@@ -1057,6 +1057,57 @@ TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2
OVS_TRAFFIC_VSWITCHD_STOP
AT_CLEANUP
+AT_SETUP([conntrack - FTP commit then decide])
+AT_SKIP_IF([test $HAVE_PYFTPDLIB = no])
+CHECK_CONNTRACK()
+OVS_TRAFFIC_VSWITCHD_START(
+ [set-fail-mode br0 standalone -- ])
+
+ADD_NAMESPACES(at_ns0, at_ns1)
+
+ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
+ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
+
+dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
+dnl
+dnl This tests a bug in the "ct(commit)" action where new,related connections
+dnl are not always marked as new.
+AT_DATA([flows1.txt], [dnl
+priority=1,action=drop
+priority=10,arp,action=normal
+priority=10,icmp,action=normal
+priority=100,in_port=1,tcp,ct_state=-trk,action=ct(alg=ftp,commit,table=1)
+priority=100,table=1,in_port=1,tcp,ct_state=+new,action=2
+priority=100,table=1,in_port=1,tcp,ct_state=+est,action=2
+priority=100,in_port=2,tcp,ct_state=-trk,action=ct(commit,table=1)
+priority=100,table=1,in_port=2,tcp,ct_state=+trk+est,action=1
+priority=100,table=1,in_port=2,tcp,ct_state=+trk+rel+new,action=1
+])
+
+AT_CHECK([ovs-ofctl add-flows br0 flows1.txt])
+
+NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp1.pid])
+NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid])
+
+dnl FTP requests from p1->p0 should fail due to network failure, even though
+dnl FTP daemons are running in both namespaces.
+dnl Try 3 times, in 1 second intervals.
+NS_CHECK_EXEC([at_ns1], [wget ftp://10.1.1.1 --no-passive-ftp -t 3 -T 1 -v -o wget1.log], [4])
+AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.1)], [0], [dnl
+SYN_SENT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[UNREPLIED]] src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> mark=0 helper=ftp use=1
+])
+
+dnl FTP requests from p0->p1 should work fine.
+NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep -v "FIN"], [0], [dnl
+SYN_SENT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[UNREPLIED]] src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> mark=0 helper=ftp use=1
+TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=2
+TIME_WAIT src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1
+])
+
+OVS_TRAFFIC_VSWITCHD_STOP
+AT_CLEANUP
+
AT_SETUP([conntrack - IPv4 fragmentation ])
CHECK_CONNTRACK()
OVS_TRAFFIC_VSWITCHD_START(
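Review bot: The expected conntrack output (the `SYN_SENT ... helper=ftp` line after the first wget, repeated in the second check) shows a helper on the ns1->ns0 entry, but the `in_port=2` rule is `ct(commit,table=1)` with no `alg=ftp`, so that expectation presumably depends on the kernel assigning the FTP helper automatically by port. A host with automatic helper assignment turned off would likely fail here for a reason unrelated to the bug under test; I would either document it with `dnl helper=ftp on the 10.1.1.2->10.1.1.1 entry relies on kernel automatic helper assignment` or skip the test when that behaviour is unavailable. The header comment should also say that committing before the table=1 decision is deliberate: as the first check shows, the rejected ns1->ns0 connection still leaves a conntrack entry, which is not something to copy into a real policy. In the same comment `nd` looks left over from an IPv6 test, since the flows here permit `arp` and `icmp`.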
Test the corner case where commit occurs only on "new" related connections. Signed-off-by: Joe Stringer <joestringer@nicira.com> --- tests/system-traffic.at | 51 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+)