* [LTP] [PATCH 2/4] network/ipsec: move parsing command-line options to ipsec_lib.sh
2016-10-06 13:54 [LTP] [PATCH 1/4] runtest/net_stress.ipsec_icmp: disable multinic tests Alexey Kodanev
@ 2016-10-06 13:54 ` Alexey Kodanev
2016-10-06 13:54 ` [LTP] [PATCH 3/4] network/ipsec: use the same mode parameter name as in iproute Alexey Kodanev
2016-10-06 13:54 ` [LTP] [PATCH 4/4] network/ipsec: add vti tunnel test & new options for enc algs Alexey Kodanev
2 siblings, 0 replies; 5+ messages in thread
From: Alexey Kodanev @ 2016-10-06 13:54 UTC (permalink / raw)
To: ltp
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
---
testcases/network/stress/icmp/icmp-uni-basic.sh | 29 +--------
testcases/network/stress/ipsec/ipsec_lib.sh | 76 ++++++++++++++--------
2 files changed, 50 insertions(+), 55 deletions(-)
diff --git a/testcases/network/stress/icmp/icmp-uni-basic.sh b/testcases/network/stress/icmp/icmp-uni-basic.sh
index 519d870..963f3bc 100755
--- a/testcases/network/stress/icmp/icmp-uni-basic.sh
+++ b/testcases/network/stress/icmp/icmp-uni-basic.sh
@@ -25,31 +25,6 @@ TST_CLEANUP="tst_ipsec_cleanup"
. ipsec_lib.sh
-while getopts "hl:m:p:s:S:6" opt; do
- case "$opt" in
- h)
- echo "Usage:"
- echo "h help"
- echo "l n n is the number of test link when tests run"
- echo "m x x is ipsec mode, could be transport / tunnel"
- echo "p x x is ipsec protocol, could be ah / esp / ipcomp"
- echo "s x x is icmp messge size array"
- echo "S n n is IPsec SPI value"
- echo "6 run over IPv6"
- exit 0
- ;;
- l) LINK_NUM=$OPTARG ;;
- m) IPSEC_MODE=$OPTARG ;;
- p) IPSEC_PROTO=$OPTARG ;;
- s) ICMP_SIZE_ARRAY=$OPTARG ;;
- S) SPI=$OPTARG ;;
- 6) # skip, test_net library already processed it
- ;;
- *) tst_brkm TBROK "unknown option: $opt" ;;
- esac
-done
-
-SPI=${SPI:-1000}
LINK_NUM=${LINK_NUM:-0}
DO_IPSEC=${DO_IPSEC:-false}
ICMP_SIZE_ARRAY=${ICMP_SIZE_ARRAY:-"10 100 1000 10000 65507"}
@@ -77,8 +52,8 @@ rhost_addr=$(tst_ipaddr rhost)
# Configure SAD/SPD
if $DO_IPSEC ; then
- tst_ipsec lhost $IPSEC_PROTO $IPSEC_MODE $SPI $lhost_addr $rhost_addr
- tst_ipsec rhost $IPSEC_PROTO $IPSEC_MODE $SPI $rhost_addr $lhost_addr
+ tst_ipsec lhost $lhost_addr $rhost_addr
+ tst_ipsec rhost $rhost_addr $lhost_addr
fi
tst_ping $lhost_ifname $rhost_addr $ICMP_SIZE_ARRAY
diff --git a/testcases/network/stress/ipsec/ipsec_lib.sh b/testcases/network/stress/ipsec/ipsec_lib.sh
index b222484..99d0229 100644
--- a/testcases/network/stress/ipsec/ipsec_lib.sh
+++ b/testcases/network/stress/ipsec/ipsec_lib.sh
@@ -1,5 +1,6 @@
#!/bin/sh
# Copyright (c) 2016 Red Hat Inc., All Rights Reserved.
+# Copyright (c) 2016 Oracle and/or its affiliates. All Rights Reserved.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
@@ -20,6 +21,32 @@
. test_net.sh
+while getopts "hl:m:p:s:S:6" opt; do
+ case "$opt" in
+ h)
+ echo "Usage:"
+ echo "h help"
+ echo "l n n is the number of test link when tests run"
+ echo "m x x is ipsec mode, could be transport / tunnel"
+ echo "p x x is ipsec protocol, could be ah / esp / ipcomp"
+ echo "s x x is icmp messge size array"
+ echo "S n n is IPsec SPI value"
+ echo "6 run over IPv6"
+ exit 0
+ ;;
+ l) LINK_NUM=$OPTARG ;;
+ m) IPSEC_MODE=$OPTARG ;;
+ p) IPSEC_PROTO=$OPTARG ;;
+ s) ICMP_SIZE_ARRAY=$OPTARG ;;
+ S) SPI=$OPTARG ;;
+ 6) # skip, test_net library already processed it
+ ;;
+ *) tst_brkm TBROK "unknown option: $opt" ;;
+ esac
+done
+
+SPI=${SPI:-1000}
+
# tst_ipsec_cleanup: flush ipsec state and policy rules
tst_ipsec_cleanup()
{
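Review bot: The values taken from `-m` and `-S` are stored in IPSEC_MODE and SPI without any check, and later in this patch tst_ipsec expands them unquoted into `ip xfrm` commands, including the strings handed to `tst_rhost_run -c`, so whitespace or shell metacharacters in an option value change the command that runs on the remote host. A whitelist after the loop would close that; the usage text lists transport and tunnel, so for example `case "$IPSEC_MODE" in transport|tunnel|"") ;; *) tst_brkm TBROK "unknown mode: $IPSEC_MODE" ;; esac`, plus a hex-digits-only check on SPI. Separately, because the optstring has no leading `:`, getopts sets `opt` to `?` for an unrecognised flag, so the `unknown option: $opt` message cannot name the offending option.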
@@ -28,45 +55,36 @@ tst_ipsec_cleanup()
tst_rhost_run -c "ip xfrm state flush && ip xfrm policy flush"
}
-# tst_ipsec target protocol mode spi src_addr dst_addr: config ipsec with
-# supplied protocol and mode.
+tst_check_cmds hexdump
+
+# Encryption algorithm
+EALGO="des3_ede"
+EALGO_KEY=0x$(printf _I_want_to_have_chicken_ | hexdump -ve '/1 "%x"')
+
+# Authentication algorithm
+AALGO="sha1"
+AALGO_KEY=0x$(printf beef_fish_pork_salad | hexdump -ve '/1 "%x"')
+
+# tst_ipsec target src_addr dst_addr: config ipsec
#
# target: target of the configuration host ( lhost / rhost )
-# protocol: ah / esp / ipcomp
-# mode: transport / tunnel
-# spi: the first spi value
# src_addr: source IP address
# dst_addr: destination IP address
tst_ipsec()
{
- if [ $# -ne 6 ]; then
+ if [ $# -ne 3 ]; then
tst_brkm TCONF "tst_ipsec parameter mismatch"
fi
- tst_check_cmds hexdump
local target=$1
- local protocol=$2
- local mode=$3
- local spi=$4
- local src=$5
- local dst=$6
-
- # Encryption algorithm
- local EALGO="des3_ede"
- local EALGO_KEY=0x$(printf _I_want_to_have_chicken_ | \
- hexdump -ve '/1 "%x"')
-
- # Authentication algorithm
- local AALGO="sha1"
- local AALGO_KEY=0x$(printf beef_fish_pork_salad | \
- hexdump -ve '/1 "%x"')
+ local src=$2
+ local dst=$3
# Compression algorithm
local CALGO="deflate"
# Algorithm options for each protocol
local algo_line=
- local proto=
- case $protocol in
+ case $IPSEC_PROTO in
ah)
algo_line="auth $AALGO $AALGO_KEY"
proto="ah"
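Review bot: Dropping `local proto=` while the case arms still assign `proto="ah"` (and presumably the other arms outside this hunk do the same) turns `proto` into a global that leaks into every script sourcing ipsec_lib.sh; keep the declaration `local proto=` ahead of `case $IPSEC_PROTO in`. The same hunk moves EALGO_KEY and AALGO_KEY to file scope, so `tst_check_cmds hexdump` and both pipelines now run at source time, presumably also for tests that never call tst_ipsec. A one-line comment above the two assignments stating that these are fixed, test-only keys would help readers. tst_ipsec's body continues outside the hunk.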
@@ -84,9 +102,11 @@ tst_ipsec()
;;
esac
+ local mode=$IPSEC_MODE
+
if [ $target = lhost ]; then
- local spi_1="0x$spi"
- local spi_2="0x$(( $spi + 1 ))"
+ local spi_1="0x$SPI"
+ local spi_2="0x$(( $SPI + 1 ))"
ROD ip xfrm state add src $src dst $dst spi $spi_1 \
proto $proto $algo_line mode $mode sel src $src dst $dst
ROD ip xfrm state add src $dst dst $src spi $spi_2 \
@@ -97,8 +117,8 @@ tst_ipsec()
ROD ip xfrm policy add src $dst dst $src dir in tmpl src $dst \
dst $src proto $proto mode $mode level use
elif [ $target = rhost ]; then
- local spi_1="0x$(( $spi + 1 ))"
- local spi_2="0x$spi"
+ local spi_1="0x$(( $SPI + 1 ))"
+ local spi_2="0x$SPI"
tst_rhost_run -s -c "ip xfrm state add src $src dst $dst \
spi $spi_1 proto $proto $algo_line mode $mode sel \
src $src dst $dst"
--
1.7.1
* [LTP] [PATCH 3/4] network/ipsec: use the same mode parameter name as in iproute
2016-10-06 13:54 [LTP] [PATCH 1/4] runtest/net_stress.ipsec_icmp: disable multinic tests Alexey Kodanev
2016-10-06 13:54 ` [LTP] [PATCH 2/4] network/ipsec: move parsing command-line options to ipsec_lib.sh Alexey Kodanev
@ 2016-10-06 13:54 ` Alexey Kodanev
2016-10-06 13:54 ` [LTP] [PATCH 4/4] network/ipsec: add vti tunnel test & new options for enc algs Alexey Kodanev
2 siblings, 0 replies; 5+ messages in thread
From: Alexey Kodanev @ 2016-10-06 13:54 UTC (permalink / raw)
To: ltp
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
---
runtest/net_stress.ipsec_icmp | 8 ++++----
testcases/network/stress/icmp/icmp-uni-basic.sh | 2 +-
testcases/network/stress/ipsec/ipsec_lib.sh | 2 +-
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/runtest/net_stress.ipsec_icmp b/runtest/net_stress.ipsec_icmp
index 071af7d..4a841e4 100644
--- a/runtest/net_stress.ipsec_icmp
+++ b/runtest/net_stress.ipsec_icmp
@@ -15,8 +15,8 @@ icmp4-uni-basic04 icmp-uni-basic.sh -p esp -m transport -s "10 100 1000 10000 65
icmp4-uni-basic05 icmp-uni-basic.sh -p esp -m tunnel -s "10 100 1000 10000 65450"
# Same message size but different content will result in different data size
# after compression. So we just use a large enough message size(65000) for testing
-icmp4-uni-basic06 icmp-uni-basic.sh -p ipcomp -m transport -s "10 100 1000 10000 65000"
-icmp4-uni-basic07 icmp-uni-basic.sh -p ipcomp -m tunnel -s "10 100 1000 10000 65000"
+icmp4-uni-basic06 icmp-uni-basic.sh -p comp -m transport -s "10 100 1000 10000 65000"
+icmp4-uni-basic07 icmp-uni-basic.sh -p comp -m tunnel -s "10 100 1000 10000 65000"
# MAX_LENGTH(65535) - ICMP(8) = MAX_SIZE(65527)
icmp6-uni-basic01 icmp-uni-basic.sh -6 -s "10 100 1000 10000 65527"
@@ -33,5 +33,5 @@ icmp6-uni-basic04 icmp-uni-basic.sh -6 -p esp -m transport -s "10 100 1000 10000
icmp6-uni-basic05 icmp-uni-basic.sh -6 -p esp -m tunnel -s "10 100 1000 10000 65527"
# Same message size but different content will result in different data size
# after compression. So we just use a large enough message size(65000) for testing
-icmp6-uni-basic06 icmp-uni-basic.sh -6 -p ipcomp -m transport -s "10 100 1000 10000 65000"
-icmp6-uni-basic07 icmp-uni-basic.sh -6 -p ipcomp -m tunnel -s "10 100 1000 10000 65000"
+icmp6-uni-basic06 icmp-uni-basic.sh -6 -p comp -m transport -s "10 100 1000 10000 65000"
+icmp6-uni-basic07 icmp-uni-basic.sh -6 -p comp -m tunnel -s "10 100 1000 10000 65000"
diff --git a/testcases/network/stress/icmp/icmp-uni-basic.sh b/testcases/network/stress/icmp/icmp-uni-basic.sh
index 963f3bc..04baa39 100755
--- a/testcases/network/stress/icmp/icmp-uni-basic.sh
+++ b/testcases/network/stress/icmp/icmp-uni-basic.sh
@@ -39,7 +39,7 @@ if $DO_IPSEC; then
case $IPSEC_PROTO in
ah) tst_resm TINFO "- IPsec [ AH / $IPSEC_MODE ]" ;;
esp) tst_resm TINFO "- IPsec [ ESP / $IPSEC_MODE ]" ;;
- ipcomp) tst_resm TINFO "- IPcomp [ $IPSEC_MODE ]" ;;
+ comp) tst_resm TINFO "- IPcomp [ $IPSEC_MODE ]" ;;
esac
fi
diff --git a/testcases/network/stress/ipsec/ipsec_lib.sh b/testcases/network/stress/ipsec/ipsec_lib.sh
index 99d0229..56422c3 100644
--- a/testcases/network/stress/ipsec/ipsec_lib.sh
+++ b/testcases/network/stress/ipsec/ipsec_lib.sh
@@ -93,7 +93,7 @@ tst_ipsec()
algo_line="enc $EALGO $EALGO_KEY auth $AALGO $AALGO_KEY"
proto="esp"
;;
- ipcomp)
+ comp)
algo_line="comp $CALGO"
proto="comp"
;;
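Review bot: The `-h` text in this file still reads `p x x is ipsec protocol, could be ah / esp / ipcomp` (it appears unchanged as context in the following patch), so after this rename the documented value `ipcomp` falls through to the `*)` arm and aborts with `tst_ipsec protocol mismatch`. Update the usage line to `echo "p x x is ipsec protocol, could be ah / esp / comp"`. In icmp-uni-basic.sh the `case $IPSEC_PROTO` touched by this patch has no default arm in the visible lines, so an old-style `-p ipcomp` prints no TINFO line there; a `*)` arm reporting the unknown protocol would make the failure obvious earlier.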
--
1.7.1
* [LTP] [PATCH 4/4] network/ipsec: add vti tunnel test & new options for enc algs
2016-10-06 13:54 [LTP] [PATCH 1/4] runtest/net_stress.ipsec_icmp: disable multinic tests Alexey Kodanev
2016-10-06 13:54 ` [LTP] [PATCH 2/4] network/ipsec: move parsing command-line options to ipsec_lib.sh Alexey Kodanev
2016-10-06 13:54 ` [LTP] [PATCH 3/4] network/ipsec: use the same mode parameter name as in iproute Alexey Kodanev
@ 2016-10-06 13:54 ` Alexey Kodanev
2016-11-24 13:41 ` Alexey Kodanev
2 siblings, 1 reply; 5+ messages in thread
From: Alexey Kodanev @ 2016-10-06 13:54 UTC (permalink / raw)
To: ltp
* Add vti with IPsec policies, send ICMP messages through the tunnel.
New test-cases include ah, esp protocols over vti and vti6 +
new authentication and encryption algorithms.
* New options in ipsec_lib.sh:
'e' - Encryption algorithm,
'a' - Authentication algorithm,
'c' - Compression algorithm.
* Dynamically generates random algorithm keys based on a predefined key
length for each algorithm type.
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
---
runtest/net_stress.ipsec_icmp | 18 +++-
testcases/network/stress/icmp/icmp-uni-vti.sh | 71 ++++++++++
testcases/network/stress/ipsec/ipsec_lib.sh | 174 +++++++++++++++++++-----
3 files changed, 225 insertions(+), 38 deletions(-)
create mode 100755 testcases/network/stress/icmp/icmp-uni-vti.sh
diff --git a/runtest/net_stress.ipsec_icmp b/runtest/net_stress.ipsec_icmp
index 4a841e4..6e5908f 100644
--- a/runtest/net_stress.ipsec_icmp
+++ b/runtest/net_stress.ipsec_icmp
@@ -1,5 +1,5 @@
#
-# Stress test for TCP/IP protocol stack (ICMP)
+# Stress test for IPsec with ICMP messages
#
# MAX_LENGTH(65535) - IP(20) - ICMP(8) = MAX_SIZE(65507)
@@ -35,3 +35,19 @@ icmp6-uni-basic05 icmp-uni-basic.sh -6 -p esp -m tunnel -s "10 100 1000 10000 65
# after compression. So we just use a large enough message size(65000) for testing
icmp6-uni-basic06 icmp-uni-basic.sh -6 -p comp -m transport -s "10 100 1000 10000 65000"
icmp6-uni-basic07 icmp-uni-basic.sh -6 -p comp -m tunnel -s "10 100 1000 10000 65000"
+
+icmp4-uni-vti01 icmp-uni-vti.sh -p ah -a sha256 -m tunnel -S fffffffe -k 1 -s "10 100 1000 10000 65463"
+icmp4-uni-vti02 icmp-uni-vti.sh -p esp -a sha512 -e des -m tunnel -S fffffffe -k 0xf0f0f0f0 -s "10 100 1000 10000 65450"
+icmp4-uni-vti03 icmp-uni-vti.sh -p esp -a rmd160 -e cast5 -m tunnel -S fffffffe -k 0xffffffff -s "10 100 1000 10000 65463"
+icmp4-uni-vti04 icmp-uni-vti.sh -p esp -e blowfish -m tunnel -S fffffffe -k 3 -s "10 100 1000 10000 65463"
+icmp4-uni-vti05 icmp-uni-vti.sh -p esp -a sha512 -e twofish -m tunnel -S fffffffe -k 0x7fffffff -s "10 100 1000 10000 65463"
+icmp4-uni-vti06 icmp-uni-vti.sh -p esp -a sha384 -e camellia -m tunnel -S fffffffe -k 0x80000000 -s "10 100 1000 10000 65463"
+icmp4-uni-vti07 icmp-uni-vti.sh -p esp -a sha512 -e serpent -m tunnel -S fffffffe -k 0xffff -s "10 100 1000 10000 65463"
+
+icmp6-uni-vti01 icmp-uni-vti.sh -6 -p ah -m tunnel -S f1f1f1f1 -k 0xffffffff -s "10 100 1000 10000 65527"
+icmp6-uni-vti02 icmp-uni-vti.sh -6 -p esp -a sha256 -e des3_ede -m tunnel -S ffafafaf -k 0xffffffff -s "10 100 1000 10000 65527"
+icmp6-uni-vti03 icmp-uni-vti.sh -6 -p esp -a sha512 -e cast5 -m tunnel -S fffffffe -k 1 -s "10 100 1000 10000 65527"
+icmp6-uni-vti04 icmp-uni-vti.sh -6 -p esp -a rmd160 -e blowfish -m tunnel -S fffffffe -k 0x80000000 -s "10 100 1000 10000 65527"
+icmp6-uni-vti05 icmp-uni-vti.sh -6 -p esp -e twofish -m tunnel -S fffffffe -k 0xffff -s "10 100 1000 10000 65527"
+icmp6-uni-vti06 icmp-uni-vti.sh -6 -p esp -a sha512 -e camellia -m tunnel -S fffffffe -k 0x7fffffff -s "10 100 1000 10000 65527"
+icmp6-uni-vti07 icmp-uni-vti.sh -6 -p esp -a sha384 -e serpent -m tunnel -S ffffffff -k 0x11111111 -s "10 100 1000 10000 65527"
diff --git a/testcases/network/stress/icmp/icmp-uni-vti.sh b/testcases/network/stress/icmp/icmp-uni-vti.sh
new file mode 100755
index 0000000..0f1b8df
--- /dev/null
+++ b/testcases/network/stress/icmp/icmp-uni-vti.sh
@@ -0,0 +1,71 @@
+#!/bin/sh
+# Copyright (c) 2016 Oracle and/or its affiliates. All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+# Author: Alexey Kodanev <alexey.kodanev@oracle.com>
+
+TCID=icmp-uni-vti
+TST_TOTAL=1
+TST_CLEANUP="tst_ipsec_cleanup"
+
+. ipsec_lib.sh
+
+do_setup()
+{
+ ICMP_SIZE_ARRAY=${ICMP_SIZE_ARRAY:-"10 100 1000 10000 65507"}
+
+ if_loc=$(tst_iface)
+ if_rmt=$(tst_iface rhost)
+
+ ip_loc=$(tst_ipaddr)
+ ip_rmt=$(tst_ipaddr rhost)
+
+ tst_vti="ltp_vti0"
+
+ tst_resm TINFO "Test vti$TST_IPV6 + IPsec[$IPSEC_PROTO/$IPSEC_MODE]"
+
+ tst_ipsec_vti lhost $ip_loc $ip_rmt $tst_vti
+ tst_ipsec_vti rhost $ip_rmt $ip_loc $tst_vti
+
+ local mask=
+ if [ "$TST_IPV6" ]; then
+ ip_loc_tun="${IPV6_NET32_UNUSED}::1";
+ ip_rmt_tun="${IPV6_NET32_UNUSED}::2";
+ mask=64
+ ROD ip -6 route add ${IPV6_NET32_UNUSED}::/$mask dev $tst_vti
+ else
+ ip_loc_tun="${IPV4_NET16_UNUSED}.1.1";
+ ip_rmt_tun="${IPV4_NET16_UNUSED}.1.2";
+ mask=30
+ ROD ip route add ${IPV4_NET16_UNUSED}.1.0/$mask dev $tst_vti
+ fi
+
+ tst_resm TINFO "Add IPs to vti tunnel, " \
+ "loc: $ip_loc_tun/$mask, rmt: $ip_rmt_tun/$mask"
+
+ ROD ip a add $ip_loc_tun/$mask dev $tst_vti
+ tst_rhost_run -s -c "ip a add $ip_rmt_tun/$mask dev $tst_vti"
+}
+
+do_test()
+{
+ tst_resm TINFO "Sending ICMP messages..."
+ EXPECT_PASS tst_ping $tst_vti $ip_rmt_tun $ICMP_SIZE_ARRAY
+}
+
+do_setup
+do_test
+
+tst_exit
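Review bot: `if_loc` and `if_rmt` are assigned in do_setup but never read in this file, and nothing in the visible parts of ipsec_lib.sh uses them either; drop them or use them. The other variables set in do_setup (`tst_vti`, `ip_loc_tun`, `ip_rmt_tun`) are global on purpose because do_test reads them, which deserves a short comment above do_setup such as `# sets globals tst_vti and ip_rmt_tun for do_test`. The expansions passed to `ROD ip ...` and `tst_rhost_run -c` are all unquoted; that is safe only while the addresses and interface name contain no whitespace, which is probably true here but worth quoting anyway.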
diff --git a/testcases/network/stress/ipsec/ipsec_lib.sh b/testcases/network/stress/ipsec/ipsec_lib.sh
index 56422c3..8f3d958 100644
--- a/testcases/network/stress/ipsec/ipsec_lib.sh
+++ b/testcases/network/stress/ipsec/ipsec_lib.sh
@@ -21,7 +21,14 @@
. test_net.sh
-while getopts "hl:m:p:s:S:6" opt; do
+# Encryption algorithm
+EALGO="des3_ede"
+# Authentication algorithm
+AALGO="sha1"
+# Compression algorithm
+CALGO="deflate"
+
+while getopts "hl:m:p:s:S:k:e:a:c:6" opt; do
case "$opt" in
h)
echo "Usage:"
@@ -31,6 +38,10 @@ while getopts "hl:m:p:s:S:6" opt; do
echo "p x x is ipsec protocol, could be ah / esp / ipcomp"
echo "s x x is icmp messge size array"
echo "S n n is IPsec SPI value"
+ echo "k x key for vti interface"
+ echo "e x Encryption algorithm"
+ echo "a x Authentication algorithm"
+ echo "c x Compression algorithm"
echo "6 run over IPv6"
exit 0
;;
@@ -39,13 +50,45 @@ while getopts "hl:m:p:s:S:6" opt; do
p) IPSEC_PROTO=$OPTARG ;;
s) ICMP_SIZE_ARRAY=$OPTARG ;;
S) SPI=$OPTARG ;;
+ k) VTI_KEY=$OPTARG ;;
+ e) EALGO=$OPTARG ;;
+ a) AALGO=$OPTARG ;;
+ c) CALGO=$OPTARG ;;
6) # skip, test_net library already processed it
;;
*) tst_brkm TBROK "unknown option: $opt" ;;
esac
done
+get_key()
+{
+ local bits=$1
+ local xdg_num=$(( $bits / 4 ))
+ echo "0x$(tr -dc "[:xdigit:]" < /dev/urandom | head -c$xdg_num)"
+}
+
+case $EALGO in
+des) EALGO_KEY=$(get_key 64) ;;
+des3_ede) EALGO_KEY=$(get_key 192) ;;
+cast5) EALGO_KEY=$(get_key 128) ;;
+blowfish) EALGO_KEY=$(get_key 448) ;;
+aes|twofish|camellia|serpent) EALGO_KEY=$(get_key 256) ;;
+*) tst_brkm TBROK "unknown enc alg: $EALGO" ;;
+esac
+
+case $AALGO in
+sha1|rmd160) AALGO_KEY=$(get_key 160) ;;
+sha256) AALGO_KEY=$(get_key 256) ;;
+sha384) AALGO_KEY=$(get_key 384) ;;
+sha512) AALGO_KEY=$(get_key 512) ;;
+*) tst_brkm TBROK "unknown auth alg: $AALGO" ;;
+esac
+
SPI=${SPI:-1000}
+VTI_KEY=${VTI_KEY:-10}
+cleanup_vti=
+ALG=
+ALGR=
# tst_ipsec_cleanup: flush ipsec state and policy rules
tst_ipsec_cleanup()
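Review bot: get_key does not produce uniformly random keys: `[:xdigit:]` matches both `a-f` and `A-F`, so after `tr -dc` each of the letters a–f is twice as likely as each digit, and filtering raw /dev/urandom bytes through `tr` can also depend on the locale in some implementations. Reading exactly the needed number of bytes and hex-encoding them avoids both, e.g. `echo "0x$(head -c $(( $bits / 8 )) /dev/urandom | od -An -v -tx1 | tr -d ' \n')"`. The bias does not matter for throwaway test keys, but the helper is easy to copy elsewhere, so a comment above get_key saying the keys are test-only would be useful.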
@@ -53,17 +96,33 @@ tst_ipsec_cleanup()
ip xfrm state flush
ip xfrm policy flush
tst_rhost_run -c "ip xfrm state flush && ip xfrm policy flush"
-}
-
-tst_check_cmds hexdump
-# Encryption algorithm
-EALGO="des3_ede"
-EALGO_KEY=0x$(printf _I_want_to_have_chicken_ | hexdump -ve '/1 "%x"')
+ if [ -n "$cleanup_vti" ]; then
+ ip li del $cleanup_vti 2>/dev/null
+ tst_rhost_run -c "ip li del $cleanup_vti 2>/dev/null"
+ fi
+}
-# Authentication algorithm
-AALGO="sha1"
-AALGO_KEY=0x$(printf beef_fish_pork_salad | hexdump -ve '/1 "%x"')
+ipsec_set_algoline()
+{
+ case $IPSEC_PROTO in
+ ah)
+ ALG='auth hmac('$AALGO') '$AALGO_KEY
+ ALGR='auth hmac\('$AALGO'\) '$AALGO_KEY
+ ;;
+ esp)
+ ALG="enc $EALGO $EALGO_KEY auth "'hmac('$AALGO') '$AALGO_KEY
+ ALGR="enc $EALGO $EALGO_KEY auth "'hmac\('$AALGO'\) '$AALGO_KEY
+ ;;
+ comp)
+ ALG="comp $CALGO"
+ ALGR=$ALG
+ ;;
+ *)
+ tst_brkm TCONF "tst_ipsec protocol mismatch"
+ ;;
+ esac
+}
# tst_ipsec target src_addr dst_addr: config ipsec
#
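Review bot: CALGO, set from `-c`, reaches `ALG="comp $CALGO"` and `ALGR=$ALG` with no whitelist, unlike EALGO and AALGO, which the `case` blocks added earlier in this patch reject when unknown; ALGR is then embedded in the command string given to `tst_rhost_run -c`. Add a matching check next to the other two, e.g. `case $CALGO in deflate) ;; *) tst_brkm TBROK "unknown comp alg: $CALGO" ;; esac`, extended with whatever compression names the kernel under test supports. VTI_KEY from `-k` is in the same position and could be checked to be a decimal or 0x-prefixed number before it is used in `key`/`mark`.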
@@ -79,38 +138,18 @@ tst_ipsec()
local target=$1
local src=$2
local dst=$3
-
- # Compression algorithm
- local CALGO="deflate"
- # Algorithm options for each protocol
- local algo_line=
- case $IPSEC_PROTO in
- ah)
- algo_line="auth $AALGO $AALGO_KEY"
- proto="ah"
- ;;
- esp)
- algo_line="enc $EALGO $EALGO_KEY auth $AALGO $AALGO_KEY"
- proto="esp"
- ;;
- comp)
- algo_line="comp $CALGO"
- proto="comp"
- ;;
- *)
- tst_brkm TCONF "tst_ipsec protocol mismatch"
- ;;
- esac
-
local mode=$IPSEC_MODE
+ local proto=$IPSEC_PROTO
+
+ ipsec_set_algoline
if [ $target = lhost ]; then
local spi_1="0x$SPI"
local spi_2="0x$(( $SPI + 1 ))"
ROD ip xfrm state add src $src dst $dst spi $spi_1 \
- proto $proto $algo_line mode $mode sel src $src dst $dst
+ proto $proto $ALG mode $mode sel src $src dst $dst
ROD ip xfrm state add src $dst dst $src spi $spi_2 \
- proto $proto $algo_line mode $mode sel src $dst dst $src
+ proto $proto $ALG mode $mode sel src $dst dst $src
ROD ip xfrm policy add src $src dst $dst dir out tmpl src $src \
dst $dst proto $proto mode $mode
@@ -120,10 +159,10 @@ tst_ipsec()
local spi_1="0x$(( $SPI + 1 ))"
local spi_2="0x$SPI"
tst_rhost_run -s -c "ip xfrm state add src $src dst $dst \
- spi $spi_1 proto $proto $algo_line mode $mode sel \
+ spi $spi_1 proto $proto $ALGR mode $mode sel \
src $src dst $dst"
tst_rhost_run -s -c "ip xfrm state add src $dst dst $src \
- spi $spi_2 proto $proto $algo_line mode $mode sel \
+ spi $spi_2 proto $proto $ALGR mode $mode sel \
src $dst dst $src"
tst_rhost_run -s -c "ip xfrm policy add src $src dst $dst \
@@ -133,3 +172,64 @@ tst_ipsec()
mode $mode level use"
fi
}
+
+# tst_ipsec_vti target src_addr dst_addr vti_name
+#
+# target: target of the configuration host ( lhost / rhost )
+# src_addr: source IP address
+# dst_addr: destination IP address
+# vti_name: name of vti interface
+tst_ipsec_vti()
+{
+ if [ $# -ne 4 ]; then
+ tst_brkm TCONF "tst_ipsec_vti parameter mismatch"
+ fi
+
+ local target=$1
+ local src=$2
+ local dst=$3
+ local vti=$4
+ local mode="mode $IPSEC_MODE"
+ local proto="proto $IPSEC_PROTO"
+ local key="key $VTI_KEY"
+ local mark="mark $VTI_KEY"
+ local type="type vti$TST_IPV6"
+
+ ipsec_set_algoline
+
+ ip li add type vti help 2>&1 | grep -q vti || \
+ tst_brkm TCONF "iproute doesn't support 'vti'"
+
+ local o_dir="src $src dst $dst"
+ local i_dir="src $dst dst $src"
+
+ local sel='src 0.0.0.0/0 dst 0.0.0.0/0'
+ if [ "$TST_IPV6" ]; then
+ sel='src ::/0 dst ::/0'
+ fi
+
+ cleanup_vti=$vti
+
+ if [ $target = lhost ]; then
+ ROD ip li add $vti $type local $src remote $dst $key
+ ROD ip li set $vti up
+
+ local spi_1="spi 0x$SPI"
+ local spi_2="spi 0x$(( $SPI + 1 ))"
+ ROD ip xf st add $o_dir $proto $spi_1 $ALG $mode
+ ROD ip xf st add $i_dir $proto $spi_2 $ALG $mode
+ ROD ip xf po add $sel dir out tmpl $o_dir $proto $mode $mark
+ ROD ip xf po add $sel dir in tmpl $i_dir $proto $mode $mark
+ elif [ $target = rhost ]; then
+ tst_rhost_run -s -c \
+ "ip li add $vti $type local $src remote $dst $key"
+ tst_rhost_run -s -c "ip li set $vti up"
+
+ local spi_1="spi 0x$(( $SPI + 1 ))"
+ local spi_2="spi 0x$SPI"
+ tst_rhost_run -s -c "ip xf st add $o_dir $proto $spi_1 $ALGR $mode"
+ tst_rhost_run -s -c "ip xf st add $i_dir $proto $spi_2 $ALGR $mode"
+ tst_rhost_run -s -c "ip xf po add $sel dir out tmpl $o_dir $proto $mode $mark"
+ tst_rhost_run -s -c "ip xf po add $sel dir in tmpl $i_dir $proto $mode $mark"
+ fi
+}
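Review bot: `spi_2` is computed with `$(( $SPI + 1 ))` while `spi_1` uses `0x$SPI`, so SPI is read as a decimal operand in one place and as hex digits in the other; with the `-S fffffffe` values this patch adds to runtest, the arithmetic expansion sees `fffffffe` as a variable name, which evaluates to 0 when unset, and the second SPI becomes `0x1` rather than `0xffffffff`. Do the increment in hex and print it back as hex, e.g. `local spi_2="spi 0x$(printf %x $(( 0x$SPI + 1 )))"`, in both branches here and in the equivalent lines of tst_ipsec. The runtest entry that passes `-S ffffffff` would then need a different value or an explicit wrap, since SPI + 1 no longer fits in 32 bits. Both hosts derive the pair the same way, so the tests can still pass today, which is probably why this has gone unnoticed.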
--
1.7.1
* [LTP] [PATCH 4/4] network/ipsec: add vti tunnel test & new options for enc algs
2016-10-06 13:54 ` [LTP] [PATCH 4/4] network/ipsec: add vti tunnel test & new options for enc algs Alexey Kodanev
@ 2016-11-24 13:41 ` Alexey Kodanev
0 siblings, 0 replies; 5+ messages in thread
From: Alexey Kodanev @ 2016-11-24 13:41 UTC (permalink / raw)
To: ltp
Hi,
On 10/06/2016 04:54 PM, Alexey Kodanev wrote:
> * Add vti with IPsec policies, send ICMP messages through the tunnel.
> New test-cases include ah, esp protocols over vti and vti6 +
> new authentication and encryption algorithms.
>
> * New options in ipsec_lib.sh:
> 'e' - Encryption algorithm,
> 'a' - Authentication algorithm,
> 'c' - Compression algorithm.
>
> * Dynamically generates algorithms random keys based on predefined key
> length for each algorithm type.
> ...
> + local sel='src 0.0.0.0/0 dst 0.0.0.0/0'
> + if [ "$TST_IPV6" ]; then
> + sel='src ::/0 dst ::/0'
> + fi
> +
I've removed setting selected traffic explicitly here as it should be
correctly set by default for IPv6
if we add '-6' option to ip command. Also corrected lines over 80
characters and applied the patch-set.
Best regards,
Alexey