On 30 Aug 2023, at 19:56, Aaron Conole wrote:
> In the past, during some conntrack testing a bug was uncovered in a DPDK
> PMD which didn't support an IPv4 packet with a zero checksum value.
> In order to show that the connection tracking code in userspace
> supports IPv4 UDP with a zero checksum, add a test case to enforce
> this behavior
>
> Reported-at: http://mails.dpdk.org/archives/dev/2021-January/198528.html
> Reported-by: Paolo Valerio <[email protected]>
> Signed-off-by: Aaron Conole <[email protected]>
> ---
> v1->v2: - Addressed most of the comments by Flavio & William Tu.
> - Added the 0xffff checksum case
> - Added a bad checksum case
> - For the single instance of "sleep 1," this needs to be retained
> due to the negative test case (we have no WAIT_UNTIL to rely on)
> but there are other instances of sleep 1 throughout the suite,
> so I guess it should be okay.
Hi Aaron,
I think the patch looks good, however, can we just not wait for the drop
actions to appear, and if it does then do the check for the empty conntrack
table? Or am I missing something?
Cheers,
Eelco
> v2->v3: - Add a check for the ofproto dropped packet stats
> - Fix whitespace issue
> - Restricted the dump-conntrack checks to keep the possibility of
> UDP queries poisoning the test case lower.
>
> tests/system-traffic.at | 67 +++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 67 insertions(+)
>
> diff --git a/tests/system-traffic.at b/tests/system-traffic.at
> index 808c492a22..65c44c4350 100644
> --- a/tests/system-traffic.at
> +++ b/tests/system-traffic.at
> @@ -3813,6 +3813,73 @@ OVS_WAIT_UNTIL([ovs-pcap p0.pcap | grep -q
> "f00000010101f00000010102080045c00045
> OVS_TRAFFIC_VSWITCHD_STOP
> AT_CLEANUP
>
> +AT_SETUP([conntrack - IPv4 UDP zero checksum])
> +dnl Checks sending zero checksum packets for udp over ipv4
> +CHECK_CONNTRACK()
> +OVS_TRAFFIC_VSWITCHD_START()
> +OVS_CHECK_CT_CLEAR()
> +
> +ADD_NAMESPACES(at_ns0, at_ns1)
> +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24", "f0:00:00:01:01:01")
> +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24", "f0:00:00:01:01:02")
> +
> +dnl Setup conntrack flows
> +AT_DATA([flows.txt], [dnl
> +table=0,priority=10 ip,udp,ct_state=-trk action=ct(zone=1,table=1)
> +table=0,priority=0 action=drop
> +table=1,priority=10 ct_state=-est+trk+new,ip,ct_zone=1,in_port=1
> action=ct(commit,table=2)
> +table=1,priority=10 ct_state=+est-new+trk,ct_zone=1,in_port=1
> action=resubmit(,2)
> +table=1,priority=0 action=drop
> +table=2,priority=10 ct_state=+trk+new,in_port=1 action=2
> +table=2,priority=10 ct_state=+trk+est action=2
> +])
> +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
> +
> +dnl sending udp pkt with 0000 checksum
> +NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f0 00 00 01 01 02 f0
> 00 00 01 01 01 08 00 45 00 00 28 00 01 00 00 40 11 64 c0 0a 01 01 01 0a 01 01
> 02 04 d2 04 d2 00 14 00 00 aa aa aa aa aa aa aa aa aa aa aa aa > /dev/null])
> +
> +OVS_WAIT_UNTIL([ovs-appctl dpctl/dump-conntrack | grep "udp"])
> +
> +dnl ensure CT picked up the packet
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1)], [0], [dnl
> +udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>)
> +])
> +
> +dnl clear CT tuples
> +AT_CHECK([ovs-appctl dpctl/flush-conntrack])
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "udp"], [1])
> +
> +dnl send UDP with ffff checksum
> +NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f0 00 00 01 01 02 f0
> 00 00 01 01 01 08 00 45 00 00 40 00 01 00 00 40 11 64 a8 0a 01 01 01 0a 01 01
> 02 04 d2 04 d2 00 2c ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 df ed > /dev/null])
> +OVS_WAIT_UNTIL([ovs-appctl dpctl/dump-conntrack | grep "udp"])
> +
> +dnl ensure CT picked up the packet
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1)], [0], [dnl
> +udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>)
> +])
> +
> +dnl clear CT tuples
> +AT_CHECK([ovs-appctl dpctl/flush-conntrack])
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "udp"], [1])
> +
> +dnl sending udp pkt with bad checksum
> +NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f0 00 00 01 01 02 f0
> 00 00 01 01 01 08 00 45 00 00 28 00 01 00 00 40 11 64 c0 0a 01 01 01 0a 01 01
> 02 04 d2 04 d2 00 14 11 11 aa aa aa aa aa aa aa aa aa aa aa aa > /dev/null])
> +
> +dnl We call a sleep here to ensure that we let the system get through any
> +dnl needed upcalls. Once the sleep is expired, we can check the drop counter
> +dnl in table 1 for our bad csum packet, and ensure that there are no entries
> +dnl in the conntrack table.
> +sleep 1
> +
> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1)], [0], [dnl
> +])
> +AT_CHECK([ovs-ofctl dump-flows br0 | grep 'table=1,' | dnl
> + grep 'actions=drop' | strip_duration], [0], [ dnl
> +cookie=0x0, table=1, n_packets=1, n_bytes=54, idle_age=1, priority=0
> actions=drop
> +])
> +OVS_TRAFFIC_VSWITCHD_STOP
> +AT_CLEANUP
> +
> AT_SETUP([conntrack - IPv4 fragmentation])
> CHECK_CONNTRACK()
> OVS_TRAFFIC_VSWITCHD_START()
> --
> 2.40.1
>
> _______________________________________________
> dev mailing list
> [email protected]
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
