AT_SETUP([ovn -- action parsing])
dnl Text before => is input, text after => is expected output.
AT_DATA([test-cases.txt], [[
-# Positive tests.
+# drop
drop; => actions=drop, prereqs=1
+drop; next; => Syntax error at `next' expecting end of input.
+next; drop; => Syntax error at `drop' expecting action.
+
+# output
+output; => actions=resubmit(,64), prereqs=1
+
+# next
next; => actions=resubmit(,27), prereqs=1
next(0); => actions=resubmit(,16), prereqs=1
next(15); => actions=resubmit(,31), prereqs=1
-ct_next; => actions=ct(table=27,zone=NXM_NX_REG5[0..15]), prereqs=ip
-ct_commit; => actions=ct(commit,zone=NXM_NX_REG5[0..15]), prereqs=ip
-output; => actions=resubmit(,64), prereqs=1
-outport="eth0"; next; outport="LOCAL"; next; => actions=set_field:0x5->reg7,resubmit(,27),set_field:0xfffe->reg7,resubmit(,27), prereqs=1
+
+next(); => Syntax error at `)' expecting small integer.
+next(10; => Syntax error at `;' expecting `)'.
+next(16); => "next" argument must be in range 0 to 15.
+
+# Loading a constant value.
tcp.dst=80; => actions=set_field:80->tcp_dst, prereqs=ip.proto == 0x6 && (eth.type == 0x800 || eth.type == 0x86dd)
eth.dst[40] = 1; => actions=set_field:01:00:00:00:00:00/01:00:00:00:00:00->eth_dst, prereqs=1
vlan.pcp = 2; => actions=set_field:0x4000/0xe000->vlan_tci, prereqs=vlan.tci[12]
vlan.tci[13..15] = 2; => actions=set_field:0x4000/0xe000->vlan_tci, prereqs=1
-reg0 = reg1; => actions=move:OXM_OF_PKT_REG0[0..31]->OXM_OF_PKT_REG0[32..63], prereqs=1
-vlan.pcp = reg0[0..2]; => actions=move:OXM_OF_PKT_REG0[32..34]->NXM_OF_VLAN_TCI[13..15], prereqs=vlan.tci[12]
-reg0[10] = vlan.pcp[1]; => actions=move:NXM_OF_VLAN_TCI[14]->OXM_OF_PKT_REG0[42], prereqs=vlan.tci[12]
-outport = inport; => actions=move:NXM_NX_REG6[]->NXM_NX_REG7[], prereqs=1
inport = ""; => actions=set_field:0->reg6,set_field:0->in_port, prereqs=1
-reg0 <-> reg1; => actions=push:OXM_OF_PKT_REG0[0..31],push:OXM_OF_PKT_REG0[32..63],pop:OXM_OF_PKT_REG0[0..31],pop:OXM_OF_PKT_REG0[32..63], prereqs=1
-vlan.pcp <-> reg0[0..2]; => actions=push:OXM_OF_PKT_REG0[32..34],push:NXM_OF_VLAN_TCI[13..15],pop:OXM_OF_PKT_REG0[32..34],pop:NXM_OF_VLAN_TCI[13..15], prereqs=vlan.tci[12]
-reg0[10] <-> vlan.pcp[1]; => actions=push:NXM_OF_VLAN_TCI[14],push:OXM_OF_PKT_REG0[42],pop:NXM_OF_VLAN_TCI[14],pop:OXM_OF_PKT_REG0[42], prereqs=vlan.tci[12]
-outport <-> inport; => actions=push:NXM_NX_REG6[],push:NXM_NX_REG7[],pop:NXM_NX_REG6[],pop:NXM_NX_REG7[], prereqs=1
-ip.ttl--; => actions=dec_ttl, prereqs=ip
ip.ttl = 4; => actions=set_field:4->nw_ttl, prereqs=eth.type == 0x800 || eth.type == 0x86dd
-
-# Contradictionary prerequisites (allowed but not useful):
-ip4.src = ip6.src[0..31]; => actions=move:NXM_NX_IPV6_SRC[0..31]->NXM_OF_IP_SRC[], prereqs=eth.type == 0x800 && eth.type == 0x86dd
-ip4.src <-> ip6.src[0..31]; => actions=push:NXM_NX_IPV6_SRC[0..31],push:NXM_OF_IP_SRC[],pop:NXM_NX_IPV6_SRC[0..31],pop:NXM_OF_IP_SRC[], prereqs=eth.type == 0x800 && eth.type == 0x86dd
-
-## Negative tests.
-
-; => Syntax error at `;'.
-xyzzy; => Syntax error at `xyzzy' expecting action.
-next; 123; => Syntax error at `123'.
-next; xyzzy; => Syntax error at `xyzzy' expecting action.
-
-# "drop;" must be on its own:
-drop; next; => Syntax error at `next' expecting end of input.
-next; drop; => Syntax error at `drop' expecting action.
-
-# Missing ";":
-next => Syntax error at end of input expecting ';'.
-
-next(); => Syntax error at `)' expecting small integer.
-next(10; => Syntax error at `;' expecting `)'.
-next(16); => "next" argument must be in range 0 to 15.
