[ovs-dev] [PATCH 4/4] system-traffic: Add conntrack timeout system traffic test

Yi-Hung Wei yihung.wei at gmail.com
Fri May 3 21:56:40 UTC 2019


This patch adds a system traffic test to verify the conntrack
timeout feature.  The test uses the nfct utility to set
customized ICMP and UDP timeouts to a short period.  It then
injects ICMP and UDP traffic into conntrack, and checks that the
corresponding conntrack entries expire after the predefined timeout.

Signed-off-by: Yi-Hung Wei <yihung.wei at gmail.com>
---
 tests/atlocal.in                 |  2 ++
 tests/system-kmod-macros.at      | 10 +++++++
 tests/system-traffic.at          | 65 ++++++++++++++++++++++++++++++++++++++++
 tests/system-userspace-macros.at | 10 +++++++
 4 files changed, 87 insertions(+)

diff --git a/tests/atlocal.in b/tests/atlocal.in
index 2e565d788b15..100e661168bc 100644
--- a/tests/atlocal.in
+++ b/tests/atlocal.in
@@ -182,6 +182,8 @@ find_command()
 
 # Set HAVE_NC
 find_command nc
+# Set HAVE_NFCT
+find_command nfct
 
 # Determine correct netcat option to quit on stdin EOF
 if nc --version 2>&1 | grep -q nmap.org; then
diff --git a/tests/system-kmod-macros.at b/tests/system-kmod-macros.at
index 554a61e9bd95..1ecda5407b92 100644
--- a/tests/system-kmod-macros.at
+++ b/tests/system-kmod-macros.at
@@ -100,6 +100,16 @@ m4_define([CHECK_CONNTRACK_FRAG_OVERLAP],
 #
 m4_define([CHECK_CONNTRACK_NAT])
 
+# CHECK_CONNTRACK_TIMEOUT()
+#
+# Perform requirements checks for running conntrack customized timeout tests.
+#
+m4_define([CHECK_CONNTRACK_TIMEOUT],
+[
+    AT_SKIP_IF([test $HAVE_NFCT = no])
+    AT_SKIP_IF([! cat /boot/config-$(uname -r) | grep NF_CONNTRACK_TIMEOUT | grep '=y' > /dev/null])
+])
+
 # CHECK_CT_DPIF_PER_ZONE_LIMIT()
 #
 # Perform requirements checks for running ovs-dpctl ct-[set|get|del]-limits per
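Review bot: The kernel-config probe in CHECK_CONNTRACK_TIMEOUT reads only `/boot/config-$(uname -r)`, so on a host without that file `cat` prints an error and the test is skipped with no indication that the feature was never actually probed. The two chained greps are also unanchored and would accept any line that contains both `NF_CONNTRACK_TIMEOUT` and `=y`. A single anchored match with stderr silenced is tighter: `AT_SKIP_IF([! grep -q '^CONFIG_NF_CONNTRACK_TIMEOUT=y' /boot/config-$(uname -r) 2>/dev/null])`. A short comment saying that a missing config file is treated as "not supported" would document the skip for whoever reads the test log.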
diff --git a/tests/system-traffic.at b/tests/system-traffic.at
index a358744637d8..e2009ee74a41 100644
--- a/tests/system-traffic.at
+++ b/tests/system-traffic.at
@@ -3137,6 +3137,71 @@ NXST_FLOW reply:
 OVS_TRAFFIC_VSWITCHD_STOP
 AT_CLEANUP
 
+AT_SETUP([conntrack - customized timeout])
+CHECK_CONNTRACK()
+CHECK_CONNTRACK_TIMEOUT()
+OVS_TRAFFIC_VSWITCHD_START()
+
+ADD_NAMESPACES(at_ns0, at_ns1)
+
+ADD_VETH(p0, at_ns0, br0, "10.1.1.1/24")
+ADD_VETH(p1, at_ns1, br0, "10.1.1.2/24")
+
+AT_DATA([flows.txt], [dnl
+priority=1,action=drop
+priority=10,arp,action=normal
+priority=100,in_port=1,icmp,action=ct(commit,timeout=1),2
+priority=100,in_port=1,udp,action=ct(commit,timeout=2),2
+priority=100,in_port=2,icmp,action=ct(table=1)
+priority=100,in_port=2,udp,action=ct(table=1)
+table=1,in_port=2,icmp,ct_state=+trk+est,action=1
+table=1,in_port=2,udp,ct_state=+trk+est,action=1
+])
+
+AT_CHECK([ovs-ofctl --bundle add-flows br0 flows.txt])
+
+dnl Add customized timeout
+dnl Note that the default ICMP timeout is 30 seconds.
+dnl The default timeout for unreplied UDP is 30 seconds, and
+dnl 180 seconds for replied UDP connection.
+AT_CHECK([nfct add timeout ovs_timeout_1 inet icmp timeout 3])
+AT_CHECK([nfct add timeout ovs_timeout_2 inet udp unreplied 3])
+on_exit 'nfct delete timeout ovs_timeout_1'
+on_exit 'nfct delete timeout ovs_timeout_2'
+
+dnl ICMP traffic
+NS_CHECK_EXEC([at_ns0], [ping -q -c 3 -i 0.3 -w 2 10.1.1.2 | FORMAT_PING], [0], [dnl
+3 packets transmitted, 3 received, 0% packet loss, time 0ms
+])
+
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0],[dnl
+icmp,orig=(src=10.1.1.1,dst=10.1.1.2,id=<cleared>,type=8,code=0),reply=(src=10.1.1.2,dst=10.1.1.1,id=<cleared>,type=0,code=0)
+])
+
+dnl Wait until ICMP timeout expire.
+dnl We intend to wait a bit longer, because conntrack does not recycle the entry right after it is expired.
+sleep 4
+
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
+])
+
+dnl Send out an UDP packet from port 1
+AT_CHECK([ovs-ofctl -O OpenFlow13 packet-out br0 "in_port=1 packet=50540000000a50540000000908004500001c000000000011a4cd0a0101010a0101020001000200080000 actions=resubmit(,0)"])
+
+ovs-appctl dpctl/dump-conntrack
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | grep "dst=10\.1\.1\.2,"], [0], [dnl
+udp,orig=(src=10.1.1.1,dst=10.1.1.2,sport=1,dport=2),reply=(src=10.1.1.2,dst=10.1.1.1,sport=2,dport=1)
+])
+
+dnl Wait until UDP timeout expire
+sleep 4
+
+AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(10.1.1.2)], [0], [dnl
+])
+
+OVS_TRAFFIC_VSWITCHD_STOP
+AT_CLEANUP
+
 AT_BANNER([conntrack - L7])
 
 AT_SETUP([conntrack - IPv4 HTTP])
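Review bot: The two `on_exit 'nfct delete timeout …'` handlers are registered only after both `nfct add timeout` checks, so if the second add fails the test aborts with `ovs_timeout_1` still installed in the host's netfilter state, where it can interfere with a rerun. Register each handler right after its own add, i.e. move `on_exit 'nfct delete timeout ovs_timeout_1'` between the two `AT_CHECK([nfct add …])` lines. The bare `ovs-appctl dpctl/dump-conntrack` ahead of the UDP check looks like a debugging leftover whose output is never checked, and that UDP check could use `FORMAT_CT(10.1.1.2)` like the other three dumps instead of a hand-written `grep`. Both expiry checks depend on `sleep 4` against a 3-second policy, which leaves about one second of slack on a loaded machine; a bounded retry on the empty dump would probably be less flaky.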
diff --git a/tests/system-userspace-macros.at b/tests/system-userspace-macros.at
index 92ffbf6d503f..60818c332fe2 100644
--- a/tests/system-userspace-macros.at
+++ b/tests/system-userspace-macros.at
@@ -96,6 +96,16 @@ m4_define([CHECK_CONNTRACK_FRAG_OVERLAP])
 #
 m4_define([CHECK_CONNTRACK_NAT])
 
+# CHECK_CONNTRACK_TIMEOUT()
+#
+# Perform requirements checks for running conntrack customized timeout tests.
+* The userspace datapath does not support this feature yet.
+#
+m4_define([CHECK_CONNTRACK_TIMEOUT],
+[
+    AT_SKIP_IF([:])
+])
+
 # CHECK_CT_DPIF_PER_ZONE_LIMIT()
 #
 # Perform requirements checks for running ovs-dpctl ct-[set|get|del]-limits per
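Review bot: The added line `* The userspace datapath does not support this feature yet.` starts with `*` rather than `#`, so it is not a comment in this `.at` file. It sits outside any macro definition, so it will most likely be copied verbatim into the generated testsuite script instead of being dropped. It should read `# The userspace datapath does not support this feature yet.`, in line with the rest of the header block above `m4_define([CHECK_CONNTRACK_TIMEOUT],`.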
-- 
2.7.4


