xref: /aosp_15_r20/external/linux-kselftest/tools/testing/selftests/wireguard/netns.sh (revision 053f45be4e351dfd5e965df293cd45b779f579ee) 
1*053f45beSAndroid Build Coastguard Worker#!/bin/bash
2*053f45beSAndroid Build Coastguard Worker# SPDX-License-Identifier: GPL-2.0
3*053f45beSAndroid Build Coastguard Worker#
4*053f45beSAndroid Build Coastguard Worker# Copyright (C) 2015-2019 Jason A. Donenfeld <[email protected]>. All Rights Reserved.
5*053f45beSAndroid Build Coastguard Worker#
6*053f45beSAndroid Build Coastguard Worker# This script tests the below topology:
7*053f45beSAndroid Build Coastguard Worker#
8*053f45beSAndroid Build Coastguard Worker# ┌─────────────────────┐   ┌──────────────────────────────────┐   ┌─────────────────────┐
9*053f45beSAndroid Build Coastguard Worker# │   $ns1 namespace    │   │          $ns0 namespace          │   │   $ns2 namespace    │
10*053f45beSAndroid Build Coastguard Worker# │                     │   │                                  │   │                     │
11*053f45beSAndroid Build Coastguard Worker# │┌────────┐           │   │            ┌────────┐            │   │           ┌────────┐│
12*053f45beSAndroid Build Coastguard Worker# ││  wg0   │───────────┼───┼────────────│   lo   │────────────┼───┼───────────│  wg0   ││
13*053f45beSAndroid Build Coastguard Worker# │├────────┴──────────┐│   │    ┌───────┴────────┴────────┐   │   │┌──────────┴────────┤│
14*053f45beSAndroid Build Coastguard Worker# ││192.168.241.1/24   ││   │    │(ns1)         (ns2)      │   │   ││192.168.241.2/24   ││
15*053f45beSAndroid Build Coastguard Worker# ││fd00::1/24         ││   │    │127.0.0.1:1   127.0.0.1:2│   │   ││fd00::2/24         ││
16*053f45beSAndroid Build Coastguard Worker# │└───────────────────┘│   │    │[::]:1        [::]:2     │   │   │└───────────────────┘│
17*053f45beSAndroid Build Coastguard Worker# └─────────────────────┘   │    └─────────────────────────┘   │   └─────────────────────┘
18*053f45beSAndroid Build Coastguard Worker#                           └──────────────────────────────────┘
19*053f45beSAndroid Build Coastguard Worker#
20*053f45beSAndroid Build Coastguard Worker# After the topology is prepared we run a series of TCP/UDP iperf3 tests between the
21*053f45beSAndroid Build Coastguard Worker# wireguard peers in $ns1 and $ns2. Note that $ns0 is the endpoint for the wg0
22*053f45beSAndroid Build Coastguard Worker# interfaces in $ns1 and $ns2. See https://www.wireguard.com/netns/ for further
23*053f45beSAndroid Build Coastguard Worker# details on how this is accomplished.
24*053f45beSAndroid Build Coastguard Workerset -e
25*053f45beSAndroid Build Coastguard Workershopt -s extglob
26*053f45beSAndroid Build Coastguard Worker
27*053f45beSAndroid Build Coastguard Workerexec 3>&1
28*053f45beSAndroid Build Coastguard Workerexport LANG=C
29*053f45beSAndroid Build Coastguard Workerexport WG_HIDE_KEYS=never
30*053f45beSAndroid Build Coastguard WorkerNPROC=( /sys/devices/system/cpu/cpu+([0-9]) ); NPROC=${#NPROC[@]}
31*053f45beSAndroid Build Coastguard Workernetns0="wg-test-$$-0"
32*053f45beSAndroid Build Coastguard Workernetns1="wg-test-$$-1"
33*053f45beSAndroid Build Coastguard Workernetns2="wg-test-$$-2"
34*053f45beSAndroid Build Coastguard Workerpretty() { echo -e "\x1b[32m\x1b[1m[+] ${1:+NS$1: }${2}\x1b[0m" >&3; }
35*053f45beSAndroid Build Coastguard Workerpp() { pretty "" "$*"; "$@"; }
36*053f45beSAndroid Build Coastguard Workermaybe_exec() { if [[ $BASHPID -eq $$ ]]; then "$@"; else exec "$@"; fi; }
37*053f45beSAndroid Build Coastguard Workern0() { pretty 0 "$*"; maybe_exec ip netns exec $netns0 "$@"; }
38*053f45beSAndroid Build Coastguard Workern1() { pretty 1 "$*"; maybe_exec ip netns exec $netns1 "$@"; }
39*053f45beSAndroid Build Coastguard Workern2() { pretty 2 "$*"; maybe_exec ip netns exec $netns2 "$@"; }
40*053f45beSAndroid Build Coastguard Workerip0() { pretty 0 "ip $*"; ip -n $netns0 "$@"; }
41*053f45beSAndroid Build Coastguard Workerip1() { pretty 1 "ip $*"; ip -n $netns1 "$@"; }
42*053f45beSAndroid Build Coastguard Workerip2() { pretty 2 "ip $*"; ip -n $netns2 "$@"; }
43*053f45beSAndroid Build Coastguard Workersleep() { read -t "$1" -N 1 || true; }
44*053f45beSAndroid Build Coastguard Workerwaitiperf() { pretty "${1//*-}" "wait for iperf:${3:-5201} pid $2"; while [[ $(ss -N "$1" -tlpH "sport = ${3:-5201}") != *\"iperf3\",pid=$2,fd=* ]]; do sleep 0.1; done; }
45*053f45beSAndroid Build Coastguard Workerwaitncatudp() { pretty "${1//*-}" "wait for udp:1111 pid $2"; while [[ $(ss -N "$1" -ulpH 'sport = 1111') != *\"ncat\",pid=$2,fd=* ]]; do sleep 0.1; done; }
46*053f45beSAndroid Build Coastguard Workerwaitiface() { pretty "${1//*-}" "wait for $2 to come up"; ip netns exec "$1" bash -c "while [[ \$(< \"/sys/class/net/$2/operstate\") != up ]]; do read -t .1 -N 0 || true; done;"; }
47*053f45beSAndroid Build Coastguard Worker
48*053f45beSAndroid Build Coastguard Workercleanup() {
49*053f45beSAndroid Build Coastguard Worker	set +e
50*053f45beSAndroid Build Coastguard Worker	exec 2>/dev/null
51*053f45beSAndroid Build Coastguard Worker	printf "$orig_message_cost" > /proc/sys/net/core/message_cost
52*053f45beSAndroid Build Coastguard Worker	ip0 link del dev wg0
53*053f45beSAndroid Build Coastguard Worker	ip0 link del dev wg1
54*053f45beSAndroid Build Coastguard Worker	ip1 link del dev wg0
55*053f45beSAndroid Build Coastguard Worker	ip1 link del dev wg1
56*053f45beSAndroid Build Coastguard Worker	ip2 link del dev wg0
57*053f45beSAndroid Build Coastguard Worker	ip2 link del dev wg1
58*053f45beSAndroid Build Coastguard Worker	local to_kill="$(ip netns pids $netns0) $(ip netns pids $netns1) $(ip netns pids $netns2)"
59*053f45beSAndroid Build Coastguard Worker	[[ -n $to_kill ]] && kill $to_kill
60*053f45beSAndroid Build Coastguard Worker	pp ip netns del $netns1
61*053f45beSAndroid Build Coastguard Worker	pp ip netns del $netns2
62*053f45beSAndroid Build Coastguard Worker	pp ip netns del $netns0
63*053f45beSAndroid Build Coastguard Worker	exit
64*053f45beSAndroid Build Coastguard Worker}
65*053f45beSAndroid Build Coastguard Worker
66*053f45beSAndroid Build Coastguard Workerorig_message_cost="$(< /proc/sys/net/core/message_cost)"
67*053f45beSAndroid Build Coastguard Workertrap cleanup EXIT