+outport="eth0"; next; outport="LOCAL"; next; => actions=set_field:0x5->reg7,resubmit(,27),set_field:0xfffe->reg7,resubmit(,27), prereqs=1
inport[1] = 1; => Cannot select subfield of string field inport.
ip.proto[1] = 1; => Cannot select subfield of nominal field ip.proto.
eth.dst[40] == 1; => Syntax error at `==' expecting `='.
-ip = 1; => Predicate symbol ip cannot be used in assignment.
+ip = 1; => Predicate symbol ip used where lvalue required.
ip.proto = 6; => Field ip.proto is not modifiable.
inport = {"a", "b"}; => Assignments require a single value.
inport = {}; => Syntax error at `}' expecting constant.
bad_prereq = 123; => Error parsing expression `xyzzy' encountered as prerequisite or predicate of initial expression: Syntax error at `xyzzy' expecting field name.
self_recurse = 123; => Error parsing expression `self_recurse != 0' encountered as prerequisite or predicate of initial expression: Error parsing expression `self_recurse != 0' encountered as prerequisite or predicate of initial expression: Recursive expansion of symbol `self_recurse'.
-vlan.present = 0; => Predicate symbol vlan.present cannot be used in assignment.
-reg0[0] = vlan.present; => Predicate symbol vlan.present cannot be used in assignment.
+vlan.present = 0; => Predicate symbol vlan.present used where lvalue required.
+
+# Moving one field into another.
+reg0 = reg1; => actions=move:OXM_OF_PKT_REG0[0..31]->OXM_OF_PKT_REG0[32..63], prereqs=1
+vlan.pcp = reg0[0..2]; => actions=move:OXM_OF_PKT_REG0[32..34]->NXM_OF_VLAN_TCI[13..15], prereqs=vlan.tci[12]
+reg0[10] = vlan.pcp[1]; => actions=move:NXM_OF_VLAN_TCI[14]->OXM_OF_PKT_REG0[42], prereqs=vlan.tci[12]
+outport = inport; => actions=move:NXM_NX_REG6[]->NXM_NX_REG7[], prereqs=1
+
+reg0[0] = vlan.present; => Predicate symbol vlan.present used where lvalue required.
reg0 = reg1[0..10]; => Can't assign 11-bit value to 32-bit destination.
inport = reg0; => Can't assign integer field (reg0) to string field (inport).
inport = big_string; => String fields inport and big_string are incompatible for assignment.
ip.proto = reg0[0..7]; => Field ip.proto is not modifiable.
-reg0[0] <-> vlan.present; => Predicate symbol vlan.present cannot be used in exchange.
+
+# Exchanging fields.
+reg0 <-> reg1; => actions=push:OXM_OF_PKT_REG0[0..31],push:OXM_OF_PKT_REG0[32..63],pop:OXM_OF_PKT_REG0[0..31],pop:OXM_OF_PKT_REG0[32..63], prereqs=1
+vlan.pcp <-> reg0[0..2]; => actions=push:OXM_OF_PKT_REG0[32..34],push:NXM_OF_VLAN_TCI[13..15],pop:OXM_OF_PKT_REG0[32..34],pop:NXM_OF_VLAN_TCI[13..15], prereqs=vlan.tci[12]
+reg0[10] <-> vlan.pcp[1]; => actions=push:NXM_OF_VLAN_TCI[14],push:OXM_OF_PKT_REG0[42],pop:NXM_OF_VLAN_TCI[14],pop:OXM_OF_PKT_REG0[42], prereqs=vlan.tci[12]
+outport <-> inport; => actions=push:NXM_NX_REG6[],push:NXM_NX_REG7[],pop:NXM_NX_REG6[],pop:NXM_NX_REG7[], prereqs=1
+
+reg0[0] <-> vlan.present; => Predicate symbol vlan.present used where lvalue required.
reg0 <-> reg1[0..10]; => Can't exchange 32-bit field with 11-bit field.
inport <-> reg0; => Can't exchange string field (inport) with integer field (reg0).
inport <-> big_string; => String fields inport and big_string are incompatible for exchange.
ip.proto <-> reg0[0..7]; => Field ip.proto is not modifiable.
reg0[0..7] <-> ip.proto; => Field ip.proto is not modifiable.
+
+# TTL decrement.
+ip.ttl--; => actions=dec_ttl, prereqs=ip
ip.ttl => Syntax error at end of input expecting `--'.
+
+# conntrack
+ct_next; => actions=ct(table=27,zone=NXM_NX_REG5[0..15]), prereqs=ip
+ct_commit; => actions=ct(commit,zone=NXM_NX_REG5[0..15]), prereqs=ip
+
+# arp
+arp { eth.dst = ff:ff:ff:ff:ff:ff; output; }; => actions=controller(userdata=00.00.00.00.00.00.00.00.00.19.00.10.80.00.06.06.ff.ff.ff.ff.ff.ff.00.00.ff.ff.00.10.00.00.23.20.00.0e.ff.f8.40.00.00.00), prereqs=ip4
+
+# get_arp
+get_arp(outport, ip4.dst); => actions=push:NXM_NX_REG0[],push:NXM_OF_IP_DST[],pop:NXM_NX_REG0[],set_field:00:00:00:00:00:00->eth_dst,resubmit(,65),pop:NXM_NX_REG0[], prereqs=eth.type == 0x800
+get_arp(inport, reg0); => actions=push:NXM_NX_REG7[],push:NXM_NX_REG0[],push:OXM_OF_PKT_REG0[32..63],push:NXM_NX_REG6[],pop:NXM_NX_REG7[],pop:NXM_NX_REG0[],set_field:00:00:00:00:00:00->eth_dst,resubmit(,65),pop:NXM_NX_REG0[],pop:NXM_NX_REG7[], prereqs=1
+get_arp; => Syntax error at `;' expecting `('.
