This patch adds a system traffic test to verify the conntrack timeout feature. The test uses the nfct utility to set customized ICMP and UDP timeouts to a short period. It then injects ICMP and UDP traffic into conntrack and checks whether the corresponding conntrack entries expire after the predefined timeout.
Signed-off-by: Yi-Hung Wei <[email protected]>
---
 tests/atlocal.in | 2 ++
 tests/system-kmod-macros.at | 10 +++++++
 tests/system-traffic.at | 65 ++++++++++++++++++++++++++++++++++++++++
 tests/system-userspace-macros.at | 10 +++++++
 4 files changed, 87 insertions(+)
diff --git a/tests/atlocal.in b/tests/atlocal.in
index 2e565d788b15..100e661168bc 100644
--- a/tests/atlocal.in
+++ b/tests/atlocal.in
@@ -182,6 +182,8 @@ find_command()
 # Set HAVE_NC
 find_command nc
+# Set HAVE_NFCT
+find_command nfct
 # Determine correct netcat option to quit on stdin EOF
 if nc --version 2>&1 | grep -q nmap.org; then
diff --git a/tests/system-kmod-macros.at b/tests/system-kmod-macros.at
index 554a61e9bd95..1ecda5407b92 100644
--- a/tests/system-kmod-macros.at
+++ b/tests/system-kmod-macros.at
@@ -100,6 +100,16 @@ m4_define([CHECK_CONNTRACK_FRAG_OVERLAP],
 #
 m4_define([CHECK_CONNTRACK_NAT])
+# CHECK_CONNTRACK_TIMEOUT()
+#
+# Perform requirements checks for running conntrack customized timeout tests.
+#
+m4_define([CHECK_CONNTRACK_TIMEOUT],
+[
+ AT_SKIP_IF([test $HAVE_NFCT = no])
+ AT_SKIP_IF([! cat /boot/config-$(uname -r) | grep NF_CONNTRACK_TIMEOUT | grep '=y' > /dev/null])
+])
+
 # CHECK_CT_DPIF_PER_ZONE_LIMIT()
 #
 # Perform requirements checks for running ovs-dpctl ct-[set|get|del]-limits per
diff --git a/tests/system-traffic.at b/tests/system-traffic.at
index a358744637d8..e2009ee74a41 100644
--- a/tests/system-traffic.at
+++ b/tests/system-traffic.at
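Review bot: In CHECK_CONNTRACK_TIMEOUT in tests/system-kmod-macros.at, the kernel-config probe accepts any line that contains both `NF_CONNTRACK_TIMEOUT` and `=y`, and `$HAVE_NFCT` is expanded unquoted, so if it were ever empty `test` would fail with a syntax error and the skip would not trigger. An anchored pattern without the extra processes is tighter: `AT_SKIP_IF([! grep -q '^CONFIG_NF_CONNTRACK_TIMEOUT=y' /boot/config-$(uname -r)])` together with `AT_SKIP_IF([test "$HAVE_NFCT" = no])`. On hosts that do not ship `/boot/config-$(uname -r)` the test is skipped even when the running kernel has the feature; a line in the macro's comment saying so would save the next reader the investigation.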
@@ -3137,6 +3137,71 @@ NXST_FLOW reply:
 OVS_TRAFFIC_VSWITCHD_STOP
 AT_CLEANUP
+AT_SETUP([conntrack - customized timeout])
+CHECK_CONNTRACK()
+CHECK_CONNTRACK_TIMEOUT()
+OVS_TRAFFIC_VSWITCHD_START()
+
+ADD_NAMESPACES(at_ns0, at_ns1)
+
+ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
+ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
+
+AT_DATA([flows.txt], [dnl
+priority=1,action=drop
+priority=10,arp,action=normal
+priority=100,in_port=1,icmp,action=ct(commit,timeout=1),2
+priority=100,in_port=1,udp,action=ct(commit,timeout=2),2
+priority=100,in_port=2,icmp,action=ct(table=1)
+priority=100,in_port=2,udp,action=ct(table=1)
+table=1,in_port=2,icmp,ct_state=+trk+est,action=1
+table=1,in_port=2,udp,ct_state=+trk+est,action=1
+])
+
+AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
+
+dnl Add customized timeout
+dnl Note that the default ICMP timeout is 30 seconds.
+dnl The default timeout for unreplied UDP is 30 seconds, and
+dnl 180 seconds for replied UDP connection.
+AT_CHECK([nfct add timeout ovs_timeout_1 inet icmp timeout 3])
+AT_CHECK([nfct add timeout ovs_timeout_2 inet udp unreplied 3])
+on_exit 'nfct delete timeout ovs_timeout_1'
+on_exit 'nfct delete timeout ovs_timeout_2'
+
+dnl ICMP traffic
+NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
+3 packets transmitted, 3 received, 0% packet loss, time 0ms
+])
+
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0],[dnl
+icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0)
+])
+
+dnl Wait until ICMP timeout expire.
+dnl We intend to wait a bit longer, because conntrack does not recycle the entry right after it is expired.
+sleep 4
+
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
+])
+
+dnl Send out an UDP packet from port 1
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
+
+ovs-appctl dpctl/dump-conntrack
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "dst=10\.1\.1\.2,"], [0], [dnl
+udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),reply=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1)
+])
+
+dnl Wait until UDP timeout expire
+sleep 4
+
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
+])
+
+OVS_TRAFFIC_VSWITCHD_STOP
+AT_CLEANUP
+
 AT_BANNER([conntrack - L7])
 AT_SETUP([conntrack - IPv4 HTTP])
diff --git a/tests/system-userspace-macros.at b/tests/system-userspace-macros.at
index 92ffbf6d503f..60818c332fe2 100644
--- a/tests/system-userspace-macros.at
+++ b/tests/system-userspace-macros.at
@@ -96,6 +96,16 @@ m4_define([CHECK_CONNTRACK_FRAG_OVERLAP])
 #
 m4_define([CHECK_CONNTRACK_NAT])
+# CHECK_CONNTRACK_TIMEOUT()
+#
+# Perform requirements checks for running conntrack customized timeout tests.
+* The userspace datapath does not support this feature yet.
+#
+m4_define([CHECK_CONNTRACK_TIMEOUT],
+[
+ AT_SKIP_IF([:])
+])
+
 # CHECK_CT_DPIF_PER_ZONE_LIMIT()
 #
 # Perform requirements checks for running ovs-dpctl ct-[set|get|del]-limits per
--
2.7.4
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
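Review bot: In the new `conntrack - customized timeout` test in tests/system-traffic.at, both `on_exit 'nfct delete timeout …'` lines are registered only after both `nfct add timeout` checks, so if the second add fails the test stops with `ovs_timeout_1` still installed in the netfilter timeout policies of the namespace the suite runs in. Registering each cleanup directly after its own add (`AT_CHECK([nfct add timeout ovs_timeout_1 inet icmp timeout 3])` followed by `on_exit 'nfct delete timeout ovs_timeout_1'`, and likewise for `ovs_timeout_2`) keeps a failed run from leaving state behind for later ones. The bare `ovs-appctl dpctl/dump-conntrack` before the UDP check sits outside any `AT_CHECK` and looks like leftover debugging output; it can be dropped. The two fixed `sleep 4` waits tie the result to timing on a loaded machine, so a bounded poll for the entry to disappear would be less fragile.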
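Review bot: In the comment block added above CHECK_CONNTRACK_TIMEOUT in tests/system-userspace-macros.at, the line `* The userspace datapath does not support this feature yet.` starts with `*` instead of `#`, so it is not a comment and would presumably be passed through m4 as ordinary text into the generated test script. It should read `# The userspace datapath does not support this feature yet.` like the comment lines around it.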
