This patch introduces a new scenario with a virtual network layout that was previously designed by Pablo (see commit 7f1fb5dad90f04caa94f4fcefd1340aeb2c2f0e3). The scenario is called 'basic_2_peer_network_tcp_notrack' and can be used to test conntrack entry replication in TCP/NOTRACK mode with both caches disabled. In this mode entry synchronization should happen basically in the same instant the event is produced. The testcase is very simple, but works really well: * send 1 ping to a network peer across the router * verify the conntrack entry has been replicated to the stand-by router === 8< === $ cd tests ; sudo ./cttools-testing-framework.py --single tcp_notrack_replicate_icmp [cttools-testing-framework.py] INFO: --- running test: tcp_notrack_replicate_icmp [cttools-testing-framework.py] INFO: --- passed test: tcp_notrack_replicate_icmp [cttools-testing-framework.py] INFO: --- [cttools-testing-framework.py] INFO: --- finished [cttools-testing-framework.py] INFO: --- passed tests: 1 [cttools-testing-framework.py] INFO: --- failed tests: 0 [cttools-testing-framework.py] INFO: --- scenario failure: 0 [cttools-testing-framework.py] INFO: --- total tests: 1 === 8< === Signed-off-by: Arturo Borrero Gonzalez <arturo@xxxxxxxxxxxxx> --- HINT: while developing this scenario/testcase I already detected several bugs. How to trigger them is left as an exercise for the reader. I will send detailed (failure) testcases in other patch series. scenarios.yaml | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ tests.yaml | 11 +++++++++++ 2 files changed, 112 insertions(+) diff --git a/tests/scenarios.yaml b/tests/scenarios.yaml index a47e1a1..798d9eb 100644 --- a/tests/scenarios.yaml +++ b/tests/scenarios.yaml 
@@ -17,3 +17,104 @@
 - $CONNTRACKD -C /tmp/conntrackd_test_simple_stats -k
 - rm -f /var/lock/conntrack.lock
 - rm -f /tmp/conntrackd_test_simple_stats
+
+- name: basic_2_peer_network_tcp_notrack
+ start:
+ - ip netns add ns1
+ - ip netns add ns2
+ - ip netns add nsr1
+ - ip netns add nsr2
+ - ip link add veth0 netns ns1 type veth peer name veth1 netns nsr1
+ - ip link add veth0 netns nsr1 type veth peer name veth0 netns ns2
+ - ip link add veth2 netns nsr1 type veth peer name veth0 netns nsr2
+ - ip -net ns1 addr add 192.168.10.2/24 dev veth0
+ - ip -net ns1 link set up dev veth0
+ - ip -net ns1 ro add 10.0.1.0/24 via 192.168.10.1 dev veth0
+ - ip -net nsr1 addr add 10.0.1.1/24 dev veth0
+ - ip -net nsr1 addr add 192.168.10.1/24 dev veth1
+ - ip -net nsr1 link set up dev veth0
+ - ip -net nsr1 link set up dev veth1
+ - ip -net nsr1 route add default via 192.168.10.2
+ - ip netns exec nsr1 sysctl -q net.ipv4.ip_forward=1
+ - ip -net nsr1 addr add 192.168.100.2/24 dev veth2
+ - ip -net nsr1 link set up dev veth2
+ - ip -net nsr2 addr add 192.168.100.3/24 dev veth0
+ - ip -net nsr2 link set up dev veth0
+ - ip -net ns2 addr add 10.0.1.2/24 dev veth0
+ - ip -net ns2 link set up dev veth0
+ - ip -net ns2 route add default via 10.0.1.1
+ - |
+ cat << EOF > /tmp/ruleset.nft
+ table ip filter {
+ chain postrouting {
+ type nat hook postrouting priority srcnat; policy accept;
+ oif veth0 masquerade
+ }
+ }
+ EOF
+ - ip netns exec nsr1 nft -f /tmp/ruleset.nft
+ - |
+ cat << EOF > /tmp/nsr1.conf
+ Sync {
+ Mode NOTRACK {
+ DisableExternalCache on
+ DisableInternalCache on
+ }
+ TCP {
+ IPv4_address 192.168.100.2
+ IPv4_Destination_Address 192.168.100.3
+ Interface veth2
+ Port 3780
+ }
+ }
+ General {
+ LogFile on
+ LockFile /var/lock/conntrack-nsr1.lock
+ UNIX { Path /var/run/conntrackd-nsr1.ctl }
+ }
+ EOF
+ - |
+ cat << EOF > /tmp/nsr2.conf
+ Sync {
+ Mode NOTRACK {
+ DisableExternalCache on
+ DisableInternalCache on
+ }
+ TCP {
+ IPv4_address 192.168.100.3
+ IPv4_Destination_Address 192.168.100.2
+ Interface veth0
+ Port 3780
+ }
+ }
+ General {
+ LogFile on
+ LockFile /var/lock/conntrack-nsr2.lock
+ UNIX { Path /var/run/conntrackd-nsr2.ctl }
+ }
+ EOF
+ # finally run the daemons
+ - ip netns exec nsr1 $CONNTRACKD -C /tmp/nsr1.conf -d
+ - ip netns exec nsr2 $CONNTRACKD -C /tmp/nsr2.conf -d
+ # make sure they are alive and connected before considering the scenario started
+ - timeout 5 bash -c -- '
+ while ! ip netns exec nsr1 $CONNTRACKD -C /tmp/nsr1.conf -s | grep -q "server=connected"
+ ; do sleep 0.5 ; done'
+ - timeout 5 bash -c -- '
+ while ! ip netns exec nsr1 $CONNTRACKD -C /tmp/nsr1.conf -s | grep -q "client=connected"
+ ; do sleep 0.5 ; done'
+ - timeout 5 bash -c -- '
+ while ! ip netns exec nsr2 $CONNTRACKD -C /tmp/nsr2.conf -s | grep -q "server=connected"
+ ; do sleep 0.5 ; done'
+ - timeout 5 bash -c -- '
+ while ! ip netns exec nsr2 $CONNTRACKD -C /tmp/nsr2.conf -s | grep -q "client=connected"
+ ; do sleep 0.5 ; done'
+ stop:
+ - $CONNTRACKD -C /tmp/nsr1.conf -k 2>/dev/null
+ - $CONNTRACKD -C /tmp/nsr2.conf -k 2>/dev/null
+ - rm -f /tmp/ruleset.nft /tmp/nsr2.conf /tmp/nsr1.conf
+ - rm -f /var/lock/conntrack-nsr1.lock /var/lock/conntrack-nsr2.lock
+ - ip netns del ns1 || true
+ - ip netns del ns2 || true
+ - ip netns del nsr1 || true
+ - ip netns del nsr2 || true
diff --git a/tests/tests.yaml b/tests/tests.yaml
index 8324dbe..872269d 100644
--- a/tests/tests.yaml
+++ b/tests/tests.yaml
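Review bot: The nft ruleset and both conntrackd configs are written by a root-run scenario to fixed, predictable names in the world-writable /tmp (`cat << EOF > /tmp/ruleset.nft`, `/tmp/nsr1.conf`, `/tmp/nsr2.conf`) and then consumed by `nft -f` and `$CONNTRACKD -C`, so anything already sitting at one of those names is followed rather than rejected, and two runs on the same host clobber each other's files. The existing scenario above uses /tmp the same way, so this is an inherited pattern rather than a regression, but a per-run directory (`mktemp -d`) or a root-owned location would be preferable if the framework can carry such a path between steps, which I cannot tell from this hunk. A smaller point of style: the ns1 route step is written `ip -net ns1 ro add 10.0.1.0/24 via 192.168.10.1 dev veth0` while every other step spells `route add`; spelling it out keeps the steps consistent and greppable.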
@@ -39,3 +39,14 @@ # check that we can obtain stats via unix socket: expect (no output) test: - $CONNTRACKD -C /tmp/conntrackd_test_simple_stats -s expect
+
+- name: tcp_notrack_replicate_icmp
+ scenario: basic_2_peer_network_tcp_notrack
+ # check that we can replicate a ICMP conntrack entry in a 2 conntrackd TCP/NOTRACK setup
+ test:
+ # PING should inject an ICMP conntrack entry in nsr1
+ - ip netns exec ns1 ping -c1 10.0.1.2 >/dev/null
+ # verify conntrack entry is then replicated to nsr2, wait up to 5 seconds
+ - timeout 5 bash -c -- '
+ while ! ip netns exec nsr2 $CONNTRACK -L -p icmp 2>/dev/null | grep -q icmp
+ ; do sleep 0.5 ; done'
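Review bot: The replication check `grep -q icmp` is satisfied by any ICMP entry that `$CONNTRACK -L -p icmp` lists in nsr2, not by the flow the ping created, so a stale or unrelated entry lets the test pass and a replicated entry carrying the wrong tuple goes unnoticed. Matching the expected original-direction tuple instead, e.g. `grep -q "src=192.168.10.2 dst=10.0.1.2"` (assuming the usual `src=… dst=…` listing format), would assert what the test name claims. It may also be worth confirming the entry exists in nsr1 right after the ping, so a failure is attributed to replication rather than to the forwarding/masquerade path. The `2>/dev/null` inside the loop also hides a missing or failing `$CONNTRACK` invocation until the 5 s timeout expires, which makes such failures look like replication timeouts.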