From patchwork Wed Sep 7 21:07:41 2016
From: Joe Stringer <joe@ovn.org>
To: dev@openvswitch.org
Date: Wed, 7 Sep 2016 14:07:41 -0700
Subject: [ovs-dev] [PATCH] system-traffic: Add FTP NAT test without seqadj.
Message-Id: <20160907210741.21867-1-joe@ovn.org>

The existing FTP with NAT tests all perform NATing from an IP like 10.1.1.1 -> 10.1.1.240, which requires adjusting the length of FTP control messages as they pass through the connection tracker. Occasionally this is a source of kernel bugs, so it is useful to have a regular FTP NAT test between IPs that do not change the message length in FTP control messages (e.g., 10.1.1.1 -> 10.1.1.9) to more clearly identify failures in this area.
Signed-off-by: Joe Stringer Acked-by: Jarno Rajahalme --- tests/system-traffic.at | 83 +++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 81 insertions(+), 2 deletions(-) diff --git a/tests/system-traffic.at b/tests/system-traffic.at index eaf4aba13869..4dabd90356a1 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -2405,7 +2405,6 @@ udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP - AT_SETUP([conntrack - FTP with NAT]) AT_SKIP_IF([test $HAVE_PYFTPDLIB = no]) CHECK_CONNTRACK() 
@@ -2435,6 +2434,87 @@ dnl dnl Table 1: port 1 -> 2 dnl dnl Allow new FTP connections. These need to be commited. +table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=10.1.1.9)),2 +dnl Allow established TCP connections, make sure they are NATted already. +table=1 ct_state=+est, tcp, nw_src=10.1.1.9, action=2 +dnl +dnl Table 1: droppers +dnl +table=1 priority=10, tcp, action=drop +table=1 priority=0,action=drop +dnl +dnl Table 2: port 2 -> 1 +dnl +dnl Allow established TCP connections, make sure they are reverse NATted +table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1 +dnl Allow (new) related (data) connections. These need to be commited. +table=2 ct_state=+new+rel, tcp, nw_dst=10.1.1.9, action=ct(commit,nat),1 +dnl Allow related ICMP packets, make sure they are reverse NATted +table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1 +dnl +dnl Table 2: droppers +dnl +table=2 priority=10, tcp, action=drop +table=2 priority=0, action=drop +dnl +dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0 +dnl +table=8,reg2=0x0a010109/0xffffffff,action=load:0x808888888888->OXM_OF_PKT_REG0[[]] +table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]] +dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action. +dnl TPA IP in reg2. +dnl Swaps the fields of the ARP message to turn a query to a response. 
+table=10 priority=100 arp xreg0=0 action=normal +table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]] +table=10 priority=0 action=drop +]) + +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) + +dnl NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid]) +NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid]) +OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp]) + +dnl FTP requests from p0->p1 should work fine. +NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d]) + +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.9,sport=,dport=),protoinfo=(state=),helper=ftp +tcp,orig=(src=10.1.1.2,dst=10.1.1.9,sport=,dport=),reply=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),protoinfo=(state=) +]) + +OVS_TRAFFIC_VSWITCHD_STOP +AT_CLEANUP + +AT_SETUP([conntrack - FTP with NAT (seq-adj)]) +AT_SKIP_IF([test $HAVE_PYFTPDLIB = no]) +CHECK_CONNTRACK() +CHECK_CONNTRACK_NAT() + +OVS_TRAFFIC_VSWITCHD_START() + +ADD_NAMESPACES(at_ns0, at_ns1) + +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") +NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88]) +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") + +dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0. 
+ +AT_DATA([flows.txt], [dnl +dnl track all IP traffic, de-mangle non-NEW connections +table=0 in_port=1, ip, action=ct(table=1,nat) +table=0 in_port=2, ip, action=ct(table=2,nat) +dnl +dnl ARP +dnl +table=0 priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10 +table=0 priority=10 arp action=normal +table=0 priority=0 action=drop +dnl +dnl Table 1: port 1 -> 2 +dnl +dnl Allow new FTP connections. These need to be commited. table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2 dnl Allow established TCP connections, make sure they are NATted already. table=1 ct_state=+est, tcp, nw_src=10.1.1.240, action=2 @@ -2487,7 +2567,6 @@ tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=,dport=),reply=(sr OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP - AT_SETUP([conntrack - FTP with NAT 2]) AT_SKIP_IF([test $HAVE_PYFTPDLIB = no]) CHECK_CONNTRACK()
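Review bot: the single `-` line in the first hunk (@@ -2405,7 +2405,6 @@) deletes a blank line between `AT_CLEANUP` and `AT_SETUP([conntrack - FTP with NAT])`, a whitespace cleanup that has nothing to do with adding the seqadj-free test. Either mention it in the commit message or leave that line alone so the patch stays a pure addition and is easier to bisect.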
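Review bot: the new test in the second hunk (@@ -2435,6 +2434,87 @@) carries a commented-out line, `+dnl NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])`, directly above the live `NETNS_DAEMONIZE([at_ns1], ..., [ftp0.pid])`; dead code should not land in a test, so drop it, or if a second server in at_ns0 is really wanted, enable it and make the pid file names match the namespaces (ftp0 for at_ns0, ftp1 for at_ns1). Two smaller points in the same hunk: the added comments `+dnl Allow new FTP connections. These need to be commited.` and `+dnl Allow (new) related (data) connections. These need to be commited.` misspell "committed" (the typo is copied from the existing test, so fixing both while here is cheap), and the new test duplicates the whole flow table and ARP responder of the seq-adj test with only `nat(src=10.1.1.9)` / `nw_src=10.1.1.9` / `reg2=0x0a010109` differing from `10.1.1.240`, so a macro parameterised by the NAT address would keep the two variants from drifting apart.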
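Review bot: the last hunk (@@ -2487,7 +2567,6 @@) is another blank-line deletion between `AT_CLEANUP` and `AT_SETUP([conntrack - FTP with NAT 2])`, unrelated to the test being added; together with the first hunk these are the only two deletions in the diffstat. Drop it from this patch or call it out explicitly in the commit message.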