From 57c2b152c5f0866be5bf1acda2f341ba26ba9448 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A1t=C3=A9=20Eckl?=
Date: Wed, 5 Sep 2018 11:16:44 +0200
Subject: src: add ipsec (xfrm) expression
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This allows matching on ipsec tunnel/beet addresses in xfrm state associated with a packet, ipsec request id and the SPI.

Examples:
ipsec in ip saddr 192.168.1.0/24
ipsec out ip6 daddr @endpoints
ipsec in spi 1-65536

Joint work with Florian Westphal.

Cc: Máté Eckl
Signed-off-by: Florian Westphal
---
tests/py/inet/ipsec.t | 21 +++++++
tests/py/inet/ipsec.t.json | 136 ++++++++++++++++++++++++++++++++++++++++++
tests/py/inet/ipsec.t.payload | 40 +++++++++++++
3 files changed, 197 insertions(+)
create mode 100644 tests/py/inet/ipsec.t
create mode 100644 tests/py/inet/ipsec.t.json
create mode 100644 tests/py/inet/ipsec.t.payload
(limited to 'tests/py')

diff --git a/tests/py/inet/ipsec.t b/tests/py/inet/ipsec.t
new file mode 100644
index 00000000..e924e9bc
--- /dev/null
+++ b/tests/py/inet/ipsec.t
@@ -0,0 +1,21 @@
+:ipsec-forw;type filter hook forward priority 0
+
+*ip;ipsec-ip4;ipsec-forw
+*ip6;ipsec-ip6;ipsec-forw
+*inet;ipsec-inet;ipsec-forw
+
+ipsec in reqid 1;ok
+ipsec in spnum 0 reqid 1;ok;ipsec in reqid 1
+
+ipsec out reqid 0xffffffff;ok;ipsec out reqid 4294967295
+ipsec out spnum 0x100000000;fail
+
+ipsec i reqid 1;fail
+
+ipsec out spi 1-561;ok
+
+ipsec in spnum 2 ip saddr { 1.2.3.4, 10.6.0.0/16 };ok
+ipsec in ip6 daddr dead::beef;ok
+ipsec out ip6 saddr dead::feed;ok
+
+ipsec in spnum 256 reqid 1;fail
diff --git a/tests/py/inet/ipsec.t.json b/tests/py/inet/ipsec.t.json
new file mode 100644
index 00000000..d7d3a03c
--- /dev/null
+++ b/tests/py/inet/ipsec.t.json
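Review bot: `ipsec out spnum 0x100000000;fail` in ipsec.t passes as soon as the parser rejects a rule that names no key at all (there is no reqid/spi/saddr/daddr after the spnum), so it does not demonstrate that an out-of-range spnum is refused; the other bound test, `ipsec in spnum 256 reqid 1;fail`, does carry a key. If the intent is the range check, make it `ipsec out spnum 0x100000000 reqid 1;fail`. The only accepted non-zero spnum is `spnum 2`, so an in-range upper value such as `ipsec out spnum 255 reqid 1;ok` would pin the boundary from the other side, assuming 255 is the limit that the 256 failure implies.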
@@ -0,0 +1,136 @@
+# ipsec in reqid 1
+[
+ {
+ "match": {
+ "left": {
+ "ipsec": {
+ "dir": "in",
+ "key": "reqid",
+ "spnum": 0
+ }
+ },
+ "op": "==",
+ "right": 1
+ }
+ }
+]
+
+# ipsec in spnum 0 reqid 1
+[
+ {
+ "match": {
+ "left": {
+ "ipsec": {
+ "dir": "in",
+ "key": "reqid",
+ "spnum": 0
+ }
+ },
+ "op": "==",
+ "right": 1
+ }
+ }
+]
+
+# ipsec out reqid 0xffffffff
+[
+ {
+ "match": {
+ "left": {
+ "ipsec": {
+ "dir": "out",
+ "key": "reqid",
+ "spnum": 0
+ }
+ },
+ "op": "==",
+ "right": 4294967295
+ }
+ }
+]
+
+# ipsec out spi 1-561
+[
+ {
+ "match": {
+ "left": {
+ "ipsec": {
+ "dir": "out",
+ "key": "spi",
+ "spnum": 0
+ }
+ },
+ "op": "==",
+ "right": {
+ "range": [
+ 1,
+ 561
+ ]
+ }
+ }
+ }
+]
+
+# ipsec in spnum 2 ip saddr { 1.2.3.4, 10.6.0.0/16 }
+[
+ {
+ "match": {
+ "left": {
+ "ipsec": {
+ "dir": "in",
+ "family": "ip",
+ "key": "saddr",
+ "spnum": 2
+ }
+ },
+ "op": "==",
+ "right": {
+ "set": [
+ "1.2.3.4",
+ {
+ "prefix": {
+ "addr": "10.6.0.0",
+ "len": 16
+ }
+ }
+ ]
+ }
+ }
+ }
+]
+
+# ipsec in ip6 daddr dead::beef
+[
+ {
+ "match": {
+ "left": {
+ "ipsec": {
+ "dir": "in",
+ "family": "ip6",
+ "key": "daddr",
+ "spnum": 0
+ }
+ },
+ "op": "==",
+ "right": "dead::beef"
+ }
+ }
+]
+
+# ipsec out ip6 saddr dead::feed
+[
+ {
+ "match": {
+ "left": {
+ "ipsec": {
+ "dir": "out",
+ "family": "ip6",
+ "key": "saddr",
+ "spnum": 0
+ }
+ },
+ "op": "==",
+ "right": "dead::feed"
+ }
+ }
+]
diff --git a/tests/py/inet/ipsec.t.payload b/tests/py/inet/ipsec.t.payload
new file mode 100644
index 00000000..6049c664
--- /dev/null
+++ b/tests/py/inet/ipsec.t.payload
@@ -0,0 +1,40 @@
+# ipsec in reqid 1
+ip ipsec-ip4 ipsec-input
+ [ xfrm load in 0 reqid => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# ipsec in spnum 0 reqid 1
+ip ipsec-ip4 ipsec-input
+ [ xfrm load in 0 reqid => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# ipsec out reqid 0xffffffff
+ip ipsec-ip4 ipsec-input
+ [ xfrm load out 0 reqid => reg 1 ]
+ [ cmp eq reg 1 0xffffffff ]
+
+# ipsec out spi 1-561
+inet ipsec-inet ipsec-post
+ [ xfrm load out 0 spi => reg 1 ]
+ [ byteorder reg 1 = hton(reg 1, 4, 4) ]
+ [ cmp gte reg 1 0x01000000 ]
+ [ cmp lte reg 1 0x31020000 ]
+
+# ipsec in spnum 2 ip saddr { 1.2.3.4, 10.6.0.0/16 }
+__set%d ipsec-ip4 7 size 5
+__set%d ipsec-ip4 0
+ element 00000000 : 1 [end] element 04030201 : 0 [end] element 05030201 : 1 [end] element 0000060a : 0 [end] element 0000070a : 1 [end]
+ip ipsec-ip4 ipsec-input
+ [ xfrm load in 2 saddr4 => reg 1 ]
+ [ lookup reg 1 set __set%d ]
+
+# ipsec in ip6 daddr dead::beef
+ip ipsec-ip4 ipsec-forw
+ [ xfrm load in 0 daddr6 => reg 1 ]
+ [ cmp eq reg 1 0x0000adde 0x00000000 0x00000000 0xefbe0000 ]
+
+# ipsec out ip6 saddr dead::feed
+ip ipsec-ip4 ipsec-forw
+ [ xfrm load out 0 saddr6 => reg 1 ]
+ [ cmp eq reg 1 0x0000adde 0x00000000 0x00000000 0xedfe0000 ]
+
-- cgit v1.2.3
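Review bot: The `family table chain` header lines in this payload are inconsistent with ipsec.t, which declares only chain `ipsec-forw` in tables ipsec-ip4, ipsec-ip6 and ipsec-inet: the reqid and saddr entries use `ip ipsec-ip4 ipsec-input`, the spi range uses `inet ipsec-inet ipsec-post`, and only the two ip6 entries use the declared `ip ipsec-ip4 ipsec-forw`. If the harness compares these header lines literally against the `--debug=netlink` output of the rules it loads, those entries will not match; if it ignores them, the stale names are still misleading to the next person editing the file. Normalising every header to `ip ipsec-ip4 ipsec-forw` (the first table listed in ipsec.t) keeps the expectations consistent either way.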