Conntag
The following scenarios show how the conntag feature integrates with conntrack logging and system conntrack show commands. Conntag allows tagging conntrack entries with string values (up to 255 characters) for traffic identification and logging.
Conntag In Conntrack Show
Description
Verify that conntag values appear correctly in the
system conntrack show command output. The conntag
field should display the string value assigned to the
connection via traffic policy.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces ethernet eth0 traffic policy in POLICY_TAG set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy POLICY_TAG rule 1 set conntag my-logged-tag
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24 set protocols static route 0.0.0.0/0 next-hop 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.364 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.364/0.364/0.364/0.000 ms
Step 4: Run command system conntrack clear at DUT0 and expect this output:
Show output
Connection tracking table has been emptied
Step 5: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.246 ms 64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.263 ms 64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.269 ms --- 192.168.100.1 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2036ms rtt min/avg/max/mdev = 0.246/0.259/0.269/0.009 ms
Step 6: Run command system conntrack show at DUT0 and expect this output:
Show output
icmp 1 29 src=192.168.100.2 dst=192.168.100.1 type=8 code=0 id=757 packets=3 bytes=252 src=192.168.100.1 dst=192.168.100.2 type=0 code=0 id=757 packets=3 bytes=252 mark=0 conntag=my-logged-tag use=1 conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Conntag In Conntrack Logging
Description
Verify that conntag values appear in conntrack logging
events when system conntrack logging events is enabled.
The CONNTAG field should be included in log entries for
NEW, UPDATE, and DESTROY events.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces ethernet eth0 traffic policy in POLICY_TAG set system conntrack logging events all set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy POLICY_TAG rule 1 set conntag my-logged-tag
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24 set protocols static route 0.0.0.0/0 next-hop 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.544 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.544/0.544/0.544/0.000 ms
Step 4: Run command system conntrack clear at DUT0 and expect this output:
Show output
Connection tracking table has been emptied
Step 5: Run command system journal clear at DUT0 and expect this output:
Show output
Vacuuming done, freed 0B of archived journals from /run/log/journal. Deleted archived journal /run/log/journal/fef7273cfed74888920ec39438478308/system@49dfdc862bfc4c0082012cc566ec61e1-0000000000028925-00064aa8f29848b4.journal (124.0K). Vacuuming done, freed 124.0K of archived journals from /run/log/journal/fef7273cfed74888920ec39438478308. Vacuuming done, freed 0B of archived journals from /var/log/journal.
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.266 ms 64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.285 ms 64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.262 ms --- 192.168.100.1 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2038ms rtt min/avg/max/mdev = 0.262/0.271/0.285/0.010 ms
Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
CONNTAG=my-logged-tagShow output
Feb 12 23:35:47.619060 osdx systemd-journald[681778]: Runtime Journal (/run/log/journal/fef7273cfed74888920ec39438478308) is 2.3M, max 17.2M, 14.9M free. Feb 12 23:35:47.621341 osdx systemd-journald[681778]: Received client request to rotate journal, rotating. Feb 12 23:35:47.621392 osdx systemd-journald[681778]: Vacuuming done, freed 0B of archived journals from /run/log/journal/fef7273cfed74888920ec39438478308. Feb 12 23:35:47.629111 osdx OSDxCLI[781896]: User 'admin' executed a new command: 'system journal clear'. Feb 12 23:35:47.738324 osdx ulogd[815078]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=my-logged-tag Feb 12 23:35:47.738344 osdx ulogd[815078]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=my-logged-tag
Conntag In Traffic Policy Log
Description
Verify that conntag values appear in traffic policy log
entries when the log option is enabled on a rule that
sets conntag.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces ethernet eth0 traffic policy in POLICY_TAG set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy POLICY_TAG rule 1 log prefix CONNTAG set traffic policy POLICY_TAG rule 1 set conntag my-logged-tag
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24 set protocols static route 0.0.0.0/0 next-hop 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=1.35 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 1.347/1.347/1.347/0.000 ms
Step 4: Run command system conntrack clear at DUT0 and expect this output:
Show output
Connection tracking table has been emptied
Step 5: Run command system journal clear at DUT0 and expect this output:
Show output
Deleted archived journal /run/log/journal/fef7273cfed74888920ec39438478308/system@49dfdc862bfc4c0082012cc566ec61e1-0000000000028976-00064aa8f322ec29.journal (96.0K). Vacuuming done, freed 96.0K of archived journals from /run/log/journal/fef7273cfed74888920ec39438478308. Vacuuming done, freed 0B of archived journals from /var/log/journal. Vacuuming done, freed 0B of archived journals from /run/log/journal.
