dnl End-to-end datapath tests.  Each test starts a real ovs-vswitchd, puts
dnl veth or internal ports into network namespaces, installs OpenFlow rules
dnl and then drives actual traffic (ping/ping6/wget) through br0.  The
dnl "conntrack - *" tests are stateful-firewall checks: a default-drop flow
dnl table only admits return traffic that conntrack associates with a
dnl committed connection, and the negative cases (expected wget failures,
dnl dropped packet-outs) verify that state does not leak across zones, marks
dnl or directions.
1 AT_BANNER([datapath-sanity])
3 AT_SETUP([datapath - ping between two ports])
dnl Baseline datapath check: two namespaces attached to br0 via veth pairs,
dnl with a single "actions=normal" flow (MAC-learning switch, no conntrack).
4 OVS_TRAFFIC_VSWITCHD_START()
6 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
8 ADD_NAMESPACES(at_ns0, at_ns1)
10 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
11 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Three payload sizes: default, 1600 and 3200 bytes.  The larger sizes
dnl presumably exceed the link MTU and so exercise IP fragmentation and
dnl reassembly through the datapath -- confirm against the veth MTU.
dnl FORMAT_PING is expected to normalise the timing fields so the output
dnl below is stable.
13 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
14 3 packets transmitted, 3 received, 0% packet loss, time 0ms
16 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
17 3 packets transmitted, 3 received, 0% packet loss, time 0ms
19 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
20 3 packets transmitted, 3 received, 0% packet loss, time 0ms
23 OVS_TRAFFIC_VSWITCHD_STOP
26 AT_SETUP([datapath - ping between two ports on vlan])
dnl Same as the untagged case, but the pings travel over VLAN 100
dnl sub-interfaces (10.2.2.0/24) so the "normal" action must forward tagged
dnl frames correctly between the two ports.
27 OVS_TRAFFIC_VSWITCHD_START()
29 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
31 ADD_NAMESPACES(at_ns0, at_ns1)
33 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
34 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl VLAN 100 on top of each veth, with its own subnet.
36 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
37 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
dnl Default, 1600- and 3200-byte pings to the VLAN address; the larger
dnl sizes presumably fragment -- confirm against the interface MTU.
39 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
40 3 packets transmitted, 3 received, 0% packet loss, time 0ms
42 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
43 3 packets transmitted, 3 received, 0% packet loss, time 0ms
45 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
46 3 packets transmitted, 3 received, 0% packet loss, time 0ms
49 OVS_TRAFFIC_VSWITCHD_STOP
52 AT_SETUP([datapath - ping6 between two ports])
dnl IPv6 variant of the two-port ping test (fc00::/96, "normal" action).
53 OVS_TRAFFIC_VSWITCHD_START()
55 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
57 ADD_NAMESPACES(at_ns0, at_ns1)
59 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
60 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
62 dnl Without this sleep, we get occasional failures due to the following error:
63 dnl "connect: Cannot assign requested address"
dnl (The error is what the kernel reports while the new IPv6 address is still
dnl tentative, i.e. before DAD completes.)  NOTE(review): the sleep this
dnl comment refers to does not appear in this listing -- confirm it was not
dnl dropped.
66 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
67 3 packets transmitted, 3 received, 0% packet loss, time 0ms
69 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
70 3 packets transmitted, 3 received, 0% packet loss, time 0ms
72 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
73 3 packets transmitted, 3 received, 0% packet loss, time 0ms
76 OVS_TRAFFIC_VSWITCHD_STOP
79 AT_SETUP([datapath - ping6 between two ports on vlan])
dnl IPv6 over VLAN 100 sub-interfaces (fc00:1::/96), "normal" action only.
80 OVS_TRAFFIC_VSWITCHD_START()
82 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
84 ADD_NAMESPACES(at_ns0, at_ns1)
86 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
87 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
89 ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
90 ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")
92 dnl Without this sleep, we get occasional failures due to the following error:
93 dnl "connect: Cannot assign requested address"
dnl NOTE(review): the sleep this comment refers to does not appear in this
dnl listing -- confirm it was not dropped.
96 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
97 3 packets transmitted, 3 received, 0% packet loss, time 0ms
99 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
100 3 packets transmitted, 3 received, 0% packet loss, time 0ms
102 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
103 3 packets transmitted, 3 received, 0% packet loss, time 0ms
106 OVS_TRAFFIC_VSWITCHD_STOP
109 AT_SETUP([datapath - ping over vxlan tunnel])
dnl Skip unless the kernel/iproute2 vxlan implementation understands
dnl "dstport"; the native tunnel below needs it.
110 AT_SKIP_IF([! ip link add foo type vxlan help 2>&1 | grep dstport >/dev/null])
112 OVS_TRAFFIC_VSWITCHD_START()
dnl br-underlay carries the outer (transport) packets, br0 the overlay.
113 ADD_BR([br-underlay])
115 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
116 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
118 ADD_NAMESPACES(at_ns0)
120 dnl Set up underlay link from host into the namespace using veth pair.
dnl Namespace side is 172.31.1.1, host side (on br-underlay) is 172.31.1.100.
121 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
122 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
123 AT_CHECK([ip link set dev br-underlay up])
125 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
126 dnl linux device inside the namespace.
dnl OVS side: vxlan port on br0, remote 172.31.1.1, overlay address
dnl 10.1.1.100/24.  Namespace side: kernel vxlan device pointing at
dnl 172.31.1.100, overlay address 10.1.1.1/24.
dnl NOTE(review): ADD_NATIVE_TUNNEL's remaining arguments (the line closing
dnl this call) are not present in this listing -- confirm they were not
dnl dropped.
127 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
128 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
131 dnl First, check the underlay
132 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
133 3 packets transmitted, 3 received, 0% packet loss, time 0ms
136 dnl Okay, now check the overlay with different packet sizes
dnl 1600 and 3200 bytes presumably exceed the overlay MTU once the VXLAN
dnl encapsulation overhead is added, so inner fragmentation is exercised --
dnl confirm against the tunnel MTU.
137 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
138 3 packets transmitted, 3 received, 0% packet loss, time 0ms
140 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
141 3 packets transmitted, 3 received, 0% packet loss, time 0ms
143 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
144 3 packets transmitted, 3 received, 0% packet loss, time 0ms
147 OVS_TRAFFIC_VSWITCHD_STOP
150 AT_SETUP([conntrack - controller])
dnl Drives conntrack with synthetic packets injected via packet-out and
dnl observes the result through packet-in messages captured by
dnl "ovs-ofctl monitor".  No namespace traffic is generated here; the
dnl namespaces/veths only give the bridge two ports.
152 OVS_TRAFFIC_VSWITCHD_START()
154 ADD_NAMESPACES(at_ns0, at_ns1)
156 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
157 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
159 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl  - default drop; ARP forwarded normally.
dnl  - port 1 UDP: commit the connection, then punt to the controller.
dnl  - port 2 untracked UDP: run through conntrack and recirculate to table 0.
dnl  - port 2 tracked+established UDP: punt to the controller.
dnl  Anything from port 2 that conntrack does not mark established falls
dnl  through to the default drop, so only genuine replies reach the controller.
160 AT_DATA([flows.txt], [dnl
161 priority=1,action=drop
162 priority=10,arp,action=normal
163 priority=100,in_port=1,udp,action=ct(commit),controller
164 priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
165 priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
168 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Capture every packet-in so the log can be compared verbatim below.
170 AT_CAPTURE_FILE([ofctl_monitor.log])
171 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
173 dnl Send an unsolicited reply from port 2. This should be dropped.
dnl (Raw UDP 10.1.1.2 -> 10.1.1.1 with no committed connection: after
dnl ct(table=0) it is not +est, so it hits the priority=1 drop and no
dnl packet-in is produced.)
174 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
176 dnl OK, now start a new connection from port 1.
dnl (UDP 10.1.1.1 -> 10.1.1.2, committed and punted: first packet-in.)
177 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c00000000001100000a0101010a0101020001000200080000'])
179 dnl Now try a reply from port 2.
dnl (Same reply as before, but now a committed connection exists so it is
dnl reported as est|rpl|trk: second packet-in.)
180 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
182 dnl Check this output. We only see the latter two packets, not the first.
183 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
184 NXT_PACKET_IN (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
185 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
186 NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
187 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
190 OVS_TRAFFIC_VSWITCHD_STOP
193 AT_SETUP([conntrack - IPv4 HTTP])
dnl Basic stateful firewall over TCP: connections may only be initiated
dnl from ns0; ns1 may only send packets that belong to an established
dnl connection.
