[ovs-dev] [PATCH] tests: Fix conntrack tests on windows.

Daniele Di Proietto diproiettod at vmware.com
Tue Aug 2 23:20:09 UTC 2016


On 02/08/2016 13:19, "Joe Stringer" <joe at ovn.org> wrote:

>On 2 August 2016 at 11:58, Daniele Di Proietto <diproiettod at vmware.com> wrote:
>> The conntrack unit tests seem to generate different megaflow masks on
>> Windows.  The megaflow masks depend on the internal ordering of the
>> subtables, which are sorted using qsort(), based on their max priority.
>> If two subtables have the same priority, the ordering between them depends
>> on the stability property of qsort(), which apparently differs
>> between Windows and Linux/*BSD.
>>
>> This commit uses multiple OpenFlow tables to build our conntrack
>> pipelines in the tests, which gives us more control over the visited
>> subtables and also improves clarity
>>
>> Reported-by: Alin Serdean <aserdean at cloudbasesolutions.com>
>> Signed-off-by: Daniele Di Proietto <diproiettod at vmware.com>
>
>Thanks for fixing this, LGTM.
>
>Minor comment, the flows for port 2 in table 0 in each of these tests
>don't really need a match on ct_state=-trk now that we have different
>tables for pre-conntrack and post-conntrack flows.

Good point, I removed all the superfluous ct_state=-trk from the tables.

>
>Acked-by: Joe Stringer <joe at ovn.org>

Thanks for the fast review, applied to master

>
>> ---
>>  tests/ofproto-dpif.at | 263 +++++++++++++++++++++++++++++++++-----------------
>>  1 file changed, 174 insertions(+), 89 deletions(-)
>>
>> diff --git a/tests/ofproto-dpif.at b/tests/ofproto-dpif.at
>> index 5ce6439..b2373d3 100644
>> --- a/tests/ofproto-dpif.at
>> +++ b/tests/ofproto-dpif.at
>> @@ -8107,11 +8107,17 @@ AT_CHECK([ovs-appctl vlog/set dpif_netdev:dbg vconn:info ofproto_dpif:info])
>>
>>  dnl Allow new connections on p1->p2, but not on p2->p1.
>>  AT_DATA([flows.txt], [dnl
>> -priority=1,action=drop
>> -priority=10,arp,action=normal
>> -priority=100,in_port=1,udp,action=ct(commit,zone=0),controller
>> -priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0,zone=0)
>> -priority=100,in_port=2,ct_state=+trk+est-new,udp,action=controller
>> +dnl Table 0
>> +dnl
>> +table=0,priority=100,arp,action=normal
>> +table=0,priority=10,in_port=1,udp,action=ct(commit,zone=0),controller
>> +table=0,priority=10,in_port=2,ct_state=-trk,udp,action=ct(table=1,zone=0)
>> +table=0,priority=1,action=drop
>> +dnl
>> +dnl Table 1
>> +dnl
>> +table=1,priority=10,in_port=2,ct_state=+trk+est-new,udp,action=controller
>> +table=1,priority=1,action=drop
>>  ])
>>
>>  AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
>> @@ -8137,7 +8143,7 @@ AT_CHECK([cat ofctl_monitor.log], [0], [dnl
>>  NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
>>  udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=1,tp_dst=2 udp_csum:e9d6
>>  dnl
>> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
>> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
>>  udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:0a,dl_dst=50:54:00:00:00:09,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=2,tp_dst=1 udp_csum:e9d6
>>  ])
>>
>> @@ -8160,7 +8166,7 @@ AT_CHECK([cat ofctl_monitor.log], [0], [dnl
>>  NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
>>  udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=3,tp_dst=4 udp_csum:e9d2
>>  dnl
>> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
>> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
>>  udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:0a,dl_dst=50:54:00:00:00:09,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4,tp_dst=3 udp_csum:e9d2
>>  ])
>>
>> @@ -8176,11 +8182,16 @@ AT_CHECK([ovs-appctl vlog/set dpif_netdev:dbg vconn:info ofproto_dpif:info])
>>
>>  dnl Allow new connections on p1->p2, but not on p2->p1.
>>  AT_DATA([flows.txt], [dnl
>> -priority=1,action=drop
>> -priority=10,arp,action=normal
>> -priority=100,in_port=1,udp6,action=ct(commit,zone=0),controller
>> -priority=100,in_port=2,ct_state=-trk,udp6,action=ct(table=0,zone=0)
>> -priority=100,in_port=2,ct_state=+trk+est-new,udp6,action=controller
>> +dnl Table 0
>> +dnl
>> +table=0,priority=100,arp,action=normal
>> +table=0,priority=10,in_port=1,udp6,action=ct(commit,zone=0),controller
>> +table=0,priority=10,in_port=2,ct_state=-trk,udp6,action=ct(table=1,zone=0)
>> +table=0,priority=1,action=drop
>> +dnl Table 1
>> +dnl
>> +table=1,priority=10,in_port=2,ct_state=+trk+est-new,udp6,action=controller
>> +table=1,priority=1,action=drop
>>  ])
>>
>>  AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
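Review bot: The `dnl Table 1` header in this udp6 flows.txt block follows `table=0,priority=1,action=drop` directly, whereas the other pipelines rewritten in this patch put a bare `dnl` separator line before it. Adding that `dnl` line keeps the near-identical flow blocks uniform and easier to compare across tests. The enclosing test starts and ends outside the hunk.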
>> @@ -8205,7 +8216,7 @@ dnl happens because the ct_state field is available only after recirc.
>>  AT_CHECK([cat ofctl_monitor.log], [0], [dnl
>>  NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=62 in_port=1 (via action) data_len=62 (unbuffered)
>>  udp6,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,ipv6_src=2001:db8::1,ipv6_dst=2001:db8::2,ipv6_label=0x00000,nw_tos=112,nw_ecn=0,nw_ttl=128,tp_src=1,tp_dst=2 udp_csum:a466
>> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=62 ct_state=est|rpl|trk,in_port=2 (via action) data_len=62 (unbuffered)
>> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=62 ct_state=est|rpl|trk,in_port=2 (via action) data_len=62 (unbuffered)
>>  udp6,vlan_tci=0x0000,dl_src=50:54:00:00:00:0a,dl_dst=50:54:00:00:00:09,ipv6_src=2001:db8::2,ipv6_dst=2001:db8::1,ipv6_label=0x00000,nw_tos=112,nw_ecn=0,nw_ttl=128,tp_src=2,tp_dst=1 udp_csum:a466
>>  ])
>>
>> @@ -8221,11 +8232,26 @@ AT_CHECK([ovs-appctl vlog/set dpif_netdev:dbg vconn:info ofproto_dpif:info])
>>
>>  dnl Allow new connections on p1->p2. Allow only established connections p2->p1
>>  AT_DATA([flows.txt], [dnl
>> -priority=1,action=drop
>> -priority=10,arp,action=normal
>> -priority=100,in_port=1,udp,action=ct(commit,zone=0),2
>> -priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0,zone=0)
>> -priority=100,in_port=2,ct_state=+trk+est-new,udp,action=1
>> +dnl The flows are in two separate tables for two reasons:
>> +dnl * To make the pipeline more clear.
>> +dnl * To make megaflows more consistent (we check megaflows below).  The
>> +dnl   unwildcarding in megaflows depends on the internal ordering of the
>> +dnl   subtables, which are sorted using the system qsort().  qsort()
>> +dnl   is provided by libc and may or may not be stable, so we can't rely
>> +dnl   on that.  By having separate tables we have more control over which
>> +dnl   subtables are visited, meaning consistent megaflows.
>> +dnl
>> +dnl Table 0
>> +dnl
>> +table=0,priority=100,arp,action=normal
>> +table=0,priority=10,in_port=1,udp,action=ct(commit,zone=0),2
>> +table=0,priority=10,in_port=2,ct_state=-trk,udp,action=ct(table=1,zone=0)
>> +table=0,priority=1,action=drop
>> +dnl
>> +dnl Table 1
>> +dnl
>> +table=1,priority=10,in_port=2,ct_state=+trk+est-new,udp,action=1
>> +table=1,priority=1,action=drop
>>  ])
>>
>>  AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
>> @@ -8265,11 +8291,17 @@ AT_CHECK([ovs-appctl vlog/set dpif_netdev:dbg vconn:info ofproto_dpif:info])
>>
>>  dnl Allow new connections on p1->p2. Allow only established connections p2->p1
>>  AT_DATA([flows.txt], [dnl
>> -priority=1,action=drop
>> -priority=10,arp,action=normal
>> -priority=100,in_port=1,udp,action=ct(commit,zone=0)
>> -priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0,zone=0)
>> -priority=100,in_port=2,ct_state=+trk+est-new,udp,action=controller
>> +dnl Table 0
>> +dnl
>> +table=0,priority=100,arp,action=normal
>> +table=0,priority=10,in_port=1,udp,action=ct(commit,zone=0)
>> +table=0,priority=10,in_port=2,ct_state=-trk,udp,action=ct(table=1,zone=0)
>> +table=0,priority=1,action=drop
>> +dnl
>> +dnl Table 1
>> +dnl
>> +table=1,priority=10,in_port=2,ct_state=+trk+est-new,udp,action=controller
>> +table=1,priority=1,action=drop
>>  ])
>>
>>  AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
>> @@ -8295,7 +8327,7 @@ OVS_WAIT_UNTIL([ovs-appctl -t ovs-ofctl exit])
>>
>>  dnl Check this output. Only one reply must be there
>>  AT_CHECK([cat ofctl_monitor.log], [0], [dnl
>> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
>> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
>>  udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:0a,dl_dst=50:54:00:00:00:09,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=2,tp_dst=1 udp_csum:e9d6
>>  dnl
>>  OFPT_ECHO_REQUEST (xid=0x0): 0 bytes of payload
>> @@ -8347,14 +8379,20 @@ dnl Allow new connections on p1->p2 or p3->p4.
>>  dnl Allow only established connections p2->p1 and p4->p3
>>  dnl p1,p2 and p3,p4 are on different zones
>>  AT_DATA([flows.txt], [dnl
>> -priority=1,action=drop
>> -priority=10,arp,action=normal
>> -priority=100,in_port=1,udp,action=ct(commit,zone=0),controller
>> -priority=100,in_port=2,ct_state=-trk,udp,action=ct(table=0,zone=0)
>> -priority=100,in_port=2,ct_state=+trk+est-new,udp,action=controller
>> -priority=100,in_port=3,udp,action=ct(commit,zone=1),controller
>> -priority=100,in_port=4,ct_state=-trk,udp,action=ct(table=0,zone=1)
>> -priority=100,in_port=4,ct_state=+trk+est-new,udp,action=controller
>> +dnl Table 0
>> +dnl
>> +table=0,priority=100,arp,action=normal
>> +table=0,priority=10,in_port=1,udp,action=ct(commit,zone=0),controller
>> +table=0,priority=10,in_port=2,ct_state=-trk,udp,action=ct(table=1,zone=0)
>> +table=0,priority=10,in_port=3,udp,action=ct(commit,zone=1),controller
>> +table=0,priority=10,in_port=4,ct_state=-trk,udp,action=ct(table=1,zone=1)
>> +table=0,priority=1,action=drop
>> +dnl
>> +dnl Table 1
>> +dnl
>> +table=1,priority=10,in_port=2,ct_state=+trk+est-new,udp,action=controller
>> +table=1,priority=10,in_port=4,ct_state=+trk+est-new,udp,action=controller
>> +table=1,priority=1,action=drop
>>  ])
>>
>>  AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
>> @@ -8382,17 +8420,16 @@ AT_CHECK([cat ofctl_monitor.log], [0], [dnl
>>  NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 in_port=1 (via action) data_len=42 (unbuffered)
>>  udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=1,tp_dst=2 udp_csum:e9d6
>>  dnl
>> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
>> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
>>  udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:0a,dl_dst=50:54:00:00:00:09,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=2,tp_dst=1 udp_csum:e9d6
>>  dnl
>>  NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 in_port=3 (via action) data_len=42 (unbuffered)
>>  udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=1,tp_dst=2 udp_csum:e9d6
>>  dnl
>> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,ct_zone=1,in_port=4 (via action) data_len=42 (unbuffered)
>> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=42 ct_state=est|rpl|trk,ct_zone=1,in_port=4 (via action) data_len=42 (unbuffered)
>>  udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:0a,dl_dst=50:54:00:00:00:09,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=2,tp_dst=1 udp_csum:e9d6
>>  ])
>>
>> -
>>  OVS_VSWITCHD_STOP
>>  AT_CLEANUP
>>
>> @@ -8405,11 +8442,17 @@ AT_CHECK([ovs-appctl vlog/set dpif_netdev:dbg vconn:info ofproto_dpif:info])
>>
>>  dnl Allow new connections on p1->p2. Allow only established connections p2->p1
>>  AT_DATA([flows.txt], [dnl
>> -priority=1,action=drop
>> -priority=10,arp,action=normal
>> -priority=100,ct_state=-trk,udp,action=ct(table=0,zone=0)
>> -priority=100,in_port=1,ct_state=+trk+new,udp,action=ct(commit,zone=0),controller
>> -priority=100,ct_state=+trk+est,udp,action=controller
>> +dnl Table 0
>> +dnl
>> +table=0,priority=100,arp,action=normal
>> +table=0,priority=10,ct_state=-trk,udp,action=ct(table=1,zone=0)
>> +table=0,priority=1,action=drop
>> +dnl
>> +dnl Table 1
>> +dnl
>> +table=1,priority=10,in_port=1,ct_state=+trk+new,udp,action=ct(commit,zone=0),controller
>> +table=1,priority=10,ct_state=+trk+est,udp,action=controller
>> +table=1,priority=1,action=drop
>>  ])
>>
>>  AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
>> @@ -8430,10 +8473,10 @@ OVS_WAIT_UNTIL([ovs-appctl -t ovs-ofctl exit])
>>
>>  dnl Check this output. We only see the latter two packets, not the first.
>>  AT_CHECK([cat ofctl_monitor.log], [0], [dnl
>> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=new|trk,in_port=1 (via action) data_len=42 (unbuffered)
>> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=42 ct_state=new|trk,in_port=1 (via action) data_len=42 (unbuffered)
>>  udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=1,tp_dst=2 udp_csum:e9d6
>>  dnl
>> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
>> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=42 ct_state=est|rpl|trk,in_port=2 (via action) data_len=42 (unbuffered)
>>  udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:0a,dl_dst=50:54:00:00:00:09,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=2,tp_dst=1 udp_csum:e9d6
>>  ])
>>
>> @@ -8447,12 +8490,18 @@ add_of_ports br0 1 2
>>
>>  dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
>>  AT_DATA([flows.txt], [dnl
>> -priority=1,action=drop
>> -priority=10,arp,action=normal
>> -priority=100,in_port=1,ct_state=-trk,udp,action=ct(commit,zone=0,table=0)
>> -priority=100,in_port=1,ct_state=+trk,actions=controller
>> -priority=100,in_port=2,ct_state=-trk,action=ct(table=0,zone=0)
>> -priority=100,in_port=2,ct_state=+trk-inv-new,action=controller
>> +dnl Table 0
>> +dnl
>> +table=0,priority=100,arp,action=normal
>> +table=0,priority=10,in_port=1,ct_state=-trk,udp,action=ct(commit,table=1)
>> +table=0,priority=10,in_port=2,ct_state=-trk,action=ct(table=1)
>> +table=0,priority=1,action=drop
>> +dnl
>> +dnl Table 1
>> +dnl
>> +table=1,priority=10,in_port=1,ct_state=+trk,action=controller
>> +table=1,priority=10,in_port=2,ct_state=+trk-inv-new,action=controller
>> +table=1,priority=1,action=drop
>>  ])
>>
>>  AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
>> @@ -8461,23 +8510,23 @@ AT_CAPTURE_FILE([ofctl_monitor.log])
>>  AT_CHECK([ovs-ofctl monitor br0 65534 invalid_ttl -P nxt_packet_in --detach --no-chdir --pidfile 2> ofctl_monitor.log])
>>
>>  dnl 1. Send an ICMP port unreach reply for port 8738, without any previous request
>> -AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0,zone=0\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f351ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000da5a06369616f0a'])
>> +AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=1\) 'f64c473528c9c6f54ecb72db080045c0003d2e8700004001f351ac100004ac1000030303553f0000000045000021317040004011b138ac100003ac10000411112222000da5a06369616f0a'])
>>
>>  dnl 2. Send and UDP packet to port 5555
>> -AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,zone=0,table=0\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
>> +AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 1 ct\(commit,table=1\) 'c6f94ecb72dbe64c473528c9080045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
>>
>>  dnl 3. Send an ICMP port unreach reply for port 5555, related to the first packet
>> -AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=0,zone=0\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
>> +AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 2 ct\(table=1\) 'e64c473528c9c6f94ecb72db080045c0003d2e8700004001f355ac100002ac1000010303553f0000000045000021317040004011b138ac100001ac100002a28e15b3000d20966369616f0a'])
>>
>>  OVS_WAIT_UNTIL([test `wc -l < ofctl_monitor.log` -ge 4])
>>  OVS_WAIT_UNTIL([ovs-appctl -t ovs-ofctl exit])
>>
>>  dnl Check this output. We only see the first and the last packet
>>  AT_CHECK([cat ofctl_monitor.log], [0], [dnl
>> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
>> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=47 ct_state=new|trk,in_port=1 (via action) data_len=47 (unbuffered)
>>  udp,vlan_tci=0x0000,dl_src=e6:4c:47:35:28:c9,dl_dst=c6:f9:4e:cb:72:db,nw_src=172.16.0.1,nw_dst=172.16.0.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=41614,tp_dst=5555 udp_csum:2096
>>  dnl
>> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
>> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=75 ct_state=rel|rpl|trk,in_port=2 (via action) data_len=75 (unbuffered)
>>  icmp,vlan_tci=0x0000,dl_src=c6:f9:4e:cb:72:db,dl_dst=e6:4c:47:35:28:c9,nw_src=172.16.0.2,nw_dst=172.16.0.1,nw_tos=192,nw_ecn=0,nw_ttl=64,icmp_type=3,icmp_code=3 icmp_csum:553f
>>  ])
>>
>> @@ -8493,13 +8542,19 @@ AT_CHECK([ovs-appctl vlog/set dpif_netdev:dbg vconn:info ofproto_dpif:info])
>>
>>  dnl Allow new connections on p1->p2. Allow only established connections p2->p1
>>  AT_DATA([flows.txt], [dnl
>> -priority=1,action=drop
>> -priority=10,arp,action=normal
>> -priority=100,in_port=1,ct_state=-trk,udp,tp_src=1,action=ct(commit,exec(set_field:1->ct_mark)),controller
>> -priority=100,in_port=1,ct_state=-trk,udp,tp_src=3,action=ct(commit,exec(set_field:3->ct_mark)),controller
>> -priority=100,in_port=1,ct_state=-trk,udp,tp_src=5,action=ct(commit,exec(set_field:5->ct_mark)),controller
>> -priority=100,in_port=2,ct_state=-trk,actions=ct(table=0)
>> -priority=100,ct_state=+trk+rpl,ct_mark=0/4,actions=controller
>> +dnl Table 0
>> +dnl
>> +table=0,priority=100,arp,action=normal
>> +table=0,priority=10,in_port=1,ct_state=-trk,udp,tp_src=1,action=ct(commit,exec(set_field:1->ct_mark)),controller
>> +table=0,priority=10,in_port=1,ct_state=-trk,udp,tp_src=3,action=ct(commit,exec(set_field:3->ct_mark)),controller
>> +table=0,priority=10,in_port=1,ct_state=-trk,udp,tp_src=5,action=ct(commit,exec(set_field:5->ct_mark)),controller
>> +table=0,priority=10,in_port=2,ct_state=-trk,actions=ct(table=1)
>> +table=0,priority=1,action=drop
>> +dnl
>> +dnl Table 1
>> +dnl
>> +table=1,priority=100,ct_state=+trk+rpl,ct_mark=0/4,actions=controller
>> +table=1,priority=1,action=drop
>>  ])
>>
>>  AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
>> @@ -8529,10 +8584,10 @@ dnl
>>  NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_mark=0x5,in_port=1 (via action) data_len=42 (unbuffered)
>>  udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:09,dl_dst=50:54:00:00:00:0a,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=5,tp_dst=6 udp_csum:e9ce
>>  dnl
>> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,ct_mark=0x1,in_port=2 (via action) data_len=42 (unbuffered)
>> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=42 ct_state=est|rpl|trk,ct_mark=0x1,in_port=2 (via action) data_len=42 (unbuffered)
>>  udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:0a,dl_dst=50:54:00:00:00:09,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=2,tp_dst=1 udp_csum:e9d6
>>  dnl
>> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,ct_mark=0x3,in_port=2 (via action) data_len=42 (unbuffered)
>> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=42 ct_state=est|rpl|trk,ct_mark=0x3,in_port=2 (via action) data_len=42 (unbuffered)
>>  udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:0a,dl_dst=50:54:00:00:00:09,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4,tp_dst=3 udp_csum:e9d2
>>  ])
>>
>> @@ -8548,12 +8603,17 @@ AT_CHECK([ovs-appctl vlog/set dpif_netdev:dbg vconn:info ofproto_dpif:info])
>>
>>  dnl Allow new connections on p1->p2. Allow only established connections p2->p1
>>  AT_DATA([flows.txt], [dnl
>> -priority=1,action=drop
>> -priority=10,arp,action=normal
>> -priority=100,in_port=1,ct_state=-trk,udp,tp_src=1,action=ct(commit,exec(set_field:000000000000000001->ct_label))
>> -priority=100,in_port=1,ct_state=-trk,udp,tp_src=3,action=ct(commit,exec(set_field:000000000000000002->ct_label))
>> -priority=100,in_port=2,ct_state=-trk,actions=ct(table=0)
>> -priority=100,ct_state=+trk+rpl,actions=controller
>> +dnl Table 0
>> +dnl
>> +table=0,priority=100,arp,action=normal
>> +table=0,priority=10,in_port=1,ct_state=-trk,udp,tp_src=1,action=ct(commit,exec(set_field:000000000000000001->ct_label))
>> +table=0,priority=10,in_port=1,ct_state=-trk,udp,tp_src=3,action=ct(commit,exec(set_field:000000000000000002->ct_label))
>> +table=0,priority=10,in_port=2,ct_state=-trk,actions=ct(table=1)
>> +dnl
>> +dnl Table 1
>> +dnl
>> +table=1,priority=10,ct_state=+trk+rpl,actions=controller
>> +table=1,priority=1,action=drop
>>  ])
>>
>>  AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
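Review bot: Table 0 in this flows.txt loses its catch-all: the old `priority=1,action=drop` is removed and, unlike the other tests rewritten in this patch, no `table=0,priority=1,action=drop` is added after the `in_port=2` rule. Packets that match none of the table 0 flows (for example UDP from port 1 with a `tp_src` other than 1 or 3) would then depend on the bridge's table-miss handling rather than an explicit default-deny. Unless that is intended, add `table=0,priority=1,action=drop` before the `dnl Table 1` header. The test body continues outside the hunk.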
>> @@ -8572,10 +8632,10 @@ OVS_WAIT_UNTIL([ovs-appctl -t ovs-ofctl exit])
>>
>>  dnl Check this output.
>>  AT_CHECK([cat ofctl_monitor.log], [0], [dnl
>> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,ct_label=0x1,in_port=2 (via action) data_len=42 (unbuffered)
>> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=42 ct_state=est|rpl|trk,ct_label=0x1,in_port=2 (via action) data_len=42 (unbuffered)
>>  udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:0a,dl_dst=50:54:00:00:00:09,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=2,tp_dst=1 udp_csum:e9d6
>>  dnl
>> -NXT_PACKET_IN (xid=0x0): cookie=0x0 total_len=42 ct_state=est|rpl|trk,ct_label=0x2,in_port=2 (via action) data_len=42 (unbuffered)
>> +NXT_PACKET_IN (xid=0x0): table_id=1 cookie=0x0 total_len=42 ct_state=est|rpl|trk,ct_label=0x2,in_port=2 (via action) data_len=42 (unbuffered)
>>  udp,vlan_tci=0x0000,dl_src=50:54:00:00:00:0a,dl_dst=50:54:00:00:00:09,nw_src=10.1.1.2,nw_dst=10.1.1.1,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=4,tp_dst=3 udp_csum:e9d2
>>  ])
>>
>> @@ -8591,11 +8651,26 @@ AT_CHECK([ovs-appctl vlog/set dpif_netdev:dbg vconn:info ofproto_dpif:info])
>>
>>  dnl Allow new connections on p1->p2. Allow only established connections p2->p1
>>  AT_DATA([flows.txt], [dnl
>> -priority=1,action=drop
>> -priority=10,arp,action=normal
>> -priority=100,in_port=1,ct_state=-trk,udp,tp_src=1,action=ct(commit,exec(set_field:1->ct_label)),2
>> -priority=100,in_port=2,ct_state=-trk,actions=ct(table=0)
>> -priority=100,ct_state=+trk+rpl,ct_label=0x1,actions=1
>> +dnl The flows are in two separate tables for two reasons:
>> +dnl * To make the pipeline more clear.
>> +dnl * To make megaflows more consistent (we check megaflows below).  The
>> +dnl   unwildcarding in megaflows depends on the internal ordering of the
>> +dnl   subtables, which are sorted using the system qsort().  qsort()
>> +dnl   is provided by libc and may or may not be stable, so we can't rely
>> +dnl   on that.  By having separate tables we have more control over which
>> +dnl   subtables are visited, meaning consistent megaflows.
>> +dnl
>> +dnl Table 0
>> +dnl
>> +table=0,priority=100,arp,action=normal
>> +table=0,priority=10,in_port=1,ct_state=-trk,udp,tp_src=1,action=ct(commit,exec(set_field:1->ct_label)),2
>> +table=0,priority=10,in_port=2,ct_state=-trk,actions=ct(table=1)
>> +table=0,priority=1,action=drop
>> +dnl
>> +dnl Table 1
>> +dnl
>> +table=1,priority=10,ct_state=+trk+rpl,ct_label=0x1,actions=1
>> +table=1,priority=1,action=drop
>>  ])
>>
>>  AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
>> @@ -8645,17 +8720,22 @@ AT_CHECK([ovs-appctl vlog/set dpif_netdev:dbg vconn:info ofproto_dpif:info])
>>
>>  dnl Allow new connections on p1->p2. Allow only established connections p2->p1
>>  AT_DATA([flows.txt], [dnl
>> -priority=1,action=drop
>> -priority=10,arp,action=normal
>> -in_port=1,ip,ct_state=-trk,action=ct(commit,table=0)
>> +dnl Table 0
>> +dnl
>> +table=0,priority=100,arp,action=normal
>> +table=0,priority=10,in_port=1,ip,ct_state=-trk,action=ct(commit,table=1)
>> +table=0,priority=10,in_port=2,ip,ct_state=-trk,action=ct(table=1)
>> +table=0,priority=1,action=drop
>> +dnl
>> +dnl Table 1
>> +dnl
>>  dnl The following two flows are separated to explicitly count the packets
>>  dnl that create a new connection
>> -priority=100,cookie=0x1,in_port=1,ip,ct_state=+trk+new-inv-rpl,action=2
>> -priority=100,in_port=1,ip,ct_state=+trk-new-inv-rpl,action=2
>> +table=1,priority=100,cookie=0x1,in_port=1,ip,ct_state=+trk+new-inv-rpl,action=2
>> +table=1,priority=100,in_port=1,ip,ct_state=+trk-new-inv-rpl,action=2
>>  dnl
>> -priority=100,in_port=2,ip,ct_state=-trk,action=ct(table=0)
>> -priority=100,in_port=2,ip,ct_state=+trk+est+rpl-new-inv,action=1
>> -ip,ct_state=+trk+inv,action=drop
>> +table=1,priority=100,in_port=2,ip,ct_state=+trk+est+rpl-new-inv,action=1
>> +table=1,ip,ct_state=+trk+inv,action=drop
>>  ])
>>
>>  AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
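Review bot: Table 1 in this pipeline has no catch-all drop, and `table=1,ip,ct_state=+trk+inv,action=drop` is the only flow without an explicit priority. Before the change, a tracked packet from port 2 that was not an established reply fell through to `priority=1,action=drop`; now it misses in table 1 and is left to table-miss handling. That is the case an "only established connections p2->p1" policy most needs to pin down. Consider adding `table=1,priority=1,action=drop` and stating the priority on the invalid-state flow, e.g. `table=1,priority=100,ip,ct_state=+trk+inv,action=drop`; the table 1 matches are disjoint on `inv`, so this should not change which flow wins. The test body continues outside the hunk.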
>> @@ -8704,12 +8784,17 @@ AT_CHECK([ovs-appctl vlog/set dpif_netdev:dbg vconn:info ofproto_dpif:info])
>>
>>  dnl Allow new connections on p1->p2. Allow only established connections p2->p1
>>  AT_DATA([flows.txt], [dnl
>> -priority=1,action=drop
>> -priority=10,arp,action=normal
>> -priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=0,table=0)
>> -priority=100,in_port=2,tcp,ct_state=-trk,action=ct(table=0,zone=0)
>> -priority=100,in_port=2,tcp,ct_state=+trk+est-new,action=drop
>> -cookie=0x1,ip,ct_state=+trk+inv,action=controller
>> +dnl Table 0
>> +dnl
>> +table=0,priority=100,arp,action=normal
>> +table=0,priority=10,in_port=1,tcp,ct_state=-trk,action=ct(commit,table=1)
>> +table=0,priority=10,in_port=2,tcp,ct_state=-trk,action=ct(table=1)
>> +table=0,priority=1,action=drop
>> +dnl
>> +dnl Table 1
>> +dnl
>> +table=1,priority=10,cookie=0x1,ip,ct_state=+trk+inv,action=controller
>> +table=1,priority=1,action=drop
>>  ])
>>
>>  AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
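Review bot: The context comment `dnl Allow new connections on p1->p2. Allow only established connections p2->p1` above this flows.txt does not describe the rewritten pipeline. Table 1 sends only `+trk+inv` packets to the controller and drops everything else, and there is no forwarding flow for either direction. A comment such as `dnl Track TCP in both directions; send invalid packets to the controller and drop the rest.` would match what the flows do. The test continues outside the hunk.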
>> --
>> 2.8.1
>>

