From: Dmitry Safonov <dima@arista.com>
To: linux-kernel@vger.kernel.org, David Ahern <dsahern@kernel.org>,
Eric Dumazet <edumazet@google.com>
Cc: Dmitry Safonov <dima@arista.com>,
Andy Lutomirski <luto@amacapital.net>,
Ard Biesheuvel <ardb@kernel.org>,
Bob Gilligan <gilligan@arista.com>,
Dan Carpenter <dan.carpenter@oracle.com>,
"David S. Miller" <davem@davemloft.net>,
Dmitry Safonov <0x7f454c46@gmail.com>,
Eric Biggers <ebiggers@kernel.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Francesco Ruggeri <fruggeri@arista.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Ivan Delalande <colona@arista.com>,
Jakub Kicinski <kuba@kernel.org>,
Leonard Crestez <cdleonard@gmail.com>,
Paolo Abeni <pabeni@redhat.com>,
Salam Noureddine <noureddine@arista.com>,
Shuah Khan <shuah@kernel.org>,
netdev@vger.kernel.org, linux-crypto@vger.kernel.org
Subject: [PATCH v3 28/36] selftest/net: Add TCP-AO ICMPs accept test
Date: Thu, 27 Oct 2022 21:43:39 +0100 [thread overview]
Message-ID: <20221027204347.529913-29-dima@arista.com> (raw)
In-Reply-To: <20221027204347.529913-1-dima@arista.com>
Reverse to icmps-discard test: the server accepts ICMPs, using
TCP_AO_CMDF_ACCEPT_ICMP and it is expected to fail under ICMP
flood from client. Test that the default pre-TCP-AO behaviour functions
when TCP_AO_CMDF_ACCEPT_ICMP is set.
Expected output for ipv4 version (in case it receives ICMP_PROT_UNREACH):
> # ./icmps-accept_ipv4
> 1..3
> # 3209[lib/setup.c:166] rand seed 1642623870
> TAP version 13
> # 3209[lib/proc.c:207] Snmp6 Ip6InReceives: 0 => 1
> # 3209[lib/proc.c:207] Snmp6 Ip6InNoRoutes: 0 => 1
> # 3209[lib/proc.c:207] Snmp6 Ip6InOctets: 0 => 76
> # 3209[lib/proc.c:207] Snmp6 Ip6InNoECTPkts: 0 => 1
> # 3209[lib/proc.c:207] Tcp InSegs: 3 => 23
> # 3209[lib/proc.c:207] Tcp OutSegs: 2 => 22
> # 3209[lib/proc.c:207] IcmpMsg InType3: 0 => 4
> # 3209[lib/proc.c:207] Icmp InMsgs: 0 => 4
> # 3209[lib/proc.c:207] Icmp InDestUnreachs: 0 => 4
> # 3209[lib/proc.c:207] Ip InReceives: 3 => 27
> # 3209[lib/proc.c:207] Ip InDelivers: 3 => 27
> # 3209[lib/proc.c:207] Ip OutRequests: 2 => 22
> # 3209[lib/proc.c:207] IpExt InOctets: 288 => 3420
> # 3209[lib/proc.c:207] IpExt OutOctets: 124 => 3244
> # 3209[lib/proc.c:207] IpExt InNoECTPkts: 3 => 25
> # 3209[lib/proc.c:207] TcpExt TCPPureAcks: 1 => 2
> # 3209[lib/proc.c:207] TcpExt TCPOrigDataSent: 0 => 20
> # 3209[lib/proc.c:207] TcpExt TCPDelivered: 0 => 19
> # 3209[lib/proc.c:207] TcpExt TCPAOGood: 3 => 23
> ok 1 InDestUnreachs delivered 4
> ok 2 server failed with -92: Protocol not available
> ok 3 TCPAODroppedIcmps counter didn't change: 0 >= 0
> # Totals: pass:3 fail:0 xfail:0 xpass:0 skip:0 error:0
Expected output for ipv6 version (in case it receives ADM_PROHIBITED):
> # ./icmps-accept_ipv6
> 1..3
> # 3277[lib/setup.c:166] rand seed 1642624035
> TAP version 13
> # 3277[lib/proc.c:207] Snmp6 Ip6InReceives: 6 => 31
> # 3277[lib/proc.c:207] Snmp6 Ip6InDelivers: 4 => 29
> # 3277[lib/proc.c:207] Snmp6 Ip6OutRequests: 4 => 24
> # 3277[lib/proc.c:207] Snmp6 Ip6InOctets: 592 => 4492
> # 3277[lib/proc.c:207] Snmp6 Ip6OutOctets: 332 => 3852
> # 3277[lib/proc.c:207] Snmp6 Ip6InNoECTPkts: 6 => 31
> # 3277[lib/proc.c:207] Snmp6 Icmp6InMsgs: 1 => 6
> # 3277[lib/proc.c:207] Snmp6 Icmp6InDestUnreachs: 0 => 5
> # 3277[lib/proc.c:207] Snmp6 Icmp6InType1: 0 => 5
> # 3277[lib/proc.c:207] Tcp InSegs: 3 => 23
> # 3277[lib/proc.c:207] Tcp OutSegs: 2 => 22
> # 3277[lib/proc.c:207] TcpExt TCPPureAcks: 1 => 2
> # 3277[lib/proc.c:207] TcpExt TCPOrigDataSent: 0 => 20
> # 3277[lib/proc.c:207] TcpExt TCPDelivered: 0 => 19
> # 3277[lib/proc.c:207] TcpExt TCPAOGood: 3 => 23
> ok 1 Icmp6InDestUnreachs delivered 5
> ok 2 server failed with -13: Permission denied
> ok 3 TCPAODroppedIcmps counter didn't change: 0 >= 0
> # Totals: pass:3 fail:0 xfail:0 xpass:0 skip:0 error:0
With some luck the server may fail with ECONNREFUSED (depending on what
icmp packet was delivered firstly).
For the kernel error handlers see: tab_unreach[] and icmp_err_convert[].
Signed-off-by: Dmitry Safonov <dima@arista.com>
---
tools/testing/selftests/net/tcp_ao/Makefile | 4 +++-
.../testing/selftests/net/tcp_ao/icmps-accept.c | 1 +
.../selftests/net/tcp_ao/icmps-discard.c | 17 +++++++++++++++--
3 files changed, 19 insertions(+), 3 deletions(-)
create mode 120000 tools/testing/selftests/net/tcp_ao/icmps-accept.c
diff --git a/tools/testing/selftests/net/tcp_ao/Makefile b/tools/testing/selftests/net/tcp_ao/Makefile
index 9acfd782c20f..a178bde0af08 100644
--- a/tools/testing/selftests/net/tcp_ao/Makefile
+++ b/tools/testing/selftests/net/tcp_ao/Makefile
@@ -1,5 +1,5 @@
# SPDX-License-Identifier: GPL-2.0
-TEST_BOTH_AF := connect icmps-discard
+TEST_BOTH_AF := connect icmps-discard icmps-accept
TEST_IPV4_PROGS := $(TEST_BOTH_AF:%=%_ipv4)
TEST_IPV6_PROGS := $(TEST_BOTH_AF:%=%_ipv6)
@@ -43,3 +43,5 @@ $(OUTPUT)/%_ipv4: %.c
$(OUTPUT)/%_ipv6: %.c
$(LINK.c) -DIPV6_TEST $^ $(LDLIBS) -o $@
+$(OUTPUT)/icmps-accept_ipv4: CFLAGS+= -DTEST_ICMPS_ACCEPT
+$(OUTPUT)/icmps-accept_ipv6: CFLAGS+= -DTEST_ICMPS_ACCEPT
diff --git a/tools/testing/selftests/net/tcp_ao/icmps-accept.c b/tools/testing/selftests/net/tcp_ao/icmps-accept.c
new file mode 120000
index 000000000000..0a5bb85eb260
--- /dev/null
+++ b/tools/testing/selftests/net/tcp_ao/icmps-accept.c
@@ -0,0 +1 @@
+icmps-discard.c
\ No newline at end of file
diff --git a/tools/testing/selftests/net/tcp_ao/icmps-discard.c b/tools/testing/selftests/net/tcp_ao/icmps-discard.c
index 07eba1308b4e..d90017dfc20d 100644
--- a/tools/testing/selftests/net/tcp_ao/icmps-discard.c
+++ b/tools/testing/selftests/net/tcp_ao/icmps-discard.c
@@ -43,8 +43,17 @@ const int sk_ip_level = SOL_IP;
const int sk_recverr = IP_RECVERR;
#endif
-#define test_icmps_fail test_fail
-#define test_icmps_ok test_ok
+/*
+ * Server is expected to fail with hard error if
+ * TCP_AO_CMDF_ACCEPT_ICMP is set
+ */
+#ifdef TEST_ICMPS_ACCEPT
+# define test_icmps_fail test_ok
+# define test_icmps_ok test_fail
+#else
+# define test_icmps_fail test_fail
+# define test_icmps_ok test_ok
+#endif
static void serve_interfered(int sk)
{
@@ -98,6 +107,10 @@ static void *server_fn(void *arg)
lsk = test_listen_socket(this_ip_addr, test_server_port, 1);
+#ifdef TEST_ICMPS_ACCEPT
+ flags = TCP_AO_CMDF_ACCEPT_ICMP;
+#endif
+
if (test_set_ao(lsk, "password", flags, this_ip_dest, -1, 100, 100))
test_error("setsockopt(TCP_AO)");
synchronize_threads();
--
2.38.1
next prev parent reply other threads:[~2022-10-27 20:50 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-27 20:43 [PATCH v3 00/36] net/tcp: Add TCP-AO support Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 01/36] crypto: Introduce crypto_pool Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 02/36] crypto_pool: Add crypto_pool_reserve_scratch() Dmitry Safonov
2022-10-28 7:06 ` kernel test robot
2022-10-27 20:43 ` [PATCH v3 03/36] net/tcp: Separate tcp_md5sig_info allocation into tcp_md5sig_info_add() Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 04/36] net/tcp: Disable TCP-MD5 static key on tcp_md5sig_info destruction Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 05/36] net/tcp: Use crypto_pool for TCP-MD5 Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 06/36] net/ipv6: sr: Switch to using crypto_pool Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 07/36] tcp: Add TCP-AO config and structures Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 08/36] net/tcp: Introduce TCP_AO setsockopt()s Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 09/36] net/tcp: Prevent TCP-MD5 with TCP-AO being set Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 10/36] net/tcp: Calculate TCP-AO traffic keys Dmitry Safonov
