From 7c29a0b971d1eef3c99ec8d57a04c3e1fa4ced71 Mon Sep 17 00:00:00 2001 From: Open vSwitch CI Date: Dec 03 2024 01:21:33 +0000 Subject: Import openvswitch3.4-3.4.0-23 from Fast DataPath --- diff --git a/SOURCES/openvswitch-3.4.0.patch b/SOURCES/openvswitch-3.4.0.patch index 4c8da70..f4c0d24 100644 --- a/SOURCES/openvswitch-3.4.0.patch +++ b/SOURCES/openvswitch-3.4.0.patch @@ -1256,11 +1256,18 @@ index 37c509ac68..6c60c07e3f 100755 unixctl_server.close() diff --git a/lib/classifier.h b/lib/classifier.h -index f55a2cba99..c9cab970ec 100644 +index f55a2cba99..7928601e0f 100644 --- a/lib/classifier.h +++ b/lib/classifier.h -@@ -170,7 +170,7 @@ - * value of the "prefix" key is a comma separated list of field names. +@@ -165,12 +165,11 @@ + * separate tries for subsets of rules separated by metadata fields. + * + * Prefix tracking is configured via OVSDB "Flow_Table" table, +- * "fieldspec" column. "fieldspec" is a string map where a "prefix" +- * key tells which fields should be used for prefix tracking. The +- * value of the "prefix" key is a comma separated list of field names. ++ * "prefixes" column. "prefixes" is a string set where each element ++ * is a name of a field that should be used for prefix tracking. * * There is a maximum number of fields that can be enabled for any one - * flow table. Currently this limit is 3. @@ -1268,7 +1275,7 @@ index f55a2cba99..c9cab970ec 100644 * * * Partitioning (Lookup Time and Wildcard Optimization) -@@ -328,7 +328,7 @@ struct cls_trie { +@@ -328,7 +327,7 @@ struct cls_trie { enum { CLS_MAX_INDICES = 3, /* Maximum number of lookup indices per subtable. */ 
@@ -1464,6 +1471,59 @@ index 499be04b60..2595fd634b 100644 break; case MFF_ARP_SPA: +diff --git a/lib/netdev-bsd.c b/lib/netdev-bsd.c +index 8596741aa1..6e3091b939 100644 +--- a/lib/netdev-bsd.c ++++ b/lib/netdev-bsd.c +@@ -669,6 +669,7 @@ netdev_bsd_rxq_drain(struct netdev_rxq *rxq_) + struct ifreq ifr; + struct netdev_rxq_bsd *rxq = netdev_rxq_bsd_cast(rxq_); + ++ memset(&ifr, 0, sizeof ifr); + strcpy(ifr.ifr_name, netdev_get_kernel_name(netdev_rxq_get_netdev(rxq_))); + if (ioctl(rxq->fd, BIOCFLUSH, &ifr) == -1) { + VLOG_DBG_RL(&rl, "%s: ioctl(BIOCFLUSH) failed: %s", +@@ -828,6 +829,7 @@ netdev_bsd_get_mtu(const struct netdev *netdev_, int *mtup) + if (!(netdev->cache_valid & VALID_MTU)) { + struct ifreq ifr; + ++ memset(&ifr, 0, sizeof ifr); + error = af_inet_ifreq_ioctl(netdev_get_kernel_name(netdev_), &ifr, + SIOCGIFMTU, "SIOCGIFMTU"); + if (!error) { +@@ -1440,6 +1442,8 @@ do_set_addr(struct netdev *netdev, + struct in_addr addr) + { + struct ifreq ifr; ++ ++ memset(&ifr, 0, sizeof ifr); + make_in4_sockaddr(&ifr.ifr_addr, addr); + return af_inet_ifreq_ioctl(netdev_get_kernel_name(netdev), &ifr, ioctl_nr, + ioctl_name); +@@ -1547,6 +1551,7 @@ destroy_tap(int fd, const char *name) + struct ifreq ifr; + + close(fd); ++ memset(&ifr, 0, sizeof ifr); + strcpy(ifr.ifr_name, name); + /* XXX What to do if this call fails? */ + af_inet_ioctl(SIOCIFDESTROY, &ifr); +@@ -1558,6 +1563,7 @@ get_flags(const struct netdev *netdev, int *flags) + struct ifreq ifr; + int error; + ++ memset(&ifr, 0, sizeof ifr); + error = af_inet_ifreq_ioctl(netdev_get_kernel_name(netdev), &ifr, + SIOCGIFFLAGS, "SIOCGIFFLAGS"); + +@@ -1571,6 +1577,7 @@ set_flags(const char *name, int flags) + { + struct ifreq ifr; + ++ memset(&ifr, 0, sizeof ifr); + ifr_set_flags(&ifr, flags); + + return af_inet_ifreq_ioctl(name, &ifr, SIOCSIFFLAGS, "SIOCSIFFLAGS"); diff --git a/lib/netdev-dpdk.c b/lib/netdev-dpdk.c index 7cced0f226..d3cd66f18a 100644 --- a/lib/netdev-dpdk.c 
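Review bot: The two `strcpy(ifr.ifr_name, ...)` calls left as context in netdev_bsd_rxq_drain() and destroy_tap() still copy an interface name into the fixed-size `ifr_name` field with no length bound. The added `memset` stops uninitialised stack bytes from reaching the ioctl, but it does not prevent an overrun of the same struct. A bounded copy such as `ovs_strzcpy(ifr.ifr_name, name, sizeof ifr.ifr_name);` would close that; linux_get_ifindex() in the lib/netdev-linux.c part of this patch already uses that form. Whether callers guarantee names shorter than the field is not visible here, and every function touched in this hunk starts or ends outside it.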
@@ -1484,11 +1544,117 @@ index 7cced0f226..d3cd66f18a 100644 netdev_get_name(&dev->up)); info.tx_offload_capa &= ~RTE_ETH_TX_OFFLOAD_OUTER_UDP_CKSUM; info.tx_offload_capa &= ~RTE_ETH_TX_OFFLOAD_VXLAN_TNL_TSO; +diff --git a/lib/netdev-linux.c b/lib/netdev-linux.c +index 0cd0850a31..19bf62ecee 100644 +--- a/lib/netdev-linux.c ++++ b/lib/netdev-linux.c +@@ -1028,6 +1028,8 @@ netdev_linux_construct_tap(struct netdev *netdev_) + ovsthread_once_done(&once); + } + ++ memset(&ifr, 0, sizeof ifr); ++ + ifr.ifr_flags = IFF_TAP | IFF_NO_PI; + if (tap_supports_vnet_hdr) { + ifr.ifr_flags |= IFF_VNET_HDR; +@@ -1582,8 +1584,11 @@ netdev_linux_rxq_drain(struct netdev_rxq *rxq_) + struct netdev_rxq_linux *rx = netdev_rxq_linux_cast(rxq_); + if (rx->is_tap) { + struct ifreq ifr; +- int error = af_inet_ifreq_ioctl(netdev_rxq_get_name(rxq_), &ifr, +- SIOCGIFTXQLEN, "SIOCGIFTXQLEN"); ++ int error; ++ ++ memset(&ifr, 0, sizeof ifr); ++ error = af_inet_ifreq_ioctl(netdev_rxq_get_name(rxq_), &ifr, ++ SIOCGIFTXQLEN, "SIOCGIFTXQLEN"); + if (error) { + return error; + } +@@ -1939,6 +1944,7 @@ netdev_linux_get_mtu__(struct netdev_linux *netdev, int *mtup) + /* Fall back to ioctl if netlink fails */ + struct ifreq ifr; + ++ memset(&ifr, 0, sizeof ifr); + netdev->netdev_mtu_error = af_inet_ifreq_ioctl( + netdev_get_name(&netdev->up), &ifr, SIOCGIFMTU, "SIOCGIFMTU"); + netdev->mtu = ifr.ifr_mtu; +@@ -2001,7 +2007,10 @@ netdev_linux_set_mtu(struct netdev *netdev_, int mtu) + } + netdev->cache_valid &= ~VALID_MTU; + } ++ ++ memset(&ifr, 0, sizeof ifr); + ifr.ifr_mtu = mtu; ++ + error = af_inet_ifreq_ioctl(netdev_get_name(netdev_), &ifr, + SIOCSIFMTU, "SIOCSIFMTU"); + if (!error || error == ENODEV) { +@@ -3570,6 +3579,7 @@ do_set_addr(struct netdev *netdev, + { + struct ifreq ifr; + ++ memset(&ifr, 0, sizeof ifr); + make_in4_sockaddr(&ifr.ifr_addr, addr); + return af_inet_ifreq_ioctl(netdev_get_name(netdev), &ifr, ioctl_nr, + ioctl_name); +@@ -6767,6 +6777,7 @@ get_flags(const struct netdev *dev, 
unsigned int *flags) + struct ifreq ifr; + int error; + ++ memset(&ifr, 0, sizeof ifr); + *flags = 0; + error = af_inet_ifreq_ioctl(dev->name, &ifr, SIOCGIFFLAGS, "SIOCGIFFLAGS"); + if (!error) { +@@ -6780,6 +6791,7 @@ set_flags(const char *name, unsigned int flags) + { + struct ifreq ifr; + ++ memset(&ifr, 0, sizeof ifr); + ifr.ifr_flags = flags; + return af_inet_ifreq_ioctl(name, &ifr, SIOCSIFFLAGS, "SIOCSIFFLAGS"); + } +@@ -6790,6 +6802,7 @@ linux_get_ifindex(const char *netdev_name) + struct ifreq ifr; + int error; + ++ memset(&ifr, 0, sizeof ifr); + ovs_strzcpy(ifr.ifr_name, netdev_name, sizeof ifr.ifr_name); + COVERAGE_INC(netdev_get_ifindex); + diff --git a/lib/netdev-native-tnl.c b/lib/netdev-native-tnl.c -index 16c56608d8..529d64fe1d 100644 +index 16c56608d8..74d2e6f1ea 100644 --- a/lib/netdev-native-tnl.c +++ b/lib/netdev-native-tnl.c -@@ -254,7 +254,7 @@ dp_packet_tnl_ol_process(struct dp_packet *packet, +@@ -61,6 +61,27 @@ static struct vlog_rate_limit err_rl = VLOG_RATE_LIMIT_INIT(60, 5); + uint16_t tnl_udp_port_min = 32768; + uint16_t tnl_udp_port_max = 61000; + ++ovs_be16 ++netdev_tnl_get_src_port(struct dp_packet *packet) ++{ ++ uint32_t hash; ++ ++ if (OVS_LIKELY(dp_packet_rss_valid(packet))) { ++ hash = dp_packet_get_rss_hash(packet); ++ } else { ++ struct flow flow; ++ ++ flow_extract(packet, &flow); ++ hash = flow_hash_5tuple(&flow, 0); ++ ++ dp_packet_set_rss_hash(packet, hash); ++ } ++ ++ hash = ((uint64_t) hash * (tnl_udp_port_max - tnl_udp_port_min)) >> 32; ++ ++ return htons(hash + tnl_udp_port_min); ++} ++ + void * + netdev_tnl_ip_extract_tnl_md(struct dp_packet *packet, struct flow_tnl *tnl, + unsigned int *hlen) +@@ -254,7 +275,7 @@ dp_packet_tnl_ol_process(struct dp_packet *packet, if (IP_VER(ip->ip_ihl_ver) == 4) { dp_packet_hwol_set_tx_ipv4(packet); 
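Review bot: In the now out-of-line netdev_tnl_get_src_port(), the scaling `(uint64_t) hash * (tnl_udp_port_max - tnl_udp_port_min)` is only correct when tnl_udp_port_max is greater than tnl_udp_port_min. The two uint16_t globals are promoted to int, so a reversed pair gives a negative difference that converts to a very large unsigned factor, and the returned port falls outside the configured range. The expression is carried over from the removed inline version, and nothing in this hunk shows where the globals are validated, so this may already be enforced by whatever sets them. Since the function is being rewritten anyway, I would state the assumption above it, e.g. `/* Requires tnl_udp_port_min < tnl_udp_port_max; returns a port in [min, max). */`, which also records that tnl_udp_port_max itself is never selected.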
@@ -1497,6 +1663,69 @@ index 16c56608d8..529d64fe1d 100644 } else if (IP_VER(ip->ip_ihl_ver) == 6) { dp_packet_hwol_set_tx_ipv6(packet); } +@@ -276,14 +297,18 @@ netdev_tnl_push_udp_header(const struct netdev *netdev OVS_UNUSED, + uint16_t l3_ofs = packet->l3_ofs; + uint16_t l4_ofs = packet->l4_ofs; + struct udp_header *udp; ++ ovs_be16 udp_src; + int ip_tot_size; + ++ /* We may need to re-calculate the hash and this has to be done before ++ * modifying the packet. */ ++ udp_src = netdev_tnl_get_src_port(packet); ++ + dp_packet_tnl_ol_process(packet, data); + udp = netdev_tnl_push_ip_header(packet, data->header, data->header_len, + &ip_tot_size, 0); + +- /* set udp src port */ +- udp->udp_src = netdev_tnl_get_src_port(packet); ++ udp->udp_src = udp_src; + udp->udp_len = htons(ip_tot_size); + + if (udp->udp_csum) { +@@ -831,13 +856,18 @@ netdev_gtpu_push_header(const struct netdev *netdev, + struct netdev_vport *dev = netdev_vport_cast(netdev); + struct udp_header *udp; + struct gtpuhdr *gtpuh; ++ ovs_be16 udp_src; + int ip_tot_size; + unsigned int payload_len; + ++ /* We may need to re-calculate the hash and this has to be done before ++ * modifying the packet. */ ++ udp_src = netdev_tnl_get_src_port(packet); ++ + payload_len = dp_packet_size(packet); + udp = netdev_tnl_push_ip_header(packet, data->header, data->header_len, + &ip_tot_size, 0); +- udp->udp_src = netdev_tnl_get_src_port(packet); ++ udp->udp_src = udp_src; + udp->udp_len = htons(ip_tot_size); + /* Postpone checksum to the egress netdev. 
*/ + dp_packet_hwol_set_csum_udp(packet); +diff --git a/lib/netdev-native-tnl.h b/lib/netdev-native-tnl.h +index eb55dd0417..5d8f1672a8 100644 +--- a/lib/netdev-native-tnl.h ++++ b/lib/netdev-native-tnl.h +@@ -123,16 +123,7 @@ netdev_tnl_ip_build_header(struct ovs_action_push_tnl *data, + extern uint16_t tnl_udp_port_min; + extern uint16_t tnl_udp_port_max; + +-static inline ovs_be16 +-netdev_tnl_get_src_port(struct dp_packet *packet) +-{ +- uint32_t hash; +- +- hash = dp_packet_get_rss_hash(packet); +- +- return htons((((uint64_t) hash * (tnl_udp_port_max - tnl_udp_port_min)) >> 32) + +- tnl_udp_port_min); +-} ++ovs_be16 netdev_tnl_get_src_port(struct dp_packet *); + + void * + netdev_tnl_ip_extract_tnl_md(struct dp_packet *packet, struct flow_tnl *tnl, diff --git a/lib/ofp-actions.c b/lib/ofp-actions.c index fe6a17b6da..8a05f7c9c8 100644 --- a/lib/ofp-actions.c @@ -1815,6 +2044,23 @@ index beb0ab0d66..fe2c5bb61a 100644 @begin_dpdk@ allow openvswitch_t self:netlink_rdma_socket { setopt bind create }; @end_dpdk@ +diff --git a/tests/atlocal.in b/tests/atlocal.in +index 8565a0bae9..1c3d4891a7 100644 +--- a/tests/atlocal.in ++++ b/tests/atlocal.in +@@ -185,6 +185,12 @@ find_command lftp + # Set HAVE_ETHTOOL + find_command ethtool + ++# Set HAVE_IPTABLES ++find_command iptables ++ ++# Set HAVE_NFT ++find_command nft ++ + CURL_OPT="-g -v --max-time 1 --retry 2 --retry-delay 1 --connect-timeout 1" + + # Determine whether "diff" supports "normal" diffs. (busybox diff does not.) diff --git a/tests/classifier.at b/tests/classifier.at index 93a13f32b1..05e82ea968 100644 --- a/tests/classifier.at 
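Review bot: The new prototype `ovs_be16 netdev_tnl_get_src_port(struct dp_packet *);` in lib/netdev-native-tnl.h has no comment, yet the function now has a contract that callers can get wrong. It may run flow_extract() on the packet and store the result with dp_packet_set_rss_hash(), and the comments added in netdev_tnl_push_udp_header() and netdev_gtpu_push_header() say it must run before the packet is modified. Only those two callers are visible here; any other caller that invokes it after pushing headers would presumably hash the outer headers instead. I would put the requirement at the declaration, e.g. `/* Returns the UDP source port for 'packet'. May set the packet's RSS hash; must be called before any tunnel header is pushed. */`, and name the parameter `packet`. Both push functions begin and end outside the hunk.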
@@ -2102,6 +2348,63 @@ index 42fb66de68..18bd359bfe 100644 + +OVS_VSWITCHD_STOP(["/failed to flow_del (No such file or directory)/d"]) +AT_CLEANUP +diff --git a/tests/ovs-macros.at b/tests/ovs-macros.at +index 06c9785554..738cda2e46 100644 +--- a/tests/ovs-macros.at ++++ b/tests/ovs-macros.at +@@ -360,9 +360,49 @@ m4_ifndef([AT_FAIL_IF], + [AT_CHECK([($1) \ + && exit 99 || exit 0], [0], [ignore], [ignore])])]) + ++dnl Add a rule to always accept the traffic. ++dnl The first argument to this macro should be the command to run: ++dnl iptables or ip6tables ++dnl The second argument to this macro should be the interface name (netdev) ++m4_define([IPTABLES_ACCEPT], ++ [AT_CHECK([$1 -I INPUT 1 -i $2 -j ACCEPT]) ++ on_exit '$1 -D INPUT 1']) ++ ++dnl Certain Linux distributions, like CentOS, have default iptable rules ++dnl to reject input traffic from bridges such as br-underlay. ++dnl This implies the existence of a ip filter INPUT chain for IPv4 or an ++dnl ip6 filter INPUT chain for IPv6. If that chain exists then add a rule ++dnl to it to always accept all traffic. ++dnl The first argument to this macro should be the filter chain: ip or ipv6 ++dnl The second argument to this macro should be the interface name (netdev) ++m4_define([NFT_ACCEPT], ++ [if nft list chain $1 filter INPUT > /dev/null 2>1; then ++ AT_CHECK([nft -ae \ ++ "insert rule $1 filter INPUT iifname \"$2\" counter accept"], ++ [0], [stdout-nolog]) ++ dnl Extract handle, which is used to delete the rule ++ AT_CHECK([sed -n 's/.*handle //; T; p' < stdout], [0], [stdout]) ++ on_exit "nft \"delete rule $1 filter INPUT handle $(cat stdout)\"" ++ fi]) ++ + dnl Certain Linux distributions, like CentOS, have default iptable rules + dnl to reject input traffic from bridges such as br-underlay. + dnl Add a rule to always accept the traffic. +-m4_define([IPTABLES_ACCEPT], +- [AT_CHECK([iptables -I INPUT 1 -i $1 -j ACCEPT]) +- on_exit 'iptables -D INPUT 1 -i $1']) ++dnl IPv4 variant of this macro. 
++m4_define([XT_ACCEPT], ++ [if test $HAVE_NFT = yes; then ++ NFT_ACCEPT([ip], [$1]) ++ else ++ IPTABLES_ACCEPT([iptables], [$1]) ++ fi]) ++ ++dnl Certain Linux distributions, like CentOS, have default iptable rules ++dnl to reject input traffic from bridges such as br-underlay. ++dnl Add a rule to always accept the traffic. ++dnl IPv6 variant of this macro. ++m4_define([XT6_ACCEPT], ++ [if test $HAVE_NFT = yes; then ++ NFT_ACCEPT([ip6], [$1]) ++ else ++ IPTABLES_ACCEPT([ip6tables], [$1]) ++ fi]) diff --git a/tests/ovs-ofctl.at b/tests/ovs-ofctl.at index e2f4429ae5..2363b72aa8 100644 --- a/tests/ovs-ofctl.at @@ -2186,7 +2489,7 @@ index 9070ea051a..74ccaccdd2 100644 OVSDB_CHECK_IDL_PY([partial-set idl], diff --git a/tests/system-common-macros.at b/tests/system-common-macros.at -index e9be021f3f..de4ed8d4d2 100644 +index e9be021f3f..a8093ec4eb 100644 --- a/tests/system-common-macros.at +++ b/tests/system-common-macros.at @@ -2,10 +2,7 @@ @@ -2243,6 +2546,14 @@ index e9be021f3f..de4ed8d4d2 100644 # OVS_CHECK_FIREWALL() # # Check if firewalld is active, skip the test if it is on. +@@ -382,3 +405,7 @@ m4_define([OVS_CHECK_DROP_ACTION], + # OVS_CHECK_PSAMPLE() + m4_define([OVS_CHECK_PSAMPLE], + [AT_SKIP_IF([! grep -q "Datapath supports psample action" ovs-vswitchd.log])]) ++ ++# OVS_CHECK_XT() ++m4_define([OVS_CHECK_XT], ++ [AT_SKIP_IF([test $HAVE_IPTABLES = no && test $HAVE_NFT = no])]) diff --git a/tests/system-ipsec.at b/tests/system-ipsec.at index 1e155fecea..4ab384d89c 100644 --- a/tests/system-ipsec.at 
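Review bot: In NFT_ACCEPT the probe `nft list chain $1 filter INPUT > /dev/null 2>1` sends stderr to a file named `1` in the test directory rather than to /dev/null, because the `&` is missing. It should read `if nft list chain $1 filter INPUT > /dev/null 2>&1; then`. The same typo appears in NFT_ADD_EXTERNAL_CT in the tests/system-kmod-macros.at hunk further down (`nft list table ip raw > /dev/null 2>1`). The exit status is unaffected, so the macros still branch correctly, but error output is silently written to a stray file.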
@@ -2493,6 +2804,152 @@ index 1e155fecea..4ab384d89c 100644 + +OVS_TRAFFIC_VSWITCHD_STOP() +AT_CLEANUP +diff --git a/tests/system-kmod-macros.at b/tests/system-kmod-macros.at +index 5203b1df80..a48bd532a0 100644 +--- a/tests/system-kmod-macros.at ++++ b/tests/system-kmod-macros.at +@@ -267,3 +267,94 @@ m4_define([OVS_CHECK_BAREUDP], + AT_SKIP_IF([! ip link add dev ovs_bareudp0 type bareudp dstport 6635 ethertype mpls_uc 2>&1 >/dev/null]) + AT_CHECK([ip link del dev ovs_bareudp0]) + ]) ++ ++# IPTABLES_CHECK_EXTERNAL_CT() ++# ++# Checks if packets can be tracked outside OvS. ++# iptables variant of this macro ++m4_define([IPTABLES_CHECK_EXTERNAL_CT], ++[ ++ dnl Kernel config (CONFIG_NETFILTER_XT_TARGET_CT) ++ dnl and user space extensions need to be present. ++ AT_SKIP_IF([! iptables -t raw -I OUTPUT 1 -j CT]) ++ AT_CHECK([iptables -t raw -D OUTPUT 1]) ++]) ++ ++# NFT_CHECK_EXTERNAL_CT() ++# ++# Checks if packets can be tracked outside OvS. ++# nft variant of this macro ++m4_define([NFT_CHECK_EXTERNAL_CT], ++[ ++ dnl Kernel config (CONFIG_NETFILTER_XT_TARGET_CT) ++ dnl and user space extensions need to be present. ++ AT_SKIP_IF([! nft -c -f - << EOF ++ table ip raw { ++ chain output-ovs-testsuite { ++ type filter hook output priority raw; ++ ct state new ++ } ++ } ++EOF ++ ]) ++]) ++ ++# CHECK_EXTERNAL_CT() ++# ++# Checks if packets can be tracked outside OvS. ++m4_define([CHECK_EXTERNAL_CT], ++[ ++ dnl Kernel config (CONFIG_NETFILTER_XT_TARGET_CT) ++ dnl and user space extensions need to be present. ++ if test $HAVE_NFT = yes; then ++ NFT_CHECK_EXTERNAL_CT() ++ elif test $HAVE_IPTABLES = yes; then ++ IPTABLES_CHECK_EXTERNAL_CT() ++ else ++ AT_SKIP_IF([true]) ++ fi ++]) ++ ++# IPTABLES_ADD_EXTERNAL_CT() ++# ++# Let conntrack start tracking the packets outside OvS. 
++# iptables variant of this macro ++m4_define([IPTABLES_ADD_EXTERNAL_CT], ++[ ++ AT_CHECK([iptables -t raw -I OUTPUT 1 -o $1 -j CT]) ++ on_exit 'iptables -t raw -D OUTPUT 1' ++]) ++ ++# NFT_ADD_EXTERNAL_CT() ++# ++# Let conntrack start tracking the packets outside OvS. ++# nft variant of this macro ++m4_define([NFT_ADD_EXTERNAL_CT], ++[ ++ if ! nft list table ip raw > /dev/null 2>1; then ++ on_exit 'nft "delete table ip raw"' ++ fi ++ ++ AT_CHECK([nft -f - << EOF ++ table ip raw { ++ chain output-ovs-testsuite { ++ type filter hook output priority raw; ++ oifname "$1" ct state new ++ } ++ } ++EOF ++ ]) ++ on_exit 'nft "delete chain ip raw output-ovs-testsuite"' ++]) ++ ++# ADD_EXTERNAL_CT() ++# ++# Checks if packets can be tracked outside OvS. ++m4_define([ADD_EXTERNAL_CT], ++[ ++ if test $HAVE_NFT = yes; then ++ NFT_ADD_EXTERNAL_CT([$1]) ++ else ++ IPTABLES_ADD_EXTERNAL_CT([$1]) ++ fi ++]) +diff --git a/tests/system-offloads-traffic.at b/tests/system-offloads-traffic.at +index d1da33d96c..a84c3be5a1 100644 +--- a/tests/system-offloads-traffic.at ++++ b/tests/system-offloads-traffic.at +@@ -812,6 +812,7 @@ OVS_CHECK_VXLAN() + + OVS_TRAFFIC_VSWITCHD_START([], [], [-- set Open_vSwitch . other_config:hw-offload=true]) + AT_SKIP_IF([! grep -q "probe tc: vxlan gbp is supported." 
ovs-vswitchd.log]) ++AT_SKIP_IF([test $HAVE_NFT = no -a $HAVE_IPTABLES = no]) + ADD_BR([br-underlay]) + + AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"]) +@@ -832,8 +833,32 @@ AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"]) + + ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24], + [id 0 dstport 4789 gbp]) +-NS_CHECK_EXEC([at_ns0], [iptables -I OUTPUT -p ip -j MARK --set-mark 512 2>/dev/null], [0]) +-NS_CHECK_EXEC([at_ns0], [iptables -I INPUT -m mark --mark 512 -j ACCEPT 2>/dev/null], [0], [ignore]) ++ ++if test $HAVE_NFT = yes; then ++ NS_CHECK_EXEC([at_ns0], [nft -f - << EOF ++ table ip filter { ++ chain OUTPUT { ++ type filter hook output priority filter; policy accept; ++ counter meta mark set 512 ++ } ++ } ++ ++ table ip filter { ++ chain INPUT { ++ type filter hook input priority filter; policy accept; ++ mark 512 counter accept; ++ } ++ } ++EOF ++ ]) ++else ++ NS_CHECK_EXEC([at_ns0], ++ [iptables -I OUTPUT -p ip -j MARK --set-mark 512 2>/dev/null], ++ [0]) ++ NS_CHECK_EXEC([at_ns0], ++ [iptables -I INPUT -m mark --mark 512 -j ACCEPT 2>/dev/null], ++ [0], [ignore]) ++fi + + dnl First, check the underlay. + NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -W 2 172.31.1.100 | FORMAT_PING], [0], [dnl diff --git a/tests/system-tap.at b/tests/system-tap.at index 3d84a53182..03ec01270f 100644 --- a/tests/system-tap.at @@ -2507,7 +2964,7 @@ index 3d84a53182..03ec01270f 100644 OVS_TRAFFIC_VSWITCHD_STOP(["/.*ethtool command ETHTOOL_G.*/d"]) diff --git a/tests/system-traffic.at b/tests/system-traffic.at -index 202ff04922..74233c6769 100644 +index 202ff04922..f914512a49 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -38,7 +38,7 @@ NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -W 2 10.1.1.2 | FORMAT_PING], [0], 
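Review bot: IPTABLES_CHECK_EXTERNAL_CT probes for CT support by inserting `-j CT` at position 1 of the host's raw OUTPUT chain and then deleting "rule 1", and IPTABLES_ADD_EXTERNAL_CT registers `iptables -t raw -D OUTPUT 1` as its cleanup. Deleting by position removes whatever rule is first at that moment, so if anything else inserts into the chain while the test runs, the cleanup removes that unrelated rule and leaves the test's own rule behind. Deleting by rule specification avoids this: `AT_CHECK([iptables -t raw -D OUTPUT -j CT])` in the check macro and `on_exit 'iptables -t raw -D OUTPUT -o $1 -j CT'` in the add macro. IPTABLES_ACCEPT in the tests/ovs-macros.at hunk has the same positional `-D INPUT 1` cleanup. The nft check macro avoids the problem because `nft -c` only validates the ruleset without loading it.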
@@ -2530,7 +2987,104 @@ index 202ff04922..74233c6769 100644 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -W 2 fc00::3 | FORMAT_PING], [0], [dnl 3 packets transmitted, 3 received, 0% packet loss, time 0ms ]) -@@ -3410,10 +3414,10 @@ OVS_START_L7([at_ns1], [http]) +@@ -1094,6 +1098,7 @@ OVS_TRAFFIC_VSWITCHD_STOP(["/Invalid Geneve tunnel metadata on bridge br0 while + AT_CLEANUP + + AT_SETUP([datapath - ping over gre tunnel by simulated packets]) ++OVS_CHECK_XT() + OVS_CHECK_MIN_KERNEL(3, 10) + + OVS_TRAFFIC_VSWITCHD_START() +@@ -1113,7 +1118,7 @@ AT_CHECK([ip link set dev br-underlay up]) + dnl Set up tunnel endpoints on OVS outside the namespace. + ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24]) + +-IPTABLES_ACCEPT([br-underlay]) ++XT_ACCEPT([br-underlay]) + + NETNS_DAEMONIZE([at_ns0], [tcpdump -n -i p0 dst host 172.31.1.1 -l > p0.pcap 2>/dev/null], [tcpdump.pid]) + sleep 1 +@@ -1140,6 +1145,7 @@ OVS_TRAFFIC_VSWITCHD_STOP + AT_CLEANUP + + AT_SETUP([datapath - ping over erspan v1 tunnel by simulated packets]) ++OVS_CHECK_XT() + OVS_CHECK_MIN_KERNEL(3, 10) + + OVS_TRAFFIC_VSWITCHD_START() +@@ -1160,7 +1166,7 @@ dnl Set up tunnel endpoints on OVS outside the namespace and emulate a native + dnl linux device inside the namespace. + ADD_OVS_TUNNEL([erspan], [br0], [at_erspan0], [172.31.1.1], [10.1.1.100/24], [options:key=1 options:erspan_ver=1 options:erspan_idx=7]) + +-IPTABLES_ACCEPT([br-underlay]) ++XT_ACCEPT([br-underlay]) + + NETNS_DAEMONIZE([at_ns0], [tcpdump -n -x -i p0 dst host 172.31.1.1 -l > p0.pcap 2>/dev/null], [tcpdump.pid]) + sleep 1 +@@ -1188,6 +1194,7 @@ OVS_TRAFFIC_VSWITCHD_STOP + AT_CLEANUP + + AT_SETUP([datapath - ping over erspan v2 tunnel by simulated packets]) ++OVS_CHECK_XT() + OVS_CHECK_MIN_KERNEL(3, 10) + + OVS_TRAFFIC_VSWITCHD_START() +@@ -1208,11 +1215,7 @@ dnl Set up tunnel endpoints on OVS outside the namespace and simulate a native + dnl linux device inside the namespace. 
+ ADD_OVS_TUNNEL([erspan], [br0], [at_erspan0], [172.31.1.1], [10.1.1.100/24], [options:key=1 options:erspan_ver=2 options:erspan_dir=1 options:erspan_hwid=0x7]) + +-dnl Certain Linux distributions, like CentOS, have default iptable rules +-dnl to reject input traffic from br-underlay. Here we add a rule to walk +-dnl around it. +-iptables -I INPUT 1 -i br-underlay -j ACCEPT +-on_exit 'iptables -D INPUT 1' ++XT_ACCEPT([br-underlay]) + + NETNS_DAEMONIZE([at_ns0], [tcpdump -n -x -i p0 dst host 172.31.1.1 -l > p0.pcap 2>/dev/null], [tcpdump.pid]) + sleep 1 +@@ -1241,6 +1244,7 @@ OVS_TRAFFIC_VSWITCHD_STOP + AT_CLEANUP + + AT_SETUP([datapath - ping over ip6erspan v1 tunnel by simulated packets]) ++OVS_CHECK_XT() + OVS_CHECK_MIN_KERNEL(3, 10) + + OVS_TRAFFIC_VSWITCHD_START() +@@ -1264,11 +1268,7 @@ ADD_OVS_TUNNEL6([ip6erspan], [br0], [at_erspan0], [fc00:100::1], [10.1.1.100/24] + + OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 2 fc00:100::100]) + +-dnl Certain Linux distributions, like CentOS, have default iptable rules +-dnl to reject input traffic from br-underlay. Here we add a rule to walk +-dnl around it. +-ip6tables -I INPUT 1 -i br-underlay -j ACCEPT +-on_exit 'ip6tables -D INPUT 1' ++XT6_ACCEPT([br-underlay]) + + NETNS_DAEMONIZE([at_ns0], [tcpdump -n -x -i p0 dst host fc00:100::1 -l > p0.pcap 2>/dev/null], [tcpdump.pid]) + sleep 1 +@@ -1296,6 +1296,7 @@ OVS_TRAFFIC_VSWITCHD_STOP + AT_CLEANUP + + AT_SETUP([datapath - ping over ip6erspan v2 tunnel by simulated packets]) ++OVS_CHECK_XT() + OVS_CHECK_MIN_KERNEL(3, 10) + + OVS_TRAFFIC_VSWITCHD_START() +@@ -1319,11 +1320,7 @@ ADD_OVS_TUNNEL6([ip6erspan], [br0], [at_erspan0], [fc00:100::1], [10.1.1.100/24] + + OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 2 fc00:100::100]) + +-dnl Certain Linux distributions, like CentOS, have default iptable rules +-dnl to reject input traffic from br-underlay. Here we add a rule to walk +-dnl around it. 
+-ip6tables -I INPUT 1 -i br-underlay -j ACCEPT +-on_exit 'ip6tables -D INPUT 1' ++XT6_ACCEPT([br-underlay]) + + NETNS_DAEMONIZE([at_ns0], [tcpdump -n -x -i p0 dst host fc00:100::1 -l > p0.pcap 2>/dev/null], [tcpdump.pid]) + sleep 1 +@@ -3410,10 +3407,10 @@ OVS_START_L7([at_ns1], [http]) OVS_START_L7([at_ns3], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -2543,7 +3097,7 @@ index 202ff04922..74233c6769 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -3453,10 +3457,10 @@ dnl traffic can't be identified, because the initial request wasn't committed. +@@ -3453,10 +3450,10 @@ dnl traffic can't be identified, because the initial request wasn't committed. dnl For the first pair of ports, this means that the connection fails. OVS_START_L7([at_ns1], [http]) OVS_START_L7([at_ns3], [http]) @@ -2556,7 +3110,7 @@ index 202ff04922..74233c6769 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -3492,7 +3496,7 @@ OVS_START_L7([at_ns1], [http]) +@@ -3492,7 +3489,7 @@ OVS_START_L7([at_ns1], [http]) OVS_START_L7([at_ns3], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -2565,7 +3119,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=) -@@ -3500,7 +3504,7 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= +@@ -3500,7 +3497,7 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= dnl HTTP requests from p2->p3 should fail due to network failure. dnl Try 3 times, in 1 second intervals. 
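Review bot: The two ip6erspan tests now gate on OVS_CHECK_XT() but then call XT6_ACCEPT, which falls back to `ip6tables` when nft is absent. OVS_CHECK_XT only tests HAVE_IPTABLES and HAVE_NFT, and the tests/atlocal.in hunk adds `find_command iptables` and `find_command nft` but nothing for ip6tables. On a host that has iptables but not ip6tables, these tests would fail inside IPTABLES_ACCEPT instead of being skipped. If that configuration matters, add `find_command ip6tables` to atlocal.in (which would presumably set HAVE_IP6TABLES, following the pattern of the other entries) and skip the IPv6 tests when neither that nor nft is available.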
@@ -2574,7 +3128,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=,dport=),reply=(src=10.1.1.4,dst=10.1.1.3,sport=,dport=),zone=2,protoinfo=(state=) -@@ -3539,7 +3543,7 @@ OVS_START_L7([at_ns1], [http]) +@@ -3539,7 +3536,7 @@ OVS_START_L7([at_ns1], [http]) OVS_START_L7([at_ns3], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -2583,7 +3137,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=4097,protoinfo=(state=) -@@ -3547,7 +3551,7 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= +@@ -3547,7 +3544,7 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= dnl HTTP requests from p2->p3 should fail due to network failure. dnl Try 3 times, in 1 second intervals. @@ -2592,7 +3146,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=,dport=),reply=(src=10.1.1.4,dst=10.1.1.3,sport=,dport=),zone=4098,protoinfo=(state=) -@@ -3581,7 +3585,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -3581,7 +3578,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) OVS_START_L7([at_ns1], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -2601,7 +3155,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,dnl -@@ -3607,7 +3611,7 @@ AT_CHECK([ovs-ofctl mod-flows br0 dnl +@@ -3607,7 +3604,7 @@ AT_CHECK([ovs-ofctl mod-flows br0 dnl dnl Wait for a flow flush as some datapaths (read TC) might take time to clear. AT_CHECK([ovs-appctl revalidator/wait], [0]) 
@@ -2610,7 +3164,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-flows --names filter=in_port=ovs-p0 dnl | grep "+trk" | grep -q "ct_zone(0xf)" ], [0], []) -@@ -3641,7 +3645,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -3641,7 +3638,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) OVS_START_L7([at_ns1], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -2619,7 +3173,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,dnl -@@ -3659,7 +3663,7 @@ AT_CHECK([ovs-ofctl mod-flows br0 'priority=100,ct_state=-trk,tcp,in_port="ovs-p +@@ -3659,7 +3656,7 @@ AT_CHECK([ovs-ofctl mod-flows br0 'priority=100,ct_state=-trk,tcp,in_port="ovs-p dnl Wait for a flow flush as some datapaths (read TC) might take time to clear. AT_CHECK([ovs-appctl revalidator/wait], [0]) @@ -2628,7 +3182,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-flows --names filter=in_port=ovs-p0 dnl | grep "+trk" | sed 's/0xffff000f\/0xffff/0xf\/0xffff/' dnl -@@ -3707,7 +3711,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt]) +@@ -3707,7 +3704,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt]) dnl HTTP requests from p0->p1 should work fine. OVS_START_L7([at_ns1], [http]) @@ -2637,7 +3191,7 @@ index 202ff04922..74233c6769 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -3736,10 +3740,10 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -3736,10 +3733,10 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) OVS_START_L7([at_ns1], [http]) dnl HTTP requests from p0->p1 should work fine. 
@@ -2650,7 +3204,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=) -@@ -3778,10 +3782,10 @@ AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) +@@ -3778,10 +3775,10 @@ AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) OVS_START_L7([at_ns1], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -2663,7 +3217,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=) -@@ -3823,14 +3827,14 @@ OVS_START_L7([at_ns1], [http]) +@@ -3823,14 +3820,14 @@ OVS_START_L7([at_ns1], [http]) OVS_START_L7([at_ns3], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -2680,7 +3234,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=,dport=),reply=(src=10.1.1.4,dst=10.1.1.3,sport=,dport=),mark=2,protoinfo=(state=) ]) -@@ -3865,7 +3869,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -3865,7 +3862,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) OVS_START_L7([at_ns1], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -2689,7 +3243,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),mark=3,protoinfo=(state=) -@@ -3904,14 +3908,14 @@ OVS_START_L7([at_ns1], [http]) +@@ -3904,14 +3901,14 @@ OVS_START_L7([at_ns1], [http]) OVS_START_L7([at_ns3], [http]) dnl HTTP requests from p0->p1 should work fine. 
@@ -2706,7 +3260,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=,dport=),reply=(src=10.1.1.4,dst=10.1.1.3,sport=,dport=),mark=2,protoinfo=(state=) ]) -@@ -3950,11 +3954,11 @@ OVS_START_L7([at_ns1], [http]) +@@ -3950,11 +3947,11 @@ OVS_START_L7([at_ns1], [http]) OVS_START_L7([at_ns3], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -2720,7 +3274,7 @@ index 202ff04922..74233c6769 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -3986,7 +3990,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -3986,7 +3983,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) OVS_START_L7([at_ns1], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -2729,7 +3283,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),labels=0x200000001,protoinfo=(state=) -@@ -4024,7 +4028,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -4024,7 +4021,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) OVS_START_L7([at_ns1], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -2738,7 +3292,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,mark=3,labels=0x200000001,protoinfo=(state=) -@@ -4060,7 +4064,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows1.txt]) +@@ -4060,7 +4057,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows1.txt]) dnl TCP traffic from ns0 to ns1 should fail. OVS_START_L7([at_ns1], [http]) 
@@ -2747,7 +3301,7 @@ index 202ff04922..74233c6769 100644 dnl Send UDP packet on port 1 twice. AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"]) -@@ -5360,14 +5364,14 @@ OVS_START_L7([at_ns0], [http]) +@@ -5360,14 +5357,14 @@ OVS_START_L7([at_ns0], [http]) OVS_START_L7([at_ns1], [http]) dnl HTTP requests from ns0->ns1 should work fine. @@ -2764,7 +3318,7 @@ index 202ff04922..74233c6769 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -5401,7 +5405,7 @@ OVS_START_L7([at_ns0], [http6]) +@@ -5401,7 +5398,7 @@ OVS_START_L7([at_ns0], [http6]) OVS_START_L7([at_ns1], [http6]) dnl HTTP requests from ns0->ns1 should work fine. @@ -2773,7 +3327,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl tcp,orig=(src=fc00::1,dst=fc00::2,sport=,dport=),reply=(src=fc00::2,dst=fc00::1,sport=,dport=),protoinfo=(state=) -@@ -5409,7 +5413,7 @@ tcp,orig=(src=fc00::1,dst=fc00::2,sport=,dport=),reply=(src=fc +@@ -5409,7 +5406,7 @@ tcp,orig=(src=fc00::1,dst=fc00::2,sport=,dport=),reply=(src=fc dnl HTTP requests from ns1->ns0 should fail due to network failure. dnl Try 3 times, in 1 second intervals. @@ -2782,7 +3336,7 @@ index 202ff04922..74233c6769 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -5447,10 +5451,10 @@ OVS_START_L7([at_ns1], [http]) +@@ -5447,19 +5444,21 @@ OVS_START_L7([at_ns1], [http]) OVS_START_L7([at_ns3], [http]) dnl HTTP requests from p0->p1 should work fine. 
@@ -2795,7 +3349,18 @@ index 202ff04922..74233c6769 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -5489,10 +5493,10 @@ AT_CHECK([ping -q -c 3 -i 0.3 -W 2 10.1.1.2 | FORMAT_PING], [0], [dnl + + AT_SETUP([conntrack - multiple zones, local]) ++CHECK_EXTERNAL_CT() + CHECK_CONNTRACK() + CHECK_CONNTRACK_LOCAL_STACK() + OVS_TRAFFIC_VSWITCHD_START() + ++ADD_EXTERNAL_CT([br0]) + ADD_NAMESPACES(at_ns0) + + AT_CHECK([ip addr add dev br0 "10.1.1.1/24"]) +@@ -5489,10 +5488,10 @@ AT_CHECK([ping -q -c 3 -i 0.3 -W 2 10.1.1.2 | FORMAT_PING], [0], [dnl OVS_START_L7([at_ns0], [http]) dnl HTTP requests from root namespace to p0 should work fine. @@ -2809,7 +3374,20 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=,type=0,code=0),zone=1 -@@ -5560,10 +5564,10 @@ AT_CHECK([ping -q -c 3 -i 0.3 -W 2 10.1.1.2 | FORMAT_PING], [0], [dnl +@@ -5505,10 +5504,12 @@ OVS_TRAFFIC_VSWITCHD_STOP + AT_CLEANUP + + AT_SETUP([conntrack - multi-stage pipeline, local]) ++CHECK_EXTERNAL_CT() + CHECK_CONNTRACK() + CHECK_CONNTRACK_LOCAL_STACK() + OVS_TRAFFIC_VSWITCHD_START() + ++ADD_EXTERNAL_CT([br0]) + ADD_NAMESPACES(at_ns0) + + AT_CHECK([ip addr add dev br0 "10.1.1.1/24"]) +@@ -5560,10 +5561,10 @@ AT_CHECK([ping -q -c 3 -i 0.3 -W 2 10.1.1.2 | FORMAT_PING], [0], [dnl OVS_START_L7([at_ns0], [http]) dnl HTTP requests from root namespace to p0 should work fine. 
@@ -2822,7 +3400,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=,type=0,code=0),zone=1 -@@ -5812,7 +5816,7 @@ NETNS_DAEMONIZE([at_ns1], [[$PYTHON3 $srcdir/test-l7.py ftp]], [ftp0.pid]) +@@ -5812,7 +5813,7 @@ NETNS_DAEMONIZE([at_ns1], [[$PYTHON3 $srcdir/test-l7.py ftp]], [ftp0.pid]) OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp]) dnl FTP requests from p0->p1 should work fine. @@ -2831,7 +3409,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([find -name index.html], [0], [dnl ./index.html -@@ -5879,12 +5883,12 @@ OVS_START_L7([at_ns1], [ftp]) +@@ -5879,12 +5880,12 @@ OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p1->p0 should fail due to network failure. dnl Try 3 times, in 1 second intervals. @@ -2846,7 +3424,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp ]) -@@ -5895,12 +5899,12 @@ AT_CHECK([ovs-appctl dpctl/flush-conntrack]) +@@ -5895,12 +5896,12 @@ AT_CHECK([ovs-appctl dpctl/flush-conntrack]) dnl FTP requests from p1->p0 should fail due to network failure. dnl Try 3 times, in 1 second intervals. 
@@ -2861,7 +3439,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),protoinfo=(state=) -@@ -5909,7 +5913,7 @@ tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src= +@@ -5909,7 +5910,7 @@ tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src= AT_CHECK([ovs-appctl dpctl/flush-conntrack]) dnl Passive FTP requests from p0->p1 should work fine. @@ -2870,7 +3448,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp ]) -@@ -5919,7 +5923,7 @@ AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows3.txt]) +@@ -5919,7 +5920,7 @@ AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows3.txt]) AT_CHECK([ovs-appctl dpctl/flush-conntrack]) dnl FTP control requests from p0->p1 should work fine, but helper will not be assigned. @@ -2879,7 +3457,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=) ]) -@@ -5985,12 +5989,12 @@ OVS_START_L7([at_ns1], [ftp], [11111]) +@@ -5985,12 +5986,12 @@ OVS_START_L7([at_ns1], [ftp], [11111]) dnl FTP requests from p1->p0 should fail due to network failure. dnl Try 3 times, in 1 second intervals. 
@@ -2894,7 +3472,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp ]) -@@ -6001,12 +6005,12 @@ AT_CHECK([ovs-appctl dpctl/flush-conntrack]) +@@ -6001,12 +6002,12 @@ AT_CHECK([ovs-appctl dpctl/flush-conntrack]) dnl FTP requests from p1->p0 should fail due to network failure. dnl Try 3 times, in 1 second intervals. @@ -2909,7 +3487,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),protoinfo=(state=) -@@ -6015,7 +6019,7 @@ tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src= +@@ -6015,7 +6016,7 @@ tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src= AT_CHECK([ovs-appctl dpctl/flush-conntrack]) dnl Passive FTP requests from p0->p1 should work fine. @@ -2918,7 +3496,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp ]) -@@ -6025,7 +6029,7 @@ AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows3.txt]) +@@ -6025,7 +6026,7 @@ AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows3.txt]) AT_CHECK([ovs-appctl dpctl/flush-conntrack]) dnl FTP control requests from p0->p1 should work fine, but helper will not be assigned. 
@@ -2927,7 +3505,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=) ]) -@@ -6060,7 +6064,7 @@ AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt]) +@@ -6060,7 +6061,7 @@ AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. @@ -2936,7 +3514,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp -@@ -6121,7 +6125,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) +@@ -6121,7 +6122,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. @@ -2945,7 +3523,7 @@ index 202ff04922..74233c6769 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl -@@ -6180,7 +6184,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) +@@ -6180,7 +6181,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP passive requests from p0->p1 should work fine. @@ -2954,7 +3532,7 @@ index 202ff04922..74233c6769 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl -@@ -6230,12 +6234,12 @@ OVS_START_L7([at_ns1], [ftp]) +@@ -6230,12 +6231,12 @@ OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p1->p0 should fail due to network failure. dnl Try 3 times, in 1 second intervals. 
@@ -2969,7 +3547,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=),helper=ftp tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=2,protoinfo=(state=),helper=ftp -@@ -6246,7 +6250,7 @@ tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src= +@@ -6246,7 +6247,7 @@ tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src= AT_CHECK([ovs-appctl dpctl/flush-conntrack]) dnl Passive FTP requests from p0->p1 should work fine. @@ -2978,7 +3556,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=) tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=),helper=ftp -@@ -6370,7 +6374,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -6370,7 +6371,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) dnl HTTP requests from p0->p1 should work fine. OVS_START_L7([at_ns1], [http]) @@ -2987,7 +3565,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=,dport=),zone=1,protoinfo=(state=) -@@ -6460,7 +6464,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -6460,7 +6461,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) dnl HTTP requests from p0->p1 should work fine. OVS_START_L7([at_ns1], [http]) 
@@ -2996,7 +3574,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=,dport=),zone=1,protoinfo=(state=) -@@ -6567,7 +6571,7 @@ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | uniq], [0], [d +@@ -6567,7 +6568,7 @@ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | uniq], [0], [d tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.240,sport=,dport=),zone=1,protoinfo=(state=) ]) @@ -3005,7 +3583,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | uniq], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.240,sport=,dport=),zone=1,protoinfo=(state=) -@@ -6622,7 +6626,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -6622,7 +6623,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) dnl HTTP requests from p0->p1 should work fine. OVS_START_L7([at_ns1], [http]) @@ -3014,7 +3592,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=,dport=),zone=1,protoinfo=(state=) -@@ -6716,14 +6720,14 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -6716,14 +6717,14 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) dnl Should work with the virtual IP address through NAT OVS_START_L7([at_ns1], [http]) 
@@ -3031,7 +3609,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=) -@@ -6754,7 +6758,7 @@ table=2,in_port=1,ip,ct_mark=0xac,ct_label=0xac,actions=2 +@@ -6754,7 +6755,7 @@ table=2,in_port=1,ip,ct_mark=0xac,ct_label=0xac,actions=2 ]) AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) @@ -3040,7 +3618,7 @@ index 202ff04922..74233c6769 100644 dnl - make sure only dst nat has been performed AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.240)], [0], [dnl -@@ -6812,14 +6816,14 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -6812,14 +6813,14 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) dnl Should work with the virtual IP address through NAT OVS_START_L7([at_ns1], [http]) @@ -3057,7 +3635,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=) -@@ -7347,7 +7351,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null]) +@@ -7347,7 +7348,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. @@ -3066,7 +3644,7 @@ index 202ff04922..74233c6769 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl -@@ -7407,7 +7411,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.240 >/dev/null]) +@@ -7407,7 +7408,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.240 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. 
@@ -3075,7 +3653,7 @@ index 202ff04922..74233c6769 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl -@@ -7467,7 +7471,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.100.1 >/dev/null]) +@@ -7467,7 +7468,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.100.1 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. @@ -3084,7 +3662,7 @@ index 202ff04922..74233c6769 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.200)], [0], [dnl -@@ -7527,7 +7531,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.240 >/dev/null]) +@@ -7527,7 +7528,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.240 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. @@ -3093,7 +3671,7 @@ index 202ff04922..74233c6769 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl -@@ -7587,7 +7591,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null]) +@@ -7587,7 +7588,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. @@ -3102,7 +3680,7 @@ index 202ff04922..74233c6769 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.120.240)], [0], [dnl -@@ -7632,12 +7636,12 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2]) +@@ -7632,12 +7633,12 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2]) dnl HTTP requests from ns0->ns1 should work fine. OVS_START_L7([at_ns1], [http6]) 
@@ -3117,7 +3695,7 @@ index 202ff04922..74233c6769 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -7676,7 +7680,7 @@ NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -W 2 fc00::240 | FORMAT_PING], [0] +@@ -7676,7 +7677,7 @@ NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -W 2 fc00::240 | FORMAT_PING], [0] dnl Should work with the virtual IP address through NAT OVS_START_L7([at_ns1], [http6]) @@ -3126,7 +3704,7 @@ index 202ff04922..74233c6769 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::1)], [0], [dnl icmpv6,orig=(src=fc00::1,dst=fc00::240,id=,type=128,code=0),reply=(src=fc00::2,dst=fc00::1,id=,type=129,code=0),zone=1 -@@ -7826,7 +7830,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) +@@ -7826,7 +7827,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. @@ -3135,7 +3713,7 @@ index 202ff04922..74233c6769 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl -@@ -7887,7 +7891,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) +@@ -7887,7 +7888,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. @@ -3144,7 +3722,7 @@ index 202ff04922..74233c6769 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl -@@ -7947,7 +7951,7 @@ NETNS_DAEMONIZE([at_ns1], [[$PYTHON3 $srcdir/test-l7.py ftp]], [ftp0.pid]) +@@ -7947,7 +7948,7 @@ NETNS_DAEMONIZE([at_ns1], [[$PYTHON3 $srcdir/test-l7.py ftp]], [ftp0.pid]) OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp]) dnl FTP requests from p0->p1 should work fine. 
@@ -3153,7 +3731,7 @@ index 202ff04922..74233c6769 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl -@@ -8090,7 +8094,7 @@ on_exit 'ovs-appctl dpif/dump-flows br0' +@@ -8090,7 +8091,7 @@ on_exit 'ovs-appctl dpif/dump-flows br0' dnl Should work with the virtual IP address through NAT for i in $(seq 1 50); do echo Request $i @@ -3162,6 +3740,46 @@ index 202ff04922..74233c6769 100644 done dnl Each server should have at least one connection. +@@ -8386,6 +8387,7 @@ OVS_TRAFFIC_VSWITCHD_STOP + AT_CLEANUP + + AT_SETUP([conntrack - can match and clear ct_state from outside OVS]) ++CHECK_EXTERNAL_CT() + CHECK_CONNTRACK_LOCAL_STACK() + OVS_CHECK_GENEVE() + +@@ -8396,6 +8398,7 @@ AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"]) + AT_CHECK([ovs-ofctl add-flow br-underlay "priority=100,ct_state=+trk,actions=ct_clear,resubmit(,0)"]) + AT_CHECK([ovs-ofctl add-flow br-underlay "priority=10,actions=normal"]) + ++ADD_EXTERNAL_CT([br0]) + ADD_NAMESPACES(at_ns0) + + dnl Set up underlay link from host into the namespace using veth pair. +diff --git a/tests/system-userspace-macros.at b/tests/system-userspace-macros.at +index d9b5b7e4c4..c1be973478 100644 +--- a/tests/system-userspace-macros.at ++++ b/tests/system-userspace-macros.at +@@ -357,3 +357,19 @@ m4_define([OVS_CHECK_BAREUDP], + [ + AT_SKIP_IF([:]) + ]) ++ ++# CHECK_EXTERNAL_CT() ++# ++# The userspace datapath does not support external ct. ++m4_define([CHECK_EXTERNAL_CT], ++[ ++ AT_SKIP_IF([:]) ++]) ++ ++# ADD_EXTERNAL_CT() ++# ++# The userspace datapath does not support external ct. ++m4_define([ADD_EXTERNAL_CT], ++[ ++ AT_SKIP_IF([:]) ++]) diff --git a/tests/test-multipath.c b/tests/test-multipath.c index 08d2cbaebf..4e9a3ab5c2 100644 --- a/tests/test-multipath.c 
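Review bot: The header comment `# ADD_EXTERNAL_CT()` added in tests/system-userspace-macros.at shows no parameter, although every call site added by this patch passes one (`ADD_EXTERNAL_CT([br0])`) and the body, `AT_SKIP_IF([:])`, never reads `$1`. I would write the header as `# ADD_EXTERNAL_CT([bridge])` and add `# The argument is ignored here; the test is skipped unconditionally.` so a reader does not look for a use of it. Both new macros carry the same one-line explanation. Since `CHECK_EXTERNAL_CT()` comes first in each test shown and also skips, it is presumably the one that takes effect; the second comment could say that `ADD_EXTERNAL_CT` only skips as a fallback when a test omits the check.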
@@ -3230,6 +3848,27 @@ index 41c1525f45..710341b655 100644 ovsdb_idl_destroy(idl); printf("%03d: End test\n", step); } +diff --git a/tests/tunnel-push-pop.at b/tests/tunnel-push-pop.at +index 99b1b02bf9..cf4e622014 100644 +--- a/tests/tunnel-push-pop.at ++++ b/tests/tunnel-push-pop.at +@@ -774,6 +774,16 @@ dnl Sending again to exercise the non-miss upcall path. + AT_CHECK([ovs-appctl netdev-dummy/receive int-br "${packet}4"]) + OVS_WAIT_UNTIL([test `ovs-pcap p0.pcap | grep -E "${encap}${packet}4" | wc -l` -ge 2]) + ++dnl Send two more packets at the same time to make sure they are distinct ++dnl memory buffers. ++AT_CHECK([ovs-appctl netdev-dummy/receive int-br "${packet}4" "${packet}4"]) ++OVS_WAIT_UNTIL([test `ovs-pcap p0.pcap | grep -E "${encap}${packet}4" | wc -l` -ge 4]) ++ ++dnl Make sure all the packets are the same, i.e. have the same source port. ++AT_CHECK([ovs-pcap p0.pcap | sed 's/.$//' | sort | uniq \ ++ | grep -E -c "${encap}${packet}"], [0], [1 ++]) ++ + dnl Output to tunnel from the controller. + AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out int-br CONTROLLER "debug_slow,output:2" "${packet}5"]) + OVS_WAIT_UNTIL([test `ovs-pcap p0.pcap | grep -E "${encap}${packet}5" | wc -l` -ge 1]) diff --git a/utilities/ovs-vsctl.c b/utilities/ovs-vsctl.c index 495be35652..edef0f18ef 100644 --- a/utilities/ovs-vsctl.c diff --git a/SPECS/openvswitch3.4.spec b/SPECS/openvswitch3.4.spec index 6b92ef7..8712162 100644 --- a/SPECS/openvswitch3.4.spec +++ b/SPECS/openvswitch3.4.spec @@ -57,7 +57,7 @@ Summary: Open vSwitch Group: System Environment/Daemons daemon/database/utilities URL: http://www.openvswitch.org/ Version: 3.4.0 -Release: 22%{?dist} +Release: 23%{?dist} # Nearly all of openvswitch is ASL 2.0. The bugtool is LGPLv2+, and the # lib/sflow*.[ch] files are SISSL 
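Review bot: The `sed 's/.$//'` step in the new tests/tunnel-push-pop.at check is not explained, and the assertion depends on it. It drops the last character of each pcap line, so packets sent as `${packet}4` and with other trailing digits collapse into one line after `sort | uniq`, and the expected count of `1` holds only if the encapsulation headers are byte-identical. I would add `dnl Strip the trailing digit that distinguishes the test packets, so only header differences remain.` above the `AT_CHECK`. The existing comment could also say why the source port might differ; the changelog on this page lists "netdev-native-tnl: Fix use of uninitialized RSS hash", which is presumably what this check guards against. The enclosing test begins and ends outside the hunk.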
@@ -770,6 +770,21 @@ exit 0 %endif %changelog +* Mon Dec 02 2024 Open vSwitch CI - 3.4.0-23 +- Merging upstream branch-3.4 [RH git: 222ad449f6] + Commit list: + a234629c33 netdev: Always clear struct ifreq before ioctl. + 118b4f2076 netdev-native-tnl: Fix use of uninitialized RSS hash. + 49d8d3066c tests: Use OVS_CHECK_XT6 for all applicable IPv6 tests. + 8886c64c1f tests: Use OVS_CHECK_XT for all applicable IPv4 tests. + 985f7ee313 classifier: Fix the fieldspec comment in the prefix tracking section. + 07720bc3f6 tests: Handle marks using nft if available. + f3de3ab1b6 tests: Add nft support to ADD_EXTERNAL_CT. + 5931c6feb7 tests: Add nft accept support. + e4d76aacd9 ovs-macros.at: Correctly delete iptables rule on_exit. + 2cdd886fc0 system-traffic: Do not rely on conncount for already tracked packets. (FDP-708) + + * Mon Dec 02 2024 Open vSwitch CI - 3.4.0-22 - Merging upstream branch-3.4 [RH git: 9f3c002b41] Commit list: