engine: throttling-aware jafar replacement #1803
Comments
## Scripts to work with namespaces

### Creating a namespace

```bash
#!/bin/bash
set -ex
# Create the namespace and a veth pair: jafar0 stays on the host, jafar1 lives in the namespace.
ip netns add jafar
ip link add jafar0 type veth peer netns jafar name jafar1
ip link set dev jafar0 up
ip -n jafar link set dev jafar1 up
# Address both ends and route the namespace's traffic through the host end.
ip address add 10.17.14.1/24 dev jafar0
ip -n jafar address add 10.17.14.11/24 dev jafar1
ip -n jafar route add default via 10.17.14.1 dev jafar1
# NAT the namespace's traffic out of the host uplink (wlp2s0 is hardcoded, see note 3).
iptables -t nat -A POSTROUTING -s 10.17.14.0/24 -o wlp2s0 -j MASQUERADE
# Namespace-specific resolv.conf (see note 2).
mkdir -p /etc/netns/jafar/
echo "nameserver 8.8.8.8" > /etc/netns/jafar/resolv.conf
```

Three notes: (1) it seems that Fedora's firewalld prevents this kind of namespace from working because it blocks certain ICMP packets and therefore causes errors; (2) systemd's 127.0.0.53 resolver does not work inside the namespace and we need to create a namespace-specific directory, which is then overlay-mounted when we enter the namespace; and (3) the script is currently hardcoding the correct interface for me.

### Using the namespace

```bash
#!/bin/bash
set -ex
# Run the given command line inside the jafar namespace.
ip netns exec jafar "$@"
```

### Removing the namespace

```bash
#!/bin/bash
set -ex
# Tear down what the creation script set up: namespace, NAT rule, resolver directory.
ip netns del jafar
iptables -t nat -D POSTROUTING -s 10.17.14.0/24 -o wlp2s0 -j MASQUERADE
rm -rf /etc/netns/jafar
```

### Useful links
## Alternative approach

See how google/martian and Shopify/toxiproxy work. It may be that we can implement most operations in userspace without any kernel support, which is potentially quite great to perform QA on all platforms. Part of this approach will include some transparent proxying. Roughly speaking we need to transparently proxy the system resolver and DNS over UDP resolvers to a local proxy. For TCP connections, the most complete solution is probably to redirect to a SOCKS5 proxy. For QUIC connections, the ideal would be some sort of SOCKS5 using QUIC. If we take out the SOCKS5 part, then we need to use the SNI, which is missing for URLs such as http://1.1.1.1.1, which are URLs we want to test. This project https://github.com/freedomio/fio-go may also be useful if we need to implement a "socks5 for QUIC" approach.
## Another possible design

We will stop using netfilter for network filtering. We can do filtering and routing directly inside the implementation by adding hooks that can direct traffic elsewhere to netxlite. We previously had a package called selfcensor, which attempted to do this. The issue with such a package is that it contained both the mechanism and the policy to selfcensor. We're now going to do it a bit differently: the mechanism (allowing for transparent interception) will live inside
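
The mechanism/policy split described in the comment above, shown as an added Go example that is not code from ooni/probe-cli: a dialer wrapper (the mechanism) enforces whatever verdict a separate policy object returns. Every type and constant name here is hypothetical, the addresses are constructed from documentation ranges, and a recording dialer stands in for the network so the program runs offline.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"time"
)

// Action is the verdict a policy returns for one dial attempt.
// All names in this file are hypothetical; none come from ooni/probe-cli.
type Action int

const (
	ActionPass     Action = iota // hand the connection to the real network
	ActionReject                 // fail at once, as a RST would
	ActionTimeout                // swallow the attempt until the context ends
	ActionRedirect               // connect to Target instead (e.g. a local proxy)
)

// Decision is what the policy wants done with a connection attempt.
type Decision struct {
	Action Action
	Target string // only used by ActionRedirect
}

// Policy decides what happens; it contains no networking code.
type Policy interface {
	OnDial(network, address string) Decision
}

// Dialer is the subset of *net.Dialer that the mechanism wraps.
type Dialer interface {
	DialContext(ctx context.Context, network, address string) (net.Conn, error)
}

// ErrRejected is returned when the policy rejects a connection.
var ErrRejected = errors.New("hooked dialer: connection rejected by policy")

// HookedDialer is the mechanism: it intercepts every dial, asks the policy,
// and enforces the answer. It knows nothing about what should be blocked.
type HookedDialer struct {
	Dialer Dialer
	Policy Policy
}

func (d *HookedDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
	dec := d.Policy.OnDial(network, address)
	switch dec.Action {
	case ActionReject:
		return nil, ErrRejected
	case ActionTimeout:
		<-ctx.Done() // the caller must set a deadline, as real clients do
		return nil, ctx.Err()
	case ActionRedirect:
		return d.Dialer.DialContext(ctx, network, dec.Target)
	default:
		return d.Dialer.DialContext(ctx, network, address)
	}
}

// MapPolicy is a table-driven policy keyed by "host:port"; endpoints that are
// not listed pass (the zero Decision is ActionPass).
type MapPolicy map[string]Decision

func (p MapPolicy) OnDial(network, address string) Decision {
	return p[address]
}

// recordingDialer stands in for the network: it records the address it was
// asked to reach and returns one end of an in-memory pipe.
type recordingDialer struct{ dialed []string }

func (r *recordingDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
	r.dialed = append(r.dialed, address)
	client, server := net.Pipe()
	server.Close()
	return client, nil
}

func main() {
	rec := &recordingDialer{}
	d := &HookedDialer{Dialer: rec, Policy: MapPolicy{ // constructed rules
		"192.0.2.10:443": {Action: ActionReject},
		"192.0.2.20:443": {Action: ActionTimeout},
		"192.0.2.30:80":  {Action: ActionRedirect, Target: "127.0.0.1:8080"},
	}}
	targets := []string{"192.0.2.10:443", "192.0.2.20:443", "192.0.2.30:80", "198.51.100.1:443"}
	for _, addr := range targets {
		ctx, cancel := context.WithTimeout(context.Background(), 50*time.Millisecond)
		conn, err := d.DialContext(ctx, "tcp", addr)
		cancel()
		if conn != nil {
			conn.Close()
		}
		fmt.Printf("%-18s err=%v\n", addr, err)
	}
	fmt.Println("reached the network:", rec.dialed)
}
```

Swapping `MapPolicy` for another `Policy` changes what is censored without touching the dialer, which is the property the selfcensor package lacked according to the comment.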
I develop this diff while working on ooni/probe#1803 (comment). While there, make sure we don't have duplicate bogon code and always use the code inside netxlite.
This change will simplify follow-up work done as part of ooni/probe#1803 (comment) to implement a comprehensive self-censoring solution. While there, rename the "proxy" action to "pass" because what we are effectively doing is passing traffic to the network (that's a minor change but it seems a better analogy).
Without this change, it takes too much to serve a single query and we cannot properly use this code for QA. See ooni/probe#1803 (comment)
Needed to finish the design at ooni/probe#1803 (comment)
This PR implements the core concept described at ooni/probe#1803 (comment). While there, try to reduce as much as possible the cases in which we write

```Go
if err == nil {
```

in tests because it's too broad and we should instead be checking for the expected error or otherwise fail the test (many errors could occur and we want to be sure it's the one we're expecting).

1. in normal code it is better to always do `if err != nil` so that the ifs only contain error code (this is ~coding policy)
2. in tests we want to ensure we narrow down the error to the real error that happened, to have greater confidence

Written while working on ooni/probe#1803 (comment)
…oni#1212) This test modifies webconnectivityqa to extract and compare all the relevant fields. We have already found some inconsistencies, which are minor, but which still grants skipping some tests until they have been fixed. While there, do some extra work to add prefixes to log messages, such that it's clear which component emits which message. Part of ooni/probe#2525, because we're writing a tool to perform A/B comparisons across Web Connectivity versions. Part of ooni/probe#1803, because we're writing a tool that is eventually going to replace Jafar. ## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: see above - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: not needed
…oni#1213) This diff imports the QA/webconnectivity.py integration test into the webconnectivityqa framework and removes it from Python. While there, remove other QA/webconnectivity.py tests that I have already converted. Part of ooni/probe#1803. See also ooni/probe#1536. ## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: see above - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A
ooni#1214) This diff imports the given QA/webconnectivity.py integration test into the webconnectivityqa framework and removes it from Python. While there, stop building libtorlinux.yml on pull requests, since currently there's no need. Part of ooni/probe#1803. ## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: see above - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A
ooni#1215) This diff imports the given QA/webconnectivity.py integration test into the webconnectivityqa framework and removes it from Python. To this end, we need to modify how we handle timeouts in netxlite such that it is possible to change the default timeout programmatically when using netemx. While there, document the flag magic numbers used in tests, so that each test makes much more sense when reading it. Part of ooni/probe#1803. ## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: see above - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: not needed
As we learned in ooni#1216, using the 130.192.91.x namespace for every IP address in netemx breaks mapping domain names to IP addresses in Web Connectivity. No IP address would ever, in fact, be inconsistent, because they all belong to AS137. Initially, I thought about overriding the code that maps IP addresses to ASNs, to provide a custom implementation. But then I realized it was a more thorough test to use the default implementation (relying on maxminddb files) and using the correct IP addresses in the correct address space. My original thought for using 130.192.91.x addresses was that they were not the right addresses for the domains we're testing, thus, in the event in which netem was not WAI, all tests would have failed. However, we have many tests checking that netem is WAI already, so probably I was being excessively paranoid. As a result, this patch modifies the code to use the correct addresses. We're still using some 130.192.91.x addresses where it makes sense to do so (user's IP address and default user's resolver). Part of ooni/probe#1803. ## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: see above - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A
…dns (ooni#1216) Part of ooni/probe#1803 ## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: see above - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: not needed
I am trying to lift some netemx restrictions that make certain Web Connectivity integration tests a bit unrealistic. To progress towards this goal, I have determined that I need to (1) improve the construction for the QAEnv and (2) make the scenario constructor a function that initialized a given QAEnv rather than rolling additional abstraction on top of it. The current diff moves IP addresses around to create space for myself to attempt to implement the above changes. The reference issue is ooni/probe#1803. ## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: see above - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A
This diff starts refactoring netemx such that any kind of service we want to create for a given IP address uses the same interface, which is a generic factory to create a generic server working depending on a netstack. The overall objective here is to enable the same IP address to serve DNS, HTTP/HTTPS/HTTP3, and possibly arbitrary other services. Currently, we can only choose one of these services per IP address. This limitation, for example, makes it impossible to have 8.8.8.8 handle both Do53 and DoH. I will move towards this objective incrementally. This diff just refactors the way in which we manage the echo server to follow a model where there is a factory for creating a server, which is what HTTP code is using. Once this diff lands, I will refactor HTTP and DNS to follow this model. And, after that, I will try to allow multiple factories for each IP addr. Reference issue: ooni/probe#1803 ## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: see above - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A
The overall intent of this work is to unify how we manage HTTP, DNS, and ordinary netstacks for netemx, and allow the same IP address to host multiple servers rather than just one, as it's currently the case. To this end, the current diff adapts code that used to be an integration test for telegram to become the cleartext HTTP NetStackServerFactory. ## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: ooni/probe#1803 - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A
) This diff continues improving and refactoring netemx with the objective of unifying how we create all kind of servers. Here, specifically, we modify the HTTP server implementing NetStackServerFactory implemented in the previous commit and obtain an HTTPS server honouring NetStackServerFactory. Crucially, this diff also adds support for overriding the TLS config passed to the server, which enables us to test for expired certificates, self-signed certificates, and so forth. ## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: ooni/probe#1803 - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A
) This diff continues improving and refactoring netemx with the objective of unifying how we create all kind of servers. Here, specifically, we modify the HTTPS server implementing NetStackServerFactory implemented in the previous commit and obtain an HTTP3 server honouring NetStackServerFactory. Crucially, this diff also adds support for overriding the TLS config passed to the server, which enables us to test for expired certificates, self-signed certificates, and so forth. While working on this diff, I noticed a weird behavior with HTTP/3 tests using the same address, which is documented at ooni/probe#2527. I modified the tests to make them pass. To this end, I changed the IP addresses used by HTTP/3 tests to avoid reusing www.example.com's IP address. It seems fine, for now, to merge this code, because HTTP/3 is not a cornerstone of how we measure, for now. But we should investigate further in the future! ## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: ooni/probe#1803 - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A
…1225) This diff moves forward the work we're doing to try to unify the way in which all the possible servers in netemx are constructed. The general idea is to enable configuring every kind of server using the QAEnvOptionNetStack option. To this end, we need to implement NetStackServerFactory. In this diff, in particular, we're implementing a NetStackServerFactory for constructing DNS-over-UDP servers. These servers would use: 1. the OtherResolversConfig for lookups (which makes sense because the [MustNewQAEnv] internally constructs the ISP resolver); 2. the logger configured for the QAEnv. ## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: ooni/probe#1803 - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A
) With the changes we implemented so far, we're not able to start migrating part of scenario.go (probably the easiest part) to use QAEnvOptionNetStack for configuring servers. ## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: ooni/probe#1803 - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A
) This diff converts the ScenarioRoleWebServer case to using QAEnvOptionNetStack. While there, recognize that ooni/probe#2527 is really making all QUIC tests fragile, and scale them down a bit. ## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: ooni/probe#1803 - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A
ooni#1229) This diff continues the refactoring of netemx to use a single mechanism to create all the possible kind of servers. While there, this diff removes the limitation that we cannot create more than a single server per IP address, which was one of the reasons why we started this refactoring process. While there, make sure we have full coverage of netemx. ## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: ooni/probe#1803 - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A
This diff takes advantage of all the refactoring performed so far to expose Do53 (aka DNS-over-UDP) along with DoH (DNS-over-HTTPS). Additionally, we extend the test suite to verify we're always exposing the two protocols side by side for public, well-known DNS resolvers. ## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: ooni/probe#1803 - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A
…i#1231) ## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: ooni/probe#1803 - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A ## Description This diff removes code to init resolvers that does not use QAEnvOptionNetStack. This change allows us to drop duplicate code that we don't really need (in fact, removing this functionality does not produce a huge diff). While there, we introduce more resolvers IP addresses, including 8.8.8.8, so we can simplify webconnectivitylte tests. While there, rename the uncensored root resolver as the root resolver and use the F root resolver address for it. While there, stop allowing to change the ISP resolver address or the root resolver address (there's no need).
) With all the changes implemented so far, we're now well positioned to further cleanup netemx by implementing QAEnvOptionHTTPServer as just syntactic sugar for QAEnvOptionNetStack. This change allows us to delete more code that is duplicating existing functionality and is not otherwise useful. While there, introduce a role for a blockpage server and make sure that such a server only listens for HTTP, thus fixing a case in which the behavior of netemx was not consistent with the reality. After this change, we need to skip a QA test for LTE, because LTE is actually able to bypass the block and thus produces accurate webpage content. Part of ooni/probe#1803. ## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: ooni/probe#1803 - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A
This diff ports the tests where the control fails from Jafar to the new Web Connectivity QA framework. ## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: ooni/probe#1803 - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A
## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: ooni/probe#1803 - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A ## Description To continue rewriting Jafar based tests to use netemx, the next step is to adapt the proxies used by Jafar to be usable from within netemx to implement equivalent test cases. In turn, netemx is using testingx for general-purpose test servers that could also be interesting for other packages. We also have the netxlite/filtering package, which is ~fine but has a string-based API, where an interface-based API would be more proper and easier to compose. (We historically use a string-based API there because we previously attempted to replace Jafar with code in userspace using netxlite/filtering.) The first step in this quest is therefore to rewrite the DNS code inside netxlite/filtering and move it to testingx. While there rename netemx.UDPResolverFactory to DNSOverUDPServerFactory for consistency.
## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: ooni/probe#1803 - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A ## Description This diff merges internal/filtering's code with testingx. While doing this, we refactor the code to (1) be a drop-in replacement for the net/http/httptest package and (2) use interfaces rather than string values to select the proper behavior, which makes the code more composable than it was before. The overall objective of this effort is to consolidate filtering into testingx such that we can later merge the proxy capabilities implemented by Jafar into the testingx package, which is a stepping stone for ditching Jafar.
## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: ooni/probe#1803 - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A ## Description This commit finishes the mini quest about merging netxlite/filtering with testingx and replaces the string-based API with interfaces. What remains to be done is now to implement specific handles that mimic the proxies implemented by Jafar. Then, it remains to see how to port the remaining QA tests to webconnectivityqa.
## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: ooni/probe#1803 - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A ## Description This diff adapts jafar HTTP proxy to be a testingx proxy. We need this work to eventually get rid of jafar.
## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: ooni/probe#1803 - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A ## Description This is the last bit of jafar we needed to import and adapt. What remains to be done now is finishing converting QA tests. Then, we can remove jafar and QA. While there, write missing netem tests for TLS servers.
## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: ooni/probe#1803 - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A ## Description This diff imports into webconnectivityqa test cases using proxies that are currently also implemented by ./QA/webconnectivity.py. The ./QA/webconnectivity.py contains three test cases. Two of them deal with using transparent proxies without DNS lies, which was easy to do using iptables, and much harder now. However, it's doubtful whether those two cases are actually very useful, since there is no measurement feature which allows us to distinguish them from what we would otherwise get (perhaps, possibly latency?). The third case, instead, is interesting and deals with the DNS serving to users the IP addresses of transparent HTTP and TLS proxies. To make this test case more similar to what it was in Python, and considering that LTE uses many resolvers, here I have chosen to use DNS spoofing, which may or may not be the best choice for LTE in the long term. Yet, since the objective currently is to be able to check v0.4 against webconnectivityqa and the A/B comparison and the focus to LTE will come at a later stage, this seems good enough for now.
…ni#1240) ## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: ooni/probe#1803 - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A ## Description This diff starts adapting from QA/webconnectivity.py some of the test cases involving errors happening during HTTP redirects. I am pleased to see that we've discovered LTE bugs thanks to these new test cases... well, let's say "pleased".
## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: ooni/probe#1803 - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A ## Description This diff moves test cases from QA/webconnectivity.py to the ./internal/webconnectivityqa package.
## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: ooni/probe#1803 - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A ## Description This diff ports jafar's http-diff test cases to webconnectivityqa.
## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: ooni/probe#1803 - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A ## Description This diff imports the misconfigured-TLS test cases of the QA/webconnectivity.py test suite in webconnectivityqa. The only QA/webconnectivity.py test case we're not merging is the one about self-signed certificates, which are equivalent enough to an unknown root certificate that it seems unimportant to merge them. In other words, we have basically finished rewriting Jafar. Now it will be time to drop Jafar. 😅
## Checklist - [x] I have read the [contribution guidelines](https://github.com/ooni/probe-cli/blob/master/CONTRIBUTING.md) - [x] reference issue for this pull request: ooni/probe#1803 - [x] if you changed anything related to how experiments work and you need to reflect these changes in the ooni/spec repository, please link to the related ooni/spec pull request: N/A - [x] if you changed code inside an experiment, make sure you bump its version number: N/A ## Description This is the final act of the quest to replace Jafar. Let's remove Jafar itself and the QA framework using it. We now have a much better QA framework, that runs for each commit, is faster, and allows to better emulate censorship cases. While working on the removal, I noticed some tutorials depended on a limited set of Jafar functionality, namely the possibility of provoking simple censorship conditions. So, I refactored the previous code for managing iptables on Linux used by Jafar to produce a much slimmer, fully unit tested tool implementing a subset of the original CLI. By implementing this change, we make sure that we still have simple ways for people to learn while reading tutorials. What remains to be done at this point is to update existing issues, close done issues, and generally make sure we explain clearly what we achieved by working on this quest, and what new features are now available.
We currently have `jafar`. It is a tool to simulate censorship. It uses the Linux kernel network filtering and routing functionality to make endpoints unaccessible, drop packets, ~transparently redirect to DNS/TLS/HTTP proxies implementing blocking.

During #1797, I started sketching up the prototype for `jafar2`. The code is currently not part of `jafar`, because I was doing research and needed to break/change things quickly.

This issue documents some insights on how we could improve `jafar` and merge good stuff from `jafar2`.

We should support network emulation inside `jafar`. This includes adding extra latency, dropping packets, traffic shaping and generally all the policies that are possible using Linux's `netem`.

We should investigate the possibility of using Linux's transparent proxy to intercept QUIC, DNS, TLS. We currently do not support intercepting/blocking QUIC, but for setting `iptables` rules. However, if we switch to the transparent proxy model, we can drop a bunch of `iptables` rules in favour, instead, of dropping directly in the proxies.

We should introduce configuration files describing the conditions in which we want to run a test. For example, we may want to run both `ndt7` and `websteps` with 3G-like network conditions. It would be useful to put this information inside of a configuration file.

If we want to support running any command, it would be more seamless to switch to a `getopt`-like options parsing model where everything after the `--` defines what child command we want to run.

An interesting idea is to tell `jafar2` to automatically choose what to block, then run a full scan, let `jafar2` write down what it has blocked, and then check whether this is mirrored into the measurement files.

There is no timeline/priority attached to this issue, for now. It will be fine to keep the changes out of tree into a separate branch and continuing to refine them as we need them for developing websteps.

Here are some suggestions from @FedericoCeratto re: how to better restructure the current prototype:

- most kernels are now tickless and it's important to run tests on bare metal as opposed to docker (which basically boils down to manually creating a bridge, attaching a virtual NIC to it, and then running the program so that it uses the virtual NIC as opposed to the default NIC of the system);
- `netem` now implements shaping, so we can avoid using TBF;
- it would be nice to have reproducible `jafar2` experiments to integrate into the CI;
- it's possible to better the simulation of mobile networks by using `netem`'s options for slotting and reordering.

I'll transform this issue into an Epic so we can create child issues.