195 OVS_TRAFFIC_VSWITCHD_START()
197 ADD_NAMESPACES(at_ns0, at_ns1)
199 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
200 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
202 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl ARP and ICMP are switched normally without conntrack (ICMP is needed for
dnl the connectivity ping below and is not subject to the stateful check).
dnl TCP from port 1 is committed and forwarded to port 2; TCP from port 2 is
dnl first tracked (ct(table=0)) and only forwarded if +est.
203 AT_DATA([flows.txt], [dnl
204 priority=1,action=drop
205 priority=10,arp,action=normal
206 priority=10,icmp,action=normal
207 priority=100,in_port=1,tcp,action=ct(commit),2
208 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
209 priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
212 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
214 dnl Basic connectivity check.
215 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 >/dev/null])
217 dnl HTTP requests from ns0->ns1 should work fine.
dnl test-l7.py serves HTTP in ns1; wget retries up to 3 times with a 1s
dnl timeout and waits for the server to come up (--retry-connrefused).
218 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
219 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The committed connection must be visible in the datapath conntrack table
dnl (ports are normalised to <cleared> by FORMAT_CT); TIME_WAIT shows the
dnl full handshake and teardown were tracked.
221 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
222 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
225 dnl HTTP requests from ns1->ns0 should fail due to network failure.
226 dnl Try 3 times, in 1 second intervals.
dnl A SYN from port 2 is never +est, so it is dropped; wget exits with
dnl status 4 (the expected value on NS_CHECK_EXEC below).
227 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
228 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])
230 OVS_TRAFFIC_VSWITCHD_STOP
233 AT_SETUP([conntrack - IPv6 HTTP])
dnl IPv6 counterpart of the IPv4 HTTP test: same one-way policy using tcp6
dnl matches, with icmp6 passed untracked (neighbour discovery is ICMPv6).
235 OVS_TRAFFIC_VSWITCHD_START()
237 ADD_NAMESPACES(at_ns0, at_ns1)
239 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
240 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
242 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
243 AT_DATA([flows.txt], [dnl
244 priority=1,action=drop
245 priority=10,icmp6,action=normal
246 priority=100,in_port=1,tcp6,action=ct(commit),2
247 priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
248 priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
251 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
253 dnl Without this sleep, we get occasional failures due to the following error:
254 dnl "connect: Cannot assign requested address"
dnl NOTE(review): the sleep this comment refers to does not appear in this
dnl listing -- confirm it was not dropped.
257 dnl HTTP requests from ns0->ns1 should work fine.
dnl "http6" makes test-l7.py listen on IPv6; the literal address is
dnl double-bracketed because of m4 quoting.
258 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
260 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
262 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
263 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
266 dnl HTTP requests from ns1->ns0 should fail due to network failure.
267 dnl Try 3 times, in 1 second intervals.
268 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
269 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
271 OVS_TRAFFIC_VSWITCHD_STOP
274 AT_SETUP([conntrack - commit, recirc])
dnl Checks that ct(...,table=N) recirculation works and that pipeline
dnl metadata set before a ct() action is still present after it.
276 OVS_TRAFFIC_VSWITCHD_START()
278 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
280 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
281 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
282 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
283 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
285 dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Ports 1/2: every untracked packet is committed (port 1) or tracked
dnl (port 2) and recirculated; once +trk it is forwarded with no state
dnl check, so this pair only exercises recirculation itself.
dnl Ports 3/4: port 3 makes two passes through conntrack, using the
dnl metadata field to tell them apart -- first pass with metadata=0 only
dnl looks up, second pass sets metadata=1 and commits, third match outputs.
dnl If metadata were lost across the recirculation the flow would loop or
dnl fall to the default drop and the second wget would fail.
286 AT_DATA([flows.txt], [dnl
287 priority=1,action=drop
288 priority=10,arp,action=normal
289 priority=10,icmp,action=normal
290 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
291 priority=100,in_port=1,tcp,ct_state=+trk,action=2
292 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
293 priority=100,in_port=2,tcp,ct_state=+trk,action=1
294 priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
295 priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
296 priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
297 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
298 priority=100,in_port=4,tcp,ct_state=+trk,action=3
301 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
303 dnl HTTP requests from p0->p1 should work fine.
304 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
305 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
307 dnl HTTP requests from p2->p3 should work fine.
308 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
309 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
311 OVS_TRAFFIC_VSWITCHD_STOP
314 AT_SETUP([conntrack - preserve registers])
dnl Same pipeline as "commit, recirc", but the two-pass marker on port 3 is
dnl kept in NXM_NX_REG0 instead of the metadata field, verifying that
dnl registers survive ct() recirculation.
316 OVS_TRAFFIC_VSWITCHD_START()
318 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
320 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
321 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
322 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
323 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
325 dnl Allow any traffic from ns0->ns1, ns2->ns3.
dnl Port 3: reg0=0 on the first (lookup-only) pass, reg0=1 on the second
dnl (commit) pass, then output to 4.  The "[[]]" is m4 quoting for "[]".
326 AT_DATA([flows.txt], [dnl
327 priority=1,action=drop
328 priority=10,arp,action=normal
329 priority=10,icmp,action=normal
330 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
331 priority=100,in_port=1,tcp,ct_state=+trk,action=2
332 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
333 priority=100,in_port=2,tcp,ct_state=+trk,action=1
334 priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
335 priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
336 priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
337 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
338 priority=100,in_port=4,tcp,ct_state=+trk,action=3
341 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
343 dnl HTTP requests from p0->p1 should work fine.
344 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
345 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
347 dnl HTTP requests from p2->p3 should work fine.
348 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
349 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
351 OVS_TRAFFIC_VSWITCHD_STOP
354 AT_SETUP([conntrack - invalid])
dnl Demonstrates what happens when a connection is tracked but never
dnl committed: the reply cannot be associated with anything and conntrack
dnl reports it as invalid (+inv).
356 OVS_TRAFFIC_VSWITCHD_START()
358 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
360 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
361 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
362 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
363 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
365 dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
366 dnl the opposite direction. This should fail.
367 dnl Pass traffic from ns2->ns3 without committing, and this time match
368 dnl invalid traffic and allow it through.
dnl Ports 1/2: ct() without commit on the request; the reply from port 2 is
dnl tracked and only +new is permitted, which a reply never is.
dnl Ports 3/4: identical, except that +inv is also permitted on port 4.
dnl Note that permitting +inv effectively switches off the stateful check
dnl for that port -- the second pair exists to show that, not to recommend it.
369 AT_DATA([flows.txt], [dnl
370 priority=1,action=drop
371 priority=10,arp,action=normal
372 priority=10,icmp,action=normal
373 priority=100,in_port=1,tcp,action=ct(),2
374 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
375 priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
376 priority=100,in_port=3,tcp,action=ct(),4
377 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
378 priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
379 priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
382 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
384 dnl We set up our rules to allow the request without committing. The return
385 dnl traffic can't be identified, because the initial request wasn't committed.
386 dnl For the first pair of ports, this means that the connection fails.
dnl (wget exit status 4 is expected here; --retry-connrefused is kept so
dnl the failure is the dropped reply, not a server that is not yet up.)
387 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
388 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
390 dnl For the second pair, we allow packets from invalid connections, so it works.
391 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
392 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
394 OVS_TRAFFIC_VSWITCHD_STOP
397 AT_SETUP([conntrack - zones])
dnl Conntrack zones are independent state tables.  A connection committed in
dnl one zone must not be visible to a lookup in another; this test checks
dnl both the positive (same zone) and negative (different zone) case.
399 OVS_TRAFFIC_VSWITCHD_START()
401 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
403 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
404 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
405 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
406 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
408 dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
409 dnl For ns2->ns3, use a different zone and see that the match fails.
dnl Ports 1/2: commit and look up in zone 1, return flow requires ct_zone=1.
dnl Ports 3/4: commit and look up in zone 2, but the return flow still
dnl requires ct_zone=1, so no reply can ever match it.
410 AT_DATA([flows.txt], [dnl
411 priority=1,action=drop
412 priority=10,arp,action=normal
413 priority=10,icmp,action=normal
414 priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
415 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
416 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
417 priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
418 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
419 priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
422 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
424 dnl HTTP requests from p0->p1 should work fine.
425 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
426 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The entry is tagged zone=1 and reached TIME_WAIT (full exchange seen).
428 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
429 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
432 dnl HTTP requests from p2->p3 should fail due to network failure.
433 dnl Try 3 times, in 1 second intervals.
434 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
435 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The zone=2 entry exists (the request was committed) but stays
dnl ESTABLISHED rather than TIME_WAIT -- presumably because the reply was
dnl observed by the zone-2 lookup before being dropped, so the handshake
dnl never completes from the client's side.  Inferred; confirm.