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.656 ms 64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.302 ms 64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.310 ms --- 192.168.100.1 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2040ms rtt min/avg/max/mdev = 0.302/0.422/0.656/0.165 ms
Step 7: Run command system journal show | tail at DUT0 and check if output contains the following tokens:
[CONNTAG-1] ACCEPTShow output
Feb 12 23:35:56.959517 osdx systemd-journald[681778]: Runtime Journal (/run/log/journal/fef7273cfed74888920ec39438478308) is 2.2M, max 17.2M, 14.9M free. Feb 12 23:35:56.962439 osdx systemd-journald[681778]: Received client request to rotate journal, rotating. Feb 12 23:35:56.962522 osdx systemd-journald[681778]: Vacuuming done, freed 0B of archived journals from /run/log/journal/fef7273cfed74888920ec39438478308. Feb 12 23:35:56.978389 osdx OSDxCLI[781896]: User 'admin' executed a new command: 'system journal clear'. Feb 12 23:35:57.097419 osdx kernel: [CONNTAG-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:de:ad:be:ef:6c:10:08:00 SRC=192.168.100.2 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=32675 DF PROTO=ICMP TYPE=8 CODE=0 ID=761 SEQ=1 Feb 12 23:35:58.113202 osdx kernel: [CONNTAG-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:de:ad:be:ef:6c:10:08:00 SRC=192.168.100.2 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=32799 DF PROTO=ICMP TYPE=8 CODE=0 ID=761 SEQ=2 Feb 12 23:35:59.137212 osdx kernel: [CONNTAG-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:de:ad:be:ef:6c:10:08:00 SRC=192.168.100.2 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=32968 DF PROTO=ICMP TYPE=8 CODE=0 ID=761 SEQ=3
Conntag Persistence Through Connection States
Description
Verify that conntag values persist through different connection states (NEW, ESTABLISHED). The tag should remain associated with the connection throughout its lifecycle.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces ethernet eth0 traffic policy in POLICY_TAG set system conntrack logging events all set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy POLICY_TAG rule 1 set conntag my-logged-tag
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24 set protocols static route 0.0.0.0/0 next-hop 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.504 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.504/0.504/0.504/0.000 ms
Step 4: Run command system conntrack clear at DUT0 and expect this output:
Show output
Connection tracking table has been emptied
Step 5: Run command system journal clear at DUT0 and expect this output:
Show output
Deleted archived journal /run/log/journal/fef7273cfed74888920ec39438478308/system@49dfdc862bfc4c0082012cc566ec61e1-00000000000289aa-00064aa8f3bb7356.journal (124.0K). Vacuuming done, freed 124.0K of archived journals from /run/log/journal/fef7273cfed74888920ec39438478308. Vacuuming done, freed 0B of archived journals from /run/log/journal. Vacuuming done, freed 0B of archived journals from /var/log/journal.
