Message ID | 20161220212829.19947-4-joe@ovn.org |
---|---|
State | Accepted |
2016-12-20 13:28 GMT-08:00 Joe Stringer <joe@ovn.org>:
> Signed-off-by: Joe Stringer <joe@ovn.org>

I haven't looked at this line by line, but as long as you just moved code around:

Acked-by: Daniele Di Proietto <diproiettod@vmware.com>

> ---
> tests/system-traffic.at | 898 ++++++++++++++++++++++++------------------------
> 1 file changed, 449 insertions(+), 449 deletions(-)
>
> diff --git a/tests/system-traffic.at b/tests/system-traffic.at
> index 14fbf4518fdf..8e424c56031c 100644
> --- a/tests/system-traffic.at
> +++ b/tests/system-traffic.at
> @@ -649,84 +649,6 @@ udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.
> OVS_TRAFFIC_VSWITCHD_STOP
> AT_CLEANUP
>
> -AT_SETUP([conntrack - IPv4 HTTP])
> -CHECK_CONNTRACK()
> -OVS_TRAFFIC_VSWITCHD_START()
> -
> -ADD_NAMESPACES(at_ns0, at_ns1)
> -
> -ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
> -ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
> -
> -dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
> -AT_DATA([flows.txt], [dnl
> -priority=1,action=drop
> -priority=10,arp,action=normal
> -priority=10,icmp,action=normal
> -priority=100,in_port=1,tcp,action=ct(commit),2
> -priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
> -priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
> -])
> -
> -AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> -
> -OVS_START_L7([at_ns0], [http])
> -OVS_START_L7([at_ns1], [http])
> -
> -dnl HTTP requests from ns0->ns1 should work fine.
> -NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
> -])
> -
> -dnl HTTP requests from ns1->ns0 should fail due to network failure.
> -dnl Try 3 times, in 1 second intervals.
> -NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])
> -
> -OVS_TRAFFIC_VSWITCHD_STOP
> -AT_CLEANUP
> -
> -AT_SETUP([conntrack - IPv6 HTTP])
> -CHECK_CONNTRACK()
> -OVS_TRAFFIC_VSWITCHD_START()
> -
> -ADD_NAMESPACES(at_ns0, at_ns1)
> -
> -ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
> -ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
> -
> -dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
> -AT_DATA([flows.txt], [dnl
> -priority=1,action=drop
> -priority=10,icmp6,action=normal
> -priority=100,in_port=1,tcp6,action=ct(commit),2
> -priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
> -priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
> -])
> -
> -AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> -
> -dnl Linux seems to take a little time to get its IPv6 stack in order. Without
> -dnl waiting, we get occasional failures due to the following error:
> -dnl "connect: Cannot assign requested address"
> -OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
> -
> -OVS_START_L7([at_ns0], [http6])
> -OVS_START_L7([at_ns1], [http6])
> -
> -dnl HTTP requests from ns0->ns1 should work fine.
> -NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
> -tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
> -])
> -
> -dnl HTTP requests from ns1->ns0 should fail due to network failure.
> -dnl Try 3 times, in 1 second intervals.
> -NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
> -
> -OVS_TRAFFIC_VSWITCHD_STOP
> -AT_CLEANUP
> -
> AT_SETUP([conntrack - IPv4 ping])
> CHECK_CONNTRACK()
> OVS_TRAFFIC_VSWITCHD_START()
> @@ -815,47 +737,6 @@ icmpv6,orig=(src=fc00::1,dst=fc00::2,id=<cleared>,type=128,code=0),reply=(src=fc
> OVS_TRAFFIC_VSWITCHD_STOP
> AT_CLEANUP
>
> -AT_SETUP([conntrack - commit, recirc])
> -CHECK_CONNTRACK()
> -OVS_TRAFFIC_VSWITCHD_START()
> -
> -ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
> -
> -ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
> -ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
> -ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
> -ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
> -
> -dnl Allow any traffic from ns0->ns1, ns2->ns3.
> -AT_DATA([flows.txt], [dnl
> -priority=1,action=drop
> -priority=10,arp,action=normal
> -priority=10,icmp,action=normal
> -priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
> -priority=100,in_port=1,tcp,ct_state=+trk,action=2
> -priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
> -priority=100,in_port=2,tcp,ct_state=+trk,action=1
> -priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
> -priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
> -priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
> -priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
> -priority=100,in_port=4,tcp,ct_state=+trk,action=3
> -])
> -
> -AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> -
> -OVS_START_L7([at_ns1], [http])
> -OVS_START_L7([at_ns3], [http])
> -
> -dnl HTTP requests from p0->p1 should work fine.
> -NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> -
> -dnl HTTP requests from p2->p3 should work fine.
> -NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
> -
> -OVS_TRAFFIC_VSWITCHD_STOP
> -AT_CLEANUP
> -
> AT_SETUP([conntrack - preserve registers])
> CHECK_CONNTRACK()
> OVS_TRAFFIC_VSWITCHD_START()
> @@ -1116,55 +997,6 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=
> OVS_TRAFFIC_VSWITCHD_STOP
> AT_CLEANUP
>
> -AT_SETUP([conntrack - multiple zones, local])
> -CHECK_CONNTRACK()
> -CHECK_CONNTRACK_LOCAL_STACK()
> -OVS_TRAFFIC_VSWITCHD_START()
> -
> -ADD_NAMESPACES(at_ns0)
> -
> -AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
> -AT_CHECK([ip link set dev br0 up])
> -on_exit 'ip addr del dev br0 "10.1.1.1/24"'
> -ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
> -
> -dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
> -dnl return traffic from ns0 back to the local stack.
> -AT_DATA([flows.txt], [dnl
> -priority=1,action=drop
> -priority=10,arp,action=normal
> -priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
> -priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
> -priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
> -priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
> -table=1,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
> -table=2,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
> -])
> -
> -AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> -
> -AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
> -3 packets transmitted, 3 received, 0% packet loss, time 0ms
> -])
> -
> -OVS_START_L7([at_ns0], [http])
> -
> -dnl HTTP requests from root namespace to p0 should work fine.
> -AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> -
> -dnl (again) HTTP requests from root namespace to p0 should work fine.
> -AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> -
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
> -icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
> -icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=2
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
> -])
> -
> -OVS_TRAFFIC_VSWITCHD_STOP
> -AT_CLEANUP
> -
> AT_SETUP([conntrack - multiple namespaces, internal ports])
> CHECK_CONNTRACK()
> CHECK_CONNTRACK_LOCAL_STACK()
> @@ -1207,77 +1039,6 @@ OVS_TRAFFIC_VSWITCHD_STOP(["dnl
> /removing policing failed: No such device/d"])
> AT_CLEANUP
>
> -AT_SETUP([conntrack - multi-stage pipeline, local])
> -CHECK_CONNTRACK()
> -CHECK_CONNTRACK_LOCAL_STACK()
> -OVS_TRAFFIC_VSWITCHD_START()
> -
> -ADD_NAMESPACES(at_ns0)
> -
> -AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
> -AT_CHECK([ip link set dev br0 up])
> -on_exit 'ip addr del dev br0 "10.1.1.1/24"'
> -ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
> -
> -dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
> -dnl return traffic from ns0 back to the local stack.
> -AT_DATA([flows.txt], [dnl
> -dnl default
> -table=0,priority=1,action=drop
> -table=0,priority=10,arp,action=normal
> -
> -dnl Load the output port to REG0
> -table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
> -table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
> -
> -dnl Ingress pipeline
> -dnl - Allow all connections from LOCAL port (commit and proceed to egress)
> -dnl - All other connections go through conntracker using the input port as
> -dnl a connection tracking zone.
> -table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
> -table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
> -table=1,priority=1,action=drop
> -
> -dnl Egress pipeline
> -dnl - Allow all connections from LOCAL port (commit and skip to output)
> -dnl - Allow other established connections to go through conntracker using
> -dnl output port as a connection tracking zone.
> -table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
> -table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
> -table=2,priority=1,action=drop
> -
> -dnl Only allow established traffic from egress ct lookup
> -table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
> -table=3,priority=1,action=drop
> -
> -dnl output table
> -table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
> -])
> -
> -AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> -
> -AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
> -3 packets transmitted, 3 received, 0% packet loss, time 0ms
> -])
> -
> -OVS_START_L7([at_ns0], [http])
> -
> -dnl HTTP requests from root namespace to p0 should work fine.
> -AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> -
> -dnl (again) HTTP requests from root namespace to p0 should work fine.
> -AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> -
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
> -icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
> -icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=65534
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=<cleared>)
> -])
> -
> -OVS_TRAFFIC_VSWITCHD_STOP
> -AT_CLEANUP
> -
> AT_SETUP([conntrack - ct_mark])
> CHECK_CONNTRACK()
> OVS_TRAFFIC_VSWITCHD_START()
> @@ -1600,217 +1361,9 @@ icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=17
> OVS_TRAFFIC_VSWITCHD_STOP
> AT_CLEANUP
>
> -AT_SETUP([conntrack - FTP])
> -AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
> +AT_SETUP([conntrack - IPv4 fragmentation ])
> CHECK_CONNTRACK()
> -CHECK_CONNTRACK_ALG()
> -OVS_TRAFFIC_VSWITCHD_START()
> -
> -ADD_NAMESPACES(at_ns0, at_ns1)
> -
> -ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
> -ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
> -
> -dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
> -AT_DATA([flows1.txt], [dnl
> -table=0,priority=1,action=drop
> -table=0,priority=10,arp,action=normal
> -table=0,priority=10,icmp,action=normal
> -table=0,priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
> -table=0,priority=100,in_port=2,tcp,action=ct(table=1)
> -table=1,in_port=2,tcp,ct_state=+trk+est,action=1
> -table=1,in_port=2,tcp,ct_state=+trk+rel,action=1
> -])
> -
> -dnl Similar policy but without allowing all traffic from ns0->ns1.
> -AT_DATA([flows2.txt], [dnl
> -table=0,priority=1,action=drop
> -table=0,priority=10,arp,action=normal
> -table=0,priority=10,icmp,action=normal
> -
> -dnl Allow outgoing TCP connections, and treat them as FTP
> -table=0,priority=100,in_port=1,tcp,action=ct(table=1)
> -table=1,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
> -table=1,in_port=1,tcp,ct_state=+trk+est,action=2
> -
> -dnl Allow incoming FTP data connections and responses to existing connections
> -table=0,priority=100,in_port=2,tcp,action=ct(table=1)
> -table=1,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
> -table=1,in_port=2,tcp,ct_state=+trk+est,action=1
> -table=1,in_port=2,tcp,ct_state=+trk-new+rel,action=1
> -])
> -
> -AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
> -
> -OVS_START_L7([at_ns0], [ftp])
> -OVS_START_L7([at_ns1], [ftp])
> -
> -dnl FTP requests from p1->p0 should fail due to network failure.
> -dnl Try 3 times, in 1 second intervals.
> -NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
> -])
> -
> -dnl FTP requests from p0->p1 should work fine.
> -NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
> -])
> -
> -dnl Try the second set of flows.
> -AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
> -AT_CHECK([ovs-appctl dpctl/flush-conntrack])
> -
> -dnl FTP requests from p1->p0 should fail due to network failure.
> -dnl Try 3 times, in 1 second intervals.
> -NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
> -])
> -
> -dnl Active FTP requests from p0->p1 should work fine.
> -NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
> -tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
> -])
> -
> -AT_CHECK([ovs-appctl dpctl/flush-conntrack])
> -
> -dnl Passive FTP requests from p0->p1 should work fine.
> -NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
> -])
> -
> -OVS_TRAFFIC_VSWITCHD_STOP
> -AT_CLEANUP
> -
> -
> -AT_SETUP([conntrack - IPv6 FTP])
> -AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
> -CHECK_CONNTRACK()
> -CHECK_CONNTRACK_ALG()
> -OVS_TRAFFIC_VSWITCHD_START()
> -
> -ADD_NAMESPACES(at_ns0, at_ns1)
> -
> -ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
> -ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
> -
> -dnl Allow any traffic from ns0->ns1.
> -dnl Only allow nd, return traffic from ns1->ns0.
> -AT_DATA([flows.txt], [dnl
> -dnl Track all IPv6 traffic and drop the rest.
> -dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
> -table=0 priority=100 in_port=1 icmp6, action=2
> -table=0 priority=100 in_port=2 icmp6, action=1
> -table=0 priority=10 ip6, action=ct(table=1)
> -table=0 priority=0 action=drop
> -dnl
> -dnl Table 1
> -dnl
> -dnl Allow new TCPv6 FTP control connections from port 1.
> -table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
> -dnl Allow related TCPv6 connections from port 2.
> -table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
> -dnl Allow established TCPv6 connections both ways.
> -table=1 in_port=1 ct_state=+est, tcp6, action=2
> -table=1 in_port=2 ct_state=+est, tcp6, action=1
> -dnl Drop everything else.
> -table=1 priority=0, action=drop
> -])
> -
> -AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> -
> -dnl Linux seems to take a little time to get its IPv6 stack in order. Without
> -dnl waiting, we get occasional failures due to the following error:
> -dnl "connect: Cannot assign requested address"
> -OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
> -
> -OVS_START_L7([at_ns1], [ftp])
> -
> -dnl FTP requests from p0->p1 should work fine.
> -NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
> -
> -dnl Discards CLOSE_WAIT and CLOSING
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
> -tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
> -tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
> -])
> -
> -OVS_TRAFFIC_VSWITCHD_STOP
> -AT_CLEANUP
> -
> -
> -AT_SETUP([conntrack - FTP with multiple expectations])
> -AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
> -CHECK_CONNTRACK()
> -CHECK_CONNTRACK_ALG()
> -OVS_TRAFFIC_VSWITCHD_START()
> -
> -ADD_NAMESPACES(at_ns0, at_ns1)
> -
> -ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
> -ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
> -
> -dnl Dual-firewall, allow all from ns1->ns2, allow established and ftp ns2->ns1.
> -AT_DATA([flows.txt], [dnl
> -table=0,priority=1,action=drop
> -table=0,priority=10,arp,action=normal
> -table=0,priority=10,icmp,action=normal
> -
> -dnl Traffic from ns1
> -table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1)
> -table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new-rel,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
> -table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new+rel,action=ct(commit,zone=1),ct(commit,zone=2),2
> -table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,zone=2)
> -table=2,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
> -
> -dnl Traffic from ns2
> -table=0,priority=100,in_port=2,tcp,action=ct(table=1,zone=2)
> -table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
> -table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,zone=1)
> -table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
> -table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
> -])
> -
> -AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> -
> -OVS_START_L7([at_ns0], [ftp])
> -OVS_START_L7([at_ns1], [ftp])
> -
> -dnl FTP requests from p1->p0 should fail due to network failure.
> -dnl Try 3 times, in 1 second intervals.
> -NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
> -])
> -
> -dnl Active FTP requests from p0->p1 should work fine.
> -NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
> -tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
> -tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
> -])
> -
> -AT_CHECK([ovs-appctl dpctl/flush-conntrack])
> -
> -dnl Passive FTP requests from p0->p1 should work fine.
> -NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
> -])
> -
> -OVS_TRAFFIC_VSWITCHD_STOP
> -AT_CLEANUP
> -
> -AT_SETUP([conntrack - IPv4 fragmentation ])
> -CHECK_CONNTRACK()
> -CHECK_CONNTRACK_FRAG()
> +CHECK_CONNTRACK_FRAG()
> OVS_TRAFFIC_VSWITCHD_START()
>
> ADD_NAMESPACES(at_ns0, at_ns1)
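Review bot: The rewritten title line on the new side keeps a trailing space inside the brackets, `+AT_SETUP([conntrack - IPv4 fragmentation ])`, so the space becomes part of the test name in the testsuite listing and in keyword selection; since the line is being touched anyway, `AT_SETUP([conntrack - IPv4 fragmentation])` would drop it. The same title appears on the removed side near the end of this hunk, so the stray space is pre-existing rather than introduced here, and the fragmentation test's body continues past the hunk's last line. Separately, the relocated IPv4 and IPv6 HTTP tests in this patch's final hunk add `--retry-connrefused` to the two wget invocations that are expected to fail with status 4, an option the removed lines in the first hunk did not have, so the patch is not the pure code move the Ack assumes. The expected `[4]` likely still holds because the dropped SYNs time out rather than being refused, but the behavioural difference deserves a sentence in the commit message.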
> @@ -2184,6 +1737,453 @@ NXST_FLOW reply: > OVS_TRAFFIC_VSWITCHD_STOP > AT_CLEANUP > > +AT_BANNER([conntrack - L7]) > + > +AT_SETUP([conntrack - IPv4 HTTP]) > +CHECK_CONNTRACK() > +OVS_TRAFFIC_VSWITCHD_START() > + > +ADD_NAMESPACES(at_ns0, at_ns1) > + > +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") > +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") > + > +dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0. > +AT_DATA([flows.txt], [dnl > +priority=1,action=drop > +priority=10,arp,action=normal > +priority=10,icmp,action=normal > +priority=100,in_port=1,tcp,action=ct(commit),2 > +priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0) > +priority=100,in_port=2,ct_state=+trk+est,tcp,action=1 > +]) > + > +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) > + > +OVS_START_L7([at_ns0], [http]) > +OVS_START_L7([at_ns1], [http]) > + > +dnl HTTP requests from ns0->ns1 should work fine. > +NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) > +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl > +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>) > +]) > + > +dnl HTTP requests from ns1->ns0 should fail due to network failure. > +dnl Try 3 times, in 1 second intervals. > +NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 --retry-connrefused -v -o wget1.log], [4]) > + > +OVS_TRAFFIC_VSWITCHD_STOP > +AT_CLEANUP > + > +AT_SETUP([conntrack - IPv6 HTTP]) > +CHECK_CONNTRACK() > +OVS_TRAFFIC_VSWITCHD_START() > + > +ADD_NAMESPACES(at_ns0, at_ns1) > + > +ADD_VETH(p0, at_ns0, br0, "fc00::1/96") > +ADD_VETH(p1, at_ns1, br0, "fc00::2/96") > + > +dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0. 
> +AT_DATA([flows.txt], [dnl > +priority=1,action=drop > +priority=10,icmp6,action=normal > +priority=100,in_port=1,tcp6,action=ct(commit),2 > +priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0) > +priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1 > +]) > + > +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) > + > +dnl Linux seems to take a little time to get its IPv6 stack in order. Without > +dnl waiting, we get occasional failures due to the following error: > +dnl "connect: Cannot assign requested address" > +OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2]) > + > +OVS_START_L7([at_ns0], [http6]) > +OVS_START_L7([at_ns1], [http6]) > + > +dnl HTTP requests from ns0->ns1 should work fine. > +NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log]) > +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl > +tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>) > +]) > + > +dnl HTTP requests from ns1->ns0 should fail due to network failure. > +dnl Try 3 times, in 1 second intervals. > +NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 --retry-connrefused -v -o wget1.log], [4]) > + > +OVS_TRAFFIC_VSWITCHD_STOP > +AT_CLEANUP > + > +AT_SETUP([conntrack - commit, recirc]) > +CHECK_CONNTRACK() > +OVS_TRAFFIC_VSWITCHD_START() > + > +ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3) > + > +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") > +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") > +ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24") > +ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24") > + > +dnl Allow any traffic from ns0->ns1, ns2->ns3. 
> +AT_DATA([flows.txt], [dnl > +priority=1,action=drop > +priority=10,arp,action=normal > +priority=10,icmp,action=normal > +priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0) > +priority=100,in_port=1,tcp,ct_state=+trk,action=2 > +priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0) > +priority=100,in_port=2,tcp,ct_state=+trk,action=1 > +priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0) > +priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0) > +priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4 > +priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0) > +priority=100,in_port=4,tcp,ct_state=+trk,action=3 > +]) > + > +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) > + > +OVS_START_L7([at_ns1], [http]) > +OVS_START_L7([at_ns3], [http]) > + > +dnl HTTP requests from p0->p1 should work fine. > +NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) > + > +dnl HTTP requests from p2->p3 should work fine. > +NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log]) > + > +OVS_TRAFFIC_VSWITCHD_STOP > +AT_CLEANUP > + > +AT_SETUP([conntrack - multiple zones, local]) > +CHECK_CONNTRACK() > +CHECK_CONNTRACK_LOCAL_STACK() > +OVS_TRAFFIC_VSWITCHD_START() > + > +ADD_NAMESPACES(at_ns0) > + > +AT_CHECK([ip addr add dev br0 "10.1.1.1/24"]) > +AT_CHECK([ip link set dev br0 up]) > +on_exit 'ip addr del dev br0 "10.1.1.1/24"' > +ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24") > + > +dnl Allow traffic from local stack to ns0. Only allow neighbour discovery, > +dnl return traffic from ns0 back to the local stack. 
> +AT_DATA([flows.txt], [dnl > +priority=1,action=drop > +priority=10,arp,action=normal > +priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop > +priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1 > +priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1 > +priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1) > +table=1,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2) > +table=2,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL > +]) > + > +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) > + > +AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl > +3 packets transmitted, 3 received, 0% packet loss, time 0ms > +]) > + > +OVS_START_L7([at_ns0], [http]) > + > +dnl HTTP requests from root namespace to p0 should work fine. > +AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) > + > +dnl (again) HTTP requests from root namespace to p0 should work fine. 
> +AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) > + > +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl > +icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1 > +icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=2 > +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>) > +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>) > +]) > + > +OVS_TRAFFIC_VSWITCHD_STOP > +AT_CLEANUP > + > +AT_SETUP([conntrack - multi-stage pipeline, local]) > +CHECK_CONNTRACK() > +CHECK_CONNTRACK_LOCAL_STACK() > +OVS_TRAFFIC_VSWITCHD_START() > + > +ADD_NAMESPACES(at_ns0) > + > +AT_CHECK([ip addr add dev br0 "10.1.1.1/24"]) > +AT_CHECK([ip link set dev br0 up]) > +on_exit 'ip addr del dev br0 "10.1.1.1/24"' > +ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24") > + > +dnl Allow traffic from local stack to ns0. Only allow neighbour discovery, > +dnl return traffic from ns0 back to the local stack. > +AT_DATA([flows.txt], [dnl > +dnl default > +table=0,priority=1,action=drop > +table=0,priority=10,arp,action=normal > + > +dnl Load the output port to REG0 > +table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1 > +table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1 > + > +dnl Ingress pipeline > +dnl - Allow all connections from LOCAL port (commit and proceed to egress) > +dnl - All other connections go through conntracker using the input port as > +dnl a connection tracking zone. 
> +table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2 > +table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]]) > +table=1,priority=1,action=drop > + > +dnl Egress pipeline > +dnl - Allow all connections from LOCAL port (commit and skip to output) > +dnl - Allow other established connections to go through conntracker using > +dnl output port as a connection tracking zone. > +table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4 > +table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]]) > +table=2,priority=1,action=drop > + > +dnl Only allow established traffic from egress ct lookup > +table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4 > +table=3,priority=1,action=drop > + > +dnl output table > +table=4,priority=100,ip,action=output:NXM_NX_REG0[[]] > +]) > + > +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) > + > +AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl > +3 packets transmitted, 3 received, 0% packet loss, time 0ms > +]) > + > +OVS_START_L7([at_ns0], [http]) > + > +dnl HTTP requests from root namespace to p0 should work fine. > +AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) > + > +dnl (again) HTTP requests from root namespace to p0 should work fine. 
> +AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> +
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
> +icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
> +icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=65534
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=<cleared>)
> +])
> +
> +OVS_TRAFFIC_VSWITCHD_STOP
> +AT_CLEANUP
> +
> +AT_SETUP([conntrack - FTP])
> +AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
> +CHECK_CONNTRACK()
> +CHECK_CONNTRACK_ALG()
> +OVS_TRAFFIC_VSWITCHD_START()
> +
> +ADD_NAMESPACES(at_ns0, at_ns1)
> +
> +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
> +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
> +
> +dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
> +AT_DATA([flows1.txt], [dnl
> +table=0,priority=1,action=drop
> +table=0,priority=10,arp,action=normal
> +table=0,priority=10,icmp,action=normal
> +table=0,priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
> +table=0,priority=100,in_port=2,tcp,action=ct(table=1)
> +table=1,in_port=2,tcp,ct_state=+trk+est,action=1
> +table=1,in_port=2,tcp,ct_state=+trk+rel,action=1
> +])
> +
> +dnl Similar policy but without allowing all traffic from ns0->ns1.
> +AT_DATA([flows2.txt], [dnl
> +table=0,priority=1,action=drop
> +table=0,priority=10,arp,action=normal
> +table=0,priority=10,icmp,action=normal
> +
> +dnl Allow outgoing TCP connections, and treat them as FTP
> +table=0,priority=100,in_port=1,tcp,action=ct(table=1)
> +table=1,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
> +table=1,in_port=1,tcp,ct_state=+trk+est,action=2
> +
> +dnl Allow incoming FTP data connections and responses to existing connections
> +table=0,priority=100,in_port=2,tcp,action=ct(table=1)
> +table=1,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
> +table=1,in_port=2,tcp,ct_state=+trk+est,action=1
> +table=1,in_port=2,tcp,ct_state=+trk-new+rel,action=1
> +])
> +
> +AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
> +
> +OVS_START_L7([at_ns0], [ftp])
> +OVS_START_L7([at_ns1], [ftp])
> +
> +dnl FTP requests from p1->p0 should fail due to network failure.
> +dnl Try 3 times, in 1 second intervals.
> +NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
> +])
> +
> +dnl FTP requests from p0->p1 should work fine.
> +NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
> +])
> +
> +dnl Try the second set of flows.
> +AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
> +AT_CHECK([ovs-appctl dpctl/flush-conntrack])
> +
> +dnl FTP requests from p1->p0 should fail due to network failure.
> +dnl Try 3 times, in 1 second intervals.
> +NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
> +])
> +
> +dnl Active FTP requests from p0->p1 should work fine.
> +NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
> +tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
> +])
> +
> +AT_CHECK([ovs-appctl dpctl/flush-conntrack])
> +
> +dnl Passive FTP requests from p0->p1 should work fine.
> +NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
> +])
> +
> +OVS_TRAFFIC_VSWITCHD_STOP
> +AT_CLEANUP
> +
> +AT_SETUP([conntrack - FTP over IPv6])
> +AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
> +CHECK_CONNTRACK()
> +CHECK_CONNTRACK_ALG()
> +OVS_TRAFFIC_VSWITCHD_START()
> +
> +ADD_NAMESPACES(at_ns0, at_ns1)
> +
> +ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
> +ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
> +
> +dnl Allow any traffic from ns0->ns1.
> +dnl Only allow nd, return traffic from ns1->ns0.
> +AT_DATA([flows.txt], [dnl
> +dnl Track all IPv6 traffic and drop the rest.
> +dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
> +table=0 priority=100 in_port=1 icmp6, action=2
> +table=0 priority=100 in_port=2 icmp6, action=1
> +table=0 priority=10 ip6, action=ct(table=1)
> +table=0 priority=0 action=drop
> +dnl
> +dnl Table 1
> +dnl
> +dnl Allow new TCPv6 FTP control connections from port 1.
> +table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
> +dnl Allow related TCPv6 connections from port 2.
> +table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
> +dnl Allow established TCPv6 connections both ways.
> +table=1 in_port=1 ct_state=+est, tcp6, action=2
> +table=1 in_port=2 ct_state=+est, tcp6, action=1
> +dnl Drop everything else.
> +table=1 priority=0, action=drop
> +])
> +
> +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> +
> +dnl Linux seems to take a little time to get its IPv6 stack in order. Without
> +dnl waiting, we get occasional failures due to the following error:
> +dnl "connect: Cannot assign requested address"
> +OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
> +
> +OVS_START_L7([at_ns1], [ftp])
> +
> +dnl FTP requests from p0->p1 should work fine.
> +NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
> +
> +dnl Discards CLOSE_WAIT and CLOSING
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
> +tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
> +tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
> +])
> +
> +OVS_TRAFFIC_VSWITCHD_STOP
> +AT_CLEANUP
> +
> +AT_SETUP([conntrack - FTP with multiple expectations])
> +AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
> +CHECK_CONNTRACK()
> +CHECK_CONNTRACK_ALG()
> +OVS_TRAFFIC_VSWITCHD_START()
> +
> +ADD_NAMESPACES(at_ns0, at_ns1)
> +
> +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
> +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
> +
> +dnl Dual-firewall, allow all from ns1->ns2, allow established and ftp ns2->ns1.
> +AT_DATA([flows.txt], [dnl
> +table=0,priority=1,action=drop
> +table=0,priority=10,arp,action=normal
> +table=0,priority=10,icmp,action=normal
> +
> +dnl Traffic from ns1
> +table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1)
> +table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new-rel,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
> +table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new+rel,action=ct(commit,zone=1),ct(commit,zone=2),2
> +table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,zone=2)
> +table=2,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
> +
> +dnl Traffic from ns2
> +table=0,priority=100,in_port=2,tcp,action=ct(table=1,zone=2)
> +table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
> +table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,zone=1)
> +table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
> +table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
> +])
> +
> +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> +
> +OVS_START_L7([at_ns0], [ftp])
> +OVS_START_L7([at_ns1], [ftp])
> +
> +dnl FTP requests from p1->p0 should fail due to network failure.
> +dnl Try 3 times, in 1 second intervals.
> +NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
> +])
> +
> +dnl Active FTP requests from p0->p1 should work fine.
> +NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
> +tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
> +tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
> +])
> +
> +AT_CHECK([ovs-appctl dpctl/flush-conntrack])
> +
> +dnl Passive FTP requests from p0->p1 should work fine.
> +NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
> +])
> +
> +OVS_TRAFFIC_VSWITCHD_STOP
> +AT_CLEANUP
> +
> AT_BANNER([conntrack - NAT])
>
> AT_SETUP([conntrack - simple SNAT])
> --
> 2.10.2
>
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
diff --git a/tests/system-traffic.at b/tests/system-traffic.at
index 14fbf4518fdf..8e424c56031c 100644
--- a/tests/system-traffic.at
+++ b/tests/system-traffic.at
@@ -649,84 +649,6 @@ udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.
 OVS_TRAFFIC_VSWITCHD_STOP
 AT_CLEANUP
 
-AT_SETUP([conntrack - IPv4 HTTP])
-CHECK_CONNTRACK()
-OVS_TRAFFIC_VSWITCHD_START()
-
-ADD_NAMESPACES(at_ns0, at_ns1)
-
-ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
-ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
-
-dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
-AT_DATA([flows.txt], [dnl
-priority=1,action=drop
-priority=10,arp,action=normal
-priority=10,icmp,action=normal
-priority=100,in_port=1,tcp,action=ct(commit),2
-priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
-priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
-])
-
-AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
-
-OVS_START_L7([at_ns0], [http])
-OVS_START_L7([at_ns1], [http])
-
-dnl HTTP requests from ns0->ns1 should work fine.
-NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
-])
-
-dnl HTTP requests from ns1->ns0 should fail due to network failure.
-dnl Try 3 times, in 1 second intervals.
-NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])
-
-OVS_TRAFFIC_VSWITCHD_STOP
-AT_CLEANUP
-
-AT_SETUP([conntrack - IPv6 HTTP])
-CHECK_CONNTRACK()
-OVS_TRAFFIC_VSWITCHD_START()
-
-ADD_NAMESPACES(at_ns0, at_ns1)
-
-ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
-ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
-
-dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
-AT_DATA([flows.txt], [dnl
-priority=1,action=drop
-priority=10,icmp6,action=normal
-priority=100,in_port=1,tcp6,action=ct(commit),2
-priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
-priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
-])
-
-AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
-
-dnl Linux seems to take a little time to get its IPv6 stack in order. Without
-dnl waiting, we get occasional failures due to the following error:
-dnl "connect: Cannot assign requested address"
-OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
-
-OVS_START_L7([at_ns0], [http6])
-OVS_START_L7([at_ns1], [http6])
-
-dnl HTTP requests from ns0->ns1 should work fine.
-NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
-tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
-])
-
-dnl HTTP requests from ns1->ns0 should fail due to network failure.
-dnl Try 3 times, in 1 second intervals.
-NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
-
-OVS_TRAFFIC_VSWITCHD_STOP
-AT_CLEANUP
-
 AT_SETUP([conntrack - IPv4 ping])
 CHECK_CONNTRACK()
 OVS_TRAFFIC_VSWITCHD_START()
@@ -815,47 +737,6 @@ icmpv6,orig=(src=fc00::1,dst=fc00::2,id=<cleared>,type=128,code=0),reply=(src=fc
 OVS_TRAFFIC_VSWITCHD_STOP
 AT_CLEANUP
 
-AT_SETUP([conntrack - commit, recirc])
-CHECK_CONNTRACK()
-OVS_TRAFFIC_VSWITCHD_START()
-
-ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
-
-ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
-ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
-ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
-ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
-
-dnl Allow any traffic from ns0->ns1, ns2->ns3.
-AT_DATA([flows.txt], [dnl
-priority=1,action=drop
-priority=10,arp,action=normal
-priority=10,icmp,action=normal
-priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
-priority=100,in_port=1,tcp,ct_state=+trk,action=2
-priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
-priority=100,in_port=2,tcp,ct_state=+trk,action=1
-priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
-priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
-priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
-priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
-priority=100,in_port=4,tcp,ct_state=+trk,action=3
-])
-
-AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
-
-OVS_START_L7([at_ns1], [http])
-OVS_START_L7([at_ns3], [http])
-
-dnl HTTP requests from p0->p1 should work fine.
-NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
-
-dnl HTTP requests from p2->p3 should work fine.
-NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
-
-OVS_TRAFFIC_VSWITCHD_STOP
-AT_CLEANUP
-
 AT_SETUP([conntrack - preserve registers])
 CHECK_CONNTRACK()
 OVS_TRAFFIC_VSWITCHD_START()
@@ -1116,55 +997,6 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=
 OVS_TRAFFIC_VSWITCHD_STOP
 AT_CLEANUP
 
-AT_SETUP([conntrack - multiple zones, local])
-CHECK_CONNTRACK()
-CHECK_CONNTRACK_LOCAL_STACK()
-OVS_TRAFFIC_VSWITCHD_START()
-
-ADD_NAMESPACES(at_ns0)
-
-AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
-AT_CHECK([ip link set dev br0 up])
-on_exit 'ip addr del dev br0 "10.1.1.1/24"'
-ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
-
-dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
-dnl return traffic from ns0 back to the local stack.
-AT_DATA([flows.txt], [dnl
-priority=1,action=drop
-priority=10,arp,action=normal
-priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
-priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
-priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
-priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
-table=1,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
-table=2,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
-])
-
-AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
-
-AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
-3 packets transmitted, 3 received, 0% packet loss, time 0ms
-])
-
-OVS_START_L7([at_ns0], [http])
-
-dnl HTTP requests from root namespace to p0 should work fine.
-AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
-
-dnl (again) HTTP requests from root namespace to p0 should work fine.
-AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
-
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
-icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
-icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=2
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
-])
-
-OVS_TRAFFIC_VSWITCHD_STOP
-AT_CLEANUP
-
 AT_SETUP([conntrack - multiple namespaces, internal ports])
 CHECK_CONNTRACK()
 CHECK_CONNTRACK_LOCAL_STACK()
@@ -1207,77 +1039,6 @@ OVS_TRAFFIC_VSWITCHD_STOP(["dnl
 /removing policing failed: No such device/d"])
 AT_CLEANUP
 
-AT_SETUP([conntrack - multi-stage pipeline, local])
-CHECK_CONNTRACK()
-CHECK_CONNTRACK_LOCAL_STACK()
-OVS_TRAFFIC_VSWITCHD_START()
-
-ADD_NAMESPACES(at_ns0)
-
-AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
-AT_CHECK([ip link set dev br0 up])
-on_exit 'ip addr del dev br0 "10.1.1.1/24"'
-ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
-
-dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
-dnl return traffic from ns0 back to the local stack.
-AT_DATA([flows.txt], [dnl
-dnl default
-table=0,priority=1,action=drop
-table=0,priority=10,arp,action=normal
-
-dnl Load the output port to REG0
-table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
-table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
-
-dnl Ingress pipeline
-dnl - Allow all connections from LOCAL port (commit and proceed to egress)
-dnl - All other connections go through conntracker using the input port as
-dnl a connection tracking zone.
-table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
-table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
-table=1,priority=1,action=drop
-
-dnl Egress pipeline
-dnl - Allow all connections from LOCAL port (commit and skip to output)
-dnl - Allow other established connections to go through conntracker using
-dnl output port as a connection tracking zone.
-table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
-table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
-table=2,priority=1,action=drop
-
-dnl Only allow established traffic from egress ct lookup
-table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
-table=3,priority=1,action=drop
-
-dnl output table
-table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
-])
-
-AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
-
-AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
-3 packets transmitted, 3 received, 0% packet loss, time 0ms
-])
-
-OVS_START_L7([at_ns0], [http])
-
-dnl HTTP requests from root namespace to p0 should work fine.
-AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
-
-dnl (again) HTTP requests from root namespace to p0 should work fine.
-AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
-
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
-icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
-icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=65534
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=<cleared>)
-])
-
-OVS_TRAFFIC_VSWITCHD_STOP
-AT_CLEANUP
-
 AT_SETUP([conntrack - ct_mark])
 CHECK_CONNTRACK()
 OVS_TRAFFIC_VSWITCHD_START()
@@ -1600,217 +1361,9 @@ icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=17
 OVS_TRAFFIC_VSWITCHD_STOP
 AT_CLEANUP
 
-AT_SETUP([conntrack - FTP])
-AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
+AT_SETUP([conntrack - IPv4 fragmentation ])
 CHECK_CONNTRACK()
-CHECK_CONNTRACK_ALG()
-OVS_TRAFFIC_VSWITCHD_START()
-
-ADD_NAMESPACES(at_ns0, at_ns1)
-
-ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
-ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
-
-dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
-AT_DATA([flows1.txt], [dnl
-table=0,priority=1,action=drop
-table=0,priority=10,arp,action=normal
-table=0,priority=10,icmp,action=normal
-table=0,priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
-table=0,priority=100,in_port=2,tcp,action=ct(table=1)
-table=1,in_port=2,tcp,ct_state=+trk+est,action=1
-table=1,in_port=2,tcp,ct_state=+trk+rel,action=1
-])
-
-dnl Similar policy but without allowing all traffic from ns0->ns1.
-AT_DATA([flows2.txt], [dnl
-table=0,priority=1,action=drop
-table=0,priority=10,arp,action=normal
-table=0,priority=10,icmp,action=normal
-
-dnl Allow outgoing TCP connections, and treat them as FTP
-table=0,priority=100,in_port=1,tcp,action=ct(table=1)
-table=1,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
-table=1,in_port=1,tcp,ct_state=+trk+est,action=2
-
-dnl Allow incoming FTP data connections and responses to existing connections
-table=0,priority=100,in_port=2,tcp,action=ct(table=1)
-table=1,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
-table=1,in_port=2,tcp,ct_state=+trk+est,action=1
-table=1,in_port=2,tcp,ct_state=+trk-new+rel,action=1
-])
-
-AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
-
-OVS_START_L7([at_ns0], [ftp])
-OVS_START_L7([at_ns1], [ftp])
-
-dnl FTP requests from p1->p0 should fail due to network failure.
-dnl Try 3 times, in 1 second intervals.
-NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
-])
-
-dnl FTP requests from p0->p1 should work fine.
-NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
-])
-
-dnl Try the second set of flows.
-AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
-AT_CHECK([ovs-appctl dpctl/flush-conntrack])
-
-dnl FTP requests from p1->p0 should fail due to network failure.
-dnl Try 3 times, in 1 second intervals.
-NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
-])
-
-dnl Active FTP requests from p0->p1 should work fine.
-NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
-tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
-])
-
-AT_CHECK([ovs-appctl dpctl/flush-conntrack])
-
-dnl Passive FTP requests from p0->p1 should work fine.
-NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
-])
-
-OVS_TRAFFIC_VSWITCHD_STOP
-AT_CLEANUP
-
-
-AT_SETUP([conntrack - IPv6 FTP])
-AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
-CHECK_CONNTRACK()
-CHECK_CONNTRACK_ALG()
-OVS_TRAFFIC_VSWITCHD_START()
-
-ADD_NAMESPACES(at_ns0, at_ns1)
-
-ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
-ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
-
-dnl Allow any traffic from ns0->ns1.
-dnl Only allow nd, return traffic from ns1->ns0.
-AT_DATA([flows.txt], [dnl
-dnl Track all IPv6 traffic and drop the rest.
-dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
-table=0 priority=100 in_port=1 icmp6, action=2
-table=0 priority=100 in_port=2 icmp6, action=1
-table=0 priority=10 ip6, action=ct(table=1)
-table=0 priority=0 action=drop
-dnl
-dnl Table 1
-dnl
-dnl Allow new TCPv6 FTP control connections from port 1.
-table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
-dnl Allow related TCPv6 connections from port 2.
-table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
-dnl Allow established TCPv6 connections both ways.
-table=1 in_port=1 ct_state=+est, tcp6, action=2
-table=1 in_port=2 ct_state=+est, tcp6, action=1
-dnl Drop everything else.
-table=1 priority=0, action=drop
-])
-
-AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
-
-dnl Linux seems to take a little time to get its IPv6 stack in order. Without
-dnl waiting, we get occasional failures due to the following error:
-dnl "connect: Cannot assign requested address"
-OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
-
-OVS_START_L7([at_ns1], [ftp])
-
-dnl FTP requests from p0->p1 should work fine.
-NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
-
-dnl Discards CLOSE_WAIT and CLOSING
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
-tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
-tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
-])
-
-OVS_TRAFFIC_VSWITCHD_STOP
-AT_CLEANUP
-
-
-AT_SETUP([conntrack - FTP with multiple expectations])
-AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
-CHECK_CONNTRACK()
-CHECK_CONNTRACK_ALG()
-OVS_TRAFFIC_VSWITCHD_START()
-
-ADD_NAMESPACES(at_ns0, at_ns1)
-
-ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
-ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
-
-dnl Dual-firewall, allow all from ns1->ns2, allow established and ftp ns2->ns1.
-AT_DATA([flows.txt], [dnl
-table=0,priority=1,action=drop
-table=0,priority=10,arp,action=normal
-table=0,priority=10,icmp,action=normal
-
-dnl Traffic from ns1
-table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1)
-table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new-rel,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
-table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new+rel,action=ct(commit,zone=1),ct(commit,zone=2),2
-table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,zone=2)
-table=2,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
-
-dnl Traffic from ns2
-table=0,priority=100,in_port=2,tcp,action=ct(table=1,zone=2)
-table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
-table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,zone=1)
-table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
-table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
-])
-
-AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
-
-OVS_START_L7([at_ns0], [ftp])
-OVS_START_L7([at_ns1], [ftp])
-
-dnl FTP requests from p1->p0 should fail due to network failure.
-dnl Try 3 times, in 1 second intervals.
-NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
-])
-
-dnl Active FTP requests from p0->p1 should work fine.
-NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
-tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
-tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
-])
-
-AT_CHECK([ovs-appctl dpctl/flush-conntrack])
-
-dnl Passive FTP requests from p0->p1 should work fine.
-NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
-])
-
-OVS_TRAFFIC_VSWITCHD_STOP
-AT_CLEANUP
-
-AT_SETUP([conntrack - IPv4 fragmentation ])
-CHECK_CONNTRACK()
-CHECK_CONNTRACK_FRAG()
+CHECK_CONNTRACK_FRAG()
 OVS_TRAFFIC_VSWITCHD_START()
 
 ADD_NAMESPACES(at_ns0, at_ns1)
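Review bot: The re-emitted `+AT_SETUP([conntrack - IPv4 fragmentation ])` line at the top of this hunk keeps the stray trailing space inside the test name; since the line is being rewritten anyway, this is the moment to make it `AT_SETUP([conntrack - IPv4 fragmentation])` so the name matches the other AT_SETUP titles in the file. Separately, the cover note describes the series as pure code movement, but the IPv4 HTTP test removed in the first hunk runs its negative-path check as `wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log` while the copy re-added under the new L7 banner further down uses `wget 10.1.1.1 -t 3 -T 1 --retry-connrefused -v -o wget1.log`; the same applies to the IPv6 HTTP test, and the IPv6 FTP test is renamed to "FTP over IPv6" on the way. Those behavioural and naming differences deserve a sentence in the commit message so a reviewer comparing old and new copies does not have to spot them by eye.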
@@ -2184,6 +1737,453 @@ NXST_FLOW reply:
 OVS_TRAFFIC_VSWITCHD_STOP
 AT_CLEANUP
+AT_BANNER([conntrack - L7])
+
+AT_SETUP([conntrack - IPv4 HTTP])
+CHECK_CONNTRACK()
+OVS_TRAFFIC_VSWITCHD_START()
+
+ADD_NAMESPACES(at_ns0, at_ns1)
+
+ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
+ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
+
+dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
+AT_DATA([flows.txt], [dnl
+priority=1,action=drop
+priority=10,arp,action=normal
+priority=10,icmp,action=normal
+priority=100,in_port=1,tcp,action=ct(commit),2
+priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
+priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
+])
+
+AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
+
+OVS_START_L7([at_ns0], [http])
+OVS_START_L7([at_ns1], [http])
+
+dnl HTTP requests from ns0->ns1 should work fine.
+NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
+])
+
+dnl HTTP requests from ns1->ns0 should fail due to network failure.
+dnl Try 3 times, in 1 second intervals.
+NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 --retry-connrefused -v -o wget1.log], [4])
+
+OVS_TRAFFIC_VSWITCHD_STOP
+AT_CLEANUP
+
+AT_SETUP([conntrack - IPv6 HTTP])
+CHECK_CONNTRACK()
+OVS_TRAFFIC_VSWITCHD_START()
+
+ADD_NAMESPACES(at_ns0, at_ns1)
+
+ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
+ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
+
+dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
+AT_DATA([flows.txt], [dnl
+priority=1,action=drop
+priority=10,icmp6,action=normal
+priority=100,in_port=1,tcp6,action=ct(commit),2
+priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
+priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
+])
+
+AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
+
+dnl Linux seems to take a little time to get its IPv6 stack in order. Without
+dnl waiting, we get occasional failures due to the following error:
+dnl "connect: Cannot assign requested address"
+OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
+
+OVS_START_L7([at_ns0], [http6])
+OVS_START_L7([at_ns1], [http6])
+
+dnl HTTP requests from ns0->ns1 should work fine.
+NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
+tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
+])
+
+dnl HTTP requests from ns1->ns0 should fail due to network failure.
+dnl Try 3 times, in 1 second intervals.
+NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 --retry-connrefused -v -o wget1.log], [4])
+
+OVS_TRAFFIC_VSWITCHD_STOP
+AT_CLEANUP
+
+AT_SETUP([conntrack - commit, recirc])
+CHECK_CONNTRACK()
+OVS_TRAFFIC_VSWITCHD_START()
+
+ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
+
+ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
+ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
+ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
+ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
+
+dnl Allow any traffic from ns0->ns1, ns2->ns3.
+AT_DATA([flows.txt], [dnl
+priority=1,action=drop
+priority=10,arp,action=normal
+priority=10,icmp,action=normal
+priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
+priority=100,in_port=1,tcp,ct_state=+trk,action=2
+priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
+priority=100,in_port=2,tcp,ct_state=+trk,action=1
+priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
+priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
+priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
+priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
+priority=100,in_port=4,tcp,ct_state=+trk,action=3
+])
+
+AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
+
+OVS_START_L7([at_ns1], [http])
+OVS_START_L7([at_ns3], [http])
+
+dnl HTTP requests from p0->p1 should work fine.
+NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+
+dnl HTTP requests from p2->p3 should work fine.
+NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
+
+OVS_TRAFFIC_VSWITCHD_STOP
+AT_CLEANUP
+
+AT_SETUP([conntrack - multiple zones, local])
+CHECK_CONNTRACK()
+CHECK_CONNTRACK_LOCAL_STACK()
+OVS_TRAFFIC_VSWITCHD_START()
+
+ADD_NAMESPACES(at_ns0)
+
+AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
+AT_CHECK([ip link set dev br0 up])
+on_exit 'ip addr del dev br0 "10.1.1.1/24"'
+ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
+
+dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
+dnl return traffic from ns0 back to the local stack.
+AT_DATA([flows.txt], [dnl
+priority=1,action=drop
+priority=10,arp,action=normal
+priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
+priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
+priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
+priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
+table=1,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
+table=2,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
+])
+
+AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
+
+AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
+3 packets transmitted, 3 received, 0% packet loss, time 0ms
+])
+
+OVS_START_L7([at_ns0], [http])
+
+dnl HTTP requests from root namespace to p0 should work fine.
+AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+
+dnl (again) HTTP requests from root namespace to p0 should work fine.
+AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
+icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
+icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=2
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
+])
+
+OVS_TRAFFIC_VSWITCHD_STOP
+AT_CLEANUP
+
+AT_SETUP([conntrack - multi-stage pipeline, local])
+CHECK_CONNTRACK()
+CHECK_CONNTRACK_LOCAL_STACK()
+OVS_TRAFFIC_VSWITCHD_START()
+
+ADD_NAMESPACES(at_ns0)
+
+AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
+AT_CHECK([ip link set dev br0 up])
+on_exit 'ip addr del dev br0 "10.1.1.1/24"'
+ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
+
+dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
+dnl return traffic from ns0 back to the local stack.
+AT_DATA([flows.txt], [dnl
+dnl default
+table=0,priority=1,action=drop
+table=0,priority=10,arp,action=normal
+
+dnl Load the output port to REG0
+table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
+table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
+
+dnl Ingress pipeline
+dnl - Allow all connections from LOCAL port (commit and proceed to egress)
+dnl - All other connections go through conntracker using the input port as
+dnl a connection tracking zone.
+table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
+table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
+table=1,priority=1,action=drop
+
+dnl Egress pipeline
+dnl - Allow all connections from LOCAL port (commit and skip to output)
+dnl - Allow other established connections to go through conntracker using
+dnl output port as a connection tracking zone.
+table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
+table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
+table=2,priority=1,action=drop
+
+dnl Only allow established traffic from egress ct lookup
+table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
+table=3,priority=1,action=drop
+
+dnl output table
+table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
+])
+
+AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
+
+AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
+3 packets transmitted, 3 received, 0% packet loss, time 0ms
+])
+
+OVS_START_L7([at_ns0], [http])
+
+dnl HTTP requests from root namespace to p0 should work fine.
+AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+
+dnl (again) HTTP requests from root namespace to p0 should work fine.
+AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
+icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
+icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=65534
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=<cleared>)
+])
+
+OVS_TRAFFIC_VSWITCHD_STOP
+AT_CLEANUP
+
+AT_SETUP([conntrack - FTP])
+AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
+CHECK_CONNTRACK()
+CHECK_CONNTRACK_ALG()
+OVS_TRAFFIC_VSWITCHD_START()
+
+ADD_NAMESPACES(at_ns0, at_ns1)
+
+ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
+ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
+
+dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
+AT_DATA([flows1.txt], [dnl
+table=0,priority=1,action=drop
+table=0,priority=10,arp,action=normal
+table=0,priority=10,icmp,action=normal
+table=0,priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
+table=0,priority=100,in_port=2,tcp,action=ct(table=1)
+table=1,in_port=2,tcp,ct_state=+trk+est,action=1
+table=1,in_port=2,tcp,ct_state=+trk+rel,action=1
+])
+
+dnl Similar policy but without allowing all traffic from ns0->ns1.
+AT_DATA([flows2.txt], [dnl
+table=0,priority=1,action=drop
+table=0,priority=10,arp,action=normal
+table=0,priority=10,icmp,action=normal
+
+dnl Allow outgoing TCP connections, and treat them as FTP
+table=0,priority=100,in_port=1,tcp,action=ct(table=1)
+table=1,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
+table=1,in_port=1,tcp,ct_state=+trk+est,action=2
+
+dnl Allow incoming FTP data connections and responses to existing connections
+table=0,priority=100,in_port=2,tcp,action=ct(table=1)
+table=1,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
+table=1,in_port=2,tcp,ct_state=+trk+est,action=1
+table=1,in_port=2,tcp,ct_state=+trk-new+rel,action=1
+])
+
+AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
+
+OVS_START_L7([at_ns0], [ftp])
+OVS_START_L7([at_ns1], [ftp])
+
+dnl FTP requests from p1->p0 should fail due to network failure.
+dnl Try 3 times, in 1 second intervals.
+NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
+])
+
+dnl FTP requests from p0->p1 should work fine.
+NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
+])
+
+dnl Try the second set of flows.
+AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
+AT_CHECK([ovs-appctl dpctl/flush-conntrack])
+
+dnl FTP requests from p1->p0 should fail due to network failure.
+dnl Try 3 times, in 1 second intervals.
+NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
+])
+
+dnl Active FTP requests from p0->p1 should work fine.
+NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
+tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
+])
+
+AT_CHECK([ovs-appctl dpctl/flush-conntrack])
+
+dnl Passive FTP requests from p0->p1 should work fine.
+NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
+])
+
+OVS_TRAFFIC_VSWITCHD_STOP
+AT_CLEANUP
+
+AT_SETUP([conntrack - FTP over IPv6])
+AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
+CHECK_CONNTRACK()
+CHECK_CONNTRACK_ALG()
+OVS_TRAFFIC_VSWITCHD_START()
+
+ADD_NAMESPACES(at_ns0, at_ns1)
+
+ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
+ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
+
+dnl Allow any traffic from ns0->ns1.
+dnl Only allow nd, return traffic from ns1->ns0.
+AT_DATA([flows.txt], [dnl
+dnl Track all IPv6 traffic and drop the rest.
+dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked.
+table=0 priority=100 in_port=1 icmp6, action=2
+table=0 priority=100 in_port=2 icmp6, action=1
+table=0 priority=10 ip6, action=ct(table=1)
+table=0 priority=0 action=drop
+dnl
+dnl Table 1
+dnl
+dnl Allow new TCPv6 FTP control connections from port 1.
+table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
+dnl Allow related TCPv6 connections from port 2.
+table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
+dnl Allow established TCPv6 connections both ways.
+table=1 in_port=1 ct_state=+est, tcp6, action=2
+table=1 in_port=2 ct_state=+est, tcp6, action=1
+dnl Drop everything else.
+table=1 priority=0, action=drop
+])
+
+AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
+
+dnl Linux seems to take a little time to get its IPv6 stack in order. Without
+dnl waiting, we get occasional failures due to the following error:
+dnl "connect: Cannot assign requested address"
+OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
+
+OVS_START_L7([at_ns1], [ftp])
+
+dnl FTP requests from p0->p1 should work fine.
+NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
+
+dnl Discards CLOSE_WAIT and CLOSING
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
+tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
+tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
+])
+
+OVS_TRAFFIC_VSWITCHD_STOP
+AT_CLEANUP
+
+AT_SETUP([conntrack - FTP with multiple expectations])
+AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
+CHECK_CONNTRACK()
+CHECK_CONNTRACK_ALG()
+OVS_TRAFFIC_VSWITCHD_START()
+
+ADD_NAMESPACES(at_ns0, at_ns1)
+
+ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
+ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
+
+dnl Dual-firewall, allow all from ns1->ns2, allow established and ftp ns2->ns1.
+AT_DATA([flows.txt], [dnl
+table=0,priority=1,action=drop
+table=0,priority=10,arp,action=normal
+table=0,priority=10,icmp,action=normal
+
+dnl Traffic from ns1
+table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1)
+table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new-rel,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
+table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new+rel,action=ct(commit,zone=1),ct(commit,zone=2),2
+table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,zone=2)
+table=2,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
+
+dnl Traffic from ns2
+table=0,priority=100,in_port=2,tcp,action=ct(table=1,zone=2)
+table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
+table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,zone=1)
+table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
+table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
+])
+
+AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
+
+OVS_START_L7([at_ns0], [ftp])
+OVS_START_L7([at_ns1], [ftp])
+
+dnl FTP requests from p1->p0 should fail due to network failure.
+dnl Try 3 times, in 1 second intervals.
+NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
+])
+
+dnl Active FTP requests from p0->p1 should work fine.
+NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
+tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
+tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
+])
+
+AT_CHECK([ovs-appctl dpctl/flush-conntrack])
+
+dnl Passive FTP requests from p0->p1 should work fine.
+NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
+])
+
+OVS_TRAFFIC_VSWITCHD_STOP
+AT_CLEANUP
+
 AT_BANNER([conntrack - NAT])
 AT_SETUP([conntrack - simple SNAT])
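Review bot: In the relocated `conntrack - multiple zones, local`, `conntrack - multi-stage pipeline, local` and `conntrack - FTP with multiple expectations` tests, the two wget runs inside one test both write `-o wget0.log`, so the second run overwrites the first run's log and the transcript that would show what differed is gone when only the repeat (or the passive-mode run) fails. The `conntrack - FTP` test in this same hunk already distinguishes its runs with `-o wget0-1.log` and `-o wget0-2.log`, and the other three tests should use the same naming. Separately, the comment `dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.` above the IPv4 HTTP and FTP flow tables speaks of neighbour discovery while those tables admit `arp` and `icmp`; for the IPv4 tests `dnl Allow any traffic from ns0->ns1. Only allow ARP, ICMP and return traffic from ns1->ns0.` matches the rules. Both points appear to be carried over with the moved text rather than introduced by the move, so a follow-up patch would be a reasonable place for them.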
Signed-off-by: Joe Stringer <joe@ovn.org> --- tests/system-traffic.at | 898 ++++++++++++++++++++++++------------------------ 1 file changed, 449 insertions(+), 449 deletions(-)