+get_arp(); => Syntax error at `)' expecting field name.
+get_arp(inport); => Syntax error at `)' expecting `,'.
+get_arp(inport ip4.dst); => Syntax error at `ip4.dst' expecting `,'.
+get_arp(inport, ip4.dst; => Syntax error at `;' expecting `)'.
+get_arp(inport, eth.dst); => Cannot use 48-bit field eth.dst[0..47] where 32-bit field is required.
+get_arp(inport, outport); => Cannot use string field outport where numeric field is required.
+get_arp(reg0, ip4.dst); => Cannot use numeric field reg0 where string field is required.
+
+# put_arp
+put_arp(inport, arp.spa, arp.sha); => actions=push:NXM_NX_REG0[],push:NXM_OF_ETH_SRC[],push:NXM_NX_ARP_SHA[],push:NXM_OF_ARP_SPA[],pop:NXM_NX_REG0[],pop:NXM_OF_ETH_SRC[],controller(userdata=00.00.00.01.00.00.00.00),pop:NXM_OF_ETH_SRC[],pop:NXM_NX_REG0[], prereqs=eth.type == 0x806 && eth.type == 0x806
+
+# Contradictionary prerequisites (allowed but not useful):
+ip4.src = ip6.src[0..31]; => actions=move:NXM_NX_IPV6_SRC[0..31]->NXM_OF_IP_SRC[], prereqs=eth.type == 0x800 && eth.type == 0x86dd
+ip4.src <-> ip6.src[0..31]; => actions=push:NXM_NX_IPV6_SRC[0..31],push:NXM_OF_IP_SRC[],pop:NXM_NX_IPV6_SRC[0..31],pop:NXM_OF_IP_SRC[], prereqs=eth.type == 0x800 && eth.type == 0x86dd
+
+## Miscellaneous negative tests.
+; => Syntax error at `;'.
+xyzzy; => Syntax error at `xyzzy' expecting action.
+next; 123; => Syntax error at `123'.
+next; xyzzy; => Syntax error at `xyzzy' expecting action.
+next => Syntax error at end of input expecting ';'.
]])
sed 's/ =>.*//' test-cases.txt > input.txt
sed 's/.* => //' test-cases.txt > expout
if test $j = 1; then
ovn-nbctl lport-set-addresses lp$i$j "f0:00:00:00:00:$i$j 192.168.0.$i$j" unknown
else
- ovn-nbctl lport-set-addresses lp$i$j "f0:00:00:00:00:$i$j 192.168.0.$i$j"
+ if test $j = 3; then
+ ip_addrs="192.168.0.$i$j fe80::ea2a:eaff:fe28:$i$j/64 192.169.0.$i$j"
+ else
+ ip_addrs="192.168.0.$i$j"
+ fi
+ ovn-nbctl lport-set-addresses lp$i$j "f0:00:00:00:00:$i$j $ip_addrs"
ovn-nbctl lport-set-port-security lp$i$j f0:00:00:00:00:$i$j
fi
done
sleep 1
ovn-sbctl dump-flows -- list multicast_group
+echo "------ hv1 dump ------"
+as hv1 ovs-vsctl show
+as hv1 ovs-ofctl -O OpenFlow13 dump-flows br-int
+
+echo "------ hv2 dump ------"
+as hv2 ovs-vsctl show
+as hv2 ovs-ofctl -O OpenFlow13 dump-flows br-int
+
+echo "------ hv3 dump ------"
+as hv3 ovs-vsctl show
+as hv3 ovs-ofctl -O OpenFlow13 dump-flows br-int
+
# Given the name of a logical port, prints the name of the hypervisor
# on which it is located.
vif_to_hv() {
hv=`vif_to_hv $inport`
as $hv ovs-appctl netdev-dummy/receive vif$inport $request
- if test X$reply_ha == X; then
+ if test X$reply_ha = X; then
# Expect to receive the broadcast ARP on the other logical switch ports
# if no reply is expected.
local i j
tip_unknown=`ip_to_hex 11 11 11 11`
test_arp $s f000000000$s $sip $tip f000000000$d #9
test_arp $s f000000000$s $sip $tip_unknown #10
+
+ if test $jd = 3; then
+ # lport[123]3 has an additional ip 192.169.0.[123]3.
+ tip=`ip_to_hex 192 169 0 $id$jd`
+ test_arp $s f000000000$s $sip $tip f000000000$d #9
+ fi
done
done
done
done
+# set address for lp13 with invalid characters.
+# lp13 should be configured with only 192.168.0.13.
