| Message ID | 20240226104948.91796-1-xsimonar@redhat.com |
|---|---|
| State | Changes Requested |
| Delegated to: | Ilya Maximets |
| Headers | show |
| Series | [ovs-dev,v2] conntrack: Fix flush not flushing all elements. | expand |
| Context | Check | Description |
|---|---|---|
| ovsrobot/apply-robot | success | apply and check: success |
| ovsrobot/github-robot-_Build_and_Test | success | github build: passed |
| ovsrobot/intel-ovs-compilation | success | test: success |
On Mon, Feb 26, 2024 at 5:50 AM Xavier Simonart <xsimonar@redhat.com> wrote: > > On netdev datapath, when a ct element was cleaned, the cmap > could be shrinked, potentially causing some elements to be skipped > in the flush iteration. > > Fixes: 967bb5c5cd90 ("conntrack: Add rcu support.") > Signed-off-by: Xavier Simonart <xsimonar@redhat.com> Thank you for the patch, I was able to test this out, verify the issue is as you described, and that your patch fixes the problem. > --- > v2: - Updated commit message. > - Use compose-packet instead of hex packet content. > - Use dnl for comments. > - Remove unnecessary errors in OVS_TRAFFIC_VSWITCHD_STOP. > - Rebased on origin/master. > --- > lib/conntrack.c | 14 ++++-------- > lib/conntrack.h | 1 + > tests/system-traffic.at | 47 +++++++++++++++++++++++++++++++++++++++++ > 3 files changed, 52 insertions(+), 10 deletions(-) > > diff --git a/lib/conntrack.c b/lib/conntrack.c > index 8a7056bac..5786424f6 100644 > --- a/lib/conntrack.c > +++ b/lib/conntrack.c > @@ -2651,25 +2651,19 @@ conntrack_dump_start(struct conntrack *ct, struct conntrack_dump *dump, > > dump->ct = ct; > *ptot_bkts = 1; /* Need to clean up the callers. */ > + dump->cursor = cmap_cursor_start(&ct->conns); > return 0; > } > > int > conntrack_dump_next(struct conntrack_dump *dump, struct ct_dpif_entry *entry) > { > - struct conntrack *ct = dump->ct; > long long now = time_msec(); > > - for (;;) { > - struct cmap_node *cm_node = cmap_next_position(&ct->conns, > - &dump->cm_pos); > - if (!cm_node) { > - break; > - } > - struct conn_key_node *keyn; > - struct conn *conn; > + struct conn_key_node *keyn; > + struct conn *conn; > > - INIT_CONTAINER(keyn, cm_node, cm_node); > + CMAP_CURSOR_FOR_EACH_CONTINUE (keyn, cm_node, &dump->cursor) { > if (keyn->dir != CT_DIR_FWD) { > continue; > } > diff --git a/lib/conntrack.h b/lib/conntrack.h > index ee7da099e..aa12a1847 100644 > --- a/lib/conntrack.h > +++ b/lib/conntrack.h > @@ -109,6 +109,7 @@ struct conntrack_dump { > union { > struct cmap_position cm_pos; cm_pos is now dead code. > struct hmap_position hmap_pos; > + struct cmap_cursor cursor; > }; > bool filter_zone; > uint16_t zone; > diff --git a/tests/system-traffic.at b/tests/system-traffic.at > index 98e494abf..34f93b2e5 100644 > --- a/tests/system-traffic.at > +++ b/tests/system-traffic.at > @@ -8389,6 +8389,53 @@ AT_CHECK([ovs-pcap client.pcap | grep 000000002010000000002000], [0], [dnl > OVS_TRAFFIC_VSWITCHD_STOP > AT_CLEANUP > > +AT_SETUP([conntrack - Flush many conntrack entries by port]) > +CHECK_CONNTRACK() > +OVS_TRAFFIC_VSWITCHD_START() > + > +ADD_NAMESPACES(at_ns0, at_ns1) > + > +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") > +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") > + > +AT_DATA([flows.txt], [dnl > +priority=100,in_port=1,udp,action=ct(zone=1,commit),2 > +]) > + > +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) > + > +dnl 20 packets from port 1 and 1 packet from port 2. > +flow_l3="\ > + eth_src=50:54:00:00:00:09,eth_dst=50:54:00:00:00:0a,dl_type=0x0800,\ > + nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_proto=17,nw_ttl=64,nw_frag=no" > + > +for i in $(seq 1 20); do > + frame=$(ovs-ofctl compose-packet --bare "$flow_l3, udp_src=1,udp_dst=$i") > + AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=$frame