xref: /openbmc/linux/tools/testing/selftests/net/ipsec.c (revision 360823a09426347ea8f232b0b0b5156d0aed0302)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * ipsec.c - Check xfrm on veth inside a net-ns.
4  * Copyright (c) 2018 Dmitry Safonov
5  */
6 
7 #define _GNU_SOURCE
8 
9 #include <arpa/inet.h>
10 #include <asm/types.h>
11 #include <errno.h>
12 #include <fcntl.h>
13 #include <limits.h>
14 #include <linux/limits.h>
15 #include <linux/netlink.h>
16 #include <linux/random.h>
17 #include <linux/rtnetlink.h>
18 #include <linux/veth.h>
19 #include <linux/xfrm.h>
20 #include <netinet/in.h>
21 #include <net/if.h>
22 #include <sched.h>
23 #include <stdbool.h>
24 #include <stdint.h>
25 #include <stdio.h>
26 #include <stdlib.h>
27 #include <string.h>
28 #include <sys/mman.h>
29 #include <sys/socket.h>
30 #include <sys/stat.h>
31 #include <sys/syscall.h>
32 #include <sys/types.h>
33 #include <sys/wait.h>
34 #include <time.h>
35 #include <unistd.h>
36 
37 #include "../kselftest.h"
38 
39 #define printk(fmt, ...)						\
40 	ksft_print_msg("%d[%u] " fmt "\n", getpid(), __LINE__, ##__VA_ARGS__)
41 
42 #define pr_err(fmt, ...)	printk(fmt ": %m", ##__VA_ARGS__)
43 
44 #define BUILD_BUG_ON(condition) ((void)sizeof(char[1 - 2*!!(condition)]))
45 
46 #define IPV4_STR_SZ	16	/* xxx.xxx.xxx.xxx is longest + \0 */
47 #define MAX_PAYLOAD	2048
48 #define XFRM_ALGO_KEY_BUF_SIZE	512
49 #define MAX_PROCESSES	(1 << 14) /* /16 mask divided by /30 subnets */
50 #define INADDR_A	((in_addr_t) 0x0a000000) /* 10.0.0.0 */
51 #define INADDR_B	((in_addr_t) 0xc0a80000) /* 192.168.0.0 */
52 
53 /* /30 mask for one veth connection */
54 #define PREFIX_LEN	30
55 #define child_ip(nr)	(4*nr + 1)
56 #define grchild_ip(nr)	(4*nr + 2)
57 
58 #define VETH_FMT	"ktst-%d"
59 #define VETH_LEN	12
60 
61 #define XFRM_ALGO_NR_KEYS 29
62 
63 static int nsfd_parent	= -1;
64 static int nsfd_childa	= -1;
65 static int nsfd_childb	= -1;
66 static long page_size;
67 
68 /*
69  * ksft_cnt is static in kselftest, so isn't shared with children.
70  * We have to send a test result back to parent and count there.
71  * results_fd is a pipe with test feedback from children.
72  */
73 static int results_fd[2];
74 
75 const unsigned int ping_delay_nsec	= 50 * 1000 * 1000;
76 const unsigned int ping_timeout		= 300;
77 const unsigned int ping_count		= 100;
78 const unsigned int ping_success		= 80;
79 
80 struct xfrm_key_entry {
81 	char algo_name[35];
82 	int key_len;
83 };
84 
85 struct xfrm_key_entry xfrm_key_entries[] = {
86 	{"digest_null", 0},
87 	{"ecb(cipher_null)", 0},
88 	{"cbc(des)", 64},
89 	{"hmac(md5)", 128},
90 	{"cmac(aes)", 128},
91 	{"xcbc(aes)", 128},
92 	{"cbc(cast5)", 128},
93 	{"cbc(serpent)", 128},
94 	{"hmac(sha1)", 160},
95 	{"hmac(rmd160)", 160},
96 	{"cbc(des3_ede)", 192},
97 	{"hmac(sha256)", 256},
98 	{"cbc(aes)", 256},
99 	{"cbc(camellia)", 256},
100 	{"cbc(twofish)", 256},
101 	{"rfc3686(ctr(aes))", 288},
102 	{"hmac(sha384)", 384},
103 	{"cbc(blowfish)", 448},
104 	{"hmac(sha512)", 512},
105 	{"rfc4106(gcm(aes))-128", 160},
106 	{"rfc4543(gcm(aes))-128", 160},
107 	{"rfc4309(ccm(aes))-128", 152},
108 	{"rfc4106(gcm(aes))-192", 224},
109 	{"rfc4543(gcm(aes))-192", 224},
110 	{"rfc4309(ccm(aes))-192", 216},
111 	{"rfc4106(gcm(aes))-256", 288},
112 	{"rfc4543(gcm(aes))-256", 288},
113 	{"rfc4309(ccm(aes))-256", 280},
114 	{"rfc7539(chacha20,poly1305)-128", 0}
115 };
116 
randomize_buffer(void * buf,size_t buflen)117 static void randomize_buffer(void *buf, size_t buflen)
118 {
119 	int *p = (int *)buf;
120 	size_t words = buflen / sizeof(int);
121 	size_t leftover = buflen % sizeof(int);
122 
123 	if (!buflen)
124 		return;
125 
126 	while (words--)
127 		*p++ = rand();
128 
129 	if (leftover) {
130 		int tmp = rand();
131 
132 		memcpy(buf + buflen - leftover, &tmp, leftover);
133 	}
134 
135 	return;
136 }
137 
unshare_open(void)138 static int unshare_open(void)
139 {
140 	const char *netns_path = "/proc/self/ns/net";
141 	int fd;
142 
143 	if (unshare(CLONE_NEWNET) != 0) {
144 		pr_err("unshare()");
145 		return -1;
146 	}
147 
148 	fd = open(netns_path, O_RDONLY);
149 	if (fd <= 0) {
150 		pr_err("open(%s)", netns_path);
151 		return -1;
152 	}
153 
154 	return fd;
155 }
156 
switch_ns(int fd)157 static int switch_ns(int fd)
158 {
159 	if (setns(fd, CLONE_NEWNET)) {
160 		pr_err("setns()");
161 		return -1;
162 	}
163 	return 0;
164 }
165 
166 /*
167  * Running the test inside a new parent net namespace to bother less
168  * about cleanup on error-path.
169  */
init_namespaces(void)170 static int init_namespaces(void)
171 {
172 	nsfd_parent = unshare_open();
173 	if (nsfd_parent <= 0)
174 		return -1;
175 
176 	nsfd_childa = unshare_open();
177 	if (nsfd_childa <= 0)
178 		return -1;
179 
180 	if (switch_ns(nsfd_parent))
181 		return -1;
182 
183 	nsfd_childb = unshare_open();
184 	if (nsfd_childb <= 0)
185 		return -1;
186 
187 	if (switch_ns(nsfd_parent))
188 		return -1;
189 	return 0;
190 }
191 
netlink_sock(int * sock,uint32_t * seq_nr,int proto)192 static int netlink_sock(int *sock, uint32_t *seq_nr, int proto)
193 {
194 	if (*sock > 0) {
195 		seq_nr++;
196 		return 0;
197 	}
198 
199 	*sock = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, proto);
200 	if (*sock <= 0) {
201 		pr_err("socket(AF_NETLINK)");
202 		return -1;
203 	}
204 
205 	randomize_buffer(seq_nr, sizeof(*seq_nr));
206 
207 	return 0;
208 }
209 
rtattr_hdr(struct nlmsghdr * nh)210 static inline struct rtattr *rtattr_hdr(struct nlmsghdr *nh)
211 {
212 	return (struct rtattr *)((char *)(nh) + RTA_ALIGN((nh)->nlmsg_len));
213 }
214 
rtattr_pack(struct nlmsghdr * nh,size_t req_sz,unsigned short rta_type,const void * payload,size_t size)215 static int rtattr_pack(struct nlmsghdr *nh, size_t req_sz,
216 		unsigned short rta_type, const void *payload, size_t size)
217 {
218 	/* NLMSG_ALIGNTO == RTA_ALIGNTO, nlmsg_len already aligned */
219 	struct rtattr *attr = rtattr_hdr(nh);
220 	size_t nl_size = RTA_ALIGN(nh->nlmsg_len) + RTA_LENGTH(size);
221 
222 	if (req_sz < nl_size) {
223 		printk("req buf is too small: %zu < %zu", req_sz, nl_size);
224 		return -1;
225 	}
226 	nh->nlmsg_len = nl_size;
227 
228 	attr->rta_len = RTA_LENGTH(size);
229 	attr->rta_type = rta_type;
230 	if (payload)
231 		memcpy(RTA_DATA(attr), payload, size);
232 
233 	return 0;
234 }
235 
_rtattr_begin(struct nlmsghdr * nh,size_t req_sz,unsigned short rta_type,const void * payload,size_t size)236 static struct rtattr *_rtattr_begin(struct nlmsghdr *nh, size_t req_sz,
237 		unsigned short rta_type, const void *payload, size_t size)
238 {
239 	struct rtattr *ret = rtattr_hdr(nh);
240 
241 	if (rtattr_pack(nh, req_sz, rta_type, payload, size))
242 		return 0;
243 
244 	return ret;
245 }
246 
rtattr_begin(struct nlmsghdr * nh,size_t req_sz,unsigned short rta_type)247 static inline struct rtattr *rtattr_begin(struct nlmsghdr *nh, size_t req_sz,
248 		unsigned short rta_type)
249 {
250 	return _rtattr_begin(nh, req_sz, rta_type, 0, 0);
251 }
252 
rtattr_end(struct nlmsghdr * nh,struct rtattr * attr)253 static inline void rtattr_end(struct nlmsghdr *nh, struct rtattr *attr)
254 {
255 	char *nlmsg_end = (char *)nh + nh->nlmsg_len;
256 
257 	attr->rta_len = nlmsg_end - (char *)attr;
258 }
259 
veth_pack_peerb(struct nlmsghdr * nh,size_t req_sz,const char * peer,int ns)260 static int veth_pack_peerb(struct nlmsghdr *nh, size_t req_sz,
261 		const char *peer, int ns)
262 {
263 	struct ifinfomsg pi;
264 	struct rtattr *peer_attr;
265 
266 	memset(&pi, 0, sizeof(pi));
267 	pi.ifi_family	= AF_UNSPEC;
268 	pi.ifi_change	= 0xFFFFFFFF;
269 
270 	peer_attr = _rtattr_begin(nh, req_sz, VETH_INFO_PEER, &pi, sizeof(pi));
271 	if (!peer_attr)
