From patchwork Fri Oct 2 21:16:18 2015
X-Patchwork-Submitter: Joe Stringer
X-Patchwork-Id: 525812
From: Joe Stringer
To: dev@openvswitch.org
Date: Fri, 2 Oct 2015 14:16:18 -0700
Message-Id: <1443820578-9287-12-git-send-email-joestringer@nicira.com>
In-Reply-To: <1443820578-9287-1-git-send-email-joestringer@nicira.com>
References: <1443820578-9287-1-git-send-email-joestringer@nicira.com>
Subject: [ovs-dev] [PATCHv4 11/11] system-traffic: Add ct tests using local stack.

When interacting with the local stack, the kernel may provide packets with
existing ct state as they ingress OVS. These tests check that we are able to
connection-track such packets successfully in non-zero zones, using slightly
more realistic pipelines.

Signed-off-by: Joe Stringer
Acked-by: Daniele Di Proietto
---
 tests/system-common-macros.at |   5 +-
 tests/system-traffic.at       | 118 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 122 insertions(+), 1 deletion(-)

diff --git a/tests/system-common-macros.at b/tests/system-common-macros.at
index 8f3b318..f0da589 100644
--- a/tests/system-common-macros.at
+++ b/tests/system-common-macros.at
@@ -124,7 +124,10 @@ m4_define([FORMAT_PING], [grep "transmitted" | sed 's/time.*ms$/time 0ms/']) # Strip content from the piped input which would differ from test to test. # m4_define([FORMAT_CT], - [[grep "dst=$1" | sed -e 's/port=[0-9]*/port=/g' -e 's/ */ /g' -e 's/secctx[^ ]* //' | cut -d' ' -f4- | sort | uniq]]) + [[grep "dst=$1" | sed -e 's/port=[0-9]*/port=/g' -e 's/ */ /g' \ + -e 's/secctx[^ ]* //' \ + -e 's/id=[0-9]*/id=/g' \ + | cut -d' ' -f4- | sort | uniq]]) # NETNS_DAEMONIZE([namespace], [command], [pidfile]) # diff --git a/tests/system-traffic.at b/tests/system-traffic.at index 081531b..3b2de83 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at 
@@ -566,6 +566,124 @@ TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport= dport= src=10.1.1.2 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP +AT_SETUP([conntrack - multiple zones, local]) +CHECK_CONNTRACK() +OVS_TRAFFIC_VSWITCHD_START( + [set-fail-mode br0 secure -- ]) + +ADD_NAMESPACES(at_ns0) + +AT_CHECK([ip addr add dev br0 "10.1.1.1/24"]) +AT_CHECK([ip link set dev br0 up]) +on_exit 'ip addr del dev br0 "10.1.1.1/24"' +ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24") + +dnl Allow traffic from local stack to ns0. Only allow neighbour discovery, +dnl return traffic from ns0 back to the local stack. +AT_DATA([flows.txt], [dnl +priority=1,action=drop +priority=10,arp,action=normal +priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop +priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1 +priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1 +priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1) +table=1,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2) +table=2,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL +]) + +AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) + +AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl +3 packets transmitted, 3 received, 0% packet loss, time 0ms +]) + +dnl HTTP requests from root namespace to p0 should work fine. +NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid]) +AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) + +dnl (again) HTTP requests from root namespace to p0 should work fine. 
+AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) + +AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl +TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport= dport= src=10.1.1.2 dst=10.1.1.1 sport= dport= [[ASSURED]] mark=0 zone=1 use=1 +TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport= dport= src=10.1.1.2 dst=10.1.1.1 sport= dport= [[ASSURED]] mark=0 zone=2 use=1 +src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id= src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id= mark=0 zone=1 use=1 +src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id= src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id= mark=0 zone=2 use=1 +]) + +OVS_TRAFFIC_VSWITCHD_STOP +AT_CLEANUP + +AT_SETUP([conntrack - multi-stage pipeline, local]) +CHECK_CONNTRACK() +OVS_TRAFFIC_VSWITCHD_START( + [set-fail-mode br0 secure -- ]) + +ADD_NAMESPACES(at_ns0) + +AT_CHECK([ip addr add dev br0 "10.1.1.1/24"]) +AT_CHECK([ip link set dev br0 up]) +on_exit 'ip addr del dev br0 "10.1.1.1/24"' +ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24") + +dnl Allow traffic from local stack to ns0. Only allow neighbour discovery, +dnl return traffic from ns0 back to the local stack. +AT_DATA([flows.txt], [dnl +dnl default +table=0,priority=1,action=drop +table=0,priority=10,arp,action=normal + +dnl Load the output port to REG0 +table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1 +table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1 + +dnl Ingress pipeline +dnl - Allow all connections from LOCAL port (commit and proceed to egress) +dnl - All other connections go through conntracker using the input port as +dnl a connection tracking zone. 
+table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2 +table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]]) +table=1,priority=1,action=drop + +dnl Egress pipeline +dnl - Allow all connections from LOCAL port (commit and skip to output) +dnl - Allow other established connections to go through conntracker using +dnl output port as a connection tracking zone. +table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4 +table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]]) +table=2,priority=1,action=drop + +dnl Only allow established traffic from egress ct lookup +table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4 +table=3,priority=1,action=drop + +dnl output table +table=4,priority=100,ip,action=output:NXM_NX_REG0[[]] +]) + +AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) + +AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl +3 packets transmitted, 3 received, 0% packet loss, time 0ms +]) + +dnl HTTP requests from root namespace to p0 should work fine. +NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid]) +AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) + +dnl (again) HTTP requests from root namespace to p0 should work fine. 
+AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) + +AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl +TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport= dport= src=10.1.1.2 dst=10.1.1.1 sport= dport= [[ASSURED]] mark=0 zone=1 use=1 +TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport= dport= src=10.1.1.2 dst=10.1.1.1 sport= dport= [[ASSURED]] mark=0 zone=65534 use=1 +src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id= src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id= mark=0 zone=1 use=1 +src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id= src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id= mark=0 zone=65534 use=1 +]) + +OVS_TRAFFIC_VSWITCHD_STOP +AT_CLEANUP + AT_SETUP([conntrack - ct_mark]) CHECK_CONNTRACK() OVS_TRAFFIC_VSWITCHD_START(
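Review bot: in the system-common-macros.at hunk, the new `-e 's/id=[0-9]*/id=/g'` in FORMAT_CT is an unanchored substring match, so any other field whose name ends in `id=` would be rewritten too, and the comment above the macro ("Strip content from the piped input which would differ from test to test") is not updated to say that ICMP ids are now scrubbed alongside ports and secctx. Since `-e 's/ */ /g'` runs first and leaves exactly one space before each field, `-e 's/ id=[0-9]*/ id=/g'` would limit the match to the `id=` field itself; please also mention the ICMP case in the comment, as the scrub is what lets the new tests compare the `type=8 code=0 id=` ping entries deterministically.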
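Review bot: in both new tests in the system-traffic.at hunk, `on_exit 'ip addr del dev br0 "10.1.1.1/24"'` is registered only after `AT_CHECK([ip link set dev br0 up])`, so if that check fails the address added by the preceding `AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])` stays on br0 for the following tests; move the `on_exit` line directly after the `ip addr add` check. Both tests also run `wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log` twice with the same `-o wget0.log`, so the second request overwrites the transcript of the first and a failure in the repeat leaves nothing from the initial request to inspect; use a distinct log name (e.g. wget1.log) for the repeated request.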