author | Daniil Baturin <daniil@vyos.io> | 2025-06-09 12:11:38 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2025-06-09 12:11:38 +0100 |
commit | 34b07a49c052631e58401fd06c218701ad36d0ce (patch) | |
tree | 01208307f9d9a90f6e476ced35a7315ec5841fb4 /smoketest | |
parent | 6c8054a9ad223de9aba3646ef8a041c1f8f16839 (diff) | |
parent | 08421b277b1f460ebc51673571bab975aece2215 (diff) | |
Merge pull request #4548 from c-po/T7202-conntrack
conntrack: T7208: nf_conntrack_buckets defaults and behavior
Diffstat (limited to 'smoketest')
-rw-r--r-- | smoketest/config-tests/conntrack-basic | 35 | ||||
-rw-r--r-- | smoketest/configs/conntrack-basic | 92 | ||||
-rwxr-xr-x | smoketest/scripts/cli/test_system_conntrack.py | 13 |
3 files changed, 135 insertions, 5 deletions
diff --git a/smoketest/config-tests/conntrack-basic b/smoketest/config-tests/conntrack-basic
new file mode 100644
index 000000000..8c375d244
--- /dev/null
+++ b/smoketest/config-tests/conntrack-basic
@@ -0,0 +1,35 @@
+set firewall global-options timeout icmp '30'
+set firewall global-options timeout other '600'
+set firewall global-options timeout udp other '300'
+set firewall global-options timeout udp stream '300'
+set interfaces ethernet eth0 vif 5 address '192.0.2.1/24'
+set interfaces ethernet eth1 vif 7 description 'FTTH-PPPoE'
+set nat source rule 100 log
+set nat source rule 100 outbound-interface name 'pppoe0'
+set nat source rule 100 source address '192.0.2.0/24'
+set nat source rule 100 translation address 'masquerade'
+set service ntp allow-client address '172.16.0.0/12'
+set service ntp server 0.pool.ntp.org
+set service ntp server 1.pool.ntp.org
+set service ntp server 2.pool.ntp.org
+set system config-management commit-revisions '200'
+set system conntrack expect-table-size '2048'
+set system conntrack hash-size '1024'
+set system conntrack modules ftp
+set system conntrack modules h323
+set system conntrack modules nfs
+set system conntrack modules pptp
+set system conntrack modules sip
+set system conntrack modules sqlnet
+set system conntrack modules tftp
+set system conntrack table-size '262144'
+set system conntrack timeout
+set system console device ttyS0 speed '115200'
+set system domain-name 'vyos.net'
+set system host-name 'vyos'
+set system login user vyos authentication encrypted-password '$6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/'
+set system login user vyos authentication plaintext-password ''
+set system name-server '172.16.254.30'
+set system syslog local facility all level 'debug'
+set system syslog local facility local7 level 'debug'
+set system syslog remote 172.16.100.1 facility all level 'warning'
diff --git a/smoketest/configs/conntrack-basic b/smoketest/configs/conntrack-basic
new file mode 100644
index 000000000..8ecb78aeb
--- /dev/null
+++ b/smoketest/configs/conntrack-basic
@@ -0,0 +1,92 @@
+interfaces {
+ ethernet eth0 {
+ duplex auto
+ speed auto
+ vif 5 {
+ address 192.0.2.1/24
+ }
+ }
+ ethernet eth1 {
+ vif 7 {
+ description FTTH-PPPoE
+ }
+ }
+}
+nat {
+ source {
+ rule 100 {
+ log
+ outbound-interface pppoe0
+ source {
+ address 192.0.2.0/24
+ }
+ translation {
+ address masquerade
+ }
+ }
+ }
+}
+system {
+ config-management {
+ commit-revisions 200
+ }
+ conntrack {
+ expect-table-size 2048
+ hash-size 1023
+ table-size 262144
+ timeout {
+ icmp 30
+ other 600
+ udp {
+ other 300
+ stream 300
+ }
+ }
+ }
+ console {
+ device ttyS0 {
+ speed 115200
+ }
+ }
+ domain-name vyos.net
+ host-name vyos
+ login {
+ user vyos {
+ authentication {
+ encrypted-password $6$2Ta6TWHd/U$NmrX0x9kexCimeOcYK1MfhMpITF9ELxHcaBU/znBq.X2ukQOj61fVI2UYP/xBzP4QtiTcdkgs7WOQMHWsRymO/
+ plaintext-password ""
+ }
+ }
+ }
+ name-server 172.16.254.30
+ ntp {
+ allow-clients {
+ address 172.16.0.0/12
+ }
+ server 0.pool.ntp.org {
+ }
+ server 1.pool.ntp.org {
+ }
+ server 2.pool.ntp.org {
+ }
+ }
+ syslog {
+ global {
+ facility all {
+ level debug
+ }
+ facility protocols {
+ level debug
+ }
+ }
+ host 172.16.100.1 {
+ facility all {
+ level warning
+ }
+ }
+ }
+}
+
+// Warning: Do not remove the following line.
+// vyos-config-version: "broadcast-relay@1:cluster@1:config-management@1:conntrack@1:conntrack-sync@1:dhcp-relay@2:dhcp-server@5:dhcpv6-server@1:dns-forwarding@3:firewall@5:https@2:interfaces@18:ipoe-server@1:ipsec@5:l2tp@3:lldp@1:mdns@1:nat@5:ntp@1:pppoe-server@5:pptp@2:qos@1:quagga@6:salt@1:snmp@2:ssh@2:sstp@3:system@20:vrrp@2:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2:zone-policy@1"
+// Release version: 1.3-beta-202101091250
diff --git a/smoketest/scripts/cli/test_system_conntrack.py b/smoketest/scripts/cli/test_system_conntrack.py index f6bb3cf7c..27ca28298 100755 --- a/smoketest/scripts/cli/test_system_conntrack.py +++ b/smoketest/scripts/cli/test_system_conntrack.py @@ -20,7 +20,10 @@ import unittest from base_vyostest_shim import VyOSUnitTestSHIM from vyos.firewall import find_nftables_rule -from vyos.utils.file import read_file, read_json +from vyos.utils.file import read_file +from vyos.utils.file import read_json +from vyos.utils.system import sysctl_read +from vyos.xml_ref import default_value base_path = ['system', 'conntrack'] @@ -168,8 +171,8 @@ class TestSystemConntrack(VyOSUnitTestSHIM.TestCase): self.assertTrue(find_nftables_rule('ip vyos_conntrack', 'VYOS_CT_HELPER', [rule]) == None) def test_conntrack_hash_size(self): - hash_size = '65536' - hash_size_default = '32768' + hash_size = '8192' + hash_size_default = default_value(base_path + ['hash-size']) self.cli_set(base_path + ['hash-size', hash_size]) @@ -178,7 +181,7 @@ class TestSystemConntrack(VyOSUnitTestSHIM.TestCase): # verify new configuration - only effective after reboot, but # a valid config file is sufficient - tmp = read_file('/etc/modprobe.d/vyatta_nf_conntrack.conf') + tmp = sysctl_read('net.netfilter.nf_conntrack_buckets') self.assertIn(hash_size, tmp) # Test default value by deleting the configuration @@ -189,7 +192,7 @@ class TestSystemConntrack(VyOSUnitTestSHIM.TestCase): # verify new configuration - only effective after reboot, but # a valid config file is sufficient - tmp = read_file('/etc/modprobe.d/vyatta_nf_conntrack.conf') + tmp = sysctl_read('net.netfilter.nf_conntrack_buckets') self.assertIn(hash_size_default, tmp) def test_conntrack_ignore(self): |
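Review bot: In the hunk at new line 171, `hash_size_default = default_value(base_path + ['hash-size'])` takes the expected default from the XML definition, so the test no longer pins a concrete number and would not notice a wrong default in that definition, presumably the same one the implementation reads. If the lookup ever returned no value, the later `assertIn(hash_size_default, tmp)` would fail with a type error rather than a readable assertion. Adding `self.assertIsNotNone(hash_size_default)` directly after the assignment, plus a comment such as `# expected default comes from the CLI definition, not a hard-coded value`, makes the intent and the failure mode explicit. The method body continues past this hunk.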
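Review bot: The context comment `# verify new configuration - only effective after reboot, but a valid config file is sufficient` is stale in the hunks at new lines 181 and 192, because `tmp = sysctl_read('net.netfilter.nf_conntrack_buckets')` now reads the live kernel value rather than the modprobe config file. Something like `# verify the running value of net.netfilter.nf_conntrack_buckets` would match what is checked. `assertIn` is also only a substring match, so `'8192'` would be accepted inside a larger value such as `'81920'`. Assuming `sysctl_read` returns the bare value as a string, `self.assertEqual(tmp, hash_size)` and `self.assertEqual(tmp, hash_size_default)` pin the bucket count exactly. The parts of test_conntrack_hash_size between the hunks are not shown.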