From patchwork Fri Apr 24 07:55:07 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Numan Siddique X-Patchwork-Id: 1276241 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.138; helo=whitealder.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=ovn.org Received: from whitealder.osuosl.org (smtp1.osuosl.org [140.211.166.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 497mgT2cYHz9sSX for ; Fri, 24 Apr 2020 17:55:32 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by whitealder.osuosl.org (Postfix) with ESMTP id F37BA880E8; Fri, 24 Apr 2020 07:55:29 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from whitealder.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EOKSlwyeWCIK; Fri, 24 Apr 2020 07:55:25 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by whitealder.osuosl.org (Postfix) with ESMTP id D55F388079; Fri, 24 Apr 2020 07:55:25 +0000 (UTC) Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id B32E0C089E; Fri, 24 Apr 2020 07:55:25 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from hemlock.osuosl.org (smtp2.osuosl.org [140.211.166.133]) by lists.linuxfoundation.org (Postfix) with ESMTP id 59704C0175 for ; Fri, 24 Apr 2020 07:55:23 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by hemlock.osuosl.org (Postfix) with ESMTP id 501528875A for ; Fri, 24 Apr 2020 07:55:23 +0000 (UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from hemlock.osuosl.org ([127.0.0.1]) by localhost (.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4SVHVa4NDdgg for ; Fri, 24 Apr 2020 07:55:21 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.7.6 Received: from relay9-d.mail.gandi.net (relay9-d.mail.gandi.net [217.70.183.199]) by hemlock.osuosl.org (Postfix) with ESMTPS id A0A5C88757 for ; Fri, 24 Apr 2020 07:55:20 +0000 (UTC) X-Originating-IP: 116.75.115.155 Received: from nummac.local (unknown [116.75.115.155]) (Authenticated sender: numans@ovn.org) by relay9-d.mail.gandi.net (Postfix) with ESMTPSA id 9BC2CFF807; Fri, 24 Apr 2020 07:55:15 +0000 (UTC) From: numans@ovn.org To: dev@openvswitch.org Date: Fri, 24 Apr 2020 13:25:07 +0530 Message-Id: <20200424075507.1811244-1-numans@ovn.org> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Cc: Tim Rozet Subject: [ovs-dev] [PATCH ovn] Fix conntrack entry leaks because of TCP RST packets not sent to conntrack. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" From: Numan Siddique The commit [1] - 28097d5adb95("Fix tcp_reset action handling") fixed an issue with tcp_reset OVN action. In order to fix that issue, this commit added logical flows to skip all the TCP RST packets from conntrack. Ideally it should have skipped only the TCP RST packets generated by ovn-controller from conntrack. Since all the TCP RST packets are skipped from conntrack, the connections in conntrack remain in ESTABLISHED state even if the client/server sends TCP RST to close the connection. And these entries live for a long time and this is causing performance issues as reported in the BZ. This patch reverts the logical flows added in [1] and modifies the inner actions of tcp_reset in the ingress logical switch pipeline from - "tcp_reset { outport <-> inport; output; }" to "tcp_reset { output <-> inport; next(pipeline=egress,table=5); }". This causes the packet to resubmit to the egress table ls_out_qos_mark skipping the egress ACL stage. Prior to this packet, next action was not allowing a resubmit from ingress to egress pipeline. This patch relaxes this limitation. For the tcp_reset action in the egress logical switch pipeline, this patch modifies the inner action from - "tcp_reset { outport <-> inport; next(pipeline=ingress,table=0); }" to - "tcp_reset { outport <-> inport; next(pipeline=ingress,table=19); }". This causes the packet to enter the ingress table ls_in_l2_lkup. We don't see similar conntrack leaks with UDP. Although there is an issue with the acl reject action for UDP packets. When ovn-controller generates icmp destination unreachable packet, it doesn't get delivered. And the IP checksum is incorrect in this packet. A follow up patch will fix these issues. [1] - 28097d5adb95("Fix tcp_reset action handling") Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1819785 Co-Authored-by: Tim Rozet Signed-off-by: Tim Rozet Signed-off-by: Numan Siddique Acked-by: Dumitru Ceara Acked-by: Lorenzo Bianconi --- lib/actions.c | 6 +- northd/ovn-northd.8.xml | 8 ++ northd/ovn-northd.c | 14 ++-- ovn-sb.xml | 10 ++- tests/automake.mk | 3 +- tests/ovn.at | 6 +- tests/system-ovn.at | 170 +++++++++++++++++++++++++++++++++++----- tests/test-tcp-rst.py | 37 +++++++++ 8 files changed, 216 insertions(+), 38 deletions(-) create mode 100644 tests/test-tcp-rst.py diff --git a/lib/actions.c b/lib/actions.c index c19813de0..91619c889 100644 --- a/lib/actions.c +++ b/lib/actions.c @@ -319,11 +319,7 @@ parse_NEXT(struct action_context *ctx) } } - if (pipeline == OVNACT_P_EGRESS && ctx->pp->pipeline == OVNACT_P_INGRESS) { - lexer_error(ctx->lexer, - "\"next\" action cannot advance from ingress to egress " - "pipeline (use \"output\" action instead)"); - } else if (table >= ctx->pp->n_tables) { + if (table >= ctx->pp->n_tables) { lexer_error(ctx->lexer, "\"next\" action cannot advance beyond table %d.", ctx->pp->n_tables - 1); diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index efcc4b7fc..d39e259f6 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -373,6 +373,14 @@ for new connections and reg0[1] = 1; next; for existing connections. +
  • + reject ACLs translate into logical + flows with the + tcp_reset { output <-> inport; + next(pipeline=egress,table=5);} + action for TCP connections and icmp4/icmp6 action + for UDP connections. +
  • Other ACLs translate to drop; for new or untracked connections and ct_commit(ct_label=1/1); for known diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index c4675bd68..f8ae155a2 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -4721,11 +4721,11 @@ build_pre_acls(struct ovn_datapath *od, struct hmap *lflows) * unreachable packets. */ ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110, "nd || nd_rs || nd_ra || icmp4.type == 3 || " - "icmp6.type == 1 || (tcp && tcp.flags == 20) || " + "icmp6.type == 1 || " "(udp && udp.src == 546 && udp.dst == 547)", "next;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110, "nd || nd_rs || nd_ra || icmp4.type == 3 || " - "icmp6.type == 1 || (tcp && tcp.flags == 20) ||" + "icmp6.type == 1 || " "(udp && udp.src == 546 && udp.dst == 547)", "next;"); /* Ingress and Egress Pre-ACL Table (Priority 100). @@ -4838,11 +4838,11 @@ build_pre_lb(struct ovn_datapath *od, struct hmap *lflows, /* Do not send ND packets to conntrack */ ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 110, "nd || nd_rs || nd_ra || icmp4.type == 3 ||" - "icmp6.type == 1 || (tcp && tcp.flags == 20)", + "icmp6.type == 1", "next;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 110, "nd || nd_rs || nd_ra || icmp4.type == 3 ||" - "icmp6.type == 1 || (tcp && tcp.flags == 20)", + "icmp6.type == 1", "next;"); /* Do not send service monitor packets to conntrack. */ @@ -4988,7 +4988,8 @@ build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows, ds_put_format(&actions, "reg0 = 0; " "eth.dst <-> eth.src; ip4.dst <-> ip4.src; " "tcp_reset { outport <-> inport; %s };", - ingress ? "output;" : "next(pipeline=ingress,table=0);"); + ingress ? "next(pipeline=egress,table=5);" + : "next(pipeline=ingress,table=19);"); ovn_lflow_add_with_hint(lflows, od, stage, acl->priority + OVN_ACL_PRI_OFFSET + 10, ds_cstr(&match), ds_cstr(&actions), stage_hint); @@ -5002,7 +5003,8 @@ build_reject_acl_rules(struct ovn_datapath *od, struct hmap *lflows, ds_put_format(&actions, "reg0 = 0; " "eth.dst <-> eth.src; ip6.dst <-> ip6.src; " "tcp_reset { outport <-> inport; %s };", - ingress ? "output;" : "next(pipeline=ingress,table=0);"); + ingress ? "next(pipeline=egress,table=5);" + : "next(pipeline=ingress,table=19);"); ovn_lflow_add_with_hint(lflows, od, stage, acl->priority + OVN_ACL_PRI_OFFSET + 10, ds_cstr(&match), ds_cstr(&actions), stage_hint); diff --git a/ovn-sb.xml b/ovn-sb.xml index 5f8da534c..3aa7cd4da 100644 --- a/ovn-sb.xml +++ b/ovn-sb.xml @@ -1112,10 +1112,12 @@ pipeline as a subroutine. The default table is just after the current one. If pipeline is specified, it may be ingress or egress; the default - pipeline is the one currently executing. Actions in the - ingress pipeline may not use next to jump into the - egress pipeline (use the output instead), but - transitions in the opposite direction are allowed. + pipeline is the one currently executing. Actions in the + both ingress and egress pipeline can use next to jump + across the other pipeline. Actions in the ingress pipeline should + use next to jump into the specific table of egress + pipeline only if it is certain that the packets are local and not + tunnelled and wants to skip certain stages in the packet processing.
    field = constant;
    diff --git a/tests/automake.mk b/tests/automake.mk index 215fb432b..ed530dd77 100644 --- a/tests/automake.mk +++ b/tests/automake.mk @@ -205,7 +205,8 @@ tests_ovstest_LDADD = $(OVS_LIBDIR)/libopenvswitch.la lib/libovn.la # Python tests. CHECK_PYFILES = \ tests/test-l7.py \ - tests/uuidfilt.py + tests/uuidfilt.py \ + tests/test-tcp-rst.py EXTRA_DIST += $(CHECK_PYFILES) PYCOV_CLEAN_FILES += $(CHECK_PYFILES:.py=.py,cover) .coverage diff --git a/tests/ovn.at b/tests/ovn.at index 2a7ee7528..b00670816 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -852,7 +852,11 @@ next(pipeline=ingress, table=11); encodes as resubmit(,19) next(pipeline=egress); - "next" action cannot advance from ingress to egress pipeline (use "output" action instead) + formats as next(pipeline=egress, table=11); + encodes as resubmit(,51) + +next(pipeline=egress, table=5); + encodes as resubmit(,45) next(table=10); formats as next(10); diff --git a/tests/system-ovn.at b/tests/system-ovn.at index bdb9768d2..3b11cf92b 100644 --- a/tests/system-ovn.at +++ b/tests/system-ovn.at @@ -3719,60 +3719,86 @@ start_daemon ovn-controller ovn-nbctl ls-add sw0 -ovn-nbctl lsp-add sw0 sw0-p1 -ovn-nbctl lsp-set-addresses sw0-p1 "50:54:00:00:00:03 10.0.0.3 aef0::3" -ovn-nbctl lsp-set-port-security sw0-p1 "50:54:00:00:00:03 10.0.0.3 aef0::3" +ovn-nbctl lsp-add sw0 sw0-p1-rej +ovn-nbctl lsp-set-addresses sw0-p1-rej "50:54:00:00:00:03 10.0.0.3 aef0::3" +ovn-nbctl lsp-set-port-security sw0-p1-rej "50:54:00:00:00:03 10.0.0.3 aef0::3" -ovn-nbctl lsp-add sw0 sw0-p2 -ovn-nbctl lsp-set-addresses sw0-p2 "50:54:00:00:00:04 10.0.0.4 aef0::4" -ovn-nbctl lsp-set-port-security sw0-p2 "50:54:00:00:00:04 10.0.0.4 aef0::4" +ovn-nbctl lsp-add sw0 sw0-p2-rej +ovn-nbctl lsp-set-addresses sw0-p2-rej "50:54:00:00:00:04 10.0.0.4 aef0::4" +ovn-nbctl lsp-set-port-security sw0-p2-rej "50:54:00:00:00:04 10.0.0.4 aef0::4" + +#ovn-nbctl --log acl-add sw0 from-lport 1000 "inport == \"sw0-p1\" && tcp && tcp.dst == 80" reject +#ovn-nbctl --log acl-add sw0 from-lport 1000 "inport == \"sw0-p2\" && ip6 && tcp && tcp.dst == 80" reject + +# Create port group and ACLs for sw0 ports. +ovn-nbctl pg-add pg0_drop sw0-p1-rej sw0-p2-rej +ovn-nbctl acl-add pg0_drop from-lport 1001 "inport == @pg0_drop && ip" drop +ovn-nbctl acl-add pg0_drop to-lport 1001 "outport == @pg0_drop && ip" drop + +ovn-nbctl pg-add pg0 sw0-p1-rej sw0-p2-rej +ovn-nbctl acl-add pg0 from-lport 1002 "inport == @pg0 && ip4" allow-related +ovn-nbctl --log acl-add pg0 from-lport 1004 "inport == @pg0 && ip && tcp && tcp.dst == 80" reject -ovn-nbctl --log acl-add sw0 from-lport 1000 "inport == \"sw0-p1\" && tcp && tcp.dst == 80" reject -ovn-nbctl --log acl-add sw0 from-lport 1000 "inport == \"sw0-p2\" && ip6 && tcp && tcp.dst == 80" reject +ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && ip4.src == 0.0.0.0/0 && icmp4" allow-related +ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 82" allow-related +ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && ip4.src == 0.0.0.0/0 && udp && udp.dst == 82" allow-related +ovn-nbctl --log acl-add pg0 to-lport 1004 "inport == @pg0 && ip && tcp && tcp.dst == 84" reject OVN_POPULATE_ARP ovn-nbctl --wait=hv sync -ADD_NAMESPACES(sw0-p1) -ADD_VETH(sw0-p1, sw0-p1, br-int, "10.0.0.3/24", "50:54:00:00:00:03", \ +ADD_NAMESPACES(sw0-p1-rej) +ADD_VETH(sw0-p1-rej, sw0-p1-rej, br-int, "10.0.0.3/24", "50:54:00:00:00:03", \ "10.0.0.1") -ADD_NAMESPACES(sw0-p2) -ADD_VETH(sw0-p2, sw0-p2, br-int, "10.0.0.4/24", "50:54:00:00:00:04", \ +ADD_NAMESPACES(sw0-p2-rej) +ADD_VETH(sw0-p2-rej, sw0-p2-rej, br-int, "10.0.0.4/24", "50:54:00:00:00:04", \ "10.0.0.1") -NS_CHECK_EXEC([sw0-p1], [ip a a aef0::3/64 dev sw0-p1], [0]) -NS_CHECK_EXEC([sw0-p2], [ip a a aef0::4/64 