at_ns1, br0, '10.1.1.2/24')
1180 AT_CHECK([ovs-vsctl -- set interface ovs-p1 ofport_request=2])
1181 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
1182 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
1184 dnl Set up (p2 and ovs-p2) as loopback for verifying packet size
dnl Output to port 3 comes back in on port 4, where a drop flow's n_bytes
dnl records the post-truncation size.
1185 AT_CHECK([ip link add p2 type veth peer name ovs-p2])
1186 on_exit 'ip link del ovs-p2'
1187 AT_CHECK([ip link set dev ovs-p2 up])
1188 AT_CHECK([ip link set dev p2 up])
1189 AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=3])
1190 AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=4])
1192 dnl use this file as payload file for ncat
1193 AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
1194 on_exit 'rm -f payload200.bin'
dnl Overlay flows: tunnel ingress (port 1) is truncated to 100 bytes towards
dnl both the host and the loopback; UDP from the host is truncated to 100
dnl bytes before encapsulation.  Everything else is dropped.
1196 AT_CHECK([ovs-ofctl del-flows br0])
1197 AT_DATA([flows.txt], [dnl
1198 priority=99,in_port=1,actions=output(port=2,max_len=100),output(port=3,max_len=100)
1199 priority=99,in_port=2,udp,actions=output(port=1,max_len=100)
1200 priority=1,in_port=4,ip,actions=drop
1201 priority=1,actions=drop
1203 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl Underlay flows: only GRE (IP proto 47) is forwarded between port 1 and
dnl the bridge-local port; the byte counter on the LOCAL->1 flow gives the
dnl encapsulated size.  Note the /24 on ip_dst matches the whole underlay
dnl subnet, not only the peer.
1205 AT_CHECK([ovs-ofctl del-flows br-underlay])
1206 AT_DATA([flows-underlay.txt], [dnl
1207 priority=99,dl_type=0x0800,nw_proto=47,in_port=1,actions=LOCAL
1208 priority=99,dl_type=0x0800,nw_proto=47,in_port=LOCAL,ip_dst=172.31.1.1/24,actions=1
1209 priority=1,actions=drop
1212 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
1214 dnl check tunnel push path, from at_ns1 to at_ns0
1215 NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
1216 AT_CHECK([ovs-appctl revalidator/purge], [0])
1218 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
1219 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1222 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
1223 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1227 dnl check tunnel pop path, from at_ns0 to at_ns1
1228 dnl This 200-byte packet is simulated on behalf of ns_gre0
dnl Hand-built frame: outer IP 172.31.1.1 -> 172.31.1.100, GRE proto 0x6558
dnl (transparent Ethernet bridging), inner Ethernet e6:66:c1:11:11:11 ->
dnl e6:66:c1:22:22:22, inner UDP 10.1.1.1 -> 10.1.1.2:5678 with a 200-byte
dnl payload.  Injected on br-underlay port 1 and handed to LOCAL, i.e. the
dnl host stack, which decapsulates it into at_gre0.
1229 ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=02908ca8a149faadfa25056008004500010a9e9d4000402f4084ac1f0101ac1f016400006558e666c1222222e666c11111110800450000e46f8e40004011b4760a0101010a010102e026162e00d016e6a366ebf904c74132c6fed42a9e9e46240b4d9fd13c9b47d9704a388e70a5e77db16934a6188dc01d86aa20007ace2cf9cdb111f208474b88ffc851c871f0e3fb4fff138c1d288d437efff487e2b86a9c99fbf4229a6485e133bcf3e16f6e345207fda0932d9eeb602740456fd077b4847d25481337bd716155cc245be129ccc11bf82b834767b3760b52fe913c0e24f31c0e1b27f88acf7bba6b985fb64ee2cd6fc6bba1a9c1f021e253e1728b046fd4d023307e3296361a37ea2617ebcb2537e0284a81050dd0ee actions=LOCAL"
1231 dnl After truncation = 100 byte at loopback device p2(4)
1232 AT_CHECK([ovs-appctl revalidator/purge], [0])
1233 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | ofctl_strip], [0], [dnl
1234 n_packets=1, n_bytes=100, priority=1,ip,in_port=4 actions=drop
1237 dnl SLOW_ACTION: disable datapath truncate support
1238 dnl Repeat the test above, but exercise the SLOW_ACTION code path
1239 AT_CHECK([ovs-appctl dpif/set-dp-features br0 trunc false], [0])
1241 dnl SLOW_ACTION test1: check datapath actions
dnl NOTE(review): unlike the basic truncate test, no ofproto/trace check of
dnl the slow-path datapath actions is performed here; the flows are just
dnl reinstalled.
1242 AT_CHECK([ovs-ofctl del-flows br0])
1243 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1245 dnl SLOW_ACTION test2: check actual packet truncate
dnl Reinstalling the flows also resets their counters, so the byte counts
dnl below are for the slow-path run only.
1246 AT_CHECK([ovs-ofctl del-flows br0])
1247 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1248 AT_CHECK([ovs-ofctl del-flows br-underlay])
1249 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
1251 dnl check tunnel push path, from at_ns1 to at_ns0
1252 NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
1253 AT_CHECK([ovs-appctl revalidator/purge], [0])
1255 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
1256 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1259 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
1260 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1264 dnl check tunnel pop path, from at_ns0 to at_ns1
1265 dnl This 200-byte packet is simulated on behalf of ns_gre0
dnl Same hand-built GRE frame as in the fast-path run above.
1266 ovs-ofctl -O OpenFlow13 packet-out br-underlay "in_port=1 packet=02908ca8a149faadfa25056008004500010a9e9d4000402f4084ac1f0101ac1f016400006558e666c1222222e666c11111110800450000e46f8e40004011b4760a0101010a010102e026162e00d016e6a366ebf904c74132c6fed42a9e9e46240b4d9fd13c9b47d9704a388e70a5e77db16934a6188dc01d86aa20007ace2cf9cdb111f208474b88ffc851c871f0e3fb4fff138c1d288d437efff487e2b86a9c99fbf4229a6485e133bcf3e16f6e345207fda0932d9eeb602740456fd077b4847d25481337bd716155cc245be129ccc11bf82b834767b3760b52fe913c0e24f31c0e1b27f88acf7bba6b985fb64ee2cd6fc6bba1a9c1f021e253e1728b046fd4d023307e3296361a37ea2617ebcb2537e0284a81050dd0ee actions=LOCAL"
1268 dnl After truncation = 100 byte at loopback device p2(4)
1269 AT_CHECK([ovs-appctl revalidator/purge], [0])
1270 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | ofctl_strip], [0], [dnl
1271 n_packets=1, n_bytes=100, priority=1,ip,in_port=4 actions=drop
1274 OVS_TRAFFIC_VSWITCHD_STOP
1277 dnl Create 2 bridges and 2 namespaces to test truncate over
1279 dnl br0: overlay bridge
1280 dnl ns1: connect to br0, with IP:10.1.1.2
1281 dnl br-underlay: with IP: 172.31.1.100
1282 dnl ns0: connect to br-underlay via p0 (172.31.1.1), with a native gretap device ns_gre0 at IP 10.1.1.1
1283 AT_SETUP([datapath - truncate and output to gre tunnel])
1284 AT_SKIP_IF([test $HAVE_NC = no])
dnl NOTE(review): presumably skips the test on kernels between 3.10 and
dnl 4.15 -- confirm against the macro definition.
1285 OVS_CHECK_KERNEL_EXCL(3, 10, 4, 15)
1287 OVS_TRAFFIC_VSWITCHD_START()
1289 ADD_BR([br-underlay])
1290 ADD_NAMESPACES(at_ns0)
1291 ADD_NAMESPACES(at_ns1)
1292 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
1293 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1295 dnl Set up underlay link from host into the namespace using veth pair.
1296 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
1297 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1298 AT_CHECK([ip link set dev br-underlay up])
1300 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1301 dnl linux device inside the namespace.
dnl Unlike the "by simulated packets" variant, the namespace really gets a
dnl gretap device (ns_gre0, 10.1.1.1, MAC e6:66:c1:11:11:11) and the
dnl traffic in both directions is generated with nc.
1302 ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24])
1303 ADD_NATIVE_TUNNEL([gretap], [ns_gre0], [at_ns0], [172.31.1.100], [10.1.1.1/24],
1304 [], [address e6:66:c1:11:11:11])
1305 AT_CHECK([ovs-vsctl -- set interface at_gre0 ofport_request=1])
1306 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
1308 dnl Set up (p1 and ovs-p1) at br0
dnl Static ARP entries on both sides: the overlay flows below drop
dnl everything that is not matched explicitly, including ARP.
1309 ADD_VETH(p1, at_ns1, br0, '10.1.1.2/24')
1310 AT_CHECK([ovs-vsctl -- set interface ovs-p1 ofport_request=2])
1311 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
1312 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
1314 dnl Set up (p2 and ovs-p2) as loopback for verifying packet size
dnl Output to port 3 comes back in on port 4, where a drop flow's n_bytes
dnl records the post-truncation size.
1315 AT_CHECK([ip link add p2 type veth peer name ovs-p2])
1316 on_exit 'ip link del ovs-p2'
1317 AT_CHECK([ip link set dev ovs-p2 up])
1318 AT_CHECK([ip link set dev p2 up])
1319 AT_CHECK([ovs-vsctl add-port br0 ovs-p2 -- set interface ovs-p2 ofport_request=3])
1320 AT_CHECK([ovs-vsctl add-port br0 p2 -- set interface p2 ofport_request=4])
1322 dnl use this file as payload file for ncat
1323 AT_CHECK([dd if=/dev/urandom of=payload200.bin bs=200 count=1 2> /dev/null])
1324 on_exit 'rm -f payload200.bin'
dnl Overlay flows: tunnel ingress (port 1) is truncated to 100 bytes towards
dnl both the host and the loopback; UDP from the host is truncated to 100
dnl bytes before encapsulation.  Everything else is dropped.
1326 AT_CHECK([ovs-ofctl del-flows br0])
1327 AT_DATA([flows.txt], [dnl
1328 priority=99,in_port=1,actions=output(port=2,max_len=100),output(port=3,max_len=100)
1329 priority=99,in_port=2,udp,actions=output(port=1,max_len=100)
1330 priority=1,in_port=4,ip,actions=drop
1331 priority=1,actions=drop
1333 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
dnl Underlay flows: only GRE (IP proto 47) is forwarded between port 1 and
dnl the bridge-local port; the byte counter on the LOCAL->1 flow gives the
dnl encapsulated size.  Note the /24 on ip_dst matches the whole underlay
dnl subnet, not only the peer.
1335 AT_CHECK([ovs-ofctl del-flows br-underlay])
1336 AT_DATA([flows-underlay.txt], [dnl
1337 priority=99,dl_type=0x0800,nw_proto=47,in_port=1,actions=LOCAL
1338 priority=99,dl_type=0x0800,nw_proto=47,in_port=LOCAL,ip_dst=172.31.1.1/24,actions=1
1339 priority=1,actions=drop
1342 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
1344 dnl check tunnel push path, from at_ns1 to at_ns0
1345 NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
1346 AT_CHECK([ovs-appctl revalidator/purge], [0])
1348 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
1349 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1352 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
1353 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1357 dnl check tunnel pop path, from at_ns0 to at_ns1
dnl Sent through the real gretap device; after decapsulation on at_gre0 the
dnl in_port=1 flow truncates the copy to the loopback to 100 bytes.
1358 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
1359 dnl After truncation = 100 byte at loopback device p2(4)
1360 AT_CHECK([ovs-appctl revalidator/purge], [0])
1361 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | ofctl_strip], [0], [dnl
1362 n_packets=1, n_bytes=100, priority=1,ip,in_port=4 actions=drop
1365 dnl SLOW_ACTION: disable datapath truncate support
1366 dnl Repeat the test above, but exercise the SLOW_ACTION code path
1367 AT_CHECK([ovs-appctl dpif/set-dp-features br0 trunc false], [0])
1369 dnl SLOW_ACTION test1: check datapath actions
dnl NOTE(review): unlike the basic truncate test, no ofproto/trace check of
dnl the slow-path datapath actions is performed here; the flows are just
dnl reinstalled.
1370 AT_CHECK([ovs-ofctl del-flows br0])
1371 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1373 dnl SLOW_ACTION test2: check actual packet truncate
dnl Reinstalling the flows also resets their counters, so the byte counts
dnl below are for the slow-path run only.
1374 AT_CHECK([ovs-ofctl del-flows br0])
1375 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1376 AT_CHECK([ovs-ofctl del-flows br-underlay])
1377 AT_CHECK([ovs-ofctl add-flows br-underlay flows-underlay.txt])
1379 dnl check tunnel push path, from at_ns1 to at_ns0
1380 NS_CHECK_EXEC([at_ns1], [nc $NC_EOF_OPT -u 10.1.1.1 1234 < payload200.bin])
1381 AT_CHECK([ovs-appctl revalidator/purge], [0])
1383 dnl Before truncation = ETH(14) + IP(20) + UDP(8) + 200 = 242B
1384 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=2" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1387 dnl After truncation = outer ETH(14) + outer IP(20) + GRE(4) + 100 = 138B
1388 AT_CHECK([ovs-ofctl dump-flows br-underlay | grep "in_port=LOCAL" | sed -n 's/.*\(n\_bytes=[[0-9]]*\).*/\1/p'], [0], [dnl
1392 dnl check tunnel pop path, from at_ns0 to at_ns1
1393 NS_CHECK_EXEC([at_ns0], [nc $NC_EOF_OPT -u 10.1.1.2 5678 < payload200.bin])
1394 dnl After truncation = 100 byte at loopback device p2(4)
1395 AT_CHECK([ovs-appctl revalidator/purge], [0])
1396 AT_CHECK([ovs-ofctl dump-flows br0 | grep "in_port=4" | ofctl_strip], [0], [dnl
1397 n_packets=1, n_bytes=100, priority=1,ip,in_port=4 actions=drop
1400 OVS_TRAFFIC_VSWITCHD_STOP
1403 AT_BANNER([conntrack])
1405 AT_SETUP([conntrack - controller])
1407 OVS_TRAFFIC_VSWITCHD_START()
1408 AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg ofproto_dpif_upcall:dbg])
1410 ADD_NAMESPACES(at_ns0, at_ns1)
1412 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1413 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1415 dnl Allow UDP from ns0->ns1 (committed to conntrack and sent to the
dnl controller).  From ns1->ns0 only ARP and established return traffic is
dnl allowed: untracked UDP is run through ct and recirculated to table 0,
dnl where only +trk+est reaches the controller; anything else hits the
dnl priority=1 drop.
1416 AT_DATA([flows.txt], [dnl
1417 priority=1,action=drop
1418 priority=10,arp,action=normal
1419 priority=100,in_port=1,udp,action=ct(commit),controller
1420 priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
1421 priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
1424 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1426 AT_CAPTURE_FILE([ofctl_monitor.log])
1427 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
1429 dnl Send an unsolicited reply from port 2. This should be dropped.
dnl The packet-out actions are given explicitly (no resubmit), so the packet
dnl goes straight to ct and only then re-enters table 0 as +trk -est, where
dnl no priority=100 flow matches and the priority=1 drop applies.
dnl Frame: UDP 10.1.1.2:2 -> 10.1.1.1:1, IP TTL 0 (hence nw_ttl=0 below).
1430 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000'])
1432 dnl OK, now start a new connection from port 1.
dnl UDP 10.1.1.1:1 -> 10.1.1.2:2; committed, then sent to the controller.
1433 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000'])
1435 dnl Now try a reply from port 2.
dnl Same frame as the first one; this time ct reports it as est|rpl|trk
dnl and the +trk+est flow delivers it to the controller.
1436 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000'])
1438 OVS_APP_EXIT_AND_WAIT([ovs-ofctl])
1440 dnl Check this output. We only see the latter two packets, not the first.
1441 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
1442 NXT_PACKET_IN2 (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
1443 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
1444 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,ct_nw_src=10.1.1.1,ct_nw_dst=10.1.1.2,ct_nw_proto=17,ct_tp_src=1,ct_tp_dst=2,ip,in_port=2 (via action) data_len=42 (unbuffered)
1445 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
1448 OVS_TRAFFIC_VSWITCHD_STOP
1451 AT_SETUP([conntrack - force commit])
1453 OVS_TRAFFIC_VSWITCHD_START()
1454 AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg ofproto_dpif_upcall:dbg])
1456 ADD_NAMESPACES(at_ns0, at_ns1)
1458 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1459 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Same policy as "conntrack - controller", but both commits use "force":
dnl an established reply from port 2 is force-committed in table 0 and then
dnl sent to the controller from table 1.  The point of the test is that
dnl "force" lets the reply direction re-create the entry with itself as
dnl originator (see the dump-conntrack checks at the end).
dnl Security note: because of this, ct(force,commit) must not be used on
dnl the side whose packets you only ever want to see as replies -- it lets
dnl that side flip the connection's direction and become the originator.
1461 AT_DATA([flows.txt], [dnl
1462 priority=1,action=drop
1463 priority=10,arp,action=normal
1464 priority=100,in_port=1,udp,action=ct(force,commit),controller
1465 priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
1466 priority=100,in_port=2,ct_state=+trk+est,udp,action=ct(force,commit,table=1)
1467 table=1,in_port=2,ct_state=+trk,udp,action=controller
1470 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1472 AT_CAPTURE_FILE([ofctl_monitor.log])
1473 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
1475 dnl Send an unsolicited reply from port 2. This should be dropped.
dnl Here the packet-outs resubmit to table 0, so the flow table is used from
dnl the start.  Frame: UDP 10.1.1.2:2 -> 10.1.1.1:1, IP TTL 0.
1476 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000 actions=resubmit(,0)"])
1478 dnl OK, now start a new connection from port 1.
dnl UDP 10.1.1.1:1 -> 10.1.1.2:2; force-committed, then to the controller.
1479 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
1481 dnl Now try a reply from port 2.
dnl Now established; force-committed again in the reply direction, then
dnl delivered to the controller from table 1 (reported as new|trk there).
1482 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000 actions=resubmit(,0)"])
1484 AT_CHECK([ovs-appctl revalidator/purge], [0])
1486 OVS_APP_EXIT_AND_WAIT([ovs-ofctl])
1488 dnl Check this output. We only see the latter two packets, not the first.
1489 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
1490 NXT_PACKET_IN2 (xid=0x0): cookie=0x0 total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
1491 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
1492 NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=42 ct_state=new|trk,ct_nw_src=10.1.1.2,ct_nw_dst=10.1.1.1,ct_nw_proto=17,ct_tp_src=2,ct_tp_dst=1,ip,in_port=2 (via action) data_len=42 (unbuffered)
1493 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
1497 dnl Check that the directionality has been changed by force commit.
dnl The entry's "orig" tuple is now the port-2 side (10.1.1.2:2 -> 10.1.1.1:1).
1499 AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.2,"], [], [dnl
1500 udp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1),reply=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2)
1503 dnl OK, now send another packet from port 1 and see that it switches again
1504 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
1505 AT_CHECK([ovs-appctl revalidator/purge], [0])
1507 AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.1,"], [], [dnl
1508 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),reply=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1)
1511 OVS_TRAFFIC_VSWITCHD_STOP
1514 AT_SETUP([conntrack - ct flush by 5-tuple])
dnl Verifies dpctl/flush-conntrack with an explicit 5-tuple (optionally
dnl qualified by zone) removes the matching entry: UDP in the default zone,
dnl UDP in zone 5, and an ICMP entry in zone 5 whose id must be read back from
dnl the live table.
1516 OVS_TRAFFIC_VSWITCHD_START()
1518 ADD_NAMESPACES(at_ns0, at_ns1)
1520 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1521 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Port 1 traffic is committed in the default zone; port 2 traffic in zone 5.
dnl Both directions are committed unconditionally (no ct_state checks); the
dnl point here is the flush command, not enforcement.
1523 AT_DATA([flows.txt], [dnl
1524 priority=1,action=drop
1525 priority=10,arp,action=normal
1526 priority=100,in_port=1,udp,action=ct(commit),2
1527 priority=100,in_port=2,udp,action=ct(zone=5,commit),1
1528 priority=100,in_port=1,icmp,action=ct(commit),2
1529 priority=100,in_port=2,icmp,action=ct(zone=5,commit),1
1532 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1534 dnl Test UDP from port 1
1535 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
1537 AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.1,"], [], [dnl
1538 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),reply=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1)
dnl The flush tuple is given in the reply direction (src 10.1.1.2, sport 2) of
dnl an entry whose orig side is 10.1.1.1; the entry is still expected to go
dnl away (grep exits 1 below), so a flush matches either direction of a flow.
1541 AT_CHECK([ovs-appctl dpctl/flush-conntrack 'ct_nw_src=10.1.1.2,ct_nw_dst=10.1.1.1,ct_nw_proto=17,ct_tp_src=2,ct_tp_dst=1'])
1543 AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.1,"], [1], [dnl
1546 dnl Test UDP from port 2
1547 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101020a0101010002000100080000 actions=resubmit(,0)"])
1549 AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.2,"], [0], [dnl
1550 udp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1),reply=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),zone=5
dnl Same shape for the zone-5 entry: zone is passed separately, tuple again in
dnl the reply direction; afterwards no entry for 10.1.1.2 may remain.
1553 AT_CHECK([ovs-appctl dpctl/flush-conntrack zone=5 'ct_nw_src=10.1.1.1,ct_nw_dst=10.1.1.2,ct_nw_proto=17,ct_tp_src=1,ct_tp_dst=2'])
1555 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1558 dnl Test ICMP traffic
dnl Ping from ns1 so the ICMP entry lands in zone 5 (in_port=2 icmp rule).
1559 NS_CHECK_EXEC([at_ns1], [ping -q -c 3 -i 0.3 -w 2 10.1.1.1 | FORMAT_PING], [0], [dnl
1560 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl The raw dump is kept in "stdout" because FORMAT_CT masks the ICMP id
dnl (id=<cleared>) for the comparison, but the real id is needed for the flush.
1563 AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.2,"], [0], [stdout])
1564 AT_CHECK([cat stdout | FORMAT_CT(10.1.1.1)], [0],[dnl
1565 icmp,orig=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=8,code=0),reply=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=0,code=0),zone=5
dnl Field 4 of the comma-split raw line is "id=<n>"; the second cut keeps <n>.
dnl This relies on the dump's field order shown on the line above.
1568 ICMP_ID=`cat stdout | cut -d ',' -f4 | cut -d '=' -f2`
dnl ICMP entries are addressed by icmp_id/icmp_type/icmp_code instead of ports.
1569 ICMP_TUPLE=ct_nw_src=10.1.1.2,ct_nw_dst=10.1.1.1,ct_nw_proto=1,icmp_id=$ICMP_ID,icmp_type=8,icmp_code=0
1570 AT_CHECK([ovs-appctl dpctl/flush-conntrack zone=5 $ICMP_TUPLE])
1572 AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.2,"], [1], [dnl
1575 OVS_TRAFFIC_VSWITCHD_STOP
1578 AT_SETUP([conntrack - IPv4 ping])
dnl Basic stateful ICMP policy: ns0 may initiate, ns1 may only answer.
dnl Checks the conntrack entry created by the forward pings and that, once the
dnl table is flushed, pings initiated by ns1 are dropped.
1580 OVS_TRAFFIC_VSWITCHD_START()
1582 ADD_NAMESPACES(at_ns0, at_ns1)
1584 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1585 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1587 dnl Allow any traffic from ns0->ns1. Only allow established return traffic from ns1->ns0.
dnl Untracked ICMP from port 2 is sent through conntrack and resubmitted; only
dnl +trk+est then matches a forwarding rule, everything else hits the drop.
1588 AT_DATA([flows.txt], [dnl
1589 priority=1,action=drop
1590 priority=10,arp,action=normal
1591 priority=100,in_port=1,icmp,action=ct(commit),2
1592 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
1593 priority=100,in_port=2,icmp,ct_state=+trk+est,action=1
1596 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1598 dnl Pings from ns0->ns1 should work fine.
1599 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1600 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1603 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1604 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0)
dnl Flush so the reverse-direction pings below cannot ride on the entry the
dnl forward pings just created.
1607 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1609 dnl Pings from ns1->ns0 should fail.
dnl The [0] here is the status of the FORMAT_PING pipeline stage, not of ping;
dnl the "100% packet loss" line is what asserts the drop.
1610 NS_CHECK_EXEC([at_ns1], [ping -q -c 3 -i 0.3 -w 2 10.1.1.1 | FORMAT_PING], [0], [dnl
1611 7 packets transmitted, 0 received, 100% packet loss, time 0ms
1614 OVS_TRAFFIC_VSWITCHD_STOP
1617 AT_SETUP([conntrack - get_nconns and get/set_maxconns])
dnl Covers the dpctl/ct-get-nconns, ct-get-maxconns and ct-set-maxconns
dnl appctl commands: argument validation (bad datapath name, missing or
dnl non-numeric limit) and the get/set round trip, with a real ICMP entry in
dnl the table so nconns is non-trivial.
dnl NOTE(review): the two CHECK_ macros presumably skip the test on datapaths
dnl that do not implement these dpif operations -- confirm in the macro file.
1619 CHECK_CT_DPIF_SET_GET_MAXCONNS()
1620 CHECK_CT_DPIF_GET_NCONNS()
1621 OVS_TRAFFIC_VSWITCHD_START()
1623 ADD_NAMESPACES(at_ns0, at_ns1)
1625 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1626 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1628 dnl Allow any traffic from ns0->ns1. Only allow established return traffic from ns1->ns0.
dnl Same flow set as the "IPv4 ping" test; it only serves to populate the
dnl conntrack table.
1629 AT_DATA([flows.txt], [dnl
1630 priority=1,action=drop
1631 priority=10,arp,action=normal
1632 priority=100,in_port=1,icmp,action=ct(commit),2
1633 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
1634 priority=100,in_port=2,icmp,ct_state=+trk+est,action=1
1637 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1639 dnl Pings from ns0->ns1 should work fine.
1640 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1641 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1645 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0)
dnl Error paths. "one-bad-dp" is a datapath name that does not exist; each
dnl command must fail with exit status 2 and the exact message shown, and the
dnl maxconns argument is validated before the datapath name is looked up
dnl (first two cases report the malformed limit, not the missing datapath).
1648 AT_CHECK([ovs-appctl dpctl/ct-set-maxconns one-bad-dp], [2], [], [dnl
1649 ovs-vswitchd: maxconns missing or malformed (Invalid argument)
1650 ovs-appctl: ovs-vswitchd: server returned an error
1653 AT_CHECK([ovs-appctl dpctl/ct-set-maxconns a], [2], [], [dnl
1654 ovs-vswitchd: maxconns missing or malformed (Invalid argument)
1655 ovs-appctl: ovs-vswitchd: server returned an error
1658 AT_CHECK([ovs-appctl dpctl/ct-set-maxconns one-bad-dp 10], [2], [], [dnl
1659 ovs-vswitchd: datapath not found (Invalid argument)
1660 ovs-appctl: ovs-vswitchd: server returned an error
1663 AT_CHECK([ovs-appctl dpctl/ct-get-maxconns one-bad-dp], [2], [], [dnl
1664 ovs-vswitchd: datapath not found (Invalid argument)
1665 ovs-appctl: ovs-vswitchd: server returned an error
1668 AT_CHECK([ovs-appctl dpctl/ct-get-nconns one-bad-dp], [2], [], [dnl
1669 ovs-vswitchd: datapath not found (Invalid argument)
1670 ovs-appctl: ovs-vswitchd: server returned an error
dnl Happy path on the default datapath: read nconns and maxconns, set maxconns
dnl to 10, read it back, flush the table, then read both again.
1673 AT_CHECK([ovs-appctl dpctl/ct-get-nconns], [], [dnl
1677 AT_CHECK([ovs-appctl dpctl/ct-get-maxconns], [], [dnl
1681 AT_CHECK([ovs-appctl dpctl/ct-set-maxconns 10], [], [dnl
1682 setting maxconns successful
1685 AT_CHECK([ovs-appctl dpctl/ct-get-maxconns], [], [dnl
1689 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1691 AT_CHECK([ovs-appctl dpctl/ct-get-nconns], [], [dnl
1695 AT_CHECK([ovs-appctl dpctl/ct-get-maxconns], [], [dnl
1699 OVS_TRAFFIC_VSWITCHD_STOP
1702 AT_SETUP([conntrack - IPv6 ping])
dnl IPv6 counterpart of the IPv4 ping test: only ICMPv6 echo request/reply is
dnl subject to the stateful policy; everything else (including neighbor
dnl discovery) is switched normally so the hosts can resolve each other.
1704 OVS_TRAFFIC_VSWITCHD_START()
1706 ADD_NAMESPACES(at_ns0, at_ns1)
1708 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1709 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1711 AT_DATA([flows.txt], [dnl
1713 dnl ICMPv6 echo request and reply go to table 1. The rest of the traffic goes
1714 dnl through normal action.
1715 table=0,priority=10,icmp6,icmp_type=128,action=goto_table:1
1716 table=0,priority=10,icmp6,icmp_type=129,action=goto_table:1
1717 table=0,priority=1,action=normal
1719 dnl Allow everything from ns0->ns1. Only allow return traffic from ns1->ns0.
1720 table=1,priority=100,in_port=1,icmp6,action=ct(commit),2
1721 table=1,priority=100,in_port=2,icmp6,ct_state=-trk,action=ct(table=0)
1722 table=1,priority=100,in_port=2,icmp6,ct_state=+trk+est,action=1
1723 table=1,priority=1,action=drop
1726 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Wait until a first ping succeeds (presumably so neighbor discovery has
dnl completed) before the timed checks below.
1728 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
1730 dnl The above ping creates state in the connection tracker. We're not
1731 dnl interested in that state.
1732 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1734 dnl Pings from ns1->ns0 should fail.
dnl The [0] is the FORMAT_PING pipeline's status, not ping6's; the loss line
dnl is the actual assertion.
1735 NS_CHECK_EXEC([at_ns1], [ping6 -q -c 3 -i 0.3 -w 2 fc00::1 | FORMAT_PING], [0], [dnl
1736 7 packets transmitted, 0 received, 100% packet loss, time 0ms
1739 dnl Pings from ns0->ns1 should work fine.
1740 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1741 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Entry is reported as icmpv6 with echo request/reply types 128/129.
1744 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
1745 icmpv6,orig=(src=fc00::1,dst=fc00::2,id=<cleared>,type=128,code=0),reply=(src=fc00::2,dst=fc00::1,id=<cleared>,type=129,code=0)
1748 OVS_TRAFFIC_VSWITCHD_STOP
1751 AT_SETUP([conntrack - preserve registers])
dnl Verifies that a register value written before ct(table=0) survives the
dnl recirculation: the p2->p3 path only forwards once a rule matching reg0=1
dnl fires, and that rule can only match if reg0 set before the ct() call is
dnl still visible afterwards. The p0->p1 pair is a plain control path.
1753 OVS_TRAFFIC_VSWITCHD_START()
1755 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1757 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1758 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1759 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1760 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1762 dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Port 3: untracked -> reg0=0, ct; tracked with reg0=0 -> reg0=1, commit,
dnl ct again; tracked with reg0=1 -> output. Each pass through ct() resubmits
dnl to table 0, so the same packet is classified three times.
1763 AT_DATA([flows.txt], [dnl
1764 priority=1,action=drop
1765 priority=10,arp,action=normal
1766 priority=10,icmp,action=normal
1767 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
1768 priority=100,in_port=1,tcp,ct_state=+trk,action=2
1769 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
1770 priority=100,in_port=2,tcp,ct_state=+trk,action=1
1771 priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
1772 priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
1773 priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
1774 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
1775 priority=100,in_port=4,tcp,ct_state=+trk,action=3
1778 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1780 OVS_START_L7([at_ns1], [http])
1781 OVS_START_L7([at_ns3], [http])
1783 dnl HTTP requests from p0->p1 should work fine.
1784 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1786 dnl HTTP requests from p2->p3 should work fine.
dnl If reg0 were lost across ct(), the reg0=1 rule would never match and this
dnl request would fail.
1787 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
1789 OVS_TRAFFIC_VSWITCHD_STOP
1792 AT_SETUP([conntrack - invalid])
dnl Shows what happens when the initiating direction is tracked but never
dnl committed: the return traffic cannot be associated with a connection.
dnl For the first port pair that breaks the connection; for the second pair a
dnl rule explicitly accepting +inv lets it through anyway. Matching +inv this
dnl way accepts packets conntrack could not classify, so the second pair is
dnl effectively unenforced -- that is the behaviour under test, not a policy.
1794 OVS_TRAFFIC_VSWITCHD_START()
1796 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1798 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1799 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1800 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1801 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1803 dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
1804 dnl the opposite direction. This should fail.
1805 dnl Pass traffic from ns2->ns3 without committing, and this time match
1806 dnl invalid traffic and allow it through.
dnl ct() with no commit on ports 1 and 3 only consults the tracker; nothing is
dnl recorded. Port 2 forwards only +trk+new replies; port 4 forwards +trk+inv
dnl as well as +trk+new.
1807 AT_DATA([flows.txt], [dnl
1808 priority=1,action=drop
1809 priority=10,arp,action=normal
1810 priority=10,icmp,action=normal
1811 priority=100,in_port=1,tcp,action=ct(),2
1812 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
1813 priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
1814 priority=100,in_port=3,tcp,action=ct(),4
1815 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
1816 priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
1817 priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
1820 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1822 dnl We set up our rules to allow the request without committing. The return
1823 dnl traffic can't be identified, because the initial request wasn't committed.
1824 dnl For the first pair of ports, this means that the connection fails.
dnl NOTE(review): the reply is presumably classified +inv rather than +new
dnl (a SYN-ACK with no tracked SYN), which is why the +trk+new rule on port 2
dnl does not rescue it -- confirm against the TCP state tracking rules.
1825 OVS_START_L7([at_ns1], [http])
1826 OVS_START_L7([at_ns3], [http])
dnl wget exit status 4 is its "network failure" code.
1827 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
1829 dnl For the second pair, we allow packets from invalid connections, so it works.
1830 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
1832 OVS_TRAFFIC_VSWITCHD_STOP
1835 AT_SETUP([conntrack - zones])
dnl Zone isolation: state committed in one zone is not visible to lookups in
dnl another, and ct_zone can be matched as a field. The p0/p1 pair tracks and
dnl matches consistently in zone 1; the p2/p3 pair commits in zone 2 but the
dnl return rule matches ct_zone=1, so the reply is never forwarded.
1837 OVS_TRAFFIC_VSWITCHD_START()
1839 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1841 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1842 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1843 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1844 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1846 dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
1847 dnl For ns2->ns3, use a different zone and see that the match fails.
1848 AT_DATA([flows.txt], [dnl
1849 priority=1,action=drop
1850 priority=10,arp,action=normal
1851 priority=10,icmp,action=normal
1852 priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
1853 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
1854 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
1855 priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
1856 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
dnl Deliberate mismatch: tracked in zone 2, matched against ct_zone=1.
1857 priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
1860 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1862 OVS_START_L7([at_ns1], [http])
1863 OVS_START_L7([at_ns3], [http])
1865 dnl HTTP requests from p0->p1 should work fine.
1866 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1868 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1869 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
1872 dnl HTTP requests from p2->p3 should fail due to network failure.
1873 dnl Try 3 times, in 1 second intervals.
dnl Exit status 4 is wget's network-failure code; --retry-connrefused is
dnl intentionally absent here.
1874 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The zone-2 entry was still committed by the forward SYN; only the return
dnl path is blocked.
1876 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
1877 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
1880 OVS_TRAFFIC_VSWITCHD_STOP
1883 AT_SETUP([conntrack - zones from field])
dnl Same scenario as "conntrack - zones", but the zone is taken from a register
dnl (reg0[0..15]) instead of a literal. 0x1001 (4097) is used for the p0/p1
dnl pair and 0x1002 (4098) for p2/p3; the dump output below reports the zones
dnl in decimal.
1885 OVS_TRAFFIC_VSWITCHD_START()
1887 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
1889 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1890 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1891 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
1892 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
1894 dnl Allow any traffic from ns0->ns1 and its return traffic (zone matches).
dnl For ns2->ns3 the return rule matches ct_zone=0x1001 while the packet was
dnl tracked in 0x1002, so the reply is dropped.
1895 AT_DATA([flows.txt], [dnl
1896 priority=1,action=drop
1897 priority=10,arp,action=normal
1898 priority=10,icmp,action=normal
1899 priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
1900 priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
1901 priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
1902 priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
1903 priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
dnl Deliberate mismatch (tracked in 0x1002, matched against 0x1001).
1904 priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
1907 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1909 OVS_START_L7([at_ns1], [http])
1910 OVS_START_L7([at_ns3], [http])
1912 dnl HTTP requests from p0->p1 should work fine.
1913 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1915 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
1916 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=4097,protoinfo=(state=<cleared>)
1919 dnl HTTP requests from p2->p3 should fail due to network failure.
1920 dnl Try 3 times, in 1 second intervals.
1921 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
1923 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
1924 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=4098,protoinfo=(state=<cleared>)
1927 OVS_TRAFFIC_VSWITCHD_STOP
1930 AT_SETUP([conntrack - multiple bridges])
dnl Two bridges joined by a patch port pair, each running its own stateful
dnl policy in its own zone (br0: zone 1, br1: zone 2). Traffic from ns0 must
dnl traverse both policies to reach ns1 and back.
dnl NOTE(review): the flows assume port 1 is the patch port and port 2 the
dnl veth on each bridge, i.e. the order the ports are added below -- confirm
dnl with "ovs-ofctl show" if the setup is changed.
1932 OVS_TRAFFIC_VSWITCHD_START(
1934 add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
1935 add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
1937 ADD_NAMESPACES(at_ns0, at_ns1)
1939 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1940 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
1942 dnl Allow any traffic from ns0->br1, allow established in reverse.
dnl br0: untracked TCP from the veth (port 2) is committed in zone 1 and sent
dnl to the patch port; TCP arriving from br1 (port 1) is tracked in zone 1 and
dnl forwarded only if established.
1943 AT_DATA([flows-br0.txt], [dnl
1944 priority=1,action=drop
1945 priority=10,arp,action=normal
1946 priority=10,icmp,action=normal
1947 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
1948 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
1949 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
1952 dnl Allow any traffic from br0->ns1, allow established in reverse.
dnl br1: TCP from the patch port (port 1) is tracked in zone 2, committed when
dnl new and forwarded when new or established; TCP from the veth (port 2) is
dnl forwarded only when established, re-committing on the way.
1953 AT_DATA([flows-br1.txt], [dnl
1954 priority=1,action=drop
1955 priority=10,arp,action=normal
1956 priority=10,icmp,action=normal
1957 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
1958 priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
1959 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
1960 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
1961 priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
1964 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
1965 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])
1967 dnl HTTP requests from p0->p1 should work fine.
1968 OVS_START_L7([at_ns1], [http])
1969 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1971 OVS_TRAFFIC_VSWITCHD_STOP
1974 AT_SETUP([conntrack - multiple zones])
dnl One packet committed into two zones in a single flow (ct(zone=1) then
dnl ct(zone=2)). Return traffic is only tracked in zone 2; the dump at the end
dnl must show one entry per zone for the same 5-tuple.
1976 OVS_TRAFFIC_VSWITCHD_START()
1978 ADD_NAMESPACES(at_ns0, at_ns1)
1980 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1981 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1983 dnl Allow any traffic from ns0->ns1. Only allow tracked return traffic (zone 2) from ns1->ns0.
1984 AT_DATA([flows.txt], [dnl
1985 priority=1,action=drop
1986 priority=10,arp,action=normal
1987 priority=10,icmp,action=normal
dnl Two ct() actions in sequence; each commits the same packet in its own zone.
1988 priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
1989 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
1990 priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
1993 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1995 OVS_START_L7([at_ns1], [http])
1997 dnl HTTP requests from p0->p1 should work fine.
1998 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2000 dnl (again) HTTP requests from p0->p1 should work fine.
2001 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl FORMAT_CT masks ports and TCP state, so both connections collapse to one
dnl line per zone.
2003 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2004 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
2005 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
2008 OVS_TRAFFIC_VSWITCHD_STOP
2011 AT_SETUP([conntrack - multiple namespaces, internal ports])
dnl Same stateful HTTP policy as the veth tests, but the endpoints are OVS
dnl internal ports moved into namespaces, so packets enter the bridge from the
dnl host network stack rather than from a veth pair.
dnl NOTE(review): CHECK_CONNTRACK_LOCAL_STACK presumably skips this test on
dnl datapaths that cannot track locally-originated traffic -- confirm.
2013 CHECK_CONNTRACK_LOCAL_STACK()
dnl NOTE(review): fail-mode secure is presumably set so the bridge never falls
dnl back to acting as a plain learning switch; the test relies on the explicit
dnl drop rule below -- confirm this is the intent.
2014 OVS_TRAFFIC_VSWITCHD_START(
2015 [set-fail-mode br0 secure -- ])
2017 ADD_NAMESPACES(at_ns0, at_ns1)
2019 ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
2020 ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")
2022 dnl Allow any traffic from ns0->ns1. Only allow tracked return traffic (zone 1) from ns1->ns0.
2024 dnl If skb->nfct is leaking from inside the namespace, this test will fail.
dnl (i.e. conntrack state attached by the namespace's own stack must not be
dnl carried into the bridge's ct() lookup; the zone-1 state here must come
dnl only from the commit on port 1.)
2025 AT_DATA([flows.txt], [dnl
2026 priority=1,action=drop
2027 priority=10,arp,action=normal
2028 priority=10,icmp,action=normal
2029 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
2030 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
2031 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
dnl Unlike the sibling tests this add-flows does not use --bundle; harmless
dnl for a single file, but inconsistent.
2034 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
2036 OVS_START_L7([at_ns1], [http])
2038 dnl HTTP requests from p0->p1 should work fine.
2039 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2041 dnl (again) HTTP requests from p0->p1 should work fine.
2042 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2044 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2045 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
dnl The two sed filters suppress warnings about the internal devices that
dnl disappear together with their namespaces at teardown.
2048 OVS_TRAFFIC_VSWITCHD_STOP(["dnl
2049 /ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
2050 /removing policing failed: No such device/d"])
2053 AT_SETUP([conntrack - ct_mark])
dnl ct_mark as a policy tag: the mark is written at commit time and the return
dnl rules match on it. p0/p1 commit mark=1 and match mark=1; p2/p3 commit
dnl mark=2 but the return rule still matches mark=1, so the reply is dropped.
2055 OVS_TRAFFIC_VSWITCHD_START()
2057 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
2059 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2060 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2061 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
2062 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
2064 dnl Allow traffic between ns0<->ns1 using the ct_mark.
2065 dnl Check that different marks do not match for traffic between ns2<->ns3.
2066 AT_DATA([flows.txt], [dnl
2067 priority=1,action=drop
2068 priority=10,arp,action=normal
2069 priority=10,icmp,action=normal
dnl exec(...) runs the set_field inside the ct action so it applies to the
dnl connection entry, not just the packet.
2070 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
2071 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
2072 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
2073 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
2074 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Deliberate mismatch: committed with mark 2, matched against mark 1.
2075 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
2078 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2080 OVS_START_L7([at_ns1], [http])
2081 OVS_START_L7([at_ns3], [http])
2083 dnl HTTP requests from p0->p1 should work fine.
2084 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2085 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2086 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
2089 dnl HTTP requests from p2->p3 should fail due to network failure.
2090 dnl Try 3 times, in 1 second intervals.
2091 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The entry exists with mark=2; only the return match fails.
2092 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
2093 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
2096 OVS_TRAFFIC_VSWITCHD_STOP
2099 AT_SETUP([conntrack - ct_mark bit-fiddling])
dnl Masked writes to ct_mark from both directions. Forward SYN (new) sets
dnl 0x5 under mask 0x5 -> mark 0b101. The reply commits 0x2 under mask 0x6,
dnl which clears bit 2 and sets bit 1 while leaving bit 0 alone -> 0b011 = 3.
dnl The return rule and the final dump both expect mark=3.
2101 OVS_TRAFFIC_VSWITCHD_START()
dnl Only ns0/ns1 are used; at_ns2/at_ns3 are created but get no ports.
2103 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
2105 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2106 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2108 dnl Allow traffic between ns0<->ns1 using the ct_mark. Return traffic should
2109 dnl cause an additional bit to be set in the connection (and be allowed).
2110 AT_DATA([flows.txt], [dnl
2111 table=0,priority=1,action=drop
2112 table=0,priority=10,arp,action=normal
2113 table=0,priority=10,icmp,action=normal
2114 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
dnl Reply direction: commit with a masked set_field, then continue in table 1.
2115 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x2/0x6->ct_mark))
2116 table=1,in_port=1,ct_state=+new,tcp,action=ct(commit,exec(set_field:0x5/0x5->ct_mark)),2
2117 table=1,in_port=1,ct_state=-new,tcp,action=2
2118 table=1,in_port=2,ct_state=+trk,ct_mark=3,tcp,action=1
2121 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2123 OVS_START_L7([at_ns1], [http])
2125 dnl HTTP requests from p0->p1 should work fine.
2126 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2128 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2129 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=3,protoinfo=(state=<cleared>)
2132 OVS_TRAFFIC_VSWITCHD_STOP
2135 AT_SETUP([conntrack - ct_mark from register])
dnl Same scenario as "conntrack - ct_mark", except the mark value is first
dnl loaded into reg0 and then copied into ct_mark with a move inside exec(),
dnl instead of a literal set_field.
2137 OVS_TRAFFIC_VSWITCHD_START()
2139 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
2141 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2142 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2143 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
2144 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
2146 dnl Allow traffic between ns0<->ns1 using ct_mark=1 taken from reg0.
dnl ns2->ns3 commits mark 2 but its return rule matches ct_mark=1, so the
dnl reply is dropped.
2147 AT_DATA([flows.txt], [dnl
2148 priority=1,action=drop
2149 priority=10,arp,action=normal
2150 priority=10,icmp,action=normal
2151 priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
2152 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
2153 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
2154 priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
2155 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Deliberate mismatch (mark 2 committed, mark 1 matched).
2156 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
2159 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2161 OVS_START_L7([at_ns1], [http])
2162 OVS_START_L7([at_ns3], [http])
2164 dnl HTTP requests from p0->p1 should work fine.
2165 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2166 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2167 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
2170 dnl HTTP requests from p2->p3 should fail due to network failure.
2171 dnl Try 3 times, in 1 second intervals.
2172 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
2173 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
2174 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
2177 OVS_TRAFFIC_VSWITCHD_STOP
2180 AT_SETUP([conntrack - ct_label])
dnl ct_label analogue of the ct_mark test, using a value wider than 64 bits to
dnl exercise the 128-bit label. p0/p1 commit and match the same label; p2/p3
dnl commit 0x2 but match the p0/p1 label, so the reply is dropped.
dnl Unlike the ct_mark test, no dump-conntrack check is made here; only the
dnl wget outcomes are asserted.
2182 OVS_TRAFFIC_VSWITCHD_START()
2184 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
2186 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2187 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2188 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
2189 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
2191 dnl Allow traffic between ns0<->ns1 using the ct_label.
2192 dnl Check that different labels do not match for traffic between ns2<->ns3.
2193 AT_DATA([flows.txt], [dnl
2194 priority=1,action=drop
2195 priority=10,arp,action=normal
2196 priority=10,icmp,action=normal
2197 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
2198 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
2199 priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
2200 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
2201 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Deliberate mismatch (label 0x2 committed, p0/p1 label matched).
2202 priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
2205 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2207 OVS_START_L7([at_ns1], [http])
2208 OVS_START_L7([at_ns3], [http])
2210 dnl HTTP requests from p0->p1 should work fine.
2211 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2213 dnl HTTP requests from p2->p3 should fail due to network failure.
2214 dnl Try 3 times, in 1 second intervals.
2215 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
2217 OVS_TRAFFIC_VSWITCHD_STOP
2220 AT_SETUP([conntrack - ct_label bit-fiddling])
dnl Masked writes to ct_label from both directions. Forward SYN (new) sets
dnl 0x5 under mask 0x5 -> label 0x5. The reply commits 0x200000000 under mask
dnl 0x200000004, which sets bit 33 and clears bit 2 while leaving bit 0 alone
dnl -> 0x200000001. The return rule and the final dump both expect that value.
2222 OVS_TRAFFIC_VSWITCHD_START()
dnl Only ns0/ns1 are used; at_ns2/at_ns3 are created but get no ports.
2224 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
2226 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2227 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2229 dnl Allow traffic between ns0<->ns1 using the ct_labels. Return traffic should
2230 dnl cause an additional bit to be set in the connection labels (and be allowed)
2231 AT_DATA([flows.txt], [dnl
2232 table=0,priority=1,action=drop
2233 table=0,priority=10,arp,action=normal
2234 table=0,priority=10,icmp,action=normal
2235 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
dnl Reply direction: commit with a masked set_field, then continue in table 1.
2236 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label))
2237 table=1,in_port=1,tcp,ct_state=+new,action=ct(commit,exec(set_field:0x5/0x5->ct_label)),2
2238 table=1,in_port=1,tcp,ct_state=-new,action=2
2239 table=1,in_port=2,ct_state=+trk,ct_label=0x200000001,tcp,action=1
2242 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2244 OVS_START_L7([at_ns1], [http])
2246 dnl HTTP requests from p0->p1 should work fine.
2247 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2249 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2250 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),labels=0x200000001,protoinfo=(state=<cleared>)
2253 OVS_TRAFFIC_VSWITCHD_STOP
2256 AT_SETUP([conntrack - ct metadata, multiple zones])
dnl Combines the mark and label bit-fiddling tests with a second zone: the
dnl masked mark/label writes are applied only to the zone-1 entry, while the
dnl same connection is committed plainly in zone 2. The final dump must show
dnl mark=3 and labels=0x200000001 on the zone-1 line and neither on zone 2
dnl (same bit arithmetic as the two bit-fiddling tests).
2258 OVS_TRAFFIC_VSWITCHD_START()
2260 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
2262 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
2263 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
2265 dnl Allow traffic between ns0<->ns1 using the ct_mark and ct_labels in zone=1,
2266 dnl but do *not* set any of these for the ct() in zone=2. Traffic should pass,
2267 dnl and we should see that the conntrack entries only apply the ct_mark and
2268 dnl ct_labels to the connection in zone=1.
2269 AT_DATA([flows.txt], [dnl
2270 table=0,priority=1,action=drop
2271 table=0,priority=10,arp,action=normal
2272 table=0,priority=10,icmp,action=normal
2273 table=0,priority=100,in_port=1,tcp,action=ct(zone=1,table=1)
2274 table=0,priority=100,in_port=2,ct_state=-trk,tcp,action=ct(zone=1,table=1,commit,exec(set_field:0x200000000/0x200000004->ct_label,set_field:0x2/0x6->ct_mark))
dnl New forward connections are committed twice: zone 1 with metadata, zone 2
dnl without.
2275 table=1,in_port=1,tcp,ct_state=+new,action=ct(zone=1,commit,exec(set_field:0x5/0x5->ct_label,set_field:0x5/0x5->ct_mark)),ct(commit,zone=2),2
2276 table=1,in_port=1,tcp,ct_state=-new,action=ct(zone=2),2
dnl Note: the return rule here matches any TCP from port 2 regardless of
dnl ct_state or mark/label -- this test checks metadata placement, not
dnl enforcement of return traffic.
2277 table=1,in_port=2,tcp,action=ct(zone=2),1
2280 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
2282 OVS_START_L7([at_ns1], [http])
2284 dnl HTTP requests from p0->p1 should work fine.
2285 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
2287 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
2288 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,mark=3,labels=0x200000001,protoinfo=(state=<cleared>)
2289 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
2292 OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - new connections])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Track TCP and UDP. New connections from port 1 are committed but never
dnl output, and only established traffic is forwarded in either direction, so
dnl no connection can ever become established and nothing gets through.
AT_DATA([flows1.txt], [dnl
table=0, priority=1,action=drop
table=0, priority=10,arp,action=normal
table=0, priority=100,tcp,action=ct(table=1)
table=0, priority=100,udp,action=ct(table=1)
dnl ct(commit) with no output action: the new packet is consumed here.
table=1, priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit)
table=1, priority=100,in_port=1,udp,ct_state=+trk+new,action=ct(commit)
table=1, priority=100,in_port=1,ct_state=+trk+est,action=2
table=1, priority=100,in_port=2,ct_state=+trk+est,action=1
dnl Debug logging makes a failure of this test easier to diagnose.
ovs-appctl vlog/set dbg
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows1.txt])
dnl TCP traffic from ns0 to ns1 should fail. wget exit status 4 is a
dnl network failure.
OVS_START_L7([at_ns1], [http])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
dnl Send UDP packet on port 1 twice. The packet is UDP 10.1.1.1:1 -> 10.1.1.2:2
dnl with an empty payload. Both copies travel in the original direction only,
dnl so presumably neither is classified as established.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
dnl There should not be any packet that matches the established ct_state.
dnl The expected line carries no counters, which appears to be how ofctl_strip
dnl renders a flow with zero hits.
AT_CHECK([ovs-ofctl dump-flows br0 "table=1 in_port=1,ct_state=+trk+est" | ofctl_strip], [0], [dnl
 table=1, priority=100,ct_state=+est+trk,in_port=1 actions=output:2
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - generic IP protocol])
OVS_TRAFFIC_VSWITCHD_START()
dnl Extra datapath and upcall debug logging for diagnosing failures.
AT_CHECK([ovs-appctl vlog/set dpif:dbg dpif_netdev:dbg ofproto_dpif_upcall:dbg])
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Any IP protocol is tracked and committed on its first packet from port 1.
AT_DATA([flows.txt], [dnl
table=0, priority=1,action=drop
table=0, priority=10,arp,action=normal
table=0, priority=100,ip,action=ct(table=1)
table=1, priority=100,in_port=1,ip,ct_state=+trk+new,action=ct(commit)
table=1, priority=100,in_port=1,ct_state=+trk+est,action=normal
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Inject an IP protocol 112 (VRRP) packet from 192.168.0.30 to the
dnl multicast address 224.0.0.18; it is neither TCP, UDP nor ICMP.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=01005e00001200005e000101080045c0002800000000ff7019cdc0a8001ee0000012210164010001ba52c0a800010000000000000000000000000000 actions=resubmit(,0)"])
dnl The entry is keyed on addresses and protocol number only; the dump shows
dnl the protocol as 112 and reports sport=0,dport=0 for both directions.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=192\.168\.0\.30,"], [], [dnl
112,orig=(src=192.168.0.30,dst=224.0.0.18,sport=0,dport=0),reply=(src=224.0.0.18,dst=192.168.0.30,sport=0,dport=0)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ICMP related])
AT_SKIP_IF([test $HAVE_NC = no])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
dnl The UDP rule tags the connection with ct_mark=1; the return ICMP rule
dnl requires both +rel and ct_mark=1, so only ICMP errors tied to a connection
dnl that was admitted by the UDP rule can reach ns0.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
dnl Untracked ICMP from ns1 is first run through conntrack and recirculated.
priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
dnl Nothing listens on port 10000 in ns1, which is what provokes the error.
NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl One UDP packet out, one ICMP error seen untracked and then again as
dnl related; the drop rule is filtered out of the comparison.
AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
 n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
 n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
 n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
 n_packets=2, n_bytes=84, priority=10,arp actions=NORMAL
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ICMP related to original direction])
AT_SKIP_IF([test $HAVE_NC = no])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
dnl Everything is tracked in zone 34673; UDP in either direction is committed
dnl and forwarded, ICMP from port 2 is forwarded only when conntrack marks it
dnl as related.
AT_DATA([flows.txt], [dnl
priority=1000,arp,action=normal
priority=100,ip,action=ct(table=1)
priority=1,action=drop
table=1,ip,action=ct(zone=34673,table=2)
table=2,in_port=2,udp,action=ct(commit,zone=34673),1
table=2,in_port=1,udp,action=ct(commit,zone=34673),2
table=2,in_port=2,ct_state=+rel,icmp,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl The packet-out arguments below are: bridge, in_port, actions, packet hex.
dnl 1. Send a UDP packet to port 53 (src=192.100.1.8,dst=192.100.2.5).
dnl    This creates the conntrack entry; 192.100.1.8 is its original side.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) '00010200020400232211223308004500001c000100004011f6fac0640108c06402050035003500087b9e'])
dnl 2. Send a UDP packet to port 53 (src=192.100.2.5,dst=192.100.1.8).
dnl    This is the reply direction of the same entry, so no new entry appears.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 resubmit\(,0\) '00232211223300010200020408004500001c000100004011f6fac0640205c06401080035003500087b9e'])
dnl 3. Send an ICMP unreachable (type 3) for port 53, related to the 2nd
dnl packet, but in the original direction of the conntrack entry created
dnl for the 1st packet. The embedded header quotes 192.100.2.5 -> 192.100.1.8.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) '000102000204002322112233080045000038000100003f01f7eec0640108c0640205030a80e5ffffffff4500001c000100003f11f7fac0640205c06401080035003500087b9e'])
AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl Send the same ICMP error a second time after the purge to confirm the
dnl related classification is stable and not an artefact of a cached flow.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) '000102000204002322112233080045000038000100003f01f7eec0640108c0640205030a80e5ffffffff4500001c000100003f11f7fac0640205c06401080035003500087b9e'])
AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl Both ICMP packets must have matched the +rel rule (n_packets=2).
AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
 n_packets=4, n_bytes=224, priority=100,ip actions=ct(table=1)
 priority=1000,arp actions=NORMAL
 table=1, n_packets=4, n_bytes=224, ip actions=ct(table=2,zone=34673)
 table=2, n_packets=1, n_bytes=42, udp,in_port=1 actions=ct(commit,zone=34673),output:2
 table=2, n_packets=1, n_bytes=42, udp,in_port=2 actions=ct(commit,zone=34673),output:1
 table=2, n_packets=2, n_bytes=140, ct_state=+rel,icmp,in_port=2 actions=output:1
dnl A single UDP entry, with 192.100.1.8 as the original source.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(192.100.1.8)], [0], [dnl
udp,orig=(src=192.100.1.8,dst=192.100.2.5,sport=<cleared>,dport=<cleared>),reply=(src=192.100.2.5,dst=192.100.1.8,sport=<cleared>,dport=<cleared>),zone=34673
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ICMP related 2])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")
dnl Every IP packet is committed to conntrack and then sent to the controller,
dnl so the ct_state assigned to each injected packet can be read back from
dnl the ovs-ofctl monitor log.
AT_DATA([flows.txt], [dnl
table=0,ip,action=ct(commit,table=1)
table=1,ip,action=controller
AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])
AT_CAPTURE_FILE([ofctl_monitor.log])
AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request.
dnl    Outer 172.16.0.4 -> 172.16.0.3; no connection exists for the quoted
dnl    UDP header, so conntrack should flag it invalid.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f351ac100004ac1000030303da490000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])
dnl 2. Send a UDP packet to port 5555 (172.16.0.1:41614 -> 172.16.0.2:5555).
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 resubmit\(,0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
dnl 3. Send an ICMP port unreach reply from a path midpoint for port 5555,
dnl    related to the previous UDP packet. The outer source 172.16.0.3 is
dnl    neither endpoint of that connection.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f354ac100003ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
OVS_APP_EXIT_AND_WAIT([ovs-ofctl])
dnl Check this output. All three packets reach the controller: the
dnl unsolicited ICMP error is reported as inv|trk, the UDP packet as new|trk,
dnl and the ICMP error from the midpoint as rel|rpl|trk with the ct_ fields of
dnl the UDP connection. IPv6 link-local and multicast noise from the
dnl namespaces is filtered out.
AT_CHECK([cat ofctl_monitor.log | grep -v ff02 | grep -v fe80 | grep -v no_match], [0], [dnl
NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=75 ct_state=inv|trk,ip,in_port=2 (via action) data_len=75 (unbuffered)
icmp,vlan_tci=0x0000,dl_src=c6:f5:4e:cb:72:db,dl_dst=f6:4c:47:35:28:c9,nw_src=172.16.0.4,nw_dst=172.16.0.3,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:da49
NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=47 ct_state=new|trk,ct_nw_src=172.16.0.1,ct_nw_dst=172.16.0.2,ct_nw_proto=17,ct_tp_src=41614,ct_tp_dst=5555,ip,in_port=1 (via action) data_len=47 (unbuffered)
udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
NXT_PACKET_IN2 (xid=0x0): table_id=1 cookie=0x0 total_len=75 ct_state=rel|rpl|trk,ct_nw_src=172.16.0.1,ct_nw_dst=172.16.0.2,ct_nw_proto=17,ct_tp_src=41614,ct_tp_dst=5555,ip,in_port=2 (via action) data_len=75 (unbuffered)
icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.3,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
dnl Only the UDP connection exists in conntrack.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(172.16.0.1)], [0], [dnl
udp,orig=(src=172.16.0.1,dst=172.16.0.2,sport=<cleared>,dport=<cleared>),reply=(src=172.16.0.2,dst=172.16.0.1,sport=<cleared>,dport=<cleared>)
dnl The unsolicited ICMP error created no entry: the dump for 172.16.0.3 must
dnl be empty.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(172.16.0.3)], [0], [dnl
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv4 fragmentation])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Sending ping through conntrack. Echo requests from port 1 are committed in
dnl zone 9; replies from port 2 are tracked and forwarded only when the
dnl connection is already established.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Modify userspace conntrack fragmentation handling.
DPCTL_MODIFY_FRAGMENTATION()
dnl Ipv4 fragmentation connectivity check. A 1600 byte payload exceeds the
dnl usual 1500 byte MTU, so each echo request is fragmented on the wire.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Ipv4 larger fragmentation connectivity check (more than two fragments).
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Check userspace conntrack fragmentation counters.
DPCTL_CHECK_FRAGMENTATION_PASS()
OVS_TRAFFIC_VSWITCHD_STOP
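AT_SETUP([conntrack - IPv4 fragmentation expiry])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Later fragments from port 1 match nothing but the default drop, so ns1
dnl never receives a complete echo request and no reply is expected. The
dnl first fragments left behind in conntrack must be expired cleanly.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
dnl Only allow non-fragmented messages and 1st fragments of each message
priority=100,in_port=1,icmp,ip_frag=no,action=ct(commit,zone=9),2
priority=100,in_port=1,icmp,ip_frag=first,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Modify userspace conntrack fragmentation handling.
DPCTL_MODIFY_FRAGMENTATION()
dnl Ipv4 fragmentation connectivity check. With -c 1 and a 2 second deadline
dnl ping keeps transmitting until the deadline because no reply ever arrives,
dnl hence 7 packets sent and none received.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 1 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
7 packets transmitted, 0 received, 100% packet loss, time 0ms
dnl Check userspace conntrack fragmentation counters.
DPCTL_CHECK_FRAGMENTATION_FAIL()
OVS_TRAFFIC_VSWITCHD_STOP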
AT_SETUP([conntrack - IPv4 fragmentation + vlan])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl The pings below go over the VLAN 100 sub-interfaces, so every fragment
dnl carries an 802.1Q tag when it reaches conntrack.
ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
dnl Sending ping through conntrack. Same rule set as the untagged IPv4
dnl fragmentation test.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Modify userspace conntrack fragmentation handling.
DPCTL_MODIFY_FRAGMENTATION()
dnl Ipv4 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Ipv4 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Check userspace conntrack fragmentation counters.
DPCTL_CHECK_FRAGMENTATION_PASS()
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv4 fragmentation + cvlan])
dnl vlan-limit=0 lets the bridge look past the outer tag of double-tagged
dnl frames instead of treating the inner tag as payload.
OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Outer (service) tag 4094, inner (customer) tag 100 stacked on top of it.
ADD_SVLAN(p0, at_ns0, 4094, "10.255.2.1/24")
ADD_SVLAN(p1, at_ns1, 4094, "10.255.2.2/24")
ADD_CVLAN(p0.4094, at_ns0, 100, "10.2.2.1/24")
ADD_CVLAN(p1.4094, at_ns1, 100, "10.2.2.2/24")
dnl Sending ping through conntrack. Same rule set as the untagged IPv4
dnl fragmentation test.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Wait until the double-tagged path actually carries traffic before the
dnl fragment checks, which count every lost reply as a failure.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])
dnl Ipv4 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Ipv4 fragmentation connectivity check. (outer svlan)
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.255.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Ipv4 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Ipv4 larger fragmentation connectivity check. (outer svlan)
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.255.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv4 fragmentation incomplete reassembled packet])
OVS_TRAFFIC_VSWITCHD_START()
DPCTL_SET_MIN_FRAG_SIZE()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Only the first fragment of a UDP datagram is injected, straight into
dnl ct(commit) via a bundle.
AT_DATA([bundle.txt], [dnl
packet-out in_port=1, packet=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, actions=ct(commit)
AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
dnl Without the remaining fragments nothing is reassembled, so conntrack must
dnl not have created an entry: the dump is expected to be empty.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
OVS_TRAFFIC_VSWITCHD_STOP
dnl Uses same first fragment as above 'incomplete reassembled packet' test.
AT_SETUP([conntrack - IPv4 fragmentation with fragments specified])
OVS_TRAFFIC_VSWITCHD_START()
DPCTL_SET_MIN_FRAG_SIZE()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl First fragment followed by the final fragment of the same datagram
dnl (IP id 1, fragment offset 0x32, more-fragments bit clear).
AT_DATA([bundle.txt], [dnl
packet-out in_port=1, packet=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, actions=ct(commit)
packet-out in_port=1, packet=50540000000a505400000009080045000030000100320011a4860a0101010a01010200010002000800000010203040506070809000010203040506070809, actions=ct(commit)
AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
dnl Both fragments arrived, so the reassembled UDP datagram was committed.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv4 fragmentation out of order])
OVS_TRAFFIC_VSWITCHD_START()
DPCTL_SET_MIN_FRAG_SIZE()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl The final fragment (offset 0x32, more-fragments clear) is injected before
dnl the first fragment (offset 0, more-fragments set, total length 0x1a4).
AT_DATA([bundle.txt], [dnl
packet-out in_port=1, packet=50540000000a505400000009080045000030000100320011a4860a0101010a01010200010002000800000010203040506070809000010203040506070809, actions=ct(commit)
packet-out in_port=1, packet=50540000000a5054000000090800450001a400012000001183440a0101010a01010200010002000800000304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809, actions=ct(commit)
AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
dnl Reassembly must not depend on arrival order: the entry still appears.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv4 fragmentation overlapping fragments by 1 octet])
dnl Overlap handling differs between kernels; skip where it is not supported.
CHECK_CONNTRACK_FRAG_OVERLAP()
OVS_TRAFFIC_VSWITCHD_START()
DPCTL_SET_MIN_FRAG_SIZE()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl The first fragment is the same as in the out-of-order test. The second
dnl fragment carries offset 0x31 instead of the 0x32 used in the
dnl non-overlapping tests, so it overlaps the tail of the first fragment.
AT_DATA([bundle.txt], [dnl
packet-out in_port=1, packet=50540000000a5054000000090800450001a400012000001183440a0101010a01010200010002000800000304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809, actions=ct(commit)
packet-out in_port=1, packet=50540000000a505400000009080045000030000100310011a4870a0101010a01010200010002000800000010203040506070809000010203040506070809, actions=ct(commit)
AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
dnl There is one byte of overlap, hence no packet gets through conntrack.
dnl Overlapping fragments are rejected rather than reassembled, so the dump
dnl is expected to be empty.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv4 fragmentation overlapping fragments by 1 octet out of order])
dnl Overlap handling differs between kernels; skip where it is not supported.
CHECK_CONNTRACK_FRAG_OVERLAP()
OVS_TRAFFIC_VSWITCHD_START()
DPCTL_SET_MIN_FRAG_SIZE()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Same two fragments as the previous overlap test, but the overlapping
dnl second fragment (offset 0x31) arrives before the first fragment.
AT_DATA([bundle.txt], [dnl
packet-out in_port=1, packet=50540000000a505400000009080045000030000100310011a4870a0101010a01010200010002000800000010203040506070809000010203040506070809, actions=ct(commit)
packet-out in_port=1, packet=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, actions=ct(commit)
AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
dnl There is one byte of overlap, hence no packet gets through conntrack.
dnl The result must not depend on arrival order: the dump is expected to be
dnl empty here too.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 fragmentation])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Sending ping through conntrack. IPv6 from port 1 is committed in zone 9,
dnl return traffic from port 2 is forwarded only once established. Neighbour
dnl Discovery (ICMPv6 types 135 and 136) bypasses conntrack at a higher
dnl priority so the namespaces can resolve each other.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
dnl Ipv6 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Ipv6 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 fragmentation expiry])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl IPv6 counterpart of the IPv4 expiry test: later fragments from port 1
dnl hit the default drop, so ns1 never sees a complete echo request and the
dnl first fragments left in conntrack have to expire on their own.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
dnl Only allow non-fragmented messages and 1st fragments of each message
priority=10,in_port=1,ipv6,ip_frag=first,action=ct(commit,zone=9),2
priority=10,in_port=1,ipv6,ip_frag=no,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
dnl Neighbour Discovery
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
dnl Send an IPv6 fragment. Some time later, it should expire.
dnl With -c 1 and a 2 second deadline ping keeps transmitting until the
dnl deadline because no reply ever arrives, hence 7 sent and none received.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 1 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
7 packets transmitted, 0 received, 100% packet loss, time 0ms
dnl At this point, the kernel will either crash or everything is OK. This is
dnl a regression check; there is no further assertion.
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 fragmentation + vlan])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl The pings below go over the VLAN 100 sub-interfaces, so every fragment
dnl carries an 802.1Q tag when it reaches conntrack.
ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")
dnl Sending ping through conntrack. Same rule set as the untagged IPv6
dnl fragmentation test.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Linux seems to take a little time to get its IPv6 stack in order. Without
dnl waiting, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
dnl Ipv6 fragmentation connectivity check (over the VLAN addresses).
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Ipv6 larger fragmentation connectivity check (over the VLAN addresses).
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 fragmentation + cvlan])
dnl vlan-limit=0 lets the bridge look past the outer tag of double-tagged
dnl frames instead of treating the inner tag as payload.
OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Outer (service) tag 4094, inner (customer) tag 100 stacked on top of it.
ADD_SVLAN(p0, at_ns0, 4094, "fc00:ffff::3/96")
ADD_SVLAN(p1, at_ns1, 4094, "fc00:ffff::4/96")
ADD_CVLAN(p0.4094, at_ns0, 100, "fc00:1::3/96")
ADD_CVLAN(p1.4094, at_ns1, 100, "fc00:1::4/96")
dnl Sending ping through conntrack. Same rule set as the untagged IPv6
dnl fragmentation test.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Wait until the double-tagged path actually carries traffic before the
dnl fragment checks, which count every lost reply as a failure.
OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00:1::4])
dnl Ipv6 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Ipv6 fragmentation connectivity check. (outer svlan)
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:ffff::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Ipv6 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Ipv6 larger fragmentation connectivity check. (outer svlan)
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:ffff::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 fragmentation incomplete reassembled packet])
OVS_TRAFFIC_VSWITCHD_START()
DPCTL_SET_MIN_FRAG_SIZE()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl A single IPv6 fragment (next header 44, fragment offset 0 with the
dnl more-fragments bit set, payload length 0x500) of a UDP datagram from
dnl fc00::1 to fc00::2 is injected straight into ct(commit).
AT_DATA([bundle.txt], [dnl
packet-out in_port=1, packet=50540000000a50540000000986dd6000000005002cfffc000000000000000000000000000001fc0000000000000000000000000000021100000100000001000100020008f62900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203
040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090010203040506070809001020304050607080900102030405060708090010203040506070809001020304050607080900102030405060708090010203040506070, actions=ct(commit)
AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
dnl No further fragments follow, so nothing is reassembled and no conntrack
dnl entry may exist: the dump is expected to be empty.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
OVS_TRAFFIC_VSWITCHD_STOP
2994 AT_SETUP([conntrack - IPv6 fragmentation with fragments specified])
dnl Two IPv6 fragments of a single UDP datagram, injected in order through
dnl ct(commit). Both carry fragment identification 0x00000001, fc00::1 ->
dnl fc00::2, and next header 0x2c (Fragment) directly after the base header.
dnl Conntrack cannot see the UDP ports until the datagram is reassembled, so
dnl the expected result is exactly one udp entry (FORMAT_CT masks the ports),
dnl not a per-fragment entry and not nothing.
2996 OVS_TRAFFIC_VSWITCHD_START()
dnl Presumably relaxes the datapath's minimum accepted fragment size so that
dnl the 28-byte trailing fragment below is not discarded -- see the macro.
2997 DPCTL_SET_MIN_FRAG_SIZE()
2999 ADD_NAMESPACES(at_ns0, at_ns1)
3001 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
3002 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
3004 AT_DATA([bundle.txt], [dnl
dnl First fragment: fragment field 0x0001 (offset 0, M set), IPv6 payload
dnl length 0x0500, i.e. 1272 bytes of UDP header + data after the 8-byte
dnl Fragment header. UDP sport 1, dport 2.
dnl NOTE(review): the UDP length field reads 0x0008 although the reassembled
dnl datagram is 1300 bytes; if this test passes, conntrack is evidently not
dnl checking UDP length against the reassembled size -- confirm that is the
dnl intended coverage.
3005 packet-out in_port=1, packet=50540000000A50540000000986DD6000000005002CFFFC000000000000000000000000000001FC0000000000000000000000000000021100000100000001000100020008267100010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203
040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090010203040506070809001020304050607080900102030405060708090010203040506070809001020304050607080900102030405060708090010203040506070, actions=ct(commit)
dnl Last fragment: fragment field 0x04f8 (offset 159*8 = 1272, M clear),
dnl IPv6 payload length 0x0024 = 8-byte Fragment header + 28 bytes of data.
3006 packet-out in_port=1, packet=50540000000A50540000000986DD6000000000242CFFFC000000000000000000000000000001FC000000000000000000000000000002110004F80000000100010002000800000001020304050607080900010203040506070809, actions=ct(commit)
3009 AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
dnl One entry keyed on the reassembled datagram's 5-tuple is the pass
dnl condition.
3011 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
3012 udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>)
3015 OVS_TRAFFIC_VSWITCHD_STOP
3018 AT_SETUP([conntrack - IPv6 fragmentation out of order])
dnl Same two fragments as the in-order case, but the final fragment (offset
dnl 1272, M clear) is injected first and the offset-0 fragment that carries
dnl the UDP header second. Reassembly has to hold the tail until the head
dnl arrives; the resulting conntrack entry must be identical to the in-order
dnl case, i.e. a single udp entry and nothing keyed on the bare tail fragment.
3020 OVS_TRAFFIC_VSWITCHD_START()
dnl Presumably relaxes the datapath's minimum accepted fragment size so that
dnl the 28-byte fragment is not discarded -- see the macro.
3021 DPCTL_SET_MIN_FRAG_SIZE()
3023 ADD_NAMESPACES(at_ns0, at_ns1)
3025 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
3026 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
3028 AT_DATA([bundle.txt], [dnl
dnl Tail first: fragment field 0x04f8 (offset 1272, M clear), identification
dnl 0x00000001, 28 bytes of data.
3029 packet-out in_port=1, packet=50540000000A50540000000986DD6000000000242CFFFC000000000000000000000000000001FC000000000000000000000000000002110004F80000000100010002000800000001020304050607080900010203040506070809, actions=ct(commit)
dnl Head second: fragment field 0x0001 (offset 0, M set), 1272 bytes of UDP
dnl header + data; only now can the UDP ports be read.
3030 packet-out in_port=1, packet=50540000000A50540000000986DD6000000005002CFFFC000000000000000000000000000001FC0000000000000000000000000000021100000100000001000100020008267100010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203
040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090010203040506070809001020304050607080900102030405060708090010203040506070809001020304050607080900102030405060708090010203040506070, actions=ct(commit)
3033 AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
dnl Pass condition: the same single udp entry as the in-order test.
3035 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
3036 udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>)
3039 OVS_TRAFFIC_VSWITCHD_STOP
3042 AT_SETUP([conntrack - IPv6 fragmentation, multiple extension headers])
dnl Same UDP datagram as the previous tests, but each fragment now carries a
dnl Hop-by-Hop Options header (base next header 0x00) ahead of the Fragment
dnl header. The HBH header is 8 bytes: next header 0x2c, extension length 0,
dnl then six Pad1 bytes, so the IPv6 payload lengths grow by 8 to 0x0508 and
dnl 0x002c. This exercises the extension-header walk that must find the
dnl Fragment header before reassembly and the UDP header after it.
3044 OVS_TRAFFIC_VSWITCHD_START()
dnl Presumably relaxes the datapath's minimum accepted fragment size so that
dnl the short trailing fragment is not discarded -- see the macro.
3045 DPCTL_SET_MIN_FRAG_SIZE()
3047 ADD_NAMESPACES(at_ns0, at_ns1)
3049 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
3050 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
3052 # Add different extension headers
3053 AT_DATA([bundle.txt], [dnl
dnl Head: HBH (2c 00 + 6 x Pad1), then Fragment header 0x0001 (offset 0, M
dnl set), identification 0x00000001, then UDP sport 1, dport 2.
3054 packet-out in_port=1, packet=50540000000A50540000000986DD60000000050800FFFC000000000000000000000000000001FC0000000000000000000000000000022C00000000000000110000010000000100010002000826710001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405
0607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090010203040506070809001020304050607080900102030405060708090010203040506070809001020304050607080900102030405060708090010203040506070, actions=ct(commit)
dnl Tail: same HBH header, then Fragment header 0x04f8 (offset 1272, M clear)
dnl and 28 bytes of data.
3055 packet-out in_port=1, packet=50540000000a50540000000986dd60000000002c00fffc000000000000000000000000000001fc0000000000000000000000000000022c00000000000000110004f80000000100010002000800000001020304050607080900010203040506070809, actions=ct(commit)
3058 AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
dnl Pass condition: one udp entry on the reassembled 5-tuple.
3060 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
3061 udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>)
3064 OVS_TRAFFIC_VSWITCHD_STOP
3067 AT_SETUP([conntrack - IPv6 fragmentation, multiple extension headers + out of order])
dnl Hop-by-Hop + Fragment header variant with the fragments reversed: the
dnl 28-byte tail (offset 1272, M clear) arrives before the offset-0 head that
dnl carries the UDP header. Both fragments carry the 8-byte padding-only HBH
dnl header (next header 0x2c, length 0, six Pad1 bytes) before the Fragment
dnl header. Expected conntrack state is identical to the in-order variant.
3069 OVS_TRAFFIC_VSWITCHD_START()
dnl Presumably relaxes the datapath's minimum accepted fragment size so that
dnl the short fragment is not discarded -- see the macro.
3070 DPCTL_SET_MIN_FRAG_SIZE()
3072 ADD_NAMESPACES(at_ns0, at_ns1)
3074 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
3075 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
3077 # Add different extension headers
3078 AT_DATA([bundle.txt], [dnl
dnl Tail first: HBH, Fragment header 0x04f8 (offset 1272, M clear), 28 bytes.
3079 packet-out in_port=1, packet=50540000000a50540000000986dd60000000002c00fffc000000000000000000000000000001fc0000000000000000000000000000022c00000000000000110004f80000000100010002000800000001020304050607080900010203040506070809, actions=ct(commit)
dnl Head second: HBH, Fragment header 0x0001 (offset 0, M set), UDP header.
3080 packet-out in_port=1, packet=50540000000A50540000000986DD60000000050800FFFC000000000000000000000000000001FC0000000000000000000000000000022C00000000000000110000010000000100010002000826710001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405
0607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090010203040506070809001020304050607080900102030405060708090010203040506070809001020304050607080900102030405060708090010203040506070, actions=ct(commit)
3083 AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
dnl Pass condition: one udp entry on the reassembled 5-tuple.
3085 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
3086 udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>)
3089 OVS_TRAFFIC_VSWITCHD_STOP
3092 AT_SETUP([conntrack - IPv6 fragmentation, multiple extension headers 2])
dnl As the plain extension-header case, but the Hop-by-Hop header now carries
dnl a real option instead of pure padding: after two Pad1 bytes, a Router
dnl Alert option (type 0x05, length 2, value 0x0000). The header is still 8
dnl bytes (next header 0x2c, extension length 0), so the payload lengths stay
dnl 0x0508 and 0x002c. Checks that option contents inside the HBH header do
dnl not derail the walk to the Fragment header.
3094 OVS_TRAFFIC_VSWITCHD_START()
dnl Presumably relaxes the datapath's minimum accepted fragment size so that
dnl the short trailing fragment is not discarded -- see the macro.
3095 DPCTL_SET_MIN_FRAG_SIZE()
3097 ADD_NAMESPACES(at_ns0, at_ns1)
3099 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
3100 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
3102 # Add different extension headers
3103 AT_DATA([bundle.txt], [dnl
dnl Head: HBH "2c 00 00 00 05 02 00 00", Fragment header 0x0001 (offset 0,
dnl M set), identification 0x00000001, UDP sport 1, dport 2.
3104 packet-out in_port=1, packet=50540000000A50540000000986DD60000000050800FFFC000000000000000000000000000001FC0000000000000000000000000000022C00000005020000110000010000000100010002000826710001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405
0607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090010203040506070809001020304050607080900102030405060708090010203040506070809001020304050607080900102030405060708090010203040506070, actions=ct(commit)
dnl Tail: same HBH with Router Alert, Fragment header 0x04f8 (offset 1272,
dnl M clear), 28 bytes of data.
3105 packet-out in_port=1, packet=50540000000a50540000000986dd60000000002c00fffc000000000000000000000000000001fc0000000000000000000000000000022c00000005020000110004f80000000100010002000800000001020304050607080900010203040506070809, actions=ct(commit)
3108 AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
dnl Pass condition: one udp entry on the reassembled 5-tuple.
3110 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
3111 udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>)
3114 OVS_TRAFFIC_VSWITCHD_STOP
3117 AT_SETUP([conntrack - IPv6 fragmentation, multiple extension headers 2 + out of order])
dnl Router-Alert Hop-by-Hop variant with the fragments reversed: the 28-byte
dnl tail (offset 1272, M clear) is injected before the offset-0 head that
dnl carries the UDP header. Both fragments carry the 8-byte HBH header
dnl "2c 00 00 00 05 02 00 00" (two Pad1 bytes, then Router Alert type 0x05,
dnl length 2, value 0) before the Fragment header. Expected state is the same
dnl single udp entry as the in-order variant.
3119 OVS_TRAFFIC_VSWITCHD_START()
dnl Presumably relaxes the datapath's minimum accepted fragment size so that
dnl the short fragment is not discarded -- see the macro.
3120 DPCTL_SET_MIN_FRAG_SIZE()
3122 ADD_NAMESPACES(at_ns0, at_ns1)
3124 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
3125 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
3127 # Add different extension headers
3128 AT_DATA([bundle.txt], [dnl
dnl Tail first: HBH + Router Alert, Fragment header 0x04f8, 28 bytes.
3129 packet-out in_port=1, packet=50540000000a50540000000986dd60000000002c00fffc000000000000000000000000000001fc0000000000000000000000000000022c00000005020000110004f80000000100010002000800000001020304050607080900010203040506070809, actions=ct(commit)
dnl Head second: HBH + Router Alert, Fragment header 0x0001, UDP header.
3130 packet-out in_port=1, packet=50540000000A50540000000986DD60000000050800FFFC000000000000000000000000000001FC0000000000000000000000000000022C00000005020000110000010000000100010002000826710001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405
0607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090001020304050607080900010203040506070809000102030405060708090010203040506070809001020304050607080900102030405060708090010203040506070809001020304050607080900102030405060708090010203040506070, actions=ct(commit)
3133 AT_CHECK([ovs-ofctl bundle br0 bundle.txt])
dnl Pass condition: one udp entry on the reassembled 5-tuple.
3135 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
3136 udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>)
3139 OVS_TRAFFIC_VSWITCHD_STOP
3142 AT_SETUP([conntrack - Fragmentation over vxlan])
dnl ICMP echo through conntrack on a VXLAN overlay, where the inner packets
dnl are fragmented: the 1600- and 3200-byte pings below exceed a 1500-byte
dnl link MTU (presumably the veth default -- no MTU is configured here).
dnl Needs the local stack as tunnel endpoint, hence the skip guard.
3145 CHECK_CONNTRACK_LOCAL_STACK()
3147 OVS_TRAFFIC_VSWITCHD_START()
dnl br-underlay is a plain learning switch for the outer (172.31.1.0/24)
dnl traffic; br0 carries the overlay policy below.
3148 ADD_BR([br-underlay])
3149 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
3151 ADD_NAMESPACES(at_ns0)
3153 dnl Sending ping through conntrack
3154 AT_DATA([flows.txt], [dnl
dnl Default deny; ARP is the only traffic that bypasses conntrack.
3155 priority=1,action=drop
3156 priority=10,arp,action=normal
dnl ICMP arriving on port 1 (presumably the vxlan port added below) is
dnl committed to zone 9 and delivered to the local stack.
3157 priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
dnl ICMP from the local stack is only forwarded back out if zone 9 already
dnl holds the connection, so LOCAL cannot originate echo traffic toward the
dnl tunnel -- only answer it.
3158 priority=100,in_port=LOCAL,icmp,action=ct(table=1,zone=9)
3159 table=1,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
3162 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3164 dnl Set up underlay link from host into the namespace using veth pair.
3165 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
3166 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
3167 AT_CHECK([ip link set dev br-underlay up])
3169 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
3170 dnl linux device inside the namespace.
dnl OVS side: vxlan port at_vxlan0 on br0, remote 172.31.1.1, overlay address
dnl 10.1.1.100/24. Namespace side: kernel vxlan device at_vxlan1, remote
dnl 172.31.1.100, overlay 10.1.1.1/24, VNI 0, UDP port 4789.
3171 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
3172 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
3173 [id 0 dstport 4789])
3175 dnl First, check the underlay
3176 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3177 3 packets transmitted, 3 received, 0% packet loss, time 0ms
3180 dnl Okay, now check the overlay with different packet sizes
dnl Unfragmented first, then two sizes that must be fragmented inside the
dnl overlay; conntrack has to reassemble the inner ICMP before the
dnl +est check in table 1 can let the replies out.
3181 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3182 3 packets transmitted, 3 received, 0% packet loss, time 0ms
3184 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3185 3 packets transmitted, 3 received, 0% packet loss, time 0ms
3187 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3188 3 packets transmitted, 3 received, 0% packet loss, time 0ms
3191 OVS_TRAFFIC_VSWITCHD_STOP
3194 AT_SETUP([conntrack - IPv6 Fragmentation over vxlan])
dnl IPv6 variant of the previous test: the overlay addresses are fc00::2/96
dnl (OVS side) and fc00::1/96 (namespace side), the conntrack policy matches
dnl ipv6 instead of icmp, and Neighbour Discovery replaces ARP as the
dnl conntrack-bypassing control traffic. The underlay stays IPv4.
3197 CHECK_CONNTRACK_LOCAL_STACK()
3199 OVS_TRAFFIC_VSWITCHD_START()
3200 ADD_BR([br-underlay])
3201 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
3203 ADD_NAMESPACES(at_ns0)
3205 dnl Sending ping through conntrack
3206 AT_DATA([flows.txt], [dnl
dnl Default deny. IPv6 from port 1 (presumably the vxlan port) is committed
dnl to zone 9 and delivered to LOCAL; IPv6 from LOCAL goes back out only
dnl when zone 9 already holds the connection.
3207 priority=1,action=drop
3208 priority=100,in_port=1,ipv6,action=ct(commit,zone=9),LOCAL
3209 priority=100,in_port=LOCAL,ipv6,action=ct(table=1,zone=9)
3210 table=1,in_port=LOCAL,ct_state=+trk+est,ipv6,action=1
3212 dnl Neighbour Discovery
dnl NS/NA (ICMPv6 types 135/136) are switched without conntrack and without
dnl an in_port restriction. That is fine for this two-endpoint test, but a
dnl production policy would scope these to the ports that need them.
3213 priority=1000,icmp6,icmp_type=135,action=normal
3214 priority=1000,icmp6,icmp_type=136,action=normal
3217 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3219 dnl Set up underlay link from host into the namespace using veth pair.
3220 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
3221 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
3222 AT_CHECK([ip link set dev br-underlay up])
3224 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
3225 dnl linux device inside the namespace.
dnl VNI 0, UDP port 4789, as in the IPv4 test; only the overlay addresses
dnl differ.
3226 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], ["fc00::2/96"])
3227 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], ["fc00::1/96"],
3228 [id 0 dstport 4789])
3230 dnl Linux seems to take a little time to get its IPv6 stack in order (DAD on
3231 dnl the new addresses). Without waiting, we get occasional failures with the
3232 dnl following error: "connect: Cannot assign requested address".
dnl This probe ping also opens the zone-9 entry for the overlay flow.
3233 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
3235 dnl First, check the underlay
3236 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3237 3 packets transmitted, 3 received, 0% packet loss, time 0ms
3240 dnl Okay, now check the overlay with different packet sizes
dnl Unfragmented first, then two sizes that must be fragmented inside the
dnl overlay (1600/3200 bytes of payload, larger than a 1500-byte MTU).
3241 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3242 3 packets transmitted, 3 received, 0% packet loss, time 0ms
3244 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3245 3 packets transmitted, 3 received, 0% packet loss, time 0ms
3247 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3248 3 packets transmitted, 3 received, 0% packet loss, time 0ms
3251 OVS_TRAFFIC_VSWITCHD_STOP
3254 AT_SETUP([conntrack - resubmit to ct multiple times])
dnl A packet that reaches ct() twice in one pipeline pass. Table 0 resubmits
dnl every IP packet from port 1 to tables 1 and 2; each sends it to conntrack
dnl with table 3 as the recirculation target, and table 3 drops it. The
dnl bridge is in secure fail mode, so there is no implicit NORMAL flow and the
dnl 100% loss below is the intended outcome; the flow counters are the
dnl real check.
3257 OVS_TRAFFIC_VSWITCHD_START(
3258 [set-fail-mode br0 secure -- ])
3260 ADD_NAMESPACES(at_ns0, at_ns1)
3262 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
3263 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
3265 AT_DATA([flows.txt], [dnl
3266 table=0,priority=150,arp,action=normal
3267 table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)
3269 table=1,ip,action=ct(table=3)
3270 table=2,ip,action=ct(table=3)
3272 table=3,ip,action=drop
3275 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
3277 NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
3278 1 packets transmitted, 0 received, 100% packet loss, time 0ms
dnl One 98-byte echo request must show up once in tables 0, 1 and 2 but twice
dnl (n_packets=2, 196 bytes) in table 3: each ct() recirculates the packet
dnl independently rather than the second invocation being skipped or merged.
3281 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
3282 n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
3283 n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
3284 table=1, n_packets=1, n_bytes=98, ip actions=ct(table=3)
3285 table=2, n_packets=1, n_bytes=98, ip actions=ct(table=3)
3286 table=3, n_packets=2, n_bytes=196, ip actions=drop
3290 OVS_TRAFFIC_VSWITCHD_STOP
3293 AT_SETUP([conntrack - zone-based timeout policy])
dnl Per-zone conntrack timeout policies. All traffic is tracked in zone 5;
dnl only port 1 may open connections there (+trk+new is committed only for
dnl in_port=1) and port 2 may only answer established ones. ICMP is generated
dnl with ping, UDP with a packet-out that is resubmitted to table 0 so it
dnl takes the same pipeline as real in_port=1 traffic. The test then shortens
dnl the zone-5 timeouts to 1 second, checks that entries expire, and restores
dnl the defaults.
3295 CHECK_CONNTRACK_TIMEOUT()
3296 OVS_TRAFFIC_VSWITCHD_START()
3298 ADD_NAMESPACES(at_ns0, at_ns1)
3300 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
3301 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
3303 AT_DATA([flows.txt], [dnl
dnl Default deny; ARP bypasses conntrack.
3304 priority=1,action=drop
3305 priority=10,arp,action=normal
dnl Both ports are sent through zone 5; the ct state is evaluated in table 1.
3306 priority=100,in_port=1,ip,action=ct(zone=5, table=1)
3307 priority=100,in_port=2,ip,action=ct(zone=5, table=1)
dnl Port 2 -> port 1 only for established connections; port 1 -> port 2 may
dnl create new ones (commit) or use established ones.
3308 table=1,in_port=2,ip,ct_state=+trk+est,action=1
3309 table=1,in_port=1,ip,ct_state=+trk+new,action=ct(commit,zone=5),2
3310 table=1,in_port=1,ip,ct_state=+trk+est,action=2
3313 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3315 dnl Test with default timeout
3316 dnl The default udp_single and icmp_first timeouts are 30 seconds in
3317 dnl kernel DP, and 60 seconds in userspace DP.
3319 dnl Send ICMP and UDP traffic
3320 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3321 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl The injected frame is IPv4 10.1.1.1 -> 10.1.1.2 (20-byte header, total
dnl length 28, TTL 0, header checksum 0xa4cd) carrying UDP sport 1, dport 2,
dnl length 8, no payload. It is only switched, never routed, so the zero TTL
dnl presumably does not matter here. Injected at in_port=1 and resubmitted to
dnl table 0, it is committed by the +trk+new rule like any port-1 packet.
3323 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
dnl With default timeouts both entries are still present right after sending.
3327 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sort], [0], [dnl
3328 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=5
3329 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=5
3332 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
3334 dnl Shorten the udp_single and icmp_first timeout in zone 5
3335 dnl Userspace datapath uses udp_first and icmp_reply, and
3336 dnl kernel datapath uses udp_single and icmp_first
3337 VSCTL_ADD_DATAPATH_TABLE()
3339 dnl Creating more timeout policies
dnl Policies for zones 1..255 with every timeout set to the zone number,
dnl presumably to populate the policy table so the zone-5 lookup below is
dnl done among many entries rather than against a single one.
3340 for i in `seq 1 255`; do
3341 ovs-vsctl --may-exist add-zone-tp $DP_TYPE zone=$i udp_first=$i udp_single=$i icmp_first=$i icmp_reply=$i;
dnl Zone 5 is then pinned to 1 second for both datapath flavours' timer names.
3343 AT_CHECK([ovs-vsctl --may-exist add-zone-tp $DP_TYPE zone=5 udp_first=1 udp_single=1 icmp_first=1 icmp_reply=1])
3345 dnl Send ICMP and UDP traffic
3346 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3347 3 packets transmitted, 3 received, 0% packet loss, time 0ms
3349 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
dnl Entries are created normally under the short policy ...
3351 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sort], [0], [dnl
3352 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=5
3353 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=5
3356 dnl Wait until the timeouts expire.
3357 dnl We intend to wait a bit longer, because conntrack does not recycle the entry right after it is expired.
dnl ... and must be gone after the wait.
3360 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
3363 dnl Re-send ICMP and UDP traffic to test conntrack cache
dnl Second round on the same policy: a cached/stale policy must not resurrect
dnl the old timeouts.
3364 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3365 3 packets transmitted, 3 received, 0% packet loss, time 0ms
3367 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
3369 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sort], [0], [dnl
3370 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=5
3371 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=5
3374 dnl Wait until the timeouts expire.
3375 dnl We intend to wait a bit longer, because conntrack does not recycle the entry right after it is expired.
3378 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
3381 dnl Set the timeout policy to default again.
dnl Removing the zone-5 policy must fall back to the datapath defaults, so
dnl freshly created entries are visible again immediately after sending.
3382 AT_CHECK([ovs-vsctl del-zone-tp $DP_TYPE zone=5])
3384 dnl Send ICMP and UDP traffic
3385 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3386 3 packets transmitted, 3 received, 0% packet loss, time 0ms
3388 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
3392 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sort], [0], [dnl
3393 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=5
3394 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=5
3397 OVS_TRAFFIC_VSWITCHD_STOP
3400 dnl Check kernel datapath to make sure conntrack fills in L3 and L4
3401 dnl protocol information
3402 AT_SETUP([conntrack - fragment reassembly with L3 L4 protocol information])
3404 CHECK_L3L4_CONNTRACK_REASM()
3405 OVS_TRAFFIC_VSWITCHD_START()
3407 AT_DATA([flows.txt], [dnl
3411 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3413 AT_CHECK([ovs-ofctl packet-out br0 "packet=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"dnl
3414 "16161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161"dnl
3415 "61616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616"dnl
3416 "1616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161, actions=ct(table=1)"])
3418 AT_CHECK([ovs-ofctl packet-out br0 "packet=52540003287c525400444ab586dd6006f70602682c402001000100000000000000000000002020010001000000000000000000000010110005a834e88deb6161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616"dnl
3419 "161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161, actions=ct(table=1)"])
3421 AT_CHECK([ovs-ofctl packet-out br0 "packet=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"dnl
3422 "1616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161610a, actions=ct(table=1)"])
3424 AT_CHECK([ovs-appctl dpctl/dump-flows | head -2 | tail -1 | grep -q -e ["]udp[(]src=5001["]])
3426 OVS_TRAFFIC_VSWITCHD_STOP
3429 AT_BANNER([conntrack - L7])
3431 AT_SETUP([conntrack - IPv4 HTTP])
dnl Stateful TCP filtering over IPv4: connections opened from port 1 are
dnl committed to conntrack and forwarded, while TCP from port 2 is forwarded
dnl only when conntrack marks it as part of an established connection. An
dnl HTTP client behind port 2 must therefore be unable to reach port 1.
3433 OVS_TRAFFIC_VSWITCHD_START()
3435 ADD_NAMESPACES(at_ns0, at_ns1)
3437 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
3438 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
3440 dnl Allow any traffic from ns0->ns1. Only allow ARP, ICMP and return traffic from ns1->ns0.
3441 AT_DATA([flows.txt], [dnl
dnl Default deny; ARP and ICMP are passed through unconditionally.
3442 priority=1,action=drop
3443 priority=10,arp,action=normal
3444 priority=10,icmp,action=normal
dnl Outbound TCP: commit the connection so its reply direction matches +est.
3445 priority=100,in_port=1,tcp,action=ct(commit),2
dnl Inbound TCP: untracked packets are first sent through conntrack and
dnl re-evaluated in table 0; only +trk+est packets are forwarded, everything
dnl else (new connections from port 2) falls to the priority=1 drop.
3446 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
3447 priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
3450 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3452 OVS_START_L7([at_ns0], [http])
3453 OVS_START_L7([at_ns1], [http])
3455 dnl HTTP requests from ns0->ns1 should work fine.
3456 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The committed control connection must be visible in the conntrack table.
3457 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
3458 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3461 dnl HTTP requests from ns1->ns0 should fail due to network failure.
3462 dnl Try 3 times, in 1 second intervals.
dnl Exit status 4 is the wget "network failure" code; a connection refused
dnl (exit 4 as well, but retried) or a success would indicate the policy leaks.
3463 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 --retry-connrefused -v -o wget1.log], [4])
3465 OVS_TRAFFIC_VSWITCHD_STOP
3468 AT_SETUP([conntrack - IPv6 HTTP])
dnl IPv6 counterpart of the IPv4 HTTP test: TCP from port 1 is committed and
dnl forwarded, TCP from port 2 is forwarded only when +est, ICMPv6 (which
dnl carries neighbour discovery) is always allowed.
3470 OVS_TRAFFIC_VSWITCHD_START()
3472 ADD_NAMESPACES(at_ns0, at_ns1)
3474 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
3475 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
3477 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
3478 AT_DATA([flows.txt], [dnl
3479 priority=1,action=drop
dnl icmp6 must pass in both directions or neighbour discovery never completes.
3480 priority=10,icmp6,action=normal
dnl Outbound TCP is committed; inbound TCP is tracked and then only +est is
dnl forwarded, new connections from port 2 reach the priority=1 drop.
3481 priority=100,in_port=1,tcp6,action=ct(commit),2
3482 priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
3483 priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
3486 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3488 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
3489 dnl waiting, we get occasional failures due to the following error:
3490 dnl "connect: Cannot assign requested address"
3491 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
3493 OVS_START_L7([at_ns0], [http6])
3494 OVS_START_L7([at_ns1], [http6])
3496 dnl HTTP requests from ns0->ns1 should work fine.
3497 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
3498 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
3499 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3502 dnl HTTP requests from ns1->ns0 should fail due to network failure.
3503 dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 means network failure, i.e. the policy blocked it.
3504 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 --retry-connrefused -v -o wget1.log], [4])
3506 OVS_TRAFFIC_VSWITCHD_STOP
3509 AT_SETUP([conntrack - commit, recirc])
dnl Exercises ct(commit) combined with recirculation back into table 0,
dnl including a port that goes through conntrack twice. Note that the return
dnl paths only require +trk (not +est), so this test checks that traffic
dnl still flows through the recirculation pattern, not that it is filtered.
3511 OVS_TRAFFIC_VSWITCHD_START()
3513 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
3515 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
3516 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
3517 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
3518 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
3520 dnl Allow any traffic from ns0->ns1, ns2->ns3.
3521 AT_DATA([flows.txt], [dnl
3522 priority=1,action=drop
3523 priority=10,arp,action=normal
3524 priority=10,icmp,action=normal
dnl Pair p0/p1: commit on the first pass, forward on the recirculated pass.
3525 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
3526 priority=100,in_port=1,tcp,ct_state=+trk,action=2
3527 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
3528 priority=100,in_port=2,tcp,ct_state=+trk,action=1
dnl Pair p2/p3: port 3 passes through conntrack twice. metadata distinguishes
dnl the first recirculation (lookup only) from the second (commit); only the
dnl third pass, with metadata=1, outputs the packet.
3529 priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
3530 priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
3531 priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
3532 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
3533 priority=100,in_port=4,tcp,ct_state=+trk,action=3
3536 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3538 OVS_START_L7([at_ns1], [http])
3539 OVS_START_L7([at_ns3], [http])
3541 dnl HTTP requests from p0->p1 should work fine.
3542 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
3544 dnl HTTP requests from p2->p3 should work fine.
3545 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
3547 OVS_TRAFFIC_VSWITCHD_STOP
3550 AT_SETUP([conntrack - multiple zones, local])
dnl Traffic originating from the local stack (the br0 internal port, i.e.
dnl in_port=LOCAL) is committed into two conntrack zones at once; return
dnl traffic from ns0 must be established in both zone 1 and zone 2 before it
dnl is delivered back to the local stack.
3552 CHECK_CONNTRACK_LOCAL_STACK()
3553 OVS_TRAFFIC_VSWITCHD_START()
3555 ADD_NAMESPACES(at_ns0)
dnl Give br0 itself an address so the root namespace is the client.
3557 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
3558 AT_CHECK([ip link set dev br0 up])
dnl Remove the address on exit so a failed run does not leave it behind.
3559 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
3560 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
3562 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
3563 dnl return traffic from ns0 back to the local stack.
3564 AT_DATA([flows.txt], [dnl
3565 priority=1,action=drop
3566 priority=10,arp,action=normal
dnl Untracked IP from LOCAL is dropped: presumably packets from the local
dnl stack are expected to arrive already tracked by the host (see
dnl CHECK_CONNTRACK_LOCAL_STACK above) - confirm against the macro.
3567 priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
dnl New and established traffic from LOCAL is committed in both zones.
3568 priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
3569 priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
dnl Return path: lookup in zone 1, then zone 2; both must report +est,
dnl otherwise the packet never reaches the LOCAL output in table 2.
3570 priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
3571 table=1,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
3572 table=2,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
3575 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3577 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3578 3 packets transmitted, 3 received, 0% packet loss, time 0ms
3581 OVS_START_L7([at_ns0], [http])
3583 dnl HTTP requests from root namespace to p0 should work fine.
3584 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
3586 dnl (again) HTTP requests from root namespace to p0 should work fine.
3587 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Both the ICMP and the TCP connection must appear once per zone.
3589 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
3590 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
3591 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=2
3592 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
3593 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
3596 OVS_TRAFFIC_VSWITCHD_STOP
3599 AT_SETUP([conntrack - multi-stage pipeline, local])
dnl A five-table ingress/egress pipeline where the conntrack zone is taken
dnl from a field rather than a constant: the input port on ingress and the
dnl output port (held in REG0) on egress. The expected dump therefore shows
dnl zone=1 (port 1) and zone=65534 (the OpenFlow LOCAL port number).
3601 CHECK_CONNTRACK_LOCAL_STACK()
3602 OVS_TRAFFIC_VSWITCHD_START()
3604 ADD_NAMESPACES(at_ns0)
dnl br0 itself is the client; the address is removed again on exit.
3606 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
3607 AT_CHECK([ip link set dev br0 up])
3608 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
3609 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
3611 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
3612 dnl return traffic from ns0 back to the local stack.
3613 AT_DATA([flows.txt], [dnl
3615 table=0,priority=1,action=drop
3616 table=0,priority=10,arp,action=normal
3618 dnl Load the output port to REG0
dnl 65534 is OFPP_LOCAL, so traffic from port 1 is destined for the local stack.
3619 table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
3620 table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
3622 dnl Ingress pipeline
3623 dnl - Allow all connections from LOCAL port (commit and proceed to egress)
3624 dnl - All other connections go through conntracker using the input port as
3625 dnl a connection tracking zone.
3626 table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,table=2,zone=OXM_OF_IN_PORT[[0..15]])
3627 table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
3628 table=1,priority=1,action=drop
dnl Egress pipeline
3631 dnl - Allow all connections from LOCAL port (commit and skip to output)
3632 dnl - Allow other established connections to go through conntracker using
3633 dnl output port as a connection tracking zone.
3634 table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,table=4,zone=NXM_NX_REG0[[0..15]])
3635 table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
3636 table=2,priority=1,action=drop
3638 dnl Only allow established traffic from egress ct lookup
3639 table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
3640 table=3,priority=1,action=drop
dnl Output stage: the port recorded in REG0 in table 0.
3643 table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
3646 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3648 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3649 3 packets transmitted, 3 received, 0% packet loss, time 0ms
3652 OVS_START_L7([at_ns0], [http])
3654 dnl HTTP requests from root namespace to p0 should work fine.
3655 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
3657 dnl (again) HTTP requests from root namespace to p0 should work fine.
3658 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Each connection is committed twice: once in the ingress zone (1) and
dnl once in the egress zone (65534).
3660 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
3661 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
3662 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=65534
3663 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
3664 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=<cleared>)
3667 OVS_TRAFFIC_VSWITCHD_STOP
3670 AT_SETUP([conntrack - limit by zone])
dnl Per-zone connection limits: once a zone holds its configured number of
dnl entries, further connections are not committed. This is the mechanism
dnl that keeps one tenant or port from filling the whole conntrack table.
3672 OVS_TRAFFIC_VSWITCHD_START()
3674 ADD_NAMESPACES(at_ns0, at_ns1)
3676 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
3677 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
3679 AT_DATA([flows.txt], [dnl
3680 priority=1,action=drop
3681 priority=10,arp,action=normal
dnl Port 1 commits into the default zone (0), port 2 into zone 3.
3682 priority=100,in_port=1,udp,action=ct(commit),2
3683 priority=100,in_port=2,udp,action=ct(zone=3,commit),1
3686 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl default=10 applies to every zone without an explicit limit.
3688 AT_CHECK([ovs-appctl dpctl/ct-set-limits default=10 zone=0,limit=5 zone=1,limit=15 zone=2,limit=3 zone=3,limit=3])
dnl Deleting a per-zone limit makes that zone fall back to the default
dnl (zone 1 and 2 report limit=10 below, not 15 and 3).
3689 AT_CHECK([ovs-appctl dpctl/ct-del-limits zone=1,2,4])
3690 AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=0,1,2,3], [],[dnl
3692 zone=0,limit=5,count=0
3693 zone=1,limit=10,count=0
3694 zone=2,limit=10,count=0
3695 zone=3,limit=3,count=0
3698 dnl Test UDP from port 1
dnl Nine UDP packets from 10.1.1.1 to 10.1.1.2 that differ only in the
dnl destination port, i.e. nine distinct connections in zone 0 (limit 5).
3699 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
3700 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000300080000 actions=resubmit(,0)"])
3701 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000400080000 actions=resubmit(,0)"])
3702 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000500080000 actions=resubmit(,0)"])
3703 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000600080000 actions=resubmit(,0)"])
3704 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000700080000 actions=resubmit(,0)"])
3705 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000800080000 actions=resubmit(,0)"])
3706 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000900080000 actions=resubmit(,0)"])
3707 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000a00080000 actions=resubmit(,0)"])
dnl Only five of the nine connections were admitted into zone 0; zones that
dnl were never configured (4, 5) still report the default limit.
3709 AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=0,1,2,3,4,5], [0], [dnl
3711 zone=0,limit=5,count=5
3712 zone=1,limit=10,count=0
3713 zone=2,limit=10,count=0
3714 zone=3,limit=3,count=0
3715 zone=4,limit=10,count=0
3716 zone=5,limit=10,count=0
3719 dnl Test ct-get-limits for all zones
dnl Without a zone argument only zones with an explicitly set limit are listed.
3720 AT_CHECK([ovs-appctl dpctl/ct-get-limits], [0], [dnl
3722 zone=0,limit=5,count=5
3723 zone=3,limit=3,count=0
dnl The first five connections (dport 2..6) exist; dport 7..10 were refused.
3726 AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.1," | sort ], [0], [dnl
3727 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),reply=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1)
3728 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=3),reply=(src=10.1.1.2,dst=10.1.1.1,sport=3,dport=1)
3729 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=4),reply=(src=10.1.1.2,dst=10.1.1.1,sport=4,dport=1)
3730 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=5),reply=(src=10.1.1.2,dst=10.1.1.1,sport=5,dport=1)
3731 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=6),reply=(src=10.1.1.2,dst=10.1.1.1,sport=6,dport=1)
3734 dnl Test UDP from port 2
dnl Five connections from 10.1.1.3 to 10.1.1.4 into zone 3 (limit 3).
3735 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4c90a0101030a0101040001000200080000 actions=resubmit(,0)"])
3736 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4c90a0101030a0101040001000300080000 actions=resubmit(,0)"])
3737 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4c90a0101030a0101040001000400080000 actions=resubmit(,0)"])
3738 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4c90a0101030a0101040001000500080000 actions=resubmit(,0)"])
3739 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=2 packet=50540000000a50540000000908004500001c000000000011a4c90a0101030a0101040001000600080000 actions=resubmit(,0)"])
3741 AT_CHECK([ovs-appctl dpctl/ct-get-limits zone=0,3], [0], [dnl
3743 zone=0,limit=5,count=5
3744 zone=3,limit=3,count=3
3747 AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "orig=.src=10\.1\.1\.3," | sort ], [0], [dnl
3748 udp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=1,dport=2),reply=(src=10.1.1.4,dst=10.1.1.3,sport=2,dport=1),zone=3
3749 udp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=1,dport=3),reply=(src=10.1.1.4,dst=10.1.1.3,sport=3,dport=1),zone=3
3750 udp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=1,dport=4),reply=(src=10.1.1.4,dst=10.1.1.3,sport=4,dport=1),zone=3
dnl Log lines filtered here are presumably what the datapath emits when a
dnl commit is refused by the zone limit; they are expected, not a failure.
3753 OVS_TRAFFIC_VSWITCHD_STOP(["dnl
3754 /could not create datapath/d
3755 /(Cannot allocate memory) on packet/d"])
3758 AT_SETUP([FTP - no conntrack])
dnl Baseline for the FTP tests below: with a single action=normal flow and no
dnl conntrack involved at all, an active-mode FTP transfer must succeed.
3759 AT_SKIP_IF([test $HAVE_FTP = no])
3760 OVS_TRAFFIC_VSWITCHD_START()
3762 ADD_NAMESPACES(at_ns0, at_ns1)
3764 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
3765 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
3767 AT_DATA([flows.txt], [dnl
3768 table=0,action=normal
3771 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])
dnl The FTP servers are started directly rather than via OVS_START_L7, and
dnl the test waits until the one in at_ns1 is actually listening.
3773 NETNS_DAEMONIZE([at_ns0], [[$PYTHON3 $srcdir/test-l7.py ftp]], [ftp1.pid])
3774 NETNS_DAEMONIZE([at_ns1], [[$PYTHON3 $srcdir/test-l7.py ftp]], [ftp0.pid])
3775 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
3777 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode, where the server opens the data
dnl connection back to the client.
3778 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Presumably verifies that the fetched listing was written as index.html;
dnl the expected output of this check is not visible in this listing.
3780 AT_CHECK([find -name index.html], [0], [dnl
3784 OVS_TRAFFIC_VSWITCHD_STOP
3787 AT_SETUP([conntrack - FTP])
dnl FTP through a stateful firewall using the ftp ALG. Three flow sets are
dnl tried: flows1 (permissive outbound, ALG on), flows2 (explicit per-state
dnl rules, ALG on) and flows3 (same as flows1 but without the ALG). Without
dnl the ALG the server-initiated active-mode data connection has no
dnl related entry to match and the transfer must fail.
3788 AT_SKIP_IF([test $HAVE_FTP = no])
3790 CHECK_CONNTRACK_ALG()
3791 OVS_TRAFFIC_VSWITCHD_START()
3793 ADD_NAMESPACES(at_ns0, at_ns1)
3795 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
3796 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
3798 dnl Allow any traffic from ns0->ns1. Only allow ARP, ICMP and return traffic from ns1->ns0.
3799 AT_DATA([flows1.txt], [dnl
3800 table=0,priority=1,action=drop
3801 table=0,priority=10,arp,action=normal
3802 table=0,priority=10,icmp,action=normal
dnl alg=ftp attaches the FTP helper to the committed control connection so
dnl that data connections it announces are matched as +rel on the way back.
3803 table=0,priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
3804 table=0,priority=100,in_port=2,tcp,action=ct(table=1)
3805 table=1,in_port=2,tcp,ct_state=+trk+est,action=1
3806 table=1,in_port=2,tcp,ct_state=+trk+rel,action=1
3809 dnl Similar policy but without allowing all traffic from ns0->ns1.
3810 AT_DATA([flows2.txt], [dnl
3811 table=0,priority=1,action=drop
3812 table=0,priority=10,arp,action=normal
3813 table=0,priority=10,icmp,action=normal
3815 dnl Allow outgoing TCP connections, and treat them as FTP
3816 table=0,priority=100,in_port=1,tcp,action=ct(table=1)
3817 table=1,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
3818 table=1,in_port=1,tcp,ct_state=+trk+est,action=2
3820 dnl Allow incoming FTP data connections and responses to existing connections
dnl A new inbound connection is committed only when it is +rel, i.e. it was
dnl announced over an existing FTP control connection.
3821 table=0,priority=100,in_port=2,tcp,action=ct(table=1)
3822 table=1,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
3823 table=1,in_port=2,tcp,ct_state=+trk+est,action=1
3824 table=1,in_port=2,tcp,ct_state=+trk-new+rel,action=1
3827 dnl flows3 is same as flows1, except no ALG is specified.
3828 AT_DATA([flows3.txt], [dnl
3829 table=0,priority=1,action=drop
3830 table=0,priority=10,arp,action=normal
3831 table=0,priority=10,icmp,action=normal
3832 table=0,priority=100,in_port=1,tcp,action=ct(commit),2
3833 table=0,priority=100,in_port=2,tcp,action=ct(table=1)
3834 table=1,in_port=2,tcp,ct_state=+trk+est,action=1
3835 table=1,in_port=2,tcp,ct_state=+trk+rel,action=1
3838 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
3840 OVS_START_L7([at_ns0], [ftp])
3841 OVS_START_L7([at_ns1], [ftp])
3843 dnl FTP requests from p1->p0 should fail due to network failure.
3844 dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 is network failure; no entry for 10.1.1.1 may exist.
3845 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
3846 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
3849 dnl FTP requests from p0->p1 should work fine.
3850 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The control connection carries helper=ftp.
3851 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
3852 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
3855 dnl Try the second set of flows.
dnl Flush so entries left over from flows1 cannot make the next checks pass.
3856 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
3857 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
3859 dnl FTP requests from p1->p0 should fail due to network failure.
3860 dnl Try 3 times, in 1 second intervals.
3861 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
3862 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
3865 dnl Active FTP requests from p0->p1 should work fine.
3866 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
dnl Two entries: the control connection (helper=ftp) and the server-initiated
dnl data connection from 10.1.1.2, which was admitted as +rel.
3867 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
3868 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
3869 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3872 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
3874 dnl Passive FTP requests from p0->p1 should work fine.
dnl In passive mode the client opens the data connection itself from port 1.
3875 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
3876 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
3877 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
3880 dnl Try the third set of flows, without alg specifier.
3881 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows3.txt])
3882 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
3884 dnl FTP control requests from p0->p1 should work fine, but helper will not be assigned.
dnl Without the helper the active-mode data connection is never +rel, so the
dnl transfer fails (wget exit 4) and the dump shows no helper=ftp.
3885 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-3.log], [4])
3886 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
3887 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3890 OVS_TRAFFIC_VSWITCHD_STOP
3893 AT_SETUP([conntrack - FTP over IPv6])
dnl Active-mode FTP over IPv6 with the ftp ALG: the control connection from
dnl port 1 is committed with the helper, and the data connection the server
dnl opens from port 2 is admitted only because it is +rel to it.
3894 AT_SKIP_IF([test $HAVE_FTP = no])
3896 CHECK_CONNTRACK_ALG()
3897 OVS_TRAFFIC_VSWITCHD_START()
3899 ADD_NAMESPACES(at_ns0, at_ns1)
3901 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
3902 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
3904 dnl Allow any traffic from ns0->ns1.
3905 dnl Only allow nd, return traffic from ns1->ns0.
3906 AT_DATA([flows.txt], [dnl
3907 dnl Track all IPv6 traffic and drop the rest.
3908 dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
3909 table=0 priority=100 in_port=1 icmp6, action=2
3910 table=0 priority=100 in_port=2 icmp6, action=1
3911 table=0 priority=10 ip6, action=ct(table=1)
3912 table=0 priority=0 action=drop
3916 dnl Allow new TCPv6 FTP control connections from port 1.
dnl Only port 21 may be opened from port 1; any other new TCP is dropped.
3917 table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
3918 dnl Allow related TCPv6 connections from port 2.
3919 table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
3920 dnl Allow established TCPv6 connections both ways.
3921 table=1 in_port=1 ct_state=+est, tcp6, action=2
3922 table=1 in_port=2 ct_state=+est, tcp6, action=1
3923 dnl Drop everything else.
3924 table=1 priority=0, action=drop
3927 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3929 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
3930 dnl waiting, we get occasional failures due to the following error:
3931 dnl "connect: Cannot assign requested address"
3932 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
3934 OVS_START_L7([at_ns1], [ftp])
3936 dnl FTP requests from p0->p1 should work fine.
3937 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
3939 dnl Discards CLOSE_WAIT and CLOSING
dnl Expected: the control connection (helper=ftp) plus the server-initiated
dnl data connection from fc00::2.
3940 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
3941 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
3942 tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
3945 OVS_TRAFFIC_VSWITCHD_STOP
3948 AT_SETUP([conntrack - IPv6 FTP Passive])
dnl Passive-mode FTP over IPv6 with the ftp ALG. Here the client on port 1
dnl opens the data connection, so the +rel rule is on port 1 and nothing new
dnl is ever admitted from port 2.
3949 AT_SKIP_IF([test $HAVE_FTP = no])
3951 CHECK_CONNTRACK_ALG()
3952 OVS_TRAFFIC_VSWITCHD_START()
3954 ADD_NAMESPACES(at_ns0, at_ns1)
dnl Fixed MAC addresses and static neighbour entries on both sides;
dnl presumably to avoid depending on neighbour discovery during the test -
dnl confirm if this setup is changed.
3956 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
3957 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
3958 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
3959 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:99])
3960 NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::2 lladdr 80:88:88:88:88:99 dev p0])
3961 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::1 lladdr 80:88:88:88:88:88 dev p1])
3963 dnl Allow any traffic from ns0->ns1.
3964 dnl Only allow nd, return traffic from ns1->ns0.
3965 AT_DATA([flows.txt], [dnl
3966 dnl Track all IPv6 traffic and drop the rest.
3967 dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
3968 table=0 priority=100 in_port=1 icmp6, action=2
3969 table=0 priority=100 in_port=2 icmp6, action=1
3970 table=0 priority=10 ip6, action=ct(table=1)
3971 table=0 priority=0 action=drop
3975 dnl Allow new TCPv6 FTP control connections from port 1.
3976 table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
3977 dnl Allow related TCPv6 connections from port 1.
dnl This is the passive-mode data connection announced by the server.
3978 table=1 in_port=1 ct_state=+new+rel, tcp6, action=ct(commit),2
3979 dnl Allow established TCPv6 connections both ways.
3980 table=1 in_port=1 ct_state=+est, tcp6, action=2
3981 table=1 in_port=2 ct_state=+est, tcp6, action=1
3982 dnl Drop everything else.
3983 table=1 priority=0, action=drop
3986 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
3988 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
3989 dnl waiting, we get occasional failures due to the following error:
3990 dnl "connect: Cannot assign requested address"
3991 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
3993 OVS_START_L7([at_ns1], [ftp])
3995 dnl FTP passive requests from p0->p1 should work fine.
3996 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
3998 dnl Discards CLOSE_WAIT and CLOSING
dnl Both entries originate from fc00::1: the data connection (no helper) and
dnl the control connection (helper=ftp).
3999 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
4000 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
4001 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
4004 OVS_TRAFFIC_VSWITCHD_STOP
4007 AT_SETUP([conntrack - FTP with multiple expectations])
dnl Two conntrack zones sit back to back between the namespaces. Every FTP
dnl control connection is committed in both zones, and the ALG must create the
dnl data-connection expectation in both of them, for active and passive mode.
dnl Port 1 is p0 in at_ns0 and port 2 is p1 in at_ns1; the comments inside
dnl the flow table below call these ns1 and ns2.
4008 AT_SKIP_IF([test $HAVE_FTP = no])
4010 CHECK_CONNTRACK_ALG()
4011 OVS_TRAFFIC_VSWITCHD_START()
4013 ADD_NAMESPACES(at_ns0, at_ns1)
4015 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
4016 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
4018 dnl Dual-firewall, allow all from ns1->ns2, allow established and ftp ns2->ns1.
4019 AT_DATA([flows.txt], [dnl
4020 table=0,priority=1,action=drop
4021 table=0,priority=10,arp,action=normal
4022 table=0,priority=10,icmp,action=normal
4024 dnl Traffic from ns1
dnl New connections that are not related to an existing one get the FTP ALG
dnl attached in both zones. New related (data) connections are committed in
dnl both zones without the ALG. Established traffic is re-checked in zone 2.
4025 table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1)
4026 table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new-rel,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
4027 table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new+rel,action=ct(commit,zone=1),ct(commit,zone=2),2
4028 table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,zone=2)
4029 table=2,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
4031 dnl Traffic from ns2
dnl Nothing here commits a connection that port 2 initiates: only related or
dnl established traffic matches, anything else falls through table 1 unmatched
dnl and is not forwarded.
4032 table=0,priority=100,in_port=2,tcp,action=ct(table=1,zone=2)
4033 table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
4034 table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,zone=1)
4035 table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
4036 table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
4039 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4041 OVS_START_L7([at_ns0], [ftp])
4042 OVS_START_L7([at_ns1], [ftp])
4044 dnl FTP requests from p1->p0 should fail due to network failure.
4045 dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 is a network failure. The dump that follows must not
dnl list any entry for 10.1.1.1: the rejected direction is never committed.
4046 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
4047 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
4050 dnl Active FTP requests from p0->p1 should work fine.
dnl In active mode the server opens the data connection, so it shows up with
dnl orig src=10.1.1.2 in each zone; only the control connection carries
dnl helper=ftp. Four entries in total: control and data, once per zone.
4051 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
4052 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
4053 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
4054 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
4055 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
4056 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
4059 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
4061 dnl Passive FTP requests from p0->p1 should work fine.
dnl The table was flushed above so that only the entries of this transfer are
dnl seen. In passive mode the client opens the data connection, so both
dnl entries per zone have orig src=10.1.1.1 and the data one has no helper.
4062 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
4063 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
4064 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
4065 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
4066 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
4067 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
4070 OVS_TRAFFIC_VSWITCHD_STOP
4073 AT_SETUP([conntrack - TFTP])
dnl The TFTP server answers from a fresh ephemeral port, so without the ALG the
dnl data flow would look like a new, unrelated UDP flow from ns1. Two flow
dnl tables are tried: one that trusts all UDP from ns0, and a stricter one that
dnl commits outgoing connections per ct_state.
4074 AT_SKIP_IF([test $HAVE_TFTP = no])
4076 CHECK_CONNTRACK_ALG()
4077 OVS_TRAFFIC_VSWITCHD_START()
4079 ADD_NAMESPACES(at_ns0, at_ns1)
4081 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
4082 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
4084 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl This is an IPv4 setup: apart from ARP and ICMP, port 2 only gets
dnl established or related UDP back to port 1.
4085 AT_DATA([flows1.txt], [dnl
4086 table=0,priority=1,action=drop
4087 table=0,priority=10,arp,action=normal
4088 table=0,priority=10,icmp,action=normal
4089 table=0,priority=100,in_port=1,udp,action=ct(alg=tftp,commit),2
4090 table=0,priority=100,in_port=2,udp,action=ct(table=1)
4091 table=1,in_port=2,udp,ct_state=+trk+est,action=1
4092 table=1,in_port=2,udp,ct_state=+trk+rel,action=1
4095 dnl Similar policy but without allowing all traffic from ns0->ns1.
4096 AT_DATA([flows2.txt], [dnl
4097 table=0,priority=1,action=drop
4098 table=0,priority=10,arp,action=normal
4099 table=0,priority=10,icmp,action=normal
4101 dnl Allow outgoing UDP connections, and treat them as TFTP
dnl Only genuinely new flows get the ALG; new flows that are already related to
dnl an expectation are committed plainly.
4102 table=0,priority=100,in_port=1,udp,action=ct(table=1)
4103 table=1,in_port=1,udp,ct_state=+trk+new-rel,action=ct(commit,alg=tftp),2
4104 table=1,in_port=1,udp,ct_state=+trk+new+rel,action=ct(commit),2
4105 table=1,in_port=1,udp,ct_state=+trk+est,action=2
4107 dnl Allow incoming TFTP data connections and responses to existing connections
dnl The data flow from the server is a new flow that the ALG expectation marks
dnl as related; +trk+new+rel admits it without committing it.
4108 table=0,priority=100,in_port=2,udp,action=ct(table=1)
4109 table=1,in_port=2,udp,ct_state=+trk+est,action=1
4110 table=1,in_port=2,udp,ct_state=+trk+new+rel,action=1
4113 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
4115 OVS_START_L7([at_ns0], [tftp])
4116 OVS_START_L7([at_ns1], [tftp])
4118 dnl TFTP requests from p1->p0 should fail due to network failure.
dnl curl exit status 28 is an operation timeout. No entry for 10.1.1.1 may be
dnl left behind, since nothing commits a flow that port 2 initiates.
4119 NS_CHECK_EXEC([at_ns1], [[curl $CURL_OPT tftp://10.1.1.1/flows1.txt -o foo 2>curl0.log]], [28])
4120 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
4123 dnl TFTP requests from p0->p1 should work fine.
dnl Exactly one entry, with helper=tftp, is expected: the data flow is admitted
dnl as related and never committed on its own.
4124 NS_CHECK_EXEC([at_ns0], [[curl $CURL_OPT tftp://10.1.1.2/flows1.txt -o foo 2>curl1.log]])
4125 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
4126 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),helper=tftp
4129 dnl Try the second set of flows.
dnl Flush so that the stricter table is exercised from a clean conntrack state.
4130 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
4131 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
4133 dnl TFTP requests from p1->p0 should fail due to network failure.
4134 NS_CHECK_EXEC([at_ns1], [[curl $CURL_OPT tftp://10.1.1.1/flows1.txt -o foo 2>curl2.log]], [28])
4135 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
4138 dnl TFTP requests from p0->p1 should work fine.
4139 NS_CHECK_EXEC([at_ns0], [[curl $CURL_OPT tftp://10.1.1.2/flows1.txt -o foo 2>curl3.log]])
4140 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
4141 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),helper=tftp
4144 OVS_TRAFFIC_VSWITCHD_STOP
4147 AT_BANNER([conntrack - NAT])
4149 AT_SETUP([conntrack - simple SNAT])
dnl Traffic from ns0 is source-NATed into the pool 10.1.1.240-10.1.1.255 before
dnl it reaches ns1. No interface owns those addresses, so an ARP responder in
dnl the flow table answers for the pool with the MAC assigned to p0 below.
4151 CHECK_CONNTRACK_NAT()
4152 OVS_TRAFFIC_VSWITCHD_START()
4154 ADD_NAMESPACES(at_ns0, at_ns1)
4156 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl 80:88:88:88:88:88 is the value table 8 loads as 0x808888888888.
4157 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
4158 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
4160 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
4161 AT_DATA([flows.txt], [dnl
4162 in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
dnl Untracked packets from port 2 go through conntrack with nat so that replies
dnl to a translated connection get their destination restored, then re-enter
dnl table 0 as tracked packets.
4163 in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
dnl Note that +trk also matches new connections, so this flow does not on its
dnl own restrict ns1 to return traffic; the test is about NAT reversal. The
dnl more complex SNAT test uses ct_state=+trk-new+est for a strict policy.
4164 in_port=2,ct_state=+trk,ct_zone=1,ip,action=1
4167 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4168 priority=10 arp action=normal
4169 priority=0,action=drop
4171 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl The mask covers the whole NAT pool, 10.1.1.240/28.
4172 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
4173 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
4174 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
4176 dnl Swaps the fields of the ARP message to turn a query to a response.
4177 table=10 priority=100 arp xreg0=0 action=normal
4178 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
4179 table=10 priority=0 action=drop
4182 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4184 dnl HTTP requests from p0->p1 should work fine.
4185 OVS_START_L7([at_ns1], [http])
4186 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl Which pool address was picked for the reply direction is not
dnl deterministic, so sed rewrites it to 10.1.1.2XX before comparing.
4188 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl
4189 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
4192 OVS_TRAFFIC_VSWITCHD_STOP
4195 AT_SETUP([conntrack - SNAT with ct_mark change on reply])
dnl Regression test: a reply packet is reverse-NATed and then committed again
dnl with a new ct_mark. The flow table has no ARP handling at all (only ip
dnl flows and a drop), so both namespaces get static ARP entries; the one in
dnl ns1 points the NAT address 10.1.1.240 at the MAC of p0.
4197 CHECK_CONNTRACK_NAT()
4198 OVS_TRAFFIC_VSWITCHD_START()
4200 ADD_NAMESPACES(at_ns0, at_ns1)
4202 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
4203 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
4204 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
4206 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
4207 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
4208 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.240 e6:66:c1:11:11:11])
4210 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
4211 AT_DATA([flows.txt], [dnl
dnl A single NAT address this time, so the reply destination is predictable.
4212 in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240)),2
4213 in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
4215 dnl Setting the mark fails if the datapath can't find the existing conntrack
4216 dnl entry after NAT has been reversed and the skb was lost due to an upcall.
dnl The re-commit below must locate the same entry that the nat action just
dnl un-translated; table 1 then only forwards replies that carry the new mark.
4218 in_port=2,ct_state=+trk,ct_zone=1,ip,action=ct(table=1,commit,zone=1,exec(set_field:1->ct_mark)),1
4219 table=1,in_port=2,ct_mark=1,ct_state=+rpl,ct_zone=1,ip,action=1
4221 priority=0,action=drop
4224 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4226 dnl ICMP requests from p0->p1 should work fine.
dnl One ping is enough: the dump must show mark=1 on the single icmp entry.
4227 NS_CHECK_EXEC([at_ns0], [ping -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
4228 1 packets transmitted, 1 received, 0% packet loss, time 0ms
4231 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
4232 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.2XX,id=<cleared>,type=0,code=0),zone=1,mark=1
4235 OVS_TRAFFIC_VSWITCHD_STOP
4238 AT_SETUP([conntrack - SNAT with port range])
dnl Source NAT with a two-port range (34567-34568) on top of the address pool.
dnl The reply direction only admits TCP to those two ports, so anything else
dnl sent towards the pool from port 2 hits the priority=0 drop.
4240 CHECK_CONNTRACK_NAT()
4241 OVS_TRAFFIC_VSWITCHD_START()
4243 ADD_NAMESPACES(at_ns0, at_ns1)
4245 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl 80:88:88:88:88:88 is the value table 8 loads as 0x808888888888.
4246 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
4247 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
4249 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
4250 AT_DATA([flows.txt], [dnl
dnl random requests randomized rather than hash-based port selection.
4251 in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:34567-34568,random)),2
4252 in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
4253 in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
4254 in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
4257 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4258 priority=10 arp action=normal
4259 priority=0,action=drop
4261 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl The mask covers the whole NAT pool, 10.1.1.240/28.
4262 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
4263 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
4264 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
4266 dnl Swaps the fields of the ARP message to turn a query to a response.
4267 table=10 priority=100 arp xreg0=0 action=normal
4268 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
4269 table=10 priority=0 action=drop
4272 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4274 dnl HTTP requests from p0->p1 should work fine.
4275 OVS_START_L7([at_ns1], [http])
4276 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The chosen pool address is rewritten to 10.1.1.2XX; the chosen port is
dnl already cleared by FORMAT_CT.
4278 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl
4279 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
4282 OVS_TRAFFIC_VSWITCHD_STOP
4285 AT_SETUP([conntrack - SNAT with port range using ICMP])
4286 dnl Check PAT is not attempted on ICMP packets causing corrupted packets.
dnl The nat spec carries a port (:20000) that only makes sense for TCP/UDP.
dnl For the ping below the address must still be translated while the port
dnl part is ignored; the expected dump is a clean echo request/reply pair.
4288 CHECK_CONNTRACK_NAT()
4289 OVS_TRAFFIC_VSWITCHD_START()
4291 ADD_NAMESPACES(at_ns0, at_ns1)
4293 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl 80:88:88:88:88:88 is the value table 8 loads as 0x808888888888.
4294 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
4295 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
4297 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
4298 AT_DATA([flows.txt], [dnl
4299 in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:20000)),2
4300 in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
dnl Unlike the other SNAT tests this return flow has no ip match; it is still
dnl limited to packets tracked in zone 1.
4301 in_port=2,ct_state=+trk,ct_zone=1,action=1
4304 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4305 priority=10 arp action=normal
4306 priority=0,action=drop
4308 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl The mask covers the whole NAT pool, 10.1.1.240/28.
4309 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
4310 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
4311 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
4313 dnl Swaps the fields of the ARP message to turn a query to a response.
4314 table=10 priority=100 arp xreg0=0 action=normal
4315 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
4316 table=10 priority=0 action=drop
4319 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4321 dnl ICMP requests from p0->p1 should work fine.
dnl A corrupted packet would not be answered, so the ping itself is the check;
dnl the dump then confirms the reply was addressed to a pool address.
4322 NS_CHECK_EXEC([at_ns0], [ping -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
4323 1 packets transmitted, 1 received, 0% packet loss, time 0ms
4326 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
4327 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.2XX,id=<cleared>,type=0,code=0),zone=1
4330 OVS_TRAFFIC_VSWITCHD_STOP
4333 AT_SETUP([conntrack - SNAT with port range with exhaustion])
dnl The NAT pool is a single address and a single port, so exactly one
dnl connection can be translated at a time. The first wget succeeds; the
dnl second must fail with exit status 4 because the entry left by the first
dnl connection still occupies the only tuple. This is the failure mode a
dnl small pool shows under load, and the datapath logs it as a possible DoS
dnl and points at firewalling or zone partitioning as the mitigation.
4335 CHECK_CONNTRACK_NAT()
4336 OVS_TRAFFIC_VSWITCHD_START()
4338 ADD_NAMESPACES(at_ns0, at_ns1)
4340 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl 80:88:88:88:88:88 is the value table 8 loads as 0x808888888888.
4341 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
4342 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
4344 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
4345 AT_DATA([flows.txt], [dnl
dnl One address, one port: the tuple space has size one.
4346 in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240:34568,random)),2
dnl Port 34567 is never chosen by the nat spec above; the flow for it only
dnl mirrors the port range test and can never be hit by legitimate replies.
4347 in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
4348 in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
4349 in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
4352 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4353 priority=10 arp action=normal
4354 priority=0,action=drop
4356 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
4357 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
4358 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
4359 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
4361 dnl Swaps the fields of the ARP message to turn a query to a response.
4362 table=10 priority=100 arp xreg0=0 action=normal
4363 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
4364 table=10 priority=0 action=drop
4367 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4369 dnl HTTP requests from p0->p1 should work fine.
4370 OVS_START_L7([at_ns1], [http])
dnl Single attempt each (-t 1) so the second request reports failure promptly
dnl instead of retrying against the exhausted pool.
4371 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 1 -T 1 --retry-connrefused -v -o wget0.log])
4373 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 1 -T 1 --retry-connrefused -v -o wget0.log], [4])
dnl Only the first connection was ever translated, so after uniq a single
dnl entry is expected.
4375 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl
4376 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
dnl The two sed expressions remove the expected exhaustion warning and the
dnl rate-limit summary from the log so the shutdown log check does not flag
dnl them; any other warning still fails the test.
4379 OVS_TRAFFIC_VSWITCHD_STOP(["dnl
4380 /Unable to NAT due to tuple space exhaustion - if DoS attack, use firewalling and\/or zone partitioning./d
4381 /Dropped .* log messages in last .* seconds \(most recently, .* seconds ago\) due to excessive rate/d"])
4384 AT_SETUP([conntrack - more complex SNAT])
dnl Same SNAT pool as the simple test, but conntrack runs first for all IP
dnl traffic in table 0 and table 1 decides per ct_state: only +new from port 1
dnl is committed and translated, and port 2 is limited to +est. This is the
dnl strict form of the policy the simple SNAT test only approximates.
4386 CHECK_CONNTRACK_NAT()
4387 OVS_TRAFFIC_VSWITCHD_START()
4389 ADD_NAMESPACES(at_ns0, at_ns1)
4391 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl 80:88:88:88:88:88 is the value table 8 loads as 0x808888888888.
4392 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
4393 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
4395 AT_DATA([flows.txt], [dnl
4396 dnl Track all IP traffic, NAT existing connections.
dnl nat without arguments only reverses an existing mapping; new connections
dnl pass through untouched and are translated when table 1 commits them.
4397 priority=100 ip action=ct(table=1,zone=1,nat)
4399 dnl Allow ARP, but generate responses for NATed addresses
4400 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4401 priority=10 arp action=normal
4402 priority=0 action=drop
4404 dnl Allow any traffic from ns0->ns1. SNAT ns0 to 10.1.1.240-10.1.1.255
4405 table=1 priority=100 in_port=1 ip ct_state=+trk+new-est action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
4406 table=1 priority=100 in_port=1 ip ct_state=+trk-new+est action=2
4407 dnl Only allow established traffic from ns1->ns0.
dnl Anything from port 2 that is not part of a committed connection, including
dnl new connections to 10.1.1.1 directly, ends in the drop below.
4408 table=1 priority=100 in_port=2 ip ct_state=+trk-new+est action=1
4409 table=1 priority=0 action=drop
4411 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
4412 table=8 priority=100 reg2=0x0a0101f0/0xfffffff0 action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
4413 dnl Zero result means not found.
4414 table=8 priority=0 action=load:0->OXM_OF_PKT_REG0[[]]
4415 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
4416 dnl ARP TPA IP in reg2.
4417 table=10 priority=100 arp xreg0=0 action=normal
4418 dnl Swaps the fields of the ARP message to turn a query to a response.
4419 table=10 priority=10 arp arp_op=1 action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
4420 table=10 priority=0 action=drop
4423 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4425 dnl HTTP requests from p0->p1 should work fine.
4426 OVS_START_L7([at_ns1], [http])
4427 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The chosen pool address is rewritten to 10.1.1.2XX before comparing.
4429 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl
4430 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
4433 OVS_TRAFFIC_VSWITCHD_STOP
4436 AT_SETUP([conntrack - simple DNAT])
dnl 10.1.1.64 is a virtual address that is destination-NATed to 10.1.1.2. No
dnl interface owns it, so the ARP responder in table 8 answers for exactly
dnl that address (no mask on reg2) with the MAC assigned to p1 below.
4438 CHECK_CONNTRACK_NAT()
4439 OVS_TRAFFIC_VSWITCHD_START()
4441 ADD_NAMESPACES(at_ns0, at_ns1)
4443 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
4444 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl 80:88:88:88:88:88 is the value table 8 loads as 0x808888888888.
4445 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
4447 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
4448 AT_DATA([flows.txt], [dnl
dnl Only connections to the virtual address are translated; direct connections
dnl to 10.1.1.2 are committed without nat by the priority=10 flow.
4449 priority=100 in_port=1,ip,nw_dst=10.1.1.64,action=ct(zone=1,nat(dst=10.1.1.2),commit),2
4450 priority=10 in_port=1,ip,action=ct(commit,zone=1),2
dnl Replies are un-translated first, then only +est traffic is let back in.
4451 priority=100 in_port=2,ct_state=-trk,ip,action=ct(table=0,nat,zone=1)
4452 priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip,action=1
4455 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4456 priority=10 arp action=normal
4457 priority=0,action=drop
4459 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, matched exactly.
4460 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
4461 dnl Zero result means not found.
4462 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
4463 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
4465 table=10 priority=100 arp xreg0=0 action=normal
4466 dnl Swaps the fields of the ARP message to turn a query to a response.
4467 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
4468 table=10 priority=0 action=drop
4471 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4473 dnl Should work with the virtual IP address through NAT
dnl The entry keeps the virtual address in the orig tuple and the real server
dnl address in the reply tuple.
4474 OVS_START_L7([at_ns1], [http])
4475 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
4477 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
4478 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
4481 dnl Should work with the assigned IP address as well
dnl This one goes through the priority=10 flow, so no translation is involved.
4482 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
4484 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
4485 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
4488 OVS_TRAFFIC_VSWITCHD_STOP
4491 AT_SETUP([conntrack - more complex DNAT])
dnl Same virtual address as the simple DNAT test, but conntrack runs first for
dnl all IP traffic in table 0 and table 1 decides per ct_state, so the policy
dnl and the translation are separated the same way as in the complex SNAT test.
4493 CHECK_CONNTRACK_NAT()
4494 OVS_TRAFFIC_VSWITCHD_START()
4496 ADD_NAMESPACES(at_ns0, at_ns1)
4498 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
4499 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl 80:88:88:88:88:88 is the value table 8 loads as 0x808888888888.
4500 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
4502 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
4503 AT_DATA([flows.txt], [dnl
4504 dnl Track all IP traffic
dnl nat without arguments only reverses an existing mapping; new connections
dnl reach table 1 untouched and are translated when committed there.
4505 table=0 priority=100 ip action=ct(table=1,zone=1,nat)
4507 dnl Allow ARP, but generate responses for NATed addresses
4508 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4509 table=0 priority=10 arp action=normal
4510 table=0 priority=0 action=drop
4512 dnl Allow any IP traffic from ns0->ns1. DNAT ns0 from 10.1.1.64 to 10.1.1.2
4513 table=1 priority=100 in_port=1 ct_state=+new ip nw_dst=10.1.1.64 action=ct(zone=1,nat(dst=10.1.1.2),commit),2
4514 table=1 priority=10 in_port=1 ct_state=+new ip action=ct(commit,zone=1),2
4515 table=1 priority=100 in_port=1 ct_state=+est ct_zone=1 action=2
4516 dnl Only allow established traffic from ns1->ns0.
4517 table=1 priority=100 in_port=2 ct_state=+est ct_zone=1 action=1
4518 table=1 priority=0 action=drop
4520 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, matched exactly.
4521 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
4522 dnl Zero result means not found.
4523 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
4524 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
4526 table=10 priority=100 arp xreg0=0 action=normal
4527 dnl Swaps the fields of the ARP message to turn a query to a response.
4528 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
4529 table=10 priority=0 action=drop
4532 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4534 dnl Should work with the virtual IP address through NAT
dnl The entry keeps the virtual address in the orig tuple and the real server
dnl address in the reply tuple.
4535 OVS_START_L7([at_ns1], [http])
4536 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
4538 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
4539 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
4542 dnl Should work with the assigned IP address as well
dnl This one is committed by the priority=10 flow without translation.
4543 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
4545 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
4546 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
4549 OVS_TRAFFIC_VSWITCHD_STOP
4552 AT_SETUP([conntrack - ICMP related with NAT])
dnl A UDP datagram from ns0 is source-NATed and sent to a closed port in ns1.
dnl The ICMP destination-unreachable that comes back is addressed to the NAT
dnl address and quotes the translated UDP header. Conntrack has to classify it
dnl as related to the UDP entry and reverse the translation, otherwise the
dnl packet never matches nw_dst=10.1.1.1 below. The capture on ovs-p0 is
dnl scanned for checksum complaints from tcpdump afterwards.
4553 AT_SKIP_IF([test $HAVE_NC = no])
4554 AT_SKIP_IF([test $HAVE_TCPDUMP = no])
4556 CHECK_CONNTRACK_NAT()
4557 OVS_TRAFFIC_VSWITCHD_START()
4559 ADD_NAMESPACES(at_ns0, at_ns1)
4561 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl 80:88:88:88:88:88 is the value table 8 loads as 0x808888888888.
4562 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
4563 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
4565 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
4566 dnl Make sure ICMP responses are reverse-NATted.
4567 AT_DATA([flows.txt], [dnl
dnl Default zone here, no zone argument. ct_mark=1 tags the connections this
dnl policy committed so that only ICMP related to one of them is admitted.
4568 in_port=1,udp,action=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:1->ct_mark)),2
4569 in_port=2,icmp,ct_state=-trk,action=ct(table=0,nat)
dnl nw_dst=10.1.1.1 can only match after the nat action restored the original
dnl source address as the destination of the error message.
4570 in_port=2,icmp,nw_dst=10.1.1.1,ct_state=+trk+rel,ct_mark=1,action=1
4573 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4574 priority=10 arp action=normal
4575 priority=0,action=drop
4577 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
4578 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
4579 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
4580 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
4582 dnl Swaps the fields of the ARP message to turn a query to a response.
4583 table=10 priority=100 arp xreg0=0 action=normal
4584 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
4585 table=10 priority=0 action=drop
4588 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Capture on the host side of p0 so that the ICMP error is seen exactly as
dnl it is delivered into ns0. The capture runs in the background; nothing in
dnl the lines shown here stops it explicitly.
4591 tcpdump -U -i ovs-p0 -w p0.pcap &
4594 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
4595 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
dnl Purge datapath flows first so that the OpenFlow statistics below reflect
dnl every packet seen. One packet is expected on each of the UDP flow, the
dnl untracked ICMP flow and the related ICMP flow.
4597 AT_CHECK([ovs-appctl revalidator/purge], [0])
4598 AT_CHECK([ovs-ofctl -O OpenFlow15 dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
4599 n_packets=1, n_bytes=42, priority=10,arp actions=NORMAL
4600 n_packets=1, n_bytes=44, udp,in_port=1 actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:0x1->ct_mark)),output:2
4601 n_packets=1, n_bytes=72, ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2,nw_dst=10.1.1.1 actions=output:1
4602 n_packets=1, n_bytes=72, ct_state=-trk,icmp,in_port=2 actions=ct(table=0,nat)
4603 n_packets=2, n_bytes=84, priority=100,arp,arp_op=1 actions=move:NXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4604 table=10, n_packets=1, n_bytes=42, priority=10,arp,arp_op=1 actions=set_field:2->arp_op,move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_NX_ARP_SHA[[]],move:NXM_OF_ARP_SPA[[]]->NXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->NXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],set_field:0->in_port,output:NXM_NX_REG3[[0..15]]
4605 table=10, n_packets=1, n_bytes=42, priority=100,arp,reg0=0,reg1=0 actions=NORMAL
4606 table=8, n_packets=1, n_bytes=42, priority=0 actions=set_field:0->xreg0
4607 table=8, n_packets=1, n_bytes=42, reg2=0xa0101f0/0xfffffff0 actions=set_field:0x808888888888->xreg0
4608 OFPST_FLOW reply (OF1.5):
4611 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
4612 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),mark=1
dnl egrep must exit 1, meaning tcpdump -v reported no bad or wrong checksum on
dnl any ICMP packet in the capture.
4615 AT_CHECK([tcpdump -v "icmp" -r p0.pcap 2>/dev/null | egrep 'wrong|bad'], [1], [ignore-nolog])
4617 OVS_TRAFFIC_VSWITCHD_STOP
4620 dnl CHECK_FTP_NAT(TITLE, IP_ADDR, FLOWS, CT_DUMP)
4622 dnl Checks the implementation of conntrack with FTP ALGs in combination with
4623 dnl NAT, using the provided flow table.
dnl TITLE is appended to the test name, FLOWS is written to flows.txt as is,
dnl and CT_DUMP is the expected conntrack dump for 10.1.1.2. IP_ADDR is not
dnl referenced in the body shown here; the wrappers that build the flow table
dnl are the ones that use the NAT address. The client side is lftp in active
dnl mode, so the server has to open the data connection back through the NAT.
4624 m4_define([CHECK_FTP_NAT],
4625 [AT_SETUP([conntrack - FTP $1])
4626 AT_SKIP_IF([test $HAVE_FTP = no])
4627 AT_SKIP_IF([test $HAVE_LFTP = no])
4629 CHECK_CONNTRACK_NAT()
4630 CHECK_CONNTRACK_ALG()
4632 OVS_TRAFFIC_VSWITCHD_START()
4634 ADD_NAMESPACES(at_ns0, at_ns1)
4636 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl 80:88:88:88:88:88 is the MAC the ARP responder in the supplied flow tables
dnl loads as 0x808888888888.
4637 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
4638 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
4640 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
4641 AT_DATA([flows.txt], [$3])
4643 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4645 OVS_START_L7([at_ns1], [ftp])
4647 dnl FTP requests from p0->p1 should work fine.
dnl Passive mode is switched off to force an active-mode data connection.
4648 AT_DATA([ftp.cmd], [dnl
4649 set net:max-retries 1
4651 set ftp:passive-mode off
4653 connect ftp://anonymous:@10.1.1.2
4659 NS_CHECK_EXEC([at_ns0], [lftp -f ftp.cmd > lftp.log])
4661 dnl Discards CLOSE_WAIT and CLOSING
4662 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [$4])
4664 OVS_TRAFFIC_VSWITCHD_STOP
4667 dnl CHECK_FTP_SNAT_PRE_RECIRC(TITLE, IP_ADDR, IP_ADDR_AS_HEX)
4669 dnl Checks the implementation of conntrack with FTP ALGs in combination with
4670 dnl NAT, with flow tables that implement the NATing as part of handling of
4671 dnl initial incoming packets - ie, the first flow is ct(nat,table=foo).
4673 dnl IP_ADDR must specify the NAT address in standard "10.1.1.x" format,
4674 dnl and IP_ADDR_AS_HEX must specify the same address as hex, eg 0x0a0101xx.
dnl The hex form is only used by the ARP responder (table 8) below.
4675 m4_define([CHECK_FTP_SNAT_PRE_RECIRC], [dnl
4676 CHECK_FTP_NAT([SNAT prerecirc $1], [$2], [dnl
4677 dnl track all IP traffic, de-mangle non-NEW connections
4678 table=0 in_port=1, ip, action=ct(table=1,nat)
4679 table=0 in_port=2, ip, action=ct(table=2,nat)
dnl ARP requests: stash the target IP in reg2, look up its MAC in table 8
dnl and answer from table 10. Other ARP is switched normally.
4683 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4684 table=0 priority=10 arp action=normal
4685 table=0 priority=0 action=drop
4687 dnl Table 1: port 1 -> 2
4689 dnl Allow new FTP connections. These need to be committed.
4690 table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=$2)),2
4691 dnl Allow established TCP connections, make sure they are NATted already.
4692 table=1 ct_state=+est, tcp, nw_src=$2, action=2
4694 dnl Table 1: droppers
4696 table=1 priority=10, tcp, action=drop
4697 table=1 priority=0,action=drop
4699 dnl Table 2: port 2 -> 1
4701 dnl Allow established TCP connections, make sure they are reverse NATted
4702 table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
4703 dnl Allow (new) related (data) connections. These need to be committed.
4704 table=2 ct_state=+new+rel, tcp, nw_dst=$2, action=ct(commit,nat),1
4705 dnl Allow related ICMP packets, make sure they are reverse NATted
4706 table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
4708 dnl Table 2: droppers
4710 table=2 priority=10, tcp, action=drop
4711 table=2 priority=0, action=drop
4713 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Only the SNAT address ($3, the hex form of $2) resolves, to p0's MAC.
4715 table=8,reg2=$3/0xffffffff,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
4716 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
4717 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
4719 dnl Swaps the fields of the ARP message to turn a query to a response.
4720 table=10 priority=100 arp xreg0=0 action=normal
4721 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
4722 table=10 priority=0 action=drop
dnl Expected conntrack dump: the SNATted control connection (helper=ftp)
dnl and the related data connection the server opens back to $2.
4724 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
4725 tcp,orig=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
4729 dnl Check that ct(nat,table=foo) works without TCP sequence adjustment.
4730 CHECK_FTP_SNAT_PRE_RECIRC([], [10.1.1.9], [0x0a010109])
4732 dnl Check that ct(nat,table=foo) works with TCP sequence adjustment.
4734 dnl The FTP PORT command includes the ASCII representation of the address,
4735 dnl so when these messages need to be NATed between addresses that have
4736 dnl different lengths when represented in ASCII (such as the original address
4737 dnl of 10.1.1.1 used in the test and 10.1.1.240 here), the FTP NAT ALG must
4738 dnl resize the packet and adjust TCP sequence numbers. This test is kept
4739 dnl separate from the above to more easily identify issues in this code on different
4741 CHECK_FTP_SNAT_PRE_RECIRC([seqadj], [10.1.1.240], [0x0a0101f0])
4743 dnl CHECK_FTP_SNAT_POST_RECIRC(TITLE, IP_ADDR, IP_ADDR_AS_HEX)
4745 dnl Checks the implementation of conntrack with FTP ALGs in combination with
4746 dnl NAT, with flow tables that implement the NATing after the first round
4747 dnl of recirculation - that is, the first flow ct(table=foo) then a subsequent
4748 dnl flow will implement the NATing with ct(nat..),output:foo.
4750 dnl IP_ADDR must specify the NAT address in standard "10.1.1.x" format,
4751 dnl and IP_ADDR_AS_HEX must specify the same address as hex, eg 0x0a0101xx.
dnl The hex form is only used by the ARP responder (table 8) below.
4752 m4_define([CHECK_FTP_SNAT_POST_RECIRC], [dnl
4753 CHECK_FTP_NAT([SNAT postrecirc $1], [$2], [dnl
4754 dnl track all IP traffic (this includes a helper call to non-NEW packets.)
dnl Unlike the prerecirc variant, no 'nat' here: translation happens in table 1.
4755 table=0 ip, action=ct(table=1)
dnl ARP requests: stash the target IP in reg2, look up its MAC in table 8
dnl and answer from table 10. Other ARP is switched normally.
4759 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4760 table=0 priority=10 arp action=normal
4761 table=0 priority=0 action=drop
4765 dnl Allow new FTP connections. These need to be committed.
4766 dnl This does helper for new packets.
4767 table=1 in_port=1 ct_state=+new, tcp, tp_dst=21, action=ct(alg=ftp,commit,nat(src=$2)),2
4768 dnl Allow and NAT established TCP connections
4769 table=1 in_port=1 ct_state=+est, tcp, action=ct(nat),2
4770 table=1 in_port=2 ct_state=+est, tcp, action=ct(nat),1
4771 dnl Allow and NAT (new) related active (data) connections.
4772 dnl These need to be committed.
4773 table=1 in_port=2 ct_state=+new+rel, tcp, action=ct(commit,nat),1
4774 dnl Allow related ICMP packets.
4775 table=1 in_port=2 ct_state=+rel, icmp, action=ct(nat),1
4776 dnl Drop everything else.
4777 table=1 priority=0, action=drop
4779 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Only the SNAT address ($3, the hex form of $2) resolves, to p0's MAC.
4781 table=8,reg2=$3/0xffffffff,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
4782 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
4783 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
4785 dnl Swaps the fields of the ARP message to turn a query to a response.
4786 table=10 priority=100 arp xreg0=0 action=normal
4787 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
4788 table=10 priority=0 action=drop
dnl Expected conntrack dump: the SNATted control connection (helper=ftp)
dnl and the related data connection the server opens back to $2.
4790 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
4791 tcp,orig=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
4795 dnl Check that ct(nat,table=foo) works without TCP sequence adjustment.
4796 CHECK_FTP_SNAT_POST_RECIRC([], [10.1.1.9], [0x0a010109])
4798 dnl Check that ct(nat,table=foo) works with TCP sequence adjustment.
4800 dnl The FTP PORT command includes the ASCII representation of the address,
4801 dnl so when these messages need to be NATed between addresses that have
4802 dnl different lengths when represented in ASCII (such as the original address
4803 dnl of 10.1.1.1 used in the test and 10.1.1.240 here), the FTP NAT ALG must
4804 dnl resize the packet and adjust TCP sequence numbers. This test is kept
4805 dnl separate from the above to more easily identify issues in this code on different
4807 CHECK_FTP_SNAT_POST_RECIRC([seqadj], [10.1.1.240], [0x0a0101f0])
4810 dnl CHECK_FTP_SNAT_ORIG_TUPLE(TITLE, IP_ADDR, IP_ADDR_AS_HEX)
4812 dnl Checks the implementation of conntrack original direction tuple matching
4813 dnl with FTP ALGs in combination with NAT, with flow tables that implement
4814 dnl the NATing before the first round of recirculation - that is, the first
4815 dnl flow ct(nat, table=foo) then a subsequent flow will implement the
4816 dnl committing of NATed and other connections with ct(nat..),output:foo.
4818 dnl IP_ADDR must specify the NAT address in standard "10.1.1.x" format,
4819 dnl and IP_ADDR_AS_HEX must specify the same address as hex, eg 0x0a0101xx.
dnl The hex form is only used by the ARP responder (table 8) below.
4820 m4_define([CHECK_FTP_SNAT_ORIG_TUPLE], [dnl
4821 CHECK_FTP_NAT([SNAT orig tuple $1], [$2], [dnl
4822 dnl Store zone in reg4 and packet direction in reg3 (IN=1, OUT=2).
4823 dnl NAT is only applied to OUT-direction packets, so that ACL
4824 dnl processing can be done with non-NATted headers.
4826 dnl Track all IP traffic in the IN-direction (IN from Port 1).
4827 table=0 in_port=1, ip, action=set_field:1->reg4,set_field:1->reg3,ct(zone=NXM_NX_REG4[[0..15]],table=1)
4828 dnl Track all IP traffic in the OUT-direction (OUT to the Port 1).
4829 table=0 in_port=2, ip, action=set_field:1->reg4,set_field:2->reg3,ct(zone=NXM_NX_REG4[[0..15]],nat,table=1)
dnl ARP requests: stash the target IP in reg2, look up its MAC in table 8
dnl and answer from table 10. Other ARP is switched normally.
4833 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
4834 table=0 priority=10 arp action=normal
4835 table=0 priority=0 action=drop
4837 dnl Pass tracked traffic through ACL, drop everything else.
4838 dnl Non-REPLY/RELATED packets get the ACL lookup with the packet headers
4839 dnl in the actual packet direction in reg0 (IN=1, OUT=2). REPLY packets
4840 dnl get the ACL lookup using the conntrack tuple and the inverted direction.
4841 dnl RELATED packets get ACL lookup using the conntrack tuple in the direction
4842 dnl of the parent connection, as stored in ct_label[0].
dnl resubmit(,3) looks up the packet headers; resubmit(,3,ct) looks up the
dnl conntrack original-direction tuple instead.
4844 dnl Incoming non-related packet in the original direction (ACL IN)
4845 table=1 reg3=1, ip, ct_state=-rel-rpl+trk-inv action=set_field:1->reg0,resubmit(,3),goto_table:5
4846 dnl Incoming non-related reply packet (CT ACL OUT)
4847 table=1 reg3=1, ip, ct_state=-rel+rpl+trk-inv action=set_field:2->reg0,resubmit(,3,ct),goto_table:4
4848 dnl Outgoing non-related packet (ACL OUT)
4849 table=1 reg3=2, ip, ct_state=-rel-rpl+trk-inv action=set_field:2->reg0,resubmit(,3),goto_table:5
4850 dnl Outgoing non-related reply packet (CT ACL IN)
4851 table=1 reg3=2, ip, ct_state=-rel+rpl+trk-inv action=set_field:1->reg0,resubmit(,3,ct),goto_table:4
4853 dnl Related packet (CT ACL in the direction of the parent connection.)
4854 table=1 ip, ct_state=+rel+trk-inv, action=move:NXM_NX_CT_LABEL[[0]]->NXM_NX_REG0[[0]],resubmit(,3,ct),goto_table:4
4855 dnl Drop everything else.
dnl This also covers +inv packets, which none of the rules above match.
4856 table=1 priority=0, action=drop
4860 dnl Stateful accept (1->reg2) all incoming (reg0=1) IP connections with
4861 dnl IP source address '10.1.1.1'. Store rule ID (1234) in reg1, verdict
4863 table=3 priority=10, reg0=1, ip, nw_src=10.1.1.1 action=set_field:1234->reg1,set_field:1->reg2
4864 dnl Stateless drop (0->reg2) everything else in both directions. (Rule ID: 1235)
4865 table=3 priority=0, action=set_field:1235->reg1,set_field:0->reg2
4867 dnl Re-process stateful traffic that was not accepted by a stateful rule as
4868 dnl normal traffic in the current direction. This should also delete the
4869 dnl now stale conntrack state, so that new state can be created in its place.
4871 dnl Stateful accepts go to next table.
4872 table=4 priority=100 reg2=1, action=goto_table:5
4873 dnl Everything else is reprocessed disregarding the CT state, using the actual
4874 dnl packet direction.
4875 table=4 priority=0 action=move:NXM_NX_REG3[[]]->NXM_NX_REG0[[]],resubmit(,3),goto_table:5
4877 dnl "ACL verdict processing table."
4879 dnl Handle stateful (reg2=1) / stateless (reg2=2) accepts and drops (reg2=0)
dnl (The ACL table above defines no stateless-accept rule, so reg2=2 is never
dnl set in this test; only the reg2=1 and reg2=0 paths are exercised.)
4881 dnl Drop all non-accepted packets.
4882 table=5 reg2=0 priority=1000 action=drop
4884 dnl Commit new incoming FTP control connections with SNAT range. Must match on
4885 dnl 'tcp' when setting 'alg=ftp'. Store the directionality of non-related
4886 dnl connections to ct_label[0]. Store the rule ID to ct_label[96..127].
4887 table=5 priority=100 reg2=1 reg3=1 ct_state=+new-rel, tcp, tp_dst=21, action=ct(zone=NXM_NX_REG4[[0..15]],alg=ftp,commit,nat(src=$2),exec(move:NXM_NX_REG3[[0]]->NXM_NX_CT_LABEL[[0]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
4888 dnl Commit other new incoming non-related IP connections with SNAT range.
4889 table=5 priority=10 reg2=1 reg3=1 ct_state=+new-rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat(src=$2),exec(move:NXM_NX_REG3[[0]]->NXM_NX_CT_LABEL[[0]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
4890 dnl Commit non-related outgoing new IP connections with DNAT range.
4891 dnl (This should not get any packets in this test.)
4892 table=5 priority=10 reg2=1 reg3=2 ct_state=+new-rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat(dst=$2),exec(move:NXM_NX_REG3[[0]]->NXM_NX_CT_LABEL[[0]],move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
4893 dnl Commit new related connections in either direction, which need 'nat'
4894 dnl and which inherit the label (the direction of the original direction
4895 dnl parent tuple) from the parent connection.
4896 table=5 priority=10 reg2=1 ct_state=+new+rel, ip, action=ct(zone=NXM_NX_REG4[[0..15]],commit,nat,exec(move:NXM_NX_REG1[[0..31]]->NXM_NX_CT_LABEL[[96..127]])),goto_table:6
4898 dnl NAT incoming non-NEW packets. Outgoing packets were NATted in table 0.
4900 table=5 priority=10 ct_state=-new+trk-inv reg3=1 ip, action=ct(zone=NXM_NX_REG4[[0..15]],nat),goto_table:6
4901 dnl Forward everything else, including stateless accepts.
4902 table=5 priority=0 action=goto_table:6
4904 dnl "Forwarding table"
4906 table=6 in_port=1 action=2
4907 table=6 in_port=2 action=1
4909 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl Only the SNAT address ($3, the hex form of $2) resolves, to p0's MAC.
4911 table=8,reg2=$3,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
4912 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
4913 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
4915 dnl Swaps the fields of the ARP message to turn a query to a response.
4916 table=10 priority=100 arp xreg0=0 action=normal
4917 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
4918 table=10 priority=0 action=drop
dnl Expected conntrack dump, zone 1. labels: rule ID 1234 (0x4d2) in bits
dnl 96..127 and direction bit 0 set (IN), on both the control connection and
dnl the related data connection that inherits the label.
4920 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),zone=1,labels=0x4d2000000000000000000000001,protoinfo=(state=<cleared>),helper=ftp
4921 tcp,orig=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,labels=0x4d2000000000000000000000001,protoinfo=(state=<cleared>)
4925 dnl Check that ct(nat,table=foo) works without TCP sequence adjustment with
4926 dnl an ACL table based on matching on conntrack original direction tuple only.
4927 CHECK_FTP_SNAT_ORIG_TUPLE([], [10.1.1.9], [0x0a010109])
4929 dnl Check that ct(nat,table=foo) works with TCP sequence adjustment with
4930 dnl an ACL table based on matching on conntrack original direction tuple only.
4931 CHECK_FTP_SNAT_ORIG_TUPLE([seqadj], [10.1.1.240], [0x0a0101f0])
4933 AT_SETUP([conntrack - IPv4 FTP Passive with SNAT])
4934 AT_SKIP_IF([test $HAVE_FTP = no])
4936 CHECK_CONNTRACK_NAT()
4937 CHECK_CONNTRACK_ALG()
4939 OVS_TRAFFIC_VSWITCHD_START()
4941 ADD_NAMESPACES(at_ns0, at_ns1)
dnl Fixed MACs and static ARP entries on both sides: there is no ARP
dnl responder in this flow table, so the server must resolve the SNAT
dnl address 10.1.1.240 to p0's MAC statically.
4943 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
4944 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
4945 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
4947 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
4948 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
4949 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
4950 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.240 e6:66:c1:11:11:11])
4952 dnl Allow any traffic from ns0->ns1.
4953 AT_DATA([flows.txt], [dnl
4954 dnl track all IPv4 traffic and NAT any established traffic.
4955 table=0 priority=10 ip, action=ct(nat,table=1)
4956 table=0 priority=0 action=drop
4960 dnl Allow new FTP control connections.
4961 table=1 in_port=1 ct_state=+new tcp nw_src=10.1.1.1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
4962 dnl Allow related TCP connections from port 1.
dnl (Passive mode: the client opens the data connection, so it arrives on
dnl port 1 with the un-NATted source and is committed with 'nat' to inherit
dnl the parent's SNAT.)
4963 table=1 in_port=1 ct_state=+new+rel tcp nw_src=10.1.1.1 action=ct(commit,nat),2
4964 dnl Allow established TCP connections both ways, post-NAT match.
4965 table=1 in_port=1 ct_state=+est tcp nw_src=10.1.1.240 action=2
4966 table=1 in_port=2 ct_state=+est tcp nw_dst=10.1.1.1 action=1
4968 dnl Allow ICMP both ways.
4969 table=1 priority=100 in_port=1 icmp, action=2
4970 table=1 priority=100 in_port=2 icmp, action=1
4971 table=1 priority=0, action=drop
4974 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
4976 dnl Check that the network stacks are up before starting, to avoid races.
4977 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null])
4979 OVS_START_L7([at_ns1], [ftp])
4981 dnl FTP requests from p0->p1 should work fine.
dnl wget uses passive FTP by default; wget0.log is not inspected afterwards.
4982 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
4984 dnl Discards CLOSE_WAIT and CLOSING
dnl Both the client-opened data connection and the control connection
dnl (helper=ftp) must show the SNAT address 10.1.1.240 in the reply tuple.
4985 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
4986 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
4987 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
4990 OVS_TRAFFIC_VSWITCHD_STOP
4993 AT_SETUP([conntrack - IPv4 FTP Passive with DNAT])
4994 AT_SKIP_IF([test $HAVE_FTP = no])
4996 CHECK_CONNTRACK_NAT()
4997 CHECK_CONNTRACK_ALG()
4999 OVS_TRAFFIC_VSWITCHD_START()
5001 ADD_NAMESPACES(at_ns0, at_ns1)
dnl The server really lives at 10.1.1.240; the client talks to the virtual
dnl address 10.1.1.2, which is DNATted below. Static ARP on ns0 maps both
dnl addresses to p1's MAC since there is no ARP responder in the flow table.
5003 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
5004 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
5005 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
5006 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.240 e6:66:c1:22:22:22])
5008 ADD_VETH(p1, at_ns1, br0, "10.1.1.240/24")
5009 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
5010 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
5012 dnl Allow any traffic from ns0->ns1.
5013 AT_DATA([flows.txt], [dnl
5014 dnl track all IPv4 traffic and NAT any established traffic.
5015 table=0 priority=10 ip, action=ct(nat,table=1)
5016 table=0 priority=0 action=drop
5020 dnl Allow new FTP control connections.
5021 table=1 in_port=1 ct_state=+new tcp nw_src=10.1.1.1 tp_dst=21 action=ct(alg=ftp,commit,nat(dst=10.1.1.240)),2
5022 dnl Allow related TCP connections from port 1.
dnl (Passive mode: the client opens the data connection toward the address
dnl announced by the server, which the ALG has to keep consistent with the
dnl DNAT mapping.)
5023 table=1 in_port=1 ct_state=+new+rel tcp nw_src=10.1.1.1 action=ct(commit,nat),2
5024 dnl Allow established TCP connections both ways, post-NAT match.
5025 table=1 in_port=1 ct_state=+est tcp nw_dst=10.1.1.240 action=2
5026 table=1 in_port=2 ct_state=+est tcp nw_dst=10.1.1.1 action=1
5028 dnl Allow ICMP both ways.
5029 table=1 priority=100 in_port=1 icmp, action=2
5030 table=1 priority=100 in_port=2 icmp, action=1
5031 table=1 priority=0, action=drop
5034 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5036 dnl Check that the network stacks are up before starting, to avoid races.
5037 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.240 >/dev/null])
5039 OVS_START_L7([at_ns1], [ftp])
5041 dnl FTP requests from p0->p1 should work fine.
dnl Note the client targets the virtual address, not the server's own one.
5042 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
5044 dnl Discards CLOSE_WAIT and CLOSING
dnl Both connections keep the virtual address in the orig tuple and the real
dnl server address 10.1.1.240 in the reply tuple.
5045 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
5046 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.240,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
5047 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.240,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
5050 OVS_TRAFFIC_VSWITCHD_STOP
5053 AT_SETUP([conntrack - IPv4 FTP Passive with DNAT 2])
5054 AT_SKIP_IF([test $HAVE_FTP = no])
5056 CHECK_CONNTRACK_NAT()
5057 CHECK_CONNTRACK_ALG()
5059 OVS_TRAFFIC_VSWITCHD_START()
5061 ADD_NAMESPACES(at_ns0, at_ns1)
dnl Same as the previous DNAT test but with a /16 and a virtual address
dnl (10.1.1.200) whose ASCII form differs in length from the real server
dnl address (10.1.100.1).
5063 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/16")
5064 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
5065 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.200 e6:66:c1:22:22:22])
5066 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.100.1 e6:66:c1:22:22:22])
5068 ADD_VETH(p1, at_ns1, br0, "10.1.100.1/16")
5069 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
5070 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
5072 dnl Allow any traffic from ns0->ns1.
5073 AT_DATA([flows.txt], [dnl
5074 dnl track all IPv4 traffic and NAT any established traffic.
5075 table=0 priority=10 ip, action=ct(nat,table=1)
5076 table=0 priority=0 action=drop
5080 dnl Allow new FTP control connections.
5081 table=1 in_port=1 ct_state=+new tcp nw_src=10.1.1.1 tp_dst=21 action=ct(alg=ftp,commit,nat(dst=10.1.100.1)),2
5082 dnl Allow related TCP connections from port 1.
dnl (Passive mode: the client opens the data connection.)
5083 table=1 in_port=1 ct_state=+new+rel tcp nw_src=10.1.1.1 action=ct(commit,nat),2
5084 dnl Allow established TCP connections both ways, post-NAT match.
5085 table=1 in_port=1 ct_state=+est tcp nw_dst=10.1.100.1 action=2
5086 table=1 in_port=2 ct_state=+est tcp nw_dst=10.1.1.1 action=1
5088 dnl Allow ICMP both ways.
5089 table=1 priority=100 in_port=1 icmp, action=2
5090 table=1 priority=100 in_port=2 icmp, action=1
5091 table=1 priority=0, action=drop
5094 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5096 dnl Check that the network stacks are up before starting, to avoid races.
5097 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.100.1 >/dev/null])
5099 OVS_START_L7([at_ns1], [ftp])
5101 dnl FTP requests from p0->p1 should work fine.
dnl The client targets the virtual address 10.1.1.200.
5102 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.200 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
5104 dnl Discards CLOSE_WAIT and CLOSING
dnl Virtual address in the orig tuple, real server 10.1.100.1 in the reply.
5105 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.200)], [0], [dnl
5106 tcp,orig=(src=10.1.1.1,dst=10.1.1.200,sport=<cleared>,dport=<cleared>),reply=(src=10.1.100.1,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
5107 tcp,orig=(src=10.1.1.1,dst=10.1.1.200,sport=<cleared>,dport=<cleared>),reply=(src=10.1.100.1,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
5110 OVS_TRAFFIC_VSWITCHD_STOP
5113 AT_SETUP([conntrack - IPv4 FTP Active with DNAT])
5114 AT_SKIP_IF([test $HAVE_FTP = no])
5116 CHECK_CONNTRACK_NAT()
5117 CHECK_CONNTRACK_ALG()
5119 OVS_TRAFFIC_VSWITCHD_START()
5121 ADD_NAMESPACES(at_ns0, at_ns1)
dnl Server at 10.1.1.240, reached by the client through the virtual address
dnl 10.1.1.2 (DNATted below). Static ARP replaces an ARP responder.
5123 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
5124 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
5125 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
5126 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.240 e6:66:c1:22:22:22])
5128 ADD_VETH(p1, at_ns1, br0, "10.1.1.240/24")
5129 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
5130 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
5132 dnl Allow any traffic from ns0->ns1.
5133 AT_DATA([flows.txt], [dnl
5134 dnl track all IPv4 traffic and NAT any established traffic.
5135 table=0 priority=10 ip, action=ct(nat,table=1)
5136 table=0 priority=0 action=drop
5140 dnl Allow new FTP control connections.
5141 table=1 in_port=1 ct_state=+new tcp nw_src=10.1.1.1 tp_dst=21 action=ct(alg=ftp,commit,nat(dst=10.1.1.240)),2
5142 dnl Allow related TCP connections from port 2 (active mode: the server
dnl opens the data connection toward the client, so it arrives on port 2
dnl with the server's real address as source).
5143 table=1 in_port=2 ct_state=+new+rel tcp nw_src=10.1.1.240 action=ct(commit,nat),1
5144 dnl Allow established TCP connections both ways, post-NAT match.
5145 table=1 in_port=1 ct_state=+est tcp nw_dst=10.1.1.240 action=2
5146 table=1 in_port=2 ct_state=+est tcp nw_dst=10.1.1.1 action=1
5148 dnl Allow ICMP both ways.
5149 table=1 priority=100 in_port=1 icmp, action=2
5150 table=1 priority=100 in_port=2 icmp, action=1
5151 table=1 priority=0, action=drop
5154 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5156 dnl Check that the network stacks are up before starting, to avoid races.
5157 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.240 >/dev/null])
5159 OVS_START_L7([at_ns1], [ftp])
5161 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode so the server-initiated data
dnl connection (the related entry below) is exercised.
5162 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
5164 dnl Discards CLOSE_WAIT and CLOSING
dnl Control connection: virtual dst, real server in the reply. Data
dnl connection: originated by the server, reply tuple reverse-NATted to the
dnl virtual address.
5165 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
5166 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.240,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
5167 tcp,orig=(src=10.1.1.240,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
5170 OVS_TRAFFIC_VSWITCHD_STOP
5173 AT_SETUP([conntrack - IPv4 FTP Active with DNAT with reverse skew])
5174 AT_SKIP_IF([test $HAVE_FTP = no])
5176 CHECK_CONNTRACK_NAT()
5177 CHECK_CONNTRACK_ALG()
5179 OVS_TRAFFIC_VSWITCHD_START()
5181 ADD_NAMESPACES(at_ns0, at_ns1)
dnl "Reverse skew": the virtual address the client uses (10.1.120.240) is
dnl longer in ASCII than the real server address (10.1.1.2), the opposite
dnl of the previous active-mode test. Static ARP replaces an ARP responder.
5183 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/16")
5184 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
5185 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
5186 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.120.240 e6:66:c1:22:22:22])
5188 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/16")
5189 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
5190 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
5192 dnl Allow any traffic from ns0->ns1.
5193 AT_DATA([flows.txt], [dnl
5194 dnl track all IPv4 traffic and NAT any established traffic.
5195 table=0 priority=10 ip, action=ct(nat,table=1)
5196 table=0 priority=0 action=drop
5200 dnl Allow new FTP control connections.
5201 table=1 in_port=1 ct_state=+new tcp nw_src=10.1.1.1 tp_dst=21 action=ct(alg=ftp,commit,nat(dst=10.1.1.2)),2
5202 dnl Allow related TCP connections from port 2 (active mode: the server
dnl opens the data connection toward the client).
5203 table=1 in_port=2 ct_state=+new+rel tcp nw_src=10.1.1.2 action=ct(commit,nat),1
5204 dnl Allow established TCP connections both ways, post-NAT match.
5205 table=1 in_port=1 ct_state=+est tcp nw_dst=10.1.1.2 action=2
5206 table=1 in_port=2 ct_state=+est tcp nw_dst=10.1.1.1 action=1
5208 dnl Allow ICMP both ways.
5209 table=1 priority=100 in_port=1 icmp, action=2
5210 table=1 priority=100 in_port=2 icmp, action=1
5211 table=1 priority=0, action=drop
5214 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5216 dnl Check that the network stacks are up before starting, to avoid races.
5217 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null])
5219 OVS_START_L7([at_ns1], [ftp])
5221 dnl FTP requests from p0->p1 should work fine.
dnl The client targets the virtual address in active mode.
5222 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.120.240 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
5224 dnl Discards CLOSE_WAIT and CLOSING
dnl The server-originated data connection must be reverse-NATted back to
dnl the virtual address in its reply tuple.
5225 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.120.240)], [0], [dnl
5226 tcp,orig=(src=10.1.1.1,dst=10.1.120.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
5227 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.120.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
5230 OVS_TRAFFIC_VSWITCHD_STOP
5233 AT_SETUP([conntrack - IPv6 HTTP with SNAT])
5235 CHECK_CONNTRACK_NAT()
5236 OVS_TRAFFIC_VSWITCHD_START()
5238 ADD_NAMESPACES(at_ns0, at_ns1)
5240 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
5241 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
5242 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Static neighbor entries on the server for both SNAT range addresses,
dnl pointing at p0's MAC, so the server never has to resolve them.
5243 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
5244 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::241 lladdr 80:88:88:88:88:88 dev p1])
5246 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
5247 AT_DATA([flows.txt], [dnl
5248 priority=1,action=drop
5249 priority=10,icmp6,action=normal
dnl ns0->ns1: commit and SNAT to the two-address range.
5250 priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240-fc00::241)),2
dnl ns1->ns0: untracked packets are un-NATted and re-run through the table;
dnl only established connections are then forwarded to port 1.
5251 priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
5252 priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
dnl Neighbor solicitations for the SNAT addresses are DNATted to fc00::1 so
dnl the real host answers them.
5253 priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1
5254 priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::241,action=ct(commit,nat(dst=fc00::1)),1
5257 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5259 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
5260 dnl waiting, we get occasional failures due to the following error:
5261 dnl "connect: Cannot assign requested address"
5262 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
5264 dnl HTTP requests from ns0->ns1 should work fine.
5265 OVS_START_L7([at_ns1], [http6])
5267 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
5269 dnl HTTP requests from ns1->ns0 should fail due to network failure.
5270 dnl Try 3 times, in 1 second intervals.
dnl Negative check: no flow admits a new TCP connection arriving on port 2,
dnl so wget must exit with status 4 (network failure) rather than succeed.
5271 OVS_START_L7([at_ns0], [http6])
5272 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
5274 OVS_TRAFFIC_VSWITCHD_STOP
5277 AT_SETUP([conntrack - IPv6 HTTP with DNAT])
5279 CHECK_CONNTRACK_NAT()
5280 OVS_TRAFFIC_VSWITCHD_START()
5282 ADD_NAMESPACES(at_ns0, at_ns1)
5284 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
5285 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
5286 NS_CHECK_EXEC([at_ns0], [ip -6 link set dev p0 address 80:88:88:88:88:77])
5287 NS_CHECK_EXEC([at_ns1], [ip -6 link set dev p1 address 80:88:88:88:88:88])
dnl The client resolves the virtual address fc00::240 to p1's MAC statically;
dnl the server needs a static entry back to the client.
5288 NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p0])
5289 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::1 lladdr 80:88:88:88:88:77 dev p1])
5291 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl All conntrack actions use zone 1; the established match also requires
dnl ct_zone=1, so state from another zone would not pass.
5292 AT_DATA([flows.txt], [dnl
5293 priority=100 in_port=1,ip6,ipv6_dst=fc00::240,action=ct(zone=1,nat(dst=fc00::2),commit),2
5294 priority=100 in_port=2,ct_state=-trk,ip6,action=ct(table=0,nat,zone=1)
5295 priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip6,action=1
5298 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5300 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
5301 dnl waiting, we get occasional failures due to the following error:
5302 dnl "connect: Cannot assign requested address"
5303 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::240])
5305 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::240 | FORMAT_PING], [0], [dnl
5306 3 packets transmitted, 3 received, 0% packet loss, time 0ms
5309 dnl Should work with the virtual IP address through NAT
5310 OVS_START_L7([at_ns1], [http6])
5311 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::240]] -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl Both the ICMPv6 echo and the TCP connection show the virtual address in
dnl the orig tuple and the real server fc00::2 in the reply, in zone 1.
5313 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::1)], [0], [dnl
5314 icmpv6,orig=(src=fc00::1,dst=fc00::240,id=<cleared>,type=128,code=0),reply=(src=fc00::2,dst=fc00::1,id=<cleared>,type=129,code=0),zone=1
5315 tcp,orig=(src=fc00::1,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
5318 OVS_TRAFFIC_VSWITCHD_STOP
5321 AT_SETUP([conntrack - IPv6 ICMP6 Related with SNAT])
dnl Needs tcpdump: the check below inspects a capture for bad checksums.
5322 AT_SKIP_IF([test $HAVE_TCPDUMP = no])
5324 CHECK_CONNTRACK_NAT()
5325 OVS_TRAFFIC_VSWITCHD_START()
5327 ADD_NAMESPACES(at_ns0, at_ns1)
5329 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
5330 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
5331 NS_CHECK_EXEC([at_ns0], [ip -6 link set dev p0 address 80:88:88:88:88:77])
5332 NS_CHECK_EXEC([at_ns1], [ip -6 link set dev p1 address 80:88:88:88:88:88])
dnl Static neighbor entries both ways, including the SNAT address fc00::240
dnl on the server side.
5334 NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::2 lladdr 80:88:88:88:88:88 dev p0])
5335 NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::3 lladdr 80:88:88:88:88:88 dev p0])
5336 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:77 dev p1])
5337 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::1 lladdr 80:88:88:88:88:77 dev p1])
5339 NS_CHECK_EXEC([at_ns0], [ip -6 route add default via fc00::2])
5341 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl The +trk+rel flow is what lets the ICMPv6 error generated by the server
dnl back through; it must be reverse-NATted, including the embedded header.
5342 AT_DATA([flows.txt], [dnl
5343 priority=100 in_port=1,ip6,action=ct(nat(src=fc00::240),commit),2
5344 priority=100 in_port=2,ct_state=-trk,ip6,action=ct(table=0,nat)
5345 priority=100 in_port=2,ct_state=+trk+est,ip6,action=1
5346 priority=100 in_port=2,ct_state=+trk+rel,ip6,action=1
5349 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5351 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
5352 dnl waiting, we get occasional failures due to the following error:
5353 dnl "connect: Cannot assign requested address"
5354 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
dnl Flush the state created by the ping above so the final dump holds only
dnl the UDP probe.
5356 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
dnl Background capture on the client-side port. NOTE(review): the capture
dnl process is not stopped in the lines visible here -- confirm the test's
dnl cleanup handles it.
5359 tcpdump -U -i ovs-p0 -w p0.pcap &
5362 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
5363 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc -6 $NC_EOF_OPT -u fc00::2 1"])
dnl grep must find nothing (status 1): a 'wrong'/'bad' checksum in the
dnl captured ICMPv6 would mean the reverse NAT corrupted the error packet.
5365 AT_CHECK([tcpdump -v "icmp6" -r p0.pcap 2>/dev/null | egrep 'wrong|bad'], [1], [ignore-nolog])
dnl Only the SNATted UDP entry is expected; the related ICMPv6 is not
dnl committed.
5367 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
5368 udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>)
5371 OVS_TRAFFIC_VSWITCHD_STOP
5374 AT_SETUP([conntrack - IPv6 FTP with SNAT])
dnl Purpose: active-mode FTP over IPv6 through source NAT.  The client in ns0
dnl is SNATed to fc00::240; the ftp ALG reads the control channel so that the
dnl data connection the server opens back towards the client is classified
dnl RELATED and reverse-NATed to fc00::1.
5375 AT_SKIP_IF([test $HAVE_FTP = no])
dnl Requires conntrack NAT and ALG (helper) support in the datapath.
5377 CHECK_CONNTRACK_NAT()
5378 CHECK_CONNTRACK_ALG()
5380 OVS_TRAFFIC_VSWITCHD_START()
5382 ADD_NAMESPACES(at_ns0, at_ns1)
5384 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
5385 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
5386 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
5387 dnl Would be nice if NAT could translate neighbor discovery messages, too.
dnl Hence the static neighbour entry for the SNAT address on the ns1 side.
5388 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
5390 dnl Allow any traffic from ns0->ns1.
5391 dnl Only allow nd, return traffic from ns1->ns0.
5392 AT_DATA([flows.txt], [dnl
5393 dnl track all IPv6 traffic (this includes NAT & help to non-NEW packets.)
dnl Table 0 only tracks; policy lives in table 1, after recirculation.
5394 table=0 priority=10 ip6, action=ct(nat,table=1)
5395 table=0 priority=0 action=drop
5399 dnl Allow new TCPv6 FTP control connections.
dnl alg=ftp attaches the FTP helper to the control connection; only the data
dnl connections the helper predicts from the control dialogue can later match
dnl +rel, so the +rel flows below are not a generic hole from port 2.
5400 table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
5401 dnl Allow related TCPv6 connections from port 2 to the NATted address.
dnl Active mode: the server initiates the data connection, so the related entry
dnl point is in_port=2; ct(commit,nat) with no NAT parameters inherits the
dnl translation of the parent connection.
5402 table=1 in_port=2 ct_state=+new+rel tcp6 ipv6_dst=fc00::240 action=ct(commit,nat),1
5403 dnl Allow established TCPv6 connections both ways, enforce NATting
dnl Established traffic from port 1 must already carry the NAT source, and
dnl return traffic from port 2 must already be translated back to fc00::1;
dnl anything else falls through to the drop at the bottom.
5404 table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240 action=2
5405 table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1 action=1
5406 dnl Allow other ICMPv6 both ways (without commit).
5407 table=1 priority=100 in_port=1 icmp6, action=2
5408 table=1 priority=100 in_port=2 icmp6, action=1
5409 dnl Drop everything else.
5410 table=1 priority=0, action=drop
5413 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5415 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
5416 dnl waiting, we get occasional failures due to the following error:
5417 dnl "connect: Cannot assign requested address"
5418 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
5420 OVS_START_L7([at_ns1], [ftp])
5422 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode; -d and --server-response keep the FTP
dnl dialogue in wget0.log for debugging a failure.
5423 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
5425 dnl Discards CLOSE_WAIT and CLOSING
dnl Expected entries: the control connection (helper=ftp) SNATed to fc00::240,
dnl and the server-initiated data connection whose original tuple targets
dnl fc00::240 and whose reply side shows fc00::1, i.e. the reverse translation.
5426 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
5427 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
5428 tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
5431 OVS_TRAFFIC_VSWITCHD_STOP
5434 AT_SETUP([conntrack - IPv6 FTP Passive with SNAT])
dnl Purpose: passive-mode FTP over IPv6 through source NAT.  Unlike the active
dnl variant, the client in ns0 also opens the data connection, so the RELATED
dnl connection enters from port 1 and is SNATed like the control connection.
5435 AT_SKIP_IF([test $HAVE_FTP = no])
dnl Requires conntrack NAT and ALG (helper) support in the datapath.
5437 CHECK_CONNTRACK_NAT()
5438 CHECK_CONNTRACK_ALG()
5440 OVS_TRAFFIC_VSWITCHD_START()
5442 ADD_NAMESPACES(at_ns0, at_ns1)
5444 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
5445 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
5446 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
5447 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:99])
dnl Static neighbour entries in both directions; ns1 needs one for the SNAT
dnl address fc00::240 because NAT does not translate neighbour discovery.
5448 NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::2 lladdr 80:88:88:88:88:99 dev p0])
5449 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
5451 dnl Allow any traffic from ns0->ns1.
5452 dnl Only allow nd, return traffic from ns1->ns0.
5453 AT_DATA([flows.txt], [dnl
5454 dnl track all IPv6 traffic (this includes NAT & help to non-NEW packets.)
5455 table=0 priority=10 ip6, action=ct(nat,table=1)
5456 table=0 priority=0 action=drop
5460 dnl Allow new TCPv6 FTP control connections.
dnl The ftp helper attached here parses the PASV/EPSV reply so that the
dnl client's data connection below is recognised as related.
5461 table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
5462 dnl Allow related TCPv6 connections from port 1.
dnl Passive mode: the client initiates the data connection towards fc00::2, so
dnl the related entry point is in_port=1; nat with no parameters reuses the
dnl parent connection's translation.
5463 table=1 in_port=1 ct_state=+new+rel tcp6 ipv6_dst=fc00::2 action=ct(commit,nat),2
5464 dnl Allow established TCPv6 connections both ways, enforce NATting
5465 table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240 action=2
5466 table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1 action=1
5467 dnl Allow other ICMPv6 both ways (without commit).
5468 table=1 priority=100 in_port=1 icmp6, action=2
5469 table=1 priority=100 in_port=2 icmp6, action=1
5470 dnl Drop everything else.
5471 table=1 priority=0, action=drop
5474 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5476 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
5477 dnl waiting, we get occasional failures due to the following error:
5478 dnl "connect: Cannot assign requested address"
5479 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
5481 OVS_START_L7([at_ns1], [ftp])
5483 dnl FTP requests from p0->p1 should work fine.
dnl No --no-passive-ftp here, so wget uses its default passive mode.
5484 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
5486 dnl Discards CLOSE_WAIT and CLOSING
dnl Both entries originate from fc00::1 and are SNATed to fc00::240 on the
dnl reply side; only the control connection carries helper=ftp.
5487 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
5488 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
5489 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
5492 OVS_TRAFFIC_VSWITCHD_STOP
5495 AT_SETUP([conntrack - IPv6 FTP with SNAT - orig tuple])
dnl Purpose: same active-mode FTP/SNAT scenario as "IPv6 FTP with SNAT", but
dnl the table 1 policy matches on the conntrack original-direction tuple fields
dnl (ct_nw_proto, ct_ipv6_src, ct_tp_dst) instead of the packet headers.  This
dnl pins the related data connection and both established directions to the
dnl control connection fc00::1 -> port 21 rather than to whatever addresses the
dnl current packet carries.
5496 AT_SKIP_IF([test $HAVE_FTP = no])
5498 CHECK_CONNTRACK_NAT()
5499 CHECK_CONNTRACK_ALG()
5500 OVS_TRAFFIC_VSWITCHD_START()
5502 ADD_NAMESPACES(at_ns0, at_ns1)
5504 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
5505 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
5506 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
5507 dnl Would be nice if NAT could translate neighbor discovery messages, too.
5508 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
5510 dnl Allow any traffic from ns0->ns1.
5511 dnl Only allow nd, return traffic from ns1->ns0.
5512 AT_DATA([flows.txt], [dnl
5513 dnl track all IPv6 traffic (this includes NAT & help to non-NEW packets.)
5514 table=0 priority=10 ip6, action=ct(nat,table=1)
5515 table=0 priority=0 action=drop
5519 dnl Allow other ICMPv6 both ways (without commit).
5520 table=1 priority=100 in_port=1 icmp6, action=2
5521 table=1 priority=100 in_port=2 icmp6, action=1
5522 dnl Allow new TCPv6 FTP control connections.
dnl +trk-inv is spelled out here; -inv keeps packets conntrack could not parse
dnl from matching any of the accept flows.
5523 table=1 priority=10 in_port=1 ct_state=+new+trk-inv tcp6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
5524 dnl Allow related TCPv6 connections from port 2 to the NATted address.
dnl For the new related data connection the ct_* fields still describe the
dnl control connection (src fc00::1, dst port 21), which is what this flow
dnl relies on; the packet itself is addressed to fc00::240.
5525 table=1 priority=10 in_port=2 ct_state=+new+rel+trk-inv ipv6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=ct(commit,nat),1
5526 dnl Allow established TCPv6 connections both ways, enforce NATting
dnl Both directions are keyed on the original tuple, so no check on the
dnl translated packet addresses is needed here.
5527 table=1 priority=10 in_port=1 ct_state=+est+trk-inv ipv6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=2
5528 table=1 priority=10 in_port=2 ct_state=+est+trk-inv ipv6 ct_nw_proto=6 ct_ipv6_src=fc00::1 ct_tp_dst=21 action=1
5529 dnl Drop everything else.
5530 table=1 priority=0, action=drop
5533 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5535 dnl Linux seems to take a little time to get its IPv6 stack in order. Without
5536 dnl waiting, we get occasional failures due to the following error:
5537 dnl "connect: Cannot assign requested address"
5538 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
dnl The FTP server is started by hand here (the sibling tests use
dnl OVS_START_L7) and the test waits until netstat shows it listening.
5540 NETNS_DAEMONIZE([at_ns1], [[$PYTHON3 $srcdir/test-l7.py ftp]], [ftp0.pid])
5541 OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
5543 dnl FTP requests from p0->p1 should work fine.
dnl Active mode (--no-passive-ftp): the server opens the data connection.
5544 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
5546 dnl Discards CLOSE_WAIT and CLOSING
dnl Same expected entries as the packet-header variant: SNATed control
dnl connection with helper=ftp, plus the server-initiated data connection
dnl reverse-translated to fc00::1.
5547 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
5548 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
5549 tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
5552 OVS_TRAFFIC_VSWITCHD_STOP
5555 AT_SETUP([conntrack - IPv4 TFTP with SNAT])
dnl Purpose: TFTP over UDP through source NAT.  The request to port 69 is
dnl SNATed to 10.1.1.240; the tftp ALG lets the server's data transfer, which
dnl comes from a fresh server port back to the client, be accepted as RELATED.
5556 AT_SKIP_IF([test $HAVE_TFTP = no])
dnl Requires conntrack NAT and ALG (helper) support in the datapath.
5558 CHECK_CONNTRACK_NAT()
5559 CHECK_CONNTRACK_ALG()
5561 OVS_TRAFFIC_VSWITCHD_START()
5563 ADD_NAMESPACES(at_ns0, at_ns1)
dnl Fixed MACs and static ARP entries on both sides; ns1 also needs one for the
dnl SNAT address 10.1.1.240, which no host owns.
5565 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
5566 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address e6:66:c1:11:11:11])
5567 NS_CHECK_EXEC([at_ns0], [arp -s 10.1.1.2 e6:66:c1:22:22:22])
5569 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
5570 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address e6:66:c1:22:22:22])
5571 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.1 e6:66:c1:11:11:11])
5572 NS_CHECK_EXEC([at_ns1], [arp -s 10.1.1.240 e6:66:c1:11:11:11])
5574 dnl Allow any traffic from ns0->ns1.
5575 AT_DATA([flows.txt], [dnl
5576 dnl track all IPv4 traffic.
dnl Note: no nat in table 0 here; translation is applied per flow in table 1.
5577 table=0 priority=10 ip, action=ct(table=1)
5578 dnl drop everything else.
5579 table=0 priority=0 action=drop
5582 dnl Allow ICMP both ways.
5583 table=1 priority=100 in_port=1 icmp, action=2
5584 table=1 priority=100 in_port=2 icmp, action=1
5586 dnl Allow new TFTP control connections.
dnl alg=tftp attaches the helper so the server's data transfer becomes a
dnl related connection; without it the +rel flow below would never match.
5587 table=1 in_port=1 ct_state=+new udp nw_src=10.1.1.1 tp_dst=69 action=ct(alg=tftp,commit,nat(src=10.1.1.240)),2
5588 dnl Allow related UDP connections from port 1.
dnl (The flow below is the server side, in_port=2: the TFTP server answers from
dnl a new port towards the NATed client address.)
5589 table=1 in_port=2 ct_state=+new+rel udp nw_src=10.1.1.2 action=ct(commit,nat),1
5590 dnl Allow established and NAT them.
dnl Established packets are translated and recirculated to table 2, which
dnl checks the post-NAT addresses before output.
5591 table=1 in_port=1 ct_state=+est udp nw_src=10.1.1.1 action=ct(nat,table=2)
5592 table=1 in_port=2 ct_state=+est udp nw_src=10.1.1.2 action=ct(nat,table=2)
5594 table=1 priority=0, action=drop
5596 table=2 in_port=1 ct_state=+est udp nw_src=10.1.1.240 action=2
5597 table=2 in_port=2 ct_state=+est udp nw_dst=10.1.1.1 action=1
5600 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5602 dnl Check that the stacks working to avoid races.
5603 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null])
dnl A TFTP server is started in both namespaces; only the one in ns1 is
dnl contacted by the client below.
5605 OVS_START_L7([at_ns0], [tftp])
5606 OVS_START_L7([at_ns1], [tftp])
5608 dnl TFTP requests from p0->p1 should work fine.
dnl Fetches flows.txt (the file written above) into foo; curl's log goes to curl0.log.
5609 NS_CHECK_EXEC([at_ns0], [[curl $CURL_OPT tftp://10.1.1.2/flows.txt -o foo 2>curl0.log]])
dnl Expected entries: the request (helper=tftp) SNATed to 10.1.1.240 and the
dnl server-initiated transfer, whose reply side is reverse-translated to 10.1.1.1.
5611 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
5612 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),helper=tftp
5613 udp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>)
5616 OVS_TRAFFIC_VSWITCHD_STOP
5619 AT_SETUP([conntrack - DNAT load balancing])
dnl Purpose: distribute TCP connections to a virtual IP (10.1.1.64) across three
dnl backends with an OpenFlow select group whose buckets each commit a
dnl different ct DNAT target.  The bridge also answers ARP for the virtual IP
dnl itself (tables 8 and 10), so no host has to own that address.
dnl NOTE(review): the `done` of the wget loop and the closing `])` lines are
dnl not visible in this excerpt.
5621 CHECK_CONNTRACK_NAT()
5622 OVS_TRAFFIC_VSWITCHD_START()
5624 ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4)
dnl ns1 is the client; ns2..ns4 are the backends.  MACs are fixed because
dnl table 4 rewrites eth_dst to them after DNAT.
5626 ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
5627 ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
5628 ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
5629 ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
5630 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
5631 NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
5632 NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
5633 NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
5635 dnl Select group for load balancing. One bucket per server. Each bucket
5636 dnl tracks and NATs the connection and recirculates to table 4 for egress
5637 dnl routing. Packets of existing connections are always NATted based on
5638 dnl connection state, only new connections are NATted according to the
5639 dnl specific NAT parameters in each bucket.
dnl Equal weights; OpenFlow 1.5 is required for groups with ct actions here.
5640 AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])
5642 AT_DATA([flows.txt], [dnl
5643 dnl Track connections to the virtual IP address.
5644 table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
5645 dnl All other IP traffic is allowed but the connection state is not committed.
dnl Return traffic from the backends is un-NATed here via ct(nat) before the
dnl egress lookup in table 4.
5646 table=0 priority=90 ip action=ct(table=4,nat)
5648 dnl Allow ARP, but generate responses for virtual addresses
dnl ARP requests: copy the target IP into reg2, resolve it in table 8, then
dnl decide in table 10 whether to answer from the bridge or flood normally.
5649 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
5650 table=0 priority=10 arp action=normal
5651 table=0 priority=0 action=drop
dnl Egress routing on the (post-NAT) destination IP: rewrite eth_dst to the
dnl backend's MAC and output on its port.
5655 table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
5656 table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
5657 table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
5658 table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
5659 table=4 priority=0 action=drop
5661 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64; 0x808888888888 is the MAC the bridge answers with.
5662 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
5663 dnl Zero result means not found.
5664 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
5665 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
5667 table=10 priority=100 arp xreg0=0 action=normal
5668 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl The in_port is saved in reg3 and cleared so the reply can be sent back out
dnl of the port it arrived on.
5669 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
dnl Only non-request ARP with a resolved MAC could reach this; table 0 sends
dnl just arp_op=1 here, so in practice this looks unreachable.
5670 table=10 priority=0 action=controller
5673 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5675 dnl Start web servers
5676 OVS_START_L7([at_ns2], [http])
5677 OVS_START_L7([at_ns3], [http])
5678 OVS_START_L7([at_ns4], [http])
dnl Debug output collected on exit, useful when the distribution check fails.
5680 on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
5681 on_exit 'ovs-appctl revalidator/purge'
5682 on_exit 'ovs-appctl dpif/dump-flows br0'
5684 dnl Should work with the virtual IP address through NAT
dnl Twelve separate connections; each gets its own source port and therefore
dnl its own select-group bucket choice.
5685 for i in 1 2 3 4 5 6 7 8 9 10 11 12; do
5687 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget$i.log])
5690 dnl Each server should have at least one connection.
dnl Bucket selection hashes the packet, so this check assumes twelve
dnl connections are enough to hit all three buckets at least once.
5691 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64)], [0], [dnl
5692 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
5693 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.3,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
5694 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
dnl Unchecked dumps, kept in the test log for debugging only.
5697 ovs-appctl dpif/dump-flows br0
5698 ovs-appctl revalidator/purge
5699 ovs-ofctl -O OpenFlow15 dump-flows br0
5700 ovs-ofctl -O OpenFlow15 dump-group-stats br0
5702 OVS_TRAFFIC_VSWITCHD_STOP
5706 AT_SETUP([conntrack - DNAT load balancing with NC])
dnl Purpose: variant of "DNAT load balancing" using nc instead of wget, with
dnl two clients (ns1 and ns5) that deliberately use the same fixed source port
dnl for each round; the NAT state for the two must then be kept apart by
dnl source address alone.
5707 AT_SKIP_IF([test $HAVE_NC = no])
5709 CHECK_CONNTRACK_NAT()
5710 OVS_TRAFFIC_VSWITCHD_START()
dnl ns1 and ns5 are clients; ns2..ns4 are the backends.
5712 ADD_NAMESPACES(at_ns1, at_ns2, at_ns3, at_ns4, at_ns5)
5714 ADD_VETH(p1, at_ns1, br0, "10.1.1.1/24")
5715 ADD_VETH(p2, at_ns2, br0, "10.1.1.2/24")
5716 ADD_VETH(p3, at_ns3, br0, "10.1.1.3/24")
5717 ADD_VETH(p4, at_ns4, br0, "10.1.1.4/24")
5718 ADD_VETH(p5, at_ns5, br0, "10.1.1.5/24")
5719 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:11])
5720 NS_CHECK_EXEC([at_ns2], [ip link set dev p2 address 80:88:88:88:88:22])
5721 NS_CHECK_EXEC([at_ns3], [ip link set dev p3 address 80:88:88:88:88:33])
5722 NS_CHECK_EXEC([at_ns4], [ip link set dev p4 address 80:88:88:88:88:44])
5723 NS_CHECK_EXEC([at_ns5], [ip link set dev p5 address 80:88:88:88:88:55])
5725 dnl Select group for load balancing. One bucket per server. Each bucket
5726 dnl tracks and NATs the connection and recirculates to table 4 for egress
5727 dnl routing. Packets of existing connections are always NATted based on
5728 dnl connection state, only new connections are NATted according to the
5729 dnl specific NAT parameters in each bucket.
5730 AT_CHECK([ovs-ofctl -O OpenFlow15 -vwarn add-group br0 "group_id=234,type=select,bucket=weight=100,ct(nat(dst=10.1.1.2),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.3),commit,table=4),bucket=weight=100,ct(nat(dst=10.1.1.4),commit,table=4)"])
5732 AT_DATA([flows.txt], [dnl
5733 dnl Track connections to the virtual IP address.
5734 table=0 priority=100 ip nw_dst=10.1.1.64 action=group:234
5735 dnl All other IP traffic is allowed but the connection state is not committed.
dnl Return traffic from the backends is un-NATed here before egress routing.
5736 table=0 priority=90 ip action=ct(table=4,nat)
5738 dnl Allow ARP, but generate responses for virtual addresses
5739 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
5740 table=0 priority=10 arp action=normal
5741 table=0 priority=0 action=drop
dnl Egress routing on the post-NAT destination: rewrite eth_dst and output.
5745 table=4,ip,nw_dst=10.1.1.1 action=mod_dl_dst:80:88:88:88:88:11,output:1
5746 table=4,ip,nw_dst=10.1.1.2 action=mod_dl_dst:80:88:88:88:88:22,output:2
5747 table=4,ip,nw_dst=10.1.1.3 action=mod_dl_dst:80:88:88:88:88:33,output:3
5748 table=4,ip,nw_dst=10.1.1.4 action=mod_dl_dst:80:88:88:88:88:44,output:4
5749 table=4,ip,nw_dst=10.1.1.5 action=mod_dl_dst:80:88:88:88:88:55,output:5
5750 table=4 priority=0 action=drop
5752 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, the virtual IP.
5753 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
5754 dnl Zero result means not found.
5755 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
5756 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
5758 table=10 priority=100 arp xreg0=0 action=normal
5759 dnl Swaps the fields of the ARP message to turn a query to a response.
5760 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
5761 table=10 priority=0 action=controller
5764 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5766 dnl Start web servers
5767 OVS_START_L7([at_ns2], [http])
5768 OVS_START_L7([at_ns3], [http])
5769 OVS_START_L7([at_ns4], [http])
dnl Debug output collected on exit.
5771 on_exit 'ovs-ofctl -O OpenFlow15 dump-flows br0'
5772 on_exit 'ovs-appctl revalidator/purge'
5773 on_exit 'ovs-appctl dpif/dump-flows br0'
5777 dnl Should work with the virtual IP address through NAT
dnl Round i: both clients connect from source port 4100i to the virtual IP,
dnl so each round produces two connections that differ only in source address.
dnl NOTE(review): no conntrack assertion follows the loop in this excerpt;
dnl only NS_CHECK_EXEC's exit status check covers each connection.
5778 for i in 1 2 3 4 5 6 7 8 9; do
5780 NS_CHECK_EXEC([at_ns1], [echo "TEST1" | nc -p 4100$i 10.1.1.64 80 > nc-1-$i.log])
5781 NS_CHECK_EXEC([at_ns5], [echo "TEST5" | nc -p 4100$i 10.1.1.64 80 > nc-5-$i.log])
dnl Unchecked dumps, kept in the test log for debugging only.
5786 ovs-appctl dpif/dump-flows br0
5787 ovs-appctl revalidator/purge
5788 ovs-ofctl -O OpenFlow15 dump-flows br0
5789 ovs-ofctl -O OpenFlow15 dump-group-stats br0
5791 OVS_TRAFFIC_VSWITCHD_STOP
5794 AT_SETUP([conntrack - floating IP])
dnl Purpose: floating-IP translation done with set_field rather than conntrack
dnl NAT.  Because the pipeline rewrites the IP tuple itself, it must ct_clear
dnl and run ct() again so the connection is committed under the translated
dnl tuple; the test verifies that by expecting a full TCP lifecycle
dnl (TIME_WAIT) on the post-translation entry.
5795 AT_SKIP_IF([test $HAVE_NC = no])
5797 OVS_TRAFFIC_VSWITCHD_START()
dnl Presumably skips the test when the datapath lacks the ct_clear action.
5798 OVS_CHECK_CT_CLEAR()
5800 ADD_NAMESPACES(at_ns0, at_ns1)
5801 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24", "f0:00:00:01:01:01") dnl FIP 10.254.254.1
5802 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24", "f0:00:00:01:01:02") dnl FIP 10.254.254.2
dnl Static neighbour entries for each other and for the FIP gateway
dnl 10.1.1.254 (MAC ...:FE), which the bridge impersonates in table 20.
5805 NS_CHECK_EXEC([at_ns0], [ip neigh add 10.1.1.2 lladdr f0:00:00:01:01:02 dev p0])
5806 NS_CHECK_EXEC([at_ns1], [ip neigh add 10.1.1.1 lladdr f0:00:00:01:01:01 dev p1])
5808 dnl Static ARP and route entries for the FIP "gateway"
5809 NS_CHECK_EXEC([at_ns0], [ip neigh add 10.1.1.254 lladdr f0:00:00:01:01:FE dev p0])
5810 NS_CHECK_EXEC([at_ns1], [ip neigh add 10.1.1.254 lladdr f0:00:00:01:01:FE dev p1])
5811 NS_CHECK_EXEC([at_ns0], [ip route add default nexthop via 10.1.1.254])
5812 NS_CHECK_EXEC([at_ns1], [ip route add default nexthop via 10.1.1.254])
dnl Listener in ns0 on port 1234; -k keeps it accepting across both connections.
5814 NETNS_DAEMONIZE([at_ns0], [nc -l -k 1234 > /dev/null], [nc0.pid])
5816 AT_DATA([flows.txt], [dnl
5817 table=0,priority=10 ip action=ct(table=1)
5818 table=0,priority=1 action=drop
dnl Traffic to a FIP goes to the translation tables; local traffic goes
dnl straight to egress.  New connections are committed on the way.
5820 table=1,priority=20 ip,ct_state=+trk+est,nw_dst=10.254.254.0/24 action=goto_table:10
5821 table=1,priority=20 ip,ct_state=+trk+new,nw_dst=10.254.254.0/24 action=ct(commit,table=10)
5823 table=1,priority=10 ip,ct_state=+trk+est action=goto_table:20
5824 table=1,priority=10 ip,ct_state=+trk+new action=ct(commit,table=20)
5825 table=1,priority=1 ip,ct_state=+trk+inv action=drop
5827 dnl FIP translation (dst FIP, src local) --> (dst local, src FIP)
5828 table=10 ip,nw_dst=10.254.254.1 action=set_field:10.1.1.1->nw_dst,goto_table:11
5829 table=10 ip,nw_dst=10.254.254.2 action=set_field:10.1.1.2->nw_dst,goto_table:11
5830 table=11 ip,nw_src=10.1.1.1 action=set_field:10.254.254.1->nw_src,goto_table:12
5831 table=11 ip,nw_src=10.1.1.2 action=set_field:10.254.254.2->nw_src,goto_table:12
5832 dnl clear conntrack and do another lookup since we changed the tuple
dnl The state from table 0 belongs to the pre-translation tuple; ct_clear
dnl discards it so the second ct() sees the rewritten packet as its own
dnl connection and commits it separately (table 13).
5833 table=12,priority=10 ip action=ct_clear,ct(table=13)
5834 table=12,priority=1 action=drop
5835 table=13 ip,ct_state=+trk+est action=goto_table:20
5836 table=13 ip,ct_state=+trk+new action=ct(commit,table=20)
5837 table=13 ip,ct_state=+trk+inv action=drop
dnl Egress: source MAC by (possibly translated) source IP, FIP-sourced traffic
dnl appears to come from the gateway MAC; destination MAC and port by dst IP.
5840 table=20 ip,nw_src=10.1.1.1 action=set_field:f0:00:00:01:01:01->eth_src,goto_table:21
5841 table=20 ip,nw_src=10.1.1.2 action=set_field:f0:00:00:01:01:02->eth_src,goto_table:21
5842 table=20 ip,nw_src=10.254.254.0/24 action=set_field:f0:00:00:01:01:FE->eth_src,goto_table:21
5843 table=21 ip,nw_dst=10.1.1.1 action=set_field:f0:00:00:01:01:01->eth_dst,output:ovs-p0
5844 table=21 ip,nw_dst=10.1.1.2 action=set_field:f0:00:00:01:01:02->eth_dst,output:ovs-p1
5847 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Baseline: a plain local connection must reach TIME_WAIT.  The sed
dnl expressions blank out ports and ids so the grep can match exactly.
5850 NS_CHECK_EXEC([at_ns1], [echo "foobar" |nc $NC_EOF_OPT 10.1.1.1 1234])
5851 OVS_WAIT_UNTIL([[ovs-appctl dpctl/dump-conntrack | sed -e 's/port=[0-9]*/port=<cleared>/g' -e 's/id=[0-9]*/id=<cleared>/g' |
5852 grep "tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)"
5855 dnl Check that the full session ends as expected (i.e. TIME_WAIT). Otherwise it
5856 dnl means the datapath didn't process the ct_clear action. Ending in SYN_RECV
5857 dnl (OVS maps to ESTABLISHED) means the initial frame was committed, but not a
5858 dnl second time after the FIP translation (because ct_clear didn't occur).
dnl The entry grep'ed for is the post-translation one: src is ns1's FIP.
5859 NS_CHECK_EXEC([at_ns1], [echo "foobar" |nc $NC_EOF_OPT 10.254.254.1 1234])
5860 OVS_WAIT_UNTIL([[ovs-appctl dpctl/dump-conntrack | sed -e 's/port=[0-9]*/port=<cleared>/g' -e 's/id=[0-9]*/id=<cleared>/g' |
5861 grep "tcp,orig=(src=10.254.254.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.254.254.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)"
5864 OVS_TRAFFIC_VSWITCHD_STOP
5867 AT_SETUP([conntrack - negative test for recirculation optimization])
5868 dnl This test will fail if 'conn' caching is being used, because the tuple
5869 dnl has been changed outside of conntrack.
dnl Purpose: the pipeline rewrites the IP tuple with set_field and then calls
dnl ct() again WITHOUT ct_clear.  The second ct() must do a real lookup on the
dnl new tuple (yielding a second, +new entry with mark=2) rather than reuse the
dnl connection cached from the first lookup (which would show as +est with
dnl mark=1 and produce only one entry).
5870 AT_SKIP_IF([test $HAVE_NC = no])
5872 OVS_TRAFFIC_VSWITCHD_START()
5873 OVS_CHECK_CT_CLEAR()
5875 ADD_NAMESPACES(at_ns0, at_ns1)
5876 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24", "f0:00:00:01:01:01") dnl FIP 10.254.254.1
5877 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24", "f0:00:00:01:01:02") dnl FIP 10.254.254.2
5880 NS_CHECK_EXEC([at_ns0], [ip neigh add 10.1.1.2 lladdr f0:00:00:01:01:02 dev p0])
5881 NS_CHECK_EXEC([at_ns1], [ip neigh add 10.1.1.1 lladdr f0:00:00:01:01:01 dev p1])
5883 dnl Static ARP and route entries for the FIP "gateway"
5884 NS_CHECK_EXEC([at_ns0], [ip neigh add 10.1.1.254 lladdr f0:00:00:01:01:FE dev p0])
5885 NS_CHECK_EXEC([at_ns1], [ip neigh add 10.1.1.254 lladdr f0:00:00:01:01:FE dev p1])
5886 NS_CHECK_EXEC([at_ns0], [ip route add default nexthop via 10.1.1.254])
5887 NS_CHECK_EXEC([at_ns1], [ip route add default nexthop via 10.1.1.254])
5889 NETNS_DAEMONIZE([at_ns0], [nc -l -k 1234 > /dev/null], [nc0.pid])
5891 AT_DATA([flows.txt], [dnl
5892 table=0,priority=10 ip action=ct(table=1)
dnl First commit, on the pre-translation tuple, tags the entry with ct_mark=1.
5894 table=1,priority=20 ip,ct_state=+trk+est,nw_dst=10.254.254.0/24 action=goto_table:2
5895 table=1,priority=20 ip,ct_state=+trk+new,nw_dst=10.254.254.0/24 action=ct(commit,exec(set_field:1->ct_mark),table=2)
5897 dnl FIP translation (dst FIP, src local) --> (dst local, src FIP)
5898 table=2 ip,nw_dst=10.254.254.1 action=set_field:10.1.1.1->nw_dst,goto_table:3
5899 table=2 ip,nw_dst=10.254.254.2 action=set_field:10.1.1.2->nw_dst,goto_table:3
5900 table=3 ip,nw_src=10.1.1.1 action=set_field:10.254.254.1->nw_src,goto_table:4
5901 table=3 ip,nw_src=10.1.1.2 action=set_field:10.254.254.2->nw_src,goto_table:4
5902 table=4 ip,nw_dst=10.1.1.1 action=set_field:f0:00:00:01:01:01->eth_dst,goto_table:5
5903 table=4 ip,nw_dst=10.1.1.2 action=set_field:f0:00:00:01:01:02->eth_dst,goto_table:5
5904 table=5 ip,nw_src=10.254.254.0/24 action=set_field:f0:00:00:01:01:FE->eth_src,goto_table:6
5906 dnl Tuple has been changed outside of conntrack
dnl Deliberately no ct_clear before this second ct(): that is the case under test.
5907 table=6,priority=10 ip action=ct(table=7)
dnl Second commit, on the translated tuple, tags the entry with ct_mark=2.  The
dnl ct_mark=0x0 match would not hold if the cached mark=1 connection were reused.
5909 table=7 ip,ct_state=+trk+est action=goto_table:8
5910 table=7 ip,ct_mark=0x0,ct_state=+trk+new action=ct(commit,exec(set_field:2->ct_mark),table=8)
5912 table=8 ip,nw_dst=10.1.1.1 action=output:ovs-p0
5913 table=8 ip,nw_dst=10.1.1.2 action=output:ovs-p1
5916 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
5918 NS_CHECK_EXEC([at_ns1], [echo "foobar" |nc $NC_EOF_OPT 10.254.254.1 1234])
dnl Two entries are expected: the original tuple (ns1 -> FIP of ns0) with
dnl mark=1, and the translated tuple (FIP of ns1 -> ns0) with mark=2.
5920 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.254.254)], [0], [dnl
5921 tcp,orig=(src=10.1.1.2,dst=10.254.254.1,sport=<cleared>,dport=<cleared>),reply=(src=10.254.254.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=<cleared>)
5922 tcp,orig=(src=10.254.254.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.254.254.2,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=<cleared>)
dnl Unchecked dump, kept in the test log for debugging.
5925 ovs-appctl dpif/dump-flows br0
5927 OVS_TRAFFIC_VSWITCHD_STOP
dnl Tests for stacked VLAN tags (802.1ad / QinQ) handling in the datapath.
5930 AT_BANNER([802.1ad])
5932 AT_SETUP([802.1ad - vlan_limit])
dnl Purpose: the vlan-limit setting controls how many VLAN tags the bridge
dnl parses.  With vlan-limit=0 (no limit) double-tagged traffic is forwarded
dnl by the normal action; after switching to vlan-limit=1 the inner 0x8100
dnl tag is left unparsed and shows up as dl_type, so a drop flow on
dnl dl_type=0x8100 must stop the same traffic.
5933 OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
5936 ADD_NAMESPACES(at_ns0, at_ns1)
5938 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
5939 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Outer S-VLAN 4094 on both ends, then customer VLAN 100 stacked on top of
dnl it; 10.2.2.x is the double-tagged network used by the pings.
5941 ADD_SVLAN(p0, at_ns0, 4094, "10.255.2.1/24")
5942 ADD_SVLAN(p1, at_ns1, 4094, "10.255.2.2/24")
5944 ADD_CVLAN(p0.4094, at_ns0, 100, "10.2.2.1/24")
5945 ADD_CVLAN(p1.4094, at_ns1, 100, "10.2.2.2/24")
5947 AT_CHECK([ovs-ofctl add-flow br0 "priority=1 action=normal"])
dnl Wait until double-tagged traffic actually flows before changing the limit.
5949 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])
5951 dnl CVLAN traffic should match the flow and drop
dnl The purge drops cached datapath flows so the new limit takes effect on the
dnl next packet instead of being served from a flow installed under limit 0.
5952 AT_CHECK([ovs-appctl revalidator/purge])
5953 AT_CHECK([ovs-vsctl set Open_vSwitch . other_config:vlan-limit=1])
5954 AT_CHECK([ovs-ofctl add-flow br0 "priority=100 dl_type=0x8100 action=drop"])
dnl Expected exit status 1: the ping must now fail.
5955 NS_CHECK_EXEC([at_ns0], [ping -q -c 1 -w 3 10.2.2.2], [1], [ignore])
5957 OVS_TRAFFIC_VSWITCHD_STOP
5961 AT_SETUP([802.1ad - push/pop outer 802.1ad])
dnl Purpose: br0 acts as the provider bridge.  Customer-tagged (VLAN 100)
dnl frames from br1/br2 get an outer 802.1ad (0x88a8) tag with VID 4094 pushed
dnl on br0 and popped again on the far customer bridge; hosts must still ping
dnl across, including with a payload large enough to exceed a plain frame.
dnl NOTE(review): br1 and br2 must already exist for the add-port calls below;
dnl their creation is not visible in this excerpt.
5962 OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
5967 ADD_NAMESPACES(at_ns0, at_ns1)
dnl veth pair linking br0 (ovs-p0) to customer bridge br1 (ovs-p1).
5969 AT_CHECK([ip link add ovs-p0 type veth peer name ovs-p1])
5970 AT_CHECK([ip link set dev ovs-p0 up])
5971 AT_CHECK([ip link set dev ovs-p1 up])
5972 AT_CHECK([ovs-vsctl add-port br0 ovs-p0])
5973 AT_CHECK([ovs-vsctl add-port br1 ovs-p1])
5974 on_exit 'ip link del ovs-p0'
dnl veth pair linking br0 (ovs-p2) to customer bridge br2 (ovs-p3).
5976 AT_CHECK([ip link add ovs-p2 type veth peer name ovs-p3])
5977 AT_CHECK([ip link set dev ovs-p2 up])
5978 AT_CHECK([ip link set dev ovs-p3 up])
5979 AT_CHECK([ovs-vsctl add-port br0 ovs-p2])
5980 AT_CHECK([ovs-vsctl add-port br2 ovs-p3])
5981 on_exit 'ip link del ovs-p2'
dnl Hosts attach to the customer bridges with a single C-VLAN 100 tag.
5983 ADD_VETH(p4, at_ns0, br1, "10.1.1.1/24")
5984 ADD_VETH(p5, at_ns1, br2, "10.1.1.2/24")
5985 ADD_CVLAN(p4, at_ns0, 100, "10.2.2.1/24")
5986 ADD_CVLAN(p5, at_ns1, 100, "10.2.2.2/24")
dnl Provider bridge: push the 0x88a8 outer tag and forward to the other
dnl provider port; nothing else is forwarded.
5988 AT_DATA([flows-br0.txt], [dnl
5989 priority=1 action=drop
5990 priority=100 in_port=1 action=push_vlan:0x88a8,mod_vlan_vid=4094,output:2
5991 priority=100 in_port=2 action=push_vlan:0x88a8,mod_vlan_vid=4094,output:1
dnl Customer bridges: vlan_tci=0x1000/0x1000 matches any frame that carries a
dnl VLAN tag; on the provider-facing port 1 the outer tag is popped before
dnl normal switching.
5994 AT_DATA([flows-customer-br.txt], [dnl
5995 priority=1 action=normal
5996 priority=100 in_port=1 vlan_tci=0x1000/0x1000 action=pop_vlan,normal
5999 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
6000 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-customer-br.txt])
6001 AT_CHECK([ovs-ofctl --bundle add-flows br2 flows-customer-br.txt])
6003 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])
6005 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
6006 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Larger payload: exercises fragmentation/MTU handling with the extra tag.
6009 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
6010 3 packets transmitted, 3 received, 0% packet loss, time 0ms
6013 OVS_TRAFFIC_VSWITCHD_STOP
6017 AT_SETUP([802.1ad - push/pop outer 802.1q])
dnl Purpose: same topology and checks as "push/pop outer 802.1ad", but the
dnl outer tag pushed on br0 uses the 802.1q ethertype 0x8100 instead of
dnl 0x88a8, i.e. QinQ with two 0x8100 tags.
dnl NOTE(review): br1 and br2 must already exist for the add-port calls below;
dnl their creation is not visible in this excerpt.
6018 OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
6023 ADD_NAMESPACES(at_ns0, at_ns1)
dnl veth pair linking br0 (ovs-p0) to customer bridge br1 (ovs-p1).
6025 AT_CHECK([ip link add ovs-p0 type veth peer name ovs-p1])
6026 AT_CHECK([ip link set dev ovs-p0 up])
6027 AT_CHECK([ip link set dev ovs-p1 up])
6028 AT_CHECK([ovs-vsctl add-port br0 ovs-p0])
6029 AT_CHECK([ovs-vsctl add-port br1 ovs-p1])
6030 on_exit 'ip link del ovs-p0'
dnl veth pair linking br0 (ovs-p2) to customer bridge br2 (ovs-p3).
6032 AT_CHECK([ip link add ovs-p2 type veth peer name ovs-p3])
6033 AT_CHECK([ip link set dev ovs-p2 up])
6034 AT_CHECK([ip link set dev ovs-p3 up])
6035 AT_CHECK([ovs-vsctl add-port br0 ovs-p2])
6036 AT_CHECK([ovs-vsctl add-port br2 ovs-p3])
6037 on_exit 'ip link del ovs-p2'
dnl Hosts attach to the customer bridges with a single C-VLAN 100 tag.
6039 ADD_VETH(p4, at_ns0, br1, "10.1.1.1/24")
6040 ADD_VETH(p5, at_ns1, br2, "10.1.1.2/24")
6041 ADD_CVLAN(p4, at_ns0, 100, "10.2.2.1/24")
6042 ADD_CVLAN(p5, at_ns1, 100, "10.2.2.2/24")
dnl Provider bridge: push a second 0x8100 tag (VID 4094) and forward to the
dnl other provider port; nothing else is forwarded.
6044 AT_DATA([flows-br0.txt], [dnl
6045 priority=1 action=drop
6046 priority=100 in_port=1 action=push_vlan:0x8100,mod_vlan_vid=4094,output:2
6047 priority=100 in_port=2 action=push_vlan:0x8100,mod_vlan_vid=4094,output:1
dnl Customer bridges: vlan_tci=0x1000/0x1000 matches any tagged frame; the
dnl outer tag is popped on the provider-facing port 1 before normal switching.
6050 AT_DATA([flows-customer-br.txt], [dnl
6051 priority=1 action=normal
6052 priority=100 in_port=1 vlan_tci=0x1000/0x1000 action=pop_vlan,normal
6055 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
6056 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-customer-br.txt])
6057 AT_CHECK([ovs-ofctl --bundle add-flows br2 flows-customer-br.txt])
6059 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])
6061 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
6062 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Larger payload: exercises fragmentation/MTU handling with the extra tag.
6065 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
6066 3 packets transmitted, 3 received, 0% packet loss, time 0ms
6069 OVS_TRAFFIC_VSWITCHD_STOP
dnl Same provider/customer topology as the push/pop test, but the outer tag
dnl is applied by port configuration rather than by flow rules: the br0
dnl trunk ports run in dot1q-tunnel mode with S-VLAN 4094 and an explicit
dnl cvlans allow-list.  Every bridge just uses action=normal, so all of the
dnl isolation in this test comes from the port VLAN configuration.
6073 AT_SETUP([802.1ad - 802.1q tunnel])
6074 OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
6079 ADD_NAMESPACES(at_ns0, at_ns1)
dnl Bare veth pairs join br0 to br1 and br2; on_exit deletes them (removing
dnl one end removes its peer).
6081 AT_CHECK([ip link add ovs-p0 type veth peer name ovs-p1])
6082 AT_CHECK([ip link set dev ovs-p0 up])
6083 AT_CHECK([ip link set dev ovs-p1 up])
6084 AT_CHECK([ovs-vsctl add-port br0 ovs-p0])
6085 AT_CHECK([ovs-vsctl add-port br1 ovs-p1])
6086 on_exit 'ip link del ovs-p0'
6088 AT_CHECK([ip link add ovs-p2 type veth peer name ovs-p3])
6089 AT_CHECK([ip link set dev ovs-p2 up])
6090 AT_CHECK([ip link set dev ovs-p3 up])
6091 AT_CHECK([ovs-vsctl add-port br0 ovs-p2])
6092 AT_CHECK([ovs-vsctl add-port br2 ovs-p3])
6093 on_exit 'ip link del ovs-p2'
dnl Each host gets three C-VLAN sub-interfaces: 100 (10.2.2.0/24) and 200
dnl (10.3.2.0/24) are allowed through the tunnel; 300 (10.4.2.0/24) is not.
6095 ADD_VETH(p4, at_ns0, br1, "10.1.1.1/24")
6096 ADD_VETH(p5, at_ns1, br2, "10.1.1.2/24")
6097 ADD_CVLAN(p4, at_ns0, 100, "10.2.2.1/24")
6098 ADD_CVLAN(p5, at_ns1, 100, "10.2.2.2/24")
6099 ADD_CVLAN(p4, at_ns0, 200, "10.3.2.1/24")
6100 ADD_CVLAN(p5, at_ns1, 200, "10.3.2.2/24")
6101 ADD_CVLAN(p4, at_ns0, 300, "10.4.2.1/24")
6102 ADD_CVLAN(p5, at_ns1, 300, "10.4.2.2/24")
6104 AT_CHECK([ovs-ofctl add-flow br0 action=normal])
6105 AT_CHECK([ovs-ofctl add-flow br1 action=normal])
6106 AT_CHECK([ovs-ofctl add-flow br2 action=normal])
dnl The allow-list is the access control under test: only C-VLANs 100 and
dnl 200 are accepted on the tunnel ports and wrapped in S-VLAN 4094.
6107 AT_CHECK([ovs-vsctl set port ovs-p0 vlan_mode=dot1q-tunnel tag=4094 cvlans=100,200])
6108 AT_CHECK([ovs-vsctl set port ovs-p2 vlan_mode=dot1q-tunnel tag=4094 cvlans=100,200])
dnl Warm-up pings for both permitted C-VLANs, then zero-loss checks.
6110 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])
6111 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.3.2.2])
6113 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
6114 3 packets transmitted, 3 received, 0% packet loss, time 0ms
6117 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.3.2.2 | FORMAT_PING], [0], [dnl
6118 3 packets transmitted, 3 received, 0% packet loss, time 0ms
6121 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
6122 3 packets transmitted, 3 received, 0% packet loss, time 0ms
6125 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.3.2.2 | FORMAT_PING], [0], [dnl
6126 3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Negative check: C-VLAN 300 exists on both hosts but is not in cvlans, so
dnl the ping must get no reply within 3 s.  Exit status 1 is ping's "no
dnl reply" code; a different failure (e.g. exit 2 for a socket or
dnl resolution error) would not satisfy this check, which is what we want.
6129 dnl CVLAN 300 is not permitted by dot1q-tunnel
6130 NS_CHECK_EXEC([at_ns0], [ping -q -c 1 -w 3 10.4.2.2], [1], [ignore])
dnl OVS logs a warning for every frame it drops on the tunnel ports.  The
dnl sed expression handed to the STOP macro removes exactly those lines so
dnl the post-test scan for unexpected warnings still passes.  Keep this
dnl filter as narrow as possible — it is the only thing hiding drop
dnl warnings from that scan.  VLAN 0 is in the pattern as well, presumably
dnl for untagged frames from the p4/p5 base interfaces (10.1.1.0/24) that
dnl reach the tunnel ports; confirm before tightening it.
6132 OVS_TRAFFIC_VSWITCHD_STOP(["/dropping VLAN \(0\|300\) packet received on dot1q-tunnel port/d"])
dnl Single-bridge test that matching on the inner (C) tag of a double-tagged
dnl frame works.  Each host has an 802.1ad S-VLAN 4094 sub-interface and a
dnl C-VLAN 100 sub-interface stacked on top of it, so traffic on
dnl 10.2.2.0/24 leaves the hosts with S=4094 / C=100.
6135 AT_SETUP([802.1ad - double vlan match])
6136 OVS_TRAFFIC_VSWITCHD_START([set Open_vSwitch . other_config:vlan-limit=0])
6139 ADD_NAMESPACES(at_ns0, at_ns1)
6141 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
6142 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
6144 ADD_SVLAN(p0, at_ns0, 4094, "10.255.2.1/24")
6145 ADD_SVLAN(p1, at_ns1, 4094, "10.255.2.2/24")
6147 ADD_CVLAN(p0.4094, at_ns0, 100, "10.2.2.1/24")
6148 ADD_CVLAN(p1.4094, at_ns1, 100, "10.2.2.2/24")
dnl Table 0 is default-drop; frames with outer VID 4094 have that tag
dnl popped and continue to table 1, where the now-exposed C-VLAN 100 is
dnl matched (the "double vlan match" under test).  The 0x88a8/4094 outer
dnl tag is pushed back before NORMAL so the receiving host's stacked
dnl sub-interfaces accept the frame.  Anything else — untagged, other
dnl S-VIDs, other C-VIDs — is dropped.
dnl Style note: mod_vlan_vid:4094 here vs mod_vlan_vid=4094 in the earlier
dnl tests; both spellings are used in this file.
6150 AT_DATA([flows-br0.txt], [dnl
6151 table=0,priority=1 action=drop
6152 table=0,priority=100 dl_vlan=4094 action=pop_vlan,goto_table:1
6153 table=1,priority=100 dl_vlan=100 action=push_vlan:0x88a8,mod_vlan_vid:4094,normal
6155 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
dnl Warm-up ping, then zero-loss checks (the 1600-byte one presumably
dnl exercises fragmentation across the double-tagged path).
6157 OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.2.2.2])
6159 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
6160 3 packets transmitted, 3 received, 0% packet loss, time 0ms
6163 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
6164 3 packets transmitted, 3 received, 0% packet loss, time 0ms
6167 OVS_TRAFFIC_VSWITCHD_STOP
6171 AT_BANNER([nsh-datapath])
dnl NSH (Network Service Header, ethertype 0x894f) datapath tests.  The
dnl veths carry no IP address (0.0.0.0): raw frames are injected with
dnl sendpkt.py from one namespace and observed with tcpdump in the other.
dnl
dnl How the checks work: tcpdump -xx prints a hexdump including the
dnl link-layer header; -l and -U keep its output unbuffered so the polling
dnl OVS_WAIT_UNTIL greps see lines promptly.  The redirect "2>&1 1>/dev/null"
dnl discards the matched line but leaves egrep's stderr visible in the test
dnl log.  Each offset line is checked independently, so the six greps need
dnl not all come from the same frame — fine with a single injected packet,
dnl but worth remembering if more traffic is ever added to these tests.
dnl NOTE(review): newer GNU grep may print an obsolescence warning for
dnl egrep; it goes to stderr and does not affect the exit status used here.
6173 AT_SETUP([nsh - encap header])
6174 OVS_TRAFFIC_VSWITCHD_START()
6176 ADD_NAMESPACES(at_ns0, at_ns1)
6178 ADD_VETH(p0, at_ns0, br0, "0.0.0.0")
6179 ADD_VETH(p1, at_ns1, br0, "0.0.0.0")
dnl Encap rule: any IPv4 frame from ovs-p0 (only in_port and ip are
dnl matched, so source/destination are not restricted) is wrapped in an NSH
dnl header (MD type 1, SPI 0x1234, context C1 0x11223344), then in a new
dnl Ethernet header with the f2:ff:00:00:00:0x MACs, and sent to ovs-p1.
dnl -Oopenflow13 selects OpenFlow 1.3, presumably needed by encap()/decap().
6181 dnl The flow will encap a nsh header to the TCP syn packet
6182 dnl eth/ip/tcp --> OVS --> eth/nsh/eth/ip/tcp
6183 AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,in_port=ovs-p0,ip,actions=encap(nsh(md_type=1)),set_field:0x1234->nsh_spi,set_field:0x11223344->nsh_c1,encap(ethernet),set_field:f2:ff:00:00:00:02->dl_dst,set_field:f2:ff:00:00:00:01->dl_src,ovs-p1"])
dnl Background capture on the egress side; the hexdump is what the greps
dnl below inspect.
6185 NS_CHECK_EXEC([at_ns1], [tcpdump -l -n -xx -U -i p1 > p1.pcap &])
dnl Injected frame, decoded from the bytes: dst f2:00:00:00:00:02,
dnl src f2:00:00:00:00:01, ethertype 0x0800, IPv4 192.168.0.10 -> 10.0.0.10,
dnl TCP 1024 -> 2048 with only SYN set (flags word 0x5002).
6188 dnl The hex dump is a TCP syn packet. pkt=eth/ip/tcp
6189 dnl The packet is sent from p0(at_ns0) interface directed to
6190 dnl p1(at_ns1) interface
6191 NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f2 00 00 00 00 02 f2 00 00 00 00 01 08 00 45 00 00 28 00 01 00 00 40 06 b0 13 c0 a8 00 0a 0a 00 00 0a 04 00 08 00 00 00 00 c8 00 00 00 00 50 02 20 00 b8 5e 00 00 > /dev/null])
dnl Expected egress frame: new outer Ethernet header (f2:ff:... MACs,
dnl ethertype 0x894f); NSH base word 0x0fc6 = TTL 63 / length 6 words (the
dnl flow sets no nsh_ttl, so the TTL is whatever encap assigns); 0x0103 =
dnl MD type 1, next protocol 3 (Ethernet); 0x001234ff = SPI 0x1234 + SI 0xff;
dnl C1 = 0x11223344 and C2..C4 zero; then the injected frame unchanged.
6193 dnl Check the expected nsh encapsulated packet on the egress interface
6194 OVS_WAIT_UNTIL([cat p1.pcap | egrep "0x0000: *f2ff *0000 *0002 *f2ff *0000 *0001 *894f *0fc6" 2>&1 1>/dev/null])
6195 OVS_WAIT_UNTIL([cat p1.pcap | egrep "0x0010: *0103 *0012 *34ff *1122 *3344 *0000 *0000 *0000" 2>&1 1>/dev/null])
6196 OVS_WAIT_UNTIL([cat p1.pcap | egrep "0x0020: *0000 *0000 *0000 *f200 *0000 *0002 *f200 *0000" 2>&1 1>/dev/null])
6197 OVS_WAIT_UNTIL([cat p1.pcap | egrep "0x0030: *0001 *0800 *4500 *0028 *0001 *0000 *4006 *b013" 2>&1 1>/dev/null])
6198 OVS_WAIT_UNTIL([cat p1.pcap | egrep "0x0040: *c0a8 *000a *0a00 *000a *0400 *0800 *0000 *00c8" 2>&1 1>/dev/null])
6199 OVS_WAIT_UNTIL([cat p1.pcap | egrep "0x0050: *0000 *0000 *5002 *2000 *b85e *0000" 2>&1 1>/dev/null])
6201 OVS_TRAFFIC_VSWITCHD_STOP
dnl Inverse of the encap test: an NSH-encapsulated frame comes in on p0 and
dnl the plain inner frame must come out on p1.
6205 AT_SETUP([nsh - decap header])
6206 OVS_TRAFFIC_VSWITCHD_START()
6208 ADD_NAMESPACES(at_ns0, at_ns1)
6210 ADD_VETH(p0, at_ns0, br0, "0.0.0.0")
6211 ADD_VETH(p1, at_ns1, br0, "0.0.0.0")
dnl Decap rule: matches every NSH frame (dl_type=0x894f) from ovs-p0 and
dnl strips two layers — the first decap() removes the outer Ethernet
dnl header, the second the NSH header — then outputs the inner eth/ip/tcp
dnl frame on ovs-p1.  Nothing inside the NSH header (SPI, SI, MD fields) is
dnl checked by this rule.
6213 dnl The flow will decap a nsh header which in turn carries a TCP syn packet
6214 dnl eth/nsh/eth/ip/tcp --> OVS --> eth/ip/tcp
6215 AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,in_port=ovs-p0,dl_type=0x894f, actions=decap(),decap(), ovs-p1"])
6217 NS_CHECK_EXEC([at_ns1], [tcpdump -l -n -xx -U -i p1 > p1.pcap &])
dnl Injected frame: outer Ethernet f2:ff:00:00:00:02 <- f2:ff:00:00:00:01,
dnl ethertype 0x894f; NSH base word 0x0206 = TTL 8 / length 6, 0x0103 =
dnl MD type 1 / next protocol Ethernet, SPI 0x000064 SI 3, context words
dnl 01..10; then the same inner eth/ip/tcp SYN frame as in the encap test.
6220 dnl The hex dump is NSH packet with TCP syn payload. pkt=eth/nsh/eth/ip/tcp
6221 dnl The packet is sent from p0(at_ns0) interface directed to
6222 dnl p1(at_ns1) interface
6223 NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f2 ff 00 00 00 02 f2 ff 00 00 00 01 89 4f 02 06 01 03 00 00 64 03 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 f2 00 00 00 00 02 f2 00 00 00 00 01 08 00 45 00 00 28 00 01 00 00 40 06 b0 13 c0 a8 00 0a 0a 00 00 0a 04 00 08 00 00 00 00 c8 00 00 00 00 50 02 20 00 b8 5e 00 00 > /dev/null])
dnl Expected on p1: the inner frame exactly as injected, now starting at
dnl offset 0 (f2:00:... MACs, ethertype 0x0800, IPv4, TCP SYN).
6225 dnl Check the expected de-capsulated TCP packet on the egress interface
6226 OVS_WAIT_UNTIL([cat p1.pcap | egrep "0x0000: *f200 *0000 *0002 *f200 *0000 *0001 *0800 *4500" 2>&1 1>/dev/null])
6227 OVS_WAIT_UNTIL([cat p1.pcap | egrep "0x0010: *0028 *0001 *0000 *4006 *b013 *c0a8 *000a *0a00" 2>&1 1>/dev/null])
6228 OVS_WAIT_UNTIL([cat p1.pcap | egrep "0x0020: *000a *0400 *0800 *0000 *00c8 *0000 *0000 *5002" 2>&1 1>/dev/null])
6229 OVS_WAIT_UNTIL([cat p1.pcap | egrep "0x0030: *2000 *b85e *0000" 2>&1 1>/dev/null])
6231 OVS_TRAFFIC_VSWITCHD_STOP
dnl Header rewrite: an NSH frame with one SPI/SI is decapsulated and
dnl re-encapsulated with a new NSH header, and every rewritten field is
dnl checked on the wire.
6235 AT_SETUP([nsh - replace header])
6236 OVS_TRAFFIC_VSWITCHD_START()
6238 ADD_NAMESPACES(at_ns0, at_ns1)
6240 ADD_VETH(p0, at_ns0, br0, "0.0.0.0")
6241 ADD_VETH(p1, at_ns1, br0, "0.0.0.0")
dnl Unlike the decap test this rule matches on the NSH fields themselves
dnl (nsh_spi=0x100, nsh_si=3), so only frames from that service path are
dnl rewritten.  It strips Ethernet+NSH, builds a new MD type 1 header with
dnl TTL 7, SPI 0x101, SI 4 and C1..C4 rewritten, re-adds the f2:ff:... outer
dnl Ethernet header and outputs on ovs-p1.
6243 dnl The flow will decap a nsh header and encap a new nsh header
6244 dnl eth/nsh-X/eth/ip/tcp --> OVS --> eth/nsh-Y/eth/ip/tcp
6245 dnl The flow will add another NSH header with nsh_spi=0x101, nsh_si=4,
6246 dnl nsh_ttl=7 and change the md1 context
6247 AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,in_port=ovs-p0,dl_type=0x894f,nsh_spi=0x100,nsh_si=0x03,actions=decap(),decap(),encap(nsh(md_type=1)),set_field:0x07->nsh_ttl,set_field:0x0101->nsh_spi,set_field:0x04->nsh_si,set_field:0x100f0e0d->nsh_c1,set_field:0x0c0b0a09->nsh_c2,set_field:0x08070605->nsh_c3,set_field:0x04030201->nsh_c4,encap(ethernet),set_field:f2:ff:00:00:00:02->dl_dst,set_field:f2:ff:00:00:00:01->dl_src,ovs-p1"])
6249 NS_CHECK_EXEC([at_ns1], [tcpdump -l -n -xx -U -i p1 > p1.pcap &])
dnl Injected NSH header: base word 0x0206 (TTL 8, length 6), 0x0103 (MD1,
dnl next protocol Ethernet), 0x00010003 = SPI 0x100 / SI 3, context 01..10.
6252 dnl The hex dump is NSH packet with TCP syn payload. pkt=eth/nsh/eth/ip/tcp
6253 dnl The nsh_ttl is 8, nsh_spi is 0x100 and nsh_si is 3
6254 dnl The packet is sent from p0(at_ns0) interface directed to
6255 dnl p1(at_ns1) interface
6256 NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f2 ff 00 00 00 02 f2 ff 00 00 00 01 89 4f 02 06 01 03 00 01 00 03 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 f2 00 00 00 00 02 f2 00 00 00 00 01 08 00 45 00 00 28 00 01 00 00 40 06 b0 13 c0 a8 00 0a 0a 00 00 0a 04 00 08 00 00 00 00 c8 00 00 00 00 50 02 20 00 b8 5e 00 00 > /dev/null])
dnl Expected NSH header on p1: base word 0x01c6 = TTL 7 / length 6,
dnl 0x00010104 = SPI 0x101 / SI 4, C1..C4 = 100f0e0d 0c0b0a09 08070605
dnl 04030201 (i.e. the original context bytes reversed), inner frame intact.
dnl NOTE(review): the first pattern has " *0000* 0001" where every other
dnl line uses " *0000 *0001" — presumably a typo.  It still matches
dnl tcpdump's single-space layout, but it is fragile and should be aligned
dnl with the other patterns.
6258 dnl Check the expected NSH packet with new fields in the header
6259 OVS_WAIT_UNTIL([cat p1.pcap | egrep "0x0000: *f2ff *0000 *0002 *f2ff *0000* 0001 *894f *01c6" 2>&1 1>/dev/null])
6260 OVS_WAIT_UNTIL([cat p1.pcap | egrep "0x0010: *0103 *0001 *0104 *100f *0e0d *0c0b *0a09 *0807" 2>&1 1>/dev/null])
6261 OVS_WAIT_UNTIL([cat p1.pcap | egrep "0x0020: *0605 *0403 *0201 *f200 *0000 *0002 *f200 *0000" 2>&1 1>/dev/null])
6262 OVS_WAIT_UNTIL([cat p1.pcap | egrep "0x0030: *0001 *0800 *4500 *0028 *0001 *0000 *4006 *b013" 2>&1 1>/dev/null])
6263 OVS_WAIT_UNTIL([cat p1.pcap | egrep "0x0040: *c0a8 *000a *0a00 *000a *0400 *0800 *0000 *00c8" 2>&1 1>/dev/null])
6264 OVS_WAIT_UNTIL([cat p1.pcap | egrep "0x0050: *0000 *0000 *5002 *2000 *b85e *0000" 2>&1 1>/dev/null])
6266 OVS_TRAFFIC_VSWITCHD_STOP
dnl Service-chain forwarding: NSH frames are steered by SPI/SI alone.  The
dnl two rules match no in_port, so any port may inject a frame for service
dnl path 0x100, and neither rule modifies the header — the SI decrement is
dnl simulated by injecting the second frame with SI 1 from at_ns1.
6270 AT_SETUP([nsh - forward])
6271 OVS_TRAFFIC_VSWITCHD_START()
6273 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2)
6275 ADD_VETH(p0, at_ns0, br0, "0.0.0.0")
6276 ADD_VETH(p1, at_ns1, br0, "0.0.0.0")
6277 ADD_VETH(p2, at_ns2, br0, "0.0.0.0")
6279 dnl Push two flows to OVS. #1 will check on SPI=0X100, SI=2 and send the
6280 dnl packet to at_ns1. #2 will check on SPI=0X100, SI=1 and send the
6281 dnl packet to at_ns2.
6282 AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,dl_type=0x894f,nsh_spi=0x100,nsh_si=0x02,actions=ovs-p1"])
6283 AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,dl_type=0x894f,nsh_spi=0x100,nsh_si=0x01,actions=ovs-p2"])
dnl One capture per expected egress port.  Note the p1 capture will also
dnl contain the second frame, because that one is injected on p1 itself;
dnl by then the p1 greps have already been satisfied, so it is harmless.
6285 NS_CHECK_EXEC([at_ns1], [tcpdump -l -n -xx -U -i p1 > p1.pcap &])
6286 NS_CHECK_EXEC([at_ns2], [tcpdump -l -n -xx -U -i p2 > p2.pcap &])
dnl Frame 1 (from p0): NSH base 0x0206 (TTL 8, length 6), MD1, SPI 0x100,
dnl SI 2, context 01..10.  Rule #1 must forward it unchanged to p1.
6289 dnl First send packet from at_ns0 --> OVS with SPI=0x100 and SI=2
6290 NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f2 ff 00 00 00 02 f2 ff 00 00 00 01 89 4f 02 06 01 03 00 01 00 02 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 f2 00 00 00 00 02 f2 00 00 00 00 01 08 00 45 00 00 28 00 01 00 00 40 06 b0 13 c0 a8 00 0a 0a 00 00 0a 04 00 08 00 00 00 00 c8 00 00 00 00 50 02 20 00 b8 5e 00 00 > /dev/null])
dnl Expected on p1: the injected bytes verbatim (0x0206 base word, SI 2).
6292 dnl Check for the above packet on p1 interface
6293 OVS_WAIT_UNTIL([cat p1.pcap | egrep "0x0000: *f2ff *0000 *0002 *f2ff *0000 *0001 *894f *0206" 2>&1 1>/dev/null])
6294 OVS_WAIT_UNTIL([cat p1.pcap | egrep "0x0010: *0103 *0001 *0002 *0102 *0304 *0506 *0708 *090a" 2>&1 1>/dev/null])
6295 OVS_WAIT_UNTIL([cat p1.pcap | egrep "0x0020: *0b0c *0d0e *0f10 *f200 *0000 *0002 *f200 *0000" 2>&1 1>/dev/null])
6296 OVS_WAIT_UNTIL([cat p1.pcap | egrep "0x0030: *0001 *0800 *4500 *0028 *0001 *0000 *4006 *b013" 2>&1 1>/dev/null])
6297 OVS_WAIT_UNTIL([cat p1.pcap | egrep "0x0040: *c0a8 *000a *0a00 *000a *0400 *0800 *0000 *00c8" 2>&1 1>/dev/null])
6298 OVS_WAIT_UNTIL([cat p1.pcap | egrep "0x0050: *0000 *0000 *5002 *2000 *b85e *0000" 2>&1 1>/dev/null])
dnl Frame 2 (from p1, playing the service function): base 0x01c6 (TTL 7),
dnl same SPI, SI 1.  Rule #2 must forward it unchanged to p2.
6300 dnl Send the second packet from at_ns1 --> OVS with SPI=0x100 and SI=1
6301 NS_CHECK_EXEC([at_ns1], [$PYTHON3 $srcdir/sendpkt.py p1 f2 ff 00 00 00 02 f2 ff 00 00 00 01 89 4f 01 c6 01 03 00 01 00 01 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 f2 00 00 00 00 02 f2 00 00 00 00 01 08 00 45 00 00 28 00 01 00 00 40 06 b0 13 c0 a8 00 0a 0a 00 00 0a 04 00 08 00 00 00 00 c8 00 00 00 00 50 02 20 00 b8 5e 00 00 > /dev/null])
dnl Expected on p2: the second frame verbatim (0x01c6 base word, SI 1).
6303 dnl Check for the above packet on p2 interface
6304 OVS_WAIT_UNTIL([cat p2.pcap | egrep "0x0000: *f2ff *0000 *0002 *f2ff *0000 *0001 *894f *01c6" 2>&1 1>/dev/null])
6305 OVS_WAIT_UNTIL([cat p2.pcap | egrep "0x0010: *0103 *0001 *0001 *0102 *0304 *0506 *0708 *090a" 2>&1 1>/dev/null])
6306 OVS_WAIT_UNTIL([cat p2.pcap | egrep "0x0020: *0b0c *0d0e *0f10 *f200 *0000 *0002 *f200 *0000" 2>&1 1>/dev/null])
6307 OVS_WAIT_UNTIL([cat p2.pcap | egrep "0x0030: *0001 *0800 *4500 *0028 *0001 *0000 *4006 *b013" 2>&1 1>/dev/null])
6308 OVS_WAIT_UNTIL([cat p2.pcap | egrep "0x0040: *c0a8 *000a *0a00 *000a *0400 *0800 *0000 *00c8" 2>&1 1>/dev/null])
6309 OVS_WAIT_UNTIL([cat p2.pcap | egrep "0x0050: *0000 *0000 *5002 *2000 *b85e *0000" 2>&1 1>/dev/null])
6311 OVS_TRAFFIC_VSWITCHD_STOP