272 		return -1;
273 
274 	if (rtattr_pack(nh, req_sz, IFLA_IFNAME, peer, strlen(peer)))
275 		return -1;
276 
277 	if (rtattr_pack(nh, req_sz, IFLA_NET_NS_FD, &ns, sizeof(ns)))
278 		return -1;
279 
280 	rtattr_end(nh, peer_attr);
281 
282 	return 0;
283 }
284 
netlink_check_answer(int sock)285 static int netlink_check_answer(int sock)
286 {
287 	struct nlmsgerror {
288 		struct nlmsghdr hdr;
289 		int error;
290 		struct nlmsghdr orig_msg;
291 	} answer;
292 
293 	if (recv(sock, &answer, sizeof(answer), 0) < 0) {
294 		pr_err("recv()");
295 		return -1;
296 	} else if (answer.hdr.nlmsg_type != NLMSG_ERROR) {
297 		printk("expected NLMSG_ERROR, got %d", (int)answer.hdr.nlmsg_type);
298 		return -1;
299 	} else if (answer.error) {
300 		printk("NLMSG_ERROR: %d: %s",
301 			answer.error, strerror(-answer.error));
302 		return answer.error;
303 	}
304 
305 	return 0;
306 }
307 
veth_add(int sock,uint32_t seq,const char * peera,int ns_a,const char * peerb,int ns_b)308 static int veth_add(int sock, uint32_t seq, const char *peera, int ns_a,
309 		const char *peerb, int ns_b)
310 {
311 	uint16_t flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_EXCL | NLM_F_CREATE;
312 	struct {
313 		struct nlmsghdr		nh;
314 		struct ifinfomsg	info;
315 		char			attrbuf[MAX_PAYLOAD];
316 	} req;
317 	const char veth_type[] = "veth";
318 	struct rtattr *link_info, *info_data;
319 
320 	memset(&req, 0, sizeof(req));
321 	req.nh.nlmsg_len	= NLMSG_LENGTH(sizeof(req.info));
322 	req.nh.nlmsg_type	= RTM_NEWLINK;
323 	req.nh.nlmsg_flags	= flags;
324 	req.nh.nlmsg_seq	= seq;
325 	req.info.ifi_family	= AF_UNSPEC;
326 	req.info.ifi_change	= 0xFFFFFFFF;
327 
328 	if (rtattr_pack(&req.nh, sizeof(req), IFLA_IFNAME, peera, strlen(peera)))
329 		return -1;
330 
331 	if (rtattr_pack(&req.nh, sizeof(req), IFLA_NET_NS_FD, &ns_a, sizeof(ns_a)))
332 		return -1;
333 
334 	link_info = rtattr_begin(&req.nh, sizeof(req), IFLA_LINKINFO);
335 	if (!link_info)
336 		return -1;
337 
338 	if (rtattr_pack(&req.nh, sizeof(req), IFLA_INFO_KIND, veth_type, sizeof(veth_type)))
339 		return -1;
340 
341 	info_data = rtattr_begin(&req.nh, sizeof(req), IFLA_INFO_DATA);
342 	if (!info_data)
343 		return -1;
344 
345 	if (veth_pack_peerb(&req.nh, sizeof(req), peerb, ns_b))
346 		return -1;
347 
348 	rtattr_end(&req.nh, info_data);
349 	rtattr_end(&req.nh, link_info);
350 
351 	if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
352 		pr_err("send()");
353 		return -1;
354 	}
355 	return netlink_check_answer(sock);
356 }
357 
ip4_addr_set(int sock,uint32_t seq,const char * intf,struct in_addr addr,uint8_t prefix)358 static int ip4_addr_set(int sock, uint32_t seq, const char *intf,
359 		struct in_addr addr, uint8_t prefix)
360 {
361 	uint16_t flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_EXCL | NLM_F_CREATE;
362 	struct {
363 		struct nlmsghdr		nh;
364 		struct ifaddrmsg	info;
365 		char			attrbuf[MAX_PAYLOAD];
366 	} req;
367 
368 	memset(&req, 0, sizeof(req));
369 	req.nh.nlmsg_len	= NLMSG_LENGTH(sizeof(req.info));
370 	req.nh.nlmsg_type	= RTM_NEWADDR;
371 	req.nh.nlmsg_flags	= flags;
372 	req.nh.nlmsg_seq	= seq;
373 	req.info.ifa_family	= AF_INET;
374 	req.info.ifa_prefixlen	= prefix;
375 	req.info.ifa_index	= if_nametoindex(intf);
376 
377 #ifdef DEBUG
378 	{
379 		char addr_str[IPV4_STR_SZ] = {};
380 
381 		strncpy(addr_str, inet_ntoa(addr), IPV4_STR_SZ - 1);
382 
383 		printk("ip addr set %s", addr_str);
384 	}
385 #endif
386 
387 	if (rtattr_pack(&req.nh, sizeof(req), IFA_LOCAL, &addr, sizeof(addr)))
388 		return -1;
389 
390 	if (rtattr_pack(&req.nh, sizeof(req), IFA_ADDRESS, &addr, sizeof(addr)))
391 		return -1;
392 
393 	if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
394 		pr_err("send()");
395 		return -1;
396 	}
397 	return netlink_check_answer(sock);
398 }
399 
link_set_up(int sock,uint32_t seq,const char * intf)400 static int link_set_up(int sock, uint32_t seq, const char *intf)
401 {
402 	struct {
403 		struct nlmsghdr		nh;
404 		struct ifinfomsg	info;
405 		char			attrbuf[MAX_PAYLOAD];
406 	} req;
407 
408 	memset(&req, 0, sizeof(req));
409 	req.nh.nlmsg_len	= NLMSG_LENGTH(sizeof(req.info));
410 	req.nh.nlmsg_type	= RTM_NEWLINK;
411 	req.nh.nlmsg_flags	= NLM_F_REQUEST | NLM_F_ACK;
412 	req.nh.nlmsg_seq	= seq;
413 	req.info.ifi_family	= AF_UNSPEC;
414 	req.info.ifi_change	= 0xFFFFFFFF;
415 	req.info.ifi_index	= if_nametoindex(intf);
416 	req.info.ifi_flags	= IFF_UP;
417 	req.info.ifi_change	= IFF_UP;
418 
419 	if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
420 		pr_err("send()");
421 		return -1;
422 	}
423 	return netlink_check_answer(sock);
424 }
425 
ip4_route_set(int sock,uint32_t seq,const char * intf,struct in_addr src,struct in_addr dst)426 static int ip4_route_set(int sock, uint32_t seq, const char *intf,
427 		struct in_addr src, struct in_addr dst)
428 {
429 	struct {
430 		struct nlmsghdr	nh;
431 		struct rtmsg	rt;
432 		char		attrbuf[MAX_PAYLOAD];
433 	} req;
434 	unsigned int index = if_nametoindex(intf);
435 
436 	memset(&req, 0, sizeof(req));
437 	req.nh.nlmsg_len	= NLMSG_LENGTH(sizeof(req.rt));
438 	req.nh.nlmsg_type	= RTM_NEWROUTE;
439 	req.nh.nlmsg_flags	= NLM_F_REQUEST | NLM_F_ACK | NLM_F_CREATE;
440 	req.nh.nlmsg_seq	= seq;
441 	req.rt.rtm_family	= AF_INET;
442 	req.rt.rtm_dst_len	= 32;
443 	req.rt.rtm_table	= RT_TABLE_MAIN;
444 	req.rt.rtm_protocol	= RTPROT_BOOT;
445 	req.rt.rtm_scope	= RT_SCOPE_LINK;
446 	req.rt.rtm_type		= RTN_UNICAST;
447 
448 	if (rtattr_pack(&req.nh, sizeof(req), RTA_DST, &dst, sizeof(dst)))
449 		return -1;
450 
451 	if (rtattr_pack(&req.nh, sizeof(req), RTA_PREFSRC, &src, sizeof(src)))
452 		return -1;
453 
454 	if (rtattr_pack(&req.nh, sizeof(req), RTA_OIF, &index, sizeof(index)))
455 		return -1;
456 
457 	if (send(sock, &req, req.nh.nlmsg_len, 0) < 0) {
458 		pr_err("send()");
459 		return -1;
460 	}
461 
462 	return netlink_check_answer(sock);
463 }
464 
tunnel_set_route(int route_sock,uint32_t * route_seq,char * veth,struct in_addr tunsrc,struct in_addr tundst)465 static int tunnel_set_route(int route_sock, uint32_t *route_seq, char *veth,
466 		struct in_addr tunsrc, struct in_addr tundst)
467 {
468 	if (ip4_addr_set(route_sock, (*route_seq)++, "lo",
469 			tunsrc, PREFIX_LEN)) {
470 		printk("Failed to set ipv4 addr");
471 		return -1;
472 	}
473 
474 	if (ip4_route_set(route_sock, (*route_seq)++, veth, tunsrc, tundst)) {
475 		printk("Failed to set ipv4 route");
476 		return -1;
477 	}
478 
479 	return 0;
480 }
481 
init_child(int nsfd,char * veth,unsigned int src,unsigned int dst)482 static int init_child(int nsfd, char *veth, unsigned int src, unsigned int dst)
483 {
484 	struct in_addr intsrc = inet_makeaddr(INADDR_B, src);
485 	struct in_addr tunsrc = inet_makeaddr(INADDR_A, src);
486 	struct in_addr tundst = inet_makeaddr(INADDR_A, dst);
487 	int route_sock = -1, ret = -1;
488 	uint32_t route_seq;
489 
490 	if (switch_ns(nsfd))
491 		return -1;
492 
493 	if (netlink_sock(&route_sock, &route_seq, NETLINK_ROUTE)) {
494 		printk("Failed to open netlink route socket in child");
495 		return -1;
496 	}
497 
498 	if (ip4_addr_set(route_sock, route_seq++, veth, intsrc, PREFIX_LEN)) {
499 		printk("Failed to set ipv4 addr");
500 		goto err;
501 	}
502 
503 	if (link_set_up(route_sock, route_seq++, veth)) {
504 		printk("Failed to bring up %s", veth);
505 		goto err;
506 	}
507 
508 	if (tunnel_set_route(route_sock, &route_seq, veth, tunsrc, tundst)) {
509 		printk("Failed to add tunnel route on %s", veth);
510 		goto err;
511 	}
512 	ret = 0;
513 
514 err:
515 	close(route_sock);
516 	return ret;
517 }
518 
519 #define ALGO_LEN	64
520 enum desc_type {
521 	CREATE_TUNNEL	= 0,
