Conntag
The following scenarios show how the conntag feature integrates with conntrack logging and system conntrack show commands. Conntag allows tagging conntrack entries with string values (up to 255 characters) for traffic identification and logging.
Conntag In Conntrack Show
Description
Verify that conntag values appear correctly in the
system conntrack show command output. The conntag
field should display the string value assigned to the
connection via traffic policy.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces ethernet eth0 traffic policy in POLICY_TAG set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy POLICY_TAG rule 1 set conntag my-logged-tag
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24 set protocols static route 0.0.0.0/0 next-hop 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.495 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.495/0.495/0.495/0.000 ms
Step 4: Run command system conntrack clear at DUT0 and expect this output:
Show output
Connection tracking table has been emptied
Step 5: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.284 ms 64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.240 ms 64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.287 ms --- 192.168.100.1 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2041ms rtt min/avg/max/mdev = 0.240/0.270/0.287/0.021 ms
Step 6: Run command system conntrack show at DUT0 and expect this output:
Show output
icmp 1 29 src=192.168.100.2 dst=192.168.100.1 type=8 code=0 id=546 packets=3 bytes=252 src=192.168.100.1 dst=192.168.100.2 type=0 code=0 id=546 packets=3 bytes=252 mark=0 conntag=my-logged-tag use=1 conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Conntag In Conntrack Logging
Description
Verify that conntag values appear in conntrack logging
events when system conntrack logging events is enabled.
The CONNTAG field should be included in log entries for
NEW, UPDATE, and DESTROY events.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces ethernet eth0 traffic policy in POLICY_TAG set system conntrack logging events all set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy POLICY_TAG rule 1 set conntag my-logged-tag
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24 set protocols static route 0.0.0.0/0 next-hop 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.351 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.351/0.351/0.351/0.000 ms
Step 4: Run command system conntrack clear at DUT0 and expect this output:
Show output
Connection tracking table has been emptied
Step 5: Run command system journal clear at DUT0 and expect this output:
Show output
Vacuuming done, freed 0B of archived journals from /var/log/journal. Deleted archived journal /run/log/journal/69bd8e6fd19244c08e519827aa7e309f/system@ad701fd0d9574f3d99608ff002f1c080-0000000000021589-00064b2cda0e7146.journal (124.0K). Vacuuming done, freed 124.0K of archived journals from /run/log/journal/69bd8e6fd19244c08e519827aa7e309f. Vacuuming done, freed 0B of archived journals from /run/log/journal.
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.237 ms 64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.231 ms 64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.546 ms --- 192.168.100.1 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2031ms rtt min/avg/max/mdev = 0.231/0.338/0.546/0.147 ms
Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
CONNTAG=my-logged-tagShow output
Feb 19 12:57:51.497355 osdx systemd-journald[2186]: Runtime Journal (/run/log/journal/69bd8e6fd19244c08e519827aa7e309f) is 2.3M, max 17.2M, 14.9M free. Feb 19 12:57:51.501045 osdx systemd-journald[2186]: Received client request to rotate journal, rotating. Feb 19 12:57:51.501102 osdx systemd-journald[2186]: Vacuuming done, freed 0B of archived journals from /run/log/journal/69bd8e6fd19244c08e519827aa7e309f. Feb 19 12:57:51.507138 osdx OSDxCLI[633180]: User 'admin' executed a new command: 'system journal clear'. Feb 19 12:57:51.635542 osdx ulogd[643144]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=my-logged-tag Feb 19 12:57:51.635561 osdx ulogd[643144]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=my-logged-tag
Conntag In Traffic Policy Log
Description
Verify that conntag values appear in traffic policy log
entries when the log option is enabled on a rule that
sets conntag.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces ethernet eth0 traffic policy in POLICY_TAG set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy POLICY_TAG rule 1 log prefix CONNTAG set traffic policy POLICY_TAG rule 1 set conntag my-logged-tag
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24 set protocols static route 0.0.0.0/0 next-hop 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.411 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.411/0.411/0.411/0.000 ms
Step 4: Run command system conntrack clear at DUT0 and expect this output:
Show output
Connection tracking table has been emptied
Step 5: Run command system journal clear at DUT0 and expect this output:
Show output
Vacuuming done, freed 0B of archived journals from /run/log/journal. Vacuuming done, freed 0B of archived journals from /var/log/journal. Deleted archived journal /run/log/journal/69bd8e6fd19244c08e519827aa7e309f/system@ad701fd0d9574f3d99608ff002f1c080-00000000000215da-00064b2cda97aba6.journal (96.0K). Vacuuming done, freed 96.0K of archived journals from /run/log/journal/69bd8e6fd19244c08e519827aa7e309f.