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.265 ms 64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.332 ms 64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.327 ms --- 192.168.100.1 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2031ms rtt min/avg/max/mdev = 0.265/0.308/0.332/0.030 ms
Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
\[NEW\].*CONNTAG=my-logged-tagShow output
Feb 12 23:36:06.940817 osdx systemd-journald[681778]: Runtime Journal (/run/log/journal/fef7273cfed74888920ec39438478308) is 2.2M, max 17.2M, 15.0M free. Feb 12 23:36:06.942593 osdx systemd-journald[681778]: Received client request to rotate journal, rotating. Feb 12 23:36:06.942672 osdx systemd-journald[681778]: Vacuuming done, freed 0B of archived journals from /run/log/journal/fef7273cfed74888920ec39438478308. Feb 12 23:36:06.964497 osdx OSDxCLI[781896]: User 'admin' executed a new command: 'system journal clear'. Feb 12 23:36:07.114844 osdx ulogd[815815]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=my-logged-tag Feb 12 23:36:07.114870 osdx ulogd[815815]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=my-logged-tag
Step 8: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
\[UPDATE\].*CONNTAG=my-logged-tagShow output
Feb 12 23:36:06.940817 osdx systemd-journald[681778]: Runtime Journal (/run/log/journal/fef7273cfed74888920ec39438478308) is 2.2M, max 17.2M, 15.0M free. Feb 12 23:36:06.942593 osdx systemd-journald[681778]: Received client request to rotate journal, rotating. Feb 12 23:36:06.942672 osdx systemd-journald[681778]: Vacuuming done, freed 0B of archived journals from /run/log/journal/fef7273cfed74888920ec39438478308. Feb 12 23:36:06.964497 osdx OSDxCLI[781896]: User 'admin' executed a new command: 'system journal clear'. Feb 12 23:36:07.114844 osdx ulogd[815815]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=my-logged-tag Feb 12 23:36:07.114870 osdx ulogd[815815]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=my-logged-tag Feb 12 23:36:09.244683 osdx OSDxCLI[781896]: User 'admin' executed a new command: 'system journal show | cat'.
Conntag With Long String In Logs
Description
Verify that long conntag strings are correctly logged and displayed. The system should handle strings up to 255 characters without truncation in logs.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces ethernet eth0 traffic policy in POLICY_TAG set system conntrack logging events new set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy POLICY_TAG rule 1 set conntag application-traffic-identifier-v1.2.3-production-env
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24 set protocols static route 0.0.0.0/0 next-hop 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.388 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.388/0.388/0.388/0.000 ms
Step 4: Run command system conntrack clear at DUT0 and expect this output:
Show output
Connection tracking table has been emptied
Step 5: Run command system journal clear at DUT0 and expect this output:
Show output
Vacuuming done, freed 0B of archived journals from /var/log/journal. Vacuuming done, freed 0B of archived journals from /run/log/journal. Deleted archived journal /run/log/journal/fef7273cfed74888920ec39438478308/system@49dfdc862bfc4c0082012cc566ec61e1-00000000000289fc-00064aa8f45411ac.journal (120.0K). Vacuuming done, freed 120.0K of archived journals from /run/log/journal/fef7273cfed74888920ec39438478308.
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.689 ms 64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.234 ms 64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.304 ms --- 192.168.100.1 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2051ms rtt min/avg/max/mdev = 0.234/0.409/0.689/0.200 ms
Step 7: Run command system conntrack show at DUT0 and expect this output:
Show output
icmp 1 29 src=192.168.100.2 dst=192.168.100.1 type=8 code=0 id=765 packets=3 bytes=252 src=192.168.100.1 dst=192.168.100.2 type=0 code=0 id=765 packets=3 bytes=252 mark=0 conntag=application-traffic-identifier-v1.2.3-production-env use=1 conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Step 8: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
CONNTAG=application-traffic-identifierShow output
Feb 12 23:36:17.038481 osdx systemd-journald[681778]: Runtime Journal (/run/log/journal/fef7273cfed74888920ec39438478308) is 2.2M, max 17.2M, 14.9M free. Feb 12 23:36:17.040237 osdx systemd-journald[681778]: Received client request to rotate journal, rotating. Feb 12 23:36:17.040307 osdx systemd-journald[681778]: Vacuuming done, freed 0B of archived journals from /run/log/journal/fef7273cfed74888920ec39438478308. Feb 12 23:36:17.048837 osdx OSDxCLI[781896]: User 'admin' executed a new command: 'system journal clear'. Feb 12 23:36:17.184791 osdx ulogd[816196]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=application-traffic-identifier-v1.2.3-production-env Feb 12 23:36:19.316510 osdx OSDxCLI[781896]: User 'admin' executed a new command: 'system conntrack show'.
