| Message ID | 1446855055-38378-6-git-send-email-jrajahalme@nicira.com |
|---|---|
| State | Superseded |
| Headers | show |
On Fri, Nov 06, 2015 at 04:10:52PM -0800, Jarno Rajahalme wrote:
> Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
I'll let someone who knows this part of the system better review this.
Apologies, I missed this one. On 6 November 2015 at 16:10, Jarno Rajahalme <jrajahalme@nicira.com> wrote: > Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> > --- > tests/system-traffic.at | 50 +++++++++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 50 insertions(+) > > diff --git a/tests/system-traffic.at b/tests/system-traffic.at > index eeafd24..0999f03 100644 > --- a/tests/system-traffic.at > +++ b/tests/system-traffic.at > @@ -972,6 +972,56 @@ TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 > OVS_TRAFFIC_VSWITCHD_STOP > AT_CLEANUP > > + > +AT_SETUP([conntrack - IPv6 FTP]) > +AT_SKIP_IF([test $HAVE_PYFTPDLIB = no]) > +CHECK_CONNTRACK() > +OVS_TRAFFIC_VSWITCHD_START() > + > +ADD_NAMESPACES(at_ns0, at_ns1) > + > +ADD_VETH(p0, at_ns0, br0, "fc00::1/96") > +ADD_VETH(p1, at_ns1, br0, "fc00::2/96") > + > +dnl Allow any traffic from ns0->ns1. > +dnl Only allow nd, return traffic from ns1->ns0. > +AT_DATA([flows.txt], [dnl > +dnl Track all IPv6 traffic and drop the rest. > +table=0 ip6, action=ct(table=1) > +table=0 priority=0 action=drop > +dnl > +dnl Table 1 > +dnl > +dnl Allow new TCPv6 FTP control connections from port 1. > +table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2 > +dnl Allow related TCPv6 connections from port 2. > +table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1 > +dnl Allow established TCPv6 connections both ways. > +table=1 in_port=1 ct_state=+est, tcp6, action=2 > +table=1 in_port=2 ct_state=+est, tcp6, action=1 > +dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked. > +table=1 in_port=1 ct_state=+new, icmp6, action=2 > +table=1 in_port=2 ct_state=+new, icmp6, action=1 These ICMPv6 flows aren't used in the test, and are probably not a great example as I don't think things like Neighbour Discovery (also ICMPv6) should really be sent to the connection tracker at all. For instance, it's not describing point-to-point "connections", and ct may not respect zone. But it's easy enough to just drop those flows. Otherwise, LGTM. Acked-by: Joe Stringer <joe@ovn.org>
> On Nov 25, 2015, at 3:52 PM, Joe Stringer <joe@ovn.org> wrote: > > Apologies, I missed this one. > > On 6 November 2015 at 16:10, Jarno Rajahalme <jrajahalme@nicira.com> wrote: >> Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> >> --- >> tests/system-traffic.at | 50 +++++++++++++++++++++++++++++++++++++++++++++++++ >> 1 file changed, 50 insertions(+) >> >> diff --git a/tests/system-traffic.at b/tests/system-traffic.at >> index eeafd24..0999f03 100644 >> --- a/tests/system-traffic.at >> +++ b/tests/system-traffic.at >> @@ -972,6 +972,56 @@ TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 >> OVS_TRAFFIC_VSWITCHD_STOP >> AT_CLEANUP >> >> + >> +AT_SETUP([conntrack - IPv6 FTP]) >> +AT_SKIP_IF([test $HAVE_PYFTPDLIB = no]) >> +CHECK_CONNTRACK() >> +OVS_TRAFFIC_VSWITCHD_START() >> + >> +ADD_NAMESPACES(at_ns0, at_ns1) >> + >> +ADD_VETH(p0, at_ns0, br0, "fc00::1/96") >> +ADD_VETH(p1, at_ns1, br0, "fc00::2/96") >> + >> +dnl Allow any traffic from ns0->ns1. >> +dnl Only allow nd, return traffic from ns1->ns0. >> +AT_DATA([flows.txt], [dnl >> +dnl Track all IPv6 traffic and drop the rest. >> +table=0 ip6, action=ct(table=1) >> +table=0 priority=0 action=drop >> +dnl >> +dnl Table 1 >> +dnl >> +dnl Allow