test: Multi-Port Network Namespaces #799
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Story time: In the days of yore, we generated PCAPs using tcpdump, which will flush any buffered packets to its output file on reception of SIGUSR2. Therefore we sent a USR2 before terminating the capture. At some point, we switched over to use tshark to capture packets for us, but the SIGUSR2 sayed in place. It turns out, tshark will just die on USR2, abandoning the dumpcap child it has created, which means the enclosing network namespace can't be properly torn down. Therefore: Remove skip sending USR2 and just send TERM directly.
This is needed to create namespaces with MACVLANs from different parent interfaces. The first consumer will be a Two-Port Mac Relay (TPMR), so that we can control the flow of packets between two nodes.
This mode let's us receive all packets from the parent device, which is automatically set in promiscuous mode, and let's the MACVLAN transmit packets with any SA, which we need to implement a TPMR (or a bridge or anything else we might dream up)
This gets rid of annoying "Address already in use" errors when running tests repeatedly from a test-sh.
When used as a context manager, __exit__ will be called even though __enter__ might throw an exception half way through. So there is no guarantee that the instance is on the cleanup list when we get to stop().
Now that we're using the `passthru` mode of MACVLANs, it seems we can rely on the parent interface's promiscuity going down to 0 as an indication that the kernel has completed the removal of the interface, and will accept the creation of a new one.
This is a specialized namespace, containing two ports, which (hopefully) acts as completely transparent "bump-on-the-wire" bridge. Useful in scenarios where you want to test what happens when the flow of packets between two nodes is disrupted. E.g., for testing fail-over behavior in dynamic routing protocols, L2 redundancy, VRRP etc.
Initially done as a workaround for the MACVLAN create/remove race. But even though the old version of this test now works, this refactor provides better test step descriptions, making it easier to follow for anyone looking to manually verify the functionality.
troglobit
approved these changes
Nov 5, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
IsolatedMacVlanclass to support creating namespaces with multiple portsIn order for the TPMR to act as a bridge, the mode of the MACVLANs has been changed to
passthru, which allows it to receive all packets from its lower interface, and also lets it transmit unicast packets with any SA without triggering the kernel's spoof protection logic. This also enables us to use the parent interface'spromiscuityvalue as an indicator for when a MACVLAN has been fully removed in the kernel, which should be more reliable than the oldtime.sleep(.5).Close #261
Checklist
Tick relevant boxes, this PR is-a or has-a: