Scriptable Network Testing Environment
Kelvin.Proctor at citect.com
Tue Jun 13 16:57:43 CEST 2006
G'day Netfilter List,
My apologies for a rather long post that may contain quite a few newbie
questions or be slightly mis-posted on this list.
My company builds software for industrial control system and I'm trying
change the way we test our product, particularly in relation to network
environments. We often require our products to work over quite poor
links such as radio modem networks for pipeline projects or water
I'm proposing a system to let us create different network test
on the fly, particularly from within a unit testing harness. The goal is
create a system where via a web-services interface we can simulate any
sort of network conditions between any nodes on our network without
to change any cable patching or ip addresses or affect traffic to and
any other nodes.
The sort of network configuration I'm envisaging is as follows:
|         |----------------| WWW | 10.0.0.4
|         |                 -------
|    M    |
|    a    |   eth0         -----------
|    n    |       |--------|         |
|    a    | VLAN  | eth0.2 |  Packet |
|    g    |-------|--------|         | 10.0.0.1
|    e    | TRUNK | eth0.3 | Mangler |
|    d    |       |--------|         |
|         |                 -----------
|    S    |
|    w    |  VLAN 2         -------
|    i    |----------------| PC1 | 10.0.0.2
|    t    |                 -------
|    c    |
|    h    |  VLAN 3         -------
|         |----------------| PC2 | 10.0.0.3
|         |                 -------
The plan goes something like this:
1. A request will come into the packet mangler set up a test environment
two nodes (nodes PC1 and PC2 above) that are both on the main network
2. The packet mangler will interrogate the switch to find out which
two nodes are on.
3. The two nodes will then be put onto separate VLANs, allocated on the
(VLANs 2 and 3 above). The packet mangler also adds the two VLANs to
trunk port it is connected on, creating interfaces eth0.2 and eth0.3
4. On the packet mangler netfilter / ebtables / arptables etc... must now be set up to do the following:
A. Answer all ARP requests for ANY address on the VLANs, replying with its own MAC address so all traffic will be sent to the mangler.
B. On the main network answer ARP requests for the 'hidden' nodes
traffic for these nodes will be sent to the mangler.
C. Any traffic that is going to/from nodes on the rest of the network to the test nodes just gets routed through normally.
D. All of the traffic between the test nodes gets pushed through
iptables target so we can actually mangle the packets from
5. Once the test session is over the test VLANs will be torn down and
back to normal.
Once the above has been made to work it can be extended to include
more than 2 nodes etc.. without any trouble.
There are a few things I am aware of:
1. This will cause some disruptions at test setup until devices refill
caches to send packets to the correct location.
2. It may not be possible to have the trunk port of the switch send /
traffic off the 'normal' network if it is not on any VLAN (which I
VLAN 0). The above diagram could be expanded to have a separate NIC
connection to the main network without affecting the concept.
Now to my real questions:
1. Has anyone else tried to do something like this? [I've looked at
FreeBSD and NIST Net]
2. Do you think I'm taking a sane approach to the problem? Are there
problems that people can see I'm about to walk into?
3. How am I best to get the ARP resolution behaviour I desire. I've
the arp_proxy sysctl but need a little bit of guidance. On the main
VLAN I could just add all the 'hidden' IP addresses to the eth0
I'm not sure how to make sure I answer *ALL* ARP requests coming from
PCs on the eth0.2 and eth0.3 interfaces.
4. It has been suggested I should also consider buying a Linux-based switch / router
such as the linksys devices and hack the firmware to do it all in the
itself. Does this approach have merit?
Thank you for your help and patience.
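The per-session setup that steps 3 to 5 of the plan describe, as an added example written for this page and not code from the original post: a POSIX shell script for the packet mangler that creates the VLAN sub-interfaces, combines /32 host routes with proxy_arp to get the ARP answering behaviour asked about in question 3, and diverts only the PC1/PC2 traffic to an iptables target. It assumes Linux with iproute2 and iptables, the addressing in the diagram, and NFQUEUE as the mangling target; the function names and the DRY_RUN switch are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the trunk is eth0,
# the main network is 10.0.0.0/24 and the mangler itself is 10.0.0.1.
# DRY_RUN=1 (the default) prints each command instead of executing it.
TRUNK=${TRUNK:-eth0}
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }
# Write a /proc/sys value; separate from run() because of the redirection.
set_proc() { if [ "$DRY_RUN" = 1 ]; then printf 'echo %s > %s\n' "$2" "$1"; else echo "$2" > "$1"; fi; }

# Step 3: put one test node behind its own VLAN sub-interface on the trunk.
# The /32 host route is what makes proxy ARP do the job: Linux answers an
# ARP request for X received on interface I only when its route to X leaves
# via a different interface. With 10.0.0.2/32 via eth0.2 and 10.0.0.0/24 via
# eth0, PC1's requests for any other 10.0.0.x are answered on eth0.2 (4A),
# and requests for 10.0.0.2 arriving on eth0 are answered as well (4B).
add_test_node() {  # $1 = VLAN id, $2 = node IP
  run ip link add link "$TRUNK" name "$TRUNK.$1" type vlan id "$1"
  run ip link set "$TRUNK.$1" up
  run ip route add "$2/32" dev "$TRUNK.$1"
  set_proc "/proc/sys/net/ipv4/conf/$TRUNK.$1/proxy_arp" 1
}

# Step 4: forwarding on, proxy ARP on the main VLAN too, and only the
# node-A <-> node-B traffic handed to a user-space mangler via NFQUEUE;
# everything else (4C) is routed normally and never reaches the queue.
start_session() {  # $1 $2 = VLAN/IP of node A, $3 $4 = VLAN/IP of node B
  set_proc /proc/sys/net/ipv4/ip_forward 1
  set_proc "/proc/sys/net/ipv4/conf/$TRUNK/proxy_arp" 1
  add_test_node "$1" "$2"
  add_test_node "$3" "$4"
  run iptables -t mangle -A FORWARD -s "$2" -d "$4" -j NFQUEUE --queue-num 0
  run iptables -t mangle -A FORWARD -s "$4" -d "$2" -j NFQUEUE --queue-num 0
}

# Step 5: undo in reverse; deleting a VLAN interface drops its host route,
# so the mangler stops answering ARP for the node and traffic returns to
# the normal path once the neighbours' ARP caches expire.
stop_session() {  # same arguments as start_session
  run iptables -t mangle -D FORWARD -s "$2" -d "$4" -j NFQUEUE --queue-num 0
  run iptables -t mangle -D FORWARD -s "$4" -d "$2" -j NFQUEUE --queue-num 0
  run ip link del "$TRUNK.$1"
  run ip link del "$TRUNK.$3"
}

start_session 2 10.0.0.2 3 10.0.0.3   # dry run: prints the plan for PC1 and PC2
```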