From patchwork Fri Mar 24 09:15:17 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Darrell Ball
X-Patchwork-Id: 743109
X-Patchwork-Delegate: diproiettod@vmware.com
From: Darrell Ball To: dlu998@gmail.com, dev@openvswitch.org Date: Fri, 24 Mar 2017 02:15:17 -0700 Message-Id: <1490346920-104476-7-git-send-email-dlu998@gmail.com> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1490346920-104476-1-git-send-email-dlu998@gmail.com> References: <1490346920-104476-1-git-send-email-dlu998@gmail.com> X-Spam-Status: No, score=-1.2 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,RCVD_IN_SORBS_SPAM autolearn=no version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: [ovs-dev] [patch_v7 6/9] System Tests: Enhance NAT tests. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: ovs-dev-bounces@openvswitch.org Errors-To: ovs-dev-bounces@openvswitch.org Two new tests are added and two other tests were enhanced. Signed-off-by: Darrell Ball --- tests/atlocal.in | 3 ++ tests/system-traffic.at | 109 +++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 110 insertions(+), 2 deletions(-) diff --git a/tests/atlocal.in b/tests/atlocal.in index bc2480b..67ebf0d 100644 --- a/tests/atlocal.in +++ b/tests/atlocal.in @@ -152,6 +152,9 @@ else NC_EOF_OPT="-q 1" fi +# Set HAVE_TCPDUMP +find_command tcpdump + CURL_OPT="-g -v --max-time 1 --retry 2 --retry-delay 1 --connect-timeout 1" # Turn off proxies. diff --git a/tests/system-traffic.at b/tests/system-traffic.at index 9861fb1..59eae7e 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -2668,6 +2668,7 @@ AT_CLEANUP AT_SETUP([conntrack - ICMP related with NAT]) AT_SKIP_IF([test $HAVE_NC = no]) +AT_SKIP_IF([test $HAVE_TCPDUMP = no]) CHECK_CONNTRACK() CHECK_CONNTRACK_NAT() OVS_TRAFFIC_VSWITCHD_START() 
@@ -2703,6 +2704,10 @@ table=10 priority=0 action=drop AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +rm p0.pcap +tcpdump -U -i ovs-p0 -w p0.pcap & +sleep 1 + dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response. NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc $NC_EOF_OPT -u 10.1.1.2 10000"]) @@ -2724,6 +2729,8 @@ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst= udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=,dport=),mark=1 ]) +AT_CHECK([sudo tcpdump -v "icmp" -r p0.pcap 2>/dev/null | egrep 'wrong|bad'], [1], [ignore-nolog]) + OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP @@ -3028,7 +3035,7 @@ dnl Check that ct(nat,table=foo) works with TCP sequence adjustment with dnl an ACL table based on matching on conntrack original direction tuple only. CHECK_FTP_NAT_ORIG_TUPLE([seqadj], [10.1.1.240], [0x0a0101f0]) -AT_SETUP([conntrack - IPv6 HTTP with NAT]) +AT_SETUP([conntrack - IPv6 HTTP with SNAT]) CHECK_CONNTRACK() CHECK_CONNTRACK_NAT() OVS_TRAFFIC_VSWITCHD_START() 
@@ -3039,15 +3046,17 @@ ADD_VETH(p0, at_ns0, br0, "fc00::1/96") NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88]) ADD_VETH(p1, at_ns1, br0, "fc00::2/96") NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p1]) +NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::241 lladdr 80:88:88:88:88:88 dev p1]) dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0. AT_DATA([flows.txt], [dnl priority=1,action=drop priority=10,icmp6,action=normal -priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240)),2 +priority=100,in_port=1,ip6,action=ct(commit,nat(src=fc00::240-fc00::241)),2 priority=100,in_port=2,ct_state=-trk,ip6,action=ct(nat,table=0) priority=100,in_port=2,ct_state=+trk+est,ip6,action=1 priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::240,action=ct(commit,nat(dst=fc00::1)),1 +priority=200,in_port=2,ct_state=+trk+new,icmp6,icmpv6_code=0,icmpv6_type=135,nd_target=fc00::241,action=ct(commit,nat(dst=fc00::1)),1 ]) AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) 
@@ -3070,6 +3079,102 @@ NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4] OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP +AT_SETUP([conntrack - IPv6 HTTP with DNAT]) +CHECK_CONNTRACK() +CHECK_CONNTRACK_NAT() +OVS_TRAFFIC_VSWITCHD_START() + +ADD_NAMESPACES(at_ns0, at_ns1) + +ADD_VETH(p0, at_ns0, br0, "fc00::1/96") +ADD_VETH(p1, at_ns1, br0, "fc00::2/96") +NS_CHECK_EXEC([at_ns0], [ip -6 link set dev p0 address 80:88:88:88:88:77]) +NS_CHECK_EXEC([at_ns1], [ip -6 link set dev p1 address 80:88:88:88:88:88]) +NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:88 dev p0]) +NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::1 lladdr 80:88:88:88:88:77 dev p1]) + +dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0. +AT_DATA([flows.txt], [dnl +priority=100 in_port=1,ip6,ipv6_dst=fc00::240,action=ct(zone=1,nat(dst=fc00::2),commit),2 +priority=100 in_port=2,ct_state=-trk,ip6,action=ct(table=0,nat,zone=1) +priority=100 in_port=2,ct_state=+trk+est,ct_zone=1,ip6,action=1 +]) + +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) + +dnl Linux seems to take a little time to get its IPv6 stack in order. 
Without +dnl waiting, we get occasional failures due to the following error: +dnl "connect: Cannot assign requested address" +OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::240]) + +NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -w 2 fc00::240 | FORMAT_PING], [0], [dnl +3 packets transmitted, 3 received, 0% packet loss, time 0ms +]) + +dnl Should work with the virtual IP address through NAT +OVS_START_L7([at_ns1], [http6]) +NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::240]] -t 5 -T 1 --retry-connrefused -v -o wget0.log]) + +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::1)], [0], [dnl +icmpv6,orig=(src=fc00::1,dst=fc00::240,id=,type=128,code=0),reply=(src=fc00::2,dst=fc00::1,id=,type=129,code=0),zone=1 +tcp,orig=(src=fc00::1,dst=fc00::240,sport=,dport=),reply=(src=fc00::2,dst=fc00::1,sport=,dport=),zone=1,protoinfo=(state=) +]) + +OVS_TRAFFIC_VSWITCHD_STOP +AT_CLEANUP + +AT_SETUP([conntrack - IPv6 ICMP6 Related with SNAT]) +AT_SKIP_IF([test $HAVE_TCPDUMP = no]) +CHECK_CONNTRACK() +CHECK_CONNTRACK_NAT() +OVS_TRAFFIC_VSWITCHD_START() + +ADD_NAMESPACES(at_ns0, at_ns1) + +ADD_VETH(p0, at_ns0, br0, "fc00::1/96") +ADD_VETH(p1, at_ns1, br0, "fc00::2/96") +NS_CHECK_EXEC([at_ns0], [ip -6 link set dev p0 address 80:88:88:88:88:77]) +NS_CHECK_EXEC([at_ns1], [ip -6 link set dev p1 address 80:88:88:88:88:88]) + +NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::2 lladdr 80:88:88:88:88:88 dev p0]) +NS_CHECK_EXEC([at_ns0], [ip -6 neigh add fc00::3 lladdr 80:88:88:88:88:88 dev p0]) +NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::240 lladdr 80:88:88:88:88:77 dev p1]) +NS_CHECK_EXEC([at_ns1], [ip -6 neigh add fc00::1 lladdr 80:88:88:88:88:77 dev p1]) + +NS_CHECK_EXEC([at_ns0], [route -A inet6 add default gw fc00::2]) + +dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0. 
+AT_DATA([flows.txt], [dnl +priority=100 in_port=1,ip6,action=ct(nat(src=fc00::240),commit),2 +priority=100 in_port=2,ct_state=-trk,ip6,action=ct(table=0,nat) +priority=100 in_port=2,ct_state=+trk+est,ip6,action=1 +priority=100 in_port=2,ct_state=+trk+rel,ip6,action=1 +]) + +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) + +dnl Linux seems to take a little time to get its IPv6 stack in order. Without +dnl waiting, we get occasional failures due to the following error: +dnl "connect: Cannot assign requested address" +OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2]) + +AT_CHECK([ovs-appctl dpctl/flush-conntrack]) + +rm p0.pcap +tcpdump -U -i ovs-p0 -w p0.pcap & +sleep 1 + +dnl UDP packets from ns0->ns1 should solicit "destination unreachable" response. +NS_CHECK_EXEC([at_ns0], [bash -c "echo a | nc -6 $NC_EOF_OPT -u fc00::2 1"]) + +AT_CHECK([sudo tcpdump -v "icmp6" -r p0.pcap 2>/dev/null | egrep 'wrong|bad'], [1], [ignore-nolog]) + +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl +udp,orig=(src=fc00::1,dst=fc00::2,sport=,dport=),reply=(src=fc00::2,dst=fc00::240,sport=,dport=) +]) + +OVS_TRAFFIC_VSWITCHD_STOP +AT_CLEANUP AT_SETUP([conntrack - IPv6 FTP with NAT]) AT_SKIP_IF([test $HAVE_FTP = no])
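Review bot: nothing in the visible lines stops the background `tcpdump -U -i ovs-p0 -w p0.pcap &` added in the @@ -2703,6 +2704,10 @@ hunk, so it can outlive the test when a later AT_CHECK fails, and `sleep 1` only assumes the capture is running before nc sends its packet. Suggest recording the PID and killing it on exit, waiting until p0.pcap exists instead of sleeping a fixed second, and using `rm -f p0.pcap` because the file does not exist on a fresh run. The same three lines are repeated in the new "IPv6 ICMP6 Related with SNAT" test and need the same treatment.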
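Review bot: the check added in the @@ -2724,6 +2729,8 @@ hunk passes whenever egrep matches nothing, which includes the case where tcpdump could not read p0.pcap at all, because stderr is sent to /dev/null and the expected status [1] is simply egrep's no-match status. A missing or empty capture, or a failing `sudo`, is then indistinguishable from a capture with no 'wrong' or 'bad' annotations. Suggest also asserting that the capture contains the expected ICMP "destination unreachable" packet before checking for 'wrong|bad', and dropping `sudo` on the read, since the capture was started without it and atlocal.in only probes for tcpdump.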
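Review bot: the reason for widening the source NAT to `nat(src=fc00::240-fc00::241)` in the @@ -3039,15 +3046,17 @@ hunk is not documented, neither in a dnl comment nor in the commit message, which only says two tests "were enhanced". Suggest a short dnl comment stating what the two-address range is meant to exercise, so the added neighbor entry and the second `nd_target=fc00::241` flow are not later removed as redundant.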
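Review bot: the new "conntrack - IPv6 ICMP6 Related with SNAT" test in the @@ -3070,6 +3079,102 @@ hunk runs `nc -6 $NC_EOF_OPT -u fc00::2 1` but only skips on HAVE_TCPDUMP; the IPv4 counterpart also has `AT_SKIP_IF([test $HAVE_NC = no])`, and the same guard is needed here. Two smaller points in the same hunk: the comment "Only allow nd, return traffic from ns1->ns0" was copied into both new tests although neither flow table has an nd rule or a default drop, and `route -A inet6 add default gw fc00::2` depends on the net-tools `route` binary while everything else uses `ip`, so `ip -6 route add default via fc00::2` would avoid an unprobed dependency. The new flows are also written as `priority=100 in_port=1,...` with a space, where the existing tests use `priority=100,in_port=1,...`.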