On Mon, Oct 07, 2024 at 05:54:24PM +0200, Paolo Valerio wrote:
> As Long reported, kernels built without CONFIG_NETFILTER_CONNCOUNT
> result in the unexpected failure of the following tests:
>
> conntrack - multiple zones, local
> conntrack - multi-stage pipeline, local
> conntrack - can match and clear ct_state from outside OVS
>
> this happens because the nf_conncount turns on connection tracking and
> the above tests rely on this side effect. However, this behavior may
> be corrected in the kernel, which could, in turn, cause the tests to
> fail.
>
> The patch removes the assumption by adding iptables rules to attach
> an nf_conn template to the skb resulting tracked once hit the OvS
> pipeline.
>
> While at it, introduce $HAVE_IPTABLES and skip tests if iptables
> binary is not present.
>
> Reported-by: Xin Long <[email protected]>
> Reported-at: https://issues.redhat.com/browse/FDP-708
> Signed-off-by: Paolo Valerio <[email protected]>
> Acked-by: Eelco Chaudron <[email protected]>
> ---
> v4:
> - removed IPTABLES_CT() leftover (Simon)
>
> v3:
> - generalized introducing CHECK_EXTERNAL_CT()/ADD_EXTERNAL_CT()
>   to ease the transition toward a different front-end
>
> v2:
> - add $HAVE_IPTABLES
> - reduced subject length (0-day Robot)

Thanks for the updates.

Acked-by: Simon Horman <[email protected]>
