1 AT_BANNER([datapath-sanity])
dnl Each datapath-sanity test starts vswitchd, attaches network namespaces to
dnl br0 over veth pairs, installs a single "actions=normal" flow (plain L2
dnl switching, no conntrack involved) and checks that ping traffic crosses
dnl the bridge.
3 AT_SETUP([datapath - ping between two ports])
4 OVS_TRAFFIC_VSWITCHD_START()
6 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
8 ADD_NAMESPACES(at_ns0, at_ns1)
10 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
11 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Three payload sizes are tried: the default, 1600 and 3200 bytes. The
dnl larger two exceed a typical Ethernet MTU, so presumably they also cover
dnl fragmented packets; the expected FORMAT_PING output is the same for all.
13 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
14 3 packets transmitted, 3 received, 0% packet loss, time 0ms
16 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
17 3 packets transmitted, 3 received, 0% packet loss, time 0ms
19 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
20 3 packets transmitted, 3 received, 0% packet loss, time 0ms
23 OVS_TRAFFIC_VSWITCHD_STOP
26 AT_SETUP([datapath - ping between two ports on vlan])
27 OVS_TRAFFIC_VSWITCHD_START()
29 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
31 ADD_NAMESPACES(at_ns0, at_ns1)
33 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
34 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Same as the untagged test above, but the pings run over VLAN 100
dnl sub-interfaces (10.2.2.0/24) on top of the veth pair, so 802.1Q tagged
dnl frames of three sizes have to be switched correctly.
36 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
37 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
39 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
40 3 packets transmitted, 3 received, 0% packet loss, time 0ms
42 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
43 3 packets transmitted, 3 received, 0% packet loss, time 0ms
45 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
46 3 packets transmitted, 3 received, 0% packet loss, time 0ms
49 OVS_TRAFFIC_VSWITCHD_STOP
52 AT_SETUP([datapath - ping6 between two ports])
53 OVS_TRAFFIC_VSWITCHD_START()
55 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
57 ADD_NAMESPACES(at_ns0, at_ns1)
dnl IPv6 variant of the two-port ping test, using ULA addresses in fc00::/96.
59 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
60 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
62 dnl Without this sleep, we get occasional failures due to the following error:
63 dnl "connect: Cannot assign requested address"
dnl (The delay gives IPv6 duplicate address detection time to finish before
dnl the address is usable as a source -- presumably the cause of that error.)
66 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
67 3 packets transmitted, 3 received, 0% packet loss, time 0ms
69 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
70 3 packets transmitted, 3 received, 0% packet loss, time 0ms
72 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
73 3 packets transmitted, 3 received, 0% packet loss, time 0ms
76 OVS_TRAFFIC_VSWITCHD_STOP
79 AT_SETUP([datapath - ping6 between two ports on vlan])
80 OVS_TRAFFIC_VSWITCHD_START()
82 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
84 ADD_NAMESPACES(at_ns0, at_ns1)
86 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
87 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl VLAN 100 sub-interfaces carry a second IPv6 prefix (fc00:1::/96); the
dnl pings below target that prefix so only tagged frames are exercised.
89 ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
90 ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")
92 dnl Without this sleep, we get occasional failures due to the following error:
93 dnl "connect: Cannot assign requested address"
96 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
97 3 packets transmitted, 3 received, 0% packet loss, time 0ms
99 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
100 3 packets transmitted, 3 received, 0% packet loss, time 0ms
102 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
103 3 packets transmitted, 3 received, 0% packet loss, time 0ms
106 OVS_TRAFFIC_VSWITCHD_STOP
109 AT_SETUP([datapath - ping over vxlan tunnel])
dnl Skip unless the iproute2 on this host can create vxlan devices with an
dnl explicit destination port (the "dstport" keyword in its help text).
110 AT_SKIP_IF([! ip link add foo type vxlan help 2>&1 | grep dstport >/dev/null])
112 OVS_TRAFFIC_VSWITCHD_START()
113 ADD_BR([br-underlay])
115 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
116 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
118 ADD_NAMESPACES(at_ns0)
120 dnl Set up underlay link from host into the namespace using veth pair.
dnl br-underlay itself gets the host-side underlay address (172.31.1.100).
121 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
122 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
123 AT_CHECK([ip link set dev br-underlay up])
125 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
126 dnl linux device inside the namespace.
dnl Overlay: OVS side is 10.1.1.100, namespace side is 10.1.1.1. Each side
dnl points at the other's underlay address as the remote endpoint.
127 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
128 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
131 dnl First, check the underlay
132 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
133 3 packets transmitted, 3 received, 0% packet loss, time 0ms
136 dnl Okay, now check the overlay with different packet sizes
dnl (the 1600 and 3200 byte payloads have to be fragmented on top of the
dnl VXLAN encapsulation overhead).
137 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
138 3 packets transmitted, 3 received, 0% packet loss, time 0ms
140 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
141 3 packets transmitted, 3 received, 0% packet loss, time 0ms
143 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
144 3 packets transmitted, 3 received, 0% packet loss, time 0ms
147 OVS_TRAFFIC_VSWITCHD_STOP
150 AT_SETUP([conntrack - controller])
152 OVS_TRAFFIC_VSWITCHD_START()
154 ADD_NAMESPACES(at_ns0, at_ns1)
156 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
157 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
159 dnl Allow any UDP from port 1 (ns0) to ns1, committing it to conntrack.
dnl From port 2 (ns1) only allow ARP and tracked replies to an established
dnl connection. Both accepted directions are punted to the controller, so
dnl the ofctl monitor log below records exactly what got through.
160 AT_DATA([flows.txt], [dnl
161 priority=1,action=drop
162 priority=10,arp,action=normal
163 priority=100,in_port=1,udp,action=ct(commit),controller
dnl Untracked packets from port 2 are recirculated through table 0 after
dnl the conntrack lookup; only the +trk+est re-entry reaches the controller.
164 priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
165 priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
168 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Capture every packet-in on br0 so the test can assert on what the
dnl controller would have seen.
170 AT_CAPTURE_FILE([ofctl_monitor.log])
171 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
173 dnl Send an unsolicited reply from port 2. This should be dropped.
dnl The hex is a raw Ethernet/IPv4/UDP frame (10.1.1.2:2 -> 10.1.1.1:1);
dnl with nothing committed yet it is not +est after ct(table=0), so it falls
dnl to the priority=1 drop and never appears in the monitor log.
174 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
176 dnl OK, now start a new connection from port 1.
177 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c00000000001100000a0101010a0101020001000200080000'])
179 dnl Now try a reply from port 2.
dnl Same bytes as the first packet-out, but now the connection is committed,
dnl so conntrack reports it as est|rpl|trk and it reaches the controller.
180 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
182 dnl Check this output. We only see the latter two packets, not the first.
183 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
184 NXT_PACKET_IN (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
185 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
186 NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
187 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
190 OVS_TRAFFIC_VSWITCHD_STOP
193 AT_SETUP([conntrack - IPv4 HTTP])
195 OVS_TRAFFIC_VSWITCHD_START()
197 ADD_NAMESPACES(at_ns0, at_ns1)
199 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
200 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
202 dnl Allow any TCP from ns0->ns1, committing it to conntrack. From ns1->ns0
dnl only allow ARP, ICMP and replies on an established connection. ICMP is
dnl deliberately stateless here so the basic ping check below works in both
dnl directions without touching conntrack.
203 AT_DATA([flows.txt], [dnl
204 priority=1,action=drop
205 priority=10,arp,action=normal
206 priority=10,icmp,action=normal
207 priority=100,in_port=1,tcp,action=ct(commit),2
dnl First pass for port 2: look the packet up in conntrack and recirculate
dnl through table 0; the second pass only forwards if conntrack says +est.
208 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
209 priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
212 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
214 dnl Basic connectivity check.
215 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 >/dev/null])
217 dnl HTTP requests from ns0->ns1 should work fine.
218 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
219 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The committed connection is visible to the host conntrack table; FORMAT_CT
dnl blanks the ephemeral ports so the expected line is stable.
221 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
222 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
225 dnl HTTP requests from ns1->ns0 should fail due to network failure.
226 dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 is its network-failure code: the SYN from port 2 is
dnl -trk, then +trk+new after recirculation, which no flow forwards.
227 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
228 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])
230 OVS_TRAFFIC_VSWITCHD_STOP
233 AT_SETUP([conntrack - IPv6 HTTP])
235 OVS_TRAFFIC_VSWITCHD_START()
237 ADD_NAMESPACES(at_ns0, at_ns1)
239 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
240 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
242 dnl Allow any TCP from ns0->ns1, committing it to conntrack. From ns1->ns0
dnl only allow ICMPv6 (which carries neighbour discovery) and replies on an
dnl established connection.
243 AT_DATA([flows.txt], [dnl
244 priority=1,action=drop
245 priority=10,icmp6,action=normal
246 priority=100,in_port=1,tcp6,action=ct(commit),2
247 priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
248 priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
251 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
253 dnl Without this sleep, we get occasional failures due to the following error:
254 dnl "connect: Cannot assign requested address"
257 dnl HTTP requests from ns0->ns1 should work fine.
dnl The doubled brackets are m4 quoting: the shell sees http://[fc00::2].
258 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
260 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
262 dnl HTTP requests from ns1->ns0 should fail due to network failure.
263 dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 is its network-failure code.