+ovn-nbctl lport-set-addresses lp13 "f0:00:00:00:00:13 192.168.0.13 invalid 192.169.0.13"
+sip=`ip_to_hex 192 168 0 11`
+tip=`ip_to_hex 192 168 0 13`
+test_arp 11 f00000000011 $sip $tip f00000000013
+
+tip=`ip_to_hex 192 169 0 13`
+#arp request for 192.169.0.13 should be flooded
+test_arp 11 f00000000011 $sip $tip
+
# Allow some time for packet forwarding.
# XXX This can be improved.
sleep 1
echo
done
done
+
+# Gracefully terminate daemons
+for daemon in ovn-controller ovn-northd ovsdb-server; do
+ ovs-appctl -t $daemon exit
+done
AT_CLEANUP
# 2 hypervisors, 4 logical ports per HV
# 2 locally attached networks (one flat, one vlan tagged over same device)
# 2 ports per HV on each network
-AT_SETUP([ovn -- 2 HVs, 2 lports/HV, localnet ports])
+AT_SETUP([ovn -- 2 HVs, 4 lports/HV, localnet ports])
AT_KEYWORDS([ovn-localnet])
AT_SKIP_IF([test $HAVE_PYTHON = no])
ovn_start
# lp11 and lp12 are on the same network (phys, untagged)
# and on the same hypervisor
-# TODO this is broken.
-#test_packet 11 f00000000012 f00000000011 1112 12
-#test_packet 12 f00000000011 f00000000012 1211 11
+test_packet 11 f00000000012 f00000000011 1112 12
+test_packet 12 f00000000011 f00000000012 1211 11
# lp13 and lp23 are on the same network (phys, VLAN 101)
# and on different hypervisors
# lp13 and lp14 are on the same network (phys, VLAN 101)
# and on the same hypervisor
-# TODO this is broken.
-#test_packet 13 f00000000014 f00000000013 1314 14
-#test_packet 14 f00000000013 f00000000014 1413 13
+test_packet 13 f00000000014 f00000000013 1314 14
+test_packet 14 f00000000013 f00000000014 1413 13
# Ports that should not be able to communicate
test_packet 11 f00000000013 f00000000011 1113
done
done
+# Gracefully terminate daemons
+for daemon in ovn-controller ovn-northd ovsdb-server; do
+ ovs-appctl -t $daemon exit
+done
AT_CLEANUP
AT_SETUP([ovn -- 3 HVs, 1 VIFs/HV, 1 GW, 1 LS])
AT_CHECK([sort $i.packets], [0], [expout])
echo
done
+
+# Gracefully terminate daemons
+for daemon in ovs-vtep ovn-controller-vtep ovn-controller ovn-northd ovsdb-server; do
+ ovs-appctl -t $daemon exit
+done
AT_CLEANUP
# 3 hypervisors, 3 logical switches with 3 logical ports each, 1 logical router
ovn-nbctl lswitch-add ls$i
for j in 1 2 3; do
for k in 1 2 3; do
+ # Add "unknown" to MAC addresses for lp?11, so packets for
+ # MAC-IP bindings discovered via ARP later have somewhere to go.
+ if test $j$k = 11; then unknown=unknown; else unknown=; fi
+
ovn-nbctl \
-- lport-add ls$i lp$i$j$k \
- -- lport-set-addresses lp$i$j$k "f0:00:00:00:0$i:$j$k 192.168.$i$j.$k"
+ -- lport-set-addresses lp$i$j$k "f0:00:00:00:0$i:$j$k 192.168.$i$j.$k" $unknown
done
done
done
# content has Ethernet destination DST and source SRC (each exactly 12 hex
# digits) and Ethernet type ETHTYPE (4 hex digits). The OUTPORTs (zero or
# more) list the VIFs on which the packet should be received. INPORT and the
-# OUTPORTs are specified as lport numbers, e.g. 11 for vif11.
+# OUTPORTs are specified as lport numbers, e.g. 123 for vif123.
trim_zeros() {
sed 's/\(00\)\{1,\}$//'
}
}
as hv1 ovs-vsctl --columns=name,ofport list interface
+as hv1 ovn-sbctl list port_binding
+as hv1 ovn-sbctl list datapath_binding
as hv1 ovn-sbctl dump-flows
as hv1 ovs-ofctl dump-flows br-int
done
done
+# 3. Send an IP packet from every logical port to every other subnet,
+# to an IP address that does not have a static IP-MAC binding.
+# This should generate a broadcast ARP request for the destination
+# IP address in the destination subnet.
+for is in 1 2 3; do
+ for js in 1 2 3; do
+ for ks in 1 2 3; do
+ s=$is$js$ks
+ smac=f00000000$s
+ sip=`ip_to_hex 192 168 $is$js $ks`
+ for id in 1 2 3; do
+ for jd in 1 2 3; do
+ if test $is$js = $id$jd; then
+ continue
+ fi
+
+ # Send the packet.
+ dmac=00000000ff$is$js
+ # Calculate a 4th octet for the destination that is
+ # unique per $s, avoids the .1 .2 .3 and .254 IP addresses
+ # that have static MAC bindings, and fits in the range
+ # 0-255.
+ o4=`expr $is '*' 9 + $js '*' 3 + $ks + 10`
+ dip=`ip_to_hex 192 168 $id$jd $o4`
+ test_ip $s $smac $dmac $sip $dip
+
+ # Every LP on the destination subnet's lswitch should
+ # receive the ARP request.
