fortitudepub · September 9, 2016 07:58 · fortitudepub · Sep 9, 2016
diff --git a/gistfile1.txt b/gistfile1.txt
 # ns0
 ip netns del natns0
 ip netns add natns0
 ip netns exec natns0 ip link set lo up
 ip link add natp0 type veth peer name natp0p
 ip link set natp0 netns natns0
 ip link set natp0p up
 ip netns exec natns0 ip link set natp0 up
 ip netns exec natns0 ip link set natp0 address 80:88:88:88:88:88
 ip netns exec natns0 ip addr add 10.1.1.1/24 dev natp0
 # ns1
 ip netns del natns1
 ip netns add natns1
 ip netns exec natns1 ip link set lo up
 ip link add natp1 type veth peer name natp1p
 ip link set natp1 netns natns1
 ip link set natp1p up
 ip netns exec natns1 ip link set natp1 up
 ip netns exec natns1 ip addr add 10.1.1.2/24 dev natp1

 # add two ports to ovs
 ovs-vsctl del-br natbr
 ovs-vsctl add-br natbr
 # be port 1
 ovs-vsctl add-port natbr natp0p
 ovs-vsctl add-port natbr natp1p
 # be port 2

 # add rules. (note ovs also support bundle, which can be used to bundle multiple rules together in atomic way.)
 ovs-ofctl add-flow natbr "in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2"
 ovs-ofctl add-flow natbr "in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)"
 ovs-ofctl add-flow natbr "in_port=2,ct_state=+trk,ct_zone=1,ip,action=1"

 ovs-ofctl add-flow natbr "priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[]->NXM_NX_REG2[],resubmit(,8),goto_table:10"
 ovs-ofctl add-flow natbr "priority=10 arp action=normal"
 ovs-ofctl add-flow natbr "priority=0,action=drop"

 # Because of snat to 10.1.1.240, p1 will request 240's mac since they are in same subnet.
 ovs-ofctl add-flow natbr "table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[]"
 ovs-ofctl add-flow natbr "table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[]"
 ovs-ofctl add-flow natbr "table=10 priority=100 arp xreg0=0 action=normal"
 ovs-ofctl add-flow natbr "table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[],move:OXM_OF_ARP_SHA[]->OXM_OF_ARP_THA[],move:OXM_OF_PKT_REG0[0..47]->OXM_OF_ARP_SHA[],move:OXM_OF_ARP_SPA[]->OXM_OF_ARP_TPA[],move:NXM_NX_REG2[]->OXM_OF_ARP_SPA[],move:NXM_OF_ETH_SRC[]->NXM_OF_ETH_DST[],move:OXM_OF_PKT_REG0[0..47]->NXM_OF_ETH_SRC[],move:NXM_OF_IN_PORT[]->NXM_NX_REG3[0..15],load:0->NXM_OF_IN_PORT[],output:NXM_NX_REG3[0..15]"
 ovs-ofctl add-flow natbr "table=10 priority=0 action=drop"

 # dnl HTTP requests from p0->p1 should work fine.
 # NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
 # NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

 # AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
 # tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)

 # FTP test...
	# ns0
	ip netns del natns0
	ip netns add natns0
	ip netns exec natns0 ip link set lo up
	ip link add natp0 type veth peer name natp0p
	ip link set natp0 netns natns0
	ip link set natp0p up
	ip netns exec natns0 ip link set natp0 up
	ip netns exec natns0 ip link set natp0 address 80:88:88:88:88:88
	ip netns exec natns0 ip addr add 10.1.1.1/24 dev natp0
	# ns1
	ip netns del natns1
	ip netns add natns1
	ip netns exec natns1 ip link set lo up
	ip link add natp1 type veth peer name natp1p
	ip link set natp1 netns natns1
	ip link set natp1p up
	ip netns exec natns1 ip link set natp1 up
	ip netns exec natns1 ip addr add 10.1.1.2/24 dev natp1

	# add two ports to ovs
	ovs-vsctl del-br natbr
	ovs-vsctl add-br natbr
	# be port 1
	ovs-vsctl add-port natbr natp0p
	ovs-vsctl add-port natbr natp1p
	# be port 2

	# add rules. (note ovs also support bundle, which can be used to bundle multiple rules together in atomic way.)
	ovs-ofctl add-flow natbr "in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2"
	ovs-ofctl add-flow natbr "in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)"
	ovs-ofctl add-flow natbr "in_port=2,ct_state=+trk,ct_zone=1,ip,action=1"

	ovs-ofctl add-flow natbr "priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[]->NXM_NX_REG2[],resubmit(,8),goto_table:10"
	ovs-ofctl add-flow natbr "priority=10 arp action=normal"
	ovs-ofctl add-flow natbr "priority=0,action=drop"

	# Because of snat to 10.1.1.240, p1 will request 240's mac since they are in same subnet.
	ovs-ofctl add-flow natbr "table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[]"
	ovs-ofctl add-flow natbr "table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[]"
	ovs-ofctl add-flow natbr "table=10 priority=100 arp xreg0=0 action=normal"
	ovs-ofctl add-flow natbr "table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[],move:OXM_OF_ARP_SHA[]->OXM_OF_ARP_THA[],move:OXM_OF_PKT_REG0[0..47]->OXM_OF_ARP_SHA[],move:OXM_OF_ARP_SPA[]->OXM_OF_ARP_TPA[],move:NXM_NX_REG2[]->OXM_OF_ARP_SPA[],move:NXM_OF_ETH_SRC[]->NXM_OF_ETH_DST[],move:OXM_OF_PKT_REG0[0..47]->NXM_OF_ETH_SRC[],move:NXM_OF_IN_PORT[]->NXM_NX_REG3[0..15],load:0->NXM_OF_IN_PORT[],output:NXM_NX_REG3[0..15]"
	ovs-ofctl add-flow natbr "table=10 priority=0 action=drop"

	# dnl HTTP requests from p0->p1 should work fine.
	# NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
	# NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])

	# AT_CHECK([ovs-appctl dpctl/dump-conntrack \| FORMAT_CT(10.1.1.2) \| sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
	# tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)

	# FTP test...