Message-ID: <ZhbQ/qteBv7Up1lE@moon.secunet.de>
Date: Wed, 10 Apr 2024 19:48:46 +0200
From: Antony Antony <antony.antony@...unet.com>
To: Jakub Kicinski <kuba@...nel.org>
CC: Antony Antony <antony.antony@...unet.com>, Steffen Klassert
	<steffen.klassert@...unet.com>, "David S. Miller" <davem@...emloft.net>,
	David Ahern <dsahern@...nel.org>, Eric Dumazet <edumazet@...gle.com>, "Paolo
 Abeni" <pabeni@...hat.com>, <netdev@...r.kernel.org>, Herbert Xu
	<herbert@...dor.apana.org.au>, <devel@...ux-ipsec.org>, Tobias Brunner
	<tobias@...ongswan.org>
Subject: 14141

On Mon, Apr 08, 2024 at 19:15:34 -0700, Jakub Kicinski wrote:
> On Thu, 4 Apr 2024 12:31:56 +0200 Antony Antony wrote:
> > export AB="10.1"
> > for i in 1 2 3 4 5; do
> >         h="host${i}"
> >         ip netns add ${h}
> >         ip -netns ${h} link set lo up
> >         ip netns exec ${h} sysctl -wq net.ipv4.ip_forward=1
> >         if [ $i -lt 5 ]; then
> >                 ip -netns ${h} link add eth0 type veth peer name eth10${i}
> >                 ip -netns ${h} addr add "${AB}.${i}.1/24" dev eth0
> >                 ip -netns ${h} link set up dev eth0
> >         fi
> > done
> > 
> > for i in 1 2 3 4 5; do
> >         h="host${i}"
> >         p=$((i - 1))
> >         ph="host${p}"
> >         # connect to previous host
> >         if [ $i -gt 1 ]; then
> >                 ip -netns ${ph} link set eth10${p} netns ${h}
> >                 ip -netns ${h} link set eth10${p} name eth1
> >                 ip -netns ${h} link set up dev eth1
> >                 ip -netns ${h} addr add "${AB}.${p}.2/24" dev eth1
> >         fi
> >         # add forward routes
> >         for k in $(seq ${i} $((5 - 1))); do
> >                 ip -netns ${h} route 2>/dev/null | (grep "${AB}.${k}.0" 2>/dev/null) || \
> >                 ip -netns ${h} route add "${AB}.${k}.0/24" via "${AB}.${i}.2" 2>/dev/null
> >         done
> > 
> >         # add reverse routes
> >         for k in $(seq 1 $((i - 2))); do
> >                 ip -netns ${h} route 2>/dev/null | grep "${AB}.${k}.0" 2>/dev/null || \
> >                 ip -netns ${h} route add "${AB}.${k}.0/24" via "${AB}.${p}.1" 2>/dev/null
> >         done
> > done
> > 
> > ip netns exec host1 ping -q -W 2 -w 1 -c 1 10.1.4.2 2>&1>/dev/null && echo "success 10.1.4.2 reachable" || echo "ERROR"
> > ip netns exec host1 ping -W 9 -w 5 -c 1 10.1.4.3 || echo  "note the source address of unreachable of gateway"
> > ip -netns host1 route flush cache
> > 
> > ip netns exec host3 nft add table inet filter
> > ip netns exec host3 nft add chain inet filter FORWARD { type filter hook forward priority filter\; policy drop \; }
> > ip netns exec host3 nft add rule inet filter FORWARD counter ip protocol icmp drop
> > ip netns exec host3 nft add rule inet filter FORWARD counter ip protocol esp accept
> > ip netns exec host3 nft add rule inet filter FORWARD counter drop
> > 
> > ip -netns host2 xfrm policy add src 10.1.1.0/24 dst 10.1.4.0/24 dir out \
> >         flag icmp tmpl src 10.1.2.1 dst 10.1.3.2 proto esp reqid 1 mode tunnel
> > 
> > ip -netns host2 xfrm policy add src 10.1.4.0/24 dst 10.1.1.0/24 dir in \
> >         tmpl src 10.1.3.2 dst 10.1.2.1 proto esp reqid 2 mode tunnel
> > 
> > ip -netns host2 xfrm policy add src 10.1.4.0/24 dst 10.1.1.0/24 dir fwd \
> >         flag icmp tmpl src 10.1.3.2 dst 10.1.2.1 proto esp reqid 2 mode tunnel
> > 
> > ip -netns host2 xfrm state add src 10.1.2.1 dst 10.1.3.2 proto esp spi 1 \
> >         reqid 1 replay-window 1  mode tunnel aead 'rfc4106(gcm(aes))' \
> >         0x1111111111111111111111111111111111111111 96 \
> >         sel src 10.1.1.0/24 dst 10.1.4.0/24
> > 
> > ip -netns host2 xfrm state add src 10.1.3.2 dst 10.1.2.1 proto esp spi 2 \
> >         flag icmp reqid 2 replay-window 10 mode tunnel aead 'rfc4106(gcm(aes))' \
> >         0x2222222222222222222222222222222222222222 96
> > 
> > ip -netns host4 xfrm policy add src 10.1.4.0/24 dst 10.1.1.0/24 dir out \
> >         flag icmp tmpl src 10.1.3.2 dst 10.1.2.1 proto esp reqid 1 mode tunnel
> > 
> > ip -netns host4 xfrm policy add src 10.1.1.0/24 dst 10.1.4.0/24 dir in \
> >         tmpl src 10.1.2.1 dst 10.1.3.2 proto esp reqid 2  mode tunnel
> > 
> > ip -netns host4 xfrm policy add src 10.1.1.0/24 dst 10.1.4.0/24 dir fwd \
> >                 flag icmp tmpl src 10.1.2.1 dst 10.1.3.2 proto esp reqid 2 mode tunnel
> > 
> > ip -netns host4 xfrm state add src 10.1.3.2 dst 10.1.2.1 proto esp spi 2 \
> >         reqid 1 replay-window 1 mode tunnel aead 'rfc4106(gcm(aes))' \
> >         0x2222222222222222222222222222222222222222 96
> > 
> > ip -netns host4 xfrm state add src 10.1.2.1 dst 10.1.3.2 proto esp spi 1 \
> >         reqid 2 replay-window 20 flag icmp  mode tunnel aead 'rfc4106(gcm(aes))' \
> >         0x1111111111111111111111111111111111111111 96 \
> >         sel src 10.1.1.0/24 dst 10.1.4.0/24
> > 
> > ip netns exec host1 ping -W 5 -c 1 10.1.4.2 2>&1 > /dev/null && echo ""
> > ip netns exec host1 ping -W 5 -c 1 10.1.4.3 || echo "note source address of gateway 10.1.3.2"
> 
> Could you turn this into a selftest?

I thought about it, and I didn't find any selftest file that matches this
test. This test needs a topology with 4, ideally 5, namespaces connected in a line, and ip xfrm.

git/linux/tools/testing/selftests/net/pmtu.sh is probably the easiest I
can think of.

git/linux/tools/testing/selftests/net/xfrm_policy.sh seems to be a bit
more complex to add extra tests to.

Do you have any preference for which file to add it to?

-antonz
