From: Joe Stringer
Date: Sat, 7 Nov 2015 20:00:00 +0000 (-0800)
Subject: system-traffic: Add internal port conntrack tests.
X-Git-Tag: v2.5.0~295
X-Git-Url: http://git.cascardo.eti.br/?p=cascardo%2Fovs.git;a=commitdiff_plain;h=0e27c629d472da40e108a79dce3343e3ac7f54cd
system-traffic: Add internal port conntrack tests.
Add an additional test that ensures that when receiving packets from internal ports that reside in a foreign namespace, the conntrack information is not populated in the flow.
Signed-off-by: Joe Stringer
Acked-by: Daniele Di Proietto
---
diff --git a/tests/system-common-macros.at b/tests/system-common-macros.at
index 7836f65f5..ea413d797 100644
--- a/tests/system-common-macros.at
+++ b/tests/system-common-macros.at
@@ -43,6 +43,18 @@ m4_define([NS_CHECK_EXEC],
 # appropriate type, and allows additional arguments to be passed.
 m4_define([ADD_BR], [ovs-vsctl _ADD_BR([$1]) -- $2])
 
+# ADD_INT([port], [namespace], [ovs-br], [ip_addr])
+#
+# Add an internal port to 'ovs-br', then shift it into 'namespace' and
+# configure it with 'ip_addr' (specified in CIDR notation).
+m4_define([ADD_INT],
+ [ AT_CHECK([ovs-vsctl add-port $3 $1 -- set int $1 type=internal])
+ AT_CHECK([ip link set $1 netns $2])
+ NS_CHECK_EXEC([$2], [ip addr add $4 dev $1])
+ NS_CHECK_EXEC([$2], [ip link set dev $1 up])
+ ]
+)
+
 # ADD_VETH([port], [namespace], [ovs-br], [ip_addr])
 #
 # Add a pair of veth ports. 'port' will be added to name space 'namespace',
diff --git a/tests/system-traffic.at b/tests/system-traffic.at
index ad84de6fb..82b884d72 100644
--- a/tests/system-traffic.at
+++ b/tests/system-traffic.at
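Review bot: The header comment on ADD_INT in tests/system-common-macros.at does not tell callers that moving the port out of the root namespace has a cost at teardown. The only caller in this commit has to pass two sed filters to OVS_TRAFFIC_VSWITCHD_STOP for `No such device` log lines, presumably because ovs-vswitchd can no longer see the device once `ip link set $1 netns $2` has run. I would add a line to the comment such as `# Callers must filter the "No such device" messages this causes when stopping vswitchd.` so that the next test using the macro does not fail on log checking for an unrelated reason.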
@@ -610,6 +610,46 @@ src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id= src=10.1.1.2 dst=10.1.1.1 t
 OVS_TRAFFIC_VSWITCHD_STOP
 AT_CLEANUP
 
+AT_SETUP([conntrack - multiple namespaces, internal ports])
+CHECK_CONNTRACK()
+OVS_TRAFFIC_VSWITCHD_START(
+ [set-fail-mode br0 secure -- ])
+
+ADD_NAMESPACES(at_ns0, at_ns1)
+
+ADD_INT(p0, at_ns0, br0, "10.1.1.1/24")
+ADD_INT(p1, at_ns1, br0, "10.1.1.2/24")
+
+dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
+dnl
+dnl If skb->nfct is leaking from inside the namespace, this test will fail.
+AT_DATA([flows.txt], [dnl
+priority=1,action=drop
+priority=10,arp,action=normal
+priority=10,icmp,action=normal
+priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),2
+priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=1)
+priority=100,in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1
+])
+
+AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
+
+dnl HTTP requests from p0->p1 should work fine.
+NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
+NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+
+dnl (again) HTTP requests from p0->p1 should work fine.
+NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+
+AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl
+TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport= dport= src=10.1.1.2 dst=10.1.1.1 sport= dport= [[ASSURED]] mark=0 zone=1 use=1
+])
+
+OVS_TRAFFIC_VSWITCHD_STOP(["dnl
+/ioctl(SIOCGIFINDEX) on .* device failed: No such device/d
+/removing policing failed: No such device/d"])
+AT_CLEANUP
+
 AT_SETUP([conntrack - multi-stage pipeline, local])
 CHECK_CONNTRACK()
 OVS_TRAFFIC_VSWITCHD_START()
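Review bot: Nothing in this test makes at_ns0 or at_ns1 attach conntrack state to the packets before they reach br0, so the `ct_state=-trk` rules in flows.txt can only catch a leaking skb->nfct if the kernel's own connection tracking happens to be active inside those namespaces. Otherwise the test passes without exercising the leak. That dependency is inferred rather than visible here, so it deserves a line in the comment block, for example `dnl This relies on netfilter conntrack being active inside at_ns0 and at_ns1.` The same comment says `Only allow nd, return traffic from ns1->ns0`, while the flow table admits `arp` and `icmp` in both directions and has no nd rule, so the wording should name what is actually allowed. The second wget also writes to `wget0.log`, which overwrites the log of the first request; `wget1.log` would keep both when a failure has to be debugged.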