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.461 ms 64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.323 ms 64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.315 ms --- 192.168.100.1 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2043ms rtt min/avg/max/mdev = 0.315/0.366/0.461/0.067 ms
Step 7: Run command system journal show | tail at DUT0 and check if output contains the following tokens:
[CONNTAG-1] ACCEPTShow output
Feb 19 12:58:00.603306 osdx systemd-journald[2186]: Runtime Journal (/run/log/journal/69bd8e6fd19244c08e519827aa7e309f) is 2.2M, max 17.2M, 14.9M free. Feb 19 12:58:00.606094 osdx systemd-journald[2186]: Received client request to rotate journal, rotating. Feb 19 12:58:00.606166 osdx systemd-journald[2186]: Vacuuming done, freed 0B of archived journals from /run/log/journal/69bd8e6fd19244c08e519827aa7e309f. Feb 19 12:58:00.613736 osdx OSDxCLI[633180]: User 'admin' executed a new command: 'system journal clear'. Feb 19 12:58:00.724508 osdx kernel: [CONNTAG-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:de:ad:be:ef:6c:10:08:00 SRC=192.168.100.2 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=9648 DF PROTO=ICMP TYPE=8 CODE=0 ID=550 SEQ=1 Feb 19 12:58:01.743117 osdx kernel: [CONNTAG-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:de:ad:be:ef:6c:10:08:00 SRC=192.168.100.2 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=9773 DF PROTO=ICMP TYPE=8 CODE=0 ID=550 SEQ=2 Feb 19 12:58:02.767101 osdx kernel: [CONNTAG-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:de:ad:be:ef:6c:10:08:00 SRC=192.168.100.2 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=10001 DF PROTO=ICMP TYPE=8 CODE=0 ID=550 SEQ=3
Conntag Persistence Through Connection States
Description
Verify that conntag values persist through different connection states (NEW, ESTABLISHED). The tag should remain associated with the connection throughout its lifecycle.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces ethernet eth0 traffic policy in POLICY_TAG set system conntrack logging events all set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy POLICY_TAG rule 1 set conntag my-logged-tag
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24 set protocols static route 0.0.0.0/0 next-hop 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.387 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.387/0.387/0.387/0.000 ms
Step 4: Run command system conntrack clear at DUT0 and expect this output:
Show output
Connection tracking table has been emptied
Step 5: Run command system journal clear at DUT0 and expect this output:
Show output
Vacuuming done, freed 0B of archived journals from /run/log/journal. Vacuuming done, freed 0B of archived journals from /var/log/journal. Deleted archived journal /run/log/journal/69bd8e6fd19244c08e519827aa7e309f/system@ad701fd0d9574f3d99608ff002f1c080-000000000002160e-00064b2cdb2161a8.journal (124.0K). Vacuuming done, freed 124.0K of archived journals from /run/log/journal/69bd8e6fd19244c08e519827aa7e309f.
