fw-daemon icon indicating copy to clipboard operation
fw-daemon copied to clipboard
verified publisher icon subgraph

Automated tests for policy evaluation & traffic attribution

Open dma opened this issue 8 years ago • 4 comments

As Subgraph Firewall's complexity and scope grows, we more than ever need automated tests for FW policy evaluation and traffic source identification. This will help us clearly define & articulate the policy logic as well as the limits of SGFW.

Tests objectives:

Verifying policy decision in as many different cases as possible:

Create or generate test case allow/deny rules. Simulate connections/packets of different types, policy code evaluates packet against test rules, test pass if policy decision against expected result.

Accurately attributing traffic origin:

Simulates traffic from:

  • Processes (/proc)
  • Proxy ports (Tor, i2p, ssh socks5 proxy)
  • Sandboxes (oz-daemon, cleranet bridge..)

Test pass if fw-daemon's identified traffic origin matches expected result.

dma avatar Sep 09 '17 15:09 dma

Another thing to test: testing the parser, i.e., validating that rules read from disk match expected results

dma avatar Sep 11 '17 01:09 dma

Yet more testing: address globbing / wildcards vs. traffic and expected filter matches.

dma avatar Oct 01 '17 14:10 dma

Extensive testing of TLSGuard: all versions and various types of TLS handshakes, including injection of TLS alerts, session resumption, and other things that can occur that we may not have expected.

dma avatar Oct 01 '17 14:10 dma

Also testing onioncircuits style tracking of circuits vs. the attempt at forcing stream isolation in the SOCKS proxy, this could be automated.

dma avatar Oct 01 '17 20:10 dma