264 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
265 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
267 OVS_TRAFFIC_VSWITCHD_STOP
270 AT_SETUP([conntrack - commit, recirc])
272 OVS_TRAFFIC_VSWITCHD_START()
274 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
276 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
277 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
278 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
279 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
281 dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Ports 1/2: commit with ct(commit,table=0) in one step and forward on the
dnl recirculated pass.
dnl Ports 3/4: the port-3 pipeline passes through table 0 three times, using
dnl the metadata field to tell the passes apart (untracked -> lookup, tracked
dnl with metadata=0 -> commit, tracked with metadata=1 -> output). This
dnl checks that metadata written before a ct() recirculation is still
dnl present afterwards.
282 AT_DATA([flows.txt], [dnl
283 priority=1,action=drop
284 priority=10,arp,action=normal
285 priority=10,icmp,action=normal
286 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
287 priority=100,in_port=1,tcp,ct_state=+trk,action=2
288 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
289 priority=100,in_port=2,tcp,ct_state=+trk,action=1
290 priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
291 priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
292 priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
293 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
294 priority=100,in_port=4,tcp,ct_state=+trk,action=3
297 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
299 dnl HTTP requests from p0->p1 should work fine.
300 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
301 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
303 dnl HTTP requests from p2->p3 should work fine.
304 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
305 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
307 OVS_TRAFFIC_VSWITCHD_STOP
310 AT_SETUP([conntrack - preserve registers])
312 OVS_TRAFFIC_VSWITCHD_START()
314 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
316 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
317 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
318 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
319 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
321 dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Same shape as the "commit, recirc" test, but the port-3 pipeline keys its
dnl three passes through table 0 on NXM_NX_REG0 instead of metadata, so this
dnl checks that register contents survive ct() recirculation.
322 AT_DATA([flows.txt], [dnl
323 priority=1,action=drop
324 priority=10,arp,action=normal
325 priority=10,icmp,action=normal
326 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
327 priority=100,in_port=1,tcp,ct_state=+trk,action=2
328 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
329 priority=100,in_port=2,tcp,ct_state=+trk,action=1
330 priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
331 priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
332 priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
333 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
334 priority=100,in_port=4,tcp,ct_state=+trk,action=3
337 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
339 dnl HTTP requests from p0->p1 should work fine.
340 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
341 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
343 dnl HTTP requests from p2->p3 should work fine.
344 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
345 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
347 OVS_TRAFFIC_VSWITCHD_STOP
350 AT_SETUP([conntrack - invalid])
352 OVS_TRAFFIC_VSWITCHD_START()
354 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
356 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
357 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
358 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
359 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
361 dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
362 dnl the opposite direction. This should fail.
363 dnl Pass traffic from ns2->ns3 (ports 3 and 4) without committing, and this
364 dnl time match invalid traffic and allow it through.
dnl ct() with no commit only performs a lookup, so the request never creates
dnl a conntrack entry; the reply is then neither +new nor +est.
365 AT_DATA([flows.txt], [dnl
366 priority=1,action=drop
367 priority=10,arp,action=normal
368 priority=10,icmp,action=normal
369 priority=100,in_port=1,tcp,action=ct(),2
370 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
371 priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
372 priority=100,in_port=3,tcp,action=ct(),4
373 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl +inv: conntrack could not associate the packet with any connection
dnl (here, a SYN-ACK for a SYN it never recorded). Forwarding +inv traffic
dnl is what makes the second pair work.
374 priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
375 priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
378 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
380 dnl We set up our rules to allow the request without committing. The return
381 dnl traffic can't be identified, because the initial request wasn't committed.
382 dnl For the first pair of ports, this means that the connection fails.
dnl wget exit status 4 is its network-failure code.
383 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
384 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
386 dnl For the second pair, we allow packets from invalid connections, so it works.
387 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
388 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
390 OVS_TRAFFIC_VSWITCHD_STOP
393 AT_SETUP([conntrack - zones])
395 OVS_TRAFFIC_VSWITCHD_START()
397 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
399 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
400 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
401 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
402 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
404 dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
405 dnl For ns2->ns3, use a different zone and see that the match fails.
dnl Zones are independent conntrack tables: a connection committed in zone 2
dnl must not be visible to a lookup or a ct_zone match against zone 1.
406 AT_DATA([flows.txt], [dnl
407 priority=1,action=drop
408 priority=10,arp,action=normal
409 priority=10,icmp,action=normal
410 priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
411 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
412 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
413 priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
dnl The port-4 lookup runs in zone 2 but the forwarding flow requires
dnl ct_zone=1, so replies for the second pair never match and are dropped.
414 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
415 priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
418 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
420 dnl HTTP requests from p0->p1 should work fine.
421 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
422 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
424 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
425 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
428 dnl HTTP requests from p2->p3 should fail due to network failure.
429 dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 is its network-failure code.
430 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
431 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl Only the SYN ever reached the server, so the zone 2 entry is stuck in
dnl SYN_RECV and never becomes ASSURED.
433 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
434 SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=0 zone=2 use=1
437 OVS_TRAFFIC_VSWITCHD_STOP
440 AT_SETUP([conntrack - zones from field])
442 OVS_TRAFFIC_VSWITCHD_START()
444 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
446 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
447 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
448 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
449 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
451 dnl Allow any traffic from ns0->ns1. Only allow ARP, ICMP and tracked return
dnl traffic from ns1->ns0. For ns2->ns3 the return lookup uses a different
dnl zone than the ct_zone match expects, so that direction must fail.
dnl Same scenario as the "zones" test, but the zone id comes from the low
dnl 16 bits of NXM_NX_REG0 rather than a literal. 0x1001 and 0x1002 are the
dnl 4097 and 4098 seen in the conntrack output below.
452 AT_DATA([flows.txt], [dnl
453 priority=1,action=drop
454 priority=10,arp,action=normal
455 priority=10,icmp,action=normal
456 priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
457 priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
458 priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
459 priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
460 priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
461 priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
464 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
466 dnl HTTP requests from p0->p1 should work fine.
467 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
468 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
470 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
471 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=4097 use=1
474 dnl HTTP requests from p2->p3 should fail due to network failure.
475 dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 is its network-failure code.
476 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
477 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
479 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
480 SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=0 zone=4098 use=1
483 OVS_TRAFFIC_VSWITCHD_STOP
486 AT_SETUP([conntrack - multiple bridges])
dnl Two bridges joined by a patch-port pair. Because the patch ports are
dnl created here, before the veths, port 1 on each bridge is presumably the
dnl patch port and port 2 the veth -- the flow tables below rely on that.
488 OVS_TRAFFIC_VSWITCHD_START(
490 add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
491 add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
493 ADD_NAMESPACES(at_ns0, at_ns1)
495 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
496 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
498 dnl Allow any traffic from ns0->br1, allow established in reverse.
dnl br0 tracks in zone 1: traffic from the veth is committed and sent to the
dnl patch port; traffic arriving from the patch port is only forwarded once
dnl it is established.
499 AT_DATA([flows-br0.txt], [dnl
500 priority=1,action=drop
501 priority=10,arp,action=normal
502 priority=10,icmp,action=normal
503 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
504 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
505 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
508 dnl Allow any traffic from br0->ns1, allow established in reverse.
dnl br1 tracks the same connection independently in zone 2, committing new
dnl connections from the patch port and established replies from the veth.
509 AT_DATA([flows-br1.txt], [dnl
510 priority=1,action=drop
511 priority=10,arp,action=normal
512 priority=10,icmp,action=normal
513 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
514 priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
515 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
516 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
517 priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
520 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
521 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])
523 dnl HTTP requests from p0->p1 should work fine.
524 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
525 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
527 OVS_TRAFFIC_VSWITCHD_STOP
530 AT_SETUP([conntrack - multiple zones])
532 OVS_TRAFFIC_VSWITCHD_START()
534 ADD_NAMESPACES(at_ns0, at_ns1)
536 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
537 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
539 dnl Allow any traffic from ns0->ns1. Only allow ARP, ICMP and tracked return
dnl traffic from ns1->ns0.
dnl Each request is committed twice, once per zone, but replies are only
dnl looked up in zone 2. The zone 1 entry therefore never sees the reverse
dnl direction and stays UNREPLIED, which the conntrack dump below checks.
540 AT_DATA([flows.txt], [dnl
541 priority=1,action=drop
542 priority=10,arp,action=normal
543 priority=10,icmp,action=normal
544 priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
545 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
546 priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
549 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
551 dnl HTTP requests from p0->p1 should work fine.
552 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
553 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
555 dnl (again) HTTP requests from p0->p1 should work fine.
556 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
558 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
559 SYN_SENT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[UNREPLIED]] src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> mark=0 zone=1 use=1
560 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
563 OVS_TRAFFIC_VSWITCHD_STOP
566 AT_SETUP([conntrack - multiple zones, local])
568 OVS_TRAFFIC_VSWITCHD_START()
570 ADD_NAMESPACES(at_ns0)
dnl The host network stack is one endpoint here: br0 itself gets an address
dnl and the ping/wget below run from the root namespace through the LOCAL
dnl port. on_exit removes the address again so later tests start clean.