+ lrmac=00000000ff$id$jd
+ lrip=`ip_to_hex 192 168 $id$jd 254`
+ arp=ffffffffffff${lrmac}08060001080006040001${lrmac}${lrip}000000000000${dip}
+ for jd2 in 1 2 3; do
+ for kd in 1 2 3; do
+ echo $arp | trim_zeros >> $id$jd2$kd.expected
+ done
+ done
+ done
+ done
+ done
+ done
+done
+
# test_arp INPORT SHA SPA TPA [REPLY_HA]
#
# Causes a packet to be received on INPORT. The packet is an ARP
local j k
for j in 1 2 3; do
for k in 1 2 3; do
- # 192.168.33.254 is configured to the lswtich patch port for lrp33,
+ # 192.168.33.254 is configured to the lswitch patch port for lrp33,
# so no ARP flooding expected for it.
if test $i$j$k != $inport && test $tpa != `ip_to_hex 192 168 33 254`; then
echo $request >> $i$j$k.expected
# Test router replies to ARP requests from all source ports:
#
-# 3. Router replies to query for its MAC address from port's own IP address.
+# 4. Router replies to query for its MAC address from port's own IP address.
#
-# 4. Router replies to query for its MAC address from any random IP address
+# 5. Router replies to query for its MAC address from any random IP address
# in its subnet.
#
-# 5. Router replies to query for its MAC address from another subnet.
+# 6. Router replies to query for its MAC address from another subnet.
#
-# 6. No reply to query for IP address other than router IP.
+# 7. No reply to query for IP address other than router IP.
for i in 1 2 3; do
for j in 1 2 3; do
for k in 1 2 3; do
rip=`ip_to_hex 192 168 $i$j 254` # Router IP
rmac=00000000ff$i$j # Router MAC
otherip=`ip_to_hex 192 168 $i$j 55` # Some other IP in subnet
- test_arp $i$j$k $smac $sip $rip $rmac #3
- test_arp $i$j$k $smac $otherip $rip $rmac #4
- test_arp $i$j$k $smac 0a123456 $rip $rmac #5
- test_arp $i$j$k $smac $sip $otherip #6
+ test_arp $i$j$k $smac $sip $rip $rmac #4
+ test_arp $i$j$k $smac $otherip $rip $rmac #5
+ test_arp $i$j$k $smac 0a123456 $rip $rmac #6
+ test_arp $i$j$k $smac $sip $otherip #7
+ done
+ done
+done
+
+# Allow some time for packet forwarding.
+# XXX This can be improved.
+sleep 1
+
+# 8. Generate an ARP reply for each of the IP addresses ARPed for
+# earlier as #3.
+#
+# Here, the $s is the VIF that originated the ARP request and $d is
+# the VIF that sends the ARP reply, which is somewhat backward but
+# it means that $s and $d are the same as #3.
+: > mac_bindings.expected
+for is in 1 2 3; do
+ for js in 1 2 3; do
+ for ks in 1 2 3; do
+ s=$is$js$ks
+ for id in 1 2 3; do
+ for jd in 1 2 3; do
+ if test $is$js = $id$jd; then
+ continue
+ fi
+
+ kd=1
+ d=$id$jd$kd
+
+ o4=`expr $is '*' 9 + $js '*' 3 + $ks + 10`
+ host_ip=`ip_to_hex 192 168 $id$jd $o4`
+ host_mac=8000000000$o4
+
+ lrmac=00000000ff$id$jd
+ lrip=`ip_to_hex 192 168 $id$jd 254`
+
+ arp=${lrmac}${host_mac}08060001080006040002${host_mac}${host_ip}${lrmac}${lrip}
+
+ echo
+ echo
+ echo
+ hv=hv`vif_to_hv $d`
+ as $hv ovs-appctl netdev-dummy/receive vif$d $arp
+ #as $hv ovs-appctl ofproto/trace br-int in_port=$d $arp
+ #as $hv ovs-ofctl dump-flows br-int table=19
+
+ host_ip_pretty=192.168.$id$jd.$o4
+ host_mac_pretty=80:00:00:00:00:$o4
+ echo lrp$id$jd,$host_ip_pretty,$host_mac_pretty >> mac_bindings.expected
+ done
+ done
+ done
+ done
+done
+
+# Allow some time for packet forwarding.
+# XXX This can be improved.
+sleep 1
+
+# 9. Send an IP packet from every logical port to every other subnet. These
+# are the same packets already sent as #3, but now the destinations' IP-MAC
+# bindings have been discovered via ARP, so instead of provoking an ARP
+# request, these packets now get routed to their destinations (which don't
+# have static MAC bindings, so they go to the port we've designated as
+# accepting "unknown" MACs.)
+for is in 1 2 3; do
+ for js in 1 2 3; do
+ for ks in 1 2 3; do
+ s=$is$js$ks
+ smac=f00000000$s
+ sip=`ip_to_hex 192 168 $is$js $ks`
+ for id in 1 2 3; do
+ for jd in 1 2 3; do
+ if test $is$js = $id$jd; then
+ continue
+ fi
+
+ # Send the packet.
