1 AT_BANNER([datapath-sanity])
3 AT_SETUP([datapath - ping between two ports])
4 OVS_TRAFFIC_VSWITCHD_START()
6 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
8 ADD_NAMESPACES(at_ns0, at_ns1)
10 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
11 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
13 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
14 3 packets transmitted, 3 received, 0% packet loss, time 0ms
16 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
17 3 packets transmitted, 3 received, 0% packet loss, time 0ms
19 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
20 3 packets transmitted, 3 received, 0% packet loss, time 0ms
23 OVS_TRAFFIC_VSWITCHD_STOP
26 AT_SETUP([datapath - ping between two ports on vlan])
27 OVS_TRAFFIC_VSWITCHD_START()
29 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
31 ADD_NAMESPACES(at_ns0, at_ns1)
33 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
34 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
36 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
37 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
39 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
40 3 packets transmitted, 3 received, 0% packet loss, time 0ms
42 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
43 3 packets transmitted, 3 received, 0% packet loss, time 0ms
45 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
46 3 packets transmitted, 3 received, 0% packet loss, time 0ms
49 OVS_TRAFFIC_VSWITCHD_STOP
52 AT_SETUP([datapath - ping6 between two ports])
53 OVS_TRAFFIC_VSWITCHD_START()
55 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
57 ADD_NAMESPACES(at_ns0, at_ns1)
59 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
60 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
62 dnl Without this sleep, we get occasional failures due to the following error:
63 dnl "connect: Cannot assign requested address"
66 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
67 3 packets transmitted, 3 received, 0% packet loss, time 0ms
69 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
70 3 packets transmitted, 3 received, 0% packet loss, time 0ms
72 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
73 3 packets transmitted, 3 received, 0% packet loss, time 0ms
76 OVS_TRAFFIC_VSWITCHD_STOP
79 AT_SETUP([datapath - ping6 between two ports on vlan])
80 OVS_TRAFFIC_VSWITCHD_START()
82 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
84 ADD_NAMESPACES(at_ns0, at_ns1)
86 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
87 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
89 ADD_VLAN(p0, at_ns0, 100, "fc00:1::1/96")
90 ADD_VLAN(p1, at_ns1, 100, "fc00:1::2/96")
92 dnl Without this sleep, we get occasional failures due to the following error:
93 dnl "connect: Cannot assign requested address"
96 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
97 3 packets transmitted, 3 received, 0% packet loss, time 0ms
99 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
100 3 packets transmitted, 3 received, 0% packet loss, time 0ms
102 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::2 | FORMAT_PING], [0], [dnl
103 3 packets transmitted, 3 received, 0% packet loss, time 0ms
106 OVS_TRAFFIC_VSWITCHD_STOP
109 AT_SETUP([datapath - ping over vxlan tunnel])
112 OVS_TRAFFIC_VSWITCHD_START()
113 ADD_BR([br-underlay])
115 AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
116 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
118 ADD_NAMESPACES(at_ns0)
120 dnl Set up underlay link from host into the namespace using veth pair.
121 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
122 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
123 AT_CHECK([ip link set dev br-underlay up])
125 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
126 dnl linux device inside the namespace.
127 ADD_OVS_TUNNEL([vxlan], [br0], [at_vxlan0], [172.31.1.1], [10.1.1.100/24])
128 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
131 dnl First, check the underlay
132 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
133 3 packets transmitted, 3 received, 0% packet loss, time 0ms
136 dnl Okay, now check the overlay with different packet sizes
137 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
138 3 packets transmitted, 3 received, 0% packet loss, time 0ms
140 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
141 3 packets transmitted, 3 received, 0% packet loss, time 0ms
143 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
144 3 packets transmitted, 3 received, 0% packet loss, time 0ms
147 OVS_TRAFFIC_VSWITCHD_STOP
150 AT_SETUP([conntrack - controller])
152 OVS_TRAFFIC_VSWITCHD_START()
154 ADD_NAMESPACES(at_ns0, at_ns1)
156 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
157 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
159 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
160 AT_DATA([flows.txt], [dnl
161 priority=1,action=drop
162 priority=10,arp,action=normal
163 priority=100,in_port=1,udp,action=ct(commit),controller
164 priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0)
165 priority=100,in_port=2,ct_state=+trk+est,udp,action=controller
168 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
170 AT_CAPTURE_FILE([ofctl_monitor.log])
171 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
173 dnl Send an unsolicited reply from port 2. This should be dropped.
174 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
176 dnl OK, now start a new connection from port 1.
177 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit\),controller '50540000000a50540000000908004500001c00000000001100000a0101010a0101020001000200080000'])
179 dnl Now try a reply from port 2.
180 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) '50540000000a50540000000908004500001c00000000001100000a0101020a0101010002000100080000'])
182 dnl Check this output. We only see the latter two packets, not the first.
183 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
184 NXT_PACKET_IN (xid=0x0): total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
185 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=1,tp_dst=2 udp_csum:0
186 NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
187 udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=2,tp_dst=1 udp_csum:0
190 OVS_TRAFFIC_VSWITCHD_STOP
193 AT_SETUP([conntrack - IPv4 HTTP])
195 OVS_TRAFFIC_VSWITCHD_START()
197 ADD_NAMESPACES(at_ns0, at_ns1)
199 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
200 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
202 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
203 AT_DATA([flows.txt], [dnl
204 priority=1,action=drop
205 priority=10,arp,action=normal
206 priority=10,icmp,action=normal
207 priority=100,in_port=1,tcp,action=ct(commit),2
208 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
209 priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
212 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
214 dnl Basic connectivity check.
215 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 >/dev/null])
217 dnl HTTP requests from ns0->ns1 should work fine.
218 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
219 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
221 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
222 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
225 dnl HTTP requests from ns1->ns0 should fail due to network failure.
226 dnl Try 3 times, in 1 second intervals.
227 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
228 NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])
230 OVS_TRAFFIC_VSWITCHD_STOP
233 AT_SETUP([conntrack - IPv6 HTTP])
235 OVS_TRAFFIC_VSWITCHD_START()
237 ADD_NAMESPACES(at_ns0, at_ns1)
239 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
240 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
242 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
243 AT_DATA([flows.txt], [dnl
244 priority=1,action=drop
245 priority=10,icmp6,action=normal
246 priority=100,in_port=1,tcp6,action=ct(commit),2
247 priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
248 priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
251 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
253 dnl Without this sleep, we get occasional failures due to the following error:
254 dnl "connect: Cannot assign requested address"
257 dnl HTTP requests from ns0->ns1 should work fine.
258 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
260 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
262 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
263 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
266 dnl HTTP requests from ns1->ns0 should fail due to network failure.
267 dnl Try 3 times, in 1 second intervals.
268 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
269 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
271 OVS_TRAFFIC_VSWITCHD_STOP
274 AT_SETUP([conntrack - commit, recirc])
276 OVS_TRAFFIC_VSWITCHD_START()
278 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
280 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
281 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
282 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
283 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
285 dnl Allow any traffic from ns0->ns1, ns2->ns3.
