| Message ID | 20160719195408.1611-3-joe@ovn.org |
|---|---|
| State | Accepted |
| Headers | show |
For the series: Acked-by: Jarno Rajahalme <jarno@ovn.org> > On Jul 19, 2016, at 12:54 PM, Joe Stringer <joe@ovn.org> wrote: > > Prior to commit b87a5aacefe2 ("datapath: Fix cached ct with helper."), > we were relying on automatic helpers to ensure that FTP connections were > tracked correctly, regardless of the flows that existed in the datapath. > Now, we can drop the automatic helpers in the root namespace and still > have related connections work correctly. Also, the ALG should only be > specified when committing the connection. Update the rules. > > Signed-off-by: Joe Stringer <joe@ovn.org> > --- > tests/system-kmod-macros.at | 1 + > tests/system-traffic.at | 8 ++++---- > 2 files changed, 5 insertions(+), 4 deletions(-) > > diff --git a/tests/system-kmod-macros.at b/tests/system-kmod-macros.at > index cee0510bda96..2134db72808c 100644 > --- a/tests/system-kmod-macros.at > +++ b/tests/system-kmod-macros.at > @@ -63,6 +63,7 @@ m4_define([CHECK_CONNTRACK], > [modprobe mod || echo "Module mod not loaded." > on_exit 'modprobe -r mod' > ]) > + sysctl -w net.netfilter.nf_conntrack_helper=0 > on_exit 'ovstest test-netlink-conntrack flush' > ] > ) > diff --git a/tests/system-traffic.at b/tests/system-traffic.at > index 14a75b68fe7e..a337950741bd 100644 > --- a/tests/system-traffic.at > +++ b/tests/system-traffic.at > @@ -1458,7 +1458,6 @@ AT_CHECK([ovs-appctl dpctl/flush-conntrack]) > dnl Passive FTP requests from p0->p1 should work fine. > NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log]) > AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl > -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>) > tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp > ]) > > @@ -1539,13 +1538,14 @@ table=0,priority=10,arp,action=normal > table=0,priority=10,icmp,action=normal > > dnl Traffic from ns1 > -table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1,alg=ftp) > -table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2 > +table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1) > +table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new-rel,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2 > +table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new+rel,action=ct(commit,zone=1),ct(commit,zone=2),2 > table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,zone=2) > table=2,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2 > > dnl Traffic from ns2 > -table=0,priority=100,in_port=2,tcp,action=ct(table=1,alg=ftp,zone=2) > +table=0,priority=100,in_port=2,tcp,action=ct(table=1,zone=2) > table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1 > table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,zone=1) > table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1 > -- > 2.9.0 > > _______________________________________________ > dev mailing list > dev@openvswitch.org > http://openvswitch.org/mailman/listinfo/dev
Thanks, I applied this series to master. On 21 July 2016 at 04:19, Jarno Rajahalme <jarno@ovn.org> wrote: > For the series: > > Acked-by: Jarno Rajahalme <jarno@ovn.org> > >> On Jul 19, 2016, at 12:54 PM, Joe Stringer <joe@ovn.org> wrote: >> >> Prior to commit b87a5aacefe2 ("datapath: Fix cached ct with helper."), >> we were relying on automatic helpers to ensure that FTP connections were >> tracked correctly, regardless of the flows that existed in the datapath. >> Now, we can drop the automatic helpers in the root namespace and still >> have related connections work correctly. Also, the ALG should only be >> specified when committing the connection. Update the rules. >> >> Signed-off-by: Joe Stringer <joe@ovn.org> >> --- >> tests/system-kmod-macros.at | 1 + >> tests/system-traffic.at | 8 ++++---- >> 2 files changed, 5 insertions(+), 4 deletions(-) >> >> diff --git a/tests/system-kmod-macros.at b/tests/system-kmod-macros.at >> index cee0510bda96..2134db72808c 100644 >> --- a/tests/system-kmod-macros.at >> +++ b/tests/system-kmod-macros.at >> @@ -63,6 +63,7 @@ m4_define([CHECK_CONNTRACK], >> [modprobe mod || echo "Module mod not loaded." >> on_exit 'modprobe -r mod' >> ]) >> + sysctl -w net.netfilter.nf_conntrack_helper=0 >> on_exit 'ovstest test-netlink-conntrack flush' >> ] >> ) >> diff --git a/tests/system-traffic.at