2022-10-28 8:07 ` kernel test robot
2022-10-27 20:43 ` [PATCH v3 11/36] net/tcp: Add TCP-AO sign to outgoing packets Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 12/36] net/tcp: Add tcp_parse_auth_options() Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 13/36] net/tcp: Add AO sign to RST packets Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 14/36] net/tcp: Add TCP-AO sign to twsk Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 15/36] net/tcp: Wire TCP-AO to request sockets Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 16/36] net/tcp: Sign SYN-ACK segments with TCP-AO Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 17/36] net/tcp: Verify inbound TCP-AO signed segments Dmitry Safonov
2022-10-28 5:15 ` kernel test robot
2022-10-27 20:43 ` [PATCH v3 18/36] net/tcp: Add TCP-AO segments counters Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 19/36] net/tcp: Add TCP-AO SNE support Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 20/36] net/tcp: Add tcp_hash_fail() ratelimited logs Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 21/36] net/tcp: Ignore specific ICMPs for TCP-AO connections Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 22/36] net/tcp: Add option for TCP-AO to (not) hash header Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 23/36] net/tcp: Add getsockopt(TCP_AO_GET) Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 24/36] net/tcp: Allow asynchronous delete for TCP-AO keys (MKTs) Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 25/36] net/tcp-ao: Add static_key for TCP-AO Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 26/36] selftests/net: Add TCP-AO library Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 27/36] selftests/net: Verify that TCP-AO complies with ignoring ICMPs Dmitry Safonov
2022-10-27 20:43 ` Dmitry Safonov [this message]
2022-10-27 20:43 ` [PATCH v3 29/36] selftest/tcp-ao: Add a test for MKT matching Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 30/36] selftest/tcp-ao: Add test for TCP-AO add setsockopt() command Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 31/36] selftests/tcp-ao: Add TCP-AO + TCP-MD5 + no sign listen socket tests Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 32/36] selftests/aolib: Add test/benchmark for removing MKTs Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 33/36] selftests/nettest: Remove client_pw Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 34/36] selftest/nettest: Rename md5_prefix* => auth_prefix* Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 35/36] selftests/nettest: Add TCP-AO support Dmitry Safonov
2022-10-27 20:43 ` [PATCH v3 36/36] selftests/fcnal-test.sh: Add TCP-AO tests Dmitry Safonov
2022-11-01 2:22 ` [PATCH v3 00/36] net/tcp: Add TCP-AO support David Ahern
2022-11-01 17:35 ` Dmitry Safonov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221027204347.529913-29-dima@arista.com \
--to=dima@arista.com \
--cc=0x7f454c46@gmail.com \
--cc=ardb@kernel.org \
--cc=cdleonard@gmail.com \
--cc=colona@arista.com \
--cc=dan.carpenter@oracle.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=ebiederm@xmission.com \
--cc=ebiggers@kernel.org \
--cc=edumazet@google.com \
--cc=fruggeri@arista.com \
--cc=gilligan@arista.com \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=netdev@vger.kernel.org \
--cc=noureddine@arista.com \
--cc=pabeni@redhat.com \
--cc=shuah@kernel.org \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).