| Message ID | 20230830175609.794716-1-aconole@redhat.com |
|---|---|
| State | Changes Requested |
| Headers | show |
| Series | [ovs-dev,v3] conntrack: Add a test for IPv4 UDP zero checksum | expand |
| Context | Check | Description |
|---|---|---|
| ovsrobot/apply-robot | success | apply and check: success |
| ovsrobot/github-robot-_Build_and_Test | success | github build: passed |
| ovsrobot/intel-ovs-compilation | success | test: success |
On 30 Aug 2023, at 19:56, Aaron Conole wrote: > In the past, during some conntrack testing a bug was uncovered in a DPDK > PMD which didn't support an IPv4 packet with a zero checksum value. > In order to show that the connection tracking code in userspace > supports IPv4 UDP with a zero checksum, add a test case to enforce > this behavior > > Reported-at: http://mails.dpdk.org/archives/dev/2021-January/198528.html > Reported-by: Paolo Valerio <pvalerio@redhat.com> > Signed-off-by: Aaron Conole <aconole@redhat.com> > --- > v1->v2: - Addressed most of the comments by Flavio & William Tu. > - Added the 0xffff checksum case > - Added a bad checksum case > - For the single instance of "sleep 1," this needs to be retained > due to the negative test case (we have no WAIT_UNTIL to rely on) > but there are other instances of sleep 1 throughout the suite, > so I guess it should be okay. Hi Aaron, I think the patch looks good, however, can we just not wait for the drop actions to appear, and if it does then do the check for the empty conntrack table? Or am I missing something? Cheers, Eelco > v2->v3: - Add a check for the ofproto dropped packet stats > - Fix whitespace issue > - Restricted the dump-conntrack checks to keep the possibility of > UDP queries poisoning the test case lower. > > tests/system-traffic.at | 67 +++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 67 insertions(+) > > diff --git a/tests/system-traffic.at b/tests/system-traffic.at > index 808c492a22..65c44c4350 100644 > --- a/tests/system-traffic.at > +++ b/tests/system-traffic.at > @@ -3813,6 +3813,73 @@ OVS_WAIT_UNTIL([ovs-pcap p0.pcap | grep -q "f00000010101f00000010102080045c00045 > OVS_TRAFFIC_VSWITCHD_STOP > AT_CLEANUP > > +AT_SETUP([conntrack - IPv4 UDP zero checksum]) > +dnl Checks sending zero checksum packets for udp over ipv4 > +CHECK_CONNTRACK() > +OVS_TRAFFIC_VSWITCHD_START() > +OVS_CHECK_CT_CLEAR() > + > +ADD_NAMESPACES(at_ns0, at_ns1) > +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24", "f0:00:00:01:01:01") > +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24", "f0:00:00:01:01:02") > + > +dnl Setup conntrack flows > +AT_DATA([flows.txt], [dnl > +table=0,priority=10 ip,udp,ct_state=-trk action=ct(zone=1,table=1) > +table=0,priority=0 action=drop > +table=1,priority=10 ct_state=-est+trk+new,ip,ct_zone=1,in_port=1 action=ct(commit,table=2) > +table=1,priority=10 ct_state=+est-new+trk,ct_zone=1,in_port=1 action=resubmit(,2) > +table=1,priority=0 action=drop > +table=2,priority=10 ct_state=+trk+new,in_port=1 action=2 > +table=2,priority=10 ct_state=+trk+est action=2 > +]) > +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) > + > +dnl sending udp pkt with 0000 checksum > +NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f0 00 00 01 01 02 f0 00 00 01 01 01 08 00 45 00 00 28 00 01 00 00 40 11 64 c0 0a 01 01 01 0a 01 01 02 04 d2 04 d2 00 14 00 00 aa aa aa aa aa aa aa aa aa aa aa aa > /dev/null]) > + > +OVS_WAIT_UNTIL([ovs-appctl dpctl/dump-conntrack | grep "udp"]) > + > +dnl ensure CT picked up the packet > +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1)], [0], [dnl > +udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>) > +]) > + > +dnl clear CT tuples > +AT_CHECK([ovs-appctl dpctl/flush-conntrack]) > +AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "udp"], [1]) > + > +dnl send UDP with ffff checksum > +NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f0 00 00 