DESIGN.md

Netem design

At OONI, we have been trying to improve our integration testing and QA strategy for quite some time. This document, in particular, illustrates a QA approach based on gVisor to create TCP/IP stacks in userspace. The framework will connect several gVisor stacks together and will be able to drop packets, throttle connections, etc.

More specifically, we want this framework to enable writing integration tests for OONI experiments where:

  • tests are written in Go and run with go test ./...;

  • tests do not depend on the outside network and do not depend on being on Linux with iptables or netem installed;

  • we can interfere with the nettest traffic (e.g., drop, RST);

  • we can throttle connections, and the testing mechanism will degrade performance when we increase the round-trip time (RTT) or the packet loss rate (PLR).

To this end, we use gVisor to create userspace TCP/IP network stacks. We also implement a mechanism to connect a number of userspace network stacks together, either in point-to-point or in a star topology. We also use gopacket to parse, route, capture, and inject packets.

This package should contain code that integrates ~nicely with the underlying network mechanism of probe-cli. It should also contain helpers required to implement tests without too much effort (e.g., helpers to create PPP or star topologies).

We should, additionally, be able to capture PCAPs by intercepting the packets flowing inside the emulated network.

We should also be able to inject a fake X.509 certificate root, such that we can run unmodified OONI code using fake servers that impersonate existing servers.
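The certificate-root requirement above can be sketched with the Go standard library alone. This is an added example, not netem's own code: `issue` and `NewTestPKI` are hypothetical names, `example.org` is a constructed hostname, and Ed25519 is an arbitrary key choice. It creates a throwaway root that exists only in the test process and shows that a leaf for the emulated server verifies only when that root is passed explicitly.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with signer; a nil parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (cert *x509.Certificate, key ed25519.PrivateKey, err error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour) // one test run only
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err == nil {
		cert, err = x509.ParseCertificate(der)
	}
	return cert, key, err
}

// NewTestPKI returns a pool holding only a fresh test root, and a leaf for host.
func NewTestPKI(host string) (*x509.CertPool, *x509.Certificate, error) {
	ca, caKey, err := issue(&x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "constructed test root"}, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	leaf, _, err := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	return pool, leaf, err
}

func main() {
	pool, leaf, err := NewTestPKI("example.org")
	if err == nil { // Roots is explicit, so the system trust store is never consulted
		_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: "example.org"})
	}
	fmt.Println("leaf verifies against injected test root:", err == nil)
}
```

The root key never leaves the process and the pool is handed only to the code under test, so nothing outside the test run trusts these certificates. A fake server would additionally keep the leaf key that `NewTestPKI` discards here.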

Because OONI code is quite low-level, we may also want higher level code that could simplify using this library in other contexts.

We probably also want a mechanism to deliver packets generated by gVisor stacks to remote hosts where we implement censorship by other means (e.g., real DPI tools, netem, iptables).