522 	ALLOCATE_SPI,
523 	MONITOR_ACQUIRE,
524 	EXPIRE_STATE,
525 	EXPIRE_POLICY,
526 	SPDINFO_ATTRS,
527 };
528 const char *desc_name[] = {
529 	"create tunnel",
530 	"alloc spi",
531 	"monitor acquire",
532 	"expire state",
533 	"expire policy",
534 	"spdinfo attributes",
535 	""
536 };
537 struct xfrm_desc {
538 	enum desc_type	type;
539 	uint8_t		proto;
540 	char		a_algo[ALGO_LEN];
541 	char		e_algo[ALGO_LEN];
542 	char		c_algo[ALGO_LEN];
543 	char		ae_algo[ALGO_LEN];
544 	unsigned int	icv_len;
545 	/* unsigned key_len; */
546 };
547 
548 enum msg_type {
549 	MSG_ACK		= 0,
550 	MSG_EXIT,
551 	MSG_PING,
552 	MSG_XFRM_PREPARE,
553 	MSG_XFRM_ADD,
554 	MSG_XFRM_DEL,
555 	MSG_XFRM_CLEANUP,
556 };
557 
558 struct test_desc {
559 	enum msg_type type;
560 	union {
561 		struct {
562 			in_addr_t reply_ip;
563 			unsigned int port;
564 		} ping;
565 		struct xfrm_desc xfrm_desc;
566 	} body;
567 };
568 
569 struct test_result {
570 	struct xfrm_desc desc;
571 	unsigned int res;
572 };
573 
write_test_result(unsigned int res,struct xfrm_desc * d)574 static void write_test_result(unsigned int res, struct xfrm_desc *d)
575 {
576 	struct test_result tr = {};
577 	ssize_t ret;
578 
579 	tr.desc = *d;
580 	tr.res = res;
581 
582 	ret = write(results_fd[1], &tr, sizeof(tr));
583 	if (ret != sizeof(tr))
584 		pr_err("Failed to write the result in pipe %zd", ret);
585 }
586 
write_msg(int fd,struct test_desc * msg,bool exit_of_fail)587 static void write_msg(int fd, struct test_desc *msg, bool exit_of_fail)
588 {
589 	ssize_t bytes = write(fd, msg, sizeof(*msg));
590 
591 	/* Make sure that write/read is atomic to a pipe */
592 	BUILD_BUG_ON(sizeof(struct test_desc) > PIPE_BUF);
593 
594 	if (bytes < 0) {
595 		pr_err("write()");
596 		if (exit_of_fail)
597 			exit(KSFT_FAIL);
598 	}
599 	if (bytes != sizeof(*msg)) {
600 		pr_err("sent part of the message %zd/%zu", bytes, sizeof(*msg));
601 		if (exit_of_fail)
602 			exit(KSFT_FAIL);
603 	}
604 }
605 
read_msg(int fd,struct test_desc * msg,bool exit_of_fail)606 static void read_msg(int fd, struct test_desc *msg, bool exit_of_fail)
607 {
608 	ssize_t bytes = read(fd, msg, sizeof(*msg));
609 
610 	if (bytes < 0) {
611 		pr_err("read()");
612 		if (exit_of_fail)
613 			exit(KSFT_FAIL);
614 	}
615 	if (bytes != sizeof(*msg)) {
616 		pr_err("got incomplete message %zd/%zu", bytes, sizeof(*msg));
617 		if (exit_of_fail)
618 			exit(KSFT_FAIL);
619 	}
620 }
621 
udp_ping_init(struct in_addr listen_ip,unsigned int u_timeout,unsigned int * server_port,int sock[2])622 static int udp_ping_init(struct in_addr listen_ip, unsigned int u_timeout,
623 		unsigned int *server_port, int sock[2])
624 {
625 	struct sockaddr_in server;
626 	struct timeval t = { .tv_sec = 0, .tv_usec = u_timeout };
627 	socklen_t s_len = sizeof(server);
628 
629 	sock[0] = socket(AF_INET, SOCK_DGRAM, 0);
630 	if (sock[0] < 0) {
631 		pr_err("socket()");
632 		return -1;
633 	}
634 
635 	server.sin_family	= AF_INET;
636 	server.sin_port		= 0;
637 	memcpy(&server.sin_addr.s_addr, &listen_ip, sizeof(struct in_addr));
638 
639 	if (bind(sock[0], (struct sockaddr *)&server, s_len)) {
640 		pr_err("bind()");
641 		goto err_close_server;
642 	}
643 
644 	if (getsockname(sock[0], (struct sockaddr *)&server, &s_len)) {
645 		pr_err("getsockname()");
646 		goto err_close_server;
647 	}
648 
649 	*server_port = ntohs(server.sin_port);
650 
651 	if (setsockopt(sock[0], SOL_SOCKET, SO_RCVTIMEO, (const char *)&t, sizeof t)) {
652 		pr_err("setsockopt()");
653 		goto err_close_server;
654 	}
655 
656 	sock[1] = socket(AF_INET, SOCK_DGRAM, 0);
657 	if (sock[1] < 0) {
658 		pr_err("socket()");
659 		goto err_close_server;
660 	}
661 
662 	return 0;
663 
664 err_close_server:
665 	close(sock[0]);
666 	return -1;
667 }
668 
udp_ping_send(int sock[2],in_addr_t dest_ip,unsigned int port,char * buf,size_t buf_len)669 static int udp_ping_send(int sock[2], in_addr_t dest_ip, unsigned int port,
670 		char *buf, size_t buf_len)
671 {
672 	struct sockaddr_in server;
673 	const struct sockaddr *dest_addr = (struct sockaddr *)&server;
674 	char *sock_buf[buf_len];
675 	ssize_t r_bytes, s_bytes;
676 
677 	server.sin_family	= AF_INET;
678 	server.sin_port		= htons(port);
679 	server.sin_addr.s_addr	= dest_ip;
680 
681 	s_bytes = sendto(sock[1], buf, buf_len, 0, dest_addr, sizeof(server));
682 	if (s_bytes < 0) {
683 		pr_err("sendto()");
684 		return -1;
685 	} else if (s_bytes != buf_len) {
686 		printk("send part of the message: %zd/%zu", s_bytes, sizeof(server));
687 		return -1;
688 	}
689 
690 	r_bytes = recv(sock[0], sock_buf, buf_len, 0);
691 	if (r_bytes < 0) {
692 		if (errno != EAGAIN)
693 			pr_err("recv()");
694 		return -1;
695 	} else if (r_bytes == 0) { /* EOF */
696 		printk("EOF on reply to ping");
697 		return -1;
698 	} else if (r_bytes != buf_len || memcmp(buf, sock_buf, buf_len)) {
699 		printk("ping reply packet is corrupted %zd/%zu", r_bytes, buf_len);
700 		return -1;
701 	}
702 
703 	return 0;
704 }
705 
udp_ping_reply(int sock[2],in_addr_t dest_ip,unsigned int port,char * buf,size_t buf_len)706 static int udp_ping_reply(int sock[2], in_addr_t dest_ip, unsigned int port,
707 		char *buf, size_t buf_len)
708 {
709 	struct sockaddr_in server;
710 	const struct sockaddr *dest_addr = (struct sockaddr *)&server;
711 	char *sock_buf[buf_len];
712 	ssize_t r_bytes, s_bytes;
713 
714 	server.sin_family	= AF_INET;
715 	server.sin_port		= htons(port);
716 	server.sin_addr.s_addr	= dest_ip;
717 
718 	r_bytes = recv(sock[0], sock_buf, buf_len, 0);
719 	if (r_bytes < 0) {
720 		if (errno != EAGAIN)
721 			pr_err("recv()");
722 		return -1;
723 	}
724 	if (r_bytes == 0) { /* EOF */
725 		printk("EOF on reply to ping");
726 		return -1;
727 	}
728 	if (r_bytes != buf_len || memcmp(buf, sock_buf, buf_len)) {
729 		printk("ping reply packet is corrupted %zd/%zu", r_bytes, buf_len);
730 		return -1;
731 	}
732 
733 	s_bytes = sendto(sock[1], buf, buf_len, 0, dest_addr, sizeof(server));
734 	if (s_bytes < 0) {
735 		pr_err("sendto()");
736 		return -1;
737 	} else if (s_bytes != buf_len) {
738 		printk("send part of the message: %zd/%zu", s_bytes, sizeof(server));
739 		return -1;
740 	}
741 
742 	return 0;
743 }
744 
745 typedef int (*ping_f)(int sock[2], in_addr_t dest_ip, unsigned int port,
746 		char *buf, size_t buf_len);
do_ping(int cmd_fd,char * buf,size_t buf_len,struct in_addr from,bool init_side,int d_port,in_addr_t to,ping_f func)747 static int do_ping(int cmd_fd, char *buf, size_t buf_len, struct in_addr from,
748 		bool init_side, int d_port, in_addr_t to, ping_f func)
749 {
750 	struct test_desc msg;
751 	unsigned int s_port, i, ping_succeeded = 0;
752 	int ping_sock[2];
753 	char to_str[IPV4_STR_SZ] = {}, from_str[IPV4_STR_SZ] = {};
754 
755 	if (udp_ping_init(from, ping_timeout, &s_port, ping_sock)) {
756 		printk("Failed to init ping");
757 		return -1;
758 	}
759 
760 	memset(&msg, 0, sizeof(msg));
761 	msg.type		= MSG_PING;
762 	msg.body.ping.port	= s_port;
763 	memcpy(&msg.body.ping.reply_ip, &from, sizeof(from));
764 
765 	write_msg(cmd_fd, &msg, 0);
766 	if (init_side) {
767 		/* The other end sends ip to ping */
768 		read_msg(cmd_fd, &msg, 0);
769 		if (msg.type != MSG_PING)
770 			return -1;
771 		to = msg.body.ping.reply_ip;
772 		d_port = msg.body.ping.port;
773 	}
774 
775 	for (i = 0; i < ping_count ; i++) {
776 		struct timespec sleep_time = {
777 			.tv_sec = 0,
778 			.tv_nsec = ping_delay_nsec,
779 		};
780 
781 		ping_succeeded += !func(ping_sock, to, d_port, buf, page_size);
782 		nanosleep(&sleep_time, 0);
783 	}
784 
785 	close(ping_sock[0]);
786 	close(ping_sock[1]);
787 
788 	strncpy(to_str, inet_ntoa(*(struct in_addr *)&to), IPV4_STR_SZ - 1);