Conntag With Multiple Policies
Description
Verify that different traffic policies can set different conntag values, and each connection is tagged appropriately based on which policy rule matched.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces ethernet eth0 traffic policy in POLICY_MULTI set service ssh set system conntrack logging events all set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy POLICY_MULTI rule 1 selector SEL_ICMP set traffic policy POLICY_MULTI rule 1 set conntag icmp-traffic-tag set traffic policy POLICY_MULTI rule 2 selector SEL_TCP set traffic policy POLICY_MULTI rule 2 set conntag tcp-traffic-tag set traffic selector SEL_ICMP rule 1 protocol icmp set traffic selector SEL_TCP rule 1 protocol tcp
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24 set protocols static route 0.0.0.0/0 next-hop 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.617 ms 64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.283 ms 64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.281 ms --- 192.168.100.1 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2047ms rtt min/avg/max/mdev = 0.281/0.393/0.617/0.157 ms
Step 4: Run command system conntrack clear at DUT0 and expect this output:
Show output
Connection tracking table has been emptied
Step 5: Run command system journal clear at DUT0 and expect this output:
Show output
Deleted archived journal /run/log/journal/fef7273cfed74888920ec39438478308/system@49dfdc862bfc4c0082012cc566ec61e1-0000000000028a4b-00064aa8f4fbe536.journal (132.0K). Vacuuming done, freed 132.0K of archived journals from /run/log/journal/fef7273cfed74888920ec39438478308. Vacuuming done, freed 0B of archived journals from /var/log/journal. Vacuuming done, freed 0B of archived journals from /run/log/journal.
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.324 ms 64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.325 ms 64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.259 ms --- 192.168.100.1 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2049ms rtt min/avg/max/mdev = 0.259/0.302/0.325/0.030 ms
Step 7: Init an SSH connection from DUT1 to IP address 192.168.100.1 with the user admin:
admin@DUT1$ ssh admin@192.168.100.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/nullShow output
Warning: Permanently added '192.168.100.1' (ECDSA) to the list of known hosts. admin@192.168.100.1's password: Welcome to Teldat OSDx v4.2.8.3 This system includes free software. Contact Teldat for licenses information and source code. Last login: Thu Feb 12 23:18:21 2026 admin@osdx$
Step 8: Run command system conntrack show at DUT0 and expect this output:
Show output
icmp 1 29 src=192.168.100.2 dst=192.168.100.1 type=8 code=0 id=767 packets=3 bytes=252 src=192.168.100.1 dst=192.168.100.2 type=0 code=0 id=767 packets=3 bytes=252 mark=0 conntag=icmp-traffic-tag use=1 tcp 6 19 TIME_WAIT src=192.168.100.2 dst=192.168.100.1 sport=44670 dport=22 packets=25 bytes=5084 src=192.168.100.1 dst=192.168.100.2 sport=22 dport=44670 packets=20 bytes=4832 [ASSURED] mark=0 conntag=tcp-traffic-tag use=1 conntrack v1.4.7 (conntrack-tools): 2 flow entries have been shown.
