new action ct_commit_nat, which ensures that
the traffic is commited and NATted. In combination
with match on ct.rel it allows the related traffic
to go through with correct NAT being applied.
Reported-at: https://bugzilla.redhat.com/2126083
Signed-off-by: Ales Musil <[email protected]>
---
v2: Add e2e test case.
---
northd/northd.c | 29 ++++--
northd/ovn-northd.8.xml | 19 +++-
tests/ovn-northd.at | 208 +++++++++++++++++++++-------------------
tests/ovn.at | 10 +-
tests/system-ovn.at | 128 +++++++++++++++++++++++++
5 files changed, 279 insertions(+), 115 deletions(-)
diff --git a/northd/northd.c b/northd/northd.c
index b7388afc5..e188e4f6a 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -6686,7 +6686,8 @@ build_acls(struct ovn_datapath *od, const struct
chassis_features *features,
/* Ingress and Egress ACL Table (Priority 65535).
*
* Allow traffic that is related to an existing conntrack entry that
- * has not been marked for deletion (ct_mark.blocked).
+ * has not been marked for deletion (ct_mark.blocked). At the same
+ * time apply NAT on this traffic.
*
* This is enforced at a higher priority than ACLs can be defined.
*
@@ -6699,9 +6700,9 @@ build_acls(struct ovn_datapath *od, const struct
chassis_features *features,
use_ct_inv_match ? " && !ct.inv" : "",
ct_blocked_match);
ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX - 3,
- ds_cstr(&match), "next;");
+ ds_cstr(&match), "ct_commit_nat;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX - 3,
- ds_cstr(&match), "next;");
+ ds_cstr(&match), "ct_commit_nat;");
/* Ingress and Egress ACL Table (Priority 65532).
*
@@ -10006,16 +10007,16 @@ build_lrouter_nat_flows_for_lb(struct ovn_lb_vip
*lb_vip,
int prio = 110;
if (lb_vip->vip_port) {
prio = 120;
- new_match = xasprintf("ct.new && %s && %s && "
+ new_match = xasprintf("ct.new && !ct.rel && %s && %s && "
REG_ORIG_TP_DPORT_ROUTER" == %d",
ds_cstr(match), lb->proto, lb_vip->vip_port);
- est_match = xasprintf("ct.est && %s && %s && "
+ est_match = xasprintf("ct.est && !ct.rel && %s && %s && "
REG_ORIG_TP_DPORT_ROUTER" == %d && %s == 1",
ds_cstr(match), lb->proto, lb_vip->vip_port,
ct_natted);
} else {
- new_match = xasprintf("ct.new && %s", ds_cstr(match));
- est_match = xasprintf("ct.est && %s && %s == 1",
+ new_match = xasprintf("ct.new && !ct.rel && %s", ds_cstr(match));
+ est_match = xasprintf("ct.est && !ct.rel && %s && %s == 1",
ds_cstr(match), ct_natted);
}
@@ -13664,6 +13665,20 @@ build_lrouter_nat_defrag_and_lb(struct ovn_datapath *od, struct hmap *lflows,
ovn_lflow_add(lflows, od, S_ROUTER_OUT_EGR_LOOP, 0, "1", "next;");
ovn_lflow_add(lflows, od, S_ROUTER_IN_ECMP_STATEFUL, 0, "1", "next;");
+ /* Ingress DNAT Table (Priority 50).
+ *
+ * Allow traffic that is related to an existing conntrack entry.
+ * At the same time apply NAT for this traffic.
+ *
+ * NOTE: This does not support related data sessions (eg,
+ * a dynamically negotiated FTP data channel), but will allow
+ * related traffic such as an ICMP Port Unreachable through
+ * that's generated from a non-listening UDP port. */
+ if (od->has_lb_vip) {
+ ovn_lflow_add(lflows, od, S_ROUTER_IN_DNAT, 50,
+ "ct.rel && !ct.est && !ct.new", "ct_commit_nat;");
+ }
+
/* If the router has load balancer or DNAT rules, re-circulate every
packet
* through the DNAT zone so that packets that need to be unDNATed in the
* reverse direction get unDNATed.
diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
index a70f2e678..175db6130 100644
--- a/northd/ovn-northd.8.xml
+++ b/northd/ovn-northd.8.xml
@@ -766,6 +766,8 @@
related to a committed flow in the connection tracker (e.g., an
ICMP Port Unreachable from a non-listening UDP port), as long
as the committed flow does not have <code>ct_mark.blocked</code> set.
+ This flow also applies NAT to the related traffic so that ICMP headers
+ and the inner packet have correct addresses.
If ACL logging and logging of related packets is enabled, then a
companion priority-65533 flow will be installed that accomplishes the
same thing but also logs the traffic.
@@ -3206,7 +3208,7 @@ icmp6 {
Router with gateway port in <code>OVN_Northbound</code> database
that
includes a L4 port <var>PORT</var> of protocol <var>P</var> and IPv4
or IPv6 address <var>VIP</var>, a priority-120 flow that matches on
- <code>ct.new && ip && reg0 == <var>VIP</var>
+ <code>ct.new && !ct.rel && ip && reg0 ==
<var>VIP</var>
&& <var>P</var> && reg9[16..31] == </code>
<code><var>PORT</var></code> (<code>xxreg0 == <var>VIP</var></code>
in the IPv6 case) with an action of
@@ -3238,7 +3240,7 @@ icmp6 {
<code>OVN_Northbound</code> database that includes a L4 port
<var>PORT</var> of protocol <var>P</var> and IPv4 or IPv6 address
<var>VIP</var>, a priority-120 flow that matches on
- <code>ct.est && ip4 && reg0 == <var>VIP</var>
+ <code>ct.est && !ct.rel && ip4 && reg0 ==
<var>VIP</var>
&& <var>P</var> && reg9[16..31] == </code>
<code><var>PORT</var></code> (<code>ip6</code> and
<code>xxreg0 == <var>VIP</var></code> in the IPv6 case) with an
@@ -3263,7 +3265,7 @@ icmp6 {
For all the configured load balancing rules for a router in
<code>OVN_Northbound</code> database that includes just an IP
address
<var>VIP</var> to match on, a priority-110 flow that matches on
- <code>ct.new && ip4 && reg0 ==
+ <code>ct.new && !ct.rel && ip4 && reg0 ==
<var>VIP</var></code> (<code>ip6</code> and <code>xxreg0 ==
<var>VIP</var></code> in the IPv6 case) with an action of
<code>ct_lb_mark(<var>args</var>)</code>, where <var>args</var>
contains
@@ -3290,7 +3292,7 @@ icmp6 {
For all the configured load balancing rules for a router in
<code>OVN_Northbound</code> database that includes just an IP
address
<var>VIP</var> to match on, a priority-110 flow that matches on
- <code>ct.est && ip4 && reg0 ==
+ <code>ct.est && !ct.rel && ip4 && reg0 ==
<var>VIP</var></code> (or <code>ip6</code> and
<code>xxreg0 == <var>VIP</var></code>) with an action of
<code>next;</code>. If the router is configured to force SNAT any
@@ -3317,6 +3319,15 @@ icmp6 {
Please note using <code>--reject</code> option will disable
empty_lb SB controller event for this load balancer.
