On Wed, Aug 28, 2024 at 07:14:06PM +0200, Paolo Valerio wrote:
> As Long reported, kernels built without CONFIG_NETFILTER_CONNCOUNT
> result in the unexpected failure of the following tests:
>
> conntrack - multiple zones, local
> conntrack - multi-stage pipeline, local
> conntrack - can match and clear ct_state from outside OVS
>
> this happens because the nf_conncount turns on connection tracking and
> the above tests rely on this side effect. However, this behavior may
> be corrected in the kernel, which could, in turn, cause the tests to
> fail.
>
> The patch removes the assumption by adding explicit iptables rules to
> attach an nf_conn template to the skb resulting tracked once hit the
> OvS pipeline.
>
> While at it, introduce $HAVE_IPTABLES and skip tests if iptables
> binary is not present.
>
> Reported-by: Xin Long <lucien....@gmail.com>
> Reported-at: https://issues.redhat.com/browse/FDP-708
> Signed-off-by: Paolo Valerio <pvale...@redhat.com>

Hi Paolo,

I exercised this using vng with net-next compiled using
tools/testing/selftests/net/config from the upstream kernel tree [1].

[1] https://github.com/linux-netdev/nipa/wiki/How-to-run-netdev-selftests-CI-style

The resulting config does not have CONFIG_NETFILTER_CONNCOUNT set.

Some observations:

* CONFIG_NETFILTER_XT_TARGET_CT is required for -j CT

  I don't think this is a problem (other than my own problem of it taking
  me a long time to figure that out). But it seems worth noting
  (see parentheses in previous sentence:).

* Of the tests that are updated by this patch, I only observed that
  the last one, "conntrack - can match and clear ct_state from outside OVS",
  fails without this patch applied.

  I am unsure if that is something that warrants updating this patch or not.
  Or if, rather, there is an error in my testing.