Test Case 1: Working Fine
port stop all
flow configure 0 queues_number 9 queues_size 256 conn_tracks_number 4
flow pattern_template 0 create pattern_template_id 2 relaxed true ingress template tcp / end
flow pattern_template 0 create pattern_template_id 4 relaxed true ingress template eth / ipv4 / tcp / conntrack spec 1 / end
flow actions_template 0 create actions_template_id 1 template jump group 1 / end mask jump group 1 / end
flow actions_template 0 create actions_template_id 2 template jump group 5 / end mask jump group 5 / end
flow actions_template 0 create actions_template_id 4 template queue index 4 / end mask queue index 4 / end
flow template_table 0 create table_id 1 group 0 ingress rules_number 10 pattern_template 2 actions_template 1
flow template_table 0 create table_id 2 group 1 ingress rules_number 10 pattern_template 2 actions_template 2
flow template_table 0 create table_id 4 group 5 ingress rules_number 10 pattern_template 4 actions_template 4
port start all
set conntrack com peer 0 is_orig 1 enable 1 live 1 sack 1 cack 0 last_dir 1 liberal 0 state 1 max_ack_win 7 r_lim 5 last_win 510 last_seq 2 last_ack 1 last_end 2 last_index 0x2
set conntrack orig scale 7 fin 0 acked 1 unack_data 0 sent_end 2 reply_end 1 max_win 8192 max_ack 2
set conntrack rply scale 7 fin 0 acked 1 unack_data 0 sent_end 2 reply_end 1 max_win 8192 max_ack 1
flow queue 0 indirect_action 0 create action_id 9 ingress postpone no action conntrack / end
flow push 0 queue 0
flow pull 0 queue 0
flow queue 0 create 0 template_table 1 pattern_template 0 actions_template 0 postpone 0 pattern tcp / end actions jump group 1 / end
flow push 0 queue 0
flow pull 0 queue 0
flow queue 0 create 0 template_table 2 pattern_template 0 actions_template 0 postpone 0 pattern tcp / end actions indirect 9 / jump group 5 / end
flow push 0 queue 0
flow pull 0 queue 0
flow queue 0 create 0 template_table 4 pattern_template 0 actions_template 0 postpone 0 pattern eth / ipv4 / tcp / conntrack spec 1 / end actions queue index 4 / end
flow push 0 queue 0
flow pull 0 queue 0
Result:
It was observed that the packet was sent to the right queue when the correct packet was sent
Scapy Packet:
sendp( Ether(dst="B8:CE:F6:D2:CD:22",src="aa:bb:cc:dd:ee:ff")/IP()/TCP(dport=5555), iface="enp134s0f0",count=1) --->> redirect the packet to queue 4
for Flow rule 3
sendp( Ether(dst="B8:CE:F6:D2:CD:22",src="aa:bb:cc:dd:ee:ff")/IP()/TCP(dport=1234), iface="enp134s0f0",count=1) --->> redirect the packet to queue 6 for Flow rule 2
Test Case 2:
This test case has shown strange behavior when we keep everything similar to the above test case and just make changes in the pattern template and rule involving ct the match is not found and the packets are drop
Note: I have Tested this test on the same packets.
The changes We did our to find an exact match on tcp dst port
flow pattern_template 0 create pattern_template_id 4 relaxed true ingress template eth / ipv4 / tcp / conntrack spec 1 / end
flow pattern_template 0 create pattern_template_id 4 relaxed true ingress template eth / ipv4 / tcp
dst is 5555 / conntrack spec 1 / end
For Flow Rule
flow queue 0 create 0 template_table 4 pattern_template 0 actions_template 0 postpone 0 pattern eth / ipv4 / tcp / conntrack spec 1 / end actions queue index 4 / end
flow queue 0 create 0 template_table 4 pattern_template 0 actions_template 0 postpone 0 pattern eth / ipv4 / tcp
dst is 5555 / conntrack spec 1 / end actions queue index 4 / end
Result:
The packets were sent to queue 6 but not to queue for
Scapy Packet:
sendp( Ether(dst="B8:CE:F6:D2:CD:22",src="aa:bb:cc:dd:ee:ff")/IP()/TCP(dport=5555), iface="enp134s0f0",count=1) -- were not redirected to queue 4 for flow rule
sendp( Ether(dst="B8:CE:F6:D2:CD:22",src="aa:bb:cc:dd:ee:ff")/IP()/TCP(dport=1234), iface="enp134s0f0",count=1) --were redirected to queue 6 for Flow rule 2.