+ dmac=00000000ff$is$js
+ # Calculate a 4th octet for the destination that is
+ # unique per $s, avoids the .1 .2 .3 and .254 IP addresses
+ # that have static MAC bindings, and fits in the range
+ # 0-255.
+ o4=`expr $is '*' 9 + $js '*' 3 + $ks + 10`
+ dip=`ip_to_hex 192 168 $id$jd $o4`
+ test_ip $s $smac $dmac $sip $dip
+
+ # Expect the packet egress.
+ host_mac=8000000000$o4
+ outport=${id}11
+ out_lrp=$id$jd
+ echo ${host_mac}00000000ff${out_lrp}08004500001c00000000"3f1101"00${sip}${dip}0035111100080000 | trim_zeros >> $outport.expected
+ done
+ done
done
done
done
+
# Allow some time for packet forwarding.
# XXX This can be improved.
sleep 1
+ovn-sbctl -f csv -d bare --no-heading \
+ -- --columns=logical_port,ip,mac list mac_binding > mac_bindings
+
# Now check the packets actually received against the ones expected.
for i in 1 2 3; do
for j in 1 2 3; do
done
done
done
+
+# Check the MAC bindings against those expected.
+AT_CHECK_UNQUOTED([sort < mac_bindings], [0], [`sort < mac_bindings.expected`
+])
+
+# Gracefully terminate daemons
+for daemon in ovn-controller ovn-northd ovsdb-server; do
+ ovs-appctl -t $daemon exit
+done
+AT_CLEANUP
+
+# 3 hypervisors, one logical switch, 3 logical ports per hypervisor
+AT_SETUP([ovn -- portsecurity : 3 HVs, 1 LS, 3 lports/HV])
+AT_KEYWORDS([portsecurity])
+AT_SKIP_IF([test $HAVE_PYTHON = no])
+ovn_start
+
+# Create hypervisors hv[123].
+# Add vif1[123] to hv1, vif2[123] to hv2, vif3[123] to hv3.
+# Add all of the vifs to a single logical switch lsw0.
+# Turn off port security on vifs vif[123]1
+# Turn on l2 port security on vifs vif[123]2
+# Turn of l2 and l3 port security on vifs vif[123]3
+# Make vif13, vif2[23], vif3[123] destinations for unknown MACs.
+ovn-nbctl lswitch-add lsw0
+net_add n1
+for i in 1 2 3; do
+ sim_add hv$i
+ as hv$i
+ ovs-vsctl add-br br-phys
+ ovn_attach n1 br-phys 192.168.0.$i
+
+ for j in 1 2 3; do
+ ovs-vsctl add-port br-int vif$i$j -- set Interface vif$i$j external-ids:iface-id=lp$i$j options:tx_pcap=hv$i/vif$i$j-tx.pcap options:rxq_pcap=hv$i/vif$i$j-rx.pcap ofport-request=$i$j
+ ovn-nbctl lport-add lsw0 lp$i$j
+ if test $j = 1; then
+ ovn-nbctl lport-set-addresses lp$i$j "f0:00:00:00:00:$i$j 192.168.0.$i$j" unknown
+ elif test $j = 2; then
+ ovn-nbctl lport-set-addresses lp$i$j "f0:00:00:00:00:$i$j 192.168.0.$i$j"
+ ovn-nbctl lport-set-port-security lp$i$j f0:00:00:00:00:$i$j
+ else
+ extra_addr="f0:00:00:00:0$i:$i$j fe80::ea2a:eaff:fe28:$i$j"
+ ovn-nbctl lport-set-addresses lp$i$j "f0:00:00:00:00:$i$j 192.168.0.$i$j" "$extra_addr"
+ ovn-nbctl lport-set-port-security lp$i$j "f0:00:00:00:00:$i$j 192.168.0.$i$j" "$extra_addr"
+ fi
+ done
+done
+
+ovn-nbctl show
+
+# Pre-populate the hypervisors' ARP tables so that we don't lose any
+# packets for ARP resolution (native tunneling doesn't queue packets
+# for ARP resolution).
+ovn_populate_arp
+
+# Allow some time for ovn-northd and ovn-controller to catch up.
+# XXX This should be more systematic.
+sleep 1
+ovn-sbctl dump-flows -- list multicast_group
+
+echo "------ hv1 dump ------"
+as hv1 ovs-vsctl show
+as hv1 ovs-ofctl -O OpenFlow13 dump-flows br-int
+
+echo "------ hv2 dump ------"
+as hv2 ovs-vsctl show
+as hv2 ovs-ofctl -O OpenFlow13 dump-flows br-int
+
+echo "------ hv3 dump ------"
+as hv3 ovs-vsctl show
+as hv3 ovs-ofctl -O OpenFlow13 dump-flows br-int
+
+# Given the name of a logical port, prints the name of the hypervisor
+# on which it is located.
+vif_to_hv() {
+ echo hv${1%?}
+}
+
+
+trim_zeros() {
+ sed 's/\(00\)\{1,\}$//'
+}
+for i in 1 2 3; do
+ for j in 1 2 3; do
+ : > $i$j.expected
+ done
+done
+
+# test_ip INPORT SRC_MAC DST_MAC SRC_IP DST_IP OUTPORT...
+#
+# This shell function causes an ip packet to be received on INPORT.
