From patchwork Tue Dec 20 21:28:28 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Joe Stringer X-Patchwork-Id: 707596 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from mail.linuxfoundation.org (mail.linuxfoundation.org [140.211.169.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3tjrYW5Bfwz9t14 for ; Wed, 21 Dec 2016 08:30:39 +1100 (AEDT) Received: from mail.linux-foundation.org (localhost [127.0.0.1]) by mail.linuxfoundation.org (Postfix) with ESMTP id B6CCBC5E; Tue, 20 Dec 2016 21:28:49 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@mail.linuxfoundation.org Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 58710C49 for ; Tue, 20 Dec 2016 21:28:46 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from relay2-d.mail.gandi.net (relay2-d.mail.gandi.net [217.70.183.194]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 535FC1AD for ; Tue, 20 Dec 2016 21:28:43 +0000 (UTC) Received: from mfilter14-d.gandi.net (mfilter14-d.gandi.net [217.70.178.142]) by relay2-d.mail.gandi.net (Postfix) with ESMTP id 248F4C5A54 for ; Tue, 20 Dec 2016 22:28:42 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at mfilter14-d.gandi.net Received: from relay2-d.mail.gandi.net ([IPv6:::ffff:217.70.183.194]) by mfilter14-d.gandi.net (mfilter14-d.gandi.net [::ffff:10.0.15.180]) (amavisd-new, port 10024) with ESMTP id 40eKHWdqMcCF for ; Tue, 20 Dec 2016 22:28:38 +0100 (CET) X-Originating-IP: 208.91.1.34 Received: from carno.eng.vmware.com (unknown [208.91.1.34]) (Authenticated sender: joe@ovn.org) by relay2-d.mail.gandi.net (Postfix) with ESMTPSA id 00EEAC5A74 for ; Tue, 20 Dec 2016 22:28:37 +0100 (CET) From: Joe Stringer To: dev@openvswitch.org Date: Tue, 20 Dec 2016 13:28:28 -0800 Message-Id: <20161220212829.19947-4-joe@ovn.org> X-Mailer: git-send-email 2.10.2 In-Reply-To: <20161220212829.19947-1-joe@ovn.org> References: <20161220212829.19947-1-joe@ovn.org> X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: [ovs-dev] [PATCH 4/5] system-traffic: Reorder and bannerize ct tests. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: ovs-dev-bounces@openvswitch.org Errors-To: ovs-dev-bounces@openvswitch.org Signed-off-by: Joe Stringer Acked-by: Daniele Di Proietto --- tests/system-traffic.at | 898 ++++++++++++++++++++++++------------------------ 1 file changed, 449 insertions(+), 449 deletions(-) diff --git a/tests/system-traffic.at b/tests/system-traffic.at index 14fbf4518fdf..8e424c56031c 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -649,84 +649,6 @@ udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10. OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -AT_SETUP([conntrack - IPv4 HTTP]) -CHECK_CONNTRACK() -OVS_TRAFFIC_VSWITCHD_START() - -ADD_NAMESPACES(at_ns0, at_ns1) - -ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") -ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") - -dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0. -AT_DATA([flows.txt], [dnl -priority=1,action=drop -priority=10,arp,action=normal -priority=10,icmp,action=normal -priority=100,in_port=1,tcp,action=ct(commit),2 -priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0) -priority=100,in_port=2,ct_state=+trk+est,tcp,action=1 -]) - -AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) - -OVS_START_L7([at_ns0], [http]) -OVS_START_L7([at_ns1], [http]) - -dnl HTTP requests from ns0->ns1 should work fine. -NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=) -]) - -dnl HTTP requests from ns1->ns0 should fail due to network failure. -dnl Try 3 times, in 1 second intervals. -NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4]) - -OVS_TRAFFIC_VSWITCHD_STOP -AT_CLEANUP - -AT_SETUP([conntrack - IPv6 HTTP]) -CHECK_CONNTRACK() -OVS_TRAFFIC_VSWITCHD_START() - -ADD_NAMESPACES(at_ns0, at_ns1) - -ADD_VETH(p0, at_ns0, br0, "fc00::1/96") -ADD_VETH(p1, at_ns1, br0, "fc00::2/96") - -dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0. -AT_DATA([flows.txt], [dnl -priority=1,action=drop -priority=10,icmp6,action=normal -priority=100,in_port=1,tcp6,action=ct(commit),2 -priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0) -priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1 -]) - -AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) - -dnl Linux seems to take a little time to get its IPv6 stack in order. Without -dnl waiting, we get occasional failures due to the following error: -dnl "connect: Cannot assign requested address" -OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2]) - -OVS_START_L7([at_ns0], [http6]) -OVS_START_L7([at_ns1], [http6]) - -dnl HTTP requests from ns0->ns1 should work fine. -NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log]) -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl -tcp,orig=(src=fc00::1,dst=fc00::2,sport=,dport=),reply=(src=fc00::2,dst=fc00::1,sport=,dport=),protoinfo=(state=) -]) - -dnl HTTP requests from ns1->ns0 should fail due to network failure. -dnl Try 3 times, in 1 second intervals. -NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4]) - -OVS_TRAFFIC_VSWITCHD_STOP -AT_CLEANUP - AT_SETUP([conntrack - IPv4 ping]) CHECK_CONNTRACK() OVS_TRAFFIC_VSWITCHD_START() @@ -815,47 +737,6 @@ icmpv6,orig=(src=fc00::1,dst=fc00::2,id=,type=128,code=0),reply=(src=fc OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -AT_SETUP([conntrack - commit, recirc]) -CHECK_CONNTRACK() -OVS_TRAFFIC_VSWITCHD_START() - -ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3) - -ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") -ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") -ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24") -ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24") - -dnl Allow any traffic from ns0->ns1, ns2->ns3. -AT_DATA([flows.txt], [dnl -priority=1,action=drop -priority=10,arp,action=normal -priority=10,icmp,action=normal -priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0) -priority=100,in_port=1,tcp,ct_state=+trk,action=2 -priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0) -priority=100,in_port=2,tcp,ct_state=+trk,action=1 -priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0) -priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0) -priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4 -priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0) -priority=100,in_port=4,tcp,ct_state=+trk,action=3 -]) - -AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) - -OVS_START_L7([at_ns1], [http]) -OVS_START_L7([at_ns3], [http]) - -dnl HTTP requests from p0->p1 should work fine. -NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) - -dnl HTTP requests from p2->p3 should work fine. -NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log]) - -OVS_TRAFFIC_VSWITCHD_STOP -AT_CLEANUP - AT_SETUP([conntrack - preserve registers]) CHECK_CONNTRACK() OVS_TRAFFIC_VSWITCHD_START() @@ -1116,55 +997,6 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -AT_SETUP([conntrack - multiple zones, local]) -CHECK_CONNTRACK() -CHECK_CONNTRACK_LOCAL_STACK() -OVS_TRAFFIC_VSWITCHD_START() - -ADD_NAMESPACES(at_ns0) - -AT_CHECK([ip addr add dev br0 "10.1.1.1/24"]) -AT_CHECK([ip link set dev br0 up]) -on_exit 'ip addr del dev br0 "10.1.1.1/24"' -ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24") - -dnl Allow traffic from local stack to ns0. Only allow neighbour discovery, -dnl return traffic from ns0 back to the local stack. -AT_DATA([flows.txt], [dnl -priority=1,action=drop -priority=10,arp,action=normal -priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop -priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1 -priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1 -priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1) -table=1,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2) -table=2,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL -]) - -AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) - -AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl -3 packets transmitted, 3 received, 0% packet loss, time 0ms -]) - -OVS_START_L7([at_ns0], [http]) - -dnl HTTP requests from root namespace to p0 should work fine. -AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) - -dnl (again) HTTP requests from root namespace to p0 should work fine. -AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) - -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl -icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=,type=0,code=0),zone=1 -icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=,type=0,code=0),zone=2 -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=) -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=2,protoinfo=(state=) -]) - -OVS_TRAFFIC_VSWITCHD_STOP -AT_CLEANUP - AT_SETUP([conntrack - multiple namespaces, internal ports]) CHECK_CONNTRACK() CHECK_CONNTRACK_LOCAL_STACK() @@ -1207,77 +1039,6 @@ OVS_TRAFFIC_VSWITCHD_STOP(["dnl /removing policing failed: No such device/d"]) AT_CLEANUP -AT_SETUP([conntrack - multi-stage pipeline, local]) -CHECK_CONNTRACK() -CHECK_CONNTRACK_LOCAL_STACK() -OVS_TRAFFIC_VSWITCHD_START() - -ADD_NAMESPACES(at_ns0) - -AT_CHECK([ip addr add dev br0 "10.1.1.1/24"]) -AT_CHECK([ip link set dev br0 up]) -on_exit 'ip addr del dev br0 "10.1.1.1/24"' -ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24") - -dnl Allow traffic from local stack to ns0. Only allow neighbour discovery, -dnl return traffic from ns0 back to the local stack. -AT_DATA([flows.txt], [dnl -dnl default -table=0,priority=1,action=drop -table=0,priority=10,arp,action=normal - -dnl Load the output port to REG0 -table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1 -table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1 - -dnl Ingress pipeline -dnl - Allow all connections from LOCAL port (commit and proceed to egress) -dnl - All other connections go through conntracker using the input port as -dnl a connection tracking zone. -table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2 -table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]]) -table=1,priority=1,action=drop - -dnl Egress pipeline -dnl - Allow all connections from LOCAL port (commit and skip to output) -dnl - Allow other established connections to go through conntracker using -dnl output port as a connection tracking zone. -table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4 -table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]]) -table=2,priority=1,action=drop - -dnl Only allow established traffic from egress ct lookup -table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4 -table=3,priority=1,action=drop - -dnl output table -table=4,priority=100,ip,action=output:NXM_NX_REG0[[]] -]) - -AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) - -AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl -3 packets transmitted, 3 received, 0% packet loss, time 0ms -]) - -OVS_START_L7([at_ns0], [http]) - -dnl HTTP requests from root namespace to p0 should work fine. -AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) - -dnl (again) HTTP requests from root namespace to p0 should work fine. -AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) - -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl -icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=,type=0,code=0),zone=1 -icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=,type=0,code=0),zone=65534 -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=) -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=65534,protoinfo=(state=) -]) - -OVS_TRAFFIC_VSWITCHD_STOP -AT_CLEANUP - AT_SETUP([conntrack - ct_mark]) CHECK_CONNTRACK() OVS_TRAFFIC_VSWITCHD_START() @@ -1600,217 +1361,9 @@ icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=17 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -AT_SETUP([conntrack - FTP]) -AT_SKIP_IF([test $HAVE_PYFTPDLIB = no]) +AT_SETUP([conntrack - IPv4 fragmentation ]) CHECK_CONNTRACK() -CHECK_CONNTRACK_ALG() -OVS_TRAFFIC_VSWITCHD_START() - -ADD_NAMESPACES(at_ns0, at_ns1) - -ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") -ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") - -dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0. -AT_DATA([flows1.txt], [dnl -table=0,priority=1,action=drop -table=0,priority=10,arp,action=normal -table=0,priority=10,icmp,action=normal -table=0,priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2 -table=0,priority=100,in_port=2,tcp,action=ct(table=1) -table=1,in_port=2,tcp,ct_state=+trk+est,action=1 -table=1,in_port=2,tcp,ct_state=+trk+rel,action=1 -]) - -dnl Similar policy but without allowing all traffic from ns0->ns1. -AT_DATA([flows2.txt], [dnl -table=0,priority=1,action=drop -table=0,priority=10,arp,action=normal -table=0,priority=10,icmp,action=normal - -dnl Allow outgoing TCP connections, and treat them as FTP -table=0,priority=100,in_port=1,tcp,action=ct(table=1) -table=1,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2 -table=1,in_port=1,tcp,ct_state=+trk+est,action=2 - -dnl Allow incoming FTP data connections and responses to existing connections -table=0,priority=100,in_port=2,tcp,action=ct(table=1) -table=1,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1 -table=1,in_port=2,tcp,ct_state=+trk+est,action=1 -table=1,in_port=2,tcp,ct_state=+trk-new+rel,action=1 -]) - -AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt]) - -OVS_START_L7([at_ns0], [ftp]) -OVS_START_L7([at_ns1], [ftp]) - -dnl FTP requests from p1->p0 should fail due to network failure. -dnl Try 3 times, in 1 second intervals. -NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4]) -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl -]) - -dnl FTP requests from p0->p1 should work fine. -NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log]) -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp -]) - -dnl Try the second set of flows. -AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt]) -AT_CHECK([ovs-appctl dpctl/flush-conntrack]) - -dnl FTP requests from p1->p0 should fail due to network failure. -dnl Try 3 times, in 1 second intervals. -NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4]) -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl -]) - -dnl Active FTP requests from p0->p1 should work fine. -NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log]) -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp -tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),protoinfo=(state=) -]) - -AT_CHECK([ovs-appctl dpctl/flush-conntrack]) - -dnl Passive FTP requests from p0->p1 should work fine. -NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log]) -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp -]) - -OVS_TRAFFIC_VSWITCHD_STOP -AT_CLEANUP - - -AT_SETUP([conntrack - IPv6 FTP]) -AT_SKIP_IF([test $HAVE_PYFTPDLIB = no]) -CHECK_CONNTRACK() -CHECK_CONNTRACK_ALG() -OVS_TRAFFIC_VSWITCHD_START() - -ADD_NAMESPACES(at_ns0, at_ns1) - -ADD_VETH(p0, at_ns0, br0, "fc00::1/96") -ADD_VETH(p1, at_ns1, br0, "fc00::2/96") - -dnl Allow any traffic from ns0->ns1. -dnl Only allow nd, return traffic from ns1->ns0. -AT_DATA([flows.txt], [dnl -dnl Track all IPv6 traffic and drop the rest. -dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked. -table=0 priority=100 in_port=1 icmp6, action=2 -table=0 priority=100 in_port=2 icmp6, action=1 -table=0 priority=10 ip6, action=ct(table=1) -table=0 priority=0 action=drop -dnl -dnl Table 1 -dnl -dnl Allow new TCPv6 FTP control connections from port 1. -table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2 -dnl Allow related TCPv6 connections from port 2. -table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1 -dnl Allow established TCPv6 connections both ways. -table=1 in_port=1 ct_state=+est, tcp6, action=2 -table=1 in_port=2 ct_state=+est, tcp6, action=1 -dnl Drop everything else. -table=1 priority=0, action=drop -]) - -AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) - -dnl Linux seems to take a little time to get its IPv6 stack in order. Without -dnl waiting, we get occasional failures due to the following error: -dnl "connect: Cannot assign requested address" -OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) - -OVS_START_L7([at_ns1], [ftp]) - -dnl FTP requests from p0->p1 should work fine. -NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d]) - -dnl Discards CLOSE_WAIT and CLOSING -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl -tcp,orig=(src=fc00::1,dst=fc00::2,sport=,dport=),reply=(src=fc00::2,dst=fc00::1,sport=,dport=),protoinfo=(state=),helper=ftp -tcp,orig=(src=fc00::2,dst=fc00::1,sport=,dport=),reply=(src=fc00::1,dst=fc00::2,sport=,dport=),protoinfo=(state=) -]) - -OVS_TRAFFIC_VSWITCHD_STOP -AT_CLEANUP - - -AT_SETUP([conntrack - FTP with multiple expectations]) -AT_SKIP_IF([test $HAVE_PYFTPDLIB = no]) -CHECK_CONNTRACK() -CHECK_CONNTRACK_ALG() -OVS_TRAFFIC_VSWITCHD_START() - -ADD_NAMESPACES(at_ns0, at_ns1) - -ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") -ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") - -dnl Dual-firewall, allow all from ns1->ns2, allow established and ftp ns2->ns1. -AT_DATA([flows.txt], [dnl -table=0,priority=1,action=drop -table=0,priority=10,arp,action=normal -table=0,priority=10,icmp,action=normal - -dnl Traffic from ns1 -table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1) -table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new-rel,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2 -table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new+rel,action=ct(commit,zone=1),ct(commit,zone=2),2 -table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,zone=2) -table=2,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2 - -dnl Traffic from ns2 -table=0,priority=100,in_port=2,tcp,action=ct(table=1,zone=2) -table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1 -table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,zone=1) -table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1 -table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1 -]) - -AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) - -OVS_START_L7([at_ns0], [ftp]) -OVS_START_L7([at_ns1], [ftp]) - -dnl FTP requests from p1->p0 should fail due to network failure. -dnl Try 3 times, in 1 second intervals. -NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4]) -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl -]) - -dnl Active FTP requests from p0->p1 should work fine. -NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log]) -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=),helper=ftp -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=2,protoinfo=(state=),helper=ftp -tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),zone=1,protoinfo=(state=) -tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),zone=2,protoinfo=(state=) -]) - -AT_CHECK([ovs-appctl dpctl/flush-conntrack]) - -dnl Passive FTP requests from p0->p1 should work fine. -NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=) -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=),helper=ftp -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=2,protoinfo=(state=) -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=2,protoinfo=(state=),helper=ftp -]) - -OVS_TRAFFIC_VSWITCHD_STOP -AT_CLEANUP - -AT_SETUP([conntrack - IPv4 fragmentation ]) -CHECK_CONNTRACK() -CHECK_CONNTRACK_FRAG() +CHECK_CONNTRACK_FRAG() OVS_TRAFFIC_VSWITCHD_START() ADD_NAMESPACES(at_ns0, at_ns1) @@ -2184,6 +1737,453 @@ NXST_FLOW reply: OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP +AT_BANNER([conntrack - L7]) + +AT_SETUP([conntrack - IPv4 HTTP]) +CHECK_CONNTRACK() +OVS_TRAFFIC_VSWITCHD_START() + +ADD_NAMESPACES(at_ns0, at_ns1) + +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") + +dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0. +AT_DATA([flows.txt], [dnl +priority=1,action=drop +priority=10,arp,action=normal +priority=10,icmp,action=normal +priority=100,in_port=1,tcp,action=ct(commit),2 +priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0) +priority=100,in_port=2,ct_state=+trk+est,tcp,action=1 +]) + +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) + +OVS_START_L7([at_ns0], [http]) +OVS_START_L7([at_ns1], [http]) + +dnl HTTP requests from ns0->ns1 should work fine. +NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=) +]) + +dnl HTTP requests from ns1->ns0 should fail due to network failure. +dnl Try 3 times, in 1 second intervals. +NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 --retry-connrefused -v -o wget1.log], [4]) + +OVS_TRAFFIC_VSWITCHD_STOP +AT_CLEANUP + +AT_SETUP([conntrack - IPv6 HTTP]) +CHECK_CONNTRACK() +OVS_TRAFFIC_VSWITCHD_START() + +ADD_NAMESPACES(at_ns0, at_ns1) + +ADD_VETH(p0, at_ns0, br0, "fc00::1/96") +ADD_VETH(p1, at_ns1, br0, "fc00::2/96") + +dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0. +AT_DATA([flows.txt], [dnl +priority=1,action=drop +priority=10,icmp6,action=normal +priority=100,in_port=1,tcp6,action=ct(commit),2 +priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0) +priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1 +]) + +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) + +dnl Linux seems to take a little time to get its IPv6 stack in order. Without +dnl waiting, we get occasional failures due to the following error: +dnl "connect: Cannot assign requested address" +OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2]) + +OVS_START_L7([at_ns0], [http6]) +OVS_START_L7([at_ns1], [http6]) + +dnl HTTP requests from ns0->ns1 should work fine. +NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log]) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl +tcp,orig=(src=fc00::1,dst=fc00::2,sport=,dport=),reply=(src=fc00::2,dst=fc00::1,sport=,dport=),protoinfo=(state=) +]) + +dnl HTTP requests from ns1->ns0 should fail due to network failure. +dnl Try 3 times, in 1 second intervals. +NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 --retry-connrefused -v -o wget1.log], [4]) + +OVS_TRAFFIC_VSWITCHD_STOP +AT_CLEANUP + +AT_SETUP([conntrack - commit, recirc]) +CHECK_CONNTRACK() +OVS_TRAFFIC_VSWITCHD_START() + +ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3) + +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") +ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24") +ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24") + +dnl Allow any traffic from ns0->ns1, ns2->ns3. +AT_DATA([flows.txt], [dnl +priority=1,action=drop +priority=10,arp,action=normal +priority=10,icmp,action=normal +priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0) +priority=100,in_port=1,tcp,ct_state=+trk,action=2 +priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0) +priority=100,in_port=2,tcp,ct_state=+trk,action=1 +priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0) +priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0) +priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4 +priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0) +priority=100,in_port=4,tcp,ct_state=+trk,action=3 +]) + +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) + +OVS_START_L7([at_ns1], [http]) +OVS_START_L7([at_ns3], [http]) + +dnl HTTP requests from p0->p1 should work fine. +NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) + +dnl HTTP requests from p2->p3 should work fine. +NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log]) + +OVS_TRAFFIC_VSWITCHD_STOP +AT_CLEANUP + +AT_SETUP([conntrack - multiple zones, local]) +CHECK_CONNTRACK() +CHECK_CONNTRACK_LOCAL_STACK() +OVS_TRAFFIC_VSWITCHD_START() + +ADD_NAMESPACES(at_ns0) + +AT_CHECK([ip addr add dev br0 "10.1.1.1/24"]) +AT_CHECK([ip link set dev br0 up]) +on_exit 'ip addr del dev br0 "10.1.1.1/24"' +ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24") + +dnl Allow traffic from local stack to ns0. Only allow neighbour discovery, +dnl return traffic from ns0 back to the local stack. +AT_DATA([flows.txt], [dnl +priority=1,action=drop +priority=10,arp,action=normal +priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop +priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1 +priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1 +priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1) +table=1,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2) +table=2,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL +]) + +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) + +AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl +3 packets transmitted, 3 received, 0% packet loss, time 0ms +]) + +OVS_START_L7([at_ns0], [http]) + +dnl HTTP requests from root namespace to p0 should work fine. +AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) + +dnl (again) HTTP requests from root namespace to p0 should work fine. +AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) + +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl +icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=,type=0,code=0),zone=1 +icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=,type=0,code=0),zone=2 +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=) +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=2,protoinfo=(state=) +]) + +OVS_TRAFFIC_VSWITCHD_STOP +AT_CLEANUP + +AT_SETUP([conntrack - multi-stage pipeline, local]) +CHECK_CONNTRACK() +CHECK_CONNTRACK_LOCAL_STACK() +OVS_TRAFFIC_VSWITCHD_START() + +ADD_NAMESPACES(at_ns0) + +AT_CHECK([ip addr add dev br0 "10.1.1.1/24"]) +AT_CHECK([ip link set dev br0 up]) +on_exit 'ip addr del dev br0 "10.1.1.1/24"' +ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24") + +dnl Allow traffic from local stack to ns0. Only allow neighbour discovery, +dnl return traffic from ns0 back to the local stack. +AT_DATA([flows.txt], [dnl +dnl default +table=0,priority=1,action=drop +table=0,priority=10,arp,action=normal + +dnl Load the output port to REG0 +table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1 +table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1 + +dnl Ingress pipeline +dnl - Allow all connections from LOCAL port (commit and proceed to egress) +dnl - All other connections go through conntracker using the input port as +dnl a connection tracking zone. +table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2 +table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]]) +table=1,priority=1,action=drop + +dnl Egress pipeline +dnl - Allow all connections from LOCAL port (commit and skip to output) +dnl - Allow other established connections to go through conntracker using +dnl output port as a connection tracking zone. +table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4 +table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]]) +table=2,priority=1,action=drop + +dnl Only allow established traffic from egress ct lookup +table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4 +table=3,priority=1,action=drop + +dnl output table +table=4,priority=100,ip,action=output:NXM_NX_REG0[[]] +]) + +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) + +AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl +3 packets transmitted, 3 received, 0% packet loss, time 0ms +]) + +OVS_START_L7([at_ns0], [http]) + +dnl HTTP requests from root namespace to p0 should work fine. +AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) + +dnl (again) HTTP requests from root namespace to p0 should work fine. +AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) + +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl +icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=,type=0,code=0),zone=1 +icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=,type=0,code=0),zone=65534 +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=) +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=65534,protoinfo=(state=) +]) + +OVS_TRAFFIC_VSWITCHD_STOP +AT_CLEANUP + +AT_SETUP([conntrack - FTP]) +AT_SKIP_IF([test $HAVE_PYFTPDLIB = no]) +CHECK_CONNTRACK() +CHECK_CONNTRACK_ALG() +OVS_TRAFFIC_VSWITCHD_START() + +ADD_NAMESPACES(at_ns0, at_ns1) + +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") + +dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0. +AT_DATA([flows1.txt], [dnl +table=0,priority=1,action=drop +table=0,priority=10,arp,action=normal +table=0,priority=10,icmp,action=normal +table=0,priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2 +table=0,priority=100,in_port=2,tcp,action=ct(table=1) +table=1,in_port=2,tcp,ct_state=+trk+est,action=1 +table=1,in_port=2,tcp,ct_state=+trk+rel,action=1 +]) + +dnl Similar policy but without allowing all traffic from ns0->ns1. +AT_DATA([flows2.txt], [dnl +table=0,priority=1,action=drop +table=0,priority=10,arp,action=normal +table=0,priority=10,icmp,action=normal + +dnl Allow outgoing TCP connections, and treat them as FTP +table=0,priority=100,in_port=1,tcp,action=ct(table=1) +table=1,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2 +table=1,in_port=1,tcp,ct_state=+trk+est,action=2 + +dnl Allow incoming FTP data connections and responses to existing connections +table=0,priority=100,in_port=2,tcp,action=ct(table=1) +table=1,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1 +table=1,in_port=2,tcp,ct_state=+trk+est,action=1 +table=1,in_port=2,tcp,ct_state=+trk-new+rel,action=1 +]) + +AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt]) + +OVS_START_L7([at_ns0], [ftp]) +OVS_START_L7([at_ns1], [ftp]) + +dnl FTP requests from p1->p0 should fail due to network failure. +dnl Try 3 times, in 1 second intervals. +NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4]) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl +]) + +dnl FTP requests from p0->p1 should work fine. +NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log]) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp +]) + +dnl Try the second set of flows. +AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt]) +AT_CHECK([ovs-appctl dpctl/flush-conntrack]) + +dnl FTP requests from p1->p0 should fail due to network failure. +dnl Try 3 times, in 1 second intervals. +NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4]) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl +]) + +dnl Active FTP requests from p0->p1 should work fine. +NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log]) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp +tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),protoinfo=(state=) +]) + +AT_CHECK([ovs-appctl dpctl/flush-conntrack]) + +dnl Passive FTP requests from p0->p1 should work fine. +NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log]) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp +]) + +OVS_TRAFFIC_VSWITCHD_STOP +AT_CLEANUP + +AT_SETUP([conntrack - FTP over IPv6]) +AT_SKIP_IF([test $HAVE_PYFTPDLIB = no]) +CHECK_CONNTRACK() +CHECK_CONNTRACK_ALG() +OVS_TRAFFIC_VSWITCHD_START() + +ADD_NAMESPACES(at_ns0, at_ns1) + +ADD_VETH(p0, at_ns0, br0, "fc00::1/96") +ADD_VETH(p1, at_ns1, br0, "fc00::2/96") + +dnl Allow any traffic from ns0->ns1. +dnl Only allow nd, return traffic from ns1->ns0. +AT_DATA([flows.txt], [dnl +dnl Track all IPv6 traffic and drop the rest. +dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked. +table=0 priority=100 in_port=1 icmp6, action=2 +table=0 priority=100 in_port=2 icmp6, action=1 +table=0 priority=10 ip6, action=ct(table=1) +table=0 priority=0 action=drop +dnl +dnl Table 1 +dnl +dnl Allow new TCPv6 FTP control connections from port 1. +table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2 +dnl Allow related TCPv6 connections from port 2. +table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1 +dnl Allow established TCPv6 connections both ways. +table=1 in_port=1 ct_state=+est, tcp6, action=2 +table=1 in_port=2 ct_state=+est, tcp6, action=1 +dnl Drop everything else. +table=1 priority=0, action=drop +]) + +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) + +dnl Linux seems to take a little time to get its IPv6 stack in order. Without +dnl waiting, we get occasional failures due to the following error: +dnl "connect: Cannot assign requested address" +OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) + +OVS_START_L7([at_ns1], [ftp]) + +dnl FTP requests from p0->p1 should work fine. +NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d]) + +dnl Discards CLOSE_WAIT and CLOSING +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl +tcp,orig=(src=fc00::1,dst=fc00::2,sport=,dport=),reply=(src=fc00::2,dst=fc00::1,sport=,dport=),protoinfo=(state=),helper=ftp +tcp,orig=(src=fc00::2,dst=fc00::1,sport=,dport=),reply=(src=fc00::1,dst=fc00::2,sport=,dport=),protoinfo=(state=) +]) + +OVS_TRAFFIC_VSWITCHD_STOP +AT_CLEANUP + +AT_SETUP([conntrack - FTP with multiple expectations]) +AT_SKIP_IF([test $HAVE_PYFTPDLIB = no]) +CHECK_CONNTRACK() +CHECK_CONNTRACK_ALG() +OVS_TRAFFIC_VSWITCHD_START() + +ADD_NAMESPACES(at_ns0, at_ns1) + +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") + +dnl Dual-firewall, allow all from ns1->ns2, allow established and ftp ns2->ns1. +AT_DATA([flows.txt], [dnl +table=0,priority=1,action=drop +table=0,priority=10,arp,action=normal +table=0,priority=10,icmp,action=normal + +dnl Traffic from ns1 +table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1) +table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new-rel,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2 +table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new+rel,action=ct(commit,zone=1),ct(commit,zone=2),2 +table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,zone=2) +table=2,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2 + +dnl Traffic from ns2 +table=0,priority=100,in_port=2,tcp,action=ct(table=1,zone=2) +table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1 +table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,zone=1) +table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1 +table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1 +]) + +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) + +OVS_START_L7([at_ns0], [ftp]) +OVS_START_L7([at_ns1], [ftp]) + +dnl FTP requests from p1->p0 should fail due to network failure. +dnl Try 3 times, in 1 second intervals. +NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4]) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl +]) + +dnl Active FTP requests from p0->p1 should work fine. +NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log]) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=),helper=ftp +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=2,protoinfo=(state=),helper=ftp +tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),zone=1,protoinfo=(state=) +tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),zone=2,protoinfo=(state=) +]) + +AT_CHECK([ovs-appctl dpctl/flush-conntrack]) + +dnl Passive FTP requests from p0->p1 should work fine. +NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=) +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=),helper=ftp +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=2,protoinfo=(state=) +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=2,protoinfo=(state=),helper=ftp +]) + +OVS_TRAFFIC_VSWITCHD_STOP +AT_CLEANUP + AT_BANNER([conntrack - NAT]) AT_SETUP([conntrack - simple SNAT])