diff options
author | Jason A. Donenfeld <Jason@zx2c4.com> | 2016-08-12 13:47:20 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2016-08-12 16:17:24 +0200 |
commit | 61b57c7c8c3f8f10b7e4ab313f31d345931863cc (patch) | |
tree | 6e13814142612c656c92ace0dc0ab269aecaa84d | |
parent | bc7adc9e1729b464b1890cce283efb58134cb902 (diff) |
tests: add crypto-RP filter test
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
-rw-r--r-- | src/tests/debug.mk | 2 | ||||
-rwxr-xr-x | src/tests/netns.sh | 18 | ||||
-rw-r--r-- | src/tests/qemu/Makefile | 15 |
3 files changed, 34 insertions, 1 deletions
diff --git a/src/tests/debug.mk b/src/tests/debug.mk index 1b298a7..cac4107 100644 --- a/src/tests/debug.mk +++ b/src/tests/debug.mk @@ -21,6 +21,8 @@ test: debug -sudo modprobe x_tables -sudo modprobe ipv6 -sudo modprobe xt_hashlimit + -sudo modprobe nf_conntrack_ipv4 + -sudo modprobe nf_conntrack_ipv6 -sudo rmmod wireguard -sudo insmod wireguard.ko sudo PATH="$(shell pwd)/tools:$$PATH:/usr/sbin:/sbin:/usr/bin:/bin:/usr/local/sbin:/usr/local/bin" ./tests/netns.sh diff --git a/src/tests/netns.sh b/src/tests/netns.sh index eb5ed43..5424d81 100755 --- a/src/tests/netns.sh +++ b/src/tests/netns.sh @@ -35,6 +35,7 @@ ip1() { pretty 1 "ip $*"; ip -n $netns1 "$@"; } ip2() { pretty 2 "ip $*"; ip -n $netns2 "$@"; } sleep() { read -t "$1" -N 0 || true; } waitiperf() { pretty "${1//*-}" "wait for iperf:5201"; while [[ $(ss -N "$1" -tlp 'sport = 5201') != *iperf3* ]]; do sleep 0.1; done; } +waitncatudp() { pretty "${1//*-}" "wait for udp:1111"; while [[ $(ss -N "$1" -ulp 'sport = 1111') != *ncat* ]]; do sleep 0.1; done; } cleanup() { set +e @@ -161,6 +162,23 @@ n1 ping -W 1 -c 1 192.168.241.2 n1 wg n2 wg +# Test that crypto-RP filter works +n1 wg set wg0 peer "$pub2" allowed-ips 192.168.241.0/24 +read -r -N 1 -t 1 out < <(n1 ncat -l -u -p 1111) && [[ $out == "X" ]] & listener_pid=$! +waitncatudp $netns1 +n2 ncat -u 192.168.241.1 1111 <<<"X" +wait $listener_pid +more_specific_key="$(pp wg genkey | pp wg pubkey)" +n1 wg set wg0 peer "$more_specific_key" allowed-ips 192.168.241.2/32 +n2 wg set wg0 listen-port 9997 +read -r -N 1 -t 1 out < <(n1 ncat -l -u -p 1111) && [[ $out == "X" ]] & listener_pid=$! +waitncatudp $netns1 +n2 ncat -u 192.168.241.1 1111 <<<"X" +! wait $listener_pid || false +n1 wg set wg0 peer "$more_specific_key" remove +[[ $(n1 wg show wg0 endpoints) == "$pub2 [::1]:9997" ]] + + # Test using NAT. We now change the topology to this: # ┌────────────────────────────────────────┐ ┌────────────────────────────────────────────────┐ ┌────────────────────────────────────────┐ # │ $ns1 namespace │ │ $ns0 namespace │ │ $ns2 namespace │ diff --git a/src/tests/qemu/Makefile b/src/tests/qemu/Makefile index 781fcca..0e5ab0d 100644 --- a/src/tests/qemu/Makefile +++ b/src/tests/qemu/Makefile @@ -48,6 +48,7 @@ $(eval $(call tar_download,IPERF,iperf,3.1.3,.tar.gz,http://downloads.es.net/pub $(eval $(call tar_download,BASH,bash,30a978b7d808c067219c95be88c4979b6a7aa251,.tar.gz,http://git.savannah.gnu.org/cgit/bash.git/snapshot/)) $(eval $(call