437 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
438 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=ESTABLISHED)
441 OVS_TRAFFIC_VSWITCHD_STOP
444 AT_SETUP([conntrack - zones from field])
dnl Same zone-isolation check as "conntrack - zones", but the zone is taken
dnl from a register (bits 0..15 of REG0) instead of being a literal in the
dnl ct() action.
446 OVS_TRAFFIC_VSWITCHD_START()
448 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
450 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
451 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
452 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
453 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
455 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl For ns2->ns3 the zone loaded into REG0 is 0x1002 while the return flow
dnl on port 4 still matches ct_zone=0x1001, so the reply is dropped.
456 AT_DATA([flows.txt], [dnl
457 priority=1,action=drop
458 priority=10,arp,action=normal
459 priority=10,icmp,action=normal
460 priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
461 priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
462 priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
463 priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
464 priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
465 priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
468 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
470 dnl HTTP requests from p0->p1 should work fine.
471 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
472 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl dump-conntrack prints the zone in decimal: 4097 == 0x1001.
474 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
475 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=4097,protoinfo=(state=TIME_WAIT)
478 dnl HTTP requests from p2->p3 should fail due to network failure.
479 dnl Try 3 times, in 1 second intervals.
480 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
481 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl 4098 == 0x1002; the connection was committed but the reply never passed.
483 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
484 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=4098,protoinfo=(state=ESTABLISHED)
487 OVS_TRAFFIC_VSWITCHD_STOP
490 AT_SETUP([conntrack - multiple bridges])
dnl Two bridges joined by a patch-port pair; each bridge runs its own
dnl conntrack policy in its own zone (1 on br0, 2 on br1), so a packet is
dnl tracked twice on its way from ns0 to ns1.
dnl NOTE(review): br1 must exist before "add-port br1 patch-"; the line that
dnl creates it does not appear in this listing -- confirm it was not dropped.
492 OVS_TRAFFIC_VSWITCHD_START(
494 add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
495 add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
497 ADD_NAMESPACES(at_ns0, at_ns1)
499 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
500 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
502 dnl Allow any traffic from ns0->br1, allow established in reverse.
dnl Port numbering is presumably by order of addition (patch port = 1, veth
dnl = 2 on each bridge) -- confirm.  On br0: new TCP from the veth (2) is
dnl committed in zone 1 and sent to the patch port; TCP from the patch port
dnl (1) is looked up in zone 1 and forwarded only if +est.
503 AT_DATA([flows-br0.txt], [dnl
504 priority=1,action=drop
505 priority=10,arp,action=normal
506 priority=10,icmp,action=normal
507 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
508 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
509 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
512 dnl Allow any traffic from br0->ns1, allow established in reverse.
dnl On br1: everything is looked up in zone 2 first; +new from the patch
dnl port (1) is committed and forwarded to the veth (2); +est in either
dnl direction is (re)committed and forwarded.
513 AT_DATA([flows-br1.txt], [dnl
514 priority=1,action=drop
515 priority=10,arp,action=normal
516 priority=10,icmp,action=normal
517 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
518 priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
519 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
520 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
521 priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
524 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
525 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])
527 dnl HTTP requests from p0->p1 should work fine.
528 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
529 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
531 OVS_TRAFFIC_VSWITCHD_STOP
534 AT_SETUP([conntrack - multiple zones])
dnl One flow commits the same connection into two zones back to back; the
dnl return path only consults zone 2.  Verifies that consecutive ct()
dnl actions in one action list each take effect.
536 OVS_TRAFFIC_VSWITCHD_START()
538 ADD_NAMESPACES(at_ns0, at_ns1)
540 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
541 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
543 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
dnl Port 1: commit in zone 1, then in zone 2, then output.  Port 2: look up
dnl in zone 2 only and forward whatever is +trk with ct_zone=2.
544 AT_DATA([flows.txt], [dnl
545 priority=1,action=drop
546 priority=10,arp,action=normal
547 priority=10,icmp,action=normal
548 priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
549 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
550 priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
553 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
555 dnl HTTP requests from p0->p1 should work fine.
556 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
557 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
559 dnl (again) HTTP requests from p0->p1 should work fine.
560 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Both zones hold an entry for the connection.  Zone 2 saw both directions
dnl and reached TIME_WAIT; zone 1 only ever saw the client side (replies are
dnl never looked up in zone 1), which is presumably why it remains in
dnl SYN_SENT -- confirm.
562 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
563 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=SYN_SENT)
564 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
567 OVS_TRAFFIC_VSWITCHD_STOP
570 AT_SETUP([conntrack - multiple zones, local])
dnl Traffic originates from the host's own stack via the bridge's LOCAL
dnl port rather than from a namespace, and is tracked in two zones on the
dnl way out and checked in both on the way back.
572 OVS_TRAFFIC_VSWITCHD_START()
574 ADD_NAMESPACES(at_ns0)
dnl Give br0 itself an address so the root namespace can talk to ns0; the
dnl on_exit hook removes it again even if the test fails part-way.
576 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
577 AT_CHECK([ip link set dev br0 up])
578 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
579 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
581 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
582 dnl return traffic from ns0 back to the local stack.
dnl Packets from LOCAL that are still untracked are dropped; only +new or
dnl +est ones are committed into zones 1 and 2 and forwarded.  That relies
dnl on traffic from the local stack already carrying conntrack state when it
dnl enters OVS (inferred from the -trk drop rule -- confirm).
dnl Return traffic from port 1 is looked up in zone 1 (table 1) and then in
dnl zone 2 (table 2); it must be +est in both before reaching LOCAL.
583 AT_DATA([flows.txt], [dnl
584 priority=1,action=drop
585 priority=10,arp,action=normal
586 priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
587 priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
588 priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
589 priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
590 table=1,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
591 table=2,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
594 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Unlike the namespace tests, ICMP is not exempted here, so the ping
dnl itself goes through both zones.
596 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
597 3 packets transmitted, 3 received, 0% packet loss, time 0ms
600 dnl HTTP requests from root namespace to p0 should work fine.
601 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
602 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
604 dnl (again) HTTP requests from root namespace to p0 should work fine.
605 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Expect the ICMP and TCP connections in both zone 1 and zone 2; the
dnl "grep zone" drops any untagged entries from the dump.
607 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
608 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
609 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=2
610 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
611 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
614 OVS_TRAFFIC_VSWITCHD_STOP
617 AT_SETUP([conntrack - multiple namespaces, internal ports])
dnl Same one-way TCP policy as the HTTP tests, but the ports are OVS
dnl internal ports moved into namespaces (ADD_INT) rather than veths.  The
dnl bridge is put in secure fail mode so no implicit "normal" forwarding
dnl can mask a policy failure.
619 OVS_TRAFFIC_VSWITCHD_START(
620 [set-fail-mode br0 secure -- ])
622 ADD_NAMESPACES(at_ns0, at_ns1)
624 ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
625 ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")
627 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
629 dnl If skb->nfct is leaking from inside the namespace, this test will fail.
dnl (Internal ports hand the skb straight from the namespace's stack to the
dnl datapath; any conntrack state attached there would make the "-trk"
dnl match on port 1 miss and the packet would hit the default drop.)
630 AT_DATA([flows.txt], [dnl
631 priority=1,action=drop
632 priority=10,arp,action=normal
633 priority=10,icmp,action=normal
634 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
635 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
636 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
639 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
641 dnl HTTP requests from p0->p1 should work fine.
642 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
643 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
645 dnl (again) HTTP requests from p0->p1 should work fine.
646 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
648 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
649 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
dnl The two log messages filtered here are tolerated at teardown, presumably
dnl because the internal ports disappear together with their namespaces
dnl before vswitchd cleans them up -- confirm.
652 OVS_TRAFFIC_VSWITCHD_STOP(["dnl
653 /ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
654 /removing policing failed: No such device/d"])
657 AT_SETUP([conntrack - multi-stage pipeline, local])
dnl A five-table pipeline in the style of a per-port firewall: ingress
dnl conntrack keyed on the input port, egress conntrack keyed on the output
dnl port, and an explicit output stage.  Traffic again originates from the
dnl host stack through LOCAL.
659 OVS_TRAFFIC_VSWITCHD_START()
661 ADD_NAMESPACES(at_ns0)
663 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
664 AT_CHECK([ip link set dev br0 up])
665 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
666 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
668 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
669 dnl return traffic from ns0 back to the local stack.
670 AT_DATA([flows.txt], [dnl
672 table=0,priority=1,action=drop
673 table=0,priority=10,arp,action=normal
675 dnl Load the output port to REG0
dnl Table 0 only decides the destination: LOCAL-originated traffic goes to
dnl port 1, port-1 traffic goes to 65534 (the LOCAL port number, matching
dnl the zone=65534 entries expected below).