01 01 02 f0 00 00 01 01 01 08 00 45 00 00 40 00 01 00 00 40 11 64 a8 0a 01 01 01 0a 01 01 02 04 d2 04 d2 00 2c ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 df ed > /dev/null]) > +OVS_WAIT_UNTIL([ovs-appctl dpctl/dump-conntrack | grep "udp"]) > + > +dnl ensure CT picked up the packet > +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1)], [0], [dnl > +udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>) > +]) > + > +dnl clear CT tuples > +AT_CHECK([ovs-appctl dpctl/flush-conntrack]) > +AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "udp"], [1]) > + > +dnl sending udp pkt with bad checksum > +NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f0 00 00 01 01 02 f0 00 00 01 01 01 08 00 45 00 00 28 00 01 00 00 40 11 64 c0 0a 01 01 01 0a 01 01 02 04 d2 04 d2 00 14 11 11 aa aa aa aa aa aa aa aa aa aa aa aa > /dev/null]) > + > +dnl We call a sleep here to ensure that we let the system get through any > +dnl needed upcalls. Once the sleep is expired, we can check the drop counter > +dnl in table 1 for our bad csum packet, and ensure that there are no entries > +dnl in the conntrack table. > +sleep 1 > + > +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1)], [0], [dnl > +]) > +AT_CHECK([ovs-ofctl dump-flows br0 | grep 'table=1,' | dnl > + grep 'actions=drop' | strip_duration], [0], [ dnl > +cookie=0x0, table=1, n_packets=1, n_bytes=54, idle_age=1, priority=0 actions=drop > +]) > +OVS_TRAFFIC_VSWITCHD_STOP > +AT_CLEANUP > + > AT_SETUP([conntrack - IPv4 fragmentation]) > CHECK_CONNTRACK() > OVS_TRAFFIC_VSWITCHD_START() > -- > 2.40.1 > > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Eelco Chaudron <echaudro@redhat.com> writes: > On 30 Aug 2023, at 19:56, Aaron Conole wrote: > >> In the past, during some conntrack testing a bug was uncovered in a DPDK >> PMD which didn't support an IPv4 packet with a zero checksum value. >> In order to show that the connection tracking code in userspace >> supports IPv4 UDP with a zero checksum, add a test case to enforce >> this behavior >> >> Reported-at: http://mails.dpdk.org/archives/dev/2021-January/198528.html >> Reported-by: Paolo Valerio <pvalerio@redhat.com> >> Signed-off-by: Aaron Conole <aconole@redhat.com> >> --- >> v1->v2: - Addressed most of the comments by Flavio & William Tu. >> - Added the 0xffff checksum case >> - Added a bad checksum case >> - For the single instance of "sleep 1," this needs to be retained >> due to the negative test case (we have no WAIT_UNTIL to rely on) >> but there are other instances of sleep 1 throughout the suite, >> so I guess it should be okay. > > Hi Aaron, > > I think the patch looks good, however, can we just not wait for the > drop actions to appear, and if it does then do the check for the empty > conntrack table? Or am I missing something? Most likely we can. I'll update the test to WAIT for the drop condition. > Cheers, > > Eelco > > >> v2->v3: - Add a check for the ofproto dropped packet stats >> - Fix whitespace issue >> - Restricted the dump-conntrack checks to keep the possibility of >> UDP queries poisoning the test case lower. >> >> tests/system-traffic.at | 67 +++++++++++++++++++++++++++++++++++++++++ >> 1 file changed, 67 insertions(+) >> >> diff --git a/tests/system-traffic.at b/tests/system-traffic.at >> index 808c492a22..65c44c4350 100644 >> --- a/tests/system-traffic.at >> +++ b/tests/system-traffic.at >> @@ -3813,6 +3813,73 @@ OVS_WAIT_UNTIL([ovs-pcap p0.pcap | grep -q "f00000010101f00000010102080045c00045 >> OVS_TRAFFIC_VSWITCHD_STOP >> AT_CLEANUP >> >> +AT_SETUP([conntrack - IPv4 UDP zero checksum]) >> +dnl Checks sending zero checksum packets for udp over ipv4 >> +CHECK_CONNTRACK() >> +OVS_TRAFFIC_VSWITCHD_START() >> +OVS_CHECK_CT_CLEAR() >> + >> +ADD_NAMESPACES(at_ns0, at_ns1) >> +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24", "f0:00:00:01:01:01") >> +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24", "f0:00:00:01:01:02") >> + >> +dnl