
[ovs-dev,patch_v7,6/9] System Tests: Enhance NAT tests.

Message ID 1490346920-104476-7-git-send-email-dlu998@gmail.com
State Changes Requested
Delegated to: Daniele Di Proietto

Commit Message

Darrell Ball March 24, 2017, 9:15 a.m. UTC
Two new tests are added and two existing tests are
enhanced.

Signed-off-by: Darrell Ball <dlu998@gmail.com>
---
 tests/atlocal.in        |   3 ++
 tests/system-traffic.at | 109 +++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 110 insertions(+), 2 deletions(-)

Comments

Daniele Di Proietto April 30, 2017, 2:01 a.m. UTC | #1
Not sure this is very important: so far we managed to avoid using tcpdump in
the tests.  Would it be possible to use ovs-ofctl monitor?

In any case, maybe, it shouldn't be prefixed by sudo

2017-03-24 2:15 GMT-07:00 Darrell Ball <dlu998@gmail.com>:
> Two new tests are added and two other tests were
> enhanced.
>
> Signed-off-by: Darrell Ball <dlu998@gmail.com>
> ---
>  tests/atlocal.in        |   3 ++
>  tests/system-traffic.at | 109 +++++++++++++++++++++++++++++++++++++++++++++++-
>  2 files changed, 110 insertions(+), 2 deletions(-)
>
> diff --git a/tests/atlocal.in b/tests/atlocal.in
> index bc2480b..67ebf0d 100644
> --- a/tests/atlocal.in
> +++ b/tests/atlocal.in
> @@ -152,6 +152,9 @@ else
>      NC_EOF_OPT="-q 1"
>  fi
>
> +# Set HAVE_TCPDUMP
> +find_command tcpdump
> +
>  CURL_OPT="-g -v --max-time 1 --retry 2 --retry-delay 1 --connect-timeout 1"
>
>  # Turn off proxies.
> diff --git a/tests/system-traffic.at b/tests/system-traffic.at
> index 9861fb1..59eae7e 100644
> --- a/tests/system-traffic.at
> +++ b/tests/system-traffic.at
> @@ -2668,6 +2668,7 @@ AT_CLEANUP
>
>  AT_SETUP([conntrack - ICMP related with NAT])
>  AT_SKIP_IF([test $HAVE_NC = no])
> +AT_SKIP_IF([test $HAVE_TCPDUMP = no])
>  CHECK_CONNTRACK()
>  CHECK_CONNTRACK_NAT()
>  OVS_TRAFFIC_VSWITCHD_START()
> @@ -2703,6 +2704,10 @@ table=10 priority=0 action=drop
>
>  AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
>
> +rm p0.pcap
> +tcpdump -U -i ovs-p0 -w p0.pcap &
> +sleep 1
> +
>  dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
>  NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
>
> @@ -2724,6 +2729,8 @@ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=
>  udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),mark=1
>  ])
>
> +AT_CHECK([sudo tcpdump -v "icmp" -r p0.pcap 2>/dev/null | egrep 'wrong|bad'], [1], [ignore-nolog])
> +
>  OVS_TRAFFIC_VSWITCHD_STOP
>  AT_CLEANUP
>
> @@ -3028,7 +3035,7 @@ dnl Check that ct(nat,table=foo) works with TCP sequence adjustment with
>  dnl an ACL table based on matching on conntrack original direction tuple only.
>  CHECK_FTP_NAT_ORIG_TUPLE([seqadj], [10.1.1.240], [0x0a0101f0])
>
> -AT_SETUP([conntrack - IPv6 HTTP with NAT])
> +AT_SETUP([conntrack - IPv6 HTTP with SNAT])
>  CHECK_CONNTRACK()
>  CHECK_CONNTRACK_NAT()
>  OVS_TRAFFIC_VSWITCHD_START()
> @@ -3039,15 +3046,17 @@ ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
>  NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
>  ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
>  NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
> +NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::241 lladdr 80:88:88:88:88:88 dev p1])
>
>  dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
>  AT_DATA([flows.txt], [dnl
>  priority=1,action=drop
>  priority=10,icmp6,action=normal
> -priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240)),2
> +priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240-fc00::241)),2
>  priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
>  priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
>  priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1
> +priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::241,action=ct(commit,nat(dst=fc00::1)),1
>  ])
>
>  AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> @@ -3070,6 +3079,102 @@ NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4]
>  OVS_TRAFFIC_VSWITCHD_STOP
>  AT_CLEANUP
>
> +AT_SETUP([conntrack - IPv6 HTTP with DNAT])
> +CHECK_CONNTRACK()
> +CHECK_CONNTRACK_NAT()
> +OVS_TRAFFIC_VSWITCHD_START()
> +
> +ADD_NAMESPACES(at_ns0, at_ns1)
> +
> +ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
> +ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
> +NS_CHECK_EXEC([at_ns0], [ip -6 link set dev p0 address 80:88:88:88:88:77])
> +NS_CHECK_EXEC([at_ns1], [ip -6 link set dev p1 address 80:88:88:88:88:88])
> +NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p0])
> +NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::1 lladdr 80:88:88:88:88:77 dev p1])
> +
> +dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
> +AT_DATA([flows.txt], [dnl
> +priority=100 in_port=1,ip6,ipv6_dst=fc00::240,action=ct(zone=1,nat(dst=fc00::2),commit),2
> +priority=100 in_port=2,ct_state=-trk,ip6,action=ct(table=0,nat,zone=1)
> +priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip6,action=1
> +])
> +
> +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> +
> +dnl Linux seems to take a little time to get its IPv6 stack in order. Without
> +dnl waiting, we get occasional failures due to the following error:
> +dnl "connect: Cannot assign requested address"
> +OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::240])
> +
> +NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::240 | FORMAT_PING], [0], [dnl
> +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> +])
> +
> +dnl Should work with the virtual IP address through NAT
> +OVS_START_L7([at_ns1], [http6])
> +NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::240]] -t 5 -T 1 --retry-connrefused -v -o wget0.log])
> +
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::1)], [0], [dnl
> +icmpv6,orig=(src=fc00::1,dst=fc00::240,id=<cleared>,type=128,code=0),reply=(src=fc00::2,dst=fc00::1,id=<cleared>,type=129,code=0),zone=1
> +tcp,orig=(src=fc00::1,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
> +])
> +
> +OVS_TRAFFIC_VSWITCHD_STOP
> +AT_CLEANUP
> +
> +AT_SETUP([conntrack - IPv6 ICMP6 Related with SNAT])
> +AT_SKIP_IF([test $HAVE_TCPDUMP = no])
> +CHECK_CONNTRACK()
> +CHECK_CONNTRACK_NAT()
> +OVS_TRAFFIC_VSWITCHD_START()
> +
> +ADD_NAMESPACES(at_ns0, at_ns1)
> +
> +ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
> +ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
> +NS_CHECK_EXEC([at_ns0], [ip -6 link set dev p0 address 80:88:88:88:88:77])
> +NS_CHECK_EXEC([at_ns1], [ip -6 link set dev p1 address 80:88:88:88:88:88])
> +
> +NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::2 lladdr 80:88:88:88:88:88 dev p0])
> +NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::3 lladdr 80:88:88:88:88:88 dev p0])
> +NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:77 dev p1])
> +NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::1 lladdr 80:88:88:88:88:77 dev p1])
> +
> +NS_CHECK_EXEC([at_ns0], [route -A inet6 add default gw fc00::2])
> +
> +dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
> +AT_DATA([flows.txt], [dnl
> +priority=100 in_port=1,ip6,action=ct(nat(src=fc00::240),commit),2
> +priority=100 in_port=2,ct_state=-trk,ip6,action=ct(table=0,nat)
> +priority=100 in_port=2,ct_state=+trk+est,ip6,action=1
> +priority=100 in_port=2,ct_state=+trk+rel,ip6,action=1
> +])
> +
> +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> +
> +dnl Linux seems to take a little time to get its IPv6 stack in order. Without
> +dnl waiting, we get occasional failures due to the following error:
> +dnl "connect: Cannot assign requested address"
> +OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
> +
> +AT_CHECK([ovs-appctl dpctl/flush-conntrack])
> +
> +rm p0.pcap
> +tcpdump -U -i ovs-p0 -w p0.pcap &
> +sleep 1
> +
> +dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
> +NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc -6 $NC_EOF_OPT -u fc00::2 1"])
> +
> +AT_CHECK([sudo tcpdump -v "icmp6" -r p0.pcap 2>/dev/null | egrep 'wrong|bad'], [1], [ignore-nolog])
> +
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
> +udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>)
> +])
> +
> +OVS_TRAFFIC_VSWITCHD_STOP
> +AT_CLEANUP
>
>  AT_SETUP([conntrack - IPv6 FTP with NAT])
>  AT_SKIP_IF([test $HAVE_FTP = no])
> --
> 1.9.1
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Darrell Ball April 30, 2017, 7:41 p.m. UTC | #2
On Sat, Apr 29, 2017 at 7:01 PM, Daniele Di Proietto <diproiettod@ovn.org>
wrote:

> Not sure this is very important: so far we managed to avoid using tcpdump
> in
> the tests.  Would it be possible to use ovs-ofctl monitor?
>


I introduced tcpdump to catch checksum errors going forward.
I also subsequently heard from multiple people that there have been
several checksum error bugs in the past.



>
> In any case, maybe, it shouldn't be prefixed by sudo
>

I caught this after I hit send on the patches, but did not want to respin.
I also switched the route command I added to use iproute2.



>
> 2017-03-24 2:15 GMT-07:00 Darrell Ball <dlu998@gmail.com>:
> > Two new tests are added and two other tests were
> > enhanced.
> >
> > Signed-off-by: Darrell Ball <dlu998@gmail.com>
> > ---
> >  tests/atlocal.in        |   3 ++
> >  tests/system-traffic.at | 109 ++++++++++++++++++++++++++++++
> +++++++++++++++++-
> >  2 files changed, 110 insertions(+), 2 deletions(-)
> >
> > diff --git a/tests/atlocal.in b/tests/atlocal.in
> > index bc2480b..67ebf0d 100644
> > --- a/tests/atlocal.in
> > +++ b/tests/atlocal.in
> > @@ -152,6 +152,9 @@ else
> >      NC_EOF_OPT="-q 1"
> >  fi
> >
> > +# Set HAVE_TCPDUMP
> > +find_command tcpdump
> > +
> >  CURL_OPT="-g -v --max-time 1 --retry 2 --retry-delay 1
> --connect-timeout 1"
> >
> >  # Turn off proxies.
> > diff --git a/tests/system-traffic.at b/tests/system-traffic.at
> > index 9861fb1..59eae7e 100644
> > --- a/tests/system-traffic.at
> > +++ b/tests/system-traffic.at
> > @@ -2668,6 +2668,7 @@ AT_CLEANUP
> >
> >  AT_SETUP([conntrack - ICMP related with NAT])
> >  AT_SKIP_IF([test $HAVE_NC = no])
> > +AT_SKIP_IF([test $HAVE_TCPDUMP = no])
> >  CHECK_CONNTRACK()
> >  CHECK_CONNTRACK_NAT()
> >  OVS_TRAFFIC_VSWITCHD_START()
> > @@ -2703,6 +2704,10 @@ table=10 priority=0 action=drop
> >
> >  AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> >
> > +rm p0.pcap
> > +tcpdump -U -i ovs-p0 -w p0.pcap &
> > +sleep 1
> > +
> >  dnl UDP packets from ns0->ns1 should solicit "destination unreachable"
> response.
> >  NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2
> 10000"])
> >
> > @@ -2724,6 +2729,8 @@ AT_CHECK([ovs-appctl dpctl/dump-conntrack |
> FORMAT_CT(10.1.1.2) | sed -e 's/dst=
> >  udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<
> cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>
> ,dport=<cleared>),mark=1
> >  ])
> >
> > +AT_CHECK([sudo tcpdump -v "icmp" -r p0.pcap 2>/dev/null | egrep
> 'wrong|bad'], [1], [ignore-nolog])
> > +
> >  OVS_TRAFFIC_VSWITCHD_STOP
> >  AT_CLEANUP
> >
> > @@ -3028,7 +3035,7 @@ dnl Check that ct(nat,table=foo) works with TCP
> sequence adjustment with
> >  dnl an ACL table based on matching on conntrack original direction
> tuple only.
> >  CHECK_FTP_NAT_ORIG_TUPLE([seqadj], [10.1.1.240], [0x0a0101f0])
> >
> > -AT_SETUP([conntrack - IPv6 HTTP with NAT])
> > +AT_SETUP([conntrack - IPv6 HTTP with SNAT])
> >  CHECK_CONNTRACK()
> >  CHECK_CONNTRACK_NAT()
> >  OVS_TRAFFIC_VSWITCHD_START()
> > @@ -3039,15 +3046,17 @@ ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
> >  NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
> >  ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
> >  NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr
> 80:88:88:88:88:88 dev p1])
> > +NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::241 lladdr
> 80:88:88:88:88:88 dev p1])
> >
> >  dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from
> ns1->ns0.
> >  AT_DATA([flows.txt], [dnl
> >  priority=1,action=drop
> >  priority=10,icmp6,action=normal
> > -priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240)),2
> > +priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00:
> :240-fc00::241)),2
> >  priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
> >  priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
> >  priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_
> code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(
> commit,nat(dst=fc00::1)),1
> > +priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_
> code=0,icmpv6_type=135,nd_target=fc00::241,action=ct(
> commit,nat(dst=fc00::1)),1
> >  ])
> >
> >  AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> > @@ -3070,6 +3079,102 @@ NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]]
> -t 3 -T 1 -v -o wget1.log], [4]
> >  OVS_TRAFFIC_VSWITCHD_STOP
> >  AT_CLEANUP
> >
> > +AT_SETUP([conntrack - IPv6 HTTP with DNAT])
> > +CHECK_CONNTRACK()
> > +CHECK_CONNTRACK_NAT()
> > +OVS_TRAFFIC_VSWITCHD_START()
> > +
> > +ADD_NAMESPACES(at_ns0, at_ns1)
> > +
> > +ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
> > +ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
> > +NS_CHECK_EXEC([at_ns0], [ip -6 link set dev p0 address
> 80:88:88:88:88:77])
> > +NS_CHECK_EXEC([at_ns1], [ip -6 link set dev p1 address
> 80:88:88:88:88:88])
> > +NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::240 lladdr
> 80:88:88:88:88:88 dev p0])
> > +NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::1 lladdr
> 80:88:88:88:88:77 dev p1])
> > +
> > +dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from
> ns1->ns0.
> > +AT_DATA([flows.txt], [dnl
> > +priority=100 in_port=1,ip6,ipv6_dst=fc00::240,action=ct(zone=1,nat(dst=
> fc00::2),commit),2
> > +priority=100 in_port=2,ct_state=-trk,ip6,action=ct(table=0,nat,zone=1)
> > +priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip6,action=1
> > +])
> > +
> > +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> > +
> > +dnl Linux seems to take a little time to get its IPv6 stack in order.
> Without
> > +dnl waiting, we get occasional failures due to the following error:
> > +dnl "connect: Cannot assign requested address"
> > +OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::240])
> > +
> > +NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::240 |
> FORMAT_PING], [0], [dnl
> > +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> > +])
> > +
> > +dnl Should work with the virtual IP address through NAT
> > +OVS_START_L7([at_ns1], [http6])
> > +NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::240]] -t 5 -T 1
> --retry-connrefused -v -o wget0.log])
> > +
> > +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::1)], [0],
> [dnl
> > +icmpv6,orig=(src=fc00::1,dst=fc00::240,id=<cleared>,type=
> 128,code=0),reply=(src=fc00::2,dst=fc00::1,id=<cleared>,
> type=129,code=0),zone=1
> > +tcp,orig=(src=fc00::1,dst=fc00::240,sport=<cleared>,
> dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<
> cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
> > +])
> > +
> > +OVS_TRAFFIC_VSWITCHD_STOP
> > +AT_CLEANUP
> > +
> > +AT_SETUP([conntrack - IPv6 ICMP6 Related with SNAT])
> > +AT_SKIP_IF([test $HAVE_TCPDUMP = no])
> > +CHECK_CONNTRACK()
> > +CHECK_CONNTRACK_NAT()
> > +OVS_TRAFFIC_VSWITCHD_START()
> > +
> > +ADD_NAMESPACES(at_ns0, at_ns1)
> > +
> > +ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
> > +ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
> > +NS_CHECK_EXEC([at_ns0], [ip -6 link set dev p0 address
> 80:88:88:88:88:77])
> > +NS_CHECK_EXEC([at_ns1], [ip -6 link set dev p1 address
> 80:88:88:88:88:88])
> > +
> > +NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::2 lladdr
> 80:88:88:88:88:88 dev p0])
> > +NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::3 lladdr
> 80:88:88:88:88:88 dev p0])
> > +NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr
> 80:88:88:88:88:77 dev p1])
> > +NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::1 lladdr
> 80:88:88:88:88:77 dev p1])
> > +
> > +NS_CHECK_EXEC([at_ns0], [route -A inet6 add default gw fc00::2])
> > +
> > +dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from
> ns1->ns0.
> > +AT_DATA([flows.txt], [dnl
> > +priority=100 in_port=1,ip6,action=ct(nat(src=fc00::240),commit),2
> > +priority=100 in_port=2,ct_state=-trk,ip6,action=ct(table=0,nat)
> > +priority=100 in_port=2,ct_state=+trk+est,ip6,action=1
> > +priority=100 in_port=2,ct_state=+trk+rel,ip6,action=1
> > +])
> > +
> > +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> > +
> > +dnl Linux seems to take a little time to get its IPv6 stack in order.
> Without
> > +dnl waiting, we get occasional failures due to the following error:
> > +dnl "connect: Cannot assign requested address"
> > +OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
> > +
> > +AT_CHECK([ovs-appctl dpctl/flush-conntrack])
> > +
> > +rm p0.pcap
> > +tcpdump -U -i ovs-p0 -w p0.pcap &
> > +sleep 1
> > +
> > +dnl UDP packets from ns0->ns1 should solicit "destination unreachable"
> response.
> > +NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc -6 $NC_EOF_OPT -u fc00::2
> 1"])
> > +
> > +AT_CHECK([sudo tcpdump -v "icmp6" -r p0.pcap 2>/dev/null | egrep
> 'wrong|bad'], [1], [ignore-nolog])
> > +
> > +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0],
> [dnl
> > +udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=
> <cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,
> dport=<cleared>)
> > +])
> > +
> > +OVS_TRAFFIC_VSWITCHD_STOP
> > +AT_CLEANUP
> >
> >  AT_SETUP([conntrack - IPv6 FTP with NAT])
> >  AT_SKIP_IF([test $HAVE_FTP = no])
> > --
> > 1.9.1
> >
> > _______________________________________________
> > dev mailing list
> > dev@openvswitch.org
> > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>

Patch

diff --git a/tests/atlocal.in b/tests/atlocal.in
index bc2480b..67ebf0d 100644
--- a/tests/atlocal.in
+++ b/tests/atlocal.in
@@ -152,6 +152,9 @@  else
     NC_EOF_OPT="-q 1"
 fi
 
+# Set HAVE_TCPDUMP
+find_command tcpdump
+
 CURL_OPT="-g -v --max-time 1 --retry 2 --retry-delay 1 --connect-timeout 1"
 
 # Turn off proxies.
diff --git a/tests/system-traffic.at b/tests/system-traffic.at
index 9861fb1..59eae7e 100644
--- a/tests/system-traffic.at
+++ b/tests/system-traffic.at
@@ -2668,6 +2668,7 @@  AT_CLEANUP
 
 AT_SETUP([conntrack - ICMP related with NAT])
 AT_SKIP_IF([test $HAVE_NC = no])
+AT_SKIP_IF([test $HAVE_TCPDUMP = no])
 CHECK_CONNTRACK()
 CHECK_CONNTRACK_NAT()
 OVS_TRAFFIC_VSWITCHD_START()
@@ -2703,6 +2704,10 @@  table=10 priority=0 action=drop
 
 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
 
+rm p0.pcap
+tcpdump -U -i ovs-p0 -w p0.pcap &
+sleep 1
+
 dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
 NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"])
 
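Review bot: The background `tcpdump -U -i ovs-p0 -w p0.pcap &` is never stopped or registered for cleanup, so a capture process started by the test user (root for the system tests) can outlive the test group, both on failure and on success. Record the pid and register a kill, e.g. `tcpdump -U -i ovs-p0 -w p0.pcap & echo $! > tcpdump.pid` followed by the suite's exit hook (I believe `on_exit 'kill $(cat tcpdump.pid)'` is the local idiom; confirm against the test macros). `rm p0.pcap` should be `rm -f p0.pcap`, since the file does not exist on a fresh run, and the fixed `sleep 1` guesses when the capture is ready instead of waiting for it. The same three lines recur in the new ICMP6 test in the last hunk.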
@@ -2724,6 +2729,8 @@  AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=
 udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),mark=1
 ])
 
+AT_CHECK([sudo tcpdump -v "icmp" -r p0.pcap 2>/dev/null | egrep 'wrong|bad'], [1], [ignore-nolog])
+
 OVS_TRAFFIC_VSWITCHD_STOP
 AT_CLEANUP
 
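Review bot: The `egrep 'wrong|bad'` check with expected status `[1]` also passes when p0.pcap is empty, missing or unreadable, because tcpdump's stderr is discarded and "no match" is the success case; a capture that never started would make the checksum verification pass vacuously. Add a positive check before it that the ICMP error was actually captured, for example `AT_CHECK([tcpdump -v "icmp" -r p0.pcap 2>/dev/null | grep -c unreachable], [0], [ignore])` (assuming tcpdump's text for the error contains "unreachable"), and stop the writing tcpdump before reading so the file is complete. The `icmp6` variant in the last hunk has the same gap.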
@@ -3028,7 +3035,7 @@  dnl Check that ct(nat,table=foo) works with TCP sequence adjustment with
 dnl an ACL table based on matching on conntrack original direction tuple only.
 CHECK_FTP_NAT_ORIG_TUPLE([seqadj], [10.1.1.240], [0x0a0101f0])
 
-AT_SETUP([conntrack - IPv6 HTTP with NAT])
+AT_SETUP([conntrack - IPv6 HTTP with SNAT])
 CHECK_CONNTRACK()
 CHECK_CONNTRACK_NAT()
 OVS_TRAFFIC_VSWITCHD_START()
@@ -3039,15 +3046,17 @@  ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
 NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88])
 ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
 NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1])
+NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::241 lladdr 80:88:88:88:88:88 dev p1])
 
 dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
 AT_DATA([flows.txt], [dnl
 priority=1,action=drop
 priority=10,icmp6,action=normal
-priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240)),2
+priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240-fc00::241)),2
 priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0)
 priority=100,in_port=2,ct_state=+trk+est,ip6,action=1
 priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1
+priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::241,action=ct(commit,nat(dst=fc00::1)),1
 ])
 
 AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
@@ -3070,6 +3079,102 @@  NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4]
 OVS_TRAFFIC_VSWITCHD_STOP
 AT_CLEANUP
 
+AT_SETUP([conntrack - IPv6 HTTP with DNAT])
+CHECK_CONNTRACK()
+CHECK_CONNTRACK_NAT()
+OVS_TRAFFIC_VSWITCHD_START()
+
+ADD_NAMESPACES(at_ns0, at_ns1)
+
+ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
+ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
+NS_CHECK_EXEC([at_ns0], [ip -6 link set dev p0 address 80:88:88:88:88:77])
+NS_CHECK_EXEC([at_ns1], [ip -6 link set dev p1 address 80:88:88:88:88:88])
+NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p0])
+NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::1 lladdr 80:88:88:88:88:77 dev p1])
+
+dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
+AT_DATA([flows.txt], [dnl
+priority=100 in_port=1,ip6,ipv6_dst=fc00::240,action=ct(zone=1,nat(dst=fc00::2),commit),2
+priority=100 in_port=2,ct_state=-trk,ip6,action=ct(table=0,nat,zone=1)
+priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip6,action=1
+])
+
+AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
+
+dnl Linux seems to take a little time to get its IPv6 stack in order. Without
+dnl waiting, we get occasional failures due to the following error:
+dnl "connect: Cannot assign requested address"
+OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::240])
+
+NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::240 | FORMAT_PING], [0], [dnl
+3 packets transmitted, 3 received, 0% packet loss, time 0ms
+])
+
+dnl Should work with the virtual IP address through NAT
+OVS_START_L7([at_ns1], [http6])
+NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::240]] -t 5 -T 1 --retry-connrefused -v -o wget0.log])
+
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::1)], [0], [dnl
+icmpv6,orig=(src=fc00::1,dst=fc00::240,id=<cleared>,type=128,code=0),reply=(src=fc00::2,dst=fc00::1,id=<cleared>,type=129,code=0),zone=1
+tcp,orig=(src=fc00::1,dst=fc00::240,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
+])
+
+OVS_TRAFFIC_VSWITCHD_STOP
+AT_CLEANUP
+
+AT_SETUP([conntrack - IPv6 ICMP6 Related with SNAT])
+AT_SKIP_IF([test $HAVE_TCPDUMP = no])
+CHECK_CONNTRACK()
+CHECK_CONNTRACK_NAT()
+OVS_TRAFFIC_VSWITCHD_START()
+
+ADD_NAMESPACES(at_ns0, at_ns1)
+
+ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
+ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
+NS_CHECK_EXEC([at_ns0], [ip -6 link set dev p0 address 80:88:88:88:88:77])
+NS_CHECK_EXEC([at_ns1], [ip -6 link set dev p1 address 80:88:88:88:88:88])
+
+NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::2 lladdr 80:88:88:88:88:88 dev p0])
+NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::3 lladdr 80:88:88:88:88:88 dev p0])
+NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:77 dev p1])
+NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::1 lladdr 80:88:88:88:88:77 dev p1])
+
+NS_CHECK_EXEC([at_ns0], [route -A inet6 add default gw fc00::2])
+
+dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
+AT_DATA([flows.txt], [dnl
+priority=100 in_port=1,ip6,action=ct(nat(src=fc00::240),commit),2
+priority=100 in_port=2,ct_state=-trk,ip6,action=ct(table=0,nat)
+priority=100 in_port=2,ct_state=+trk+est,ip6,action=1
+priority=100 in_port=2,ct_state=+trk+rel,ip6,action=1
+])
+
+AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
+
+dnl Linux seems to take a little time to get its IPv6 stack in order. Without
+dnl waiting, we get occasional failures due to the following error:
+dnl "connect: Cannot assign requested address"
+OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
+
+AT_CHECK([ovs-appctl dpctl/flush-conntrack])
+
+rm p0.pcap
+tcpdump -U -i ovs-p0 -w p0.pcap &
+sleep 1
+
+dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response.
+NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc -6 $NC_EOF_OPT -u fc00::2 1"])
+
+AT_CHECK([sudo tcpdump -v "icmp6" -r p0.pcap 2>/dev/null | egrep 'wrong|bad'], [1], [ignore-nolog])
+
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
+udp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::240,sport=<cleared>,dport=<cleared>)
+])
+
+OVS_TRAFFIC_VSWITCHD_STOP
+AT_CLEANUP
 
 AT_SETUP([conntrack - IPv6 FTP with NAT])
 AT_SKIP_IF([test $HAVE_FTP = no])
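Review bot: The new "conntrack - IPv6 ICMP6 Related with SNAT" test runs `nc -6 $NC_EOF_OPT -u fc00::2 1` but only skips on `HAVE_TCPDUMP`, whereas the IPv4 "ICMP related with NAT" test in this patch also carries the nc skip; on a host without nc the new test would fail rather than skip. Add `AT_SKIP_IF([test $HAVE_NC = no])` next to the tcpdump skip. Separately, the comment `dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.` in both new tests does not match their flow tables, which contain no nd rule and rely on the static `ip -6 neigh add` entries; reword it to describe what the flows actually permit.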