Conntag
The following scenarios show how the conntag feature integrates with conntrack logging and the system conntrack show command. Conntag lets a traffic policy rule (set ... set conntag <string>) attach a string value of up to 255 characters to the conntrack entry of a flow, for traffic identification and logging. Once set, the tag is printed as conntag=<string> by system conntrack show and as CONNTAG=<string> in the ulogd event lines written to the journal when system conntrack logging events is enabled.
Conntag In Conntrack Show
Description
Verify that conntag values appear correctly in the system conntrack show command output. The conntag field should display the string value assigned to the connection via traffic policy.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.100.1/24
set interfaces ethernet eth0 traffic policy in POLICY_TAG
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_TAG rule 1 set conntag my-logged-tag
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.707 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.707/0.707/0.707/0.000 ms
Step 4: Run command system conntrack clear at DUT0 and expect this output:
Connection tracking table has been emptied
Step 5: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.559 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.238 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.229 ms

--- 192.168.100.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2030ms
rtt min/avg/max/mdev = 0.229/0.342/0.559/0.153 ms
Step 6: Run command system conntrack show at DUT0 and expect this output:
icmp 1 29 src=192.168.100.2 dst=192.168.100.1 type=8 code=0 id=22 packets=3 bytes=252 src=192.168.100.1 dst=192.168.100.2 type=0 code=0 id=22 packets=3 bytes=252 mark=0 conntag=my-logged-tag use=1
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
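The entry above is in the line format of conntrack-tools (conntrack -L): protocol name and number, timeout, an optional TCP state word, the original-direction tuple, the reply-direction tuple, optional flags such as [ASSURED], and then entry-wide fields including conntag. The following is an added example, not OSDx or conntrack-tools code, of parsing that output so the tag can be checked per flow from a script; it goes beyond this scenario by also handling a TCP entry with a state word and [ASSURED], using the two entry lines that appear on this page as constructed sample input.

```python
"""Parse `system conntrack show` output (conntrack-tools `conntrack -L` line
format) and pull the conntag out of every flow entry.

Added example for this page, not OSDx or conntrack-tools code. SAMPLE_SHOW is
built from the icmp and tcp entry lines shown in this document.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample `system conntrack show` output, copied from this page. The trailing
# summary line is included because a real capture always carries it.
SAMPLE_SHOW = """\
icmp 1 29 src=192.168.100.2 dst=192.168.100.1 type=8 code=0 id=22 packets=3 bytes=252 src=192.168.100.1 dst=192.168.100.2 type=0 code=0 id=22 packets=3 bytes=252 mark=0 conntag=my-logged-tag use=1
tcp 6 19 TIME_WAIT src=192.168.100.2 dst=192.168.100.1 sport=35230 dport=22 packets=25 bytes=5111 src=192.168.100.1 dst=192.168.100.2 sport=22 dport=35230 packets=20 bytes=4823 [ASSURED] mark=0 conntag=tcp-traffic-tag use=1
conntrack v1.4.7 (conntrack-tools): 2 flow entries have been shown.
"""

KV_RE = re.compile(r"^(\w+)=(\S*)$")
# Keys that describe the whole entry rather than one direction of the tuple.
ENTRY_KEYS = {"mark", "conntag", "use", "zone", "secctx", "delta-time"}


@dataclass
class Flow:
    proto: str
    proto_num: int
    timeout: int
    state: Optional[str]       # TCP state word (e.g. TIME_WAIT); None for icmp/udp
    orig: Dict[str, str]       # first src=/dst=/... group: original direction
    reply: Dict[str, str]      # second group: reply direction
    assured: bool
    mark: int
    conntag: Optional[str]     # None when the entry carries no tag
    use: int


def parse_entry(line: str) -> Optional[Flow]:
    """Parse one conntrack entry line; return None for summary or blank lines."""
    parts = line.split()
    if len(parts) < 4 or not parts[1].isdigit() or not parts[2].isdigit():
        return None
    proto, proto_num, timeout = parts[0], int(parts[1]), int(parts[2])
    rest = parts[3:]
    state = None
    if "=" not in rest[0] and not rest[0].startswith("["):
        state = rest[0]                   # e.g. TIME_WAIT, ESTABLISHED
        rest = rest[1:]
    orig: Dict[str, str] = {}
    reply: Dict[str, str] = {}
    entry: Dict[str, str] = {}
    current = orig
    assured = False
    for tok in rest:
        if tok == "[ASSURED]":
            assured = True
            continue
        m = KV_RE.match(tok)
        if not m:
            continue                      # other bracket flags, e.g. [UNREPLIED]
        key, value = m.groups()
        if key in ENTRY_KEYS:
            entry[key] = value
            continue
        # The second "src=" opens the reply-direction tuple.
        if key == "src" and "src" in current:
            current = reply
        current[key] = value
    return Flow(proto, proto_num, timeout, state, orig, reply, assured,
                int(entry.get("mark", "0")), entry.get("conntag"),
                int(entry.get("use", "0")))


def parse_show(text: str) -> List[Flow]:
    flows = [parse_entry(line) for line in text.splitlines()]
    return [f for f in flows if f is not None]


def flows_by_tag(flows: List[Flow]) -> Dict[Optional[str], List[Flow]]:
    """Group flows by conntag; untagged flows land under the None key."""
    groups: Dict[Optional[str], List[Flow]] = {}
    for f in flows:
        groups.setdefault(f.conntag, []).append(f)
    return groups


if __name__ == "__main__":
    for f in parse_show(SAMPLE_SHOW):
        print(f"{f.proto:<5} {f.orig['src']} -> {f.orig['dst']} "
              f"state={f.state} assured={f.assured} conntag={f.conntag}")
```

The parser switches from the original to the reply tuple on the second src= token rather than counting fields, because the number of per-direction fields differs between ICMP (type/code/id) and TCP (sport/dport); flows_by_tag is the view a practitioner wants when auditing which connections a policy actually tagged.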
Conntag In Conntrack Logging
Description
Verify that conntag values appear in conntrack logging events when system conntrack logging events is enabled. The CONNTAG field should be included in the ulogd log entries for NEW, UPDATE, and DESTROY events. In the run below only [NEW] and [UPDATE] events are captured: the journal is read while the ICMP entry is still in the conntrack table, so no [DESTROY] event has been emitted yet. Two further points are visible in the output: the PKTS/BYTES counters in the event lines are zero, and the ICMP TYPE/CODE values printed by ulogd do not match the type=8 code=0 original tuple that system conntrack show reports for the same flow, so use the conntrack table rather than the event lines for counters and the ICMP tuple.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.100.1/24
set interfaces ethernet eth0 traffic policy in POLICY_TAG
set system conntrack logging events all
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_TAG rule 1 set conntag my-logged-tag
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.744 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.744/0.744/0.744/0.000 ms
Step 4: Run command system conntrack clear at DUT0 and expect this output:
Connection tracking table has been emptied
Step 5: Run command system journal clear at DUT0 and expect this output:
Vacuuming done, freed 0B of archived journals from /var/log/journal.
Vacuuming done, freed 0B of archived journals from /run/log/journal.
Deleted archived journal /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4/system@b2a3ce0988494c3a886da4e49a31d2c5-0000000000002495-0006536b7544cf39.journal (112.0K).
Vacuuming done, freed 112.0K of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.561 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.208 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.247 ms

--- 192.168.100.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2051ms
rtt min/avg/max/mdev = 0.208/0.338/0.561/0.158 ms
Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
CONNTAG=my-logged-tag
Jun 04 11:00:56.686599 osdx systemd-journald[2213]: Runtime Journal (/run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4) is 1.8M, max 13.8M, 11.9M free.
Jun 04 11:00:56.689573 osdx systemd-journald[2213]: Received client request to rotate journal, rotating.
Jun 04 11:00:56.689627 osdx systemd-journald[2213]: Vacuuming done, freed 0B of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Jun 04 11:00:56.697286 osdx OSDxCLI[31450]: User 'admin' executed a new command: 'system journal clear'.
Jun 04 11:00:56.798999 osdx ulogd[45821]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=my-logged-tag
Jun 04 11:00:56.799022 osdx ulogd[45821]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=my-logged-tag
Conntag In Traffic Policy Log
Description
Verify that conntag values appear in traffic policy log entries when the log option is enabled on a rule that sets conntag.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.100.1/24
set interfaces ethernet eth0 traffic policy in POLICY_TAG
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_TAG rule 1 log prefix CONNTAG
set traffic policy POLICY_TAG rule 1 set conntag my-logged-tag
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.700 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.700/0.700/0.700/0.000 ms
Step 4: Run command system conntrack clear at DUT0 and expect this output:
Connection tracking table has been emptied
Step 5: Run command system journal clear at DUT0 and expect this output:
Vacuuming done, freed 0B of archived journals from /var/log/journal.
Deleted archived journal /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4/system@b2a3ce0988494c3a886da4e49a31d2c5-00000000000024e5-0006536b75ce61af.journal (84.0K).
Vacuuming done, freed 84.0K of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Vacuuming done, freed 0B of archived journals from /run/log/journal.
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.523 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.316 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.302 ms

--- 192.168.100.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2046ms
rtt min/avg/max/mdev = 0.302/0.380/0.523/0.101 ms
Step 7: Run command system journal show | tail at DUT0 and check if output contains the following tokens:
[CONNTAG-1] ACCEPT
Jun 04 11:01:05.832324 osdx systemd-journald[2213]: Runtime Journal (/run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4) is 1.8M, max 13.8M, 12.0M free.
Jun 04 11:01:05.836303 osdx systemd-journald[2213]: Received client request to rotate journal, rotating.
Jun 04 11:01:05.836370 osdx systemd-journald[2213]: Vacuuming done, freed 0B of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Jun 04 11:01:05.842459 osdx OSDxCLI[31450]: User 'admin' executed a new command: 'system journal clear'.
Jun 04 11:01:05.962020 osdx kernel: [CONNTAG-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:de:ad:be:ef:6c:10:08:00 SRC=192.168.100.2 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=16621 DF PROTO=ICMP TYPE=8 CODE=0 ID=26 SEQ=1
Jun 04 11:01:06.984242 osdx kernel: [CONNTAG-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:de:ad:be:ef:6c:10:08:00 SRC=192.168.100.2 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=16796 DF PROTO=ICMP TYPE=8 CODE=0 ID=26 SEQ=2
Jun 04 11:01:08.008215 osdx kernel: [CONNTAG-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:de:ad:be:ef:6c:10:08:00 SRC=192.168.100.2 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=16836 DF PROTO=ICMP TYPE=8 CODE=0 ID=26 SEQ=3
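The rule's log option produces one kernel log line per matched packet, prefixed with the configured prefix and the rule number in brackets, followed by the verdict and the usual key=value packet fields. The following is an added example, not OSDx code, that parses these lines and checks that every packet of the flow was seen by the tagging rule (no echo sequence number missing, a single rule and verdict). The sample lines are copied from the output above; splitting the bracketed prefix into CONNTAG and rule 1 follows what this page shows and is an inference from the output, not a documented contract.

```python
"""Parse the kernel log lines emitted by a traffic-policy rule with `log prefix`
and summarise, per flow, which rule logged the packets and with what verdict.

Added example for this page, not OSDx code. SAMPLE_KERNEL_LOG is copied from the
`system journal show | tail` output shown above (one unrelated CLI line kept in
to show it is ignored).
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_KERNEL_LOG = """\
Jun 04 11:01:05.842459 osdx OSDxCLI[31450]: User 'admin' executed a new command: 'system journal clear'.
Jun 04 11:01:05.962020 osdx kernel: [CONNTAG-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:de:ad:be:ef:6c:10:08:00 SRC=192.168.100.2 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=16621 DF PROTO=ICMP TYPE=8 CODE=0 ID=26 SEQ=1
Jun 04 11:01:06.984242 osdx kernel: [CONNTAG-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:de:ad:be:ef:6c:10:08:00 SRC=192.168.100.2 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=16796 DF PROTO=ICMP TYPE=8 CODE=0 ID=26 SEQ=2
Jun 04 11:01:08.008215 osdx kernel: [CONNTAG-1] ACCEPT IN=eth0 OUT= MAC=de:ad:be:ef:6c:00:de:ad:be:ef:6c:10:08:00 SRC=192.168.100.2 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=16836 DF PROTO=ICMP TYPE=8 CODE=0 ID=26 SEQ=3
"""

LINE_RE = re.compile(r"kernel: \[(?P<prefix>[^\]]+)\] (?P<verdict>[A-Z]+) (?P<fields>.*)$")
KV_RE = re.compile(r"^(\w+)=(\S*)$")

FlowKey = Tuple[str, str, str, str]


def parse_nflog(line: str) -> Optional[dict]:
    """Parse one kernel log line; return None for lines that are not rule logs."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for tok in m["fields"].split():
        kv = KV_RE.match(tok)
        if not kv:
            flags.append(tok)            # bare flags such as DF
            continue
        key, value = kv.groups()
        # The IP header ID and the ICMP echo identifier are both printed as ID=;
        # the one that follows PROTO= is the L4 field, so keep it separately.
        if key == "ID" and "PROTO" in fields:
            key = "ECHO_ID"
        fields[key] = value
    # Observed format on this page: "<configured prefix>-<rule number>".
    prefix, rule = m["prefix"], None
    head, sep, tail = prefix.rpartition("-")
    if sep and tail.isdigit():
        prefix, rule = head, int(tail)
    return {"prefix": prefix, "rule": rule, "verdict": m["verdict"],
            "flags": flags, **fields}


def summarize(text: str) -> Dict[FlowKey, dict]:
    """Group logged packets per flow (src, dst, proto, echo id) and record the
    verdicts, (prefix, rule) pairs and echo sequence numbers seen."""
    flows: Dict[FlowKey, dict] = {}
    for line in text.splitlines():
        pkt = parse_nflog(line)
        if pkt is None:
            continue
        key = (pkt["SRC"], pkt["DST"], pkt["PROTO"], pkt.get("ECHO_ID", ""))
        entry = flows.setdefault(key, {"verdicts": set(), "rules": set(), "seqs": []})
        entry["verdicts"].add(pkt["verdict"])
        entry["rules"].add((pkt["prefix"], pkt["rule"]))
        if "SEQ" in pkt:
            entry["seqs"].append(int(pkt["SEQ"]))
    return flows


def seq_gaps(seqs: List[int]) -> List[int]:
    """Echo sequence numbers missing between the first and last logged packet;
    a gap means a packet of the flow was not logged by the tagging rule."""
    if not seqs:
        return []
    return sorted(set(range(min(seqs), max(seqs) + 1)) - set(seqs))


if __name__ == "__main__":
    for key, info in summarize(SAMPLE_KERNEL_LOG).items():
        print(key, info["verdicts"], info["rules"], "gaps:", seq_gaps(info["seqs"]))
```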
Conntag Persistence Through Connection States
Description
Verify that conntag values persist through different connection states (NEW, ESTABLISHED). The tag should remain associated with the connection throughout its lifecycle; the checks below look for CONNTAG on both the [NEW] and the [UPDATE] ulogd events of the same flow.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.100.1/24
set interfaces ethernet eth0 traffic policy in POLICY_TAG
set system conntrack logging events all
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_TAG rule 1 set conntag my-logged-tag
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.823 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.823/0.823/0.823/0.000 ms
Step 4: Run command system conntrack clear at DUT0 and expect this output:
Connection tracking table has been emptied
Step 5: Run command system journal clear at DUT0 and expect this output:
Deleted archived journal /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4/system@b2a3ce0988494c3a886da4e49a31d2c5-0000000000002516-0006536b7652aec8.journal (64.0K).
Deleted archived journal /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4/system@b2a3ce0988494c3a886da4e49a31d2c5-0000000000002519-0006536b76582929.journal (112.0K).
Vacuuming done, freed 176.0K of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Vacuuming done, freed 0B of archived journals from /run/log/journal.
Vacuuming done, freed 0B of archived journals from /var/log/journal.
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.570 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.337 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.353 ms

--- 192.168.100.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2036ms
rtt min/avg/max/mdev = 0.337/0.420/0.570/0.106 ms
Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
\[NEW\].*CONNTAG=my-logged-tag
Jun 04 11:01:14.865191 osdx systemd-journald[2213]: Runtime Journal (/run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4) is 1.8M, max 13.8M, 11.9M free.
Jun 04 11:01:14.868909 osdx systemd-journald[2213]: Received client request to rotate journal, rotating.
Jun 04 11:01:14.868984 osdx systemd-journald[2213]: Vacuuming done, freed 0B of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Jun 04 11:01:14.880008 osdx OSDxCLI[31450]: User 'admin' executed a new command: 'system journal clear'.
Jun 04 11:01:14.956789 osdx ulogd[46549]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=my-logged-tag
Jun 04 11:01:14.956820 osdx ulogd[46549]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=my-logged-tag
Step 8: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
\[UPDATE\].*CONNTAG=my-logged-tag
Jun 04 11:01:14.865191 osdx systemd-journald[2213]: Runtime Journal (/run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4) is 1.8M, max 13.8M, 11.9M free.
Jun 04 11:01:14.868909 osdx systemd-journald[2213]: Received client request to rotate journal, rotating.
Jun 04 11:01:14.868984 osdx systemd-journald[2213]: Vacuuming done, freed 0B of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Jun 04 11:01:14.880008 osdx OSDxCLI[31450]: User 'admin' executed a new command: 'system journal clear'.
Jun 04 11:01:14.956789 osdx ulogd[46549]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=my-logged-tag
Jun 04 11:01:14.956820 osdx ulogd[46549]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=my-logged-tag
Jun 04 11:01:17.065522 osdx OSDxCLI[31450]: User 'admin' executed a new command: 'system journal show | cat'.
Conntag With Long String In Logs
Description
Verify that long conntag strings are correctly logged and displayed. The system should handle strings up to 255 characters without truncation in logs. This scenario uses a 52-character tag (application-traffic-identifier-v1.2.3-production-env); the regular expression in Step 8 only anchors on the prefix CONNTAG=application-traffic-identifier, so compare the full tag in the captured output against the configured value to confirm that nothing was truncated.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.100.1/24
set interfaces ethernet eth0 traffic policy in POLICY_TAG
set system conntrack logging events new
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_TAG rule 1 set conntag application-traffic-identifier-v1.2.3-production-env
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 1 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.769 ms

--- 192.168.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.769/0.769/0.769/0.000 ms
Step 4: Run command system conntrack clear at DUT0 and expect this output:
Connection tracking table has been emptied
Step 5: Run command system journal clear at DUT0 and expect this output:
Vacuuming done, freed 0B of archived journals from /var/log/journal.
Vacuuming done, freed 0B of archived journals from /run/log/journal.
Deleted archived journal /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4/system@b2a3ce0988494c3a886da4e49a31d2c5-000000000000256a-0006536b76f0aecd.journal (108.0K).
Vacuuming done, freed 108.0K of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.504 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.261 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.256 ms

--- 192.168.100.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2037ms
rtt min/avg/max/mdev = 0.256/0.340/0.504/0.115 ms
Step 7: Run command system conntrack show at DUT0 and expect this output:
icmp 1 29 src=192.168.100.2 dst=192.168.100.1 type=8 code=0 id=30 packets=3 bytes=252 src=192.168.100.1 dst=192.168.100.2 type=0 code=0 id=30 packets=3 bytes=252 mark=0 conntag=application-traffic-identifier-v1.2.3-production-env use=1
conntrack v1.4.7 (conntrack-tools): 1 flow entries have been shown.
Step 8: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
CONNTAG=application-traffic-identifier
Jun 04 11:01:25.031073 osdx systemd-journald[2213]: Runtime Journal (/run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4) is 1.8M, max 13.8M, 11.9M free.
Jun 04 11:01:25.031932 osdx systemd-journald[2213]: Received client request to rotate journal, rotating.
Jun 04 11:01:25.031977 osdx systemd-journald[2213]: Vacuuming done, freed 0B of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Jun 04 11:01:25.040771 osdx OSDxCLI[31450]: User 'admin' executed a new command: 'system journal clear'.
Jun 04 11:01:25.166587 osdx ulogd[46924]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=application-traffic-identifier-v1.2.3-production-env
Jun 04 11:01:27.309266 osdx OSDxCLI[31450]: User 'admin' executed a new command: 'system conntrack show'.
Conntag With Multiple Policies
Description
Verify that different traffic policies can set different conntag values, and each connection is tagged appropriately based on which policy rule matched.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 192.168.100.1/24
set interfaces ethernet eth0 traffic policy in POLICY_MULTI
set service ssh
set system conntrack logging events all
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy POLICY_MULTI rule 1 selector SEL_ICMP
set traffic policy POLICY_MULTI rule 1 set conntag icmp-traffic-tag
set traffic policy POLICY_MULTI rule 2 selector SEL_TCP
set traffic policy POLICY_MULTI rule 2 set conntag tcp-traffic-tag
set traffic selector SEL_ICMP rule 1 protocol icmp
set traffic selector SEL_TCP rule 1 protocol tcp
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.100.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.100.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.893 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.255 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.257 ms

--- 192.168.100.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2050ms
rtt min/avg/max/mdev = 0.255/0.468/0.893/0.300 ms
Step 4: Run command system conntrack clear at DUT0 and expect this output:
Connection tracking table has been emptied
Step 5: Run command system journal clear at DUT0 and expect this output:
Vacuuming done, freed 0B of archived journals from /run/log/journal.
Vacuuming done, freed 0B of archived journals from /var/log/journal.
Deleted archived journal /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4/system@b2a3ce0988494c3a886da4e49a31d2c5-00000000000025b9-0006536b77888aee.journal (120.0K).
Vacuuming done, freed 120.0K of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Step 6: Ping IP address 192.168.100.1 from DUT1:
admin@DUT1$ ping 192.168.100.1 count 3 size 56 timeout 1
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.497 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=0.284 ms
64 bytes from 192.168.100.1: icmp_seq=3 ttl=64 time=0.323 ms

--- 192.168.100.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2046ms
rtt min/avg/max/mdev = 0.284/0.368/0.497/0.092 ms
Step 7: Init an SSH connection from DUT1 to IP address 192.168.100.1 with the user admin (host key checking is disabled and the known-hosts file discarded because this is a disposable lab topology; do not use these options against production hosts, as they remove the only protection SSH has against a man-in-the-middle on first contact):
admin@DUT1$ ssh admin@192.168.100.1 option StrictHostKeyChecking=no option UserKnownHostsFile=/dev/null
Warning: Permanently added '192.168.100.1' (ECDSA) to the list of known hosts.
admin@192.168.100.1's password:
Welcome to Teldat OSDx v4.2.9.4
This system includes free software. Contact Teldat for licenses information and source code.
Last login: Thu Jun 4 10:51:45 2026
admin@osdx$
Step 8: Run command system conntrack show at DUT0 and expect this output:
icmp 1 29 src=192.168.100.2 dst=192.168.100.1 type=8 code=0 id=32 packets=3 bytes=252 src=192.168.100.1 dst=192.168.100.2 type=0 code=0 id=32 packets=3 bytes=252 mark=0 conntag=icmp-traffic-tag use=1
tcp 6 19 TIME_WAIT src=192.168.100.2 dst=192.168.100.1 sport=35230 dport=22 packets=25 bytes=5111 src=192.168.100.1 dst=192.168.100.2 sport=22 dport=35230 packets=20 bytes=4823 [ASSURED] mark=0 conntag=tcp-traffic-tag use=1
conntrack v1.4.7 (conntrack-tools): 2 flow entries have been shown.
Step 9: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
CONNTAG=icmp-traffic-tag
Jun 04 11:01:37.669225 osdx systemd-journald[2213]: Runtime Journal (/run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4) is 1.8M, max 13.8M, 11.9M free.
Jun 04 11:01:37.672149 osdx systemd-journald[2213]: Received client request to rotate journal, rotating.
Jun 04 11:01:37.672210 osdx systemd-journald[2213]: Vacuuming done, freed 0B of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Jun 04 11:01:37.679145 osdx OSDxCLI[31450]: User 'admin' executed a new command: 'system journal clear'.
Jun 04 11:01:37.789984 osdx ulogd[47382]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=icmp-traffic-tag
Jun 04 11:01:37.790008 osdx ulogd[47382]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=icmp-traffic-tag
Jun 04 11:01:39.922379 osdx ulogd[47382]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=35230 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=35230 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jun 04 11:01:39.922410 osdx ulogd[47382]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=35230 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=35230 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jun 04 11:01:39.923002 osdx ulogd[47382]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=35230 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=35230 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jun 04 11:01:40.108417 osdx sshd[47425]: Accepted password for admin from 192.168.100.2 port 35230 ssh2
Jun 04 11:01:40.116043 osdx sshd[47425]: pam_env(sshd:session): deprecated reading of user environment enabled
Jun 04 11:01:40.188749 osdx OSDxCLI[47435]: User 'admin' has logged in.
Jun 04 11:01:40.220684 osdx OSDxCLI[47435]: User 'admin' has logged out.
Jun 04 11:01:40.225496 osdx sshd[47434]: Received disconnect from 192.168.100.2 port 35230:11: disconnected by user
Jun 04 11:01:40.225647 osdx sshd[47434]: Disconnected from user admin 192.168.100.2 port 35230
Jun 04 11:01:40.225670 osdx ulogd[47382]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=35230 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=35230 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jun 04 11:01:40.225688 osdx ulogd[47382]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=35230 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=35230 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jun 04 11:01:40.226834 osdx ulogd[47382]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=35230 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=35230 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jun 04 11:01:40.227039 osdx ulogd[47382]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=35230 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=35230 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jun 04 11:01:40.370982 osdx OSDxCLI[31450]: User 'admin' executed a new command: 'system conntrack show'.
Step 10: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
CONNTAG=tcp-traffic-tag
Jun 04 11:01:37.669225 osdx systemd-journald[2213]: Runtime Journal (/run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4) is 1.8M, max 13.8M, 11.9M free.
Jun 04 11:01:37.672149 osdx systemd-journald[2213]: Received client request to rotate journal, rotating.
Jun 04 11:01:37.672210 osdx systemd-journald[2213]: Vacuuming done, freed 0B of archived journals from /run/log/journal/d7b8b58d13984d0bb9acdb87ea6c32f4.
Jun 04 11:01:37.679145 osdx OSDxCLI[31450]: User 'admin' executed a new command: 'system journal clear'.
Jun 04 11:01:37.789984 osdx ulogd[47382]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=icmp-traffic-tag
Jun 04 11:01:37.790008 osdx ulogd[47382]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=icmp-traffic-tag
Jun 04 11:01:39.922379 osdx ulogd[47382]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=35230 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=35230 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jun 04 11:01:39.922410 osdx ulogd[47382]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=35230 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=35230 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jun 04 11:01:39.923002 osdx ulogd[47382]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=35230 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=35230 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jun 04 11:01:40.108417 osdx sshd[47425]: Accepted password for admin from 192.168.100.2 port 35230 ssh2
Jun 04 11:01:40.116043 osdx sshd[47425]: pam_env(sshd:session): deprecated reading of user environment enabled
Jun 04 11:01:40.188749 osdx OSDxCLI[47435]: User 'admin' has logged in.
Jun 04 11:01:40.220684 osdx OSDxCLI[47435]: User 'admin' has logged out.
Jun 04 11:01:40.225496 osdx sshd[47434]: Received disconnect from 192.168.100.2 port 35230:11: disconnected by user
Jun 04 11:01:40.225647 osdx sshd[47434]: Disconnected from user admin 192.168.100.2 port 35230
Jun 04 11:01:40.225670 osdx ulogd[47382]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=35230 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=35230 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jun 04 11:01:40.225688 osdx ulogd[47382]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=35230 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=35230 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jun 04 11:01:40.226834 osdx ulogd[47382]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=35230 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=35230 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jun 04 11:01:40.227039 osdx ulogd[47382]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=35230 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=35230 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jun 04 11:01:40.370982 osdx OSDxCLI[31450]: User 'admin' executed a new command: 'system conntrack show'.
Jun 04 11:01:40.457110 osdx OSDxCLI[31450]: User 'admin' executed a new command: 'system journal show | cat'.
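The regular-expression checks in the logging, persistence and multiple-policy scenarios above each grep for one CONNTAG value; a practitioner auditing a device will want to check the same properties per flow: that every event of a flow carries the tag, that the tag never changes between the flow's [NEW], [UPDATE] and [DESTROY] events, and that each flow carries exactly the tag its policy rule should have set (an exact comparison, so a truncated long tag would also be reported). The following is an added example, not OSDx or ulogd code, that parses the ulogd event lines from the journal and performs those checks; the sample is a subset of the journal lines shown in the multiple-policy scenario, and the expected mapping is the one POLICY_MULTI configures.

```python
"""Parse the ulogd conntrack event lines written to the journal when
`system conntrack logging events` is enabled, and check conntag behaviour per
flow: tag present and unchanged across NEW/UPDATE/DESTROY, and equal to the
tag the matching policy rule configures.

Added example for this page, not OSDx or ulogd code. SAMPLE_JOURNAL is a
subset of the `system journal show | cat` output shown above.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_JOURNAL = """\
Jun 04 11:01:37.679145 osdx OSDxCLI[31450]: User 'admin' executed a new command: 'system journal clear'.
Jun 04 11:01:37.789984 osdx ulogd[47382]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=icmp-traffic-tag
Jun 04 11:01:37.790008 osdx ulogd[47382]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=ICMP TYPE=0 CODE=8 PKTS=0 BYTES=0 CONNTAG=icmp-traffic-tag
Jun 04 11:01:39.922379 osdx ulogd[47382]: [NEW] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=35230 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=35230 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jun 04 11:01:39.922410 osdx ulogd[47382]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=35230 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=35230 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
Jun 04 11:01:40.108417 osdx sshd[47425]: Accepted password for admin from 192.168.100.2 port 35230 ssh2
Jun 04 11:01:40.225670 osdx ulogd[47382]: [UPDATE] ORIG: SRC=192.168.100.2 DST=192.168.100.1 PROTO=TCP SPT=35230 DPT=22 PKTS=0 BYTES=0 , REPLY: SRC=192.168.100.1 DST=192.168.100.2 PROTO=TCP SPT=22 DPT=35230 PKTS=0 BYTES=0 CONNTAG=tcp-traffic-tag
"""

# Expected tags as configured in POLICY_MULTI above (selector by protocol).
EXPECTED_BY_PROTO = {"ICMP": "icmp-traffic-tag", "TCP": "tcp-traffic-tag"}

EVENT_RE = re.compile(
    r"ulogd\[\d+\]: \[(?P<event>NEW|UPDATE|DESTROY)\] ORIG: (?P<orig>.*?) , "
    r"REPLY: (?P<reply>.*?)(?: CONNTAG=(?P<tag>\S+))?$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")

FlowKey = Tuple[str, str, str, str, str]


def parse_event(line: str) -> Optional[dict]:
    """Return {event, orig, reply, conntag} for a ulogd event line, else None."""
    m = EVENT_RE.search(line.strip())
    if not m:
        return None
    return {"event": m["event"],
            "orig": dict(KV_RE.findall(m["orig"])),
            "reply": dict(KV_RE.findall(m["reply"])),
            "conntag": m["tag"]}          # None when the entry has no tag


def parse_events(text: str) -> List[dict]:
    return [e for e in map(parse_event, text.splitlines()) if e]


def flow_key(ev: dict) -> FlowKey:
    """Identify a flow by its original-direction 5-tuple (ports empty for ICMP)."""
    o = ev["orig"]
    return (o.get("SRC", ""), o.get("DST", ""), o.get("PROTO", ""),
            o.get("SPT", ""), o.get("DPT", ""))


def by_flow(events: List[dict]) -> Dict[FlowKey, dict]:
    """Per flow: the ordered list of event types and the set of tags seen."""
    flows: Dict[FlowKey, dict] = {}
    for ev in events:
        f = flows.setdefault(flow_key(ev), {"events": [], "tags": set()})
        f["events"].append(ev["event"])
        f["tags"].add(ev["conntag"])
    return flows


def persistence_violations(events: List[dict]) -> List[FlowKey]:
    """Flows whose tag is missing on some event or changes between events."""
    return [k for k, f in by_flow(events).items()
            if len(f["tags"]) != 1 or None in f["tags"]]


def policy_mismatches(events: List[dict], expected: Dict[str, str]
                      ) -> List[Tuple[FlowKey, Optional[str], Optional[str]]]:
    """Events whose logged tag differs from the tag expected for their protocol.
    Exact string comparison, so a truncated tag is reported as a mismatch too."""
    out = []
    for ev in events:
        want = expected.get(ev["orig"].get("PROTO", ""))
        if ev["conntag"] != want:
            out.append((flow_key(ev), ev["conntag"], want))
    return out


def closed_flows(events: List[dict]) -> List[FlowKey]:
    """Flows for which a DESTROY event was logged, i.e. that left the table."""
    return [k for k, f in by_flow(events).items() if "DESTROY" in f["events"]]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_JOURNAL)
    for key, info in by_flow(evs).items():
        print(key, info["events"], info["tags"])
    print("persistence violations:", persistence_violations(evs))
    print("policy mismatches:", policy_mismatches(evs, EXPECTED_BY_PROTO))
    print("flows already destroyed:", closed_flows(evs))
```

closed_flows returns an empty list for the sample, which mirrors the captures on this page: the journal is read while both entries are still in the conntrack table, so the DESTROY event that the logging scenario's description lists has not been emitted yet. Leaving the DESTROY check in place is what lets the same script confirm, on a longer capture, that the tag is still attached when the entry is torn down.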