789 	strncpy(from_str, inet_ntoa(from), IPV4_STR_SZ - 1);
790 
791 	if (ping_succeeded < ping_success) {
792 		printk("ping (%s) %s->%s failed %u/%u times",
793 			init_side ? "send" : "reply", from_str, to_str,
794 			ping_count - ping_succeeded, ping_count);
795 		return -1;
796 	}
797 
798 #ifdef DEBUG
799 	printk("ping (%s) %s->%s succeeded %u/%u times",
800 		init_side ? "send" : "reply", from_str, to_str,
801 		ping_succeeded, ping_count);
802 #endif
803 
804 	return 0;
805 }
806 
xfrm_fill_key(char * name,char * buf,size_t buf_len,unsigned int * key_len)807 static int xfrm_fill_key(char *name, char *buf,
808 		size_t buf_len, unsigned int *key_len)
809 {
810 	int i;
811 
812 	for (i = 0; i < XFRM_ALGO_NR_KEYS; i++) {
813 		if (strncmp(name, xfrm_key_entries[i].algo_name, ALGO_LEN) == 0)
814 			*key_len = xfrm_key_entries[i].key_len;
815 	}
816 
817 	if (*key_len > buf_len) {
818 		printk("Can't pack a key - too big for buffer");
819 		return -1;
820 	}
821 
822 	randomize_buffer(buf, *key_len);
823 
824 	return 0;
825 }
826 
xfrm_state_pack_algo(struct nlmsghdr * nh,size_t req_sz,struct xfrm_desc * desc)827 static int xfrm_state_pack_algo(struct nlmsghdr *nh, size_t req_sz,
828 		struct xfrm_desc *desc)
829 {
830 	struct {
831 		union {
832 			struct xfrm_algo	alg;
833 			struct xfrm_algo_aead	aead;
834 			struct xfrm_algo_auth	auth;
835 		} u;
836 		char buf[XFRM_ALGO_KEY_BUF_SIZE];
837 	} alg = {};
838 	size_t alen, elen, clen, aelen;
839 	unsigned short type;
840 
841 	alen = strlen(desc->a_algo);
842 	elen = strlen(desc->e_algo);
843 	clen = strlen(desc->c_algo);
844 	aelen = strlen(desc->ae_algo);
845 
846 	/* Verify desc */
847 	switch (desc->proto) {
848 	case IPPROTO_AH:
849 		if (!alen || elen || clen || aelen) {
850 			printk("BUG: buggy ah desc");
851 			return -1;
852 		}
853 		strncpy(alg.u.alg.alg_name, desc->a_algo, ALGO_LEN - 1);
854 		if (xfrm_fill_key(desc->a_algo, alg.u.alg.alg_key,
855 				sizeof(alg.buf), &alg.u.alg.alg_key_len))
856 			return -1;
857 		type = XFRMA_ALG_AUTH;
858 		break;
859 	case IPPROTO_COMP:
860 		if (!clen || elen || alen || aelen) {
861 			printk("BUG: buggy comp desc");
862 			return -1;
863 		}
864 		strncpy(alg.u.alg.alg_name, desc->c_algo, ALGO_LEN - 1);
865 		if (xfrm_fill_key(desc->c_algo, alg.u.alg.alg_key,
866 				sizeof(alg.buf), &alg.u.alg.alg_key_len))
867 			return -1;
868 		type = XFRMA_ALG_COMP;
869 		break;
870 	case IPPROTO_ESP:
871 		if (!((alen && elen) ^ aelen) || clen) {
872 			printk("BUG: buggy esp desc");
873 			return -1;
874 		}
875 		if (aelen) {
876 			alg.u.aead.alg_icv_len = desc->icv_len;
877 			strncpy(alg.u.aead.alg_name, desc->ae_algo, ALGO_LEN - 1);
878 			if (xfrm_fill_key(desc->ae_algo, alg.u.aead.alg_key,
879 						sizeof(alg.buf), &alg.u.aead.alg_key_len))
880 				return -1;
881 			type = XFRMA_ALG_AEAD;
882 		} else {
883 
884 			strncpy(alg.u.alg.alg_name, desc->e_algo, ALGO_LEN - 1);
885 			type = XFRMA_ALG_CRYPT;
886 			if (xfrm_fill_key(desc->e_algo, alg.u.alg.alg_key,
887 						sizeof(alg.buf), &alg.u.alg.alg_key_len))
888 				return -1;
889 			if (rtattr_pack(nh, req_sz, type, &alg, sizeof(alg)))
890 				return -1;
891 
892 			strncpy(alg.u.alg.alg_name, desc->a_algo, ALGO_LEN);
893 			type = XFRMA_ALG_AUTH;
894 			if (xfrm_fill_key(desc->a_algo, alg.u.alg.alg_key,
895 						sizeof(alg.buf), &alg.u.alg.alg_key_len))
896 				return -1;
897 		}
898 		break;
899 	default:
900 		printk("BUG: unknown proto in desc");
901 		return -1;
902 	}
903 
904 	if (rtattr_pack(nh, req_sz, type, &alg, sizeof(alg)))
905 		return -1;
906 
907 	return 0;
908 }
909 
gen_spi(struct in_addr src)910 static inline uint32_t gen_spi(struct in_addr src)
911 {
912 	return htonl(inet_lnaof(src));
913 }
914 
xfrm_state_add(int xfrm_sock,uint32_t seq,uint32_t spi,struct in_addr src,struct in_addr dst,struct xfrm_desc * desc)915 static int xfrm_state_add(int xfrm_sock, uint32_t seq, uint32_t spi,
916 		struct in_addr src, struct in_addr dst,
917 		struct xfrm_desc *desc)
918 {
919 	struct {
920 		struct nlmsghdr		nh;
921 		struct xfrm_usersa_info	info;
922 		char			attrbuf[MAX_PAYLOAD];
923 	} req;
924 
925 	memset(&req, 0, sizeof(req));
926 	req.nh.nlmsg_len	= NLMSG_LENGTH(sizeof(req.info));
927 	req.nh.nlmsg_type	= XFRM_MSG_NEWSA;
928 	req.nh.nlmsg_flags	= NLM_F_REQUEST | NLM_F_ACK;
929 	req.nh.nlmsg_seq	= seq;
930 
931 	/* Fill selector. */
932 	memcpy(&req.info.sel.daddr, &dst, sizeof(dst));
933 	memcpy(&req.info.sel.saddr, &src, sizeof(src));
934 	req.info.sel.family		= AF_INET;
935 	req.info.sel.prefixlen_d	= PREFIX_LEN;
936 	req.info.sel.prefixlen_s	= PREFIX_LEN;
937 
938 	/* Fill id */
939 	memcpy(&req.info.id.daddr, &dst, sizeof(dst));
940 	/* Note: zero-spi cannot be deleted */
941 	req.info.id.spi = spi;
942 	req.info.id.proto	= desc->proto;
943 
944 	memcpy(&req.info.saddr, &src, sizeof(src));
945 
946 	/* Fill lifteme_cfg */
947 	req.info.lft.soft_byte_limit	= XFRM_INF;
948 	req.info.lft.hard_byte_limit	= XFRM_INF;
949 	req.info.lft.soft_packet_limit	= XFRM_INF;
950 	req.info.lft.hard_packet_limit	= XFRM_INF;
951 
952 	req.info.family		= AF_INET;
953 	req.info.mode		= XFRM_MODE_TUNNEL;
954 
955 	if (xfrm_state_pack_algo(&req.nh, sizeof(req), desc))
956 		return -1;
957 
958 	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
959 		pr_err("send()");
960 		return -1;
961 	}
962 
963 	return netlink_check_answer(xfrm_sock);
964 }
965 
xfrm_usersa_found(struct xfrm_usersa_info * info,uint32_t spi,struct in_addr src,struct in_addr dst,struct xfrm_desc * desc)966 static bool xfrm_usersa_found(struct xfrm_usersa_info *info, uint32_t spi,
967 		struct in_addr src, struct in_addr dst,
968 		struct xfrm_desc *desc)
969 {
970 	if (memcmp(&info->sel.daddr, &dst, sizeof(dst)))
971 		return false;
972 
973 	if (memcmp(&info->sel.saddr, &src, sizeof(src)))
974 		return false;
975 
976 	if (info->sel.family != AF_INET					||
977 			info->sel.prefixlen_d != PREFIX_LEN		||
978 			info->sel.prefixlen_s != PREFIX_LEN)
979 		return false;
980 
981 	if (info->id.spi != spi || info->id.proto != desc->proto)
982 		return false;
983 
984 	if (memcmp(&info->id.daddr, &dst, sizeof(dst)))
985 		return false;
986 
987 	if (memcmp(&info->saddr, &src, sizeof(src)))
988 		return false;
989 
990 	if (info->lft.soft_byte_limit != XFRM_INF			||
991 			info->lft.hard_byte_limit != XFRM_INF		||
992 			info->lft.soft_packet_limit != XFRM_INF		||
993 			info->lft.hard_packet_limit != XFRM_INF)
994 		return false;
995 
996 	if (info->family != AF_INET || info->mode != XFRM_MODE_TUNNEL)
997 		return false;
998 
999 	/* XXX: check xfrm algo, see xfrm_state_pack_algo(). */
1000 
1001 	return true;
1002 }
1003 
xfrm_state_check(int xfrm_sock,uint32_t seq,uint32_t spi,struct in_addr src,struct in_addr dst,struct xfrm_desc * desc)1004 static int xfrm_state_check(int xfrm_sock, uint32_t seq, uint32_t spi,
1005 		struct in_addr src, struct in_addr dst,
1006 		struct xfrm_desc *desc)
1007 {
1008 	struct {
1009 		struct nlmsghdr		nh;
1010 		char			attrbuf[MAX_PAYLOAD];
1011 	} req;
1012 	struct {
1013 		struct nlmsghdr		nh;
1014 		union {
1015 			struct xfrm_usersa_info	info;
1016 			int error;
1017 		};
1018 		char			attrbuf[MAX_PAYLOAD];
1019 	} answer;
1020 	struct xfrm_address_filter filter = {};
1021 	bool found = false;
1022 
1023 
1024 	memset(&req, 0, sizeof(req));
1025 	req.nh.nlmsg_len	= NLMSG_LENGTH(0);
1026 	req.nh.nlmsg_type	= XFRM_MSG_GETSA;
1027 	req.nh.nlmsg_flags	= NLM_F_REQUEST | NLM_F_DUMP;
1028 	req.nh.nlmsg_seq	= seq;
1029 
1030 	/*
1031 	 * Add dump filter by source address as there may be other tunnels
1032 	 * in this netns (if tests run in parallel).
