2 # SPDX-License-Identifier: GPL-2.0
4 # Check xfrm policy resolution. Topology:
6 # 1.2 1.1 3.1 3.10 2.1 2.2
7 # eth1 eth1 veth0 veth0 eth1 eth1
8 # ns1 ---- ns3 ----- ns4 ---- ns2
10 # ns3 and ns4 are connected via ipsec tunnel.
11 # pings from ns1 to ns2 (and vice versa) are supposed to work like this:
12 # ns1: ping 10.0.2.2: passes via ipsec tunnel.
13 # ns2: ping 10.0.1.2: passes via ipsec tunnel.
15 # ns1: ping 10.0.1.253: passes via ipsec tunnel (direct policy)
16 # ns2: ping 10.0.2.253: passes via ipsec tunnel (direct policy)
18 # ns1: ping 10.0.2.254: does NOT pass via ipsec tunnel (exception)
19 # ns2: ping 10.0.1.254: does NOT pass via ipsec tunnel (exception)
21 # Kselftest framework requirement - SKIP code is 4.
26 KEY_SHA=0xdeadbeef1234567890abcdefabcdefabcdefabcd
27 KEY_AES=0x0123456789abcdef0123456789012345
40 ip -net $ns xfrm state add src $remote dst $me proto esp spi $spi_in enc aes $KEY_AES auth sha1 $KEY_SHA mode tunnel sel src $rnet dst $lnet
41 ip -net $ns xfrm state add src $me dst $remote proto esp spi $spi_out enc aes $KEY_AES auth sha1 $KEY_SHA mode tunnel sel src $lnet dst $rnet
43 # to encrypt packets as they go out (includes forwarded packets that need encapsulation)
44 ip -net $ns xfrm policy add src $lnet dst $rnet dir out tmpl src $me dst $remote proto esp mode tunnel priority 100 action allow
45 # to fwd decrypted packets after esp processing:
46 ip -net $ns xfrm policy add src $rnet dst $lnet dir fwd tmpl src $remote dst $me proto esp mode tunnel priority 100 action allow
49 do_esp_policy_get_check() {
54 ip -net $ns xfrm policy get src $lnet dst $rnet dir out > /dev/null
55 if [ $? -ne 0 ] && [ $policy_checks_ok -eq 1 ] ;then
57 echo "FAIL: ip -net $ns xfrm policy get src $lnet dst $rnet dir out"
61 ip -net $ns xfrm policy get src $rnet dst $lnet dir fwd > /dev/null
62 if [ $? -ne 0 ] && [ $policy_checks_ok -eq 1 ] ;then
64 echo "FAIL: ip -net $ns xfrm policy get src $rnet dst $lnet dir fwd"
76 # network $plain passes without tunnel
77 ip -net $ns xfrm policy add dst $plain dir out priority 10 action allow
79 # direct policy for $encryptip, use tunnel, higher prio takes precedence
80 ip -net $ns xfrm policy add dst $encryptip dir out tmpl src $me dst $remote proto esp mode tunnel priority 1 action allow
83 # policies that are not supposed to match any packets generated in this test.
87 for i in $(seq 10 16);do
88 # dummy policy with wildcard src/dst.
89 echo netns exec $ns ip xfrm policy add src 0.0.0.0/0 dst 10.$i.99.0/30 dir out action block
90 echo netns exec $ns ip xfrm policy add src 10.$i.99.0/30 dst 0.0.0.0/0 dir out action block
91 for j in $(seq 32 64);do
92 echo netns exec $ns ip xfrm policy add src 10.$i.1.0/30 dst 10.$i.$j.0/30 dir out action block
93 # silly, as it encompasses the one above too, but its allowed:
94 echo netns exec $ns ip xfrm policy add src 10.$i.1.0/29 dst 10.$i.$j.0/29 dir out action block
95 # and yet again, even more broad one.