286 AT_DATA([flows.txt], [dnl
287 priority=1,action=drop
288 priority=10,arp,action=normal
289 priority=10,icmp,action=normal
290 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
291 priority=100,in_port=1,tcp,ct_state=+trk,action=2
292 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
293 priority=100,in_port=2,tcp,ct_state=+trk,action=1
294 priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
295 priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
296 priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
297 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
298 priority=100,in_port=4,tcp,ct_state=+trk,action=3
301 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
303 dnl HTTP requests from p0->p1 should work fine.
304 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
305 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
307 dnl HTTP requests from p2->p3 should work fine.
308 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
309 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
311 OVS_TRAFFIC_VSWITCHD_STOP
314 AT_SETUP([conntrack - preserve registers])
316 OVS_TRAFFIC_VSWITCHD_START()
318 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
320 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
321 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
322 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
323 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
325 dnl Allow any traffic from ns0->ns1, ns2->ns3.
326 AT_DATA([flows.txt], [dnl
327 priority=1,action=drop
328 priority=10,arp,action=normal
329 priority=10,icmp,action=normal
330 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
331 priority=100,in_port=1,tcp,ct_state=+trk,action=2
332 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
333 priority=100,in_port=2,tcp,ct_state=+trk,action=1
334 priority=100,in_port=3,tcp,ct_state=-trk,action=load:0->NXM_NX_REG0[[]],ct(table=0)
335 priority=100,in_port=3,tcp,ct_state=+trk,reg0=0,action=load:1->NXM_NX_REG0[[]],ct(commit,table=0)
336 priority=100,in_port=3,tcp,ct_state=+trk,reg0=1,action=4
337 priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
338 priority=100,in_port=4,tcp,ct_state=+trk,action=3
341 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
343 dnl HTTP requests from p0->p1 should work fine.
344 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
345 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
347 dnl HTTP requests from p2->p3 should work fine.
348 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
349 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
351 OVS_TRAFFIC_VSWITCHD_STOP
354 AT_SETUP([conntrack - invalid])
356 OVS_TRAFFIC_VSWITCHD_START()
358 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
360 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
361 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
362 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
363 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
365 dnl Pass traffic from ns0->ns1 without committing, but attempt to track in
366 dnl the opposite direction. This should fail.
367 dnl Pass traffic from ns3->ns4 without committing, and this time match
368 dnl invalid traffic and allow it through.
369 AT_DATA([flows.txt], [dnl
370 priority=1,action=drop
371 priority=10,arp,action=normal
372 priority=10,icmp,action=normal
373 priority=100,in_port=1,tcp,action=ct(),2
374 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
375 priority=100,in_port=2,ct_state=+trk+new,tcp,action=1
376 priority=100,in_port=3,tcp,action=ct(),4
377 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
378 priority=100,in_port=4,ct_state=+trk+inv,tcp,action=3
379 priority=100,in_port=4,ct_state=+trk+new,tcp,action=3
382 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
384 dnl We set up our rules to allow the request without committing. The return
385 dnl traffic can't be identified, because the initial request wasn't committed.
386 dnl For the first pair of ports, this means that the connection fails.
387 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
388 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log], [4])
390 dnl For the second pair, we allow packets from invalid connections, so it works.
391 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
392 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
394 OVS_TRAFFIC_VSWITCHD_STOP
397 AT_SETUP([conntrack - zones])
399 OVS_TRAFFIC_VSWITCHD_START()
401 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
403 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
404 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
405 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
406 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
408 dnl Allow any traffic from ns0->ns1. Allow return traffic, matching on zone.
409 dnl For ns2->ns3, use a different zone and see that the match fails.
410 AT_DATA([flows.txt], [dnl
411 priority=1,action=drop
412 priority=10,arp,action=normal
413 priority=10,icmp,action=normal
414 priority=100,in_port=1,tcp,action=ct(commit,zone=1),2
415 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
416 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
417 priority=100,in_port=3,tcp,action=ct(commit,zone=2),4
418 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0,zone=2)
419 priority=100,in_port=4,ct_state=+trk,ct_zone=1,tcp,action=3
422 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
424 dnl HTTP requests from p0->p1 should work fine.
425 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
426 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
428 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
429 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
432 dnl HTTP requests from p2->p3 should fail due to network failure.
433 dnl Try 3 times, in 1 second intervals.
434 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
435 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
437 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
438 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=ESTABLISHED)
441 OVS_TRAFFIC_VSWITCHD_STOP
444 AT_SETUP([conntrack - zones from field])
446 OVS_TRAFFIC_VSWITCHD_START()
448 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
450 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
451 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
452 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
453 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
455 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
456 AT_DATA([flows.txt], [dnl
457 priority=1,action=drop
458 priority=10,arp,action=normal
459 priority=10,icmp,action=normal
460 priority=100,in_port=1,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),2
461 priority=100,in_port=2,ct_state=-trk,tcp,action=load:0x1001->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
462 priority=100,in_port=2,ct_state=+trk,ct_zone=0x1001,tcp,action=1
463 priority=100,in_port=3,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(commit,zone=NXM_NX_REG0[[0..15]]),4
464 priority=100,in_port=4,ct_state=-trk,tcp,action=load:0x1002->NXM_NX_REG0[[0..15]],ct(table=0,zone=NXM_NX_REG0[[0..15]])
465 priority=100,in_port=4,ct_state=+trk,ct_zone=0x1001,tcp,action=3
468 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
470 dnl HTTP requests from p0->p1 should work fine.
471 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
472 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
474 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
475 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=4097,protoinfo=(state=TIME_WAIT)
478 dnl HTTP requests from p2->p3 should fail due to network failure.
479 dnl Try 3 times, in 1 second intervals.
480 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
481 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
483 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
484 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),zone=4098,protoinfo=(state=ESTABLISHED)
487 OVS_TRAFFIC_VSWITCHD_STOP
490 AT_SETUP([conntrack - multiple bridges])
492 OVS_TRAFFIC_VSWITCHD_START(
494 add-port br0 patch+ -- set int patch+ type=patch options:peer=patch- --\
495 add-port br1 patch- -- set int patch- type=patch options:peer=patch+ --])
497 ADD_NAMESPACES(at_ns0, at_ns1)
499 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
500 ADD_VETH(p1, at_ns1, br1, "10.1.1.2/24")
502 dnl Allow any traffic from ns0->br1, allow established in reverse.
503 AT_DATA([flows-br0.txt], [dnl
504 priority=1,action=drop
505 priority=10,arp,action=normal
506 priority=10,icmp,action=normal
507 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,zone=1),1
508 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
509 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=1,action=2
512 dnl Allow any traffic from br0->ns1, allow established in reverse.
