On Tue, Jun 19, 2018 at 7:15 PM, Han Zhou <[email protected]> wrote: > > > > On Tue, Jun 19, 2018 at 5:49 PM, Ben Pfaff <[email protected]> wrote: > > > > On Tue, Jun 19, 2018 at 05:27:20PM -0700, Han Zhou wrote: > > > All looks good to me except that the test case "ovn -- ACLs on Port Groups" > > > is broken with this change. I think it is because conntrack is not > > > supported in the dummy datapath and so the stateful ACL would not work in > > > the test suites, and it was passing just because of this bug. So, to fix > > > the test case, you need below change: > > > > I would have guessed that conntrack works OK in the dummy datapath > > because dpif-netdev supports conntrack. > > Ah, I admit that I am ignorant on this. I need to study more on it to understand why this test case doesn't work. Is there any tool/documentation/example on how to debug the dummy datapath conntrack, such as dumping the conntrack table entries? > I checked more on this. I didn't find any tools to debug the user space conntrack module, but I found "ovs-appctl dpif/dump-flows" useful for debugging the dummy datapath. By dumping flow it shows the packets are dropped because the conntrack state for the packets are marked as "invalid". It is marked as invalid because the checksum we used in the test packets are all 0s and conn_key_extract() returns false. This is why stateful ACL seems not working in test cases, and probably this is why none of the ACL test cases were actually testing "allow-related".
conn_key_extract() checks both L3 and L4 checksums. I tried with a single ICMP request packet with correct IP header checksum and ICMP checksum, and the packet went through the conntrack and was received successfully. So I think there are 2 alternatives to test stateful ACLs in test cases. option1: write a script to generate proper checksums, and use it in test cases when correct checksum is required option2: add an option to the dummy datapath to bypass checksum validation in connection tracking I will try option1 first, but any suggestions are welcome. Thanks, Han _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
