As Long reported, kernels built without CONFIG_NETFILTER_CONNCOUNT result in the unexpected failure of the following tests:
conntrack - multiple zones, local
conntrack - multi-stage pipeline, local
conntrack - can match and clear ct_state from outside OVS

This happens because the nf_conncount turns on connection tracking and the above tests rely on this side effect. However, this behavior may be corrected in the kernel, which could, in turn, cause the tests to fail.

The patch removes the assumption by adding explicit iptables rules to attach an nf_conn template to the skb, resulting in it being tracked once it hits the OvS pipeline.

Reported-by: Xin Long <[email protected]>
Reported-at: https://issues.redhat.com/browse/FDP-708
Signed-off-by: Paolo Valerio <[email protected]>
--- tests/ovs-macros.at | 5 +++++ tests/system-traffic.at | 3 +++ 2 files changed, 8 insertions(+) diff --git a/tests/ovs-macros.at b/tests/ovs-macros.at index 06c978555..df2835747 100644 --- a/tests/ovs-macros.at +++ b/tests/ovs-macros.at @@ -366,3 +366,8 @@ dnl Add a rule to always accept the traffic. m4_define([IPTABLES_ACCEPT], [AT_CHECK([iptables -I INPUT 1 -i $1 -j ACCEPT]) on_exit 'iptables -D INPUT 1 -i $1']) + +dnl Required to let conntrack start tracking the packets outside ovs +m4_define([IPTABLES_CT], + [AT_CHECK([iptables -t raw -I OUTPUT 1 -o $1 -j CT]) + on_exit 'iptables -t raw -D OUTPUT 1']) diff --git a/tests/system-traffic.at b/tests/system-traffic.at index 202ff0492..4da640604 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -5460,6 +5460,7 @@ CHECK_CONNTRACK() CHECK_CONNTRACK_LOCAL_STACK() OVS_TRAFFIC_VSWITCHD_START() +IPTABLES_CT([br0]) ADD_NAMESPACES(at_ns0) AT_CHECK([ip addr add dev br0 "10.1.1.1/24"]) @@ -5509,6 +5510,7 @@ CHECK_CONNTRACK() CHECK_CONNTRACK_LOCAL_STACK() OVS_TRAFFIC_VSWITCHD_START() +IPTABLES_CT([br0]) ADD_NAMESPACES(at_ns0) AT_CHECK([ip addr add dev br0 "10.1.1.1/24"]) 
@@ -8396,6 +8398,7 @@ AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"]) AT_CHECK([ovs-ofctl add-flow br-underlay "priority=100,ct_state=+trk,actions=ct_clear,resubmit(,0)"]) AT_CHECK([ovs-ofctl add-flow br-underlay "priority=10,actions=normal"]) +IPTABLES_CT([br0]) ADD_NAMESPACES(at_ns0) dnl Set up underlay link from host into the namespace using veth pair. -- 2.46.0 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
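
Review bot: the on_exit cleanup in the new IPTABLES_CT macro (tests/ovs-macros.at, @@ -366 hunk) deletes by position, `iptables -t raw -D OUTPUT 1`, rather than by rule specification, so at exit it removes whatever rule happens to be first in the raw OUTPUT chain. If anything else inserts a rule at position 1 of that chain after the macro runs, the cleanup removes that rule and leaves the CT rule behind on the host. Deleting by the same match that was added, `iptables -t raw -D OUTPUT -o $1 -j CT`, makes the cleanup independent of ordering. The dnl comment could also state that $1 is the outgoing interface and that the rule is installed in the raw table.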
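
Review bot: `IPTABLES_CT([br0])` in the @@ -5460 hunk of tests/system-traffic.at (and the identical addition at @@ -5509) goes through AT_CHECK, so on a host where `iptables -t raw ... -j CT` cannot be installed these tests now fail outright instead of being skipped. Nothing in the visible context checks for that prerequisite; consider an AT_SKIP_IF guard or a check alongside CHECK_CONNTRACK_LOCAL_STACK(). A short dnl comment at the call site saying why the rule is needed would also help, since the dependency on conntrack being active outside OVS is otherwise recorded only in the commit message.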
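
Review bot: in the @@ -8396 hunk the CT rule is attached with `IPTABLES_CT([br0])`, while the only ct_state match visible in this hunk is the `ct_state=+trk` flow on br-underlay, so it is not obvious from the test why br0 is the interface that needs the template. A one-line dnl comment above the call explaining which traffic is expected to arrive tracked would make the intent reviewable. The call is also placed after the ovs-ofctl add-flow checks here, whereas the other two call sites put it directly after OVS_TRAFFIC_VSWITCHD_START(); using the same position in all three tests would be more consistent.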