513 AT_DATA([flows-br1.txt], [dnl
514 priority=1,action=drop
515 priority=10,arp,action=normal
516 priority=10,icmp,action=normal
517 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=2)
518 priority=100,in_port=1,tcp,ct_state=+trk+new,ct_zone=2,action=ct(commit,zone=2),2
519 priority=100,in_port=1,tcp,ct_state=+trk+est,ct_zone=2,action=2
520 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
521 priority=100,in_port=2,tcp,ct_state=+trk+est,ct_zone=2,action=ct(commit,zone=2),1
524 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows-br0.txt])
525 AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt])
527 dnl HTTP requests from p0->p1 should work fine.
528 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
529 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
531 OVS_TRAFFIC_VSWITCHD_STOP
534 AT_SETUP([conntrack - multiple zones])
536 OVS_TRAFFIC_VSWITCHD_START()
538 ADD_NAMESPACES(at_ns0, at_ns1)
540 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
541 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
543 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
544 AT_DATA([flows.txt], [dnl
545 priority=1,action=drop
546 priority=10,arp,action=normal
547 priority=10,icmp,action=normal
548 priority=100,in_port=1,tcp,action=ct(commit,zone=1),ct(commit,zone=2),2
549 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2)
550 priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1
553 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
555 dnl HTTP requests from p0->p1 should work fine.
556 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
557 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
559 dnl (again) HTTP requests from p0->p1 should work fine.
560 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
562 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
563 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=SYN_SENT)
564 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
567 OVS_TRAFFIC_VSWITCHD_STOP
570 AT_SETUP([conntrack - multiple zones, local])
572 OVS_TRAFFIC_VSWITCHD_START()
574 ADD_NAMESPACES(at_ns0)
576 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
577 AT_CHECK([ip link set dev br0 up])
578 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
579 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
581 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
582 dnl return traffic from ns0 back to the local stack.
583 AT_DATA([flows.txt], [dnl
584 priority=1,action=drop
585 priority=10,arp,action=normal
586 priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
587 priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
588 priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
589 priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
590 table=1,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
591 table=2,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
594 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
596 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
597 3 packets transmitted, 3 received, 0% packet loss, time 0ms
600 dnl HTTP requests from root namespace to p0 should work fine.
601 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
602 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
604 dnl (again) HTTP requests from root namespace to p0 should work fine.
605 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
607 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
608 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
609 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=2
610 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
611 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
614 OVS_TRAFFIC_VSWITCHD_STOP
617 AT_SETUP([conntrack - multiple namespaces, internal ports])
619 OVS_TRAFFIC_VSWITCHD_START(
620 [set-fail-mode br0 secure -- ])
622 ADD_NAMESPACES(at_ns0, at_ns1)
624 ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
625 ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")
627 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
629 dnl If skb->nfct is leaking from inside the namespace, this test will fail.
630 AT_DATA([flows.txt], [dnl
631 priority=1,action=drop
632 priority=10,arp,action=normal
633 priority=10,icmp,action=normal
634 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
635 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
636 priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
639 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
641 dnl HTTP requests from p0->p1 should work fine.
642 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
643 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
645 dnl (again) HTTP requests from p0->p1 should work fine.
646 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
648 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
649 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
652 OVS_TRAFFIC_VSWITCHD_STOP(["dnl
653 /ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
654 /removing policing failed: No such device/d"])
657 AT_SETUP([conntrack - multi-stage pipeline, local])
659 OVS_TRAFFIC_VSWITCHD_START()
661 ADD_NAMESPACES(at_ns0)
663 AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
664 AT_CHECK([ip link set dev br0 up])
665 on_exit 'ip addr del dev br0 "10.1.1.1/24"'
666 ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
668 dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
669 dnl return traffic from ns0 back to the local stack.
670 AT_DATA([flows.txt], [dnl
672 table=0,priority=1,action=drop
673 table=0,priority=10,arp,action=normal
675 dnl Load the output port to REG0
676 table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
677 table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
680 dnl - Allow all connections from LOCAL port (commit and proceed to egress)
681 dnl - All other connections go through conntracker using the input port as
682 dnl a connection tracking zone.
683 table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
684 table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
685 table=1,priority=1,action=drop
688 dnl - Allow all connections from LOCAL port (commit and skip to output)
689 dnl - Allow other established connections to go through conntracker using
690 dnl output port as a connection tracking zone.
691 table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
692 table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
693 table=2,priority=1,action=drop
695 dnl Only allow established traffic from egress ct lookup
696 table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
697 table=3,priority=1,action=drop
700 table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
703 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
705 AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
706 3 packets transmitted, 3 received, 0% packet loss, time 0ms
709 dnl HTTP requests from root namespace to p0 should work fine.
710 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
711 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
713 dnl (again) HTTP requests from root namespace to p0 should work fine.
714 AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
716 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
717 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=1
718 icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>),zone=65534
719 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
720 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=TIME_WAIT)
723 OVS_TRAFFIC_VSWITCHD_STOP
726 AT_SETUP([conntrack - ct_mark])
728 OVS_TRAFFIC_VSWITCHD_START()
730 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
732 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
733 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
734 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
735 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
737 dnl Allow traffic between ns0<->ns1 using the ct_mark.
738 dnl Check that different marks do not match for traffic between ns2<->ns3.
739 AT_DATA([flows.txt], [dnl
740 priority=1,action=drop
741 priority=10,arp,action=normal
742 priority=10,icmp,action=normal
743 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_mark)),2
744 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
745 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
746 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:2->ct_mark)),4
747 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
748 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
751 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
753 dnl HTTP requests from p0->p1 should work fine.
754 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
755 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
757 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
758 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=TIME_WAIT)
761 dnl HTTP requests from p2->p3 should fail due to network failure.
762 dnl Try 3 times, in 1 second intervals.
763 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
764 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
766 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
767 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=ESTABLISHED)
770 OVS_TRAFFIC_VSWITCHD_STOP
773 AT_SETUP([conntrack - ct_mark from register])
775 OVS_TRAFFIC_VSWITCHD_START()
777 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
779 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
780 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
781 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
782 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
784 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
785 AT_DATA([flows.txt], [dnl
786 priority=1,action=drop
787 priority=10,arp,action=normal
788 priority=10,icmp,action=normal
789 priority=100,in_port=1,tcp,action=load:1->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),2
790 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
791 priority=100,in_port=2,ct_state=+trk,ct_mark=1,tcp,action=1
792 priority=100,in_port=3,tcp,action=load:2->NXM_NX_REG0[[0..31]],ct(commit,exec(move:NXM_NX_REG0[[0..31]]->NXM_NX_CT_MARK[[]])),4
793 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
794 priority=100,in_port=4,ct_state=+trk,ct_mark=1,tcp,action=3
797 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
799 dnl HTTP requests from p0->p1 should work fine.
800 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
801 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
803 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep TIME], [0], [dnl
804 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),mark=1,protoinfo=(state=TIME_WAIT)
807 dnl HTTP requests from p2->p3 should fail due to network failure.