68*053f45beSAndroid Build Coastguard Workerprintf 0 > /proc/sys/net/core/message_cost
69*053f45beSAndroid Build Coastguard Worker
70*053f45beSAndroid Build Coastguard Workerip netns del $netns0 2>/dev/null || true
71*053f45beSAndroid Build Coastguard Workerip netns del $netns1 2>/dev/null || true
72*053f45beSAndroid Build Coastguard Workerip netns del $netns2 2>/dev/null || true
73*053f45beSAndroid Build Coastguard Workerpp ip netns add $netns0
74*053f45beSAndroid Build Coastguard Workerpp ip netns add $netns1
75*053f45beSAndroid Build Coastguard Workerpp ip netns add $netns2
76*053f45beSAndroid Build Coastguard Workerip0 link set up dev lo
77*053f45beSAndroid Build Coastguard Worker
78*053f45beSAndroid Build Coastguard Workerip0 link add dev wg0 type wireguard
79*053f45beSAndroid Build Coastguard Workerip0 link set wg0 netns $netns1
80*053f45beSAndroid Build Coastguard Workerip0 link add dev wg0 type wireguard
81*053f45beSAndroid Build Coastguard Workerip0 link set wg0 netns $netns2
82*053f45beSAndroid Build Coastguard Workerkey1="$(pp wg genkey)"
83*053f45beSAndroid Build Coastguard Workerkey2="$(pp wg genkey)"
84*053f45beSAndroid Build Coastguard Workerkey3="$(pp wg genkey)"
85*053f45beSAndroid Build Coastguard Workerkey4="$(pp wg genkey)"
86*053f45beSAndroid Build Coastguard Workerpub1="$(pp wg pubkey <<<"$key1")"
87*053f45beSAndroid Build Coastguard Workerpub2="$(pp wg pubkey <<<"$key2")"
88*053f45beSAndroid Build Coastguard Workerpub3="$(pp wg pubkey <<<"$key3")"
89*053f45beSAndroid Build Coastguard Workerpub4="$(pp wg pubkey <<<"$key4")"
90*053f45beSAndroid Build Coastguard Workerpsk="$(pp wg genpsk)"
91*053f45beSAndroid Build Coastguard Worker[[ -n $key1 && -n $key2 && -n $psk ]]
92*053f45beSAndroid Build Coastguard Worker
93*053f45beSAndroid Build Coastguard Workerconfigure_peers() {
94*053f45beSAndroid Build Coastguard Worker	ip1 addr add 192.168.241.1/24 dev wg0
95*053f45beSAndroid Build Coastguard Worker	ip1 addr add fd00::1/112 dev wg0
96*053f45beSAndroid Build Coastguard Worker
97*053f45beSAndroid Build Coastguard Worker	ip2 addr add 192.168.241.2/24 dev wg0
98*053f45beSAndroid Build Coastguard Worker	ip2 addr add fd00::2/112 dev wg0
99*053f45beSAndroid Build Coastguard Worker
100*053f45beSAndroid Build Coastguard Worker	n1 wg set wg0 \
101*053f45beSAndroid Build Coastguard Worker		private-key <(echo "$key1") \
102*053f45beSAndroid Build Coastguard Worker		listen-port 1 \
103*053f45beSAndroid Build Coastguard Worker		peer "$pub2" \
104*053f45beSAndroid Build Coastguard Worker			preshared-key <(echo "$psk") \
105*053f45beSAndroid Build Coastguard Worker			allowed-ips 192.168.241.2/32,fd00::2/128
106*053f45beSAndroid Build Coastguard Worker	n2 wg set wg0 \
107*053f45beSAndroid Build Coastguard Worker		private-key <(echo "$key2") \
108*053f45beSAndroid Build Coastguard Worker		listen-port 2 \
109*053f45beSAndroid Build Coastguard Worker		peer "$pub1" \
110*053f45beSAndroid Build Coastguard Worker			preshared-key <(echo "$psk") \
111*053f45beSAndroid Build Coastguard Worker			allowed-ips 192.168.241.1/32,fd00::1/128
112*053f45beSAndroid Build Coastguard Worker
113*053f45beSAndroid Build Coastguard Worker	ip1 link set up dev wg0
114*053f45beSAndroid Build Coastguard Worker	ip2 link set up dev wg0
115*053f45beSAndroid Build Coastguard Worker}
116*053f45beSAndroid Build Coastguard Workerconfigure_peers
117*053f45beSAndroid Build Coastguard Worker
118*053f45beSAndroid Build Coastguard Workertests() {
119*053f45beSAndroid Build Coastguard Worker	# Ping over IPv4
120*053f45beSAndroid Build Coastguard Worker	n2 ping -c 10 -f -W 1 192.168.241.1
121*053f45beSAndroid Build Coastguard Worker	n1 ping -c 10 -f -W 1 192.168.241.2
122*053f45beSAndroid Build Coastguard Worker
123*053f45beSAndroid Build Coastguard Worker	# Ping over IPv6
124*053f45beSAndroid Build Coastguard Worker	n2 ping6 -c 10 -f -W 1 fd00::1
125*053f45beSAndroid Build Coastguard Worker	n1 ping6 -c 10 -f -W 1 fd00::2
126*053f45beSAndroid Build Coastguard Worker
127*053f45beSAndroid Build Coastguard Worker	# TCP over IPv4
128*053f45beSAndroid Build Coastguard Worker	n2 iperf3 -s -1 -B 192.168.241.2 &
129*053f45beSAndroid Build Coastguard Worker	waitiperf $netns2 $!
130*053f45beSAndroid Build Coastguard Worker	n1 iperf3 -Z -t 3 -c 192.168.241.2
131*053f45beSAndroid Build Coastguard Worker
132*053f45beSAndroid Build Coastguard Worker	# TCP over IPv6
133*053f45beSAndroid Build Coastguard Worker	n1 iperf3 -s -1 -B fd00::1 &
134*053f45beSAndroid Build Coastguard Worker	waitiperf $netns1 $!
135*053f45beSAndroid Build Coastguard Worker	n2 iperf3 -Z -t 3 -c fd00::1
136*053f45beSAndroid Build Coastguard Worker
137*053f45beSAndroid Build Coastguard Worker	# UDP over IPv4
138*053f45beSAndroid Build Coastguard Worker	n1 iperf3 -s -1 -B 192.168.241.1 &
139*053f45beSAndroid Build Coastguard Worker	waitiperf $netns1 $!
140*053f45beSAndroid Build Coastguard Worker	n2 iperf3 -Z -t 3 -b 0 -u -c 192.168.241.1
141*053f45beSAndroid Build Coastguard Worker
142*053f45beSAndroid Build Coastguard Worker	# UDP over IPv6
143*053f45beSAndroid Build Coastguard Worker	n2 iperf3 -s -1 -B fd00::2 &
144*053f45beSAndroid Build Coastguard Worker	waitiperf $netns2 $!
145*053f45beSAndroid Build Coastguard Worker	n1 iperf3 -Z -t 3 -b 0 -u -c fd00::2
146*053f45beSAndroid Build Coastguard Worker
147*053f45beSAndroid Build Coastguard Worker	# TCP over IPv4, in parallel
148*053f45beSAndroid Build Coastguard Worker	local pids=( ) i
149*053f45beSAndroid Build Coastguard Worker	for ((i=0; i < NPROC; ++i)) do
150*053f45beSAndroid Build Coastguard Worker		n2 iperf3 -p $(( 5200 + i )) -s -1 -B 192.168.241.2 &
151*053f45beSAndroid Build Coastguard Worker		pids+=( $! ); waitiperf $netns2 $! $(( 5200 + i ))
152*053f45beSAndroid Build Coastguard Worker	done
153*053f45beSAndroid Build Coastguard Worker	for ((i=0; i < NPROC; ++i)) do
154*053f45beSAndroid Build Coastguard Worker		n1 iperf3 -Z -t 3 -p $(( 5200 + i )) -c 192.168.241.2 &
155*053f45beSAndroid Build Coastguard Worker	done
156*053f45beSAndroid Build Coastguard Worker	wait "${pids[@]}"
157*053f45beSAndroid Build Coastguard Worker}
158*053f45beSAndroid Build Coastguard Worker
159*053f45beSAndroid Build Coastguard Worker[[ $(ip1 link show dev wg0) =~ mtu\ ([0-9]+) ]] && orig_mtu="${BASH_REMATCH[1]}"
