From cf9144e65f37402fc6f7dacb7bd7bad6fd596784 Mon Sep 17 00:00:00 2001 From: Alexander Chernavin Date: Fri, 23 Sep 2022 12:41:31 +0000 Subject: tests: stabilize wireguard ratelimiting test Type: test "test_wg_handshake_ratelimiting_multi_peer" has been unstable recently because the test strongly relies on execution speed. Currently, the test triggers ratelimiting for peer 1 and sends handshake initiations from peer 1 and 2 mixed up. After that, the test expects that all handshake initiations for peer 1 are ratelimited and a handshake response for peer 2 is received. Ratelimiting is based on the token bucket algorithm. The more time passes between triggering ratelimiting for peer 1 and sending a mixture of handshake initiations from peer 1 and 2, the more tokens will be added into the bucket for peer 1. Depending on delays between these steps, the number of tokens might be enough to process handshake initiations from peer 1 while they are expected to be rejected due to ratelimiting. With this change, these two steps are combined into one and the logic modified. The test triggers ratelimiting for both peer 1 and 2. Packets that trigger ratelimiting and that are to be rejected are sent in one batch that is going to reduce delays between packet processing. Also, verify that number of rejected handshake messages is in expected range instead of verifying the exact number as it still may slightly vary. Also, this should finish making the wireguard tests stable on Ubuntu 22.04 and Debian 11. Signed-off-by: Alexander Chernavin Change-Id: I3407d15abe1356dde23a241ac3650e84401c9802 --- test/test_wireguard.py | 42 +++++++++++++----------------------------- 1 file changed, 13 insertions(+), 29 deletions(-) diff --git a/test/test_wireguard.py b/test/test_wireguard.py index 7e5ef5b3616..e9caa8d2454 100644 --- a/test/test_wireguard.py +++ b/test/test_wireguard.py @@ -42,7 +42,6 @@ from vpp_pg_interface import is_ipv6_misc from vpp_ip_route import VppIpRoute, VppRoutePath from vpp_object import VppObject from vpp_papi import VppEnum -from framework import tag_fixme_ubuntu2204, tag_fixme_debian11 from framework import is_distro_ubuntu2204, is_distro_debian11 from framework import VppTestCase from re import compile @@ -502,8 +501,6 @@ def is_handshake_init(p): return wg_p[Wireguard].message_type == 1 -@tag_fixme_ubuntu2204 -@tag_fixme_debian11 class TestWg(VppTestCase): """Wireguard Test Case""" @@ -989,36 +986,25 @@ class TestWg(VppTestCase): rxs = self.send_and_expect(self.pg1, [init_2], self.pg1) peer_2.consume_cookie(rxs[0]) - # (peer_1) prepare and send a bunch of handshake initiations with correct mac2 - # expect no ratelimiting and a handshake response + # (peer_1) (peer_2) prepare and send a bunch of handshake initiations with correct mac2 + # expect a handshake response and then ratelimiting + PEER_1_NUM_TO_REJECT = 2 + PEER_2_NUM_TO_REJECT = 5 init_1 = peer_1.mk_handshake(self.pg1) - txs = [init_1] * HANDSHAKE_NUM_BEFORE_RATELIMITING - rxs = self.send_and_expect_some(self.pg1, txs, self.pg1) - self.assertEqual( - self.base_ratelimited4_err, - self.statistics.get_err_counter(self.ratelimited4_err), - ) - - # (peer_1) verify the response - peer_1.consume_response(rxs[0]) - peer_1.noise_reset() - - # (peer_1) send another two handshake initiations with correct mac2 - # expect ratelimiting - # (peer_2) prepare and send a handshake initiation with correct mac2 - # expect no ratelimiting and a handshake response + txs = [init_1] * (HANDSHAKE_NUM_BEFORE_RATELIMITING + PEER_1_NUM_TO_REJECT) init_2 = peer_2.mk_handshake(self.pg1) - txs = [init_1, init_2, init_1] + txs += [init_2] * (HANDSHAKE_NUM_BEFORE_RATELIMITING + PEER_2_NUM_TO_REJECT) rxs = self.send_and_expect_some(self.pg1, txs, self.pg1) - # (peer_1) verify ratelimiting - self.assertEqual( - self.base_ratelimited4_err + 2, - self.statistics.get_err_counter(self.ratelimited4_err), + self.assertTrue( + self.base_ratelimited4_err + PEER_1_NUM_TO_REJECT + < self.statistics.get_err_counter(self.ratelimited4_err) + <= self.base_ratelimited4_err + PEER_1_NUM_TO_REJECT + PEER_2_NUM_TO_REJECT ) - # (peer_2) verify the response - peer_2.consume_response(rxs[0]) + # (peer_1) (peer_2) verify the response + peer_1.consume_response(rxs[0]) + peer_2.consume_response(rxs[1]) # clear up under load state self.sleep(UNDER_LOAD_INTERVAL) @@ -2393,8 +2379,6 @@ class TestWg(VppTestCase): wg0.remove_vpp_config() -@tag_fixme_ubuntu2204 -@tag_fixme_debian11 class WireguardHandoffTests(TestWg): """Wireguard Tests in multi worker setup""" -- cgit 1.2.3-korg