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.259 ms 64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.224 ms 64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.272 ms --- 192.168.100.1 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2029ms rtt min/avg/max/mdev = 0.224/0.251/0.272/0.020 ms
Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
\[NEW\].*CONNTAG=my-logged-tagShow output
Feb 19 12:58:09.595721 osdx systemd-journald[2186]: Runtime Journal (/run/log/journal/69bd8e6fd19244c08e519827aa7e309f) is 2.2M, max 17.2M, 15.0M free. Feb 19 12:58:09.597569 osdx systemd-journald[2186]: Received client request to rotate journal, rotating. Feb 19 12:58:09.597626 osdx systemd-journald[2186]: Vacuuming done, freed 0B of archived journals from /run/log/journal/69bd8e6fd19244c08e519827aa7e309f. Feb 19 12:58:09.605126 osdx OSDxCLI[633180]: User 'admin' executed a new command: 'system journal clear'. Feb 19 12:58:09.738067 osdx ulogd[643865]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=my-logged-tag Feb 19 12:58:09.738087 osdx ulogd[643865]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=my-logged-tag
Step 8: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
\[UPDATE\].*CONNTAG=my-logged-tagShow output
Feb 19 12:58:09.595721 osdx systemd-journald[2186]: Runtime Journal (/run/log/journal/69bd8e6fd19244c08e519827aa7e309f) is 2.2M, max 17.2M, 15.0M free. Feb 19 12:58:09.597569 osdx systemd-journald[2186]: Received client request to rotate journal, rotating. Feb 19 12:58:09.597626 osdx systemd-journald[2186]: Vacuuming done, freed 0B of archived journals from /run/log/journal/69bd8e6fd19244c08e519827aa7e309f. Feb 19 12:58:09.605126 osdx OSDxCLI[633180]: User 'admin' executed a new command: 'system journal clear'. Feb 19 12:58:09.738067 osdx ulogd[643865]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=my-logged-tag Feb 19 12:58:09.738087 osdx ulogd[643865]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=my-logged-tag Feb 19 12:58:11.841956 osdx OSDxCLI[633180]: User 'admin' executed a new command: 'system journal show | cat'.
Conntag With Long String In Logs
Description
Verify that long conntag strings are correctly logged and displayed. The system should handle strings up to 255 characters without truncation in logs.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces ethernet eth0 traffic policy in POLICY_TAG set system conntrack logging events new set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy POLICY_TAG rule 1 set conntag application-traffic-identifier-v1.2.3-production-env
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24 set protocols static route 0.0.0.0/0 next-hop 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.463 ms --- 192.168.100.1 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.463/0.463/0.463/0.000 ms
Step 4: Run command system conntrack clear at DUT0 and expect this output:
Show output
Connection tracking table has been emptied
Step 5: Run command system journal clear at DUT0 and expect this output:
Show output
Deleted archived journal /run/log/journal/69bd8e6fd19244c08e519827aa7e309f/system@ad701fd0d9574f3d99608ff002f1c080-0000000000021660-00064b2cdbaad902.journal (120.0K). Vacuuming done, freed 120.0K of archived journals from /run/log/journal/69bd8e6fd19244c08e519827aa7e309f. Vacuuming done, freed 0B of archived journals from /run/log/journal. Vacuuming done, freed 0B of archived journals from /var/log/journal.
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.309 ms 64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.262 ms 64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.255 ms --- 192.168.100.1 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2045ms rtt min/avg/max/mdev = 0.255/0.275/0.309/0.023 ms
Step 7: Run command system conntrack show at DUT0 and expect this output:
Show output
icmp 1 29 src=192.168.100.2 dst=192.168.100.1 type=8 code=0 id=554 packets=3 bytes=252 src=192.168.100.1 dst=192.168.100.2 type=0 code=0 id=554 packets=3 bytes=252 mark=0 conntag=application-traffic-identifier-v1.2.3-production-env use=1 conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Step 8: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
CONNTAG=application-traffic-identifierShow output
Feb 19 12:58:18.818535 osdx systemd-journald[2186]: Runtime Journal (/run/log/journal/69bd8e6fd19244c08e519827aa7e309f) is 2.2M, max 17.2M, 14.9M free. Feb 19 12:58:18.822494 osdx systemd-journald[2186]: Received client request to rotate journal, rotating. Feb 19 12:58:18.822594 osdx systemd-journald[2186]: Vacuuming done, freed 0B of archived journals from /run/log/journal/69bd8e6fd19244c08e519827aa7e309f. Feb 19 12:58:18.830329 osdx OSDxCLI[633180]: User 'admin' executed a new command: 'system journal clear'. Feb 19 12:58:18.914663 osdx ulogd[644239]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=application-traffic-identifier-v1.2.3-production-env Feb 19 12:58:21.034468 osdx OSDxCLI[633180]: User 'admin' executed a new command: 'system conntrack show'.