676 table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
677 table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
680 dnl - Allow all connections from LOCAL port (commit and proceed to egress)
681 dnl - All other connections go through conntracker using the input port as
682 dnl a connection tracking zone.
dnl Table 1 = ingress conntrack.  The zone is the input port itself, so
dnl state learned on one port can never satisfy a lookup on another.
683 table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
684 table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
685 table=1,priority=1,action=drop
688 dnl - Allow all connections from LOCAL port (commit and skip to output)
689 dnl - Allow other established connections to go through conntracker using
690 dnl output port as a connection tracking zone.
dnl Table 2 = egress conntrack, zone = output port from REG0.  Only traffic
dnl that was already +est in its ingress zone is allowed to proceed.
691 table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
692 table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
693 table=2,priority=1,action=drop
695 dnl Only allow established traffic from egress ct lookup
696 table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
697 table=3,priority=1,action=drop
dnl Table 4 = output to the port chosen in table 0.
700 table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
703 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl ICMP is not exempted in this pipeline, so the ping is tracked too.
705 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
706 3 packets transmitted, 3 received, 0% packet loss, time 0ms
709 dnl HTTP requests from root namespace to p0 should work fine.
710 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
711 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
713 dnl (again) HTTP requests from root namespace to p0 should work fine.
714 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Each connection appears once per zone: zone 1 (port 1) and zone 65534
dnl (LOCAL).
716 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
717 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
718 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=65534
719 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
720 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=TIME_WAIT)
723 OVS_TRAFFIC_VSWITCHD_STOP
726 AT_SETUP([conntrack - ct_mark])
dnl ct_mark is a 32-bit value stored with the connection.  The test sets it
dnl at commit time with exec(set_field:...) and matches on it for the
dnl return direction; a mismatching mark must not admit the reply.
728 OVS_TRAFFIC_VSWITCHD_START()
730 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
732 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
733 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
734 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
735 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
737 dnl Allow traffic between ns0<->ns1 using the ct_mark.
738 dnl Check that different marks do not match for traffic between ns2<->ns3.
dnl Ports 1/2: commit with mark 1, return requires ct_mark=1.
dnl Ports 3/4: commit with mark 2, but return still requires ct_mark=1.
739 AT_DATA([flows.txt], [dnl
740 priority=1,action=drop
741 priority=10,arp,action=normal
742 priority=10,icmp,action=normal
743 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
744 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
745 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
746 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
747 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
748 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
751 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
753 dnl HTTP requests from p0->p1 should work fine.
754 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
755 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl "grep TIME" restricts the dump to the finished connection; it must carry
dnl mark=1.
757 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
758 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=TIME_WAIT)
761 dnl HTTP requests from p2->p3 should fail due to network failure.
762 dnl Try 3 times, in 1 second intervals.
763 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
764 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The connection was committed with mark=2, so the mark=1 return rule
dnl never matched and the entry never progressed past ESTABLISHED.
766 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
767 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=ESTABLISHED)
770 OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ct_mark from register])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
dnl Same policy as the ct_mark test above, but the mark is first loaded into
dnl reg0 and then moved into ct_mark inside the ct exec block instead of being
dnl set directly. Allow traffic between ns0<->ns1 using ct_mark=1 and check
dnl that the different mark committed for ns2<->ns3 does not satisfy the
dnl return rule, so that connection can never complete.
AT_DATA([flows.txt], [dnl
dnl Default deny. ARP and ICMP are forwarded untracked so that address
dnl resolution and ping work independently of the TCP policy.
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
dnl ns0->ns1: load 1 into reg0, commit the connection with ct_mark copied from
dnl reg0, forward.
priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
dnl ns1->ns0: recirculate untracked packets through conntrack, then forward
dnl only packets whose connection carries ct_mark=1.
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
dnl ns2->ns3: same shape, but the committed mark is 2 while the return rule
dnl still requires ct_mark=1, so replies from ns3 fall through to the drop.
priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The completed connection must carry mark=1. Only the TIME_WAIT entry is
dnl checked so the assertion does not race with other teardown states.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=TIME_WAIT)
dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl The entry exists with mark=2 and stays ESTABLISHED: the SYN-ACK from ns3
dnl went through ct(table=0) and updated the connection state before the mark
dnl mismatch dropped it, so the client never sees it and the handshake never
dnl completes.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=ESTABLISHED)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ct_label])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
dnl Allow traffic between ns0<->ns1 using the ct_label.
dnl Check that different labels do not match for traffic between ns2<->ns3.
dnl ct_label is a 128-bit field; the value used here is wider than 64 bits so
dnl that setting and matching the upper part of the field is exercised too.
AT_DATA([flows.txt], [dnl
dnl Default deny; ARP and ICMP are forwarded untracked.
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
dnl ns0->ns1: commit with the full label and forward.
priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
dnl ns1->ns0: forward only return traffic whose connection carries exactly
dnl that label (unmasked match).
priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
dnl ns2->ns3: committed with label 0x2, but the return rule still requires the
dnl ns0/ns1 label, so replies from ns3 are dropped.
priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl HTTP requests from p2->p3 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
dnl NOTE: unlike the ct_mark tests, this case asserts reachability only and
dnl does not dump the conntrack table to confirm the committed label values.
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ICMP related])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
dnl ns0->ns1: commit UDP with ct_mark=1 and forward.
priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
dnl ns1->ns0: run ICMP through conntrack, then forward it only if conntrack
dnl tied it to a tracked connection (+rel) and that connection carries mark 1.
dnl An ICMP error that quotes no tracked flow stays -rel and hits the drop.
priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl If we simulate a UDP request to a port that isn't serving any real traffic,
dnl then the destination responds with an ICMP "destination unreachable"
dnl message, it should be marked as "related".
dnl Both packets are injected with packet-out and resubmitted to table 0, so
dnl the flow table alone decides their fate.
dnl UDP 10.1.1.1:33692 -> 10.1.1.2:5000 with a 2-byte payload.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 resubmit\(,0\) 'dnl
0000 0000 0000 0000 0000 0000 0800 4500 dnl
001e bb85 4000 4011 6945 0a01 0101 0a01 dnl
0102 839c 1388 000a f1a6 610a'])
dnl ICMP type 3 code 3 (port unreachable) from 10.1.1.2 back to 10.1.1.1,
dnl embedding the UDP datagram above so conntrack can associate it with that
dnl connection.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 resubmit\(,0\) 'dnl
0000 0000 0000 0000 0000 0000 0800 45c0 dnl
003a 411e 0000 4001 22e1 0a01 0102 0a01 dnl
0101 0303 131d 0000 0000 dnl
4500 001e bb85 4000 4011 6945 0a01 0101 dnl
0a01 0102 839c 1388 000a f1a6 610a'])
dnl Push datapath flow statistics up to the OpenFlow table before dumping it.
AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl The ICMP packet hit both in_port=2 rules: it was tracked and classified
dnl +rel with the parent connection's ct_mark. The drop rule is filtered out
dnl of the output, so the unsolicited-ICMP negative case is not asserted
dnl here; see "ICMP related 2" for that.
AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
priority=10,arp actions=NORMAL
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - ICMP related 2])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")
dnl Track UDP from ns0->ns1 and report every tracked packet from ns0 to the
dnl controller. From ns1->ns0 only ICMP that conntrack classifies as a related
dnl reply (+rel+rpl) of a committed connection reaches the controller; anything
dnl else, including an unsolicited ICMP error, falls through to the drop rule.
dnl Packets are injected with packet-out and observed as packet-ins.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
dnl ns0->ns1: commit untracked UDP and recirculate; tracked IP goes to the
dnl controller.
priority=100,in_port=1,udp,ct_state=-trk,action=ct(commit,table=0)
priority=100,in_port=1,ip,ct_state=+trk,actions=controller
dnl ns1->ns0: recirculate through conntrack; only related replies are reported.
priority=100,in_port=2,ip,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,ip,ct_state=+trk+rel+rpl,action=controller
AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])
AT_CAPTURE_FILE([ofctl_monitor.log])
dnl Record packet-ins; the miss length of 65534 asks for the full packet.
AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request.
dnl    It quotes a UDP flow 172.16.0.3 -> 172.16.0.4 that was never committed, so
dnl    conntrack cannot mark it related and the controller must not see it.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f355ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])
dnl 2. Send a UDP packet 172.16.0.1:41614 -> 172.16.0.2:5555 and commit it.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
dnl 3. Send an ICMP port unreach reply for port 5555, quoting the UDP packet
dnl    from step 2, so it is related to a committed connection.
AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
dnl Check this output. We only see the latter two packets, not the first.
dnl This is the negative case for related-ICMP handling: an ICMP error that
dnl does not quote a committed connection is not accepted as a reply.