1033 	 */
1034 	filter.family = AF_INET;
1035 	filter.splen = 0x1f;	/* 0xffffffff mask see addr_match() */
1036 	memcpy(&filter.saddr, &src, sizeof(src));
1037 	if (rtattr_pack(&req.nh, sizeof(req), XFRMA_ADDRESS_FILTER,
1038 				&filter, sizeof(filter)))
1039 		return -1;
1040 
1041 	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1042 		pr_err("send()");
1043 		return -1;
1044 	}
1045 
1046 	while (1) {
1047 		if (recv(xfrm_sock, &answer, sizeof(answer), 0) < 0) {
1048 			pr_err("recv()");
1049 			return -1;
1050 		}
1051 		if (answer.nh.nlmsg_type == NLMSG_ERROR) {
1052 			printk("NLMSG_ERROR: %d: %s",
1053 				answer.error, strerror(-answer.error));
1054 			return -1;
1055 		} else if (answer.nh.nlmsg_type == NLMSG_DONE) {
1056 			if (found)
1057 				return 0;
1058 			printk("didn't find allocated xfrm state in dump");
1059 			return -1;
1060 		} else if (answer.nh.nlmsg_type == XFRM_MSG_NEWSA) {
1061 			if (xfrm_usersa_found(&answer.info, spi, src, dst, desc))
1062 				found = true;
1063 		}
1064 	}
1065 }
1066 
xfrm_set(int xfrm_sock,uint32_t * seq,struct in_addr src,struct in_addr dst,struct in_addr tunsrc,struct in_addr tundst,struct xfrm_desc * desc)1067 static int xfrm_set(int xfrm_sock, uint32_t *seq,
1068 		struct in_addr src, struct in_addr dst,
1069 		struct in_addr tunsrc, struct in_addr tundst,
1070 		struct xfrm_desc *desc)
1071 {
1072 	int err;
1073 
1074 	err = xfrm_state_add(xfrm_sock, (*seq)++, gen_spi(src), src, dst, desc);
1075 	if (err) {
1076 		printk("Failed to add xfrm state");
1077 		return -1;
1078 	}
1079 
1080 	err = xfrm_state_add(xfrm_sock, (*seq)++, gen_spi(src), dst, src, desc);
1081 	if (err) {
1082 		printk("Failed to add xfrm state");
1083 		return -1;
1084 	}
1085 
1086 	/* Check dumps for XFRM_MSG_GETSA */
1087 	err = xfrm_state_check(xfrm_sock, (*seq)++, gen_spi(src), src, dst, desc);
1088 	err |= xfrm_state_check(xfrm_sock, (*seq)++, gen_spi(src), dst, src, desc);
1089 	if (err) {
1090 		printk("Failed to check xfrm state");
1091 		return -1;
1092 	}
1093 
1094 	return 0;
1095 }
1096 
xfrm_policy_add(int xfrm_sock,uint32_t seq,uint32_t spi,struct in_addr src,struct in_addr dst,uint8_t dir,struct in_addr tunsrc,struct in_addr tundst,uint8_t proto)1097 static int xfrm_policy_add(int xfrm_sock, uint32_t seq, uint32_t spi,
1098 		struct in_addr src, struct in_addr dst, uint8_t dir,
1099 		struct in_addr tunsrc, struct in_addr tundst, uint8_t proto)
1100 {
1101 	struct {
1102 		struct nlmsghdr			nh;
1103 		struct xfrm_userpolicy_info	info;
1104 		char				attrbuf[MAX_PAYLOAD];
1105 	} req;
1106 	struct xfrm_user_tmpl tmpl;
1107 
1108 	memset(&req, 0, sizeof(req));
1109 	memset(&tmpl, 0, sizeof(tmpl));
1110 	req.nh.nlmsg_len	= NLMSG_LENGTH(sizeof(req.info));
1111 	req.nh.nlmsg_type	= XFRM_MSG_NEWPOLICY;
1112 	req.nh.nlmsg_flags	= NLM_F_REQUEST | NLM_F_ACK;
1113 	req.nh.nlmsg_seq	= seq;
1114 
1115 	/* Fill selector. */
1116 	memcpy(&req.info.sel.daddr, &dst, sizeof(tundst));
1117 	memcpy(&req.info.sel.saddr, &src, sizeof(tunsrc));
1118 	req.info.sel.family		= AF_INET;
1119 	req.info.sel.prefixlen_d	= PREFIX_LEN;
1120 	req.info.sel.prefixlen_s	= PREFIX_LEN;
1121 
1122 	/* Fill lifteme_cfg */
1123 	req.info.lft.soft_byte_limit	= XFRM_INF;
1124 	req.info.lft.hard_byte_limit	= XFRM_INF;
1125 	req.info.lft.soft_packet_limit	= XFRM_INF;
1126 	req.info.lft.hard_packet_limit	= XFRM_INF;
1127 
1128 	req.info.dir = dir;
1129 
1130 	/* Fill tmpl */
1131 	memcpy(&tmpl.id.daddr, &dst, sizeof(dst));
1132 	/* Note: zero-spi cannot be deleted */
1133 	tmpl.id.spi = spi;
1134 	tmpl.id.proto	= proto;
1135 	tmpl.family	= AF_INET;
1136 	memcpy(&tmpl.saddr, &src, sizeof(src));
1137 	tmpl.mode	= XFRM_MODE_TUNNEL;
1138 	tmpl.aalgos = (~(uint32_t)0);
1139 	tmpl.ealgos = (~(uint32_t)0);
1140 	tmpl.calgos = (~(uint32_t)0);
1141 
1142 	if (rtattr_pack(&req.nh, sizeof(req), XFRMA_TMPL, &tmpl, sizeof(tmpl)))
1143 		return -1;
1144 
1145 	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1146 		pr_err("send()");
1147 		return -1;
1148 	}
1149 
1150 	return netlink_check_answer(xfrm_sock);
1151 }
1152 
xfrm_prepare(int xfrm_sock,uint32_t * seq,struct in_addr src,struct in_addr dst,struct in_addr tunsrc,struct in_addr tundst,uint8_t proto)1153 static int xfrm_prepare(int xfrm_sock, uint32_t *seq,
1154 		struct in_addr src, struct in_addr dst,
1155 		struct in_addr tunsrc, struct in_addr tundst, uint8_t proto)
1156 {
1157 	if (xfrm_policy_add(xfrm_sock, (*seq)++, gen_spi(src), src, dst,
1158 				XFRM_POLICY_OUT, tunsrc, tundst, proto)) {
1159 		printk("Failed to add xfrm policy");
1160 		return -1;
1161 	}
1162 
1163 	if (xfrm_policy_add(xfrm_sock, (*seq)++, gen_spi(src), dst, src,
1164 				XFRM_POLICY_IN, tunsrc, tundst, proto)) {
1165 		printk("Failed to add xfrm policy");
1166 		return -1;
1167 	}
1168 
1169 	return 0;
1170 }
1171 
xfrm_policy_del(int xfrm_sock,uint32_t seq,struct in_addr src,struct in_addr dst,uint8_t dir,struct in_addr tunsrc,struct in_addr tundst)1172 static int xfrm_policy_del(int xfrm_sock, uint32_t seq,
1173 		struct in_addr src, struct in_addr dst, uint8_t dir,
1174 		struct in_addr tunsrc, struct in_addr tundst)
1175 {
1176 	struct {
1177 		struct nlmsghdr			nh;
1178 		struct xfrm_userpolicy_id	id;
1179 		char				attrbuf[MAX_PAYLOAD];
1180 	} req;
1181 
1182 	memset(&req, 0, sizeof(req));
1183 	req.nh.nlmsg_len	= NLMSG_LENGTH(sizeof(req.id));
1184 	req.nh.nlmsg_type	= XFRM_MSG_DELPOLICY;
1185 	req.nh.nlmsg_flags	= NLM_F_REQUEST | NLM_F_ACK;
1186 	req.nh.nlmsg_seq	= seq;
1187 
1188 	/* Fill id */
1189 	memcpy(&req.id.sel.daddr, &dst, sizeof(tundst));
1190 	memcpy(&req.id.sel.saddr, &src, sizeof(tunsrc));
1191 	req.id.sel.family		= AF_INET;
1192 	req.id.sel.prefixlen_d		= PREFIX_LEN;
1193 	req.id.sel.prefixlen_s		= PREFIX_LEN;
1194 	req.id.dir = dir;
1195 
1196 	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1197 		pr_err("send()");
1198 		return -1;
1199 	}
1200 
1201 	return netlink_check_answer(xfrm_sock);
1202 }
1203 
xfrm_cleanup(int xfrm_sock,uint32_t * seq,struct in_addr src,struct in_addr dst,struct in_addr tunsrc,struct in_addr tundst)1204 static int xfrm_cleanup(int xfrm_sock, uint32_t *seq,
1205 		struct in_addr src, struct in_addr dst,
1206 		struct in_addr tunsrc, struct in_addr tundst)
1207 {
1208 	if (xfrm_policy_del(xfrm_sock, (*seq)++, src, dst,
1209 				XFRM_POLICY_OUT, tunsrc, tundst)) {
1210 		printk("Failed to add xfrm policy");
1211 		return -1;
1212 	}
1213 
1214 	if (xfrm_policy_del(xfrm_sock, (*seq)++, dst, src,
1215 				XFRM_POLICY_IN, tunsrc, tundst)) {
1216 		printk("Failed to add xfrm policy");
1217 		return -1;
1218 	}
1219 
1220 	return 0;
1221 }
1222 
xfrm_state_del(int xfrm_sock,uint32_t seq,uint32_t spi,struct in_addr src,struct in_addr dst,uint8_t proto)1223 static int xfrm_state_del(int xfrm_sock, uint32_t seq, uint32_t spi,
1224 		struct in_addr src, struct in_addr dst, uint8_t proto)
1225 {
1226 	struct {
1227 		struct nlmsghdr		nh;
1228 		struct xfrm_usersa_id	id;
1229 		char			attrbuf[MAX_PAYLOAD];
1230 	} req;
1231 	xfrm_address_t saddr = {};
1232 
1233 	memset(&req, 0, sizeof(req));
1234 	req.nh.nlmsg_len	= NLMSG_LENGTH(sizeof(req.id));
1235 	req.nh.nlmsg_type	= XFRM_MSG_DELSA;
1236 	req.nh.nlmsg_flags	= NLM_F_REQUEST | NLM_F_ACK;
1237 	req.nh.nlmsg_seq	= seq;
1238 
1239 	memcpy(&req.id.daddr, &dst, sizeof(dst));
1240 	req.id.family		= AF_INET;
1241 	req.id.proto		= proto;
1242 	/* Note: zero-spi cannot be deleted */
1243 	req.id.spi = spi;
1244 
1245 	memcpy(&saddr, &src, sizeof(src));