160*053f45beSAndroid Build Coastguard Workerbig_mtu=$(( 34816 - 1500 + $orig_mtu ))
161*053f45beSAndroid Build Coastguard Worker
162*053f45beSAndroid Build Coastguard Worker# Test using IPv4 as outer transport
163*053f45beSAndroid Build Coastguard Workern1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2
164*053f45beSAndroid Build Coastguard Workern2 wg set wg0 peer "$pub1" endpoint 127.0.0.1:1
165*053f45beSAndroid Build Coastguard Worker# Before calling tests, we first make sure that the stats counters and timestamper are working
166*053f45beSAndroid Build Coastguard Workern2 ping -c 10 -f -W 1 192.168.241.1
167*053f45beSAndroid Build Coastguard Worker{ read _; read _; read _; read rx_bytes _; read _; read tx_bytes _; } < <(ip2 -stats link show dev wg0)
168*053f45beSAndroid Build Coastguard Worker(( rx_bytes == 1372 && (tx_bytes == 1428 || tx_bytes == 1460) ))
169*053f45beSAndroid Build Coastguard Worker{ read _; read _; read _; read rx_bytes _; read _; read tx_bytes _; } < <(ip1 -stats link show dev wg0)
170*053f45beSAndroid Build Coastguard Worker(( tx_bytes == 1372 && (rx_bytes == 1428 || rx_bytes == 1460) ))
171*053f45beSAndroid Build Coastguard Workerread _ rx_bytes tx_bytes < <(n2 wg show wg0 transfer)
172*053f45beSAndroid Build Coastguard Worker(( rx_bytes == 1372 && (tx_bytes == 1428 || tx_bytes == 1460) ))
173*053f45beSAndroid Build Coastguard Workerread _ rx_bytes tx_bytes < <(n1 wg show wg0 transfer)
174*053f45beSAndroid Build Coastguard Worker(( tx_bytes == 1372 && (rx_bytes == 1428 || rx_bytes == 1460) ))
175*053f45beSAndroid Build Coastguard Workerread _ timestamp < <(n1 wg show wg0 latest-handshakes)
176*053f45beSAndroid Build Coastguard Worker(( timestamp != 0 ))
177*053f45beSAndroid Build Coastguard Worker
178*053f45beSAndroid Build Coastguard Workertests
179*053f45beSAndroid Build Coastguard Workerip1 link set wg0 mtu $big_mtu
180*053f45beSAndroid Build Coastguard Workerip2 link set wg0 mtu $big_mtu
181*053f45beSAndroid Build Coastguard Workertests
182*053f45beSAndroid Build Coastguard Worker
183*053f45beSAndroid Build Coastguard Workerip1 link set wg0 mtu $orig_mtu
184*053f45beSAndroid Build Coastguard Workerip2 link set wg0 mtu $orig_mtu
185*053f45beSAndroid Build Coastguard Worker
186*053f45beSAndroid Build Coastguard Worker# Test using IPv6 as outer transport
187*053f45beSAndroid Build Coastguard Workern1 wg set wg0 peer "$pub2" endpoint [::1]:2
188*053f45beSAndroid Build Coastguard Workern2 wg set wg0 peer "$pub1" endpoint [::1]:1
189*053f45beSAndroid Build Coastguard Workertests
190*053f45beSAndroid Build Coastguard Workerip1 link set wg0 mtu $big_mtu
191*053f45beSAndroid Build Coastguard Workerip2 link set wg0 mtu $big_mtu
192*053f45beSAndroid Build Coastguard Workertests
193*053f45beSAndroid Build Coastguard Worker
194*053f45beSAndroid Build Coastguard Worker# Test that route MTUs work with the padding
195*053f45beSAndroid Build Coastguard Workerip1 link set wg0 mtu 1300
196*053f45beSAndroid Build Coastguard Workerip2 link set wg0 mtu 1300
197*053f45beSAndroid Build Coastguard Workern1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2
198*053f45beSAndroid Build Coastguard Workern2 wg set wg0 peer "$pub1" endpoint 127.0.0.1:1
199*053f45beSAndroid Build Coastguard Workern0 iptables -A INPUT -m length --length 1360 -j DROP
200*053f45beSAndroid Build Coastguard Workern1 ip route add 192.168.241.2/32 dev wg0 mtu 1299
201*053f45beSAndroid Build Coastguard Workern2 ip route add 192.168.241.1/32 dev wg0 mtu 1299
202*053f45beSAndroid Build Coastguard Workern2 ping -c 1 -W 1 -s 1269 192.168.241.1
203*053f45beSAndroid Build Coastguard Workern2 ip route delete 192.168.241.1/32 dev wg0 mtu 1299
204*053f45beSAndroid Build Coastguard Workern1 ip route delete 192.168.241.2/32 dev wg0 mtu 1299
205*053f45beSAndroid Build Coastguard Workern0 iptables -F INPUT
206*053f45beSAndroid Build Coastguard Worker
207*053f45beSAndroid Build Coastguard Workerip1 link set wg0 mtu $orig_mtu
208*053f45beSAndroid Build Coastguard Workerip2 link set wg0 mtu $orig_mtu
209*053f45beSAndroid Build Coastguard Worker
210*053f45beSAndroid Build Coastguard Worker# Test using IPv4 that roaming works
211*053f45beSAndroid Build Coastguard Workerip0 -4 addr del 127.0.0.1/8 dev lo
212*053f45beSAndroid Build Coastguard Workerip0 -4 addr add 127.212.121.99/8 dev lo
213*053f45beSAndroid Build Coastguard Workern1 wg set wg0 listen-port 9999
214*053f45beSAndroid Build Coastguard Workern1 wg set wg0 peer "$pub2" endpoint 127.0.0.1:2
215*053f45beSAndroid Build Coastguard Workern1 ping6 -W 1 -c 1 fd00::2
216*053f45beSAndroid Build Coastguard Worker[[ $(n2 wg show wg0 endpoints) == "$pub1	127.212.121.99:9999" ]]
217*053f45beSAndroid Build Coastguard Worker
218*053f45beSAndroid Build Coastguard Worker# Test using IPv6 that roaming works
219*053f45beSAndroid Build Coastguard Workern1 wg set wg0 listen-port 9998
220*053f45beSAndroid Build Coastguard Workern1 wg set wg0 peer "$pub2" endpoint [::1]:2
221*053f45beSAndroid Build Coastguard Workern1 ping -W 1 -c 1 192.168.241.2
222*053f45beSAndroid Build Coastguard Worker[[ $(n2 wg show wg0 endpoints) == "$pub1	[::1]:9998" ]]
223*053f45beSAndroid Build Coastguard Worker
224*053f45beSAndroid Build Coastguard Worker# Test that crypto-RP filter works
225*053f45beSAndroid Build Coastguard Workern1 wg set wg0 peer "$pub2" allowed-ips 192.168.241.0/24
226*053f45beSAndroid Build Coastguard Workerexec 4< <(n1 ncat -l -u -p 1111)
227*053f45beSAndroid Build Coastguard Workerncat_pid=$!
228*053f45beSAndroid Build Coastguard Workerwaitncatudp $netns1 $ncat_pid
229*053f45beSAndroid Build Coastguard Workern2 ncat -u 192.168.241.1 1111 <<<"X"
230*053f45beSAndroid Build Coastguard Workerread -r -N 1 -t 1 out <&4 && [[ $out == "X" ]]
231*053f45beSAndroid Build Coastguard Workerkill $ncat_pid
232*053f45beSAndroid Build Coastguard Workermore_specific_key="$(pp wg genkey | pp wg pubkey)"
233*053f45beSAndroid Build Coastguard Workern1 wg set wg0 peer "$more_specific_key" allowed-ips 192.168.241.2/32
234*053f45beSAndroid Build Coastguard Workern2 wg set wg0 listen-port 9997
235*053f45beSAndroid Build Coastguard Workerexec 4< <(n1 ncat -l -u -p 1111)
236*053f45beSAndroid Build Coastguard Workerncat_pid=$!
