From 93d3e9c17c4fb5eca0ecf56093bd37328c6d61fc Mon Sep 17 00:00:00 2001
From: bluhm
Date: Wed, 20 Jan 2021 17:38:18 +0000
Subject: [PATCH] Test path MTU discovery with IPv6 TCP packets tunneled in IPv4 ESP.
---
regress/sys/netinet/ipsec/LICENSE | 26 +++++++-------
regress/sys/netinet/ipsec/Makefile | 54 ++++++++++++++++++++++++++--
regress/sys/netinet/ipsec/ipsec.conf | 12 ++++++-
3 files changed, 75 insertions(+), 17 deletions(-)
diff --git a/regress/sys/netinet/ipsec/LICENSE b/regress/sys/netinet/ipsec/LICENSE
index fc86159c7c6..c3e06a00534 100644
--- a/regress/sys/netinet/ipsec/LICENSE
+++ b/regress/sys/netinet/ipsec/LICENSE
@@ -1,13 +1,13 @@
-# Copyright (c) 2017 Alexander Bluhm
-#
-# Permission to use, copy, modify, and distribute this software for any
-# purpose with or without fee is hereby granted, provided that the above
-# copyright notice and this permission notice appear in all copies.
-#
-# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+Copyright (c) 2017-2021 Alexander Bluhm
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
diff --git a/regress/sys/netinet/ipsec/Makefile b/regress/sys/netinet/ipsec/Makefile
index 8b0568cb544..ed7425b7df5 100644
--- a/regress/sys/netinet/ipsec/Makefile
+++ b/regress/sys/netinet/ipsec/Makefile
@@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.29 2020/12/21 00:47:18 bluhm Exp $ +# $OpenBSD: Makefile,v 1.30 2021/01/20 17:38:18 bluhm Exp $ # This test needs a manual setup of four machines, the make # target create-setup can be used to distribute the configuration. @@ -365,12 +365,16 @@ run-send-tcp-${host}_${sec}_${mode}_${ipv}: # Send large tcp stream, this should trigger path mtu discovery. # but it works only fo a few cases -.if "${sec}" == ESP && "${mode}" == TUNNEL4 && "${ipv}" == IPV4 +.if "${sec}" == ESP && "${mode}" == TUNNEL4 TARGETS += tcp-pmtu-${host}_${sec}_${mode}_${ipv} tcp pmtu ${host:L} ${sec:L} ${mode:L} ${ipv:L}:\ run-send-tcp-pmtu-${host}_${sec}_${mode}_${ipv} run-send-tcp-pmtu-${host}_${sec}_${mode}_${ipv}: - route delete -host ${${host}_${sec}_${mode}_${ipv}} || true + ${SUDO} route delete -host ${${host}_${sec}_${mode}_${ipv}} || true +.if "${host}" == ECO + ssh ${IPS_SSH} ${SUDO}\ + route delete -host ${${host}_${sec}_${mode}_${ipv}} || true +.endif openssl rand -base64 10000 |\ nc -n -N -w 8 ${${host}_${sec}_${mode}_${ipv}} 7 |\ wc | fgrep ' 209 209 13545' @@ -499,13 +503,30 @@ run-bpf-tcp-pmtu-IPS_ESP_TUNNEL4_IPV4: stamp-stop ${REGEX_REQ_IPS_ESP_TUNNEL4_IPV4_TCP}\ .* 1:1...\(1372\) ack ' enc0.tcpdump +run-bpf-tcp-pmtu-IPS_ESP_TUNNEL4_IPV6: stamp-stop + egrep -q '\ + ${REGEX_ESP}\ + ${REGEX_REQ_TUNNEL4}\ + ${REGEX_REQ_IPS_ESP_TUNNEL4_IPV6_TCP}\ + .* 1:1...\(1352\) ack ' enc0.tcpdump + run-bpf-tcp-pmtu-ECO_ESP_TUNNEL4_IPV4: stamp-stop + egrep -q '\ + ${REGEX_ESP}\ + ${REGEX_REQ_TUNNEL4}\ + ${REGEX_REQ_ECO_ESP_TUNNEL4_IPV4_TCP}\ + .* 1:1...\(1372\) ack ' enc0.tcpdump egrep -q '\ ${REGEX_ESP}\ ${REGEX_RPL_TUNNEL4}\ ${IPS_IN_IPV4} > ${SRC_ESP_TUNNEL_IPV4}:\ icmp: ${ECO_ESP_TUNNEL4_IPV4} unreachable -\ need to frag \(mtu 1400\) ' enc0.tcpdump + egrep -q '\ + ${REGEX_ESP}\ + ${REGEX_REQ_TUNNEL4}\ + ${REGEX_REQ_ECO_ESP_TUNNEL4_IPV4_TCP}\ + .* 1:1...\(1348\) ack ' enc0.tcpdump egrep -q '\ ${REGEX_ESP}\ ${REGEX_RPL_TUNNEL4}\ 
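Review bot: The `|| true` after the new `ssh ${IPS_SSH} ${SUDO} route delete ...` line in run-send-tcp-pmtu runs in the local shell, so it hides an ssh connection or authentication failure as well as the expected "no such route" error. If the cleanup on IPS silently does not run, a previously learned host route may survive there (inferred from the purpose of the step), and the later capture checks fail without pointing at the cause. Quoting the remote command keeps the tolerance on the remote side and lets ssh errors fail the target: `ssh ${IPS_SSH} '${SUDO} route delete -host ${${host}_${sec}_${mode}_${ipv}} || true'`. A one-line comment on the `.if "${host}" == ECO` branch saying why only ECO needs the route cleared on IPS would also help.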
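Review bot: The `egrep -q` checks added to run-bpf-tcp-pmtu-ECO_ESP_TUNNEL4_IPV4 each scan the whole of enc0.tcpdump independently, so they show that a 1372-byte segment, a `need to frag (mtu 1400)` reply and a 1348-byte segment all occur, but not that they occur in that order. A capture in which the sender shrank its segments before the ICMP error arrived would still pass, so the target does not prove that the ICMP message caused the reduction. The new IPV6 targets in this hunk and the next are built the same way. The sizes are bare literals; a comment such as `# mtu 1400 - 20 ip - 20 tcp - 12 timestamp option = 1348` would document them, assuming that is the derivation. The ECO target's body continues past the end of this hunk.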
@@ -518,6 +539,33 @@ run-bpf-tcp-pmtu-ECO_ESP_TUNNEL4_IPV4: stamp-stop ${REGEX_REQ_ECO_ESP_TUNNEL4_IPV4_TCP}\ .* 1:1...\(1248\) ack ' enc0.tcpdump +run-bpf-tcp-pmtu-ECO_ESP_TUNNEL4_IPV6: stamp-stop + egrep -q '\ + ${REGEX_ESP}\ + ${REGEX_REQ_TUNNEL4}\ + ${REGEX_REQ_ECO_ESP_TUNNEL4_IPV6_TCP}\ + .* 1:1...\(1352\) ack ' enc0.tcpdump + egrep -q '\ + ${REGEX_ESP}\ + ${REGEX_RPL_TUNNEL6}\ + ${IPS_IN_IPV6} > ${SRC_ESP_TUNNEL_IPV6}:\ + icmp6: too big 1400 ' enc0.tcpdump + egrep -q '\ + ${REGEX_ESP}\ + ${REGEX_REQ_TUNNEL4}\ + ${REGEX_REQ_ECO_ESP_TUNNEL4_IPV6_TCP}\ + .* 1:1...\(1328\) ack ' enc0.tcpdump + egrep -q '\ + ${REGEX_ESP}\ + ${REGEX_RPL_TUNNEL6}\ + ${RT_IN_IPV6} > ${SRC_ESP_TUNNEL_IPV6}:\ + icmp6: too big 1300 ' enc0.tcpdump + egrep -q '\ + ${REGEX_ESP}\ + ${REGEX_REQ_TUNNEL4}\ + ${REGEX_REQ_ECO_ESP_TUNNEL4_IPV6_TCP}\ + .* 1:1...\(1228\) ack ' enc0.tcpdump + REGRESS_TARGETS = ${TARGETS:S/^/run-send-/} \ ${TARGETS:N*_IPIP_*:N*_BUNDLE_*:N*_IN_*:N*_OUT_*:N*-SRC_*:Nudp-*_IPCOMP_*:Ntcp-*_IPCOMP_*:N*-small-*:Nnonxt-*_IPCOMP_*:S/-big-/-/:S/^/run-bpf-/} \ ${TARGETS:N*_IPIP_*:N*_IPCOMP_*:N*_IN_*:N*_OUT_*:N*-SRC_*:N*-small-*:N*-pmtu-*:S/-big-/-/:S/^/run-pflog-/} diff --git a/regress/sys/netinet/ipsec/ipsec.conf b/regress/sys/netinet/ipsec/ipsec.conf index 0f8d394978a..202a6b1b1db 100644 --- a/regress/sys/netinet/ipsec/ipsec.conf +++ b/regress/sys/netinet/ipsec/ipsec.conf @@ -1,4 +1,4 @@ -# $OpenBSD: ipsec.conf,v 1.8 2020/12/21 00:47:18 bluhm Exp $ +# $OpenBSD: ipsec.conf,v 1.9 2021/01/20 17:38:18 bluhm Exp $ ### regress ipsec ipsec.conf # Install symmetric config by exchanging local and peer keywords. @@ -58,6 +58,11 @@ flow esp \ $FROM $SRC_ESP_TUNNEL_IPV6/64 $TO $IPS_ESP_TUNNEL6_IPV6/64 \ $LOCAL $SRC_OUT_IPV6 $PEER $IPS_IN_IPV6 \ type dontacq +# icmp6 too big +flow esp proto icmp6 \ + $FROM $SRC_ESP_TUNNEL_IPV6/64 $TO $IPS_IN_IPV6 \ + $LOCAL $SRC_OUT_IPV6 $PEER $IPS_IN_IPV6 \ + type dontacq # ESP TUNNEL ECO 
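Review bot: In run-bpf-tcp-pmtu-ECO_ESP_TUNNEL4_IPV6 the TCP segments are matched with `${REGEX_REQ_TUNNEL4}` but the too-big replies with `${REGEX_RPL_TUNNEL6}`, and nothing in the target explains the mix of address families. It presumably follows from the new `proto icmp6` flows in ipsec.conf, whose `$LOCAL` and `$PEER` are IPv6 addresses, so the ICMPv6 error would return in an IPv6 ESP tunnel rather than the IPv4 one under test. A comment above the second egrep, for example `# icmp6 too big returns via the IPv6 ESP flow from ipsec.conf, not TUNNEL4`, would stop a reader from taking it for a copy-paste slip.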
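Review bot: The new flow is commented `# icmp6 too big`, but `proto icmp6` matches every ICMPv6 type between `$SRC_ESP_TUNNEL_IPV6/64` and `$IPS_IN_IPV6`, not only packet-too-big. For an isolated regress network that is probably intended, but the comment should state the real scope, for example `# icmp6 too big from the tunnel endpoint; flow covers all icmp6, type is not filtered here`. The flow added in the following hunk for `$RT_IN_IPV6` carries the same comment and the same breadth. Anyone reusing this file as a template outside the test setup would want the ICMPv6 types restricted in the packet filter.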
@@ -83,6 +88,11 @@ flow esp \ $FROM $SRC_ESP_TUNNEL_IPV6/64 $TO $ECO_ESP_TUNNEL6_IPV6/64 \ $LOCAL $SRC_OUT_IPV6 $PEER $IPS_IN_IPV6 \ type dontacq +# icmp6 too big +flow esp proto icmp6 \ + $FROM $SRC_ESP_TUNNEL_IPV6/64 $TO $RT_IN_IPV6 \ + $LOCAL $SRC_OUT_IPV6 $PEER $IPS_IN_IPV6 \ + type dontacq # ESP TUNNEL SA -- 2.20.1