Message ID | 20171026193044.9438-4-e@erig.me |
---|---|
State | Superseded |
Series | Add dpif support for ct_clear action |

On Thu, Oct 26, 2017 at 12:30 PM, Eric Garver <e@erig.me> wrote:
> This test case uses floating IP (FIP) addresses for each endpoint. If
> the destination is a FIP, the packet will undergo a transformation of
> the form (dst=FIP, src=non-FIP) --> (dst=non-FIP, src=FIP) before
> egress. Otherwise the packet is untouched.
>
> This exercises the ct_clear action in the datapath.
>
> Signed-off-by: Eric Garver <e@erig.me>
> ---

Looks good to me.

Acked-by: William Tu <u9012063@gmail.com>

On Thu, 26 Oct 2017 15:30:44 -0400 Eric Garver <e@erig.me> wrote: > This test cases uses floating IP (FIP) addresses for each endpoint. If > the destination is a FIP, the packet will undergo a transformation of > the form (dst=FIP, src=non-FIP) --> (dst=non-FIP, src=FIP) before > egress. Otherwise the packet is untouched. > > This exercises the ct_clear action in the datapath. > > Signed-off-by: Eric Garver <e@erig.me> > --- > tests/system-traffic.at | 73 +++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 73 insertions(+) > > diff --git a/tests/system-traffic.at b/tests/system-traffic.at > index 522eaa615834..cf915d6be7cd 100644 > --- a/tests/system-traffic.at > +++ b/tests/system-traffic.at 
> @@ -3996,6 +3996,79 @@ ovs-ofctl -O OpenFlow15 dump-group-stats br0 > OVS_TRAFFIC_VSWITCHD_STOP > AT_CLEANUP > > +AT_SETUP([conntrack - floating IP]) > +AT_SKIP_IF([test $HAVE_NC = no]) > +CHECK_CONNTRACK() > +OVS_TRAFFIC_VSWITCHD_START() > +OVS_CHECK_CT_CLEAR() > + > +ADD_NAMESPACES(at_ns0, at_ns1) > +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24", "f0:00:00:01:01:01") dnl FIP 10.254.254.1 > +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24", "f0:00:00:01:01:02") dnl FIP 10.254.254.2 > + > +dnl Static ARPs > +NS_CHECK_EXEC([at_ns0], [ip neigh add 10.1.1.2 lladdr f0:00:00:01:01:02 dev p0]) > +NS_CHECK_EXEC([at_ns1], [ip neigh add 10.1.1.1 lladdr f0:00:00:01:01:01 dev p1]) > + > +dnl Static ARP and route entries for the FIP "gateway" > +NS_CHECK_EXEC([at_ns0], [ip neigh add 10.1.1.254 lladdr f0:00:00:01:01:FE dev p0]) > +NS_CHECK_EXEC([at_ns1], [ip neigh add 10.1.1.254 lladdr f0:00:00:01:01:FE dev p1]) > +NS_CHECK_EXEC([at_ns0], [ip route add default nexthop via 10.1.1.254]) > +NS_CHECK_EXEC([at_ns1], [ip route add default nexthop via 10.1.1.254]) > + > +NETNS_DAEMONIZE([at_ns0], [nc -l -k 1234 > /dev/null], [nc0.pid]) > + > +AT_DATA([flows.txt], [dnl > +table=0,priority=10 ip action=ct(table=1) > +table=0,priority=1 action=drop > +dnl dst FIP > +table=1,priority=20 ip,ct_state=+trk+est,nw_dst=10.254.254.0/24 action=goto_table:10 > +table=1,priority=20 ip,ct_state=+trk+new,nw_dst=10.254.254.0/24 action=ct(commit,table=10) > +dnl dst local > +table=1,priority=10 ip,ct_state=+trk+est action=goto_table:20 > +table=1,priority=10 ip,ct_state=+trk+new action=ct(commit,table=20) > +table=1,priority=1 ip,ct_state=+trk+inv action=drop > +dnl > +dnl FIP translation (dst FIP, src local) --> (dst local, src FIP) > +table=10 ip,nw_dst=10.254.254.1 action=set_field:10.1.1.1->nw_dst,goto_table:11 > +table=10 ip,nw_dst=10.254.254.2 action=set_field:10.1.1.2->nw_dst,goto_table:11 > +table=11 ip,nw_src=10.1.1.1 action=set_field:10.254.254.1->nw_src,goto_table:12 > +table=11 ip,nw_src=10.1.1.2 
action=set_field:10.254.254.2->nw_src,goto_table:12 > +dnl clear conntrack and do another lookup since we changed the tuple > +table=12,priority=10 ip action=ct_clear,ct(table=13) > +table=12,priority=1 action=drop > +table=13 ip,ct_state=+trk+est action=goto_table:20 > +table=13 ip,ct_state=+trk+new action=ct(commit,table=20) > +table=13 ip,ct_state=+trk+inv action=drop > +dnl > +dnl Output > +table=20 ip,nw_src=10.1.1.1 action=set_field:f0:00:00:01:01:01->eth_src,goto_table:21 > +table=20 ip,nw_src=10.1.1.2 action=set_field:f0:00:00:01:01:02->eth_src,goto_table:21 > +table=20 ip,nw_src=10.254.254.0/24 action=set_field:f0:00:00:01:01:FE->eth_src,goto_table:21 > +table=21 ip,nw_dst=10.1.1.1 action=set_field:f0:00:00:01:01:01->eth_dst,output:ovs-p0 > +table=21 ip,nw_dst=10.1.1.2 action=set_field:f0:00:00:01:01:02->eth_dst,output:ovs-p1 > +]) > + > +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) > + > +dnl non-FIP case > +NS_CHECK_EXEC([at_ns1], [echo "foobar" |nc $NC_EOF_OPT 10.1.1.1 1234]) > +OVS_WAIT_UNTIL([[ovs-appctl dpctl/dump-conntrack | sed -e 's/port=[0-9]*/port=<cleared>/g' -e 's/id=[0-9]*/id=<cleared>/g' | > +grep "tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)" > +]]) > + > +dnl Check that the full session ends as expected (i.e. TIME_WAIT). Otherwise it > +dnl means the datapath didn't process the ct_clear action. Ending in SYN_RECV > +dnl (OVS maps to ESTABLISHED) means the initial frame was committed, but not a > +dnl second time after the FIP translation (because ct_clear didn't occur). 
> +NS_CHECK_EXEC([at_ns1], [echo "foobar" |nc $NC_EOF_OPT 10.254.254.1 1234]) > +OVS_WAIT_UNTIL([[ovs-appctl dpctl/dump-conntrack | sed -e 's/port=[0-9]*/port=<cleared>/g' -e 's/id=[0-9]*/id=<cleared>/g' | > +grep "tcp,orig=(src=10.254.254.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.254.254.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)" > +]]) > + > +OVS_TRAFFIC_VSWITCHD_STOP > +AT_CLEANUP > + > AT_BANNER([802.1ad]) > > AT_SETUP([802.1ad - vlan_limit]) Acked-by: Flavio Leitner <fbl@sysclose.org> Thanks!
diff --git a/tests/system-traffic.at b/tests/system-traffic.at index 522eaa615834..cf915d6be7cd 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at 
@@ -3996,6 +3996,79 @@ ovs-ofctl -O OpenFlow15 dump-group-stats br0 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP +AT_SETUP([conntrack - floating IP]) +AT_SKIP_IF([test $HAVE_NC = no]) +CHECK_CONNTRACK() +OVS_TRAFFIC_VSWITCHD_START() +OVS_CHECK_CT_CLEAR() + +ADD_NAMESPACES(at_ns0, at_ns1) +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24", "f0:00:00:01:01:01") dnl FIP 10.254.254.1 +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24", "f0:00:00:01:01:02") dnl FIP 10.254.254.2 + +dnl Static ARPs +NS_CHECK_EXEC([at_ns0], [ip neigh add 10.1.1.2 lladdr f0:00:00:01:01:02 dev p0]) +NS_CHECK_EXEC([at_ns1], [ip neigh add 10.1.1.1 lladdr f0:00:00:01:01:01 dev p1]) + +dnl Static ARP and route entries for the FIP "gateway" +NS_CHECK_EXEC([at_ns0], [ip neigh add 10.1.1.254 lladdr f0:00:00:01:01:FE dev p0]) +NS_CHECK_EXEC([at_ns1], [ip neigh add 10.1.1.254 lladdr f0:00:00:01:01:FE dev p1]) +NS_CHECK_EXEC([at_ns0], [ip route add default nexthop via 10.1.1.254]) +NS_CHECK_EXEC([at_ns1], [ip route add default nexthop via 10.1.1.254]) + +NETNS_DAEMONIZE([at_ns0], [nc -l -k 1234 > /dev/null], [nc0.pid]) + +AT_DATA([flows.txt], [dnl +table=0,priority=10 ip action=ct(table=1) +table=0,priority=1 action=drop +dnl dst FIP +table=1,priority=20 ip,ct_state=+trk+est,nw_dst=10.254.254.0/24 action=goto_table:10 +table=1,priority=20 ip,ct_state=+trk+new,nw_dst=10.254.254.0/24 action=ct(commit,table=10) +dnl dst local +table=1,priority=10 ip,ct_state=+trk+est action=goto_table:20 +table=1,priority=10 ip,ct_state=+trk+new action=ct(commit,table=20) +table=1,priority=1 ip,ct_state=+trk+inv action=drop +dnl +dnl FIP translation (dst FIP, src local) --> (dst local, src FIP) +table=10 ip,nw_dst=10.254.254.1 action=set_field:10.1.1.1->nw_dst,goto_table:11 +table=10 ip,nw_dst=10.254.254.2 action=set_field:10.1.1.2->nw_dst,goto_table:11 +table=11 ip,nw_src=10.1.1.1 action=set_field:10.254.254.1->nw_src,goto_table:12 +table=11 ip,nw_src=10.1.1.2 action=set_field:10.254.254.2->nw_src,goto_table:12 +dnl clear conntrack and do another 
lookup since we changed the tuple +table=12,priority=10 ip action=ct_clear,ct(table=13) +table=12,priority=1 action=drop +table=13 ip,ct_state=+trk+est action=goto_table:20 +table=13 ip,ct_state=+trk+new action=ct(commit,table=20) +table=13 ip,ct_state=+trk+inv action=drop +dnl +dnl Output +table=20 ip,nw_src=10.1.1.1 action=set_field:f0:00:00:01:01:01->eth_src,goto_table:21 +table=20 ip,nw_src=10.1.1.2 action=set_field:f0:00:00:01:01:02->eth_src,goto_table:21 +table=20 ip,nw_src=10.254.254.0/24 action=set_field:f0:00:00:01:01:FE->eth_src,goto_table:21 +table=21 ip,nw_dst=10.1.1.1 action=set_field:f0:00:00:01:01:01->eth_dst,output:ovs-p0 +table=21 ip,nw_dst=10.1.1.2 action=set_field:f0:00:00:01:01:02->eth_dst,output:ovs-p1 +]) + +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) + +dnl non-FIP case +NS_CHECK_EXEC([at_ns1], [echo "foobar" |nc $NC_EOF_OPT 10.1.1.1 1234]) +OVS_WAIT_UNTIL([[ovs-appctl dpctl/dump-conntrack | sed -e 's/port=[0-9]*/port=<cleared>/g' -e 's/id=[0-9]*/id=<cleared>/g' | +grep "tcp,orig=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)" +]]) + +dnl Check that the full session ends as expected (i.e. TIME_WAIT). Otherwise it +dnl means the datapath didn't process the ct_clear action. Ending in SYN_RECV +dnl (OVS maps to ESTABLISHED) means the initial frame was committed, but not a +dnl second time after the FIP translation (because ct_clear didn't occur). +NS_CHECK_EXEC([at_ns1], [echo "foobar" |nc $NC_EOF_OPT 10.254.254.1 1234]) +OVS_WAIT_UNTIL([[ovs-appctl dpctl/dump-conntrack | sed -e 's/port=[0-9]*/port=<cleared>/g' -e 's/id=[0-9]*/id=<cleared>/g' | +grep "tcp,orig=(src=10.254.254.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.1,dst=10.254.254.2,sport=<cleared>,dport=<cleared>),protoinfo=(state=TIME_WAIT)" +]]) + +OVS_TRAFFIC_VSWITCHD_STOP +AT_CLEANUP + AT_BANNER([802.1ad]) AT_SETUP([802.1ad - vlan_limit])
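
Review bot: the FIP case at the end of the hunk waits only for the post-translation conntrack entry (orig src=10.254.254.2,dst=10.1.1.1); the entry committed in table 1 before translation (orig src=10.1.1.2,dst=10.254.254.1) is never asserted on. Consider adding a second OVS_WAIT_UNTIL grep for that tuple, so the test shows that both lookups, the one before and the one after ct_clear, produced an entry. Separately, tables 10 and 11 have no explicit fallback flow while tables 0 and 12 carry a priority=1 drop; an explicit drop there would make the handling of an unmapped address in 10.254.254.0/24 visible in the flow list.
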
This test case uses floating IP (FIP) addresses for each endpoint. If the destination is a FIP, the packet will undergo a transformation of the form (dst=FIP, src=non-FIP) --> (dst=non-FIP, src=FIP) before egress. Otherwise the packet is untouched.

This exercises the ct_clear action in the datapath.

Signed-off-by: Eric Garver <e@erig.me>
---
tests/system-traffic.at | 73 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 73 insertions(+)