.. _example_service_firewall_completetests:
##############
Complete Tests
##############
.. sidebar:: Contents

   .. contents::
      :depth: 2
      :local:
The following scenario shows how to place an OSDx router
between two machines to allow them to communicate with
each other and to provide protection when accessing
one another and the external WAN.
.. image:: topology.svg
   :width: 400
*******************************
Test Simple Ruleset With Queues
*******************************
Description
===========
Configures the three DUTs that will be used and checks
that they are capable of pinging each other but not of
connecting via SSH, since these connections are being
dropped by the firewall.
Scenario
========
.. include:: completetests/testsimplerulesetwithqueues
.. raw:: html
********************************************
Test Simple Ruleset With Custom Action-order
********************************************
Description
===========
Configures the three DUTs that will be used and checks
that they are initially capable of pinging each other,
but that after the priority of rule actions is changed, ICMP
traffic is no longer passed and is instead dropped by the firewall.
Scenario
========
.. include:: completetests/testsimplerulesetwithcustomaction-order
.. raw:: html
****************************************
Test Simple Ruleset With Queues IDS Mode
****************************************
Description
===========
Configures the three DUTs that will be used and
checks that they are capable of pinging each other
and of connecting via SSH. Since the firewall
is set to IDS mode, these connections are not being dropped.
Scenario
========
.. include:: completetests/testsimplerulesetwithqueuesidsmode
.. raw:: html
**********************
Test Encrypted Ruleset
**********************
Description
===========
Configures the three DUTs, encrypts an arbitrary ruleset file
and checks that the firewall is handling said file as expected.
The firewall behaves the same way as for `Test Simple Ruleset With Queues`_
but with an encrypted ruleset.
Scenario
========
.. include:: completetests/testencryptedruleset
.. raw:: html
********************
Test Encrypted Patch
********************
Description
===========
.. include:: encryptedpatch.rst.partial
Scenario
========
.. include:: completetests/testencryptedpatch
.. raw:: html
**********************************
Test Compressed Ruleset With Patch
**********************************
Description
===========
.. include:: compressedrulesetpatch.rst.partial
Scenario
========
.. include:: completetests/testcompressedrulesetwithpatch
.. raw:: html
**************************************
Test Single File In Compressed Ruleset
**************************************
Description
===========
Compresses two ruleset files but selects only the ``test-performance.rules``
file from within the compressed file. Lastly, checks that performance traffic is detected but
no message is generated for SSH traffic, indicating that only one file is
being used.
Scenario
========
.. include:: completetests/testsinglefileincompressedruleset
.. raw:: html
*****************
Test Local Bypass
*****************
Description
===========
Builds a scenario with three DUTs in which a performance
test is carried out between DUT1 and DUT2, and DUT0 is the
router running the firewall. "Local bypass" is set
to allow the firewall to internally skip packets belonging
to a flow that must be bypassed. The performance test may
produce better results than the previous test.
Scenario
========
.. include:: completetests/testlocalbypass
.. raw:: html
*******************
Test Capture Bypass
*******************
Description
===========
Builds a scenario with three DUTs in which a performance
test is conducted between DUT1 and DUT2, and DUT0 is the
router running the firewall. "Capture bypass" is set
to allow the firewall to mark packets. An external tool
can then decide what to do with the flow when the mark is seen.
For this example, when packet marks are detected, the traffic is
assigned a label, thereby allowing the possibility of classifying traffic.
In particular, labeling prevents traffic from entering the firewall.
Performance must improve considerably compared to the previous
test.
Scenario
========
.. include:: completetests/testcapturebypass
.. raw:: html
**************************
Test Simple Capture Bypass
**************************
Description
===========
Builds a scenario with three DUTs in which a performance
test is conducted between DUT1 and DUT2, and DUT0 is the
router running the firewall. This test sets the conntrack
mark directly, thus skipping all the steps required to set
it later.
Performance must improve considerably compared to the previous
test.
Scenario
========
.. include:: completetests/testsimplecapturebypass
.. raw:: html
**************
Test Selectors
**************
Description
===========
.. include:: selectors.rst.partial
Scenario
========
.. include:: completetests/testselectors
.. raw:: html
******************
Test XDP Filtering
******************
Description
===========
.. include:: xdpfiltering.rst.partial
Scenario
========
.. include:: completetests/testxdpfiltering
.. raw:: html