572 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
573 AT_CHECK([ip link set dev br0 up])
574 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
575 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
577 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
578 dnl return traffic from ns0 back to the local stack.
dnl NOTE(review): untracked IP from LOCAL is dropped, so the LOCAL rules only
dnl fire if packets from the host stack already arrive with a tracked ct_state
dnl -- presumably the host conntrack state attached to the skb; confirm.
dnl Outbound traffic is committed in zones 1 and 2; the return path must be
dnl established in zone 1 (table 1) and then in zone 2 (table 2) to reach
dnl LOCAL.
579 AT_DATA([flows.txt], [dnl
580 priority=1,action=drop
581 priority=10,arp,action=normal
582 priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
583 priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
584 priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
585 priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
586 table=1,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
587 table=2,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
590 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl ICMP has no stateless bypass in this flow table, so the ping itself goes
dnl through both zones; its entries show up in the conntrack dump below.
592 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
593 3 packets transmitted, 3 received, 0% packet loss, time 0ms
596 dnl HTTP requests from root namespace to p0 should work fine.
597 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
598 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
600 dnl (again) HTTP requests from root namespace to p0 should work fine.
601 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl grep "zone" drops any zone-0 entries the host stack created on its own.
603 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
604 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
605 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
606 src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=1 use=1
607 src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=2 use=1
610 OVS_TRAFFIC_VSWITCHD_STOP
613 AT_SETUP([conntrack - multiple namespaces, internal ports])
dnl Endpoints are OVS internal ports moved into namespaces (ADD_INT) rather
dnl than veth pairs. The bridge runs in secure fail mode so nothing is
dnl forwarded except by the flows installed below.
615 OVS_TRAFFIC_VSWITCHD_START(
616 [set-fail-mode br0 secure -- ])
618 ADD_NAMESPACES(at_ns0, at_ns1)
620 ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
621 ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")
623 dnl Allow any traffic from ns0->ns1. Only allow ARP, ICMP and tracked return
dnl traffic from ns1->ns0.
625 dnl If skb->nfct is leaking from inside the namespace, this test will fail.
dnl (Conntrack state from the namespace stack must not be visible to the
dnl bridge as already-tracked; port 1 only commits packets that are -trk.)
626 AT_DATA([flows.txt], [dnl
627 priority=1,action=drop
628 priority=10,arp,action=normal
629 priority=10,icmp,action=normal
630 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
631 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
632 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
635 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
637 dnl HTTP requests from p0->p1 should work fine.
638 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
639 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
641 dnl (again) HTTP requests from p0->p1 should work fine.
642 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
644 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
645 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
dnl Teardown filters out two log lines about devices that no longer exist,
dnl presumably because deleting the namespaces already removed the internal
dnl ports before vswitchd tried to clean them up.
648 OVS_TRAFFIC_VSWITCHD_STOP(["dnl
649 /ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
650 /removing policing failed: No such device/d"])
653 AT_SETUP([conntrack - multi-stage pipeline, local])
655 OVS_TRAFFIC_VSWITCHD_START()
657 ADD_NAMESPACES(at_ns0)
dnl As in "multiple zones, local", the host stack talks to ns0 through the
dnl LOCAL port; the br0 address is removed again on exit.
659 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
660 AT_CHECK([ip link set dev br0 up])
661 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
662 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
664 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
665 dnl return traffic from ns0 back to the local stack.
dnl Five-table pipeline: table 0 classifies and records the output port,
dnl table 1 is the ingress conntrack stage (zone = input port), table 2 the
dnl egress conntrack stage (zone = output port), table 3 the egress verdict
dnl and table 4 the output. A connection therefore ends up in two zones,
dnl 1 (veth) and 65534 (LOCAL), as the conntrack dump at the end shows.
666 AT_DATA([flows.txt], [dnl
668 table=0,priority=1,action=drop
669 table=0,priority=10,arp,action=normal
671 dnl Load the output port to REG0
dnl (65534 is the OpenFlow LOCAL port number.)
672 table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
673 table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
676 dnl - Allow all connections from LOCAL port (commit and proceed to egress)
677 dnl - All other connections go through conntracker using the input port as
678 dnl a connection tracking zone.
679 table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
680 table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
681 table=1,priority=1,action=drop
684 dnl - Allow all connections from LOCAL port (commit and skip to output)
685 dnl - Allow other established connections to go through conntracker using
686 dnl output port as a connection tracking zone.
687 table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
688 table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
689 table=2,priority=1,action=drop
691 dnl Only allow established traffic from egress ct lookup
692 table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
693 table=3,priority=1,action=drop
dnl Output to whichever port table 0 stored in REG0.
696 table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
699 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
701 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
702 3 packets transmitted, 3 received, 0% packet loss, time 0ms
705 dnl HTTP requests from root namespace to p0 should work fine.
706 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
707 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
709 dnl (again) HTTP requests from root namespace to p0 should work fine.
710 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
712 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
713 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
714 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=65534 use=1
715 src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=1 use=1
716 src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=65534 use=1
719 OVS_TRAFFIC_VSWITCHD_STOP
722 AT_SETUP([conntrack - ct_mark])
724 OVS_TRAFFIC_VSWITCHD_START()
726 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
728 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
729 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
730 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
731 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
733 dnl Allow traffic between ns0<->ns1 using the ct_mark.
734 dnl Check that different marks do not match for traffic between ns2<->ns3.
dnl The mark is stored on the connection at commit time (exec(set_field)),
dnl so the reply direction can be matched on it without any per-flow state.
dnl Both pairs share one zone; only the mark tells them apart.
735 AT_DATA([flows.txt], [dnl
736 priority=1,action=drop
737 priority=10,arp,action=normal
738 priority=10,icmp,action=normal
739 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
740 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
741 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
742 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
743 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
dnl Port 3 commits with mark 2 but port 4 requires ct_mark=1, so replies for
dnl the second pair are dropped.
744 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
747 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
749 dnl HTTP requests from p0->p1 should work fine.
750 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
751 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
753 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
754 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=1 use=1
757 dnl HTTP requests from p2->p3 should fail due to network failure.
758 dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 is its network-failure code.
759 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
760 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
762 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
763 SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=2 use=1
766 OVS_TRAFFIC_VSWITCHD_STOP
769 AT_SETUP([conntrack - ct_mark from register])
771 OVS_TRAFFIC_VSWITCHD_START()
773 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
775 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
776 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
777 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
778 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
780 dnl Allow any traffic from ns0->ns1. Only allow ARP, ICMP and tracked return
dnl traffic from ns1->ns0. For ns2->ns3 the committed mark does not match the
dnl one required for replies, so that direction must fail.
dnl Same as the "ct_mark" test, except the mark is copied from NXM_NX_REG0
dnl with a move inside exec() rather than set as a literal.
781 AT_DATA([flows.txt], [dnl
782 priority=1,action=drop
783 priority=10,arp,action=normal
784 priority=10,icmp,action=normal
785 priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
786 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
787 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
788 priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
789 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
790 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
793 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
795 dnl HTTP requests from p0->p1 should work fine.
796 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
797 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
799 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
800 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=1 use=1
803 dnl HTTP requests from p2->p3 should fail due to network failure.
804 dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 is its network-failure code.
805 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
806 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
808 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.4)], [0], [dnl
809 SYN_RECV src=10.1.1.3 dst=10.1.1.4 sport=<cleared> dport=<cleared> src=10.1.1.4 dst=10.1.1.3 sport=<cleared> dport=<cleared> mark=2 use=1
812 OVS_TRAFFIC_VSWITCHD_STOP
815 AT_SETUP([conntrack - ct_label])
817 OVS_TRAFFIC_VSWITCHD_START()
819 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
821 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
822 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
823 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
824 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
826 dnl Allow traffic between ns0<->ns1 using the ct_label.
827 dnl Check that different labels do not match for traffic between ns2<->ns3.
828 AT_DATA([flows.txt], [dnl
829 priority=1,action=drop
830 priority=10,arp,action=normal
831 priority=10,icmp,action=normal
832 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
833 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
834 priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
835 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
836 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
837 priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
840 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
842 dnl HTTP requests from p0->p1 should work fine.
843 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
844 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
846 dnl HTTP requests from p2->p3 should fail due to network failure.
847 dnl Try 3 times, in 1 second intervals.
848 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
849 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
851 OVS_TRAFFIC_VSWITCHD_STOP
854 AT_SETUP([conntrack - ICMP related])
dnl Verifies that an ICMP error generated in response to a tracked UDP flow is
dnl classified by conntrack as "related" (+rel) and therefore passes a return
dnl policy that accepts nothing else from port 2 apart from ARP.
856 OVS_TRAFFIC_VSWITCHD_START()
858 ADD_NAMESPACES(at_ns0, at_ns1)
860 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
861 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
863 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
dnl UDP from port 1 is committed with ct_mark=1. ICMP from port 2 is first run
dnl through conntrack and then forwarded only if it is related to a tracked
dnl connection carrying that mark; everything else falls through to the
dnl priority=1 drop.
864 AT_DATA([flows.txt], [dnl
865 priority=1,action=drop
866 priority=10,arp,action=normal
867 priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
868 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
869 priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
872 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
874 dnl If we simulate a UDP request to a port that isn't serving any real traffic,
875 dnl then the destination responds with an ICMP "destination unreachable"
876 dnl message, which should be marked as "related".
dnl Packet 1, injected on port 1: IPv4 (protocol 0x11, UDP) 10.1.1.1 -> 10.1.1.2,
dnl destination port 0x1388 (5000), carrying a two-byte payload.
877 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 resubmit\(,0\) 'dnl
878 0000 0000 0000 0000 0000 0000 0800 4500 dnl
879 001e bb85 4000 4011 6945 0a01 0101 0a01 dnl
880 0102 839c 1388 000a f1a6 610a'])
dnl Packet 2, injected on port 2: IPv4 ICMP 10.1.1.2 -> 10.1.1.1, type 3 code 3
dnl (port unreachable), quoting the IP and UDP headers of packet 1 so that
dnl conntrack can tie it to the committed UDP connection.
882 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'dnl
883 0000 0000 0000 0000 0000 0000 0800 45c0 dnl
884 003a 411e 0000 4001 22e1 0a01 0102 0a01 dnl
885 0101 0303 131d 0000 0000 dnl
886 4500 001e bb85 4000 4011 6945 0a01 0101 dnl
887 0a01 0102 839c 1388 000a f1a6 610a'])
dnl Presumably folds datapath flow statistics into the OpenFlow flow counters
dnl before they are read below.
889 AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl Expected: the UDP packet hit the commit rule once, and the ICMP error hit
dnl both the -trk rule and the +trk+rel,ct_mark=1 rule once each. The drop rule
dnl is filtered from the listing by grep -v drop.
890 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
891 n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
892 n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
893 n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
894 priority=10,arp actions=NORMAL
898 OVS_TRAFFIC_VSWITCHD_STOP
901 AT_SETUP([conntrack - ICMP related 2])
dnl Verifies that only an ICMP error that quotes a tracked connection is
dnl classified +rel+rpl; an unsolicited ICMP error does not reach the
dnl controller.
903 OVS_TRAFFIC_VSWITCHD_START()
905 ADD_NAMESPACES(at_ns0, at_ns1)
907 ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
908 ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")
910 dnl Track UDP from port 1 and send tracked packets from port 1 to the
dnl controller. From port 2, only packets that conntrack classifies as replies
dnl related to an existing connection go to the controller. Apart from ARP,
dnl anything else falls through to the priority=1 drop.
911 AT_DATA([flows.txt], [dnl
912 priority=1,action=drop
913 priority=10,arp,action=normal
914 priority=100,in_port=1,udp,ct_state=-trk,action=ct(commit,table=0)
915 priority=100,in_port=1,ip,ct_state=+trk,actions=controller
916 priority=100,in_port=2,ip,ct_state=-trk,action=ct(table=0)
917 priority=100,in_port=2,ip,ct_state=+trk+rel+rpl,action=controller
920 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])
dnl Run a detached monitor whose output (the packet-ins) lands in
dnl ofctl_monitor.log; the assertion at the end is made on that log.
922 AT_CAPTURE_FILE([ofctl_monitor.log])
923 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
925 dnl 1. Send an ICMP port unreachable error for port 8738 without any previous
dnl    request. No tracked connection matches the quoted header, so it is not
dnl    +rel and must not produce a packet-in.
926 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f355ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])
928 dnl 2. Send a UDP packet to port 5555 from 172.16.0.1 and commit it; as a
dnl    tracked packet from port 1 it produces the first packet-in.
929 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
931 dnl 3. Send an ICMP port unreachable error for port 5555 that quotes the UDP
dnl    packet from step 2; conntrack classifies it rel|rpl|trk, producing the
dnl    second packet-in.
932 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
934 dnl Check the monitor log: only the latter two packets appear, not the first.
935 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
936 NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
937 udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
938 NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
939 icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
942 OVS_TRAFFIC_VSWITCHD_STOP
945 AT_SETUP([conntrack - FTP])
dnl Exercises the FTP ALG (alg=ftp): the helper follows the control channel so
dnl that the separate data connection is classified +rel and can be admitted
dnl without opening a port range statically. Two policies are tried.
946 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
948 OVS_TRAFFIC_VSWITCHD_START()
950 ADD_NAMESPACES(at_ns0, at_ns1)
952 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
953 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
955 dnl flows1: commit all TCP from ns0->ns1 with the FTP ALG attached. From
dnl ns1->ns0 only allow TCP that conntrack sees as established or related (the
dnl FTP data connection). ARP and ICMP pass both ways; the rest is dropped.
956 AT_DATA([flows1.txt], [dnl
957 priority=1,action=drop
958 priority=10,arp,action=normal
959 priority=10,icmp,action=normal
960 priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
961 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
962 priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
963 priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1
966 dnl Similar policy but without allowing all traffic from ns0->ns1.
dnl flows2: both directions are tracked first; only +new connections from
dnl ns0->ns1 are committed (with the ALG), and a new related connection
dnl arriving from ns1->ns0 is committed in its own right so that its later
dnl packets match as +est.
967 AT_DATA([flows2.txt], [dnl
968 priority=1,action=drop
969 priority=10,arp,action=normal
970 priority=10,icmp,action=normal
971 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0)
972 priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
973 priority=100,in_port=1,tcp,ct_state=+trk+est,action=2
974 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
975 priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
976 priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
977 priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1
980 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
dnl An FTP server runs in each namespace so that both directions can be tried.
982 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
983 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
985 dnl FTP requests from p1->p0 should fail due to network failure.
986 dnl Try 3 times, in 1 second intervals.
dnl wget exit status 4 is its "network failure" code. A new connection from
dnl ns1 that is not related to anything is never committed by either policy,
dnl so no conntrack entry for 10.1.1.1 is expected.
987 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
988 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl
991 dnl FTP requests from p0->p1 should work fine.
dnl Expected: only the control connection, tagged helper=ftp, is listed
dnl (entries in FIN states are filtered out).
992 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
993 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
994 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=1
997 dnl Try the second set of flows.
998 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
1001 dnl FTP requests from p1->p0 should fail due to network failure.
1002 dnl Try 3 times, in 1 second intervals.
1003 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
1004 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl
1007 dnl Active FTP requests from p0->p1 should work fine.
dnl Expected: the control connection (helper=ftp) plus the data connection,
dnl which in active mode is opened by the server 10.1.1.2 towards the client;
dnl it is admitted as +rel and committed by the port 2 +trk+new+rel rule.
1008 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
1009 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1010 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=2
1011 TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
dnl Flush the table so the passive-mode listing below is not mixed with the
dnl active-mode entries.
1014 AT_CHECK([conntrack -F 2>/dev/null])
1016 dnl Passive FTP requests from p0->p1 should work fine.
dnl Expected: in passive mode both the control and the data connection are
dnl opened by the client 10.1.1.1, so both entries have src=10.1.1.1.
1017 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
1018 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1019 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=2
1020 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
1023 OVS_TRAFFIC_VSWITCHD_STOP
1027 AT_SETUP([conntrack - IPv6 FTP])
1028 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1030 OVS_TRAFFIC_VSWITCHD_START()
1032 ADD_NAMESPACES(at_ns0, at_ns1)
1034 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1035 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1037 dnl Allow any traffic from ns0->ns1.
1038 dnl Only allow neighbor discovery and return traffic from ns1->ns0.
1039 AT_DATA([flows.txt], [dnl
1040 dnl Track all IPv6 traffic and drop the rest.
1041 dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
1042 table=0 priority=100 in_port=1 icmp6, action=2
1043 table=0 priority=100 in_port=2 icmp6, action=1
1044 table=0 priority=10 ip6, action=ct(table=1)
1045 table=0 priority=0 action=drop
1049 dnl Allow new TCPv6 FTP control connections from port 1.
1050 table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
1051 dnl Allow related TCPv6 connections from port 2.
1052 table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
1053 dnl Allow established TCPv6 connections both ways.
1054 table=1 in_port=1 ct_state=+est, tcp6, action=2
1055 table=1 in_port=2 ct_state=+est, tcp6, action=1
1056 dnl Drop everything else.
1057 table=1 priority=0, action=drop
1060 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1062 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1064 dnl FTP requests from p0->p1 should work fine.
1065 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
1067 AT_CHECK([conntrack -L -f ipv6 2>&1 | FORMAT_CT(fc00::2) | grep -v "FIN" | grep -v "CLOSE"], [0], [dnl
1068 TIME_WAIT src=fc00::1 dst=fc00::2 sport=<cleared> dport=<cleared> src=fc00::2 dst=fc00::1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=2
1069 TIME_WAIT src=fc00::2 dst=fc00::1 sport=<cleared> dport=<cleared> src=fc00::1 dst=fc00::2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
1072 OVS_TRAFFIC_VSWITCHD_STOP
1076 AT_SETUP([conntrack - FTP with multiple expectations])
1077 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1079 OVS_TRAFFIC_VSWITCHD_START()
1081 ADD_NAMESPACES(at_ns0, at_ns1)
1083 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1084 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1086 dnl Dual firewall: allow all from ns1->ns2; allow established and FTP traffic from ns2->ns1.
1087 AT_DATA([flows.txt], [dnl
1088 priority=1,action=drop
1089 priority=10,arp,action=normal
1090 priority=10,icmp,action=normal
1091 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
1092 priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
1093 priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2)
1094 priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2)
1095 priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
1096 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
1097 priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1098 priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1)
1099 priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1100 priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
1103 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1105 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
1106 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1108 dnl FTP requests from p1->p0 should fail due to network failure.
1109 dnl Try 3 times, in 1 second intervals.
1110 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
1111 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl
1114 dnl Active FTP requests from p0->p1 should work fine.