1246 	if (rtattr_pack(&req.nh, sizeof(req), XFRMA_SRCADDR, &saddr, sizeof(saddr)))
1247 		return -1;
1248 
1249 	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1250 		pr_err("send()");
1251 		return -1;
1252 	}
1253 
1254 	return netlink_check_answer(xfrm_sock);
1255 }
1256 
xfrm_delete(int xfrm_sock,uint32_t * seq,struct in_addr src,struct in_addr dst,struct in_addr tunsrc,struct in_addr tundst,uint8_t proto)1257 static int xfrm_delete(int xfrm_sock, uint32_t *seq,
1258 		struct in_addr src, struct in_addr dst,
1259 		struct in_addr tunsrc, struct in_addr tundst, uint8_t proto)
1260 {
1261 	if (xfrm_state_del(xfrm_sock, (*seq)++, gen_spi(src), src, dst, proto)) {
1262 		printk("Failed to remove xfrm state");
1263 		return -1;
1264 	}
1265 
1266 	if (xfrm_state_del(xfrm_sock, (*seq)++, gen_spi(src), dst, src, proto)) {
1267 		printk("Failed to remove xfrm state");
1268 		return -1;
1269 	}
1270 
1271 	return 0;
1272 }
1273 
xfrm_state_allocspi(int xfrm_sock,uint32_t * seq,uint32_t spi,uint8_t proto)1274 static int xfrm_state_allocspi(int xfrm_sock, uint32_t *seq,
1275 		uint32_t spi, uint8_t proto)
1276 {
1277 	struct {
1278 		struct nlmsghdr			nh;
1279 		struct xfrm_userspi_info	spi;
1280 	} req;
1281 	struct {
1282 		struct nlmsghdr			nh;
1283 		union {
1284 			struct xfrm_usersa_info	info;
1285 			int error;
1286 		};
1287 	} answer;
1288 
1289 	memset(&req, 0, sizeof(req));
1290 	req.nh.nlmsg_len	= NLMSG_LENGTH(sizeof(req.spi));
1291 	req.nh.nlmsg_type	= XFRM_MSG_ALLOCSPI;
1292 	req.nh.nlmsg_flags	= NLM_F_REQUEST;
1293 	req.nh.nlmsg_seq	= (*seq)++;
1294 
1295 	req.spi.info.family	= AF_INET;
1296 	req.spi.min		= spi;
1297 	req.spi.max		= spi;
1298 	req.spi.info.id.proto	= proto;
1299 
1300 	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1301 		pr_err("send()");
1302 		return KSFT_FAIL;
1303 	}
1304 
1305 	if (recv(xfrm_sock, &answer, sizeof(answer), 0) < 0) {
1306 		pr_err("recv()");
1307 		return KSFT_FAIL;
1308 	} else if (answer.nh.nlmsg_type == XFRM_MSG_NEWSA) {
1309 		uint32_t new_spi = htonl(answer.info.id.spi);
1310 
1311 		if (new_spi != spi) {
1312 			printk("allocated spi is different from requested: %#x != %#x",
1313 					new_spi, spi);
1314 			return KSFT_FAIL;
1315 		}
1316 		return KSFT_PASS;
1317 	} else if (answer.nh.nlmsg_type != NLMSG_ERROR) {
1318 		printk("expected NLMSG_ERROR, got %d", (int)answer.nh.nlmsg_type);
1319 		return KSFT_FAIL;
1320 	}
1321 
1322 	printk("NLMSG_ERROR: %d: %s", answer.error, strerror(-answer.error));
1323 	return (answer.error) ? KSFT_FAIL : KSFT_PASS;
1324 }
1325 
netlink_sock_bind(int * sock,uint32_t * seq,int proto,uint32_t groups)1326 static int netlink_sock_bind(int *sock, uint32_t *seq, int proto, uint32_t groups)
1327 {
1328 	struct sockaddr_nl snl = {};
1329 	socklen_t addr_len;
1330 	int ret = -1;
1331 
1332 	snl.nl_family = AF_NETLINK;
1333 	snl.nl_groups = groups;
1334 
1335 	if (netlink_sock(sock, seq, proto)) {
1336 		printk("Failed to open xfrm netlink socket");
1337 		return -1;
1338 	}
1339 
1340 	if (bind(*sock, (struct sockaddr *)&snl, sizeof(snl)) < 0) {
1341 		pr_err("bind()");
1342 		goto out_close;
1343 	}
1344 
1345 	addr_len = sizeof(snl);
1346 	if (getsockname(*sock, (struct sockaddr *)&snl, &addr_len) < 0) {
1347 		pr_err("getsockname()");
1348 		goto out_close;
1349 	}
1350 	if (addr_len != sizeof(snl)) {
1351 		printk("Wrong address length %d", addr_len);
1352 		goto out_close;
1353 	}
1354 	if (snl.nl_family != AF_NETLINK) {
1355 		printk("Wrong address family %d", snl.nl_family);
1356 		goto out_close;
1357 	}
1358 	return 0;
1359 
1360 out_close:
1361 	close(*sock);
1362 	return ret;
1363 }
1364 
xfrm_monitor_acquire(int xfrm_sock,uint32_t * seq,unsigned int nr)1365 static int xfrm_monitor_acquire(int xfrm_sock, uint32_t *seq, unsigned int nr)
1366 {
1367 	struct {
1368 		struct nlmsghdr nh;
1369 		union {
1370 			struct xfrm_user_acquire acq;
1371 			int error;
1372 		};
1373 		char attrbuf[MAX_PAYLOAD];
1374 	} req;
1375 	struct xfrm_user_tmpl xfrm_tmpl = {};
1376 	int xfrm_listen = -1, ret = KSFT_FAIL;
1377 	uint32_t seq_listen;
1378 
1379 	if (netlink_sock_bind(&xfrm_listen, &seq_listen, NETLINK_XFRM, XFRMNLGRP_ACQUIRE))
1380 		return KSFT_FAIL;
1381 
1382 	memset(&req, 0, sizeof(req));
1383 	req.nh.nlmsg_len	= NLMSG_LENGTH(sizeof(req.acq));
1384 	req.nh.nlmsg_type	= XFRM_MSG_ACQUIRE;
1385 	req.nh.nlmsg_flags	= NLM_F_REQUEST | NLM_F_ACK;
1386 	req.nh.nlmsg_seq	= (*seq)++;
1387 
1388 	req.acq.policy.sel.family	= AF_INET;
1389 	req.acq.aalgos	= 0xfeed;
1390 	req.acq.ealgos	= 0xbaad;
1391 	req.acq.calgos	= 0xbabe;
1392 
1393 	xfrm_tmpl.family = AF_INET;
1394 	xfrm_tmpl.id.proto = IPPROTO_ESP;
1395 	if (rtattr_pack(&req.nh, sizeof(req), XFRMA_TMPL, &xfrm_tmpl, sizeof(xfrm_tmpl)))
1396 		goto out_close;
1397 
1398 	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1399 		pr_err("send()");
1400 		goto out_close;
1401 	}
1402 
1403 	if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
1404 		pr_err("recv()");
1405 		goto out_close;
1406 	} else if (req.nh.nlmsg_type != NLMSG_ERROR) {
1407 		printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
1408 		goto out_close;
1409 	}
1410 
1411 	if (req.error) {
1412 		printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
1413 		ret = req.error;
1414 		goto out_close;
1415 	}
1416 
1417 	if (recv(xfrm_listen, &req, sizeof(req), 0) < 0) {
1418 		pr_err("recv()");
1419 		goto out_close;
1420 	}
1421 
1422 	if (req.acq.aalgos != 0xfeed || req.acq.ealgos != 0xbaad
1423 			|| req.acq.calgos != 0xbabe) {
1424 		printk("xfrm_user_acquire has changed  %x %x %x",
1425 				req.acq.aalgos, req.acq.ealgos, req.acq.calgos);
1426 		goto out_close;
1427 	}
1428 
1429 	ret = KSFT_PASS;
1430 out_close:
1431 	close(xfrm_listen);
1432 	return ret;
1433 }
1434 
xfrm_expire_state(int xfrm_sock,uint32_t * seq,unsigned int nr,struct xfrm_desc * desc)1435 static int xfrm_expire_state(int xfrm_sock, uint32_t *seq,
1436 		unsigned int nr, struct xfrm_desc *desc)
1437 {
1438 	struct {
1439 		struct nlmsghdr nh;
1440 		union {
1441 			struct xfrm_user_expire expire;
1442 			int error;
1443 		};
1444 	} req;
1445 	struct in_addr src, dst;
1446 	int xfrm_listen = -1, ret = KSFT_FAIL;
1447 	uint32_t seq_listen;
1448 
1449 	src = inet_makeaddr(INADDR_B, child_ip(nr));
1450 	dst = inet_makeaddr(INADDR_B, grchild_ip(nr));
1451 
1452 	if (xfrm_state_add(xfrm_sock, (*seq)++, gen_spi(src), src, dst, desc)) {
1453 		printk("Failed to add xfrm state");
1454 		return KSFT_FAIL;
1455 	}
1456 
1457 	if (netlink_sock_bind(&xfrm_listen, &seq_listen, NETLINK_XFRM, XFRMNLGRP_EXPIRE))
1458 		return KSFT_FAIL;
1459 
1460 	memset(&req, 0, sizeof(req));
1461 	req.nh.nlmsg_len	= NLMSG_LENGTH(sizeof(req.expire));
1462 	req.nh.nlmsg_type	= XFRM_MSG_EXPIRE;
1463 	req.nh.nlmsg_flags	= NLM_F_REQUEST | NLM_F_ACK;
1464 	req.nh.nlmsg_seq	= (*seq)++;
1465 
1466 	memcpy(&req.expire.state.id.daddr, &dst, sizeof(dst));
1467 	req.expire.state.id.spi		= gen_spi(src);
1468 	req.expire.state.id.proto	= desc->proto;
1469 	req.expire.state.family		= AF_INET;
1470 	req.expire.hard			= 0xff;
1471 
1472 	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1473 		pr_err("send()");
1474 		goto out_close;
1475 	}
1476 
1477 	if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
1478 		pr_err("recv()");
1479 		goto out_close;
1480 	} else if (req.nh.nlmsg_type != NLMSG_ERROR) {
1481 		printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
1482 		goto out_close;
1483 	}
1484 
1485 	if (req.error) {
1486 		printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
