Add an additional test that ensures that when receiving packets from internal ports that reside in a foreign namespace, the conntrack information is not populated in the flow.
Signed-off-by: Joe Stringer <[email protected]> --- tests/system-common-macros.at | 12 ++++++++++++ tests/system-traffic.at | 41 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 53 insertions(+) diff --git a/tests/system-common-macros.at b/tests/system-common-macros.at index f0da5893905b..581c779e3e28 100644 --- a/tests/system-common-macros.at +++ b/tests/system-common-macros.at @@ -43,6 +43,18 @@ m4_define([NS_CHECK_EXEC], # appropriate type, and allows additional arguments to be passed. m4_define([ADD_BR], [ovs-vsctl _ADD_BR([$1]) -- $2]) +# ADD_INT([port], [namespace], [ovs-br], [ip_addr]) +# +# Add an internal port to 'ovs-br', then shift it into 'namespace' and +# configure it with 'ip_addr' (specified in CIDR notation). +m4_define([ADD_INT], + [ AT_CHECK([ovs-vsctl add-port $3 $1 -- set int $1 type=internal]) + AT_CHECK([ip link set $1 netns $2]) + NS_CHECK_EXEC([$2], [ip addr add $4 dev $1]) + NS_CHECK_EXEC([$2], [ip link set dev $1 up]) + ] +) + # ADD_VETH([port], [namespace], [ovs-br], [ip_addr]) # # Add a pair of veth ports. 'port' will be added to name space 'namespace', diff --git a/tests/system-traffic.at b/tests/system-traffic.at index 3b47cced678f..abe00e149feb 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -566,6 +566,47 @@ TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP +AT_SETUP([conntrack - multiple zones, internal ports]) +CHECK_CONNTRACK() +OVS_TRAFFIC_VSWITCHD_START( + [set-fail-mode br0 secure -- ]) + +ADD_NAMESPACES(at_ns0, at_ns1) + +ADD_INT(p0, at_ns0, br0, "10.1.1.1/24") +ADD_INT(p1, at_ns1, br0, "10.1.1.2/24") + +dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0. +dnl +dnl If skb->nfct is leaking from inside the namespace, this test will fail. +AT_DATA([flows.txt], [dnl +priority=1,action=drop +priority=10,arp,action=normal +priority=10,icmp,action=normal +priority=100,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=1),ct(commit,zone=2),2 +priority=100,in_port=2,ct_state=-trk,tcp,action=ct(table=0,zone=2) +priority=100,in_port=2,ct_state=+trk,ct_zone=2,tcp,action=1 +]) + +AT_CHECK([ovs-ofctl add-flows br0 flows.txt]) + +dnl HTTP requests from p0->p1 should work fine. +NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py]], [http0.pid]) +NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) + +dnl (again) HTTP requests from p0->p1 should work fine. +NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log]) + +AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2)], [0], [dnl +SYN_SENT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[UNREPLIED]] src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> mark=0 zone=1 use=1 +TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1 +]) + +OVS_TRAFFIC_VSWITCHD_STOP(["dnl +/ioctl(SIOCGIFINDEX) on .* device failed: No such device/d +/removing policing failed: No such device/d"]) +AT_CLEANUP + AT_SETUP([conntrack - multiple zones, local]) CHECK_CONNTRACK() OVS_TRAFFIC_VSWITCHD_START( -- 2.1.4 _______________________________________________ dev mailing list [email protected] http://openvswitch.org/mailman/listinfo/dev
