
  1. #!/bin/bash
  2. # SPDX-License-Identifier: GPL-2.0
  3. #
  4. # Check xfrm policy resolution. Topology:
  5. #
#   10.0.1.2      10.0.1.1  10.0.3.1      10.0.3.10  10.0.2.1      10.0.2.2
#   veth0         eth1      veth0         veth0      eth1          veth0
#   ns1 ---------- ns3 ------------------- ns4 ------------------- ns2
#
# (ns1/ns2 use veth0 as their only link; the gateway side of each leaf link
#  is called eth1, the ns3<->ns4 tunnel link is veth0 on both ends.)
  9. #
  10. # ns3 and ns4 are connected via ipsec tunnel.
  11. # pings from ns1 to ns2 (and vice versa) are supposed to work like this:
  12. # ns1: ping 10.0.2.2: passes via ipsec tunnel.
  13. # ns2: ping 10.0.1.2: passes via ipsec tunnel.
  14. # ns1: ping 10.0.1.253: passes via ipsec tunnel (direct policy)
  15. # ns2: ping 10.0.2.253: passes via ipsec tunnel (direct policy)
  16. #
  17. # ns1: ping 10.0.2.254: does NOT pass via ipsec tunnel (exception)
  18. # ns2: ping 10.0.1.254: does NOT pass via ipsec tunnel (exception)
# Shared selftest helpers (setup_ns, cleanup_ns, $ksft_skip); expected in the cwd.
source lib.sh

# Overall exit status, and a one-shot latch so the policy-get checks report
# only the first failure instead of flooding the log.
ret=0
policy_checks_ok=1

# Fixed test-only keys (HMAC-SHA1 auth, AES-128 enc) so both tunnel ends agree
# without any key exchange.  They are public test vectors -- never reuse them
# outside this selftest.
KEY_SHA=0xdeadbeef1234567890abcdefabcdefabcdefabcd
KEY_AES=0x0123456789abcdef0123456789012345

# SPI pair for the two ESP states; each peer sends with one and receives on the other.
SPI1=0x1
SPI2=0x2
# Install the pair of ESP tunnel policies for one peer.
#   out: $lnet -> $rnet traffic is wrapped in an ESP tunnel $me -> $remote
#        (this also covers forwarded packets that need encapsulation).
#   fwd: after ESP processing, $rnet -> $lnet packets may be forwarded; the
#        template ties this to the $remote -> $me tunnel.
# Args: netns, local tunnel endpoint, remote tunnel endpoint,
#       local subnet, remote subnet.
do_esp_policy() {
	local ns=$1 me=$2 remote=$3 lnet=$4 rnet=$5
	# trailing template attributes shared by both directions (left unquoted
	# on purpose so it word-splits into separate ip arguments)
	local tail="proto esp mode tunnel priority 100 action allow"

	ip -net $ns xfrm policy add src $lnet dst $rnet dir out \
		tmpl src $me dst $remote $tail
	ip -net $ns xfrm policy add src $rnet dst $lnet dir fwd \
		tmpl src $remote dst $me $tail
}
# Install both ESP SAs for one peer, then the matching policies.
# Args: netns, local endpoint, remote endpoint, local subnet, remote subnet,
#       SPI used for outbound traffic, SPI expected on inbound traffic.
# Keys are the global KEY_AES / KEY_SHA test vectors; the SA selectors are
# restricted to the two subnets so nothing else can ride the tunnel.
do_esp() {
	local ns=$1 me=$2 remote=$3 lnet=$4 rnet=$5
	local spi_out=$6 spi_in=$7
	# algorithm/mode attributes common to both SAs (unquoted on purpose)
	local algs="enc aes $KEY_AES auth sha1 $KEY_SHA mode tunnel"

	# inbound SA: remote -> me, carrying rnet -> lnet
	ip -net $ns xfrm state add src $remote dst $me proto esp spi $spi_in \
		$algs sel src $rnet dst $lnet
	# outbound SA: me -> remote, carrying lnet -> rnet
	ip -net $ns xfrm state add src $me dst $remote proto esp spi $spi_out \
		$algs sel src $lnet dst $rnet

	do_esp_policy $ns $me $remote $lnet $rnet
}
  49. # add policies with different netmasks, to make sure kernel carries
  50. # the policies contained within new netmask over when search tree is
  51. # re-built.
  52. # peer netns that are supposed to be encapsulated via esp have addresses
  53. # in the 10.0.1.0/24 and 10.0.2.0/24 subnets, respectively.
  54. #
# Adding a policy for '10.0.0.0/23' (the /23 that covers both 10.0.0.0/24
# and 10.0.1.0/24) will make it necessary to alter the prefix of the
# 10.0.1.0 subnet node.
  57. # In case new prefix overlaps with existing node, the node and all
  58. # policies it carries need to be merged with the existing one(s).
  59. #
  60. # Do that here.
# Exercise the policy search-tree merge path by inserting 'block' fwd policies
# whose dst prefixes overlap and then widen.  All of them are action block and
# none matches the test traffic, so they only stress the tree maintenance.
# Args: netns to insert into.
do_overlap()
{
	local ns=$1
	local p k

	# 1) neither src nor dst network exists yet: both tree nodes are new.
	ip -net $ns xfrm policy add src 10.1.0.0/24 dst 10.0.0.0/24 dir fwd priority 200 action block
	# 2) dst node 10.0.0.0/24 exists; only a new src node is added beneath it.
	ip -net $ns xfrm policy add src 10.2.0.0/24 dst 10.0.0.0/24 dir fwd priority 200 action block
	# 3) a 10.2.0.0/23 src node, but hanging off a different dst (10.0.1.0/24).
	ip -net $ns xfrm policy add src 10.2.0.0/23 dst 10.0.1.0/24 dir fwd priority 200 action block

	# 4) dst 10.0.0.0/23 now overlaps the 10.0.1.0/24 ESP fwd policy as well.
	# The kernel must 'promote' the existing 10.0.0.0/24 node to 10.0.0.0/23,
	# and since that /23 also contains 10.0.1.0/24, merge that node too,
	# including the source-sorted subtrees.
	#
	# Before:
	#   10.0.0.0/24  (dst node 1 in the bin)
	#     10.1.0.0/24  (src node of dst node 1)
	#     10.2.0.0/24  (src node of dst node 1)
	#   10.0.1.0/24  (dst node 2 in the bin)
	#     10.0.2.0/24  (src node of dst node 2)
	#     10.2.0.0/24  (src node of dst node 2)
	#
	# After (dst node 1 and 2 merged; duplicates are not allowed, so the two
	# 10.2.0.0/24 src nodes are merged as well):
	#   10.0.0.0/23  (single dst node in the bin)
	#     10.0.2.0/24
	#     10.1.0.0/24
	#     10.2.0.0/24
	ip -net $ns xfrm policy add src 10.1.0.0/24 dst 10.0.0.0/23 dir fwd priority 200 action block

	# Same idea with partially random addresses and shrinking prefixes.
	# A random src/dst pair may repeat an earlier insert and be rejected as a
	# duplicate; that is expected, hence stderr is silenced.
	for p in 29 28 27; do
		for ((k = 1; k <= 32; k++)); do
			ip -net $ns xfrm policy add src 10.253.1.$((RANDOM%255))/$p dst 10.254.1.$((RANDOM%255))/$p dir fwd priority $((200+k)) action block 2>/dev/null
		done
	done
}
# Verify that the ESP policies installed by do_esp_policy can still be looked
# up by their exact selectors: out ($lnet -> $rnet) and fwd ($rnet -> $lnet).
# Only the first failure in the whole run is reported (policy_checks_ok latch);
# both lookups are always executed.  Sets ret=1 on failure.
# Args: netns, local subnet, remote subnet.
do_esp_policy_get_check() {
	local ns=$1 lnet=$2 rnet=$3
	local dir src dst

	for dir in out fwd; do
		if [ "$dir" = out ]; then
			src=$lnet; dst=$rnet
		else
			src=$rnet; dst=$lnet
		fi
		# the lookup runs first, the latch only gates the report
		if ! ip -net $ns xfrm policy get src $src dst $dst dir $dir > /dev/null && [ $policy_checks_ok -eq 1 ]; then
			policy_checks_ok=0
			echo "FAIL: ip -net $ns xfrm policy get src $src dst $dst dir $dir"
			ret=1
		fi
	done
}
# Install a cleartext carve-out plus a single-address override inside it.
# Args: netns, local endpoint, remote endpoint,
#       $encryptip: address that must still use the tunnel,
#       $plain:     network that leaves without IPsec.
# xfrm prefers the numerically lower priority: the carve-out (10) beats the
# tunnel policies (100), and the direct policy (1) beats the carve-out again.
# Note that a template-less 'allow' like $plain is exactly how traffic can
# silently leave a gateway unprotected -- which is what this test verifies.
do_exception() {
	local ns=$1 me=$2 remote=$3 encryptip=$4 plain=$5

	# $plain: allowed out with no template -> sent in the clear
	ip -net $ns xfrm policy add dst $plain dir out priority 10 action allow
	# $encryptip: pinned back into the tunnel by the more preferred policy
	ip -net $ns xfrm policy add dst $encryptip dir out tmpl src $me dst $remote proto esp mode tunnel priority 1 action allow
}
  130. # policies that are not supposed to match any packets generated in this test.
# Bulk-insert IPv4 'block' policies that never match the test traffic
# (10.10-16.x.x, whereas the test uses 10.0.x.x).  They pad the policy
# database with nested /30, /29 and /24 selectors so the real lookups have to
# walk past them.  Everything is fed to a single 'ip -batch' to avoid one
# process per rule.
# Args: netns.
do_dummies4() {
	local ns=$1
	local i j pfx

	pfx="netns exec $ns ip xfrm policy add"
	for i in $(seq 10 16); do
		# wildcard-src and wildcard-dst pair
		printf '%s src 0.0.0.0/0 dst 10.%s.99.0/30 dir out action block\n' "$pfx" "$i"
		printf '%s src 10.%s.99.0/30 dst 0.0.0.0/0 dir out action block\n' "$pfx" "$i"
		for j in $(seq 32 64); do
			printf '%s src 10.%s.1.0/30 dst 10.%s.%s.0/30 dir out action block\n' "$pfx" "$i" "$i" "$j"
			# wider selector that already covers the /30 above -- legal, just redundant
			printf '%s src 10.%s.1.0/29 dst 10.%s.%s.0/29 dir out action block\n' "$pfx" "$i" "$i" "$j"
			# and the widest one
			printf '%s src 10.%s.1.0/24 dst 10.%s.%s.0/24 dir out action block\n' "$pfx" "$i" "$i" "$j"
			printf '%s src 10.%s.%s.0/24 dst 10.%s.1.0/24 dir fwd action block\n' "$pfx" "$i" "$j" "$i"
		done
	done | ip -batch /dev/stdin
}
# IPv6 counterpart of do_dummies4: 'block' policies in dead:10..16:: that no
# test packet matches, inserted through one 'ip -batch'.
# NOTE(review): the fwd policies use dst dead:$i::/24, which covers far more
# than dead:$i::/64 (it overlaps the dead:1::/dead:2:: test subnets).  That is
# harmless only because no generated traffic has a dead:$i:$j::/64 source;
# confirm the /24 is intended rather than a typo for /64.
# Args: netns.
do_dummies6() {
	local ns=$1
	local i j pfx

	pfx="netns exec $ns ip xfrm policy add"
	for i in $(seq 10 16); do
		for j in $(seq 32 64); do
			printf '%s src dead:%s::/64 dst dead:%s:%s::/64 dir out action block\n' "$pfx" "$i" "$i" "$j"
			printf '%s src dead:%s:%s::/64 dst dead:%s::/24 dir fwd action block\n' "$pfx" "$i" "$j" "$i"
		done
	done | ip -batch /dev/stdin
}
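# Read and then reset the packet counter of the FORWARD rule matching on xfrm
# policy (installed by the main body), so callers learn whether the preceding
# ping was subject to an IPsec policy on this gateway.
# Args: netns of the gateway.
# Returns: 0   counter is [0:0]     -- no packet matched an IPsec policy
#          1   counter is non-zero  -- at least one packet did
#          111 no counter line found; prints "ERROR: No counters", sets ret=1
# Fix vs. the previous version: the counter was read in a pipeline subshell,
# so its 'ret=1' never reached the caller, and 'ns' was assigned without
# 'local' (clobbering ns[0] of the global namespace array).
check_ipt_policy_count()
{
	local ns=$1
	local c rest

	# Only the first matching line is considered.  Process substitution keeps
	# 'read' (and the ret=1 below) in this shell; a missing rule line makes
	# read fail and leaves c empty.
	read -r c rest < <(ip netns exec "$ns" iptables-save -c | grep policy) || :
	ip netns exec "$ns" iptables -Z

	if [ "$c" = '[0:0]' ]; then
		return 0
	elif [ -z "$c" ]; then
		echo "ERROR: No counters"
		ret=1
		return 111
	fi
	return 1
}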
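# Ping across the gateways in both directions and check, on both gateways,
# whether the xfrm-policy iptables counter fired.
# Args: $1 = result expected from check_ipt_policy_count on every gateway
#            (0: no packet matched an IPsec policy, 1: at least one did),
#       $2 = last octet of the peer address to ping (2, 253 or 254).
# Returns 0 when all four counter checks match $1, 1 otherwise.
# The ping exit status is deliberately ignored: only the policy counters
# matter here, and for the cleartext exception the caller even expects the
# ping itself to fail (presumably the far gateway's fwd policy drops the
# unprotected packet) while the counters must stay at zero.
# Fix vs. the previous version: rval/ip were assigned as globals.
check_xfrm() {
	local rval=$1
	local last=$2
	local lret=0
	local gw

	ip netns exec "${ns[1]}" ping -q -c 1 10.0.2.$last > /dev/null
	for gw in "${ns[3]}" "${ns[4]}"; do
		check_ipt_policy_count "$gw"
		[ $? -eq "$rval" ] || lret=1
	done

	ip netns exec "${ns[2]}" ping -q -c 1 10.0.1.$last > /dev/null
	for gw in "${ns[3]}" "${ns[4]}"; do
		check_ipt_policy_count "$gw"
		[ $? -eq "$rval" ] || lret=1
	done

	return $lret
}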
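# Run the three traffic checks that make up one "exceptions" round and print
# a PASS/FAIL line for each.
# Args: $1 = label appended to every log line.
# Returns 0 when all three checks pass, 1 otherwise (does not touch ret).
# Fix vs. the previous version: logpostfix leaked as a global.
check_exceptions()
{
	local logpostfix="$1"
	local lret=0

	# .254 lies inside the cleartext carve-out: no IPsec policy may match.
	if check_xfrm 0 254; then
		echo "PASS: ping to .254 bypassed ipsec tunnel ($logpostfix)"
	else
		echo "FAIL: expected ping to .254 to fail ($logpostfix)"
		lret=1
	fi

	# .253 is inside the carve-out too, but pinned back into the tunnel by
	# the priority-1 direct policy.
	if check_xfrm 1 253; then
		echo "PASS: direct policy matches ($logpostfix)"
	else
		echo "FAIL: expected ping to .253 to use ipsec tunnel ($logpostfix)"
		lret=1
	fi

	# .2 is ordinary subnet traffic and must take the tunnel.
	if check_xfrm 1 2; then
		echo "PASS: policy matches ($logpostfix)"
	else
		echo "FAIL: expected ping to .2 to use ipsec tunnel ($logpostfix)"
		lret=1
	fi

	return $lret
}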
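# Regression check: alternate two 'policy update' calls with a hthresh6
# change ten times in ns1; every command must keep succeeding.
# Args: $1 = log label.
# Returns 0 and prints PASS, or prints FAIL to stderr, sets ret=1 and
# returns 1 as soon as one command is rejected.
# Fix vs. the previous version: failure was detected via the loop counter
# ('i' still 10 after a break in the last iteration), so a rejection in the
# tenth round was reported as PASS; 'i' also leaked as a global.
check_hthresh_repeat()
{
	local log=$1
	local i failed=0

	for i in $(seq 1 10); do
		# chained with && so the first rejected command skips the rest of
		# the round, exactly like the old per-command break
		ip -net ${ns[1]} xfrm policy update src e000:0001::0000 dst ff01::0014:0000:0001 dir in tmpl src :: dst :: proto esp mode tunnel priority 100 action allow &&
		ip -net ${ns[1]} xfrm policy set hthresh6 0 28 &&
		ip -net ${ns[1]} xfrm policy update src e000:0001::0000 dst ff01::01 dir in tmpl src :: dst :: proto esp mode tunnel priority 100 action allow &&
		ip -net ${ns[1]} xfrm policy set hthresh6 0 28 || { failed=1; break; }
	done

	if [ $failed -ne 0 ]; then
		echo "FAIL: $log" 1>&2
		ret=1
		return 1
	fi
	echo "PASS: $log"
	return 0
}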
  246. # insert non-overlapping policies in a random order and check that
  247. # all of them can be fetched using the traffic selectors.
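# One round of check_random_order: flush the policy db, insert the 16 policies
# produced by printf format $3 for j = 0,16,...,240 in shuffled order (GNU
# 'sort -R'), then fetch each one by its selector.
# Args: netns, log label, printf format taking one %d/%x argument.
# Returns 1 (after a FAIL line on stderr) on the first policy that cannot be
# fetched, 0 otherwise.
check_random_order_round()
{
	local ns=$1 log=$2 fmt=$3
	local j addr

	ip -net $ns xfrm policy flush
	for j in $(seq 0 16 255 | sort -R); do
		printf -v addr "$fmt" "$j"
		ip -net $ns xfrm policy add dst $addr dir out priority 10 action allow
	done
	for j in $(seq 0 16 255); do
		printf -v addr "$fmt" "$j"
		if ! ip -net $ns xfrm policy get dst $addr dir out > /dev/null; then
			echo "FAIL: $log" 1>&2
			return 1
		fi
	done
	return 0
}

# Insert non-overlapping policies in random order, 50 rounds IPv4 then 50
# rounds IPv6, and check that each can be fetched by its traffic selector.
# WARNING: every round flushes the whole policy db of $ns, so run this only
# after all tunnel checks on that namespace are done.
# Args: netns, log label.
# Returns 0 and prints PASS, or returns 1 after the round's FAIL line
# (does not touch ret).
# Fix vs. the previous version: the two near-identical loops are shared via a
# helper, addresses are formatted with printf -v instead of a subshell per
# policy, and 'i' no longer leaks as a global.
check_random_order()
{
	local ns=$1 log=$2
	local i

	for i in $(seq 50); do
		check_random_order_round $ns "$log" "%d.0.0.0/24" || return 1
	done
	for i in $(seq 50); do
		check_random_order_round $ns "$log" "e000:0000:%02x00::/56" || return 1
	done

	ip -net $ns xfrm policy flush
	echo "PASS: $log"
	return 0
}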
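# ---- main -------------------------------------------------------------------
# Fixes vs. the previous version: the iptables rule insert was only checked on
# ns4 (a failure on ns3 would surface later as "No counters"), and the results
# of four of the six check_exceptions rounds plus check_random_order were
# printed but never folded into $ret, so a failing run could still exit 0.

#check for needed privileges
if [ "$(id -u)" -ne 0 ]; then
	echo "SKIP: Need root privileges"
	exit $ksft_skip
fi

if ! ip -Version >/dev/null 2>&1; then
	echo "SKIP: Could not run test without the ip tool"
	exit $ksft_skip
fi

# needed to check if policy lookup got valid ipsec result
if ! iptables --version >/dev/null 2>&1; then
	echo "SKIP: Could not run test without iptables tool"
	exit $ksft_skip
fi

setup_ns ns1 ns2 ns3 ns4
ns[1]=$ns1
ns[2]=$ns2
ns[3]=$ns3
ns[4]=$ns4

# Wire up ns1 -- ns3 -- ns4 -- ns2.  The leaf namespaces and the ns3<->ns4
# tunnel link use veth0; the gateway end of each leaf link is called eth1.
DEV=veth0
ip link add $DEV netns ${ns[1]} type veth peer name eth1 netns ${ns[3]}
ip link add $DEV netns ${ns[2]} type veth peer name eth1 netns ${ns[4]}
ip link add $DEV netns ${ns[3]} type veth peer name veth0 netns ${ns[4]}

# Leaf namespaces: .2/::2 is the primary address, .253/::fd and .254/::fe are
# the targets of the direct-policy and cleartext-exception checks.
for i in 1 2; do
	ip -net ${ns[$i]} link set $DEV up
	ip -net ${ns[$i]} addr add 10.0.$i.2/24 dev $DEV
	ip -net ${ns[$i]} addr add dead:$i::2/64 dev $DEV
	ip -net ${ns[$i]} addr add 10.0.$i.253 dev $DEV
	ip -net ${ns[$i]} addr add 10.0.$i.254 dev $DEV
	ip -net ${ns[$i]} addr add dead:$i::fd dev $DEV
	ip -net ${ns[$i]} addr add dead:$i::fe dev $DEV
done

for i in 3 4; do
	ip -net ${ns[$i]} link set eth1 up
	ip -net ${ns[$i]} link set veth0 up
done

ip -net ${ns[1]} route add default via 10.0.1.1
ip -net ${ns[2]} route add default via 10.0.2.1

# Gateways: eth1 faces the leaf, veth0 carries the tunnel.
ip -net ${ns[3]} addr add 10.0.1.1/24 dev eth1
ip -net ${ns[3]} addr add 10.0.3.1/24 dev veth0
ip -net ${ns[3]} addr add 2001:1::1/64 dev eth1
ip -net ${ns[3]} addr add 2001:3::1/64 dev veth0
ip -net ${ns[3]} route add default via 10.0.3.10

ip -net ${ns[4]} addr add 10.0.2.1/24 dev eth1
ip -net ${ns[4]} addr add 10.0.3.10/24 dev veth0
ip -net ${ns[4]} addr add 2001:2::1/64 dev eth1
ip -net ${ns[4]} addr add 2001:3::10/64 dev veth0
ip -net ${ns[4]} route add default via 10.0.3.1

for j in 4 6; do
	for i in 3 4; do
		ip netns exec ${ns[$i]} sysctl net.ipv$j.conf.eth1.forwarding=1 > /dev/null
		ip netns exec ${ns[$i]} sysctl net.ipv$j.conf.veth0.forwarding=1 > /dev/null
	done
done

# abuse iptables rule counter to check if ping matches a policy.
# Both gateways need the rule: check_ipt_policy_count reads it on each of
# them, so a failed insert on either one must SKIP right here.
for n in ${ns[3]} ${ns[4]}; do
	if ! ip netns exec $n iptables -p icmp -A FORWARD -m policy --dir out --pol ipsec; then
		echo "SKIP: Could not insert iptables rule"
		cleanup_ns $ns1 $ns2 $ns3 $ns4
		exit $ksft_skip
	fi
done

# localip remoteip localnet remotenet
# NOTE(review): the IPv6 tunnel endpoints dead:3::1 / dead:3::10 are not
# assigned to any interface above (veth0 carries 2001:3::); the v6 states and
# policies are therefore only exercised by the 'policy get' checks below,
# never by traffic.
do_esp ${ns[3]} 10.0.3.1 10.0.3.10 10.0.1.0/24 10.0.2.0/24 $SPI1 $SPI2
do_esp ${ns[3]} dead:3::1 dead:3::10 dead:1::/64 dead:2::/64 $SPI1 $SPI2
do_esp ${ns[4]} 10.0.3.10 10.0.3.1 10.0.2.0/24 10.0.1.0/24 $SPI2 $SPI1
do_esp ${ns[4]} dead:3::10 dead:3::1 dead:2::/64 dead:1::/64 $SPI2 $SPI1

do_dummies4 ${ns[3]}
do_dummies6 ${ns[4]}

do_esp_policy_get_check ${ns[3]} 10.0.1.0/24 10.0.2.0/24
do_esp_policy_get_check ${ns[4]} 10.0.2.0/24 10.0.1.0/24
do_esp_policy_get_check ${ns[3]} dead:1::/64 dead:2::/64
do_esp_policy_get_check ${ns[4]} dead:2::/64 dead:1::/64

# ping to .254 should use ipsec, exception is not installed.
if check_xfrm 1 254; then
	echo "PASS: policy before exception matches"
else
	echo "FAIL: expected ping to .254 to use ipsec tunnel"
	ret=1
fi

# installs exceptions
# localip remoteip encryptdst plaindst
do_exception ${ns[3]} 10.0.3.1 10.0.3.10 10.0.2.253 10.0.2.240/28
do_exception ${ns[4]} 10.0.3.10 10.0.3.1 10.0.1.253 10.0.1.240/28
do_exception ${ns[3]} dead:3::1 dead:3::10 dead:2::fd dead:2:f0::/96
do_exception ${ns[4]} dead:3::10 dead:3::1 dead:1::fd dead:1:f0::/96

check_exceptions "exceptions" || ret=1

# insert block policies with adjacent/overlapping netmasks
do_overlap ${ns[3]}

check_exceptions "exceptions and block policies" || ret=1

# lower the hash thresholds so inexact policies move into the hash tables;
# the random 0-4s pause presumably gives the kernel's asynchronous rebuild
# time to run before re-checking
for n in ${ns[3]} ${ns[4]}; do
	ip -net $n xfrm policy set hthresh4 28 24 hthresh6 126 125
	sleep $((RANDOM%5))
done

check_exceptions "exceptions and block policies after hresh changes" || ret=1

# full flush of policy db, check everything gets freed incl. internal meta data
ip -net ${ns[3]} xfrm policy flush

do_esp_policy ${ns[3]} 10.0.3.1 10.0.3.10 10.0.1.0/24 10.0.2.0/24
do_exception ${ns[3]} 10.0.3.1 10.0.3.10 10.0.2.253 10.0.2.240/28

# move inexact policies to hash table
ip -net ${ns[3]} xfrm policy set hthresh4 16 16

sleep $((RANDOM%5))
check_exceptions "exceptions and block policies after hthresh change in ns3" || ret=1

# restore original hthresh settings -- move policies back to tables
for n in ${ns[3]} ${ns[4]}; do
	ip -net $n xfrm policy set hthresh4 32 32 hthresh6 128 128
	sleep $((RANDOM%5))
done
check_exceptions "exceptions and block policies after htresh change to normal" || ret=1

# sets ret=1 itself on failure
check_hthresh_repeat "policies with repeated htresh change"

# must stay last: this flushes the ns3 policy db
check_random_order ${ns[3]} "policies inserted in random order" || ret=1

cleanup_ns $ns1 $ns2 $ns3 $ns4
exit $ret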