Conntag With Multiple Policies
Description
Verify that different traffic policies can set different conntag values, and each connection is tagged appropriately based on which policy rule matched.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.100.1/24 set interfaces ethernet eth0 traffic policy in POLICY_MULTI set service ssh set system conntrack logging events all set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy POLICY_MULTI rule 1 selector SEL_ICMP set traffic policy POLICY_MULTI rule 1 set conntag icmp-traffic-tag set traffic policy POLICY_MULTI rule 2 selector SEL_TCP set traffic policy POLICY_MULTI rule 2 set conntag tcp-traffic-tag set traffic selector SEL_ICMP rule 1 protocol icmp set traffic selector SEL_TCP rule 1 protocol tcp
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24 set protocols static route 0.0.0.0/0 next-hop 192.168.100.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.518 ms 64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.269 ms 64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.248 ms --- 192.168.100.1 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2035ms rtt min/avg/max/mdev = 0.248/0.345/0.518/0.122 ms
Step 4: Run command system conntrack clear at DUT0 and expect this output:
Show output
Connection tracking table has been emptied
Step 5: Run command system journal clear at DUT0 and expect this output:
Show output
Vacuuming done, freed 0B of archived journals from /run/log/journal. Deleted archived journal /run/log/journal/69bd8e6fd19244c08e519827aa7e309f/system@ad701fd0d9574f3d99608ff002f1c080-00000000000216af-00064b2cdc340a2c.journal (132.0K). Vacuuming done, freed 132.0K of archived journals from /run/log/journal/69bd8e6fd19244c08e519827aa7e309f. Vacuuming done, freed 0B of archived journals from /var/log/journal.
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.689 ms 64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.311 ms 64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.281 ms --- 192.168.100.1 ping statistics --- 3 packets transmitted, 3 received, 0% packet loss, time 2047ms rtt min/avg/max/mdev = 0.281/0.427/0.689/0.185 ms
Step 7: Init an SSH connection from DUT1 to IP address 192.168.100.1 with the user admin:
admin@DUT1$ ssh admin@192.168.100.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/nullShow output
Warning: Permanently added '192.168.100.1' (ECDSA) to the list of known hosts. admin@192.168.100.1's password: Welcome to Teldat OSDx v4.2.8.4 This system includes free software. Contact Teldat for licenses information and source code. Last login: Thu Feb 19 12:50:51 2026 admin@osdx$
Step 8: Run command system conntrack show at DUT0 and expect this output:
Show output
tcp 6 19 TIME_WAIT src=192.168.100.2 dst=192.168.100.1 sport=45960 dport=22 packets=25 bytes=5084 src=192.168.100.1 dst=192.168.100.2 sport=22 dport=45960 packets=20 bytes=4824 [ASSURED] mark=0 conntag=tcp-traffic-tag use=1 icmp 1 29 src=192.168.100.2 dst=192.168.100.1 type=8 code=0 id=556 packets=3 bytes=252 src=192.168.100.1 dst=192.168.100.2 type=0 code=0 id=556 packets=3 bytes=252 mark=0 conntag=icmp-traffic-tag use=1 conntrack v1.4.7 (conntrack-tools): 2 flow entries have been shown.