808 dnl Try 3 times, in 1 second intervals.
809 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
810 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
812 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl
813 tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.4,dst=10.1.1.3,sport=<cleared>,dport=<cleared>),mark=2,protoinfo=(state=ESTABLISHED)
816 OVS_TRAFFIC_VSWITCHD_STOP
819 AT_SETUP([conntrack - ct_label])
821 OVS_TRAFFIC_VSWITCHD_START()
823 ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
825 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
826 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
827 ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
828 ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
830 dnl Allow traffic between ns0<->ns1 using the ct_label.
831 dnl Check that different labels do not match for traffic between ns2<->ns3.
832 AT_DATA([flows.txt], [dnl
833 priority=1,action=drop
834 priority=10,arp,action=normal
835 priority=10,icmp,action=normal
836 priority=100,in_port=1,tcp,action=ct(commit,exec(set_field:0x0a000d000005000001->ct_label)),2
837 priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
838 priority=100,in_port=2,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=1
839 priority=100,in_port=3,tcp,action=ct(commit,exec(set_field:0x2->ct_label)),4
840 priority=100,in_port=4,ct_state=-trk,tcp,action=ct(table=0)
841 priority=100,in_port=4,ct_state=+trk,ct_label=0x0a000d000005000001,tcp,action=3
844 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
846 dnl HTTP requests from p0->p1 should work fine.
847 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
848 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
850 dnl HTTP requests from p2->p3 should fail due to network failure.
851 dnl Try 3 times, in 1 second intervals.
852 NETNS_DAEMONIZE([at_ns3], [[$PYTHON $srcdir/test-l7.py]], [http1.pid])
853 NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 -v -o wget1.log], [4])
855 OVS_TRAFFIC_VSWITCHD_STOP
858 AT_SETUP([conntrack - ICMP related])
860 OVS_TRAFFIC_VSWITCHD_START()
862 ADD_NAMESPACES(at_ns0, at_ns1)
864 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
865 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
867 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
868 AT_DATA([flows.txt], [dnl
869 priority=1,action=drop
870 priority=10,arp,action=normal
871 priority=100,in_port=1,udp,action=ct(commit,exec(set_field:1->ct_mark)),2
872 priority=100,in_port=2,icmp,ct_state=-trk,action=ct(table=0)
873 priority=100,in_port=2,icmp,ct_state=+trk+rel,ct_mark=1,action=1
876 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
878 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
879 dnl We pass "-q 1" here to handle openbsd-style nc that can't quit immediately.
880 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc -q 1 -u 10.1.1.2 10000"])
882 AT_CHECK([ovs-appctl revalidator/purge], [0])
883 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
884 n_packets=1, n_bytes=44, priority=100,udp,in_port=1 actions=ct(commit,exec(load:0x1->NXM_NX_CT_MARK[[]])),output:2
885 n_packets=1, n_bytes=72, priority=100,ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2 actions=output:1
886 n_packets=1, n_bytes=72, priority=100,ct_state=-trk,icmp,in_port=2 actions=ct(table=0)
887 n_packets=2, n_bytes=84, priority=10,arp actions=NORMAL
891 OVS_TRAFFIC_VSWITCHD_STOP
894 AT_SETUP([conntrack - ICMP related 2])
896 OVS_TRAFFIC_VSWITCHD_START()
898 ADD_NAMESPACES(at_ns0, at_ns1)
900 ADD_VETH(p0, at_ns0, br0, "172.16.0.1/24")
901 ADD_VETH(p1, at_ns1, br0, "172.16.0.2/24")
903 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
904 AT_DATA([flows.txt], [dnl
905 priority=1,action=drop
906 priority=10,arp,action=normal
907 priority=100,in_port=1,udp,ct_state=-trk,action=ct(commit,table=0)
908 priority=100,in_port=1,ip,ct_state=+trk,actions=controller
909 priority=100,in_port=2,ip,ct_state=-trk,action=ct(table=0)
910 priority=100,in_port=2,ip,ct_state=+trk+rel+rpl,action=controller
913 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt])
915 AT_CAPTURE_FILE([ofctl_monitor.log])
916 AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl --detach --no-chdir --pidfile 2> ofctl_monitor.log])
918 dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request
919 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f355ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000d20966369616f0a'])
921 dnl 2. Send and UDP packet to port 5555
922 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
924 dnl 3. Send an ICMP port unreach reply for port 5555, related to the first packet
925 AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
927 dnl Check this output. We only see the latter two packets, not the first.
928 AT_CHECK([cat ofctl_monitor.log], [0], [dnl
929 NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
930 udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
931 NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
932 icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
935 OVS_TRAFFIC_VSWITCHD_STOP
938 AT_SETUP([conntrack - FTP])
939 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
941 OVS_TRAFFIC_VSWITCHD_START()
943 ADD_NAMESPACES(at_ns0, at_ns1)
945 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
946 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
948 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
949 AT_DATA([flows1.txt], [dnl
950 priority=1,action=drop
951 priority=10,arp,action=normal
952 priority=10,icmp,action=normal
953 priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
954 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
955 priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
956 priority=100,in_port=2,tcp,ct_state=+trk+rel,action=1
959 dnl Similar policy but without allowing all traffic from ns0->ns1.
960 AT_DATA([flows2.txt], [dnl
961 priority=1,action=drop
962 priority=10,arp,action=normal
963 priority=10,icmp,action=normal
964 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0)
965 priority=100,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
966 priority=100,in_port=1,tcp,ct_state=+trk+est,action=2
967 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
968 priority=100,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
969 priority=100,in_port=2,tcp,ct_state=+trk+est,action=1
970 priority=100,in_port=2,tcp,ct_state=+trk-new+rel,action=1
973 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
975 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
976 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
978 dnl FTP requests from p1->p0 should fail due to network failure.
979 dnl Try 3 times, in 1 second intervals.
980 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
981 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
984 dnl FTP requests from p0->p1 should work fine.
985 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
986 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
987 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
990 dnl Try the second set of flows.
991 AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
992 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
994 dnl FTP requests from p1->p0 should fail due to network failure.
995 dnl Try 3 times, in 1 second intervals.
996 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
997 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
1000 dnl Active FTP requests from p0->p1 should work fine.
1001 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
1002 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1003 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
1004 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
1007 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1009 dnl Passive FTP requests from p0->p1 should work fine.
1010 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
1011 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1012 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
1013 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
1016 OVS_TRAFFIC_VSWITCHD_STOP
1020 AT_SETUP([conntrack - IPv6 FTP])
1021 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1023 OVS_TRAFFIC_VSWITCHD_START()
1025 ADD_NAMESPACES(at_ns0, at_ns1)
1027 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1028 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1030 dnl Allow any traffic from ns0->ns1.
1031 dnl Only allow nd, return traffic from ns1->ns0.
1032 AT_DATA([flows.txt], [dnl
1033 dnl Track all IPv6 traffic and drop the rest.
1034 dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
1035 table=0 priority=100 in_port=1 icmp6, action=2
1036 table=0 priority=100 in_port=2 icmp6, action=1
1037 table=0 priority=10 ip6, action=ct(table=1)
1038 table=0 priority=0 action=drop
1042 dnl Allow new TCPv6 FTP control connections from port 1.
1043 table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
1044 dnl Allow related TCPv6 connections from port 2.
1045 table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
1046 dnl Allow established TCPv6 connections both ways.
1047 table=1 in_port=1 ct_state=+est, tcp6, action=2
1048 table=1 in_port=2 ct_state=+est, tcp6, action=1
1049 dnl Drop everything else.
1050 table=1 priority=0, action=drop
1053 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1055 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1057 dnl FTP requests from p0->p1 should work fine.
1058 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
1060 dnl Discards CLOSE_WAIT and CLOSING
1061 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2) | grep -v "FIN" | grep -v "CLOS"], [0], [dnl
1062 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
1063 tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
1066 OVS_TRAFFIC_VSWITCHD_STOP
1070 AT_SETUP([conntrack - FTP with multiple expectations])
1071 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1073 OVS_TRAFFIC_VSWITCHD_START()
1075 ADD_NAMESPACES(at_ns0, at_ns1)
1077 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1078 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1080 dnl Dual-firewall, allow all from ns1->ns2, allow established and ftp ns2->ns1.
1081 AT_DATA([flows.txt], [dnl
1082 priority=1,action=drop
1083 priority=10,arp,action=normal
1084 priority=10,icmp,action=normal
1085 priority=100,in_port=1,tcp,ct_state=-trk,action=ct(table=0,zone=1)
1086 priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
1087 priority=100,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=0,zone=2)
1088 priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=2)
1089 priority=100,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
1090 priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=2)
1091 priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1092 priority=100,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=0,zone=1)
1093 priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
1094 priority=100,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
1097 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1099 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
1100 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1102 dnl FTP requests from p1->p0 should fail due to network failure.
1103 dnl Try 3 times, in 1 second intervals.
1104 NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
1105 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
1108 dnl Active FTP requests from p0->p1 should work fine.
1109 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1110 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1111 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT),helper=ftp
1112 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT),helper=ftp
1113 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1114 tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
1117 AT_CHECK([ovs-appctl dpctl/flush-conntrack])
1119 dnl Passive FTP requests from p0->p1 should work fine.
1120 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1121 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1122 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1123 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT),helper=ftp
1124 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT)
1125 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=TIME_WAIT),helper=ftp
1128 OVS_TRAFFIC_VSWITCHD_STOP
1131 AT_SETUP([conntrack - IPv4 fragmentation ])
1133 OVS_TRAFFIC_VSWITCHD_START()
1135 ADD_NAMESPACES(at_ns0, at_ns1)
1137 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1138 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1140 dnl Sending ping through conntrack
1141 AT_DATA([flows.txt], [dnl
1142 priority=1,action=drop
1143 priority=10,arp,action=normal
1144 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1145 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1146 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1149 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1151 dnl Basic connectivity check.
1152 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1153 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1156 dnl Ipv4 fragmentation connectivity check.
1157 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1158 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1161 dnl Ipv4 larger fragmentation connectivity check.
1162 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
1163 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1166 OVS_TRAFFIC_VSWITCHD_STOP
1169 AT_SETUP([conntrack - IPv4 fragmentation + vlan])
1171 OVS_TRAFFIC_VSWITCHD_START()
1173 ADD_NAMESPACES(at_ns0, at_ns1)
1175 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1176 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1177 ADD_VLAN(p0, at_ns0, 100, "10.2.2.1/24")
1178 ADD_VLAN(p1, at_ns1, 100, "10.2.2.2/24")
1180 dnl Sending ping through conntrack
1181 AT_DATA([flows.txt], [dnl
1182 priority=1,action=drop
1183 priority=10,arp,action=normal
1184 priority=100,in_port=1,icmp,action=ct(commit,zone=9),2
1185 priority=100,in_port=2,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1186 priority=100,in_port=2,ct_state=+trk+est-new,icmp,action=1
1189 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1191 dnl Basic connectivity check.
1192 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1193 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1196 dnl Ipv4 fragmentation connectivity check.
1197 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1198 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1201 dnl Ipv4 larger fragmentation connectivity check.
1202 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.2.2.2 | FORMAT_PING], [0], [dnl
1203 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1206 OVS_TRAFFIC_VSWITCHD_STOP
1209 AT_SETUP([conntrack - IPv6 fragmentation])
1211 OVS_TRAFFIC_VSWITCHD_START()
1213 ADD_NAMESPACES(at_ns0, at_ns1)
1215 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1216 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1218 dnl Sending ping through conntrack
1219 AT_DATA([flows.txt], [dnl
1220 priority=1,action=drop
1221 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1222 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1223 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1224 priority=100,icmp6,icmp_type=135,action=normal
1225 priority=100,icmp6,icmp_type=136,action=normal
1228 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1230 dnl Without this sleep, we get occasional failures due to the following error:
1231 dnl "connect: Cannot assign requested address"
1234 dnl Basic connectivity check.
1235 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1236 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1239 dnl Ipv4 fragmentation connectivity check.
1240 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1241 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1244 dnl Ipv4 larger fragmentation connectivity check.
1245 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00::2 | FORMAT_PING], [0], [dnl
1246 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1249 OVS_TRAFFIC_VSWITCHD_STOP
1252 AT_SETUP([conntrack - IPv6 fragmentation + vlan])
1254 OVS_TRAFFIC_VSWITCHD_START()
1256 ADD_NAMESPACES(at_ns0, at_ns1)
1258 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1259 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1261 ADD_VLAN(p0, at_ns0, 100, "fc00:1::3/96")
1262 ADD_VLAN(p1, at_ns1, 100, "fc00:1::4/96")
1264 dnl Sending ping through conntrack
1265 AT_DATA([flows.txt], [dnl
1266 priority=1,action=drop
1267 priority=10,in_port=1,ipv6,action=ct(commit,zone=9),2
1268 priority=10,in_port=2,ct_state=-trk,ipv6,action=ct(table=0,zone=9)
1269 priority=10,in_port=2,ct_state=+trk+est-new,ipv6,action=1
1270 priority=100,icmp6,icmp_type=135,action=normal
1271 priority=100,icmp6,icmp_type=136,action=normal
1274 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1276 dnl Without this sleep, we get occasional failures due to the following error:
1277 dnl "connect: Cannot assign requested address"
1280 dnl Basic connectivity check.
1281 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1282 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1285 dnl Ipv4 fragmentation connectivity check.
1286 NS_CHECK_EXEC([at_ns0], [ping6 -s 1600 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1287 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1290 dnl Ipv4 larger fragmentation connectivity check.
1291 NS_CHECK_EXEC([at_ns0], [ping6 -s 3200 -q -c 3 -i 0.3 -w 2 fc00:1::4 | FORMAT_PING], [0], [dnl
1292 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1295 OVS_TRAFFIC_VSWITCHD_STOP
1298 AT_SETUP([conntrack - Fragmentation over vxlan])
1302 OVS_TRAFFIC_VSWITCHD_START()
1303 ADD_BR([br-underlay])
1304 AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"])
1306 ADD_NAMESPACES(at_ns0)
1308 dnl Sending ping through conntrack
1309 AT_DATA([flows.txt], [dnl
1310 priority=1,action=drop
1311 priority=10,arp,action=normal
1312 priority=100,in_port=1,icmp,action=ct(commit,zone=9),LOCAL
1313 priority=100,in_port=LOCAL,ct_state=-trk,icmp,action=ct(table=0,zone=9)
1314 priority=100,in_port=LOCAL,ct_state=+trk+est,icmp,action=1
1317 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1319 dnl Set up underlay link from host into the namespace using veth pair.
1320 ADD_VETH(p0, at_ns0, br-underlay, "172.31.1.1/24")
1321 AT_CHECK([ip addr add dev br-underlay "172.31.1.100/24"])
1322 AT_CHECK([ip link set dev br-underlay up])
1324 dnl Set up tunnel endpoints on OVS outside the namespace and with a native
1325 dnl linux device inside the namespace.
1326 ADD_OVS_TUNNEL([vxlan], [br0], [at_ns0], [172.31.1.1], [10.1.1.100/24])
1327 ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24],
1328 [id 0 dstport 4789])
1330 dnl First, check the underlay
1331 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 172.31.1.100 | FORMAT_PING], [0], [dnl
1332 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1335 dnl Okay, now check the overlay with different packet sizes
1336 NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1337 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1339 NS_CHECK_EXEC([at_ns0], [ping -s 1600 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1340 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1342 NS_CHECK_EXEC([at_ns0], [ping -s 3200 -q -c 3 -i 0.3 -w 2 10.1.1.100 | FORMAT_PING], [0], [dnl
1343 3 packets transmitted, 3 received, 0% packet loss, time 0ms
1346 OVS_TRAFFIC_VSWITCHD_STOP
1350 AT_SETUP([conntrack - resubmit to ct multiple times])
1353 OVS_TRAFFIC_VSWITCHD_START(
1354 [set-fail-mode br0 secure -- ])
1356 ADD_NAMESPACES(at_ns0, at_ns1)
1358 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1359 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1361 AT_DATA([flows.txt], [dnl
1362 table=0,priority=150,arp,action=normal
1363 table=0,priority=100,ip,in_port=1,action=resubmit(,1),resubmit(,2)
1365 table=1,priority=100,ip,action=ct(table=3)
1366 table=2,priority=100,ip,action=ct(table=3)
1368 table=3,ip,action=drop
1371 AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
1373 NS_CHECK_EXEC([at_ns0], [ping -q -c 1 10.1.1.2 | FORMAT_PING], [0], [dnl
1374 1 packets transmitted, 0 received, 100% packet loss, time 0ms
1377 AT_CHECK([ovs-ofctl dump-flows br0 | ofctl_strip | sort], [0], [dnl
1378 n_packets=1, n_bytes=98, priority=100,ip,in_port=1 actions=resubmit(,1),resubmit(,2)
1379 n_packets=2, n_bytes=84, priority=150,arp actions=NORMAL
1380 table=1, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1381 table=2, n_packets=1, n_bytes=98, priority=100,ip actions=ct(table=3)
1382 table=3, n_packets=2, n_bytes=196, ip actions=drop
1386 OVS_TRAFFIC_VSWITCHD_STOP
1390 AT_SETUP([conntrack - simple SNAT])
1392 OVS_TRAFFIC_VSWITCHD_START()
1394 ADD_NAMESPACES(at_ns0, at_ns1)
1396 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1397 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1398 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1400 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1401 AT_DATA([flows.txt], [dnl
1402 in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
1403 in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)
1404 in_port=2,ct_state=+trk,ct_zone=1,ip,action=1
1407 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1408 priority=10 arp action=normal
1409 priority=0,action=drop
1411 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
1412 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1413 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1414 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1416 dnl Swaps the fields of the ARP message to turn a query to a response.
1417 table=10 priority=100 arp xreg0=0 action=normal
1418 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1419 table=10 priority=0 action=drop
1422 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1424 dnl HTTP requests from p0->p1 should work fine.
1425 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1426 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
1428 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
1429 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1432 OVS_TRAFFIC_VSWITCHD_STOP
1436 AT_SETUP([conntrack - SNAT with port range])
1438 OVS_TRAFFIC_VSWITCHD_START()
1440 ADD_NAMESPACES(at_ns0, at_ns1)
1442 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1443 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1444 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1446 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1447 AT_DATA([flows.txt], [dnl
1448 in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255:34567-34568,random)),2
1449 in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat)
1450 in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat)
1451 in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
1454 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1455 priority=10 arp action=normal
1456 priority=0,action=drop
1458 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
1459 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1460 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1461 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1463 dnl Swaps the fields of the ARP message to turn a query to a response.
1464 table=10 priority=100 arp xreg0=0 action=normal
1465 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1466 table=10 priority=0 action=drop
1469 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1471 dnl HTTP requests from p0->p1 should work fine.
1472 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1473 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
1475 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
1476 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1479 OVS_TRAFFIC_VSWITCHD_STOP
1483 AT_SETUP([conntrack - more complex SNAT])
1485 OVS_TRAFFIC_VSWITCHD_START()
1487 ADD_NAMESPACES(at_ns0, at_ns1)
1489 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1490 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1491 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1493 AT_DATA([flows.txt], [dnl
1494 dnl Track all IP traffic, NAT existing connections.
1495 priority=100 ip action=ct(table=1,zone=1,nat)
1497 dnl Allow ARP, but generate responses for NATed addresses
1498 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1499 priority=10 arp action=normal
1500 priority=0 action=drop
1502 dnl Allow any traffic from ns0->ns1. SNAT ns0 to 10.1.1.240-10.1.1.255
1503 table=1 priority=100 in_port=1 ip ct_state=+trk+new-est action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2
1504 table=1 priority=100 in_port=1 ip ct_state=+trk-new+est action=2
1505 dnl Only allow established traffic from ns1->ns0.
1506 table=1 priority=100 in_port=2 ip ct_state=+trk-new+est action=1
1507 table=1 priority=0 action=drop
1509 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
1510 table=8 priority=100 reg2=0x0a0101f0/0xfffffff0 action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1511 dnl Zero result means not found.
1512 table=8 priority=0 action=load:0->OXM_OF_PKT_REG0[[]]
1513 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1514 dnl ARP TPA IP in reg2.
1515 table=10 priority=100 arp xreg0=0 action=normal
1516 dnl Swaps the fields of the ARP message to turn a query to a response.
1517 table=10 priority=10 arp arp_op=1 action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1518 table=10 priority=0 action=drop
1521 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1523 dnl HTTP requests from p0->p1 should work fine.
1524 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1525 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
1527 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
1528 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1531 OVS_TRAFFIC_VSWITCHD_STOP
1534 AT_SETUP([conntrack - simple DNAT])
1536 OVS_TRAFFIC_VSWITCHD_START()
1538 ADD_NAMESPACES(at_ns0, at_ns1)
1540 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1541 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1542 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
1544 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1545 AT_DATA([flows.txt], [dnl
1546 priority=100 in_port=1,ip,nw_dst=10.1.1.64,action=ct(zone=1,nat(dst=10.1.1.2),commit),2
1547 priority=10 in_port=1,ip,action=ct(commit,zone=1),2
1548 priority=100 in_port=2,ct_state=-trk,ip,action=ct(table=0,nat,zone=1)
1549 priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip,action=1
1552 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1553 priority=10 arp action=normal
1554 priority=0,action=drop
1556 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
1557 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1558 dnl Zero result means not found.
1559 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1560 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1562 table=10 priority=100 arp xreg0=0 action=normal
1563 dnl Swaps the fields of the ARP message to turn a query to a response.
1564 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1565 table=10 priority=0 action=drop
1568 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1570 dnl Should work with the virtual IP address through NAT
1571 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1572 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
1574 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64) ], [0], [dnl
1575 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1578 dnl Should work with the assigned IP address as well
1579 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1581 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) ], [0], [dnl
1582 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1585 OVS_TRAFFIC_VSWITCHD_STOP
1588 AT_SETUP([conntrack - more complex DNAT])
1590 OVS_TRAFFIC_VSWITCHD_START()
1592 ADD_NAMESPACES(at_ns0, at_ns1)
1594 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1595 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1596 NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:88:88:88:88:88])
1598 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1599 AT_DATA([flows.txt], [dnl
1600 dnl Track all IP traffic
1601 table=0 priority=100 ip action=ct(table=1,zone=1,nat)
1603 dnl Allow ARP, but generate responses for NATed addresses
1604 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1605 table=0 priority=10 arp action=normal
1606 table=0 priority=0 action=drop
1608 dnl Allow any IP traffic from ns0->ns1. DNAT ns0 from 10.1.1.64 to 10.1.1.2
1609 table=1 priority=100 in_port=1 ct_state=+new ip nw_dst=10.1.1.64 action=ct(zone=1,nat(dst=10.1.1.2),commit),2
1610 table=1 priority=10 in_port=1 ct_state=+new ip action=ct(commit,zone=1),2
1611 table=1 priority=100 in_port=1 ct_state=+est ct_zone=1 action=2
1612 dnl Only allow established traffic from ns1->ns0.
1613 table=1 priority=100 in_port=2 ct_state=+est ct_zone=1 action=1
1614 table=1 priority=0 action=drop
1616 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
1617 table=8,reg2=0x0a010140,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1618 dnl Zero result means not found.
1619 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1620 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1622 table=10 priority=100 arp xreg0=0 action=normal
1623 dnl Swaps the fields of the ARP message to turn a query to a response.
1624 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1625 table=10 priority=0 action=drop
1628 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1630 dnl Should work with the virtual IP address through NAT
1631 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
1632 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.64 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
1634 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.64) ], [0], [dnl
1635 tcp,orig=(src=10.1.1.1,dst=10.1.1.64,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1638 dnl Should work with the assigned IP address as well
1639 NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1641 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) ], [0], [dnl
1642 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=TIME_WAIT)
1645 OVS_TRAFFIC_VSWITCHD_STOP
1648 AT_SETUP([conntrack - ICMP related with NAT])
1650 OVS_TRAFFIC_VSWITCHD_START()
1652 ADD_NAMESPACES(at_ns0, at_ns1)
1654 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1655 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1656 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1658 dnl Allow UDP traffic from ns0->ns1. Only allow related ICMP responses back.
1659 dnl Make sure ICMP responses are reverse-NATted.
1660 AT_DATA([flows.txt], [dnl
1661 in_port=1,udp,action=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:1->ct_mark)),2
1662 in_port=2,icmp,ct_state=-trk,action=ct(table=0,nat)
1663 in_port=2,icmp,nw_dst=10.1.1.1,ct_state=+trk+rel,ct_mark=1,action=1
1666 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1667 priority=10 arp action=normal
1668 priority=0,action=drop
1670 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
1671 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1672 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1673 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1675 dnl Swaps the fields of the ARP message to turn a query to a response.
1676 table=10 priority=100 arp xreg0=0 action=normal
1677 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1678 table=10 priority=0 action=drop
1681 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1683 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
1684 dnl We pass "-q 1" here to handle openbsd-style nc that can't quit immediately.
1685 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc -q 1 -u 10.1.1.2 10000"])
1687 AT_CHECK([ovs-appctl revalidator/purge], [0])
1688 AT_CHECK([ovs-ofctl -O OpenFlow15 dump-flows br0 | ofctl_strip | sort | grep -v drop], [0], [dnl
1689 n_packets=1, n_bytes=42, priority=10,arp actions=NORMAL
1690 n_packets=1, n_bytes=44, udp,in_port=1 actions=ct(commit,nat(src=10.1.1.240-10.1.1.255),exec(set_field:0x1->ct_mark)),output:2
1691 n_packets=1, n_bytes=72, ct_state=+rel+trk,ct_mark=0x1,icmp,in_port=2,nw_dst=10.1.1.1 actions=output:1
1692 n_packets=1, n_bytes=72, ct_state=-trk,icmp,in_port=2 actions=ct(table=0,nat)
1693 n_packets=2, n_bytes=84, priority=100,arp,arp_op=1 actions=move:NXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1694 table=10, n_packets=1, n_bytes=42, priority=10,arp,arp_op=1 actions=set_field:2->arp_op,move:NXM_NX_ARP_SHA[[]]->NXM_NX_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_NX_ARP_SHA[[]],move:NXM_OF_ARP_SPA[[]]->NXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->NXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],set_field:0->in_port,output:NXM_NX_REG3[[0..15]]
1695 table=10, n_packets=1, n_bytes=42, priority=100,arp,reg0=0,reg1=0 actions=NORMAL
1696 table=8, n_packets=1, n_bytes=42, priority=0 actions=set_field:0->xreg0
1697 table=8, n_packets=1, n_bytes=42, reg2=0xa0101f0/0xfffffff0 actions=set_field:0x808888888888->xreg0
1698 OFPST_FLOW reply (OF1.5):
1701 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
1702 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),mark=1
1705 OVS_TRAFFIC_VSWITCHD_STOP
1709 AT_SETUP([conntrack - FTP with NAT])
1710 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1713 OVS_TRAFFIC_VSWITCHD_START()
1715 ADD_NAMESPACES(at_ns0, at_ns1)
1717 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1718 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1719 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1721 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1723 AT_DATA([flows.txt], [dnl
1724 dnl track all IP traffic, de-mangle non-NEW connections
1725 table=0 in_port=1, ip, action=ct(table=1,nat)
1726 table=0 in_port=2, ip, action=ct(table=2,nat)
1730 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1731 table=0 priority=10 arp action=normal
1732 table=0 priority=0 action=drop
1734 dnl Table 1: port 1 -> 2
1736 dnl Allow new FTP connections. These need to be commited.
