authorJason A. Donenfeld <Jason@zx2c4.com>2016-08-12 13:47:20 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2016-08-12 16:17:24 +0200
commit502ff81c5e7b0c8a8599eb822137299f594c3d42 (patch)
tree3ed5a7bc9bb0f2407ba34b79da6218dc00d156c5
parentmain: load driver late in boot process when debugging (diff)
downloadwireguard-monolithic-historical-502ff81c5e7b0c8a8599eb822137299f594c3d42.tar.xz
wireguard-monolithic-historical-502ff81c5e7b0c8a8599eb822137299f594c3d42.zip
tests: add crypto-RP filter test
Diffstat (limited to '')
-rw-r--r--src/tests/debug.mk2
-rwxr-xr-xsrc/tests/netns.sh18
-rw-r--r--src/tests/qemu/Makefile15
3 files changed, 34 insertions, 1 deletions
diff --git a/src/tests/debug.mk b/src/tests/debug.mk
index 1b298a7..cac4107 100644
--- a/src/tests/debug.mk
+++ b/src/tests/debug.mk
@@ -21,6 +21,8 @@ test: debug
-sudo modprobe x_tables
-sudo modprobe ipv6
-sudo modprobe xt_hashlimit
+ -sudo modprobe nf_conntrack_ipv4
+ -sudo modprobe nf_conntrack_ipv6
-sudo rmmod wireguard
-sudo insmod wireguard.ko
sudo PATH="$(shell pwd)/tools:$$PATH:/usr/sbin:/sbin:/usr/bin:/bin:/usr/local/sbin:/usr/local/bin" ./tests/netns.sh
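Review bot: The two added `modprobe` lines carry the `-` prefix, so a missing or renamed conntrack module is ignored here and would only surface later as a failure inside `netns.sh`. Nothing in the hunk says which part of the test script needs connection tracking; a short comment above them, for example `# conntrack modules are required by the netfilter-based tests in netns.sh` (confirm which section), would make the dependency visible. The `test` recipe starts before the hunk.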
diff --git a/src/tests/netns.sh b/src/tests/netns.sh
index eb5ed43..5424d81 100755
--- a/src/tests/netns.sh
+++ b/src/tests/netns.sh
@@ -35,6 +35,7 @@ ip1() { pretty 1 "ip $*"; ip -n $netns1 "$@"; }
ip2() { pretty 2 "ip $*"; ip -n $netns2 "$@"; }
sleep() { read -t "$1" -N 0 || true; }
waitiperf() { pretty "${1//*-}" "wait for iperf:5201"; while [[ $(ss -N "$1" -tlp 'sport = 5201') != *iperf3* ]]; do sleep 0.1; done; }
+waitncatudp() { pretty "${1//*-}" "wait for udp:1111"; while [[ $(ss -N "$1" -ulp 'sport = 1111') != *ncat* ]]; do sleep 0.1; done; }
cleanup() {
set +e
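Review bot: `waitncatudp` polls `ss` with no upper bound, so if ncat never binds UDP port 1111 in the namespace (binary missing from the image, port already taken) the run hangs instead of failing. A bounded form such as `for ((i = 0; i < 50; ++i)); do [[ $(ss -N "$1" -ulp 'sport = 1111') == *ncat* ]] && return 0; sleep 0.1; done; return 1` turns that into an explicit failure. The same applies to `waitiperf` on the line above, which this helper mirrors. The `cleanup` function that follows continues outside the hunk.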
@@ -161,6 +162,23 @@ n1 ping -W 1 -c 1 192.168.241.2
n1 wg
n2 wg
+# Test that crypto-RP filter works
+n1 wg set wg0 peer "$pub2" allowed-ips 192.168.241.0/24
+read -r -N 1 -t 1 out < <(n1 ncat -l -u -p 1111) && [[ $out == "X" ]] & listener_pid=$!
+waitncatudp $netns1
+n2 ncat -u 192.168.241.1 1111 <<<"X"
+wait $listener_pid
+more_specific_key="$(pp wg genkey | pp wg pubkey)"
+n1 wg set wg0 peer "$more_specific_key" allowed-ips 192.168.241.2/32
+n2 wg set wg0 listen-port 9997
+read -r -N 1 -t 1 out < <(n1 ncat -l -u -p 1111) && [[ $out == "X" ]] & listener_pid=$!
+waitncatudp $netns1
+n2 ncat -u 192.168.241.1 1111 <<<"X"
+! wait $listener_pid || false
+n1 wg set wg0 peer "$more_specific_key" remove
+[[ $(n1 wg show wg0 endpoints) == "$pub2 [::1]:9997" ]]
+
+
# Test using NAT. We now change the topology to this:
# ┌────────────────────────────────────────┐ ┌────────────────────────────────────────────────┐ ┌────────────────────────────────────────┐
# │ $ns1 namespace │ │ $ns0 namespace │ │ $ns2 namespace │
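Review bot: The negative half of the test, `! wait $listener_pid || false`, passes whenever the listener fails to read "X" within its one-second timeout, so on its own it cannot distinguish "dropped by the allowed-ips source check" from "never arrived". The final `wg show wg0 endpoints` comparison appears to be what closes that gap, since the endpoint moving to port 9997 implies an authenticated packet from the second peer was received; a comment saying so would keep a later edit from dropping it as unrelated. Suggested comments: `# 192.168.241.2/32 now belongs to another key, so pub2's packet from that source must be dropped` before the second listener, and `# endpoint roamed to :9997, so the packet was authenticated and received, then filtered` before the last check. The `listen-port 9997` change is not reverted at the end of the block; whether the NAT test that follows depends on the port is not visible here.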
diff --git a/src/tests/qemu/Makefile b/src/tests/qemu/Makefile
index 781fcca..0e5ab0d 100644
--- a/src/tests/qemu/Makefile
+++ b/src/tests/qemu/Makefile
@@ -48,6 +48,7 @@ $(eval $(call tar_download,IPERF,iperf,3.1.3,.tar.gz,http://downloads.es.net/pub
$(eval $(call tar_download,BASH,bash,30a978b7d808c067219c95be88c4979b6a7aa251,.tar.gz,http://git.savannah.gnu.org/cgit/bash.git/snapshot/))
$(eval $(call tar_download,IPROUTE2,iproute2,4.3.0,.tar.gz,http://www.kernel.org/pub/linux/utils/net/iproute2/))
$(eval $(call tar_download,IPTABLES,iptables,1.6.0,.tar.bz2,http://ftp.netfilter.org/pub/iptables/))
+$(eval $(call tar_download,NMAP,nmap,7.25BETA1,.tar.bz2,http://nmap.org/dist/))
IPUTILS_VERSION := s20160308
IPUTILS_TAR := $(DISTFILES_PATH)/$(IPUTILS_VERSION).tar.gz
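Review bot: The new `tar_download` entry fetches the nmap tarball over plain `http://` and passes no digest, so as far as this hunk shows nothing ties the archive to a known-good copy before the last hunk of this file unpacks it and runs its `./configure` on the build host. `tar_download` is defined outside the hunk, so whether it verifies anything cannot be seen here; if it does not, pinning a SHA-256 per tarball and checking it before extraction would close that gap. Independently, the URL could be `https://nmap.org/dist/`, provided the downloader used by `tar_download` handles TLS. The neighbouring iperf, bash, iproute2 and iptables entries have the same shape.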
@@ -93,6 +94,7 @@ $(BUILD_PATH)/init-cpio-spec.txt:
echo "file /bin/ip $(IPROUTE2_PATH)/ip/ip 755 0 0" >> $@
echo "file /bin/ss $(IPROUTE2_PATH)/misc/ss 755 0 0" >> $@
echo "file /bin/ping $(IPUTILS_PATH)/ping 755 0 0" >> $@
+ echo "file /bin/ncat $(NMAP_PATH)/ncat/ncat 755 0 0" >> $@
echo "file /bin/xtables-multi $(IPTABLES_PATH)/iptables/xtables-multi 755 0 0" >> $@
echo "slink /bin/iptables xtables-multi 777 0 0" >> $@
echo "slink /bin/ping6 ping 777 0 0" >> $@
@@ -115,7 +117,7 @@ $(KERNEL_PATH)/.config: kernel.config | $(KERNEL_PATH)/.installed
cd $(KERNEL_PATH) && scripts/kconfig/merge_config.sh -n .config minimal.config
-[ "$(DEBUG_KERNEL)" = "yes" ] && ( cd $(KERNEL_PATH) && scripts/kconfig/merge_config.sh -n .config $(PWD)/debug.config )
-$(KERNEL_BZIMAGE): $(KERNEL_PATH)/.installed $(KERNEL_PATH)/.config $(BUILD_PATH)/init-cpio-spec.txt $(MUSL_PATH)/lib/libc.so $(IPERF_PATH)/src/iperf3 $(BUILD_PATH)/tools/wg $(IPUTILS_PATH)/ping $(BASH_PATH)/bash $(IPROUTE2_PATH)/ip/ip $(IPTABLES_PATH)/iptables/xtables-multi $(BUILD_PATH)/init ../netns.sh $(WIREGUARD_SOURCES) $(TOOLS_SOURCES)
+$(KERNEL_BZIMAGE): $(KERNEL_PATH)/.installed $(KERNEL_PATH)/.config $(BUILD_PATH)/init-cpio-spec.txt $(MUSL_PATH)/lib/libc.so $(IPERF_PATH)/src/iperf3 $(BUILD_PATH)/tools/wg $(IPUTILS_PATH)/ping $(BASH_PATH)/bash $(IPROUTE2_PATH)/ip/ip $(IPTABLES_PATH)/iptables/xtables-multi $(NMAP_PATH)/ncat/ncat $(BUILD_PATH)/init ../netns.sh $(WIREGUARD_SOURCES) $(TOOLS_SOURCES)
$(MAKE) -C $(KERNEL_PATH)
$(BUILD_PATH)/include/linux/.installed: | $(KERNEL_PATH)/.installed
@@ -209,6 +211,17 @@ $(IPTABLES_PATH)/.installed: $(IPTABLES_TAR)
$(IPTABLES_PATH)/iptables/xtables-multi: $(IPTABLES_PATH)/.installed $(MUSL_CC) $(LIBMNL_PATH)/src/.libs/libmnl.a | $(KERNEL_PATH)/.installed
cd $(IPTABLES_PATH) && PKG_CONFIG_LIBDIR="$(LIBMNL_PATH)" CC="$(MUSL_CC)" CFLAGS="$(CFLAGS)" ./configure --prefix=/ --host=$(CHOST) --enable-static --disable-shared --disable-nftables --disable-bpf-compiler --disable-nfsynproxy --disable-libipq --with-kernel=$(KERNEL_PATH)
$(MAKE) -C $(IPTABLES_PATH)
+ strip -s $@
+
+$(NMAP_PATH)/.installed: $(NMAP_TAR)
+ flock -x $<.lock true
+ tar -C $(BUILD_PATH) -xf $<
+ touch $@
+
+$(NMAP_PATH)/ncat/ncat: $(NMAP_PATH)/.installed $(MUSL_CC) | $(KERNEL_PATH)/.installed
+ cd $(NMAP_PATH) && CC="$(MUSL_CC)" CFLAGS="$(CFLAGS)" ./configure --prefix=/ --host=$(CHOST) --enable-static --disable-shared --without-ndiff --without-zenmap --without-nping --with-libpcap=included --with-libpcre=included --with-libdnet=included --without-liblua --with-liblinear=included --without-nmap-update --without-openssl --with-pcap=linux
+ $(MAKE) -C $(NMAP_PATH) build-ncat
+ strip -s $@
clean:
rm -rf $(BUILD_PATH)
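Review bot: `flock -x $<.lock true` in the new `.installed` rule takes the lock and releases it at once, so it only waits for another holder and does not protect the `tar` extraction that follows. Presumably the holder is the download step in `tar_download`, which is outside this hunk. A comment above the rule, such as `# Block until any in-flight download of the tarball has released its lock.`, would record that intent. The added `strip -s $@` lines use the build host's `strip` while `./configure` is given `--host=$(CHOST)`; if CHOST can differ from the build machine, a toolchain-prefixed strip would be needed.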