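# DEL_NAMESPACES(ns [, ns ... ])
#
# Delete each named network namespace from the running OS with
# "ip netns del", echoing the name first so the removal is visible in the
# test log.  The exit status of "ip netns del" is not checked.
#
# Every iteration ends with a newline: m4_foreach concatenates its
# expansions, so without a separator the commands generated for a second
# namespace would be glued onto the name of the first one.
m4_define([DEL_NAMESPACES],
   [m4_foreach([ns], [$@], [echo removing namespace ns; ip netns del ns
])]
)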
# ADD_NAMESPACES(ns [, ns ... ])
#
# Create each named network namespace.  DEL_NAMESPACES is run for the name
# first, so a namespace that already exists is removed before the new one
# is installed.  If "ip netns add" fails the check returns 77 (the Autotest
# skip status).  Removal of the namespace is registered with on_exit.
#
# Inside each new namespace net.netfilter.nf_conntrack_helper is set to 0;
# the result of that sysctl call is not checked.
m4_define([ADD_NAMESPACES],
   [m4_foreach([ns], [$@],
               [DEL_NAMESPACES(ns)
                AT_CHECK([ip netns add ns || return 77])
                on_exit 'DEL_NAMESPACES(ns)'
                ip netns exec ns sysctl -w net.netfilter.nf_conntrack_helper=0
               ])
   ]
)
# NS_EXEC([namespace], [command])
#
# Run 'command' in 'namespace' by feeding it on standard input to
# "ip netns exec <namespace> sh".
#
# The here-document delimiter is unquoted, so the invoking shell performs
# parameter and command substitution on 'command' before the namespace
# shell reads it; escape anything that has to be evaluated inside the
# namespace.  'command' must not contain a line consisting solely of
# NS_EXEC_HEREDOC, and the command and terminator lines below have to
# stay in column 0.
m4_define([NS_EXEC],
    [ip netns exec $1 sh << NS_EXEC_HEREDOC
$2
NS_EXEC_HEREDOC])
# NS_CHECK_EXEC([namespace], [command], other_params...)
#
# AT_CHECK wrapper: 'command' is run inside 'namespace' through NS_EXEC,
# and every argument after the second is handed to AT_CHECK unchanged.
m4_define([NS_CHECK_EXEC],
    [ AT_CHECK([NS_EXEC([$1], [$2])], m4_shift(m4_shift($@))) ]
)
# ADD_BR([name], [vsctl-args])
#
# Expands to an ovs-vsctl command line that creates bridge 'name' through
# _ADD_BR (defined elsewhere; presumably it selects the bridge type for
# the datapath under test) and appends 'vsctl-args' after a "--"
# separator, so extra ovs-vsctl commands can ride on the same invocation.
m4_define([ADD_BR], [ovs-vsctl _ADD_BR([$1]) -- $2])
# ADD_INT([port], [namespace], [ovs-br], [ip_addr])
#
# Add 'port' to bridge 'ovs-br' as an interface of type "internal", move
# the resulting device into 'namespace', then, inside the namespace,
# assign 'ip_addr' (CIDR notation) and bring the device up.  Every step
# is wrapped in AT_CHECK, so a failing command fails the test.
m4_define([ADD_INT],
    [ AT_CHECK([ovs-vsctl add-port $3 $1 -- set int $1 type=internal])
      AT_CHECK([ip link set $1 netns $2])
      NS_CHECK_EXEC([$2], [ip addr add $4 dev $1])
      NS_CHECK_EXEC([$2], [ip link set dev $1 up])
    ]
)
# ADD_VETH([port], [namespace], [ovs-br], [ip_addr], [mac_addr], [gateway],
#          [ip_addr_flags])
#
# Create a veth pair named 'port' / "ovs-'port'".  'port' is moved into
# 'namespace' and "ovs-'port'" is added to bridge 'ovs-br' with
# external-ids:iface-id set to 'port'.
#
# Inside the namespace 'port' gets the static address 'ip_addr' (CIDR
# notation, with 'ip_addr_flags' appended to the "ip addr add" command)
# and is brought up.  If 'mac_addr' is non-empty it is set on 'port'; if
# 'gateway' is non-empty it becomes the default route.
#
# If "ip link add" fails (for instance because the link already exists)
# the check returns 77, the Autotest skip status.  Deletion of
# "ovs-'port'" is registered with on_exit.
#
# CONFIGURE_VETH_OFFLOADS (defined elsewhere) is applied to 'port' before
# it is moved.  The commit that added the call explains it: the userspace
# datapath receives veth traffic through an AF_PACKET socket, which hands
# packets over without completing checksum or segmentation offloads, so
# TCP or UDP data with incomplete checksums is likely to be discarded by
# the receiver.  Disabling offloads on the non-OVS side of the pair is
# the workaround until netdev-linux handles this itself.
m4_define([ADD_VETH],
    [ AT_CHECK([ip link add $1 type veth peer name ovs-$1 || return 77])
      on_exit 'echo removing interface ovs-$1; ip link del ovs-$1'
      CONFIGURE_VETH_OFFLOADS([$1])
      AT_CHECK([ip link set $1 netns $2])
      AT_CHECK([ip link set dev ovs-$1 up])
      AT_CHECK([ovs-vsctl add-port $3 ovs-$1 -- \
                set interface ovs-$1 external-ids:iface-id="$1"])
      NS_CHECK_EXEC([$2], [ip addr add $4 dev $1 $7])
      NS_CHECK_EXEC([$2], [ip link set dev $1 up])
      if test -n "$5"; then
        NS_CHECK_EXEC([$2], [ip link set dev $1 address $5])
      fi
      if test -n "$6"; then
        NS_CHECK_EXEC([$2], [ip route add default via $6])
      fi
    ]
)
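# ADD_VETH_BOND([ports], [namespace], [ovs-br], [bond], [mode], [ip_addr])
#
# Create one veth pair per name in the whitespace-separated list 'ports'.
# Each 'port' is moved into 'namespace'; the peers, named "ovs-'port'",
# are collected into an OVS bond "ovs-'bond'" on bridge 'ovs-br', created
# with the extra ovs-vsctl arguments in 'mode'.
#
# Inside the namespace a Linux bond device 'bond' is created, the ports
# are enslaved to it, and it is brought up with the static address
# 'ip_addr' (CIDR notation).  When 'mode' contains "lacp=active" or
# "lacp=passive" the namespace bond is switched to 802.3ad with a miimon
# of 100 before the ports are enslaved.
#
# Cleanup: the per-port on_exit handler is double-quoted so the shell
# expands the loop variable when the handler is registered.  on_exit is
# defined elsewhere; this assumes it stores the string and evaluates it
# later (NETNS_DAEMONIZE's append to the "cleanup" file suggests so).
# With single quotes the stored command would still read ovs-$port and
# see whatever value that shell variable holds at cleanup time.
m4_define([ADD_VETH_BOND],
    [
      BONDPORTS=""
      for port in $1; do
          AT_CHECK([ip link add $port type veth peer name ovs-$port])
          CONFIGURE_VETH_OFFLOADS([$port])
          AT_CHECK([ip link set $port netns $2])
          AT_CHECK([ip link set dev ovs-$port up])
          BONDPORTS="$BONDPORTS ovs-$port"
          on_exit "ip link del ovs-$port"
      done
      NS_CHECK_EXEC([$2], [ip link add name $4 type bond])
      case "$(echo $5 | sed 's/.*lacp=//' | sed 's/ .*//')" in
      active|passive)
          NS_CHECK_EXEC([$2], [sh -c "echo 802.3ad > /sys/class/net/$4/bonding/mode"])
          NS_CHECK_EXEC([$2], [sh -c "echo 100     > /sys/class/net/$4/bonding/miimon"])
      ;;
      esac
      for port in $1; do
          NS_CHECK_EXEC([$2], [ip link set dev $port master $4])
      done
      NS_CHECK_EXEC([$2], [ip addr add $6 dev $4])
      NS_CHECK_EXEC([$2], [ip link set dev $4 up])
      AT_CHECK([ovs-vsctl add-bond $3 ovs-$4 $BONDPORTS $5])
      on_exit 'ip link del ovs-$4'
    ]
)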
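# ADD_VETH_NS([ns1], [port1], [ip_addr1], [ns2], [port2], [ip_addr2])
#
# Create a veth pair whose ends are named 'port1' and 'port2', move
# 'port1' into 'ns1' and 'port2' into 'ns2', bring both ends up and
# assign 'ip_addr1' and 'ip_addr2' to them respectively.
#
# No on_exit handler is registered here; the pair is expected to go away
# with its namespaces.
#
# The first AT_CHECK used to be followed by a comma.  Inside the quoted
# macro body that comma is plain text, so it was copied into the
# generated shell script after the check; it has been dropped.
m4_define([ADD_VETH_NS],
    [ AT_CHECK([ip link add $2 type veth peer name $5])
      AT_CHECK([ip link set $2 netns $1])
      AT_CHECK([ip link set $5 netns $4])
      NS_CHECK_EXEC([$1], [ip link set $2 up])
      NS_CHECK_EXEC([$4], [ip link set $5 up])
      NS_CHECK_EXEC([$1], [ip addr add $3 dev $2])
      NS_CHECK_EXEC([$4], [ip addr add $6 dev $5])
    ]
)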
# ADD_VLAN([port], [namespace], [vlan-id], [ip-addr])
#
# Inside 'namespace', create an 802.1Q VLAN device on top of 'port'.  The
# new device is named "'port'.'vlan-id'", carries the ID 'vlan-id', is
# brought up and is given the address 'ip-addr'.
m4_define([ADD_VLAN],
    [ NS_CHECK_EXEC([$2], [ip link add link $1 name $1.$3 type vlan proto 802.1q id $3])
      NS_CHECK_EXEC([$2], [ip link set dev $1.$3 up])
      NS_CHECK_EXEC([$2], [ip addr add dev $1.$3 $4])
    ]
)
# ADD_SVLAN([port], [namespace], [vlan-id], [ip-addr])
#
# Inside 'namespace', create an 802.1ad (service VLAN) device on top of
# 'port'.  The new device is named "'port'.'vlan-id'", carries the ID
# 'vlan-id', is brought up, is given the address 'ip-addr' and has its
# MTU set to 1496.
m4_define([ADD_SVLAN],
    [ NS_CHECK_EXEC([$2], [ip link add link $1 name $1.$3 type vlan proto 802.1ad id $3])
      NS_CHECK_EXEC([$2], [ip link set dev $1.$3 up])
      NS_CHECK_EXEC([$2], [ip addr add dev $1.$3 $4])
      NS_CHECK_EXEC([$2], [ip link set $1.$3 mtu 1496])
    ]
)
# ADD_CVLAN([port], [namespace], [vlan-id], [ip-addr])
#
# Same as ADD_VLAN(), followed by setting the MTU of the new device
# "'port'.'vlan-id'" to 1492.  The MTU is lowered here, rather than raised
# on the bridge or the SVLAN device, because raising it did not work on
# older kernels.
m4_define([ADD_CVLAN],
    [ ADD_VLAN([$1], [$2], [$3], [$4])
      NS_CHECK_EXEC([$2], [ip link set $1.$3 mtu 1492])
    ]
)
# ADD_OVS_TUNNEL([type], [bridge], [port], [remote-addr], [overlay-addr],
#                [tunnel-args])
#
# Add an OVS-based tunnel port in the root namespace: 'port' is added to
# 'bridge' with interface type 'type' and options:remote_ip set to
# 'remote-addr', the underlay address of the remote tunnel endpoint.
# 'tunnel-args' is appended to the "set int" command.
#
# As written, the commands below then add 'overlay-addr' to the 'bridge'
# device, bring that device up and set its MTU to 1450.  Removal of the
# address from 'bridge' is registered with on_exit.
m4_define([ADD_OVS_TUNNEL],
   [AT_CHECK([ovs-vsctl add-port $2 $3 -- \
              set int $3 type=$1 options:remote_ip=$4 $6])
    AT_CHECK([ip addr add dev $2 $5])
    AT_CHECK([ip link set dev $2 up])
    AT_CHECK([ip link set dev $2 mtu 1450])
    on_exit 'ip addr del dev $2 $5'
   ]
)
# ADD_OVS_TUNNEL6([type], [bridge], [port], [remote-addr], [overlay-addr],
#                 [tunnel-args])
#
# Same as ADD_OVS_TUNNEL, with the MTU of the 'bridge' device lowered
# further, to 1430, to leave room for the IPv6 underlay.
m4_define([ADD_OVS_TUNNEL6],
   [ADD_OVS_TUNNEL([$1], [$2], [$3], [$4], [$5], [$6])
    AT_CHECK([ip link set dev $2 mtu 1430])
   ]
)
# ADD_NATIVE_TUNNEL([type], [port], [namespace], [remote-addr], [overlay-addr],
#                   [type-args], [link-args])
#
# Add a native (kernel) tunnel device named 'port' of type 'type' inside
# 'namespace'.  The device is point-to-point, with 'remote-addr' as the
# underlay address of the remote endpoint as seen from that namespace.
#
# 'port' is given the address 'overlay-addr', an MTU of 1450, and is
# brought up.  'type-args' is appended to "ip link add" for link-type
# specific settings (for instance the vxlan destination port);
# 'link-args' is inserted into "ip link set" (for instance to set the MAC
# address).
m4_define([ADD_NATIVE_TUNNEL],
   [NS_CHECK_EXEC([$3], [ip link add dev $2 type $1 remote $4 $6])
    NS_CHECK_EXEC([$3], [ip addr add dev $2 $5])
    NS_CHECK_EXEC([$3], [ip link set dev $2 mtu 1450 $7 up])
   ]
)
# ADD_NATIVE_TUNNEL6([type], [port], [namespace], [remote-addr], [overlay-addr],
#                    [type-args], [link-args])
#
# Same as ADD_NATIVE_TUNNEL, with the MTU of 'port' lowered further, to
# 1430, to leave room for the IPv6 underlay.
m4_define([ADD_NATIVE_TUNNEL6],
   [ADD_NATIVE_TUNNEL([$1], [$2], [$3], [$4], [$5], [$6], [$7])
    NS_CHECK_EXEC([$3], [ip link set dev $2 mtu 1430])
   ]
)
# FORMAT_PING([])
#
# Filter for piped ping output: keep only the summary line containing
# "transmitted" and replace its trailing "time ...ms" field with
# "time 0ms", so the result can be compared against a fixed expectation.
m4_define([FORMAT_PING],
    [grep "transmitted" | sed 's/time.*ms$/time 0ms/'])
Add support for connection tracking.
This patch adds a new action and fields to OVS that allow connection
tracking to be performed. This support works in conjunction with the
Linux kernel support merged into the Linux-4.3 development cycle.
Packets have two possible states with respect to connection tracking:
Untracked packets have not previously passed through the connection
tracker, while tracked packets have previously been through the
connection tracker. For OpenFlow pipeline processing, untracked packets
can become tracked, and they will remain tracked until the end of the
pipeline. Tracked packets cannot become untracked.
Connections can be unknown, uncommitted, or committed. Packets which are
untracked have unknown connection state. To know the connection state,
the packet must become tracked. Uncommitted connections have no
connection state stored about them, so it is only possible for the
connection tracker to identify whether they are a new connection or
whether they are invalid. Committed connections have connection state
stored beyond the lifetime of the packet, which allows later packets in
the same connection to be identified as part of the same established
connection, or related to an existing connection - for instance ICMP
error responses.
The new 'ct' action transitions the packet from "untracked" to
"tracked" by sending this flow through the connection tracker.
The following parameters are supported initially:
- "commit": When commit is executed, the connection moves from
uncommitted state to committed state. This signals that information
about the connection should be stored beyond the lifetime of the
packet within the pipeline. This allows future packets in the same
connection to be recognized as part of the same "established" (est)
connection, as well as identifying packets in the reply (rpl)
direction, or packets related to an existing connection (rel).
- "zone=[u16|NXM]": Perform connection tracking in the zone specified.
Each zone is an independent connection tracking context. When the
"commit" parameter is used, the connection will only be committed in
the specified zone, and not in other zones. This is 0 by default.
- "table=NUMBER": Fork pipeline processing in two. The original instance
of the packet will continue processing the current actions list as an
untracked packet. An additional instance of the packet will be sent to
the connection tracker, which will be re-injected into the OpenFlow
pipeline to resume processing in the specified table, with the
ct_state and other ct match fields set. If the table is not specified,
then the packet is submitted to the connection tracker, but the
pipeline does not fork and the ct match fields are not populated. It
is strongly recommended to specify a table later than the current
table to prevent loops.
When the "table" option is used, the packet that continues processing in
the specified table will have the ct_state populated. The ct_state may
have any of the following flags set:
- Tracked (trk): Connection tracking has occurred.
- Reply (rpl): The flow is in the reply direction.
- Invalid (inv): The connection tracker couldn't identify the connection.
- New (new): This is the beginning of a new connection.
- Established (est): This is part of an already existing connection.
- Related (rel): This connection is related to an existing connection.
For more information, consult the ovs-ofctl(8) man pages.
Below is a simple example flow table to allow outbound TCP traffic from
port 1 and drop traffic from port 2 that was not initiated by port 1:
table=0,priority=1,action=drop
table=0,arp,action=normal
table=0,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=9),2
table=0,in_port=2,tcp,ct_state=-trk,action=ct(zone=9,table=1)
table=1,in_port=2,ct_state=+trk+est,tcp,action=1
table=1,in_port=2,ct_state=+trk+new,tcp,action=drop
Based on original design by Justin Pettit, contributions from Thomas
Graf and Daniele Di Proietto.
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
2015-08-11 10:56:09 -07:00
# STRIP_MONITOR_CSUM([])
#
# Filter for piped "ovs-ofctl monitor" output: keep only the lines that
# contain "csum:" and replace everything from "csum:" to the end of the
# line with "csum: <skip>".
m4_define([STRIP_MONITOR_CSUM],
    [grep "csum:" | sed 's/csum:.*/csum: <skip>/'])
# FORMAT_CT([ip-addr])
#
# Filter for piped connection-tracking output.  Rows that do not contain
# "dst='ip-addr'" are dropped; in the remaining rows the values of
# "port=", "id=" and "state=" are replaced by "<cleared>" because they
# differ from run to run.  The result is sorted and de-duplicated.
#
# 'ip-addr' is used as an unanchored grep pattern: "." matches any
# character and a longer address with the same prefix also matches, so
# pick addresses that cannot be confused with one another.
#
# The body is double-quoted so the bracket expressions in the sed
# patterns survive macro expansion.
m4_define([FORMAT_CT],
    [[grep "dst=$1" | sed -e 's/port=[0-9]*/port=<cleared>/g' -e 's/id=[0-9]*/id=<cleared>/g' -e 's/state=[0-9_A-Z]*/state=<cleared>/g' | sort | uniq]])
Add support for connection tracking.
This patch adds a new action and fields to OVS that allow connection
tracking to be performed. This support works in conjunction with the
Linux kernel support merged into the Linux-4.3 development cycle.
Packets have two possible states with respect to connection tracking:
Untracked packets have not previously passed through the connection
tracker, while tracked packets have previously been through the
connection tracker. For OpenFlow pipeline processing, untracked packets
can become tracked, and they will remain tracked until the end of the
pipeline. Tracked packets cannot become untracked.
Connections can be unknown, uncommitted, or committed. Packets which are
untracked have unknown connection state. To know the connection state,
the packet must become tracked. Uncommitted connections have no
connection state stored about them, so it is only possible for the
connection tracker to identify whether they are a new connection or
whether they are invalid. Committed connections have connection state
stored beyond the lifetime of the packet, which allows later packets in
the same connection to be identified as part of the same established
connection, or related to an existing connection - for instance ICMP
error responses.
The new 'ct' action transitions the packet from "untracked" to
"tracked" by sending this flow through the connection tracker.
The following parameters are supported initially:
- "commit": When commit is executed, the connection moves from
uncommitted state to committed state. This signals that information
about the connection should be stored beyond the lifetime of the
packet within the pipeline. This allows future packets in the same
connection to be recognized as part of the same "established" (est)
connection, as well as identifying packets in the reply (rpl)
direction, or packets related to an existing connection (rel).
- "zone=[u16|NXM]": Perform connection tracking in the zone specified.
Each zone is an independent connection tracking context. When the
"commit" parameter is used, the connection will only be committed in
the specified zone, and not in other zones. This is 0 by default.
- "table=NUMBER": Fork pipeline processing in two. The original instance
of the packet will continue processing the current actions list as an
untracked packet. An additional instance of the packet will be sent to
the connection tracker, which will be re-injected into the OpenFlow
pipeline to resume processing in the specified table, with the
ct_state and other ct match fields set. If the table is not specified,
then the packet is submitted to the connection tracker, but the
pipeline does not fork and the ct match fields are not populated. It
is strongly recommended to specify a table later than the current
table to prevent loops.
When the "table" option is used, the packet that continues processing in
the specified table will have the ct_state populated. The ct_state may
have any of the following flags set:
- Tracked (trk): Connection tracking has occurred.
- Reply (rpl): The flow is in the reply direction.
- Invalid (inv): The connection tracker couldn't identify the connection.
- New (new): This is the beginning of a new connection.
- Established (est): This is part of an already existing connection.
- Related (rel): This connection is related to an existing connection.
For more information, consult the ovs-ofctl(8) man pages.
Below is a simple example flow table to allow outbound TCP traffic from
port 1 and drop traffic from port 2 that was not initiated by port 1:
table=0,priority=1,action=drop
table=0,arp,action=normal
table=0,in_port=1,tcp,ct_state=-trk,action=ct(commit,zone=9),2
table=0,in_port=2,tcp,ct_state=-trk,action=ct(zone=9,table=1)
table=1,in_port=2,ct_state=+trk+est,tcp,action=1
table=1,in_port=2,ct_state=+trk+new,tcp,action=drop
Based on original design by Justin Pettit, contributions from Thomas
Graf and Daniele Di Proietto.
Signed-off-by: Joe Stringer <joestringer@nicira.com>
Acked-by: Jarno Rajahalme <jrajahalme@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
2015-08-11 10:56:09 -07:00
# NETNS_DAEMONIZE([namespace], [command], [pidfile])
#
# Start 'command' in the background inside 'namespace' via
# "ip netns exec" and write the pid of that background job to 'pidfile'.
# A "kill `cat pidfile`" line is appended to the file "cleanup" in the
# current directory so the process is stopped when the test ends.
#
# The backticks are escaped, so the pid is read from 'pidfile' when the
# cleanup line runs, not when it is written: the kill goes to whatever
# pid the file holds at that moment.  'pidfile' is used unquoted in both
# places, so it must not contain whitespace.
m4_define([NETNS_DAEMONIZE],
   [ip netns exec $1 $2 & echo $! > $3
     echo "kill \`cat $3\`" >> cleanup
   ]
)
system-traffic: Replace wget with curl for negative and ftp tests.
Some distributions, such as Fedora, have replaced wget with wget2, which,
according to its authors, does not have feature parity with wget.
This patch replaces unsupported use cases, such as negative timeouts
and FTP, with `curl`, as these features are not fully
supported/functioning in `wget2`.
Userspace conntrack doesn’t support Extended Passive Mode (EPSV) or
Extended Port Mode (EPRT), both of which are defaults for cURL.
Therefore, we disabled these modes.
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Simon Horman <horms@ovn.org>
2024-11-12 15:01:39 +01:00
# OVS_GET_HTTP([url], [optional_curl_arguments])
#
# Perform an HTTP GET of 'url' with curl.  Each attempt is limited to one
# second (--max-time 1) and up to three retries are made, including after
# a refused connection.  Verbose output (-v) is enabled, and
# 'optional_curl_arguments' is appended to the command line.
m4_define([OVS_GET_HTTP],
    [curl $1 --retry 3 --max-time 1 --retry-connrefused -v $2]
)
# OVS_GET_FTP([url], [optional_curl_arguments])
#
# Perform a passive-mode FTP GET with curl.  'url' is given without the
# scheme; "ftp://" is prepended here.  Timeout, retry and verbosity
# settings match OVS_GET_HTTP, and 'optional_curl_arguments' is appended.
#
# --disable-epsv: curl defaults to Extended Passive Mode (EPSV), which
# userspace conntrack does not support.
#
# The backslash continuation is required: without it the shell runs the
# second line as a separate command ("-v: not found").  Callers passing
# an IPv6 literal need four levels of brackets around the address for it
# to survive double macro expansion.
m4_define([OVS_GET_FTP],
    [curl ftp://$1 --retry 3 --max-time 1 --retry-connrefused \
        --disable-epsv -v $2]
)
# OVS_GET_FTP_ACTIVE([url], [optional_curl_arguments])
|
|
|
|
#
|
|
|
|
# Do an active FTP get; we are currently using the curl command.
|
|
|
|
#
|
|
|
|
m4_define([OVS_GET_FTP_ACTIVE],
|
|
|
|
[curl ftp://$1 --retry 3 --max-time 1 --retry-connrefused -v \
|
system-traffic: Fix syntax errors in FTP and IPv6 curl calls.
The system testsuite is broken due to syntax errors:
1. Misplaced parenthesis, like:
NS_CHECK_EXEC[at_ns0], (OVS_GET_FTP_ACTIVE...
NS_CHECK_EXEC([at_ns0], OVS_GET_FTP([[[fc00::2]]]), [--ipv6]), [0], ...
at-groups/122/test-source: line 757:
syntax error near unexpected token `curl'
at-groups/122/test-source: line 757:
`at_ns0, (curl ftp://10.1.1.2 --retry 3 --max-time 1 --retry-connrefused -v \'
system-kmod-testsuite: WARNING: unable to parse test group: 122
2. Insufficient escaping of brackets around IPv6 addresses.
It must be 4 brackets to survive double macro expansion.
curl ftp://fc00::2 --retry 3 ...
curl: (3) URL rejected: Port number was not a decimal number between 0 and 65535
3. OVS_GET_FTP macro is missing a line continuation:
sh: 2: -v: not found
Interestingly enough, when a testsuite fails with syntax errors, there
are no tests to re-check, so recheck succeeds and so the jobs are green
in GitHub Actions, even if they are not actually running a lot of tests.
While at it, adjusting formatting in OVS_GET_FTP_ACTIVE to match other
macros.
Fixes: 6bafaebf34fc ("system-traffic: Replace wget with curl for negative and ftp tests.")
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2024-11-29 23:03:48 +01:00
|
|
|
--ftp-port - --disable-eprt $2]
|
system-traffic: Replace wget with curl for negative and ftp tests.
Some distributions, such as Fedora, have replaced wget with wget2, which,
according to its authors, does not have feature parity with wget.
This patch replaces unsupported use cases, such as negative timeouts
and FTP, with `curl`, as these features are not fully
supported/functioning in `wget2`.
Userspace conntrack doesn’t support Extended Passive Mode (EPSV) or
Extended Port Mode (EPRT), both of which are defaults for cURL.
Therefore, we disabled these modes.
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Simon Horman <horms@ovn.org>
2024-11-12 15:01:39 +01:00
)
# OVS_CHECK_FIREWALL()
#
# Skip the current test when firewalld looks active on the host: the test is
# skipped if the combined stdout/stderr of 'systemctl status firewalld'
# contains the string "running".  The original note says this command
# currently only supports RHEL and CentOS.
#
# The check is a plain substring match over the whole status output, so any
# line containing "running" triggers the skip.
m4_define([OVS_CHECK_FIREWALL],
    [AT_SKIP_IF([systemctl status firewalld 2>&1 | grep -q running])])
# OVS_START_L7([namespace], [protocol], [port])
#
# Launch test-l7.py with 'protocol' and 'port' as its arguments inside
# 'namespace' through NETNS_DAEMONIZE, then block until netstat, run in that
# namespace, shows a matching listener.  When 'port' is empty the script gets
# no port argument (the original note says the standard port for 'protocol'
# is then used) and readiness is detected by the protocol name; otherwise it
# is detected by ':port' in the numeric listing.
# The original note says the server exits when the test finishes.
#
# The pid file is created by mktemp in the current directory from the
# template '<protocol>XXX.pid'.
# NOTE(review): 'grep :port' is an unanchored match, so a listener on a
# longer port number starting with the same digits also satisfies the wait;
# harmless if the namespace has no other listeners -- confirm.
m4_define([OVS_START_L7],
[PIDFILE=$(mktemp $2XXX.pid)
NETNS_DAEMONIZE([$1], [[$PYTHON3 $srcdir/test-l7.py $2 $3]], [$PIDFILE])

dnl Keep only the leading letters of the protocol name: netstat lists http
dnl over IPv6 as plain http, not http6.
PROTO=$(echo $2 | sed -e 's/\([[a-zA-Z]]*\).*/\1/')
if test -n "$3"; then
    OVS_WAIT_UNTIL([NS_EXEC([$1], [netstat -ln | grep :$3])])
else
    OVS_WAIT_UNTIL([NS_EXEC([$1], [netstat -l | grep $PROTO])])
fi
]
)
# OFPROTO_CLEAR_DURATION_IDLE([])
#
# Expands to a sed filter for piped input that rewrites every
# 'duration=...s,' and 'idle_age=<digits>,' field to '<cleared>', because
# those values differ from test to test.
# The body is double-quoted so that the bracket expression in the second sed
# script is not consumed as m4 quoting.
# NOTE(review): 'duration=.*s,' is greedy and runs to the last 's,' on the
# line; fine as long as no later field on the same line ends in 's,'.
m4_define([OFPROTO_CLEAR_DURATION_IDLE],
    [[sed -e 's/duration=.*s,/duration=<cleared>,/g' -e 's/idle_age=[0-9]*,/idle_age=<cleared>,/g']])
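# OVS_CHECK_TC_QDISC()
#
# Skip the current test when HAVE_TC is "no", i.e. when tc qdisc can't be
# applied on an OVS port.  HAVE_TC is not set here; it is expected to come
# from the test environment.
# The variable is quoted, as in OVS_CHECK_GITHUB_ACTION, so that an empty or
# unset value compares as "not no" instead of making 'test' fail with a
# syntax error.  The skip decision for "yes"/"no" values is unchanged.
m4_define([OVS_CHECK_TC_QDISC],
    [AT_SKIP_IF([test "$HAVE_TC" = no])])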
# OVS_CHECK_TUNNEL_TSO()
#
# For general tunneling tests that could also be run by system-tso.  If the
# m4 macro CHECK_SYSTEM_TSO is defined when this expands, the test is skipped
# unconditionally (the skip condition is the shell no-op ':', which always
# succeeds); the original note gives the reason as tunneling not being
# supported in that case.  Otherwise this expands to nothing.
m4_define([OVS_CHECK_TUNNEL_TSO],
    [m4_ifdef([CHECK_SYSTEM_TSO],
              [AT_SKIP_IF([:])])])
# OVS_CHECK_VXLAN()
#
# Basic probe for vxlan functionality: skip the test unless the output of
# 'ip link add foo type vxlan help' mentions "dstport", then apply
# OVS_CHECK_FIREWALL, which may skip the test as well.
m4_define([OVS_CHECK_VXLAN],
    [AT_SKIP_IF([! ip link add foo type vxlan help 2>&1 | grep -q dstport])
     OVS_CHECK_FIREWALL()])
# OVS_CHECK_VXLAN_UDP6ZEROCSUM()
#
# Skip the test unless the output of 'ip link add foo type vxlan help'
# mentions "udp6zerocsum", then apply OVS_CHECK_FIREWALL, which may skip the
# test as well.
m4_define([OVS_CHECK_VXLAN_UDP6ZEROCSUM],
    [AT_SKIP_IF([! ip link add foo type vxlan help 2>&1 | grep -q udp6zerocsum])
     OVS_CHECK_FIREWALL()])
# OVS_CHECK_VXLAN_GPE()
#
# Run the OVS_CHECK_VXLAN checks first, then additionally skip the test
# unless the output of 'ip link add foo type vxlan help' mentions "gpe".
m4_define([OVS_CHECK_VXLAN_GPE],
    [OVS_CHECK_VXLAN()
     AT_SKIP_IF([! ip link add foo type vxlan help 2>&1 | grep -q gpe])])
# OVS_CHECK_GRE()
#
# Skip the test unless the output of 'ip link add foo type gretap help'
# mentions "gretap", then apply OVS_CHECK_FIREWALL, which may skip the test
# as well.
m4_define([OVS_CHECK_GRE],
    [AT_SKIP_IF([! ip link add foo type gretap help 2>&1 | grep -q gretap])
     OVS_CHECK_FIREWALL()])
# OVS_CHECK_ERSPAN()
#
# Skip the test unless the output of 'ip link add foo type erspan help'
# mentions "erspan", then apply OVS_CHECK_FIREWALL, which may skip the test
# as well.
m4_define([OVS_CHECK_ERSPAN],
    [AT_SKIP_IF([! ip link add foo type erspan help 2>&1 | grep -q erspan])
     OVS_CHECK_FIREWALL()])
# OVS_CHECK_GRE_L3()
#
# Skip the test unless the output of 'ip link add foo type gre help'
# contains "gre " (with the trailing space), then apply OVS_CHECK_FIREWALL,
# which may skip the test as well.
m4_define([OVS_CHECK_GRE_L3],
    [AT_SKIP_IF([! ip link add foo type gre help 2>&1 | grep -q "gre "])
     OVS_CHECK_FIREWALL()])
# OVS_CHECK_GENEVE()
#
# Skip the test unless the output of 'ip link add foo type geneve help'
# mentions "geneve", then apply OVS_CHECK_FIREWALL, which may skip the test
# as well.
m4_define([OVS_CHECK_GENEVE],
    [AT_SKIP_IF([! ip link add foo type geneve help 2>&1 | grep -q geneve])
     OVS_CHECK_FIREWALL()])
# OVS_CHECK_GENEVE_UDP6ZEROCSUM()
#
# Skip the test unless the output of 'ip link add foo type geneve help'
# mentions "udp6zerocsum", then apply OVS_CHECK_FIREWALL, which may skip the
# test as well.
m4_define([OVS_CHECK_GENEVE_UDP6ZEROCSUM],
    [AT_SKIP_IF([! ip link add foo type geneve help 2>&1 | grep -q udp6zerocsum])
     OVS_CHECK_FIREWALL()])
# OVS_CHECK_8021AD()
#
# Skip the test unless ovs-vswitchd.log, read from the current directory,
# contains a "VLAN header stack length probed as <n>" message with n of at
# least 2.  The first check skips when the message is absent; the second
# extracts the number with sed and skips when it is less than 2.
# The second condition is double-quoted so the bracket expression in the sed
# script is not consumed as m4 quoting.
# NOTE(review): the command substitution is unquoted, so if the message is
# logged more than once 'test' receives several numbers, fails with a usage
# error, and the test is not skipped -- confirm the message appears once.
m4_define([OVS_CHECK_8021AD],
    [AT_SKIP_IF([! grep -q "VLAN header stack length probed as" ovs-vswitchd.log])
     AT_SKIP_IF([[test $(sed -n 's/.*VLAN header stack length probed as \([0-9]\+\).*/\1/p' ovs-vswitchd.log) -lt 2]])])
# OVS_CHECK_IPROUTE_ENCAP()
#
# Skip the test unless the output of 'ip route help' mentions "encap".
m4_define([OVS_CHECK_IPROUTE_ENCAP],
    [AT_SKIP_IF([! ip route help 2>&1 | grep -q encap])])
# OVS_CHECK_CT_CLEAR()
#
# Skip the test unless ovs-vswitchd.log, read from the current directory,
# contains the message "Datapath supports ct_clear action".  The message is
# matched as a fixed string.
m4_define([OVS_CHECK_CT_CLEAR],
    [AT_SKIP_IF([! grep -qF "Datapath supports ct_clear action" ovs-vswitchd.log])])
ci: Exclude tests that show random failures through GitHub actions.
I ran 80 series of full tests, and the following tests showed failures:
802.1ad - vlan_limit
+2023-11-20T10:32:11.245Z|00001|dpif_netdev(revalidator5)|ERR|internal
error parsing flow key recirc_id(0),dp_hash(0),skb_priority(0),
in_port(2),skb_mark(0),ct_state(0),ct_zone(0),ct_mark(0),ct_label(0),
packet_type(ns=0,id=0),eth(src=42:7e:4b:46:68:1b,dst=33:33:ff:46:68:1b),
eth_type(0x88a8),vlan(vid=4094,pcp=0),encap(eth_type(0x8100),
vlan(vid=100,pcp=0),encap(eth_type(0x86dd),ipv6(
src=::,dst=ff02::1:ff46:681b,label=0,proto=58,tclass=0,hlimit=255,
frag=no),icmpv6(type=135,code=0),nd(target=fe80::407e:4bff:fe46:681b,
sll=00:00:00:00:00:00,tll=00:00:00:00:00:00)))
+2023-11-20T10:32:11.245Z|00002|dpif(revalidator5)|WARN|netdev@ovs-netdev:
failed to put[modify] (Invalid argument)
ufid:ef1ca90c-dbd0-4ca7-9869-411bdffd1ece recirc_id(0),dp_hash(0/0),
skb_priority(0/0),in_port(2),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),
ct_mark(0/0),ct_label(0/0),packet_type(ns=0,id=0),
eth(src=42:7e:4b:46:68:1b,dst=33:33:ff:46:68:1b),eth_type(0x88a8),
vlan(vid=4094,pcp=0/0x0),encap(eth_type(0x8100),
vlan(vid=100/0x0,pcp=0/0x0),encap(eth_type(0x86dd),
ipv6(src=::/::,dst=ff02::1:ff46:681b/::,label=0/0,proto=58/0,
tclass=0/0,hlimit=255/0,frag=no),icmpv6(type=135/0,code=0/0),
nd(target=fe80::407e:4bff:fe46:681b/::,
sll=00:00:00:00:00:00/00:00:00:00:00:00,
tll=00:00:00:00:00:00/00:00:00:00:00:00))), actions:drop
conntrack - zones from other field, more tests
+2023-11-20T10:45:43.015Z|00001|dpif(handler5)|WARN|system@ovs-system:
execute ct(commit),3 failed (Invalid argument) on packet tcp,
vlan_tci=0x0000,dl_src=42:7e:4b:46:68:1b,dl_dst=ba:72:4c:a5:31:6b,
nw_src=10.1.1.1,nw_dst=10.1.1.2,nw_tos=0,nw_ecn=0,nw_ttl=64,
nw_frag=no,tp_src=53738,tp_dst=80,tcp_flags=psh|ack tcp_csum:e4a
conntrack - limit by zone
./system-traffic.at:5154: ovs-appctl dpctl/ct-get-limits zone=0,1,2,3,4,5
--- - 2023-11-20 10:51:09.965375141 +0000
+++ /home/runner/work/ovs/ovs/tests/system-kmod-testsuite.dir/at-groups/
114/stdout 2023-11-20 10:51:09.956723756 +0000
@@ -1,5 +1,5 @@
default limit=10
-zone=0,limit=5,count=5
+zone=0,limit=5,count=6
As I do not see those failures when running these stand alone on the
same Ubuntu distribution, I've disabled them.
This patch also adds the 'CHECK_GITHUB_ACTION' macro to skip
tests that won't execute successfully through GitHub actions.
We could not use the -k !keyword option, as it can not be
combined with a range of tests.
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Reviewed-by: Simon Horman <horms@kernel.org>
2023-12-19 13:41:58 +01:00
# OVS_CHECK_GITHUB_ACTION
#
# Skip the test when the environment variable GITHUB_ACTIONS equals "true".
# Tests guarded by this macro therefore get no coverage in runs where that
# variable is set; they are reported as skipped rather than failed.
m4_define([OVS_CHECK_GITHUB_ACTION],
    [AT_SKIP_IF([test true = "$GITHUB_ACTIONS"])])
# OVS_CHECK_DROP_ACTION()
#
# Skip the test unless ovs-vswitchd.log, read from the current directory,
# contains the message "Datapath supports explicit drop action".  The message
# is matched as a fixed string.
m4_define([OVS_CHECK_DROP_ACTION],
    [AT_SKIP_IF([! grep -qF "Datapath supports explicit drop action" ovs-vswitchd.log])])
# OVS_CHECK_PSAMPLE()
#
# Skip the test unless ovs-vswitchd.log, read from the current directory,
# contains the message "Datapath supports psample action".  The message is
# matched as a fixed string.
m4_define([OVS_CHECK_PSAMPLE],
    [AT_SKIP_IF([! grep -qF "Datapath supports psample action" ovs-vswitchd.log])])
tests: Add nft accept support.
Certain Linux distributions, like CentOS, have default iptables rules
to reject input traffic from bridges such as br-underlay.
To address this, IPTABLES_ACCEPT adds an iptables rule to always accept
the traffic.
As part of an effort to use nft in place of iptables in the testsuite,
implement NFT_ACCEPT, an nft version of IPTABLES_ACCEPT. As the
condition where IPTABLES_ACCEPT implies the existence of an INPUT chain,
only instantiate an nft rule in that chain if it already exists.
Also provide a wrapper, XT_ACCEPT, which will call NFT_ACCEPT if
nft is available, and IPTABLES_ACCEPT otherwise.
And provide OVS_CHECK_XT, which can be used to check if the
prerequisites for running XT_ACCEPT are present, and skips the current
test otherwise.
Update the one test where IPTABLES_ACCEPT is used so that it
now uses XT_ACCEPT and OVS_CHECK_XT.
Signed-off-by: Simon Horman <horms@ovn.org>
Signed-off-by: Aaron Conole <aconole@redhat.com>
2024-11-05 08:27:29 +00:00
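# OVS_CHECK_XT()
#
# Skip the test when neither packet-filter front end is available, i.e. when
# HAVE_IPTABLES and HAVE_NFT are both "no".  Neither variable is set here;
# both are expected to come from the test environment.
# The variables are quoted, as in OVS_CHECK_GITHUB_ACTION, so that an empty
# or unset value compares as "not no" instead of making 'test' fail with a
# syntax error.  The skip decision for "yes"/"no" values is unchanged.
m4_define([OVS_CHECK_XT],
    [AT_SKIP_IF([test "$HAVE_IPTABLES" = no && test "$HAVE_NFT" = no])])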