Acked-by: Jarno Rajahalme <ja...@ovn.org> > On Sep 7, 2016, at 4:34 PM, Joe Stringer <j...@ovn.org> wrote: > > Previously we had the following tests: > * FTP with NAT > * FTP with NAT (seq-adj) > * FTP with NAT 2 > > Tests 1 and 2 share everything, except use different IP addresses. Test > 3 has a different flow table, but shares the topology with 1 and 2. > > This commit creates macros: > * CHECK_FTP_NAT(title, ip, flow_table) > * CHECK_FTP_NAT_PRE_RECIRC(title, ip, ip-as-hex) > * CHECK_FTP_NAT_POST_RECIRC(title, ip, ip-as-hex) > > The second macro represents tests 1 and 2, while the third macro > represents two variations on test 3: with and without TCP sequence > adjustment. > > By using these macros to declare the tests, much of the code may be > reused and shared rather than copying/pasting. As a result, the > differences between tests are easier to identify. > > Signed-off-by: Joe Stringer <j...@ovn.org> > --- > tests/system-traffic.at | 218 ++++++++++++++++++------------------------------ > 1 file changed, 81 insertions(+), 137 deletions(-) > > diff --git a/tests/system-traffic.at b/tests/system-traffic.at > index 4dabd90356a1..31076f8b141a 100644 > --- a/tests/system-traffic.at > +++ b/tests/system-traffic.at > @@ -2405,103 +2405,55 @@ > udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src= > OVS_TRAFFIC_VSWITCHD_STOP > AT_CLEANUP > > -AT_SETUP([conntrack - FTP with NAT]) > -AT_SKIP_IF([test $HAVE_PYFTPDLIB = no]) > -CHECK_CONNTRACK() > -CHECK_CONNTRACK_NAT() > - > -OVS_TRAFFIC_VSWITCHD_START() > - > -ADD_NAMESPACES(at_ns0, at_ns1) > - > -ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") > -NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88]) > -ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") > - > -dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from > ns1->ns0. > - > -AT_DATA([flows.txt], [dnl > -dnl track all IP traffic, de-mangle non-NEW connections > -table=0 in_port=1, ip, action=ct(table=1,nat) > -table=0 in_port=2, ip, action=ct(table=2,nat) > -dnl > -dnl ARP > -dnl > -table=0 priority=100 arp arp_op=1 > action=move:OXM_OF_ARP_TPA[[]]->NXM_NX_REG2[[]],resubmit(,8),goto_table:10 > -table=0 priority=10 arp action=normal > -table=0 priority=0 action=drop > -dnl > -dnl Table 1: port 1 -> 2 > -dnl > -dnl Allow new FTP connections. These need to be commited. > -table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, > action=ct(alg=ftp,commit,nat(src=10.1.1.9)),2 > -dnl Allow established TCP connections, make sure they are NATted already. > -table=1 ct_state=+est, tcp, nw_src=10.1.1.9, action=2 > -dnl > -dnl Table 1: droppers > +dnl CHECK_FTP_NAT(TITLE, IP_ADDR, FLOWS) > dnl > -table=1 priority=10, tcp, action=drop > -table=1 priority=0,action=drop > -dnl > -dnl Table 2: port 2 -> 1 > -dnl > -dnl Allow established TCP connections, make sure they are reverse NATted > -table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1 > -dnl Allow (new) related (data) connections. These need to be commited. > -table=2 ct_state=+new+rel, tcp, nw_dst=10.1.1.9, action=ct(commit,nat),1 > -dnl Allow related ICMP packets, make sure they are reverse NATted > -table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1 > -dnl > -dnl Table 2: droppers > -dnl > -table=2 priority=10, tcp, action=drop > -table=2 priority=0, action=drop > -dnl > -dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0 > -dnl > -table=8,reg2=0x0a010109/0xffffffff,action=load:0x808888888888->OXM_OF_PKT_REG0[[]] > -table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]] > -dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action. > -dnl TPA IP in reg2. > -dnl Swaps the fields of the ARP message to turn a query to a response. > -table=10 priority=100 arp xreg0=0 action=normal > -table=10 > priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]] > -table=10 priority=0 action=drop > -]) > +dnl Checks the implementation of conntrack with FTP ALGs in combination with > +dnl NAT, using the provided flow table. > +m4_define([CHECK_FTP_NAT], > + [AT_SETUP([conntrack - FTP NAT $1]) > + AT_SKIP_IF([test $HAVE_PYFTPDLIB = no]) > + CHECK_CONNTRACK() > + CHECK_CONNTRACK_NAT() > > -AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) > + OVS_TRAFFIC_VSWITCHD_START() > > -dnl NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid]) > -NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid]) > -OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp]) > + ADD_NAMESPACES(at_ns0, at_ns1) > > -dnl FTP requests from p0->p1 should work fine. > -NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 > --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d]) > + ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") > + NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88]) > + ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") > > -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl > -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.9,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp > -tcp,orig=(src=10.1.1.2,dst=10.1.1.9,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>) > + dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from > ns1->ns0. > + AT_DATA([flows.txt], [$3 > ]) > > -OVS_TRAFFIC_VSWITCHD_STOP > -AT_CLEANUP > - > -AT_SETUP([conntrack - FTP with NAT (seq-adj)]) > -AT_SKIP_IF([test $HAVE_PYFTPDLIB = no]) > -CHECK_CONNTRACK() > -CHECK_CONNTRACK_NAT() > + AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) > > -OVS_TRAFFIC_VSWITCHD_START() > + NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid]) > + OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp]) > > -ADD_NAMESPACES(at_ns0, at_ns1) > + dnl FTP requests from p0->p1 should work fine. > + NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T > 1 --retry-connrefused -v --server-response --no-remove-listing -o wget0.log > -d]) > > -ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") > -NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88]) > -ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") > + dnl Discards CLOSE_WAIT and CLOSING > + AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], > [dnl > +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp > +tcp,orig=(src=10.1.1.2,dst=$2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>) > +]) > > -dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from > ns1->ns0. > + OVS_TRAFFIC_VSWITCHD_STOP > + AT_CLEANUP]) > > -AT_DATA([flows.txt], [dnl > +dnl CHECK_FTP_NAT_PRE_RECIRC(TITLE, IP_ADDR, IP_ADDR_AS_HEX) > +dnl > +dnl Checks the implementation of conntrack with FTP ALGs in combination with > +dnl NAT, with flow tables that implement the NATing as part of handling of > +dnl initial incoming packets - ie, the first flow is ct(nat,table=foo). > +dnl > +dnl IP_ADDR must specify the NAT address in standard "10.1.1.x" format, > +dnl and IP_ADDR_AS_HEX must specify the same address as hex, eg 0x0a0101xx. > +m4_define([CHECK_FTP_NAT_PRE_RECIRC], [dnl > + CHECK_FTP_NAT([prerecirc $1], [$2], [dnl > dnl track all IP traffic, de-mangle non-NEW connections > table=0 in_port=1, ip, action=ct(table=1,nat) > table=0 in_port=2, ip, action=ct(table=2,nat) > @@ -2515,9 +2467,9 @@ dnl > dnl Table 1: port 1 -> 2 > dnl > dnl Allow new FTP connections. These need to be commited. > -table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, > action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2 > +table=1 ct_state=+new, tcp, tp_dst=21, nw_src=10.1.1.1, > action=ct(alg=ftp,commit,nat(src=$2)),2 > dnl Allow established TCP connections, make sure they are NATted already. > -table=1 ct_state=+est, tcp, nw_src=10.1.1.240, action=2 > +table=1 ct_state=+est, tcp, nw_src=$2, action=2 > dnl > dnl Table 1: droppers > dnl > @@ -2529,7 +2481,7 @@ dnl > dnl Allow established TCP connections, make sure they are reverse NATted > table=2 ct_state=+est, tcp, nw_dst=10.1.1.1, action=1 > dnl Allow (new) related (data) connections. These need to be commited. > -table=2 ct_state=+new+rel, tcp, nw_dst=10.1.1.240, action=ct(commit,nat),1 > +table=2 ct_state=+new+rel, tcp, nw_dst=$2, action=ct(commit,nat),1 > dnl Allow related ICMP packets, make sure they are reverse NATted > table=2 ct_state=+rel, icmp, nw_dst=10.1.1.1, action=1 > dnl > @@ -2540,7 +2492,7 @@ table=2 priority=0, action=drop > dnl > dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0 > dnl > -table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]] > +table=8,reg2=$3/0xffffffff,action=load:0x808888888888->OXM_OF_PKT_REG0[[]] > table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]] > dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action. > dnl TPA IP in reg2. > @@ -2548,40 +2500,34 @@ dnl Swaps the fields of the ARP message to turn a > query to a response. > table=10 priority=100 arp xreg0=0 action=normal > table=10 > priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]] > table=10 priority=0 action=drop > + ]) > ]) > > -AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) > - > -dnl NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid]) > -NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid]) > -OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp]) > - > -dnl FTP requests from p0->p1 should work fine. > -NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 > --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d]) > +dnl Check that ct(nat,table=foo) works without TCP sequence adjustment. > +CHECK_FTP_NAT_PRE_RECIRC([], [10.1.1.9], [0x0a010109]) > > -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl > -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp > -tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>) > -]) > - > -OVS_TRAFFIC_VSWITCHD_STOP > -AT_CLEANUP > - > -AT_SETUP([conntrack - FTP with NAT 2]) > -AT_SKIP_IF([test $HAVE_PYFTPDLIB = no]) > -CHECK_CONNTRACK() > -CHECK_CONNTRACK_NAT() > -OVS_TRAFFIC_VSWITCHD_START() > - > -ADD_NAMESPACES(at_ns0, at_ns1) > - > -ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") > -NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88]) > -ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") > - > -dnl Allow any traffic from ns0->ns1. > -dnl Only allow nd, return traffic from ns1->ns0. > -AT_DATA([flows.txt], [dnl > +dnl Check that ct(nat,table=foo) works with TCP sequence adjustment. > +dnl > +dnl The FTP PORT command includes the ASCII representation of the address, > +dnl so when these messages need to be NATed between addresses that have > +dnl different lengths when represented in ASCII (such as the original address > +dnl of 10.1.1.1 used in the test and 10.1.1.240 here), the FTP NAT ALG must > +dnl resize the packet and adjust TCP sequence numbers. This test is kept > +dnl separate from the above to easier identify issues in this code on > different > +dnl kernels. > +CHECK_FTP_NAT_PRE_RECIRC([seqadj], [10.1.1.240], [0x0a0101f0]) > + > +dnl CHECK_FTP_NAT_POST_RECIRC(TITLE, IP_ADDR, IP_ADDR_AS_HEX) > +dnl > +dnl Checks the implementation of conntrack with FTP ALGs in combination with > +dnl NAT, with flow tables that implement the NATing after the first round > +dnl of recirculation - that is, the first flow ct(table=foo) then a > subsequent > +dnl flow will implement the NATing with ct(nat..),output:foo. > +dnl > +dnl IP_ADDR must specify the NAT address in standard "10.1.1.x" format, > +dnl and IP_ADDR_AS_HEX must specify the same address as hex, eg 0x0a0101xx. > +m4_define([CHECK_FTP_NAT_POST_RECIRC], [dnl > + CHECK_FTP_NAT([postrecirc $1], [$2], [dnl > dnl track all IP traffic (this includes a helper call to non-NEW packets.) > table=0 ip, action=ct(table=1) > dnl > @@ -2595,7 +2541,7 @@ dnl Table 1 > dnl > dnl Allow new FTP connections. These need to be commited. > dnl This does helper for new packets. > -table=1 in_port=1 ct_state=+new, tcp, tp_dst=21, > action=ct(alg=ftp,commit,nat(src=10.1.1.240)),2 > +table=1 in_port=1 ct_state=+new, tcp, tp_dst=21, > action=ct(alg=ftp,commit,nat(src=$2)),2 > dnl Allow and NAT established TCP connections > table=1 in_port=1 ct_state=+est, tcp, action=ct(nat),2 > table=1 in_port=2 ct_state=+est, tcp, action=ct(nat),1 > @@ -2609,7 +2555,7 @@ table=1 priority=0, action=drop > dnl > dnl MAC resolution table for IP in reg2, stores mac in OXM_OF_PKT_REG0 > dnl > -table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[[]] > +table=8,reg2=$3/0xffffffff,action=load:0x808888888888->OXM_OF_PKT_REG0[[]] > table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[[]] > dnl ARP responder mac filled in at OXM_OF_PKT_REG0, or 0 for normal action. > dnl TPA IP in reg2. > @@ -2617,24 +2563,22 @@ dnl Swaps the fields of the ARP message to turn a > query to a response. > table=10 priority=100 arp xreg0=0 action=normal > table=10 > priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[[]],move:OXM_OF_ARP_SHA[[]]->OXM_OF_ARP_THA[[]],move:OXM_OF_PKT_REG0[[0..47]]->OXM_OF_ARP_SHA[[]],move:OXM_OF_ARP_SPA[[]]->OXM_OF_ARP_TPA[[]],move:NXM_NX_REG2[[]]->OXM_OF_ARP_SPA[[]],move:NXM_OF_ETH_SRC[[]]->NXM_OF_ETH_DST[[]],move:OXM_OF_PKT_REG0[[0..47]]->NXM_OF_ETH_SRC[[]],move:NXM_OF_IN_PORT[[]]->NXM_NX_REG3[[0..15]],load:0->NXM_OF_IN_PORT[[]],output:NXM_NX_REG3[[0..15]] > table=10 priority=0 action=drop > + ]) > ]) > > -AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) > - > -NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid]) > -OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp]) > - > -dnl FTP requests from p0->p1 should work fine. > -NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -4 --no-passive-ftp -t 3 -T 1 > --retry-connrefused -v --server-response --no-remove-listing -o wget0.log -d]) > +dnl Check that ct(nat,table=foo) works without TCP sequence adjustment. > +CHECK_FTP_NAT_POST_RECIRC([], [10.1.1.9], [0x0a010109]) > > -dnl Discards CLOSE_WAIT and CLOSING > -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl > -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp > -tcp,orig=(src=10.1.1.2,dst=10.1.1.240,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>) > -]) > - > -OVS_TRAFFIC_VSWITCHD_STOP > -AT_CLEANUP > +dnl Check that ct(nat,table=foo) works with TCP sequence adjustment. > +dnl > +dnl The FTP PORT command includes the ASCII representation of the address, > +dnl so when these messages need to be NATed between addresses that have > +dnl different lengths when represented in ASCII (such as the original address > +dnl of 10.1.1.1 used in the test and 10.1.1.240 here), the FTP NAT ALG must > +dnl resize the packet and adjust TCP sequence numbers. This test is kept > +dnl separate from the above to easier identify issues in this code on > different > +dnl kernels. > +CHECK_FTP_NAT_POST_RECIRC([seqadj], [10.1.1.240], [0x0a0101f0]) > > AT_SETUP([conntrack - IPv6 HTTP with NAT]) > CHECK_CONNTRACK() > -- > 2.9.3 >
_______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev