% nfsim: Untested code is buggy code
% Rusty Russell (rusty@rustcorp.com.au)
% Co-Author: Jeremy Kerr (jk@ozlabs.org)

The netfilter simulation environment (nfsim) allows netfilter developers to build, run, and test their code without having to touch a real network or be root. On top of this, we built a regression testsuite for netfilter and iptables.

Nfsim provides an emulated kernel environment in userspace, with a simulated IPv4 stack, as well as enhanced versions of standard kernel primitives such as locking and a proc filesystem. The kernel code is sucked into the nfsim environment and run as a userspace application with a scriptable command-line interface which can load and unload modules, add a route, inject a packet or run iptables, control time, inspect proc, etc.

More importantly, we can test every single permutation of external failures automatically: packet drops, kmalloc failures, timer deletion races, etc. This makes it possible to check error paths that never happen in real life.

This paper will discuss some of our experiences with nfsim and the progression of the netfilter testsuite as new features became available in the simulator, and the amazing effect on development. We will also show the techniques we used for exhaustive testing, and why these should be a part of every project.
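The exhaustive failure-injection idea above, as an added illustration in plain C rather than nfsim's own code: a stand-in for kmalloc is made to fail at each allocation index in turn, and a leak counter checks that the code under test unwinds cleanly on every error path. The names (sim_kmalloc, build_list, exhaustive_kmalloc_check) and the list-building function under test are constructed for this example.

```c
#include <stdlib.h>

/* Fault-injection state: each run fails at most one allocation. */
static int alloc_seq;     /* allocations attempted so far in this run */
static int fail_at = -1;  /* index of the allocation to fail; -1 = never */
static int live_allocs;   /* outstanding allocations, for leak detection */

/* Stand-in for kmalloc: fails exactly when the scheduled index is reached. */
static void *sim_kmalloc(size_t size) {
    if (alloc_seq++ == fail_at) return NULL;
    live_allocs++;
    return malloc(size);
}
static void sim_kfree(void *p) { if (p) { live_allocs--; free(p); } }

struct node { int value; struct node *next; };
static void free_list(struct node *head) {
    while (head) { struct node *next = head->next; sim_kfree(head); head = next; }
}

/* Code under test (constructed): builds an n-node list and must unwind on any failure. */
static struct node *build_list(int n) {
    struct node *head = NULL;
    for (int i = 0; i < n; i++) {
        struct node *nd = sim_kmalloc(sizeof(*nd));
        if (!nd) { free_list(head); return NULL; }  /* error path under test */
        nd->value = i; nd->next = head; head = nd;
    }
    return head;
}

/* One run: 1 if the result matched expectation and nothing leaked. */
static int run_once(int n, int at, int expect_null) {
    alloc_seq = 0; live_allocs = 0; fail_at = at;
    struct node *l = build_list(n);
    int got_null = (l == NULL);
    free_list(l);
    return live_allocs == 0 && got_null == expect_null;
}

/* Fail every allocation point in turn; returns the number of failure paths
 * exercised, or -1 if any path leaked or returned a partial list. */
int exhaustive_kmalloc_check(int n) {
    if (!run_once(n, -1, 0)) return -1;
    int total = alloc_seq;                /* allocation count of a clean run */
    for (int i = 0; i < total; i++)
        if (!run_once(n, i, 1)) return -1;
    return total;
}
```

A clean run first counts the allocation points, then one run per point forces that allocation to fail; any leak or partial result on an error path fails the check.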