Bypass Tests
The following scenarios show different configuration alternatives that improve the performance of the OSDx firewall.
Test Local Bypass
Description
Builds a scenario with three DUTs in which a performance test is carried out between DUT1 and DUT2, and DUT0 is the router running the firewall. “Local bypass” is configured so that the firewall internally skips the packets of any flow that must be bypassed. This performance test may produce better results than the general tests.
Scenario
Step 1: Run command file copy http://10.215.168.1/~robot/test-performance.rules running:// force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   129  100   129    0     0  21262      0 --:--:-- --:--:-- --:--:-- 21500
Step 2: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 vif 101 address 40.0.0.1/8
set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN
set interfaces ethernet eth1 vif 201 address 20.0.0.1/8
set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns static host-name WAN inet 10.215.168.1
set service firewall FW logging level config
set service firewall FW logging outputs fast
set service firewall FW mode inline queue FW_Q
set service firewall FW ruleset file 'running://test-performance.rules'
set service firewall FW stream bypass
set service firewall FW validator-timeout 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy FW_PLAN rule 1 action enqueue FW_Q
set traffic queue FW_Q elements 1
Step 3: Ping IP address 20.0.0.2 from DUT1:
admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.823 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.823/0.823/0.823/0.000 ms
Step 4: Ping IP address 40.0.0.2 from DUT2:
admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data.
64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=1.21 ms

--- 40.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.208/1.208/1.208/0.000 ms
Step 5: Initiate a bandwidth test from DUT2 to DUT1:
admin@DUT1$ monitor test performance server port 5001
admin@DUT2$ monitor test performance client 40.0.0.2 duration 10 port 5001
Expect this output in DUT2:
Connecting to host 40.0.0.2, port 5001
[  5] local 20.0.0.2 port 59454 connected to 40.0.0.2 port 5001
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  78.0 MBytes   654 Mbits/sec   77   1.71 MBytes
[  5]   1.00-2.00   sec   106 MBytes   891 Mbits/sec    0   1.89 MBytes
[  5]   2.00-3.00   sec   104 MBytes   870 Mbits/sec    0   2.03 MBytes
[  5]   3.00-4.00   sec   102 MBytes   860 Mbits/sec    0   2.14 MBytes
[  5]   4.00-5.00   sec   100 MBytes   839 Mbits/sec    0   2.23 MBytes
[  5]   5.00-6.00   sec   106 MBytes   891 Mbits/sec    0   2.30 MBytes
[  5]   6.00-7.00   sec   106 MBytes   891 Mbits/sec    8   1.70 MBytes
[  5]   7.00-8.00   sec   109 MBytes   912 Mbits/sec    0   1.79 MBytes
[  5]   8.00-9.00   sec   106 MBytes   891 Mbits/sec    0   1.86 MBytes
[  5]   9.00-10.00  sec   109 MBytes   912 Mbits/sec    0   1.90 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  1.00 GBytes   861 Mbits/sec   85             sender
[  5]   0.00-10.01  sec  1.00 GBytes   859 Mbits/sec                  receiver

iperf Done.
Step 6: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+(Skipping test network performance traffic).+$
07/03/2024-17:14:16.914580 [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:59442 -> 40.0.0.2:5001
07/03/2024-17:14:16.915651 [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:59454 -> 40.0.0.2:5001
Test Capture Bypass
Description
Builds a scenario with three DUTs in which a performance test is conducted between DUT1 and DUT2, and DUT0 is the router running the firewall. “Capture bypass” is set to allow the firewall to mark packets. An external tool can then decide what to do with the flow when the mark is seen. In this example, when the packet mark is detected the traffic is assigned a label, which makes it possible to classify that traffic. In particular, the label keeps the traffic from entering the firewall.
Performance must improve considerably compared to the previous test.
Scenario
Step 1: Run command file copy http://10.215.168.1/~robot/test-performance.rules running:// force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   129  100   129    0     0  48441      0 --:--:-- --:--:-- --:--:-- 64500
Step 2: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 vif 101 address 40.0.0.1/8
set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN
set interfaces ethernet eth1 vif 101 traffic policy out FW-SKIP
set interfaces ethernet eth1 vif 201 address 20.0.0.1/8
set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN
set interfaces ethernet eth1 vif 201 traffic policy out FW-SKIP
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns static host-name WAN inet 10.215.168.1
set service firewall FW logging level config
set service firewall FW logging outputs fast
set service firewall FW mode inline queue FW_Q
set service firewall FW ruleset file 'running://test-performance.rules'
set service firewall FW stream bypass mark 129834765
set service firewall FW stream bypass mask 129834765
set service firewall FW validator-timeout 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic label BYPASS
set traffic policy FW-SKIP rule 1 log prefix SKIP
set traffic policy FW-SKIP rule 1 selector MARKED-PACKETS
set traffic policy FW-SKIP rule 1 set label BYPASS
set traffic policy FW_PLAN rule 1 action enqueue FW_Q
set traffic policy FW_PLAN rule 1 selector FW_SEL
set traffic policy FW_PWAN rule 1 selector FW_SEL
set traffic queue FW_Q elements 1
set traffic selector FW_SEL rule 1 not label BYPASS
set traffic selector MARKED-PACKETS rule 1 mark 129834765
Step 3: Ping IP address 20.0.0.2 from DUT1:
admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.905 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.905/0.905/0.905/0.000 ms
Step 4: Ping IP address 40.0.0.2 from DUT2:
admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data.
64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.848 ms

--- 40.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.848/0.848/0.848/0.000 ms
Step 5: Initiate a bandwidth test from DUT2 to DUT1:
admin@DUT1$ monitor test performance server port 5001
admin@DUT2$ monitor test performance client 40.0.0.2 duration 10 port 5001
Expect this output in DUT2:
Connecting to host 40.0.0.2, port 5001
[  5] local 20.0.0.2 port 48042 connected to 40.0.0.2 port 5001
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   152 MBytes  1.27 Gbits/sec    7   2.09 MBytes
[  5]   1.00-2.00   sec   356 MBytes  2.99 Gbits/sec    0   2.29 MBytes
[  5]   2.00-3.00   sec   364 MBytes  3.05 Gbits/sec   32   1.72 MBytes
[  5]   3.00-4.00   sec   360 MBytes  3.02 Gbits/sec    0   1.86 MBytes
[  5]   4.00-5.00   sec   368 MBytes  3.08 Gbits/sec    0   1.99 MBytes
[  5]   5.00-6.00   sec   381 MBytes  3.20 Gbits/sec    0   2.12 MBytes
[  5]   6.00-7.00   sec   376 MBytes  3.16 Gbits/sec    0   2.24 MBytes
[  5]   7.00-8.00   sec   371 MBytes  3.11 Gbits/sec    0   2.34 MBytes
[  5]   8.00-9.00   sec   399 MBytes  3.35 Gbits/sec    0   2.45 MBytes
[  5]   9.00-10.00  sec   400 MBytes  3.35 Gbits/sec   13   1.80 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  3.44 GBytes  2.96 Gbits/sec   52             sender
[  5]   0.00-10.00  sec  3.44 GBytes  2.96 Gbits/sec                  receiver

iperf Done.
Step 6: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+(Skipping test network performance traffic).+$
07/03/2024-17:14:49.466179 [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:48026 -> 40.0.0.2:5001
07/03/2024-17:14:49.467319 [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:48042 -> 40.0.0.2:5001
Step 7: Run command system journal show | cat at DUT0 and check if output matches the following regular expressions:
(?m)^.*\[SKIP\-1\].*$
Jul 03 17:14:41.323078 osdx systemd-journald[19587]: Runtime Journal (/run/log/journal/aa1bd7befff24a8b91d1e90ef92c032b) is 1.9M, max 15.3M, 13.4M free.
Jul 03 17:14:41.324512 osdx systemd-journald[19587]: Received client request to rotate journal, rotating.
Jul 03 17:14:41.324566 osdx systemd-journald[19587]: Vacuuming done, freed 0B of archived journals from /run/log/journal/aa1bd7befff24a8b91d1e90ef92c032b.
Jul 03 17:14:41.335595 osdx OSDxCLI[377353]: User 'admin' executed a new command: 'system journal clear'.
Jul 03 17:14:41.710446 osdx osdx-coredump[377689]: Deleting all coredumps in /opt/vyatta/etc/config/coredump...
Jul 03 17:14:41.717991 osdx OSDxCLI[377353]: User 'admin' executed a new command: 'system coredump delete all'.
Jul 03 17:14:42.257351 osdx OSDxCLI[377353]: User 'admin' entered the configuration menu.
Jul 03 17:14:42.327191 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 address 10.215.168.64/24'.
Jul 03 17:14:42.418911 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set interfaces ethernet eth0 traffic nat source rule 1 address masquerade'.
Jul 03 17:14:42.473393 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set protocols static route 0.0.0.0/0 next-hop 10.215.168.1'.
Jul 03 17:14:42.566076 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set service dns static host-name WAN inet 10.215.168.1'.
Jul 03 17:14:42.625049 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set interfaces ethernet eth1 vif 101 address 40.0.0.1/8'.
Jul 03 17:14:42.717612 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set interfaces ethernet eth1 vif 201 address 20.0.0.1/8'.
Jul 03 17:14:42.801882 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'show working'.
Jul 03 17:14:42.948478 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth0
Jul 03 17:14:42.976444 osdx kernel: 8021q: adding VLAN 0 to HW filter on device eth1
Jul 03 17:14:42.992217 osdx (udev-worker)[377759]: Network interface NamePolicy= disabled on kernel command line.
Jul 03 17:14:43.005285 osdx (udev-worker)[377764]: Network interface NamePolicy= disabled on kernel command line.
Jul 03 17:14:43.112126 osdx cfgd[1440]: [377353]Completed change to active configuration
Jul 03 17:14:43.147161 osdx OSDxCLI[377353]: User 'admin' committed the configuration.
Jul 03 17:14:43.165969 osdx OSDxCLI[377353]: User 'admin' left the configuration menu.
Jul 03 17:14:45.388534 osdx OSDxCLI[377353]: User 'admin' executed a new command: 'ping 10.215.168.1 count 1 size 56 timeout 1'.
Jul 03 17:14:45.461028 osdx OSDxCLI[377353]: User 'admin' executed a new command: 'ping 40.0.0.2 count 1 size 56 timeout 1'.
Jul 03 17:14:45.560215 osdx OSDxCLI[377353]: User 'admin' executed a new command: 'ping 20.0.0.2 count 1 size 56 timeout 1'.
Jul 03 17:14:46.052598 osdx file_operation[377837]: using src url: http://10.215.168.1/~robot/test-performance.rules dst url: running://
Jul 03 17:14:46.076172 osdx OSDxCLI[377353]: User 'admin' executed a new command: 'file copy http://10.215.168.1/~robot/test-performance.rules running:// force'.
Jul 03 17:14:46.221841 osdx OSDxCLI[377353]: User 'admin' entered the configuration menu.
Jul 03 17:14:46.300713 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set service firewall FW ruleset file running://test-performance.rules'.
Jul 03 17:14:46.384970 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set service firewall FW mode inline queue FW_Q'.
Jul 03 17:14:46.487618 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set service firewall FW logging outputs fast'.
Jul 03 17:14:46.540990 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set service firewall FW logging level config'.
Jul 03 17:14:46.636070 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set service firewall FW validator-timeout 20'.
Jul 03 17:14:46.690685 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set traffic queue FW_Q elements 1'.
Jul 03 17:14:46.806198 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN'.
Jul 03 17:14:46.862446 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN'.
Jul 03 17:14:46.963470 osdx zebra[1405]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jul 03 17:14:47.068507 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set service firewall FW stream bypass mark 129834765'.
Jul 03 17:14:47.121970 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set service firewall FW stream bypass mask 129834765'.
Jul 03 17:14:47.209022 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set traffic label BYPASS'.
Jul 03 17:14:47.275894 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set traffic policy FW-SKIP rule 1 log prefix SKIP'.
Jul 03 17:14:47.378050 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set traffic policy FW-SKIP rule 1 selector MARKED-PACKETS'.
Jul 03 17:14:47.442542 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set traffic policy FW-SKIP rule 1 set label BYPASS'.
Jul 03 17:14:47.539368 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set traffic selector MARKED-PACKETS rule 1 mark 129834765'.
Jul 03 17:14:47.602244 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set traffic selector FW_SEL rule 1 not label BYPASS'.
Jul 03 17:14:47.731696 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set traffic policy FW_PLAN rule 1 selector FW_SEL'.
Jul 03 17:14:47.792958 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set traffic policy FW_PWAN rule 1 selector FW_SEL'.
Jul 03 17:14:47.906634 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set interfaces ethernet eth1 vif 101 traffic policy out FW-SKIP'.
Jul 03 17:14:47.963362 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set interfaces ethernet eth1 vif 201 traffic policy out FW-SKIP'.
Jul 03 17:14:48.060010 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'set traffic policy FW_PLAN rule 1 action enqueue FW_Q'.
Jul 03 17:14:48.164376 osdx OSDxCLI[377353]: User 'admin' added a new cfg line: 'show working'.
Jul 03 17:14:48.616087 osdx systemd[1]: Reloading.
Jul 03 17:14:48.740452 osdx systemd-sysv-generator[377965]: stat() failed on /etc/init.d/README, ignoring: No such file or directory
Jul 03 17:14:48.865035 osdx systemd[1]: Starting suricata@FW.service - Suricata client "FW" service...
Jul 03 17:14:48.881293 osdx systemd[1]: Started suricata@FW.service - Suricata client "FW" service.
Jul 03 17:14:49.083687 osdx INFO[377948]: Rules successfully loaded
Jul 03 17:14:49.084760 osdx cfgd[1440]: [377353]Completed change to active configuration
Jul 03 17:14:49.087164 osdx OSDxCLI[377353]: User 'admin' committed the configuration.
Jul 03 17:14:49.104787 osdx OSDxCLI[377353]: User 'admin' left the configuration menu.
Jul 03 17:14:49.468495 osdx kernel: [SKIP-1] ACCEPT IN=eth1.201 OUT=eth1.101 MAC=de:ad:be:ef:6c:11:de:ad:be:ef:6c:30:08:00:45:00:00:59 SRC=20.0.0.2 DST=40.0.0.2 LEN=89 TOS=0x00 PREC=0x00 TTL=63 ID=43142 DF PROTO=TCP SPT=48026 DPT=5001 WINDOW=502 RES=0x00 ACK PSH URGP=0 MARK=0x7bd1f0d
Jul 03 17:14:49.468564 osdx kernel: [SKIP-1] ACCEPT IN=eth1.201 OUT=eth1.101 MAC=de:ad:be:ef:6c:11:de:ad:be:ef:6c:30:08:00:45:00:00:59 SRC=20.0.0.2 DST=40.0.0.2 LEN=89 TOS=0x00 PREC=0x00 TTL=63 ID=20653 DF PROTO=TCP SPT=48042 DPT=5001 WINDOW=502 RES=0x00 ACK PSH URGP=0 MARK=0x7bd1f0d
Jul 03 17:14:49.684184 osdx zebra[1405]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jul 03 17:14:49.684262 osdx zebra[1405]: [RZ3YY-GPH41][EC 100663310] snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
Jul 03 17:14:57.989116 osdx zebra[1405]: [WPPMZ-G9797] if_zebra_speed_update: eth1.201 old speed: 0 new speed: 4294967295
Jul 03 17:14:58.005102 osdx zebra[1405]: [WPPMZ-G9797] if_zebra_speed_update: eth1.101 old speed: 0 new speed: 4294967295
Jul 03 17:14:59.625484 osdx OSDxCLI[377353]: User 'admin' executed a new command: 'service firewall FW show logging fast | tail'.
Test Simple Capture Bypass
Description
Builds a scenario with three DUTs in which a performance test is conducted between DUT1 and DUT2, and DUT0 is the router running the firewall. In this test the firewall sets the conntrack mark directly, which removes the extra steps the previous test needed to set it afterwards.
Performance must improve considerably compared to the previous test.
Scenario
Step 1: Run command file copy http://10.215.168.1/~robot/test-performance.rules running:// force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   129  100   129    0     0   1551      0 --:--:-- --:--:-- --:--:--  1554
Step 2: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 vif 101 address 40.0.0.1/8
set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN
set interfaces ethernet eth1 vif 201 address 20.0.0.1/8
set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns static host-name WAN inet 10.215.168.1
set service firewall FW logging level config
set service firewall FW logging outputs fast
set service firewall FW mode inline queue FW_Q
set service firewall FW ruleset file 'running://test-performance.rules'
set service firewall FW stream bypass mark 129834765
set service firewall FW stream bypass mask 129834765
set service firewall FW stream bypass set-connmark
set service firewall FW validator-timeout 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy FW_PLAN rule 1 action enqueue FW_Q
set traffic policy FW_PLAN rule 1 selector FW_SEL
set traffic policy FW_PWAN rule 1 selector FW_SEL
set traffic queue FW_Q elements 1
set traffic selector FW_SEL rule 1 not connmark 129834765
Step 3: Ping IP address 20.0.0.2 from DUT1:
admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.905 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.905/0.905/0.905/0.000 ms
Step 4: Ping IP address 40.0.0.2 from DUT2:
admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data.
64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=1.16 ms

--- 40.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.155/1.155/1.155/0.000 ms
Step 5: Initiate a bandwidth test from DUT2 to DUT1:
admin@DUT1$ monitor test performance server port 5001
admin@DUT2$ monitor test performance client 40.0.0.2 duration 10 port 5001
Expect this output in DUT2:
Connecting to host 40.0.0.2, port 5001
[  5] local 20.0.0.2 port 49522 connected to 40.0.0.2 port 5001
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   166 MBytes  1.40 Gbits/sec   50   2.25 MBytes
[  5]   1.00-2.00   sec   349 MBytes  2.92 Gbits/sec   57   1.71 MBytes
[  5]   2.00-3.00   sec   348 MBytes  2.92 Gbits/sec    0   1.83 MBytes
[  5]   3.00-4.00   sec   346 MBytes  2.90 Gbits/sec    0   1.95 MBytes
[  5]   4.00-5.00   sec   365 MBytes  3.06 Gbits/sec    0   2.05 MBytes
[  5]   5.00-6.00   sec   362 MBytes  3.04 Gbits/sec    0   2.14 MBytes
[  5]   6.00-7.00   sec   342 MBytes  2.87 Gbits/sec    0   2.24 MBytes
[  5]   7.00-8.00   sec   356 MBytes  2.99 Gbits/sec    0   2.34 MBytes
[  5]   8.00-9.00   sec   376 MBytes  3.16 Gbits/sec   34   1.80 MBytes
[  5]   9.00-10.00  sec   359 MBytes  3.01 Gbits/sec    0   1.95 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  3.29 GBytes  2.83 Gbits/sec  141             sender
[  5]   0.00-10.00  sec  3.29 GBytes  2.82 Gbits/sec                  receiver

iperf Done.
Step 6: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+(Skipping test network performance traffic).+$
07/03/2024-17:15:19.401983 [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:49514 -> 40.0.0.2:5001
07/03/2024-17:15:19.403310 [**] [1:40:0] Skipping test network performance traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:49522 -> 40.0.0.2:5001
Step 7: Run command system conntrack show at DUT0 and check if output matches the following regular expressions:
(?m)^tcp\s+.*src=20.0.0.2 dst=40.0.0.2.+dport=5001.*mark=129834765.*$
udp      17 19 src=127.0.0.1 dst=127.0.0.1 sport=48078 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=48078 packets=0 bytes=0 mark=0 use=1
icmp     1 19 src=20.0.0.2 dst=40.0.0.2 type=8 code=0 id=66 packets=1 bytes=84 src=40.0.0.2 dst=20.0.0.2 type=0 code=0 id=66 packets=1 bytes=84 (Sc: not-bypass) mark=0 use=1
udp      17 19 src=127.0.0.1 dst=127.0.0.1 sport=43630 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=43630 packets=0 bytes=0 mark=0 use=1
udp      17 19 src=127.0.0.1 dst=127.0.0.1 sport=39385 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=39385 packets=0 bytes=0 mark=0 use=1
tcp      6 19 TIME_WAIT src=20.0.0.2 dst=40.0.0.2 sport=49514 dport=5001 packets=14 bytes=1198 src=40.0.0.2 dst=20.0.0.2 sport=5001 dport=49514 packets=13 bytes=1019 [ASSURED] (Sc: not-bypass) mark=129834765 use=1
icmp     1 19 src=40.0.0.2 dst=20.0.0.2 type=8 code=0 id=406 packets=1 bytes=84 src=20.0.0.2 dst=40.0.0.2 type=0 code=0 id=406 packets=1 bytes=84 (Sc: not-bypass) mark=0 use=1
tcp      6 9 CLOSE src=20.0.0.2 dst=40.0.0.2 sport=49522 dport=5001 packets=2440426 bytes=3660583909 src=40.0.0.2 dst=20.0.0.2 sport=5001 dport=49522 packets=53766 bytes=2788516 [ASSURED] (Sc: not-bypass) mark=129834765 use=1
udp      17 19 src=127.0.0.1 dst=127.0.0.1 sport=59033 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=59033 packets=0 bytes=0 mark=0 use=1
conntrack v1.4.7 (conntrack-tools): 8 flow entries have been shown.
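The regular expression in Step 7 checks a single flow by eye. The following Python example (added here; it is not part of the OSDx documentation or product) does the same check programmatically for both capture-bypass variants: it parses `system conntrack show` entries, applies a mark/mask comparison to decide which flows towards port 5001 carry the bypass mark, and extracts the MARK= value of the [SKIP-1] kernel log lines from the previous test so it can be compared with the configured mark (129834765 is 0x7bd1f0d, the value those log lines show). The sample texts are constructed from the outputs on this page, and the masked comparison in is_bypassed is this example's own assumption, modelled on netfilter's mark/mask matching.

```python
import re

# Bypass mark/mask pair from the configuration on this page. 129834765 is
# 0x7bd1f0d, the MARK= value the [SKIP-1] kernel log lines above carry.
BYPASS_MARK = 129834765
BYPASS_MASK = 129834765

# Constructed sample in the layout of `system conntrack show`, abridged from
# the output on this page.
SAMPLE_CONNTRACK = """\
udp 17 19 src=127.0.0.1 dst=127.0.0.1 sport=48078 dport=53 packets=1 bytes=62 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=53 dport=48078 packets=0 bytes=0 mark=0 use=1
icmp 1 19 src=20.0.0.2 dst=40.0.0.2 type=8 code=0 id=66 packets=1 bytes=84 src=40.0.0.2 dst=20.0.0.2 type=0 code=0 id=66 packets=1 bytes=84 (Sc: not-bypass) mark=0 use=1
tcp 6 19 TIME_WAIT src=20.0.0.2 dst=40.0.0.2 sport=49514 dport=5001 packets=14 bytes=1198 src=40.0.0.2 dst=20.0.0.2 sport=5001 dport=49514 packets=13 bytes=1019 [ASSURED] (Sc: not-bypass) mark=129834765 use=1
tcp 6 9 CLOSE src=20.0.0.2 dst=40.0.0.2 sport=49522 dport=5001 packets=2440426 bytes=3660583909 src=40.0.0.2 dst=20.0.0.2 sport=5001 dport=49522 packets=53766 bytes=2788516 [ASSURED] (Sc: not-bypass) mark=129834765 use=1
conntrack v1.4.7 (conntrack-tools): 4 flow entries have been shown.
"""

# Constructed sample of the [SKIP-1] kernel log lines from the capture-bypass
# test on this page (fields not needed here are left out); the zebra line is
# noise that must be ignored.
SAMPLE_KERNEL_LOG = """\
Jul 03 17:14:49.468495 osdx kernel: [SKIP-1] ACCEPT IN=eth1.201 OUT=eth1.101 SRC=20.0.0.2 DST=40.0.0.2 PROTO=TCP SPT=48026 DPT=5001 MARK=0x7bd1f0d
Jul 03 17:14:49.468564 osdx kernel: [SKIP-1] ACCEPT IN=eth1.201 OUT=eth1.101 SRC=20.0.0.2 DST=40.0.0.2 PROTO=TCP SPT=48042 DPT=5001 MARK=0x7bd1f0d
Jul 03 17:14:49.684184 osdx zebra[1405]: snmp[warning]: Warning: Failed to connect to the agentx master agent ([NIL]):
"""

# One conntrack entry: protocol, numeric proto/timeout, optional TCP state,
# the original-direction tuple with its counters, then (further on) the mark.
ENTRY_RE = re.compile(
    r"^(?P<proto>tcp|udp|icmp)\s+\d+\s+\d+\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"(?:sport=(?P<sport>\d+) dport=(?P<dport>\d+)|type=\d+ code=\d+ id=\d+) "
    r"packets=(?P<packets>\d+) bytes=(?P<bytes>\d+)"
    r".*?\bmark=(?P<mark>\d+)"
)
KERNEL_MARK_RE = re.compile(r"\bMARK=0x([0-9a-fA-F]+)")


def parse_conntrack(text):
    """Return one dict per flow entry; the trailer line is ignored."""
    flows = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        for k in ("sport", "dport", "packets", "bytes", "mark"):
            d[k] = int(d[k]) if d[k] is not None else None
        flows.append(d)
    return flows


def is_bypassed(mark, bypass_mark=BYPASS_MARK, bypass_mask=BYPASS_MASK):
    """Masked comparison: only the bits selected by the mask take part, so
    with mask == mark (as on this page) it reduces to an exact match.
    This rule is an assumption of the example, modelled on netfilter."""
    return (mark & bypass_mask) == (bypass_mark & bypass_mask)


def bypass_report(text, dst_port=5001):
    """Split the flows towards dst_port into (bypassed, still_inspected)."""
    bypassed, inspected = [], []
    for f in parse_conntrack(text):
        if f["dport"] != dst_port:
            continue
        key = f"{f['proto']} {f['src']}:{f['sport']}->{f['dst']}:{f['dport']}"
        (bypassed if is_bypassed(f["mark"]) else inspected).append(key)
    return bypassed, inspected


def kernel_log_marks(text):
    """MARK= values (as ints) of the [SKIP-1] lines, for comparison with BYPASS_MARK."""
    return [int(h, 16)
            for line in text.splitlines() if "[SKIP-1]" in line
            for h in KERNEL_MARK_RE.findall(line)]


if __name__ == "__main__":
    print("bypass mark:", BYPASS_MARK, "=", hex(BYPASS_MARK))
    print("bypassed / inspected:", bypass_report(SAMPLE_CONNTRACK))
    print("all [SKIP-1] marks match:",
          all(is_bypassed(m) for m in kernel_log_marks(SAMPLE_KERNEL_LOG)))
```

Feed it the real `system conntrack show` output and it lists the test flows that carry the bypass mark; an empty "bypassed" list together with a large packet count on the inspected side is the quickest sign that the mark is being set on the wrong hook, or that mark and mask do not line up.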
Test Traffic Early Dropping
Description
Builds a scenario with three DUTs and a simple ruleset that drops TCP traffic between DUT1 and DUT2. The traffic must be sent to port 5000 for the rule to match. Afterwards, XDP is queried to check whether packets are being dropped at the specified interface.
The contents of the rule file are:
drop tcp any any -> any 5000 (msg: "Dropping TCP performance test traffic"; sid: 1; flow: established, to_server;)
Because of its flow options (established, to_server), this rule lets the connection be established and then drops the traffic that follows towards the server.
Scenario
Step 1: Run command file copy http://10.215.168.1/~robot/drop-performance.rules running://drop-performance.rules force at DUT0 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   200  100   200    0     0  11021      0 --:--:-- --:--:-- --:--:-- 11111
Step 2: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 vif 101 address 40.0.0.1/8
set interfaces ethernet eth1 vif 101 traffic policy in FW_PLAN
set interfaces ethernet eth1 vif 201 address 20.0.0.1/8
set interfaces ethernet eth1 vif 201 traffic policy in FW_PLAN
set protocols static route 0.0.0.0/0 next-hop 10.215.168.1
set service dns static host-name WAN inet 10.215.168.1
set service firewall FW logging level config
set service firewall FW logging outputs fast
set service firewall FW mode inline queue FW_Q
set service firewall FW ruleset file 'running://drop-performance.rules'
set service firewall FW stream bypass action drop set xdp-early-drop eth1
set service firewall FW validator-timeout 20
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic policy FW_PLAN rule 1 action enqueue FW_Q
set traffic queue FW_Q elements 1
Step 3: Ping IP address 20.0.0.2 from DUT1:
admin@DUT1$ ping 20.0.0.2 count 1 size 56 timeout 1
PING 20.0.0.2 (20.0.0.2) 56(84) bytes of data.
64 bytes from 20.0.0.2: icmp_seq=1 ttl=63 time=0.572 ms

--- 20.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.572/0.572/0.572/0.000 ms
Step 4: Ping IP address 40.0.0.2 from DUT2:
admin@DUT2$ ping 40.0.0.2 count 1 size 56 timeout 1
PING 40.0.0.2 (40.0.0.2) 56(84) bytes of data.
64 bytes from 40.0.0.2: icmp_seq=1 ttl=63 time=0.825 ms

--- 40.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.825/0.825/0.825/0.000 ms
Step 5: Initiate a bandwidth test from DUT2 to DUT1:
admin@DUT1$ monitor test performance server port 5000
admin@DUT2$ monitor test performance client 40.0.0.2 duration 10 port 5000
Expect this output in DUT2:
^C- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
iperf3: interrupt - the client has terminated
admin@osdx$
Step 6: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+(Dropping TCP performance test traffic).+$
07/03/2024-17:15:48.951300 [Drop] [**] [1:1:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:56240 -> 40.0.0.2:5000
Step 7: Run command service firewall FW show early-drop-stats eth1 at DUT0 and check if output matches the following regular expressions:
yes\s+201\s+\d+\s+[1-9]\d*\s+[1-9]\d*
------------------------------------------------------------------------
src          dst          src port  dst port  tcp  vlan_0  vlan_1  pkts  bytes
------------------------------------------------------------------------
20.0.0.2     40.0.0.2     56240     5000      yes  201     0       8     673
40.0.0.2     20.0.0.2     5000      56240     yes  201     0       0     0
Step 8: Run command interfaces ethernet eth1 monitor xdp-stats times 1 at DUT0 and expect this output:
Pin path: /sys/fs/bpf/eth1
Period of 0.250175s ending at 1720026952.699815
XDP_DROP               9 pkts (         0 pps)           0 KiB (     0 Mbits/s)
XDP_PASS         6015850 pkts (         0 pps)     8524387 KiB (     0 Mbits/s)
XDP_TX                 0 pkts (         0 pps)           0 KiB (     0 Mbits/s)
XDP_REDIRECT           0 pkts (         0 pps)           0 KiB (     0 Mbits/s)
Step 9: Initiate a bandwidth test from DUT2 to DUT1:
admin@DUT1$ monitor test performance server port 5001
admin@DUT2$ monitor test performance client 40.0.0.2 duration 30 udp port 5001
Expect this output in DUT2:
^C- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Jitter    Lost/Total Datagrams
iperf3: interrupt - the client has terminated
admin@osdx$
Step 10: Run command service firewall FW show logging fast | tail at DUT0 and check if output matches the following regular expressions:
(?m)^.+(Dropping UDP performance test traffic).+$
07/03/2024-17:15:48.951300 [Drop] [**] [1:1:0] Dropping TCP performance test traffic [**] [Classification: (null)] [Priority: 3] {TCP} 20.0.0.2:56240 -> 40.0.0.2:5000
07/03/2024-17:15:52.928559 [Drop] [**] [1:2:0] Dropping UDP performance test traffic [**] [Classification: (null)] [Priority: 3] {UDP} 20.0.0.2:41392 -> 40.0.0.2:5001
Step 11: Run command service firewall FW show early-drop-stats eth1 at DUT0 and check if output matches the following regular expressions:
yes\s+201\s+\d+\s+[1-9]\d*\s+[1-9]\d*
------------------------------------------------------------------------
src          dst          src port  dst port  tcp  vlan_0  vlan_1  pkts  bytes
------------------------------------------------------------------------
40.0.0.2     20.0.0.2     5001      41392     no   201     0       0     0
20.0.0.2     40.0.0.2     56240     5000      yes  201     0       12    905
20.0.0.2     40.0.0.2     41392     5001      no   201     0       0     0
40.0.0.2     20.0.0.2     5000      56240     yes  201     0       0     0
Step 12: Run command interfaces ethernet eth1 monitor xdp-stats times 1 at DUT0 and expect this output:
Pin path: /sys/fs/bpf/eth1
Period of 0.250154s ending at 1720026956.554911
XDP_DROP              12 pkts (         0 pps)           0 KiB (     0 Mbits/s)
XDP_PASS         6015890 pkts (         0 pps)     8524390 KiB (     0 Mbits/s)
XDP_TX                 0 pkts (         0 pps)           0 KiB (     0 Mbits/s)
XDP_REDIRECT           0 pkts (         0 pps)           0 KiB (     0 Mbits/s)
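Steps 7, 8, 11 and 12 verify the early-drop path by reading two tables by hand. The following Python example (added here; it is not part of the OSDx documentation or product) parses the `early-drop-stats` table and the `xdp-stats` counters, applies the same acceptance criterion as the page's regular expression (tcp=yes, vlan_0=201, non-zero pkts and bytes), and compares how much the per-flow drop counters and the interface's XDP_DROP counter grew between the two samples. The sample texts are constructed from the outputs on this page; the column layout the parser expects is the one shown above.

```python
import re

# Constructed samples in the layout of `service firewall FW show early-drop-stats eth1`
# and `interfaces ethernet eth1 monitor xdp-stats times 1`, taken from the two
# runs on this page (after the TCP test, then after the UDP test).
EARLY_DROP_BEFORE = """\
------------------------------------------------------------------------
src          dst          src port  dst port  tcp  vlan_0  vlan_1  pkts  bytes
------------------------------------------------------------------------
20.0.0.2     40.0.0.2     56240     5000      yes  201     0       8     673
40.0.0.2     20.0.0.2     5000      56240     yes  201     0       0     0
"""
EARLY_DROP_AFTER = """\
------------------------------------------------------------------------
src          dst          src port  dst port  tcp  vlan_0  vlan_1  pkts  bytes
------------------------------------------------------------------------
40.0.0.2     20.0.0.2     5001      41392     no   201     0       0     0
20.0.0.2     40.0.0.2     56240     5000      yes  201     0       12    905
20.0.0.2     40.0.0.2     41392     5001      no   201     0       0     0
40.0.0.2     20.0.0.2     5000      56240     yes  201     0       0     0
"""
XDP_BEFORE = """\
Pin path: /sys/fs/bpf/eth1
Period of 0.250175s ending at 1720026952.699815
XDP_DROP               9 pkts (         0 pps)           0 KiB (     0 Mbits/s)
XDP_PASS         6015850 pkts (         0 pps)     8524387 KiB (     0 Mbits/s)
XDP_TX                 0 pkts (         0 pps)           0 KiB (     0 Mbits/s)
XDP_REDIRECT           0 pkts (         0 pps)           0 KiB (     0 Mbits/s)
"""
XDP_AFTER = """\
Pin path: /sys/fs/bpf/eth1
Period of 0.250154s ending at 1720026956.554911
XDP_DROP              12 pkts (         0 pps)           0 KiB (     0 Mbits/s)
XDP_PASS         6015890 pkts (         0 pps)     8524390 KiB (     0 Mbits/s)
XDP_TX                 0 pkts (         0 pps)           0 KiB (     0 Mbits/s)
XDP_REDIRECT           0 pkts (         0 pps)           0 KiB (     0 Mbits/s)
"""

# One data row of the early-drop table: src dst sport dport tcp vlan_0 vlan_1 pkts bytes.
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW_RE = re.compile(
    rf"^(?P<src>{IPV4})\s+(?P<dst>{IPV4})\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+"
    r"(?P<tcp>yes|no)\s+(?P<vlan0>\d+)\s+(?P<vlan1>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)$"
)
# One counter line of the xdp-stats output: "XDP_DROP   9 pkts (...".
XDP_RE = re.compile(r"^(XDP_[A-Z]+)\s+(\d+) pkts\b")


def parse_early_drop(text):
    """Return one dict per flow row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["tcp"] = d["tcp"] == "yes"
        for k in ("sport", "dport", "vlan0", "vlan1", "pkts", "bytes"):
            d[k] = int(d[k])
        rows.append(d)
    return rows


def early_dropped_flows(text, vlan=201, tcp=True):
    """Flows the page's check accepts: matching tcp flag and VLAN, non-zero pkts and bytes."""
    return [f"{r['src']}:{r['sport']}->{r['dst']}:{r['dport']}"
            for r in parse_early_drop(text)
            if r["tcp"] == tcp and r["vlan0"] == vlan and r["pkts"] > 0 and r["bytes"] > 0]


def parse_xdp_stats(text):
    """Map XDP action name -> packet count."""
    counters = {}
    for line in text.splitlines():
        m = XDP_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def drop_growth(table_before, table_after, xdp_before, xdp_after):
    """(per-flow early-drop pkts gained, XDP_DROP pkts gained) between two samples."""
    flow_delta = (sum(r["pkts"] for r in parse_early_drop(table_after))
                  - sum(r["pkts"] for r in parse_early_drop(table_before)))
    xdp_delta = parse_xdp_stats(xdp_after)["XDP_DROP"] - parse_xdp_stats(xdp_before)["XDP_DROP"]
    return flow_delta, xdp_delta


if __name__ == "__main__":
    print("early-dropped TCP flows:", early_dropped_flows(EARLY_DROP_AFTER))
    print("early-dropped UDP flows:", early_dropped_flows(EARLY_DROP_AFTER, tcp=False))
    print("growth (flow pkts, XDP_DROP):",
          drop_growth(EARLY_DROP_BEFORE, EARLY_DROP_AFTER, XDP_BEFORE, XDP_AFTER))
```

On the page's own numbers the two deltas are 4 (flow table, 8 to 12 pkts) and 3 (XDP_DROP, 9 to 12): the two commands sample the counters at different moments, so treat them as a direction check rather than an exact reconciliation. The function also makes visible what the table already states: the UDP flow to port 5001 appears with tcp=no and zero pkts, so in these samples only the TCP flow was dropped at the XDP layer even though the fast log reports the UDP rule firing.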