[ovs-dev] [PATCH 4/4] ipsec: Introduce IPsec system tests for Libreswan

Eelco Chaudron echaudro at redhat.com
Tue Mar 30 13:16:53 UTC 2021



On 8 Mar 2021, at 18:57, Mark Gray wrote:

> This patch adds system tests for OVS IPsec using Libreswan.
> If Libreswan is not present on the system, the tests will
> be skipped.
>
> These tests set up an underlay switch with bridge 'br0'
> to carry encrypted traffic between two emulated "nodes".
> Each "node" is a separate network namespace ('left' and
> 'right') and runs an instance of the Libreswan "pluto"
> daemon, ovs-monitor-ipsec, ovs-vswitchd and ovsdb-server.
>
> Each test sets up IPsec between the two emulated "nodes"
> using various configurations (currently tunnel
> type, IPv4/IPv6, authentication method, local_ip). After
> configuration, connectivity between the two nodes is
> tested and the underlay traffic is also inspected to
> ensure the traffic is encrypted.
>
> All IPsec system tests can be run by using the ipsec
> keyword:
>
> sudo make check-kernel TESTSUITEFLAGS='-k ipsec'

Just a general note first, the --rundir option in pluto does not like 
long path names, and hence it failed in my environment.

Guess this might need a fix in pluto, and maybe also a check in the 
self-test to avoid other people trying to figure out what they do wrong.

> Signed-off-by: Mark Gray <mark.d.gray at redhat.com>
> ---
>  tests/automake.mk              |   3 +-
>  tests/system-ipsec.at          | 379 
> +++++++++++++++++++++++++++++++++
>  tests/system-kmod-testsuite.at |   1 +
>  3 files changed, 382 insertions(+), 1 deletion(-)
>  create mode 100644 tests/system-ipsec.at
>
> diff --git a/tests/automake.mk b/tests/automake.mk
> index 44a65849ccac..1a528aa394ff 100644
> --- a/tests/automake.mk
> +++ b/tests/automake.mk
> @@ -173,6 +173,7 @@ SYSTEM_TESTSUITE_AT = \
>  	tests/system-common-macros.at \
>  	tests/system-layer3-tunnels.at \
>  	tests/system-traffic.at \
> +	tests/system-ipsec.at \
>  	tests/system-interface.at
>
>  SYSTEM_OFFLOADS_TESTSUITE_AT = \
> @@ -200,7 +201,7 @@ SYSTEM_DPDK_TESTSUITE = 
> $(srcdir)/tests/system-dpdk-testsuite
>  OVSDB_CLUSTER_TESTSUITE = $(srcdir)/tests/ovsdb-cluster-testsuite
>  DISTCLEANFILES += tests/atconfig tests/atlocal
>
> -AUTOTEST_PATH = 
> utilities:vswitchd:ovsdb:vtep:tests:$(PTHREAD_WIN32_DIR_DLL):$(SSL_DIR)
> +AUTOTEST_PATH = 
> utilities:vswitchd:ovsdb:vtep:tests:ipsec:$(PTHREAD_WIN32_DIR_DLL):$(SSL_DIR)
>
>  check-local:
>  	set $(SHELL) '$(TESTSUITE)' -C tests AUTOTEST_PATH=$(AUTOTEST_PATH); 
> \
> diff --git a/tests/system-ipsec.at b/tests/system-ipsec.at
> new file mode 100644
> index 000000000000..1dcff38798d7
> --- /dev/null
> +++ b/tests/system-ipsec.at
> @@ -0,0 +1,379 @@
> +AT_BANNER(IPsec)
> +
> +dnl IPSEC_SETUP_UNDERLAY()
> +dnl
> +dnl Configure anything required in the underlay network
> +m4_define([IPSEC_SETUP_UNDERLAY],
> +      [AT_CHECK([cp ${abs_top_srcdir}/vswitchd/vswitch.ovsschema 
> vswitch.ovsschema])
> +      dnl Set up the underlay switch
> +      AT_CHECK([ovs-ofctl add-flow br0 "actions=normal"])])
> +
> +dnl IPSEC_ADD_NODE([namespace], [device], [address], [peer address]))
> +dnl
> +dnl Creates a dummy host that acts as an IPsec endpoint. Creates host 
> in
> +dnl 'namespace' and attaches a veth 'device' to 'namespace' to act as 
> the host
> +dnl NIC. Assigns 'address' to 'device' and adds the other end of veth 
> 'device' to
> +dnl 'br0' which is an OVS bridge in the default namespace acting as 
> an underlay
> +dnl switch. Sets the default gateway of 'namespace' to 'peer 
> address'.
> +dnl
> +dnl Starts all daemons in 'namespace' that are required for IPsec
> +m4_define([IPSEC_ADD_NODE],
> +  [ADD_NAMESPACES($1)
> +  dnl Disable DAD. We know we wont get duplicates on this underlay 
> network.
> +  NS_EXEC([$1], [sysctl -w net.ipv6.conf.all.accept_dad=0])
> +  NS_EXEC([$1], [sysctl -w net.ipv6.conf.default.accept_dad=0])
> +  ADD_VETH($2, $1, br0, $3/24)
> +  NS_EXEC([$1], [ip route add default via $4 dev $2])
> +  mkdir -p $ovs_base/$1
> +  touch $ovs_base/$1/.conf.db.~lock~
> +  NS_EXEC([$1], [ovsdb-tool create $ovs_base/$1/conf.db \
> +                $abs_top_srcdir/vswitchd/vswitch.ovsschema], [0], [], 
> [stderr])
> +
> +  dnl Start ovsdb-server.
> +  NS_EXEC([$1],[ovsdb-server $ovs_base/$1/conf.db --detach --no-chdir 
> \
> +        --log-file=$ovs_base/$1/ovsdb.log 
> --pidfile=$ovs_base/$1/ovsdb.pid \
> +        --remote=punix:$OVS_RUNDIR/$1/db.sock], [0], [], [stderr])
> +  on_exit "kill `cat $ovs_base/$1/ovsdb.pid`"
> +  NS_EXEC([$1], [ovs-vsctl --no-wait init])
> +
> +  dnl Start ovs-vswitchd.
> +  NS_EXEC([$1], [ovs-vswitchd unix:${OVS_RUNDIR}/$1/db.sock --detach 
> \
> +        --no-chdir --pidfile=$ovs_base/$1/vswitchd.pid \
> +        --unixctl=$ovs_base/$1/vswitchd.ctl \
> +        --log-file=$ovs_base/$1/vswitchd.log -vvconn -vofproto_dpif 
> -vunixctl],\
> +        [0], [], [stderr])
> +  on_exit "kill_ovs_vswitchd `cat $ovs_base/$1/vswitchd.pid`"
> +
> +  dnl Start pluto
> +  mkdir -p $ovs_base/$1/ipsec.d
> +  touch $ovs_base/$1/ipsec.conf
> +  touch $ovs_base/$1/secrets
> +  ipsec initnss --nssdir $ovs_base/$1/ipsec.d
> +  NS_CHECK_EXEC([$1], [ipsec pluto --config $ovs_base/$1/ipsec.conf \
> +        --ipsecdir $ovs_base/$1 --nssdir $ovs_base/$1/ipsec.d \
> +        --logfile $ovs_base/$1/pluto.log --secretsfile 
> $ovs_base/$1/secrets \
> +        --rundir $ovs_base/$1], [0], [], [stderr])
> +  on_exit "kill `cat $ovs_base/$1/pluto.pid`"
> +
> +  dnl Start ovs-monitor-ipsec
> +  NS_CHECK_EXEC([$1], [ovs-monitor-ipsec 
> unix:${OVS_RUNDIR}/$1/db.sock\
> +        --pidfile=${OVS_RUNDIR}/$1/ovs-monitor-ipsec.pid 
> --ike-daemon=libreswan\
> +        --ipsec-conf=$ovs_base/$1/ipsec.conf 
> --ipsec-d=$ovs_base/$1/ipsec.d \
> +        --ipsec-secrets=$ovs_base/$1/secrets \
> +        --log-file=$ovs_base/$1/ovs-monitor-ipsec.log \
> +        --ipsec-ctl=$ovs_base/$1/pluto.ctl \
> +        --no-restart-ike-daemon --detach ], [0], [], [stderr])
> +  on_exit "kill `cat $ovs_base/$1/ovs-monitor-ipsec.pid`"
> +
> +  dnl Set up OVS bridge
> +  NS_EXEC([$1], [ovs-vsctl --db unix:$ovs_base/$1/db.sock add-br 
> br-ipsec])]
> +)
> +m4_define([IPSEC_ADD_NODE_LEFT], [IPSEC_ADD_NODE(left, p0, $1, $2)])
> +m4_define([IPSEC_ADD_NODE_RIGHT], [IPSEC_ADD_NODE(right, p1, $1, 
> $2)])
> +
> +dnl OVS_VSCTL([namespace], [sub-command])
> +dnl
> +dnl Runs `ovs-vsctl 'sub-command'` in 'namespace'
> +m4_define([OVS_VSCTL],
> +      [[ip netns exec $1 ovs-vsctl --db unix:$ovs_base/$1/db.sock $2 
> ]])
> +m4_define([OVS_VSCTL_LEFT], [OVS_VSCTL(left, $1)])
> +m4_define([OVS_VSCTL_RIGHT], [OVS_VSCTL(right, $1)])
> +
> +dnl CHECK_LIBRESWAN()
> +dnl
> +dnl Check if necessary Libreswan dependencies are available on the 
> test machine
> +m4_define([CHECK_LIBRESWAN],
> +      [dnl Skip tests if system has not been set up for Libreswan
> +      AT_SKIP_IF([!(ipsec --version | grep Libreswan)])

Guess there is no minimum version we need to check for?

> +      AT_SKIP_IF([test ! -x $(which certutil)])
> +      AT_SKIP_IF([test ! -x $(which pk12util)])
> +      AT_SKIP_IF([test ! -x $(which openssl)])])
> +
> +dnl CHECK_ESP_TRAFFIC()
> +dnl
> +dnl Checks for connectivity between nodes and that the underlay 
> traffic is ESP.
> +m4_define([CHECK_ESP_TRAFFIC],
> +      [dnl Add test interfaces for pinging
> +      NS_EXEC([left], [ip addr add 192.0.0.1/24 dev br-ipsec])
> +      NS_EXEC([left], [ip link set dev br-ipsec up])
> +
> +      NS_EXEC([right], [ip addr add 192.0.0.2/24 dev br-ipsec])
> +      NS_EXEC([right], [ip link set dev br-ipsec up])
> +
> +
> +      dnl Capture any underlay esp packets
> +      tcpdump -l -i ovs-p0 esp > $ovs_base/left/tcpdump.log &
> +      on_exit "kill $!"
> +      tcpdump -l -i ovs-p1 esp > $ovs_base/right/tcpdump.log &
> +      on_exit "kill $!"
> +
> +      dnl Wait a split second for IPsec tunnel to establish
> +      sleep 0.5

Rather than a delay (which was failing in my setup), maybe we can poll in a 
loop, up to some number of times, to check whether the tunnel is up?

> +
> +      dnl Ping over IPsec tunnel
> +      NS_CHECK_EXEC([left], [ping -q -c 3 -i 0.3 -w 2 192.0.0.2 | 
> FORMAT_PING], [0], [dnl
> +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> +])
> +      NS_CHECK_EXEC([right], [ping -q -c 3 -i 0.3 -w 2 192.0.0.1 | 
> FORMAT_PING], [0], [dnl
> +3 packets transmitted, 3 received, 0% packet loss, time 0ms
> +])
> +
> +      dnl Check for esp traffic
> +      AT_CHECK([cat $ovs_base/left/tcpdump.log | grep ESP], [0], 
> [stdout], [stderr])
> +      AT_CHECK([cat $ovs_base/right/tcpdump.log | grep ESP], [0], 
> [stdout], [stderr])]) +
> +AT_SETUP([IPsec -- Libreswan (ipv4, geneve, defaultroute, psk)])
> +AT_KEYWORDS([ipsec libreswan ipv4 geneve psk])
> +dnl Note: Geneve test may not work on older kernels due to 
> CVE-2020-25645
> +dnl https://bugzilla.redhat.com/show_bug.cgi?id=1883988
> +
> +CHECK_LIBRESWAN()
> +OVS_TRAFFIC_VSWITCHD_START()
> +IPSEC_SETUP_UNDERLAY()
> +
> +dnl Set up dummy hosts
> +IPSEC_ADD_NODE_LEFT(10.1.1.1, 10.1.1.2)
> +IPSEC_ADD_NODE_RIGHT(10.1.1.2, 10.1.1.1)
> +
> +dnl Set up IPsec tunnel on 'left' host
> +OVS_VSCTL_LEFT(add-port br-ipsec tun -- set Interface tun type=geneve 
> \
> +          options:remote_ip=10.1.1.2 options:psk=swordfish)
> +
> +dnl Set up IPsec tunnel on 'right' host
> +
> +OVS_VSCTL_RIGHT(add-port br-ipsec tun -- set Interface tun 
> type=geneve \
> +          options:remote_ip=10.1.1.1 options:psk=swordfish)
> +
> +CHECK_ESP_TRAFFIC()
> +
> +OVS_TRAFFIC_VSWITCHD_STOP()
> +AT_CLEANUP
> +
> +AT_SETUP([IPsec -- Libreswan (ipv4, geneve, localip, psk)])
> +AT_KEYWORDS([ipsec libreswan ipv4 geneve psk])
> +dnl Note: Geneve test may not work on older kernels due to 
> CVE-2020-25645
> +dnl https://bugzilla.redhat.com/show_bug.cgi?id=1883988
> +
> +CHECK_LIBRESWAN()
> +OVS_TRAFFIC_VSWITCHD_START()
> +IPSEC_SETUP_UNDERLAY()
> +
> +dnl Set up dummy hosts
> +IPSEC_ADD_NODE_LEFT(10.1.1.1, 10.1.1.2)
> +IPSEC_ADD_NODE_RIGHT(10.1.1.2, 10.1.1.1)
> +
> +dnl Set up IPsec tunnel on 'left' host
> +OVS_VSCTL_LEFT(add-port br-ipsec tun -- set Interface tun type=geneve 
> \
> +          options:remote_ip=10.1.1.2 options:local_ip=10.1.1.1 
> options:psk=swordfish)
> +
> +dnl Set up IPsec tunnel on 'right' host
> +
> +OVS_VSCTL_RIGHT(add-port br-ipsec tun -- set Interface tun 
> type=geneve \
> +          options:remote_ip=10.1.1.1 options:local_ip=10.1.1.2 
> options:psk=swordfish)
> +
> +CHECK_ESP_TRAFFIC()
> +
> +OVS_TRAFFIC_VSWITCHD_STOP()
> +AT_CLEANUP
> +
> +AT_SETUP([IPsec -- Libreswan (ipv4, geneve, defaultroute, 
> self-signed)])
> +AT_KEYWORDS([ipsec libreswan ipv4 geneve self-signed])
> +dnl Note: Geneve test may not work on older kernels due to 
> CVE-2020-25645
> +dnl https://bugzilla.redhat.com/show_bug.cgi?id=1883988
>
Maybe move this note closer to where it would fail, so people will 
notice? I guess at CHECK_ESP_TRAFFIC() below.

> +CHECK_LIBRESWAN()
> +OVS_TRAFFIC_VSWITCHD_START()
> +IPSEC_SETUP_UNDERLAY()
> +
> +dnl Set up dummy hosts
> +IPSEC_ADD_NODE_LEFT(10.1.1.1, 10.1.1.2)
> +IPSEC_ADD_NODE_RIGHT(10.1.1.2, 10.1.1.1)
> +
> +dnl Create and set self-signed certs
> +ovs-pki -b -d ${ovs_base} -l ${ovs_base}/ovs-pki.log req -u left
> +ovs-pki -b -d ${ovs_base} -l ${ovs_base}/ovs-pki.log req -u right
> +ovs-pki -b -d ${ovs_base} -l ${ovs_base}/ovs-pki.log self-sign left
> +ovs-pki -b -d ${ovs_base} -l ${ovs_base}/ovs-pki.log self-sign right
> +OVS_VSCTL_LEFT(set Open_vSwitch . \
> +      other_config:certificate=${ovs_base}/left-cert.pem \
> +      other_config:private_key=${ovs_base}/left-privkey.pem)
> +OVS_VSCTL_RIGHT(set Open_vSwitch . \
> +      other_config:certificate=${ovs_base}/right-cert.pem \
> +      other_config:private_key=${ovs_base}/right-privkey.pem)
> +
> +dnl Set up IPsec tunnel on 'left' host
> +OVS_VSCTL_LEFT(add-port br-ipsec tun -- set Interface tun type=geneve 
> \
> +          options:remote_ip=10.1.1.2 
> options:remote_cert=${ovs_base}/right-cert.pem)
> +
> +dnl Set up IPsec tunnel on 'right' host
> +
> +OVS_VSCTL_RIGHT(add-port br-ipsec tun -- set Interface tun 
> type=geneve \
> +          options:remote_ip=10.1.1.1 
> options:remote_cert=${ovs_base}/left-cert.pem)
> +
> +CHECK_ESP_TRAFFIC()
> +
> +OVS_TRAFFIC_VSWITCHD_STOP()
> +AT_CLEANUP
> +
> +AT_SETUP([IPsec -- Libreswan (ipv4, geneve, defaultroute, 
> ca-signed)])
> +AT_KEYWORDS([ipsec libreswan ipv4 geneve ca-signed])
> +dnl Note: Geneve test may not work on older kernels due to 
> CVE-2020-25645
> +dnl https://bugzilla.redhat.com/show_bug.cgi?id=1883988
> +
> +CHECK_LIBRESWAN()
> +OVS_TRAFFIC_VSWITCHD_START()
> +IPSEC_SETUP_UNDERLAY()
> +
> +dnl Set up dummy hosts
> +IPSEC_ADD_NODE_LEFT(10.1.1.1, 10.1.1.2)
> +IPSEC_ADD_NODE_RIGHT(10.1.1.2, 10.1.1.1)
> +
> +dnl Create and set ca-signed certs
> +ovs-pki --force -b --dir=${ovs_base} -l ${ovs_base}/ovs-pki.log init
> +ovs-pki -b --dir=${ovs_base} -l ${ovs_base}/ovs-pki.log req+sign -u 
> left
> +ovs-pki -b --dir=${ovs_base} -l ${ovs_base}/ovs-pki.log req+sign -u 
> right
> +OVS_VSCTL_LEFT(set Open_vSwitch . \
> +      other_config:ca_cert=${ovs_base}/switchca/cacert.pem \
> +      other_config:certificate=${ovs_base}/left-cert.pem \
> +      other_config:private_key=${ovs_base}/left-privkey.pem)
> +OVS_VSCTL_RIGHT(set Open_vSwitch . \
> +      other_config:ca_cert=${ovs_base}/switchca/cacert.pem \
> +      other_config:certificate=${ovs_base}/right-cert.pem \
> +      other_config:private_key=${ovs_base}/right-privkey.pem)
> +
> +dnl Set up IPsec tunnel on 'left' host
> +OVS_VSCTL_LEFT(add-port br-ipsec tun -- set Interface tun type=geneve 
> \
> +          options:remote_ip=10.1.1.2 options:remote_name=right)
> +
> +dnl Set up IPsec tunnel on 'right' host
> +OVS_VSCTL_RIGHT(add-port br-ipsec tun -- set Interface tun 
> type=geneve \
> +          options:remote_ip=10.1.1.1 options:remote_name=left)
> +
> +CHECK_ESP_TRAFFIC()
> +
> +OVS_TRAFFIC_VSWITCHD_STOP()
> +AT_CLEANUP
> +
> +AT_SETUP([IPsec -- Libreswan (ipv4, gre, defaultroute, psk)])
> +AT_KEYWORDS([ipsec libreswan ipv4 gre psk])
> +
> +CHECK_LIBRESWAN()
> +OVS_TRAFFIC_VSWITCHD_START()
> +IPSEC_SETUP_UNDERLAY()
> +
> +dnl Set up dummy hosts
> +IPSEC_ADD_NODE_LEFT(10.1.1.1, 10.1.1.2)
> +IPSEC_ADD_NODE_RIGHT(10.1.1.2, 10.1.1.1)
> +
> +dnl Set up IPsec tunnel on 'left' host
> +OVS_VSCTL_LEFT(add-port br-ipsec tun -- set Interface tun type=gre \
> +          options:remote_ip=10.1.1.2 options:psk=swordfish)
> +
> +dnl Set up IPsec tunnel on 'right' host
> +
> +OVS_VSCTL_RIGHT(add-port br-ipsec tun -- set Interface tun type=gre \
> +          options:remote_ip=10.1.1.1 options:psk=swordfish)
> +
> +CHECK_ESP_TRAFFIC()
> +
> +OVS_TRAFFIC_VSWITCHD_STOP()
> +AT_CLEANUP
> +
> +AT_SETUP([IPsec -- Libreswan (ipv4, vxlan, defaultroute, psk)])
> +AT_KEYWORDS([ipsec libreswan ipv4, vxlan psk])
> +
> +CHECK_LIBRESWAN()
> +OVS_TRAFFIC_VSWITCHD_START()
> +IPSEC_SETUP_UNDERLAY()
> +
> +dnl Set up dummy hosts
> +IPSEC_ADD_NODE_LEFT(10.1.1.1, 10.1.1.2)
> +IPSEC_ADD_NODE_RIGHT(10.1.1.2, 10.1.1.1)
> +
> +dnl Set up IPsec tunnel on 'left' host
> +OVS_VSCTL_LEFT(add-port br-ipsec tun -- set Interface tun type=vxlan 
> \
> +          options:remote_ip=10.1.1.2 options:psk=swordfish)
> +
> +dnl Set up IPsec tunnel on 'right' host
> +
> +OVS_VSCTL_RIGHT(add-port br-ipsec tun -- set Interface tun type=vxlan 
> \
> +          options:remote_ip=10.1.1.1 options:psk=swordfish)
> +
> +CHECK_ESP_TRAFFIC()
> +
> +OVS_TRAFFIC_VSWITCHD_STOP()
> +AT_CLEANUP
> +
> +AT_SETUP([IPsec -- Libreswan (ipv6, vxlan, defaultroute, psk)])
> +AT_KEYWORDS([ipsec libreswan ipv6 vxlan psk])
> +
> +CHECK_LIBRESWAN()
> +OVS_TRAFFIC_VSWITCHD_START()
> +IPSEC_SETUP_UNDERLAY()
> +
> +dnl Set up dummy hosts
> +IPSEC_ADD_NODE_LEFT(fd01::101, fd01::102)
> +IPSEC_ADD_NODE_RIGHT(fd01::102, fd01::101)
> +
> +dnl Set up IPsec tunnel on 'left' host
> +OVS_VSCTL_LEFT(add-port br-ipsec tun -- set Interface tun type=vxlan 
> \
> +          options:remote_ip=fd01::102 options:psk=swordfish)
> +
> +dnl Set up IPsec tunnel on 'right' host
> +OVS_VSCTL_RIGHT(add-port br-ipsec tun -- set Interface tun type=vxlan 
> \
> +          options:remote_ip=fd01::101 options:psk=swordfish)
> +
> +CHECK_ESP_TRAFFIC()
> +
> +OVS_TRAFFIC_VSWITCHD_STOP()
> +AT_CLEANUP
> +
> +AT_SETUP([IPsec -- Libreswan (ipv6, vxlan, localip, psk)])
> +AT_KEYWORDS([ipsec libreswan ipv6 vxlan psk])
> +
> +CHECK_LIBRESWAN()
> +OVS_TRAFFIC_VSWITCHD_START()
> +IPSEC_SETUP_UNDERLAY()
> +
> +dnl Set up dummy hosts
> +IPSEC_ADD_NODE_LEFT(fd01::101, fd01::102)
> +IPSEC_ADD_NODE_RIGHT(fd01::102, fd01::101)
> +
> +dnl Set up IPsec tunnel on 'left' host
> +OVS_VSCTL_LEFT(add-port br-ipsec tun -- set Interface tun type=vxlan 
> \
> +          options:remote_ip=fd01::102 options:local_ip=fd01::101 
> options:psk=swordfish)
> +
> +dnl Set up IPsec tunnel on 'right' host
> +OVS_VSCTL_RIGHT(add-port br-ipsec tun -- set Interface tun type=vxlan 
> \
> +          options:remote_ip=fd01::101 options:local_ip=fd01::102 
> options:psk=swordfish)
> +
> +CHECK_ESP_TRAFFIC()
> +
> +OVS_TRAFFIC_VSWITCHD_STOP()
> +AT_CLEANUP
> +
> +AT_SETUP([IPsec -- Libreswan (ipv6, geneve, defaultroute, psk)])
> +AT_KEYWORDS([ipsec libreswan ipv6 geneve psk])
> +dnl Note: Geneve test may not work on older kernels due to 
> CVE-2020-25645
> +dnl https://bugzilla.redhat.com/show_bug.cgi?id=1883988
> +
> +CHECK_LIBRESWAN()
> +OVS_TRAFFIC_VSWITCHD_START()
> +IPSEC_SETUP_UNDERLAY()
> +
> +dnl Set up dummy hosts
> +IPSEC_ADD_NODE_LEFT(fd01::101, fd01::102)
> +IPSEC_ADD_NODE_RIGHT(fd01::102, fd01::101)
> +
> +dnl Set up IPsec tunnel on 'left' host
> +OVS_VSCTL_LEFT(add-port br-ipsec tun -- set Interface tun type=geneve 
> \
> +          options:remote_ip=fd01::102 options:psk=swordfish)
> +
> +dnl Set up IPsec tunnel on 'right' host
> +OVS_VSCTL_RIGHT(add-port br-ipsec tun -- set Interface tun 
> type=geneve \
> +          options:remote_ip=fd01::101 options:psk=swordfish)
> +
> +CHECK_ESP_TRAFFIC()
> +
> +OVS_TRAFFIC_VSWITCHD_STOP()
> +AT_CLEANUP
> \ No newline at end of file
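Review bot: CHECK_ESP_TRAFFIC cannot detect the failure mode the test exists to catch: both captures use the `esp` filter, so `grep ESP` only proves that some ESP packets were seen, while plaintext tunnel traffic (Geneve/VXLAN UDP or GRE sent before the SA is up, or after a policy failure) never reaches the log at all. A second capture without the `esp` filter that asserts the outer tunnel protocol is absent would make the "traffic is encrypted" claim real; since the tunnel type differs per test, the macro needs the cleartext filter as a parameter, e.g. `CHECK_ESP_TRAFFIC([udp port 6081])` for the Geneve tests. Two smaller points in the same hunk: `AT_KEYWORDS([ipsec libreswan ipv4, vxlan psk])` in the ipv4/vxlan test has a stray comma, so `-k ipv4` will not select it (`AT_KEYWORDS([ipsec libreswan ipv4 vxlan psk])`), and IPSEC_ADD_NODE hard-codes `/24` in `ADD_VETH($2, $1, br0, $3/24)`, which the fd01:: tests inherit; passing the prefix length with the address would be clearer.
```m4
m4_define([CHECK_ESP_TRAFFIC],
      [dnl … unchanged: br-ipsec addresses and link up …

      dnl … unchanged: esp captures on ovs-p0 / ovs-p1 …
      dnl Also capture anything matching the caller-supplied cleartext
      dnl filter ($1); with IPsec up this must stay empty.
      tcpdump -l -i ovs-p0 $1 > $ovs_base/left/tcpdump-clear.log &
      on_exit "kill $!"
      tcpdump -l -i ovs-p1 $1 > $ovs_base/right/tcpdump-clear.log &
      on_exit "kill $!"

      dnl … unchanged: wait for tunnel, ping both ways, grep ESP …

      dnl No cleartext tunnel packets may have crossed the underlay
      AT_CHECK([test ! -s $ovs_base/left/tcpdump-clear.log])
      AT_CHECK([test ! -s $ovs_base/right/tcpdump-clear.log])])
```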
> diff --git a/tests/system-kmod-testsuite.at 
> b/tests/system-kmod-testsuite.at
> index 3de0290c02f4..a595baf92987 100644
> --- a/tests/system-kmod-testsuite.at
> +++ b/tests/system-kmod-testsuite.at
> @@ -25,3 +25,4 @@ m4_include([tests/system-kmod-macros.at])
>  m4_include([tests/system-traffic.at])
>  m4_include([tests/system-layer3-tunnels.at])
>  m4_include([tests/system-interface.at])
> +m4_include([tests/system-ipsec.at])
> -- 
> 2.27.0
>