Add SPI and by-address wildcard-mark shadowing tests.
Signed-off-by: Antony Antony <[email protected]>
---
tools/testing/selftests/net/xfrm_state.sh | 130 +++++++++++++++++++++++++++++-
1 file changed, 129 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/net/xfrm_state.sh
b/tools/testing/selftests/net/xfrm_state.sh
index f6c54a6496d7..f202073726a9 100755
--- a/tools/testing/selftests/net/xfrm_state.sh
+++ b/tools/testing/selftests/net/xfrm_state.sh
@@ -42,7 +42,11 @@ tests="
mtu_ipv4_r2 IPv4 MTU exceeded from ESP router r2
mtu_ipv6_r2 IPv6 MTU exceeded from ESP router r2
mtu_ipv4_r3 IPv4 MTU exceeded from router r3
- mtu_ipv6_r3 IPv6 MTU exceeded from router r3"
+ mtu_ipv6_r3 IPv6 MTU exceeded from router r3
+ mark_wildcard_shadow mark: wildcard SA in by-spi state get
lookup
+ mark_wildcard_delete mark: wildcard SA in by-spi state delete
+ mark_wildcard_get_addr mark: wildcard SA in by-address get
lookup
+ mark_wildcard_delete_addr mark: wildcard SA in by-address delete"
prefix4="10.1"
prefix6="fc00"
@@ -101,6 +105,10 @@ run_test() {
mtu_ipv6_r2) test_mtu_ipv6_r2 ;;
mtu_ipv4_r3) test_mtu_ipv4_r3 ;;
mtu_ipv6_r3) test_mtu_ipv6_r3 ;;
+ mark_wildcard_shadow) test_mark_wildcard_shadow ;;
+ mark_wildcard_delete) test_mark_wildcard_delete ;;
+ mark_wildcard_get_addr) test_mark_wildcard_get_addr ;;
+ mark_wildcard_delete_addr) test_mark_wildcard_delete_addr ;;
esac
ret=$?
@@ -167,6 +175,8 @@ setup_namespaces() {
[ -n "${NS_S2}" ] && ns_s2=(ip netns exec "${NS_S2}") &&
ns_active="${ns_active} $NS_S2"
[ -n "${NS_R3}" ] && ns_r3=(ip netns exec "${NS_R3}") &&
ns_active="${ns_active} $NS_R3"
[ -n "${NS_B}" ] && ns_active="${ns_active} $NS_B"
+
+ return 0
}
addr_add() {
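Review bot: The unconditional `return 0` added at the end of setup_namespaces has no comment saying why it is needed. Presumably the trailing `[ -n "${NS_B}" ] && …` line leaves a non-zero status when NS_B is unset, which the new `setup ns_set_simple namespaces || return "$ksft_skip"` callers would read as a setup failure. I would put `# the [ -n … ] && … lines above return 1 when a namespace is unset; that is not an error` directly above it. The start of the function is outside the hunk, so whether this return now also hides a genuine failure in an earlier step cannot be checked from here.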
@@ -295,6 +305,18 @@ setup_ns_set_v6x() {
set_xfrm_params
}
+setup_ns_set_simple() {
+ # Single namespace, no veths/routes.
+ ns_set="a"
+ imax=1
+ src="10.1.1.1"
+ dst="10.1.1.2"
+ src_net="10.1.0.0/24"
+ dst_net="10.2.0.0/24"
+
+ set_xfrm_params
+}
+
setup_network() {
# Create veths and add addresses
local -a ns_cmd
@@ -403,6 +425,7 @@ setup() {
ns_set_v4x) setup_ns_set_v4x ;;
ns_set_v6) setup_ns_set_v6 ;;
ns_set_v6x) setup_ns_set_v6x ;;
+ ns_set_simple) setup_ns_set_simple ;;
namespaces) setup_namespaces ;;
network) setup_network ;;
xfrm) setup_xfrm ;;
@@ -548,6 +571,111 @@ test_mtu_ipv6_r3() {
return "${rc}"
}
+# SA_decoy (mark 0/0, added second) shadows SA_target (mark 1/1) on a
+# wildcard mark lookup. No traffic sent; these only exercise the SAD.
+
+test_mark_wildcard_shadow() {
+ setup ns_set_simple namespaces || return "$ksft_skip"
+ local result=0
+
+ run_cmd "${ns_a[@]}" ip xfrm state add \
+ src "${src}" dst "${dst}" proto esp spi 0x1000 \
+ reqid 100 mode tunnel \
+ aead 'rfc4106(gcm(aes))'
0x1111111111111111111111111111111111111111 96 \
+ mark 1 mask 1
+
+ run_cmd "${ns_a[@]}" ip xfrm state add \
+ src "${src}" dst "${dst}" proto esp spi 0x1000 \
+ reqid 100 mode tunnel \
+ aead 'rfc4106(gcm(aes))'
0x2222222222222222222222222222222222222222 96 \
+ mark 0 mask 0
+
+ run_cmd_err "${ns_a[@]}" ip xfrm state get \
+ dst "${dst}" proto esp spi 0x1000 \
+ mark 1 mask 1
+
+ # Expected: SA_target (mark 0x1/0x1). Actual (bug): SA_decoy (mark 0/0).
+ echo "$out" | grep -q "mark 0x1/0x1" || result=1
+
+ return "${result}"
+}
+
+test_mark_wildcard_delete() {
+ setup ns_set_simple namespaces || return "$ksft_skip"
+ local result=0
+
+ run_cmd "${ns_a[@]}" ip xfrm state add \
+ src "${src}" dst "${dst}" proto esp spi 0x1000 \
+ reqid 100 mode tunnel \
+ aead 'rfc4106(gcm(aes))'
0x1111111111111111111111111111111111111111 96 \
+ mark 1 mask 1
+
+ run_cmd "${ns_a[@]}" ip xfrm state add \
+ src "${src}" dst "${dst}" proto esp spi 0x1000 \
+ reqid 100 mode tunnel \
+ aead 'rfc4106(gcm(aes))'
0x2222222222222222222222222222222222222222 96 \
+ mark 0 mask 0
+
+ run_cmd "${ns_a[@]}" ip xfrm state delete \
+ dst "${dst}" proto esp spi 0x1000 \
+ mark 1 mask 1
+
+ run_cmd_err "${ns_a[@]}" ip xfrm state show
+ echo "$out" | grep -q "mark 0x1/0x1" && result=1
+
+ return "${result}"
+}
+
+# by-address counterpart: proto route2/hao (IPv6 mobility) have no SPI,
+# so xfrm_user_state_lookup() resolves them by address instead.
+
+test_mark_wildcard_get_addr() {
+ setup ns_set_simple namespaces || return "$ksft_skip"
+ local result=0
+ local src6="fc00:9::1"
+ local dst6="fc00:9::2"
+
+ run_cmd "${ns_a[@]}" ip xfrm state add \
+ src "${src6}" dst "${dst6}" proto route2 mode ro coa fc00:9::3 \
+ mark 1 mask 1
+
+ run_cmd "${ns_a[@]}" ip xfrm state add \
+ src "${src6}" dst "${dst6}" proto route2 mode ro coa fc00:9::4 \
+ mark 0 mask 0
+
+ run_cmd_err "${ns_a[@]}" ip xfrm state get \
+ src "${src6}" dst "${dst6}" proto route2 \
+ mark 1 mask 1
+
+ echo "$out" | grep -q "mark 0x1/0x1" || result=1
+
+ return "${result}"
+}
+
+test_mark_wildcard_delete_addr() {
+ setup ns_set_simple namespaces || return "$ksft_skip"
+ local result=0
+ local src6="fc00:9::1"
+ local dst6="fc00:9::2"
+
+ run_cmd "${ns_a[@]}" ip xfrm state add \
+ src "${src6}" dst "${dst6}" proto route2 mode ro coa fc00:9::3 \
+ mark 1 mask 1
+
+ run_cmd "${ns_a[@]}" ip xfrm state add \
+ src "${src6}" dst "${dst6}" proto route2 mode ro coa fc00:9::4 \
+ mark 0 mask 0
+
+ run_cmd "${ns_a[@]}" ip xfrm state delete \
+ src "${src6}" dst "${dst6}" proto route2 \
+ mark 1 mask 1
+
+ run_cmd_err "${ns_a[@]}" ip xfrm state show
+ echo "$out" | grep -q "mark 0x1/0x1" && result=1
+
+ return "${result}"
+}
+
################################################################################
#
usage() {
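Review bot: test_mark_wildcard_delete and test_mark_wildcard_delete_addr can pass without exercising the lookup, because the status of the two `ip xfrm state add` calls is never checked; if either add fails, the final `grep -q "mark 0x1/0x1" && result=1` finds nothing and the test reports success. Assuming run_cmd returns the command's status, I would end each esp add with `|| return 1` and each route2 add with `|| return "$ksft_skip"`, since a kernel without IPv6 mobility support would presumably fail the get test and silently pass the delete test. The delete tests should also assert that the wildcard SA is still listed after the delete, for example by matching its distinct key or care-of address in `$out`, because only then do they show that the mark 1/1 entry rather than the decoy was removed. The same unchecked adds in test_mark_wildcard_shadow and test_mark_wildcard_get_addr let those tests pass when the decoy was never installed.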
--
2.47.3