.. _example_service_firewall_bypasstests:

############
Bypass Tests
############


.. sidebar:: Contents

  .. contents::
    :depth: 2
    :local:

The following scenario shows different configuration
alternatives to improve the OSDx firewall performance.

.. image:: topology.svg
  :width: 400

*****************
Test Local Bypass
*****************

Description
===========

Builds a scenario with three DUTs in which a performance
test is carried out between DUT1 and DUT2, and DUT0 is the
router running the firewall. "Local bypass" is set
to allow the firewall to internally skips packets belonging
to a flow that must be bypassed. The performance test may
produce better results than the general tests.

Scenario
========

.. include:: bypasstests/testlocalbypass

.. raw:: html

  <hr>

*************************************
Test Capture Bypass Using Packet Mark
*************************************

Description
===========

Builds a scenario with three DUTs in which a performance
test is conducted between DUT1 and DUT2, and DUT0 is the
router running the firewall. "Capture bypass" is set
to allow the firewall to mark packets. An external tool
can then decide what to do with the flow when the mark is seen.
For this example, when packet marks are detected, the traffic is
assigned a label, thereby allowing the possibility of classifying traffic.
In particular, labeling avoids traffic from entering the firewall.

Performance must improve considerably compared to the Local Bypass
test.

The test is extended by using other packet marks that we have customized
for the firewall.

Scenario
========

.. include:: bypasstests/testcapturebypassusingpacketmark

.. raw:: html

  <hr>

****************************************
Test Capture Bypass Using Conntrack Mark
****************************************

Description
===========

Builds a scenario with three DUTs in which a performance
test is conducted between DUT1 and DUT2, and DUT0 is the
router running the firewall. This test sets the conntrack
mark directly, thus skipping all the steps required to set
it later.

Performance must improve considerably compared to the Local Bypass
test.

Then this test is broadened by using other conntrack marks that we have customized
for the firewall.

Scenario
========

.. include:: bypasstests/testcapturebypassusingconntrackmark

.. raw:: html

  <hr>

**************************************
Test Bypass-Drop Using Conntrack Marks
**************************************

Description
===========

Builds a scenario with three DUTs in which a performance
test is conducted between DUT1 and DUT2, and DUT0 is the
router running the firewall. This test is aimed at configuring
"Capture bypass drop" to avoid dropped packets from entering
the firewall.

Scenario
========

.. include:: bypasstests/testbypass-dropusingconntrackmarks

.. raw:: html

  <hr>

************************
Test Capture And Offload
************************

Description
===========

Builds a scenario with three DUTs in which a performance
test is conducted between DUT1 and DUT2, and DUT0 is the
router running the firewall. This test sets the conntrack
mark directly, thus skipping all the steps required to set
it later. In addition, OSDx is instructed to accelerate
the flow using internal accelerators.

Performance must improve considerably compared to the previous
test, to reach its top value.

Scenario
========

.. include:: bypasstests/testcaptureandoffload

.. raw:: html

  <hr>

***************************
Test Traffic Early Dropping
***************************

Description
===========

.. include:: xdpfiltering.rst.partial

Scenario
========

.. include:: bypasstests/testtrafficearlydropping

.. raw:: html

  <hr>