@fortitudepub
Created September 9, 2016 07:58
ovs simple nat extracted from system-traffic.at
# ns0
ip netns del natns0
ip netns add natns0
ip netns exec natns0 ip link set lo up
ip link add natp0 type veth peer name natp0p
ip link set natp0 netns natns0
ip link set natp0p up
ip netns exec natns0 ip link set natp0 up
ip netns exec natns0 ip link set natp0 address 80:88:88:88:88:88
ip netns exec natns0 ip addr add 10.1.1.1/24 dev natp0
# ns1
ip netns del natns1
ip netns add natns1
ip netns exec natns1 ip link set lo up
ip link add natp1 type veth peer name natp1p
ip link set natp1 netns natns1
ip link set natp1p up
ip netns exec natns1 ip link set natp1 up
ip netns exec natns1 ip addr add 10.1.1.2/24 dev natp1
# add two ports to ovs
ovs-vsctl --if-exists del-br natbr
ovs-vsctl add-br natbr
# the flows below assume natp0p is OpenFlow port 1 and natp1p is port 2
ovs-vsctl add-port natbr natp0p
ovs-vsctl add-port natbr natp1p
# add rules. (note: ovs also supports bundles, which can be used to apply multiple rules together atomically.)
ovs-ofctl add-flow natbr "in_port=1,ip,action=ct(commit,zone=1,nat(src=10.1.1.240-10.1.1.255)),2"
ovs-ofctl add-flow natbr "in_port=2,ct_state=-trk,ip,action=ct(table=0,zone=1,nat)"
ovs-ofctl add-flow natbr "in_port=2,ct_state=+trk,ct_zone=1,ip,action=1"
ovs-ofctl add-flow natbr "priority=100 arp arp_op=1 action=move:OXM_OF_ARP_TPA[]->NXM_NX_REG2[],resubmit(,8),goto_table:10"
ovs-ofctl add-flow natbr "priority=10 arp action=normal"
ovs-ofctl add-flow natbr "priority=0,action=drop"
# Because of SNAT to 10.1.1.240-255, p1 will ARP for the mapped address's MAC since they are in the same subnet; tables 8 and 10 answer that ARP with p0's MAC.
ovs-ofctl add-flow natbr "table=8,reg2=0x0a0101f0/0xfffffff0,action=load:0x808888888888->OXM_OF_PKT_REG0[]"
ovs-ofctl add-flow natbr "table=8,priority=0,action=load:0->OXM_OF_PKT_REG0[]"
ovs-ofctl add-flow natbr "table=10 priority=100 arp xreg0=0 action=normal"
ovs-ofctl add-flow natbr "table=10 priority=10,arp,arp_op=1,action=load:2->OXM_OF_ARP_OP[],move:OXM_OF_ARP_SHA[]->OXM_OF_ARP_THA[],move:OXM_OF_PKT_REG0[0..47]->OXM_OF_ARP_SHA[],move:OXM_OF_ARP_SPA[]->OXM_OF_ARP_TPA[],move:NXM_NX_REG2[]->OXM_OF_ARP_SPA[],move:NXM_OF_ETH_SRC[]->NXM_OF_ETH_DST[],move:OXM_OF_PKT_REG0[0..47]->NXM_OF_ETH_SRC[],move:NXM_OF_IN_PORT[]->NXM_NX_REG3[0..15],load:0->NXM_OF_IN_PORT[],output:NXM_NX_REG3[0..15]"
ovs-ofctl add-flow natbr "table=10 priority=0 action=drop"
# dnl HTTP requests from p0->p1 should work fine.
# NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
# NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 5 -T 1 --retry-connrefused -v -o wget0.log])
# AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/'], [0], [dnl
# tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=<cleared>,dport=<cleared>),zone=1,protoinfo=(state=<cleared>)
# FTP test...
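The conntrack check in the test above (the FORMAT_CT line) only verifies that the reply dst was rewritten into 10.1.1.24X/25X. As an added example, not part of the gist or of system-traffic.at, the script below parses `ovs-appctl dpctl/dump-conntrack` output and flags entries whose translation does not match the configured pipeline: wrong zone, a reply dst outside the SNAT pool, or no translation at all. The sample dump is constructed, with real port numbers in place of `<cleared>`.

```python
import ipaddress
import re

# SNAT pool from nat(src=10.1.1.240-10.1.1.255); as a /28 it equals the
# reg2=0x0a0101f0/0xfffffff0 match used by the ARP proxy in table 8.
SNAT_POOL = ipaddress.ip_network("10.1.1.240/28")
CT_ZONE = "1"  # all NAT flows commit to zone 1

TUPLE_RE = re.compile(r"(\w+)=\(([^)]*)\)")  # orig=(...), reply=(...), protoinfo=(...)
KV_RE = re.compile(r"(\w+)=([^,()]+)")


def parse_ct_entry(line):
    """Parse one dump-conntrack line into {'proto', 'orig', 'reply', 'zone', ...}."""
    proto, rest = line.strip().split(",", 1)
    entry = {"proto": proto}
    for name, body in TUPLE_RE.findall(rest):
        entry[name] = dict(KV_RE.findall(body))
    # scalar fields such as zone=1 sit between the parenthesised tuples
    for key, value in KV_RE.findall(TUPLE_RE.sub("", rest)):
        entry[key] = value
    return entry


def check_snat_entry(entry):
    """Return findings for one entry; an empty list means it matches the intended NAT."""
    findings = []
    orig, reply = entry.get("orig", {}), entry.get("reply", {})
    if entry.get("zone") != CT_ZONE:
        findings.append(f"zone={entry.get('zone')} but NAT flows commit to zone {CT_ZONE}")
    if "dst" in reply:
        mapped = ipaddress.ip_address(reply["dst"])
        if mapped not in SNAT_POOL:
            findings.append(f"reply dst {mapped} is outside SNAT pool {SNAT_POOL}")
        if reply["dst"] == orig.get("src"):
            findings.append("no translation applied: reply dst equals original src")
    return findings


def audit_conntrack(dump):
    """Map each non-empty dump line to its list of findings."""
    return {line: check_snat_entry(parse_ct_entry(line))
            for line in dump.splitlines() if line.strip()}


# Constructed sample in dpctl/dump-conntrack format: one good entry, one
# untranslated entry, one committed to the wrong zone.
SAMPLE_DUMP = """
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=40000,dport=80),reply=(src=10.1.1.2,dst=10.1.1.241,sport=80,dport=40000),zone=1,protoinfo=(state=ESTABLISHED)
udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=5000,dport=53),reply=(src=10.1.1.2,dst=10.1.1.1,sport=53,dport=5000),zone=1
tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=40001,dport=21),reply=(src=10.1.1.2,dst=10.1.1.250,sport=21,dport=40001),zone=0,protoinfo=(state=ESTABLISHED)
"""

if __name__ == "__main__":
    for line, findings in audit_conntrack(SAMPLE_DUMP).items():
        print("OK " if not findings else "BAD", line.split(",reply")[0], findings)
```

On a live host, feed it the real dump with `ovs-appctl dpctl/dump-conntrack zone=1` to audit only the NAT zone.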
@fortitudepub (Author)

When a packet enters the vport pipeline it has not yet been processed by conntrack, so its conntrack state is unknown. It therefore has to match the -trk flow first, have the ct action create the conntrack state, and then continue in the kernel via the recirc action, which looks up the second-pass flow table identified by a specific recirc id.
So statistically the match counts of -trk and +trk should be equal; that is, a packet is looked up twice in the flow table on the kernel side, and the first packet of a flow needs two upcalls.
