
[ovs-dev,4/5] system-traffic: Reorder and bannerize ct tests.

Message ID 20161220212829.19947-4-joe@ovn.org
State Accepted

Commit Message

Joe Stringer Dec. 20, 2016, 9:28 p.m. UTC
Signed-off-by: Joe Stringer <joe@ovn.org>
---
 tests/system-traffic.at | 898 ++++++++++++++++++++++++------------------------
 1 file changed, 449 insertions(+), 449 deletions(-)

Comments

Daniele Di Proietto Dec. 22, 2016, 1:06 a.m. UTC | #1
2016-12-20 13:28 GMT-08:00 Joe Stringer <joe@ovn.org>:
> Signed-off-by: Joe Stringer <joe@ovn.org>

I haven't looked at this line by line, but as long as you just moved
code around:

Acked-by: Daniele Di Proietto <diproiettod@vmware.com>

> ---
>  tests/system-traffic.at | 898 ++++++++++++++++++++++++------------------------
>  1 file changed, 449 insertions(+), 449 deletions(-)
>
> diff --git a/tests/system-traffic.at b/tests/system-traffic.at
> index 14fbf4518fdf..8e424c56031c 100644
> --- a/tests/system-traffic.at
> +++ b/tests/system-traffic.at
> @@ -649,84 +649,6 @@ udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.
>  OVS_TRAFFIC_VSWITCHD_STOP
>  AT_CLEANUP
>
> -AT_SETUP([conntrack - IPv4 HTTP])
> -CHECK_CONNTRACK()
> -OVS_TRAFFIC_VSWITCHD_START()
> -
> -ADD_NAMESPACES(at_ns0, at_ns1)
> -
> -ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
> -ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
> -
> -dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
> -AT_DATA([flows.txt], [dnl
> -priority=1,action=drop
> -priority=10,arp,action=normal
> -priority=10,icmp,action=normal
> -priority=100,in_port=1,tcp,action=ct(commit),2
> -priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
> -priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
> -])
> -
> -AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> -
> -OVS_START_L7([at_ns0], [http])
> -OVS_START_L7([at_ns1], [http])
> -
> -dnl HTTP requests from ns0->ns1 should work fine.
> -NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
> -])
> -
> -dnl HTTP requests from ns1->ns0 should fail due to network failure.
> -dnl Try 3 times, in 1 second intervals.
> -NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])
> -
> -OVS_TRAFFIC_VSWITCHD_STOP
> -AT_CLEANUP
> -
> -AT_SETUP([conntrack - IPv6 HTTP])
> -CHECK_CONNTRACK()
> -OVS_TRAFFIC_VSWITCHD_START()
> -
> -ADD_NAMESPACES(at_ns0, at_ns1)
> -
> -ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
> -ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
> -
> -dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
> -AT_DATA([flows.txt], [dnl
> -priority=1,action=drop
> -priority=10,icmp6,action=normal
> -priority=100,in_port=1,tcp6,action=ct(commit),2
> -priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
> -priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
> -])
> -
> -AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> -
> -dnl Linux seems to take a little time to get its IPv6 stack in order. Without
> -dnl waiting, we get occasional failures due to the following error:
> -dnl "connect: Cannot assign requested address"
> -OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
> -
> -OVS_START_L7([at_ns0], [http6])
> -OVS_START_L7([at_ns1], [http6])
> -
> -dnl HTTP requests from ns0->ns1 should work fine.
> -NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
> -tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
> -])
> -
> -dnl HTTP requests from ns1->ns0 should fail due to network failure.
> -dnl Try 3 times, in 1 second intervals.
> -NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
> -
> -OVS_TRAFFIC_VSWITCHD_STOP
> -AT_CLEANUP
> -
>  AT_SETUP([conntrack - IPv4 ping])
>  CHECK_CONNTRACK()
>  OVS_TRAFFIC_VSWITCHD_START()
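Review bot: The two HTTP tests removed in this hunk are not re-added byte-for-byte: in the copies re-added later in the patch, the ns1->ns0 wget that is expected to fail gains `--retry-connrefused` (old `wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log` versus new `wget 10.1.1.1 -t 3 -T 1 --retry-connrefused -v -o wget1.log`, and likewise for the IPv6 `wget http://[[fc00::1]] ...` check). Because the flow table appears to drop new ns1->ns0 TCP rather than refuse it, the expected exit status 4 probably still holds, but it is a behavioural change that neither the commit message nor the Ack, which assumed a pure move, accounts for. Either drop the flag from the moved negative checks so the reorder is verifiably identical, or note the change in the commit message and say why retrying on a refused connection is wanted in a test that expects network failure.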
> @@ -815,47 +737,6 @@ icmpv6,orig=(src=fc00::1,dst=fc00::2,id=<cleared>,type=128,code=0),reply=(src=fc
>  OVS_TRAFFIC_VSWITCHD_STOP
>  AT_CLEANUP
>
> -AT_SETUP([conntrack - commit, recirc])
> -CHECK_CONNTRACK()
> -OVS_TRAFFIC_VSWITCHD_START()
> -
> -ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
> -
> -ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
> -ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
> -ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
> -ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
> -
> -dnl Allow any traffic from ns0->ns1, ns2->ns3.
> -AT_DATA([flows.txt], [dnl
> -priority=1,action=drop
> -priority=10,arp,action=normal
> -priority=10,icmp,action=normal
> -priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
> -priority=100,in_port=1,tcp,ct_state=+trk,action=2
> -priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
> -priority=100,in_port=2,tcp,ct_state=+trk,action=1
> -priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
> -priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
> -priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
> -priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
> -priority=100,in_port=4,tcp,ct_state=+trk,action=3
> -])
> -
> -AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> -
> -OVS_START_L7([at_ns1], [http])
> -OVS_START_L7([at_ns3], [http])
> -
> -dnl HTTP requests from p0->p1 should work fine.
> -NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> -
> -dnl HTTP requests from p2->p3 should work fine.
> -NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
> -
> -OVS_TRAFFIC_VSWITCHD_STOP
> -AT_CLEANUP
> -
>  AT_SETUP([conntrack - preserve registers])
>  CHECK_CONNTRACK()
>  OVS_TRAFFIC_VSWITCHD_START()
> @@ -1116,55 +997,6 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=
>  OVS_TRAFFIC_VSWITCHD_STOP
>  AT_CLEANUP
>
> -AT_SETUP([conntrack - multiple zones, local])
> -CHECK_CONNTRACK()
> -CHECK_CONNTRACK_LOCAL_STACK()
> -OVS_TRAFFIC_VSWITCHD_START()
> -
> -ADD_NAMESPACES(at_ns0)
> -
> -AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
> -AT_CHECK([ip link set dev br0 up])
> -on_exit 'ip addr del dev br0 "10.1.1.1/24"'
> -ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
> -
> -dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
> -dnl return traffic from ns0 back to the local stack.
> -AT_DATA([flows.txt], [dnl
> -priority=1,action=drop
> -priority=10,arp,action=normal
> -priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
> -priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
> -priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
> -priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
> -table=1,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
> -table=2,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
> -])
> -
> -AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> -
> -AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
> -3 packets transmitted, 3 received, 0% packet loss, time 0ms
> -])
> -
> -OVS_START_L7([at_ns0], [http])
> -
> -dnl HTTP requests from root namespace to p0 should work fine.
> -AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> -
> -dnl (again) HTTP requests from root namespace to  p0 should work fine.
> -AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> -
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
> -icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
> -icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=2
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
> -])
> -
> -OVS_TRAFFIC_VSWITCHD_STOP
> -AT_CLEANUP
> -
>  AT_SETUP([conntrack - multiple namespaces, internal ports])
>  CHECK_CONNTRACK()
>  CHECK_CONNTRACK_LOCAL_STACK()
> @@ -1207,77 +1039,6 @@ OVS_TRAFFIC_VSWITCHD_STOP(["dnl
>  /removing policing failed: No such device/d"])
>  AT_CLEANUP
>
> -AT_SETUP([conntrack - multi-stage pipeline, local])
> -CHECK_CONNTRACK()
> -CHECK_CONNTRACK_LOCAL_STACK()
> -OVS_TRAFFIC_VSWITCHD_START()
> -
> -ADD_NAMESPACES(at_ns0)
> -
> -AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
> -AT_CHECK([ip link set dev br0 up])
> -on_exit 'ip addr del dev br0 "10.1.1.1/24"'
> -ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
> -
> -dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
> -dnl return traffic from ns0 back to the local stack.
> -AT_DATA([flows.txt], [dnl
> -dnl default
> -table=0,priority=1,action=drop
> -table=0,priority=10,arp,action=normal
> -
> -dnl Load the output port to REG0
> -table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
> -table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
> -
> -dnl Ingress pipeline
> -dnl - Allow all connections from LOCAL port (commit and proceed to egress)
> -dnl - All other connections go through conntracker using the input port as
> -dnl   a connection tracking zone.
> -table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
> -table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
> -table=1,priority=1,action=drop
> -
> -dnl Egress pipeline
> -dnl - Allow all connections from LOCAL port (commit and skip to output)
> -dnl - Allow other established connections to go through conntracker using
> -dnl   output port as a connection tracking zone.
> -table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
> -table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
> -table=2,priority=1,action=drop
> -
> -dnl Only allow established traffic from egress ct lookup
> -table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
> -table=3,priority=1,action=drop
> -
> -dnl output table
> -table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
> -])
> -
> -AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> -
> -AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
> -3 packets transmitted, 3 received, 0% packet loss, time 0ms
> -])
> -
> -OVS_START_L7([at_ns0], [http])
> -
> -dnl HTTP requests from root namespace to p0 should work fine.
> -AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> -
> -dnl (again) HTTP requests from root namespace to p0 should work fine.
> -AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> -
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
> -icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
> -icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=65534
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=<cleared>)
> -])
> -
> -OVS_TRAFFIC_VSWITCHD_STOP
> -AT_CLEANUP
> -
>  AT_SETUP([conntrack - ct_mark])
>  CHECK_CONNTRACK()
>  OVS_TRAFFIC_VSWITCHD_START()
> @@ -1600,217 +1361,9 @@ icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=17
>  OVS_TRAFFIC_VSWITCHD_STOP
>  AT_CLEANUP
>
> -AT_SETUP([conntrack - FTP])
> -AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
> +AT_SETUP([conntrack - IPv4 fragmentation ])
>  CHECK_CONNTRACK()
> -CHECK_CONNTRACK_ALG()
> -OVS_TRAFFIC_VSWITCHD_START()
> -
> -ADD_NAMESPACES(at_ns0, at_ns1)
> -
> -ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
> -ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
> -
> -dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
> -AT_DATA([flows1.txt], [dnl
> -table=0,priority=1,action=drop
> -table=0,priority=10,arp,action=normal
> -table=0,priority=10,icmp,action=normal
> -table=0,priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
> -table=0,priority=100,in_port=2,tcp,action=ct(table=1)
> -table=1,in_port=2,tcp,ct_state=+trk+est,action=1
> -table=1,in_port=2,tcp,ct_state=+trk+rel,action=1
> -])
> -
> -dnl Similar policy but without allowing all traffic from ns0->ns1.
> -AT_DATA([flows2.txt], [dnl
> -table=0,priority=1,action=drop
> -table=0,priority=10,arp,action=normal
> -table=0,priority=10,icmp,action=normal
> -
> -dnl Allow outgoing TCP connections, and treat them as FTP
> -table=0,priority=100,in_port=1,tcp,action=ct(table=1)
> -table=1,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
> -table=1,in_port=1,tcp,ct_state=+trk+est,action=2
> -
> -dnl Allow incoming FTP data connections and responses to existing connections
> -table=0,priority=100,in_port=2,tcp,action=ct(table=1)
> -table=1,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
> -table=1,in_port=2,tcp,ct_state=+trk+est,action=1
> -table=1,in_port=2,tcp,ct_state=+trk-new+rel,action=1
> -])
> -
> -AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
> -
> -OVS_START_L7([at_ns0], [ftp])
> -OVS_START_L7([at_ns1], [ftp])
> -
> -dnl FTP requests from p1->p0 should fail due to network failure.
> -dnl Try 3 times, in 1 second intervals.
> -NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
> -])
> -
> -dnl FTP requests from p0->p1 should work fine.
> -NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
> -])
> -
> -dnl Try the second set of flows.
> -AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
> -AT_CHECK([ovs-appctl dpctl/flush-conntrack])
> -
> -dnl FTP requests from p1->p0 should fail due to network failure.
> -dnl Try 3 times, in 1 second intervals.
> -NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
> -])
> -
> -dnl Active FTP requests from p0->p1 should work fine.
> -NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
> -tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
> -])
> -
> -AT_CHECK([ovs-appctl dpctl/flush-conntrack])
> -
> -dnl Passive FTP requests from p0->p1 should work fine.
> -NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
> -])
> -
> -OVS_TRAFFIC_VSWITCHD_STOP
> -AT_CLEANUP
> -
> -
> -AT_SETUP([conntrack - IPv6 FTP])
> -AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
> -CHECK_CONNTRACK()
> -CHECK_CONNTRACK_ALG()
> -OVS_TRAFFIC_VSWITCHD_START()
> -
> -ADD_NAMESPACES(at_ns0, at_ns1)
> -
> -ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
> -ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
> -
> -dnl Allow any traffic from ns0->ns1.
> -dnl Only allow nd, return traffic from ns1->ns0.
> -AT_DATA([flows.txt], [dnl
> -dnl Track all IPv6 traffic and drop the rest.
> -dnl Allow ICMPv6 both ways.  No commit, so pings will not be tracked.
> -table=0 priority=100 in_port=1 icmp6, action=2
> -table=0 priority=100 in_port=2 icmp6, action=1
> -table=0 priority=10 ip6, action=ct(table=1)
> -table=0 priority=0 action=drop
> -dnl
> -dnl Table 1
> -dnl
> -dnl Allow new TCPv6 FTP control connections from port 1.
> -table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
> -dnl Allow related TCPv6 connections from port 2.
> -table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
> -dnl Allow established TCPv6 connections both ways.
> -table=1 in_port=1 ct_state=+est, tcp6, action=2
> -table=1 in_port=2 ct_state=+est, tcp6, action=1
> -dnl Drop everything else.
> -table=1 priority=0, action=drop
> -])
> -
> -AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> -
> -dnl Linux seems to take a little time to get its IPv6 stack in order. Without
> -dnl waiting, we get occasional failures due to the following error:
> -dnl "connect: Cannot assign requested address"
> -OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
> -
> -OVS_START_L7([at_ns1], [ftp])
> -
> -dnl FTP requests from p0->p1 should work fine.
> -NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
> -
> -dnl Discards CLOSE_WAIT and CLOSING
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
> -tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
> -tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
> -])
> -
> -OVS_TRAFFIC_VSWITCHD_STOP
> -AT_CLEANUP
> -
> -
> -AT_SETUP([conntrack - FTP with multiple expectations])
> -AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
> -CHECK_CONNTRACK()
> -CHECK_CONNTRACK_ALG()
> -OVS_TRAFFIC_VSWITCHD_START()
> -
> -ADD_NAMESPACES(at_ns0, at_ns1)
> -
> -ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
> -ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
> -
> -dnl Dual-firewall, allow all from ns1->ns2, allow established and ftp ns2->ns1.
> -AT_DATA([flows.txt], [dnl
> -table=0,priority=1,action=drop
> -table=0,priority=10,arp,action=normal
> -table=0,priority=10,icmp,action=normal
> -
> -dnl Traffic from ns1
> -table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1)
> -table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new-rel,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
> -table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new+rel,action=ct(commit,zone=1),ct(commit,zone=2),2
> -table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,zone=2)
> -table=2,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
> -
> -dnl Traffic from ns2
> -table=0,priority=100,in_port=2,tcp,action=ct(table=1,zone=2)
> -table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
> -table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,zone=1)
> -table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
> -table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
> -])
> -
> -AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> -
> -OVS_START_L7([at_ns0], [ftp])
> -OVS_START_L7([at_ns1], [ftp])
> -
> -dnl FTP requests from p1->p0 should fail due to network failure.
> -dnl Try 3 times, in 1 second intervals.
> -NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
> -])
> -
> -dnl Active FTP requests from p0->p1 should work fine.
> -NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
> -tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
> -tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
> -])
> -
> -AT_CHECK([ovs-appctl dpctl/flush-conntrack])
> -
> -dnl Passive FTP requests from p0->p1 should work fine.
> -NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
> -])
> -
> -OVS_TRAFFIC_VSWITCHD_STOP
> -AT_CLEANUP
> -
> -AT_SETUP([conntrack - IPv4 fragmentation ])
> -CHECK_CONNTRACK()
> -CHECK_CONNTRACK_FRAG()
> +CHECK_CONNTRACK_FRAG()
>  OVS_TRAFFIC_VSWITCHD_START()
>
>  ADD_NAMESPACES(at_ns0, at_ns1)
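Review bot: The rewritten test title `AT_SETUP([conntrack - IPv4 fragmentation ])` keeps a trailing space before the closing bracket, inherited from the removed line; since this line is emitted fresh here, `AT_SETUP([conntrack - IPv4 fragmentation])` would keep the name consistent with the other AT_SETUP titles and avoid a stray space showing up in test listings and keyword matching. The body of this test continues unchanged past the end of the hunk.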
> @@ -2184,6 +1737,453 @@ NXST_FLOW reply:
>  OVS_TRAFFIC_VSWITCHD_STOP
>  AT_CLEANUP
>
> +AT_BANNER([conntrack - L7])
> +
> +AT_SETUP([conntrack - IPv4 HTTP])
> +CHECK_CONNTRACK()
> +OVS_TRAFFIC_VSWITCHD_START()
> +
> +ADD_NAMESPACES(at_ns0, at_ns1)
> +
> +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
> +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
> +
> +dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
> +AT_DATA([flows.txt], [dnl
> +priority=1,action=drop
> +priority=10,arp,action=normal
> +priority=10,icmp,action=normal
> +priority=100,in_port=1,tcp,action=ct(commit),2
> +priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
> +priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
> +])
> +
> +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> +
> +OVS_START_L7([at_ns0], [http])
> +OVS_START_L7([at_ns1], [http])
> +
> +dnl HTTP requests from ns0->ns1 should work fine.
> +NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
> +])
> +
> +dnl HTTP requests from ns1->ns0 should fail due to network failure.
> +dnl Try 3 times, in 1 second intervals.
> +NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 --retry-connrefused -v -o wget1.log], [4])
> +
> +OVS_TRAFFIC_VSWITCHD_STOP
> +AT_CLEANUP
> +
> +AT_SETUP([conntrack - IPv6 HTTP])
> +CHECK_CONNTRACK()
> +OVS_TRAFFIC_VSWITCHD_START()
> +
> +ADD_NAMESPACES(at_ns0, at_ns1)
> +
> +ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
> +ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
> +
> +dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
> +AT_DATA([flows.txt], [dnl
> +priority=1,action=drop
> +priority=10,icmp6,action=normal
> +priority=100,in_port=1,tcp6,action=ct(commit),2
> +priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
> +priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
> +])
> +
> +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> +
> +dnl Linux seems to take a little time to get its IPv6 stack in order. Without
> +dnl waiting, we get occasional failures due to the following error:
> +dnl "connect: Cannot assign requested address"
> +OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
> +
> +OVS_START_L7([at_ns0], [http6])
> +OVS_START_L7([at_ns1], [http6])
> +
> +dnl HTTP requests from ns0->ns1 should work fine.
> +NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
> +tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
> +])
> +
> +dnl HTTP requests from ns1->ns0 should fail due to network failure.
> +dnl Try 3 times, in 1 second intervals.
> +NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 --retry-connrefused -v -o wget1.log], [4])
> +
> +OVS_TRAFFIC_VSWITCHD_STOP
> +AT_CLEANUP
> +
> +AT_SETUP([conntrack - commit, recirc])
> +CHECK_CONNTRACK()
> +OVS_TRAFFIC_VSWITCHD_START()
> +
> +ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
> +
> +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
> +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
> +ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
> +ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
> +
> +dnl Allow any traffic from ns0->ns1, ns2->ns3.
> +AT_DATA([flows.txt], [dnl
> +priority=1,action=drop
> +priority=10,arp,action=normal
> +priority=10,icmp,action=normal
> +priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
> +priority=100,in_port=1,tcp,ct_state=+trk,action=2
> +priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
> +priority=100,in_port=2,tcp,ct_state=+trk,action=1
> +priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
> +priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
> +priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
> +priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
> +priority=100,in_port=4,tcp,ct_state=+trk,action=3
> +])
> +
> +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> +
> +OVS_START_L7([at_ns1], [http])
> +OVS_START_L7([at_ns3], [http])
> +
> +dnl HTTP requests from p0->p1 should work fine.
> +NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> +
> +dnl HTTP requests from p2->p3 should work fine.
> +NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
> +
> +OVS_TRAFFIC_VSWITCHD_STOP
> +AT_CLEANUP
> +
> +AT_SETUP([conntrack - multiple zones, local])
> +CHECK_CONNTRACK()
> +CHECK_CONNTRACK_LOCAL_STACK()
> +OVS_TRAFFIC_VSWITCHD_START()
> +
> +ADD_NAMESPACES(at_ns0)
> +
> +AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
> +AT_CHECK([ip link set dev br0 up])
> +on_exit 'ip addr del dev br0 "10.1.1.1/24"'
> +ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
> +
> +dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
> +dnl return traffic from ns0 back to the local stack.
> +AT_DATA([flows.txt], [dnl
> +priority=1,action=drop
> +priority=10,arp,action=normal
> +priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
> +priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
> +priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
> +priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
> +table=1,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
> +table=2,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
> +])
> +
> +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> +
> +AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
> +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> +])
> +
> +OVS_START_L7([at_ns0], [http])
> +
> +dnl HTTP requests from root namespace to p0 should work fine.
> +AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> +
> +dnl (again) HTTP requests from root namespace to  p0 should work fine.
> +AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> +
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
> +icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
> +icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=2
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
> +])
> +
> +OVS_TRAFFIC_VSWITCHD_STOP
> +AT_CLEANUP
> +
> +AT_SETUP([conntrack - multi-stage pipeline, local])
> +CHECK_CONNTRACK()
> +CHECK_CONNTRACK_LOCAL_STACK()
> +OVS_TRAFFIC_VSWITCHD_START()
> +
> +ADD_NAMESPACES(at_ns0)
> +
> +AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
> +AT_CHECK([ip link set dev br0 up])
> +on_exit 'ip addr del dev br0 "10.1.1.1/24"'
> +ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
> +
> +dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
> +dnl return traffic from ns0 back to the local stack.
> +AT_DATA([flows.txt], [dnl
> +dnl default
> +table=0,priority=1,action=drop
> +table=0,priority=10,arp,action=normal
> +
> +dnl Load the output port to REG0
> +table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
> +table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
> +
> +dnl Ingress pipeline
> +dnl - Allow all connections from LOCAL port (commit and proceed to egress)
> +dnl - All other connections go through conntracker using the input port as
> +dnl   a connection tracking zone.
> +table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
> +table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
> +table=1,priority=1,action=drop
> +
> +dnl Egress pipeline
> +dnl - Allow all connections from LOCAL port (commit and skip to output)
> +dnl - Allow other established connections to go through conntracker using
> +dnl   output port as a connection tracking zone.
> +table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
> +table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
> +table=2,priority=1,action=drop
> +
> +dnl Only allow established traffic from egress ct lookup
> +table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
> +table=3,priority=1,action=drop
> +
> +dnl output table
> +table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
> +])
> +
> +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> +
> +AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
> +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> +])
> +
> +OVS_START_L7([at_ns0], [http])
> +
> +dnl HTTP requests from root namespace to p0 should work fine.
> +AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> +
> +dnl (again) HTTP requests from root namespace to p0 should work fine.
> +AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> +
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
> +icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
> +icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=65534
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=<cleared>)
> +])
> +
> +OVS_TRAFFIC_VSWITCHD_STOP
> +AT_CLEANUP
> +
> +AT_SETUP([conntrack - FTP])
> +AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
> +CHECK_CONNTRACK()
> +CHECK_CONNTRACK_ALG()
> +OVS_TRAFFIC_VSWITCHD_START()
> +
> +ADD_NAMESPACES(at_ns0, at_ns1)
> +
> +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
> +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
> +
> +dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
> +AT_DATA([flows1.txt], [dnl
> +table=0,priority=1,action=drop
> +table=0,priority=10,arp,action=normal
> +table=0,priority=10,icmp,action=normal
> +table=0,priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
> +table=0,priority=100,in_port=2,tcp,action=ct(table=1)
> +table=1,in_port=2,tcp,ct_state=+trk+est,action=1
> +table=1,in_port=2,tcp,ct_state=+trk+rel,action=1
> +])
> +
> +dnl Similar policy but without allowing all traffic from ns0->ns1.
> +AT_DATA([flows2.txt], [dnl
> +table=0,priority=1,action=drop
> +table=0,priority=10,arp,action=normal
> +table=0,priority=10,icmp,action=normal
> +
> +dnl Allow outgoing TCP connections, and treat them as FTP
> +table=0,priority=100,in_port=1,tcp,action=ct(table=1)
> +table=1,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
> +table=1,in_port=1,tcp,ct_state=+trk+est,action=2
> +
> +dnl Allow incoming FTP data connections and responses to existing connections
> +table=0,priority=100,in_port=2,tcp,action=ct(table=1)
> +table=1,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
> +table=1,in_port=2,tcp,ct_state=+trk+est,action=1
> +table=1,in_port=2,tcp,ct_state=+trk-new+rel,action=1
> +])
> +
> +AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
> +
> +OVS_START_L7([at_ns0], [ftp])
> +OVS_START_L7([at_ns1], [ftp])
> +
> +dnl FTP requests from p1->p0 should fail due to network failure.
> +dnl Try 3 times, in 1 second intervals.
> +NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
> +])
> +
> +dnl FTP requests from p0->p1 should work fine.
> +NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
> +])
> +
> +dnl Try the second set of flows.
> +AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
> +AT_CHECK([ovs-appctl dpctl/flush-conntrack])
> +
> +dnl FTP requests from p1->p0 should fail due to network failure.
> +dnl Try 3 times, in 1 second intervals.
> +NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
> +])
> +
> +dnl Active FTP requests from p0->p1 should work fine.
> +NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
> +tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
> +])
> +
> +AT_CHECK([ovs-appctl dpctl/flush-conntrack])
> +
> +dnl Passive FTP requests from p0->p1 should work fine.
> +NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
> +])
> +
> +OVS_TRAFFIC_VSWITCHD_STOP
> +AT_CLEANUP
> +
> +AT_SETUP([conntrack - FTP over IPv6])
> +AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
> +CHECK_CONNTRACK()
> +CHECK_CONNTRACK_ALG()
> +OVS_TRAFFIC_VSWITCHD_START()
> +
> +ADD_NAMESPACES(at_ns0, at_ns1)
> +
> +ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
> +ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
> +
> +dnl Allow any traffic from ns0->ns1.
> +dnl Only allow nd, return traffic from ns1->ns0.
> +AT_DATA([flows.txt], [dnl
> +dnl Track all IPv6 traffic and drop the rest.
> +dnl Allow ICMPv6 both ways.  No commit, so pings will not be tracked.
> +table=0 priority=100 in_port=1 icmp6, action=2
> +table=0 priority=100 in_port=2 icmp6, action=1
> +table=0 priority=10 ip6, action=ct(table=1)
> +table=0 priority=0 action=drop
> +dnl
> +dnl Table 1
> +dnl
> +dnl Allow new TCPv6 FTP control connections from port 1.
> +table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
> +dnl Allow related TCPv6 connections from port 2.
> +table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
> +dnl Allow established TCPv6 connections both ways.
> +table=1 in_port=1 ct_state=+est, tcp6, action=2
> +table=1 in_port=2 ct_state=+est, tcp6, action=1
> +dnl Drop everything else.
> +table=1 priority=0, action=drop
> +])
> +
> +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> +
> +dnl Linux seems to take a little time to get its IPv6 stack in order. Without
> +dnl waiting, we get occasional failures due to the following error:
> +dnl "connect: Cannot assign requested address"
> +OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
> +
> +OVS_START_L7([at_ns1], [ftp])
> +
> +dnl FTP requests from p0->p1 should work fine.
> +NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
> +
> +dnl Discards CLOSE_WAIT and CLOSING
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
> +tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
> +tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
> +])
> +
> +OVS_TRAFFIC_VSWITCHD_STOP
> +AT_CLEANUP
> +
> +AT_SETUP([conntrack - FTP with multiple expectations])
> +AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
> +CHECK_CONNTRACK()
> +CHECK_CONNTRACK_ALG()
> +OVS_TRAFFIC_VSWITCHD_START()
> +
> +ADD_NAMESPACES(at_ns0, at_ns1)
> +
> +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
> +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
> +
> +dnl Dual-firewall, allow all from ns1->ns2, allow established and ftp ns2->ns1.
> +AT_DATA([flows.txt], [dnl
> +table=0,priority=1,action=drop
> +table=0,priority=10,arp,action=normal
> +table=0,priority=10,icmp,action=normal
> +
> +dnl Traffic from ns1
> +table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1)
> +table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new-rel,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
> +table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new+rel,action=ct(commit,zone=1),ct(commit,zone=2),2
> +table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,zone=2)
> +table=2,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
> +
> +dnl Traffic from ns2
> +table=0,priority=100,in_port=2,tcp,action=ct(table=1,zone=2)
> +table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
> +table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,zone=1)
> +table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
> +table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
> +])
> +
> +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> +
> +OVS_START_L7([at_ns0], [ftp])
> +OVS_START_L7([at_ns1], [ftp])
> +
> +dnl FTP requests from p1->p0 should fail due to network failure.
> +dnl Try 3 times, in 1 second intervals.
> +NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
> +])
> +
> +dnl Active FTP requests from p0->p1 should work fine.
> +NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
> +tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
> +tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
> +])
> +
> +AT_CHECK([ovs-appctl dpctl/flush-conntrack])
> +
> +dnl Passive FTP requests from p0->p1 should work fine.
> +NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
> +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
> +])
> +
> +OVS_TRAFFIC_VSWITCHD_STOP
> +AT_CLEANUP
> +
>  AT_BANNER([conntrack - NAT])
>
>  AT_SETUP([conntrack - simple SNAT])
> --
> 2.10.2
>
>

Patch

diff --git a/tests/system-traffic.at b/tests/system-traffic.at
index 14fbf4518fdf..8e424c56031c 100644
--- a/tests/system-traffic.at
+++ b/tests/system-traffic.at
@@ -649,84 +649,6 @@  udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.
 OVS_TRAFFIC_VSWITCHD_STOP
 AT_CLEANUP
 
-AT_SETUP([conntrack - IPv4 HTTP])
-CHECK_CONNTRACK()
-OVS_TRAFFIC_VSWITCHD_START()
-
-ADD_NAMESPACES(at_ns0, at_ns1)
-
-ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
-ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
-
-dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
-AT_DATA([flows.txt], [dnl
-priority=1,action=drop
-priority=10,arp,action=normal
-priority=10,icmp,action=normal
-priority=100,in_port=1,tcp,action=ct(commit),2
-priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
-priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
-])
-
-AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
-
-OVS_START_L7([at_ns0], [http])
-OVS_START_L7([at_ns1], [http])
-
-dnl HTTP requests from ns0->ns1 should work fine.
-NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
-])
-
-dnl HTTP requests from ns1->ns0 should fail due to network failure.
-dnl Try 3 times, in 1 second intervals.
-NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log], [4])
-
-OVS_TRAFFIC_VSWITCHD_STOP
-AT_CLEANUP
-
-AT_SETUP([conntrack - IPv6 HTTP])
-CHECK_CONNTRACK()
-OVS_TRAFFIC_VSWITCHD_START()
-
-ADD_NAMESPACES(at_ns0, at_ns1)
-
-ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
-ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
-
-dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
-AT_DATA([flows.txt], [dnl
-priority=1,action=drop
-priority=10,icmp6,action=normal
-priority=100,in_port=1,tcp6,action=ct(commit),2
-priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
-priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
-])
-
-AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
-
-dnl Linux seems to take a little time to get its IPv6 stack in order. Without
-dnl waiting, we get occasional failures due to the following error:
-dnl "connect: Cannot assign requested address"
-OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
-
-OVS_START_L7([at_ns0], [http6])
-OVS_START_L7([at_ns1], [http6])
-
-dnl HTTP requests from ns0->ns1 should work fine.
-NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
-tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
-])
-
-dnl HTTP requests from ns1->ns0 should fail due to network failure.
-dnl Try 3 times, in 1 second intervals.
-NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 -v -o wget1.log], [4])
-
-OVS_TRAFFIC_VSWITCHD_STOP
-AT_CLEANUP
-
 AT_SETUP([conntrack - IPv4 ping])
 CHECK_CONNTRACK()
 OVS_TRAFFIC_VSWITCHD_START()
@@ -815,47 +737,6 @@  icmpv6,orig=(src=fc00::1,dst=fc00::2,id=<cleared>,type=128,code=0),reply=(src=fc
 OVS_TRAFFIC_VSWITCHD_STOP
 AT_CLEANUP
 
-AT_SETUP([conntrack - commit, recirc])
-CHECK_CONNTRACK()
-OVS_TRAFFIC_VSWITCHD_START()
-
-ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
-
-ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
-ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
-ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
-ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
-
-dnl Allow any traffic from ns0->ns1, ns2->ns3.
-AT_DATA([flows.txt], [dnl
-priority=1,action=drop
-priority=10,arp,action=normal
-priority=10,icmp,action=normal
-priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
-priority=100,in_port=1,tcp,ct_state=+trk,action=2
-priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
-priority=100,in_port=2,tcp,ct_state=+trk,action=1
-priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
-priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
-priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
-priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
-priority=100,in_port=4,tcp,ct_state=+trk,action=3
-])
-
-AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
-
-OVS_START_L7([at_ns1], [http])
-OVS_START_L7([at_ns3], [http])
-
-dnl HTTP requests from p0->p1 should work fine.
-NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
-
-dnl HTTP requests from p2->p3 should work fine.
-NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
-
-OVS_TRAFFIC_VSWITCHD_STOP
-AT_CLEANUP
-
 AT_SETUP([conntrack - preserve registers])
 CHECK_CONNTRACK()
 OVS_TRAFFIC_VSWITCHD_START()
@@ -1116,55 +997,6 @@  tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=
 OVS_TRAFFIC_VSWITCHD_STOP
 AT_CLEANUP
 
-AT_SETUP([conntrack - multiple zones, local])
-CHECK_CONNTRACK()
-CHECK_CONNTRACK_LOCAL_STACK()
-OVS_TRAFFIC_VSWITCHD_START()
-
-ADD_NAMESPACES(at_ns0)
-
-AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
-AT_CHECK([ip link set dev br0 up])
-on_exit 'ip addr del dev br0 "10.1.1.1/24"'
-ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
-
-dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
-dnl return traffic from ns0 back to the local stack.
-AT_DATA([flows.txt], [dnl
-priority=1,action=drop
-priority=10,arp,action=normal
-priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
-priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
-priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
-priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
-table=1,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
-table=2,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
-])
-
-AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
-
-AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
-3 packets transmitted, 3 received, 0% packet loss, time 0ms
-])
-
-OVS_START_L7([at_ns0], [http])
-
-dnl HTTP requests from root namespace to p0 should work fine.
-AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
-
-dnl (again) HTTP requests from root namespace to  p0 should work fine.
-AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
-
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
-icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
-icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=2
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
-])
-
-OVS_TRAFFIC_VSWITCHD_STOP
-AT_CLEANUP
-
 AT_SETUP([conntrack - multiple namespaces, internal ports])
 CHECK_CONNTRACK()
 CHECK_CONNTRACK_LOCAL_STACK()
@@ -1207,77 +1039,6 @@  OVS_TRAFFIC_VSWITCHD_STOP(["dnl
 /removing policing failed: No such device/d"])
 AT_CLEANUP
 
-AT_SETUP([conntrack - multi-stage pipeline, local])
-CHECK_CONNTRACK()
-CHECK_CONNTRACK_LOCAL_STACK()
-OVS_TRAFFIC_VSWITCHD_START()
-
-ADD_NAMESPACES(at_ns0)
-
-AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
-AT_CHECK([ip link set dev br0 up])
-on_exit 'ip addr del dev br0 "10.1.1.1/24"'
-ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
-
-dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
-dnl return traffic from ns0 back to the local stack.
-AT_DATA([flows.txt], [dnl
-dnl default
-table=0,priority=1,action=drop
-table=0,priority=10,arp,action=normal
-
-dnl Load the output port to REG0
-table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
-table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
-
-dnl Ingress pipeline
-dnl - Allow all connections from LOCAL port (commit and proceed to egress)
-dnl - All other connections go through conntracker using the input port as
-dnl   a connection tracking zone.
-table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
-table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
-table=1,priority=1,action=drop
-
-dnl Egress pipeline
-dnl - Allow all connections from LOCAL port (commit and skip to output)
-dnl - Allow other established connections to go through conntracker using
-dnl   output port as a connection tracking zone.
-table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
-table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
-table=2,priority=1,action=drop
-
-dnl Only allow established traffic from egress ct lookup
-table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
-table=3,priority=1,action=drop
-
-dnl output table
-table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
-])
-
-AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
-
-AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
-3 packets transmitted, 3 received, 0% packet loss, time 0ms
-])
-
-OVS_START_L7([at_ns0], [http])
-
-dnl HTTP requests from root namespace to p0 should work fine.
-AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
-
-dnl (again) HTTP requests from root namespace to p0 should work fine.
-AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
-
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
-icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
-icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=65534
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=<cleared>)
-])
-
-OVS_TRAFFIC_VSWITCHD_STOP
-AT_CLEANUP
-
 AT_SETUP([conntrack - ct_mark])
 CHECK_CONNTRACK()
 OVS_TRAFFIC_VSWITCHD_START()
@@ -1600,217 +1361,9 @@  icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=17
 OVS_TRAFFIC_VSWITCHD_STOP
 AT_CLEANUP
 
-AT_SETUP([conntrack - FTP])
-AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
+AT_SETUP([conntrack - IPv4 fragmentation ])
 CHECK_CONNTRACK()
-CHECK_CONNTRACK_ALG()
-OVS_TRAFFIC_VSWITCHD_START()
-
-ADD_NAMESPACES(at_ns0, at_ns1)
-
-ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
-ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
-
-dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
-AT_DATA([flows1.txt], [dnl
-table=0,priority=1,action=drop
-table=0,priority=10,arp,action=normal
-table=0,priority=10,icmp,action=normal
-table=0,priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
-table=0,priority=100,in_port=2,tcp,action=ct(table=1)
-table=1,in_port=2,tcp,ct_state=+trk+est,action=1
-table=1,in_port=2,tcp,ct_state=+trk+rel,action=1
-])
-
-dnl Similar policy but without allowing all traffic from ns0->ns1.
-AT_DATA([flows2.txt], [dnl
-table=0,priority=1,action=drop
-table=0,priority=10,arp,action=normal
-table=0,priority=10,icmp,action=normal
-
-dnl Allow outgoing TCP connections, and treat them as FTP
-table=0,priority=100,in_port=1,tcp,action=ct(table=1)
-table=1,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
-table=1,in_port=1,tcp,ct_state=+trk+est,action=2
-
-dnl Allow incoming FTP data connections and responses to existing connections
-table=0,priority=100,in_port=2,tcp,action=ct(table=1)
-table=1,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
-table=1,in_port=2,tcp,ct_state=+trk+est,action=1
-table=1,in_port=2,tcp,ct_state=+trk-new+rel,action=1
-])
-
-AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
-
-OVS_START_L7([at_ns0], [ftp])
-OVS_START_L7([at_ns1], [ftp])
-
-dnl FTP requests from p1->p0 should fail due to network failure.
-dnl Try 3 times, in 1 second intervals.
-NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
-])
-
-dnl FTP requests from p0->p1 should work fine.
-NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
-])
-
-dnl Try the second set of flows.
-AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
-AT_CHECK([ovs-appctl dpctl/flush-conntrack])
-
-dnl FTP requests from p1->p0 should fail due to network failure.
-dnl Try 3 times, in 1 second intervals.
-NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
-])
-
-dnl Active FTP requests from p0->p1 should work fine.
-NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
-tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
-])
-
-AT_CHECK([ovs-appctl dpctl/flush-conntrack])
-
-dnl Passive FTP requests from p0->p1 should work fine.
-NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
-])
-
-OVS_TRAFFIC_VSWITCHD_STOP
-AT_CLEANUP
-
-
-AT_SETUP([conntrack - IPv6 FTP])
-AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
-CHECK_CONNTRACK()
-CHECK_CONNTRACK_ALG()
-OVS_TRAFFIC_VSWITCHD_START()
-
-ADD_NAMESPACES(at_ns0, at_ns1)
-
-ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
-ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
-
-dnl Allow any traffic from ns0->ns1.
-dnl Only allow nd, return traffic from ns1->ns0.
-AT_DATA([flows.txt], [dnl
-dnl Track all IPv6 traffic and drop the rest.
-dnl Allow ICMPv6 both ways.  No commit, so pings will not be tracked.
-table=0 priority=100 in_port=1 icmp6, action=2
-table=0 priority=100 in_port=2 icmp6, action=1
-table=0 priority=10 ip6, action=ct(table=1)
-table=0 priority=0 action=drop
-dnl
-dnl Table 1
-dnl
-dnl Allow new TCPv6 FTP control connections from port 1.
-table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
-dnl Allow related TCPv6 connections from port 2.
-table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
-dnl Allow established TCPv6 connections both ways.
-table=1 in_port=1 ct_state=+est, tcp6, action=2
-table=1 in_port=2 ct_state=+est, tcp6, action=1
-dnl Drop everything else.
-table=1 priority=0, action=drop
-])
-
-AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
-
-dnl Linux seems to take a little time to get its IPv6 stack in order. Without
-dnl waiting, we get occasional failures due to the following error:
-dnl "connect: Cannot assign requested address"
-OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
-
-OVS_START_L7([at_ns1], [ftp])
-
-dnl FTP requests from p0->p1 should work fine.
-NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
-
-dnl Discards CLOSE_WAIT and CLOSING
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
-tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
-tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
-])
-
-OVS_TRAFFIC_VSWITCHD_STOP
-AT_CLEANUP
-
-
-AT_SETUP([conntrack - FTP with multiple expectations])
-AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
-CHECK_CONNTRACK()
-CHECK_CONNTRACK_ALG()
-OVS_TRAFFIC_VSWITCHD_START()
-
-ADD_NAMESPACES(at_ns0, at_ns1)
-
-ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
-ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
-
-dnl Dual-firewall, allow all from ns1->ns2, allow established and ftp ns2->ns1.
-AT_DATA([flows.txt], [dnl
-table=0,priority=1,action=drop
-table=0,priority=10,arp,action=normal
-table=0,priority=10,icmp,action=normal
-
-dnl Traffic from ns1
-table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1)
-table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new-rel,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
-table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new+rel,action=ct(commit,zone=1),ct(commit,zone=2),2
-table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,zone=2)
-table=2,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
-
-dnl Traffic from ns2
-table=0,priority=100,in_port=2,tcp,action=ct(table=1,zone=2)
-table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
-table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,zone=1)
-table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
-table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
-])
-
-AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
-
-OVS_START_L7([at_ns0], [ftp])
-OVS_START_L7([at_ns1], [ftp])
-
-dnl FTP requests from p1->p0 should fail due to network failure.
-dnl Try 3 times, in 1 second intervals.
-NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
-])
-
-dnl Active FTP requests from p0->p1 should work fine.
-NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
-tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
-tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
-])
-
-AT_CHECK([ovs-appctl dpctl/flush-conntrack])
-
-dnl Passive FTP requests from p0->p1 should work fine.
-NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
-AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
-tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
-])
-
-OVS_TRAFFIC_VSWITCHD_STOP
-AT_CLEANUP
-
-AT_SETUP([conntrack - IPv4 fragmentation ])
-CHECK_CONNTRACK()
-CHECK_CONNTRACK_FRAG()
+CHECK_CONNTRACK_FRAG()
 OVS_TRAFFIC_VSWITCHD_START()
 
 ADD_NAMESPACES(at_ns0, at_ns1)
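Review bot: The removed `-AT_SETUP([conntrack - IPv6 FTP])` line in this hunk does not come back under the same name: the re-added copy visible on this page reads `AT_SETUP([conntrack - FTP over IPv6])`, and the re-added IPv4 HTTP negative check gains `--retry-connrefused` (compare the removed `wget 10.1.1.1 -t 3 -T 1 -v -o wget1.log` with the re-added one), so this is not the pure move that the subject line and the conditional Ack assume. A renamed test presumably changes what shows up in test logs and in any title-based test selection, and adding a retry flag to a drop-policy assertion changes which failure mode that exit-4 check exercises, so both deserve a sentence in the commit message (e.g. `Also rename "IPv6 FTP" to "FTP over IPv6" and make the IPv4 HTTP negative case retry on connection refused like its positive counterpart.`) or a separate patch. While this hunk touches it, the stray space in `+AT_SETUP([conntrack - IPv4 fragmentation ])` could be dropped to `AT_SETUP([conntrack - IPv4 fragmentation])`; that test's body continues outside the hunk.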
@@ -2184,6 +1737,453 @@  NXST_FLOW reply:
 OVS_TRAFFIC_VSWITCHD_STOP
 AT_CLEANUP
 
+AT_BANNER([conntrack - L7])
+
+AT_SETUP([conntrack - IPv4 HTTP])
+CHECK_CONNTRACK()
+OVS_TRAFFIC_VSWITCHD_START()
+
+ADD_NAMESPACES(at_ns0, at_ns1)
+
+ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
+ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
+
+dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
+AT_DATA([flows.txt], [dnl
+priority=1,action=drop
+priority=10,arp,action=normal
+priority=10,icmp,action=normal
+priority=100,in_port=1,tcp,action=ct(commit),2
+priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0)
+priority=100,in_port=2,ct_state=+trk+est,tcp,action=1
+])
+
+AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
+
+OVS_START_L7([at_ns0], [http])
+OVS_START_L7([at_ns1], [http])
+
+dnl HTTP requests from ns0->ns1 should work fine.
+NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
+])
+
+dnl HTTP requests from ns1->ns0 should fail due to network failure.
+dnl Try 3 times, in 1 second intervals.
+NS_CHECK_EXEC([at_ns1], [wget 10.1.1.1 -t 3 -T 1 --retry-connrefused -v -o wget1.log], [4])
+
+OVS_TRAFFIC_VSWITCHD_STOP
+AT_CLEANUP
+
+AT_SETUP([conntrack - IPv6 HTTP])
+CHECK_CONNTRACK()
+OVS_TRAFFIC_VSWITCHD_START()
+
+ADD_NAMESPACES(at_ns0, at_ns1)
+
+ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
+ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
+
+dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
+AT_DATA([flows.txt], [dnl
+priority=1,action=drop
+priority=10,icmp6,action=normal
+priority=100,in_port=1,tcp6,action=ct(commit),2
+priority=100,in_port=2,ct_state=-trk,tcp6,action=ct(table=0)
+priority=100,in_port=2,ct_state=+trk+est,tcp6,action=1
+])
+
+AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
+
+dnl Linux seems to take a little time to get its IPv6 stack in order. Without
+dnl waiting, we get occasional failures due to the following error:
+dnl "connect: Cannot assign requested address"
+OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2])
+
+OVS_START_L7([at_ns0], [http6])
+OVS_START_L7([at_ns1], [http6])
+
+dnl HTTP requests from ns0->ns1 should work fine.
+NS_CHECK_EXEC([at_ns0], [wget http://[[fc00::2]] -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
+tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
+])
+
+dnl HTTP requests from ns1->ns0 should fail due to network failure.
+dnl Try 3 times, in 1 second intervals.
+NS_CHECK_EXEC([at_ns1], [wget http://[[fc00::1]] -t 3 -T 1 --retry-connrefused -v -o wget1.log], [4])
+
+OVS_TRAFFIC_VSWITCHD_STOP
+AT_CLEANUP
+
+AT_SETUP([conntrack - commit, recirc])
+CHECK_CONNTRACK()
+OVS_TRAFFIC_VSWITCHD_START()
+
+ADD_NAMESPACES(at_ns0, at_ns1, at_ns2, at_ns3)
+
+ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
+ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
+ADD_VETH(p2, at_ns2, br0, "10.1.1.3/24")
+ADD_VETH(p3, at_ns3, br0, "10.1.1.4/24")
+
+dnl Allow any traffic from ns0->ns1, ns2->ns3.
+AT_DATA([flows.txt], [dnl
+priority=1,action=drop
+priority=10,arp,action=normal
+priority=10,icmp,action=normal
+priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=0)
+priority=100,in_port=1,tcp,ct_state=+trk,action=2
+priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0)
+priority=100,in_port=2,tcp,ct_state=+trk,action=1
+priority=100,in_port=3,tcp,ct_state=-trk,action=set_field:0->metadata,ct(table=0)
+priority=100,in_port=3,tcp,ct_state=+trk,metadata=0,action=set_field:1->metadata,ct(commit,table=0)
+priority=100,in_port=3,tcp,ct_state=+trk,metadata=1,action=4
+priority=100,in_port=4,tcp,ct_state=-trk,action=ct(commit,table=0)
+priority=100,in_port=4,tcp,ct_state=+trk,action=3
+])
+
+AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
+
+OVS_START_L7([at_ns1], [http])
+OVS_START_L7([at_ns3], [http])
+
+dnl HTTP requests from p0->p1 should work fine.
+NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+
+dnl HTTP requests from p2->p3 should work fine.
+NS_CHECK_EXEC([at_ns2], [wget 10.1.1.4 -t 3 -T 1 --retry-connrefused -v -o wget1.log])
+
+OVS_TRAFFIC_VSWITCHD_STOP
+AT_CLEANUP
+
+AT_SETUP([conntrack - multiple zones, local])
+CHECK_CONNTRACK()
+CHECK_CONNTRACK_LOCAL_STACK()
+OVS_TRAFFIC_VSWITCHD_START()
+
+ADD_NAMESPACES(at_ns0)
+
+AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
+AT_CHECK([ip link set dev br0 up])
+on_exit 'ip addr del dev br0 "10.1.1.1/24"'
+ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
+
+dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
+dnl return traffic from ns0 back to the local stack.
+AT_DATA([flows.txt], [dnl
+priority=1,action=drop
+priority=10,arp,action=normal
+priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
+priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
+priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
+priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
+table=1,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
+table=2,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
+])
+
+AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
+
+AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
+3 packets transmitted, 3 received, 0% packet loss, time 0ms
+])
+
+OVS_START_L7([at_ns0], [http])
+
+dnl HTTP requests from root namespace to p0 should work fine.
+AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+
+dnl (again) HTTP requests from root namespace to  p0 should work fine.
+AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
+icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
+icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=2
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
+])
+
+OVS_TRAFFIC_VSWITCHD_STOP
+AT_CLEANUP
+
+AT_SETUP([conntrack - multi-stage pipeline, local])
+CHECK_CONNTRACK()
+CHECK_CONNTRACK_LOCAL_STACK()
+OVS_TRAFFIC_VSWITCHD_START()
+
+ADD_NAMESPACES(at_ns0)
+
+AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
+AT_CHECK([ip link set dev br0 up])
+on_exit 'ip addr del dev br0 "10.1.1.1/24"'
+ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
+
+dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
+dnl return traffic from ns0 back to the local stack.
+AT_DATA([flows.txt], [dnl
+dnl default
+table=0,priority=1,action=drop
+table=0,priority=10,arp,action=normal
+
+dnl Load the output port to REG0
+table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
+table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
+
+dnl Ingress pipeline
+dnl - Allow all connections from LOCAL port (commit and proceed to egress)
+dnl - All other connections go through conntracker using the input port as
+dnl   a connection tracking zone.
+table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
+table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
+table=1,priority=1,action=drop
+
+dnl Egress pipeline
+dnl - Allow all connections from LOCAL port (commit and skip to output)
+dnl - Allow other established connections to go through conntracker using
+dnl   output port as a connection tracking zone.
+table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
+table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
+table=2,priority=1,action=drop
+
+dnl Only allow established traffic from egress ct lookup
+table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
+table=3,priority=1,action=drop
+
+dnl output table
+table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
+])
+
+AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
+
+AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
+3 packets transmitted, 3 received, 0% packet loss, time 0ms
+])
+
+OVS_START_L7([at_ns0], [http])
+
+dnl HTTP requests from root namespace to p0 should work fine.
+AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+
+dnl (again) HTTP requests from root namespace to p0 should work fine.
+AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
+icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=1
+icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0),zone=65534
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=65534,protoinfo=(state=<cleared>)
+])
+
+OVS_TRAFFIC_VSWITCHD_STOP
+AT_CLEANUP
+
+AT_SETUP([conntrack - FTP])
+AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
+CHECK_CONNTRACK()
+CHECK_CONNTRACK_ALG()
+OVS_TRAFFIC_VSWITCHD_START()
+
+ADD_NAMESPACES(at_ns0, at_ns1)
+
+ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
+ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
+
+dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
+AT_DATA([flows1.txt], [dnl
+table=0,priority=1,action=drop
+table=0,priority=10,arp,action=normal
+table=0,priority=10,icmp,action=normal
+table=0,priority=100,in_port=1,tcp,action=ct(alg=ftp,commit),2
+table=0,priority=100,in_port=2,tcp,action=ct(table=1)
+table=1,in_port=2,tcp,ct_state=+trk+est,action=1
+table=1,in_port=2,tcp,ct_state=+trk+rel,action=1
+])
+
+dnl Similar policy but without allowing all traffic from ns0->ns1.
+AT_DATA([flows2.txt], [dnl
+table=0,priority=1,action=drop
+table=0,priority=10,arp,action=normal
+table=0,priority=10,icmp,action=normal
+
+dnl Allow outgoing TCP connections, and treat them as FTP
+table=0,priority=100,in_port=1,tcp,action=ct(table=1)
+table=1,in_port=1,tcp,ct_state=+trk+new,action=ct(commit,alg=ftp),2
+table=1,in_port=1,tcp,ct_state=+trk+est,action=2
+
+dnl Allow incoming FTP data connections and responses to existing connections
+table=0,priority=100,in_port=2,tcp,action=ct(table=1)
+table=1,in_port=2,tcp,ct_state=+trk+new+rel,action=ct(commit),1
+table=1,in_port=2,tcp,ct_state=+trk+est,action=1
+table=1,in_port=2,tcp,ct_state=+trk-new+rel,action=1
+])
+
+AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows1.txt])
+
+OVS_START_L7([at_ns0], [ftp])
+OVS_START_L7([at_ns1], [ftp])
+
+dnl FTP requests from p1->p0 should fail due to network failure.
+dnl Try 3 times, in 1 second intervals.
+NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
+])
+
+dnl FTP requests from p0->p1 should work fine.
+NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
+])
+
+dnl Try the second set of flows.
+AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows2.txt])
+AT_CHECK([ovs-appctl dpctl/flush-conntrack])
+
+dnl FTP requests from p1->p0 should fail due to network failure.
+dnl Try 3 times, in 1 second intervals.
+NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
+])
+
+dnl Active FTP requests from p0->p1 should work fine.
+NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0-1.log])
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
+tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
+])
+
+AT_CHECK([ovs-appctl dpctl/flush-conntrack])
+
+dnl Passive FTP requests from p0->p1 should work fine.
+NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log])
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
+])
+
+OVS_TRAFFIC_VSWITCHD_STOP
+AT_CLEANUP
+
+AT_SETUP([conntrack - FTP over IPv6])
+AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
+CHECK_CONNTRACK()
+CHECK_CONNTRACK_ALG()
+OVS_TRAFFIC_VSWITCHD_START()
+
+ADD_NAMESPACES(at_ns0, at_ns1)
+
+ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
+ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
+
+dnl Allow any traffic from ns0->ns1.
+dnl Only allow nd, return traffic from ns1->ns0.
+AT_DATA([flows.txt], [dnl
+dnl Track all IPv6 traffic and drop the rest.
+dnl Allow ICMPv6 both ways.  No commit, so pings will not be tracked.
+table=0 priority=100 in_port=1 icmp6, action=2
+table=0 priority=100 in_port=2 icmp6, action=1
+table=0 priority=10 ip6, action=ct(table=1)
+table=0 priority=0 action=drop
+dnl
+dnl Table 1
+dnl
+dnl Allow new TCPv6 FTP control connections from port 1.
+table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
+dnl Allow related TCPv6 connections from port 2.
+table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
+dnl Allow established TCPv6 connections both ways.
+table=1 in_port=1 ct_state=+est, tcp6, action=2
+table=1 in_port=2 ct_state=+est, tcp6, action=1
+dnl Drop everything else.
+table=1 priority=0, action=drop
+])
+
+AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
+
+dnl Linux seems to take a little time to get its IPv6 stack in order. Without
+dnl waiting, we get occasional failures due to the following error:
+dnl "connect: Cannot assign requested address"
+OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null])
+
+OVS_START_L7([at_ns1], [ftp])
+
+dnl FTP requests from p0->p1 should work fine.
+NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d])
+
+dnl Discards CLOSE_WAIT and CLOSING
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl
+tcp,orig=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),reply=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp
+tcp,orig=(src=fc00::2,dst=fc00::1,sport=<cleared>,dport=<cleared>),reply=(src=fc00::1,dst=fc00::2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>)
+])
+
+OVS_TRAFFIC_VSWITCHD_STOP
+AT_CLEANUP
+
+AT_SETUP([conntrack - FTP with multiple expectations])
+AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
+CHECK_CONNTRACK()
+CHECK_CONNTRACK_ALG()
+OVS_TRAFFIC_VSWITCHD_START()
+
+ADD_NAMESPACES(at_ns0, at_ns1)
+
+ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
+ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
+
+dnl Dual-firewall, allow all from ns1->ns2, allow established and ftp ns2->ns1.
+AT_DATA([flows.txt], [dnl
+table=0,priority=1,action=drop
+table=0,priority=10,arp,action=normal
+table=0,priority=10,icmp,action=normal
+
+dnl Traffic from ns1
+table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1)
+table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new-rel,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2
+table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new+rel,action=ct(commit,zone=1),ct(commit,zone=2),2
+table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,zone=2)
+table=2,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2
+
+dnl Traffic from ns2
+table=0,priority=100,in_port=2,tcp,action=ct(table=1,zone=2)
+table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
+table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,zone=1)
+table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
+table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+est,action=1
+])
+
+AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
+
+OVS_START_L7([at_ns0], [ftp])
+OVS_START_L7([at_ns1], [ftp])
+
+dnl FTP requests from p1->p0 should fail due to network failure.
+dnl Try 3 times, in 1 second intervals.
+NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp  -t 3 -T 1 -v -o wget1.log], [4])
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.1)], [0], [dnl
+])
+
+dnl Active FTP requests from p0->p1 should work fine.
+NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
+tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
+tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
+])
+
+AT_CHECK([ovs-appctl dpctl/flush-conntrack])
+
+dnl Passive FTP requests from p0->p1 should work fine.
+NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>),helper=ftp
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>)
+tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),zone=2,protoinfo=(state=<cleared>),helper=ftp
+])
+
+OVS_TRAFFIC_VSWITCHD_STOP
+AT_CLEANUP
+
 AT_BANNER([conntrack - NAT])
 
 AT_SETUP([conntrack - simple SNAT])
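Review bot: The comments in the `conntrack - FTP with multiple expectations` test name namespaces the test never creates: `dnl Dual-firewall, allow all from ns1->ns2, allow established and ftp ns2->ns1.`, `dnl Traffic from ns1` and `dnl Traffic from ns2` speak of ns1/ns2, while the namespaces added are at_ns0 and at_ns1 and the flows are keyed on in_port=1 and in_port=2. A reader who maps ns1 to at_ns1 gets the firewall direction backwards, so the two sides are clearer when named by what the flows actually match, e.g. `dnl Traffic from p0 (at_ns0)` and `dnl Traffic from p1 (at_ns1)`. The IPv4 HTTP and FTP tests likewise carry the comment `Only allow nd, return traffic from ns1->ns0.` although their flow tables admit `arp` and `icmp` rather than neighbour discovery; `Only allow arp, icmp and return traffic from ns1->ns0.` describes the policy that is installed. These wordings are moved here unchanged from the old location rather than introduced by this commit.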