From 85a692d923f9f15fbabc3025fb70a2c8e5b64bd4 Mon Sep 17 00:00:00 2001
From: Christian Hopps
Date: Wed, 4 Sep 2024 12:09:54 -0400
Subject: [PATCH] tests: add ipv6 tunnel with ipv4/ipv6 traffic tests to simplenet
Signed-off-by: Christian Hopps
---
tests/simplenet/test_simplenet.py | 130 ++++++++++++------------------
1 file changed, 51 insertions(+), 79 deletions(-)
diff --git a/tests/simplenet/test_simplenet.py b/tests/simplenet/test_simplenet.py
index 5c36213..230cbcf 100644
--- a/tests/simplenet/test_simplenet.py
+++ b/tests/simplenet/test_simplenet.py
@@ -59,98 +59,67 @@ async def test_net_up(unet, astepf, pytestconfig): await _test_net_up(unet, ipv6=ipv6) -async def no_test_user_step(unet, astepf): - r1 = unet.hosts["r1"] - r2 = unet.hosts["r2"] - - MODE = "mode iptfs" - - spi_1to2 = 0xAAAAAA - spi_2to1 = 0xBBBBBB - - ipsec_intf = ("eth2",) - tun_ipv6 = False - spi_1to2, spi_2to1, sa_auth, sa_enc = get_sa_values( - use_gcm=True, use_nullnull=False, enc_null=False, tun_ipv6=tun_ipv6 - ) +async def test_policy_tun4_up(unet, astepf, pytestconfig): + h1 = unet.hosts["h1"] - r1ipp = r1.get_intf_addr(ipsec_intf, ipv6=tun_ipv6) - if r2 is not None: - r1ipp = r2.get_intf_addr(ipsec_intf, ipv6=tun_ipv6) - else: - # The other side is the switch interface - net = None - for net in r1.net_intfs: - if r1.net_intfs[net] == ipsec_intf: - break - assert net is not None, f"can't find network for {ipsec_intf}" - if tun_ipv6: - r2ipp = unet.switches[net].ip6_interface - else: - r2ipp = unet.switches[net].ip_interface - - r1ip = r1ipp.ip - r1ipp = r1ipp.network - r2ip = r2ipp.ip - r2ipp = r2ipp.network - - # - # SAs - # - - await astepf("configuring SA outbound") - - repl = r1.conrepl - repl.cmd_raises( - f"ip xfrm state add src {r1ip} dst {r2ip} proto esp " - f"spi {spi_1to2} {MODE} {sa_auth} {sa_enc} " - f"reqid 0x200" + ipv6 = pytestconfig.getoption("--enable-ipv6", False) + opts = pytestconfig.getoption("--iptfs-opts", "") + await setup_policy_tun( + unet, mode="iptfs", iptfs_opts=opts, tun_ipv6=False, ipv6=ipv6 ) - await astepf("configuring SA inbound") - - repl.cmd_raises( - f"ip xfrm state add src {r2ip} dst {r1ip} proto esp " - f"spi {spi_2to1} {MODE} {sa_auth} {sa_enc} " - f"reqid 0x300" - ) + if ipv6: + await astepf("first IPv6 ping") + logging.debug(h1.cmd_raises("ping -c1 fc00:0:0:2::4")) + await astepf("second IPv6 ping") + logging.debug(h1.cmd_raises("ping -c1 fc00:0:0:2::4")) + await astepf("third IPv6 ping") + logging.debug(h1.cmd_raises("ping -c1 fc00:0:0:2::4")) - await astepf("configuring outbound policy") + # 
Need to count ESP packets somehow to verify these were encrypted + await astepf("first ping") + logging.debug(h1.cmd_raises("ping -c1 10.0.2.4")) + await astepf("second ping") + logging.debug(h1.cmd_raises("ping -c1 10.0.2.4")) + await astepf("third ping") + logging.debug(h1.cmd_raises("ping -c1 10.0.2.4")) - x1ipp, x2ipp = ("10.0.0.0/24", "10.0.2.0/24") - direction = "dir out" - repl.cmd_raises( - f"ip xfrm policy add src {x1ipp} dst {x2ipp} {direction} " - f"tmpl src {r1ip} dst {r2ip} proto esp {MODE} " - f"reqid 0x200", - # " spi {spi_1to2} " - ) - await astepf("configuring forwarding policy") +async def test_routed_tun4_up(unet, astepf, pytestconfig): + h1 = unet.hosts["h1"] - direction = "dir fwd" - repl.cmd_raises( - f"ip xfrm policy add src {x2ipp} dst {x1ipp} {direction} " - f"tmpl src {r2ip} dst {r1ip} proto esp {MODE} " - f"reqid 0x300", - ) + ipv6 = pytestconfig.getoption("--enable-ipv6", False) + opts = pytestconfig.getoption("--iptfs-opts", "") + await setup_routed_tun(unet, iptfs_opts=opts, tun_ipv6=False, ipv6=ipv6) - await astepf("configuring inbound policy") + if ipv6: + await astepf("first IPv6 ping") + logging.debug(h1.cmd_raises("ping -c1 fc00:0:0:2::4")) + await astepf("second IPv6 ping") + logging.debug(h1.cmd_raises("ping -c1 fc00:0:0:2::4")) + await astepf("third IPv6 ping") + logging.debug(h1.cmd_raises("ping -c1 fc00:0:0:2::4")) - direction = "dir in" - repl.cmd_raises( - f"ip xfrm policy add src {x2ipp} dst {x1ipp} {direction} " - f"tmpl src {r2ip} dst {r1ip} proto esp {MODE} " - f"reqid 0x300", - ) + # Need to count ESP packets somehow to verify these were encrypted + await astepf("first ping") + logging.debug(h1.cmd_raises("ping -c1 10.0.2.4")) + await astepf("second ping") + logging.debug(h1.cmd_raises("ping -c1 10.0.2.4")) + await astepf("third ping") + logging.debug(h1.cmd_raises("ping -c3 10.0.2.4")) -async def test_policy_tun_up(unet, astepf, pytestconfig): +async def test_policy_tun6_up(unet, astepf, pytestconfig): h1 = 
unet.hosts["h1"] ipv6 = pytestconfig.getoption("--enable-ipv6", False) + if not ipv6: + pytest.skip("IPv6 not enabled (--enable-ipv6 to enalbe)") + opts = pytestconfig.getoption("--iptfs-opts", "") - await setup_policy_tun(unet, mode="iptfs", iptfs_opts=opts, ipv6=ipv6) + await setup_policy_tun( + unet, mode="iptfs", iptfs_opts=opts, tun_ipv6=True, ipv6=ipv6 + ) if ipv6: await astepf("first IPv6 ping") @@ -169,12 +138,15 @@ async def test_policy_tun_up(unet, astepf, pytestconfig): logging.debug(h1.cmd_raises("ping -c1 10.0.2.4")) -async def test_routed_tun_up(unet, astepf, pytestconfig): +async def test_routed_tun6_up(unet, astepf, pytestconfig): h1 = unet.hosts["h1"] ipv6 = pytestconfig.getoption("--enable-ipv6", False) + if not ipv6: + pytest.skip("IPv6 not enabled (--enable-ipv6 to enalbe)") + opts = pytestconfig.getoption("--iptfs-opts", "") - await setup_routed_tun(unet, iptfs_opts=opts, ipv6=ipv6) + await setup_routed_tun(unet, iptfs_opts=opts, tun_ipv6=True, ipv6=ipv6) if ipv6: await astepf("first IPv6 ping")
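Review bot: The new `test_policy_tun4_up` and `test_routed_tun4_up` assert only that the pings succeed, so they would still pass if the xfrm policy did not match and the traffic crossed in cleartext; the in-code comment `# Need to count ESP packets somehow to verify these were encrypted` acknowledges the gap. One way to close it is to read the SA packet counters on `r1` (for example from `ip -s xfrm state`) before and after the pings and assert that they grew, or to capture on the link between the routers and assert that only ESP is seen there. Separately, the last ping in `test_routed_tun4_up` uses `ping -c3 10.0.2.4` where every other call uses `-c1`; if that is not intentional it should read `ping -c1 10.0.2.4`.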
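Review bot: The skip message added in `test_routed_tun6_up` misspells "enable": `pytest.skip("IPv6 not enabled (--enable-ipv6 to enalbe)")` should read `pytest.skip("IPv6 not enabled (--enable-ipv6 to enable)")`, and the same string appears in `test_policy_tun6_up` in the previous hunk. Because the test now skips whenever `ipv6` is false, the `if ipv6:` guard that follows is always true and `ipv6=ipv6` always passes True, so the guard can be dropped or the argument written as `ipv6=True`. The import block is not visible in this patch, so confirm that `pytest` is imported at module level. The body of `test_routed_tun6_up` continues past the end of the hunk.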