tests: stabilize wireguard ratelimiting test
Type: test "test_wg_handshake_ratelimiting_multi_peer" has been unstable recently because the test strongly relies on execution speed. Currently, the test triggers ratelimiting for peer 1 and sends handshake initiations from peer 1 and 2 mixed up. After that, the test expects that all handshake initiations for peer 1 are ratelimited and a handshake response for peer 2 is received. Ratelimiting is based on the token bucket algorithm. The more time passes between triggering ratelimiting for peer 1 and sending a mixture of handshake initiations from peer 1 and 2, the more tokens will be added into the bucket for peer 1. Depending on delays between these steps, the number of tokens might be enough to process handshake initiations from peer 1 while they are expected to be rejected due to ratelimiting. With this change, these two steps are combined into one and the logic modified. The test triggers ratelimiting for both peer 1 and 2. Packets that trigger ratelimiting and that are to be rejected are sent in one batch that is going to reduce delays between packet processing. Also, verify that number of rejected handshake messages is in expected range instead of verifying the exact number as it still may slightly vary. Also, this should finish making the wireguard tests stable on Ubuntu 22.04 and Debian 11. Signed-off-by: Alexander Chernavin <achernavin@netgate.com> Change-Id: I3407d15abe1356dde23a241ac3650e84401c9802
This commit is contained in:
Alexander Chernavin
committed by
Matthew Smith
Matthew Smith
parent
ce668aa3f6
commit
cf9144e65f
@ -42,7 +42,6 @@ from vpp_pg_interface import is_ipv6_misc
|
||||
from vpp_ip_route import VppIpRoute, VppRoutePath
|
||||
from vpp_object import VppObject
|
||||
from vpp_papi import VppEnum
|
||||
from framework import tag_fixme_ubuntu2204, tag_fixme_debian11
|
||||
from framework import is_distro_ubuntu2204, is_distro_debian11
|
||||
from framework import VppTestCase
|
||||
from re import compile
|
||||
@ -502,8 +501,6 @@ def is_handshake_init(p):
|
||||
return wg_p[Wireguard].message_type == 1
|
||||
|
||||
|
||||
@tag_fixme_ubuntu2204
|
||||
@tag_fixme_debian11
|
||||
class TestWg(VppTestCase):
|
||||
"""Wireguard Test Case"""
|
||||
|
||||
@ -989,36 +986,25 @@ class TestWg(VppTestCase):
|
||||
rxs = self.send_and_expect(self.pg1, [init_2], self.pg1)
|
||||
peer_2.consume_cookie(rxs[0])
|
||||
|
||||
# (peer_1) prepare and send a bunch of handshake initiations with correct mac2
|
||||
# expect no ratelimiting and a handshake response
|
||||
# (peer_1) (peer_2) prepare and send a bunch of handshake initiations with correct mac2
|
||||
# expect a handshake response and then ratelimiting
|
||||
PEER_1_NUM_TO_REJECT = 2
|
||||
PEER_2_NUM_TO_REJECT = 5
|
||||
init_1 = peer_1.mk_handshake(self.pg1)
|
||||
txs = [init_1] * HANDSHAKE_NUM_BEFORE_RATELIMITING
|
||||
rxs = self.send_and_expect_some(self.pg1, txs, self.pg1)
|
||||
self.assertEqual(
|
||||
self.base_ratelimited4_err,
|
||||
self.statistics.get_err_counter(self.ratelimited4_err),
|
||||
)
|
||||
|
||||
# (peer_1) verify the response
|
||||
peer_1.consume_response(rxs[0])
|
||||
peer_1.noise_reset()
|
||||
|
||||
# (peer_1) send another two handshake initiations with correct mac2
|
||||
# expect ratelimiting
|
||||
# (peer_2) prepare and send a handshake initiation with correct mac2
|
||||
# expect no ratelimiting and a handshake response
|
||||
txs = [init_1] * (HANDSHAKE_NUM_BEFORE_RATELIMITING + PEER_1_NUM_TO_REJECT)
|
||||
init_2 = peer_2.mk_handshake(self.pg1)
|
||||
txs = [init_1, init_2, init_1]
|
||||
txs += [init_2] * (HANDSHAKE_NUM_BEFORE_RATELIMITING + PEER_2_NUM_TO_REJECT)
|
||||
rxs = self.send_and_expect_some(self.pg1, txs, self.pg1)
|
||||
|
||||
# (peer_1) verify ratelimiting
|
||||
self.assertEqual(
|
||||
self.base_ratelimited4_err + 2,
|
||||
self.statistics.get_err_counter(self.ratelimited4_err),
|
||||
self.assertTrue(
|
||||
self.base_ratelimited4_err + PEER_1_NUM_TO_REJECT
|
||||
< self.statistics.get_err_counter(self.ratelimited4_err)
|
||||
<= self.base_ratelimited4_err + PEER_1_NUM_TO_REJECT + PEER_2_NUM_TO_REJECT
|
||||
)
|
||||
|
||||
# (peer_2) verify the response
|
||||
peer_2.consume_response(rxs[0])
|
||||
# (peer_1) (peer_2) verify the response
|
||||
peer_1.consume_response(rxs[0])
|
||||
peer_2.consume_response(rxs[1])
|
||||
|
||||
# clear up under load state
|
||||
self.sleep(UNDER_LOAD_INTERVAL)
|
||||
@ -2393,8 +2379,6 @@ class TestWg(VppTestCase):
|
||||
wg0.remove_vpp_config()
|
||||
|
||||
|
||||
@tag_fixme_ubuntu2204
|
||||
@tag_fixme_debian11
|
||||
class WireguardHandoffTests(TestWg):
|
||||
"""Wireguard Tests in multi worker setup"""
|
||||
|
||||
|
||||
Reference in New Issue
Block a user