% nfsim: Untested code is buggy code
% Rusty Russell (rusty@rustcorp.com.au)
% Co-Author: Jeremy Kerr (jk@ozlabs.org)
The netfilter simulation environment (nfsim) allows
netfilter developers to build, run, and test their code
without having to touch a real network or be root.
On top of this, we built a regression testsuite for
netfilter and iptables.
Nfsim provides an emulated kernel environment in
userspace, with a simulated IPv4 stack, as well as
enhanced versions of standard kernel primitives such as
locking and a proc filesystem. The kernel code is
pulled into the nfsim environment and run as a
userspace application with a scriptable command-line
interface that can load and unload modules, add a
route, inject a packet, run iptables, control time,
inspect proc, and so on.
More importantly, we can test every single permutation
of external failures automatically: packet drops,
kmalloc failures, timer deletion races, etc. This makes
it possible to check error paths that never happen in
real life.
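As an added illustration (not code from nfsim or from this paper), here is a minimal userspace harness in the same spirit: a stand-in `sim_kmalloc` fails at the Nth call, and `count_leaky_paths` reruns a hypothetical module init with each allocation site failing in turn, counting the error paths that leave memory outstanding. The names `sim_kmalloc`, `init_correct`, `init_leaky` and `count_leaky_paths` are assumptions made for the example.

```c
/* Added example, not nfsim's own code: fail each kmalloc call site in turn
 * and check that every error path of the code under test cleans up. */
#include <stdlib.h>

static int fail_at;     /* the Nth allocation fails; 0 = never fail */
static int alloc_count; /* allocations seen in the current run */
static int live_allocs; /* outstanding allocations: a leak detector */

static void *sim_kmalloc(size_t n)
{
    void *p = (++alloc_count == fail_at) ? NULL : malloc(n); /* injected failure */
    if (p) live_allocs++;
    return p;
}
static void sim_kfree(void *p) { if (p) { live_allocs--; free(p); } }
/* Hypothetical code under test: a module init that needs three buffers. */
static void *res_a, *res_b, *res_c;

static int init_correct(void)
{
    if (!(res_a = sim_kmalloc(64))) return -1;
    if (!(res_b = sim_kmalloc(128))) { sim_kfree(res_a); return -1; }
    if (!(res_c = sim_kmalloc(256))) { sim_kfree(res_b); sim_kfree(res_a); return -1; }
    return 0;
}
static int init_leaky(void)   /* bug: the third error path forgets res_a */
{
    if (!(res_a = sim_kmalloc(64))) return -1;
    if (!(res_b = sim_kmalloc(128))) { sim_kfree(res_a); return -1; }
    if (!(res_c = sim_kmalloc(256))) { sim_kfree(res_b); return -1; }
    return 0;
}
static void module_exit(void) { sim_kfree(res_c); sim_kfree(res_b); sim_kfree(res_a); }
/* Harness: a clean run counts the allocation sites, then each site is failed
 * in turn. Returns the number of error paths that leaked memory. */
static int count_leaky_paths(int (*init)(void))
{
    int leaks = 0, sites, i;
    fail_at = alloc_count = live_allocs = 0;
    if (init() == 0) module_exit();
    sites = alloc_count;
    for (i = 1; i <= sites; i++) {
        fail_at = i; alloc_count = live_allocs = 0;
        if (init() == 0) module_exit();  /* defensive: site i should have failed */
        if (live_allocs != 0) leaks++;   /* this error path leaked */
    }
    fail_at = 0;
    return leaks;
}
```

The same loop generalises to any injectable failure point (packet drops, timer deletion) by replacing the counter in `sim_kmalloc` with a per-primitive one.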
This paper will discuss some of our experiences with
nfsim and the progression of the netfilter testsuite as
new features became available in the simulator, and the
amazing effect on development. We will also show the
techniques we used for exhaustive testing, and why
these should be a part of every project.