Simulating network problems in Linux

Hello everyone, my name is Sasha, and I lead backend testing at FunCorp. Like many others, we have adopted a service-oriented architecture. On the one hand, this simplifies the work, since each service is easier to test on its own, but on the other hand, there is a need to test how the services interact with each other, which usually happens over the network.

In this article I will talk about two utilities that can be used to check the basic scenarios describing how an application behaves in the presence of network problems.


Simulating network problems

Usually software is tested on test servers with a good Internet connection. In a harsh production environment things may not be so smooth, so sometimes you need to test a program under poor connection conditions. On Linux, the tc utility helps with the task of simulating such conditions.

tc (short for Traffic Control) lets you configure how network packets are transmitted on the system. The utility has extensive capabilities; you can read more about them here. Here I will consider only a few of them: we are interested in traffic scheduling, for which qdisc is used, and since we need to emulate an unstable network, we will use the classless qdisc netem.

Let's start an echo server on the server side (I used nmap-ncat):

ncat -l 127.0.0.1 12345 -k -c 'xargs -n1 -i echo "Response: {}"'

To show in detail all the timestamps at each step of the interaction between the client and the server, I wrote a simple Python script that sends the request Test to our echo server.

Client source code

#!/usr/bin/env python3

import socket
import time

HOST = '127.0.0.1'
PORT = 12345
BUFFER_SIZE = 1024
MESSAGE = b"Test\n"  # newline-terminated so that xargs -n1 on the server sees one line

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
t1 = time.time()
print("[time before connection: %.5f]" % t1)
s.connect((HOST, PORT))
print("[time after connection, before sending: %.5f]" % time.time())
s.send(MESSAGE)
print("[time after sending, before receiving: %.5f]" % time.time())
data = s.recv(BUFFER_SIZE)
print("[time after receiving, before closing: %.5f]" % time.time())
s.close()
t2 = time.time()
print("[time after closing: %.5f]" % t2)
print("[total duration: %.5f]" % (t2 - t1))

print(data.decode())

Let's run it and look at the traffic on the lo interface and port 12345:

[user@host ~]# python client.py
[time before connection: 1578652979.44837]
[time after connection, before sending: 1578652979.44889]
[time after sending, before receiving: 1578652979.44894]
[time after receiving, before closing: 1578652979.45922]
[time after closing: 1578652979.45928]
[total duration: 0.01091]
Response: Test

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:42:59.448601 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [S], seq 3383332866, win 43690, options [mss 65495,sackOK,TS val 606325685 ecr 0,nop,wscale 7], length 0
10:42:59.448612 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [S.], seq 2584700178, ack 3383332867, win 43690, options [mss 65495,sackOK,TS val 606325685 ecr 606325685,nop,wscale 7], length 0
10:42:59.448622 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 0
10:42:59.448923 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 5
10:42:59.448930 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [.], ack 6, win 342, options [nop,nop,TS val 606325685 ecr 606325685], length 0
10:42:59.459118 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 606325696 ecr 606325685], length 14
10:42:59.459213 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 606325696 ecr 606325696], length 0
10:42:59.459268 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 606325696 ecr 606325696], length 0
10:42:59.460184 IP 127.0.0.1.12345 > 127.0.0.1.54054: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 606325697 ecr 606325696], length 0
10:42:59.460196 IP 127.0.0.1.54054 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 606325697 ecr 606325697], length 0

Everything is standard: a three-way handshake; PSH/ACK with an ACK in response, twice, which is the exchange of request and response between the client and the server; and FIN/ACK with an ACK, twice, which closes the connection.

Packet delay

Now let's set the delay to 500 milliseconds:

tc qdisc add dev lo root netem delay 500ms

We run the client and see that the script now takes 2 seconds:

[user@host ~]# ./client.py
[time before connection: 1578662612.71044]
[time after connection, before sending: 1578662613.71059]
[time after sending, before receiving: 1578662613.71065]
[time after receiving, before closing: 1578662614.72011]
[time after closing: 1578662614.72019]
[total duration: 2.00974]
Response: Test

What is in the traffic? Let's look:

Traffic dump

13:23:33.210520 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [S], seq 1720950927, win 43690, options [mss 65495,sackOK,TS val 615958947 ecr 0,nop,wscale 7], length 0
13:23:33.710554 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [S.], seq 1801168125, ack 1720950928, win 43690, options [mss 65495,sackOK,TS val 615959447 ecr 615958947,nop,wscale 7], length 0
13:23:34.210590 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 615959947 ecr 615959447], length 0
13:23:34.210657 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 615959947 ecr 615959447], length 5
13:23:34.710680 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [.], ack 6, win 342, options [nop,nop,TS val 615960447 ecr 615959947], length 0
13:23:34.719371 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 615960456 ecr 615959947], length 14
13:23:35.220106 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 615960957 ecr 615960456], length 0
13:23:35.220188 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 615960957 ecr 615960456], length 0
13:23:35.720994 IP 127.0.0.1.12345 > 127.0.0.1.58694: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 615961457 ecr 615960957], length 0
13:23:36.221025 IP 127.0.0.1.58694 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 615961957 ecr 615961457], length 0

You can see that the expected half-second lag has appeared in the interaction between the client and the server. The system behaves more interestingly when the lag is larger: the kernel starts retransmitting some TCP packets. Let's change the delay to 1 second and look at the traffic (I won't show the client output; it reports the expected 4 seconds of total duration):

tc qdisc change dev lo root netem delay 1s

Traffic dump

13:29:07.709981 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616292946 ecr 0,nop,wscale 7], length 0
13:29:08.710018 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616293946 ecr 616292946,nop,wscale 7], length 0
13:29:08.711094 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616293948 ecr 0,nop,wscale 7], length 0
13:29:09.710048 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616294946 ecr 616293946], length 0
13:29:09.710152 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 616294947 ecr 616293946], length 5
13:29:09.711120 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616294948 ecr 616292946,nop,wscale 7], length 0
13:29:10.710173 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [.], ack 6, win 342, options [nop,nop,TS val 616295947 ecr 616294947], length 0
13:29:10.711140 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616295948 ecr 616293946], length 0
13:29:10.714782 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 616295951 ecr 616294947], length 14
13:29:11.714819 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:11.714893 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 616296951 ecr 616295951], length 0
13:29:12.715562 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 616297952 ecr 616296951], length 0
13:29:13.715596 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 616298952 ecr 616297952], length 0

You can see that the client sent the SYN packet twice, and the server sent SYN/ACK twice.

Besides a constant value, the delay can be given a deviation, a distribution function and a correlation (with the value used for the previous packet). This is done like so:

tc qdisc change dev lo root netem delay 500ms 400ms 50 distribution normal

Here we have set a delay between 100 and 900 milliseconds; the values will be chosen according to a normal distribution and will have a 50% correlation with the delay value of the previous packet.

You may have noticed that in the first command I used add, and change afterwards. The meaning of these commands is obvious, so I will only add that there is also del, which can be used to remove the configuration.

Packet loss

Now let's try packet loss. As can be seen from the documentation, this can be done in three ways: random packet loss with some probability, a 2-, 3- or 4-state Markov chain for computing packet loss, or the Gilbert-Elliott model. In this article I will consider the first (the simplest and most obvious) method, and you can read about the others here.

Let's lose 50% of packets with a 25% correlation:

tc qdisc add dev lo root netem loss 50% 25%

Unfortunately, tcpdump cannot show us packet loss clearly, so we will just assume that it really works. What helps us verify it is the increased and unstable run time of the client.py script (it can finish instantly, or perhaps in 20 seconds), as well as the growing number of retransmitted segments:

[user@host ~]# netstat -s | grep retransmited; sleep 10; netstat -s | grep retransmited
    17147 segments retransmited
    17185 segments retransmited
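Since tcpdump shows delay and loss only indirectly, one way to make them visible is to parse the capture itself: the same segment appearing on the wire again is a retransmission, and the gap between the first SYN and the client's final ACK is the handshake time. The analyser below is an added example, not code from the article; the sample lines are the first eight lines of the 1 s delay capture above, and the function names are my own.

```python
#!/usr/bin/env python3
# Added example, not part of the article: an analyser for lines in the
# 'tcpdump -i lo -nn port 12345' format shown above. It extracts what the
# article reads by eye (time, endpoints, flags, seq, ack) and reports
# retransmissions and handshake time, which is how delay and loss show up.
import re
from collections import defaultdict
from datetime import datetime

HEAD = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

# Sample input copied from the article: the handshake and first request of
# the run with 'netem delay 1s' (the first eight lines of that capture).
DELAY_1S_CAPTURE = [
    "13:29:07.709981 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616292946 ecr 0,nop,wscale 7], length 0",
    "13:29:08.710018 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616293946 ecr 616292946,nop,wscale 7], length 0",
    "13:29:08.711094 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [S], seq 283338334, win 43690, options [mss 65495,sackOK,TS val 616293948 ecr 0,nop,wscale 7], length 0",
    "13:29:09.710048 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616294946 ecr 616293946], length 0",
    "13:29:09.710152 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 616294947 ecr 616293946], length 5",
    "13:29:09.711120 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [S.], seq 3514208179, ack 283338335, win 43690, options [mss 65495,sackOK,TS val 616294948 ecr 616292946,nop,wscale 7], length 0",
    "13:29:10.710173 IP 127.0.0.1.12345 > 127.0.0.1.39306: Flags [.], ack 6, win 342, options [nop,nop,TS val 616295947 ecr 616294947], length 0",
    "13:29:10.711140 IP 127.0.0.1.39306 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 616295948 ecr 616293946], length 0",
]


def parse_line(line):
    """Parse one TCP line of 'tcpdump -nn' output; return None for other lines."""
    m = HEAD.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    t = datetime.strptime(pkt["ts"], "%H:%M:%S.%f")
    pkt["t"] = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
    seq = re.search(r"\bseq (\d+)", line)  # first number of 'seq a:b'
    ack = re.search(r"\back (\d+)", line)  # \b keeps 'sackOK' from matching
    pkt["seq"] = int(seq.group(1)) if seq else None
    pkt["ack"] = int(ack.group(1)) if ack else None
    return pkt


def retransmissions(lines):
    """Map (endpoints, flags, seq, ack) -> send times, keeping only the keys
    seen more than once: the same segment sent again is a retransmission."""
    seen = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt:
            key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"],
                   pkt["flags"], pkt["seq"], pkt["ack"])
            seen[key].append(pkt["t"])
    return {k: v for k, v in seen.items() if len(v) > 1}


def resend_intervals(times):
    """Seconds between successive sends of one segment (the RTO timer)."""
    return [b - a for a, b in zip(times, times[1:])]


def handshake_time(lines):
    """Seconds from the first SYN to the client's bare ACK (ack 1) that
    completes the three-way handshake, or None if it never completes."""
    syn_t, client = None, None
    for line in lines:
        pkt = parse_line(line)
        if not pkt:
            continue
        if pkt["flags"] == "S" and syn_t is None:
            syn_t, client = pkt["t"], (pkt["src"], pkt["sport"])
        elif syn_t is not None and pkt["flags"] == "." and pkt["ack"] == 1 \
                and (pkt["src"], pkt["sport"]) == client:
            return pkt["t"] - syn_t
    return None


if __name__ == "__main__":
    for key, times in retransmissions(DELAY_1S_CAPTURE).items():
        gaps = [round(g, 3) for g in resend_intervals(times)]
        print("sent %dx: %s:%s > %s:%s [%s] gaps %s" % ((len(times),) + key[:5] + (gaps,)))
    print("handshake took %.3f s" % handshake_time(DELAY_1S_CAPTURE))
```

With the 1 s delay every hop costs a second, so the handshake takes two seconds and the retransmission timer fires once for the SYN, the SYN/ACK and the final ACK before the originals are acknowledged.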

Adding noise to packets

In addition to packet loss, you can simulate packet corruption: noise will appear at a random position in the packet. Let's corrupt packets with a 50% probability and no correlation:

tc qdisc change dev lo root netem corrupt 50%

We run the client script (nothing interesting, except that it takes 2 seconds to finish) and look at the traffic:

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:20:54.812434 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [S], seq 2023663770, win 43690, options [mss 65495,sackOK,TS val 1037001049 ecr 0,nop,wscale 7], length 0
10:20:54.812449 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [S.], seq 2104268044, ack 2023663771, win 43690, options [mss 65495,sackOK,TS val 1037001049 ecr 1037001049,nop,wscale 7], length 0
10:20:54.812458 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1037001049 ecr 1037001049], length 0
10:20:54.812509 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1037001049 ecr 1037001049], length 5
10:20:55.013093 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1037001250 ecr 1037001049], length 5
10:20:55.013122 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [.], ack 6, win 342, options [nop,nop,TS val 1037001250 ecr 1037001250], length 0
10:20:55.014681 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [P.], seq 1:15, ack 6, win 342, options [nop,nop,TS val 1037001251 ecr 1037001250], length 14
10:20:55.014745 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 15, win 340, options [nop,nop,TS val 1037001251 ecr 1037001251], length 0
10:20:55.014823 IP 127.0.0.1.43666 > 127.0.0.5.12345: Flags [F.], seq 2023663776, ack 2104268059, win 342, options [nop,nop,TS val 1037001251 ecr 1037001251], length 0
10:20:55.214088 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [P.], seq 1:15, ack 6, win 342, options [nop,unknown-65 0x0a3dcf62eb3d,[bad opt]>
10:20:55.416087 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [F.], seq 6, ack 15, win 342, options [nop,nop,TS val 1037001653 ecr 1037001251], length 0
10:20:55.416804 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 1037001653 ecr 1037001653], length 0
10:20:55.416818 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 16, win 343, options [nop,nop,TS val 1037001653 ecr 1037001653], length 0
10:20:56.147086 IP 127.0.0.1.12345 > 127.0.0.1.43666: Flags [F.], seq 15, ack 7, win 342, options [nop,nop,TS val 1037002384 ecr 1037001653], length 0
10:20:56.147101 IP 127.0.0.1.43666 > 127.0.0.1.12345: Flags [.], ack 16, win 342, options [nop,nop,TS val 1037002384 ecr 1037001653], length 0

You can see that some packets were sent several times, and that there is one packet with corrupted metadata: options [nop,unknown-65 0x0a3dcf62eb3d,[bad opt]>. But the main thing is that in the end everything worked correctly: TCP coped with its task.

Packet duplication

What else can netem do? For example, it can simulate the situation opposite to packet loss: packet duplication. This command also takes two arguments, probability and correlation.

tc qdisc change dev lo root netem duplicate 50% 25%

Changing packet order

You can reorder packets in two ways.

In the first, some packets are sent immediately and the rest with the specified delay. An example from the documentation:

tc qdisc change dev lo root netem delay 10ms reorder 25% 50%

With a probability of 25% (and a correlation of 50%) a packet will be sent immediately; the rest will be sent with a delay of 10 milliseconds.

The second method is when every Nth packet is sent immediately with the given probability (and correlation), and the rest with the given delay. An example from the documentation:

tc qdisc change dev lo root netem delay 10ms reorder 25% 50% gap 5

Every fifth packet has a 25% chance of being sent without delay.

Changing bandwidth

Usually everyone refers to TBF for this, but netem can also change the bandwidth of an interface:

tc qdisc change dev lo root netem rate 56kbit

This command makes round trips through localhost as painful as surfing the Internet over a dial-up modem. Besides setting the bit rate, you can also emulate the link-layer protocol model: set the per-packet overhead, the cell size and the per-cell overhead. For example, this is how ATM with a bit rate of 56 kbit/s can be simulated:

tc qdisc change dev lo root netem rate 56kbit 0 48 5

Simulating a connection timeout

Another important point in the test plan when accepting software is timeouts. It matters because in a distributed system, when one of the services goes down, the others must fall back to an alternative in time or return an error to the client, and in no case should they hang waiting for a response or for a connection to be established.

There are several ways to do this: for example, using a mock that does not respond, or attaching to the process with a debugger, placing a breakpoint in the right spot and stopping the process (this is probably the most perverse way). But one of the most obvious is to firewall the port or the host. iptables will help us with this.

For the demo, we will firewall port 12345 and run our client script. You can firewall outgoing packets to this port on the sender or incoming packets on the receiver. In my example, incoming packets will be firewalled (we use the INPUT chain and the --dport option). Such packets can be DROPped, REJECTed, REJECTed with a TCP RST flag, or REJECTed with an ICMP host unreachable (actually, the default behaviour is icmp-port-unreachable, and it is also possible to send a reply of icmp-net-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited).

DROP

With a DROP rule, the packets simply "disappear".

iptables -A INPUT -p tcp --dport 12345 -j DROP

We run the client and see that it freezes at the stage of connecting to the server. Let's look at the traffic:

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
08:28:20.213506 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203046450 ecr 0,nop,wscale 7], length 0
08:28:21.215086 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203047452 ecr 0,nop,wscale 7], length 0
08:28:23.219092 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203049456 ecr 0,nop,wscale 7], length 0
08:28:27.227087 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203053464 ecr 0,nop,wscale 7], length 0
08:28:35.235102 IP 127.0.0.1.32856 > 127.0.0.1.12345: Flags [S], seq 3019694933, win 43690, options [mss 65495,sackOK,TS val 1203061472 ecr 0,nop,wscale 7], length 0

You can see that the client sends SYN packets with an exponentially growing timeout. So we have found a small bug in the client: the settimeout() method should be used to limit how long the client will keep trying to connect to the server.
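The corrected client below is an added example, not the article's client.py: it applies settimeout() and maps the outcomes that the tc and iptables rules in this article produce (a hang, Connection refused, No route to host, Connection reset by peer) to a status string. The in-process test server and the helper names are my own additions so that it runs without the ncat server.

```python
#!/usr/bin/env python3
# Added example, not the article's client.py: the same request with the
# settimeout() fix applied, and the outcomes the article's tc/iptables rules
# produce mapped to a status string instead of a hang or a raw traceback.
import errno
import socket
import threading
import time

HOST = "127.0.0.1"
PORT = 12345          # the ncat echo server from the article
BUFFER_SIZE = 1024
MESSAGE = b"Test\n"


def echo_request(host=HOST, port=PORT, timeout=3.0, message=MESSAGE):
    """Send one request; return (status, detail, seconds elapsed).
    The timeout bounds connect(), sendall() and recv() separately, so the
    worst case is about 3 * timeout, never the open-ended hang seen under DROP."""
    t0 = time.monotonic()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)  # the fix the article points at
    try:
        s.connect((host, port))
        s.sendall(message)
        data = s.recv(BUFFER_SIZE)
        return "ok", data.decode(errors="replace").strip(), time.monotonic() - t0
    except socket.timeout:
        # DROP rules or lossy netem: retransmissions go unanswered until we give up
        return "timeout", "", time.monotonic() - t0
    except ConnectionRefusedError:
        # REJECT (default icmp-port-unreachable) or tcp-reset on connect: errno 111
        return "refused", "errno 111", time.monotonic() - t0
    except ConnectionResetError:
        # tcp-reset against the PSH packet: connection reset by peer
        return "reset", "errno 104", time.monotonic() - t0
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            # --reject-with icmp-host-unreachable: errno 113, "No route to host"
            return "unreachable", "errno %d" % e.errno, time.monotonic() - t0
        return "error", str(e), time.monotonic() - t0
    finally:
        s.close()


def start_test_server(silent=False):
    """Constructed stand-in for the ncat server: serves one connection on an
    ephemeral port like the article's ncat command, or with silent=True reads
    the request and never answers (the PSH-drop case). Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        with conn:
            line = conn.recv(BUFFER_SIZE)
            if silent:
                time.sleep(5)  # hold the connection open past the client's timeout
            else:
                conn.sendall(b"Response: " + line)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


def unused_port():
    """Constructed helper: a localhost port with no listener, to provoke 'refused'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    cases = (("echo", start_test_server()), ("silent", start_test_server(silent=True)),
             ("closed", unused_port()))
    for label, port in cases:
        print("%-6s -> %s" % (label, echo_request(port=port, timeout=1.0)))
```

Against the article's setup, run echo_request() with the default port while each tc or iptables rule is active; the "timeout" branch is what the DROP and PSH-drop rules now produce instead of a hang.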

Let's remove the rule right away:

iptables -D INPUT -p tcp --dport 12345 -j DROP

You can also delete all rules at once:

iptables -F

If you use Docker and need to firewall all traffic to a container, you can do it like this:

iptables -I DOCKER-USER -p tcp -d CONTAINER_IP -j DROP

REJECT

Now let's add the same rule, but with REJECT:

iptables -A INPUT -p tcp --dport 12345 -j REJECT

The client exits after a second with the error [Errno 111] Connection refused. Let's look at the ICMP traffic:

[user@host ~]# tcpdump -i lo -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
08:45:32.871414 IP 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 tcp port 12345 unreachable, length 68
08:45:33.873097 IP 127.0.0.1 > 127.0.0.1: ICMP 127.0.0.1 tcp port 12345 unreachable, length 68

You can see that the client received port unreachable twice and then terminated with an error.

REJECT with tcp-reset

Let's try adding the --reject-with tcp-reset option:

iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

In this case the client exits immediately with an error, because the very first request received an RST packet:

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
09:02:52.766175 IP 127.0.0.1.60658 > 127.0.0.1.12345: Flags [S], seq 1889460883, win 43690, options [mss 65495,sackOK,TS val 1205119003 ecr 0,nop,wscale 7], length 0
09:02:52.766184 IP 127.0.0.1.12345 > 127.0.0.1.60658: Flags [R.], seq 0, ack 1889460884, win 0, length 0

REJECT with icmp-host-unreachable

Let's try another way of using REJECT:

iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-host-unreachable

The client exits after a second with the error [Errno 113] No route to host, and in the ICMP traffic we see ICMP host 127.0.0.1 unreachable.

You can also try the other REJECT parameters; I will stop at these :)

Simulating a request timeout

Another situation is when the client was able to connect to the server but cannot send it a request. How do we filter packets so that the filtering does not kick in immediately? If you look at the traffic of any exchange between a client and a server, you will notice that only the SYN and ACK flags are used while the connection is being established, whereas during the data exchange the last packet of the request carries the PSH flag. It is set automatically to avoid buffering. This information can be used to build the filter: it will let all packets through except those carrying the PSH flag. Thus the connection will be established, but the client will not be able to send data to the server.

DROP

For DROP the command looks like this:

iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j DROP

Run the client and watch the traffic:

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:02:47.549498 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [S], seq 2166014137, win 43690, options [mss 65495,sackOK,TS val 1208713786 ecr 0,nop,wscale 7], length 0
10:02:47.549510 IP 127.0.0.1.12345 > 127.0.0.1.49594: Flags [S.], seq 2341799088, ack 2166014138, win 43690, options [mss 65495,sackOK,TS val 1208713786 ecr 1208713786,nop,wscale 7], length 0
10:02:47.549520 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1208713786 ecr 1208713786], length 0
10:02:47.549568 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208713786 ecr 1208713786], length 5
10:02:47.750084 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208713987 ecr 1208713786], length 5
10:02:47.951088 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208714188 ecr 1208713786], length 5
10:02:48.354089 IP 127.0.0.1.49594 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1208714591 ecr 1208713786], length 5

We see that the connection was established, but the client cannot send data to the server.

REJECT

In this case the behaviour is similar: the client cannot send the request, but it receives ICMP 127.0.0.1 tcp port 12345 unreachable and grows the interval between retransmissions of the request exponentially. The command looks like this:

iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j REJECT

REJECT with tcp-reset

The command looks like this:

iptables -A INPUT -p tcp --tcp-flags PSH PSH --dport 12345 -j REJECT --reject-with tcp-reset

We already know that with --reject-with tcp-reset the client receives a single RST packet in response, so the behaviour is predictable: receiving an RST on an established connection means the socket was unexpectedly closed on the other side, so the client should get Connection reset by peer. Let's run our script and make sure of it. This is what the traffic looks like:

Traffic dump

[user@host ~]# tcpdump -i lo -nn port 12345
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:22:14.186269 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [S], seq 2615137531, win 43690, options [mss 65495,sackOK,TS val 1209880423 ecr 0,nop,wscale 7], length 0
10:22:14.186284 IP 127.0.0.1.12345 > 127.0.0.1.52536: Flags [S.], seq 3999904809, ack 2615137532, win 43690, options [mss 65495,sackOK,TS val 1209880423 ecr 1209880423,nop,wscale 7], length 0
10:22:14.186293 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [.], ack 1, win 342, options [nop,nop,TS val 1209880423 ecr 1209880423], length 0
10:22:14.186338 IP 127.0.0.1.52536 > 127.0.0.1.12345: Flags [P.], seq 1:6, ack 1, win 342, options [nop,nop,TS val 1209880423 ecr 1209880423], length 5
10:22:14.186344 IP 127.0.0.1.12345 > 127.0.0.1.52536: Flags [R], seq 3999904810, win 0, length 0

REJECT with icmp-host-unreachable

I think it is already obvious to everyone what the command looks like :) The client's behaviour in this case differs slightly from that with a plain REJECT: the client does not increase the interval between its attempts to resend the packet.

[user@host ~]# tcpdump -i lo -nn icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
10:29:56.149202 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.349107 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.549117 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.750125 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:56.951130 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:57.152107 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65
10:29:57.353115 IP 127.0.0.1 > 127.0.0.1: ICMP host 127.0.0.1 unreachable, length 65

Conclusion

You do not have to write mocks to test how a service interacts with a hung client or server; sometimes the standard utilities available on Linux are enough.

The utilities discussed in this article have many more capabilities than described here, so you can come up with your own ways of using them. Personally, what I wrote about has always been enough for me (in fact, even less has). If you use these or similar utilities for testing at your company, please write about exactly how. If not, then I hope your software will get better if you decide to test it under network problem conditions using the suggested methods.

Source: www.habr.com