</li>
+
+ <li>
+ <p>
+ For the related traffic, a priority 50 flow that matches
+ <code>ct.rel && !ct.est && !ct.new </code>
+ with an action of <code>ct_commit_nat;</code>, if the router
+ has load balancer assigned to it.
+ </p>
+ </li>
</ul>
<p>Ingress Table 6: DNAT on Gateway Routers</p>
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index 4f399eccb..654e55984 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -2348,7 +2348,7 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e
ls_in_acl_hint -e ls_out_acl_hint -e
table=3 (ls_out_acl_hint ), priority=7 , match=(ct.new && !ct.est),
action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
table=4 (ls_out_acl ), priority=1 , match=(ip && !ct.est),
action=(reg0[[1]] = 1; next;)
table=4 (ls_out_acl ), priority=1 , match=(ip && ct.est &&
ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;)
- table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(next;)
+ table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;)
table=4 (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new &&
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;)
table=4 (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl
&& ct_mark.blocked == 1)), action=(drop;)
table=7 (ls_in_acl_hint ), priority=1 , match=(ct.est &&
ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;)
@@ -2360,7 +2360,7 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e
ls_in_acl_hint -e ls_out_acl_hint -e
table=7 (ls_in_acl_hint ), priority=7 , match=(ct.new && !ct.est),
action=(reg0[[7]] = 1; reg0[[9]] = 1; next;)
table=8 (ls_in_acl ), priority=1 , match=(ip && !ct.est),
action=(reg0[[1]] = 1; next;)
table=8 (ls_in_acl ), priority=1 , match=(ip && ct.est &&
ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;)
- table=8 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(next;)
+ table=8 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;)
table=8 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new &&
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; next;)
table=8 (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl
&& ct_mark.blocked == 1)), action=(drop;)
])
@@ -2388,7 +2388,7 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e
ls_in_acl_hint -e ls_out_acl_hint -e
table=4 (ls_out_acl ), priority=1001 , match=(reg0[[7]] == 1 &&
(ip)), action=(reg0[[1]] = 1; next;)
table=4 (ls_out_acl ), priority=1001 , match=(reg0[[8]] == 1 &&
(ip)), action=(next;)
table=4 (ls_out_acl ), priority=34000, match=(eth.src ==
$svc_monitor_mac), action=(next;)
- table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(next;)
+ table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;)
table=4 (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new &&
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;)
table=4 (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl
&& ct_mark.blocked == 1)), action=(drop;)
table=4 (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs
|| mldv1 || mldv2), action=(next;)
@@ -2406,7 +2406,7 @@ AT_CHECK([ovn-sbctl lflow-list ls | grep -e
ls_in_acl_hint -e ls_out_acl_hint -e
table=8 (ls_in_acl ), priority=1001 , match=(reg0[[7]] == 1 &&
(ip)), action=(reg0[[1]] = 1; next;)
table=8 (ls_in_acl ), priority=1001 , match=(reg0[[8]] == 1 &&
(ip)), action=(next;)
table=8 (ls_in_acl ), priority=34000, match=(eth.dst ==
$svc_monitor_mac), action=(next;)
- table=8 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(next;)
+ table=8 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;)
table=8 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new &&
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; next;)
table=8 (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl
&& ct_mark.blocked == 1)), action=(drop;)
table=8 (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs
|| mldv1 || mldv2), action=(next;)
@@ -3660,10 +3660,11 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | sort], [0],
[dnl
AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 10.0.0.10 &&
tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 10.0.0.100 &&
tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 10.0.0.10
&& tcp && reg9[[16..31]] == 80), action=(ct_lb_mark(backends=10.0.0.4:8080);)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 10.0.0.100
&& tcp && reg9[[16..31]] == 80), action=(ct_lb_mark(backends=10.0.0.40:8080);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 == 10.0.0.10
&& tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 == 10.0.0.100
&& tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 ==
10.0.0.10 && tcp && reg9[[16..31]] == 80), action=(ct_lb_mark(backends=10.0.0.4:8080);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 ==
10.0.0.100 && tcp && reg9[[16..31]] == 80), action=(ct_lb_mark(backends=10.0.0.40:8080);)
+ table=6 (lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est &&
!ct.new), action=(ct_commit_nat;)
])
AT_CHECK([grep "lr_out_undnat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
@@ -3696,10 +3697,11 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | sort], [0],
[dnl
AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 10.0.0.10 &&
tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 10.0.0.100 &&
tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 10.0.0.10
&& tcp && reg9[[16..31]] == 80), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.4:8080);)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 10.0.0.100
&& tcp && reg9[[16..31]] == 80), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.40:8080);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 == 10.0.0.10
&& tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 == 10.0.0.100
&& tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 ==
10.0.0.10 && tcp && reg9[[16..31]] == 80), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.4:8080);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 ==
10.0.0.100 && tcp && reg9[[16..31]] == 80), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.40:8080);)
+ table=6 (lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est &&
!ct.new), action=(ct_commit_nat;)
])
AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
@@ -3742,10 +3744,11 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | sort], [0],
[dnl
AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 10.0.0.10 &&
tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 10.0.0.100 &&
tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 10.0.0.10
&& tcp && reg9[[16..31]] == 80), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.4:8080);)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 10.0.0.100
&& tcp && reg9[[16..31]] == 80), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.40:8080);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 == 10.0.0.10
&& tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 == 10.0.0.100
&& tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 ==
10.0.0.10 && tcp && reg9[[16..31]] == 80), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.4:8080);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 ==
10.0.0.100 && tcp && reg9[[16..31]] == 80), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.40:8080);)
+ table=6 (lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est &&
!ct.new), action=(ct_commit_nat;)
])
AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
@@ -3802,10 +3805,11 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | sort], [0],
[dnl
AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 10.0.0.10 &&
tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 10.0.0.100 &&
tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 10.0.0.10
&& tcp && reg9[[16..31]] == 80), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.4:8080);)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 10.0.0.100
&& tcp && reg9[[16..31]] == 80), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.40:8080);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 == 10.0.0.10
&& tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 == 10.0.0.100
&& tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 ==
10.0.0.10 && tcp && reg9[[16..31]] == 80), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.4:8080);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 ==
10.0.0.100 && tcp && reg9[[16..31]] == 80), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.40:8080);)
+ table=6 (lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est &&
!ct.new), action=(ct_commit_nat;)
])