1737 table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
1738 dnl Allow established TCP connections, make sure they are NATted already.
1739 table=1 ct_state=+est, tcp, nw_src=10.1.1.240, action=2
1741 dnl Table 1: droppers
1743 table=1 priority=10, tcp, action=drop
1744 table=1 priority=0,action=drop
1746 dnl Table 2: port 2 -> 1
1748 dnl Allow established TCP connections, make sure they are reverse NATted
1749 table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
1750 dnl Allow (new) related (data) connections. These need to be commited.
1751 table=2 ct_state=+new+rel, tcp, nw_dst=10.1.1.240, action=ct(commit,nat),1
1752 dnl Allow related ICMP packets, make sure they are reverse NATted
1753 table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
1755 dnl Table 2: droppers
1757 table=2 priority=10, tcp, action=drop
1758 table=2 priority=0, action=drop
1760 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
1762 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1763 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1764 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1766 dnl Swaps the fields of the ARP message to turn a query to a response.
1767 table=10 priority=100 arp xreg0=0 action=normal
1768 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1769 table=10 priority=0 action=drop
1772 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1774 dnl NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
1775 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1777 dnl FTP requests from p0->p1 should work fine.
1778 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
1780 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
1781 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
1782 tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
1785 OVS_TRAFFIC_VSWITCHD_STOP
1789 AT_SETUP([conntrack - FTP with NAT 2])
1790 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1792 OVS_TRAFFIC_VSWITCHD_START()
1794 ADD_NAMESPACES(at_ns0, at_ns1)
1796 ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
1797 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1798 ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
1800 dnl Allow any traffic from ns0->ns1.
1801 dnl Only allow nd, return traffic from ns1->ns0.
1802 AT_DATA([flows.txt], [dnl
1803 dnl track all IP traffic (this includes a helper call to non-NEW packets.)
1804 table=0 ip, action=ct(table=1)
1808 table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
1809 table=0 priority=10 arp action=normal
1810 table=0 priority=0 action=drop
1814 dnl Allow new FTP connections. These need to be commited.
1815 dnl This does helper for new packets.
1816 table=1 in_port=1 ct_state=+new, tcp, tp_dst=21, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
1817 dnl Allow and NAT established TCP connections
1818 table=1 in_port=1 ct_state=+est, tcp, action=ct(nat),2
1819 table=1 in_port=2 ct_state=+est, tcp, action=ct(nat),1
1820 dnl Allow and NAT (new) related active (data) connections.
1821 dnl These need to be commited.
1822 table=1 in_port=2 ct_state=+new+rel, tcp, action=ct(commit,nat),1
1823 dnl Allow related ICMP packets.
1824 table=1 in_port=2 ct_state=+rel, icmp, action=ct(nat),1
1825 dnl Drop everything else.
1826 table=1 priority=0, action=drop
1828 dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
1830 table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
1831 table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
1832 dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
1834 dnl Swaps the fields of the ARP message to turn a query to a response.
1835 table=10 priority=100 arp xreg0=0 action=normal
1836 table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
1837 table=10 priority=0 action=drop
1840 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1842 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1844 dnl FTP requests from p0->p1 should work fine.
1845 NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
1847 dnl Discards CLOSE_WAIT and CLOSING
1848 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep -v "FIN" | grep -v "CLOS"], [0], [dnl
1849 tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
1850 tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
1853 OVS_TRAFFIC_VSWITCHD_STOP
1856 AT_SETUP([conntrack - IPv6 HTTP with NAT])
1858 OVS_TRAFFIC_VSWITCHD_START()
1860 ADD_NAMESPACES(at_ns0, at_ns1)
1862 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1863 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1864 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1865 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
1867 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
1868 AT_DATA([flows.txt], [dnl
1869 priority=1,action=drop
1870 priority=10,icmp6,action=normal
1871 priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240)),2
1872 priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
1873 priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
1874 priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1
1877 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1879 dnl Without this sleep, we get occasional failures due to the following error:
1880 dnl "connect: Cannot assign requested address"
1883 dnl HTTP requests from ns0->ns1 should work fine.
1884 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py http6]], [http0.pid])
1886 NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
1888 dnl HTTP requests from ns1->ns0 should fail due to network failure.
1889 dnl Try 3 times, in 1 second intervals.
1890 NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py http6]], [http1.pid])
1891 NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
1893 OVS_TRAFFIC_VSWITCHD_STOP
1897 AT_SETUP([conntrack - IPv6 FTP with NAT])
1898 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
1900 OVS_TRAFFIC_VSWITCHD_START()
1902 ADD_NAMESPACES(at_ns0, at_ns1)
1904 ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
1905 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
1906 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
1907 dnl Would be nice if NAT could translate neighbor discovery messages, too.
1908 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
1910 dnl Allow any traffic from ns0->ns1.
1911 dnl Only allow nd, return traffic from ns1->ns0.
1912 AT_DATA([flows.txt], [dnl
1913 dnl Allow other ICMPv6 both ways (without commit).
1914 table=1 priority=100 in_port=1 icmp6, action=2
1915 table=1 priority=100 in_port=2 icmp6, action=1
1916 dnl track all IPv6 traffic (this includes NAT & help to non-NEW packets.)
1917 table=0 priority=10 ip6, action=ct(nat,table=1)
1918 table=0 priority=0 action=drop
1922 dnl Allow new TCPv6 FTP control connections.
1923 table=1 in_port=1 ct_state=+new tcp6 ipv6_src=fc00::1 tp_dst=21 action=ct(alg=ftp,commit,nat(src=fc00::240)),2
1924 dnl Allow related TCPv6 connections from port 2 to the NATted address.
1925 table=1 in_port=2 ct_state=+new+rel tcp6 ipv6_dst=fc00::240 action=ct(commit,nat),1
1926 dnl Allow established TCPv6 connections both ways, enforce NATting
1927 table=1 in_port=1 ct_state=+est tcp6 ipv6_src=fc00::240 action=2
1928 table=1 in_port=2 ct_state=+est tcp6 ipv6_dst=fc00::1 action=1
1929 dnl Drop everything else.
1930 table=1 priority=0, action=drop
1933 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
1935 NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
1937 dnl FTP requests from p0->p1 should work fine.
1938 NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d])
1940 dnl Discards CLOSE_WAIT and CLOSING
1941 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2) | grep -v "FIN" | grep -v "CLOS"], [0], [dnl
1942 tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT),helper=ftp
1943 tcp,orig=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)
1946 OVS_TRAFFIC_VSWITCHD_STOP