do_esp_policy() {
local ns=$1
local me=$2
local remote=$3
local lnet=$4
local rnet=$5
# to encrypt packets as they go out (includes forwarded packets that need encapsulation)
ip -net $ns xfrm policy add src $lnet dst $rnet dir out tmpl src $me dst $remote proto esp mode tunnel priority 100 action allow # to fwd decrypted packets after esp processing:
ip -net $ns xfrm policy add src $rnet dst $lnet dir fwd tmpl src $remote dst $me proto esp mode tunnel priority 100 action allow
}
do_esp() {
local ns=$1
local me=$2
local remote=$3
local lnet=$4
local rnet=$5
local spi_out=$6
local spi_in=$7
ip -net $ns xfrm state add src $remote dst $me proto esp spi $spi_in enc aes $KEY_AES auth sha1 $KEY_SHA mode tunnel sel src $rnet dst $lnet
ip -net $ns xfrm state add src $me dst $remote proto esp spi $spi_out enc aes $KEY_AES auth sha1 $KEY_SHA mode tunnel sel src $lnet dst $rnet
do_esp_policy $ns $me $remote $lnet $rnet
}
# add policies with different netmasks, to make sure kernel carries # the policies contained within new netmask over when search tree is # re-built. # peer netns that are supposed to be encapsulated via esp have addresses # in the 10.0.1.0/24 and 10.0.2.0/24 subnets, respectively. # # Adding a policy for '10.0.1.0/23' will make it necessary to # alter the prefix of 10.0.1.0 subnet. # In case new prefix overlaps with existing node, the node and all # policies it carries need to be merged with the existing one(s). # # Do that here.
do_overlap()
{
local ns=$1
# adds new nodes to tree (neither network exists yet in policy database).
ip -net $ns xfrm policy add src 10.1.0.0/24 dst 10.0.0.0/24 dir fwd priority 200 action block
# adds a new node in the 10.0.0.0/24 tree (dst node exists).
ip -net $ns xfrm policy add src 10.2.0.0/24 dst 10.0.0.0/24 dir fwd priority 200 action block
# adds a 10.2.0.0/23 node, but for different dst.
ip -net $ns xfrm policy add src 10.2.0.0/23 dst 10.0.1.0/24 dir fwd priority 200 action block
# dst now overlaps with the 10.0.1.0/24 ESP policy in fwd. # kernel must 'promote' existing one (10.0.0.0/24) to 10.0.0.0/23. # But 10.0.0.0/23 also includes existing 10.0.1.0/24, so that node # also has to be merged too, including source-sorted subtrees. # old: # 10.0.0.0/24 (node 1 in dst tree of the bin) # 10.1.0.0/24 (node in src tree of dst node 1) # 10.2.0.0/24 (node in src tree of dst node 1) # 10.0.1.0/24 (node 2 in dst tree of the bin) # 10.0.2.0/24 (node in src tree of dst node 2) # 10.2.0.0/24 (node in src tree of dst node 2) # # The next 'policy add' adds dst '10.0.0.0/23', which means # that dst node 1 and dst node 2 have to be merged including # the sub-tree. As no duplicates are allowed, policies in # the two '10.0.2.0/24' are also merged. # # after the 'add', internal search tree should look like this: # 10.0.0.0/23 (node in dst tree of bin) # 10.0.2.0/24 (node in src tree of dst node) # 10.1.0.0/24 (node in src tree of dst node) # 10.2.0.0/24 (node in src tree of dst node) # # 10.0.0.0/24 and 10.0.1.0/24 nodes have been merged as 10.0.0.0/23.
ip -net $ns xfrm policy add src 10.1.0.0/24 dst 10.0.0.0/23 dir fwd priority 200 action block
# similar to above: add policies (with partially random address), with shrinking prefixes. for p in 29 28 27;do for k in $(seq 1 32); do
ip -net $ns xfrm policy add src 10.253.1.$((RANDOM%255))/$p dst 10.254.1.$((RANDOM%255))/$p dir fwd priority $((200+k)) action block 2>/dev/null done done
}
do_esp_policy_get_check() {
local ns=$1
local lnet=$2
local rnet=$3
ip -net $ns xfrm policy get src $lnet dst $rnet dir out > /dev/null if [ $? -ne 0 ] && [ $policy_checks_ok -eq 1 ] ;then
policy_checks_ok=0 echo"FAIL: ip -net $ns xfrm policy get src $lnet dst $rnet dir out"
ret=1 fi
ip -net $ns xfrm policy get src $rnet dst $lnet dir fwd > /dev/null if [ $? -ne 0 ] && [ $policy_checks_ok -eq 1 ] ;then
policy_checks_ok=0 echo"FAIL: ip -net $ns xfrm policy get src $rnet dst $lnet dir fwd"
ret=1 fi
}
do_exception() {
local ns=$1
local me=$2
local remote=$3
local encryptip=$4
local plain=$5
# network $plain passes without tunnel
ip -net $ns xfrm policy add dst $plain dir out priority 10 action allow
# direct policy for $encryptip, use tunnel, higher prio takes precedence
ip -net $ns xfrm policy add dst $encryptip dir out tmpl src $me dst $remote proto esp mode tunnel priority 1 action allow