Step 9: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
CONNTAG=icmp-traffic-tagShow output
Feb 12 23:36:30.994628 osdx systemd-journald[681778]: Runtime Journal (/run/log/journal/fef7273cfed74888920ec39438478308) is 2.2M, max 17.2M, 14.9M free. Feb 12 23:36:30.995909 osdx systemd-journald[681778]: Received client request to rotate journal, rotating. Feb 12 23:36:30.995962 osdx systemd-journald[681778]: Vacuuming done, freed 0B of archived journals from /run/log/journal/fef7273cfed74888920ec39438478308. Feb 12 23:36:31.006400 osdx OSDxCLI[781896]: User 'admin' executed a new command: 'system journal clear'. Feb 12 23:36:31.121314 osdx ulogd[816660]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=icmp-traffic-tag Feb 12 23:36:31.121339 osdx ulogd[816660]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=icmp-traffic-tag Feb 12 23:36:33.256565 osdx ulogd[816660]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=44670 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=44670 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 12 23:36:33.256585 osdx ulogd[816660]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=44670 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=44670 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 12 23:36:33.256679 osdx ulogd[816660]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=44670 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=44670 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 12 23:36:33.413001 osdx sshd[816702]: Accepted password for admin from 192.168.100.2 port 44670 ssh2 Feb 12 23:36:33.419785 osdx sshd[816702]: pam_env(sshd:session): deprecated reading of user environment enabled Feb 12 23:36:33.495091 osdx OSDxCLI[816712]: User 'admin' has logged in. Feb 12 23:36:33.509909 osdx OSDxCLI[816712]: User 'admin' has logged out. Feb 12 23:36:33.514443 osdx ulogd[816660]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=44670 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=44670 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 12 23:36:33.514455 osdx sshd[816711]: Received disconnect from 192.168.100.2 port 44670:11: disconnected by user Feb 12 23:36:33.514460 osdx ulogd[816660]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=44670 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=44670 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 12 23:36:33.514581 osdx sshd[816711]: Disconnected from user admin 192.168.100.2 port 44670 Feb 12 23:36:33.516406 osdx ulogd[816660]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=44670 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=44670 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 12 23:36:33.516588 osdx ulogd[816660]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=44670 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=44670 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 12 23:36:33.643904 osdx OSDxCLI[781896]: User 'admin' executed a new command: 'system conntrack show'.
Step 10: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
CONNTAG=tcp-traffic-tagShow output
Feb 12 23:36:30.994628 osdx systemd-journald[681778]: Runtime Journal (/run/log/journal/fef7273cfed74888920ec39438478308) is 2.2M, max 17.2M, 14.9M free. Feb 12 23:36:30.995909 osdx systemd-journald[681778]: Received client request to rotate journal, rotating. Feb 12 23:36:30.995962 osdx systemd-journald[681778]: Vacuuming done, freed 0B of archived journals from /run/log/journal/fef7273cfed74888920ec39438478308. Feb 12 23:36:31.006400 osdx OSDxCLI[781896]: User 'admin' executed a new command: 'system journal clear'. Feb 12 23:36:31.121314 osdx ulogd[816660]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=icmp-traffic-tag Feb 12 23:36:31.121339 osdx ulogd[816660]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=icmp-traffic-tag Feb 12 23:36:33.256565 osdx ulogd[816660]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=44670 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=44670 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 12 23:36:33.256585 osdx ulogd[816660]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=44670 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=44670 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 12 23:36:33.256679 osdx ulogd[816660]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=44670 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=44670 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 12 23:36:33.413001 osdx sshd[816702]: Accepted password for admin from 192.168.100.2 port 44670 ssh2 Feb 12 23:36:33.419785 osdx sshd[816702]: pam_env(sshd:session): deprecated reading of user environment enabled Feb 12 23:36:33.495091 osdx OSDxCLI[816712]: User 'admin' has logged in. Feb 12 23:36:33.509909 osdx OSDxCLI[816712]: User 'admin' has logged out. Feb 12 23:36:33.514443 osdx ulogd[816660]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=44670 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=44670 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 12 23:36:33.514455 osdx sshd[816711]: Received disconnect from 192.168.100.2 port 44670:11: disconnected by user Feb 12 23:36:33.514460 osdx ulogd[816660]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=44670 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=44670 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 12 23:36:33.514581 osdx sshd[816711]: Disconnected from user admin 192.168.100.2 port 44670 Feb 12 23:36:33.516406 osdx ulogd[816660]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=44670 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=44670 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 12 23:36:33.516588 osdx ulogd[816660]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=44670 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=44670 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 12 23:36:33.643904 osdx OSDxCLI[781896]: User 'admin' executed a new command: 'system conntrack show'. Feb 12 23:36:33.722885 osdx OSDxCLI[781896]: User 'admin' executed a new command: 'system journal show | cat'.