237*053f45beSAndroid Build Coastguard Workerwaitncatudp $netns1 $ncat_pid
238*053f45beSAndroid Build Coastguard Workern2 ncat -u 192.168.241.1 1111 <<<"X"
239*053f45beSAndroid Build Coastguard Worker! read -r -N 1 -t 1 out <&4 || false
240*053f45beSAndroid Build Coastguard Workerkill $ncat_pid
241*053f45beSAndroid Build Coastguard Workern1 wg set wg0 peer "$more_specific_key" remove
242*053f45beSAndroid Build Coastguard Worker[[ $(n1 wg show wg0 endpoints) == "$pub2	[::1]:9997" ]]
243*053f45beSAndroid Build Coastguard Worker
244*053f45beSAndroid Build Coastguard Worker# Test that we can change private keys keys and immediately handshake
245*053f45beSAndroid Build Coastguard Workern1 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk") allowed-ips 192.168.241.2/32 endpoint 127.0.0.1:2
246*053f45beSAndroid Build Coastguard Workern2 wg set wg0 private-key <(echo "$key2") listen-port 2 peer "$pub1" preshared-key <(echo "$psk") allowed-ips 192.168.241.1/32
247*053f45beSAndroid Build Coastguard Workern1 ping -W 1 -c 1 192.168.241.2
248*053f45beSAndroid Build Coastguard Workern1 wg set wg0 private-key <(echo "$key3")
249*053f45beSAndroid Build Coastguard Workern2 wg set wg0 peer "$pub3" preshared-key <(echo "$psk") allowed-ips 192.168.241.1/32 peer "$pub1" remove
250*053f45beSAndroid Build Coastguard Workern1 ping -W 1 -c 1 192.168.241.2
251*053f45beSAndroid Build Coastguard Workern2 wg set wg0 peer "$pub3" remove
252*053f45beSAndroid Build Coastguard Worker
253*053f45beSAndroid Build Coastguard Worker# Test that we can route wg through wg
254*053f45beSAndroid Build Coastguard Workerip1 addr flush dev wg0
255*053f45beSAndroid Build Coastguard Workerip2 addr flush dev wg0
256*053f45beSAndroid Build Coastguard Workerip1 addr add fd00::5:1/112 dev wg0
257*053f45beSAndroid Build Coastguard Workerip2 addr add fd00::5:2/112 dev wg0
258*053f45beSAndroid Build Coastguard Workern1 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk") allowed-ips fd00::5:2/128 endpoint 127.0.0.1:2
259*053f45beSAndroid Build Coastguard Workern2 wg set wg0 private-key <(echo "$key2") listen-port 2 peer "$pub1" preshared-key <(echo "$psk") allowed-ips fd00::5:1/128 endpoint 127.212.121.99:9998
260*053f45beSAndroid Build Coastguard Workerip1 link add wg1 type wireguard
261*053f45beSAndroid Build Coastguard Workerip2 link add wg1 type wireguard
262*053f45beSAndroid Build Coastguard Workerip1 addr add 192.168.241.1/24 dev wg1
263*053f45beSAndroid Build Coastguard Workerip1 addr add fd00::1/112 dev wg1
264*053f45beSAndroid Build Coastguard Workerip2 addr add 192.168.241.2/24 dev wg1
265*053f45beSAndroid Build Coastguard Workerip2 addr add fd00::2/112 dev wg1
266*053f45beSAndroid Build Coastguard Workerip1 link set mtu 1340 up dev wg1
267*053f45beSAndroid Build Coastguard Workerip2 link set mtu 1340 up dev wg1
268*053f45beSAndroid Build Coastguard Workern1 wg set wg1 listen-port 5 private-key <(echo "$key3") peer "$pub4" allowed-ips 192.168.241.2/32,fd00::2/128 endpoint [fd00::5:2]:5
269*053f45beSAndroid Build Coastguard Workern2 wg set wg1 listen-port 5 private-key <(echo "$key4") peer "$pub3" allowed-ips 192.168.241.1/32,fd00::1/128 endpoint [fd00::5:1]:5
270*053f45beSAndroid Build Coastguard Workertests
271*053f45beSAndroid Build Coastguard Worker# Try to set up a routing loop between the two namespaces
272*053f45beSAndroid Build Coastguard Workerip1 link set netns $netns0 dev wg1
273*053f45beSAndroid Build Coastguard Workerip0 addr add 192.168.241.1/24 dev wg1
274*053f45beSAndroid Build Coastguard Workerip0 link set up dev wg1
275*053f45beSAndroid Build Coastguard Workern0 ping -W 1 -c 1 192.168.241.2
276*053f45beSAndroid Build Coastguard Workern1 wg set wg0 peer "$pub2" endpoint 192.168.241.2:7
277*053f45beSAndroid Build Coastguard Workerip2 link del wg0
278*053f45beSAndroid Build Coastguard Workerip2 link del wg1
279*053f45beSAndroid Build Coastguard Workerread _ _ tx_bytes_before < <(n0 wg show wg1 transfer)
280*053f45beSAndroid Build Coastguard Worker! n0 ping -W 1 -c 10 -f 192.168.241.2 || false
281*053f45beSAndroid Build Coastguard Workersleep 1
282*053f45beSAndroid Build Coastguard Workerread _ _ tx_bytes_after < <(n0 wg show wg1 transfer)
283*053f45beSAndroid Build Coastguard Workerif ! (( tx_bytes_after - tx_bytes_before < 70000 )); then
284*053f45beSAndroid Build Coastguard Worker	errstart=$'\x1b[37m\x1b[41m\x1b[1m'
285*053f45beSAndroid Build Coastguard Worker	errend=$'\x1b[0m'
286*053f45beSAndroid Build Coastguard Worker	echo "${errstart}                                                ${errend}"
287*053f45beSAndroid Build Coastguard Worker	echo "${errstart}                   E  R  R  O  R                ${errend}"
288*053f45beSAndroid Build Coastguard Worker	echo "${errstart}                                                ${errend}"
289*053f45beSAndroid Build Coastguard Worker	echo "${errstart} This architecture does not do the right thing  ${errend}"
290*053f45beSAndroid Build Coastguard Worker	echo "${errstart} with cross-namespace routing loops. This test  ${errend}"
291*053f45beSAndroid Build Coastguard Worker	echo "${errstart} has thus technically failed but, as this issue ${errend}"
292*053f45beSAndroid Build Coastguard Worker	echo "${errstart} is as yet unsolved, these tests will continue  ${errend}"
293*053f45beSAndroid Build Coastguard Worker	echo "${errstart} onward. :(                                     ${errend}"
294*053f45beSAndroid Build Coastguard Worker	echo "${errstart}                                                ${errend}"
295*053f45beSAndroid Build Coastguard Workerfi
296*053f45beSAndroid Build Coastguard Worker
297*053f45beSAndroid Build Coastguard Workerip0 link del wg1
298*053f45beSAndroid Build Coastguard Workerip1 link del wg0
299*053f45beSAndroid Build Coastguard Worker
300*053f45beSAndroid Build Coastguard Worker# Test using NAT. We now change the topology to this:
301*053f45beSAndroid Build Coastguard Worker# ┌────────────────────────────────────────┐    ┌────────────────────────────────────────────────┐     ┌────────────────────────────────────────┐
302*053f45beSAndroid Build Coastguard Worker# │             $ns1 namespace             │    │                 $ns0 namespace                 │     │             $ns2 namespace             │
303*053f45beSAndroid Build Coastguard Worker# │                                        │    │                                                │     │                                        │
304*053f45beSAndroid Build Coastguard Worker# │  ┌─────┐             ┌─────┐           │    │    ┌──────┐              ┌──────┐              │     │  ┌─────┐            ┌─────┐            │
305*053f45beSAndroid Build Coastguard Worker# │  │ wg0 │─────────────│vethc│───────────┼────┼────│vethrc│              │vethrs│──────────────┼─────┼──│veths│────────────│ wg0 │            │
306*053f45beSAndroid Build Coastguard Worker# │  ├─────┴──────────┐  ├─────┴──────────┐│    │    ├──────┴─────────┐    ├──────┴────────────┐ │     │  ├─────┴──────────┐ ├─────┴──────────┐ │
307*053f45beSAndroid Build Coastguard Worker# │  │192.168.241.1/24│  │192.168.1.100/24││    │    │192.168.1.1/24  │    │10.0.0.1/24        │ │     │  │10.0.0.100/24   │ │192.168.241.2/24│ │
308*053f45beSAndroid Build Coastguard Worker# │  │fd00::1/24      │  │                ││    │    │                │    │SNAT:192.168.1.0/24│ │     │  │                │ │fd00::2/24      │ │
309*053f45beSAndroid Build Coastguard Worker# │  └────────────────┘  └────────────────┘│    │    └────────────────┘    └───────────────────┘ │     │  └────────────────┘ └────────────────┘ │
310*053f45beSAndroid Build Coastguard Worker# └────────────────────────────────────────┘    └────────────────────────────────────────────────┘     └────────────────────────────────────────┘
311*053f45beSAndroid Build Coastguard Worker
312*053f45beSAndroid Build Coastguard Workerip1 link add dev wg0 type wireguard
313*053f45beSAndroid Build Coastguard Workerip2 link add dev wg0 type wireguard
314*053f45beSAndroid Build Coastguard Workerconfigure_peers
315*053f45beSAndroid Build Coastguard Worker
316*053f45beSAndroid Build Coastguard Workerip0 link add vethrc type veth peer name vethc
317*053f45beSAndroid Build Coastguard Workerip0 link add vethrs type veth peer name veths
318*053f45beSAndroid Build Coastguard Workerip0 link set vethc netns $netns1
319*053f45beSAndroid Build Coastguard Workerip0 link set veths netns $netns2
320*053f45beSAndroid Build Coastguard Workerip0 link set vethrc up
321*053f45beSAndroid Build Coastguard Workerip0 link set vethrs up
322*053f45beSAndroid Build Coastguard Workerip0 addr add 192.168.1.1/24 dev vethrc
323*053f45beSAndroid Build Coastguard Workerip0 addr add 10.0.0.1/24 dev vethrs
324*053f45beSAndroid Build Coastguard Workerip1 addr add 192.168.1.100/24 dev vethc
325*053f45beSAndroid Build Coastguard Workerip1 link set vethc up
326*053f45beSAndroid Build Coastguard Workerip1 route add default via 192.168.1.1
327*053f45beSAndroid Build Coastguard Workerip2 addr add 10.0.0.100/24 dev veths
328*053f45beSAndroid Build Coastguard Workerip2 link set veths up
329*053f45beSAndroid Build Coastguard Workerwaitiface $netns0 vethrc
330*053f45beSAndroid Build Coastguard Workerwaitiface $netns0 vethrs
331*053f45beSAndroid Build Coastguard Workerwaitiface $netns1 vethc
332*053f45beSAndroid Build Coastguard Workerwaitiface $netns2 veths
333*053f45beSAndroid Build Coastguard Worker
334*053f45beSAndroid Build Coastguard Workern0 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
335*053f45beSAndroid Build Coastguard Workern0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout'
336*053f45beSAndroid Build Coastguard Workern0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream'
337*053f45beSAndroid Build Coastguard Workern0 iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.0.0.0/24 -j SNAT --to 10.0.0.1
338*053f45beSAndroid Build Coastguard Worker
339*053f45beSAndroid Build Coastguard Workern1 wg set wg0 peer "$pub2" endpoint 10.0.0.100:2 persistent-keepalive 1
340*053f45beSAndroid Build Coastguard Workern1 ping -W 1 -c 1 192.168.241.2
341*053f45beSAndroid Build Coastguard Workern2 ping -W 1 -c 1 192.168.241.1
342*053f45beSAndroid Build Coastguard Worker[[ $(n2 wg show wg0 endpoints) == "$pub1	10.0.0.1:1" ]]
343*053f45beSAndroid Build Coastguard Worker# Demonstrate n2 can still send packets to n1, since persistent-keepalive will prevent connection tracking entry from expiring (to see entries: `n0 conntrack -L`).