}
# policies that are not supposed to match any packets generated in this test.
do_dummies4() {
local ns=$1
for i in $(seq 10 16);do # dummy policy with wildcard src/dst. echo netns exec $ns ip xfrm policy add src 0.0.0.0/0 dst 10.$i.99.0/30 dir out action block echo netns exec $ns ip xfrm policy add src 10.$i.99.0/30 dst 0.0.0.0/0 dir out action block for j in $(seq 32 64);do echo netns exec $ns ip xfrm policy add src 10.$i.1.0/30 dst 10.$i.$j.0/30 dir out action block # silly, as it encompasses the one above too, but its allowed: echo netns exec $ns ip xfrm policy add src 10.$i.1.0/29 dst 10.$i.$j.0/29 dir out action block # and yet again, even more broad one. echo netns exec $ns ip xfrm policy add src 10.$i.1.0/24 dst 10.$i.$j.0/24 dir out action block echo netns exec $ns ip xfrm policy add src 10.$i.$j.0/24 dst 10.$i.1.0/24 dir fwd action block done done | ip -batch /dev/stdin
}
do_dummies6() {
local ns=$1
for i in $(seq 10 16);do for j in $(seq 32 64);do echo netns exec $ns ip xfrm policy add src dead:$i::/64 dst dead:$i:$j::/64 dir out action block echo netns exec $ns ip xfrm policy add src dead:$i:$j::/64 dst dead:$i::/24 dir fwd action block done done | ip -batch /dev/stdin
}
check_ipt_policy_count()
{
ns=$1
ip netns exec $ns iptables-save -c |grep policy | ( read c rest
ip netns exec $ns iptables -Z if [ x"$c" = x'[0:0]' ]; then
exit 0 elif [ x"$c" = x ]; then echo"ERROR: No counters"
ret=1
exit 111 else
exit 1 fi
)
}
check_ipt_policy_count ${ns[3]} if [ $? -ne $rval ] ; then
lret=1 fi
check_ipt_policy_count ${ns[4]} if [ $? -ne $rval ] ; then
lret=1 fi
return $lret
}
check_exceptions()
{
logpostfix="$1"
local lret=0
# ping to .254 should be excluded from the tunnel (exception is in place).
check_xfrm 0 254 if [ $? -ne 0 ]; then echo"FAIL: expected ping to .254 to fail ($logpostfix)"
lret=1 else echo"PASS: ping to .254 bypassed ipsec tunnel ($logpostfix)" fi
# ping to .253 should use use ipsec due to direct policy exception.
check_xfrm 1 253 if [ $? -ne 0 ]; then echo"FAIL: expected ping to .253 to use ipsec tunnel ($logpostfix)"
lret=1 else echo"PASS: direct policy matches ($logpostfix)" fi
# ping to .2 should use ipsec.
check_xfrm 1 2 if [ $? -ne 0 ]; then echo"FAIL: expected ping to .2 to use ipsec tunnel ($logpostfix)"
lret=1 else echo"PASS: policy matches ($logpostfix)" fi
return $lret
}
check_hthresh_repeat()
{
local log=$1
i=0
for i in $(seq 1 10);do
ip -net ${ns[1]} xfrm policy update src e000:0001::0000 dst ff01::0014:0000:0001 dir in tmpl src :: dst :: proto esp mode tunnel priority 100 action allow || break
ip -net ${ns[1]} xfrm policy set hthresh6 0 28 || break
ip -net ${ns[1]} xfrm policy update src e000:0001::0000 dst ff01::01 dir in tmpl src :: dst :: proto esp mode tunnel priority 100 action allow || break
ip -net ${ns[1]} xfrm policy set hthresh6 0 28 || break done
if [ $i -ne 10 ] ;then echo"FAIL: $log" 1>&2
ret=1
return 1 fi
echo"PASS: $log"
return 0
}
# insert non-overlapping policies in a random order and check that # all of them can be fetched using the traffic selectors.
