Testing on hosts with firewalls

Florian Weimer fweimer@redhat.com
Thu Dec 29 12:53:00 GMT 2016


I'm finally porting my resolv tests, using and enhancing the support/ 
framework.  Unfortunately, I hit a major roadblock along the way: 
netfilter connection tracking.

resolv testing uses many short-lived UDP and TCP flows. It's not clear 
how to reduce the number of these flows.  For TCP, the TIME_WAIT state 
gets us (which is a bit silly for localhost traffic).  For UDP, we might 
slash the timeout by 1/6 if we change the stub resolver so that it never 
sends more than one query over one UDP socket.  This means that A/AAAA 
parallel queries need two flows instead of one, so the overall reduction 
in table load is 1/3.

But with a typical default netfilter table size of 64K entries, this 
will not really help all that much.

We could start fixing the test server ports.  The default dynamic port 
range includes 28232 ports.  This would mean that the number of flows 
per test server port would be bounded by that.  But the TIME_WAIT state 
will still conspire against us, I fear.

I will experiment with SO_LINGER, but I hesitate to set this option for 
the stub resolver.  Maybe we could do so for localhost only.

I would prefer it if the resolv tests weren't xtests.  Can we require that 
the testing is done without firewall connection tracking, or with 
sufficiently large table sizes?

Thanks,
Florian
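The "SO_LINGER for localhost only" idea from the message, as an added example that is my own code, not glibc's resolver or test framework: a helper that makes close() abortive (RST instead of FIN, so the socket skips TIME_WAIT) only when getpeername reports a loopback peer, leaving connections to real servers untouched. The function names are assumptions.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 1 if the peer of fd is a loopback address (IPv4 127/8, IPv6 ::1,
   or an IPv4-mapped 127/8 address), 0 if it is not, -1 on error
   (for example when fd is not connected). */
int peer_is_loopback(int fd)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof ss;
    if (getpeername(fd, (struct sockaddr *) &ss, &len) != 0)
        return -1;
    if (ss.ss_family == AF_INET) {
        struct sockaddr_in *sin = (struct sockaddr_in *) &ss;
        return (ntohl(sin->sin_addr.s_addr) >> 24) == 127;
    }
    if (ss.ss_family == AF_INET6) {
        struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) &ss;
        if (IN6_IS_ADDR_LOOPBACK(&sin6->sin6_addr))
            return 1;
        if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr))
            return sin6->sin6_addr.s6_addr[12] == 127;
        return 0;
    }
    return 0;  /* AF_UNIX and other families are never "loopback" here. */
}

/* Hypothetical helper: request an abortive close (l_onoff = 1, l_linger = 0,
   so close() sends RST and drops any unsent data) but only when the peer is
   loopback, where there is no remote state worth protecting with TIME_WAIT.
   Returns 1 if the option was applied, 0 if the peer is not loopback,
   -1 on error. */
int abortive_close_if_loopback(int fd)
{
    int lb = peer_is_loopback(fd);
    if (lb <= 0)
        return lb;
    struct linger lg = { .l_onoff = 1, .l_linger = 0 };
    if (setsockopt(fd, SOL_SOCKET, SO_LINGER, &lg, sizeof lg) != 0)
        return -1;
    return 1;
}
```

An RST does not make the conntrack entry disappear at once; netfilter keeps it for its (much shorter) CLOSE timeout, so the table still sees a burst of short-lived entries, just not the long TIME_WAIT ones.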