Re: Testing on hosts with firewalls

[Mike Frysinger <vapier at gentoo dot org>]

On 29 Dec 2016 13:53, Florian Weimer wrote:
> I'm finally porting my resolv tests, using and enhancing the support/ 
> framework.  Unfortunately, I hit a major roadblock along the way: 
> netfilter connection tracking.
> 
> resolv testing uses many short-lived UDP and TCP flows. It's not clear 
> how to reduce the number of these flows.  For TCP, the TIME_WAIT state 
> gets us (which is a bit silly for localhost traffic).  For UDP, we might 
> slash the timeout by 1/6 if we change the stub resolver so that it never 
> sends more than one query over one UDP socket.  This means that A/AAAA 
> parallel queries need two flows instead of one, so the overall reduction 
> in table load is 1/3.
> 
> But with a typical default netfilter table size of 64K entries, this 
> will not really help all that much.
> 
> We could start fixing the test server ports.  The default dynamic port 
> range includes 28232 ports.  This would mean that the number of flows 
> per test server port would be bounded by that.  But the TIME_WAIT state 
> will still conspire against us, I fear.
> 
> I will experiment with SO_LINGER, but I hesitate to set this option for 
> the stub resolver.  Maybe we could do so for localhost only.
> 
> I would prefer if the resolv tests weren't xtests.  Can we require that 
> the testing is done without a firewall connection tracking, or 
> sufficiently large table sizes?

does it help if you run all the tests in a unique net namespace ?
i think our skel test framework should set up unique namespaces
all the time anyways to prevent inadvertent leakage, and to handle
issues like port collisions.
-mike

Attachment: signature.asc
Description: Digital signature