nfsim: Untested code is buggy code

The netfilter simulation environment (nfsim) allows netfilter developers to build, run, and test their code without having to touch a real network, or having superuser privileges. On top of this, we have built a regression testsuite for netfilter and iptables.

Nfsim provides an emulated kernel environment in userspace, with a simulated IPv4 stack, as well as enhanced versions of standard kernel primitives such as locking and a proc filesystem. The kernel code is imported into the nfsim environment, and run as a userspace application with a scriptable command-line interface which can load and unload modules, add a route, inject packets, run iptables, control time, inspect /proc, and so forth.

More importantly we can test every single permutation of external failures automatically - for example, packet drops, kmalloc failures and timer deletion races. This makes it possible to check error paths that very rarely happen in real life.
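To make the "every permutation of external failures" idea concrete, here is an added example (constructed for this page, not nfsim's own code) of the technique in miniature: a fault-injecting stand-in for kmalloc() records each allocation it is asked for, and a driver walks every success/failure combination the code under test can reach, flagging any path that leaks. The names (sim_kmalloc, conn_create_good, conn_create_leaky, explore) are invented for the illustration.

```c
/* Added example: exhaustive failure-path exploration in the spirit of
 * nfsim's permutation testing. Constructed illustration, not nfsim code. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_DECISIONS 32

/* Schedule for the current run: one entry per failure point reached
 * (0 = succeed, 1 = fail). Points beyond `ndecided` default to success. */
static unsigned char decision[MAX_DECISIONS];
static int ndecided;
static int point;        /* index of the next failure point in this run */
static int live_allocs;  /* outstanding allocations, to detect leaks */

/* Fault-injecting stand-in for kmalloc(): fails according to the schedule. */
static void *sim_kmalloc(size_t n)
{
    int fail;
    if (point >= MAX_DECISIONS) abort();
    if (point < ndecided) {
        fail = decision[point];
    } else {                    /* new point: record it, assume success */
        decision[point] = 0;
        ndecided = point + 1;
        fail = 0;
    }
    point++;
    if (fail) return NULL;
    live_allocs++;
    return malloc(n);
}

static void sim_kfree(void *p)
{
    if (p) { live_allocs--; free(p); }
}

struct conn { char *rxbuf; char *txbuf; };

/* Correct version: every failure path releases what was acquired. */
static struct conn *conn_create_good(void)
{
    struct conn *c = sim_kmalloc(sizeof *c);
    if (!c) return NULL;
    c->rxbuf = sim_kmalloc(1500);
    if (!c->rxbuf) goto err_conn;
    c->txbuf = sim_kmalloc(1500);
    if (!c->txbuf) goto err_rx;
    return c;
err_rx:
    sim_kfree(c->rxbuf);
err_conn:
    sim_kfree(c);
    return NULL;
}

/* Buggy version: forgets rxbuf when the third allocation fails. */
static struct conn *conn_create_leaky(void)
{
    struct conn *c = sim_kmalloc(sizeof *c);
    if (!c) return NULL;
    c->rxbuf = sim_kmalloc(1500);
    if (!c->rxbuf) { sim_kfree(c); return NULL; }
    c->txbuf = sim_kmalloc(1500);
    if (!c->txbuf) { sim_kfree(c); return NULL; }   /* rxbuf leaked here */
    return c;
}

static void conn_destroy(struct conn *c)
{
    if (!c) return;
    sim_kfree(c->txbuf);
    sim_kfree(c->rxbuf);
    sim_kfree(c);
}

struct explore_result { int runs; int leaky_runs; };

/* Depth-first enumeration of every failure combination. Each run extends
 * the schedule with the points it reaches; backtracking flips the last
 * "succeed" to "fail" and truncates what follows, so later points are
 * decided afresh on the next run. */
static struct explore_result explore(struct conn *(*create)(void))
{
    struct explore_result r = {0, 0};
    ndecided = 0;
    for (;;) {
        point = 0;
        live_allocs = 0;
        conn_destroy(create());
        r.runs++;
        if (live_allocs != 0) r.leaky_runs++;
        while (ndecided > 0 && decision[ndecided - 1] == 1)
            ndecided--;
        if (ndecided == 0) break;
        decision[ndecided - 1] = 1;
    }
    return r;
}

int main(void)
{
    struct explore_result g = explore(conn_create_good);
    struct explore_result l = explore(conn_create_leaky);
    printf("good:  %d paths, %d leaking\n", g.runs, g.leaky_runs);
    printf("leaky: %d paths, %d leaking\n", l.runs, l.leaky_runs);
    return 0;
}
```

Three allocation sites give four distinct paths (all succeed, or the first failure at site 1, 2 or 3); the driver visits each exactly once, which is why this scales to real error handling where a random fault injector would keep revisiting the common paths and miss the rare ones.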

This paper will discuss some of our experiences with nfsim and the progression of the netfilter testsuite as new features became available in the simulator, and the amazing effect on development. We will also show the techniques we used for exhaustive testing, and why these should be a part of every project.