+# The packet's content has Ethernet destination DST and source SRC
+# (each exactly 12 hex digits) and Ethernet type ETHTYPE (4 hex digits).
+# The OUTPORTs (zero or more) list the VIFs on which the packet should
+# be received. INPORT and the OUTPORTs are specified as lport numbers,
+# e.g. 11 for vif11.
+test_ip() {
+ # This packet has bad checksums but logical L3 routing doesn't check.
+ local inport=$1 src_mac=$2 dst_mac=$3 src_ip=$4 dst_ip=$5
+ local packet=${dst_mac}${src_mac}08004500001c0000000040110000${src_ip}${dst_ip}003511110008
+ shift; shift; shift; shift; shift
+ hv=`vif_to_hv $inport`
+ as $hv ovs-appctl netdev-dummy/receive vif$inport $packet
+ #as $hv ovs-appctl ofproto/trace br-int in_port=$inport $packet
+ for outport; do
+ echo $packet | trim_zeros >> $outport.expected
+ done
+}
+
+# test_arp INPORT SHA SPA TPA DROP [REPLY_HA]
+#
+# Causes a packet to be received on INPORT. The packet is an ARP
+# request with SHA, SPA, and TPA as specified. If REPLY_HA is provided, then
+# it should be the hardware address of the target to expect to receive in an
+# ARP reply; otherwise no reply is expected.
+#
+# INPORT is an lport number, e.g. 11 for vif11.
+# SHA and REPLY_HA are each 12 hex digits.
+# SPA and TPA are each 8 hex digits.
+test_arp() {
+ local inport=$1 smac=$2 sha=$3 spa=$4 tpa=$5 drop=$6 reply_ha=$7
+ local request=ffffffffffff${smac}08060001080006040001${sha}${spa}ffffffffffff${tpa}
+ hv=`vif_to_hv $inport`
+ as $hv ovs-appctl netdev-dummy/receive vif$inport $request
+ #as $hv ovs-appctl ofproto/trace br-int in_port=$inport $request
+ if test $drop != 1; then
+ if test X$reply_ha == X; then
+ # Expect to receive the broadcast ARP on the other logical switch ports
+ # if no reply is expected.
+ local i j
+ for i in 1 2 3; do
+ for j in 1 2 3; do
+ if test $i$j != $inport; then
+ echo $request >> $i$j.expected
+ fi
+ done
+ done
+ else
+ # Expect to receive the reply, if any.
+ local reply=${smac}${reply_ha}08060001080006040002${reply_ha}${tpa}${sha}${spa}
+ echo $reply >> $inport.expected
+ fi
+ fi
+}
+
+# test_ipv6 INPORT SRC_MAC DST_MAC SRC_IP DST_IP OUTPORT...
+# This function is similar to test_ip() except that it sends
+# ipv6 packet
+test_ipv6() {
+ local inport=$1 src_mac=$2 dst_mac=$3 src_ip=$4 dst_ip=$5
+ local packet=${dst_mac}${src_mac}86dd6000000000083aff${src_ip}${dst_ip}0000000000000000
+ shift; shift; shift; shift; shift
+ hv=`vif_to_hv $inport`
+ as $hv ovs-appctl netdev-dummy/receive vif$inport $packet
+ #as $hv ovs-appctl ofproto/trace br-int in_port=$inport $packet
+ for outport; do
+ echo $packet | trim_zeros >> $outport.expected
+ done
+}
+
+ip_to_hex() {
+ printf "%02x%02x%02x%02x" "$@"
+}
+
+# no port security
+sip=`ip_to_hex 192 168 0 12`
+tip=`ip_to_hex 192 168 0 13`
+# the arp packet should be allowed even if lp[123]1 is
+# not configured with mac f00000000023 and ip 192.168.0.12
+for i in 1 2 3; do
+ test_arp ${i}1 f00000000023 f00000000023 $sip $tip 0 f00000000013
+ for j in 1 2 3; do
+ if test $i != $j; then
+ test_ip ${i}1 f000000000${i}1 f000000000${j}1 $sip $tip ${j}1
+ fi
+ done
+done
+
+# l2 port security
+sip=`ip_to_hex 192 168 0 12`
+tip=`ip_to_hex 192 168 0 13`
+
+# arp packet should be allowed since lp22 is configured with
+# mac f00000000022
+test_arp 22 f00000000022 f00000000022 $sip $tip 0 f00000000013
+
+# arp packet should not be allowed since lp32 is not configured with
+# mac f00000000021
+test_arp 32 f00000000021 f00000000021 $sip $tip 1
+
+# arp packet with sha set to f00000000021 should not be allowed
+# for lp12
+test_arp 12 f00000000012 f00000000021 $sip $tip 1
+
+# ip packets should be allowed and received since lp[123]2 do not
+# have l3 port security
+sip=`ip_to_hex 192 168 0 55`
+tip=`ip_to_hex 192 168 0 66`
+for i in 1 2 3; do
+ for j in 1 2 3; do
+ if test $i != $j; then
+ test_ip ${i}2 f000000000${i}2 f000000000${j}2 $sip $tip ${j}2
+ fi
+ done
+done
