1. 17 Dec, 2023 5 commits
    • selftests/net: Add a test for TCP-AO keys matching · ed9d09b3
      Dmitry Safonov authored
      Add TCP-AO tests on connect()/accept() pair.
      SNMP counters exposed by kernel are very useful here to verify the
      expected behavior of TCP-AO.
      
      Expected output for ipv4 version:
      > # ./connect-deny_ipv4
      > 1..19
      > # 1702[lib/setup.c:254] rand seed 1680553689
      > TAP version 13
      > ok 1 Non-AO server + AO client
      > ok 2 Non-AO server + AO client: counter TCPAOKeyNotFound increased 0 => 1
      > ok 3 AO server + Non-AO client
      > ok 4 AO server + Non-AO client: counter TCPAORequired increased 0 => 1
      > ok 5 Wrong password
      > ok 6 Wrong password: counter TCPAOBad increased 0 => 1
      > ok 7 Wrong rcv id
      > ok 8 Wrong rcv id: counter TCPAOKeyNotFound increased 1 => 2
      > ok 9 Wrong snd id
      > ok 10 Wrong snd id: counter TCPAOGood increased 0 => 1
      > ok 11 Server: Wrong addr: counter TCPAOKeyNotFound increased 2 => 3
      > ok 12 Server: Wrong addr
      > ok 13 Client: Wrong addr: connect() was prevented
      > ok 14 rcv id != snd id: connected
      > ok 15 rcv id != snd id: counter TCPAOGood increased 1 => 3
      > ok 16 Server: prefix match: connected
      > ok 17 Server: prefix match: counter TCPAOGood increased 4 => 6
      > ok 18 Client: prefix match: connected
      > ok 19 Client: prefix match: counter TCPAOGood increased 7 => 9
      > # Totals: pass:19 fail:0 xfail:0 xpass:0 skip:0 error:0
      
      Expected output for ipv6 version:
      > # ./connect-deny_ipv6
      > 1..19
      > # 1725[lib/setup.c:254] rand seed 1680553711
      > TAP version 13
      > ok 1 Non-AO server + AO client
      > ok 2 Non-AO server + AO client: counter TCPAOKeyNotFound increased 0 => 1
      > ok 3 AO server + Non-AO client: counter TCPAORequired increased 0 => 1
      > ok 4 AO server + Non-AO client
      > ok 5 Wrong password: counter TCPAOBad increased 0 => 1
      > ok 6 Wrong password
      > ok 7 Wrong rcv id: counter TCPAOKeyNotFound increased 1 => 2
      > ok 8 Wrong rcv id
      > ok 9 Wrong snd id: counter TCPAOGood increased 0 => 1
      > ok 10 Wrong snd id
      > ok 11 Server: Wrong addr
      > ok 12 Server: Wrong addr: counter TCPAOKeyNotFound increased 2 => 3
      > ok 13 Client: Wrong addr: connect() was prevented
      > ok 14 rcv id != snd id: connected
      > ok 15 rcv id != snd id: counter TCPAOGood increased 1 => 3
      > ok 16 Server: prefix match: connected
      > ok 17 Server: prefix match: counter TCPAOGood increased 5 => 7
      > ok 18 Client: prefix match: connected
      > ok 19 Client: prefix match: counter TCPAOGood increased 8 => 10
      > # Totals: pass:19 fail:0 xfail:0 xpass:0 skip:0 error:0
      Signed-off-by: Dmitry Safonov <dima@arista.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • selftests/net: Add TCP-AO ICMPs accept test · d11301f6
      Dmitry Safonov authored
      Reverse of the icmps-discard test: the server accepts ICMPs, using
      TCP_AO_CMDF_ACCEPT_ICMP and it is expected to fail under ICMP
      flood from client. Test that the default pre-TCP-AO behaviour functions
      when TCP_AO_CMDF_ACCEPT_ICMP is set.
      
      Expected output for ipv4 version (in case it receives ICMP_PROT_UNREACH):
      > # ./icmps-accept_ipv4
      > 1..3
      > # 3209[lib/setup.c:166] rand seed 1642623870
      > TAP version 13
      > # 3209[lib/proc.c:207]    Snmp6             Ip6InReceives: 0 => 1
      > # 3209[lib/proc.c:207]    Snmp6             Ip6InNoRoutes: 0 => 1
      > # 3209[lib/proc.c:207]    Snmp6               Ip6InOctets: 0 => 76
      > # 3209[lib/proc.c:207]    Snmp6            Ip6InNoECTPkts: 0 => 1
      > # 3209[lib/proc.c:207]      Tcp                    InSegs: 3 => 23
      > # 3209[lib/proc.c:207]      Tcp                   OutSegs: 2 => 22
      > # 3209[lib/proc.c:207]  IcmpMsg                   InType3: 0 => 4
      > # 3209[lib/proc.c:207]     Icmp                    InMsgs: 0 => 4
      > # 3209[lib/proc.c:207]     Icmp            InDestUnreachs: 0 => 4
      > # 3209[lib/proc.c:207]       Ip                InReceives: 3 => 27
      > # 3209[lib/proc.c:207]       Ip                InDelivers: 3 => 27
      > # 3209[lib/proc.c:207]       Ip               OutRequests: 2 => 22
      > # 3209[lib/proc.c:207]    IpExt                  InOctets: 288 => 3420
      > # 3209[lib/proc.c:207]    IpExt                 OutOctets: 124 => 3244
      > # 3209[lib/proc.c:207]    IpExt               InNoECTPkts: 3 => 25
      > # 3209[lib/proc.c:207]   TcpExt               TCPPureAcks: 1 => 2
      > # 3209[lib/proc.c:207]   TcpExt           TCPOrigDataSent: 0 => 20
      > # 3209[lib/proc.c:207]   TcpExt              TCPDelivered: 0 => 19
      > # 3209[lib/proc.c:207]   TcpExt                 TCPAOGood: 3 => 23
      > ok 1 InDestUnreachs delivered 4
      > ok 2 server failed with -92: Protocol not available
      > ok 3 TCPAODroppedIcmps counter didn't change: 0 >= 0
      > # Totals: pass:3 fail:0 xfail:0 xpass:0 skip:0 error:0
      
      Expected output for ipv6 version (in case it receives ADM_PROHIBITED):
      > # ./icmps-accept_ipv6
      > 1..3
      > # 3277[lib/setup.c:166] rand seed 1642624035
      > TAP version 13
      > # 3277[lib/proc.c:207]    Snmp6             Ip6InReceives: 6 => 31
      > # 3277[lib/proc.c:207]    Snmp6             Ip6InDelivers: 4 => 29
      > # 3277[lib/proc.c:207]    Snmp6            Ip6OutRequests: 4 => 24
      > # 3277[lib/proc.c:207]    Snmp6               Ip6InOctets: 592 => 4492
      > # 3277[lib/proc.c:207]    Snmp6              Ip6OutOctets: 332 => 3852
      > # 3277[lib/proc.c:207]    Snmp6            Ip6InNoECTPkts: 6 => 31
      > # 3277[lib/proc.c:207]    Snmp6               Icmp6InMsgs: 1 => 6
      > # 3277[lib/proc.c:207]    Snmp6       Icmp6InDestUnreachs: 0 => 5
      > # 3277[lib/proc.c:207]    Snmp6              Icmp6InType1: 0 => 5
      > # 3277[lib/proc.c:207]      Tcp                    InSegs: 3 => 23
      > # 3277[lib/proc.c:207]      Tcp                   OutSegs: 2 => 22
      > # 3277[lib/proc.c:207]   TcpExt               TCPPureAcks: 1 => 2
      > # 3277[lib/proc.c:207]   TcpExt           TCPOrigDataSent: 0 => 20
      > # 3277[lib/proc.c:207]   TcpExt              TCPDelivered: 0 => 19
      > # 3277[lib/proc.c:207]   TcpExt                 TCPAOGood: 3 => 23
      > ok 1 Icmp6InDestUnreachs delivered 5
      > ok 2 server failed with -13: Permission denied
      > ok 3 TCPAODroppedIcmps counter didn't change: 0 >= 0
      > # Totals: pass:3 fail:0 xfail:0 xpass:0 skip:0 error:0
      
      With some luck the server may fail with ECONNREFUSED (depending on which
      ICMP packet was delivered first).
      For the kernel error handlers see: tab_unreach[] and icmp_err_convert[].
      Signed-off-by: Dmitry Safonov <dima@arista.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • selftests/net: Verify that TCP-AO complies with ignoring ICMPs · a8fcf8ca
      Dmitry Safonov authored
      Hand-crafted ICMP packets are sent to the server, the server checks for
      hard/soft errors and fails if any.
      
      Expected output for ipv4 version:
      > # ./icmps-discard_ipv4
      > 1..3
      > # 3164[lib/setup.c:166] rand seed 1642623745
      > TAP version 13
      > # 3164[lib/proc.c:207]    Snmp6             Ip6InReceives: 0 => 1
      > # 3164[lib/proc.c:207]    Snmp6             Ip6InNoRoutes: 0 => 1
      > # 3164[lib/proc.c:207]    Snmp6               Ip6InOctets: 0 => 76
      > # 3164[lib/proc.c:207]    Snmp6            Ip6InNoECTPkts: 0 => 1
      > # 3164[lib/proc.c:207]      Tcp                    InSegs: 2 => 203
      > # 3164[lib/proc.c:207]      Tcp                   OutSegs: 1 => 202
      > # 3164[lib/proc.c:207]  IcmpMsg                   InType3: 0 => 543
      > # 3164[lib/proc.c:207]     Icmp                    InMsgs: 0 => 543
      > # 3164[lib/proc.c:207]     Icmp            InDestUnreachs: 0 => 543
      > # 3164[lib/proc.c:207]       Ip                InReceives: 2 => 746
      > # 3164[lib/proc.c:207]       Ip                InDelivers: 2 => 746
      > # 3164[lib/proc.c:207]       Ip               OutRequests: 1 => 202
      > # 3164[lib/proc.c:207]    IpExt                  InOctets: 132 => 61684
      > # 3164[lib/proc.c:207]    IpExt                 OutOctets: 68 => 31324
      > # 3164[lib/proc.c:207]    IpExt               InNoECTPkts: 2 => 744
      > # 3164[lib/proc.c:207]   TcpExt               TCPPureAcks: 1 => 2
      > # 3164[lib/proc.c:207]   TcpExt           TCPOrigDataSent: 0 => 200
      > # 3164[lib/proc.c:207]   TcpExt              TCPDelivered: 0 => 199
      > # 3164[lib/proc.c:207]   TcpExt                 TCPAOGood: 2 => 203
      > # 3164[lib/proc.c:207]   TcpExt         TCPAODroppedIcmps: 0 => 541
      > ok 1 InDestUnreachs delivered 543
      > ok 2 Server survived 20000 bytes of traffic
      > ok 3 ICMPs ignored 541
      > # Totals: pass:3 fail:0 xfail:0 xpass:0 skip:0 error:0
      
      Expected output for ipv6 version:
      > # ./icmps-discard_ipv6
      > 1..3
      > # 3186[lib/setup.c:166] rand seed 1642623803
      > TAP version 13
      > # 3186[lib/proc.c:207]    Snmp6             Ip6InReceives: 4 => 568
      > # 3186[lib/proc.c:207]    Snmp6             Ip6InDelivers: 3 => 564
      > # 3186[lib/proc.c:207]    Snmp6            Ip6OutRequests: 2 => 204
      > # 3186[lib/proc.c:207]    Snmp6            Ip6InMcastPkts: 1 => 4
      > # 3186[lib/proc.c:207]    Snmp6           Ip6OutMcastPkts: 0 => 1
      > # 3186[lib/proc.c:207]    Snmp6               Ip6InOctets: 320 => 70420
      > # 3186[lib/proc.c:207]    Snmp6              Ip6OutOctets: 160 => 35512
      > # 3186[lib/proc.c:207]    Snmp6          Ip6InMcastOctets: 72 => 336
      > # 3186[lib/proc.c:207]    Snmp6         Ip6OutMcastOctets: 0 => 76
      > # 3186[lib/proc.c:207]    Snmp6            Ip6InNoECTPkts: 4 => 568
      > # 3186[lib/proc.c:207]    Snmp6               Icmp6InMsgs: 1 => 361
      > # 3186[lib/proc.c:207]    Snmp6              Icmp6OutMsgs: 1 => 2
      > # 3186[lib/proc.c:207]    Snmp6       Icmp6InDestUnreachs: 0 => 360
      > # 3186[lib/proc.c:207]    Snmp6      Icmp6OutMLDv2Reports: 0 => 1
      > # 3186[lib/proc.c:207]    Snmp6              Icmp6InType1: 0 => 360
      > # 3186[lib/proc.c:207]    Snmp6           Icmp6OutType143: 0 => 1
      > # 3186[lib/proc.c:207]      Tcp                    InSegs: 2 => 203
      > # 3186[lib/proc.c:207]      Tcp                   OutSegs: 1 => 202
      > # 3186[lib/proc.c:207]   TcpExt               TCPPureAcks: 1 => 2
      > # 3186[lib/proc.c:207]   TcpExt           TCPOrigDataSent: 0 => 200
      > # 3186[lib/proc.c:207]   TcpExt              TCPDelivered: 0 => 199
      > # 3186[lib/proc.c:207]   TcpExt                 TCPAOGood: 2 => 203
      > # 3186[lib/proc.c:207]   TcpExt         TCPAODroppedIcmps: 0 => 360
      > ok 1 Icmp6InDestUnreachs delivered 360
      > ok 2 Server survived 20000 bytes of traffic
      > ok 3 ICMPs ignored 360
      > # Totals: pass:3 fail:0 xfail:0 xpass:0 skip:0 error:0
      Signed-off-by: Dmitry Safonov <dima@arista.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • selftests/net: Add TCP-AO library · cfbab37b
      Dmitry Safonov authored
      Provide functions to create selftests dedicated to TCP-AO.
      They can run in parallel, as they use temporary net namespaces.
      They can be very specific to the feature being tested.
      This will allow creating a lot of TCP-AO tests without complicating
      one binary with many --options, and creating scenarios that are
      hard to put in a bash script that uses one binary.
      Signed-off-by: Dmitry Safonov <dima@arista.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: phylink: reimplement population of pl->supported for in-band · 37a8997f
      Vladimir Oltean authored
      phylink_parse_mode() populates all possible supported link modes for a
      given phy_interface_t, for the case where a phylib phy may be absent and
      we can't retrieve the supported link modes from that.
      
      Russell points out that since the introduction of the generic validation
      helpers phylink_get_capabilities() and phylink_caps_to_linkmodes(), we
      can rewrite this procedure to populate the pl->supported mask, so that
      instead of spelling out the link modes, we derive an intermediary
      mac_capabilities bit field, and we convert that to the equivalent link
      modes.
      Suggested-by: Russell King (Oracle) <linux@armlinux.org.uk>
      Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 16 Dec, 2023 4 commits
  3. 15 Dec, 2023 31 commits
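
The TCP-AO selftest commits listed under 17 Dec verify behaviour by comparing kernel SNMP counters before and after each scenario ("counter TCPAOBad increased 0 => 1"). The same check is useful for monitoring rejected TCP-AO segments on a host; the sketch below is an added example, not code from the selftest library or from these commits. The function names `netstat_counter` and `ao_reject_delta` are hypothetical, and the two snapshots are constructed sample text in the `/proc/net/netstat` layout.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed snapshots in /proc/net/netstat layout: names line, then values line. */
#define NAMES "TcpExt: TCPPureAcks TCPAORequired TCPAOBad TCPAOKeyNotFound TCPAOGood\n"
static const char SNAP_BEFORE[] = "IpExt: InOctets\nIpExt: 288\n" NAMES "TcpExt: 1 0 0 1 0\n";
static const char SNAP_AFTER[] = NAMES "TcpExt: 2 1 1 3 9\n";

/* Value of counter `name` under prefix `proto` ("TcpExt:"), or -1 if absent. */
long netstat_counter(const char *snap, const char *proto, const char *name)
{
    size_t plen = strlen(proto), nlen = strlen(name), hl = 0, vl = 0;
    const char *hdr, *val, *nl = NULL;
    /* The names line is the first line that starts with the prefix. */
    for (hdr = snap; hdr && strncmp(hdr, proto, plen) != 0; hdr = nl ? nl + 1 : NULL)
        nl = strchr(hdr, '\n');
    if (!hdr || !(val = strchr(hdr, '\n')) || strncmp(++val, proto, plen) != 0)
        return -1;
    /* Walk the names and the values in step until the name matches. */
    for (hdr += plen, val += plen;; hdr += hl, val += vl) {
        hdr += strspn(hdr, " ");
        val += strspn(val, " ");
        hl = strcspn(hdr, " \n"), vl = strcspn(val, " \n");
        if (!hl || !vl)
            return -1;
        if (hl == nlen && memcmp(hdr, name, nlen) == 0)
            return strtol(val, NULL, 10);
    }
}

/* Total increase of the counters that record rejected segments, or -1. */
long ao_reject_delta(const char *before, const char *after)
{
    static const char *const names[] = { "TCPAORequired", "TCPAOBad", "TCPAOKeyNotFound" };
    long total = 0;
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        long b = netstat_counter(before, "TcpExt:", names[i]);
        long a = netstat_counter(after, "TcpExt:", names[i]);
        if (a < 0 || b < 0)
            return -1;
        total += a - b;
    }
    return total;
}

int main(void)
{
    printf("rejected segments: %ld\n", ao_reject_delta(SNAP_BEFORE, SNAP_AFTER));
}
```

On a live system the two snapshots would be successive reads of `/proc/net/netstat`; a non-zero delta while TCPAOGood stays flat points at a key, key-id or address mismatch of the kind the connect-deny test exercises.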