Conntag

The following scenarios show how the conntag feature integrates with conntrack logging and system conntrack show commands. Conntag allows tagging conntrack entries with string values (up to 255 characters) for traffic identification and logging.

Conntag In Conntrack Show

Description

Verify that conntag values appear correctly in the system conntrack show command output. The conntag field should display the string value assigned to the connection via traffic policy.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 192.168.100.1/24
set interfaces ethernet eth0 traffic policy in POLICY_TAG
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_TAG rule 1 set conntag my-logged-tag

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.312 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.312/0.312/0.312/0.000 ms

Step 4: Run command system conntrack clear at DUT0 and expect this output:

Show output
Connection tracking table has been emptied

Step 5: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.221 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.273 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.272 ms

--- 192.168.100.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2050ms
rtt min/avg/max/mdev = 0.221/0.255/0.273/0.024 ms

Step 6: Run command system conntrack show at DUT0 and expect this output:

Show output
icmp     1 29 src=192.168.100.2 dst=192.168.100.1 type=8 code=0 id=715 packets=3 bytes=252 src=192.168.100.1 dst=192.168.100.2 type=0 code=0 id=715 packets=3 bytes=252 mark=0 conntag=my-logged-tag use=1
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.

Conntag In Conntrack Logging

Description

Verify that conntag values appear in conntrack logging events when system conntrack logging events is enabled. The CONNTAG field should be included in log entries for NEW, UPDATE, and DESTROY events.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 192.168.100.1/24
set interfaces ethernet eth0 traffic policy in POLICY_TAG
set system conntrack logging events all
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_TAG rule 1 set conntag my-logged-tag

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.381 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.381/0.381/0.381/0.000 ms

Step 4: Run command system conntrack clear at DUT0 and expect this output:

Show output
Connection tracking table has been emptied

Step 5: Run command system journal clear at DUT0 and expect this output:

Show output
Vacuuming done, freed 0B of archived journals from /run/log/journal.
Vacuuming done, freed 0B of archived journals from /var/log/journal.
Deleted archived journal /run/log/journal/7f16b2c6785447ce99316296df636466/system@3c4b536b314b4befa3bd9bd2b4242f2f-00000000000035e6-0006496161b6e81b.journal (112.0K).
Vacuuming done, freed 112.0K of archived journals from /run/log/journal/7f16b2c6785447ce99316296df636466.

Step 6: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.240 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.238 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.226 ms

--- 192.168.100.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2054ms
rtt min/avg/max/mdev = 0.226/0.234/0.240/0.006 ms

Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

CONNTAG=my-logged-tag
Show output
Jan 27 16:47:43.005235 osdx systemd-journald[1842]: Runtime Journal (/run/log/journal/7f16b2c6785447ce99316296df636466) is 1.8M, max 13.8M, 11.9M free.
Jan 27 16:47:43.005706 osdx systemd-journald[1842]: Received client request to rotate journal, rotating.
Jan 27 16:47:43.005746 osdx systemd-journald[1842]: Vacuuming done, freed 0B of archived journals from /run/log/journal/7f16b2c6785447ce99316296df636466.
Jan 27 16:47:43.014830 osdx OSDxCLI[44999]: User 'admin' executed a new command: 'system journal clear'.
Jan 27 16:47:43.091229 osdx ulogd[56269]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=my-logged-tag
Jan 27 16:47:43.091251 osdx ulogd[56269]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=my-logged-tag

Conntag In Traffic Policy Log

Description

Verify that conntag values appear in traffic policy log entries when the log option is enabled on a rule that sets conntag.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 192.168.100.1/24
set interfaces ethernet eth0 traffic policy in POLICY_TAG
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_TAG rule 1 log prefix CONNTAG
set traffic policy POLICY_TAG rule 1 set conntag my-logged-tag

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.372 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.372/0.372/0.372/0.000 ms

Step 4: Run command system conntrack clear at DUT0 and expect this output:

Show output
Connection tracking table has been emptied

Step 5: Run command system journal clear at DUT0 and expect this output:

Show output
Vacuuming done, freed 0B of archived journals from /var/log/journal.
Vacuuming done, freed 0B of archived journals from /run/log/journal.
Deleted archived journal /run/log/journal/7f16b2c6785447ce99316296df636466/system@3c4b536b314b4befa3bd9bd2b4242f2f-0000000000003638-0006496162409b57.journal (84.0K).
Vacuuming done, freed 84.0K of archived journals from /run/log/journal/7f16b2c6785447ce99316296df636466.

Step 6: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.275 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.283 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.367 ms

--- 192.168.100.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2047ms
rtt min/avg/max/mdev = 0.275/0.308/0.367/0.041 ms

Step 7: Run command system journal show | tail at DUT0 and check if output contains the following tokens:

[CONNTAG-1] ACCEPT
Show output
Jan 27 16:47:51.502892 osdx systemd-journald[1842]: Runtime Journal (/run/log/journal/7f16b2c6785447ce99316296df636466) is 1.8M, max 13.8M, 11.9M free.
Jan 27 16:47:51.506269 osdx systemd-journald[1842]: Received client request to rotate journal, rotating.
Jan 27 16:47:51.506339 osdx systemd-journald[1842]: Vacuuming done, freed 0B of archived journals from /run/log/journal/7f16b2c6785447ce99316296df636466.
Jan 27 16:47:51.513634 osdx OSDxCLI[44999]: User 'admin' executed a new command: 'system journal clear'.
Jan 27 16:47:51.622652 osdx kernel: [CONNTAG-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:de:ad:be:ef:6c:10:08:00 SRC=192.168.100.2 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=6144 DF PROTO=ICMP TYPE=8 CODE=0 ID=719 SEQ=1
Jan 27 16:47:52.645567 osdx kernel: [CONNTAG-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:de:ad:be:ef:6c:10:08:00 SRC=192.168.100.2 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=6172 DF PROTO=ICMP TYPE=8 CODE=0 ID=719 SEQ=2
Jan 27 16:47:53.669673 osdx kernel: [CONNTAG-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:de:ad:be:ef:6c:10:08:00 SRC=192.168.100.2 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=6407 DF PROTO=ICMP TYPE=8 CODE=0 ID=719 SEQ=3

Conntag Persistence Through Connection States

Description

Verify that conntag values persist through different connection states (NEW, ESTABLISHED). The tag should remain associated with the connection throughout its lifecycle.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 192.168.100.1/24
set interfaces ethernet eth0 traffic policy in POLICY_TAG
set system conntrack logging events all
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_TAG rule 1 set conntag my-logged-tag

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.340 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.340/0.340/0.340/0.000 ms

Step 4: Run command system conntrack clear at DUT0 and expect this output:

Show output
Connection tracking table has been emptied

Step 5: Run command system journal clear at DUT0 and expect this output:

Show output
Deleted archived journal /run/log/journal/7f16b2c6785447ce99316296df636466/system@3c4b536b314b4befa3bd9bd2b4242f2f-000000000000366c-0006496162ca4626.journal (112.0K).
Vacuuming done, freed 112.0K of archived journals from /run/log/journal/7f16b2c6785447ce99316296df636466.
Vacuuming done, freed 0B of archived journals from /run/log/journal.
Vacuuming done, freed 0B of archived journals from /var/log/journal.

Step 6: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.262 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.247 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.327 ms

--- 192.168.100.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2031ms
rtt min/avg/max/mdev = 0.247/0.278/0.327/0.034 ms

Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

\[NEW\].*CONNTAG=my-logged-tag
Show output
Jan 27 16:48:00.631179 osdx systemd-journald[1842]: Runtime Journal (/run/log/journal/7f16b2c6785447ce99316296df636466) is 1.8M, max 13.8M, 11.9M free.
Jan 27 16:48:00.633167 osdx systemd-journald[1842]: Received client request to rotate journal, rotating.
Jan 27 16:48:00.633215 osdx systemd-journald[1842]: Vacuuming done, freed 0B of archived journals from /run/log/journal/7f16b2c6785447ce99316296df636466.
Jan 27 16:48:00.640699 osdx OSDxCLI[44999]: User 'admin' executed a new command: 'system journal clear'.
Jan 27 16:48:00.773387 osdx ulogd[56980]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=my-logged-tag
Jan 27 16:48:00.773412 osdx ulogd[56980]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=my-logged-tag

Step 8: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

\[UPDATE\].*CONNTAG=my-logged-tag
Show output
Jan 27 16:48:00.631179 osdx systemd-journald[1842]: Runtime Journal (/run/log/journal/7f16b2c6785447ce99316296df636466) is 1.8M, max 13.8M, 11.9M free.
Jan 27 16:48:00.633167 osdx systemd-journald[1842]: Received client request to rotate journal, rotating.
Jan 27 16:48:00.633215 osdx systemd-journald[1842]: Vacuuming done, freed 0B of archived journals from /run/log/journal/7f16b2c6785447ce99316296df636466.
Jan 27 16:48:00.640699 osdx OSDxCLI[44999]: User 'admin' executed a new command: 'system journal clear'.
Jan 27 16:48:00.773387 osdx ulogd[56980]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=my-logged-tag
Jan 27 16:48:00.773412 osdx ulogd[56980]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=my-logged-tag
Jan 27 16:48:02.871173 osdx OSDxCLI[44999]: User 'admin' executed a new command: 'system journal show | cat'.

Conntag With Long String In Logs

Description

Verify that long conntag strings are correctly logged and displayed. The system should handle strings up to 255 characters without truncation in logs.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 192.168.100.1/24
set interfaces ethernet eth0 traffic policy in POLICY_TAG
set system conntrack logging events new
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_TAG rule 1 set conntag application-traffic-identifier-v1.2.3-production-env

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.654 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.654/0.654/0.654/0.000 ms

Step 4: Run command system conntrack clear at DUT0 and expect this output:

Show output
Connection tracking table has been emptied

Step 5: Run command system journal clear at DUT0 and expect this output:

Show output
Vacuuming done, freed 0B of archived journals from /var/log/journal.
Deleted archived journal /run/log/journal/7f16b2c6785447ce99316296df636466/system@3c4b536b314b4befa3bd9bd2b4242f2f-00000000000036be-000649616352edfd.journal (108.0K).
Vacuuming done, freed 108.0K of archived journals from /run/log/journal/7f16b2c6785447ce99316296df636466.
Vacuuming done, freed 0B of archived journals from /run/log/journal.

Step 6: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.372 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.254 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.311 ms

--- 192.168.100.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2047ms
rtt min/avg/max/mdev = 0.254/0.312/0.372/0.048 ms

Step 7: Run command system conntrack show at DUT0 and expect this output:

Show output
icmp     1 29 src=192.168.100.2 dst=192.168.100.1 type=8 code=0 id=723 packets=3 bytes=252 src=192.168.100.1 dst=192.168.100.2 type=0 code=0 id=723 packets=3 bytes=252 mark=0 conntag=application-traffic-identifier-v1.2.3-production-env use=1
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.

Step 8: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

CONNTAG=application-traffic-identifier
Show output
Jan 27 16:48:09.924970 osdx systemd-journald[1842]: Runtime Journal (/run/log/journal/7f16b2c6785447ce99316296df636466) is 1.8M, max 13.8M, 11.9M free.
Jan 27 16:48:09.926041 osdx systemd-journald[1842]: Received client request to rotate journal, rotating.
Jan 27 16:48:09.926102 osdx systemd-journald[1842]: Vacuuming done, freed 0B of archived journals from /run/log/journal/7f16b2c6785447ce99316296df636466.
Jan 27 16:48:09.934631 osdx OSDxCLI[44999]: User 'admin' executed a new command: 'system journal clear'.
Jan 27 16:48:10.062229 osdx ulogd[57353]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=application-traffic-identifier-v1.2.3-production-env
Jan 27 16:48:12.187258 osdx OSDxCLI[44999]: User 'admin' executed a new command: 'system conntrack show'.

Conntag With Multiple Policies

Description

Verify that different traffic policies can set different conntag values, and each connection is tagged appropriately based on which policy rule matched.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces ethernet eth0 address 192.168.100.1/24
set interfaces ethernet eth0 traffic policy in POLICY_MULTI
set service ssh
set system conntrack logging events all
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_MULTI rule 1 selector SEL_ICMP
set traffic policy POLICY_MULTI rule 1 set conntag icmp-traffic-tag
set traffic policy POLICY_MULTI rule 2 selector SEL_TCP
set traffic policy POLICY_MULTI rule 2 set conntag tcp-traffic-tag
set traffic selector SEL_ICMP rule 1 protocol icmp
set traffic selector SEL_TCP rule 1 protocol tcp

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 3: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.540 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.264 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.267 ms

--- 192.168.100.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2041ms
rtt min/avg/max/mdev = 0.264/0.357/0.540/0.129 ms

Step 4: Run command system conntrack clear at DUT0 and expect this output:

Show output
Connection tracking table has been emptied

Step 5: Run command system journal clear at DUT0 and expect this output:

Show output
Vacuuming done, freed 0B of archived journals from /run/log/journal.
Vacuuming done, freed 0B of archived journals from /var/log/journal.
Deleted archived journal /run/log/journal/7f16b2c6785447ce99316296df636466/system@3c4b536b314b4befa3bd9bd2b4242f2f-000000000000370d-0006496163ed45ee.journal (120.0K).
Vacuuming done, freed 120.0K of archived journals from /run/log/journal/7f16b2c6785447ce99316296df636466.

Step 6: Ping IP address 192.168.100.1 from DUT1:

admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.439 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.276 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.251 ms

--- 192.168.100.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2056ms
rtt min/avg/max/mdev = 0.251/0.322/0.439/0.083 ms

Step 7: Initiate an SSH connection from DUT1 to IP address 192.168.100.1 with the user admin:

admin@DUT1$ ssh admin@192.168.100.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Show output
Warning: Permanently added '192.168.100.1' (ECDSA) to the list of known hosts.
admin@192.168.100.1's password:
Welcome to Teldat OSDx v4.2.8.2

This system includes free software.
Contact Teldat for licenses information and source code.

Last login: Tue Jan 27 16:43:17 2026
admin@osdx$

Step 8: Run command system conntrack show at DUT0 and expect this output:

Show output
icmp     1 29 src=192.168.100.2 dst=192.168.100.1 type=8 code=0 id=725 packets=3 bytes=252 src=192.168.100.1 dst=192.168.100.2 type=0 code=0 id=725 packets=3 bytes=252 mark=0 conntag=icmp-traffic-tag use=1
tcp      6 19 TIME_WAIT src=192.168.100.2 dst=192.168.100.1 sport=46402 dport=22 packets=25 bytes=5084 src=192.168.100.1 dst=192.168.100.2 sport=22 dport=46402 packets=20 bytes=4824 [ASSURED] mark=0 conntag=tcp-traffic-tag use=1
conntrack v1.4.7 (conntrack-tools): 2 flow entries have been shown.

Step 9: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

CONNTAG=icmp-traffic-tag
Show output
Jan 27 16:48:22.754331 osdx systemd-journald[1842]: Runtime Journal (/run/log/journal/7f16b2c6785447ce99316296df636466) is 1.8M, max 13.8M, 11.9M free.
Jan 27 16:48:22.754873 osdx systemd-journald[1842]: Received client request to rotate journal, rotating.
Jan 27 16:48:22.754938 osdx systemd-journald[1842]: Vacuuming done, freed 0B of archived journals from /run/log/journal/7f16b2c6785447ce99316296df636466.
Jan 27 16:48:22.765540 osdx OSDxCLI[44999]: User 'admin' executed a new command: 'system journal clear'.
Jan 27 16:48:22.878802 osdx ulogd[57798]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=icmp-traffic-tag
Jan 27 16:48:22.878827 osdx ulogd[57798]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=icmp-traffic-tag
Jan 27 16:48:25.013477 osdx ulogd[57798]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=46402 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=46402 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jan 27 16:48:25.013497 osdx ulogd[57798]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=46402 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=46402 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jan 27 16:48:25.013509 osdx ulogd[57798]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=46402 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=46402 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jan 27 16:48:25.183792 osdx sshd[57840]: Accepted password for admin from 192.168.100.2 port 46402 ssh2
Jan 27 16:48:25.191157 osdx sshd[57840]: pam_env(sshd:session): deprecated reading of user environment enabled
Jan 27 16:48:25.262512 osdx OSDxCLI[57850]: User 'admin' has logged in.
Jan 27 16:48:25.277249 osdx OSDxCLI[57850]: User 'admin' has logged out.
Jan 27 16:48:25.283185 osdx sshd[57849]: Received disconnect from 192.168.100.2 port 46402:11: disconnected by user
Jan 27 16:48:25.283190 osdx ulogd[57798]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=46402 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=46402 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jan 27 16:48:25.283209 osdx ulogd[57798]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=46402 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=46402 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jan 27 16:48:25.283324 osdx sshd[57849]: Disconnected from user admin 192.168.100.2 port 46402
Jan 27 16:48:25.284777 osdx ulogd[57798]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=46402 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=46402 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jan 27 16:48:25.284930 osdx ulogd[57798]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=46402 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=46402 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jan 27 16:48:25.417018 osdx OSDxCLI[44999]: User 'admin' executed a new command: 'system conntrack show'.

Step 10: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:

CONNTAG=tcp-traffic-tag
Show output
Jan 27 16:48:22.754331 osdx systemd-journald[1842]: Runtime Journal (/run/log/journal/7f16b2c6785447ce99316296df636466) is 1.8M, max 13.8M, 11.9M free.
Jan 27 16:48:22.754873 osdx systemd-journald[1842]: Received client request to rotate journal, rotating.
Jan 27 16:48:22.754938 osdx systemd-journald[1842]: Vacuuming done, freed 0B of archived journals from /run/log/journal/7f16b2c6785447ce99316296df636466.
Jan 27 16:48:22.765540 osdx OSDxCLI[44999]: User 'admin' executed a new command: 'system journal clear'.
Jan 27 16:48:22.878802 osdx ulogd[57798]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=icmp-traffic-tag
Jan 27 16:48:22.878827 osdx ulogd[57798]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=icmp-traffic-tag
Jan 27 16:48:25.013477 osdx ulogd[57798]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=46402 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=46402 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jan 27 16:48:25.013497 osdx ulogd[57798]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=46402 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=46402 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jan 27 16:48:25.013509 osdx ulogd[57798]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=46402 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=46402 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jan 27 16:48:25.183792 osdx sshd[57840]: Accepted password for admin from 192.168.100.2 port 46402 ssh2
Jan 27 16:48:25.191157 osdx sshd[57840]: pam_env(sshd:session): deprecated reading of user environment enabled
Jan 27 16:48:25.262512 osdx OSDxCLI[57850]: User 'admin' has logged in.
Jan 27 16:48:25.277249 osdx OSDxCLI[57850]: User 'admin' has logged out.
Jan 27 16:48:25.283185 osdx sshd[57849]: Received disconnect from 192.168.100.2 port 46402:11: disconnected by user
Jan 27 16:48:25.283190 osdx ulogd[57798]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=46402 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=46402 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jan 27 16:48:25.283209 osdx ulogd[57798]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=46402 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=46402 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jan 27 16:48:25.283324 osdx sshd[57849]: Disconnected from user admin 192.168.100.2 port 46402
Jan 27 16:48:25.284777 osdx ulogd[57798]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=46402 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=46402 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jan 27 16:48:25.284930 osdx ulogd[57798]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=46402 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=46402 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jan 27 16:48:25.417018 osdx OSDxCLI[44999]: User 'admin' executed a new command: 'system conntrack show'.
Jan 27 16:48:25.491921 osdx OSDxCLI[44999]: User 'admin' executed a new command: 'system journal show | cat'.
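
The checks made by hand in the logging, persistence and multiple-policy scenarios above (a CONNTAG on every logged event, the same tag for the whole life of a connection, the tag that the matching policy rule sets, and the 255-character limit) can be run mechanically over journal output. The following Python is an added example, not part of the OSDx documentation or its test suite; parse_event, audit and EXPECTED_TAGS are names chosen for this example. It assumes that CONNTAG is the last field of a ulogd event line and that an untagged connection is logged with the field omitted; the last three sample lines are constructed to exercise the failure cases.

```python
import re
from collections import defaultdict

MAX_CONNTAG_LEN = 255  # limit stated at the top of this page

# Tags that POLICY_MULTI on this page sets per protocol.
EXPECTED_TAGS = {"ICMP": "icmp-traffic-tag", "TCP": "tcp-traffic-tag"}

EVENT_RE = re.compile(
    r"ulogd\[\d+\]: \[(?P<event>NEW|UPDATE|DESTROY)\] "
    r"ORIG: (?P<orig>.*?) , REPLY: (?P<reply>.*)$"
)
# Assumption: CONNTAG is the last field and its value runs to end of line.
TAG_RE = re.compile(r"(?:^| )CONNTAG=(?P<tag>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Sample input: the first five lines follow the journal output shown on this
# page; the last three are constructed (an untagged UDP flow and a TCP flow
# whose tag differs between NEW and UPDATE).
SAMPLE_JOURNAL = """\
Jan 27 16:48:22.878802 osdx ulogd[57798]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=icmp-traffic-tag
Jan 27 16:48:22.878827 osdx ulogd[57798]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=icmp-traffic-tag
Jan 27 16:48:25.013477 osdx ulogd[57798]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=46402 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=46402 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jan 27 16:48:25.013497 osdx ulogd[57798]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=46402 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=46402 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jan 27 16:48:25.183792 osdx sshd[57840]: Accepted password for admin from 192.168.100.2 port 46402 ssh2
Jan 27 16:48:26.000001 osdx ulogd[57798]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=UDP SPT=40000 DPT=53 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=UDP SPT=53 DPT=40000 PKTS=0 BYTES=0
Jan 27 16:48:27.000001 osdx ulogd[57798]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=46500 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=46500 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jan 27 16:48:27.000002 osdx ulogd[57798]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=46500 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=46500 PKTS=0 BYTES=0 CONNTAG=other-tag
"""


def parse_event(line):
    """Return a dict for a ulogd conntrack event line, or None for other lines."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    tag_m = TAG_RE.search(m.group("reply"))
    orig = dict(KV_RE.findall(m.group("orig")))
    # The ICMP events on this page carry no id field, so all pings between
    # two hosts share one key; TCP/UDP flows are separated by their ports.
    flow = (orig.get("PROTO"), orig.get("SRC"), orig.get("DST"),
            orig.get("SPT"), orig.get("DPT"))
    return {"event": m.group("event"), "flow": flow,
            "tag": tag_m.group("tag") if tag_m else None}


def audit(journal_text, expected=EXPECTED_TAGS):
    """Group events by flow; return (flows, findings) with findings as (flow, reason)."""
    flows = defaultdict(list)
    for line in journal_text.splitlines():
        ev = parse_event(line)
        if ev:
            flows[ev["flow"]].append(ev)
    findings = []
    for flow, events in flows.items():
        tags = {ev["tag"] for ev in events}
        if None in tags:
            findings.append((flow, "event logged without CONNTAG"))
        named = tags - {None}
        if len(named) > 1:
            findings.append((flow, "tag changed during lifetime: %s" % sorted(named)))
        for tag in sorted(named):
            if len(tag) > MAX_CONNTAG_LEN:
                findings.append((flow, "tag longer than %d characters" % MAX_CONNTAG_LEN))
            want = expected.get(flow[0])
            if want is not None and tag != want:
                findings.append((flow, "unexpected tag %r" % tag))
    return flows, findings


if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_JOURNAL)[1]:
        print(flow, reason)
```

On a device, the input would be the text returned by system journal show | cat, with EXPECTED_TAGS adjusted to the tags the configured traffic policy sets.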