From patchwork Thu Mar 28 16:18:46 2024
X-Patchwork-Submitter: Paolo Valerio
X-Patchwork-Id: 1917429
X-Patchwork-Delegate: i.maximets@samsung.com
From: Paolo Valerio
To: ovs-dev@openvswitch.org
Date: Thu, 28 Mar 2024 17:18:46 +0100
Message-ID: <20240328161846.252508-1-pvalerio@redhat.com>
X-Mailer: git-send-email 2.44.0
Cc: Ilya Maximets
Subject: [ovs-dev] [PATCH v2] conntrack: Fix SNAT with exhaustion system test.

Recent kernels introduced a mechanism that allows evicting colliding entries in a closing state, whereas they were previously considered part of a non-recoverable clash. This new behavior makes the "conntrack - SNAT with port range with exhaustion" test fail, as it relies on the previous assumptions. Fix it by creating and not advancing the first entry in SYN_SENT to avoid early eviction.

Suggested-by: Ilya Maximets
Reported-at: https://issues.redhat.com/browse/FDP-486
Signed-off-by: Paolo Valerio
---
v2:
- replaced open-coded bytes with 'ovs-ofctl compose-packet --bare' (Ilya)
---
 tests/system-traffic.at | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/tests/system-traffic.at b/tests/system-traffic.at index 2d12d558e..20b011b7e 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -6388,7 +6388,6 @@ OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP AT_SETUP([conntrack - SNAT with port range with exhaustion]) -OVS_CHECK_GITHUB_ACTION() CHECK_CONNTRACK() CHECK_CONNTRACK_NAT() OVS_TRAFFIC_VSWITCHD_START()
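Review bot: the removal of `-OVS_CHECK_GITHUB_ACTION()` at the top of the AT_SETUP in the first hunk is not mentioned in the commit message, yet that macro is what gated this test on the GitHub Actions environment. Add a sentence to the commit message stating that the skip is dropped on purpose because the reworked test is expected to pass on the newer kernels that evict closing-state clash entries, so a reader of the history can tell the CI enablement is part of the fix and not a stray change.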
@@ -6398,11 +6397,11 @@ ADD_NAMESPACES(at_ns0, at_ns1) ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") NS_CHECK_EXEC([at_ns0], [ip link set dev p0 address 80:88:88:88:88:88]) ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") +NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:89:89:89:89:89]) dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0. AT_DATA([flows.txt], [dnl -in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240:34568,random)),2 -in_port=2,ct_state=-trk,tcp,tp_dst=34567,action=ct(table=0,zone=1,nat) +in_port=1,tcp,action=ct(commit,zone=1,nat(src=10.1.1.240:34568)),2 in_port=2,ct_state=-trk,tcp,tp_dst=34568,action=ct(table=0,zone=1,nat) in_port=2,ct_state=+trk,ct_zone=1,tcp,action=1 dnl 
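Review bot: the new `+NS_CHECK_EXEC([at_ns1], [ip link set dev p1 address 80:89:89:89:89:89])` line exists only so that the `eth_dst` of the SYN composed later in the test lands on p1, but nothing in this hunk says so. A short `dnl` comment beside the two fixed MAC assignments (p0 at 80:88:88:88:88:88 and p1 at 80:89:89:89:89:89) noting that they must match the `eth_src`/`eth_dst` passed to `ovs-ofctl compose-packet` would keep the two hunks from drifting apart on a later edit. Dropping `random` and the `tp_dst=34567` return-flow line is consistent with the single-port NAT range `10.1.1.240:34568`, where 34567 could never be chosen, so that part reads fine.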
@@ -6426,17 +6425,28 @@ AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) dnl HTTP requests from p0->p1 should work fine. OVS_START_L7([at_ns1], [http]) -NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 1 -T 1 --retry-connrefused -v -o wget0.log]) + +dnl Send a valid SYN to make conntrack pick it up. +dnl The source port used is 123 to prevent unwanted reuse in the next HTTP request. +syn_pkt=$(ovs-ofctl compose-packet --bare "eth_src=80:88:88:88:88:88,eth_dst=80:89:89:89:89:89,\ + dl_type=0x0800,nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_proto=6,nw_ttl=64,nw_frag=no,tcp_flags=syn,\ + tcp_src=123,tcp_dst=80") +AT_CHECK([ovs-ofctl packet-out br0 "packet=${syn_pkt} actions=ct(commit,zone=1,nat(src=10.1.1.240:34568))"]) + +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | uniq], [0], [dnl +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.240,sport=,dport=),zone=1,protoinfo=(state=) +]) NS_CHECK_EXEC([at_ns0], [wget 10.1.1.2 -t 1 -T 1 --retry-connrefused -v -o wget0.log], [4]) -AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | sed -e 's/dst=10.1.1.2[[45]][[0-9]]/dst=10.1.1.2XX/' | uniq], [0], [dnl -tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.2XX,sport=,dport=),zone=1,protoinfo=(state=) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | uniq], [0], [dnl +tcp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=,dport=),reply=(src=10.1.1.2,dst=10.1.1.240,sport=,dport=),zone=1,protoinfo=(state=) ]) OVS_TRAFFIC_VSWITCHD_STOP(["dnl /Unable to NAT due to tuple space exhaustion - if DoS attack, use firewalling and\/or zone partitioning./d -/Dropped .* log messages in last .* seconds \(most recently, .* seconds ago\) due to excessive rate/d"]) +/Dropped .* log messages in last .* seconds \(most recently, .* seconds ago\) due to excessive rate/d +/|WARN|.* execute ct.* failed/d"]) AT_CLEANUP AT_SETUP([conntrack - more complex SNAT])
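Review bot: the `AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2) | uniq], ...)` added right after the `ovs-ofctl packet-out` masks the state as `protoinfo=(state=)`, so it does not actually verify that the seeded entry is in SYN_SENT, which is the property the commit message relies on to keep the entry from being evicted; a dedicated check that looks for `state=SYN_SENT` on the `dst=10.1.1.240` entry before the wget would catch a regression where the entry advances to a closing state and the subsequent wget then succeeds for the wrong reason. The new `+/|WARN|.* execute ct.* failed/d` filter also deserves a `dnl` comment stating which step is expected to produce that warning (the NAT failure of the wget SYN or the packet-out), since silently suppressing a ct execution failure makes the test weaker as a regression guard if the warning ever starts appearing for another reason.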