@@ -366,3 +366,8 @@ dnl Add a rule to always accept the traffic.
m4_define([IPTABLES_ACCEPT],
[AT_CHECK([iptables -I INPUT 1 -i $1 -j ACCEPT])
on_exit 'iptables -D INPUT 1 -i $1'])
+
+dnl Required to let conntrack start tracking the packets outside ovs
+m4_define([IPTABLES_CT],
+ [AT_CHECK([iptables -t raw -I OUTPUT 1 -o $1 -j CT])
+ on_exit 'iptables -t raw -D OUTPUT 1'])
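Review bot: The on_exit handler in IPTABLES_CT removes raw OUTPUT rule 1 by index alone, although the rule was inserted with a specific match (`-o $1 -j CT`); if anything else inserts at position 1 of that chain before the handler runs (a second IPTABLES_CT for another interface, or another helper), the wrong rule is deleted and the CT rule leaks into later tests. Deleting by rule spec is unambiguous: `on_exit 'iptables -t raw -D OUTPUT -o $1 -j CT'`, which also matches IPTABLES_ACCEPT above, whose delete keeps its interface match. The dnl comment would help a reader more if it said what the rule achieves, e.g. `dnl Attach a conntrack template to locally generated packets leaving $1 (raw table, before OVS sees them) so the tests no longer depend on nf_conncount side effects.`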
@@ -5460,6 +5460,7 @@ CHECK_CONNTRACK()
CHECK_CONNTRACK_LOCAL_STACK()
OVS_TRAFFIC_VSWITCHD_START()
+IPTABLES_CT([br0])
ADD_NAMESPACES(at_ns0)
AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
@@ -5509,6 +5510,7 @@ CHECK_CONNTRACK()
CHECK_CONNTRACK_LOCAL_STACK()
OVS_TRAFFIC_VSWITCHD_START()
+IPTABLES_CT([br0])
ADD_NAMESPACES(at_ns0)
AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
@@ -8396,6 +8398,7 @@ AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])
AT_CHECK([ovs-ofctl add-flow br-underlay "priority=100,ct_state=+trk,actions=ct_clear,resubmit(,0)"])
AT_CHECK([ovs-ofctl add-flow br-underlay "priority=10,actions=normal"])
+IPTABLES_CT([br0])
ADD_NAMESPACES(at_ns0)
dnl Set up underlay link from host into the namespace using veth pair.
As Long reported, kernels built without CONFIG_NETFILTER_CONNCOUNT result in the unexpected failure of the following tests: conntrack - multiple zones, local conntrack - multi-stage pipeline, local conntrack - can match and clear ct_state from outside OVS. This happens because nf_conncount turns on connection tracking and the above tests rely on this side effect. However, this behavior may be corrected in the kernel, which could, in turn, cause the tests to fail. The patch removes the assumption by adding explicit iptables rules that attach an nf_conn template to the skb, so that the packet is already tracked once it hits the OvS pipeline. Reported-by: Xin Long <lucien.xin@gmail.com> Reported-at: https://issues.redhat.com/browse/FDP-708 Signed-off-by: Paolo Valerio <pvalerio@redhat.com> --- tests/ovs-macros.at | 5 +++++ tests/system-traffic.at | 3 +++ 2 files changed, 8 insertions(+)