AT_CHECK([cat ofctl_monitor.log], [0], [dnl
NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - FTP])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Allow any TCP from ns0->ns1, committed with the FTP ALG attached.
dnl From ns1->ns0 only allow ARP, ICMP, established return traffic and
dnl connections that conntrack marks as related, i.e. the server-initiated
dnl data connection of active-mode FTP that the ALG expected.
AT_DATA([flows1.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
dnl alg=ftp makes conntrack inspect the control channel and register
dnl expectations for the data connections it announces.
priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1
dnl Stricter policy: ns0->ns1 must also go through conntrack, only new
dnl connections are committed (with the FTP ALG) and established ones are
dnl forwarded. From ns1->ns0 a new connection is accepted and committed only
dnl when conntrack marks it related, i.e. it was expected by the ALG.
AT_DATA([flows2.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
priority=100,in_port=1,tcp,ct_state=+trk+est,action=2
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1
AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
dnl FTP requests from p1->p0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
dnl Expect no conntrack entry: the SYN from ns1 is tracked by ct(table=0) but
dnl never committed, and it is neither established nor related.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
dnl FTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl The control connection carries the ftp helper. FIN states are filtered
dnl out to avoid racing with connection teardown.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
dnl Try the second set of flows.
AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
AT_CHECK([ovs-appctl dpctl/flush-conntrack])
dnl FTP requests from p1->p0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
dnl Expect no conntrack entry: a plain new connection from ns1 is not related,
dnl so it is never committed.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
dnl Active FTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
dnl Active mode: the server opens the data connection back to the client, so
dnl the second entry has 10.1.1.2 as originator. It was admitted only because
dnl the ALG expected it (+rel) and the related rule committed it.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
AT_CHECK([ovs-appctl dpctl/flush-conntrack])
dnl Passive FTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
dnl Passive mode: the client opens the data connection too, so both entries
dnl have 10.1.1.1 as originator; only the control connection has the helper.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 FTP])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Allow new FTP control connections (port 21) from ns0->ns1 only.
dnl From ns1->ns0 allow ICMPv6 (including ND), established traffic and new
dnl connections that conntrack marks as related, i.e. expected by the ALG.
AT_DATA([flows.txt], [dnl
dnl Track all IPv6 traffic and drop the rest.
dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
table=0 priority=100 in_port=1 icmp6, action=2
table=0 priority=100 in_port=2 icmp6, action=1
table=0 priority=10 ip6, action=ct(table=1)
table=0 priority=0 action=drop
dnl Allow new TCPv6 FTP control connections from port 1.
dnl Only the control port is admitted as new, unlike the IPv4 FTP test.
table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
dnl Allow related TCPv6 connections from port 2.
table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
dnl Allow established TCPv6 connections both ways.
table=1 in_port=1 ct_state=+est, tcp6, action=2
table=1 in_port=2 ct_state=+est, tcp6, action=1
dnl Drop everything else.
table=1 priority=0, action=drop
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
dnl FTP requests from p0->p1 should work fine.
dnl Active mode: the server connects back to the client; that SYN arrives on
dnl port 2 as +new+rel and is committed by the related rule above.
NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
dnl Discards CLOSE_WAIT and CLOSING
dnl Expect the control connection (helper=ftp) and the server-originated data
dnl connection.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2) | grep -v "FIN" | grep -v "CLOS"], [0], [dnl
tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - FTP with multiple expectations])
AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Dual-firewall: every connection is tracked in two zones. Allow all from
dnl ns0->ns1, allow established and FTP-related connections from ns1->ns0.
dnl Committing the control connection with alg=ftp in both zones registers
dnl one expectation per zone, and the data connection must be recognised as
dnl related and committed in both.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=10,icmp,action=normal
dnl ns0->ns1: track in zone 1 first, commit new connections in both zones.
priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2)
dnl Established in zone 1 but new in zone 2: committed, but there is no output
dnl action, so the packet goes no further.
priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2)
priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
dnl ns1->ns0: track in zone 2 first; only related or established traffic
dnl passes, and related connections are committed in both zones.
priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1)
priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
dnl FTP requests from p1->p0 should fail due to network failure.
dnl Try 3 times, in 1 second intervals.
NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
dnl Expect no entry in either zone: the SYN from ns1 is neither related nor
dnl established, so it is never committed.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
dnl Active FTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Control connection (helper=ftp) and server-originated data connection,
dnl each present in zone 1 and zone 2.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
AT_CHECK([ovs-appctl dpctl/flush-conntrack])
dnl Passive FTP requests from p0->p1 should work fine.
NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
dnl Both connections are client-originated in passive mode; again one entry
dnl per zone for each.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT),helper=ftp
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT),helper=ftp
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv4 fragmentation ])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl Sending ping through conntrack.
dnl Echo requests from ns0 are committed in zone 9; only replies that belong
dnl to an established entry are forwarded back.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl IPv4 fragmentation connectivity check.
dnl Payloads of 1600 and 3200 bytes exceed the default 1500-byte veth MTU, so
dnl each echo is sent as several fragments. Only the first fragment carries the
dnl ICMP header; the icmp matches above therefore rely on conntrack
dnl reassembling the fragments before the lookup.
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl IPv4 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv4 fragmentation + vlan])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl The pings below use the VLAN 100 sub-interfaces, so the fragments arrive
dnl 802.1Q tagged.
ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
dnl Sending ping through conntrack.
dnl Same policy as the untagged IPv4 fragmentation test: echo requests from
dnl ns0 are committed in zone 9, only established replies come back.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl IPv4 fragmentation connectivity check (fragments must be reassembled by
dnl conntrack after the VLAN tag is accounted for).
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl IPv4 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 fragmentation])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Sending ping through conntrack.
dnl All IPv6 from ns0 is committed in zone 9 and only established replies are
dnl forwarded back. Neighbor Solicitation/Advertisement (ICMPv6 types 135 and
dnl 136) is forwarded untracked at higher priority so address resolution
dnl works in both directions.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl IPv6 fragmentation connectivity check.
dnl Payloads of 1600 and 3200 bytes exceed the default 1500-byte veth MTU, so
dnl the sender emits fragments carrying a Fragment extension header; the
dnl conntrack lookup relies on those fragments being reassembled.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl IPv6 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - IPv6 fragmentation + vlan])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl The pings below use the VLAN 100 sub-interfaces, so the fragments arrive
dnl 802.1Q tagged.
ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")
dnl Sending ping through conntrack.
dnl Same policy as the untagged IPv6 fragmentation test: all IPv6 from ns0 is
dnl committed in zone 9, only established replies come back, and ND (ICMPv6
dnl types 135/136) is forwarded untracked.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
priority=100,icmp6,icmp_type=135,action=normal
priority=100,icmp6,icmp_type=136,action=normal
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Without this sleep, we get occasional failures due to the following error:
dnl "connect: Cannot assign requested address"
dnl Basic connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl IPv6 fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl IPv6 larger fragmentation connectivity check.
NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - Fragmentation over vxlan])
dnl Skip when the local iproute2 has no vxlan support.
AT_SKIP_IF([! ip link help 2>&1 | grep vxlan >/dev/null])
OVS_TRAFFIC_VSWITCHD_START()
dnl br-underlay carries the encapsulated traffic and is a plain learning switch.
ADD_BR([br-underlay])
AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
ADD_NAMESPACES(at_ns0)
dnl Sending ping through conntrack.
dnl in_port=1 is the vxlan port added to br0 below (br0 has no other ports, so
dnl it is expected to get ofport 1); LOCAL is br0 itself, which receives the
dnl overlay address 10.1.1.100. Decapsulated echo requests are committed in
dnl zone 9 and only established replies are sent back into the tunnel.
AT_DATA([flows.txt], [dnl
priority=1,action=drop
priority=10,arp,action=normal
priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
priority=100,in_port=LOCAL,ct_state=-trk,icmp,action=ct(table=0,zone=9)
priority=100,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Set up underlay link from host into the namespace using veth pair.
ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
AT_CHECK([ip link set dev br-underlay up])
dnl Set up tunnel endpoints on OVS outside the namespace and with a native
dnl linux device inside the namespace (VNI 0, standard VXLAN port 4789).
ADD_OVS_TUNNEL([vxlan], [br0], [at_ns0], [172.31.1.1], [10.1.1.100/24])
ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
[id 0 dstport 4789])
dnl First, check the underlay
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
dnl Okay, now check the overlay with different packet sizes.
dnl The oversized echoes should be fragmented by the namespace stack before
dnl encapsulation, so br0 sees IP fragments after decapsulation and conntrack
dnl must reassemble them for the icmp match.
NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
3 packets transmitted, 3 received, 0% packet loss, time 0ms
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - resubmit to ct multiple times])
dnl Regression check: one packet resubmitted to two tables that each call
dnl ct(table=3) must reach table 3 twice (n_packets=2, n_bytes=196 below),
dnl i.e. recirculation through conntrack must not lose the second copy.
dnl Secure fail mode, presumably so that no implicit NORMAL default flow is
dnl present and the dump-flows output below is exactly the flows installed here.
OVS_TRAFFIC_VSWITCHD_START(
[set-fail-mode br0 secure -- ])
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
AT_DATA([flows.txt], [dnl
table=0,priority=150,arp,action=normal
table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)
table=1,priority=100,ip,action=ct(table=3)
table=2,priority=100,ip,action=ct(table=3)
dnl Everything reaching table 3 is dropped, so the ping below cannot succeed.
table=3,ip,action=drop
AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1 packets transmitted, 0 received, 100% packet loss, time 0ms
dnl The single 98-byte echo request is counted once in tables 0, 1 and 2 and
dnl twice in table 3.
AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
table=1, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
table=2, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
table=3, n_packets=2, n_bytes=196, ip actions=drop
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - simple SNAT])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fix the ns0 MAC so the ARP responder in table 8 can hand it out for the
dnl SNAT address range.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl SNAT all IP from ns0->ns1 into 10.1.1.240-10.1.1.255 in zone 1 and reverse
dnl the translation on traffic from ns1->ns0.
dnl NOTE: the in_port=2 forwarding rule matches any tracked packet in zone 1,
dnl including ct_state=+new, so this table does not restrict ns1->ns0 to
dnl return traffic; the "more complex SNAT" test below uses +trk-new+est for
dnl that.
dnl NOTE: the range includes 10.1.1.255, the broadcast address of the
dnl 10.1.1.0/24 test subnet. Fine for this test, not a range to copy.
AT_DATA([flows.txt], [dnl
in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=+trk,ct_zone=1,ip,action=1
dnl Allow ARP, but answer requests for NATed addresses ourselves: the target
dnl IP is saved in reg2, table 8 resolves it to a MAC in xreg0 and table 10
dnl either forwards normally (no match) or turns the request into a reply.
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, the SNAT range, mapped to the
dnl ns0 MAC set above.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl Swaps the fields of the ARP message to turn a query to a response, then
dnl sends it back out the ingress port (in_port is cleared so output to it is
dnl permitted).
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The reply tuple's destination is the translated source address; the sed
dnl masks whichever address in the range was chosen.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
OVS_TRAFFIC_VSWITCHD_STOP
AT_SETUP([conntrack - SNAT with port range])
OVS_TRAFFIC_VSWITCHD_START()
ADD_NAMESPACES(at_ns0, at_ns1)
ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl Fix the ns0 MAC so the ARP responder in table 8 can hand it out for the
dnl SNAT address range.
NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl SNAT TCP from ns0->ns1 into 10.1.1.240-10.1.1.255 with the source port
dnl restricted to 34567-34568 (chosen randomly). Only TCP destined to those
dnl two ports is run through the NAT lookup on the way back from ns1.
dnl NOTE: as in the simple SNAT test, the in_port=2 forwarding rule requires
dnl +trk but not +est, so it does not by itself limit ns1->ns0 to return traffic.
dnl NOTE: the range includes 10.1.1.255, the broadcast address of the
dnl 10.1.1.0/24 test subnet. Fine for this test, not a range to copy.
AT_DATA([flows.txt], [dnl
in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:34567-34568,random)),2
in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
dnl Allow ARP, but answer requests for NATed addresses ourselves: the target
dnl IP is saved in reg2, table 8 resolves it to a MAC in xreg0 and table 10
dnl either forwards normally (no match) or turns the request into a reply.
priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
priority=10 arp action=normal
priority=0,action=drop
dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, the SNAT range, mapped to the
dnl ns0 MAC set above.
table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
dnl Swaps the fields of the ARP message to turn a query to a response, then
dnl sends it back out the ingress port (in_port is cleared so output to it is
dnl permitted).
table=10 priority=100 arp xreg0=0 action=normal
table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
table=10 priority=0 action=drop
AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl HTTP requests from p0->p1 should work fine.
NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The reply tuple's destination is the translated source address; the sed
dnl masks whichever address in the range was chosen. The translated port is
dnl already cleared by FORMAT_CT, so the 34567-34568 restriction is not
dnl asserted directly here.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
OVS_TRAFFIC_VSWITCHD_STOP
1494 AT_SETUP([conntrack - more complex SNAT])
dnl Same scenario as the simple SNAT test, but every IP packet is first run
dnl through ct(nat) in table 0 and the forwarding policy lives in table 1.
1496 OVS_TRAFFIC_VSWITCHD_START()
1498 ADD_NAMESPACES(at_ns0, at_ns1)
1500 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl p0 gets a fixed MAC. The ARP responder in table 8 hands out this same
dnl MAC for the whole SNAT range, so ns1 can reach the translated source.
1501 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1502 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1504 AT_DATA([flows.txt], [dnl
1505 dnl Track all IP traffic, NAT existing connections.
dnl Replies from ns1 are reverse-translated here, before table 1 sees them.
1506 priority=100 ip action=ct(table=1,zone=1,nat)
1508 dnl Allow ARP, but generate responses for NATed addresses
dnl Table 8 resolves the queried IP (saved in reg2); table 10 builds the reply.
1509 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1510 priority=10 arp action=normal
1511 priority=0 action=drop
1513 dnl Allow any traffic from ns0->ns1. SNAT ns0 to 10.1.1.240-10.1.1.255
dnl Only new connections are committed and given a NAT mapping; established
dnl ones were already translated by the ct(nat) in table 0.
1514 table=1 priority=100 in_port=1 ip ct_state=+trk+new-est action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
1515 table=1 priority=100 in_port=1 ip ct_state=+trk-new+est action=2
1516 dnl Only allow established traffic from ns1->ns0.
dnl Packets from ns1 without a committed zone-1 entry fall through to the
dnl priority-0 drop, so ns1 cannot open connections towards ns0.
1517 table=1 priority=100 in_port=2 ip ct_state=+trk-new+est action=1
1518 table=1 priority=0 action=drop
1520 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, exactly the SNAT range above.
dnl 0x808888888888 is the MAC assigned to p0.
1521 table=8 priority=100 reg2=0x0a0101f0/0xfffffff0 action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1522 dnl Zero result means not found.
1523 table=8 priority=0 action=load:0->OXM_OF_PKT_REG0[[]]
1524 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1525 dnl ARP TPA IP in reg2.
1526 table=10 priority=100 arp xreg0=0 action=normal
1527 dnl Swaps the fields of the ARP message to turn a query to a response.
dnl The reply goes back out the ingress port, saved in reg3; in_port is
dnl zeroed first, presumably because output to the ingress port is otherwise
dnl suppressed.
1528 table=10 priority=10 arp arp_op=1 action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1529 table=10 priority=0 action=drop
1532 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1534 dnl HTTP requests from p0->p1 should work fine.
1535 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1536 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The SNAT address is chosen from the range, so sed masks its last digit.
dnl A reply dst inside 10.1.1.240-255 proves the source really was translated.
1538 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
1539 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1542 OVS_TRAFFIC_VSWITCHD_STOP
1545 AT_SETUP([conntrack - simple DNAT])
dnl ns0 connects to a virtual IP, 10.1.1.64, that no host owns. Conntrack
dnl DNATs it to ns1 (10.1.1.2) and the ARP responder answers for it.
1547 OVS_TRAFFIC_VSWITCHD_START()
1549 ADD_NAMESPACES(at_ns0, at_ns1)
1551 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1552 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl p1 gets a fixed MAC; table 8 below returns it in ARP replies for the
dnl virtual IP, so ns0 resolves 10.1.1.64 to ns1.
1553 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
1555 dnl Allow any traffic from ns0->ns1. Only allow ARP and established return traffic from ns1->ns0.
1556 AT_DATA([flows.txt], [dnl
dnl Traffic to the virtual IP is DNATed and committed. Everything else from
dnl ns0 is committed untranslated so that its replies still match +est.
1557 priority=100 in_port=1,ip,nw_dst=10.1.1.64,action=ct(zone=1,nat(dst=10.1.1.2),commit),2
1558 priority=10 in_port=1,ip,action=ct(commit,zone=1),2
dnl Untracked packets from ns1 go through ct(nat), which undoes the DNAT on
dnl replies, and then re-enter table 0 as tracked packets.
1559 priority=100 in_port=2,ct_state=-trk,ip,action=ct(table=0,nat,zone=1)
dnl Only packets that belong to a committed zone-1 connection reach ns0.
1560 priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip,action=1
1563 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1564 priority=10 arp action=normal
1565 priority=0,action=drop
1567 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, the virtual IP; 0x808888888888 is the MAC of p1.
1568 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1569 dnl Zero result means not found.