+
+# ipv6 packets should be received by lp[123]2
+# lp[123]1 can send ipv6 traffic as there is no port security
+sip=fe800000000000000000000000000000
+tip=ff020000000000000000000000000000
+
+for i in 1 2 3; do
+ test_ipv6 ${i}1 f000000000${i}1 f000000000${i}2 $sip $tip ${i}2
+done
+
+
+# l2 and l3 port security
+sip=`ip_to_hex 192 168 0 13`
+tip=`ip_to_hex 192 168 0 22`
+# arp packet should be allowed since lp13 is configured with
+# f00000000013 and 192.168.0.13
+test_arp 13 f00000000013 f00000000013 $sip $tip 0 f00000000022
+
+# the arp packet should be dropped because lp23 is not configured
+# with mac f00000000022
+sip=`ip_to_hex 192 168 0 13`
+tip=`ip_to_hex 192 168 0 22`
+test_arp 23 f00000000022 f00000000022 $sip $tip 1
+
+# the arp packet should be dropped because lp33 is not configured
+# with ip 192.168.0.55
+spa=`ip_to_hex 192 168 0 55`
+tpa=`ip_to_hex 192 168 0 22`
+test_arp 33 f00000000031 f00000000031 $spa $tpa 1
+
+# ip packets should not be received by lp[123]3 since
+# l3 port security is enabled
+sip=`ip_to_hex 192 168 0 55`
+tip=`ip_to_hex 192 168 0 66`
+for i in 1 2 3; do
+ for j in 1 2 3; do
+ test_ip ${i}2 f000000000${i}2 f000000000${j}3 $sip $tip
+ done
+done
+
+# ipv6 packets should be dropped for lp[123]3 since
+# it is configured with only ipv4 address
+sip=fe800000000000000000000000000000
+tip=ff020000000000000000000000000000
+
+for i in 1 2 3; do
+ test_ipv6 ${i}3 f000000000${i}3 f00000000022 $sip $tip
+done
+
+# ipv6 packets should not be received by lp[123]3 with mac f000000000$[123]3
+# lp[123]1 can send ipv6 traffic as there is no port security
+for i in 1 2 3; do
+ test_ipv6 ${i}1 f000000000${i}1 f000000000${i}3 $sip $tip
+done
+
+# lp13 has extra port security with mac f0000000113 and ipv6 addr
+# fe80::ea2a:eaff:fe28:0012
+
+# ipv4 packet should be dropped for lp13 with mac f0000000113
+sip=`ip_to_hex 192 168 0 13`
+tip=`ip_to_hex 192 168 0 23`
+test_ip 13 f00000000113 f00000000023 $sip $tip
+
+# ipv6 packet should be received by lp[123]3 with mac f0000000{i}{i}3
+# and ip6.dst as fe80::ea2a:eaff:fe28:0{i}{i}3.
+# lp11 can send ipv6 traffic as there is no port security
+sip=ee800000000000000000000000000000
+for i in 1 2 3; do
+ tip=fe80000000000000ea2aeafffe2800{i}3
+ test_ipv6 11 f00000000011 f000000000{i}${i}3 $sip $tip {i}3
+done
+
+
+# ipv6 packet should not be received by lp33 with mac f0000000333
+# and ip6.dst as fe80::ea2a:eaff:fe28:0023 as it is
+# configured with fe80::ea2a:eaff:fe28:0033
+# lp11 can send ipv6 traffic as there is no port security
+
+sip=ee800000000000000000000000000000
+tip=fe80000000000000ea2aeafffe280023
+test_ipv6 11 f00000000011 f00000000333 $sip $tip
+
+# ipv6 packet should be allowed for lp[123]3 with mac f0000000{i}{i}3
+# and ip6.src fe80::ea2a:eaff:fe28:0{i}{i}3 and ip6.src ::.
+# and should be dropped for any other ip6.src
+# lp21 can receive ipv6 traffic as there is no port security
+
+tip=ee800000000000000000000000000000
+for i in 1 2 3; do
+ sip=fe80000000000000ea2aeafffe2800${i}3
+ test_ipv6 ${i}3 f00000000${i}${i}3 f00000000021 $sip $tip 21
+
+ sip=00000000000000000000000000000000
+ test_ipv6 ${i}3 f00000000${i}${i}3 f00000000021 $sip $tip 21
+
+ # should be dropped
+ sip=ae80000000000000ea2aeafffe2800aa
+ test_ipv6 ${i}3 f00000000${i}${i}3 f00000000021 $sip $tip
+done
+
+
+# Allow some time for packet forwarding.
+
+# XXX This can be improved.
+sleep 1
+
+# Now check the packets actually received against the ones expected.
+for i in 1 2 3; do
+ for j in 1 2 3; do
+ file=hv$i/vif$i$j-tx.pcap
+ echo $file
+ $PYTHON "$top_srcdir/utilities/ovs-pcap.in" $file | trim_zeros > $i$j.packets
+ sort $i$j.expected > expout
+ AT_CHECK([sort $i$j.packets], [0], [expout])
+ echo
+ done
+done
+
+# Gracefully terminate daemons
+for daemon in ovn-controller ovn-northd ovsdb-server; do
+ ovs-appctl -t $daemon exit
+done
AT_CLEANUP
projects / cascardo / ovs.git / blobdiff