Step 9: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
CONNTAG=icmp-traffic-tagShow output
Feb 19 12:58:30.655477 osdx systemd-journald[2186]: Runtime Journal (/run/log/journal/69bd8e6fd19244c08e519827aa7e309f) is 2.2M, max 17.2M, 14.9M free. Feb 19 12:58:30.655989 osdx systemd-journald[2186]: Received client request to rotate journal, rotating. Feb 19 12:58:30.656023 osdx systemd-journald[2186]: Vacuuming done, freed 0B of archived journals from /run/log/journal/69bd8e6fd19244c08e519827aa7e309f. Feb 19 12:58:30.666217 osdx OSDxCLI[633180]: User 'admin' executed a new command: 'system journal clear'. Feb 19 12:58:30.754101 osdx ulogd[644697]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=icmp-traffic-tag Feb 19 12:58:30.754124 osdx ulogd[644697]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=icmp-traffic-tag Feb 19 12:58:32.886151 osdx ulogd[644697]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=45960 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=45960 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 19 12:58:32.886172 osdx ulogd[644697]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=45960 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=45960 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 19 12:58:32.886185 osdx ulogd[644697]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=45960 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=45960 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 19 12:58:33.084737 osdx sshd[644739]: Accepted password for admin from 192.168.100.2 port 45960 ssh2 Feb 19 12:58:33.092293 osdx sshd[644739]: pam_env(sshd:session): deprecated reading of user environment enabled Feb 19 12:58:33.164496 osdx OSDxCLI[644749]: User 'admin' has logged in. Feb 19 12:58:33.180226 osdx OSDxCLI[644749]: User 'admin' has logged out. Feb 19 12:58:33.184192 osdx sshd[644748]: Received disconnect from 192.168.100.2 port 45960:11: disconnected by user Feb 19 12:58:33.184269 osdx ulogd[644697]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=45960 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=45960 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 19 12:58:33.184303 osdx sshd[644748]: Disconnected from user admin 192.168.100.2 port 45960 Feb 19 12:58:33.186083 osdx ulogd[644697]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=45960 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=45960 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 19 12:58:33.186328 osdx ulogd[644697]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=45960 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=45960 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 19 12:58:33.326724 osdx OSDxCLI[633180]: User 'admin' executed a new command: 'system conntrack show'.
Step 10: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
CONNTAG=tcp-traffic-tagShow output
Feb 19 12:58:30.655477 osdx systemd-journald[2186]: Runtime Journal (/run/log/journal/69bd8e6fd19244c08e519827aa7e309f) is 2.2M, max 17.2M, 14.9M free. Feb 19 12:58:30.655989 osdx systemd-journald[2186]: Received client request to rotate journal, rotating. Feb 19 12:58:30.656023 osdx systemd-journald[2186]: Vacuuming done, freed 0B of archived journals from /run/log/journal/69bd8e6fd19244c08e519827aa7e309f. Feb 19 12:58:30.666217 osdx OSDxCLI[633180]: User 'admin' executed a new command: 'system journal clear'. Feb 19 12:58:30.754101 osdx ulogd[644697]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=icmp-traffic-tag Feb 19 12:58:30.754124 osdx ulogd[644697]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=icmp-traffic-tag Feb 19 12:58:32.886151 osdx ulogd[644697]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=45960 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=45960 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 19 12:58:32.886172 osdx ulogd[644697]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=45960 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=45960 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 19 12:58:32.886185 osdx ulogd[644697]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=45960 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=45960 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 19 12:58:33.084737 osdx sshd[644739]: Accepted password for admin from 192.168.100.2 port 45960 ssh2 Feb 19 12:58:33.092293 osdx sshd[644739]: pam_env(sshd:session): deprecated reading of user environment enabled Feb 19 12:58:33.164496 osdx OSDxCLI[644749]: User 'admin' has logged in. Feb 19 12:58:33.180226 osdx OSDxCLI[644749]: User 'admin' has logged out. Feb 19 12:58:33.184192 osdx sshd[644748]: Received disconnect from 192.168.100.2 port 45960:11: disconnected by user Feb 19 12:58:33.184269 osdx ulogd[644697]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=45960 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=45960 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 19 12:58:33.184303 osdx sshd[644748]: Disconnected from user admin 192.168.100.2 port 45960 Feb 19 12:58:33.186083 osdx ulogd[644697]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=45960 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=45960 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 19 12:58:33.186328 osdx ulogd[644697]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=45960 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=45960 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag Feb 19 12:58:33.326724 osdx OSDxCLI[633180]: User 'admin' executed a new command: 'system conntrack show'. Feb 19 12:58:33.402509 osdx OSDxCLI[633180]: User 'admin' executed a new command: 'system journal show | cat'.