dev sw0-p2], [0]) +NS_CHECK_EXEC([sw0-p1-rej], [ip a a aef0::3/64 dev sw0-p1-rej], [0]) +NS_CHECK_EXEC([sw0-p2-rej], [ip a a aef0::4/64 dev sw0-p2-rej], [0]) -# Capture packets in sw0-p1. -NS_CHECK_EXEC([sw0-p1], [tcpdump -n -c 2 -i sw0-p1 tcp port 80 > sw0-p1-ip4.pcap &], [0]) +# Capture packets in sw0-p1-rej. +NS_CHECK_EXEC([sw0-p1-rej], [tcpdump -n -c 2 -i sw0-p1-rej tcp port 80 > sw0-p1-rej-ip4.pcap &], [0]) sleep 1 -NS_CHECK_EXEC([sw0-p1], [nc 10.0.0.4 80], [1], [], +NS_CHECK_EXEC([sw0-p1-rej], [nc 10.0.0.4 80], [1], [], [dnl Ncat: Connection refused. ]) OVS_WAIT_UNTIL([ - total=`cat sw0-p1-ip4.pcap | wc -l` + total=`cat sw0-p1-rej-ip4.pcap | wc -l` echo "total = $total" test "${total}" = "2" ]) +# Now send traffic to port 84 +NS_CHECK_EXEC([sw0-p1-rej], [nc 10.0.0.4 84], [1], [], +[dnl +Ncat: Connection refused. +]) + +AT_CHECK([ + n_pkt=$(ovs-ofctl dump-flows br-int table=44 | grep -v n_packets=0 | \ +grep controller | grep tp_dst=84 -c) + test $n_pkt -eq 1 +]) + # Without this sleep, test case fails intermittently. sleep 3 -NS_CHECK_EXEC([sw0-p2], [tcpdump -n -c 2 -i sw0-p2 tcp port 80 > sw0-p2-ip6.pcap &], [0]) +NS_CHECK_EXEC([sw0-p2-rej], [tcpdump -n -c 2 -i sw0-p2-rej tcp port 80 > sw0-p2-rej-ip6.pcap &], [0]) sleep 1 -NS_CHECK_EXEC([sw0-p2], [nc -6 aef0::3 80], [1], [], +NS_CHECK_EXEC([sw0-p2-rej], [nc -6 aef0::3 80], [1], [], [dnl Ncat: Connection refused. ]) OVS_WAIT_UNTIL([ - total=`cat sw0-p2-ip6.pcap | wc -l` + total=`cat sw0-p2-rej-ip6.pcap | wc -l` echo "total = $total" test "${total}" = "2" ]) @@ -3936,3 +3962,105 @@ as OVS_TRAFFIC_VSWITCHD_STOP(["/.*error receiving.*/d /.*terminating with signal 15.*/d"]) AT_CLEANUP + +# Tests that when an established connection sends TCP reset, +# the conntrack entry is not in established state. +AT_SETUP([ovn -- conntrack TCP reset]) +AT_KEYWORDS([conntrack]) +ovn_start + +OVS_TRAFFIC_VSWITCHD_START() +ADD_BR([br-int]) + +# Set external-ids in br-int needed for ovn-controller +ovs-vsctl \ + -- set Open_vSwitch . external-ids:system-id=hv1 \ + -- set Open_vSwitch . external-ids:ovn-remote=unix:$ovs_base/ovn-sb/ovn-sb.sock \ + -- set Open_vSwitch . external-ids:ovn-encap-type=geneve \ + -- set Open_vSwitch . external-ids:ovn-encap-ip=169.0.0.1 \ + -- set bridge br-int fail-mode=secure other-config:disable-in-band=true + +# Start ovn-controller +start_daemon ovn-controller + +ovn-nbctl ls-add sw0 + +ovn-nbctl lsp-add sw0 rst-p1 +ovn-nbctl lsp-set-addresses rst-p1 "50:54:00:00:00:03" +ovn-nbctl lsp-set-port-security rst-p1 "50:54:00:00:00:03" + +ovn-nbctl lsp-add sw0 rst-p2 +ovn-nbctl lsp-set-addresses rst-p2 "50:54:00:00:00:04 10.0.0.4" +ovn-nbctl lsp-set-port-security rst-p2 "50:54:00:00:00:04 10.0.0.4" + +# Create port group and ACLs for sw0 ports. +ovn-nbctl pg-add pg0_drop rst-p1 rst-p2 +ovn-nbctl acl-add pg0_drop from-lport 1001 "inport == @pg0_drop && ip" drop +ovn-nbctl acl-add pg0_drop to-lport 1001 "outport == @pg0_drop && ip" drop + +ovn-nbctl pg-add pg0 rst-p1 rst-p2 +ovn-nbctl acl-add pg0 from-lport 1002 "inport == @pg0 && ip4" allow-related +ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && ip4.src == 0.0.0.0/0 && icmp4" allow-related +ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 80" allow-related +ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && ip4.src == 0.0.0.0/0 && udp && udp.dst == 80" allow-related + +# Create a logical router and attach to logical switch. +ovn-nbctl lr-add lr0 +ovn-nbctl lrp-add lr0 lr0-sw0 00:00:00:00:ff:01 10.0.0.1/24 +ovn-nbctl lsp-add sw0 sw0-lr0 +ovn-nbctl lsp-set-type sw0-lr0 router +ovn-nbctl lsp-set-addresses sw0-lr0 router +ovn-nbctl lsp-set-options sw0-lr0 router-port=lr0-sw0 + +ovn-nbctl lb-add lb1 10.0.0.10:80 10.0.0.3:80 +ovn-nbctl --wait=sb ls-lb-add sw0 lb1 +ovn-nbctl --wait=sb lr-lb-add lr0 lb1 + +OVN_POPULATE_ARP +ovn-nbctl --wait=hv sync + +ADD_NAMESPACES(rst-p1) +ADD_VETH(rst-p1, rst-p1, br-int, "10.0.0.3/24", "50:54:00:00:00:03", \ + "10.0.0.1") + +ADD_NAMESPACES(rst-p2) +ADD_VETH(rst-p2, rst-p2, br-int, "10.0.0.4/24", "50:54:00:00:00:04", \ + "10.0.0.1") + +OVS_WAIT_UNTIL([test x$(ovn-nbctl lsp-get-up rst-p1) = xup]) +OVS_WAIT_UNTIL([test x$(ovn-nbctl lsp-get-up rst-p2) = xup]) + +# Start webservers in 'rst-p1'. +OVS_START_L7([rst-p1], [http]) + +NS_CHECK_EXEC([rst-p2], [$PYTHON $srcdir/test-tcp-rst.py --dst-port 80 --dst-ip 10.0.0.10]) + +# When tcp reset is sent, conntrack entry should be in the state - CLOSED or CLOSING. +# But there is a bug where tcp reset packet was not sent to the conntrack. +# This test case checks that the tcp reset packet is sent to conntrack +# and the state is not in established state. +AT_CHECK([ + ct_est_count=$(ovs-appctl dpctl/dump-conntrack | grep 10.0.0.10 | grep state=ESTABLISHED -c) + test $ct_est_count -eq 0 + + ct_est_count=$(ovs-appctl dpctl/dump-conntrack | grep 10.0.0.10 | grep state=CLOS -c) + test $ct_est_count -eq 1 +]) + +OVS_APP_EXIT_AND_WAIT([ovn-controller]) + +as ovn-sb +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + +as ovn-nb +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) + +as northd +OVS_APP_EXIT_AND_WAIT([ovn-northd]) + +as +OVS_TRAFFIC_VSWITCHD_STOP(["/failed to query port patch-.*/d +/connection dropped.*/d +/Service monitor not found.*/d"]) + +AT_CLEANUP diff --git a/tests/test-tcp-rst.py b/tests/test-tcp-rst.py new file mode 100644 index 000000000..6f96c5706 --- /dev/null +++ b/tests/test-tcp-rst.py @@ -0,0 +1,37 @@ +#!/usr/bin/env python3 +# Copyright (c) 2020 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at: +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Simple python script which connects to tcp server and then +# resets the connection. +import argparse +import socket +import sys +import struct +import time + +parser = argparse.ArgumentParser(description='') +parser.add_argument("--src-port", type=int, default=11337, help="source port to use") +parser.add_argument("--dst-port", type=int, help="dst port to use") +parser.add_argument("--dst-ip", help="server ip to use") +args = parser.parse_args() +sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) +server_address = (args.dst_ip, args.dst_port) +sock.bind(('0.0.0.0', args.src_port)) +sock.connect(server_address) +l_onoff = 1 +l_linger = 0 +time.sleep(1) +sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack('ii', l_onoff, l_linger)) +sock.close()