
[ovs-dev] system-traffic: Add FTP NAT test without seqadj.

Message ID 20160907210741.21867-1-joe@ovn.org
State Accepted

Commit Message

Joe Stringer Sept. 7, 2016, 9:07 p.m. UTC
The existing FTP with NAT tests all perform NATing from an IP like
10.1.1.1 -> 10.1.1.240, which requires adjusting the length of FTP
control messages as they pass through the connection tracker.
Occasionally this is a source of kernel bugs, so it is useful to have a
regular FTP NAT test between IPs that do not change the message length
in FTP control messages (eg, 10.1.1.1 -> 10.1.1.9) to more clearly
identify failures in this area.

Signed-off-by: Joe Stringer <joe@ovn.org>
---
 tests/system-traffic.at | 83 +++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 81 insertions(+), 2 deletions(-)

Comments

Jarno Rajahalme Sept. 7, 2016, 9:23 p.m. UTC | #1
Assuming the test is otherwise identical,

Acked-by: Jarno Rajahalme <jarno@ovn.org>

> On Sep 7, 2016, at 2:07 PM, Joe Stringer <joe@ovn.org> wrote:
> 
> The existing FTP with NAT tests all perform NATing from an IP like
> 10.1.1.1 -> 10.1.1.240, which requires adjusting the length of FTP
> control messages as they pass through the connection tracker.
> Occasionally this is a source of kernel bugs, so it is useful to have a
> regular FTP NAT test between IPs that do not change the message length
> in FTP control messages (eg, 10.1.1.1 -> 10.1.1.9) to more clearly
> identify failures in this area.
> 
> Signed-off-by: Joe Stringer <joe@ovn.org>
> ---
> tests/system-traffic.at | 83 +++++++++++++++++++++++++++++++++++++++++++++++--
> 1 file changed, 81 insertions(+), 2 deletions(-)
> 
> diff --git a/tests/system-traffic.at b/tests/system-traffic.at
> index eaf4aba13869..4dabd90356a1 100644
> --- a/tests/system-traffic.at
> +++ b/tests/system-traffic.at
> @@ -2405,7 +2405,6 @@ udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=
> OVS_TRAFFIC_VSWITCHD_STOP
> AT_CLEANUP
> 
> -
> AT_SETUP([conntrack - FTP with NAT])
> AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
> CHECK_CONNTRACK()
> @@ -2435,6 +2434,87 @@ dnl
> dnl Table 1: port 1 -> 2
> dnl
> dnl Allow new FTP connections. These need to be commited.
> +table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=10.1.1.9)),2
> +dnl Allow established TCP connections, make sure they are NATted already.
> +table=1 ct_state=+est, tcp, nw_src=10.1.1.9,     action=2
> +dnl
> +dnl Table 1: droppers
> +dnl
> +table=1 priority=10, tcp, action=drop
> +table=1 priority=0,action=drop
> +dnl
> +dnl Table 2: port 2 -> 1
> +dnl
> +dnl Allow established TCP connections, make sure they are reverse NATted
> +table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
> +dnl Allow (new) related (data) connections.  These need to be commited.
> +table=2 ct_state=+new+rel, tcp, nw_dst=10.1.1.9, action=ct(commit,nat),1
> +dnl Allow related ICMP packets, make sure they are reverse NATted
> +table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
> +dnl
> +dnl Table 2: droppers
> +dnl
> +table=2 priority=10, tcp, action=drop
> +table=2 priority=0, action=drop
> +dnl
> +dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
> +dnl
> +table=8,reg2=0x0a010109/0xffffffff,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
> +table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
> +dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
> +dnl TPA IP in reg2.
> +dnl Swaps the fields of the ARP message to turn a query to a response.
> +table=10 priority=100 arp xreg0=0 action=normal
> +table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
> +table=10 priority=0 action=drop
> +])
> +
> +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> +
> +dnl NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
> +NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
> +OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
> +
> +dnl FTP requests from p0->p1 should work fine.
> +NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
> +
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.9,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
> +tcp,orig=(src=10.1.1.2,dst=10.1.1.9,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
> +])
> +
> +OVS_TRAFFIC_VSWITCHD_STOP
> +AT_CLEANUP
> +
> +AT_SETUP([conntrack - FTP with NAT (seq-adj)])
> +AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
> +CHECK_CONNTRACK()
> +CHECK_CONNTRACK_NAT()
> +
> +OVS_TRAFFIC_VSWITCHD_START()
> +
> +ADD_NAMESPACES(at_ns0, at_ns1)
> +
> +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
> +NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
> +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
> +
> +dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
> +
> +AT_DATA([flows.txt], [dnl
> +dnl track all IP traffic, de-mangle non-NEW connections
> +table=0 in_port=1, ip, action=ct(table=1,nat)
> +table=0 in_port=2, ip, action=ct(table=2,nat)
> +dnl
> +dnl ARP
> +dnl
> +table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
> +table=0 priority=10 arp action=normal
> +table=0 priority=0 action=drop
> +dnl
> +dnl Table 1: port 1 -> 2
> +dnl
> +dnl Allow new FTP connections. These need to be commited.
> table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
> dnl Allow established TCP connections, make sure they are NATted already.
> table=1 ct_state=+est, tcp, nw_src=10.1.1.240,     action=2
> @@ -2487,7 +2567,6 @@ tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(sr
> OVS_TRAFFIC_VSWITCHD_STOP
> AT_CLEANUP
> 
> -
> AT_SETUP([conntrack - FTP with NAT 2])
> AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
> CHECK_CONNTRACK()
> -- 
> 2.9.3
>
Joe Stringer Sept. 7, 2016, 10:21 p.m. UTC | #2
On 7 September 2016 at 14:23, Jarno Rajahalme <jarno@ovn.org> wrote:
> Assuming the test is otherwise identical,
>
> Acked-by: Jarno Rajahalme <jarno@ovn.org>

Yup, it's just 's/10.1.1.240/10.1.1.9/' and
's/0x0a0101f0\/0xfffffff0/0x0a010109/0xffffffff/' plus a test rename.

Thanks, applied to master.

I plan to follow up shortly to reduce copy/paste in these tests and
clarify what "FTP with NAT 2" means.


>> On Sep 7, 2016, at 2:07 PM, Joe Stringer <joe@ovn.org> wrote:
>>
>> The existing FTP with NAT tests all perform NATing from an IP like
>> 10.1.1.1 -> 10.1.1.240, which requires adjusting the length of FTP
>> control messages as they pass through the connection tracker.
>> Occasionally this is a source of kernel bugs, so it is useful to have a
>> regular FTP NAT test between IPs that do not change the message length
>> in FTP control messages (eg, 10.1.1.1 -> 10.1.1.9) to more clearly
>> identify failures in this area.
>>
>> Signed-off-by: Joe Stringer <joe@ovn.org>
>> ---
>> tests/system-traffic.at | 83 +++++++++++++++++++++++++++++++++++++++++++++++--
>> 1 file changed, 81 insertions(+), 2 deletions(-)
>>
>> diff --git a/tests/system-traffic.at b/tests/system-traffic.at
>> index eaf4aba13869..4dabd90356a1 100644
>> --- a/tests/system-traffic.at
>> +++ b/tests/system-traffic.at
>> @@ -2405,7 +2405,6 @@ udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=
>> OVS_TRAFFIC_VSWITCHD_STOP
>> AT_CLEANUP
>>
>> -
>> AT_SETUP([conntrack - FTP with NAT])
>> AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
>> CHECK_CONNTRACK()
>> @@ -2435,6 +2434,87 @@ dnl
>> dnl Table 1: port 1 -> 2
>> dnl
>> dnl Allow new FTP connections. These need to be commited.
>> +table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=10.1.1.9)),2
>> +dnl Allow established TCP connections, make sure they are NATted already.
>> +table=1 ct_state=+est, tcp, nw_src=10.1.1.9,     action=2
>> +dnl
>> +dnl Table 1: droppers
>> +dnl
>> +table=1 priority=10, tcp, action=drop
>> +table=1 priority=0,action=drop
>> +dnl
>> +dnl Table 2: port 2 -> 1
>> +dnl
>> +dnl Allow established TCP connections, make sure they are reverse NATted
>> +table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
>> +dnl Allow (new) related (data) connections.  These need to be commited.
>> +table=2 ct_state=+new+rel, tcp, nw_dst=10.1.1.9, action=ct(commit,nat),1
>> +dnl Allow related ICMP packets, make sure they are reverse NATted
>> +table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
>> +dnl
>> +dnl Table 2: droppers
>> +dnl
>> +table=2 priority=10, tcp, action=drop
>> +table=2 priority=0, action=drop
>> +dnl
>> +dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
>> +dnl
>> +table=8,reg2=0x0a010109/0xffffffff,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
>> +table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
>> +dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
>> +dnl TPA IP in reg2.
>> +dnl Swaps the fields of the ARP message to turn a query to a response.
>> +table=10 priority=100 arp xreg0=0 action=normal
>> +table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
>> +table=10 priority=0 action=drop
>> +])
>> +
>> +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
>> +
>> +dnl NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
>> +NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
>> +OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
>> +
>> +dnl FTP requests from p0->p1 should work fine.
>> +NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
>> +
>> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
>> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.9,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
>> +tcp,orig=(src=10.1.1.2,dst=10.1.1.9,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
>> +])
>> +
>> +OVS_TRAFFIC_VSWITCHD_STOP
>> +AT_CLEANUP
>> +
>> +AT_SETUP([conntrack - FTP with NAT (seq-adj)])
>> +AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
>> +CHECK_CONNTRACK()
>> +CHECK_CONNTRACK_NAT()
>> +
>> +OVS_TRAFFIC_VSWITCHD_START()
>> +
>> +ADD_NAMESPACES(at_ns0, at_ns1)
>> +
>> +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
>> +NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
>> +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
>> +
>> +dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
>> +
>> +AT_DATA([flows.txt], [dnl
>> +dnl track all IP traffic, de-mangle non-NEW connections
>> +table=0 in_port=1, ip, action=ct(table=1,nat)
>> +table=0 in_port=2, ip, action=ct(table=2,nat)
>> +dnl
>> +dnl ARP
>> +dnl
>> +table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
>> +table=0 priority=10 arp action=normal
>> +table=0 priority=0 action=drop
>> +dnl
>> +dnl Table 1: port 1 -> 2
>> +dnl
>> +dnl Allow new FTP connections. These need to be commited.
>> table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
>> dnl Allow established TCP connections, make sure they are NATted already.
>> table=1 ct_state=+est, tcp, nw_src=10.1.1.240,     action=2
>> @@ -2487,7 +2567,6 @@ tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(sr
>> OVS_TRAFFIC_VSWITCHD_STOP
>> AT_CLEANUP
>>
>> -
>> AT_SETUP([conntrack - FTP with NAT 2])
>> AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
>> CHECK_CONNTRACK()
>> --
>> 2.9.3
>>
>

Patch

diff --git a/tests/system-traffic.at b/tests/system-traffic.at
index eaf4aba13869..4dabd90356a1 100644
--- a/tests/system-traffic.at
+++ b/tests/system-traffic.at
@@ -2405,7 +2405,6 @@  udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=
 OVS_TRAFFIC_VSWITCHD_STOP
 AT_CLEANUP
 
-
 AT_SETUP([conntrack - FTP with NAT])
 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
 CHECK_CONNTRACK()
@@ -2435,6 +2434,87 @@  dnl
 dnl Table 1: port 1 -> 2
 dnl
 dnl Allow new FTP connections. These need to be commited.
+table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=10.1.1.9)),2
+dnl Allow established TCP connections, make sure they are NATted already.
+table=1 ct_state=+est, tcp, nw_src=10.1.1.9,     action=2
+dnl
+dnl Table 1: droppers
+dnl
+table=1 priority=10, tcp, action=drop
+table=1 priority=0,action=drop
+dnl
+dnl Table 2: port 2 -> 1
+dnl
+dnl Allow established TCP connections, make sure they are reverse NATted
+table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1
+dnl Allow (new) related (data) connections.  These need to be commited.
+table=2 ct_state=+new+rel, tcp, nw_dst=10.1.1.9, action=ct(commit,nat),1
+dnl Allow related ICMP packets, make sure they are reverse NATted
+table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1
+dnl
+dnl Table 2: droppers
+dnl
+table=2 priority=10, tcp, action=drop
+table=2 priority=0, action=drop
+dnl
+dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0
+dnl
+table=8,reg2=0x0a010109/0xffffffff,action=load:0x808888888888->OXM_OF_PKT_REG0[[]]
+table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]]
+dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action.
+dnl TPA IP in reg2.
+dnl Swaps the fields of the ARP message to turn a query to a response.
+table=10 priority=100 arp xreg0=0 action=normal
+table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]]
+table=10 priority=0 action=drop
+])
+
+AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
+
+dnl NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
+NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
+OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp])
+
+dnl FTP requests from p0->p1 should work fine.
+NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
+
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.9,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
+tcp,orig=(src=10.1.1.2,dst=10.1.1.9,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
+])
+
+OVS_TRAFFIC_VSWITCHD_STOP
+AT_CLEANUP
+
+AT_SETUP([conntrack - FTP with NAT (seq-adj)])
+AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
+CHECK_CONNTRACK()
+CHECK_CONNTRACK_NAT()
+
+OVS_TRAFFIC_VSWITCHD_START()
+
+ADD_NAMESPACES(at_ns0, at_ns1)
+
+ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
+NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
+ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
+
+dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
+
+AT_DATA([flows.txt], [dnl
+dnl track all IP traffic, de-mangle non-NEW connections
+table=0 in_port=1, ip, action=ct(table=1,nat)
+table=0 in_port=2, ip, action=ct(table=2,nat)
+dnl
+dnl ARP
+dnl
+table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10
+table=0 priority=10 arp action=normal
+table=0 priority=0 action=drop
+dnl
+dnl Table 1: port 1 -> 2
+dnl
+dnl Allow new FTP connections. These need to be commited.
 table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2
 dnl Allow established TCP connections, make sure they are NATted already.
 table=1 ct_state=+est, tcp, nw_src=10.1.1.240,     action=2
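Review bot: Nothing in the added test body says why the NAT address is 10.1.1.9, so the property this test isolates (a translated address whose text is the same length as 10.1.1.1, leaving FTP control message lengths unchanged) is recorded only in the commit message, and the test title stays the unqualified `conntrack - FTP with NAT`. A comment above the first added flow would keep it visible to whoever next debugs a failure, for example `dnl NAT to 10.1.1.9: same string length as 10.1.1.1, so FTP control messages keep their length and no seq adjustment is needed.` The copied `dnl NETNS_DAEMONIZE([at_ns0], ...)` line is commented-out code that does nothing in the new test and could be dropped. The added lines begin inside an AT_DATA([flows.txt]) block whose opening and test setup lie above the hunk, so this is based only on the visible tail of the first test and the head of the `(seq-adj)` one.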
@@ -2487,7 +2567,6 @@  tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(sr
 OVS_TRAFFIC_VSWITCHD_STOP
 AT_CLEANUP
 
-
 AT_SETUP([conntrack - FTP with NAT 2])
 AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
 CHECK_CONNTRACK()