1115 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1116 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1117 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 helper=ftp use=2
1118 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 helper=ftp use=2
1119 TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
1120 TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
1123 AT_CHECK([conntrack -F 2>/dev/null])
1125 dnl Passive FTP requests from p0->p1 should work fine.
1126 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1127 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1128 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 helper=ftp use=2
1129 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
1130 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 helper=ftp use=2
1131 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
1134 OVS_TRAFFIC_VSWITCHD_STOP
1137 AT_SETUP([conntrack - IPv4 fragmentation ])
1139 OVS_TRAFFIC_VSWITCHD_START()
1141 ADD_NAMESPACES(at_ns0, at_ns1)
1143 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1144 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1146 dnl Sending ping through conntrack
1147 AT_DATA([flows.txt], [dnl
1148 priority=1,action=drop
1149 priority=10,arp,action=normal
1150 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1151 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1152 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1155 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1157 dnl Basic connectivity check.
1158 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1159 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1162 dnl IPv4 fragmentation connectivity check.
1163 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1164 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1167 dnl IPv4 larger fragmentation connectivity check.
1168 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1169 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1172 OVS_TRAFFIC_VSWITCHD_STOP
1175 AT_SETUP([conntrack - IPv4 fragmentation + vlan])
1177 OVS_TRAFFIC_VSWITCHD_START()
1179 ADD_NAMESPACES(at_ns0, at_ns1)
1181 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1182 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1183 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
1184 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
1186 dnl Sending ping through conntrack
1187 AT_DATA([flows.txt], [dnl
1188 priority=1,action=drop
1189 priority=10,arp,action=normal
1190 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1191 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1192 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1195 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1197 dnl Basic connectivity check.
1198 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1199 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1202 dnl IPv4 fragmentation connectivity check.
1203 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1204 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1207 dnl IPv4 larger fragmentation connectivity check.
1208 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1209 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1212 OVS_TRAFFIC_VSWITCHD_STOP
1215 AT_SETUP([conntrack - IPv6 fragmentation])
1217 OVS_TRAFFIC_VSWITCHD_START()
1219 ADD_NAMESPACES(at_ns0, at_ns1)
1221 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1222 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1224 dnl Sending ping through conntrack
1225 AT_DATA([flows.txt], [dnl
1226 priority=1,action=drop
1227 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1228 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1229 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1230 priority=100,icmp6,icmp_type=135,action=normal
1231 priority=100,icmp6,icmp_type=136,action=normal
1234 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1236 dnl Without this sleep, we get occasional failures due to the following error:
1237 dnl "connect: Cannot assign requested address"
1240 dnl Basic connectivity check.
1241 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1242 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1245 dnl IPv6 fragmentation connectivity check.
1246 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1247 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1250 dnl IPv6 larger fragmentation connectivity check.
1251 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1252 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1255 OVS_TRAFFIC_VSWITCHD_STOP
1258 AT_SETUP([conntrack - IPv6 fragmentation + vlan])
1260 OVS_TRAFFIC_VSWITCHD_START()
1262 ADD_NAMESPACES(at_ns0, at_ns1)
1264 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1265 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1267 ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
1268 ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")
1270 dnl Sending ping through conntrack
1271 AT_DATA([flows.txt], [dnl
1272 priority=1,action=drop
1273 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1274 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1275 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1276 priority=100,icmp6,icmp_type=135,action=normal
1277 priority=100,icmp6,icmp_type=136,action=normal
1280 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1282 dnl Without this sleep, we get occasional failures due to the following error:
1283 dnl "connect: Cannot assign requested address"
1286 dnl Basic connectivity check.
1287 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1288 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1291 dnl IPv6 fragmentation connectivity check.
1292 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1293 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1296 dnl IPv6 larger fragmentation connectivity check.
1297 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1298 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1301 OVS_TRAFFIC_VSWITCHD_STOP
1304 AT_SETUP([conntrack - Fragmentation over vxlan])
1305 AT_SKIP_IF([! ip link help 2>&1 | grep vxlan >/dev/null])
1308 OVS_TRAFFIC_VSWITCHD_START()
1309 ADD_BR([br-underlay])
1310 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1312 ADD_NAMESPACES(at_ns0)
1314 dnl Sending ping through conntrack
1315 AT_DATA([flows.txt], [dnl
1316 priority=1,action=drop
1317 priority=10,arp,action=normal
1318 priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
1319 priority=100,in_port=LOCAL,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1320 priority=100,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
1323 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1325 dnl Set up underlay link from host into the namespace using veth pair.
1326 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
1327 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1328 AT_CHECK([ip link set dev br-underlay up])
1330 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1331 dnl linux device inside the namespace.
1332 ADD_OVS_TUNNEL([vxlan], [br0], [at_ns0], [172.31.1.1], [10.1.1.100/24])
1333 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
1334 [id 0 dstport 4789])
1336 dnl First, check the underlay
1337 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
1338 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1341 dnl Okay, now check the overlay with different packet sizes
1342 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1343 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1345 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1346 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1348 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1349 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1352 OVS_TRAFFIC_VSWITCHD_STOP
1356 AT_SETUP([conntrack - resubmit to ct multiple times])
1359 OVS_TRAFFIC_VSWITCHD_START(
1360 [set-fail-mode br0 secure -- ])
1362 ADD_NAMESPACES(at_ns0, at_ns1)
1364 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1365 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1367 AT_DATA([flows.txt], [dnl
1368 table=0,priority=150,arp,action=normal
1369 table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)
1371 table=1,priority=100,ip,action=ct(table=3)
1372 table=2,priority=100,ip,action=ct(table=3)
1374 table=3,ip,action=drop
1377 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1379 NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1380 1 packets transmitted, 0 received, 100% packet loss, time 0ms
1383 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
1384 n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
1385 n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
1386 table=1, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1387 table=2, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1388 table=3, n_packets=2, n_bytes=196, ip actions=drop
1392 OVS_TRAFFIC_VSWITCHD_STOP
1396 AT_SETUP([conntrack - simple SNAT])
dnl Source-NATs IP from ns0 onto the pool 10.1.1.240-10.1.1.255 and checks that
dnl the reply tuple in conntrack carries a pool address. No interface owns the
dnl pool addresses, so the flows also contain an ARP responder that answers
dnl for them with the MAC of p0 (80:88:88:88:88:88).
1398 OVS_TRAFFIC_VSWITCHD_START()
1400 ADD_NAMESPACES(at_ns0, at_ns1)
1402 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC so that table 8 below can hand it out as the answer for the pool.
1403 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1404 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1406 dnl IP from ns0->ns1 is committed in zone 1 with source NAT. IP from ns1 is
dnl first run through conntrack (which reverses the NAT) and then forwarded
dnl to port 1 when it is tracked in zone 1.
dnl NOTE(review): the port 2 rule matches ct_state=+trk, which includes +new,
dnl so a connection initiated from ns1 towards 10.1.1.1 is forwarded as well;
dnl the "more complex SNAT" test uses +trk-new+est for the same purpose.
1407 AT_DATA([flows.txt], [dnl
1408 in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
1409 in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
1410 in_port=2,ct_state=+trk,ct_zone=1,ip,action=1
dnl ARP requests are diverted through table 8 (MAC lookup for the target IP,
dnl copied to reg2) and table 10 (responder); other ARP is switched normally.
1413 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1414 priority=10 arp action=normal
1415 priority=0,action=drop
1417 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, i.e. the NAT pool; any other
dnl target IP yields 0.
1418 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1419 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1420 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1422 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl The reply leaves through the ingress port: in_port is saved in reg3,
dnl cleared, and then used as the output port.
1423 table=10 priority=100 arp xreg0=0 action=normal
1424 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1425 table=10 priority=0 action=drop
1428 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1430 dnl HTTP requests from p0->p1 should work fine.
1431 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1432 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The NAT source address is picked from the pool, so the sed normalizes any
dnl 10.1.1.24x or 10.1.1.25x reply destination to 10.1.1.2XX before comparing.
1434 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
1435 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.2XX sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
1438 OVS_TRAFFIC_VSWITCHD_STOP
1442 AT_SETUP([conntrack - SNAT with port range])
1444 OVS_TRAFFIC_VSWITCHD_START()
1446 ADD_NAMESPACES(at_ns0, at_ns1)
1448 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1449 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1450 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1452 dnl Allow any traffic from ns0->ns1. Only allow neighbor discovery and return traffic from ns1->ns0.
1453 AT_DATA([flows.txt], [dnl
1454 in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:34567-34568,random)),2
1455 in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
1456 in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
1457 in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
1460 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1461 priority=10 arp action=normal
1462 priority=0,action=drop
1464 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
1465 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1466 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1467 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1469 dnl Swaps the fields of the ARP message to turn a query to a response.
1470 table=10 priority=100 arp xreg0=0 action=normal
1471 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1472 table=10 priority=0 action=drop
1475 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1477 dnl HTTP requests from p0->p1 should work fine.
1478 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1479 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
1481 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
1482 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.2XX sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
1485 OVS_TRAFFIC_VSWITCHD_STOP
1489 AT_SETUP([conntrack - more complex SNAT])
dnl Topology: ns0/p0 (10.1.1.1, OpenFlow port 1) and ns1/p1 (10.1.1.2, port 2)
dnl on br0. Connections from ns0 are source-NATed into 10.1.1.240-10.1.1.255;
dnl ns1 may only send packets that belong to an already established connection.
dnl ARP requests for the NAT pool are answered by the switch itself with p0's
dnl MAC, which is pinned below so that the flow table can hard-code it.
