intel / iotivity-node

Node.js bindings for IoTivity
https://www.iotivity.org/

Some test cases time out on Intel-IoT-Refkit image #140

Closed qiuzhong closed 7 years ago

qiuzhong commented 7 years ago

Description

I tried to run the tests of this repository on Intel-IoT-Refkit image but some tests always time out. It seems these test cases are OCF C/S-communication-related. Adding the timeout setting to 2 times / 3 times of the default value doesn't help. Ports 5683/5684 for IPv4/IPv6 were opened.

No such problem on Ubuntu.

Steps to reproduce:

  1. Flash and boot Intel-IoT-Refkit gateway image build#211 on a Joule 570x device.
  2. Find the iotivity-node version built in the image and copy the related version tests and dependencies to Joule.
  3. Run ./node_modules/grunt-cli/bin/grunt test --force .
  4. See the iotivity-node testing log.

Environment:

ipuustin commented 7 years ago

Last week Refkit moved into nftables-based firewalling. Try using nft for opening the ports.

Try creating this file (call it iotivity-node.nft) and copy it to /etc/firewall/services:

#!/usr/sbin/nft

table inet filter {
    include "zones.ruleset"
    chain iotivity-node-udp {
        ip6 protocol udp saddr fe80::/10 accept;
        ip protocol udp accept;
    }
}

add element inet filter udp_service_map { 5683, 5684, 32768-60999 : jump iotivity-node-udp };
add element inet filter tcp_service_map { 8000 : accept };

I didn't have a chance to try the file out, so it might very well contain errors. :-)

If you just want to open the ports temporarily (firewall config is fully replaced whenever a configuration change or a large network change happens), see how iotivity firewall settings are done in tests for example here: https://github.com/intel/intel-iot-refkit/blob/master/meta-iotqa/lib/oeqa/runtime/core/iotivity/base.py

ipuustin commented 7 years ago

See here for current Refkit firewall documentation: https://github.com/intel/intel-iot-refkit/blob/master/doc/security.rst#firewall-support

qiuzhong commented 7 years ago

@ipuustin, this works! Thanks very much!

I added iotivity-node.nft and rebooted the system. Then all the tests pass completely.

qiuzhong commented 7 years ago

Since this is a firewall-related issue and it is fixed, closing it.

ipuustin commented 7 years ago

Sorry, there was a bug. I forgot that we couldn't have ranges in map keys because of a known bug in nft (already fixed upstream but not released). Please use this file instead:

#!/usr/sbin/nft

table inet filter {
    include "zones.ruleset"
    chain iotivity-node {
        type filter hook input priority 0; policy accept;

        ip6 saddr fe80::/10 udp dport {5683-5684, 32768-60999} mark set $accept_packet;
        ip protocol udp udp dport {5683-5684, 32768-60999} mark set $accept_packet;
        tcp dport 8000 mark set $accept_packet;
    }
}

(For future reference, here's a bit faster version that we can take into use later when the range interval flag fix gets released in nftables 0.8):

#!/usr/sbin/nft

table inet filter {
    include "zones.ruleset"
    chain iotivity-node {
        ip6 saddr fe80::/10 accept;
        ip protocol udp accept;
    }
}

add element inet filter udp_service_map { 5683-5684 : jump iotivity-node };
add element inet filter udp_service_map { 32768-60999 : jump iotivity-node };
add element inet filter tcp_service_map { 8000 : accept };

qiuzhong commented 7 years ago

Thanks! I updated the nft file.

Currently, the version of nft is 0.7 in the image. I'll use the faster version when 0.8 is ready in the image.
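
The map-key range limitation discussed in this thread (ranged keys fail on the nft 0.7 in the image, with the fix expected in 0.8) can be caught before a service file is copied to /etc/firewall/services. The lint below is an added example, not code from the thread or from Refkit; the function names are hypothetical and it assumes one `add element ... { keys : verdict }` statement per line, as in the files posted above.

```python
import re

# Statement shape used in this thread (assumed to sit on a single line):
#   add element inet filter <map> { <keys> : <verdict> };
ADD_ELEMENT = re.compile(
    r"add\s+element\s+\w+\s+\w+\s+(?P<map>\w+)\s*\{(?P<body>[^}]*)\}"
)
PORT_RANGE = re.compile(r"^\d+-\d+$")


def version_tuple(version):
    """'0.7' -> (0, 7), so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def ranged_map_keys(ruleset_text):
    """Return (line_number, map_name, key) for each ranged key in a map element."""
    findings = []
    for lineno, line in enumerate(ruleset_text.splitlines(), start=1):
        line = line.split("#", 1)[0]  # drop comments and the shebang line
        for match in ADD_ELEMENT.finditer(line):
            keys, sep, _verdict = match.group("body").partition(":")
            if not sep:
                continue  # plain set element, no "key : verdict" mapping
            for key in (k.strip() for k in keys.split(",")):
                if PORT_RANGE.match(key):
                    findings.append((lineno, match.group("map"), key))
    return findings


def check(ruleset_text, nft_version):
    """Ranged keys matter only before 0.8, the release the thread names for the fix."""
    if version_tuple(nft_version) >= (0, 8):
        return []
    return ranged_map_keys(ruleset_text)


# Constructed sample: the two 'add element' lines from the first file in the thread.
SAMPLE = """\
add element inet filter udp_service_map { 5683, 5684, 32768-60999 : jump iotivity-node-udp };
add element inet filter tcp_service_map { 8000 : accept };
"""

if __name__ == "__main__":
    for lineno, map_name, key in check(SAMPLE, "0.7"):
        print(f"line {lineno}: {map_name} has ranged key {key}")
```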