Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

selftests: netfilter: extend flowtable test script for ipsec

'flow offload' expression should not offload flows that will be subject
to ipsec, but it does.

This results in a connectivity blackhole for the affected flows -- first
packets will go through (offload happens after established state is
reached), but all remaining ones bypass ipsec encryption and are thus
discarded by the peer.

This can be worked around by adding "rt ipsec exists accept"
before the 'flow offload' rule matches.

This test case will fail; support for such flows is added in the
next patch.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
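The workaround named in the commit message, written out as a ruleset; this is an added illustration, not part of the commit or the selftest, and the table name, flowtable name and interface names (veth0, veth1) are assumed for the example:

```nft
# Router that terminates an IPsec tunnel and also uses a flowtable.
table inet filter {
    flowtable ft {
        hook ingress priority 0
        # interface names are assumed for this example
        devices = { veth0, veth1 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Broken ordering (the behaviour the commit message describes):
        # once a flow is established it is offloaded, later packets skip
        # xfrm output, leave unencrypted and are discarded by the peer.
        #   ct state established ip protocol { tcp, udp } flow add @ft
        #   rt ipsec exists accept

        # Workaround: accept ipsec-bound packets before the flow offload
        # rule can see them, so they never enter the flowtable.
        rt ipsec exists accept
        ct state established ip protocol { tcp, udp } flow add @ft

        ct state established,related accept
        iifname "veth0" oifname "veth1" ct state new accept
    }
}
```

Older nft releases spell the offload statement `flow offload @ft`; the ordering requirement is the same. A quick check that the accept rule is doing its job is that `nft list flowtables` shows no entries for the tunnelled subnets while traffic through the tunnel keeps flowing.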

Authored by Florian Westphal and committed by Pablo Neira Ayuso (0ca1bbb7 5e5412c3)

tools/testing/selftests/netfilter/nft_flowtable.sh
··· 321 321 ip netns exec nsr1 nft list ruleset 322 322 fi 323 323 324 + KEY_SHA="0x"$(ps -xaf | sha1sum | cut -d " " -f 1) 325 + KEY_AES="0x"$(ps -xaf | md5sum | cut -d " " -f 1) 326 + SPI1=$RANDOM 327 + SPI2=$RANDOM 328 + 329 + if [ $SPI1 -eq $SPI2 ]; then 330 + SPI2=$((SPI2+1)) 331 + fi 332 + 333 + do_esp() { 334 + local ns=$1 335 + local me=$2 336 + local remote=$3 337 + local lnet=$4 338 + local rnet=$5 339 + local spi_out=$6 340 + local spi_in=$7 341 + 342 + ip -net $ns xfrm state add src $remote dst $me proto esp spi $spi_in enc aes $KEY_AES auth sha1 $KEY_SHA mode tunnel sel src $rnet dst $lnet 343 + ip -net $ns xfrm state add src $me dst $remote proto esp spi $spi_out enc aes $KEY_AES auth sha1 $KEY_SHA mode tunnel sel src $lnet dst $rnet 344 + 345 + # to encrypt packets as they go out (includes forwarded packets that need encapsulation) 346 + ip -net $ns xfrm policy add src $lnet dst $rnet dir out tmpl src $me dst $remote proto esp mode tunnel priority 1 action allow 347 + # to fwd decrypted packets after esp processing: 348 + ip -net $ns xfrm policy add src $rnet dst $lnet dir fwd tmpl src $remote dst $me proto esp mode tunnel priority 1 action allow 349 + 350 + } 351 + 352 + do_esp nsr1 192.168.10.1 192.168.10.2 10.0.1.0/24 10.0.2.0/24 $SPI1 $SPI2 353 + 354 + do_esp nsr2 192.168.10.2 192.168.10.1 10.0.2.0/24 10.0.1.0/24 $SPI2 $SPI1 355 + 356 + ip netns exec nsr1 nft delete table ip nat 357 + 358 + # restore default routes 359 + ip -net ns2 route del 192.168.10.1 via 10.0.2.1 360 + ip -net ns2 route add default via 10.0.2.1 361 + ip -net ns2 route add default via dead:2::1 362 + 363 + test_tcp_forwarding ns1 ns2 364 + if [ $? -eq 0 ] ;then 365 + echo "PASS: ipsec tunnel mode for ns1/ns2" 366 + else 367 + echo "FAIL: ipsec tunnel mode for ns1/ns2" 368 + ip netns exec nsr1 nft list ruleset 1>&2 369 + ip netns exec nsr1 cat /proc/net/xfrm_stat 1>&2 370 + fi 371 + 324 372 exit $ret
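Review bot: the FAIL branch of the new ipsec tunnel-mode check at the end of the hunk never sets `ret=1`, so the script's final `exit $ret` still reports success when `test_tcp_forwarding ns1 ns2` fails; add `ret=1` next to the `echo "FAIL: ipsec tunnel mode for ns1/ns2"` line, or, if leaving the exit status untouched is deliberate because the commit message says this case is expected to fail until the next patch, say so in a comment there. Minor: `if test_tcp_forwarding ns1 ns2; then` avoids the `if [ $? -eq 0 ]` indirection, and the `do_esp` helper would read better with a one-line comment stating the argument order (ns, local addr, remote addr, local net, remote net, spi out, spi in), since the two call sites swap every pair.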