Simon Horman <ho...@ovn.org> writes: > On Wed, Oct 02, 2024 at 06:01:41PM +0200, Paolo Valerio wrote: >> As Long reported, kernels built without CONFIG_NETFILTER_CONNCOUNT >> result in the unexpected failure of the following tests: >> >> conntrack - multiple zones, local >> conntrack - multi-stage pipeline, local >> conntrack - can match and clear ct_state from outside OVS >> >> This happens because nf_conncount turns on connection tracking and >> the above tests rely on this side effect. However, this behavior may >> be corrected in the kernel, which could, in turn, cause the tests to >> fail. >> >> The patch removes the assumption by adding iptables rules to attach >> an nf_conn template to the skb, so that it is already tracked once it hits the OvS >> pipeline. >> >> While at it, introduce $HAVE_IPTABLES and skip tests if the iptables >> binary is not present. >> >> Reported-by: Xin Long <lucien....@gmail.com> >> Reported-at: https://issues.redhat.com/browse/FDP-708 >> Signed-off-by: Paolo Valerio <pvale...@redhat.com> >> --- >> v3: >> - generalized introducing CHECK_EXTERNAL_CT()/ADD_EXTERNAL_CT() >> to ease the transition toward a different front-end >> >> v2: >> - add $HAVE_IPTABLES >> - reduced subject length (0-day Robot) > > ... > >> diff --git a/tests/atlocal.in b/tests/atlocal.in >> index 8565a0bae..d6b87f8ec 100644 >> --- a/tests/atlocal.in >> +++ b/tests/atlocal.in >> @@ -185,6 +185,9 @@ find_command lftp >> # Set HAVE_ETHTOOL >> find_command ethtool >> >> +# Set HAVE_IPTABLES >> +find_command iptables >> + >> CURL_OPT="-g -v --max-time 1 --retry 2 --retry-delay 1 --connect-timeout 1" >> >> # Determine whether "diff" supports "normal" diffs. (busybox diff does >> not.) >> diff --git a/tests/ovs-macros.at b/tests/ovs-macros.at >> index 06c978555..df2835747 100644 >> --- a/tests/ovs-macros.at >> +++ b/tests/ovs-macros.at 
>> @@ -366,3 +366,8 @@ dnl Add a rule to always accept the traffic. >> m4_define([IPTABLES_ACCEPT], >> [AT_CHECK([iptables -I INPUT 1 -i $1 -j ACCEPT]) >> on_exit 'iptables -D INPUT 1 -i $1']) >> + >> +dnl Required to let conntrack start tracking the packets outside ovs >> +m4_define([IPTABLES_CT], >> + [AT_CHECK([iptables -t raw -I OUTPUT 1 -o $1 -j CT]) >> + on_exit 'iptables -t raw -D OUTPUT 1']) > > Hi Paolo, > > I don't think IPTABLES_CT is needed now that we have ADD_EXTERNAL_CT. >
it's not, indeed. It's a leftover of the old revision. I sent a new revision. Thanks. > Otherwise this looks good to me. > >> diff --git a/tests/system-kmod-macros.at b/tests/system-kmod-macros.at >> index 5203b1df8..135892e91 100644 >> --- a/tests/system-kmod-macros.at >> +++ b/tests/system-kmod-macros.at >> @@ -267,3 +267,24 @@ m4_define([OVS_CHECK_BAREUDP], >> AT_SKIP_IF([! ip link add dev ovs_bareudp0 type bareudp dstport 6635 >> ethertype mpls_uc 2>&1 >/dev/null]) >> AT_CHECK([ip link del dev ovs_bareudp0]) >> ]) >> + >> +# CHECK_EXTERNAL_CT() >> +# >> +# Checks if packets can be tracked outside OvS. >> +m4_define([CHECK_EXTERNAL_CT], >> +[ >> + dnl Kernel config (CONFIG_NETFILTER_XT_TARGET_CT) >> + dnl and user space extensions need to be present. >> + AT_SKIP_IF([test $HAVE_IPTABLES = no]) >> + AT_SKIP_IF([! iptables -t raw -I OUTPUT 1 -j CT]) >> + AT_CHECK([iptables -t raw -D OUTPUT 1]) >> +]) >> + >> +# ADD_EXTERNAL_CT() >> +# >> +# Let conntrack start tracking the packets outside OvS. >> +m4_define([ADD_EXTERNAL_CT], >> +[ >> + AT_CHECK([iptables -t raw -I OUTPUT 1 -o $1 -j CT]) >> + on_exit 'iptables -t raw -D OUTPUT 1' >> +]) > > ... _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
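Review bot: In the tests/ovs-macros.at hunk, IPTABLES_CT duplicates ADD_EXTERNAL_CT from tests/system-kmod-macros.at (same `-t raw -I OUTPUT 1 -o $1 -j CT` insert, same cleanup), so it should be dropped rather than shipped alongside it, as already agreed in this thread. If it were kept, its cleanup `on_exit 'iptables -t raw -D OUTPUT 1'` removes whatever rule sits at position 1 of the raw OUTPUT chain at exit time, not necessarily the one this macro inserted; deleting by rule specification (`iptables -t raw -D OUTPUT -o $1 -j CT`) would be safer.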
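Review bot: In the tests/system-kmod-macros.at hunk, ADD_EXTERNAL_CT cleans up with `on_exit 'iptables -t raw -D OUTPUT 1'`, which deletes by position: if a test calls ADD_EXTERNAL_CT for more than one interface, or inserts any other raw OUTPUT rule after it, the rule removed at exit may not be the one this macro added. Deleting by specification, i.e. `on_exit 'iptables -t raw -D OUTPUT -o $1 -j CT'`, ties the cleanup to the exact rule inserted. Two smaller points on the same hunk: the header comment `# ADD_EXTERNAL_CT()` does not document the interface argument the macro takes (`# ADD_EXTERNAL_CT([iface])` would match how the body uses `$1`), and the probe rule in CHECK_EXTERNAL_CT (`-I OUTPUT 1 -j CT` with no `-o` match) briefly applies to all locally generated traffic between the AT_SKIP_IF and the following AT_CHECK; restricting it to `-o lo` keeps the capability check from touching unrelated flows. The comment above the check names CONFIG_NETFILTER_XT_TARGET_CT, but the probe also needs the raw table itself to be available, which the `-t raw` insert covers implicitly and the comment could say.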