A few prop271 scenarios that must be tested:

Make iptables rule that simulates FascistFirewall, then try connecting with FascistFirewall. See if it works.

prop271 seems to work pretty well if you turn on FascistFirewall and join a fascist network: iptables -A OUTPUT -p tcp --match multiport ! --dport 80,443 -j DROP

Make iptables rule that simulates FascistFirewall, then try connecting without FascistFirewall. Note differences between old and new algo.

prop271 will not work well in a fascist firewall environment, if FascistFirewall is not turned on. It will basically get stuck on the first primary guard for a long time. Need to check whether old code was behaving better.

Make iptables rule that disables outgoing connections. Make sure that the sampled guards set size limit works.

Test hardcoded entry guards (EntryNodes)

prop271 will not work at all with EntryNodes. It will fill up the sampled guards list, and then fail to find the right node.

Test bridges support

Basic bridge test with 1 bridge seems to work fine. SIGHUP also works fine transitioning between bridges and non-bridges.

Test transition between modes using SIGHUP

Basic testing seems to work. Managed to switch from "default" to "bridge" to "restricted" just with SIGHUP without any visible problems or leaks.

Switch between guard selections on the fly. Test flappiness

Test circuit state machine (?)

Test guard retry schedule

Test guard priority logic

Test guard lifetime

Test state loading / state saving

Test internet-is-down heuristic