1491 OVS_TRAFFIC_VSWITCHD_START()
1493 ADD_NAMESPACES(at_ns0, at_ns1)
1495 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0: table 8 below returns it for ARP queries on the NAT pool.
1496 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1497 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1499 AT_DATA([flows.txt], [dnl
1500 dnl Table 0: track all IP traffic in zone 1, apply the NAT binding of existing
dnl connections, then continue in table 1 with ct_state populated.
1501 priority=100 ip action=ct(table=1,zone=1,nat)
1503 dnl Allow ARP, but generate responses for NATed addresses: save the queried
dnl IP (TPA) in reg2, resolve it to a MAC in table 8, then answer in table 10.
1504 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1505 priority=10 arp action=normal
dnl Default deny for anything that is neither IP nor ARP.
1506 priority=0 action=drop
1508 dnl Table 1: policy after conntrack. Allow any traffic from ns0->ns1; a new
dnl connection is committed with SNAT of ns0 to 10.1.1.240-10.1.1.255.
1509 table=1 priority=100 in_port=1 ip ct_state=+trk+new-est action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
1510 table=1 priority=100 in_port=1 ip ct_state=+trk-new+est action=2
1511 dnl Only allow established traffic from ns1->ns0. Connections initiated by
dnl ns1 are +new and fall through to the drop below; related traffic (e.g.
dnl ICMP errors) is not admitted by this flow table either.
1512 table=1 priority=100 in_port=2 ip ct_state=+trk-new+est action=1
1513 table=1 priority=0 action=drop
1515 dnl Table 8: MAC resolution for the IP in reg2, stores the MAC in OXM_OF_PKT_REG0.
dnl Only the NAT pool 10.1.1.240/28 resolves, and it resolves to p0's MAC.
1516 table=8 priority=100 reg2=0x0a0101f0/0xfffffff0 action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1517 dnl Zero result means not found.
1518 table=8 priority=0 action=load:0->OXM_OF_PKT_REG0[[]]
1519 dnl Table 10: ARP responder. MAC filled in at OXM_OF_PKT_REG0 (the same
dnl 64-bit register xreg0 matches on), or 0 for normal action.
1520 dnl ARP TPA IP in reg2.
1521 table=10 priority=100 arp xreg0=0 action=normal
1522 dnl Swaps the fields of the ARP message to turn a query into a response and
dnl sends it back out the ingress port: in_port is saved in reg3 and cleared
dnl first, because OpenFlow refuses a plain output to the ingress port.
1523 table=10 priority=10 arp arp_op=1 action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1524 table=10 priority=0 action=drop
1527 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1529 dnl HTTP requests from p0->p1 should work fine.
1530 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1531 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The SNAT address is picked from the pool, so its last octet is masked
dnl before comparing. The reply tuple must be addressed to the translated
dnl source and the entry must live in zone 1.
1533 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
1534 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.2XX sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
1537 OVS_TRAFFIC_VSWITCHD_STOP
1540 AT_SETUP([conntrack - simple DNAT])
dnl Topology: ns0/p0 (10.1.1.1, port 1) and ns1/p1 (10.1.1.2, port 2) on br0.
dnl ns0 reaches ns1 through the virtual address 10.1.1.64, which is
dnl destination-NATed to 10.1.1.2. ARP for the virtual address is answered by
dnl the switch with p1's MAC, pinned below so the flow table can hard-code it.
1542 OVS_TRAFFIC_VSWITCHD_START()
1544 ADD_NAMESPACES(at_ns0, at_ns1)
1546 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1547 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Fixed MAC for p1: table 8 below returns it for ARP queries on 10.1.1.64.
1548 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
1550 dnl Allow any traffic from ns0->ns1. Only allow ARP and return traffic from ns1->ns0.
1551 AT_DATA([flows.txt], [dnl
dnl Traffic from ns0 to the virtual address: commit in zone 1 with DNAT to
dnl 10.1.1.2. There is no ct_state match, so every such packet passes through
dnl ct(commit,nat); for an existing connection that just applies its binding.
1552 priority=100 in_port=1,ip,nw_dst=10.1.1.64,action=ct(zone=1,nat(dst=10.1.1.2),commit),2
dnl Any other IP traffic from ns0: commit in zone 1 without translation.
1553 priority=10 in_port=1,ip,action=ct(commit,zone=1),2
dnl Untracked packets from ns1: reverse-NAT against zone 1 and recirculate to
dnl table 0, where they are re-evaluated with ct_state populated.
1554 priority=100 in_port=2,ct_state=-trk,ip,action=ct(table=0,nat,zone=1)
dnl Tracked packets from ns1 are forwarded only for established zone-1
dnl connections; +new packets from ns1 match nothing and hit the drop below.
1555 priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip,action=1
dnl Allow ARP, but generate responses for NATed addresses: save the queried
dnl IP (TPA) in reg2, resolve it to a MAC in table 8, then answer in table 10.
1558 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1559 priority=10 arp action=normal
dnl Default deny for anything that is neither IP nor ARP.
1560 priority=0,action=drop
1562 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0.
dnl 0x0a010140 is 10.1.1.64, the virtual address; it resolves to p1's MAC.
1563 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1564 dnl Zero result means not found.
1565 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1566 dnl ARP responder mac filled in at OXM_OF_PKT_REG0 (the same 64-bit register xreg0 matches on), or 0 for normal action.
1568 table=10 priority=100 arp xreg0=0 action=normal
1569 dnl Swaps the fields of the ARP message to turn a query into a response and
dnl sends it back out the ingress port: in_port is saved in reg3 and cleared
dnl first, because OpenFlow refuses a plain output to the ingress port.
1570 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1571 table=10 priority=0 action=drop
1574 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1576 dnl Should work with the virtual IP address through NAT.
1577 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1578 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The original tuple carries the virtual address while the reply tuple
dnl carries the real server address: DNAT was applied and reversed, in zone 1.
1580 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.64) ], [0], [dnl
1581 TIME_WAIT src=10.1.1.1 dst=10.1.1.64 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
1584 dnl Should work with the assigned IP address as well (no translation involved,
dnl so both tuples show the real addresses).
1585 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1587 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) ], [0], [dnl
1588 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
1591 OVS_TRAFFIC_VSWITCHD_STOP
1594 AT_SETUP([conntrack - more complex DNAT])
dnl Same scenario as the simple DNAT test (ns0 reaches ns1 via the virtual
dnl address 10.1.1.64, translated to 10.1.1.2), but with conntrack lookup in
dnl table 0 and the forwarding policy expressed on ct_state in table 1.
1596 OVS_TRAFFIC_VSWITCHD_START()
1598 ADD_NAMESPACES(at_ns0, at_ns1)
1600 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1601 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Fixed MAC for p1: table 8 below returns it for ARP queries on 10.1.1.64.
1602 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
1604 dnl Allow any traffic from ns0->ns1. Only allow ARP and return traffic from ns1->ns0.
1605 AT_DATA([flows.txt], [dnl
1606 dnl Table 0: track all IP traffic in zone 1, apply the NAT binding of existing
dnl connections, then continue in table 1 with ct_state populated.
1607 table=0 priority=100 ip action=ct(table=1,zone=1,nat)
1609 dnl Allow ARP, but generate responses for NATed addresses: save the queried
dnl IP (TPA) in reg2, resolve it to a MAC in table 8, then answer in table 10.
1610 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1611 table=0 priority=10 arp action=normal
dnl Default deny for anything that is neither IP nor ARP.
1612 table=0 priority=0 action=drop
1614 dnl Table 1: allow any IP traffic from ns0->ns1. A new connection to the
dnl virtual address is committed with DNAT from 10.1.1.64 to 10.1.1.2; any
dnl other new connection from ns0 is committed without translation.
1615 table=1 priority=100 in_port=1 ct_state=+new ip nw_dst=10.1.1.64 action=ct(zone=1,nat(dst=10.1.1.2),commit),2
1616 table=1 priority=10 in_port=1 ct_state=+new ip action=ct(commit,zone=1),2
1617 table=1 priority=100 in_port=1 ct_state=+est ct_zone=1 action=2
1618 dnl Only allow established zone-1 traffic from ns1->ns0; connections
dnl initiated by ns1 are +new and fall through to the drop below.
1619 table=1 priority=100 in_port=2 ct_state=+est ct_zone=1 action=1
1620 table=1 priority=0 action=drop
1622 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0.
dnl 0x0a010140 is 10.1.1.64, the virtual address; it resolves to p1's MAC.
1623 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1624 dnl Zero result means not found.
1625 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1626 dnl ARP responder mac filled in at OXM_OF_PKT_REG0 (the same 64-bit register xreg0 matches on), or 0 for normal action.
1628 table=10 priority=100 arp xreg0=0 action=normal
1629 dnl Swaps the fields of the ARP message to turn a query into a response and
dnl sends it back out the ingress port: in_port is saved in reg3 and cleared
dnl first, because OpenFlow refuses a plain output to the ingress port.
1630 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1631 table=10 priority=0 action=drop
1634 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1636 dnl Should work with the virtual IP address through NAT.
1637 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1638 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The original tuple carries the virtual address while the reply tuple
dnl carries the real server address: DNAT was applied and reversed, in zone 1.