AT_CHECK([grep "lr_out_snat" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
@@ -3848,8 +3852,8 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | sort], [0], [dnl
])
AT_CHECK([grep "lr_in_dnat" lr0flows | grep skip_snat_for_lb | sort], [0], [dnl
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 10.0.0.20 &&
tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(flags.skip_snat_for_lb = 1; next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 10.0.0.20
&& tcp && reg9[[16..31]] == 80), action=(flags.skip_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.40:8080);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 == 10.0.0.20
&& tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(flags.skip_snat_for_lb = 1; next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 ==
10.0.0.20 && tcp && reg9[[16..31]] == 80), action=(flags.skip_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.40:8080);)
])
AT_CHECK([grep "lr_out_snat" lr0flows | grep skip_snat_for_lb | sed 's/table=./table=?/' | sort], [0], [dnl
@@ -4224,14 +4228,14 @@ ovn-sbctl dump-flows sw0 > sw0flows
AT_CAPTURE_FILE([sw0flows])
AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl
- table=? (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(next;)
+ table=? (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;)
table=? (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new &&
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; next;)
table=? (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl
&& ct_mark.blocked == 1)), action=(drop;)
table=? (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs
|| mldv1 || mldv2), action=(next;)
])
AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl
- table=? (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(next;)
+ table=? (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;)
table=? (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new &&
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;)
table=? (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl
&& ct_mark.blocked == 1)), action=(drop;)
table=? (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs
|| mldv1 || mldv2), action=(next;)
@@ -4244,14 +4248,14 @@ ovn-sbctl dump-flows sw0 > sw0flows
AT_CAPTURE_FILE([sw0flows])
AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl
- table=? (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& ct_mark.blocked == 0), action=(next;)
+ table=? (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& ct_mark.blocked == 0), action=(ct_commit_nat;)
table=? (ls_in_acl ), priority=65532, match=((ct.est && ct.rpl &&
ct_mark.blocked == 1)), action=(drop;)
table=? (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new
&& ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; next;)
table=? (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs
|| mldv1 || mldv2), action=(next;)
])
AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl
- table=? (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& ct_mark.blocked == 0), action=(next;)
+ table=? (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& ct_mark.blocked == 0), action=(ct_commit_nat;)
table=? (ls_out_acl ), priority=65532, match=((ct.est && ct.rpl &&
ct_mark.blocked == 1)), action=(drop;)
table=? (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new
&& ct.rpl && ct_mark.blocked == 0), action=(next;)
table=? (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs
|| mldv1 || mldv2), action=(next;)
@@ -4268,14 +4272,14 @@ ovn-sbctl dump-flows sw0 > sw0flows
AT_CAPTURE_FILE([sw0flows])
AT_CHECK([grep -w "ls_in_acl" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl
- table=? (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(next;)
+ table=? (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;)
table=? (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new &&
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; next;)
table=? (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl
&& ct_mark.blocked == 1)), action=(drop;)
table=? (ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs
|| mldv1 || mldv2), action=(next;)
])
AT_CHECK([grep -w "ls_out_acl" sw0flows | grep 6553 | sort | sed 's/table=./table=?/'], [0], [dnl
- table=? (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(next;)
+ table=? (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;)
table=? (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new &&
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;)
table=? (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl
&& ct_mark.blocked == 1)), action=(drop;)
table=? (ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs
|| mldv1 || mldv2), action=(next;)
@@ -5103,14 +5107,15 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | sort], [0],
[dnl
AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
table=6 (lr_in_dnat ), priority=100 , match=(ip && ip4.dst == 172.168.0.20 && inport ==
"lr0-public" && is_chassis_resident("cr-lr0-public")), action=(ct_dnat_in_czone(10.0.0.3);)
- table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0 == 172.168.0.200
&& ct_mark.natted == 1 && is_chassis_resident("cr-lr0-public")), action=(next;)
- table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0 == 172.168.0.200
&& is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.80,10.0.0.81);)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 10.0.0.10 && tcp &&
reg9[[16..31]] == 80 && ct_mark.natted == 1 && is_chassis_resident("cr-lr0-public")), action=(next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 172.168.0.100 && tcp &&
reg9[[16..31]] == 8082 && ct_mark.natted == 1 && is_chassis_resident("cr-lr0-public")), action=(next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 172.168.0.210 && udp &&
reg9[[16..31]] == 60 && ct_mark.natted == 1 && is_chassis_resident("cr-lr0-public")), action=(next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 10.0.0.10 && tcp
&& reg9[[16..31]] == 80 && is_chassis_resident("cr-lr0-public")),
action=(ct_lb_mark(backends=10.0.0.4:8080);)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 172.168.0.100 && tcp
&& reg9[[16..31]] == 8082 && is_chassis_resident("cr-lr0-public")),
action=(ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 172.168.0.210 && udp
&& reg9[[16..31]] == 60 && is_chassis_resident("cr-lr0-public")),
action=(ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);)
+ table=6 (lr_in_dnat ), priority=110 , match=(ct.est && !ct.rel && ip4 && reg0 ==
172.168.0.200 && ct_mark.natted == 1 && is_chassis_resident("cr-lr0-public")), action=(next;)
+ table=6 (lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4 && reg0 ==
172.168.0.200 && is_chassis_resident("cr-lr0-public")),
action=(ct_lb_mark(backends=10.0.0.80,10.0.0.81);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 == 10.0.0.10 && tcp
&& reg9[[16..31]] == 80 && ct_mark.natted == 1 && is_chassis_resident("cr-lr0-public")), action=(next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 == 172.168.0.100 && tcp
&& reg9[[16..31]] == 8082 && ct_mark.natted == 1 && is_chassis_resident("cr-lr0-public")), action=(next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 == 172.168.0.210 && udp
&& reg9[[16..31]] == 60 && ct_mark.natted == 1 && is_chassis_resident("cr-lr0-public")), action=(next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 == 10.0.0.10 &&
tcp && reg9[[16..31]] == 80 && is_chassis_resident("cr-lr0-public")),
action=(ct_lb_mark(backends=10.0.0.4:8080);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 == 172.168.0.100
&& tcp && reg9[[16..31]] == 8082 && is_chassis_resident("cr-lr0-public")),
action=(ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 == 172.168.0.210
&& udp && reg9[[16..31]] == 60 && is_chassis_resident("cr-lr0-public")),
action=(ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);)
+ table=6 (lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est &&
!ct.new), action=(ct_commit_nat;)
])
AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
@@ -5172,14 +5177,15 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | sort], [0],
[dnl
AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
table=6 (lr_in_dnat ), priority=100 , match=(ip && ip4.dst ==
172.168.0.20), action=(flags.loopback = 1; ct_dnat(10.0.0.3);)
- table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0 ==
172.168.0.200 && ct_mark.natted == 1), action=(next;)
- table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0
