| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aSg2L5eAAEhyHMxM@krikkit>
Date: Thu, 27 Nov 2025 12:29:51 +0100
From: Sabrina Dubroca <sd@...asysnail.net>
To: Antonio Quartulli <antonio@...nvpn.net>
Cc: netdev@...r.kernel.org, Ralf Lici <ralf@...delbit.com>,
Jakub Kicinski <kuba@...nel.org>, linux-kselftest@...r.kernel.org,
Shuah Khan <shuah@...nel.org>
Subject: Re: [RFC net-next 11/13] selftests: ovpn: add test for bound device
2025-11-21, 01:20:42 +0100, Antonio Quartulli wrote:
> From: Ralf Lici <ralf@...delbit.com>
>
> Add a selftest to verify that when a socket is bound to a device, UDP
> traffic from ovpn is correctly routed through the specified interface.
>
> The test sets up a P2P session between two peers in separate network
> namespaces, connected via two veth pairs. It binds to both veth
> interfaces and uses tcpdump to confirm that traffic flows through the
> expected paths.
The current setup doesn't really test that, since it would also work
without SO_BINDTODEVICE (traffic still flows through the expected veth
if I pass "any" instead of veth1/veth2 to the new_peer commands).
[...]
> diff --git a/tools/testing/selftests/net/ovpn/common.sh b/tools/testing/selftests/net/ovpn/common.sh
> index d926413c9f16..c802e4e50054 100644
> --- a/tools/testing/selftests/net/ovpn/common.sh
> +++ b/tools/testing/selftests/net/ovpn/common.sh
> @@ -66,9 +66,11 @@ setup_listener() {
> }
>
> add_peer() {
> + dev=${2:-"any"}
nit: no user of add_peer is patched to pass this extra argument
> diff --git a/tools/testing/selftests/net/ovpn/test-bind.sh b/tools/testing/selftests/net/ovpn/test-bind.sh
> new file mode 100755
> index 000000000000..fd7c3c8fdf63
> --- /dev/null
> +++ b/tools/testing/selftests/net/ovpn/test-bind.sh
> @@ -0,0 +1,103 @@
[...]
> +run_bind_test() {
> + dev1=${1}
> + dev2=${2}
> + raddr4_peer1=${3}
> + raddr4_peer2=${4}
> +
> + touch /tmp/ovpn-bind1.log
> + touch /tmp/ovpn-bind2.log
> +
> + ip netns exec peer1 ${OVPN_CLI} del_peer tun1 1 2>/dev/null || true
> + ip netns exec peer2 ${OVPN_CLI} del_peer tun2 10 2>/dev/null || true
> +
> + # close any active socket
> + killall $(basename ${OVPN_CLI}) 2>/dev/null || true
> +
> + ip netns exec peer1 ${OVPN_CLI} new_peer tun1 ${dev1} 1 10 1 ${raddr4_peer1} 1
> + ip netns exec peer1 ${OVPN_CLI} new_key tun1 1 1 0 ${ALG} 0 data64.key
> + ip netns exec peer2 ${OVPN_CLI} new_peer tun2 ${dev2} 10 1 1 ${raddr4_peer2} 1
> + ip netns exec peer2 ${OVPN_CLI} new_key tun2 10 1 0 ${ALG} 1 data64.key
> +
> + ip netns exec peer1 ${OVPN_CLI} set_peer tun1 1 60 120
> + ip netns exec peer2 ${OVPN_CLI} set_peer tun2 10 60 120
> +
> + timeout 2 ip netns exec peer1 tcpdump -i veth1 "${PROTO,,}" port 1 -n -q > /tmp/ovpn-bind1.log &
Maybe add
2> /dev/null
to clean up a bit the script output?
> + tcpdump1_pid=$!
> + timeout 2 ip netns exec peer1 tcpdump -i veth2 "${PROTO,,}" port 1 -n -q > /tmp/ovpn-bind2.log &
> + tcpdump2_pid=$!
> + sleep 0.5
> +
> + ip netns exec peer1 ping -qfc 50 -w 1 5.5.5.2
> +
> + wait ${tcpdump1_pid} || true
> + wait ${tcpdump2_pid} || true
> +}
> +
> +run_bind_test veth1 any 10.10.10.2 10.10.10.1
> +[ "$(grep -c -i udp /tmp/ovpn-bind1.log)" -ge 100 ]
> +[ "$(grep -c -i udp /tmp/ovpn-bind2.log)" -eq 0 ]
> +
> +run_bind_test veth2 any 20.20.20.2 20.20.20.1
> +[ "$(grep -c -i udp /tmp/ovpn-bind2.log)" -ge 100 ]
> +[ "$(grep -c -i udp /tmp/ovpn-bind1.log)" -eq 0 ]
> +
> +run_bind_test any veth1 10.10.10.2 10.10.10.1
> +[ "$(grep -c -i udp /tmp/ovpn-bind1.log)" -ge 100 ]
> +[ "$(grep -c -i udp /tmp/ovpn-bind2.log)" -eq 0 ]
> +
> +run_bind_test any veth2 20.20.20.2 20.20.20.1
> +[ "$(grep -c -i udp /tmp/ovpn-bind2.log)" -ge 100 ]
> +[ "$(grep -c -i udp /tmp/ovpn-bind1.log)" -eq 0 ]
> +
> +cleanup
And also clean up the log files? (maybe via "trap <function> EXIT" so
that they get removed as well if the test fails)
--
Sabrina
Powered by blists - more mailing lists