check_random_order()
{
local ns=$1
local log=$2
for i in $(seq 50); do
ip -net $ns xfrm policy flush for j in $(seq 0 16 255 | sort -R); do
ip -net $ns xfrm policy add dst $j.0.0.0/24 dir out priority 10 action allow done for j in $(seq 0 16 255); do if ! ip -net $ns xfrm policy get dst $j.0.0.0/24 dir out > /dev/null; then echo"FAIL: $log" 1>&2
return 1 fi done done
for i in $(seq 50); do
ip -net $ns xfrm policy flush for j in $(seq 0 16 255 | sort -R); do
local addr=$(printf "e000:0000:%02x00::/56" $j)
ip -net $ns xfrm policy add dst $addr dir out priority 10 action allow done for j in $(seq 0 16 255); do
local addr=$(printf "e000:0000:%02x00::/56" $j) if ! ip -net $ns xfrm policy get dst $addr dir out > /dev/null; then echo"FAIL: $log" 1>&2
return 1 fi done done
ip -net $ns xfrm policy flush
echo"PASS: $log"
return 0
}
#check for needed privileges if [ "$(id -u)" -ne 0 ];then echo"SKIP: Need root privileges"
exit $ksft_skip fi
ip -Version 2>/dev/null >/dev/null if [ $? -ne 0 ];then echo"SKIP: Could not run test without the ip tool"
exit $ksft_skip fi
# needed to check if policy lookup got valid ipsec result
iptables --version 2>/dev/null >/dev/null if [ $? -ne 0 ];then echo"SKIP: Could not run test without iptables tool"
exit $ksft_skip fi
DEV=veth0
ip link add $DEV netns ${ns[1]} type veth peer name eth1 netns ${ns[3]}
ip link add $DEV netns ${ns[2]} type veth peer name eth1 netns ${ns[4]}
ip link add $DEV netns ${ns[3]} type veth peer name veth0 netns ${ns[4]}
DEV=veth0 for i in 1 2; do
ip -net ${ns[$i]} link set $DEV up
ip -net ${ns[$i]} addr add 10.0.$i.2/24 dev $DEV
ip -net ${ns[$i]} addr add dead:$i::2/64 dev $DEV
ip -net ${ns[$i]} addr add 10.0.$i.253 dev $DEV
ip -net ${ns[$i]} addr add 10.0.$i.254 dev $DEV
ip -net ${ns[$i]} addr add dead:$i::fd dev $DEV
ip -net ${ns[$i]} addr add dead:$i::fe dev $DEV done
for i in 3 4; do
ip -net ${ns[$i]} link set eth1 up
ip -net ${ns[$i]} link set veth0 up done
ip -net ${ns[1]} route add default via 10.0.1.1
ip -net ${ns[2]} route add default via 10.0.2.1
ip -net ${ns[3]} addr add 10.0.1.1/24 dev eth1
ip -net ${ns[3]} addr add 10.0.3.1/24 dev veth0
ip -net ${ns[3]} addr add 2001:1::1/64 dev eth1
ip -net ${ns[3]} addr add 2001:3::1/64 dev veth0
ip -net ${ns[3]} route add default via 10.0.3.10
ip -net ${ns[4]} addr add 10.0.2.1/24 dev eth1
ip -net ${ns[4]} addr add 10.0.3.10/24 dev veth0
ip -net ${ns[4]} addr add 2001:2::1/64 dev eth1
ip -net ${ns[4]} addr add 2001:3::10/64 dev veth0
ip -net ${ns[4]} route add default via 10.0.3.1
for j in 4 6; do for i in 3 4;do
ip netns exec ${ns[$i]} sysctl net.ipv$j.conf.eth1.forwarding=1 > /dev/null
ip netns exec ${ns[$i]} sysctl net.ipv$j.conf.veth0.forwarding=1 > /dev/null done done
# abuse iptables rule counter to check if ping matches a policy
ip netns exec ${ns[3]} iptables -p icmp -A FORWARD -m policy --dir out --pol ipsec
ip netns exec ${ns[4]} iptables -p icmp -A FORWARD -m policy --dir out --pol ipsec if [ $? -ne 0 ];then echo"SKIP: Could not insert iptables rule"
cleanup_ns $ns1 $ns2 $ns3 $ns4
exit $ksft_skip fi
# ping to .254 should use ipsec, exception is not installed.
check_xfrm 1 254 if [ $? -ne 0 ]; then echo"FAIL: expected ping to .254 to use ipsec tunnel"
ret=1 else echo"PASS: policy before exception matches" fi
# move inexact policies to hash table
ip -net ${ns[3]} xfrm policy set hthresh4 16 16
sleep $((RANDOM%5))
check_exceptions "exceptions and block policies after hthresh change in ns3"
# restore original hthresh settings -- move policies back to tables for n in ${ns[3]} ${ns[4]};do
ip -net $n xfrm policy set hthresh4 32 32 hthresh6 128 128
sleep $((RANDOM%5)) done
check_exceptions "exceptions and block policies after htresh change to normal"
check_hthresh_repeat "policies with repeated htresh change"
check_random_order ${ns[3]} "policies inserted in random order"
cleanup_ns $ns1 $ns2 $ns3 $ns4
exit $ret
Messung V0.5
¤ Dauer der Verarbeitung: 0.11 Sekunden
(vorverarbeitet)
¤
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung und die Messung sind noch experimentell.