== 172.168.0.200), action=(ct_lb_mark(backends=10.0.0.80,10.0.0.81);)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 10.0.0.10 &&
tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 172.168.0.100
&& tcp && reg9[[16..31]] == 8082 && ct_mark.natted == 1), action=(next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 172.168.0.210
&& udp && reg9[[16..31]] == 60 && ct_mark.natted == 1), action=(next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 10.0.0.10
&& tcp && reg9[[16..31]] == 80), action=(ct_lb_mark(backends=10.0.0.4:8080);)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 172.168.0.100
&& tcp && reg9[[16..31]] == 8082), action=(ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 172.168.0.210
&& udp && reg9[[16..31]] == 60), action=(ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);)
+ table=6 (lr_in_dnat ), priority=110 , match=(ct.est && !ct.rel && ip4 &&
reg0 == 172.168.0.200 && ct_mark.natted == 1), action=(next;)
+ table=6 (lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4
&& reg0 == 172.168.0.200), action=(ct_lb_mark(backends=10.0.0.80,10.0.0.81);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 == 10.0.0.10
&& tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 ==
172.168.0.100 && tcp && reg9[[16..31]] == 8082 && ct_mark.natted == 1), action=(next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 ==
172.168.0.210 && udp && reg9[[16..31]] == 60 && ct_mark.natted == 1), action=(next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 ==
10.0.0.10 && tcp && reg9[[16..31]] == 80), action=(ct_lb_mark(backends=10.0.0.4:8080);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 ==
172.168.0.100 && tcp && reg9[[16..31]] == 8082),
action=(ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 ==
172.168.0.210 && udp && reg9[[16..31]] == 60),
action=(ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);)
+ table=6 (lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est &&
!ct.new), action=(ct_commit_nat;)
])
AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
@@ -5233,14 +5239,15 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | sort], [0],
[dnl
AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
table=6 (lr_in_dnat ), priority=100 , match=(ip && ip4.dst ==
172.168.0.20), action=(flags.loopback = 1; ct_dnat(10.0.0.3);)
- table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0 ==
172.168.0.200 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
- table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0
== 172.168.0.200), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.80,10.0.0.81);)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 10.0.0.10 &&
tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 172.168.0.100
&& tcp && reg9[[16..31]] == 8082 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1;
next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 172.168.0.210
&& udp && reg9[[16..31]] == 60 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1;
next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 10.0.0.10
&& tcp && reg9[[16..31]] == 80), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.4:8080);)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 172.168.0.100
&& tcp && reg9[[16..31]] == 8082), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 172.168.0.210
&& udp && reg9[[16..31]] == 60), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);)
+ table=6 (lr_in_dnat ), priority=110 , match=(ct.est && !ct.rel && ip4 &&
reg0 == 172.168.0.200 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
+ table=6 (lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4
&& reg0 == 172.168.0.200), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.80,10.0.0.81);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 == 10.0.0.10
&& tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 ==
172.168.0.100 && tcp && reg9[[16..31]] == 8082 && ct_mark.natted == 1), action=(flags.force_snat_for_lb
= 1; next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 ==
172.168.0.210 && udp && reg9[[16..31]] == 60 && ct_mark.natted == 1), action=(flags.force_snat_for_lb =
1; next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 ==
10.0.0.10 && tcp && reg9[[16..31]] == 80), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.4:8080);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 ==
172.168.0.100 && tcp && reg9[[16..31]] == 8082), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 ==
172.168.0.210 && udp && reg9[[16..31]] == 60), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);)
+ table=6 (lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est &&
!ct.new), action=(ct_commit_nat;)
])
AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
@@ -5297,16 +5304,17 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | sort], [0],
[dnl
AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
table=6 (lr_in_dnat ), priority=100 , match=(ip && ip4.dst ==
172.168.0.20), action=(flags.loopback = 1; ct_dnat(10.0.0.3);)
- table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0 ==
172.168.0.200 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
- table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0
== 172.168.0.200), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.80,10.0.0.81);)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 10.0.0.10 &&
tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 172.168.0.10
&& tcp && reg9[[16..31]] == 9082 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1;
next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 172.168.0.100
&& tcp && reg9[[16..31]] == 8082 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1;
next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 172.168.0.210
&& udp && reg9[[16..31]] == 60 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1;
next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 10.0.0.10
&& tcp && reg9[[16..31]] == 80), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.4:8080);)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 172.168.0.10
&& tcp && reg9[[16..31]] == 9082), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 172.168.0.100
&& tcp && reg9[[16..31]] == 8082), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 172.168.0.210
&& udp && reg9[[16..31]] == 60), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);)
+ table=6 (lr_in_dnat ), priority=110 , match=(ct.est && !ct.rel && ip4 &&
reg0 == 172.168.0.200 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
+ table=6 (lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4
&& reg0 == 172.168.0.200), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.80,10.0.0.81);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 == 10.0.0.10
&& tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 ==
172.168.0.10 && tcp && reg9[[16..31]] == 9082 && ct_mark.natted == 1), action=(flags.force_snat_for_lb
= 1; next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 ==
172.168.0.100 && tcp && reg9[[16..31]] == 8082 && ct_mark.natted == 1), action=(flags.force_snat_for_lb
= 1; next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 ==
172.168.0.210 && udp && reg9[[16..31]] == 60 && ct_mark.natted == 1), action=(flags.force_snat_for_lb =
1; next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 ==
10.0.0.10 && tcp && reg9[[16..31]] == 80), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.4:8080);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 ==
172.168.0.10 && tcp && reg9[[16..31]] == 9082), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 ==
172.168.0.100 && tcp && reg9[[16..31]] == 8082), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 ==
172.168.0.210 && udp && reg9[[16..31]] == 60), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);)
+ table=6 (lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est &&
!ct.new), action=(ct_commit_nat;)
])
AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
@@ -5374,18 +5382,19 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | sort], [0],
[dnl
AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
table=6 (lr_in_dnat ), priority=100 , match=(ip && ip4.dst ==
172.168.0.20), action=(flags.loopback = 1; ct_dnat(10.0.0.3);)
- table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0 ==
172.168.0.200 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
- table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0
== 172.168.0.200), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.80,10.0.0.81);)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 10.0.0.10 &&
tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 172.168.0.10
&& tcp && reg9[[16..31]] == 9082 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1;
next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 172.168.0.100
&& tcp && reg9[[16..31]] == 8082 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1;
next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 172.168.0.210
&& udp && reg9[[16..31]] == 60 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1;
next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip6 && xxreg0 == def0::2 &&
tcp && reg9[[16..31]] == 8000 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 10.0.0.10
&& tcp && reg9[[16..31]] == 80), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.4:8080);)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 172.168.0.10
&& tcp && reg9[[16..31]] == 9082), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 172.168.0.100
&& tcp && reg9[[16..31]] == 8082), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 172.168.0.210
&& udp && reg9[[16..31]] == 60), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip6 && xxreg0 == def0::2
&& tcp && reg9[[16..31]] == 8000), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=[[aef0::2]]:80,[[aef0::3]]:80);)
+ table=6 (lr_in_dnat ), priority=110 , match=(ct.est && !ct.rel && ip4 &&
reg0 == 172.168.0.200 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
+ table=6 (lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4
&& reg0 == 172.168.0.200), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.80,10.0.0.81);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 == 10.0.0.10
&& tcp && reg9[[16..31]] == 80 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 ==
172.168.0.10 && tcp && reg9[[16..31]] == 9082 && ct_mark.natted == 1), action=(flags.force_snat_for_lb
= 1; next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 ==
172.168.0.100 && tcp && reg9[[16..31]] == 8082 && ct_mark.natted == 1), action=(flags.force_snat_for_lb
= 1; next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 ==
172.168.0.210 && udp && reg9[[16..31]] == 60 && ct_mark.natted == 1), action=(flags.force_snat_for_lb =
1; next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip6 && xxreg0 == def0::2
&& tcp && reg9[[16..31]] == 8000 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1; next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 ==
10.0.0.10 && tcp && reg9[[16..31]] == 80), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.4:8080);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 ==
172.168.0.10 && tcp && reg9[[16..31]] == 9082), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 ==
172.168.0.100 && tcp && reg9[[16..31]] == 8082), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.50:82,10.0.0.60:82);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 ==
172.168.0.210 && udp && reg9[[16..31]] == 60), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip6 && xxreg0 ==
def0::2 && tcp && reg9[[16..31]] == 8000), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=[[aef0::2]]:80,[[aef0::3]]:80);)
+ table=6 (lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est &&
!ct.new), action=(ct_commit_nat;)
])
AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
@@ -5441,10 +5450,11 @@ AT_CHECK([grep "lr_in_defrag" lr0flows | sort], [0],
[dnl
AT_CHECK([grep "lr_in_dnat" lr0flows | sort], [0], [dnl
table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 172.168.0.210
&& tcp && reg9[[16..31]] == 60 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1;
next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 172.168.0.210
&& udp && reg9[[16..31]] == 60 && ct_mark.natted == 1), action=(flags.force_snat_for_lb = 1;
next;)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 172.168.0.210
&& tcp && reg9[[16..31]] == 60), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);)
- table=6 (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 172.168.0.210
&& udp && reg9[[16..31]] == 60), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 ==
172.168.0.210 && tcp && reg9[[16..31]] == 60 && ct_mark.natted == 1), action=(flags.force_snat_for_lb =
1; next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 ==
172.168.0.210 && udp && reg9[[16..31]] == 60 && ct_mark.natted == 1), action=(flags.force_snat_for_lb =
1; next;)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 ==
172.168.0.210 && tcp && reg9[[16..31]] == 60), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);)
+ table=6 (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 ==
172.168.0.210 && udp && reg9[[16..31]] == 60), action=(flags.force_snat_for_lb = 1;
ct_lb_mark(backends=10.0.0.50:6062,10.0.0.60:6062);)
+ table=6 (lr_in_dnat ), priority=50 , match=(ct.rel && !ct.est &&
!ct.new), action=(ct_commit_nat;)
])
AT_CHECK([grep "lr_out_chk_dnat_local" lr0flows | sed 's/table=./table=?/' | sort], [0], [dnl
@@ -6522,7 +6532,7 @@ AT_CHECK([grep -e "ls_in_acl" lsflows | sed
's/table=../table=??/' | sort], [0],
table=??(ls_in_acl ), priority=2004 , match=(reg0[[10]] == 1 && (ip4
&& ip4.dst == 10.0.0.2)), action=(ct_commit { ct_mark.blocked = 1; }; /* drop */)
table=??(ls_in_acl ), priority=2004 , match=(reg0[[9]] == 1 && (ip4
&& ip4.dst == 10.0.0.2)), action=(/* drop */)
table=??(ls_in_acl ), priority=34000, match=(eth.dst ==
$svc_monitor_mac), action=(next;)
- table=??(ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(next;)
+ table=??(ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;)
table=??(ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new &&
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; next;)
table=??(ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl
&& ct_mark.blocked == 1)), action=(drop;)
table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs
|| mldv1 || mldv2), action=(next;)
@@ -6567,7 +6577,7 @@ AT_CHECK([grep -e "ls_in_acl" lsflows | sed
's/table=../table=??/' | sort], [0],
table=??(ls_in_acl ), priority=1 , match=(ip && !ct.est),
action=(reg0[[1]] = 1; next;)
table=??(ls_in_acl ), priority=1 , match=(ip && ct.est &&
ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;)
table=??(ls_in_acl ), priority=34000, match=(eth.dst ==
$svc_monitor_mac), action=(next;)
- table=??(ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(next;)
+ table=??(ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;)
table=??(ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new &&
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; next;)
table=??(ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl
&& ct_mark.blocked == 1)), action=(drop;)
table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs
|| mldv1 || mldv2), action=(next;)
@@ -6624,7 +6634,7 @@ AT_CHECK([grep -e "ls_in_acl" lsflows | sed
's/table=../table=??/' | sort], [0],
table=??(ls_in_acl ), priority=2003 , match=(reg0[[7]] == 1 && (ip4
&& icmp)), action=(reg0[[1]] = 1; next;)
table=??(ls_in_acl ), priority=2003 , match=(reg0[[8]] == 1 && (ip4
&& icmp)), action=(next;)
table=??(ls_in_acl ), priority=34000, match=(eth.dst ==
$svc_monitor_mac), action=(next;)
- table=??(ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(next;)
+ table=??(ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;)
table=??(ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new &&
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; next;)
table=??(ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl
&& ct_mark.blocked == 1)), action=(drop;)
table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs
|| mldv1 || mldv2), action=(next;)
@@ -7055,7 +7065,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" |
sed 's/table=../table=??/
table=??(ls_in_acl ), priority=1001 , match=(reg0[[7]] == 1 && (ip4
&& tcp)), action=(reg0[[1]] = 1; next;)
table=??(ls_in_acl ), priority=1001 , match=(reg0[[8]] == 1 && (ip4
&& tcp)), action=(next;)
table=??(ls_in_acl ), priority=34000, match=(eth.dst ==
$svc_monitor_mac), action=(next;)
- table=??(ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(next;)
+ table=??(ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;)
table=??(ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new &&
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; next;)
table=??(ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl
&& ct_mark.blocked == 1)), action=(drop;)
table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs
|| mldv1 || mldv2), action=(next;)
@@ -7077,7 +7087,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" |
sed 's/table=../table=??/
table=??(ls_out_acl ), priority=1 , match=(ip && !ct.est),
action=(drop;)
table=??(ls_out_acl ), priority=1 , match=(ip && ct.est &&
ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;)
table=??(ls_out_acl ), priority=34000, match=(eth.src ==
$svc_monitor_mac), action=(next;)
- table=??(ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(next;)
+ table=??(ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;)
table=??(ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new &&
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;)
table=??(ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl
&& ct_mark.blocked == 1)), action=(drop;)
table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs
|| mldv1 || mldv2), action=(next;)
@@ -7178,7 +7188,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" |
sed 's/table=../table=??/
table=??(ls_in_acl ), priority=1 , match=(ip && !ct.est),
action=(drop;)
table=??(ls_in_acl ), priority=1 , match=(ip && ct.est &&
ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;)
table=??(ls_in_acl ), priority=34000, match=(eth.dst ==
$svc_monitor_mac), action=(next;)
- table=??(ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(next;)
+ table=??(ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;)
table=??(ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new &&
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; next;)
table=??(ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl
&& ct_mark.blocked == 1)), action=(drop;)
table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs
|| mldv1 || mldv2), action=(next;)
@@ -7202,7 +7212,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" |
sed 's/table=../table=??/
table=??(ls_out_acl ), priority=1 , match=(ip && !ct.est),
action=(drop;)
table=??(ls_out_acl ), priority=1 , match=(ip && ct.est &&
ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;)
table=??(ls_out_acl ), priority=34000, match=(eth.src ==
$svc_monitor_mac), action=(next;)
- table=??(ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(next;)
+ table=??(ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;)
table=??(ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new &&
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;)
table=??(ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl
&& ct_mark.blocked == 1)), action=(drop;)
table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs
|| mldv1 || mldv2), action=(next;)
@@ -7303,7 +7313,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" |
sed 's/table=../table=??/
table=??(ls_in_acl ), priority=1 , match=(ip && !ct.est),
action=(drop;)
table=??(ls_in_acl ), priority=1 , match=(ip && ct.est &&
ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;)
table=??(ls_in_acl ), priority=34000, match=(eth.dst ==
$svc_monitor_mac), action=(next;)
- table=??(ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(next;)
+ table=??(ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;)
table=??(ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new &&
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; next;)
table=??(ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl
&& ct_mark.blocked == 1)), action=(drop;)
table=??(ls_in_acl ), priority=65532, match=(nd || nd_ra || nd_rs
|| mldv1 || mldv2), action=(next;)
@@ -7327,7 +7337,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep -E "ls_.*_acl" |
sed 's/table=../table=??/
table=??(ls_out_acl ), priority=1001 , match=(reg0[[7]] == 1 && (ip4
&& tcp)), action=(reg0[[1]] = 1; next;)
table=??(ls_out_acl ), priority=1001 , match=(reg0[[8]] == 1 && (ip4
&& tcp)), action=(next;)
table=??(ls_out_acl ), priority=34000, match=(eth.src ==
$svc_monitor_mac), action=(next;)
- table=??(ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(next;)
+ table=??(ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;)
table=??(ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new &&
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;)
table=??(ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl
&& ct_mark.blocked == 1)), action=(drop;)
table=??(ls_out_acl ), priority=65532, match=(nd || nd_ra || nd_rs
|| mldv1 || mldv2), action=(next;)
@@ -7648,8 +7658,8 @@ check ovn-nbctl
\
AS_BOX([No chassis registered - use ct_lb_mark and ct_mark.natted])
check ovn-nbctl --wait=sb sync
AT_CHECK([ovn-sbctl lflow-list | grep -e natted -e ct_lb], [0], [dnl
- table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0 ==
66.66.66.66 && ct_mark.natted == 1), action=(next;)
- table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0
== 66.66.66.66), action=(ct_lb_mark(backends=42.42.42.2);)
+ table=6 (lr_in_dnat ), priority=110 , match=(ct.est && !ct.rel && ip4 &&
reg0 == 66.66.66.66 && ct_mark.natted == 1), action=(next;)
+ table=6 (lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4
&& reg0 == 66.66.66.66), action=(ct_lb_mark(backends=42.42.42.2);)
table=6 (ls_in_pre_stateful ), priority=120 , match=(ip4.dst ==
66.66.66.66), action=(reg1 = 66.66.66.66; ct_lb_mark;)
table=6 (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1),
action=(ct_lb_mark;)
table=11(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst ==
66.66.66.66), action=(reg0[[1]] = 0; ct_lb_mark(backends=42.42.42.2);)
@@ -7660,8 +7670,8 @@ AS_BOX([Chassis registered that doesn't support
ct_lb_mark - use ct_lb and ct_la
check ovn-sbctl chassis-add hv geneve 127.0.0.1
check ovn-nbctl --wait=sb sync
AT_CHECK([ovn-sbctl lflow-list | grep -e natted -e ct_lb], [0], [dnl
- table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0 ==
66.66.66.66 && ct_label.natted == 1), action=(next;)
- table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0
== 66.66.66.66), action=(ct_lb(backends=42.42.42.2);)
+ table=6 (lr_in_dnat ), priority=110 , match=(ct.est && !ct.rel && ip4 &&
reg0 == 66.66.66.66 && ct_label.natted == 1), action=(next;)
+ table=6 (lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4
&& reg0 == 66.66.66.66), action=(ct_lb(backends=42.42.42.2);)
table=6 (ls_in_pre_stateful ), priority=120 , match=(ip4.dst ==
66.66.66.66), action=(reg1 = 66.66.66.66; ct_lb;)
table=6 (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1),
action=(ct_lb;)
table=11(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst ==
66.66.66.66), action=(reg0[[1]] = 0; ct_lb(backends=42.42.42.2);)
@@ -7672,8 +7682,8 @@ AS_BOX([Chassis upgrades and supports ct_lb_mark - use
ct_lb_mark and ct_mark.na
check ovn-sbctl set chassis hv other_config:ct-no-masked-label=true
check ovn-nbctl --wait=sb sync
AT_CHECK([ovn-sbctl lflow-list | grep -e natted -e ct_lb], [0], [dnl
- table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0 ==
66.66.66.66 && ct_mark.natted == 1), action=(next;)
- table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0
== 66.66.66.66), action=(ct_lb_mark(backends=42.42.42.2);)
+ table=6 (lr_in_dnat ), priority=110 , match=(ct.est && !ct.rel && ip4 &&
reg0 == 66.66.66.66 && ct_mark.natted == 1), action=(next;)
+ table=6 (lr_in_dnat ), priority=110 , match=(ct.new && !ct.rel && ip4
&& reg0 == 66.66.66.66), action=(ct_lb_mark(backends=42.42.42.2);)
table=6 (ls_in_pre_stateful ), priority=120 , match=(ip4.dst ==
66.66.66.66), action=(reg1 = 66.66.66.66; ct_lb_mark;)
table=6 (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1),
action=(ct_lb_mark;)
table=11(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst ==
66.66.66.66), action=(reg0[[1]] = 0; ct_lb_mark(backends=42.42.42.2);)
@@ -7701,7 +7711,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep 'ls.*acl.*blocked'
], [0], [dnl
table=7 (ls_in_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl
&& ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;)
table=7 (ls_in_acl_hint ), priority=2 , match=(ct.est &&
ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;)
table=7 (ls_in_acl_hint ), priority=1 , match=(ct.est &&
ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;)
- table=8 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(next;)
+ table=8 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;)
table=8 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new &&
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; next;)
table=8 (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl
&& ct_mark.blocked == 1)), action=(drop;)
table=8 (ls_in_acl ), priority=1 , match=(ip && ct.est &&
ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;)
@@ -7709,7 +7719,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep 'ls.*acl.*blocked'