1487 		ret = req.error;
1488 		goto out_close;
1489 	}
1490 
1491 	if (recv(xfrm_listen, &req, sizeof(req), 0) < 0) {
1492 		pr_err("recv()");
1493 		goto out_close;
1494 	}
1495 
1496 	if (req.expire.hard != 0x1) {
1497 		printk("expire.hard is not set: %x", req.expire.hard);
1498 		goto out_close;
1499 	}
1500 
1501 	ret = KSFT_PASS;
1502 out_close:
1503 	close(xfrm_listen);
1504 	return ret;
1505 }
1506 
xfrm_expire_policy(int xfrm_sock,uint32_t * seq,unsigned int nr,struct xfrm_desc * desc)1507 static int xfrm_expire_policy(int xfrm_sock, uint32_t *seq,
1508 		unsigned int nr, struct xfrm_desc *desc)
1509 {
1510 	struct {
1511 		struct nlmsghdr nh;
1512 		union {
1513 			struct xfrm_user_polexpire expire;
1514 			int error;
1515 		};
1516 	} req;
1517 	struct in_addr src, dst, tunsrc, tundst;
1518 	int xfrm_listen = -1, ret = KSFT_FAIL;
1519 	uint32_t seq_listen;
1520 
1521 	src = inet_makeaddr(INADDR_B, child_ip(nr));
1522 	dst = inet_makeaddr(INADDR_B, grchild_ip(nr));
1523 	tunsrc = inet_makeaddr(INADDR_A, child_ip(nr));
1524 	tundst = inet_makeaddr(INADDR_A, grchild_ip(nr));
1525 
1526 	if (xfrm_policy_add(xfrm_sock, (*seq)++, gen_spi(src), src, dst,
1527 				XFRM_POLICY_OUT, tunsrc, tundst, desc->proto)) {
1528 		printk("Failed to add xfrm policy");
1529 		return KSFT_FAIL;
1530 	}
1531 
1532 	if (netlink_sock_bind(&xfrm_listen, &seq_listen, NETLINK_XFRM, XFRMNLGRP_EXPIRE))
1533 		return KSFT_FAIL;
1534 
1535 	memset(&req, 0, sizeof(req));
1536 	req.nh.nlmsg_len	= NLMSG_LENGTH(sizeof(req.expire));
1537 	req.nh.nlmsg_type	= XFRM_MSG_POLEXPIRE;
1538 	req.nh.nlmsg_flags	= NLM_F_REQUEST | NLM_F_ACK;
1539 	req.nh.nlmsg_seq	= (*seq)++;
1540 
1541 	/* Fill selector. */
1542 	memcpy(&req.expire.pol.sel.daddr, &dst, sizeof(tundst));
1543 	memcpy(&req.expire.pol.sel.saddr, &src, sizeof(tunsrc));
1544 	req.expire.pol.sel.family	= AF_INET;
1545 	req.expire.pol.sel.prefixlen_d	= PREFIX_LEN;
1546 	req.expire.pol.sel.prefixlen_s	= PREFIX_LEN;
1547 	req.expire.pol.dir		= XFRM_POLICY_OUT;
1548 	req.expire.hard			= 0xff;
1549 
1550 	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1551 		pr_err("send()");
1552 		goto out_close;
1553 	}
1554 
1555 	if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
1556 		pr_err("recv()");
1557 		goto out_close;
1558 	} else if (req.nh.nlmsg_type != NLMSG_ERROR) {
1559 		printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
1560 		goto out_close;
1561 	}
1562 
1563 	if (req.error) {
1564 		printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
1565 		ret = req.error;
1566 		goto out_close;
1567 	}
1568 
1569 	if (recv(xfrm_listen, &req, sizeof(req), 0) < 0) {
1570 		pr_err("recv()");
1571 		goto out_close;
1572 	}
1573 
1574 	if (req.expire.hard != 0x1) {
1575 		printk("expire.hard is not set: %x", req.expire.hard);
1576 		goto out_close;
1577 	}
1578 
1579 	ret = KSFT_PASS;
1580 out_close:
1581 	close(xfrm_listen);
1582 	return ret;
1583 }
1584 
xfrm_spdinfo_set_thresh(int xfrm_sock,uint32_t * seq,unsigned thresh4_l,unsigned thresh4_r,unsigned thresh6_l,unsigned thresh6_r,bool add_bad_attr)1585 static int xfrm_spdinfo_set_thresh(int xfrm_sock, uint32_t *seq,
1586 		unsigned thresh4_l, unsigned thresh4_r,
1587 		unsigned thresh6_l, unsigned thresh6_r,
1588 		bool add_bad_attr)
1589 
1590 {
1591 	struct {
1592 		struct nlmsghdr		nh;
1593 		union {
1594 			uint32_t	unused;
1595 			int		error;
1596 		};
1597 		char			attrbuf[MAX_PAYLOAD];
1598 	} req;
1599 	struct xfrmu_spdhthresh thresh;
1600 
1601 	memset(&req, 0, sizeof(req));
1602 	req.nh.nlmsg_len	= NLMSG_LENGTH(sizeof(req.unused));
1603 	req.nh.nlmsg_type	= XFRM_MSG_NEWSPDINFO;
1604 	req.nh.nlmsg_flags	= NLM_F_REQUEST | NLM_F_ACK;
1605 	req.nh.nlmsg_seq	= (*seq)++;
1606 
1607 	thresh.lbits = thresh4_l;
1608 	thresh.rbits = thresh4_r;
1609 	if (rtattr_pack(&req.nh, sizeof(req), XFRMA_SPD_IPV4_HTHRESH, &thresh, sizeof(thresh)))
1610 		return -1;
1611 
1612 	thresh.lbits = thresh6_l;
1613 	thresh.rbits = thresh6_r;
1614 	if (rtattr_pack(&req.nh, sizeof(req), XFRMA_SPD_IPV6_HTHRESH, &thresh, sizeof(thresh)))
1615 		return -1;
1616 
1617 	if (add_bad_attr) {
1618 		BUILD_BUG_ON(XFRMA_IF_ID <= XFRMA_SPD_MAX + 1);
1619 		if (rtattr_pack(&req.nh, sizeof(req), XFRMA_IF_ID, NULL, 0)) {
1620 			pr_err("adding attribute failed: no space");
1621 			return -1;
1622 		}
1623 	}
1624 
1625 	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1626 		pr_err("send()");
1627 		return -1;
1628 	}
1629 
1630 	if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
1631 		pr_err("recv()");
1632 		return -1;
1633 	} else if (req.nh.nlmsg_type != NLMSG_ERROR) {
1634 		printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
1635 		return -1;
1636 	}
1637 
1638 	if (req.error) {
1639 		printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
1640 		return -1;
1641 	}
1642 
1643 	return 0;
1644 }
1645 
xfrm_spdinfo_attrs(int xfrm_sock,uint32_t * seq)1646 static int xfrm_spdinfo_attrs(int xfrm_sock, uint32_t *seq)
1647 {
1648 	struct {
1649 		struct nlmsghdr			nh;
1650 		union {
1651 			uint32_t	unused;
1652 			int		error;
1653 		};
1654 		char			attrbuf[MAX_PAYLOAD];
1655 	} req;
1656 
1657 	if (xfrm_spdinfo_set_thresh(xfrm_sock, seq, 32, 31, 120, 16, false)) {
1658 		pr_err("Can't set SPD HTHRESH");
1659 		return KSFT_FAIL;
1660 	}
1661 
1662 	memset(&req, 0, sizeof(req));
1663 
1664 	req.nh.nlmsg_len	= NLMSG_LENGTH(sizeof(req.unused));
1665 	req.nh.nlmsg_type	= XFRM_MSG_GETSPDINFO;
1666 	req.nh.nlmsg_flags	= NLM_F_REQUEST;
1667 	req.nh.nlmsg_seq	= (*seq)++;
1668 	if (send(xfrm_sock, &req, req.nh.nlmsg_len, 0) < 0) {
1669 		pr_err("send()");
1670 		return KSFT_FAIL;
1671 	}
1672 
1673 	if (recv(xfrm_sock, &req, sizeof(req), 0) < 0) {
1674 		pr_err("recv()");
1675 		return KSFT_FAIL;
1676 	} else if (req.nh.nlmsg_type == XFRM_MSG_NEWSPDINFO) {
1677 		size_t len = NLMSG_PAYLOAD(&req.nh, sizeof(req.unused));
1678 		struct rtattr *attr = (void *)req.attrbuf;
1679 		int got_thresh = 0;
1680 
1681 		for (; RTA_OK(attr, len); attr = RTA_NEXT(attr, len)) {
1682 			if (attr->rta_type == XFRMA_SPD_IPV4_HTHRESH) {
1683 				struct xfrmu_spdhthresh *t = RTA_DATA(attr);
1684 
1685 				got_thresh++;
1686 				if (t->lbits != 32 || t->rbits != 31) {
1687 					pr_err("thresh differ: %u, %u",
1688 							t->lbits, t->rbits);
1689 					return KSFT_FAIL;
1690 				}
1691 			}
1692 			if (attr->rta_type == XFRMA_SPD_IPV6_HTHRESH) {
1693 				struct xfrmu_spdhthresh *t = RTA_DATA(attr);
1694 
1695 				got_thresh++;
1696 				if (t->lbits != 120 || t->rbits != 16) {
1697 					pr_err("thresh differ: %u, %u",
1698 							t->lbits, t->rbits);
1699 					return KSFT_FAIL;
1700 				}
1701 			}
1702 		}
1703 		if (got_thresh != 2) {
1704 			pr_err("only %d thresh returned by XFRM_MSG_GETSPDINFO", got_thresh);
1705 			return KSFT_FAIL;
1706 		}
1707 	} else if (req.nh.nlmsg_type != NLMSG_ERROR) {
1708 		printk("expected NLMSG_ERROR, got %d", (int)req.nh.nlmsg_type);
1709 		return KSFT_FAIL;
1710 	} else {
1711 		printk("NLMSG_ERROR: %d: %s", req.error, strerror(-req.error));
1712 		return -1;
1713 	}
1714 
1715 	/* Restore the default */
1716 	if (xfrm_spdinfo_set_thresh(xfrm_sock, seq, 32, 32, 128, 128, false)) {
1717 		pr_err("Can't restore SPD HTHRESH");
1718 		return KSFT_FAIL;
1719 	}
1720 
1721 	/*
1722 	 * At this moment xfrm uses nlmsg_parse_deprecated(), which
1723 	 * implies NL_VALIDATE_LIBERAL - ignoring attributes with
1724 	 * (type > maxtype). nla_parse_depricated_strict() would enforce
1725 	 * it. Or even stricter nla_parse().