344*053f45beSAndroid Build Coastguard Workerpp sleep 3
345*053f45beSAndroid Build Coastguard Workern2 ping -W 1 -c 1 192.168.241.1
346*053f45beSAndroid Build Coastguard Workern1 wg set wg0 peer "$pub2" persistent-keepalive 0
347*053f45beSAndroid Build Coastguard Worker
348*053f45beSAndroid Build Coastguard Worker# Test that sk_bound_dev_if works
349*053f45beSAndroid Build Coastguard Workern1 ping -I wg0 -c 1 -W 1 192.168.241.2
350*053f45beSAndroid Build Coastguard Worker# What about when the mark changes and the packet must be rerouted?
351*053f45beSAndroid Build Coastguard Workern1 iptables -t mangle -I OUTPUT -j MARK --set-xmark 1
352*053f45beSAndroid Build Coastguard Workern1 ping -c 1 -W 1 192.168.241.2 # First the boring case
353*053f45beSAndroid Build Coastguard Workern1 ping -I wg0 -c 1 -W 1 192.168.241.2 # Then the sk_bound_dev_if case
354*053f45beSAndroid Build Coastguard Workern1 iptables -t mangle -D OUTPUT -j MARK --set-xmark 1
355*053f45beSAndroid Build Coastguard Worker
356*053f45beSAndroid Build Coastguard Worker# Test that onion routing works, even when it loops
357*053f45beSAndroid Build Coastguard Workern1 wg set wg0 peer "$pub3" allowed-ips 192.168.242.2/32 endpoint 192.168.241.2:5
358*053f45beSAndroid Build Coastguard Workerip1 addr add 192.168.242.1/24 dev wg0
359*053f45beSAndroid Build Coastguard Workerip2 link add wg1 type wireguard
360*053f45beSAndroid Build Coastguard Workerip2 addr add 192.168.242.2/24 dev wg1
361*053f45beSAndroid Build Coastguard Workern2 wg set wg1 private-key <(echo "$key3") listen-port 5 peer "$pub1" allowed-ips 192.168.242.1/32
362*053f45beSAndroid Build Coastguard Workerip2 link set wg1 up
363*053f45beSAndroid Build Coastguard Workern1 ping -W 1 -c 1 192.168.242.2
364*053f45beSAndroid Build Coastguard Workerip2 link del wg1
365*053f45beSAndroid Build Coastguard Workern1 wg set wg0 peer "$pub3" endpoint 192.168.242.2:5
366*053f45beSAndroid Build Coastguard Worker! n1 ping -W 1 -c 1 192.168.242.2 || false # Should not crash kernel
367*053f45beSAndroid Build Coastguard Workern1 wg set wg0 peer "$pub3" remove
368*053f45beSAndroid Build Coastguard Workerip1 addr del 192.168.242.1/24 dev wg0
369*053f45beSAndroid Build Coastguard Worker
370*053f45beSAndroid Build Coastguard Worker# Do a wg-quick(8)-style policy routing for the default route, making sure vethc has a v6 address to tease out bugs.
371*053f45beSAndroid Build Coastguard Workerip1 -6 addr add fc00::9/96 dev vethc
372*053f45beSAndroid Build Coastguard Workerip1 -6 route add default via fc00::1
373*053f45beSAndroid Build Coastguard Workerip2 -4 addr add 192.168.99.7/32 dev wg0
374*053f45beSAndroid Build Coastguard Workerip2 -6 addr add abab::1111/128 dev wg0
375*053f45beSAndroid Build Coastguard Workern1 wg set wg0 fwmark 51820 peer "$pub2" allowed-ips 192.168.99.7,abab::1111
376*053f45beSAndroid Build Coastguard Workerip1 -6 route add default dev wg0 table 51820
377*053f45beSAndroid Build Coastguard Workerip1 -6 rule add not fwmark 51820 table 51820
378*053f45beSAndroid Build Coastguard Workerip1 -6 rule add table main suppress_prefixlength 0
379*053f45beSAndroid Build Coastguard Workerip1 -4 route add default dev wg0 table 51820
380*053f45beSAndroid Build Coastguard Workerip1 -4 rule add not fwmark 51820 table 51820
381*053f45beSAndroid Build Coastguard Workerip1 -4 rule add table main suppress_prefixlength 0
382*053f45beSAndroid Build Coastguard Workern1 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/vethc/rp_filter'
383*053f45beSAndroid Build Coastguard Worker# Flood the pings instead of sending just one, to trigger routing table reference counting bugs.
384*053f45beSAndroid Build Coastguard Workern1 ping -W 1 -c 100 -f 192.168.99.7
385*053f45beSAndroid Build Coastguard Workern1 ping -W 1 -c 100 -f abab::1111
386*053f45beSAndroid Build Coastguard Worker
387*053f45beSAndroid Build Coastguard Worker# Have ns2 NAT into wg0 packets from ns0, but return an icmp error along the right route.
388*053f45beSAndroid Build Coastguard Workern2 iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 192.168.241.0/24 -j SNAT --to 192.168.241.2
389*053f45beSAndroid Build Coastguard Workern0 iptables -t filter -A INPUT \! -s 10.0.0.0/24 -i vethrs -j DROP # Manual rpfilter just to be explicit.
390*053f45beSAndroid Build Coastguard Workern2 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
391*053f45beSAndroid Build Coastguard Workerip0 -4 route add 192.168.241.1 via 10.0.0.100
392*053f45beSAndroid Build Coastguard Workern2 wg set wg0 peer "$pub1" remove
393*053f45beSAndroid Build Coastguard Worker[[ $(! n0 ping -W 1 -c 1 192.168.241.1 || false) == *"From 10.0.0.100 icmp_seq=1 Destination Host Unreachable"* ]]
394*053f45beSAndroid Build Coastguard Worker
395*053f45beSAndroid Build Coastguard Workern0 iptables -t nat -F
396*053f45beSAndroid Build Coastguard Workern0 iptables -t filter -F
397*053f45beSAndroid Build Coastguard Workern2 iptables -t nat -F
398*053f45beSAndroid Build Coastguard Workerip0 link del vethrc
399*053f45beSAndroid Build Coastguard Workerip0 link del vethrs
400*053f45beSAndroid Build Coastguard Workerip1 link del wg0
401*053f45beSAndroid Build Coastguard Workerip2 link del wg0
402*053f45beSAndroid Build Coastguard Worker
403*053f45beSAndroid Build Coastguard Worker# Test that saddr routing is sticky but not too sticky, changing to this topology:
404*053f45beSAndroid Build Coastguard Worker# ┌────────────────────────────────────────┐    ┌────────────────────────────────────────┐
405*053f45beSAndroid Build Coastguard Worker# │             $ns1 namespace             │    │             $ns2 namespace             │
406*053f45beSAndroid Build Coastguard Worker# │                                        │    │                                        │
407*053f45beSAndroid Build Coastguard Worker# │  ┌─────┐             ┌─────┐           │    │  ┌─────┐            ┌─────┐            │
408*053f45beSAndroid Build Coastguard Worker# │  │ wg0 │─────────────│veth1│───────────┼────┼──│veth2│────────────│ wg0 │            │
409*053f45beSAndroid Build Coastguard Worker# │  ├─────┴──────────┐  ├─────┴──────────┐│    │  ├─────┴──────────┐ ├─────┴──────────┐ │
410*053f45beSAndroid Build Coastguard Worker# │  │192.168.241.1/24│  │10.0.0.1/24     ││    │  │10.0.0.2/24     │ │192.168.241.2/24│ │
411*053f45beSAndroid Build Coastguard Worker# │  │fd00::1/24      │  │fd00:aa::1/96   ││    │  │fd00:aa::2/96   │ │fd00::2/24      │ │
412*053f45beSAndroid Build Coastguard Worker# │  └────────────────┘  └────────────────┘│    │  └────────────────┘ └────────────────┘ │
413*053f45beSAndroid Build Coastguard Worker# └────────────────────────────────────────┘    └────────────────────────────────────────┘
414*053f45beSAndroid Build Coastguard Worker
415*053f45beSAndroid Build Coastguard Workerip1 link add dev wg0 type wireguard
416*053f45beSAndroid Build Coastguard Workerip2 link add dev wg0 type wireguard
417*053f45beSAndroid Build Coastguard Workerconfigure_peers
418*053f45beSAndroid Build Coastguard Workerip1 link add veth1 type veth peer name veth2
419*053f45beSAndroid Build Coastguard Workerip1 link set veth2 netns $netns2
420*053f45beSAndroid Build Coastguard Workern1 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/all/accept_dad'
421*053f45beSAndroid Build Coastguard Workern2 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/all/accept_dad'
422*053f45beSAndroid Build Coastguard Workern1 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/veth1/accept_dad'
423*053f45beSAndroid Build Coastguard Workern2 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/veth2/accept_dad'
424*053f45beSAndroid Build Coastguard Workern1 bash -c 'printf 1 > /proc/sys/net/ipv4/conf/veth1/promote_secondaries'
425*053f45beSAndroid Build Coastguard Worker
426*053f45beSAndroid Build Coastguard Worker# First we check that we aren't overly sticky and can fall over to new IPs when old ones are removed
427*053f45beSAndroid Build Coastguard Workerip1 addr add 10.0.0.1/24 dev veth1
428*053f45beSAndroid Build Coastguard Workerip1 addr add fd00:aa::1/96 dev veth1
429*053f45beSAndroid Build Coastguard Workerip2 addr add 10.0.0.2/24 dev veth2
430*053f45beSAndroid Build Coastguard Workerip2 addr add fd00:aa::2/96 dev veth2
431*053f45beSAndroid Build Coastguard Workerip1 link set veth1 up
432*053f45beSAndroid Build Coastguard Workerip2 link set veth2 up
433*053f45beSAndroid Build Coastguard Workerwaitiface $netns1 veth1
434*053f45beSAndroid Build Coastguard Workerwaitiface $netns2 veth2
435*053f45beSAndroid Build Coastguard Workern1 wg set wg0 peer "$pub2" endpoint 10.0.0.2:2
436*053f45beSAndroid Build Coastguard Workern1 ping -W 1 -c 1 192.168.241.2
437*053f45beSAndroid Build Coastguard Workerip1 addr add 10.0.0.10/24 dev veth1
438*053f45beSAndroid Build Coastguard Workerip1 addr del 10.0.0.1/24 dev veth1
439*053f45beSAndroid Build Coastguard Workern1 ping -W 1 -c 1 192.168.241.2
440*053f45beSAndroid Build Coastguard Workern1 wg set wg0 peer "$pub2" endpoint [fd00:aa::2]:2
441*053f45beSAndroid Build Coastguard Workern1 ping -W 1 -c 1 192.168.241.2
442*053f45beSAndroid Build Coastguard Workerip1 addr add fd00:aa::10/96 dev veth1
443*053f45beSAndroid Build Coastguard Workerip1 addr del fd00:aa::1/96 dev veth1
444*053f45beSAndroid Build Coastguard Workern1 ping -W 1 -c 1 192.168.241.2
445*053f45beSAndroid Build Coastguard Worker
446*053f45beSAndroid Build Coastguard Worker# Now we show that we can successfully do reply to sender routing
447*053f45beSAndroid Build Coastguard Workerip1 link set veth1 down
448*053f45beSAndroid Build Coastguard Workerip2 link set veth2 down
449*053f45beSAndroid Build Coastguard Workerip1 addr flush dev veth1
450*053f45beSAndroid Build Coastguard Workerip2 addr flush dev veth2
451*053f45beSAndroid Build Coastguard Workerip1 addr add 10.0.0.1/24 dev veth1
452*053f45beSAndroid Build Coastguard Workerip1 addr add 10.0.0.2/24 dev veth1
453*053f45beSAndroid Build Coastguard Workerip1 addr add fd00:aa::1/96 dev veth1
454*053f45beSAndroid Build Coastguard Workerip1 addr add fd00:aa::2/96 dev veth1
455*053f45beSAndroid Build Coastguard Workerip2 addr add 10.0.0.3/24 dev veth2
456*053f45beSAndroid Build Coastguard Workerip2 addr add fd00:aa::3/96 dev veth2
457*053f45beSAndroid Build Coastguard Workerip1 link set veth1 up
458*053f45beSAndroid Build Coastguard Workerip2 link set veth2 up
459*053f45beSAndroid Build Coastguard Workerwaitiface $netns1 veth1
460*053f45beSAndroid Build Coastguard Workerwaitiface $netns2 veth2
461*053f45beSAndroid Build Coastguard Workern2 wg set wg0 peer "$pub1" endpoint 10.0.0.1:1
462*053f45beSAndroid Build Coastguard Workern2 ping -W 1 -c 1 192.168.241.1
463*053f45beSAndroid Build Coastguard Worker[[ $(n2 wg show wg0 endpoints) == "$pub1	10.0.0.1:1" ]]
464*053f45beSAndroid Build Coastguard Workern2 wg set wg0 peer "$pub1" endpoint [fd00:aa::1]:1
465*053f45beSAndroid Build Coastguard Workern2 ping -W 1 -c 1 192.168.241.1
466*053f45beSAndroid Build Coastguard Worker[[ $(n2 wg show wg0 endpoints) == "$pub1	[fd00:aa::1]:1" ]]
467*053f45beSAndroid Build Coastguard Workern2 wg set wg0 peer "$pub1" endpoint 10.0.0.2:1
468*053f45beSAndroid Build Coastguard Workern2 ping -W 1 -c 1 192.168.241.1
469*053f45beSAndroid Build Coastguard Worker[[ $(n2 wg show wg0 endpoints) == "$pub1	10.0.0.2:1" ]]
470*053f45beSAndroid Build Coastguard Workern2 wg set wg0 peer "$pub1" endpoint [fd00:aa::2]:1
471*053f45beSAndroid Build Coastguard Workern2 ping -W 1 -c 1 192.168.241.1
472*053f45beSAndroid Build Coastguard Worker[[ $(n2 wg show wg0 endpoints) == "$pub1	[fd00:aa::2]:1" ]]
473*053f45beSAndroid Build Coastguard Worker
474*053f45beSAndroid Build Coastguard Worker# What happens if the inbound destination address belongs to a different interface as the default route?
475*053f45beSAndroid Build Coastguard Workerip1 link add dummy0 type dummy
476*053f45beSAndroid Build Coastguard Workerip1 addr add 10.50.0.1/24 dev dummy0
477*053f45beSAndroid Build Coastguard Workerip1 link set dummy0 up
478*053f45beSAndroid Build Coastguard Workerip2 route add 10.50.0.0/24 dev veth2
479*053f45beSAndroid Build Coastguard Workern2 wg set wg0 peer "$pub1" endpoint 10.50.0.1:1
480*053f45beSAndroid Build Coastguard Workern2 ping -W 1 -c 1 192.168.241.1
481*053f45beSAndroid Build Coastguard Worker[[ $(n2 wg show wg0 endpoints) == "$pub1	10.50.0.1:1" ]]
482*053f45beSAndroid Build Coastguard Worker
483*053f45beSAndroid Build Coastguard Workerip1 link del dummy0
484*053f45beSAndroid Build Coastguard Workerip1 addr flush dev veth1
485*053f45beSAndroid Build Coastguard Workerip2 addr flush dev veth2
486*053f45beSAndroid Build Coastguard Workerip1 route flush dev veth1
487*053f45beSAndroid Build Coastguard Workerip2 route flush dev veth2
488*053f45beSAndroid Build Coastguard Worker
489*053f45beSAndroid Build Coastguard Worker# Now we see what happens if another interface route takes precedence over an ongoing one
490*053f45beSAndroid Build Coastguard Workerip1 link add veth3 type veth peer name veth4
491*053f45beSAndroid Build Coastguard Workerip1 link set veth4 netns $netns2
492*053f45beSAndroid Build Coastguard Workerip1 addr add 10.0.0.1/24 dev veth1
493*053f45beSAndroid Build Coastguard Workerip2 addr add 10.0.0.2/24 dev veth2
494*053f45beSAndroid Build Coastguard Workerip1 addr add 10.0.0.3/24 dev veth3
495*053f45beSAndroid Build Coastguard Workerip1 link set veth1 up
496*053f45beSAndroid Build Coastguard Workerip2 link set veth2 up
497*053f45beSAndroid Build Coastguard Workerip1 link set veth3 up
498*053f45beSAndroid Build Coastguard Workerip2 link set veth4 up
499*053f45beSAndroid Build Coastguard Workerwaitiface $netns1 veth1
500*053f45beSAndroid Build Coastguard Workerwaitiface $netns2 veth2
501*053f45beSAndroid Build Coastguard Workerwaitiface $netns1 veth3
502*053f45beSAndroid Build Coastguard Workerwaitiface $netns2 veth4
503*053f45beSAndroid Build Coastguard Workerip1 route flush dev veth1
504*053f45beSAndroid Build Coastguard Workerip1 route flush dev veth3
505*053f45beSAndroid Build Coastguard Workerip1 route add 10.0.0.0/24 dev veth1 src 10.0.0.1 metric 2
506*053f45beSAndroid Build Coastguard Workern1 wg set wg0 peer "$pub2" endpoint 10.0.0.2:2
507*053f45beSAndroid Build Coastguard Workern1 ping -W 1 -c 1 192.168.241.2
508*053f45beSAndroid Build Coastguard Worker[[ $(n2 wg show wg0 endpoints) == "$pub1	10.0.0.1:1" ]]
509*053f45beSAndroid Build Coastguard Workerip1 route add 10.0.0.0/24 dev veth3 src 10.0.0.3 metric 1
510*053f45beSAndroid Build Coastguard Workern1 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/veth1/rp_filter'
511*053f45beSAndroid Build Coastguard Workern2 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/veth4/rp_filter'
512*053f45beSAndroid Build Coastguard Workern1 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/all/rp_filter'
513*053f45beSAndroid Build Coastguard Workern2 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/all/rp_filter'
514*053f45beSAndroid Build Coastguard Workern1 ping -W 1 -c 1 192.168.241.2
515*053f45beSAndroid Build Coastguard Worker[[ $(n2 wg show wg0 endpoints) == "$pub1	10.0.0.3:1" ]]
516*053f45beSAndroid Build Coastguard Worker
517*053f45beSAndroid Build Coastguard Workerip1 link del veth1
518*053f45beSAndroid Build Coastguard Workerip1 link del veth3
519*053f45beSAndroid Build Coastguard Workerip1 link del wg0
520*053f45beSAndroid Build Coastguard Workerip2 link del wg0
521*053f45beSAndroid Build Coastguard Worker
522*053f45beSAndroid Build Coastguard Worker# We test that Netlink/IPC is working properly by doing things that usually cause split responses
523*053f45beSAndroid Build Coastguard Workerip0 link add dev wg0 type wireguard
524*053f45beSAndroid Build Coastguard Workerconfig=( "[Interface]" "PrivateKey=$(wg genkey)" "[Peer]" "PublicKey=$(wg genkey)" )
525*053f45beSAndroid Build Coastguard Workerfor a in {1..255}; do
526*053f45beSAndroid Build Coastguard Worker	for b in {0..255}; do
527*053f45beSAndroid Build Coastguard Worker		config+=( "AllowedIPs=$a.$b.0.0/16,$a::$b/128" )
528*053f45beSAndroid Build Coastguard Worker	done
529*053f45beSAndroid Build Coastguard Workerdone
530*053f45beSAndroid Build Coastguard Workern0 wg setconf wg0 <(printf '%s\n' "${config[@]}")
531*053f45beSAndroid Build Coastguard Workeri=0
532*053f45beSAndroid Build Coastguard Workerfor ip in $(n0 wg show wg0 allowed-ips); do
533*053f45beSAndroid Build Coastguard Worker	((++i))
534*053f45beSAndroid Build Coastguard Workerdone
535*053f45beSAndroid Build Coastguard Worker((i == 255*256*2+1))
536*053f45beSAndroid Build Coastguard Workerip0 link del wg0
537*053f45beSAndroid Build Coastguard Workerip0 link add dev wg0 type wireguard
538*053f45beSAndroid Build Coastguard Workerconfig=( "[Interface]" "PrivateKey=$(wg genkey)" )
539*053f45beSAndroid Build Coastguard Workerfor a in {1..40}; do
540*053f45beSAndroid Build Coastguard Worker	config+=( "[Peer]" "PublicKey=$(wg genkey)" )
541*053f45beSAndroid Build Coastguard Worker	for b in {1..52}; do
542*053f45beSAndroid Build Coastguard Worker		config+=( "AllowedIPs=$a.$b.0.0/16" )
543*053f45beSAndroid Build Coastguard Worker	done
544*053f45beSAndroid Build Coastguard Workerdone
545*053f45beSAndroid Build Coastguard Workern0 wg setconf wg0 <(printf '%s\n' "${config[@]}")
546*053f45beSAndroid Build Coastguard Workeri=0
547*053f45beSAndroid Build Coastguard Workerwhile read -r line; do
548*053f45beSAndroid Build Coastguard Worker	j=0
549*053f45beSAndroid Build Coastguard Worker	for ip in $line; do
550*053f45beSAndroid Build Coastguard Worker		((++j))
551*053f45beSAndroid Build Coastguard Worker	done
552*053f45beSAndroid Build Coastguard Worker	((j == 53))
553*053f45beSAndroid Build Coastguard Worker	((++i))
554*053f45beSAndroid Build Coastguard Workerdone < <(n0 wg show wg0 allowed-ips)
555*053f45beSAndroid Build Coastguard Worker((i == 40))
556*053f45beSAndroid Build Coastguard Workerip0 link del wg0
557*053f45beSAndroid Build Coastguard Workerip0 link add wg0 type wireguard
558*053f45beSAndroid Build Coastguard Workerconfig=( )
559*053f45beSAndroid Build Coastguard Workerfor i in {1..29}; do
560*053f45beSAndroid Build Coastguard Worker	config+=( "[Peer]" "PublicKey=$(wg genkey)" )
561*053f45beSAndroid Build Coastguard Workerdone
562*053f45beSAndroid Build Coastguard Workerconfig+=( "[Peer]" "PublicKey=$(wg genkey)" "AllowedIPs=255.2.3.4/32,abcd::255/128" )
563*053f45beSAndroid Build Coastguard Workern0 wg setconf wg0 <(printf '%s\n' "${config[@]}")
564*053f45beSAndroid Build Coastguard Workern0 wg showconf wg0 > /dev/null
565*053f45beSAndroid Build Coastguard Workerip0 link del wg0
566*053f45beSAndroid Build Coastguard Worker
567*053f45beSAndroid Build Coastguard Workerallowedips=( )
568*053f45beSAndroid Build Coastguard Workerfor i in {1..197}; do
569*053f45beSAndroid Build Coastguard Worker        allowedips+=( abcd::$i )
570*053f45beSAndroid Build Coastguard Workerdone
571*053f45beSAndroid Build Coastguard Workersaved_ifs="$IFS"
572*053f45beSAndroid Build Coastguard WorkerIFS=,
573*053f45beSAndroid Build Coastguard Workerallowedips="${allowedips[*]}"
574*053f45beSAndroid Build Coastguard WorkerIFS="$saved_ifs"
575*053f45beSAndroid Build Coastguard Workerip0 link add wg0 type wireguard
576*053f45beSAndroid Build Coastguard Workern0 wg set wg0 peer "$pub1"
577*053f45beSAndroid Build Coastguard Workern0 wg set wg0 peer "$pub2" allowed-ips "$allowedips"
578*053f45beSAndroid Build Coastguard Worker{
579*053f45beSAndroid Build Coastguard Worker	read -r pub allowedips
580*053f45beSAndroid Build Coastguard Worker	[[ $pub == "$pub1" && $allowedips == "(none)" ]]
581*053f45beSAndroid Build Coastguard Worker	read -r pub allowedips
582*053f45beSAndroid Build Coastguard Worker	[[ $pub == "$pub2" ]]
583*053f45beSAndroid Build Coastguard Worker	i=0
584*053f45beSAndroid Build Coastguard Worker	for _ in $allowedips; do
585*053f45beSAndroid Build Coastguard Worker		((++i))
586*053f45beSAndroid Build Coastguard Worker	done
587*053f45beSAndroid Build Coastguard Worker	((i == 197))
588*053f45beSAndroid Build Coastguard Worker} < <(n0 wg show wg0 allowed-ips)
589*053f45beSAndroid Build Coastguard Workerip0 link del wg0
590*053f45beSAndroid Build Coastguard Worker
591*053f45beSAndroid Build Coastguard Worker! n0 wg show doesnotexist || false
592*053f45beSAndroid Build Coastguard Worker
593*053f45beSAndroid Build Coastguard Workerip0 link add wg0 type wireguard
594*053f45beSAndroid Build Coastguard Workern0 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk")
595*053f45beSAndroid Build Coastguard Worker[[ $(n0 wg show wg0 private-key) == "$key1" ]]
596*053f45beSAndroid Build Coastguard Worker[[ $(n0 wg show wg0 preshared-keys) == "$pub2	$psk" ]]
597*053f45beSAndroid Build Coastguard Workern0 wg set wg0 private-key /dev/null peer "$pub2" preshared-key /dev/null
598*053f45beSAndroid Build Coastguard Worker[[ $(n0 wg show wg0 private-key) == "(none)" ]]
599*053f45beSAndroid Build Coastguard Worker[[ $(n0 wg show wg0 preshared-keys) == "$pub2	(none)" ]]
600*053f45beSAndroid Build Coastguard Workern0 wg set wg0 peer "$pub2"
601*053f45beSAndroid Build Coastguard Workern0 wg set wg0 private-key <(echo "$key2")
602*053f45beSAndroid Build Coastguard Worker[[ $(n0 wg show wg0 public-key) == "$pub2" ]]
603*053f45beSAndroid Build Coastguard Worker[[ -z $(n0 wg show wg0 peers) ]]
604*053f45beSAndroid Build Coastguard Workern0 wg set wg0 peer "$pub2"
605*053f45beSAndroid Build Coastguard Worker[[ -z $(n0 wg show wg0 peers) ]]
606*053f45beSAndroid Build Coastguard Workern0 wg set wg0 private-key <(echo "$key1")
607*053f45beSAndroid Build Coastguard Workern0 wg set wg0 peer "$pub2"
608*053f45beSAndroid Build Coastguard Worker[[ $(n0 wg show wg0 peers) == "$pub2" ]]
609*053f45beSAndroid Build Coastguard Workern0 wg set wg0 private-key <(echo "/${key1:1}")
610*053f45beSAndroid Build Coastguard Worker[[ $(n0 wg show wg0 private-key) == "+${key1:1}" ]]
611*053f45beSAndroid Build Coastguard Workern0 wg set wg0 peer "$pub2" allowed-ips 0.0.0.0/0,10.0.0.0/8,100.0.0.0/10,172.16.0.0/12,192.168.0.0/16
612*053f45beSAndroid Build Coastguard Workern0 wg set wg0 peer "$pub2" allowed-ips 0.0.0.0/0
613*053f45beSAndroid Build Coastguard Workern0 wg set wg0 peer "$pub2" allowed-ips ::/0,1700::/111,5000::/4,e000::/37,9000::/75
614*053f45beSAndroid Build Coastguard Workern0 wg set wg0 peer "$pub2" allowed-ips ::/0
615*053f45beSAndroid Build Coastguard Workern0 wg set wg0 peer "$pub2" remove
616*053f45beSAndroid Build Coastguard Workerfor low_order_point in AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA= 4Ot6fDtBuK4WVuP68Z/EatoJjeucMrH9hmIFFl9JuAA= X5yVvKNQjCSx0LFVnIPvWwREXMRYHI6G2CJO3dCfEVc= 7P///////////////////////////////////////38= 7f///////////////////////////////////////38= 7v///////////////////////////////////////38=; do
617*053f45beSAndroid Build Coastguard Worker	n0 wg set wg0 peer "$low_order_point" persistent-keepalive 1 endpoint 127.0.0.1:1111
618*053f45beSAndroid Build Coastguard Workerdone
619*053f45beSAndroid Build Coastguard Worker[[ -n $(n0 wg show wg0 peers) ]]
620*053f45beSAndroid Build Coastguard Workerexec 4< <(n0 ncat -l -u -p 1111)
621*053f45beSAndroid Build Coastguard Workerncat_pid=$!
622*053f45beSAndroid Build Coastguard Workerwaitncatudp $netns0 $ncat_pid
623*053f45beSAndroid Build Coastguard Workerip0 link set wg0 up
624*053f45beSAndroid Build Coastguard Worker! read -r -n 1 -t 2 <&4 || false
625*053f45beSAndroid Build Coastguard Workerkill $ncat_pid
626*053f45beSAndroid Build Coastguard Workerip0 link del wg0
627*053f45beSAndroid Build Coastguard Worker
628*053f45beSAndroid Build Coastguard Worker# Ensure that dst_cache references don't outlive netns lifetime
629*053f45beSAndroid Build Coastguard Workerip1 link add dev wg0 type wireguard
630*053f45beSAndroid Build Coastguard Workerip2 link add dev wg0 type wireguard
631*053f45beSAndroid Build Coastguard Workerconfigure_peers
632*053f45beSAndroid Build Coastguard Workerip1 link add veth1 type veth peer name veth2
633*053f45beSAndroid Build Coastguard Workerip1 link set veth2 netns $netns2
634*053f45beSAndroid Build Coastguard Workerip1 addr add fd00:aa::1/64 dev veth1
635*053f45beSAndroid Build Coastguard Workerip2 addr add fd00:aa::2/64 dev veth2
636*053f45beSAndroid Build Coastguard Workerip1 link set veth1 up
637*053f45beSAndroid Build Coastguard Workerip2 link set veth2 up
638*053f45beSAndroid Build Coastguard Workerwaitiface $netns1 veth1
639*053f45beSAndroid Build Coastguard Workerwaitiface $netns2 veth2
640*053f45beSAndroid Build Coastguard Workerip1 -6 route add default dev veth1 via fd00:aa::2
641*053f45beSAndroid Build Coastguard Workerip2 -6 route add default dev veth2 via fd00:aa::1
642*053f45beSAndroid Build Coastguard Workern1 wg set wg0 peer "$pub2" endpoint [fd00:aa::2]:2
643*053f45beSAndroid Build Coastguard Workern2 wg set wg0 peer "$pub1" endpoint [fd00:aa::1]:1
644*053f45beSAndroid Build Coastguard Workern1 ping6 -c 1 fd00::2
645*053f45beSAndroid Build Coastguard Workerpp ip netns delete $netns1
646*053f45beSAndroid Build Coastguard Workerpp ip netns delete $netns2
647*053f45beSAndroid Build Coastguard Workerpp ip netns add $netns1
648*053f45beSAndroid Build Coastguard Workerpp ip netns add $netns2
649*053f45beSAndroid Build Coastguard Worker
650*053f45beSAndroid Build Coastguard Worker# Ensure there aren't circular reference loops
651*053f45beSAndroid Build Coastguard Workerip1 link add wg1 type wireguard
652*053f45beSAndroid Build Coastguard Workerip2 link add wg2 type wireguard
653*053f45beSAndroid Build Coastguard Workerip1 link set wg1 netns $netns2
654*053f45beSAndroid Build Coastguard Workerip2 link set wg2 netns $netns1
655*053f45beSAndroid Build Coastguard Workerpp ip netns delete $netns1
656*053f45beSAndroid Build Coastguard Workerpp ip netns delete $netns2
657*053f45beSAndroid Build Coastguard Workerpp ip netns add $netns1
658*053f45beSAndroid Build Coastguard Workerpp ip netns add $netns2
659*053f45beSAndroid Build Coastguard Worker
660*053f45beSAndroid Build Coastguard Workersleep 2 # Wait for cleanup and grace periods
661*053f45beSAndroid Build Coastguard Workerdeclare -A objects
662*053f45beSAndroid Build Coastguard Workerwhile read -t 0.1 -r line 2>/dev/null || [[ $? -ne 142 ]]; do
663*053f45beSAndroid Build Coastguard Worker	[[ $line =~ .*(wg[0-9]+:\ [A-Z][a-z]+\ ?[0-9]*)\ .*(created|destroyed).* ]] || continue
664*053f45beSAndroid Build Coastguard Worker	objects["${BASH_REMATCH[1]}"]+="${BASH_REMATCH[2]}"
665*053f45beSAndroid Build Coastguard Workerdone < /dev/kmsg
666*053f45beSAndroid Build Coastguard Workeralldeleted=1
667*053f45beSAndroid Build Coastguard Workerfor object in "${!objects[@]}"; do
668*053f45beSAndroid Build Coastguard Worker	if [[ ${objects["$object"]} != *createddestroyed && ${objects["$object"]} != *createdcreateddestroyeddestroyed ]]; then
669*053f45beSAndroid Build Coastguard Worker		echo "Error: $object: merely ${objects["$object"]}" >&3
670*053f45beSAndroid Build Coastguard Worker		alldeleted=0
671*053f45beSAndroid Build Coastguard Worker	fi
672*053f45beSAndroid Build Coastguard Workerdone
673*053f45beSAndroid Build Coastguard Worker[[ $alldeleted -eq 1 ]]
674*053f45beSAndroid Build Coastguard Workerpretty "" "Objects that were created were also destroyed."
675