], [0], [dnl
table=3 (ls_out_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl
&& ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;)
table=3 (ls_out_acl_hint ), priority=2 , match=(ct.est &&
ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;)
table=3 (ls_out_acl_hint ), priority=1 , match=(ct.est &&
ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;)
- table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(next;)
+ table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;)
table=4 (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new &&
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;)
table=4 (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl
&& ct_mark.blocked == 1)), action=(drop;)
table=4 (ls_out_acl ), priority=1 , match=(ip && ct.est &&
ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;)
@@ -7723,7 +7733,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep 'ls.*acl.*blocked'
], [0], [dnl
table=7 (ls_in_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl
&& ct_label.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;)
table=7 (ls_in_acl_hint ), priority=2 , match=(ct.est &&
ct_label.blocked == 1), action=(reg0[[9]] = 1; next;)
table=7 (ls_in_acl_hint ), priority=1 , match=(ct.est &&
ct_label.blocked == 0), action=(reg0[[10]] = 1; next;)
- table=8 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_label.blocked == 0), action=(next;)
+ table=8 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_label.blocked == 0), action=(ct_commit_nat;)
table=8 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new &&
!ct.inv && ct.rpl && ct_label.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; next;)
table=8 (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl
&& ct_label.blocked == 1)), action=(drop;)
table=8 (ls_in_acl ), priority=1 , match=(ip && ct.est &&
ct_label.blocked == 1), action=(reg0[[1]] = 1; next;)
@@ -7731,7 +7741,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep 'ls.*acl.*blocked'
], [0], [dnl
table=3 (ls_out_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl
&& ct_label.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;)
table=3 (ls_out_acl_hint ), priority=2 , match=(ct.est &&
ct_label.blocked == 1), action=(reg0[[9]] = 1; next;)
table=3 (ls_out_acl_hint ), priority=1 , match=(ct.est &&
ct_label.blocked == 0), action=(reg0[[10]] = 1; next;)
- table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_label.blocked == 0), action=(next;)
+ table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_label.blocked == 0), action=(ct_commit_nat;)
table=4 (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new &&
!ct.inv && ct.rpl && ct_label.blocked == 0), action=(next;)
table=4 (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl
&& ct_label.blocked == 1)), action=(drop;)
table=4 (ls_out_acl ), priority=1 , match=(ip && ct.est &&
ct_label.blocked == 1), action=(reg0[[1]] = 1; next;)
@@ -7745,7 +7755,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep 'ls.*acl.*blocked'
], [0], [dnl
table=7 (ls_in_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl
&& ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;)
table=7 (ls_in_acl_hint ), priority=2 , match=(ct.est &&
ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;)
table=7 (ls_in_acl_hint ), priority=1 , match=(ct.est &&
ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;)
- table=8 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(next;)
+ table=8 (ls_in_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;)
table=8 (ls_in_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new &&
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[[9]] = 0; reg0[[10]] = 0; next;)
table=8 (ls_in_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl
&& ct_mark.blocked == 1)), action=(drop;)
table=8 (ls_in_acl ), priority=1 , match=(ip && ct.est &&
ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;)
@@ -7753,7 +7763,7 @@ AT_CHECK([ovn-sbctl lflow-list | grep 'ls.*acl.*blocked'
], [0], [dnl
table=3 (ls_out_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl
&& ct_mark.blocked == 0), action=(reg0[[8]] = 1; reg0[[10]] = 1; next;)
table=3 (ls_out_acl_hint ), priority=2 , match=(ct.est &&
ct_mark.blocked == 1), action=(reg0[[9]] = 1; next;)
table=3 (ls_out_acl_hint ), priority=1 , match=(ct.est &&
ct_mark.blocked == 0), action=(reg0[[10]] = 1; next;)
- table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(next;)
+ table=4 (ls_out_acl ), priority=65532, match=(!ct.est && ct.rel && !ct.new
&& !ct.inv && ct_mark.blocked == 0), action=(ct_commit_nat;)
table=4 (ls_out_acl ), priority=65532, match=(ct.est && !ct.rel && !ct.new &&
!ct.inv && ct.rpl && ct_mark.blocked == 0), action=(next;)
table=4 (ls_out_acl ), priority=65532, match=(ct.inv || (ct.est && ct.rpl
&& ct_mark.blocked == 1)), action=(drop;)
table=4 (ls_out_acl ), priority=1 , match=(ip && ct.est &&
ct_mark.blocked == 1), action=(reg0[[1]] = 1; next;)
diff --git a/tests/ovn.at b/tests/ovn.at
index 65edb7812..b9ac6d359 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -23669,7 +23669,7 @@ AT_CAPTURE_FILE([sbflows2])
OVS_WAIT_FOR_OUTPUT(
[ovn-sbctl dump-flows > sbflows2
ovn-sbctl dump-flows lr0 | grep ct_lb_mark | grep priority=120 | sed
's/table=..//'], 0,
- [ (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 10.0.0.10 && tcp &&
reg9[[16..31]] == 80 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80;
hash_fields="ip_dst,ip_src,tcp_dst,tcp_src");)
+ [ (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 == 10.0.0.10 && tcp &&
reg9[[16..31]] == 80 && is_chassis_resident("cr-lr0-public")), action=(ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80;
hash_fields="ip_dst,ip_src,tcp_dst,tcp_src");)
])
# get the svc monitor mac.
@@ -23711,8 +23711,8 @@ AT_CHECK(
AT_CAPTURE_FILE([sbflows4])
ovn-sbctl dump-flows lr0 > sbflows4
AT_CHECK([grep lr_in_dnat sbflows4 | grep priority=120 | sed 's/table=..//' |
sort], [0], [dnl
- (lr_in_dnat ), priority=120 , match=(ct.est && ip4 && reg0 == 10.0.0.10 && tcp &&
reg9[[16..31]] == 80 && ct_mark.natted == 1 && is_chassis_resident("cr-lr0-public")), action=(next;)
- (lr_in_dnat ), priority=120 , match=(ct.new && ip4 && reg0 == 10.0.0.10 && tcp &&
reg9[[16..31]] == 80 && is_chassis_resident("cr-lr0-public")), action=(drop;)
+ (lr_in_dnat ), priority=120 , match=(ct.est && !ct.rel && ip4 && reg0 == 10.0.0.10 && tcp &&
reg9[[16..31]] == 80 && ct_mark.natted == 1 && is_chassis_resident("cr-lr0-public")), action=(next;)
+ (lr_in_dnat ), priority=120 , match=(ct.new && !ct.rel && ip4 && reg0 == 10.0.0.10 && tcp
&& reg9[[16..31]] == 80 && is_chassis_resident("cr-lr0-public")), action=(drop;)
])
# Delete sw0-p1
@@ -32405,7 +32405,7 @@ SNAT_ZONE_REG="NXM_NX_REG12[[0..15]]"
lr0_dp_key=$(printf "%x" $(fetch_column Datapath_Binding tunnel_key external_ids:name=lr0))
-dnat_zone=$(ovs-ofctl dump-flows br-int table=$DNAT_TABLE,metadata=0x${lr0_dp_key} | grep -o zone=.*, | cut -d '=' -f 2)
+dnat_zone=$(ovs-ofctl dump-flows br-int table=$DNAT_TABLE,metadata=0x${lr0_dp_key} |
grep "nw_dst=172.16.0.2" | grep -o zone=.*, | cut -d '=' -f 2)
dnat_zone=${dnat_zone::-1}
snat_zone=$(ovs-ofctl dump-flows br-int
table=$SNAT_TABLE,metadata=0x${lr0_dp_key} | grep priority=153 | grep -o
zone=.*, | cut -d '=' -f 2)
snat_zone=${snat_zone::-1}
@@ -32417,7 +32417,7 @@ check test "$snat_zone" = "$DNAT_ZONE_REG"
check ovn-nbctl --wait=hv set logical_router lr0 options:snat-ct-zone=666
-dnat_zone=$(ovs-ofctl dump-flows br-int table=$DNAT_TABLE,metadata=0x${lr0_dp_key} | grep -o zone=.*, | cut -d '=' -f 2)
+dnat_zone=$(ovs-ofctl dump-flows br-int table=$DNAT_TABLE,metadata=0x${lr0_dp_key} |
grep "nw_dst=172.16.0.2" | grep -o zone=.*, | cut -d '=' -f 2)
dnat_zone=${dnat_zone::-1}
snat_zone=$(ovs-ofctl dump-flows br-int
table=$SNAT_TABLE,metadata=0x${lr0_dp_key} | grep priority=153 | grep -o
zone=.*, | cut -d '=' -f 2)
snat_zone=${snat_zone::-1}
diff --git a/tests/system-ovn.at b/tests/system-ovn.at
index 20c058415..bcaf765e4 100644
--- a/tests/system-ovn.at
+++ b/tests/system-ovn.at
@@ -8597,3 +8597,131 @@ OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port
patch-.*/d
/connection dropped.*/d"])
AT_CLEANUP
])
+
+OVN_FOR_EACH_NORTHD([
+AT_SETUP([LB - ICMP related traffic])
+
+CHECK_CONNTRACK()
+CHECK_CONNTRACK_NAT()
+ovn_start
+OVS_TRAFFIC_VSWITCHD_START()
+ADD_BR([br-int])
+
+# Set external-ids in br-int needed for ovn-controller
+ovs-vsctl \
+ -- set Open_vSwitch . external-ids:system-id=hv1 \
+ -- set Open_vSwitch .
