[ovs-dev,PATCHv3,11/11] system-traffic: Add ct tests using local stack.

Message ID 1443559234-7330-12-git-send-email-joestringer@nicira.com
State Superseded

Commit Message

Joe Stringer Sept. 29, 2015, 8:40 p.m. UTC
When interacting with the local stack, the kernel may provide packets
with existing ct state as they ingress OVS. These tests check that we
are able to connection-track such packets successfully in non-zero
zones, using slightly more realistic pipelines.

Signed-off-by: Joe Stringer <joestringer@nicira.com>
---
 tests/system-common-macros.at |   5 +-
 tests/system-traffic.at       | 117 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 121 insertions(+), 1 deletion(-)

Comments

Joe Stringer Sept. 29, 2015, 9:23 p.m. UTC | #1
On 29 September 2015 at 13:40, Joe Stringer <joestringer@nicira.com> wrote:
> When interacting with the local stack, the kernel may provide packets
> with existing ct state as they ingress OVS. These tests check that we
> are able to connection-track such packets successfully in non-zero
> zones, using slightly more realistic pipelines.
>
> Signed-off-by: Joe Stringer <joestringer@nicira.com>
> ---
>  tests/system-common-macros.at |   5 +-
>  tests/system-traffic.at       | 117 ++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 121 insertions(+), 1 deletion(-)
>
> diff --git a/tests/system-common-macros.at b/tests/system-common-macros.at
> index 8f3b318..f0da589 100644
> --- a/tests/system-common-macros.at
> +++ b/tests/system-common-macros.at
> @@ -124,7 +124,10 @@ m4_define([FORMAT_PING], [grep "transmitted" | sed 's/time.*ms$/time 0ms/'])
>  # Strip content from the piped input which would differ from test to test.
>  #
>  m4_define([FORMAT_CT],
> -    [[grep "dst=$1" | sed -e 's/port=[0-9]*/port=<cleared>/g' -e 's/  */ /g' -e 's/secctx[^ ]* //' | cut -d' ' -f4- | sort | uniq]])
> +    [[grep "dst=$1" | sed -e 's/port=[0-9]*/port=<cleared>/g' -e 's/  */ /g' \
> +                          -e 's/secctx[^ ]* //' \
> +                          -e 's/id=[0-9]*/id=<cleared>/g' \
> +                    | cut -d' ' -f4- | sort | uniq]])
>
>  # NETNS_DAEMONIZE([namespace], [command], [pidfile])
>  #
> diff --git a/tests/system-traffic.at b/tests/system-traffic.at
> index 081531b..84f5baa 100644
> --- a/tests/system-traffic.at
> +++ b/tests/system-traffic.at
> @@ -566,6 +566,123 @@ TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2
>  OVS_TRAFFIC_VSWITCHD_STOP
>  AT_CLEANUP
>
> +AT_SETUP([conntrack - multiple zones, local])
> +CHECK_CONNTRACK()
> +OVS_TRAFFIC_VSWITCHD_START(
> +   [set-fail-mode br0 secure -- ])
> +
> +ADD_NAMESPACES(at_ns0)
> +
> +AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
> +AT_CHECK([ip link set dev br0 up])
> +on_exit 'ip addr del dev br0 "10.1.1.1/24"'
> +ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
> +
> +dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.

This comment keeps leaking into other tests, it's meant to be the same
as the comment in the equivalent part of the next test:

+dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
+dnl return traffic from ns0 back to the local stack.
Ben Pfaff Sept. 30, 2015, 4:03 p.m. UTC | #2
On Tue, Sep 29, 2015 at 01:40:34PM -0700, Joe Stringer wrote:
> When interacting with the local stack, the kernel may provide packets
> with existing ct state as they ingress OVS. These tests check that we
> are able to connection-track such packets successfully in non-zero
> zones, using slightly more realistic pipelines.
> 
> Signed-off-by: Joe Stringer <joestringer@nicira.com>

I haven't done a good job keeping up with the kernel tests.  Do you
think this needs a detailed review?  Is anyone else more familiar with
them and better suited to review this?
Joe Stringer Sept. 30, 2015, 4:59 p.m. UTC | #3
On 30 September 2015 at 09:03, Ben Pfaff <blp@nicira.com> wrote:
> On Tue, Sep 29, 2015 at 01:40:34PM -0700, Joe Stringer wrote:
>> When interacting with the local stack, the kernel may provide packets
>> with existing ct state as they ingress OVS. These tests check that we
>> are able to connection-track such packets successfully in non-zero
>> zones, using slightly more realistic pipelines.
>>
>> Signed-off-by: Joe Stringer <joestringer@nicira.com>
>
> I haven't done a good job keeping up with the kernel tests.  Do you
> think this needs a detailed review?  Is anyone else more familiar with
> them and better suited to review this?

I think that Daniele is probably the best to review this, he's had
quite a bit of experience with these tests particularly with the
userspace CT work.
Daniele Di Proietto Sept. 30, 2015, 5:51 p.m. UTC | #4
On 30/09/2015 17:59, "Joe Stringer" <joestringer@nicira.com> wrote:

>On 30 September 2015 at 09:03, Ben Pfaff <blp@nicira.com> wrote:
>> On Tue, Sep 29, 2015 at 01:40:34PM -0700, Joe Stringer wrote:
>>> When interacting with the local stack, the kernel may provide packets
>>> with existing ct state as they ingress OVS. These tests check that we
>>> are able to connection-track such packets successfully in non-zero
>>> zones, using slightly more realistic pipelines.
>>>
>>> Signed-off-by: Joe Stringer <joestringer@nicira.com>
>>
>> I haven't done a good job keeping up with the kernel tests.  Do you
>> think this needs a detailed review?  Is anyone else more familiar with
>> them and better suited to review this?
>
>I think that Daniele is probably the best to review this, he's had
>quite a bit of experience with these tests particularly with the
>userspace CT work.

Sure, I can review this.

Patch

diff --git a/tests/system-common-macros.at b/tests/system-common-macros.at
index 8f3b318..f0da589 100644
--- a/tests/system-common-macros.at
+++ b/tests/system-common-macros.at
@@ -124,7 +124,10 @@  m4_define([FORMAT_PING], [grep "transmitted" | sed 's/time.*ms$/time 0ms/'])
 # Strip content from the piped input which would differ from test to test.
 #
 m4_define([FORMAT_CT],
-    [[grep "dst=$1" | sed -e 's/port=[0-9]*/port=<cleared>/g' -e 's/  */ /g' -e 's/secctx[^ ]* //' | cut -d' ' -f4- | sort | uniq]])
+    [[grep "dst=$1" | sed -e 's/port=[0-9]*/port=<cleared>/g' -e 's/  */ /g' \
+                          -e 's/secctx[^ ]* //' \
+                          -e 's/id=[0-9]*/id=<cleared>/g' \
+                    | cut -d' ' -f4- | sort | uniq]])
 
 # NETNS_DAEMONIZE([namespace], [command], [pidfile])
 #
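Review bot: the `grep "dst=$1"` at the head of the FORMAT_CT pipeline (present on both the removed and the added line) is an unanchored substring match, so `FORMAT_CT(10.1.1.2)` would also keep entries for a `dst=10.1.1.20`-style address, and the dots in `$1` are unescaped regex metacharacters; since every `conntrack -L` entry follows the address with a space, `grep "dst=$1 "` would tighten the filter at no cost. The new `-e 's/id=[0-9]*/id=<cleared>/g'` substitution is what makes the ICMP entries comparable across runs (echo ids vary per ping); a short note on the macro's comment that ports and ICMP ids are both cleared would help the next reader of the expected-output blocks.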
diff --git a/tests/system-traffic.at b/tests/system-traffic.at
index 081531b..84f5baa 100644
--- a/tests/system-traffic.at
+++ b/tests/system-traffic.at
@@ -566,6 +566,123 @@  TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2
 OVS_TRAFFIC_VSWITCHD_STOP
 AT_CLEANUP
 
+AT_SETUP([conntrack - multiple zones, local])
+CHECK_CONNTRACK()
+OVS_TRAFFIC_VSWITCHD_START(
+   [set-fail-mode br0 secure -- ])
+
+ADD_NAMESPACES(at_ns0)
+
+AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
+AT_CHECK([ip link set dev br0 up])
+on_exit 'ip addr del dev br0 "10.1.1.1/24"'
+ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
+
+dnl Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.
+AT_DATA([flows.txt], [dnl
+priority=1,action=drop
+priority=10,arp,action=normal
+priority=100,in_port=LOCAL,ip,ct_state=-trk,action=drop
+priority=100,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=1),ct(commit,zone=2),1
+priority=100,in_port=LOCAL,ip,ct_state=+trk+est,action=ct(commit,zone=1),ct(commit,zone=2),1
+priority=100,in_port=1,ip,ct_state=-trk,action=ct(table=1,zone=1)
+table=1,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=1,action=ct(table=2,zone=2)
+table=2,priority=100,in_port=1,ip,ct_state=+trk+est,ct_zone=2,action=LOCAL
+])
+
+AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
+
+AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
+3 packets transmitted, 3 received, 0% packet loss, time 0ms
+])
+
+dnl HTTP requests from root namespace to p0 should work fine.
+NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
+AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+
+dnl (again) HTTP requests from root namespace to  p0 should work fine.
+AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+
+AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
+TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
+TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=2 use=1
+src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=1 use=1
+src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=2 use=1
+])
+
+OVS_TRAFFIC_VSWITCHD_STOP
+AT_CLEANUP
+
+AT_SETUP([conntrack - multi-stage pipeline, local])
+CHECK_CONNTRACK()
+OVS_TRAFFIC_VSWITCHD_START(
+   [set-fail-mode br0 secure -- ])
+
+ADD_NAMESPACES(at_ns0)
+
+AT_CHECK([ip addr add dev br0 "10.1.1.1/24"])
+AT_CHECK([ip link set dev br0 up])
+on_exit 'ip addr del dev br0 "10.1.1.1/24"'
+ADD_VETH(p0, at_ns0, br0, "10.1.1.2/24")
+
+dnl Allow traffic from local stack to ns0. Only allow neighbour discovery,
+dnl return traffic from ns0 back to the local stack.
+AT_DATA([flows.txt], [dnl
+dnl default
+table=0,priority=1,action=drop
+table=0,priority=10,arp,action=normal
+
+dnl Load the output port to REG0
+table=0,priority=100,ip,in_port=LOCAL,action=load:1->NXM_NX_REG0[[0..15]],goto_table:1
+table=0,priority=100,ip,in_port=1,action=load:65534->NXM_NX_REG0[[0..15]],goto_table:1
+
+dnl Ingress pipeline
+dnl - Allow all connections from LOCAL port (commit and proceed to egress)
+dnl - All other connections go through conntracker using the input port as
+dnl   a connection tracking zone.
+table=1,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=OXM_OF_IN_PORT[[0..15]]),goto_table:2
+table=1,priority=100,ip,action=ct(table=2,zone=OXM_OF_IN_PORT[[0..15]])
+table=1,priority=1,action=drop
+
+dnl Egress pipeline
+dnl - Allow all connections from LOCAL port (commit and skip to output)
+dnl - Allow other established connections to go through conntracker using
+dnl   output port as a connection tracking zone.
+table=2,priority=150,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit,zone=NXM_NX_REG0[[0..15]]),goto_table:4
+table=2,priority=100,ip,ct_state=+trk+est,action=ct(table=3,zone=NXM_NX_REG0[[0..15]])
+table=2,priority=1,action=drop
+
+dnl Only allow established traffic from egress ct lookup
+table=3,priority=100,ip,ct_state=+trk+est,action=goto_table:4
+table=3,priority=1,action=drop
+
+dnl output table
+table=4,priority=100,ip,action=output:NXM_NX_REG0[[]]
+])
+
+AT_CHECK([ovs-ofctl add-flows br0 flows.txt])
+
+AT_CHECK([ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
+3 packets transmitted, 3 received, 0% packet loss, time 0ms
+])
+
+dnl HTTP requests from root namespace to p0 should work fine.
+NETNS_DAEMONIZE([at_ns0], [[$PYTHON $srcdir/test-l7.py]], [http0.pid])
+AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+
+dnl (again) HTTP requests from root namespace to p0 should work fine.
+AT_CHECK([wget 10.1.1.2 -t 3 -T 1 --retry-connrefused -v -o wget0.log])
+
+AT_CHECK([conntrack -L 2>&1 | FORMAT_CT(10.1.1.2) | grep "zone"], [0], [dnl
+TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=1 use=1
+TIME_WAIT src=10.1.1.1 dst=10.1.1.2 sport=<cleared> dport=<cleared> src=10.1.1.2 dst=10.1.1.1 sport=<cleared> dport=<cleared> [[ASSURED]] mark=0 zone=65534 use=1
+src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=1 use=1
+src=10.1.1.1 dst=10.1.1.2 type=8 code=0 id=<cleared> src=10.1.1.2 dst=10.1.1.1 type=0 code=0 id=<cleared> mark=0 zone=65534 use=1
+])
+
+OVS_TRAFFIC_VSWITCHD_STOP
+AT_CLEANUP
+
 AT_SETUP([conntrack - ct_mark])
 CHECK_CONNTRACK()
 OVS_TRAFFIC_VSWITCHD_START(
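Review bot: the `dnl` comment above the first flow table of the new "conntrack - multiple zones, local" test ("Allow any traffic from ns0->ns1. Only allow nd, return traffic from ns1->ns0.") describes namespaces this test does not create; it only sets up at_ns0 and the bridge's LOCAL port. The wording used in the "multi-stage pipeline, local" test below it fits this table as well: "Allow traffic from local stack to ns0. Only allow neighbour discovery, return traffic from ns0 back to the local stack." Two smaller points in the same hunk: both `wget` invocations in each test log with `-o wget0.log`, so the repeat request overwrites the first request's log and only the second is available when a check fails (a distinct name such as `wget1.log` for the repeat would keep both); and the `in_port=LOCAL,ip,ct_state=-trk,action=drop` rule in the first test is the line that actually exercises the commit message's claim that the kernel hands OVS packets with existing ct state from the local stack, so a one-line `dnl` next to it saying so would make the intent of that drop explicit.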