diff --git a/SOURCES/openvswitch-3.3.0.patch b/SOURCES/openvswitch-3.3.0.patch index 6a05dab..e90b16c 100644 --- a/SOURCES/openvswitch-3.3.0.patch +++ b/SOURCES/openvswitch-3.3.0.patch @@ -1629,11 +1629,18 @@ index 9af258917b..b8149e7897 100644 bfd_put_details(&ds, bfd); VLOG_INFO("%s", ds_cstr(&ds)); diff --git a/lib/classifier.h b/lib/classifier.h -index f55a2cba99..c9cab970ec 100644 +index f55a2cba99..7928601e0f 100644 --- a/lib/classifier.h +++ b/lib/classifier.h -@@ -170,7 +170,7 @@ - * value of the "prefix" key is a comma separated list of field names. +@@ -165,12 +165,11 @@ + * separate tries for subsets of rules separated by metadata fields. + * + * Prefix tracking is configured via OVSDB "Flow_Table" table, +- * "fieldspec" column. "fieldspec" is a string map where a "prefix" +- * key tells which fields should be used for prefix tracking. The +- * value of the "prefix" key is a comma separated list of field names. ++ * "prefixes" column. "prefixes" is a string set where each element ++ * is a name of a field that should be used for prefix tracking. * * There is a maximum number of fields that can be enabled for any one - * flow table. Currently this limit is 3. @@ -1641,7 +1648,7 @@ index f55a2cba99..c9cab970ec 100644 * * * Partitioning (Lookup Time and Wildcard Optimization) -@@ -328,7 +328,7 @@ struct cls_trie { +@@ -328,7 +327,7 @@ struct cls_trie { enum { CLS_MAX_INDICES = 3, /* Maximum number of lookup indices per subtable. */ 
@@ -2475,6 +2482,59 @@ index aa7cf1fcbb..b03fe7abf1 100644 break; case MFF_ARP_SPA: +diff --git a/lib/netdev-bsd.c b/lib/netdev-bsd.c +index 8596741aa1..6e3091b939 100644 +--- a/lib/netdev-bsd.c ++++ b/lib/netdev-bsd.c +@@ -669,6 +669,7 @@ netdev_bsd_rxq_drain(struct netdev_rxq *rxq_) + struct ifreq ifr; + struct netdev_rxq_bsd *rxq = netdev_rxq_bsd_cast(rxq_); + ++ memset(&ifr, 0, sizeof ifr); + strcpy(ifr.ifr_name, netdev_get_kernel_name(netdev_rxq_get_netdev(rxq_))); + if (ioctl(rxq->fd, BIOCFLUSH, &ifr) == -1) { + VLOG_DBG_RL(&rl, "%s: ioctl(BIOCFLUSH) failed: %s", +@@ -828,6 +829,7 @@ netdev_bsd_get_mtu(const struct netdev *netdev_, int *mtup) + if (!(netdev->cache_valid & VALID_MTU)) { + struct ifreq ifr; + ++ memset(&ifr, 0, sizeof ifr); + error = af_inet_ifreq_ioctl(netdev_get_kernel_name(netdev_), &ifr, + SIOCGIFMTU, "SIOCGIFMTU"); + if (!error) { +@@ -1440,6 +1442,8 @@ do_set_addr(struct netdev *netdev, + struct in_addr addr) + { + struct ifreq ifr; ++ ++ memset(&ifr, 0, sizeof ifr); + make_in4_sockaddr(&ifr.ifr_addr, addr); + return af_inet_ifreq_ioctl(netdev_get_kernel_name(netdev), &ifr, ioctl_nr, + ioctl_name); +@@ -1547,6 +1551,7 @@ destroy_tap(int fd, const char *name) + struct ifreq ifr; + + close(fd); ++ memset(&ifr, 0, sizeof ifr); + strcpy(ifr.ifr_name, name); + /* XXX What to do if this call fails? */ + af_inet_ioctl(SIOCIFDESTROY, &ifr); +@@ -1558,6 +1563,7 @@ get_flags(const struct netdev *netdev, int *flags) + struct ifreq ifr; + int error; + ++ memset(&ifr, 0, sizeof ifr); + error = af_inet_ifreq_ioctl(netdev_get_kernel_name(netdev), &ifr, + SIOCGIFFLAGS, "SIOCGIFFLAGS"); + +@@ -1571,6 +1577,7 @@ set_flags(const char *name, int flags) + { + struct ifreq ifr; + ++ memset(&ifr, 0, sizeof ifr); + ifr_set_flags(&ifr, flags); + + return af_inet_ifreq_ioctl(name, &ifr, SIOCSIFFLAGS, "SIOCSIFFLAGS"); diff --git a/lib/netdev-dpdk.c b/lib/netdev-dpdk.c index 45f61930d4..fd54f34692 100644 --- a/lib/netdev-dpdk.c 
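Review bot: In netdev_bsd_rxq_drain and destroy_tap, the `strcpy(ifr.ifr_name, ...)` that follows the new memset is still unbounded, so a name longer than the `ifr_name` field would write past it on the stack. The zeroing itself is sound, since the ioctl no longer sees uninitialised stack bytes, but the copy should be bounded the way linux_get_ifindex does it in the netdev-linux.c part of this patch: `ovs_strzcpy(ifr.ifr_name, name, sizeof ifr.ifr_name);`. Whether callers already guarantee a short interface name is not visible here, and both function bodies continue outside the hunk.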
@@ -2937,10 +2997,19 @@ index cd7e85a818..e8bbf8d514 100644 } else { unixctl_command_reply_error(conn, error); diff --git a/lib/netdev-linux.c b/lib/netdev-linux.c -index bf91ef462e..220825074b 100644 +index bf91ef462e..fb18defa0d 100644 --- a/lib/netdev-linux.c +++ b/lib/netdev-linux.c -@@ -1062,8 +1062,7 @@ netdev_linux_construct_tap(struct netdev *netdev_) +@@ -1029,6 +1029,8 @@ netdev_linux_construct_tap(struct netdev *netdev_) + ovsthread_once_done(&once); + } + ++ memset(&ifr, 0, sizeof ifr); ++ + ifr.ifr_flags = IFF_TAP | IFF_NO_PI; + if (tap_supports_vnet_hdr) { + ifr.ifr_flags |= IFF_VNET_HDR; +@@ -1062,8 +1064,7 @@ netdev_linux_construct_tap(struct netdev *netdev_) if (tap_supports_vnet_hdr && ioctl(netdev->tap_fd, TUNSETOFFLOAD, oflags) == 0) { 
@@ -2950,7 +3019,40 @@ index bf91ef462e..220825074b 100644 | NETDEV_TX_OFFLOAD_UDP_CKSUM); if (userspace_tso_enabled()) { -@@ -2403,6 +2402,7 @@ static int +@@ -1584,8 +1585,11 @@ netdev_linux_rxq_drain(struct netdev_rxq *rxq_) + struct netdev_rxq_linux *rx = netdev_rxq_linux_cast(rxq_); + if (rx->is_tap) { + struct ifreq ifr; +- int error = af_inet_ifreq_ioctl(netdev_rxq_get_name(rxq_), &ifr, +- SIOCGIFTXQLEN, "SIOCGIFTXQLEN"); ++ int error; ++ ++ memset(&ifr, 0, sizeof ifr); ++ error = af_inet_ifreq_ioctl(netdev_rxq_get_name(rxq_), &ifr, ++ SIOCGIFTXQLEN, "SIOCGIFTXQLEN"); + if (error) { + return error; + } +@@ -1941,6 +1945,7 @@ netdev_linux_get_mtu__(struct netdev_linux *netdev, int *mtup) + /* Fall back to ioctl if netlink fails */ + struct ifreq ifr; + ++ memset(&ifr, 0, sizeof ifr); + netdev->netdev_mtu_error = af_inet_ifreq_ioctl( + netdev_get_name(&netdev->up), &ifr, SIOCGIFMTU, "SIOCGIFMTU"); + netdev->mtu = ifr.ifr_mtu; +@@ -2003,7 +2008,10 @@ netdev_linux_set_mtu(struct netdev *netdev_, int mtu) + } + netdev->cache_valid &= ~VALID_MTU; + } ++ ++ memset(&ifr, 0, sizeof ifr); + ifr.ifr_mtu = mtu; ++ + error = af_inet_ifreq_ioctl(netdev_get_name(netdev_), &ifr, + SIOCSIFMTU, "SIOCSIFMTU"); + if (!error || error == ENODEV) { +@@ -2403,6 +2411,7 @@ static int netdev_linux_read_stringset_info(struct netdev_linux *netdev, uint32_t *len) { union { @@ -2958,7 +3060,7 @@ index bf91ef462e..220825074b 100644 struct ethtool_sset_info hdr; struct { uint64_t pad[2]; -@@ -2440,9 +2440,12 @@ netdev_linux_read_definitions(struct netdev_linux *netdev, +@@ -2440,9 +2449,12 @@ netdev_linux_read_definitions(struct netdev_linux *netdev, int error = 0; error = netdev_linux_read_stringset_info(netdev, &len); 
@@ -2972,7 +3074,7 @@ index bf91ef462e..220825074b 100644 strings = xzalloc(sizeof *strings + len * ETH_GSTRING_LEN); strings->cmd = ETHTOOL_GSTRINGS; -@@ -2507,13 +2510,11 @@ netdev_linux_set_ol(struct netdev *netdev_) +@@ -2507,13 +2519,11 @@ netdev_linux_set_ol(struct netdev *netdev_) char *string; uint32_t value; } t_list[] = { @@ -2988,7 +3090,7 @@ index bf91ef462e..220825074b 100644 NETDEV_TX_OFFLOAD_UDP_CKSUM}, {"tx-checksum-sctp", NETDEV_TX_OFFLOAD_SCTP_CKSUM}, {"tx-tcp-segmentation", NETDEV_TX_OFFLOAD_TCP_TSO}, -@@ -2725,6 +2726,7 @@ netdev_linux_get_speed_locked(struct netdev_linux *netdev, +@@ -2725,6 +2735,7 @@ netdev_linux_get_speed_locked(struct netdev_linux *netdev, uint32_t *current, uint32_t *max) { if (netdev_linux_netnsid_is_remote(netdev)) { @@ -2996,7 +3098,7 @@ index bf91ef462e..220825074b 100644 return EOPNOTSUPP; } -@@ -2734,6 +2736,8 @@ netdev_linux_get_speed_locked(struct netdev_linux *netdev, +@@ -2734,6 +2745,8 @@ netdev_linux_get_speed_locked(struct netdev_linux *netdev, ? 0 : netdev->current_speed; *max = MIN(UINT32_MAX, netdev_features_to_bps(netdev->supported, 0) / 1000000ULL); @@ -3005,7 +3107,15 @@ index bf91ef462e..220825074b 100644 } return netdev->get_features_error; } -@@ -6739,7 +6743,8 @@ get_stats_via_netlink(const struct netdev *netdev_, struct netdev_stats *stats) +@@ -3567,6 +3580,7 @@ do_set_addr(struct netdev *netdev, + { + struct ifreq ifr; + ++ memset(&ifr, 0, sizeof ifr); + make_in4_sockaddr(&ifr.ifr_addr, addr); + return af_inet_ifreq_ioctl(netdev_get_name(netdev), &ifr, ioctl_nr, + ioctl_name); +@@ -6739,7 +6753,8 @@ get_stats_via_netlink(const struct netdev *netdev_, struct netdev_stats *stats) struct rtnl_link_stats64 aligned_lstats; if (!IS_PTR_ALIGNED(lstats)) { 
@@ -3015,7 +3125,31 @@ index bf91ef462e..220825074b 100644 lstats = &aligned_lstats; } netdev_stats_from_rtnl_link_stats64(stats, lstats); -@@ -7199,13 +7204,6 @@ netdev_linux_prepend_vnet_hdr(struct dp_packet *b, int mtu) +@@ -6770,6 +6785,7 @@ get_flags(const struct netdev *dev, unsigned int *flags) + struct ifreq ifr; + int error; + ++ memset(&ifr, 0, sizeof ifr); + *flags = 0; + error = af_inet_ifreq_ioctl(dev->name, &ifr, SIOCGIFFLAGS, "SIOCGIFFLAGS"); + if (!error) { +@@ -6783,6 +6799,7 @@ set_flags(const char *name, unsigned int flags) + { + struct ifreq ifr; + ++ memset(&ifr, 0, sizeof ifr); + ifr.ifr_flags = flags; + return af_inet_ifreq_ioctl(name, &ifr, SIOCSIFFLAGS, "SIOCSIFFLAGS"); + } +@@ -6793,6 +6810,7 @@ linux_get_ifindex(const char *netdev_name) + struct ifreq ifr; + int error; + ++ memset(&ifr, 0, sizeof ifr); + ovs_strzcpy(ifr.ifr_name, netdev_name, sizeof ifr.ifr_name); + COVERAGE_INC(netdev_get_ifindex); + +@@ -7199,13 +7217,6 @@ netdev_linux_prepend_vnet_hdr(struct dp_packet *b, int mtu) /* The packet has good L4 checksum. No need to validate again. */ vnet->csum_start = vnet->csum_offset = (OVS_FORCE __virtio16) 0; vnet->flags = VIRTIO_NET_HDR_F_DATA_VALID; @@ -3030,10 +3164,38 @@ index bf91ef462e..220825074b 100644 /* The csum calculation is offloaded. */ if (dp_packet_hwol_l4_is_tcp(b)) { diff --git a/lib/netdev-native-tnl.c b/lib/netdev-native-tnl.c -index dee9ab344e..74e89ba09e 100644 +index dee9ab344e..a9c950db3f 100644 --- a/lib/netdev-native-tnl.c 
+++ b/lib/netdev-native-tnl.c -@@ -240,71 +240,31 @@ udp_extract_tnl_md(struct dp_packet *packet, struct flow_tnl *tnl, +@@ -61,6 +61,27 @@ static struct vlog_rate_limit err_rl = VLOG_RATE_LIMIT_INIT(60, 5); + uint16_t tnl_udp_port_min = 32768; + uint16_t tnl_udp_port_max = 61000; + ++ovs_be16 ++netdev_tnl_get_src_port(struct dp_packet *packet) ++{ ++ uint32_t hash; ++ ++ if (OVS_LIKELY(dp_packet_rss_valid(packet))) { ++ hash = dp_packet_get_rss_hash(packet); ++ } else { ++ struct flow flow; ++ ++ flow_extract(packet, &flow); ++ hash = flow_hash_5tuple(&flow, 0); ++ ++ dp_packet_set_rss_hash(packet, hash); ++ } ++ ++ hash = ((uint64_t) hash * (tnl_udp_port_max - tnl_udp_port_min)) >> 32; ++ ++ return htons(hash + tnl_udp_port_min); ++} ++ + void * + netdev_tnl_ip_extract_tnl_md(struct dp_packet *packet, struct flow_tnl *tnl, + unsigned int *hlen) +@@ -240,71 +261,31 @@ udp_extract_tnl_md(struct dp_packet *packet, struct flow_tnl *tnl, return udp + 1; } 
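Review bot: netdev_tnl_get_src_port() now has a side effect and an ordering requirement that its definition does not document. When the RSS hash is not valid it runs flow_extract() on the packet and stores the result with dp_packet_set_rss_hash(). I would add a comment above the definition such as `/* Must be called before the packet is modified; may compute and cache the RSS hash. */`, and give the parameter a name in the new header prototype. The range arithmetic `tnl_udp_port_max - tnl_udp_port_min` also assumes max >= min; where these globals are set is outside this hunk, so that should be confirmed there.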
@@ -3111,7 +3273,48 @@ index dee9ab344e..74e89ba09e 100644 } } -@@ -932,9 +892,9 @@ netdev_srv6_build_header(const struct netdev *netdev, +@@ -316,14 +297,18 @@ netdev_tnl_push_udp_header(const struct netdev *netdev OVS_UNUSED, + uint16_t l3_ofs = packet->l3_ofs; + uint16_t l4_ofs = packet->l4_ofs; + struct udp_header *udp; ++ ovs_be16 udp_src; + int ip_tot_size; + ++ /* We may need to re-calculate the hash and this has to be done before ++ * modifying the packet. */ ++ udp_src = netdev_tnl_get_src_port(packet); ++ + dp_packet_tnl_ol_process(packet, data); + udp = netdev_tnl_push_ip_header(packet, data->header, data->header_len, + &ip_tot_size, 0); + +- /* set udp src port */ +- udp->udp_src = netdev_tnl_get_src_port(packet); ++ udp->udp_src = udp_src; + udp->udp_len = htons(ip_tot_size); + + if (udp->udp_csum) { +@@ -871,13 +856,18 @@ netdev_gtpu_push_header(const struct netdev *netdev, + struct netdev_vport *dev = netdev_vport_cast(netdev); + struct udp_header *udp; + struct gtpuhdr *gtpuh; ++ ovs_be16 udp_src; + int ip_tot_size; + unsigned int payload_len; + ++ /* We may need to re-calculate the hash and this has to be done before ++ * modifying the packet. */ ++ udp_src = netdev_tnl_get_src_port(packet); ++ + payload_len = dp_packet_size(packet); + udp = netdev_tnl_push_ip_header(packet, data->header, data->header_len, + &ip_tot_size, 0); +- udp->udp_src = netdev_tnl_get_src_port(packet); ++ udp->udp_src = udp_src; + udp->udp_len = htons(ip_tot_size); + /* Postpone checksum to the egress netdev. */ + dp_packet_hwol_set_csum_udp(packet); +@@ -932,9 +922,9 @@ netdev_srv6_build_header(const struct netdev *netdev, const struct netdev_tnl_build_header_params *params) { const struct netdev_tunnel_config *tnl_cfg; 
@@ -3122,7 +3325,7 @@ index dee9ab344e..74e89ba09e 100644 ovs_be16 dl_type; int nr_segs; int i; -@@ -978,8 +938,7 @@ netdev_srv6_build_header(const struct netdev *netdev, +@@ -978,8 +968,7 @@ netdev_srv6_build_header(const struct netdev *netdev, return EOPNOTSUPP; } @@ -3132,7 +3335,7 @@ index dee9ab344e..74e89ba09e 100644 for (i = 0; i < nr_segs; i++) { /* Segment list is written to the header in reverse order. */ memcpy(s, &segs[nr_segs - i - 1], sizeof *s); -@@ -1068,7 +1027,10 @@ netdev_srv6_pop_header(struct dp_packet *packet) +@@ -1068,7 +1057,10 @@ netdev_srv6_pop_header(struct dp_packet *packet) } pkt_metadata_init_tnl(md); @@ -3144,6 +3347,28 @@ index dee9ab344e..74e89ba09e 100644 dp_packet_reset_packet(packet, hlen); return packet; +diff --git a/lib/netdev-native-tnl.h b/lib/netdev-native-tnl.h +index eb55dd0417..5d8f1672a8 100644 +--- a/lib/netdev-native-tnl.h ++++ b/lib/netdev-native-tnl.h +@@ -123,16 +123,7 @@ netdev_tnl_ip_build_header(struct ovs_action_push_tnl *data, + extern uint16_t tnl_udp_port_min; + extern uint16_t tnl_udp_port_max; + +-static inline ovs_be16 +-netdev_tnl_get_src_port(struct dp_packet *packet) +-{ +- uint32_t hash; +- +- hash = dp_packet_get_rss_hash(packet); +- +- return htons((((uint64_t) hash * (tnl_udp_port_max - tnl_udp_port_min)) >> 32) + +- tnl_udp_port_min); +-} ++ovs_be16 netdev_tnl_get_src_port(struct dp_packet *); + + void * + netdev_tnl_ip_extract_tnl_md(struct dp_packet *packet, struct flow_tnl *tnl, diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c index 921d523177..3be1c08d24 100644 --- a/lib/netdev-offload-tc.c @@ -5651,10 +5876,23 @@ index beb0ab0d66..fe2c5bb61a 100644 allow openvswitch_t self:netlink_rdma_socket { setopt bind create }; @end_dpdk@ diff --git a/tests/atlocal.in b/tests/atlocal.in -index f321bae55f..8565a0bae9 100644 +index f321bae55f..1c3d4891a7 100644 --- a/tests/atlocal.in 
+++ b/tests/atlocal.in -@@ -229,18 +229,35 @@ export UBSAN_OPTIONS +@@ -185,6 +185,12 @@ find_command lftp + # Set HAVE_ETHTOOL + find_command ethtool + ++# Set HAVE_IPTABLES ++find_command iptables ++ ++# Set HAVE_NFT ++find_command nft ++ + CURL_OPT="-g -v --max-time 1 --retry 2 --retry-delay 1 --connect-timeout 1" + + # Determine whether "diff" supports "normal" diffs. (busybox diff does not.) +@@ -229,18 +235,35 @@ export UBSAN_OPTIONS REQUIREMENT_PATH=$abs_top_srcdir/python/test_requirements.txt $PYTHON3 -c ' import os import pathlib 
@@ -6333,6 +6571,63 @@ index c22fb3c79c..3795ca7149 100644 m4_divert_pop([PREPARE_TESTS]) m4_define([TESTABLE_LOG], [-vPATTERN:ANY:'%c|%p|%m']) +diff --git a/tests/ovs-macros.at b/tests/ovs-macros.at +index 06c9785554..738cda2e46 100644 +--- a/tests/ovs-macros.at ++++ b/tests/ovs-macros.at +@@ -360,9 +360,49 @@ m4_ifndef([AT_FAIL_IF], + [AT_CHECK([($1) \ + && exit 99 || exit 0], [0], [ignore], [ignore])])]) + ++dnl Add a rule to always accept the traffic. ++dnl The first argument to this macro should be the command to run: ++dnl iptables or ip6tables ++dnl The second argument to this macro should be the interface name (netdev) ++m4_define([IPTABLES_ACCEPT], ++ [AT_CHECK([$1 -I INPUT 1 -i $2 -j ACCEPT]) ++ on_exit '$1 -D INPUT 1']) ++ ++dnl Certain Linux distributions, like CentOS, have default iptable rules ++dnl to reject input traffic from bridges such as br-underlay. ++dnl This implies the existence of a ip filter INPUT chain for IPv4 or an ++dnl ip6 filter INPUT chain for IPv6. If that chain exists then add a rule ++dnl to it to always accept all traffic. ++dnl The first argument to this macro should be the filter chain: ip or ipv6 ++dnl The second argument to this macro should be the interface name (netdev) ++m4_define([NFT_ACCEPT], ++ [if nft list chain $1 filter INPUT > /dev/null 2>1; then ++ AT_CHECK([nft -ae \ ++ "insert rule $1 filter INPUT iifname \"$2\" counter accept"], ++ [0], [stdout-nolog]) ++ dnl Extract handle, which is used to delete the rule ++ AT_CHECK([sed -n 's/.*handle //; T; p' < stdout], [0], [stdout]) ++ on_exit "nft \"delete rule $1 filter INPUT handle $(cat stdout)\"" ++ fi]) ++ + dnl Certain Linux distributions, like CentOS, have default iptable rules + dnl to reject input traffic from bridges such as br-underlay. + dnl Add a rule to always accept the traffic. +-m4_define([IPTABLES_ACCEPT], +- [AT_CHECK([iptables -I INPUT 1 -i $1 -j ACCEPT]) +- on_exit 'iptables -D INPUT 1 -i $1']) ++dnl IPv4 variant of this macro. 
++m4_define([XT_ACCEPT], ++ [if test $HAVE_NFT = yes; then ++ NFT_ACCEPT([ip], [$1]) ++ else ++ IPTABLES_ACCEPT([iptables], [$1]) ++ fi]) ++ ++dnl Certain Linux distributions, like CentOS, have default iptable rules ++dnl to reject input traffic from bridges such as br-underlay. ++dnl Add a rule to always accept the traffic. ++dnl IPv6 variant of this macro. ++m4_define([XT6_ACCEPT], ++ [if test $HAVE_NFT = yes; then ++ NFT_ACCEPT([ip6], [$1]) ++ else ++ IPTABLES_ACCEPT([ip6tables], [$1]) ++ fi]) diff --git a/tests/ovs-ofctl.at b/tests/ovs-ofctl.at index d03d365003..a9337f6192 100644 --- a/tests/ovs-ofctl.at @@ -6816,7 +7111,7 @@ index 49ac45275a..7cbea51654 100755 try: sockfd = socket.socket(socket.AF_PACKET, socket.SOCK_RAW) diff --git a/tests/system-common-macros.at b/tests/system-common-macros.at -index 01ebe364ee..5859457171 100644 +index 01ebe364ee..0893187ce5 100644 --- a/tests/system-common-macros.at +++ b/tests/system-common-macros.at @@ -2,10 +2,7 @@ @@ -6873,6 +7168,14 @@ index 01ebe364ee..5859457171 100644 # OVS_CHECK_FIREWALL() # # Check if firewalld is active, skip the test if it is on. +@@ -374,3 +397,7 @@ m4_define([OVS_CHECK_CT_CLEAR], + # OVS_CHECK_GITHUB_ACTION + m4_define([OVS_CHECK_GITHUB_ACTION], + [AT_SKIP_IF([test "$GITHUB_ACTIONS" = "true"])]) ++ ++# OVS_CHECK_XT() ++m4_define([OVS_CHECK_XT], ++ [AT_SKIP_IF([test $HAVE_IPTABLES = no && test $HAVE_NFT = no])]) diff --git a/tests/system-dpdk-macros.at b/tests/system-dpdk-macros.at index 7cf9bac170..f8ba766739 100644 --- a/tests/system-dpdk-macros.at 
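Review bot: The existence probe in NFT_ACCEPT, `nft list chain $1 filter INPUT > /dev/null 2>1`, sends stderr to a file literally named `1` in the test directory instead of to stdout; it should read `> /dev/null 2>&1`. The same typo appears in NFT_ADD_EXTERNAL_CT in tests/system-kmod-macros.at (`nft list table ip raw > /dev/null 2>1`). Separately, the IPTABLES_ACCEPT cleanup `on_exit '$1 -D INPUT 1'` deletes whatever rule is first in INPUT at exit time. Deleting by specification, `on_exit '$1 -D INPUT -i $2 -j ACCEPT'`, would avoid removing an unrelated host firewall rule if the chain changed during the test. IPTABLES_ADD_EXTERNAL_CT uses the same positional form (`iptables -t raw -D OUTPUT 1`).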
@@ -7153,6 +7456,105 @@ index d3d27133b9..4ab384d89c 100644 + +OVS_TRAFFIC_VSWITCHD_STOP() +AT_CLEANUP +diff --git a/tests/system-kmod-macros.at b/tests/system-kmod-macros.at +index 5203b1df80..a48bd532a0 100644 +--- a/tests/system-kmod-macros.at ++++ b/tests/system-kmod-macros.at +@@ -267,3 +267,94 @@ m4_define([OVS_CHECK_BAREUDP], + AT_SKIP_IF([! ip link add dev ovs_bareudp0 type bareudp dstport 6635 ethertype mpls_uc 2>&1 >/dev/null]) + AT_CHECK([ip link del dev ovs_bareudp0]) + ]) ++ ++# IPTABLES_CHECK_EXTERNAL_CT() ++# ++# Checks if packets can be tracked outside OvS. ++# iptables variant of this macro ++m4_define([IPTABLES_CHECK_EXTERNAL_CT], ++[ ++ dnl Kernel config (CONFIG_NETFILTER_XT_TARGET_CT) ++ dnl and user space extensions need to be present. ++ AT_SKIP_IF([! iptables -t raw -I OUTPUT 1 -j CT]) ++ AT_CHECK([iptables -t raw -D OUTPUT 1]) ++]) ++ ++# NFT_CHECK_EXTERNAL_CT() ++# ++# Checks if packets can be tracked outside OvS. ++# nft variant of this macro ++m4_define([NFT_CHECK_EXTERNAL_CT], ++[ ++ dnl Kernel config (CONFIG_NETFILTER_XT_TARGET_CT) ++ dnl and user space extensions need to be present. ++ AT_SKIP_IF([! nft -c -f - << EOF ++ table ip raw { ++ chain output-ovs-testsuite { ++ type filter hook output priority raw; ++ ct state new ++ } ++ } ++EOF ++ ]) ++]) ++ ++# CHECK_EXTERNAL_CT() ++# ++# Checks if packets can be tracked outside OvS. ++m4_define([CHECK_EXTERNAL_CT], ++[ ++ dnl Kernel config (CONFIG_NETFILTER_XT_TARGET_CT) ++ dnl and user space extensions need to be present. ++ if test $HAVE_NFT = yes; then ++ NFT_CHECK_EXTERNAL_CT() ++ elif test $HAVE_IPTABLES = yes; then ++ IPTABLES_CHECK_EXTERNAL_CT() ++ else ++ AT_SKIP_IF([true]) ++ fi ++]) ++ ++# IPTABLES_ADD_EXTERNAL_CT() ++# ++# Let conntrack start tracking the packets outside OvS. 
++# iptables variant of this macro ++m4_define([IPTABLES_ADD_EXTERNAL_CT], ++[ ++ AT_CHECK([iptables -t raw -I OUTPUT 1 -o $1 -j CT]) ++ on_exit 'iptables -t raw -D OUTPUT 1' ++]) ++ ++# NFT_ADD_EXTERNAL_CT() ++# ++# Let conntrack start tracking the packets outside OvS. ++# nft variant of this macro ++m4_define([NFT_ADD_EXTERNAL_CT], ++[ ++ if ! nft list table ip raw > /dev/null 2>1; then ++ on_exit 'nft "delete table ip raw"' ++ fi ++ ++ AT_CHECK([nft -f - << EOF ++ table ip raw { ++ chain output-ovs-testsuite { ++ type filter hook output priority raw; ++ oifname "$1" ct state new ++ } ++ } ++EOF ++ ]) ++ on_exit 'nft "delete chain ip raw output-ovs-testsuite"' ++]) ++ ++# ADD_EXTERNAL_CT() ++# ++# Checks if packets can be tracked outside OvS. ++m4_define([ADD_EXTERNAL_CT], ++[ ++ if test $HAVE_NFT = yes; then ++ NFT_ADD_EXTERNAL_CT([$1]) ++ else ++ IPTABLES_ADD_EXTERNAL_CT([$1]) ++ fi ++]) diff --git a/tests/system-layer3-tunnels.at b/tests/system-layer3-tunnels.at index 6fbdedb64f..5dcdd2afae 100644 --- a/tests/system-layer3-tunnels.at 
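Review bot: The header comment on ADD_EXTERNAL_CT says "Checks if packets can be tracked outside OvS.", which is copied from CHECK_EXTERNAL_CT. The macro installs the tracking rule, so the comment should read `# Let conntrack start tracking the packets outside OvS.` like its two variants. The dnl comment inside NFT_CHECK_EXTERNAL_CT names CONFIG_NETFILTER_XT_TARGET_CT although that macro only runs `nft -c`; I would reword or drop it. A one-line comment on IPTABLES_CHECK_EXTERNAL_CT would also help, noting that, unlike the nft variant, its probe briefly inserts a real rule into the host's raw OUTPUT chain.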
@@ -7219,6 +7621,53 @@ index 6fbdedb64f..5dcdd2afae 100644 AT_SETUP([layer3 - ping over MPLS Bareudp]) OVS_CHECK_BAREUDP() OVS_TRAFFIC_VSWITCHD_START([_ADD_BR([br1])]) +diff --git a/tests/system-offloads-traffic.at b/tests/system-offloads-traffic.at +index 6bd49a3eef..d33c782cf4 100644 +--- a/tests/system-offloads-traffic.at ++++ b/tests/system-offloads-traffic.at +@@ -812,6 +812,7 @@ OVS_CHECK_VXLAN() + + OVS_TRAFFIC_VSWITCHD_START([], [], [-- set Open_vSwitch . other_config:hw-offload=true]) + AT_SKIP_IF([! grep -q "probe tc: vxlan gbp is supported." ovs-vswitchd.log]) ++AT_SKIP_IF([test $HAVE_NFT = no -a $HAVE_IPTABLES = no]) + ADD_BR([br-underlay]) + + AT_CHECK([ovs-ofctl add-flow br-underlay "actions=normal"]) +@@ -832,8 +833,32 @@ AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"]) + + ADD_NATIVE_TUNNEL([vxlan], [at_vxlan1], [at_ns0], [172.31.1.100], [10.1.1.1/24], + [id 0 dstport 4789 gbp]) +-NS_CHECK_EXEC([at_ns0], [iptables -I OUTPUT -p ip -j MARK --set-mark 512 2>/dev/null], [0]) +-NS_CHECK_EXEC([at_ns0], [iptables -I INPUT -m mark --mark 512 -j ACCEPT 2>/dev/null], [0], [ignore]) ++ ++if test $HAVE_NFT = yes; then ++ NS_CHECK_EXEC([at_ns0], [nft -f - << EOF ++ table ip filter { ++ chain OUTPUT { ++ type filter hook output priority filter; policy accept; ++ counter meta mark set 512 ++ } ++ } ++ ++ table ip filter { ++ chain INPUT { ++ type filter hook input priority filter; policy accept; ++ mark 512 counter accept; ++ } ++ } ++EOF ++ ]) ++else ++ NS_CHECK_EXEC([at_ns0], ++ [iptables -I OUTPUT -p ip -j MARK --set-mark 512 2>/dev/null], ++ [0]) ++ NS_CHECK_EXEC([at_ns0], ++ [iptables -I INPUT -m mark --mark 512 -j ACCEPT 2>/dev/null], ++ [0], [ignore]) ++fi + + dnl First, check the underlay. + NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -W 2 172.31.1.100 | FORMAT_PING], [0], [dnl diff --git a/tests/system-route.at b/tests/system-route.at index 114aaebc77..c0ecad6cfb 100644 --- a/tests/system-route.at 
@@ -7305,7 +7754,7 @@ index 3d84a53182..03ec01270f 100644 OVS_TRAFFIC_VSWITCHD_STOP(["/.*ethtool command ETHTOOL_G.*/d"]) diff --git a/tests/system-traffic.at b/tests/system-traffic.at -index 98e494abf4..9dc8d9e4d0 100644 +index 98e494abf4..07dabe7988 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -38,7 +38,7 @@ NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -W 2 10.1.1.2 | FORMAT_PING], [0], 
@@ -7328,7 +7777,104 @@ index 98e494abf4..9dc8d9e4d0 100644 NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -W 2 fc00::3 | FORMAT_PING], [0], [dnl 3 packets transmitted, 3 received, 0% packet loss, time 0ms ]) -@@ -2359,11 +2363,22 @@ table=20 actions=drop +@@ -1094,6 +1098,7 @@ OVS_TRAFFIC_VSWITCHD_STOP(["/Invalid Geneve tunnel metadata on bridge br0 while + AT_CLEANUP + + AT_SETUP([datapath - ping over gre tunnel by simulated packets]) ++OVS_CHECK_XT() + OVS_CHECK_MIN_KERNEL(3, 10) + + OVS_TRAFFIC_VSWITCHD_START() +@@ -1113,7 +1118,7 @@ AT_CHECK([ip link set dev br-underlay up]) + dnl Set up tunnel endpoints on OVS outside the namespace. + ADD_OVS_TUNNEL([gre], [br0], [at_gre0], [172.31.1.1], [10.1.1.100/24]) + +-IPTABLES_ACCEPT([br-underlay]) ++XT_ACCEPT([br-underlay]) + + NETNS_DAEMONIZE([at_ns0], [tcpdump -n -i p0 dst host 172.31.1.1 -l > p0.pcap 2>/dev/null], [tcpdump.pid]) + sleep 1 +@@ -1140,6 +1145,7 @@ OVS_TRAFFIC_VSWITCHD_STOP + AT_CLEANUP + + AT_SETUP([datapath - ping over erspan v1 tunnel by simulated packets]) ++OVS_CHECK_XT() + OVS_CHECK_MIN_KERNEL(3, 10) + + OVS_TRAFFIC_VSWITCHD_START() +@@ -1160,7 +1166,7 @@ dnl Set up tunnel endpoints on OVS outside the namespace and emulate a native + dnl linux device inside the namespace. + ADD_OVS_TUNNEL([erspan], [br0], [at_erspan0], [172.31.1.1], [10.1.1.100/24], [options:key=1 options:erspan_ver=1 options:erspan_idx=7]) + +-IPTABLES_ACCEPT([br-underlay]) ++XT_ACCEPT([br-underlay]) + + NETNS_DAEMONIZE([at_ns0], [tcpdump -n -x -i p0 dst host 172.31.1.1 -l > p0.pcap 2>/dev/null], [tcpdump.pid]) + sleep 1 +@@ -1188,6 +1194,7 @@ OVS_TRAFFIC_VSWITCHD_STOP + AT_CLEANUP + + AT_SETUP([datapath - ping over erspan v2 tunnel by simulated packets]) ++OVS_CHECK_XT() + OVS_CHECK_MIN_KERNEL(3, 10) + + OVS_TRAFFIC_VSWITCHD_START() +@@ -1208,11 +1215,7 @@ dnl Set up tunnel endpoints on OVS outside the namespace and simulate a native + dnl linux device inside the namespace. 
+ ADD_OVS_TUNNEL([erspan], [br0], [at_erspan0], [172.31.1.1], [10.1.1.100/24], [options:key=1 options:erspan_ver=2 options:erspan_dir=1 options:erspan_hwid=0x7]) + +-dnl Certain Linux distributions, like CentOS, have default iptable rules +-dnl to reject input traffic from br-underlay. Here we add a rule to walk +-dnl around it. +-iptables -I INPUT 1 -i br-underlay -j ACCEPT +-on_exit 'iptables -D INPUT 1' ++XT_ACCEPT([br-underlay]) + + NETNS_DAEMONIZE([at_ns0], [tcpdump -n -x -i p0 dst host 172.31.1.1 -l > p0.pcap 2>/dev/null], [tcpdump.pid]) + sleep 1 +@@ -1241,6 +1244,7 @@ OVS_TRAFFIC_VSWITCHD_STOP + AT_CLEANUP + + AT_SETUP([datapath - ping over ip6erspan v1 tunnel by simulated packets]) ++OVS_CHECK_XT() + OVS_CHECK_MIN_KERNEL(3, 10) + + OVS_TRAFFIC_VSWITCHD_START() +@@ -1264,11 +1268,7 @@ ADD_OVS_TUNNEL6([ip6erspan], [br0], [at_erspan0], [fc00:100::1], [10.1.1.100/24] + + OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 2 fc00:100::100]) + +-dnl Certain Linux distributions, like CentOS, have default iptable rules +-dnl to reject input traffic from br-underlay. Here we add a rule to walk +-dnl around it. +-ip6tables -I INPUT 1 -i br-underlay -j ACCEPT +-on_exit 'ip6tables -D INPUT 1' ++XT6_ACCEPT([br-underlay]) + + NETNS_DAEMONIZE([at_ns0], [tcpdump -n -x -i p0 dst host fc00:100::1 -l > p0.pcap 2>/dev/null], [tcpdump.pid]) + sleep 1 +@@ -1296,6 +1296,7 @@ OVS_TRAFFIC_VSWITCHD_STOP + AT_CLEANUP + + AT_SETUP([datapath - ping over ip6erspan v2 tunnel by simulated packets]) ++OVS_CHECK_XT() + OVS_CHECK_MIN_KERNEL(3, 10) + + OVS_TRAFFIC_VSWITCHD_START() +@@ -1319,11 +1320,7 @@ ADD_OVS_TUNNEL6([ip6erspan], [br0], [at_erspan0], [fc00:100::1], [10.1.1.100/24] + + OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 2 fc00:100::100]) + +-dnl Certain Linux distributions, like CentOS, have default iptable rules +-dnl to reject input traffic from br-underlay. Here we add a rule to walk +-dnl around it. 
+-ip6tables -I INPUT 1 -i br-underlay -j ACCEPT +-on_exit 'ip6tables -D INPUT 1' ++XT6_ACCEPT([br-underlay]) + + NETNS_DAEMONIZE([at_ns0], [tcpdump -n -x -i p0 dst host fc00:100::1 -l > p0.pcap 2>/dev/null], [tcpdump.pid]) + sleep 1 +@@ -2359,11 +2356,22 @@ table=20 actions=drop AT_CHECK([ovs-ofctl del-flows br0]) AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) @@ -7353,7 +7899,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-flows | strip_stats | strip_used | dnl strip_key32 | strip_ptype | strip_eth | strip_recirc | dnl -@@ -2375,10 +2390,14 @@ recirc_id(),in_port(2),eth_type(0x86dd),ipv6(proto=58,frag=no),icmpv6(ty +@@ -2375,10 +2383,14 @@ recirc_id(),in_port(2),eth_type(0x86dd),ipv6(proto=58,frag=no),icmpv6(ty OVS_WAIT_UNTIL([ovs-appctl dpctl/dump-flows | grep ",nd" | wc -l | grep -E ^0]) dnl Send a matching neighbor discovery. @@ -7370,7 +7916,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-flows | strip_stats | strip_used | dnl strip_key32 | strip_ptype | strip_eth | strip_recirc | dnl -@@ -2407,20 +2426,29 @@ dnl The flow will encap a mpls header to the ip packet +@@ -2407,20 +2419,29 @@ dnl The flow will encap a mpls header to the ip packet dnl eth/ip/icmp --> OVS --> eth/mpls/eth/ip/icmp AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,dl_type=0x0800 actions=encap(mpls),set_mpls_label:2,encap(ethernet),set_field:00:00:00:00:00:02->dl_dst,set_field:00:00:00:00:00:01->dl_src,ovs-p1"]) 
@@ -7411,7 +7957,7 @@ index 98e494abf4..9dc8d9e4d0 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -2439,20 +2467,29 @@ dnl The flow will encap a mpls header to the ip packet +@@ -2439,20 +2460,29 @@ dnl The flow will encap a mpls header to the ip packet dnl eth/ip/icmp --> OVS --> eth/mpls/eth/ip/icmp AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,dl_type=0x0800 actions=encap(mpls),set_mpls_label:2,encap(ethernet),set_field:00:00:00:00:00:02->dl_dst,set_field:00:00:00:00:00:01->dl_src,ovs-p1"]) @@ -7452,7 +7998,7 @@ index 98e494abf4..9dc8d9e4d0 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -2472,20 +2509,29 @@ dnl The flow will encap a mpls header to the ip packet +@@ -2472,20 +2502,29 @@ dnl The flow will encap a mpls header to the ip packet dnl eth/ip/icmp --> OVS --> eth/mpls/eth/ip/icmp AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,dl_type=0x0800 actions=encap(mpls_mc),set_mpls_label:2,encap(ethernet),set_field:00:00:00:00:00:02->dl_dst,set_field:00:00:00:00:00:01->dl_src,ovs-p1"]) @@ -7493,7 +8039,7 @@ index 98e494abf4..9dc8d9e4d0 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -2504,20 +2550,29 @@ dnl The flow will encap a mpls header to the ip packet +@@ -2504,20 +2543,29 @@ dnl The flow will encap a mpls header to the ip packet dnl eth/ip/icmp --> OVS --> eth/mpls/eth/ip/icmp AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,dl_type=0x0800 actions=encap(mpls_mc),set_mpls_label:2,encap(ethernet),set_field:00:00:00:00:00:02->dl_dst,set_field:00:00:00:00:00:01->dl_src,ovs-p1"]) @@ -7534,7 +8080,7 @@ index 98e494abf4..9dc8d9e4d0 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -2538,24 +2593,30 @@ dnl eth/mpls/eth/ip/icmp --> OVS --> eth/ip/icmp +@@ -2538,24 +2586,30 @@ dnl eth/mpls/eth/ip/icmp --> OVS --> eth/ip/icmp AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,dl_type=0x8847,mpls_label=2 actions=decap(),decap(packet_type(ns=0,type=0)),ovs-p1"]) 
@@ -7580,7 +8126,7 @@ index 98e494abf4..9dc8d9e4d0 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -2575,24 +2636,30 @@ dnl eth/mpls/eth/ip/icmp --> OVS --> eth/ip/icmp +@@ -2575,24 +2629,30 @@ dnl eth/mpls/eth/ip/icmp --> OVS --> eth/ip/icmp AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,dl_type=0x8847,mpls_label=2 actions=decap(),decap(packet_type(ns=0,type=0)),ovs-p1"]) @@ -7626,7 +8172,7 @@ index 98e494abf4..9dc8d9e4d0 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -3103,7 +3170,10 @@ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl +@@ -3103,7 +3163,10 @@ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=,type=0,code=0) ]) @@ -7638,7 +8184,7 @@ index 98e494abf4..9dc8d9e4d0 100644 dnl Pings from ns1->ns0 should fail. NS_CHECK_EXEC([at_ns1], [ping -q -c 3 -i 0.3 -w 2 10.1.1.1 | FORMAT_PING], [0], [dnl -@@ -3244,6 +3314,11 @@ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl +@@ -3244,6 +3307,11 @@ AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl icmpv6,orig=(src=fc00::1,dst=fc00::2,id=,type=128,code=0),reply=(src=fc00::2,dst=fc00::1,id=,type=129,code=0) ]) @@ -7650,7 +8196,7 @@ index 98e494abf4..9dc8d9e4d0 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -3280,10 +3355,10 @@ OVS_START_L7([at_ns1], [http]) +@@ -3280,10 +3348,10 @@ OVS_START_L7([at_ns1], [http]) OVS_START_L7([at_ns3], [http]) dnl HTTP requests from p0->p1 should work fine. 
@@ -7663,7 +8209,7 @@ index 98e494abf4..9dc8d9e4d0 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -3323,10 +3398,10 @@ dnl traffic can't be identified, because the initial request wasn't committed. +@@ -3323,10 +3391,10 @@ dnl traffic can't be identified, because the initial request wasn't committed. dnl For the first pair of ports, this means that the connection fails. OVS_START_L7([at_ns1], [http]) OVS_START_L7([at_ns3], [http]) @@ -7676,7 +8222,7 @@ index 98e494abf4..9dc8d9e4d0 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -3362,7 +3437,7 @@ OVS_START_L7([at_ns1], [http]) +@@ -3362,7 +3430,7 @@ OVS_START_L7([at_ns1], [http]) OVS_START_L7([at_ns3], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -7685,7 +8231,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=) -@@ -3370,7 +3445,7 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= +@@ -3370,7 +3438,7 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= dnl HTTP requests from p2->p3 should fail due to network failure. dnl Try 3 times, in 1 second intervals. @@ -7694,7 +8240,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=,dport=),reply=(src=10.1.1.4,dst=10.1.1.3,sport=,dport=),zone=2,protoinfo=(state=) -@@ -3409,7 +3484,7 @@ OVS_START_L7([at_ns1], [http]) +@@ -3409,7 +3477,7 @@ OVS_START_L7([at_ns1], [http]) OVS_START_L7([at_ns3], [http]) dnl HTTP requests from p0->p1 should work fine. 
@@ -7703,7 +8249,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=4097,protoinfo=(state=) -@@ -3417,7 +3492,7 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= +@@ -3417,7 +3485,7 @@ tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src= dnl HTTP requests from p2->p3 should fail due to network failure. dnl Try 3 times, in 1 second intervals. @@ -7712,7 +8258,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=,dport=),reply=(src=10.1.1.4,dst=10.1.1.3,sport=,dport=),zone=4098,protoinfo=(state=) -@@ -3451,7 +3526,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -3451,7 +3519,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) OVS_START_L7([at_ns1], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -7721,7 +8267,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,dnl -@@ -3477,7 +3552,7 @@ AT_CHECK([ovs-ofctl mod-flows br0 dnl +@@ -3477,7 +3545,7 @@ AT_CHECK([ovs-ofctl mod-flows br0 dnl dnl Wait for a flow flush as some datapaths (read TC) might take time to clear. AT_CHECK([ovs-appctl revalidator/wait], [0]) @@ -7730,7 +8276,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-flows --names filter=in_port=ovs-p0 dnl | grep "+trk" | grep -q "ct_zone(0xf)" ], [0], []) -@@ -3511,7 +3586,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -3511,7 +3579,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) OVS_START_L7([at_ns1], [http]) dnl HTTP requests from p0->p1 should work fine. 
@@ -7739,7 +8285,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,dnl -@@ -3529,7 +3604,7 @@ AT_CHECK([ovs-ofctl mod-flows br0 'priority=100,ct_state=-trk,tcp,in_port="ovs-p +@@ -3529,7 +3597,7 @@ AT_CHECK([ovs-ofctl mod-flows br0 'priority=100,ct_state=-trk,tcp,in_port="ovs-p dnl Wait for a flow flush as some datapaths (read TC) might take time to clear. AT_CHECK([ovs-appctl revalidator/wait], [0]) @@ -7748,7 +8294,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-flows --names filter=in_port=ovs-p0 dnl | grep "+trk" | sed 's/0xffff000f\/0xffff/0xf\/0xffff/' dnl -@@ -3577,7 +3652,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt]) +@@ -3577,7 +3645,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br1 flows-br1.txt]) dnl HTTP requests from p0->p1 should work fine. OVS_START_L7([at_ns1], [http]) @@ -7757,7 +8303,7 @@ index 98e494abf4..9dc8d9e4d0 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -3606,10 +3681,10 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -3606,10 +3674,10 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) OVS_START_L7([at_ns1], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -7770,7 +8316,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=) -@@ -3648,10 +3723,10 @@ AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) +@@ -3648,10 +3716,10 @@ AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) OVS_START_L7([at_ns1], [http]) dnl HTTP requests from p0->p1 should work fine. 
@@ -7783,7 +8329,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=) -@@ -3693,14 +3768,14 @@ OVS_START_L7([at_ns1], [http]) +@@ -3693,14 +3761,14 @@ OVS_START_L7([at_ns1], [http]) OVS_START_L7([at_ns3], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -7800,7 +8346,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=,dport=),reply=(src=10.1.1.4,dst=10.1.1.3,sport=,dport=),mark=2,protoinfo=(state=) ]) -@@ -3735,7 +3810,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -3735,7 +3803,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) OVS_START_L7([at_ns1], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -7809,7 +8355,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),mark=3,protoinfo=(state=) -@@ -3774,14 +3849,14 @@ OVS_START_L7([at_ns1], [http]) +@@ -3774,14 +3842,14 @@ OVS_START_L7([at_ns1], [http]) OVS_START_L7([at_ns3], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -7826,7 +8372,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.4)], [0], [dnl tcp,orig=(src=10.1.1.3,dst=10.1.1.4,sport=,dport=),reply=(src=10.1.1.4,dst=10.1.1.3,sport=,dport=),mark=2,protoinfo=(state=) ]) -@@ -3820,11 +3895,11 @@ OVS_START_L7([at_ns1], [http]) +@@ -3820,11 +3888,11 @@ OVS_START_L7([at_ns1], [http]) OVS_START_L7([at_ns3], [http]) dnl HTTP requests from p0->p1 should work fine. 
@@ -7840,7 +8386,7 @@ index 98e494abf4..9dc8d9e4d0 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -3856,7 +3931,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -3856,7 +3924,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) OVS_START_L7([at_ns1], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -7849,7 +8395,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),labels=0x200000001,protoinfo=(state=) -@@ -3894,7 +3969,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -3894,7 +3962,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) OVS_START_L7([at_ns1], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -7858,7 +8404,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,mark=3,labels=0x200000001,protoinfo=(state=) -@@ -3930,7 +4005,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows1.txt]) +@@ -3930,7 +3998,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows1.txt]) dnl TCP traffic from ns0 to ns1 should fail. OVS_START_L7([at_ns1], [http]) @@ -7867,7 +8413,7 @@ index 98e494abf4..9dc8d9e4d0 100644 dnl Send UDP packet on port 1 twice. AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"]) -@@ -5230,14 +5305,14 @@ OVS_START_L7([at_ns0], [http]) +@@ -5230,14 +5298,14 @@ OVS_START_L7([at_ns0], [http]) OVS_START_L7([at_ns1], [http]) dnl HTTP requests from ns0->ns1 should work fine. 
@@ -7884,7 +8430,7 @@ index 98e494abf4..9dc8d9e4d0 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -5271,7 +5346,7 @@ OVS_START_L7([at_ns0], [http6]) +@@ -5271,7 +5339,7 @@ OVS_START_L7([at_ns0], [http6]) OVS_START_L7([at_ns1], [http6]) dnl HTTP requests from ns0->ns1 should work fine. @@ -7893,7 +8439,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl tcp,orig=(src=fc00::1,dst=fc00::2,sport=,dport=),reply=(src=fc00::2,dst=fc00::1,sport=,dport=),protoinfo=(state=) -@@ -5279,7 +5354,7 @@ tcp,orig=(src=fc00::1,dst=fc00::2,sport=,dport=),reply=(src=fc +@@ -5279,7 +5347,7 @@ tcp,orig=(src=fc00::1,dst=fc00::2,sport=,dport=),reply=(src=fc dnl HTTP requests from ns1->ns0 should fail due to network failure. dnl Try 3 times, in 1 second intervals. @@ -7902,7 +8448,7 @@ index 98e494abf4..9dc8d9e4d0 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -5317,10 +5392,10 @@ OVS_START_L7([at_ns1], [http]) +@@ -5317,19 +5385,21 @@ OVS_START_L7([at_ns1], [http]) OVS_START_L7([at_ns3], [http]) dnl HTTP requests from p0->p1 should work fine. @@ -7915,7 +8461,18 @@ index 98e494abf4..9dc8d9e4d0 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -5359,10 +5434,10 @@ AT_CHECK([ping -q -c 3 -i 0.3 -W 2 10.1.1.2 | FORMAT_PING], [0], [dnl + + AT_SETUP([conntrack - multiple zones, local]) ++CHECK_EXTERNAL_CT() + CHECK_CONNTRACK() + CHECK_CONNTRACK_LOCAL_STACK() + OVS_TRAFFIC_VSWITCHD_START() + ++ADD_EXTERNAL_CT([br0]) + ADD_NAMESPACES(at_ns0) + + AT_CHECK([ip addr add dev br0 "10.1.1.1/24"]) +@@ -5359,10 +5429,10 @@ AT_CHECK([ping -q -c 3 -i 0.3 -W 2 10.1.1.2 | FORMAT_PING], [0], [dnl OVS_START_L7([at_ns0], [http]) dnl HTTP requests from root namespace to p0 should work fine. 
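Review bot: The added `CHECK_EXTERNAL_CT()` and `ADD_EXTERNAL_CT([br0])` lines in "conntrack - multiple zones, local" carry no comment saying why this test now depends on an external conntrack entry. The same applies to "conntrack - multi-stage pipeline, local" and "conntrack - can match and clear ct_state from outside OVS" in the later hunks. A short note above the call would help, for example `dnl Have the host conntrack track br0 traffic before it reaches OVS.`; that purpose is inferred from the macro name, so please confirm it. Because `CHECK_EXTERNAL_CT()` is a skip check, these tests are silently skipped wherever the prerequisite is missing, which is worth stating next to the `AT_SETUP` line. The test bodies continue outside these hunks.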
@@ -7929,7 +8486,20 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=,type=0,code=0),zone=1 -@@ -5430,10 +5505,10 @@ AT_CHECK([ping -q -c 3 -i 0.3 -W 2 10.1.1.2 | FORMAT_PING], [0], [dnl +@@ -5375,10 +5445,12 @@ OVS_TRAFFIC_VSWITCHD_STOP + AT_CLEANUP + + AT_SETUP([conntrack - multi-stage pipeline, local]) ++CHECK_EXTERNAL_CT() + CHECK_CONNTRACK() + CHECK_CONNTRACK_LOCAL_STACK() + OVS_TRAFFIC_VSWITCHD_START() + ++ADD_EXTERNAL_CT([br0]) + ADD_NAMESPACES(at_ns0) + + AT_CHECK([ip addr add dev br0 "10.1.1.1/24"]) +@@ -5430,10 +5502,10 @@ AT_CHECK([ping -q -c 3 -i 0.3 -W 2 10.1.1.2 | FORMAT_PING], [0], [dnl OVS_START_L7([at_ns0], [http]) dnl HTTP requests from root namespace to p0 should work fine. @@ -7942,7 +8512,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=,type=0,code=0),zone=1 -@@ -5682,7 +5757,7 @@ NETNS_DAEMONIZE([at_ns1], [[$PYTHON3 $srcdir/test-l7.py ftp]], [ftp0.pid]) +@@ -5682,7 +5754,7 @@ NETNS_DAEMONIZE([at_ns1], [[$PYTHON3 $srcdir/test-l7.py ftp]], [ftp0.pid]) OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp]) dnl FTP requests from p0->p1 should work fine. @@ -7951,7 +8521,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([find -name index.html], [0], [dnl ./index.html -@@ -5749,12 +5824,12 @@ OVS_START_L7([at_ns1], [ftp]) +@@ -5749,12 +5821,12 @@ OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p1->p0 should fail due to network failure. dnl Try 3 times, in 1 second intervals. 
@@ -7966,7 +8536,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp ]) -@@ -5765,12 +5840,12 @@ AT_CHECK([ovs-appctl dpctl/flush-conntrack]) +@@ -5765,12 +5837,12 @@ AT_CHECK([ovs-appctl dpctl/flush-conntrack]) dnl FTP requests from p1->p0 should fail due to network failure. dnl Try 3 times, in 1 second intervals. @@ -7981,7 +8551,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),protoinfo=(state=) -@@ -5779,7 +5854,7 @@ tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src= +@@ -5779,7 +5851,7 @@ tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src= AT_CHECK([ovs-appctl dpctl/flush-conntrack]) dnl Passive FTP requests from p0->p1 should work fine. @@ -7990,7 +8560,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp ]) -@@ -5789,7 +5864,7 @@ AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows3.txt]) +@@ -5789,7 +5861,7 @@ AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows3.txt]) AT_CHECK([ovs-appctl dpctl/flush-conntrack]) dnl FTP control requests from p0->p1 should work fine, but helper will not be assigned. 
@@ -7999,7 +8569,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=) ]) -@@ -5855,12 +5930,12 @@ OVS_START_L7([at_ns1], [ftp], [11111]) +@@ -5855,12 +5927,12 @@ OVS_START_L7([at_ns1], [ftp], [11111]) dnl FTP requests from p1->p0 should fail due to network failure. dnl Try 3 times, in 1 second intervals. @@ -8014,7 +8584,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp ]) -@@ -5871,12 +5946,12 @@ AT_CHECK([ovs-appctl dpctl/flush-conntrack]) +@@ -5871,12 +5943,12 @@ AT_CHECK([ovs-appctl dpctl/flush-conntrack]) dnl FTP requests from p1->p0 should fail due to network failure. dnl Try 3 times, in 1 second intervals. @@ -8029,7 +8599,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),protoinfo=(state=) -@@ -5885,7 +5960,7 @@ tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src= +@@ -5885,7 +5957,7 @@ tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src= AT_CHECK([ovs-appctl dpctl/flush-conntrack]) dnl Passive FTP requests from p0->p1 should work fine. 
@@ -8038,7 +8608,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp ]) -@@ -5895,7 +5970,7 @@ AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows3.txt]) +@@ -5895,7 +5967,7 @@ AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows3.txt]) AT_CHECK([ovs-appctl dpctl/flush-conntrack]) dnl FTP control requests from p0->p1 should work fine, but helper will not be assigned. @@ -8047,7 +8617,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=) ]) -@@ -5930,7 +6005,7 @@ AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt]) +@@ -5930,7 +6002,7 @@ AT_CHECK([ovs-ofctl --bundle replace-flows br0 flows.txt]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. @@ -8056,7 +8626,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),protoinfo=(state=),helper=ftp -@@ -5991,7 +6066,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) +@@ -5991,7 +6063,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. 
@@ -8065,7 +8635,7 @@ index 98e494abf4..9dc8d9e4d0 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl -@@ -6050,7 +6125,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) +@@ -6050,7 +6122,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP passive requests from p0->p1 should work fine. @@ -8074,7 +8644,7 @@ index 98e494abf4..9dc8d9e4d0 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl -@@ -6100,12 +6175,12 @@ OVS_START_L7([at_ns1], [ftp]) +@@ -6100,12 +6172,12 @@ OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p1->p0 should fail due to network failure. dnl Try 3 times, in 1 second intervals. @@ -8089,7 +8659,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=),helper=ftp tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=2,protoinfo=(state=),helper=ftp -@@ -6116,7 +6191,7 @@ tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src= +@@ -6116,7 +6188,7 @@ tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),reply=(src= AT_CHECK([ovs-appctl dpctl/flush-conntrack]) dnl Passive FTP requests from p0->p1 should work fine. 
@@ -8098,7 +8668,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=) tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=),helper=ftp -@@ -6240,7 +6315,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -6240,7 +6312,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) dnl HTTP requests from p0->p1 should work fine. OVS_START_L7([at_ns1], [http]) @@ -8107,7 +8677,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=,dport=),zone=1,protoinfo=(state=) -@@ -6330,7 +6405,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -6330,7 +6402,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) dnl HTTP requests from p0->p1 should work fine. OVS_START_L7([at_ns1], [http]) @@ -8116,7 +8686,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=,dport=),zone=1,protoinfo=(state=) -@@ -6397,11 +6472,11 @@ ADD_NAMESPACES(at_ns0, at_ns1) +@@ -6397,11 +6469,11 @@ ADD_NAMESPACES(at_ns0, at_ns1) ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88]) ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") 
@@ -8130,7 +8700,7 @@ index 98e494abf4..9dc8d9e4d0 100644 in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat) in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1 dnl -@@ -6425,17 +6500,28 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -6425,17 +6497,28 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) dnl HTTP requests from p0->p1 should work fine. OVS_START_L7([at_ns1], [http]) @@ -8164,7 +8734,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CLEANUP AT_SETUP([conntrack - more complex SNAT]) -@@ -6481,7 +6567,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -6481,7 +6564,7 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) dnl HTTP requests from p0->p1 should work fine. OVS_START_L7([at_ns1], [http]) @@ -8173,7 +8743,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=,dport=),zone=1,protoinfo=(state=) -@@ -6575,14 +6661,14 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -6575,14 +6658,14 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) dnl Should work with the virtual IP address through NAT OVS_START_L7([at_ns1], [http]) @@ -8190,7 +8760,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=) -@@ -6613,7 +6699,7 @@ table=2,in_port=1,ip,ct_mark=0xac,ct_label=0xac,actions=2 +@@ -6613,7 +6696,7 @@ table=2,in_port=1,ip,ct_mark=0xac,ct_label=0xac,actions=2 ]) AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) 
@@ -8199,7 +8769,7 @@ index 98e494abf4..9dc8d9e4d0 100644 dnl - make sure only dst nat has been performed AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.240)], [0], [dnl -@@ -6671,14 +6757,14 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) +@@ -6671,14 +6754,14 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) dnl Should work with the virtual IP address through NAT OVS_START_L7([at_ns1], [http]) @@ -8216,7 +8786,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.1,sport=,dport=),zone=1,protoinfo=(state=) -@@ -7206,7 +7292,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null]) +@@ -7206,7 +7289,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. @@ -8225,7 +8795,7 @@ index 98e494abf4..9dc8d9e4d0 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl -@@ -7266,7 +7352,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.240 >/dev/null]) +@@ -7266,7 +7349,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.240 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. @@ -8234,7 +8804,7 @@ index 98e494abf4..9dc8d9e4d0 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl -@@ -7326,7 +7412,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.100.1 >/dev/null]) +@@ -7326,7 +7409,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.100.1 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. 
@@ -8243,7 +8813,7 @@ index 98e494abf4..9dc8d9e4d0 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.200)], [0], [dnl -@@ -7386,7 +7472,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.240 >/dev/null]) +@@ -7386,7 +7469,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.240 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. @@ -8252,7 +8822,7 @@ index 98e494abf4..9dc8d9e4d0 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl -@@ -7446,7 +7532,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null]) +@@ -7446,7 +7529,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping -c 1 10.1.1.2 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. @@ -8261,7 +8831,7 @@ index 98e494abf4..9dc8d9e4d0 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.120.240)], [0], [dnl -@@ -7491,12 +7577,12 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2]) +@@ -7491,12 +7574,12 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2]) dnl HTTP requests from ns0->ns1 should work fine. OVS_START_L7([at_ns1], [http6]) @@ -8276,7 +8846,7 @@ index 98e494abf4..9dc8d9e4d0 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -7535,7 +7621,7 @@ NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -W 2 fc00::240 | FORMAT_PING], [0] +@@ -7535,7 +7618,7 @@ NS_CHECK_EXEC([at_ns0], [ping6 -q -c 3 -i 0.3 -W 2 fc00::240 | FORMAT_PING], [0] dnl Should work with the virtual IP address through NAT OVS_START_L7([at_ns1], [http6]) 
@@ -8285,7 +8855,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::1)], [0], [dnl icmpv6,orig=(src=fc00::1,dst=fc00::240,id=,type=128,code=0),reply=(src=fc00::2,dst=fc00::1,id=,type=129,code=0),zone=1 -@@ -7685,7 +7771,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) +@@ -7685,7 +7768,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. @@ -8294,7 +8864,7 @@ index 98e494abf4..9dc8d9e4d0 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl -@@ -7746,7 +7832,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) +@@ -7746,7 +7829,7 @@ OVS_WAIT_UNTIL([ip netns exec at_ns0 ping6 -c 1 fc00::2 >/dev/null]) OVS_START_L7([at_ns1], [ftp]) dnl FTP requests from p0->p1 should work fine. @@ -8303,7 +8873,7 @@ index 98e494abf4..9dc8d9e4d0 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl -@@ -7806,7 +7892,7 @@ NETNS_DAEMONIZE([at_ns1], [[$PYTHON3 $srcdir/test-l7.py ftp]], [ftp0.pid]) +@@ -7806,7 +7889,7 @@ NETNS_DAEMONIZE([at_ns1], [[$PYTHON3 $srcdir/test-l7.py ftp]], [ftp0.pid]) OVS_WAIT_UNTIL([ip netns exec at_ns1 netstat -l | grep ftp]) dnl FTP requests from p0->p1 should work fine. @@ -8312,7 +8882,7 @@ index 98e494abf4..9dc8d9e4d0 100644 dnl Discards CLOSE_WAIT and CLOSING AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fc00::2)], [0], [dnl -@@ -7949,7 +8035,7 @@ on_exit 'ovs-appctl dpif/dump-flows br0' +@@ -7949,7 +8032,7 @@ on_exit 'ovs-appctl dpif/dump-flows br0' dnl Should work with the virtual IP address through NAT for i in $(seq 1 50); do echo Request $i 
@@ -8321,7 +8891,7 @@ index 98e494abf4..9dc8d9e4d0 100644 done dnl Each server should have at least one connection. -@@ -8215,10 +8301,18 @@ table=2,priority=10 ct_state=+trk+est action=drop +@@ -8215,10 +8298,18 @@ table=2,priority=10 ct_state=+trk+est action=drop AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) @@ -8343,7 +8913,23 @@ index 98e494abf4..9dc8d9e4d0 100644 sleep 1 -@@ -8389,6 +8483,53 @@ AT_CHECK([ovs-pcap client.pcap | grep 000000002010000000002000], [0], [dnl +@@ -8237,6 +8328,7 @@ OVS_TRAFFIC_VSWITCHD_STOP + AT_CLEANUP + + AT_SETUP([conntrack - can match and clear ct_state from outside OVS]) ++CHECK_EXTERNAL_CT() + CHECK_CONNTRACK_LOCAL_STACK() + OVS_CHECK_GENEVE() + +@@ -8247,6 +8339,7 @@ AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"]) + AT_CHECK([ovs-ofctl add-flow br-underlay "priority=100,ct_state=+trk,actions=ct_clear,resubmit(,0)"]) + AT_CHECK([ovs-ofctl add-flow br-underlay "priority=10,actions=normal"]) + ++ADD_EXTERNAL_CT([br0]) + ADD_NAMESPACES(at_ns0) + + dnl Set up underlay link from host into the namespace using veth pair. +@@ -8389,6 +8482,53 @@ AT_CHECK([ovs-pcap client.pcap | grep 000000002010000000002000], [0], [dnl OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP @@ -8397,7 +8983,7 @@ index 98e494abf4..9dc8d9e4d0 100644 AT_BANNER([IGMP]) AT_SETUP([IGMP - flood under normal action]) -@@ -8724,21 +8865,29 @@ dnl The flow will encap a nsh header to the TCP syn packet +@@ -8724,21 +8864,29 @@ dnl The flow will encap a nsh header to the TCP syn packet dnl eth/ip/tcp --> OVS --> eth/nsh/eth/ip/tcp AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,in_port=ovs-p0,ip,actions=encap(nsh(md_type=1)),set_field:0x1234->nsh_spi,set_field:0x11223344->nsh_c1,encap(ethernet),set_field:f2:ff:00:00:00:02->dl_dst,set_field:f2:ff:00:00:00:01->dl_src,ovs-p1"]) 
@@ -8440,7 +9026,7 @@ index 98e494abf4..9dc8d9e4d0 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -8756,19 +8905,31 @@ dnl The flow will decap a nsh header which in turn carries a TCP syn packet +@@ -8756,19 +8904,31 @@ dnl The flow will decap a nsh header which in turn carries a TCP syn packet dnl eth/nsh/eth/ip/tcp --> OVS --> eth/ip/tcp AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,in_port=ovs-p0,dl_type=0x894f, actions=decap(),decap(), ovs-p1"]) @@ -8482,7 +9068,7 @@ index 98e494abf4..9dc8d9e4d0 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -8788,22 +8949,38 @@ dnl The flow will add another NSH header with nsh_spi=0x101, nsh_si=4, +@@ -8788,22 +8948,38 @@ dnl The flow will add another NSH header with nsh_spi=0x101, nsh_si=4, dnl nsh_ttl=7 and change the md1 context AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,in_port=ovs-p0,dl_type=0x894f,nsh_spi=0x100,nsh_si=0x03,actions=decap(),decap(),encap(nsh(md_type=1)),set_field:0x07->nsh_ttl,set_field:0x0101->nsh_spi,set_field:0x04->nsh_si,set_field:0x100f0e0d->nsh_c1,set_field:0x0c0b0a09->nsh_c2,set_field:0x08070605->nsh_c3,set_field:0x04030201->nsh_c4,encap(ethernet),set_field:f2:ff:00:00:00:02->dl_dst,set_field:f2:ff:00:00:00:01->dl_src,ovs-p1"]) @@ -8535,7 +9121,7 @@ index 98e494abf4..9dc8d9e4d0 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP -@@ -8824,31 +9001,50 @@ dnl packet to to at_ns2. +@@ -8824,31 +9000,50 @@ dnl packet to to at_ns2. AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,dl_type=0x894f,nsh_spi=0x100,nsh_si=0x02,actions=ovs-p1"]) AT_CHECK([ovs-ofctl -Oopenflow13 add-flow br0 "table=0,priority=100,dl_type=0x894f,nsh_spi=0x100,nsh_si=0x01,actions=ovs-p2"]) 
@@ -8611,6 +9197,30 @@ index 98e494abf4..9dc8d9e4d0 100644 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP +diff --git a/tests/system-userspace-macros.at b/tests/system-userspace-macros.at +index d9b5b7e4c4..c1be973478 100644 +--- a/tests/system-userspace-macros.at ++++ b/tests/system-userspace-macros.at +@@ -357,3 +357,19 @@ m4_define([OVS_CHECK_BAREUDP], + [ + AT_SKIP_IF([:]) + ]) ++ ++# CHECK_EXTERNAL_CT() ++# ++# The userspace datapath does not support external ct. ++m4_define([CHECK_EXTERNAL_CT], ++[ ++ AT_SKIP_IF([:]) ++]) ++ ++# ADD_EXTERNAL_CT() ++# ++# The userspace datapath does not support external ct. ++m4_define([ADD_EXTERNAL_CT], ++[ ++ AT_SKIP_IF([:]) ++]) diff --git a/tests/test-multipath.c b/tests/test-multipath.c index 08d2cbaebf..4e9a3ab5c2 100644 --- a/tests/test-multipath.c @@ -9187,7 +9797,7 @@ index a8dd28c5b5..abf9b1d64c 100644 +OVS_VSWITCHD_STOP +AT_CLEANUP diff --git a/tests/tunnel-push-pop.at b/tests/tunnel-push-pop.at -index b1440f5904..885df07e5a 100644 +index b1440f5904..061650860d 100644 --- a/tests/tunnel-push-pop.at +++ b/tests/tunnel-push-pop.at @@ -30,17 +30,15 @@ dummy@ovs-dummy: hit:0 missed:0 
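Review bot: The header comment `# ADD_EXTERNAL_CT()` in tests/system-userspace-macros.at omits the argument, although the callers added in tests/system-traffic.at invoke it as `ADD_EXTERNAL_CT([br0])`. I would write `# ADD_EXTERNAL_CT([dev])` and say that the argument is ignored here. Both new macros expand to `AT_SKIP_IF([:])`, so any test that calls them is skipped unconditionally on the userspace datapath. The comment could state that the skip is intentional, so the missing coverage of the external-conntrack paths is not mistaken for a passing run.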
@@ -9274,7 +9884,24 @@ index b1440f5904..885df07e5a 100644 ]) AT_CHECK([ovs-ofctl add-flow br0 action=normal]) -@@ -777,6 +779,88 @@ AT_CHECK([ovs-appctl dpctl/dump-flows | grep -q 'slow_path(action)'], [0]) +@@ -765,6 +767,16 @@ dnl Sending again to exercise the non-miss upcall path. + AT_CHECK([ovs-appctl netdev-dummy/receive int-br "${packet}4"]) + OVS_WAIT_UNTIL([test `ovs-pcap p0.pcap | grep -E "${encap}${packet}4" | wc -l` -ge 2]) + ++dnl Send two more packets at the same time to make sure they are distinct ++dnl memory buffers. ++AT_CHECK([ovs-appctl netdev-dummy/receive int-br "${packet}4" "${packet}4"]) ++OVS_WAIT_UNTIL([test `ovs-pcap p0.pcap | grep -E "${encap}${packet}4" | wc -l` -ge 4]) ++ ++dnl Make sure all the packets are the same, i.e. have the same source port. ++AT_CHECK([ovs-pcap p0.pcap | sed 's/.$//' | sort | uniq \ ++ | grep -E -c "${encap}${packet}"], [0], [1 ++]) ++ + dnl Output to tunnel from the controller. + AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out int-br CONTROLLER "debug_slow,output:2" "${packet}5"]) + OVS_WAIT_UNTIL([test `ovs-pcap p0.pcap | grep -E "${encap}${packet}5" | wc -l` -ge 1]) +@@ -777,6 +789,88 @@ AT_CHECK([ovs-appctl dpctl/dump-flows | grep -q 'slow_path(action)'], [0]) OVS_VSWITCHD_STOP AT_CLEANUP @@ -9363,7 +9990,7 @@ index b1440f5904..885df07e5a 100644 AT_SETUP([tunnel_push_pop - underlay bridge match]) OVS_VSWITCHD_START([add-port br0 p0 -- set Interface p0 type=dummy ofport_request=1 other-config:hwaddr=aa:55:aa:55:00:00]) -@@ -796,8 +880,11 @@ dummy@ovs-dummy: hit:0 missed:0 +@@ -796,8 +890,11 @@ dummy@ovs-dummy: hit:0 missed:0 AT_CHECK([ovs-appctl netdev-dummy/ip4addr br0 1.1.2.88/24], [0], [OK ]) 
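Review bot: The pipeline `sed 's/.$//' | sort | uniq` in the added check has no comment saying what the stripped character is. It appears to drop the trailing digit appended to `${packet}` so that all encapsulated packets compare equal, and a line such as `dnl Strip the per-packet trailing digit before comparing.` would make the expected count of 1 readable. The check only demonstrates a stable source port if `${encap}` leaves that field unconstrained; `${encap}` is defined outside this hunk, so that should be confirmed. The test presumably guards the "Fix use of uninitialized RSS hash" change listed in the spec changelog, and the `dnl` comment could say so, which would make clear that a varying port here means uninitialized data reached the wire.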
@@ -9376,7 +10003,7 @@ index b1440f5904..885df07e5a 100644 AT_CHECK([ovs-ofctl add-flow br0 'arp,priority=1,action=normal']) dnl Use arp reply to achieve tunnel next hop mac binding -@@ -840,11 +927,12 @@ AT_CHECK([ovs-vsctl add-port int-br t2 dnl +@@ -840,11 +937,12 @@ AT_CHECK([ovs-vsctl add-port int-br t2 dnl -- set Interface t2 type=geneve options:remote_ip=1.1.2.92 dnl options:key=123 ofport_request=2]) @@ -9392,7 +10019,7 @@ index b1440f5904..885df07e5a 100644 ]) AT_CHECK([ovs-ofctl add-flow br0 action=normal]) -@@ -908,10 +996,12 @@ AT_CHECK([ovs-vsctl set port p8 tag=42 dnl +@@ -908,10 +1006,12 @@ AT_CHECK([ovs-vsctl set port p8 tag=42 dnl -- set port br0 tag=42 dnl -- set port p7 tag=200]) @@ -9407,7 +10034,7 @@ index b1440f5904..885df07e5a 100644 ]) dnl Send an ARP reply to port b8 on br0, so that packets will be forwarded -@@ -953,10 +1043,12 @@ AT_CHECK([ovs-vsctl add-port ovs-tun0 tun0 dnl +@@ -953,10 +1053,12 @@ AT_CHECK([ovs-vsctl add-port ovs-tun0 tun0 dnl -- add-port ovs-tun0 p7 dnl -- set interface p7 type=dummy ofport_request=7]) @@ -9422,7 +10049,7 @@ index b1440f5904..885df07e5a 100644 ]) dnl Send an ARP reply to port b8 on br0, so that packets will be forwarded -@@ -993,3 +1085,249 @@ udp(src=0,dst=4789,csum=0x0),vxlan(flags=0x8000000,vni=0x0)),out_port(100)),8),7 +@@ -993,3 +1095,249 @@ udp(src=0,dst=4789,csum=0x0),vxlan(flags=0x8000000,vni=0x0)),out_port(100)),8),7 OVS_VSWITCHD_STOP AT_CLEANUP diff --git a/SPECS/openvswitch3.3.spec b/SPECS/openvswitch3.3.spec index 7aae76d..be5f835 100644 --- a/SPECS/openvswitch3.3.spec +++ b/SPECS/openvswitch3.3.spec @@ -57,7 +57,7 @@ Summary: Open vSwitch Group: System Environment/Daemons daemon/database/utilities URL: http://www.openvswitch.org/ Version: 3.3.0 -Release: 66%{?dist} +Release: 67%{?dist} # Nearly all of openvswitch is ASL 2.0. The bugtool is LGPLv2+, and the # lib/sflow*.[ch] files are SISSL 
@@ -769,6 +769,21 @@ exit 0 %endif %changelog +* Mon Dec 02 2024 Open vSwitch CI - 3.3.0-67 +- Merging upstream branch-3.3 [RH git: b167f15ca8] + Commit list: + 283bfbad24 netdev: Always clear struct ifreq before ioctl. + 27f9795a74 netdev-native-tnl: Fix use of uninitialized RSS hash. + ee440713cd tests: Use OVS_CHECK_XT6 for all applicable IPv6 tests. + ed8db7aaf3 tests: Use OVS_CHECK_XT for all applicable IPv4 tests. + 6629327049 classifier: Fix the fieldspec comment in the prefix tracking section. + 30c5962fc6 tests: Handle marks using nft if available. + 98c143755d tests: Add nft support to ADD_EXTERNAL_CT. + ef3ce35b47 tests: Add nft accept support. + 2395d33155 ovs-macros.at: Correctly delete iptables rule on_exit. + 3a9accee14 system-traffic: Do not rely on conncount for already tracked packets. (FDP-708) + + * Mon Dec 02 2024 Open vSwitch CI - 3.3.0-66 - Merging upstream branch-3.3 [RH git: f984308b7a] Commit list: