summaryrefslogtreecommitdiffstats
path: root/tools/testing/selftests/net/xfrm_policy.sh
blob: b5a1b565a7e69d8abff76c13f878c2b9847ba131 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Check xfrm policy resolution.  Topology:
#
# 1.2   1.1   3.1  3.10    2.1   2.2
# eth1  eth1 veth0 veth0 eth1   eth1
# ns1 ---- ns3 ----- ns4 ---- ns2
#
# ns3 and ns4 are connected via ipsec tunnel.
# pings from ns1 to ns2 (and vice versa) are supposed to work like this:
# ns1: ping 10.0.2.2: passes via ipsec tunnel.
# ns2: ping 10.0.1.2: passes via ipsec tunnel.

# ns1: ping 10.0.1.253: passes via ipsec tunnel (direct policy)
# ns2: ping 10.0.2.253: passes via ipsec tunnel (direct policy)
#
# ns1: ping 10.0.2.254: does NOT pass via ipsec tunnel (exception)
# ns2: ping 10.0.1.254: does NOT pass via ipsec tunnel (exception)

# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
ret=0
policy_checks_ok=1

KEY_SHA=0xdeadbeef1234567890abcdefabcdefabcdefabcd
KEY_AES=0x0123456789abcdef0123456789012345
SPI1=0x1
SPI2=0x2

do_esp() {
    local ns=$1
    local me=$2
    local remote=$3
    local lnet=$4
    local rnet=$5
    local spi_out=$6
    local spi_in=$7

    ip -net $ns xfrm state add src $remote dst $me proto esp spi $spi_in  enc aes $KEY_AES  auth sha1 $KEY_SHA  mode tunnel sel src $rnet dst $lnet
    ip -net $ns xfrm state add src $me  dst $remote proto esp spi $spi_out enc aes $KEY_AES auth sha1 $KEY_SHA mode tunnel sel src $lnet dst $rnet

    # to encrypt packets as they go out (includes forwarded packets that need encapsulation)
    ip -net $ns xfrm policy add src $lnet dst $rnet dir out tmpl src $me dst $remote proto esp mode tunnel priority 100 action allow
    # to fwd decrypted packets after esp processing:
    ip -net $ns xfrm policy add src $rnet dst $lnet dir fwd tmpl src $remote dst $me proto esp mode tunnel priority 100 action allow
}

# add policies with different netmasks, to make sure kernel carries
# the policies contained within new netmask over when search tree is
# re-built.
# peer netns that are supposed to be encapsulated via esp have addresses
# in the 10.0.1.0/24 and 10.0.2.0/24 subnets, respectively.
#
# Adding a policy for '10.0.1.0/23' will make it necessary to
# alter the prefix of 10.0.1.0 subnet.
# In case new prefix overlaps with existing node, the node and all
# policies it carries need to be merged with the existing one(s).
#
# Do that here.
do_overlap()
{
    local ns=$1

    # adds new nodes to tree (neither network exists yet in policy database).
    ip -net $ns xfrm policy add src 10.1.0.0/24 dst 10.0.0.0/24 dir fwd priority 200 action block

    # adds a new node in the 10.0.0.0/24 tree (dst node exists).
    ip -net $ns xfrm policy add src 10.2.0.0/24 dst 10.0.0.0/24 dir fwd priority 200 action block

    # adds a 10.2.0.0/24 node, but for different dst.
    ip -net $ns xfrm policy add src 10.2.0.0/24 dst 10.0.1.0/24 dir fwd priority 200 action block

    # dst now overlaps with the 10.0.1.0/24 ESP policy in fwd.
    # kernel must 'promote' existing one (10.0.0.0/24) to 10.0.0.0/23.
    # But 10.0.0.0/23 also includes existing 10.0.1.0/24, so that node
    # also has to be merged too, including source-sorted subtrees.
    # old:
    # 10.0.0.0/24 (node 1 in dst tree of the bin)
    #    10.1.0.0/24 (node in src tree of dst node 1)
    #    10.2.0.0/24 (node in src tree of dst node 1)
    # 10.0.1.0/24 (node 2 in dst tree of the bin)
    #    10.0.2.0/24 (node in src tree of dst node 2)
    #    10.2.0.0/24 (node in src tree of dst node 2)
    #
    # The next 'policy add' adds dst '10.0.0.0/23', which means
    # that dst node 1 and dst node 2 have to be merged including
    # the sub-tree.  As no duplicates are allowed, policies in
    # the two '10.0.2.0/24' are also merged.
    #
    # after the 'add', internal search tree should look like this:
    # 10.0.0.0/23 (node in dst tree of bin)
    #     10.0.2.0/24 (node in src tree of dst node)
    #     10.1.0.0/24 (node in src tree of dst node)
    #     10.2.0.0/24 (node in src tree of dst node)
    #
    # 10.0.0.0/24 and 10.0.1.0/24 nodes have been merged as 10.0.0.0/23.
    ip -net $ns xfrm policy add src 10.1.0.0/24 dst 10.0.0.0/23 dir fwd priority 200 action block
}

do_esp_policy_get_check() {
    local ns=$1
    local lnet=$2
    local rnet=$3

    ip -net $ns xfrm policy get src $lnet dst $rnet dir out > /dev/null
    if [ $? -ne 0 ] && [ $policy_checks_ok -eq 1 ] ;then
        policy_checks_ok=0
        echo "FAIL: ip -net $ns xfrm policy get src $lnet dst $rnet dir out"
        ret=1
    fi

    ip -net $ns xfrm policy get src $rnet dst $lnet dir fwd > /dev/null
    if [ $? -ne 0 ] && [ $policy_checks_ok -eq 1 ] ;then
        policy_checks_ok=0
        echo "FAIL: ip -net $ns xfrm policy get src $rnet dst $lnet dir fwd"
        ret=1
    fi
}

do_exception() {
    local ns=$1
    local me=$2
    local remote=$3
    local encryptip=$4
    local plain=$5

    # network $plain passes without tunnel
    ip -net $ns xfrm policy add dst $plain dir out priority 10 action allow

    # direct policy for $encryptip, use tunnel, higher prio takes precedence
    ip -net $ns xfrm policy add dst $encryptip dir out tmpl src $me dst $remote proto esp mode tunnel priority 1 action allow
}

# policies that are not supposed to match any packets generated in this test.
do_dummies4() {
    local ns=$1

    for i in $(seq 10 16);do
      # dummy policy with wildcard src/dst.
      echo netns exec $ns ip xfrm policy add src 0.0.0.0/0 dst 10.$i.99.0/30 dir out action block
      echo netns exec $ns ip xfrm policy add src 10.$i.99.0/30 dst 0.0.0.0/0 dir out action block
      for j in $(seq 32 64);do
        echo netns exec $ns ip xfrm policy add src 10.$i.1.0/30 dst 10.$i.$j.0/30 dir out action block
        # silly, as it encompasses the one above too, but its allowed:
        echo netns exec $ns ip xfrm policy add src 10.$i.1.0/29 dst 10.$i.$j.0/29 dir out action block
        # and yet again, even more broad one.
        echo netns exec $ns ip xfrm policy add src 10.$i.1.0/24 dst 10.$i.$j.0/24 dir out action block
        echo netns exec $ns ip xfrm policy add src 10.$i.$j.0/24 dst 10.$i.1.0/24 dir fwd action block
      done
    done | ip -batch /dev/stdin
}

do_dummies6() {
    local ns=$1

    for i in $(seq 10 16);do
      for j in $(seq 32 64);do
       echo netns exec $ns ip xfrm policy add src dead:$i::/64 dst dead:$i:$j::/64 dir out action block
       echo netns exec $ns ip xfrm policy add src dead:$i:$j::/64 dst dead:$i::/24 dir fwd action block
      done
    done | ip -batch /dev/stdin
}

check_ipt_policy_count()
{
	ns=$1

	ip netns exec $ns iptables-save -c |grep policy | ( read c rest
		ip netns exec $ns iptables -Z
		if [ x"$c" = x'[0:0]' ]; then
			exit 0
		elif [ x"$c" = x ]; then
			echo "ERROR: No counters"
			ret=1
			exit 111
		else
			exit 1
		fi
	)
}

check_xfrm() {
	# 0: iptables -m policy rule count == 0
	# 1: iptables -m policy rule count != 0
	rval=$1
	ip=$2
	lret=0

	ip netns exec ns1 ping -q -c 1 10.0.2.$ip > /dev/null

	check_ipt_policy_count ns3
	if [ $? -ne $rval ] ; then
		lret=1
	fi
	check_ipt_policy_count ns4
	if [ $? -ne $rval ] ; then
		lret=1
	fi

	ip netns exec ns2 ping -q -c 1 10.0.1.$ip > /dev/null

	check_ipt_policy_count ns3
	if [ $? -ne $rval ] ; then
		lret=1
	fi
	check_ipt_policy_count ns4
	if [ $? -ne $rval ] ; then
		lret=1
	fi

	return $lret
}

check_exceptions()
{
	logpostfix="$1"
	local lret=0

	# ping to .254 should be excluded from the tunnel (exception is in place).
	check_xfrm 0 254
	if [ $? -ne 0 ]; then
		echo "FAIL: expected ping to .254 to fail ($logpostfix)"
		lret=1
	else
		echo "PASS: ping to .254 bypassed ipsec tunnel ($logpostfix)"
	fi

	# ping to .253 should use use ipsec due to direct policy exception.
	check_xfrm 1 253
	if [ $? -ne 0 ]; then
		echo "FAIL: expected ping to .253 to use ipsec tunnel ($logpostfix)"
		lret=1
	else
		echo "PASS: direct policy matches ($logpostfix)"
	fi

	# ping to .2 should use ipsec.
	check_xfrm 1 2
	if [ $? -ne 0 ]; then
		echo "FAIL: expected ping to .2 to use ipsec tunnel ($logpostfix)"
		lret=1
	else
		echo "PASS: policy matches ($logpostfix)"
	fi

	return $lret
}

#check for needed privileges
if [ "$(id -u)" -ne 0 ];then
	echo "SKIP: Need root privileges"
	exit $ksft_skip
fi

ip -Version 2>/dev/null >/dev/null
if [ $? -ne 0 ];then
	echo "SKIP: Could not run test without the ip tool"
	exit $ksft_skip
fi