actions=resubmit(,0)"]) > +done > +frame=$(ovs-ofctl compose-packet --bare "$flow_l3, udp_src=2,udp_dst=1") > +AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=$frame actions=resubmit(,0)"]) > + > +: > conntrack > + > +for i in $(seq 1 20); do > + echo "udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=${i}),reply=(src=10.1.1.2,dst=10.1.1.1,sport=${i},dport=1),zone=1" >> conntrack > +done > +echo "udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=2,dport=1),reply=(src=10.1.1.2,dst=10.1.1.1,sport=1,dport=2),zone=1" >> conntrack > + > +sort conntrack > expout > + > +AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep -F "src=10.1.1.1," | sort ], [0], [expout]) > + > +dnl Check that flushing conntrack by port 1 flush all ct for port 1 but keeps ct for port 2. > +AT_CHECK([ovs-appctl dpctl/flush-conntrack 'ct_nw_proto=17,ct_tp_src=1']) > +AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep -F "src=10.1.1.1," | sort ], [0], [dnl > +udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=2,dport=1),reply=(src=10.1.1.2,dst=10.1.1.1,sport=1,dport=2),zone=1 > +]) > + > +OVS_TRAFFIC_VSWITCHD_STOP > +AT_CLEANUP > + > AT_BANNER([IGMP]) > > AT_SETUP([IGMP - flood under normal action]) > -- > 2.41.0 > > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev >
On 2/26/24 11:49, Xavier Simonart wrote: > On netdev datapath, when a ct element was cleaned, the cmap > could be shrinked, potentially causing some elements to be skipped > in the flush iteration. > > Fixes: 967bb5c5cd90 ("conntrack: Add rcu support.") > Signed-off-by: Xavier Simonart <xsimonar@redhat.com> > --- > v2: - Updated commit message. > - Use compose-packet instead of hex packet content. > - Use dnl for comments. > - Remove unnecessary errors in OVS_TRAFFIC_VSWITCHD_STOP. > - Rebased on origin/master. Thanks, Xavier! Beside the comment from Mike I have a couple nits for the test. See below. Otherwise, the change looks good. Best regards, Ilya Maximets. > --- > lib/conntrack.c | 14 ++++-------- > lib/conntrack.h | 1 + > tests/system-traffic.at | 47 +++++++++++++++++++++++++++++++++++++++++ > 3 files changed, 52 insertions(+), 10 deletions(-) > > diff --git a/lib/conntrack.c b/lib/conntrack.c > index 8a7056bac..5786424f6 100644 > --- a/lib/conntrack.c > +++ b/lib/conntrack.c > @@ -2651,25 +2651,19 @@ conntrack_dump_start(struct conntrack *ct, struct conntrack_dump *dump, > > dump->ct = ct; > *ptot_bkts = 1; /* Need to clean up the callers. */ > + dump->cursor = cmap_cursor_start(&ct->conns); > return 0; > } > > int > conntrack_dump_next(struct conntrack_dump *dump, struct ct_dpif_entry *entry) > { > - struct conntrack *ct = dump->ct; > long long now = time_msec(); > > - for (;;) { > - struct cmap_node *cm_node = cmap_next_position(&ct->conns, > - &dump->cm_pos); > - if (!cm_node) { > - break; > - } > - struct conn_key_node *keyn; > - struct conn *conn; > + struct conn_key_node *keyn; > + struct conn *conn; > > - INIT_CONTAINER(keyn, cm_node, cm_node); > + CMAP_CURSOR_FOR_EACH_CONTINUE (keyn, cm_node, &dump->cursor) { > if (keyn->dir != CT_DIR_FWD) { > continue; > } > diff --git a/lib/conntrack.h b/lib/conntrack.h > index ee7da099e..aa12a1847 100644 > --- a/lib/conntrack.h > +++ b/lib/conntrack.h > @@ -109,6 +109,7 @@ struct conntrack_dump { > union { > struct cmap_position cm_pos; > struct hmap_position hmap_pos; > + struct cmap_cursor cursor; > }; > bool filter_zone; > uint16_t zone; > diff --git a/tests/system-traffic.at b/tests/system-traffic.at > index 98e494abf..34f93b2e5 100644 > --- a/tests/system-traffic.at > +++ b/tests/system-traffic.at > @@ -8389,6 +8389,53 @@ AT_CHECK([ovs-pcap client.pcap | grep 000000002010000000002000], [0], [dnl > OVS_TRAFFIC_VSWITCHD_STOP > AT_CLEANUP > > +AT_SETUP([conntrack - Flush many conntrack entries by port]) > +CHECK_CONNTRACK() > +OVS_TRAFFIC_VSWITCHD_START() > + > +ADD_NAMESPACES(at_ns0, at_ns1) > + > +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") > +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") > + > +AT_DATA([flows.txt], [dnl > +priority=100,in_port=1,udp,action=ct(zone=1,commit),2 > +]) > + > +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) > + > +dnl 20 packets from port 1 and 1 packet from port 2. > +flow_l3="\ > + eth_src=50:54:00:00:00:09,eth_dst=50:54:00:00:00:0a,dl_type=0x0800,\ > + nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_proto=17,nw_ttl=64,nw_frag=no" > + > +for i in $(seq 1 20); do > + frame=$(ovs-ofctl compose-packet --bare "$flow_l3, udp_src=1,udp_dst=$i") > + AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=$frame actions=resubmit(,0)"]) > +done > +frame=$(ovs-ofctl compose-packet --bare "$flow_l3, udp_src=2,udp_dst=1") > +AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=$frame actions=resubmit(,0)"]) > + > +: > conntrack > + > +for i in $(seq 1 20); do > + echo "udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=${i}),reply=(src=10.1.1.2,dst=10.1.1.1,sport=${i},dport=1),zone=1" >> conntrack > +done > +echo "udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=2,dport=1),reply=(src=10.1.1.2,dst=10.1.1.1,sport=1,dport=2),zone=1" >> conntrack > + > +sort conntrack > expout > + > +AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep -F "src=10.1.1.1," | sort ], [0], [expout]) > + > +dnl Check that flushing conntrack by port 1 flush all ct for port 1 but keeps ct for port 2. > +AT_CHECK([ovs-appctl dpctl/flush-conntrack 'ct_nw_proto=17,ct_tp_src=1']) > +AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep -F "src=10.1.1.1," | sort ], [0], [dnl > +udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=2,dport=1),reply=(src=10.1.1.2,dst=10.1.1.1,sport=1,dport=2),zone=1 > +]) Can we add zone=1 filters to all the dump and especially flush commands above? We recently got rid of most of the zone 0 flushing in the tests to avoid any unexpected consequences of flushing default zones. > + > +OVS_TRAFFIC_VSWITCHD_STOP > +AT_CLEANUP > + > AT_BANNER([IGMP]) > > AT_SETUP([IGMP - flood under normal action])
Thanks Mike and Ilya. Sending v3 to handle comments from Mike and Ilya. Thanks Xavier On Fri, Mar 1, 2024 at 7:48 PM Ilya Maximets <i.maximets@ovn.org> wrote: > On 2/26/24 11:49, Xavier Simonart wrote: > > On netdev datapath, when a ct element was cleaned, the cmap > > could be shrinked, potentially causing some elements to be skipped > > in the flush iteration. > > > > Fixes: 967bb5c5cd90 ("conntrack: Add rcu support.") > > Signed-off-by: Xavier Simonart <xsimonar@redhat.com> > > --- > > v2: - Updated commit message. > > - Use compose-packet instead of hex packet content. > > - Use dnl for comments. > > - Remove unnecessary errors in OVS_TRAFFIC_VSWITCHD_STOP. > > - Rebased on origin/master. > > Thanks, Xavier! > > Beside the comment from Mike I have a couple nits for the test. > See below. Otherwise, the change looks good. > > Best regards, Ilya Maximets. > > > --- > > lib/conntrack.c | 14 ++++-------- > > lib/conntrack.h | 1 + > > tests/system-traffic.at | 47 +++++++++++++++++++++++++++++++++++++++++ > > 3 files changed, 52 insertions(+), 10 deletions(-) > > > > diff --git a/lib/conntrack.c b/lib/conntrack.c > > index 8a7056bac..5786424f6 100644 > > --- a/lib/conntrack.c > > +++ b/lib/conntrack.c > > @@ -2651,25 +2651,19 @@ conntrack_dump_start(struct conntrack *ct, > struct conntrack_dump *dump, > > > > dump->ct = ct; > > *ptot_bkts = 1; /* Need to clean up the callers. */ > > + dump->cursor = cmap_cursor_start(&ct->conns); > > return 0; > > } > > > > int > > conntrack_dump_next(struct conntrack_dump *dump, struct ct_dpif_entry > *entry) > > { > > - struct conntrack *ct = dump->ct; > > long long now = time_msec(); > > > > - for (;;) { > > - struct cmap_node *cm_node = cmap_next_position(&ct->conns, > > - &dump->cm_pos); > > - if (!cm_node) { > > - break; > > - } > > - struct conn_key_node *keyn; > > - struct conn *conn; > > + struct conn_key_node *keyn; > > + struct conn *conn; > > > > - INIT_CONTAINER(keyn, cm_node, cm_node); > > + CMAP_CURSOR_FOR_EACH_CONTINUE (keyn, cm_node, &dump->cursor) { > > if (keyn->dir != CT_DIR_FWD) { > > continue; > > } > > diff --git a/lib/conntrack.h b/lib/conntrack.h > > index ee7da099e..aa12a1847 100644 > > --- a/lib/conntrack.h > > +++ b/lib/conntrack.h > > @@ -109,6 +109,7 @@ struct conntrack_dump { > > union { > > struct cmap_position cm_pos; > > struct hmap_position hmap_pos; > > + struct cmap_cursor cursor; > > }; > > bool filter_zone; > > uint16_t zone; > > diff --git a/tests/system-traffic.at b/tests/system-traffic.at > > index 98e494abf..34f93b2e5 100644 > > --- a/tests/system-traffic.at > > +++ b/tests/system-traffic.at > > @@ -8389,6 +8389,53 @@ AT_CHECK([ovs-pcap client.pcap | grep > 000000002010000000002000], [0], [dnl > > OVS_TRAFFIC_VSWITCHD_STOP > > AT_CLEANUP > > > > +AT_SETUP([conntrack - Flush many conntrack entries by port]) > > +CHECK_CONNTRACK() > > +OVS_TRAFFIC_VSWITCHD_START() > > + > > +ADD_NAMESPACES(at_ns0, at_ns1) > > + > > +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") > > +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") > > + > > +AT_DATA([flows.txt], [dnl > > +priority=100,in_port=1,udp,action=ct(zone=1,commit),2 > > +]) > > + > > +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) > > + > > +dnl 20 packets from port 1 and 1 packet from port 2. > > +flow_l3="\ > > + eth_src=50:54:00:00:00:09,eth_dst=50:54:00:00:00:0a,dl_type=0x0800,\ > > + nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_proto=17,nw_ttl=64,nw_frag=no" > > + > > +for i in $(seq 1 20); do > > + frame=$(ovs-ofctl compose-packet --bare "$flow_l3, > udp_src=1,udp_dst=$i") > > + AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 > packet=$frame actions=resubmit(,0)"]) > > +done > > +frame=$(ovs-ofctl compose-packet --bare "$flow_l3, udp_src=2,udp_dst=1") > > +AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 > packet=$frame actions=resubmit(,0)"]) > > + > > +: > conntrack > > + > > +for i in $(seq 1 20); do > > + echo > "udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=${i}),reply=(src=10.1.1.2,dst=10.1.1.1,sport=${i},dport=1),zone=1" > >> conntrack > > +done > > +echo > "udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=2,dport=1),reply=(src=10.1.1.2,dst=10.1.1.1,sport=1,dport=2),zone=1" > >> conntrack > > + > > +sort conntrack > expout > > + > > +AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep -F "src=10.1.1.1," | > sort ], [0], [expout]) > > + > > +dnl Check that flushing conntrack by port 1 flush all ct for port 1 but > keeps ct for port 2. > > +AT_CHECK([ovs-appctl dpctl/flush-conntrack > 'ct_nw_proto=17,ct_tp_src=1']) > > +AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep -F "src=10.1.1.1," | > sort ], [0], [dnl > > > +udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=2,dport=1),reply=(src=10.1.1.2,dst=10.1.1.1,sport=1,dport=2),zone=1 > > +]) > > Can we add zone=1 filters to all the dump and especially flush commands > above? > We recently got rid of most of the zone 0 flushing in the tests to avoid > any > unexpected consequences of flushing default zones. > > > + > > +OVS_TRAFFIC_VSWITCHD_STOP > > +AT_CLEANUP > > + > > AT_BANNER([IGMP]) > > > > AT_SETUP([IGMP - flood under normal action]) > >