1640 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.64) ], [0], [dnl
1641 TIME_WAIT src=10.1.1.1 dst=10.1.1.64 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
1644 dnl Should work with the assigned IP address as well (no translation involved,
dnl so both tuples show the real addresses).
1645 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1647 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) ], [0], [dnl
1648 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
1651 OVS_TRAFFIC_VSWITCHD_STOP
1654 AT_SETUP([conntrack - ICMP related with NAT])
dnl Topology: ns0/p0 (10.1.1.1, port 1) and ns1/p1 (10.1.1.2, port 2) on br0.
dnl A UDP datagram from ns0 to a closed port on ns1 is source-NATed into the
dnl pool 10.1.1.240-10.1.1.255 and marked. The ICMP error ns1 sends back is
dnl addressed to the NAT address; it must be recognized as related to the
dnl marked UDP flow, reverse-NATed so that its destination is 10.1.1.1 again,
dnl and only then delivered to ns0. No zone is given, so the default zone is
dnl used (the expected conntrack line therefore has no zone field).
1656 OVS_TRAFFIC_VSWITCHD_START()
1658 ADD_NAMESPACES(at_ns0, at_ns1)
1660 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0: table 8 below returns it for ARP queries on the NAT pool.
1661 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1662 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1664 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
1665 dnl Make sure ICMP responses are reverse-NATted.
1666 AT_DATA([flows.txt], [dnl
dnl UDP from ns0: commit with SNAT into the pool and tag the connection with
dnl ct_mark=1 so the return path can tell it apart from other connections.
1667 in_port=1,udp,action=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:1->ct_mark)),2
dnl Untracked ICMP from ns1: look it up with reverse NAT and recirculate to
dnl table 0 so the rule below sees ct_state, ct_mark and the restored nw_dst.
1668 in_port=2,icmp,ct_state=-trk,action=ct(table=0,nat)
dnl Only ICMP that is related to a marked connection and already un-NATed to
dnl 10.1.1.1 reaches ns0; arbitrary ICMP from ns1 matches nothing and is dropped.
1669 in_port=2,icmp,nw_dst=10.1.1.1,ct_state=+trk+rel,ct_mark=1,action=1
dnl Allow ARP, but generate responses for NATed addresses: save the queried
dnl IP (TPA) in reg2, resolve it to a MAC in table 8, then answer in table 10.
1672 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1673 priority=10 arp action=normal
dnl Default deny.
1674 priority=0,action=drop
1676 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0.
dnl Only the NAT pool 10.1.1.240/28 resolves, and it resolves to p0's MAC.
1677 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
1678 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1679 dnl ARP responder mac filled in at OXM_OF_PKT_REG0 (the same 64-bit register xreg0 matches on), or 0 for normal action.
1682 table=10 priority=100 arp xreg0=0 action=normal
1681 dnl Swaps the fields of the ARP message to turn a query into a response and
dnl sends it back out the ingress port: in_port is saved in reg3 and cleared
dnl first, because OpenFlow refuses a plain output to the ingress port.
1683 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1684 table=10 priority=0 action=drop
1687 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1689 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
1690 dnl We pass "-q 1" here to handle openbsd-style nc that can't quit immediately.
1691 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc -q 1 -u 10.1.1.2 10000"])
dnl Flush datapath flows so their statistics are accounted to the OpenFlow
dnl flows before dumping.
1693 AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl Every non-drop rule must have been hit: the related-ICMP rule with one
dnl packet proves the error was matched (and un-NATed to 10.1.1.1) rather than
dnl dropped; the ARP request rule sees two requests, one per direction.
dnl The dump also shows that OXM_OF_PKT_REG0 and xreg0 are the same register
dnl (reg0 and reg1 combined).
1694 AT_CHECK([ovs-ofctl -O OpenFlow15 dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
1695 n_packets=1, n_bytes=42, priority=10,arp actions=NORMAL
1696 n_packets=1, n_bytes=44, udp,in_port=1 actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:0x1->ct_mark)),output:2
1697 n_packets=1, n_bytes=72, ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2,nw_dst=10.1.1.1 actions=output:1
1698 n_packets=1, n_bytes=72, ct_state=-trk,icmp,in_port=2 actions=ct(table=0,nat)
1699 n_packets=2, n_bytes=84, priority=100,arp,arp_op=1 actions=move:NXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1700 table=10, n_packets=1, n_bytes=42, priority=10,arp,arp_op=1 actions=set_field:2->arp_op,move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_NX_ARP_SHA[[]],move:NXM_OF_ARP_SPA[[]]->NXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->NXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],set_field:0->in_port,output:NXM_NX_REG3[[0..15]]
1701 table=10, n_packets=1, n_bytes=42, priority=100,arp,reg0=0,reg1=0 actions=NORMAL
1702 table=8, n_packets=1, n_bytes=42, priority=0 actions=set_field:0->xreg0
1703 table=8, n_packets=1, n_bytes=42, reg2=0xa0101f0/0xfffffff0 actions=set_field:0x808888888888->xreg0
1704 OFPST_FLOW reply (OF1.5):
dnl The UDP entry carries mark=1 and a reply tuple addressed to the SNAT
dnl address (last octet masked, as it is picked from the pool). It stays
dnl UNREPLIED: the ICMP error is tracked as related, not as a UDP reply.
1707 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
1708 src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[UNREPLIED]] src=10.1.1.2 dst=10.1.1.2XX sport=<cleared> dport=<cleared> mark=1 use=1
1711 OVS_TRAFFIC_VSWITCHD_STOP
1715 AT_SETUP([conntrack - FTP with NAT])
dnl Active-mode FTP (wget --no-passive-ftp) from ns0 through SNAT to
dnl 10.1.1.240. In active mode the server opens the data connection back to
dnl the client, so the control connection gets the ftp ALG (alg=ftp): the
dnl server then dials the NAT address 10.1.1.240, conntrack flags that
dnl connection as related, and ct(commit,nat) reverse-translates it to
dnl 10.1.1.1. The second conntrack entry below shows exactly that.
1716 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1719 OVS_TRAFFIC_VSWITCHD_START()
1721 ADD_NAMESPACES(at_ns0, at_ns1)
1723 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0: table 8 below returns it for ARP queries on the NAT pool.
1724 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1725 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1727 dnl Allow any traffic from ns0->ns1. Only allow ARP and return traffic from ns1->ns0.
1729 AT_DATA([flows.txt], [dnl
1730 dnl Table 0: track all IP traffic with NAT, which de-mangles (reverse-NATs)
dnl non-NEW connections. Port 1 continues in table 1, port 2 in table 2.
1731 table=0 in_port=1, ip, action=ct(table=1,nat)
1732 table=0 in_port=2, ip, action=ct(table=2,nat)
dnl Allow ARP, but generate responses for NATed addresses: save the queried
dnl IP (TPA) in reg2, resolve it to a MAC in table 8, then answer in table 10.
1736 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1737 table=0 priority=10 arp action=normal
dnl Default deny for anything that is neither IP nor ARP.
1738 table=0 priority=0 action=drop
1740 dnl Table 1: port 1 -> 2
1742 dnl Allow new FTP control connections, only from the real client address to
dnl tcp/21. These need to be committed; alg=ftp attaches the FTP helper that
dnl creates the expectation for the data connection.
1743 table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
1744 dnl Allow established TCP connections, make sure they are NATted already:
dnl table 0 applied the SNAT, so matching on the translated source doubles as
dnl a check that the translation happened. Untranslated TCP hits the drop.
1745 table=1 ct_state=+est, tcp, nw_src=10.1.1.240, action=2
1747 dnl Table 1: droppers
1749 table=1 priority=10, tcp, action=drop
1750 table=1 priority=0,action=drop
1752 dnl Table 2: port 2 -> 1
1754 dnl Allow established TCP connections, make sure they are reverse NATted
dnl (table 0 restored the real client address as nw_dst).
1755 table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
1756 dnl Allow (new) related (data) connections. These need to be committed.
dnl The server dials the NAT address; ct(commit,nat) applies the helper's
dnl expectation, i.e. reverse-translates the destination to 10.1.1.1.
1757 table=2 ct_state=+new+rel, tcp, nw_dst=10.1.1.240, action=ct(commit,nat),1
1758 dnl Allow related ICMP packets, make sure they are reverse NATted
1759 table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
1761 dnl Table 2: droppers
1763 table=2 priority=10, tcp, action=drop
1764 table=2 priority=0, action=drop
1766 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0.
dnl Only the NAT pool 10.1.1.240/28 resolves, and it resolves to p0's MAC.
1768 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
1769 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1770 dnl ARP responder mac filled in at OXM_OF_PKT_REG0 (the same 64-bit register xreg0 matches on), or 0 for normal action.
1773 table=10 priority=100 arp xreg0=0 action=normal
1772 dnl Swaps the fields of the ARP message to turn a query into a response and
dnl sends it back out the ingress port: in_port is saved in reg3 and cleared
dnl first, because OpenFlow refuses a plain output to the ingress port.
1774 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1775 table=10 priority=0 action=drop
1778 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1780 dnl NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
dnl Only the server in ns1 is needed; the client runs from ns0 below.
1781 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1783 dnl FTP requests from p0->p1 should work fine.
1784 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
dnl Entries still in FIN_WAIT are filtered out. Expected: the control
dnl connection (helper=ftp, SNATed to 10.1.1.240, use=2 because the
dnl expectation references it) and the server-initiated data connection,
dnl whose reply tuple proves the related connection was reverse-NATed.
