From: James C. <cz...@li...> - 2011-05-13 15:12:33
Hi Linda,

Just another question to you or anyone else here that has an opinion.

For some of the netfiltering tests I've created I utilize the do_accept.c module in utils/bin. (The filtering tests are being modeled after the network tests and currently utilize the lblnet_tst_server as a frame/segment generator.) In do_accept.c the ALARM_TIMER (which is used for sigalrm to wake up the routine in the event the listen is never satisfied) is set to 15, which is probably appropriate for the network tests, since within this time the lblnet_tst_server should have easily finished sending any packet it was prompted to do.

In the netfiltering tests, however, I typically have instances where I request the lblnet_tst_server to send packets to the device, address, port, or combination thereof I'm filtering on, and the target of the chain command is sometimes DROP. Unlike REJECT, where an icmp response goes back rejecting the connection, when DROP is used tcp on the lblnet_tst_server side has no idea why there is no response and consequently goes into a retransmission state of the SYN segment (connection establishment). Most systems I've seen will not retransmit beyond a 75 second timeout period; however, that is not necessarily true for all systems.

The problem I ran into with the 15 second timeout value is that if the SYN segment is still retransmitting to the TOE port when the do_accept for the test being run times out, the TOE starts the next test and the next SYN segment received appears as a response for the new test the TOE has started. This will result in the following TOE test either failing or claiming an error. The TOE and lblnet_tst_server are now out of sync on all the following tests.

My solution for the problem was of course to bump the ALARM_TIMER up to 120. This tended to take care of any tcp retransmission issues (with a little bit of play for systems that might have longer retransmission timeouts/retries), and even if a test finishes sooner than the 120 second timeout, the lblnet_tst_server doesn't do anything else until it gets the next command from the TOE. However, this does cause all tests using the do_accept utility to have to run longer if the segment from the lblnet_tst_server is not received. I have not noticed this slowing down the network tests, as none of those tests rely on a segment from the lblnet_tst_server not being received.

So I'm wondering if anyone sees changing the timer value as a potential problem. If so, there are a couple of options. I could create a new do_xxxxx.c, which I did for the case where I have to force a URG flag to be sent, or I could put an alternate timer to be used in do_accept.c for only the netfiltering cases.

Any comments would be appreciated.

Jim
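
The timing problem described in the message above, worked through as an added example (not part of the original message and not code from do_accept.c): it computes when a sender's SYN retransmissions go out under exponential backoff and counts how many are sent after a listener alarm of 15 or 120 seconds has already fired. Assumptions: the function names are hypothetical, the two sender profiles (3 s initial RTO as in RFC 2988, 1 s as in RFC 6298, with 5 and 6 retries) are illustrative rather than measured, the listener starts when the first SYN is sent, and network delay is ignored.

```c
#include <stdio.h>

/* Seconds after the first SYN at which each SYN leaves the sender:
 * offset 0, then `retries` retransmissions with the RTO doubling each time.
 * Returns the number of offsets written. */
int syn_schedule(int initial_rto, int retries, int *offs, int max)
{
    int n = 0, t = 0, rto = initial_rto;
    if (max > 0)
        offs[n++] = 0;
    for (int i = 0; i < retries && n < max; i++) {
        t += rto;
        offs[n++] = t;
        rto *= 2;
    }
    return n;
}

/* SYNs sent at or after the listener's alarm fired: these can reach
 * whatever test the TOE runs next. */
int stale_syns(int initial_rto, int retries, int alarm_timer)
{
    int offs[32], stale = 0;
    int n = syn_schedule(initial_rto, retries, offs, 32);
    for (int i = 0; i < n; i++)
        if (offs[i] >= alarm_timer)
            stale++;
    return stale;
}

/* Smallest alarm value (whole seconds) that outlasts the final SYN. */
int min_safe_timer(int initial_rto, int retries)
{
    int offs[32];
    int n = syn_schedule(initial_rto, retries, offs, 32);
    return n > 0 ? offs[n - 1] + 1 : 0;
}

int main(void)
{
    /* Assumed sender profiles, not measured from any test system. */
    int prof[2][2] = { {3, 5}, {1, 6} };   /* {initial RTO, SYN retries} */
    for (int p = 0; p < 2; p++)
        printf("rto=%ds retries=%d: stale@15=%d stale@120=%d min=%ds\n",
               prof[p][0], prof[p][1],
               stale_syns(prof[p][0], prof[p][1], 15),
               stale_syns(prof[p][0], prof[p][1], 120),
               min_safe_timer(prof[p][0], prof[p][1]));
    return 0;
}
```

A sender with a larger retry count or a longer initial RTO pushes the final SYN past 120 seconds, so the same calculation can be rerun with the values of the system under test.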