Simulating network problems in Linux

Hello everyone, my name is Sasha and I lead backend testing at FunCorp. Like many others, we have adopted a service-oriented architecture. On the one hand this simplifies the work, because it is easier to test each service separately; on the other hand, you also need to test how the services interact with each other, which most often happens over the network.

In this article I will talk about two utilities that can be used to check basic scenarios describing how an application behaves in the presence of network problems.


Simulating network problems

Typically, software is tested on test servers with a good Internet connection. In harsh production environments things may not go so smoothly, so sometimes you need to test programs under poor connectivity. On Linux, the tc utility helps with the task of simulating such conditions.

tc (short for Traffic Control) lets you configure how network packets are transmitted by the system. The utility has extensive capabilities; you can read more about them here. Here we will consider only a few of them: we are interested in traffic scheduling, for which we use qdisc, and since we need to emulate an unstable network, we will use the classless qdisc netem.

Let's start an echo server on the server side (I used nmap-ncat):

ncat -l 127.0.0.1 12345 -k -c 'xargs -n1 -i echo "Response: {}"'

To show in detail all the timestamps at each step of the interaction between client and server, I wrote a simple Python script that sends a Test request to our echo server.

Client source code

#!/usr/bin/env python3

import socket
import time

HOST = '127.0.0.1'
PORT = 12345
BUFFER_SIZE = 1024
MESSAGE = b"Test\n"  # trailing newline: the ncat echo server answers one line per request

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
t1 = time.time()
print("[time before connection: %.5f]" % t1)
s.connect((HOST, PORT))  # no timeout set: see the DROP scenario below
print("[time after connection, before sending: %.5f]" % time.time())
s.send(MESSAGE)
print("[time after sending, before receiving: %.5f]" % time.time())
data = s.recv(BUFFER_SIZE)
print("[time after receiving, before closing: %.5f]" % time.time())
s.close()
t2 = time.time()
print("[time after closing: %.5f]" % t2)
print("[total duration: %.5f]" % (t2 - t1))

print(data.decode())

Let's run it and look at the traffic on interface lo, port 12345:

[user@host ~]# python client.py
[time before connection: 1578652979.44837]
[time after connection, before sending: 1578652979.44889]
[time after sending, before receiving: 1578652979.44894]
[time after receiving, before closing: 1578652979.45922]
[time after closing: 1578652979.45928]
[total duration: 0.01091]
Response: Test

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:42:59.448601 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [S], seq 3383332866, win 43690, options [mss 65495,sackOK,TS val 606325685 ecr 0,nop,wscale 7], length 0
10:42:59.448612 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [S.], seq 2584700178, ack 3383332867, win 43690, options [mss 65495,sackOK,TS val 606325685 ecr 606325685,nop,wscale 7], length 0
10:42:59.448622 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 0
10:42:59.448923 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 5
10:42:59.448930 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [.], ack 6, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 0
10:42:59.459118 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 606325696 ecr 606325685], length 14
10:42:59.459213 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 606325696 ecr 606325696], length 0
10:42:59.459268 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 606325696 ecr 606325696], length 0
10:42:59.460184 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 606325697 ecr 606325696], length 0
10:42:59.460196 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 606325697 ecr 606325697], length 0

Everything is standard: a three-way handshake, then PSH/ACK and ACK twice, which is the request and response exchange between client and server, and FIN/ACK and ACK twice, which is the connection teardown.

Packet delay

Now let's set the delay to 500 milliseconds:

tc qdisc add dev lo root netem delay 500ms

Let's run the client and see that the script now takes 2 seconds:

[user@host ~]# ./client.py
[time before connection: 1578662612.71044]
[time after connection, before sending: 1578662613.71059]
[time after sending, before receiving: 1578662613.71065]
[time after receiving, before closing: 1578662614.72011]
[time after closing: 1578662614.72019]
[total duration: 2.00974]
Response: Test

What does the traffic look like? Let's see:

Traffic dump

13:23:33.210520 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [S], seq 1720950927, win 43690, options [mss 65495,sackOK,TS val 615958947 ecr 0,nop,wscale 7], length 0
13:23:33.710554 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [S.], seq 1801168125, ack 1720950928, win 43690, options [mss 65495,sackOK,TS val 615959447 ecr 615958947,nop,wscale 7], length 0
13:23:34.210590 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 615959947 ecr 615959447], length 0
13:23:34.210657 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 615959947 ecr 615959447], length 5
13:23:34.710680 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [.], ack 6, win 342, options [nop,nop,TS val 615960447 ecr 615959947], length 0
13:23:34.719371 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 615960456 ecr 615959947], length 14
13:23:35.220106 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 615960957 ecr 615960456], length 0
13:23:35.220188 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 615960957 ecr 615960456], length 0
13:23:35.720994 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 615961457 ecr 615960957], length 0
13:23:36.221025 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 615961957 ecr 615961457], length 0

You can see that the expected half-second delay appeared at each step of the interaction between client and server. The system behaves much more interestingly if the delay is larger: the kernel starts retransmitting some TCP packets. Let's change the delay to 1 second and look at the traffic (I won't show the client output; the total duration reflects the expected 1-second delays):

tc qdisc change dev lo root netem delay 1s

Traffic dump

13:29:07.709981 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616292946 ecr 0,nop,wscale 7], length 0
13:29:08.710018 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616293946 ecr 616292946,nop,wscale 7], length 0
13:29:08.711094 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616293948 ecr 0,nop,wscale 7], length 0
13:29:09.710048 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616294946 ecr 616293946], length 0
13:29:09.710152 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 616294947 ecr 616293946], length 5
13:29:09.711120 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616294948 ecr 616292946,nop,wscale 7], length 0
13:29:10.710173 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [.], ack 6, win 342, options [nop,nop,TS val 616295947 ecr 616294947], length 0
13:29:10.711140 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616295948 ecr 616293946], length 0
13:29:10.714782 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 616295951 ecr 616294947], length 14
13:29:11.714819 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:11.714893 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:12.715562 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 616297952 ecr 616296951], length 0
13:29:13.715596 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 616298952 ecr 616297952], length 0

You can see that the client sent the SYN packet twice, and the server sent SYN/ACK twice.
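Reading retransmissions and delays out of a dump by eye does not scale to a test suite. As an added example (not code from the original article), the Python parser below reads tcpdump -nn lines of the format shown above, takes the gap between the first SYN and the first SYN/ACK as the one-way delay netem applied, and counts retransmitted segments; its sample input is the 1 s delay capture from this page, and parse_line, segment_key and analyse are this example's own names.

```python
import re
from collections import Counter

# One-line tcpdump format as printed with -nn for TCP on lo (as in the dumps above).
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\](?:, seq (?P<seq>\d+(?::\d+)?))?"
)

# Sample input: the 1 s delay capture from this page (packet lines only, no banner).
SAMPLE_DUMP = """\
13:29:07.709981 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616292946 ecr 0,nop,wscale 7], length 0
13:29:08.710018 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616293946 ecr 616292946,nop,wscale 7], length 0
13:29:08.711094 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616293948 ecr 0,nop,wscale 7], length 0
13:29:09.710048 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616294946 ecr 616293946], length 0
13:29:09.710152 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 616294947 ecr 616293946], length 5
13:29:09.711120 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616294948 ecr 616292946,nop,wscale 7], length 0
13:29:10.710173 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [.], ack 6, win 342, options [nop,nop,TS val 616295947 ecr 616294947], length 0
13:29:10.711140 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616295948 ecr 616293946], length 0
13:29:10.714782 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 616295951 ecr 616294947], length 14
13:29:11.714819 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:11.714893 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:12.715562 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 616297952 ecr 616296951], length 0
13:29:13.715596 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 616298952 ecr 616297952], length 0
"""

def parse_line(line):
    """Return a dict for one packet line, or None for banner and empty lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    h, mnt, sec = pkt["ts"].split(":")
    pkt["t"] = int(h) * 3600 + int(mnt) * 60 + float(sec)  # seconds since midnight
    return pkt

def segment_key(pkt):
    """Identity of a TCP segment: endpoints, flags and sequence range."""
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["flags"], pkt["seq"])

def analyse(lines, server_port):
    """Summarise handshake timing and retransmissions for one connection."""
    pkts = [p for p in map(parse_line, lines) if p]
    port = str(server_port)
    syn = next(p for p in pkts if p["flags"] == "S" and p["dport"] == port)
    synack = next(p for p in pkts if p["flags"] == "S." and p["sport"] == port)
    # netem on lo delays every packet once per direction, so the gap between
    # the first SYN and the first SYN/ACK in the capture is the one-way delay.
    one_way = synack["t"] - syn["t"]
    # A retransmission is the same segment seen again. Pure ACKs carry no seq
    # and are skipped: duplicate ACKs are not retransmissions.
    counts = Counter(segment_key(p) for p in pkts if p["seq"] is not None)
    retrans = {k: n - 1 for k, n in counts.items() if n > 1}
    return {
        "packets": len(pkts),
        "one_way_delay": one_way,
        "total_duration": pkts[-1]["t"] - pkts[0]["t"],
        "retransmitted_segments": sum(retrans.values()),
        "retransmitted_syn": sum(n for k, n in retrans.items() if k[4] == "S"),
        "retransmitted_synack": sum(n for k, n in retrans.items() if k[4] == "S."),
    }

if __name__ == "__main__":
    import sys  # usage: tcpdump -i lo -nn -l port 12345 > dump.txt; python3 analyse.py dump.txt
    lines = SAMPLE_DUMP.splitlines()
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            lines = f.read().splitlines()
    for name, value in analyse(lines, 12345).items():
        print(f"{name}: {value}")
```

On the sample capture it reports a one-way delay of about 1.0 s and one retransmitted SYN plus one retransmitted SYN/ACK, which is exactly what the dump shows.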

Besides a constant value, the delay can be given a deviation, a distribution function and a correlation (with the value for the previous packet). This is done as follows:

tc qdisc change dev lo root netem delay 500ms 400ms 50 distribution normal

Here we set the delay between 100 and 900 milliseconds; the values are chosen according to a normal distribution, with 50% correlation with the delay value of the previous packet.

You may have noticed that in the first command I used add and then change. The meaning of these commands is obvious, so I will only add that there is also del, which removes the configuration.

Packet loss

Now let's try packet loss. As the documentation shows, this can be done in three ways: dropping packets randomly with some probability, using a 2-, 3- or 4-state Markov chain to compute packet loss, or using the Elliott-Gilbert model. In this article I will consider the first method (the simplest and most obvious); you can read about the others here.

Let's make 50% of packets get lost, with 25% correlation:

tc qdisc add dev lo root netem loss 50% 25%

Unfortunately, tcpdump cannot clearly show us packet loss, so we will just assume it really works. The increased and unstable running time of client.py (it may finish instantly or maybe in 20 seconds) will help us verify this, as will the larger number of retransmitted segments:

[user@host ~]# netstat -s | grep retransmited; sleep 10; netstat -s | grep retransmited
    17147 segments retransmited
    17185 segments retransmited

Adding noise to packets

Besides packet loss, you can simulate packet corruption: noise is introduced at a random position in the packet. Let's corrupt packets with 50% probability and no correlation:

tc qdisc change dev lo root netem corrupt 50%

We run the client script (nothing interesting there, except that it took 2 seconds to complete) and look at the traffic:

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:20:54.812434 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [S], seq 2023663770, win 43690, options [mss 65495,sackOK,TS val 1037001049 ecr 0,nop,wscale 7], length 0
10:20:54.812449 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [S.], seq 2104268044, ack 2023663771, win 43690, options [mss 65495,sackOK,TS val 1037001049 ecr 1037001049,nop,wscale 7], length 0
10:20:54.812458 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1037001049 ecr 1037001049], length 0
10:20:54.812509 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1037001049 ecr 1037001049], length 5
10:20:55.013093 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1037001250 ecr 1037001049], length 5
10:20:55.013122 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [.], ack 6, win 342, options [nop,nop,TS val 1037001250 ecr 1037001250], length 0
10:20:55.014681 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 1037001251 ecr 1037001250], length 14
10:20:55.014745 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 15, win 340, options [nop,nop,TS val 1037001251 ecr 1037001251], length 0
10:20:55.014823 IP 127.0.0.1.43666 > 127.0.0.5.12345: Flags [F.], seq 2023663776, ack 2104268059, win 342, options [nop,nop,TS val 1037001251 ecr 1037001251], length 0
10:20:55.214088 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [P.], seq 1:15, ack 6, win 342, options [nop,unknown-65 0x0a3dcf62eb3d,[bad opt]>
10:20:55.416087 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 1037001653 ecr 1037001251], length 0
10:20:55.416804 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 1037001653 ecr 1037001653], length 0
10:20:55.416818 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 16, win 343, options [nop,nop,TS val 1037001653 ecr 1037001653], length 0
10:20:56.147086 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 1037002384 ecr 1037001653], length 0
10:20:56.147101 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 1037002384 ecr 1037001653], length 0

You can see that some packets were sent repeatedly and there is one packet with broken metadata: options [nop,unknown-65 0x0a3dcf62eb3d,[bad opt]>. But the main thing is that in the end everything worked correctly: TCP coped with its task.

Packet duplication

What else can netem do? For example, it can simulate the opposite of packet loss: packet duplication. This command also takes two arguments, probability and correlation.

tc qdisc change dev lo root netem duplicate 50% 25%

Reordering packets

Packets can be shuffled in two ways.

In the first, some packets are sent immediately and the rest with the specified delay. Example from the documentation:

tc qdisc change dev lo root netem delay 10ms reorder 25% 50%

With 25% probability (and 50% correlation) a packet is sent immediately; the rest are sent with a 10 millisecond delay.

The second method is when every Nth packet is sent instantly with a given probability (and correlation), and the rest with a given delay. Example from the documentation:

tc qdisc change dev lo root netem delay 10ms reorder 25% 50% gap 5

Every fifth packet has a 25% chance of being sent without delay.

Changing bandwidth

Usually TBF is referred to everywhere for this, but netem can also change the interface bandwidth:

tc qdisc change dev lo root netem rate 56kbit

This command will make round trips over localhost as painful as surfing the Internet through a dial-up modem. Besides setting the bitrate, you can also emulate the link-layer protocol model: set the per-packet overhead, the cell size and the per-cell overhead. For example, this simulates ATM at a bitrate of 56 kbit/s:

tc qdisc change dev lo root netem rate 56kbit 0 48 5
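Each add/change above must be matched by a del, or the impairment stays on the host after the test run. As an added example (not part of the article), the Python wrapper below builds the netem argument list for every option covered in this section (delay with jitter, correlation and distribution; loss, corrupt and duplicate with correlation; reorder with gap; rate with link-layer overhead) and deletes the qdisc when the with-block exits, even when the test body raises. Netem, netem_args and dry_run_session are this example's own names, and the run hook lets the commands be recorded instead of executed, so the dry run needs no root.

```python
import contextlib
import shlex
import subprocess

def _pct(name, value):
    # netem expresses probabilities and correlations as percentages
    if not 0 <= value <= 100:
        raise ValueError(f"{name} must be 0..100 percent, got {value}")
    return f"{value:g}%"

def netem_args(delay=None, jitter=None, delay_corr=None, distribution=None,
               loss=None, loss_corr=None, corrupt=None, corrupt_corr=None,
               duplicate=None, duplicate_corr=None, reorder=None,
               reorder_corr=None, gap=None, rate=None):
    """Arguments that follow `tc qdisc add|change dev DEV root netem`."""
    out = []
    if delay is not None:
        out += ["delay", delay]
        if jitter is not None:
            out.append(jitter)
            if delay_corr is not None:
                out.append(_pct("delay correlation", delay_corr))
        if distribution is not None:
            out += ["distribution", distribution]
    for name, prob, corr in (("loss", loss, loss_corr),
                             ("corrupt", corrupt, corrupt_corr),
                             ("duplicate", duplicate, duplicate_corr)):
        if prob is not None:
            out += [name, _pct(name, prob)]
            if corr is not None:
                out.append(_pct(name + " correlation", corr))
    if reorder is not None:
        if delay is None:  # reordering works by holding some packets back
            raise ValueError("reorder requires delay")
        out += ["reorder", _pct("reorder", reorder)]
        if reorder_corr is not None:
            out.append(_pct("reorder correlation", reorder_corr))
        if gap is not None:
            out += ["gap", str(gap)]
    if rate is not None:  # "56kbit" or ("56kbit", overhead, cellsize, celloverhead)
        out += ["rate"] + ([rate] if isinstance(rate, str) else [str(x) for x in rate])
    return out

class Netem:
    """tc qdisc add on enter, tc qdisc del on exit, even when the test fails."""
    def __init__(self, dev="lo", run=None):
        self.dev = dev
        self.commands = []  # audit trail of every command issued
        self._run = run or (lambda argv: subprocess.run(argv, check=True))
        self._added = False

    def _tc(self, verb, *args):
        argv = ["tc", "qdisc", verb, "dev", self.dev, "root", *args]
        self.commands.append(" ".join(shlex.quote(a) for a in argv))
        self._run(argv)

    def add(self, **kw):
        self._tc("add", "netem", *netem_args(**kw))
        self._added = True

    def change(self, **kw):
        self._tc("change", "netem", *netem_args(**kw))

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        if self._added:
            self._tc("del")
        return False  # never swallow the test's own exception

def dry_run_session(fail=False):
    n = Netem("lo", run=lambda argv: None)  # record only; no root needed
    # suppress() is outermost, so n.__exit__ (the del) runs before the error is swallowed
    with contextlib.suppress(RuntimeError), n:
        n.add(delay="500ms", jitter="400ms", delay_corr=50, distribution="normal")
        n.change(loss=50, loss_corr=25)
        n.change(delay="10ms", reorder=25, reorder_corr=50, gap=5)
        n.change(rate=("56kbit", 0, 48, 5))
        if fail: raise RuntimeError("simulated test failure")
    return n.commands
```

Pass no run hook to execute the commands for real (as root); n.commands then doubles as the log of what was applied to the interface.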

Simulating a connection timeout

Another important point in the test plan when accepting software is timeouts. This matters because in distributed systems, when one of the services is down, the others must fail over in time or return an error to the client, and in no case should they simply hang waiting for a response or for a connection to be established.

There are several ways to do this: for example, use a mock that doesn't respond, or attach to the process with a debugger, set a breakpoint in the right place and stop the process (this is probably the most perverse way). But one of the most obvious is to firewall ports or hosts. iptables will help us with this.

For the demonstration we will firewall port 12345 and run our client script. You can firewall outgoing packets to this port on the sender or incoming packets on the receiver. In my examples incoming packets will be firewalled (we use the INPUT chain and the --dport option). Such packets can be DROPped, REJECTed, or REJECTed with a TCP RST flag or with an ICMP host unreachable (in fact, the default behaviour is icmp-port-unreachable, and it is also possible to send icmp-net-unreachable, icmp-proto-unreachable, icmp-net-prohibited and icmp-host-prohibited).

DROP

If there is a rule with DROP, packets simply "disappear".

iptables -A INPUT -p tcp --dport 12345 -j DROP

We launch the client and see that it freezes at the stage of connecting to the server. Let's look at the traffic:

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
08:28:20.213506 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203046450 ecr 0,nop,wscale 7], length 0
08:28:21.215086 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203047452 ecr 0,nop,wscale 7], length 0
08:28:23.219092 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203049456 ecr 0,nop,wscale 7], length 0
08:28:27.227087 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203053464 ecr 0,nop,wscale 7], length 0
08:28:35.235102 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203061472 ecr 0,nop,wscale 7], length 0

You can see that the client sends SYN packets with an exponentially growing timeout. So we found a small bug in the client: you need to use the settimeout() method to limit the time the client will spend trying to connect to the server.

We immediately remove the rule:

iptables -D INPUT -p tcp --dport 12345 -j DROP

You can also delete all rules at once:

iptables -F

If you use Docker and need to firewall all traffic going to a container, you can do it like this:

iptables -I DOCKER-USER -p tcp -d CONTAINER_IP -j DROP

REJECT

Now let's add a similar rule, but with REJECT:

iptables -A INPUT -p tcp --dport 12345 -j REJECT

The client exits after a second with the error [Errno 111] Connection refused. Let's look at the ICMP traffic:

[user@host ~]# tcpdump -i lo -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
08:45:32.871414 IP 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 tcp port 12345 unreachable, length 68
08:45:33.873097 IP 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 tcp port 12345 unreachable, length 68

You can see that the client received port unreachable twice and then exited with an error.

REJECT with tcp-reset

Let's try adding the --reject-with tcp-reset option:

iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

In this case the client exits with an error immediately, because the first request received an RST packet:

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
09:02:52.766175 IP 127.0.0.1.60658 > 127.0.0.1.12345: Flags [S], seq 1889460883, win 43690, options [mss 65495,sackOK,TS val 1205119003 ecr 0,nop,wscale 7], length 0
09:02:52.766184 IP 127.0.0.1.12345 > 127.0.0.1.60658: Flags [R.], seq 0, ack 1889460884, win 0, length 0

REJECT with icmp-host-unreachable

Let's try another option for REJECT:

iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-host-unreachable

The client exits after a second with the error [Errno 113] No route to host, and in the ICMP traffic we see ICMP host 127.0.0.1 unreachable.

You can also try the other REJECT parameters; I'll stop at these :)

Simulating a request timeout

Another situation is when the client was able to connect to the server but cannot send it a request. How do you filter packets so that filtering does not start immediately? If you look at the traffic of any client-server communication, you will notice that when the connection is established only the SYN and ACK flags are used, but when data is exchanged the last packet of a request carries the PSH flag. It is set automatically to avoid buffering. You can use this to build a filter: allow all packets except those carrying the PSH flag. The connection will then be established, but the client will not be able to send data to the server.

DROP

For DROP the command looks like this:

iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j DROP

Start the client and watch the traffic:

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:02:47.549498 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [S], seq 2166014137, win 43690, options [mss 65495,sackOK,TS val 1208713786 ecr 0,nop,wscale 7], length 0
10:02:47.549510 IP 127.0.0.1.12345 > 127.0.0.1.49594: Flags [S.], seq 2341799088, ack 2166014138, win 43690, options [mss 65495,sackOK,TS val 1208713786 ecr 1208713786,nop,wscale 7], length 0
10:02:47.549520 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1208713786 ecr 1208713786], length 0
10:02:47.549568 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208713786 ecr 1208713786], length 5
10:02:47.750084 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208713987 ecr 1208713786], length 5
10:02:47.951088 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208714188 ecr 1208713786], length 5
10:02:48.354089 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208714591 ecr 1208713786], length 5

We see that the connection is established and the client cannot send data to the server.

REJECT

In this case the behaviour will be the same: the client will not be able to send the request, but it will receive ICMP 127.0.0.1 tcp port 12345 unreachable and will increase the time between retransmissions of the request exponentially. The command looks like this:

iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j REJECT

REJECT with tcp-reset

The command looks like this:

iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j REJECT --reject-with tcp-reset

We already know that with --reject-with tcp-reset the client receives an RST packet in response, so the behaviour is predictable: receiving an RST packet on an established connection means that the socket was unexpectedly closed on the other side, so the client should get Connection reset by peer. Let's run our script and make sure of this. This is what the traffic looks like:

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:22:14.186269 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [S], seq 2615137531, win 43690, options [mss 65495,sackOK,TS val 1209880423 ecr 0,nop,wscale 7], length 0
10:22:14.186284 IP 127.0.0.1.12345 > 127.0.0.1.52536: Flags [S.], seq 3999904809, ack 2615137532, win 43690, options [mss 65495,sackOK,TS val 1209880423 ecr 1209880423,nop,wscale 7], length 0
10:22:14.186293 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1209880423 ecr 1209880423], length 0
10:22:14.186338 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1209880423 ecr 1209880423], length 5
10:22:14.186344 IP 127.0.0.1.12345 > 127.0.0.1.52536: Flags [R], seq 3999904810, win 0, length 0

REJECT with icmp-host-unreachable

I think it is already obvious to everyone what the command will look like :) The client's behaviour in this case differs slightly from that with a plain REJECT: the client does not increase the timeout between attempts to resend the packet.

[user@host ~]# tcpdump -i lo -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:29:56.149202 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.349107 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.549117 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.750125 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.951130 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:57.152107 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:57.353115 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
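The settimeout() bug noted under the connection-timeout DROP case and the request-timeout scenarios in this section are both handled by the client below. It is an added example, not the article's client.py: send_request, fake_server and unused_port are this example's own names, and the in-process fake server (which answers like the ncat echo server, or accepts and never replies) stands in for the firewalled server so the success, hang and refused paths run without root; the SYN-drop, host-unreachable and RST paths use the same code but need the iptables rules above to trigger.

```python
import socket
import threading
import time

def send_request(host, port, message, connect_timeout=2.0, request_timeout=2.0):
    """Connect, send one request, read one reply, and classify any failure.

    Statuses map to this page's scenarios: connect-timeout (SYN dropped),
    refused (RST or ICMP port unreachable), unreachable (ICMP host unreachable),
    request-timeout (PSH segments dropped after the handshake), reset (RST).
    """
    t0 = time.monotonic()
    result = {"status": None, "response": None, "errno": None}
    try:
        # connect_timeout is the settimeout() the original client lacks; without
        # it a DROP rule leaves connect() retrying SYN for minutes.
        sock = socket.create_connection((host, port), timeout=connect_timeout)
    except socket.timeout:
        result["status"] = "connect-timeout"
    except ConnectionRefusedError as e:
        result["status"], result["errno"] = "refused", e.errno
    except OSError as e:
        result["status"], result["errno"] = "unreachable", e.errno
    else:
        with sock:
            sock.settimeout(request_timeout)  # bounds sendall() and recv() too
            try:
                sock.sendall(message)
                result["response"] = sock.recv(1024)
                result["status"] = "ok"
            except socket.timeout:
                result["status"] = "request-timeout"
            except ConnectionResetError as e:
                result["status"], result["errno"] = "reset", e.errno
    result["elapsed"] = time.monotonic() - t0
    return result

def fake_server(mode):
    """Constructed stand-in for the ncat echo server on a free port.

    'echo' answers like xargs -n1 -i echo "Response: {}"; 'hang' accepts and
    never replies, which is what the client sees when iptables drops its PSH segments.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            req = conn.recv(1024)
            if mode == "echo":
                conn.sendall(b"Response: " + req.strip() + b"\n")
            else:
                time.sleep(3)  # longer than the client's request_timeout below

    threading.Thread(target=serve, daemon=True).start()
    return port

def unused_port():
    """A port nobody listens on: connect() gets an RST, i.e. ECONNREFUSED."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def demo():
    """The three scenarios reproducible without root; the rest need the rules above."""
    msg = b"Test\n"
    return {
        "echo": send_request("127.0.0.1", fake_server("echo"), msg, 1.0, 1.0),
        "hang": send_request("127.0.0.1", fake_server("hang"), msg, 1.0, 0.5),
        "refused": send_request("127.0.0.1", unused_port(), msg, 1.0, 1.0),
    }

if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:8s} {r['status']:16s} {r['elapsed']:.3f}s {r['response']!r}")
```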

Conclusion

You don't have to write a mock to test how a service interacts with a hanging client or server; sometimes it is enough to use the standard utilities available in Linux.

The utilities discussed in the article have even more capabilities than described here, so you can come up with your own ways of using them. Personally, what I wrote about has always been enough for me (in fact, even less). If you use these or similar utilities for testing at your company, please write how exactly. If not, I hope your software gets better if you decide to test it under network-problem conditions using the suggested methods.

Source: www.habr.com
