
2 # SPDX-License-Identifier: GPL-2.0
4 # Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
24 set -e
# Per-run network namespace names; embedding the script pid ($$) keeps
# concurrent test runs from colliding on namespace names.
netns0=wg-test-$$-0
netns1=wg-test-$$-1
netns2=wg-test-$$-2
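# Print a green, bold "[+]" progress line to fd 3 (the caller is expected to
# have fd 3 open, e.g. as a copy of the original stdout).
# Arguments: $1 - namespace index; empty to omit the "NSn: " prefix
#            $2 - message text (typically the command about to run)
# Uses printf '%s' rather than `echo -e` so that a backslash inside the
# message is printed literally instead of being expanded as an escape.
pretty() { printf '\x1b[32m\x1b[1m[+] %s%s\x1b[0m\n' "${1:+NS$1: }" "$2" >&3; }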
# Run "$@": when called from a subshell (BASHPID differs from the script's
# own $$) replace that subshell with the command via exec, so the subshell's
# pid is the command's pid; in the main shell just invoke it normally.
# Returns the command's exit status in the non-exec case.
maybe_exec() { if (( BASHPID != $$ )); then exec "$@"; fi; "$@"; }
# ip(8) in namespace 0: log the command via pretty(), then run it with
# `ip -n "$netns0"`. All arguments are passed through unchanged.
ip0() { local ns=$netns0; pretty 0 "ip $*"; ip -n "$ns" "$@"; }
# ip(8) in namespace 1: log the command via pretty(), then run it with
# `ip -n "$netns1"`. All arguments are passed through unchanged.
ip1() { local ns=$netns1; pretty 1 "ip $*"; ip -n "$ns" "$@"; }
# ip(8) in namespace 2: log the command via pretty(), then run it with
# `ip -n "$netns2"`. All arguments are passed through unchanged.
ip2() { local ns=$netns2; pretty 2 "ip $*"; ip -n "$ns" "$@"; }
# Replacement for sleep(1): wait up to $1 seconds for one byte on stdin
# instead of forking a sleep process. It only waits the full duration if
# stdin delivers no data — presumably the script arranges stdin that way;
# confirm against how stdin is set up. Always returns 0 (timeout or EOF is
# not treated as an error); a byte that does arrive ends up in REPLY.
sleep() { read -N 1 -t "$1" || :; }
42 waitiperf() { pretty "${1//*-}" "wait for iperf:${3:-5201} pid $2"; while [[ $(ss -N "$1" -tlpH "sp…
43 waitncatudp() { pretty "${1//*-}" "wait for udp:1111 pid $2"; while [[ $(ss -N "$1" -ulpH 'sport = …
44 …tty "${1//*-}" "wait for $2 to come up"; ip netns exec "$1" bash -c "while [[ \$(< \"/sys/class/ne…
57 [[ -n $to_kill ]] && kill $to_kill
74 ip0 link set up dev lo
89 [[ -n $key1 && -n $key2 && -n $psk ]]
99 private-key <(echo "$key1") \
100 listen-port 1 \
102 preshared-key <(echo "$psk") \
103 allowed-ips 192.168.241.2/32,fd00::2/128
105 private-key <(echo "$key2") \
106 listen-port 2 \
108 preshared-key <(echo "$psk") \
109 allowed-ips 192.168.241.1/32,fd00::1/128
111 ip1 link set up dev wg0
112 ip2 link set up dev wg0
118 n2 ping -c 10 -f -W 1 192.168.241.1
119 n1 ping -c 10 -f -W 1 192.168.241.2
122 n2 ping6 -c 10 -f -W 1 fd00::1
123 n1 ping6 -c 10 -f -W 1 fd00::2
126 n2 iperf3 -s -1 -B 192.168.241.2 &
128 n1 iperf3 -Z -t 3 -c 192.168.241.2
131 n1 iperf3 -s -1 -B fd00::1 &
133 n2 iperf3 -Z -t 3 -c fd00::1
136 n1 iperf3 -s -1 -B 192.168.241.1 &
138 n2 iperf3 -Z -t 3 -b 0 -u -c 192.168.241.1
141 n2 iperf3 -s -1 -B fd00::2 &
143 n1 iperf3 -Z -t 3 -b 0 -u -c fd00::2
149 n2 iperf3 -p $(( 5200 + i )) -s -1 -B 192.168.241.2 &
153 n1 iperf3 -Z -t 3 -p $(( 5200 + i )) -c 192.168.241.2 &
159 [[ $(ip1 link show dev wg0) =~ mtu\ ([0-9]+) ]] && orig_mtu="${BASH_REMATCH[1]}"
160 big_mtu=$(( 34816 - 1500 + $orig_mtu ))
166 n2 ping -c 10 -f -W 1 192.168.241.1
167 { read _; read _; read _; read rx_bytes _; read _; read tx_bytes _; } < <(ip2 -stats link show dev …
169 { read _; read _; read _; read rx_bytes _; read _; read tx_bytes _; } < <(ip1 -stats link show dev …
175 read _ timestamp < <(n1 wg show wg0 latest-handshakes)
194 # Test that route MTUs work with the padding
199 n0 iptables -A INPUT -m length --length 1360 -j DROP
200 n1 ip route add 192.168.241.2/32 dev wg0 mtu 1299
201 n2 ip route add 192.168.241.1/32 dev wg0 mtu 1299
202 n2 ping -c 1 -W 1 -s 1269 192.168.241.1
203 n2 ip route delete 192.168.241.1/32 dev wg0 mtu 1299
204 n1 ip route delete 192.168.241.2/32 dev wg0 mtu 1299
205 n0 iptables -F INPUT
211 ip0 -4 addr del 127.0.0.1/8 dev lo
212 ip0 -4 addr add 127.212.121.99/8 dev lo
213 n1 wg set wg0 listen-port 9999
215 n1 ping6 -W 1 -c 1 fd00::2
219 n1 wg set wg0 listen-port 9998
221 n1 ping -W 1 -c 1 192.168.241.2
224 # Test that crypto-RP filter works
225 n1 wg set wg0 peer "$pub2" allowed-ips 192.168.241.0/24
226 exec 4< <(n1 ncat -l -u -p 1111)
229 n2 ncat -u 192.168.241.1 1111 <<<"X"
230 read -r -N 1 -t 1 out <&4 && [[ $out == "X" ]]
233 n1 wg set wg0 peer "$more_specific_key" allowed-ips 192.168.241.2/32
234 n2 wg set wg0 listen-port 9997
235 exec 4< <(n1 ncat -l -u -p 1111)
238 n2 ncat -u 192.168.241.1 1111 <<<"X"
239 ! read -r -N 1 -t 1 out <&4 || false
245 n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk") allowed-ips 192…
246 n2 wg set wg0 private-key <(echo "$key2") listen-port 2 peer "$pub1" preshared-key <(echo "$psk") a…
247 n1 ping -W 1 -c 1 192.168.241.2
248 n1 wg set wg0 private-key <(echo "$key3")
249 n2 wg set wg0 peer "$pub3" preshared-key <(echo "$psk") allowed-ips 192.168.241.1/32 peer "$pub1" r…
250 n1 ping -W 1 -c 1 192.168.241.2
253 # Test that we can route wg through wg
258 n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk") allowed-ips fd0…
259 n2 wg set wg0 private-key <(echo "$key2") listen-port 2 peer "$pub1" preshared-key <(echo "$psk") a…
266 ip1 link set mtu 1340 up dev wg1
267 ip2 link set mtu 1340 up dev wg1
268 n1 wg set wg1 listen-port 5 private-key <(echo "$key3") peer "$pub4" allowed-ips 192.168.241.2/32,f…
269 n2 wg set wg1 listen-port 5 private-key <(echo "$key4") peer "$pub3" allowed-ips 192.168.241.1/32,f…
271 # Try to set up a routing loop between the two namespaces
274 ip0 link set up dev wg1
275 n0 ping -W 1 -c 1 192.168.241.2
280 ! n0 ping -W 1 -c 10 -f 192.168.241.2 || false
283 (( tx_bytes_after - tx_bytes_before < 70000 ))
308 ip0 link set vethrc up
309 ip0 link set vethrs up
313 ip1 link set vethc up
314 ip1 route add default via 192.168.1.1
316 ip2 link set veths up
322 n0 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
323 n0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout'
324 n0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream'
325 n0 iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.0.0.0/24 -j SNAT --to 10.0.0.1
327 n1 wg set wg0 peer "$pub2" endpoint 10.0.0.100:2 persistent-keepalive 1
328 n1 ping -W 1 -c 1 192.168.241.2
329 n2 ping -W 1 -c 1 192.168.241.1
331 …kets to n1, since persistent-keepalive will prevent connection tracking entry from expiring (to se…
333 n2 ping -W 1 -c 1 192.168.241.1
334 n1 wg set wg0 peer "$pub2" persistent-keepalive 0
337 n1 ping -I wg0 -c 1 -W 1 192.168.241.2
339 n1 iptables -t mangle -I OUTPUT -j MARK --set-xmark 1
340 n1 ping -c 1 -W 1 192.168.241.2 # First the boring case
341 n1 ping -I wg0 -c 1 -W 1 192.168.241.2 # Then the sk_bound_dev_if case
342 n1 iptables -t mangle -D OUTPUT -j MARK --set-xmark 1
345 n1 wg set wg0 peer "$pub3" allowed-ips 192.168.242.2/32 endpoint 192.168.241.2:5
349 n2 wg set wg1 private-key <(echo "$key3") listen-port 5 peer "$pub1" allowed-ips 192.168.242.1/32
350 ip2 link set wg1 up
351 n1 ping -W 1 -c 1 192.168.242.2
354 ! n1 ping -W 1 -c 1 192.168.242.2 || false # Should not crash kernel
358 # Do a wg-quick(8)-style policy routing for the default route, making sure vethc has a v6 address t…
359 ip1 -6 addr add fc00::9/96 dev vethc
360 ip1 -6 route add default via fc00::1
361 ip2 -4 addr add 192.168.99.7/32 dev wg0
362 ip2 -6 addr add abab::1111/128 dev wg0
363 n1 wg set wg0 fwmark 51820 peer "$pub2" allowed-ips 192.168.99.7,abab::1111
364 ip1 -6 route add default dev wg0 table 51820
365 ip1 -6 rule add not fwmark 51820 table 51820
366 ip1 -6 rule add table main suppress_prefixlength 0
367 ip1 -4 route add default dev wg0 table 51820
368 ip1 -4 rule add not fwmark 51820 table 51820
369 ip1 -4 rule add table main suppress_prefixlength 0
370 n1 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/vethc/rp_filter'
372 n1 ping -W 1 -c 100 -f 192.168.99.7
373 n1 ping -W 1 -c 100 -f abab::1111
375 # Have ns2 NAT into wg0 packets from ns0, but return an icmp error along the right route.
376 n2 iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 192.168.241.0/24 -j SNAT --to 192.168.241.2
377 n0 iptables -t filter -A INPUT \! -s 10.0.0.0/24 -i vethrs -j DROP # Manual rpfilter just to be exp…
378 n2 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
379 ip0 -4 route add 192.168.241.1 via 10.0.0.100
381 [[ $(! n0 ping -W 1 -c 1 192.168.241.1 || false) == *"From 10.0.0.100 icmp_seq=1 Destination Host U…
383 n0 iptables -t nat -F
384 n0 iptables -t filter -F
385 n2 iptables -t nat -F
408 n1 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/all/accept_dad'
409 n2 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/all/accept_dad'
410 n1 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/veth1/accept_dad'
411 n2 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/veth2/accept_dad'
412 n1 bash -c 'printf 1 > /proc/sys/net/ipv4/conf/veth1/promote_secondaries'
419 ip1 link set veth1 up
420 ip2 link set veth2 up
424 n1 ping -W 1 -c 1 192.168.241.2
427 n1 ping -W 1 -c 1 192.168.241.2
429 n1 ping -W 1 -c 1 192.168.241.2
432 n1 ping -W 1 -c 1 192.168.241.2
445 ip1 link set veth1 up
446 ip2 link set veth2 up
450 n2 ping -W 1 -c 1 192.168.241.1
453 n2 ping -W 1 -c 1 192.168.241.1
456 n2 ping -W 1 -c 1 192.168.241.1
459 n2 ping -W 1 -c 1 192.168.241.1
462 …t happens if the inbound destination address belongs to a different interface as the default route?
465 ip1 link set dummy0 up
466 ip2 route add 10.50.0.0/24 dev veth2
468 n2 ping -W 1 -c 1 192.168.241.1
474 ip1 route flush dev veth1
475 ip2 route flush dev veth2
477 # Now we see what happens if another interface route takes precedence over an ongoing one
483 ip1 link set veth1 up
484 ip2 link set veth2 up
485 ip1 link set veth3 up
486 ip2 link set veth4 up
491 ip1 route flush dev veth1
492 ip1 route flush dev veth3
493 ip1 route add 10.0.0.0/24 dev veth1 src 10.0.0.1 metric 2
495 n1 ping -W 1 -c 1 192.168.241.2
497 ip1 route add 10.0.0.0/24 dev veth3 src 10.0.0.3 metric 1
498 n1 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/veth1/rp_filter'
499 n2 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/veth4/rp_filter'
500 n1 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/all/rp_filter'
501 n2 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/all/rp_filter'
502 n1 ping -W 1 -c 1 192.168.241.2
520 for ip in $(n0 wg show wg0 allowed-ips); do
535 while read -r line; do
542 done < <(n0 wg show wg0 allowed-ips)
565 n0 wg set wg0 peer "$pub2" allowed-ips "$allowedips"
567 read -r pub allowedips
569 read -r pub allowedips
576 } < <(n0 wg show wg0 allowed-ips)
582 n0 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk")
583 [[ $(n0 wg show wg0 private-key) == "$key1" ]]
584 [[ $(n0 wg show wg0 preshared-keys) == "$pub2 $psk" ]]
585 n0 wg set wg0 private-key /dev/null peer "$pub2" preshared-key /dev/null
586 [[ $(n0 wg show wg0 private-key) == "(none)" ]]
587 [[ $(n0 wg show wg0 preshared-keys) == "$pub2 (none)" ]]
589 n0 wg set wg0 private-key <(echo "$key2")
590 [[ $(n0 wg show wg0 public-key) == "$pub2" ]]
591 [[ -z $(n0 wg show wg0 peers) ]]
593 [[ -z $(n0 wg show wg0 peers) ]]
594 n0 wg set wg0 private-key <(echo "$key1")
597 n0 wg set wg0 private-key <(echo "/${key1:1}")
598 [[ $(n0 wg show wg0 private-key) == "+${key1:1}" ]]
599 n0 wg set wg0 peer "$pub2" allowed-ips 0.0.0.0/0,10.0.0.0/8,100.0.0.0/10,172.16.0.0/12,192.168.0.0/…
600 n0 wg set wg0 peer "$pub2" allowed-ips 0.0.0.0/0
601 n0 wg set wg0 peer "$pub2" allowed-ips ::/0,1700::/111,5000::/4,e000::/37,9000::/75
602 n0 wg set wg0 peer "$pub2" allowed-ips ::/0
605 n0 wg set wg0 peer "$low_order_point" persistent-keepalive 1 endpoint 127.0.0.1:1111
607 [[ -n $(n0 wg show wg0 peers) ]]
608 exec 4< <(n0 ncat -l -u -p 1111)
611 ip0 link set wg0 up
612 ! read -r -n 1 -t 2 <&4 || false
624 ip1 link set veth1 up
625 ip2 link set veth2 up
628 ip1 -6 route add default dev veth1 via fd00:aa::2
629 ip2 -6 route add default dev veth2 via fd00:aa::1
632 n1 ping6 -c 1 fd00::2
649 declare -A objects
650 while read -t 0.1 -r line 2>/dev/null || [[ $? -ne 142 ]]; do
651 [[ $line =~ .*(wg[0-9]+:\ [A-Z][a-z]+\ ?[0-9]*)\ .*(created|destroyed).* ]] || continue
661 [[ $alldeleted -eq 1 ]]