1570 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1571 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1573 table=10 priority=100 arp xreg0=0 action=normal
1574 dnl Swaps the fields of the ARP message to turn a query to a response.
1575 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1576 table=10 priority=0 action=drop
1579 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1581 dnl Should work with the virtual IP address through NAT
1582 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1583 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl The orig tuple keeps the virtual IP as dst while the reply tuple carries
dnl the real server address as src, which is what DNAT should produce.
1585 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64) ], [0], [dnl
1586 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1589 dnl Should work with the assigned IP address as well
dnl This path takes the priority-10 commit without NAT, so both tuples show
dnl the real addresses.
1590 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1592 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) ], [0], [dnl
1593 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1596 OVS_TRAFFIC_VSWITCHD_STOP
1599 AT_SETUP([conntrack - more complex DNAT])
dnl Same DNAT scenario as the simple test, but all IP traffic is tracked and
dnl reverse-translated in table 0 and the policy is expressed in table 1
dnl purely through ct_state.
1601 OVS_TRAFFIC_VSWITCHD_START()
1603 ADD_NAMESPACES(at_ns0, at_ns1)
1605 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1606 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
dnl p1 gets a fixed MAC; table 8 below returns it in ARP replies for the
dnl virtual IP 10.1.1.64.
1607 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
1609 dnl Allow any traffic from ns0->ns1. Only allow ARP and established return traffic from ns1->ns0.
1610 AT_DATA([flows.txt], [dnl
1611 dnl Track all IP traffic
dnl ct(nat) here also reverses the DNAT on replies from ns1.
1612 table=0 priority=100 ip action=ct(table=1,zone=1,nat)
1614 dnl Allow ARP, but generate responses for NATed addresses
1615 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1616 table=0 priority=10 arp action=normal
1617 table=0 priority=0 action=drop
1619 dnl Allow any IP traffic from ns0->ns1. DNAT ns0 from 10.1.1.64 to 10.1.1.2
dnl New connections to the virtual IP are DNATed and committed; other new
dnl connections from ns0 are committed untranslated. Established traffic in
dnl zone 1 is forwarded in both directions.
1620 table=1 priority=100 in_port=1 ct_state=+new ip nw_dst=10.1.1.64 action=ct(zone=1,nat(dst=10.1.1.2),commit),2
1621 table=1 priority=10 in_port=1 ct_state=+new ip action=ct(commit,zone=1),2
1622 table=1 priority=100 in_port=1 ct_state=+est ct_zone=1 action=2
1623 dnl Only allow established traffic from ns1->ns0.
dnl Anything new from ns1 falls through to the priority-0 drop.
1624 table=1 priority=100 in_port=2 ct_state=+est ct_zone=1 action=1
1625 table=1 priority=0 action=drop
1627 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a010140 is 10.1.1.64, the virtual IP; 0x808888888888 is the MAC of p1.
1628 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1629 dnl Zero result means not found.
1630 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1631 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1633 table=10 priority=100 arp xreg0=0 action=normal
1634 dnl Swaps the fields of the ARP message to turn a query to a response.
1635 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1636 table=10 priority=0 action=drop
1639 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1641 dnl Should work with the virtual IP address through NAT
1642 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1643 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
dnl orig dst is the virtual IP, reply src is the real server address.
1645 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64) ], [0], [dnl
1646 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1649 dnl Should work with the assigned IP address as well
dnl This path takes the priority-10 commit without NAT.
1650 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1652 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) ], [0], [dnl
1653 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1656 OVS_TRAFFIC_VSWITCHD_STOP
1659 AT_SETUP([conntrack - ICMP related with NAT])
dnl Checks that an ICMP error triggered by a SNATed UDP flow is classified as
dnl related and has its addresses reverse-translated before it reaches ns0.
1661 OVS_TRAFFIC_VSWITCHD_START()
1663 ADD_NAMESPACES(at_ns0, at_ns1)
1665 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl p0 gets a fixed MAC; table 8 answers ARP for the SNAT range with it.
1666 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1667 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1669 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
1670 dnl Make sure ICMP responses are reverse-NATted.
1671 AT_DATA([flows.txt], [dnl
dnl Every UDP packet from ns0 is committed with SNAT and tagged ct_mark=1.
1672 in_port=1,udp,action=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:1->ct_mark)),2
dnl Untracked ICMP from ns1 is run through ct(nat) to undo the SNAT, then
dnl re-enters table 0 as a tracked packet.
1673 in_port=2,icmp,ct_state=-trk,action=ct(table=0,nat)
dnl Only ICMP that is related to a flow committed above (ct_mark=1) and has
dnl already been translated back to the real address 10.1.1.1 reaches ns0.
1674 in_port=2,icmp,nw_dst=10.1.1.1,ct_state=+trk+rel,ct_mark=1,action=1
1677 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1678 priority=10 arp action=normal
1679 priority=0,action=drop
1681 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, the SNAT range used above.
1682 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1683 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1684 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1686 dnl Swaps the fields of the ARP message to turn a query to a response.
1687 table=10 priority=100 arp xreg0=0 action=normal
1688 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1689 table=10 priority=0 action=drop
1692 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1694 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
1695 dnl We pass "-q 1" here to handle openbsd-style nc that can't quit immediately.
1696 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc -q 1 -u 10.1.1.2 10000"])
dnl NOTE: the purge appears to be here so that the n_packets counts dumped
dnl below are up to date.
1698 AT_CHECK([ovs-appctl revalidator/purge], [0])
dnl The counters confirm the path taken: one UDP packet NATed on port 1, one
dnl untracked ICMP un-NATed on port 2, and one related ICMP that reached
dnl port 1 with nw_dst already rewritten to 10.1.1.1.
1699 AT_CHECK([ovs-ofctl -O OpenFlow15 dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
1700 n_packets=1, n_bytes=42, priority=10,arp actions=NORMAL
1701 n_packets=1, n_bytes=44, udp,in_port=1 actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:0x1->ct_mark)),output:2
1702 n_packets=1, n_bytes=72, ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2,nw_dst=10.1.1.1 actions=output:1
1703 n_packets=1, n_bytes=72, ct_state=-trk,icmp,in_port=2 actions=ct(table=0,nat)
1704 n_packets=2, n_bytes=84, priority=100,arp,arp_op=1 actions=move:NXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1705 table=10, n_packets=1, n_bytes=42, priority=10,arp,arp_op=1 actions=set_field:2->arp_op,move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_NX_ARP_SHA[[]],move:NXM_OF_ARP_SPA[[]]->NXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->NXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],set_field:0->in_port,output:NXM_NX_REG3[[0..15]]
1706 table=10, n_packets=1, n_bytes=42, priority=100,arp,reg0=0,reg1=0 actions=NORMAL
1707 table=8, n_packets=1, n_bytes=42, priority=0 actions=set_field:0->xreg0
1708 table=8, n_packets=1, n_bytes=42, reg2=0xa0101f0/0xfffffff0 actions=set_field:0x808888888888->xreg0
1709 OFPST_FLOW reply (OF1.5):
dnl The UDP entry shows the SNATed reply destination (last digit masked by
dnl sed, since the address is picked from a range) and mark=1.
1712 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
1713 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),mark=1
1716 OVS_TRAFFIC_VSWITCHD_STOP
1720 AT_SETUP([conntrack - FTP with NAT])
dnl Active-mode FTP through SNAT: the control connection is committed with the
dnl ftp ALG so that the server-initiated data connection is seen as related
dnl and can be translated back to the client.
1721 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1724 OVS_TRAFFIC_VSWITCHD_START()
1726 ADD_NAMESPACES(at_ns0, at_ns1)
1728 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl p0 gets a fixed MAC; table 8 answers ARP for the SNAT range with it.
1729 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1730 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1732 dnl Allow any traffic from ns0->ns1. Only allow ARP and return traffic from ns1->ns0.
1734 AT_DATA([flows.txt], [dnl
1735 dnl track all IP traffic, de-mangle non-NEW connections
dnl ct(nat) reverses the translation on established and related packets
dnl before the per-direction policy tables see them.
1736 table=0 in_port=1, ip, action=ct(table=1,nat)
1737 table=0 in_port=2, ip, action=ct(table=2,nat)
1741 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1742 table=0 priority=10 arp action=normal
1743 table=0 priority=0 action=drop
1745 dnl Table 1: port 1 -> 2
1747 dnl Allow new FTP connections. These need to be committed.
dnl alg=ftp makes conntrack follow the control channel and expect the data
dnl connection. The source is NATed to a single address here.
1748 table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
1749 dnl Allow established TCP connections, make sure they are NATted already.
dnl Matching nw_src=10.1.1.240 means an established packet that was not
dnl translated falls through to the droppers below instead of leaking out.