Test Case 3:
kept the same configuration for this test similar to test 1 except for some minor changes
flow pattern_template 0 create pattern_template_id 4 relaxed true ingress template eth / ipv4 / tcp / conntrack spec 1 / end
flow pattern_template 0 create pattern_template_id 4 relaxed true ingress template eth / ipv4 / tcp / conntrack
is 1 / end
For Flow Rule:
flow queue 0 create 0 template_table 4 pattern_template 0 actions_template 0 postpone 0 pattern eth / ipv4 / tcp / conntrack spec 1 / end actions queue index 4 / end
flow queue 0 create 0 template_table 4 pattern_template 0 actions_template 0 postpone 0 pattern eth / ipv4 / tcp dst is 5555 / conntrack
is 1 / end actions queue index 4 / end
Result:
The packets were sent to queue 6 but not to queue for
Scapy Packet:
sendp( Ether(dst="B8:CE:F6:D2:CD:22",src="aa:bb:cc:dd:ee:ff")/IP()/TCP(dport=5555), iface="enp134s0f0",count=1) -- were not redirected to queue 4 for flow rule
sendp( Ether(dst="B8:CE:F6:D2:CD:22",src="aa:bb:cc:dd:ee:ff")/IP()/TCP(dport=1234), iface="enp134s0f0",count=1) --were redirected to queue 6 for Flow rule 2.
Test Case 4:
In this test case, I have removed the ct object, The indirect action and configuration related to
ct
NOTE: Please observe there are no ct object ,indirect action or connection tracking numbers in the following test
port stop all
flow configure 0 queues_number 9 queues_size 256
flow indirect_action 0 destroy action_id 0
flow indirect_action 0 destroy action_id 9
flow pattern_template 0 create pattern_template_id 2 relaxed true ingress template tcp / end
flow pattern_template 0 create pattern_template_id 3 relaxed true ingress template eth / ipv4 / tcp dst is 1234 / end
flow pattern_template 0 create pattern_template_id 4 relaxed true ingress template eth / ipv4 / tcp / conntrack spec 65535 / end
flow actions_template 0 create actions_template_id 1 template jump group 1 / end mask jump group 1 / end
flow actions_template 0 create actions_template_id 2 template jump group 5 / end mask jump group 5 / end
flow actions_template 0 create actions_template_id 3 template queue index 6 / end mask queue index 6 / end
flow actions_template 0 create actions_template_id 4 template queue index 4 / end mask queue index 4 / end
flow template_table 0 create table_id 1 group 0 ingress rules_number 10 pattern_template 2 actions_template 1
flow template_table 0 create table_id 2 group 1 ingress rules_number 10 pattern_template 2 actions_template 2
flow template_table 0 create table_id 3 group 5 ingress rules_number 10 pattern_template 3 actions_template 3
flow template_table 0 create table_id 4 group 5 ingress rules_number 10 pattern_template 4 actions_template 4
port start all
flow queue 0 create 0 template_table 1 pattern_template 0 actions_template 0 postpone 0 pattern tcp / end actions jump group 1 / end
flow push 0 queue 0
flow pull 0 queue 0
flow queue 0 create 0 template_table 2 pattern_template 0 actions_template 0 postpone 0 pattern tcp / end actions jump group 5 / end
flow push 0 queue 0
flow pull 0 queue 0
flow queue 0 create 0 template_table 3 pattern_template 0 actions_template 0 postpone 0 pattern eth / ipv4 / tcp dst is 1234 / end actions queue index 6 / end
flow push 0 queue 0
flow pull 0 queue 0
flow queue 0 create 0 template_table 4 pattern_template 0 actions_template 0 postpone 0 pattern eth / ipv4 / tcp / conntrack spec 65535 / end actions queue index 4 / end
flow push 0 queue 0
flow pull 0 queue 0
set verbose 3
start
Result:
The packets were sent to Queue 6 and Queue 4.
This shouldn't be the case since no ct object was created in the rule and their was no indirect action.
Scapy Packet:
sendp( Ether(dst="B8:CE:F6:D2:CD:22",src="aa:bb:cc:dd:ee:ff")/IP()/TCP(dport=5555), iface="enp134s0f0",count=1) -- were redirected to queue 4 for flow rule
sendp( Ether(dst="B8:CE:F6:D2:CD:22",src="aa:bb:cc:dd:ee:ff")/IP()/TCP(dport=1234), iface="enp134s0f0",count=1) --were redirected to queue 6 for Flow rule 2.
Summary:
-
Test case 1 worked as it was intended and packets were redirected to the desired queues
-
Test Cases 2 and 3 did not work as it was intended when matching on the exact tcp dst port and when the connection tracking keyword
is was used.
-
Test case 4 sent the packet to their desired queues but they shouldn't have because no ct context was created and no indirection action was created
Regards,
Taha
flow pattern_template 0 create pattern_template_id 4 relaxed true ingress template eth / ipv4 / tcp / conntrack spec 1 / end
Test Case 1: