
2 # SPDX-License-Identifier: GPL-2.0
4 # Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
# Abort on the first failing command: every bare test command below is an
# assertion, not just a step.
24 set -e
# Namespace names carry this shell's PID so concurrent runs of the test do
# not collide with (or tear down) each other's namespaces.
29 netns0="wg-test-$$-0"
30 netns1="wg-test-$$-1"
31 netns2="wg-test-$$-2"
# Log a bold green "[+] ..." status line on fd 3 (the test's log channel).
#   $1  optional namespace index; rendered as "NSx: " when non-empty
#   $2  message text (passed through echo -e, so backslash escapes expand)
pretty() {
	local ns_prefix=""
	if [[ -n $1 ]]; then
		ns_prefix="NS$1: "
	fi
	echo -e "\x1b[32m\x1b[1m[+] ${ns_prefix}${2}\x1b[0m" >&3
}
# Run "$@", replacing the current process when we are not the main shell.
# In the top-level shell ($BASHPID == $$) the command is invoked normally so
# control returns to the caller; in a subshell (process substitution, "&")
# it is exec'd instead -- presumably so no idle bash wrapper is left in
# front of the child.
maybe_exec() {
	if [[ $BASHPID -ne $$ ]]; then
		exec "$@"
	fi
	"$@"
}
# Run an ip(8) command inside one of the test namespaces, logging it first.
#   $1  namespace index shown in the log line
#   $2  namespace name passed to "ip -n"
#   $@  (from $3) the ip command line
_ip_in() {
	local ns_idx=$1 ns_name=$2
	shift 2
	pretty "$ns_idx" "ip $*"
	ip -n "$ns_name" "$@"
}
ip0() { _ip_in 0 "$netns0" "$@"; }
ip1() { _ip_in 1 "$netns1" "$@"; }
ip2() { _ip_in 2 "$netns2" "$@"; }
# Shadow sleep(1) with a fork-free wait: let a single-byte read time out
# after $1 seconds.  "|| true" keeps the timeout status from tripping set -e.
# Note that any byte arriving on stdin ends the wait early (and lands in
# REPLY); presumably stdin is redirected from something that never delivers
# data here -- confirm at the call sites.
sleep() {
	local timeout=$1
	read -t "$timeout" -N 1 || true
}
42 waitiperf() { pretty "${1//*-}" "wait for iperf:5201 pid $2"; while [[ $(ss -N "$1" -tlpH 'sport = …
43 waitncatudp() { pretty "${1//*-}" "wait for udp:1111 pid $2"; while [[ $(ss -N "$1" -ulpH 'sport = …
44 …tty "${1//*-}" "wait for $2 to come up"; ip netns exec "$1" bash -c "while [[ \$(< \"/sys/class/ne…
57 [[ -n $to_kill ]] && kill $to_kill
# Loopback in the outer namespace must be up; later tests bind to 127/8
# addresses there.
74 ip0 link set up dev lo
# Under set -e this is an assertion: all three key values must be non-empty.
89 [[ -n $key1 && -n $key2 && -n $psk ]]
# Key material is handed to wg(8) through process substitution, so wg reads
# it from a /dev/fd path and the keys never appear on its command line (not
# in ps(1) or /proc/*/cmdline).  Each peer only accepts the other's single
# v4/v6 address as an inner source (cryptokey routing).  No comments are
# placed between the backslash-continued lines, as that would break them.
99 private-key <(echo "$key1") \
100 listen-port 1 \
102 preshared-key <(echo "$psk") \
103 allowed-ips 192.168.241.2/32,fd00::2/128
105 private-key <(echo "$key2") \
106 listen-port 2 \
108 preshared-key <(echo "$psk") \
109 allowed-ips 192.168.241.1/32,fd00::1/128
111 ip1 link set up dev wg0
112 ip2 link set up dev wg0
# Reachability in both directions over the tunnel, v4 then v6; a lost ping
# fails the script.
118 n2 ping -c 10 -f -W 1 192.168.241.1
119 n1 ping -c 10 -f -W 1 192.168.241.2
122 n2 ping6 -c 10 -f -W 1 fd00::1
123 n1 ping6 -c 10 -f -W 1 fd00::2
# Throughput sanity checks: one side runs a one-shot iperf3 server (-1) in
# the background, the other connects for 3 s -- TCP first, then UDP with
# "-b 0" (no bitrate cap).  Each direction/family is covered once.
126 n2 iperf3 -s -1 -B 192.168.241.2 &
128 n1 iperf3 -Z -t 3 -c 192.168.241.2
131 n1 iperf3 -s -1 -B fd00::1 &
133 n2 iperf3 -Z -t 3 -c fd00::1
136 n1 iperf3 -s -1 -B 192.168.241.1 &
138 n2 iperf3 -Z -t 3 -b 0 -u -c 192.168.241.1
141 n2 iperf3 -s -1 -B fd00::2 &
143 n1 iperf3 -Z -t 3 -b 0 -u -c fd00::2
# Read the current wg0 MTU and derive a much larger one from it.  A failed
# regex match does not abort here (the "&&" list is exempt from set -e);
# the arithmetic on the next line then fails on an empty $orig_mtu instead.
# 34816 is presumably the largest MTU the test wants to exercise -- confirm
# against the lines not shown in this listing.
146 [[ $(ip1 link show dev wg0) =~ mtu\ ([0-9]+) ]] && orig_mtu="${BASH_REMATCH[1]}"
147 big_mtu=$(( 34816 - 1500 + $orig_mtu ))
153 n2 ping -c 10 -f -W 1 192.168.241.1
# Pull the rx/tx byte counters out of "ip -stats link show" by positional
# reads (both lines truncated in this listing).
154 { read _; read _; read _; read rx_bytes _; read _; read tx_bytes _; } < <(ip2 -stats link show dev …
156 { read _; read _; read _; read rx_bytes _; read _; read tx_bytes _; } < <(ip1 -stats link show dev …
# Timestamp of the most recent completed handshake with the peer.
162 read _ timestamp < <(n1 wg show wg0 latest-handshakes)
181 # Test that route MTUs work with the padding
# Drop transport packets of one exact length in ns0 (where the tunnel's UDP
# traffic flows -- presumably; the interface setup is not in this listing).
# This is the size the encapsulated ping below would reach if padding used
# the device MTU instead of the per-route MTU set next.
186 n0 iptables -A INPUT -m length --length 1360 -j DROP
# A small MTU on the peer route only; the device MTU is left alone.
187 n1 ip route add 192.168.241.2/32 dev wg0 mtu 1299
188 n2 ip route add 192.168.241.1/32 dev wg0 mtu 1299
# 1269 bytes of payload + 8 ICMP + 20 IPv4 = 1297, just under the 1299 route
# MTU; the ping passes only if padding respected that limit.
189 n2 ping -c 1 -W 1 -s 1269 192.168.241.1
# Tear down.  "-F INPUT" wipes the whole chain, not just the rule above;
# acceptable only because ns0 is a throwaway test namespace.
190 n2 ip route delete 192.168.241.1/32 dev wg0 mtu 1299
191 n1 ip route delete 192.168.241.2/32 dev wg0 mtu 1299
192 n0 iptables -F INPUT
# Swap the canonical loopback address in ns0 for another 127/8 address;
# presumably the port changes below check that endpoints keep working when
# the transport source address is not 127.0.0.1 -- confirm against the
# surrounding (unlisted) lines.
198 ip0 -4 addr del 127.0.0.1/8 dev lo
199 ip0 -4 addr add 127.212.121.99/8 dev lo
# Changing the listen port must not break traffic: the peer is expected to
# pick up the new source port from the next packet it receives.
200 n1 wg set wg0 listen-port 9999
202 n1 ping6 -W 1 -c 1 fd00::2
206 n1 wg set wg0 listen-port 9998
208 n1 ping -W 1 -c 1 192.168.241.2
211 # Test that crypto-RP filter works
# Widen pub2's allowed-ips to the whole /24 and confirm a UDP datagram from
# n2 (inner source 192.168.241.2) is delivered: fd 4 reads the output of a
# UDP listener in ns1.
212 n1 wg set wg0 peer "$pub2" allowed-ips 192.168.241.0/24
213 exec 4< <(n1 ncat -l -u -p 1111)
216 n2 ncat -u 192.168.241.1 1111 <<<"X"
217 read -r -N 1 -t 1 out <&4 && [[ $out == "X" ]]
# Now hand the more specific 192.168.241.2/32 to a *different* key.  The
# negative assertion below relies on the /32 being exclusive to that peer:
# a decrypted packet from pub2 with that source no longer matches pub2's
# entry and must be dropped on the way in -- the cryptokey-routing
# reverse-path check this block is about.  The port change on n2 presumably
# forces fresh transport state -- confirm.
220 n1 wg set wg0 peer "$more_specific_key" allowed-ips 192.168.241.2/32
221 n2 wg set wg0 listen-port 9997
222 exec 4< <(n1 ncat -l -u -p 1111)
225 n2 ncat -u 192.168.241.1 1111 <<<"X"
# Nothing may arrive within 1 s.  "! cmd" on its own is exempt from set -e,
# so "|| false" is what actually aborts the script if a byte shows up.
226 ! read -r -N 1 -t 1 out <&4 || false
# Restore the original peer configuration on both sides (lines truncated).
232 n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk") allowed-ips 192…
233 n2 wg set wg0 private-key <(echo "$key2") listen-port 2 peer "$pub1" preshared-key <(echo "$psk") a…
234 n1 ping -W 1 -c 1 192.168.241.2
# Key rotation: n1 switches to key3, n2 learns pub3 with the same PSK (and,
# per the truncated tail of line 236, presumably removes pub1), after which
# traffic must flow again.
235 n1 wg set wg0 private-key <(echo "$key3")
236 n2 wg set wg0 peer "$pub3" preshared-key <(echo "$psk") allowed-ips 192.168.241.1/32 peer "$pub1" r…
237 n1 ping -W 1 -c 1 192.168.241.2
240 # Test that we can route wg through wg
# Outer tunnel wg0 (lines truncated) carries an inner tunnel wg1 with its
# own key pair (key3/key4) and a smaller MTU to leave room for the extra
# encapsulation.
245 n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk") allowed-ips fd0…
246 n2 wg set wg0 private-key <(echo "$key2") listen-port 2 peer "$pub1" preshared-key <(echo "$psk") a…
253 ip1 link set mtu 1340 up dev wg1
254 ip2 link set mtu 1340 up dev wg1
255 n1 wg set wg1 listen-port 5 private-key <(echo "$key3") peer "$pub4" allowed-ips 192.168.241.2/32,f…
256 n2 wg set wg1 listen-port 5 private-key <(echo "$key4") peer "$pub3" allowed-ips 192.168.241.1/32,f…
258 # Try to set up a routing loop between the two namespaces
# A plain ping from ns0 first; the loop itself is closed on lines 263-265,
# which this listing omits.  Once closed, the flood ping must fail (hence
# "! ... || false") and, more importantly, the kernel must not recurse or
# crash on the self-referencing route.
261 ip0 link set up dev wg1
262 n0 ping -W 1 -c 1 192.168.241.2
266 ! n0 ping -W 1 -c 10 -f 192.168.241.2 || false # Should not crash kernel
# NAT topology: judging by the names, ns0 acts as the router with one veth
# pair towards the client (vethrc/vethc, ns1) and one towards the server
# (vethrs/veths, ns2); ns1 defaults through the router.
291 ip0 link set vethrc up
292 ip0 link set vethrs up
296 ip1 link set vethc up
297 ip1 route add default via 192.168.1.1
299 ip2 link set veths up
# The router forwards and source-NATs the client subnet to 10.0.0.1, so n2
# only ever sees the router's address.  UDP conntrack timeouts are cut to
# 2 s so the NAT mapping lapses quickly unless something refreshes it.
305 n0 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
306 n0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout'
307 n0 bash -c 'printf 2 > /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream'
308 n0 iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.0.0.0/24 -j SNAT --to 10.0.0.1
# With a 1 s persistent keepalive from the client the mapping stays alive,
# so the server side (n2) can still initiate traffic towards n1 ...
310 n1 wg set wg0 peer "$pub2" endpoint 10.0.0.100:2 persistent-keepalive 1
311 n1 ping -W 1 -c 1 192.168.241.2
312 n2 ping -W 1 -c 1 192.168.241.1
314 …kets to n1, since persistent-keepalive will prevent connection tracking entry from expiring (to se…
316 n2 ping -W 1 -c 1 192.168.241.1
# ... and switching the keepalive off lets the mapping expire.
317 n1 wg set wg0 peer "$pub2" persistent-keepalive 0
# Sending with the socket bound to wg0 (-I) must still route correctly.
320 n1 ping -I wg0 -c 1 -W 1 192.168.241.2
# Same two cases with every outgoing packet fwmarked, to exercise mark
# handling on the unbound path and on the sk_bound_dev_if path.
322 n1 iptables -t mangle -I OUTPUT -j MARK --set-xmark 1
323 n1 ping -c 1 -W 1 192.168.241.2 # First the boring case
324 n1 ping -I wg0 -c 1 -W 1 192.168.241.2 # Then the sk_bound_dev_if case
325 n1 iptables -t mangle -D OUTPUT -j MARK --set-xmark 1
# Add a peer on n1's wg0 whose endpoint (192.168.241.2:5) is only reachable
# through wg0 itself; n2 answers on wg1 listening on port 5.  That nesting
# works (line 334).  After the lines not listed here the same ping must fail
# cleanly rather than recurse -- the kernel must survive it.
328 n1 wg set wg0 peer "$pub3" allowed-ips 192.168.242.2/32 endpoint 192.168.241.2:5
332 n2 wg set wg1 private-key <(echo "$key3") listen-port 5 peer "$pub1" allowed-ips 192.168.242.1/32
333 ip2 link set wg1 up
334 n1 ping -W 1 -c 1 192.168.242.2
337 ! n1 ping -W 1 -c 1 192.168.242.2 || false # Should not crash kernel
341 # Do a wg-quick(8)-style policy routing for the default route, making sure vethc has a v6 address t…
342 ip1 -6 addr add fc00::9/96 dev vethc
343 ip1 -6 route add default via fc00::1
344 ip2 -4 addr add 192.168.99.7/32 dev wg0
345 ip2 -6 addr add abab::1111/128 dev wg0
# wg0's own transport packets are marked 51820.  Everything *not* carrying
# that mark is sent to table 51820, whose only route is the default via
# wg0; "suppress_prefixlength 0" makes the main-table lookup ignore its
# default route, so only more specific main routes (the peer's real
# endpoint) can win.  Without the fwmark exclusion the encrypted packets
# would be routed back into wg0.
346 n1 wg set wg0 fwmark 51820 peer "$pub2" allowed-ips 192.168.99.7,abab::1111
347 ip1 -6 route add default dev wg0 table 51820
348 ip1 -6 rule add not fwmark 51820 table 51820
349 ip1 -6 rule add table main suppress_prefixlength 0
350 ip1 -4 route add default dev wg0 table 51820
351 ip1 -4 rule add not fwmark 51820 table 51820
352 ip1 -4 rule add table main suppress_prefixlength 0
354 n1 ping -W 1 -c 100 -f 192.168.99.7
355 n1 ping -W 1 -c 100 -f abab::1111
357 # Have ns2 NAT into wg0 packets from ns0, but return an icmp error along the right route.
# n2 masquerades ns0's traffic into the tunnel; n0 meanwhile drops anything
# on vethrs that does not come from 10.0.0.0/24 (an explicit reverse-path
# filter).  The ping from ns0 must fail, and the ICMP error must originate
# from 10.0.0.100 -- i.e. come back along the correct route.
358 n2 iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 192.168.241.0/24 -j SNAT --to 192.168.241.2
359 n0 iptables -t filter -A INPUT \! -s 10.0.0.0/24 -i vethrs -j DROP # Manual rpfilter just to be exp…
360 n2 bash -c 'printf 1 > /proc/sys/net/ipv4/ip_forward'
361 ip0 -4 route add 192.168.241.1 via 10.0.0.100
363 [[ $(! n0 ping -W 1 -c 1 192.168.241.1 || false) == *"From 10.0.0.100 icmp_seq=1 Destination Host U…
# Full-table flushes: fine in throwaway namespaces, never copy this pattern
# onto a host with other rules.
365 n0 iptables -t nat -F
366 n0 iptables -t filter -F
367 n2 iptables -t nat -F
# Turn off IPv6 duplicate-address detection in both namespaces so the v6
# addresses assigned on the following (unlisted) lines are usable at once
# instead of sitting in the tentative state.
390 n1 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/all/accept_dad'
391 n2 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/all/accept_dad'
392 n1 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/veth1/accept_dad'
393 n2 bash -c 'printf 0 > /proc/sys/net/ipv6/conf/veth2/accept_dad'
# With promote_secondaries, deleting a primary v4 address promotes a
# secondary on the same subnet rather than removing them all.
394 n1 bash -c 'printf 1 > /proc/sys/net/ipv4/conf/veth1/promote_secondaries'
401 ip1 link set veth1 up
402 ip2 link set veth2 up
# Each ping re-checks the tunnel after an address/route change made on the
# (unlisted) line just before it.
406 n1 ping -W 1 -c 1 192.168.241.2
409 n1 ping -W 1 -c 1 192.168.241.2
411 n1 ping -W 1 -c 1 192.168.241.2
414 n1 ping -W 1 -c 1 192.168.241.2
427 ip1 link set veth1 up
428 ip2 link set veth2 up
432 n2 ping -W 1 -c 1 192.168.241.1
435 n2 ping -W 1 -c 1 192.168.241.1
438 n2 ping -W 1 -c 1 192.168.241.1
441 n2 ping -W 1 -c 1 192.168.241.1
444 …t happens if the inbound destination address belongs to a different interface as the default route?
# dummy0 carries the inbound destination address while the default route
# points elsewhere; n2 reaches it through an explicit route on veth2.
447 ip1 link set dummy0 up
448 ip2 route add 10.50.0.0/24 dev veth2
450 n2 ping -W 1 -c 1 192.168.241.1
456 ip1 route flush dev veth1
457 ip2 route flush dev veth2
459 # Now we see what happens if another interface route takes precedence over an ongoing one
# Two parallel paths (veth1 and veth3); the lower metric wins, so the
# transport moves from veth1 to veth3 mid-session.
465 ip1 link set veth1 up
466 ip2 link set veth2 up
467 ip1 link set veth3 up
468 ip2 link set veth4 up
473 ip1 route flush dev veth1
474 ip1 route flush dev veth3
475 ip1 route add 10.0.0.0/24 dev veth1 src 10.0.0.1 metric 2
477 n1 ping -W 1 -c 1 192.168.241.2
479 ip1 route add 10.0.0.0/24 dev veth3 src 10.0.0.3 metric 1
# Reverse-path filtering is disabled only because this test deliberately
# makes replies use a different interface than the one the request came in
# on.  It is a test fixture, not a recommendation: keep rp_filter enabled
# on real hosts.
480 n1 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/veth1/rp_filter'
481 n2 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/veth4/rp_filter'
482 n1 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/all/rp_filter'
483 n2 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/all/rp_filter'
484 n1 ping -W 1 -c 1 192.168.241.2
# Walk the allowed-ips listing twice: word by word (the loop body is not in
# this listing), then line by line.
502 for ip in $(n0 wg show wg0 allowed-ips); do
517 while read -r line; do
524 done < <(n0 wg show wg0 allowed-ips)
# Set a prepared allowed-ips string and read back what "show" reports.
547 n0 wg set wg0 peer "$pub2" allowed-ips "$allowedips"
549 read -r pub allowedips
551 read -r pub allowedips
558 } < <(n0 wg show wg0 allowed-ips)
# Key round-trips: what was set is what "show" reports, and passing
# /dev/null (an empty key) clears both the private key and the peer's PSK.
564 n0 wg set wg0 private-key <(echo "$key1") peer "$pub2" preshared-key <(echo "$psk")
565 [[ $(n0 wg show wg0 private-key) == "$key1" ]]
566 [[ $(n0 wg show wg0 preshared-keys) == "$pub2 $psk" ]]
567 n0 wg set wg0 private-key /dev/null peer "$pub2" preshared-key /dev/null
568 [[ $(n0 wg show wg0 private-key) == "(none)" ]]
569 [[ $(n0 wg show wg0 preshared-keys) == "$pub2 (none)" ]]
# Setting key2 as our own private key derives pub2 as our public key, and a
# peer entry for our own public key must not survive that change.
571 n0 wg set wg0 private-key <(echo "$key2")
572 [[ $(n0 wg show wg0 public-key) == "$pub2" ]]
573 [[ -z $(n0 wg show wg0 peers) ]]
575 [[ -z $(n0 wg show wg0 peers) ]]
576 n0 wg set wg0 private-key <(echo "$key1")
# Private keys are clamped on input: the leading base64 '/' (0b111111)
# comes back as '+' (0b111110), i.e. bit 2 of the first byte was cleared,
# consistent with Curve25519 scalar clamping.  Only the first character is
# expected to differ, so key1 is presumably already clamped (wg genkey
# output) -- confirm.
579 n0 wg set wg0 private-key <(echo "/${key1:1}")
580 [[ $(n0 wg show wg0 private-key) == "+${key1:1}" ]]
# Overlapping / nested allowed-ips prefixes must be accepted and replaced
# cleanly, v4 and v6.
581 n0 wg set wg0 peer "$pub2" allowed-ips 0.0.0.0/0,10.0.0.0/8,100.0.0.0/10,172.16.0.0/12,192.168.0.0/…
582 n0 wg set wg0 peer "$pub2" allowed-ips 0.0.0.0/0
583 n0 wg set wg0 peer "$pub2" allowed-ips ::/0,1700::/111,5000::/4,e000::/37,9000::/75
584 n0 wg set wg0 peer "$pub2" allowed-ips ::/0
# Low-order-point check: a peer whose public key is a low-order point gets
# a 1 s keepalive and an endpoint that points at our own UDP listener.  The
# peer is accepted into the configuration, but once the link is up nothing
# may be sent to it within 2 s -- no handshake is initiated towards an
# invalid public key ("! ... || false" again makes the negative assertion
# fatal under set -e).
587 n0 wg set wg0 peer "$low_order_point" persistent-keepalive 1 endpoint 127.0.0.1:1111
589 [[ -n $(n0 wg show wg0 peers) ]]
590 exec 4< <(n0 ncat -l -u -p 1111)
593 ip0 link set wg0 up
594 ! read -r -n 1 -t 2 <&4 || false
# Collect "created"/"destroyed" events for wg objects from a log stream not
# shown here.  read(1) returns 142 (128 + SIGALRM) on timeout, so the loop
# ends only once the stream has been idle for 0.1 s; other read failures
# keep it going.  The final assertion (computed on unlisted lines) checks
# that every object created was also destroyed, i.e. nothing leaked.
609 declare -A objects
610 while read -t 0.1 -r line 2>/dev/null || [[ $? -ne 142 ]]; do
611 [[ $line =~ .*(wg[0-9]+:\ [A-Z][a-z]+\ ?[0-9]*)\ .*(created|destroyed).* ]] || continue
621 [[ $alldeleted -eq 1 ]]