# needed to check if policy lookup got valid ipsec result
iptables --version 2>/dev/null >/dev/null
if [ $? -ne 0 ];then
	echo "SKIP: Could not run test without iptables tool"
	exit $ksft_skip
fi

for i in 1 2 3 4; do
    ip netns add ns$i
    ip -net ns$i link set lo up
done

DEV=veth0
ip link add $DEV netns ns1 type veth peer name eth1 netns ns3
ip link add $DEV netns ns2 type veth peer name eth1 netns ns4

ip link add $DEV netns ns3 type veth peer name veth0 netns ns4

DEV=veth0
for i in 1 2; do
    ip -net ns$i link set $DEV up
    ip -net ns$i addr add 10.0.$i.2/24 dev $DEV
    ip -net ns$i addr add dead:$i::2/64 dev $DEV

    ip -net ns$i addr add 10.0.$i.253 dev $DEV
    ip -net ns$i addr add 10.0.$i.254 dev $DEV
    ip -net ns$i addr add dead:$i::fd dev $DEV
    ip -net ns$i addr add dead:$i::fe dev $DEV
done

for i in 3 4; do
ip -net ns$i link set eth1 up
ip -net ns$i link set veth0 up
done

ip -net ns1 route add default via 10.0.1.1
ip -net ns2 route add default via 10.0.2.1

ip -net ns3 addr add 10.0.1.1/24 dev eth1
ip -net ns3 addr add 10.0.3.1/24 dev veth0
ip -net ns3 addr add 2001:1::1/64 dev eth1
ip -net ns3 addr add 2001:3::1/64 dev veth0

ip -net ns3 route add default via 10.0.3.10

ip -net ns4 addr add 10.0.2.1/24 dev eth1
ip -net ns4 addr add 10.0.3.10/24 dev veth0
ip -net ns4 addr add 2001:2::1/64 dev eth1
ip -net ns4 addr add 2001:3::10/64 dev veth0
ip -net ns4 route add default via 10.0.3.1

for j in 4 6; do
	for i in 3 4;do
		ip netns exec ns$i sysctl net.ipv$j.conf.eth1.forwarding=1 > /dev/null
		ip netns exec ns$i sysctl net.ipv$j.conf.veth0.forwarding=1 > /dev/null
	done
done

# abuse iptables rule counter to check if ping matches a policy
ip netns exec ns3 iptables -p icmp -A FORWARD -m policy --dir out --pol ipsec
ip netns exec ns4 iptables -p icmp -A FORWARD -m policy --dir out --pol ipsec
if [ $? -ne 0 ];then
	echo "SKIP: Could not insert iptables rule"
	for i in 1 2 3 4;do ip netns del ns$i;done
	exit $ksft_skip
fi

#          localip  remoteip  localnet    remotenet
do_esp ns3 10.0.3.1 10.0.3.10 10.0.1.0/24 10.0.2.0/24 $SPI1 $SPI2
do_esp ns3 dead:3::1 dead:3::10 dead:1::/64 dead:2::/64 $SPI1 $SPI2
do_esp ns4 10.0.3.10 10.0.3.1 10.0.2.0/24 10.0.1.0/24 $SPI2 $SPI1
do_esp ns4 dead:3::10 dead:3::1 dead:2::/64 dead:1::/64 $SPI2 $SPI1

do_dummies4 ns3
do_dummies6 ns4

do_esp_policy_get_check ns3 10.0.1.0/24 10.0.2.0/24
do_esp_policy_get_check ns4 10.0.2.0/24 10.0.1.0/24
do_esp_policy_get_check ns3 dead:1::/64 dead:2::/64
do_esp_policy_get_check ns4 dead:2::/64 dead:1::/64

# ping to .254 should use ipsec, exception is not installed.
check_xfrm 1 254
if [ $? -ne 0 ]; then
	echo "FAIL: expected ping to .254 to use ipsec tunnel"
	ret=1
else
	echo "PASS: policy before exception matches"
fi

# installs exceptions
#                localip  remoteip   encryptdst  plaindst
do_exception ns3 10.0.3.1 10.0.3.10 10.0.2.253 10.0.2.240/28
do_exception ns4 10.0.3.10 10.0.3.1 10.0.1.253 10.0.1.240/28

do_exception ns3 dead:3::1 dead:3::10 dead:2::fd  dead:2:f0::/96
do_exception ns4 dead:3::10 dead:3::1 dead:1::fd  dead:1:f0::/96

check_exceptions "exceptions"
if [ $? -ne 0 ]; then
	ret=1
fi

# insert block policies with adjacent/overlapping netmasks
do_overlap ns3

check_exceptions "exceptions and block policies"
if [ $? -ne 0 ]; then
	ret=1
fi

for i in 1 2 3 4;do ip netns del ns$i;done

exit $ret