Apologies, I missed this one.

On 6 November 2015 at 16:10, Jarno Rajahalme <[email protected]> wrote:
> Signed-off-by: Jarno Rajahalme <[email protected]>
> ---
>  tests/system-traffic.at | 50 
> +++++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 50 insertions(+)
>
> diff --git a/tests/system-traffic.at b/tests/system-traffic.at
> index eeafd24..0999f03 100644
> --- a/tests/system-traffic.at
> +++ b/tests/system-traffic.at
> @@ -972,6 +972,56 @@ TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> 
> dport=<cleared> src=10.1.1.2
>  OVS_TRAFFIC_VSWITCHD_STOP
>  AT_CLEANUP
>
> +
> +AT_SETUP([conntrack - IPv6 FTP])
> +AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
> +CHECK_CONNTRACK()
> +OVS_TRAFFIC_VSWITCHD_START()
> +
> +ADD_NAMESPACES(at_ns0, at_ns1)
> +
> +ADD_VETH(p0, at_ns0, br0, "fc00::1/96")
> +ADD_VETH(p1, at_ns1, br0, "fc00::2/96")
> +
> +dnl Allow any traffic from ns0->ns1.
> +dnl Only allow nd, return traffic from ns1->ns0.
> +AT_DATA([flows.txt], [dnl
> +dnl Track all IPv6 traffic and drop the rest.
> +table=0 ip6, action=ct(table=1)
> +table=0 priority=0 action=drop
> +dnl
> +dnl Table 1
> +dnl
> +dnl Allow new TCPv6 FTP control connections from port 1.
> +table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2
> +dnl Allow related TCPv6 connections from port 2.
> +table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1
> +dnl Allow established TCPv6 connections both ways.
> +table=1 in_port=1 ct_state=+est, tcp6, action=2
> +table=1 in_port=2 ct_state=+est, tcp6, action=1
> +dnl Allow ICMPv6 both ways.  No commit, so pings will not be tracked.
> +table=1 in_port=1 ct_state=+new, icmp6, action=2
> +table=1 in_port=2 ct_state=+new, icmp6, action=1
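
Review bot: The dnl comment above AT_DATA ("Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.") does not match the rules in flows.txt. From in_port=1, table 1 forwards only new tcp6 with tp_dst=21, established tcp6 and new icmp6, so ns0->ns1 is not "any traffic". From in_port=2, the rule "ct_state=+new, icmp6, action=1" matches any new ICMPv6, including the pings its own comment mentions, not only ND. Suggest rewording the comment to describe the policy the test actually installs (FTP control from port 1, related and established TCPv6, and whatever ICMPv6 handling is kept), so a reader copying this table as a firewall example does not assume ns1 is limited to ND and return traffic.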

These ICMPv6 flows aren't used in the test, and are probably not a
great example as I don't think things like Neighbour Discovery (also
ICMPv6) should really be sent to the connection tracker at all. For
instance, it's not describing point-to-point "connections", and ct may
not respect zone. But it's easy enough to just drop those flows.

Otherwise, LGTM.

Acked-by: Joe Stringer <[email protected]>
_______________________________________________
dev mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/dev