b/tests/system-traffic.at >> index 14a75b68fe7e..a337950741bd 100644 >> --- a/tests/system-traffic.at >> +++ b/tests/system-traffic.at >> @@ -1458,7 +1458,6 @@ AT_CHECK([ovs-appctl dpctl/flush-conntrack]) >> dnl Passive FTP requests from p0->p1 should work fine. >> NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log]) >> AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl >> -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>) >> tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp >> ]) >> >> @@ -1539,13 +1538,14 @@ table=0,priority=10,arp,action=normal >> table=0,priority=10,icmp,action=normal >> >> dnl Traffic from ns1 >> -table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1,alg=ftp) >> -table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2 >> +table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1) >> +table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new-rel,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2 >> +table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new+rel,action=ct(commit,zone=1),ct(commit,zone=2),2 >> table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,zone=2) >> table=2,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2 >> >> dnl Traffic from ns2 >> -table=0,priority=100,in_port=2,tcp,action=ct(table=1,alg=ftp,zone=2) >> +table=0,priority=100,in_port=2,tcp,action=ct(table=1,zone=2) >> table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1 >> table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,zone=1) >> table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1 >> -- >> 2.9.0 >> >> _______________________________________________ >> dev mailing list >> dev@openvswitch.org >> http://openvswitch.org/mailman/listinfo/dev >
diff --git a/tests/system-kmod-macros.at b/tests/system-kmod-macros.at index cee0510bda96..2134db72808c 100644 --- a/tests/system-kmod-macros.at +++ b/tests/system-kmod-macros.at @@ -63,6 +63,7 @@ m4_define([CHECK_CONNTRACK], [modprobe mod || echo "Module mod not loaded." on_exit 'modprobe -r mod' ]) + sysctl -w net.netfilter.nf_conntrack_helper=0 on_exit 'ovstest test-netlink-conntrack flush' ] ) diff --git a/tests/system-traffic.at b/tests/system-traffic.at index 14a75b68fe7e..a337950741bd 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -1458,7 +1458,6 @@ AT_CHECK([ovs-appctl dpctl/flush-conntrack]) dnl Passive FTP requests from p0->p1 should work fine. NS_CHECK_EXEC([at_ns0], [wget ftp://10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0-2.log]) AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>) tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),protoinfo=(state=<cleared>),helper=ftp ]) @@ -1539,13 +1538,14 @@ table=0,priority=10,arp,action=normal table=0,priority=10,icmp,action=normal dnl Traffic from ns1 -table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1,alg=ftp) -table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2 +table=0,priority=100,in_port=1,tcp,action=ct(table=1,zone=1) +table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new-rel,action=ct(commit,alg=ftp,zone=1),ct(commit,alg=ftp,zone=2),2 +table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+new+rel,action=ct(commit,zone=1),ct(commit,zone=2),2 table=1,in_port=1,tcp,ct_zone=1,ct_state=+trk+est,action=ct(table=2,zone=2) table=2,in_port=1,tcp,ct_zone=2,ct_state=+trk+est,action=2 dnl Traffic from ns2 -table=0,priority=100,in_port=2,tcp,action=ct(table=1,alg=ftp,zone=2) +table=0,priority=100,in_port=2,tcp,action=ct(table=1,zone=2) table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1 table=1,in_port=2,tcp,ct_zone=2,ct_state=+trk+est,action=ct(table=2,zone=1) table=2,in_port=2,tcp,ct_zone=1,ct_state=+trk+rel,action=ct(commit,zone=2),ct(commit,zone=1),1
Prior to commit b87a5aacefe2 ("datapath: Fix cached ct with helper."), we were relying on automatic helpers to ensure that FTP connections were tracked correctly, regardless of the flows that existed in the datapath. Now, we can drop the automatic helpers in the root namespace and still have related connections work correctly. Also, the ALG should only be specified when committing the connection. Update the rules. Signed-off-by: Joe Stringer <joe@ovn.org> --- tests/system-kmod-macros.at | 1 + tests/system-traffic.at | 8 ++++---- 2 files changed, 5 insertions(+), 4 deletions(-)