tar_download,IPROUTE2,iproute2,4.3.0,.tar.gz,http://www.kernel.org/pub/linux/utils/net/iproute2/)) $(eval $(call tar_download,IPTABLES,iptables,1.6.0,.tar.bz2,http://ftp.netfilter.org/pub/iptables/)) +$(eval $(call tar_download,NMAP,nmap,7.25BETA1,.tar.bz2,http://nmap.org/dist/)) IPUTILS_VERSION := s20160308 IPUTILS_TAR := $(DISTFILES_PATH)/$(IPUTILS_VERSION).tar.gz @@ -93,6 +94,7 @@ $(BUILD_PATH)/init-cpio-spec.txt: echo "file /bin/ip $(IPROUTE2_PATH)/ip/ip 755 0 0" >> $@ echo "file /bin/ss $(IPROUTE2_PATH)/misc/ss 755 0 0" >> $@ echo "file /bin/ping $(IPUTILS_PATH)/ping 755 0 0" >> $@ + echo "file /bin/ncat $(NMAP_PATH)/ncat/ncat 755 0 0" >> $@ echo "file /bin/xtables-multi $(IPTABLES_PATH)/iptables/xtables-multi 755 0 0" >> $@ echo "slink /bin/iptables xtables-multi 777 0 0" >> $@ echo "slink /bin/ping6 ping 777 0 0" >> $@ @@ -115,7 +117,7 @@ $(KERNEL_PATH)/.config: kernel.config | $(KERNEL_PATH)/.installed cd $(KERNEL_PATH) && scripts/kconfig/merge_config.sh -n .config minimal.config -[ "$(DEBUG_KERNEL)" = "yes" ] && ( cd $(KERNEL_PATH) && scripts/kconfig/merge_config.sh -n .config $(PWD)/debug.config ) -$(KERNEL_BZIMAGE): $(KERNEL_PATH)/.installed $(KERNEL_PATH)/.config $(BUILD_PATH)/init-cpio-spec.txt $(MUSL_PATH)/lib/libc.so $(IPERF_PATH)/src/iperf3 $(BUILD_PATH)/tools/wg $(IPUTILS_PATH)/ping $(BASH_PATH)/bash $(IPROUTE2_PATH)/ip/ip $(IPTABLES_PATH)/iptables/xtables-multi $(BUILD_PATH)/init ../netns.sh $(WIREGUARD_SOURCES) $(TOOLS_SOURCES) +$(KERNEL_BZIMAGE): $(KERNEL_PATH)/.installed $(KERNEL_PATH)/.config $(BUILD_PATH)/init-cpio-spec.txt $(MUSL_PATH)/lib/libc.so $(IPERF_PATH)/src/iperf3 $(BUILD_PATH)/tools/wg $(IPUTILS_PATH)/ping $(BASH_PATH)/bash $(IPROUTE2_PATH)/ip/ip $(IPTABLES_PATH)/iptables/xtables-multi $(NMAP_PATH)/ncat/ncat $(BUILD_PATH)/init ../netns.sh $(WIREGUARD_SOURCES) $(TOOLS_SOURCES) $(MAKE) -C $(KERNEL_PATH) $(BUILD_PATH)/include/linux/.installed: | $(KERNEL_PATH)/.installed @@ -209,6 +211,17 @@ $(IPTABLES_PATH)/.installed: $(IPTABLES_TAR) $(IPTABLES_PATH)/iptables/xtables-multi: $(IPTABLES_PATH)/.installed $(MUSL_CC) $(LIBMNL_PATH)/src/.libs/libmnl.a | $(KERNEL_PATH)/.installed cd $(IPTABLES_PATH) && PKG_CONFIG_LIBDIR="$(LIBMNL_PATH)" CC="$(MUSL_CC)" CFLAGS="$(CFLAGS)" ./configure --prefix=/ --host=$(CHOST) --enable-static --disable-shared --disable-nftables --disable-bpf-compiler --disable-nfsynproxy --disable-libipq --with-kernel=$(KERNEL_PATH) $(MAKE) -C $(IPTABLES_PATH) + strip -s $@ + +$(NMAP_PATH)/.installed: $(NMAP_TAR) + flock -x $<.lock true + tar -C $(BUILD_PATH) -xf $< + touch $@ + +$(NMAP_PATH)/ncat/ncat: $(NMAP_PATH)/.installed $(MUSL_CC) | $(KERNEL_PATH)/.installed + cd $(NMAP_PATH) && CC="$(MUSL_CC)" CFLAGS="$(CFLAGS)" ./configure --prefix=/ --host=$(CHOST) --enable-static --disable-shared --without-ndiff --without-zenmap --without-nping --with-libpcap=included --with-libpcre=included --with-libdnet=included --without-liblua --with-liblinear=included --without-nmap-update --without-openssl --with-pcap=linux + $(MAKE) -C $(NMAP_PATH) build-ncat + strip -s $@ clean: rm -rf $(BUILD_PATH) |