diff --git a/lib/conntrack.c b/lib/conntrack.c index 8a7056bac..5786424f6 100644 --- a/lib/conntrack.c +++ b/lib/conntrack.c @@ -2651,25 +2651,19 @@ conntrack_dump_start(struct conntrack *ct, struct conntrack_dump *dump, dump->ct = ct; *ptot_bkts = 1; /* Need to clean up the callers. */ + dump->cursor = cmap_cursor_start(&ct->conns); return 0; } int conntrack_dump_next(struct conntrack_dump *dump, struct ct_dpif_entry *entry) { - struct conntrack *ct = dump->ct; long long now = time_msec(); - for (;;) { - struct cmap_node *cm_node = cmap_next_position(&ct->conns, - &dump->cm_pos); - if (!cm_node) { - break; - } - struct conn_key_node *keyn; - struct conn *conn; + struct conn_key_node *keyn; + struct conn *conn; - INIT_CONTAINER(keyn, cm_node, cm_node); + CMAP_CURSOR_FOR_EACH_CONTINUE (keyn, cm_node, &dump->cursor) { if (keyn->dir != CT_DIR_FWD) { continue; } diff --git a/lib/conntrack.h b/lib/conntrack.h index ee7da099e..aa12a1847 100644 --- a/lib/conntrack.h +++ b/lib/conntrack.h @@ -109,6 +109,7 @@ struct conntrack_dump { union { struct cmap_position cm_pos; struct hmap_position hmap_pos; + struct cmap_cursor cursor; }; bool filter_zone; uint16_t zone; diff --git a/tests/system-traffic.at b/tests/system-traffic.at index 98e494abf..34f93b2e5 100644 --- a/tests/system-traffic.at +++ b/tests/system-traffic.at @@ -8389,6 +8389,53 @@ AT_CHECK([ovs-pcap client.pcap | grep 000000002010000000002000], [0], [dnl OVS_TRAFFIC_VSWITCHD_STOP AT_CLEANUP +AT_SETUP([conntrack - Flush many conntrack entries by port]) +CHECK_CONNTRACK() +OVS_TRAFFIC_VSWITCHD_START() + +ADD_NAMESPACES(at_ns0, at_ns1) + +ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24") +ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24") + +AT_DATA([flows.txt], [dnl +priority=100,in_port=1,udp,action=ct(zone=1,commit),2 +]) + +AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt]) + +dnl 20 packets from port 1 and 1 packet from port 2. +flow_l3="\ + eth_src=50:54:00:00:00:09,eth_dst=50:54:00:00:00:0a,dl_type=0x0800,\ + nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_proto=17,nw_ttl=64,nw_frag=no" + +for i in $(seq 1 20); do + frame=$(ovs-ofctl compose-packet --bare "$flow_l3, udp_src=1,udp_dst=$i") + AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=$frame actions=resubmit(,0)"]) +done +frame=$(ovs-ofctl compose-packet --bare "$flow_l3, udp_src=2,udp_dst=1") +AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=$frame actions=resubmit(,0)"]) + +: > conntrack + +for i in $(seq 1 20); do + echo "udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=${i}),reply=(src=10.1.1.2,dst=10.1.1.1,sport=${i},dport=1),zone=1" >> conntrack +done +echo "udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=2,dport=1),reply=(src=10.1.1.2,dst=10.1.1.1,sport=1,dport=2),zone=1" >> conntrack + +sort conntrack > expout + +AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep -F "src=10.1.1.1," | sort ], [0], [expout]) + +dnl Check that flushing conntrack by port 1 flush all ct for port 1 but keeps ct for port 2. +AT_CHECK([ovs-appctl dpctl/flush-conntrack 'ct_nw_proto=17,ct_tp_src=1']) +AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep -F "src=10.1.1.1," | sort ], [0], [dnl +udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=2,dport=1),reply=(src=10.1.1.2,dst=10.1.1.1,sport=1,dport=2),zone=1 +]) + +OVS_TRAFFIC_VSWITCHD_STOP +AT_CLEANUP + AT_BANNER([IGMP]) AT_SETUP([IGMP - flood under normal action])
On netdev datapath, when a ct element was cleaned, the cmap could be shrinked, potentially causing some elements to be skipped in the flush iteration. Fixes: 967bb5c5cd90 ("conntrack: Add rcu support.") Signed-off-by: Xavier Simonart <xsimonar@redhat.com> --- v2: - Updated commit message. - Use compose-packet instead of hex packet content. - Use dnl for comments. - Remove unnecessary errors in OVS_TRAFFIC_VSWITCHD_STOP. - Rebased on origin/master. --- lib/conntrack.c | 14 ++++-------- lib/conntrack.h | 1 + tests/system-traffic.at | 47 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 52 insertions(+), 10 deletions(-)