1750 table=1 ct_state=+est, tcp, nw_src=10.1.1.240, action=2
1752 dnl Table 1: droppers
1754 table=1 priority=10, tcp, action=drop
1755 table=1 priority=0,action=drop
1757 dnl Table 2: port 2 -> 1
1759 dnl Allow established TCP connections, make sure they are reverse NATted
1760 table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
1761 dnl Allow (new) related (data) connections. These need to be committed.
dnl In active mode the server opens the data connection towards the NATed
dnl client address; nat without arguments applies the mapping from the
dnl expectation created by the ALG.
1762 table=2 ct_state=+new+rel, tcp, nw_dst=10.1.1.240, action=ct(commit,nat),1
1763 dnl Allow related ICMP packets, make sure they are reverse NATted
1764 table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
1766 dnl Table 2: droppers
1768 table=2 priority=10, tcp, action=drop
1769 table=2 priority=0, action=drop
1771 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, which covers the NAT address above.
1773 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1774 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1775 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1777 dnl Swaps the fields of the ARP message to turn a query to a response.
1778 table=10 priority=100 arp xreg0=0 action=normal
1779 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1780 table=10 priority=0 action=drop
1783 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
dnl Only the ns1-side server is started; the ns0-side line is kept disabled.
1785 dnl NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
1786 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1788 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode, so the data connection is opened by ns1.
1789 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
dnl Two entries are expected: the control connection (helper=ftp) and the
dnl data connection opened by ns1 towards the NAT address, whose reply tuple
dnl shows the real client address. Entries in FIN states are filtered out.
1791 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1792 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
1793 tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
1796 OVS_TRAFFIC_VSWITCHD_STOP
1800 AT_SETUP([conntrack - FTP with NAT 2])
dnl Variant of the FTP with NAT test: table 0 only tracks, and NAT is applied
dnl by the individual ct() actions in table 1.
1801 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1803 OVS_TRAFFIC_VSWITCHD_START()
1805 ADD_NAMESPACES(at_ns0, at_ns1)
1807 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
dnl p0 gets a fixed MAC; table 8 answers ARP for the SNAT range with it.
1808 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1809 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1811 dnl Allow any traffic from ns0->ns1.
1812 dnl Only allow ARP and return traffic from ns1->ns0.
1813 AT_DATA([flows.txt], [dnl
1814 dnl track all IP traffic (this includes a helper call to non-NEW packets.)
dnl No nat here: packets reach table 1 untranslated.
1815 table=0 ip, action=ct(table=1)
1819 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1820 table=0 priority=10 arp action=normal
1821 table=0 priority=0 action=drop
1825 dnl Allow new FTP connections. These need to be committed.
1826 dnl This does helper for new packets.
1827 table=1 in_port=1 ct_state=+new, tcp, tp_dst=21, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
1828 dnl Allow and NAT established TCP connections
dnl ct(nat) on an existing entry applies the stored mapping in whichever
dnl direction the packet travels.
1829 table=1 in_port=1 ct_state=+est, tcp, action=ct(nat),2
1830 table=1 in_port=2 ct_state=+est, tcp, action=ct(nat),1
1831 dnl Allow and NAT (new) related active (data) connections.
1832 dnl These need to be committed.
1833 table=1 in_port=2 ct_state=+new+rel, tcp, action=ct(commit,nat),1
1834 dnl Allow related ICMP packets.
1835 table=1 in_port=2 ct_state=+rel, icmp, action=ct(nat),1
1836 dnl Drop everything else.
dnl This also catches anything new from ns1, which is never committed.
1837 table=1 priority=0, action=drop
1839 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
dnl 0x0a0101f0/0xfffffff0 is 10.1.1.240/28, which covers the NAT address above.
1841 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1842 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1843 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1845 dnl Swaps the fields of the ARP message to turn a query to a response.
1846 table=10 priority=100 arp xreg0=0 action=normal
1847 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1848 table=10 priority=0 action=drop
1851 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1853 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1855 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode, so the data connection is opened by ns1.
1856 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
1858 dnl Discards CLOSE_WAIT and CLOSING
dnl Expected: the control connection (helper=ftp) and the server-initiated
dnl data connection to the NAT address, reverse-translated to the client.
1859 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN" | grep -v "CLOS"], [0], [dnl
1860 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
1861 tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
1864 OVS_TRAFFIC_VSWITCHD_STOP
1867 AT_SETUP([conntrack - IPv6 HTTP with NAT])
dnl IPv6 SNAT: ns0 is translated to fc00::240 towards ns1. The positive check
dnl is an HTTP fetch from ns0; the negative check is that ns1 cannot open a
dnl connection back to ns0.
1869 OVS_TRAFFIC_VSWITCHD_START()
1871 ADD_NAMESPACES(at_ns0, at_ns1)
1873 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
dnl p0 gets a fixed MAC so that a static neighbor entry for the NAT address
dnl can point at it from ns1.
1874 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1875 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
dnl Static neighbor entry in ns1 for the NAT address, resolved to the MAC of p0.
1876 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
1878 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1879 AT_DATA([flows.txt], [dnl
1880 priority=1,action=drop
dnl ICMPv6 (neighbor discovery included) passes untracked in both directions.
1881 priority=10,icmp6,action=normal
dnl Every IPv6 packet from ns0 is committed with SNAT to fc00::240.
1882 priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240)),2
dnl Untracked packets from ns1 are reverse-translated and re-enter table 0;
dnl only those matching a committed entry are then forwarded to ns0.
1883 priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
1884 priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
dnl Neighbor solicitations from ns1 for the NAT address are DNATed to the
dnl real address fc00::1 and committed.
1885 priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1
1888 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1890 dnl Without this sleep, we get occasional failures due to the following error:
1891 dnl "connect: Cannot assign requested address"
1894 dnl HTTP requests from ns0->ns1 should work fine.
1895 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
1897 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1899 dnl HTTP requests from ns1->ns0 should fail due to network failure.
1900 dnl Try 3 times, in 1 second intervals.
dnl Exit status 4 is the wget network-failure code; a new connection from
dnl ns1 has no committed entry and so is dropped by the flows above.
1901 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
1902 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
1904 OVS_TRAFFIC_VSWITCHD_STOP
1908 AT_SETUP([conntrack - IPv6 FTP with NAT])
dnl IPv6 counterpart of the FTP with NAT test: active-mode FTP with the
dnl client SNATed to fc00::240 and the data connection recognised as related.
1909 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1911 OVS_TRAFFIC_VSWITCHD_START()
1913 ADD_NAMESPACES(at_ns0, at_ns1)
1915 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
dnl p0 gets a fixed MAC so that the static neighbor entry below can point at it.
1916 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1917 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1918 dnl Would be nice if NAT could translate neighbor discovery messages, too.
dnl Until then ns1 needs a static neighbor entry for the NAT address.
1919 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
1921 dnl Allow any traffic from ns0->ns1.
1922 dnl Only allow nd, return traffic from ns1->ns0.
1923 AT_DATA([flows.txt], [dnl
1924 dnl Allow other ICMPv6 both ways (without commit).
1925 table=1 priority=100 in_port=1 icmp6, action=2
1926 table=1 priority=100 in_port=2 icmp6, action=1
1927 dnl track all IPv6 traffic (this includes NAT & help to non-NEW packets.)
1928 table=0 priority=10 ip6, action=ct(nat,table=1)
1929 table=0 priority=0 action=drop
1933 dnl Allow new TCPv6 FTP control connections.
dnl alg=ftp makes conntrack follow the control channel and expect the data
dnl connection; the source is NATed to fc00::240.
1934 table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
1935 dnl Allow related TCPv6 connections from port 2 to the NATted address.
dnl This is the server-initiated (active mode) data connection; nat without
dnl arguments applies the mapping from the expectation.
1936 table=1 in_port=2 ct_state=+new+rel tcp6 ipv6_dst=fc00::240 action=ct(commit,nat),1
1937 dnl Allow established TCPv6 connections both ways, enforce NATting
dnl Established packets that still carry untranslated addresses do not
dnl match here and fall through to the drop below.
1938 table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240 action=2
1939 table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1 action=1
1940 dnl Drop everything else.
1941 table=1 priority=0, action=drop
1944 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1946 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1948 dnl FTP requests from p0->p1 should work fine.
dnl --no-passive-ftp forces active mode, so the data connection is opened by ns1.
1949 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
1951 dnl Discards CLOSE_WAIT and CLOSING
dnl Expected: the control connection (helper=ftp) and the server-initiated
dnl data connection to fc00::240, reverse-translated to the client fc00::1.
1952 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2) | grep -v "FIN" | grep -v "CLOS"], [0], [dnl
1953 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
1954 tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
1957 OVS_TRAFFIC_VSWITCHD_STOP