external-ids:ovn-remote=unix:$ovs_base/ovn-sb/ovn-sb.sock \
+ -- set Open_vSwitch . external-ids:ovn-encap-type=geneve \
+ -- set Open_vSwitch . external-ids:ovn-encap-ip=169.0.0.1 \
+ -- set bridge br-int fail-mode=secure other-config:disable-in-band=true
+start_daemon ovn-controller
+
+# client -- ls0 -- lr -- ls1 -- server
+check ovn-nbctl ls-add ls0
+check ovn-nbctl ls-add ls1
+
+check ovn-nbctl lsp-add ls0 ls0-lr
+check ovn-nbctl lsp-set-type ls0-lr router
+check ovn-nbctl lsp-set-addresses ls0-lr 00:00:00:00:10:00 router
+check ovn-nbctl lsp-set-options ls0-lr router-port=lr-ls0
+
+check ovn-nbctl lsp-add ls1 ls1-lr
+check ovn-nbctl lsp-set-type ls1-lr router
+check ovn-nbctl lsp-set-addresses ls1-lr 00:00:00:00:20:00 router
+check ovn-nbctl lsp-set-options ls1-lr router-port=lr-ls1
+
+check ovn-nbctl lsp-add ls0 client
+check ovn-nbctl lsp-set-addresses client "00:00:00:00:10:10 192.168.10.10"
+
+check ovn-nbctl lsp-add ls1 server
+check ovn-nbctl lsp-set-addresses server "00:00:00:00:20:10 192.168.20.10"
+
+check ovn-nbctl lr-add lr
+check ovn-nbctl lrp-add lr lr-ls0 00:00:00:00:10:00 192.168.10.1/24
+check ovn-nbctl lrp-add lr lr-ls1 00:00:00:00:20:00 192.168.20.1/24
+
+check ovn-nbctl lrp-set-gateway-chassis lr-ls0 hv1
+
+check ovn-nbctl lb-add lb0 192.168.20.20 192.168.20.10
+
+ADD_NAMESPACES(client)
+ADD_VETH(client, client, br-int, "192.168.10.10/24", "00:00:00:00:10:10", \
+ "192.168.10.1")
+ADD_NAMESPACES(server)
+ADD_VETH(server, server, br-int, "192.168.20.10/24", "00:00:00:00:20:10", \
+ "192.168.20.1")
+
+test_related_traffic() {
+
+ check ovn-nbctl ls-lb-del ls0
+ check ovn-nbctl lr-lb-del lr
+
+ if [[ "$1" == "switch" ]]; then
+ check ovn-nbctl ls-lb-add ls0 lb0
+ else
+ check ovn-nbctl lr-lb-add lr lb0
+ fi
+
+ NETNS_DAEMONIZE([client], [tcpdump -U -i client -w client.pcap],
[tcpdump0.pid])
+ NETNS_DAEMONIZE([server], [tcpdump -U -i server -w server.pcap],
[tcpdump1.pid])
+
+ # Setup a dummy UDP listeners so we don't get "port unreachable".
+ NETNS_DAEMONIZE([client], [nc -l -u 1], [nc0.pid])
+ NETNS_DAEMONIZE([server], [nc -l -u 2], [nc1.pid])
+ sleep 1
+
+ # Send UDP client -> server
+ check ovs-ofctl packet-out br-int "in_port=ovs-client,\
+packet=00000000100000000000101008004500001C000040000A11D162C0A80A0AC0A814140001000200080000,\
+actions=resubmit(,0)"
+
+ # Send reply server -> client
+ check ovs-ofctl packet-out br-int "in_port=ovs-server,\
+packet=00000000200000000000201008004500001C000040000A11D16CC0A8140AC0A80A0A0002000100080000,\
+actions=resubmit(,0)"
+
+ # Send ICMP "need to frag" client -> server
+ check ovs-ofctl packet-out br-int "in_port=ovs-client,\
+packet=000000001000000000001010080045000038011F0000FF011B37C0A80A0AC0A814140304F77800000578\
+4500001c000040000911d262c0a81414c0a80a0a0002000100080000,\
+actions=resubmit(,0)"
+
+ # Wait for all packets to arrive
+ OVS_WAIT_UNTIL([test $(tcpdump -tvnnne "udp" -r client.pcap 2>/dev/null |
wc -l) -eq 2])
+ OVS_WAIT_UNTIL([test $(tcpdump -tvnnne "udp" -r server.pcap 2>/dev/null |
wc -l) -eq 2])
+ OVS_WAIT_UNTIL([test $(tcpdump -tvnnne "icmp" -r server.pcap 2>/dev/null |
wc -l) -eq 4])
+
+ kill $(cat tcpdump0.pid)
+ kill $(cat tcpdump1.pid)
+
+ kill $(cat nc0.pid)
+ kill $(cat nc1.pid)
+
+ # Check the ICMP packet
+ AT_CHECK([tcpdump -tvnnne "icmp" -r server.pcap 2>/dev/null | sed
's/^\s*//'], [0], [dnl
+00:00:00:00:20:00 > 00:00:00:00:20:10, ethertype IPv4 (0x0800), length 70:
(tos 0x0, ttl 254, id 287, offset 0, flags [[none]], proto ICMP (1), length 56)
+192.168.10.10 > 192.168.20.10: ICMP 192.168.10.10 unreachable - need to frag
(mtu 1400), length 36
+(tos 0x0, ttl 9, id 0, offset 0, flags [[DF]], proto UDP (17), length 28)
+192.168.20.10.2 > 192.168.10.10.1: UDP, length 0
+])
