Contributed by pitrh on from the log me testily, fragment dept.
Alexander Bluhm (bluhm@) wrote in with this report from the recently completed c2k15 hackathon:
First of all I would like to say that SAIT in Calgary is a great place to hack. Network connectivity was perfect. Thanks for the invitation.
During this hackathon I was sitting at a table together with benno@ and reyk@. We were discussing the test framework that I have created for kernel socket splicing, pf divert, ospfd, relayd and syslogd. It is integrated in /usr/src/regress. There it spawns processes and coordinates the communication between them. Everything is written in Perl.
Basically it starts a daemon, e.g. relayd, for each subtest with an adjusted configuration. It also forks client and server processes that communicate with the daemon. For each subtest they get special functions that tell them what to send and expect. These functions can be high level like send an HTTP request and expect a chunked answer or low level like send this byte, wait a bit, send a second byte and close the connection.
All processes write log files where the test greps for certain events. In addition the test can look for system calls in the ktrace output of the daemon or check its file descriptors with fstat.
I helped benno@ write a test to verify that relayd does not use too much memory. reyk@ used the framework to start writing tests for httpd.
Apart from that, I have finished TCP input for syslogd. The syslog over TCP messages can be encoded with octet counting or non-transparent framing. Syslogd autodetects the method and accepts both. The number of incoming TCP connections is compared to the process's file descriptor limit and restricted in a secure way. All features are covered by the regression tests.
The tls_write() function of libtls inherited the short write semantics from OpenSSL. That required workarounds in httpd and syslogd. We have changed this by setting the SSL_MODE_ENABLE_PARTIAL_WRITE and SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER flags in libtls. That means you have to check for short writes after tls_write() like in write(2).
Moreover, you have to check for TLS_READ_AGAIN and TLS_WRITE_AGAIN error codes. In all three cases, do not modify the data that was presented to tls_write() before. LibreSSL may have already used them in the crypto algorithms although they have not been sent yet. For that change I have adapted ftp and ntpd to the new behavior. Workarounds in syslogd and httpd were removed.
Finally I looked into the regression test for pf fragments. I plan to extend it for the route-to case. sashan@ has provided a diff for IPv6; I would like to test it before it gets committed.
All exciting stuff! Thanks for the report and the work, Alexander!
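The report mentions that syslogd autodetects octet counting and non-transparent framing on TCP input. The sketch below is an added example, not syslogd's code: it shows one way a receiver can tell the two framings apart (as defined in RFC 6587) while refusing oversized length claims. The names `next_frame`, `enum frame` and the `MAX_MSG` cap are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define MAX_MSG 8192	/* assumed per-message cap, not syslogd's value */

enum frame { FRAME_MORE, FRAME_OCTET, FRAME_LF, FRAME_BAD };

/*
 * Cut one message off the front of buf[0..len). On FRAME_OCTET or
 * FRAME_LF, msg/msglen give the payload and used the bytes to consume.
 */
enum frame
next_frame(const char *buf, size_t len, const char **msg, size_t *msglen,
    size_t *used)
{
	size_t i = 0, n = 0;
	const char *nl;

	/* Octet counting: MSG-LEN SP SYSLOG-MSG, MSG-LEN starts with 1-9. */
	if (len > 0 && buf[0] >= '1' && buf[0] <= '9') {
		while (i < len && buf[i] >= '0' && buf[i] <= '9') {
			n = n * 10 + (size_t)(buf[i++] - '0');
			if (n > MAX_MSG)
				return FRAME_BAD;	/* oversized claim */
		}
		if (i == len)
			return FRAME_MORE;	/* length not complete yet */
		if (buf[i] == ' ') {
			if (len - i - 1 < n)
				return FRAME_MORE;	/* body still arriving */
			*msg = buf + i + 1;
			*msglen = n;
			*used = i + 1 + n;
			return FRAME_OCTET;
		}
		/* digits without SP: treat as newline-framed text */
	}
	/* Non-transparent framing: the message ends at the first LF. */
	nl = len > 0 ? memchr(buf, '\n', len) : NULL;
	if (nl == NULL)
		return len > MAX_MSG ? FRAME_BAD : FRAME_MORE;
	if ((size_t)(nl - buf) > MAX_MSG)
		return FRAME_BAD;
	*msg = buf;
	*msglen = (size_t)(nl - buf);
	*used = *msglen + 1;
	return FRAME_LF;
}
```

A caller keeps appending received bytes to its buffer and calls `next_frame` until it returns `FRAME_MORE`; on `FRAME_BAD` the connection is dropped rather than buffering further.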