1786 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1787 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.240 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=2
1788 TIME_WAIT src=10.1.1.2 dst=10.1.1.240 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
1791 OVS_TRAFFIC_VSWITCHD_STOP
1795 AT_SETUP([conntrack - FTP with NAT 2])
dnl Variant of the active-mode FTP NAT test: table 0 only tracks (no nat),
dnl and NAT is applied per rule in table 1 with ct(nat). Traffic that is not
dnl matched by one of the explicit NAT rules is therefore never translated.
1796 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1798 OVS_TRAFFIC_VSWITCHD_START()
1800 ADD_NAMESPACES(at_ns0, at_ns1)
1802 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fixed MAC for p0: table 8 below returns it for ARP queries on the NAT pool.
1803 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1804 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1806 dnl Allow any traffic from ns0->ns1.
1807 dnl Only allow ARP and return traffic from ns1->ns0.
1808 AT_DATA([flows.txt], [dnl
1809 dnl Table 0: track all IP traffic (this includes a helper call for non-NEW
dnl packets) without NAT; translation happens in table 1.
1810 table=0 ip, action=ct(table=1)
dnl Allow ARP, but generate responses for NATed addresses: save the queried
dnl IP (TPA) in reg2, resolve it to a MAC in table 8, then answer in table 10.
1814 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1815 table=0 priority=10 arp action=normal
dnl Default deny for anything that is neither IP nor ARP.
1816 table=0 priority=0 action=drop
1820 dnl Allow new FTP control connections from ns0 to tcp/21 (no source address
dnl restriction here). These need to be committed.
1821 dnl This does helper for new packets: alg=ftp attaches the FTP helper that
dnl creates the expectation for the data connection.
1822 table=1 in_port=1 ct_state=+new, tcp, tp_dst=21, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
1823 dnl Allow and NAT established TCP connections (SNAT on the way out,
dnl reverse NAT on the way back).
1824 table=1 in_port=1 ct_state=+est, tcp, action=ct(nat),2
1825 table=1 in_port=2 ct_state=+est, tcp, action=ct(nat),1
1826 dnl Allow and NAT (new) related active (data) connections.
1827 dnl These need to be committed. Admission relies solely on the +rel state
dnl set from the helper's expectation; no address or port is pinned here.
1828 table=1 in_port=2 ct_state=+new+rel, tcp, action=ct(commit,nat),1
1829 dnl Allow related ICMP packets, reverse-NATed.
1830 table=1 in_port=2 ct_state=+rel, icmp, action=ct(nat),1
1831 dnl Drop everything else.
1832 table=1 priority=0, action=drop
1834 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0.
dnl Only the NAT pool 10.1.1.240/28 resolves, and it resolves to p0's MAC.
1836 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
dnl Zero result means not found.
1837 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1838 dnl ARP responder mac filled in at OXM_OF_PKT_REG0 (the same 64-bit register xreg0 matches on), or 0 for normal action.
1841 table=10 priority=100 arp xreg0=0 action=normal
1840 dnl Swaps the fields of the ARP message to turn a query into a response and
dnl sends it back out the ingress port: in_port is saved in reg3 and cleared
dnl first, because OpenFlow refuses a plain output to the ingress port.
1842 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1843 table=10 priority=0 action=drop
1846 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1848 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1850 dnl FTP requests from p0->p1 should work fine (active mode, so the server
dnl opens the data connection towards the NAT address).
1851 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
dnl Entries still in FIN_WAIT or CLOSE are filtered out. Expected: the control
dnl connection (helper=ftp, SNATed to 10.1.1.240) and the server-initiated
dnl data connection, whose reply tuple proves it was reverse-NATed to 10.1.1.1.
1853 AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN" | grep -v "CLOSE"], [0], [dnl
1854 TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.240 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=2
1855 TIME_WAIT src=10.1.1.2 dst=10.1.1.240 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
1858 OVS_TRAFFIC_VSWITCHD_STOP
1861 AT_SETUP([conntrack - IPv6 HTTP with NAT])
dnl Topology: ns0/p0 (fc00::1, port 1) and ns1/p1 (fc00::2, port 2) on br0.
dnl Connections from ns0 are source-NATed to fc00::240. Only established
dnl traffic (plus ICMPv6) is admitted from ns1; a connection initiated by ns1
dnl must fail.
1863 OVS_TRAFFIC_VSWITCHD_START()
1865 ADD_NAMESPACES(at_ns0, at_ns1)
1867 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
dnl Fixed MAC for p0, referenced by the static neighbor entry below.
1868 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1869 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl NAT does not rewrite neighbor discovery, so ns1 is told statically that
dnl the NAT address fc00::240 lives at p0's MAC.
1870 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
1872 dnl Allow any traffic from ns0->ns1. Only allow ICMPv6 (neighbor discovery) and return traffic from ns1->ns0.
1873 AT_DATA([flows.txt], [dnl
dnl Default deny.
1874 priority=1,action=drop
dnl ICMPv6 not claimed by a higher-priority rule is switched normally.
1875 priority=10,icmp6,action=normal
dnl Everything IPv6 from ns0 (no ct_state match, so every packet) is committed
dnl with SNAT to fc00::240 and sent to ns1.
1876 priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240)),2
dnl Untracked IPv6 from ns1: reverse NAT and recirculate to table 0, where the
dnl tracked packet is only forwarded if it belongs to an established connection.
dnl A tracked +new TCP packet from ns1 matches nothing but the drop.
1877 priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
1878 priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
dnl Neighbor solicitations from ns1 for the NAT address are committed with the
dnl destination translated to fc00::1 and delivered to ns0.
1879 priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1
1882 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1884 dnl Without this sleep, we get occasional failures due to the following error:
1885 dnl "connect: Cannot assign requested address"
1888 dnl HTTP requests from ns0->ns1 should work fine.
1889 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
1891 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1893 dnl HTTP requests from ns1->ns0 should fail due to network failure (wget
dnl exit status 4): the new connection from port 2 only matches the drop rule.
1894 dnl Try 3 times, in 1 second intervals.
1895 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
1896 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
1898 OVS_TRAFFIC_VSWITCHD_STOP
1902 AT_SETUP([conntrack - IPv6 FTP with NAT])
dnl IPv6 counterpart of the active-mode FTP NAT test: the control connection
dnl from fc00::1 is SNATed to fc00::240 and gets the ftp ALG, the server opens
dnl the data connection towards fc00::240, and that related connection is
dnl reverse-translated to fc00::1.
1903 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1905 OVS_TRAFFIC_VSWITCHD_START()
1907 ADD_NAMESPACES(at_ns0, at_ns1)
1909 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
dnl Fixed MAC for p0, referenced by the static neighbor entry below.
1910 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1911 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1912 dnl Would be nice if NAT could translate neighbor discovery messages, too.
dnl Until then ns1 is told statically that fc00::240 lives at p0's MAC.
1913 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
1915 dnl Allow any traffic from ns0->ns1.
1916 dnl Only allow ICMPv6 (neighbor discovery) and return traffic from ns1->ns0.
1917 AT_DATA([flows.txt], [dnl
1918 dnl Allow other ICMPv6 both ways (without commit). Listed first, but flow
dnl order in this file is irrelevant; these are table 1 rules.
1919 table=1 priority=100 in_port=1 icmp6, action=2
1920 table=1 priority=100 in_port=2 icmp6, action=1
1921 dnl Table 0: track all IPv6 traffic (this includes NAT and helper processing
dnl for non-NEW packets), then continue in table 1.
1922 table=0 priority=10 ip6, action=ct(nat,table=1)
dnl Default deny for anything that is not IPv6.
1923 table=0 priority=0 action=drop
1927 dnl Allow new TCPv6 FTP control connections, only from fc00::1 to tcp/21;
dnl alg=ftp attaches the helper that creates the data-connection expectation.
1928 table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
1929 dnl Allow related TCPv6 connections from port 2 to the NATted address;
dnl ct(commit,nat) reverse-translates the destination to fc00::1.
1930 table=1 in_port=2 ct_state=+new+rel tcp6 ipv6_dst=fc00::240 action=ct(commit,nat),1
1931 dnl Allow established TCPv6 connections both ways, enforce NATting: table 0
dnl already applied the translation, so matching the translated source (port 1)
dnl or the restored destination (port 2) verifies that it happened.
1932 table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240 action=2
1933 table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1 action=1
1934 dnl Drop everything else.
1935 table=1 priority=0, action=drop
1938 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1940 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1942 dnl FTP requests from p0->p1 should work fine (active mode, so the server
dnl opens the data connection towards the NAT address).
1943 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
dnl Entries still in FIN_WAIT or CLOSE are filtered out. Expected: the control
dnl connection (helper=ftp, SNATed to fc00::240) and the server-initiated data
dnl connection, whose reply tuple proves it was reverse-NATed to fc00::1.
1945 AT_CHECK([conntrack -L -f ipv6 2>&1 | FORMAT_CT(fc00::2) | grep -v "FIN" | grep -v "CLOSE"], [0], [dnl
1946 TIME_WAIT src=fc00::1 dst=fc00::2 sport=<cleared> dport=<cleared> src=fc00::2 dst=fc00::240 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=2
1947 TIME_WAIT src=fc00::2 dst=fc00::240 sport=<cleared> dport=<cleared> src=fc00::1 dst=fc00::2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
1950 OVS_TRAFFIC_VSWITCHD_STOP