new TCPv6 FTP control connections from port 1. >> +table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2 >> +dnl Allow related TCPv6 connections from port 2. >> +table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1 >> +dnl Allow established TCPv6 connections both ways. >> +table=1 in_port=1 ct_state=+est, tcp6, action=2 >> +table=1 in_port=2 ct_state=+est, tcp6, action=1 >> +dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked. >> +table=1 in_port=1 ct_state=+new, icmp6, action=2 >> +table=1 in_port=2 ct_state=+new, icmp6, action=1 > > These ICMPv6 flows aren't used in the test, and are probably not a > great example as I don't think things like Neighbour Discovery (also > ICMPv6) should really be sent to the connection tracker at all. For > instance, it's not describing point-to-point "connections", and ct may > not respect zone. But it's easy enough to just drop those flows. > > Otherwise, LGTM. > In fact the test case fails without these flows, but you are right in that they need not be in table 1 (== after conntrack). I moved them to table 0. > Acked-by: Joe Stringer <joe@ovn.org> Thanks for the review, pushed to master. Jarno
diff --git a/tests/system-traffic.at b/tests/system-traffic.at index eeafd24..0999f03 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -972,6 +972,56 @@ TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP + +AT_SETUP([conntrack - IPv6 FTP]) +AT_SKIP_IF([test $HAVE_PYFTPDLIB = no]) +CHECK_CONNTRACK() +OVS_TRAFFIC_VSWITCHD_START() + +ADD_NAMESPACES(at_ns0, at_ns1) + +ADD_VETH(p0, at_ns0, br0, "fc00::1/96") +ADD_VETH(p1, at_ns1, br0, "fc00::2/96") + +dnl Allow any traffic from ns0->ns1. +dnl Only allow nd, return traffic from ns1->ns0. +AT_DATA([flows.txt], [dnl +dnl Track all IPv6 traffic and drop the rest. +table=0 ip6, action=ct(table=1) +table=0 priority=0 action=drop +dnl +dnl Table 1 +dnl +dnl Allow new TCPv6 FTP control connections from port 1. +table=1 in_port=1 ct_state=+new, tcp6, tp_dst=21, action=ct(alg=ftp,commit),2 +dnl Allow related TCPv6 connections from port 2. +table=1 in_port=2 ct_state=+new+rel, tcp6, action=ct(commit),1 +dnl Allow established TCPv6 connections both ways. +table=1 in_port=1 ct_state=+est, tcp6, action=2 +table=1 in_port=2 ct_state=+est, tcp6, action=1 +dnl Allow ICMPv6 both ways. No commit, so pings will not be tracked. +table=1 in_port=1 ct_state=+new, icmp6, action=2 +table=1 in_port=2 ct_state=+new, icmp6, action=1 +dnl Drop everything else. +table=1 priority=0, action=drop +]) + +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) + +NETNS_DAEMONIZE([at_ns1], [[$PYTHON $srcdir/test-l7.py ftp]], [ftp0.pid]) + +dnl FTP requests from p0->p1 should work fine. +NS_CHECK_EXEC([at_ns0], [wget ftp://[[fc00::2]] -6 --no-passive-ftp -t 3 -T 1 --retry-connrefused -v --server-response --no-proxy --no-remove-listing -o wget0.log -d]) + +AT_CHECK([conntrack -L -f ipv6 2>&1 | FORMAT_CT(fc00::2) | grep -v "FIN" | grep -v "CLOSE"], [0], [dnl +TIME_WAIT src=fc00::1 dst=fc00::2 sport=<cleared> dport=<cleared> src=fc00::2 dst=fc00::1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 helper=ftp use=2 +TIME_WAIT src=fc00::2 dst=fc00::1 sport=<cleared> dport=<cleared> src=fc00::1 dst=fc00::2 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 use=1 +]) + +OVS_TRAFFIC_VSWITCHD_STOP +AT_CLEANUP + + AT_SETUP([conntrack - FTP with multiple expectations]) AT_SKIP_IF([test $HAVE_PYFTPDLIB = no]) CHECK_CONNTRACK()
Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com> --- tests/system-traffic.at | 50 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+)