Setup conntrack flows >> +AT_DATA([flows.txt], [dnl >> +table=0,priority=10 ip,udp,ct_state=-trk action=ct(zone=1,table=1) >> +table=0,priority=0 action=drop >> +table=1,priority=10 ct_state=-est+trk+new,ip,ct_zone=1,in_port=1 action=ct(commit,table=2) >> +table=1,priority=10 ct_state=+est-new+trk,ct_zone=1,in_port=1 action=resubmit(,2) >> +table=1,priority=0 action=drop >> +table=2,priority=10 ct_state=+trk+new,in_port=1 action=2 >> +table=2,priority=10 ct_state=+trk+est action=2 >> +]) >> +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) >> + >> +dnl sending udp pkt with 0000 checksum >> +NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f0 00 00 01 01 02 f0 00 00 01 01 01 08 00 45 00 00 28 00 01 00 00 40 11 64 c0 0a 01 01 01 0a 01 01 02 04 d2 04 d2 00 14 00 00 aa aa aa aa aa aa aa aa aa aa aa aa > /dev/null]) >> + >> +OVS_WAIT_UNTIL([ovs-appctl dpctl/dump-conntrack | grep "udp"]) >> + >> +dnl ensure CT picked up the packet >> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1)], [0], [dnl >> +udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>) >> +]) >> + >> +dnl clear CT tuples >> +AT_CHECK([ovs-appctl dpctl/flush-conntrack]) >> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "udp"], [1]) >> + >> +dnl send UDP with ffff checksum >> +NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f0 00 00 01 01 02 f0 00 00 01 01 01 08 00 45 00 00 40 00 01 00 00 40 11 64 a8 0a 01 01 01 0a 01 01 02 04 d2 04 d2 00 2c ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 df ed > /dev/null]) >> +OVS_WAIT_UNTIL([ovs-appctl dpctl/dump-conntrack | grep "udp"]) >> + >> +dnl ensure CT picked up the packet >> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1)], [0], [dnl >> +udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>) >> +]) >> + >> +dnl clear CT tuples >> +AT_CHECK([ovs-appctl dpctl/flush-conntrack]) >> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "udp"], [1]) >> + >> +dnl sending udp pkt with bad checksum >> +NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f0 00 00 01 01 02 f0 00 00 01 01 01 08 00 45 00 00 28 00 01 00 00 40 11 64 c0 0a 01 01 01 0a 01 01 02 04 d2 04 d2 00 14 11 11 aa aa aa aa aa aa aa aa aa aa aa aa > /dev/null]) >> + >> +dnl We call a sleep here to ensure that we let the system get through any >> +dnl needed upcalls. Once the sleep is expired, we can check the drop counter >> +dnl in table 1 for our bad csum packet, and ensure that there are no entries >> +dnl in the conntrack table. >> +sleep 1 >> + >> +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1)], [0], [dnl >> +]) >> +AT_CHECK([ovs-ofctl dump-flows br0 | grep 'table=1,' | dnl >> + grep 'actions=drop' | strip_duration], [0], [ dnl >> +cookie=0x0, table=1, n_packets=1, n_bytes=54, idle_age=1, priority=0 actions=drop >> +]) >> +OVS_TRAFFIC_VSWITCHD_STOP >> +AT_CLEANUP >> + >> AT_SETUP([conntrack - IPv4 fragmentation]) >> CHECK_CONNTRACK() >> OVS_TRAFFIC_VSWITCHD_START() >> -- >> 2.40.1 >> >> _______________________________________________ >> dev mailing list >> dev@openvswitch.org >> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
diff --git a/tests/system-traffic.at b/tests/system-traffic.at index 808c492a22..65c44c4350 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -3813,6 +3813,73 @@ OVS_WAIT_UNTIL([ovs-pcap p0.pcap | grep -q "f00000010101f00000010102080045c00045 OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP +AT_SETUP([conntrack - IPv4 UDP zero checksum]) +dnl Checks sending zero checksum packets for udp over ipv4 +CHECK_CONNTRACK() +OVS_TRAFFIC_VSWITCHD_START() +OVS_CHECK_CT_CLEAR() + +ADD_NAMESPACES(at_ns0, at_ns1) +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24", "f0:00:00:01:01:01") +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24", "f0:00:00:01:01:02") + +dnl Setup conntrack flows +AT_DATA([flows.txt], [dnl +table=0,priority=10 ip,udp,ct_state=-trk action=ct(zone=1,table=1) +table=0,priority=0 action=drop +table=1,priority=10 ct_state=-est+trk+new,ip,ct_zone=1,in_port=1 action=ct(commit,table=2) +table=1,priority=10 ct_state=+est-new+trk,ct_zone=1,in_port=1 action=resubmit(,2) +table=1,priority=0 action=drop +table=2,priority=10 ct_state=+trk+new,in_port=1 action=2 +table=2,priority=10 ct_state=+trk+est action=2 +]) +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) + +dnl sending udp pkt with 0000 checksum +NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f0 00 00 01 01 02 f0 00 00 01 01 01 08 00 45 00 00 28 00 01 00 00 40 11 64 c0 0a 01 01 01 0a 01 01 02 04 d2 04 d2 00 14 00 00 aa aa aa aa aa aa aa aa aa aa aa aa > /dev/null]) + +OVS_WAIT_UNTIL([ovs-appctl dpctl/dump-conntrack | grep "udp"]) + +dnl ensure CT picked up the packet +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1)], [0], [dnl +udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>) +]) + +dnl clear CT tuples +AT_CHECK([ovs-appctl dpctl/flush-conntrack]) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "udp"], [1]) + +dnl send UDP with ffff checksum +NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f0 00 00 01 01 02 f0 00 00 01 01 01 08 00 45 00 00 40 00 01 00 00 40 11 64 a8 0a 01 01 01 0a 01 01 02 04 d2 04 d2 00 2c ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 df ed > /dev/null]) +OVS_WAIT_UNTIL([ovs-appctl dpctl/dump-conntrack | grep "udp"]) + +dnl ensure CT picked up the packet +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1)], [0], [dnl +udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=<cleared>,dport=<cleared>),reply=(src=10.1.1.2,dst=10.1.1.1,sport=<cleared>,dport=<cleared>) +]) + +dnl clear CT tuples +AT_CHECK([ovs-appctl dpctl/flush-conntrack]) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "udp"], [1]) + +dnl sending udp pkt with bad checksum +NS_CHECK_EXEC([at_ns0], [$PYTHON3 $srcdir/sendpkt.py p0 f0 00 00 01 01 02 f0 00 00 01 01 01 08 00 45 00 00 28 00 01 00 00 40 11 64 c0 0a 01 01 01 0a 01 01 02 04 d2 04 d2 00 14 11 11 aa aa aa aa aa aa aa aa aa aa aa aa > /dev/null]) + +dnl We call a sleep here to ensure that we let the system get through any +dnl needed upcalls. Once the sleep is expired, we can check the drop counter +dnl in table 1 for our bad csum packet, and ensure that there are no entries +dnl in the conntrack table. +sleep 1 + +AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1)], [0], [dnl +]) +AT_CHECK([ovs-ofctl dump-flows br0 | grep 'table=1,' | dnl + grep 'actions=drop' | strip_duration], [0], [ dnl +cookie=0x0, table=1, n_packets=1, n_bytes=54, idle_age=1, priority=0 actions=drop +]) +OVS_TRAFFIC_VSWITCHD_STOP +AT_CLEANUP + AT_SETUP([conntrack - IPv4 fragmentation]) CHECK_CONNTRACK() OVS_TRAFFIC_VSWITCHD_START()
In the past, during some conntrack testing a bug was uncovered in a DPDK PMD which didn't support an IPv4 packet with a zero checksum value. In order to show that the connection tracking code in userspace supports IPv4 UDP with a zero checksum, add a test case to enforce this behavior Reported-at: http://mails.dpdk.org/archives/dev/2021-January/198528.html Reported-by: Paolo Valerio <pvalerio@redhat.com> Signed-off-by: Aaron Conole <aconole@redhat.com> --- v1->v2: - Addressed most of the comments by Flavio & William Tu. - Added the 0xffff checksum case - Added a bad checksum case - For the single instance of "sleep 1," this needs to be retained due to the negative test case (we have no WAIT_UNTIL to rely on) but there are other instances of sleep 1 throughout the suite, so I guess it should be okay. v2->v3: - Add a check for the ofproto dropped packet stats - Fix whitespace issue - Restricted the dump-conntrack checks to keep the possibility of UDP queries poisoning the test case lower. tests/system-traffic.at | 67 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+)