96 echo netns exec $ns ip xfrm policy add src 10.$i.1.0/24 dst 10.$i.$j.0/24 dir out action block
97 echo netns exec $ns ip xfrm policy add src 10.$i.$j.0/24 dst 10.$i.1.0/24 dir fwd action block
99 done | ip -batch /dev/stdin
105 for i in $(seq 10 16);do
106 for j in $(seq 32 64);do
107 echo netns exec $ns ip xfrm policy add src dead:$i::/64 dst dead:$i:$j::/64 dir out action block
108 echo netns exec $ns ip xfrm policy add src dead:$i:$j::/64 dst dead:$i::/24 dir fwd action block
110 done | ip -batch /dev/stdin
113 check_ipt_policy_count()
117 ip netns exec $ns iptables-save -c |grep policy | ( read c rest
118 ip netns exec $ns iptables -Z
119 if [ x"$c" = x'[0:0]' ]; then
121 elif [ x"$c" = x ]; then
122 echo "ERROR: No counters"
132 # 0: iptables -m policy rule count == 0
133 # 1: iptables -m policy rule count != 0
138 ip netns exec ns1 ping -q -c 1 10.0.2.$ip > /dev/null
140 check_ipt_policy_count ns3
141 if [ $? -ne $rval ] ; then
144 check_ipt_policy_count ns4
145 if [ $? -ne $rval ] ; then
149 ip netns exec ns2 ping -q -c 1 10.0.1.$ip > /dev/null
151 check_ipt_policy_count ns3
152 if [ $? -ne $rval ] ; then
155 check_ipt_policy_count ns4
156 if [ $? -ne $rval ] ; then
163 #check for needed privileges
164 if [ "$(id -u)" -ne 0 ];then
165 echo "SKIP: Need root privileges"
169 ip -Version 2>/dev/null >/dev/null
171 echo "SKIP: Could not run test without the ip tool"
175 # needed to check if policy lookup got valid ipsec result
176 iptables --version 2>/dev/null >/dev/null
178 echo "SKIP: Could not run test without iptables tool"
184 ip -net ns$i link set lo up
188 ip link add $DEV netns ns1 type veth peer name eth1 netns ns3
189 ip link add $DEV netns ns2 type veth peer name eth1 netns ns4
191 ip link add $DEV netns ns3 type veth peer name veth0 netns ns4
195 ip -net ns$i link set $DEV up
196 ip -net ns$i addr add 10.0.$i.2/24 dev $DEV
197 ip -net ns$i addr add dead:$i::2/64 dev $DEV
199 ip -net ns$i addr add 10.0.$i.253 dev $DEV
200 ip -net ns$i addr add 10.0.$i.254 dev $DEV
201 ip -net ns$i addr add dead:$i::fd dev $DEV
202 ip -net ns$i addr add dead:$i::fe dev $DEV
206 ip -net ns$i link set eth1 up
207 ip -net ns$i link set veth0 up
210 ip -net ns1 route add default via 10.0.1.1
211 ip -net ns2 route add default via 10.0.2.1
213 ip -net ns3 addr add 10.0.1.1/24 dev eth1
214 ip -net ns3 addr add 10.0.3.1/24 dev veth0
215 ip -net ns3 addr add 2001:1::1/64 dev eth1
216 ip -net ns3 addr add 2001:3::1/64 dev veth0
218 ip -net ns3 route add default via 10.0.3.10
220 ip -net ns4 addr add 10.0.2.1/24 dev eth1
221 ip -net ns4 addr add 10.0.3.10/24 dev veth0
222 ip -net ns4 addr add 2001:2::1/64 dev eth1
223 ip -net ns4 addr add 2001:3::10/64 dev veth0
224 ip -net ns4 route add default via 10.0.3.1
228 ip netns exec ns$i sysctl net.ipv$j.conf.eth1.forwarding=1 > /dev/null
229 ip netns exec ns$i sysctl net.ipv$j.conf.veth0.forwarding=1 > /dev/null
233 # abuse iptables rule counter to check if ping matches a policy
234 ip netns exec ns3 iptables -p icmp -A FORWARD -m policy --dir out --pol ipsec
235 ip netns exec ns4 iptables -p icmp -A FORWARD -m policy --dir out --pol ipsec
237 echo "SKIP: Could not insert iptables rule"
238 for i in 1 2 3 4;do ip netns del ns$i;done
242 # localip remoteip localnet remotenet
243 do_esp ns3 10.0.3.1 10.0.3.10 10.0.1.0/24 10.0.2.0/24 $SPI1 $SPI2
244 do_esp ns3 dead:3::1 dead:3::10 dead:1::/64 dead:2::/64 $SPI1 $SPI2
245 do_esp ns4 10.0.3.10 10.0.3.1 10.0.2.0/24 10.0.1.0/24 $SPI2 $SPI1
246 do_esp ns4 dead:3::10 dead:3::1 dead:2::/64 dead:1::/64 $SPI2 $SPI1
251 do_esp_policy_get_check ns3 10.0.1.0/24 10.0.2.0/24
252 do_esp_policy_get_check ns4 10.0.2.0/24 10.0.1.0/24
253 do_esp_policy_get_check ns3 dead:1::/64 dead:2::/64
254 do_esp_policy_get_check ns4 dead:2::/64 dead:1::/64
256 # ping to .254 should use ipsec, exception is not installed.
258 if [ $? -ne 0 ]; then
259 echo "FAIL: expected ping to .254 to use ipsec tunnel"
262 echo "PASS: policy before exception matches"
265 # installs exceptions
266 # localip remoteip encryptdst plaindst
267 do_exception ns3 10.0.3.1 10.0.3.10 10.0.2.253 10.0.2.240/28
268 do_exception ns4 10.0.3.10 10.0.3.1 10.0.1.253 10.0.1.240/28
270 do_exception ns3 dead:3::1 dead:3::10 dead:2::fd dead:2:f0::/96
271 do_exception ns4 dead:3::10 dead:3::1 dead:1::fd dead:1:f0::/96
273 # ping to .254 should now be excluded from the tunnel
275 if [ $? -ne 0 ]; then
276 echo "FAIL: expected ping to .254 to fail"
279 echo "PASS: ping to .254 bypassed ipsec tunnel"
282 # ping to .253 should use use ipsec due to direct policy exception.
284 if [ $? -ne 0 ]; then
285 echo "FAIL: expected ping to .253 to use ipsec tunnel"
288 echo "PASS: direct policy matches"
291 # ping to .2 should use ipsec.
293 if [ $? -ne 0 ]; then
294 echo "FAIL: expected ping to .2 to use ipsec tunnel"
297 echo "PASS: policy matches"
300 for i in 1 2 3 4;do ip netns del ns$i;done