1726 	 * Right now it's not expected to fail, but to be ignored.
1727 	 */
1728 	if (xfrm_spdinfo_set_thresh(xfrm_sock, seq, 32, 32, 128, 128, true))
1729 		return KSFT_PASS;
1730 
1731 	return KSFT_PASS;
1732 }
1733 
child_serv(int xfrm_sock,uint32_t * seq,unsigned int nr,int cmd_fd,void * buf,struct xfrm_desc * desc)1734 static int child_serv(int xfrm_sock, uint32_t *seq,
1735 		unsigned int nr, int cmd_fd, void *buf, struct xfrm_desc *desc)
1736 {
1737 	struct in_addr src, dst, tunsrc, tundst;
1738 	struct test_desc msg;
1739 	int ret = KSFT_FAIL;
1740 
1741 	src = inet_makeaddr(INADDR_B, child_ip(nr));
1742 	dst = inet_makeaddr(INADDR_B, grchild_ip(nr));
1743 	tunsrc = inet_makeaddr(INADDR_A, child_ip(nr));
1744 	tundst = inet_makeaddr(INADDR_A, grchild_ip(nr));
1745 
1746 	/* UDP pinging without xfrm */
1747 	if (do_ping(cmd_fd, buf, page_size, src, true, 0, 0, udp_ping_send)) {
1748 		printk("ping failed before setting xfrm");
1749 		return KSFT_FAIL;
1750 	}
1751 
1752 	memset(&msg, 0, sizeof(msg));
1753 	msg.type = MSG_XFRM_PREPARE;
1754 	memcpy(&msg.body.xfrm_desc, desc, sizeof(*desc));
1755 	write_msg(cmd_fd, &msg, 1);
1756 
1757 	if (xfrm_prepare(xfrm_sock, seq, src, dst, tunsrc, tundst, desc->proto)) {
1758 		printk("failed to prepare xfrm");
1759 		goto cleanup;
1760 	}
1761 
1762 	memset(&msg, 0, sizeof(msg));
1763 	msg.type = MSG_XFRM_ADD;
1764 	memcpy(&msg.body.xfrm_desc, desc, sizeof(*desc));
1765 	write_msg(cmd_fd, &msg, 1);
1766 	if (xfrm_set(xfrm_sock, seq, src, dst, tunsrc, tundst, desc)) {
1767 		printk("failed to set xfrm");
1768 		goto delete;
1769 	}
1770 
1771 	/* UDP pinging with xfrm tunnel */
1772 	if (do_ping(cmd_fd, buf, page_size, tunsrc,
1773 				true, 0, 0, udp_ping_send)) {
1774 		printk("ping failed for xfrm");
1775 		goto delete;
1776 	}
1777 
1778 	ret = KSFT_PASS;
1779 delete:
1780 	/* xfrm delete */
1781 	memset(&msg, 0, sizeof(msg));
1782 	msg.type = MSG_XFRM_DEL;
1783 	memcpy(&msg.body.xfrm_desc, desc, sizeof(*desc));
1784 	write_msg(cmd_fd, &msg, 1);
1785 
1786 	if (xfrm_delete(xfrm_sock, seq, src, dst, tunsrc, tundst, desc->proto)) {
1787 		printk("failed ping to remove xfrm");
1788 		ret = KSFT_FAIL;
1789 	}
1790 
1791 cleanup:
1792 	memset(&msg, 0, sizeof(msg));
1793 	msg.type = MSG_XFRM_CLEANUP;
1794 	memcpy(&msg.body.xfrm_desc, desc, sizeof(*desc));
1795 	write_msg(cmd_fd, &msg, 1);
1796 	if (xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst)) {
1797 		printk("failed ping to cleanup xfrm");
1798 		ret = KSFT_FAIL;
1799 	}
1800 	return ret;
1801 }
1802 
child_f(unsigned int nr,int test_desc_fd,int cmd_fd,void * buf)1803 static int child_f(unsigned int nr, int test_desc_fd, int cmd_fd, void *buf)
1804 {
1805 	struct xfrm_desc desc;
1806 	struct test_desc msg;
1807 	int xfrm_sock = -1;
1808 	uint32_t seq;
1809 
1810 	if (switch_ns(nsfd_childa))
1811 		exit(KSFT_FAIL);
1812 
1813 	if (netlink_sock(&xfrm_sock, &seq, NETLINK_XFRM)) {
1814 		printk("Failed to open xfrm netlink socket");
1815 		exit(KSFT_FAIL);
1816 	}
1817 
1818 	/* Check that seq sock is ready, just for sure. */
1819 	memset(&msg, 0, sizeof(msg));
1820 	msg.type = MSG_ACK;
1821 	write_msg(cmd_fd, &msg, 1);
1822 	read_msg(cmd_fd, &msg, 1);
1823 	if (msg.type != MSG_ACK) {
1824 		printk("Ack failed");
1825 		exit(KSFT_FAIL);
1826 	}
1827 
1828 	for (;;) {
1829 		ssize_t received = read(test_desc_fd, &desc, sizeof(desc));
1830 		int ret;
1831 
1832 		if (received == 0) /* EOF */
1833 			break;
1834 
1835 		if (received != sizeof(desc)) {
1836 			pr_err("read() returned %zd", received);
1837 			exit(KSFT_FAIL);
1838 		}
1839 
1840 		switch (desc.type) {
1841 		case CREATE_TUNNEL:
1842 			ret = child_serv(xfrm_sock, &seq, nr,
1843 					 cmd_fd, buf, &desc);
1844 			break;
1845 		case ALLOCATE_SPI:
1846 			ret = xfrm_state_allocspi(xfrm_sock, &seq,
1847 						  -1, desc.proto);
1848 			break;
1849 		case MONITOR_ACQUIRE:
1850 			ret = xfrm_monitor_acquire(xfrm_sock, &seq, nr);
1851 			break;
1852 		case EXPIRE_STATE:
1853 			ret = xfrm_expire_state(xfrm_sock, &seq, nr, &desc);
1854 			break;
1855 		case EXPIRE_POLICY:
1856 			ret = xfrm_expire_policy(xfrm_sock, &seq, nr, &desc);
1857 			break;
1858 		case SPDINFO_ATTRS:
1859 			ret = xfrm_spdinfo_attrs(xfrm_sock, &seq);
1860 			break;
1861 		default:
1862 			printk("Unknown desc type %d", desc.type);
1863 			exit(KSFT_FAIL);
1864 		}
1865 		write_test_result(ret, &desc);
1866 	}
1867 
1868 	close(xfrm_sock);
1869 
1870 	msg.type = MSG_EXIT;
1871 	write_msg(cmd_fd, &msg, 1);
1872 	exit(KSFT_PASS);
1873 }
1874 
grand_child_serv(unsigned int nr,int cmd_fd,void * buf,struct test_desc * msg,int xfrm_sock,uint32_t * seq)1875 static void grand_child_serv(unsigned int nr, int cmd_fd, void *buf,
1876 		struct test_desc *msg, int xfrm_sock, uint32_t *seq)
1877 {
1878 	struct in_addr src, dst, tunsrc, tundst;
1879 	bool tun_reply;
1880 	struct xfrm_desc *desc = &msg->body.xfrm_desc;
1881 
1882 	src = inet_makeaddr(INADDR_B, grchild_ip(nr));
1883 	dst = inet_makeaddr(INADDR_B, child_ip(nr));
1884 	tunsrc = inet_makeaddr(INADDR_A, grchild_ip(nr));
1885 	tundst = inet_makeaddr(INADDR_A, child_ip(nr));
1886 
1887 	switch (msg->type) {
1888 	case MSG_EXIT:
1889 		exit(KSFT_PASS);
1890 	case MSG_ACK:
1891 		write_msg(cmd_fd, msg, 1);
1892 		break;
1893 	case MSG_PING:
1894 		tun_reply = memcmp(&dst, &msg->body.ping.reply_ip, sizeof(in_addr_t));
1895 		/* UDP pinging without xfrm */
1896 		if (do_ping(cmd_fd, buf, page_size, tun_reply ? tunsrc : src,
1897 				false, msg->body.ping.port,
1898 				msg->body.ping.reply_ip, udp_ping_reply)) {
1899 			printk("ping failed before setting xfrm");
1900 		}
1901 		break;
1902 	case MSG_XFRM_PREPARE:
1903 		if (xfrm_prepare(xfrm_sock, seq, src, dst, tunsrc, tundst,
1904 					desc->proto)) {
1905 			xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst);
1906 			printk("failed to prepare xfrm");
1907 		}
1908 		break;
1909 	case MSG_XFRM_ADD:
1910 		if (xfrm_set(xfrm_sock, seq, src, dst, tunsrc, tundst, desc)) {
1911 			xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst);
1912 			printk("failed to set xfrm");
1913 		}
1914 		break;
1915 	case MSG_XFRM_DEL:
1916 		if (xfrm_delete(xfrm_sock, seq, src, dst, tunsrc, tundst,
1917 					desc->proto)) {
1918 			xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst);
1919 			printk("failed to remove xfrm");
1920 		}
1921 		break;
1922 	case MSG_XFRM_CLEANUP:
1923 		if (xfrm_cleanup(xfrm_sock, seq, src, dst, tunsrc, tundst)) {
1924 			printk("failed to cleanup xfrm");
1925 		}
1926 		break;
1927 	default:
1928 		printk("got unknown msg type %d", msg->type);
1929 	}
1930 }
1931 
grand_child_f(unsigned int nr,int cmd_fd,void * buf)1932 static int grand_child_f(unsigned int nr, int cmd_fd, void *buf)
1933 {
1934 	struct test_desc msg;
1935 	int xfrm_sock = -1;
1936 	uint32_t seq;
1937 
1938 	if (switch_ns(nsfd_childb))
1939 		exit(KSFT_FAIL);
1940 
1941 	if (netlink_sock(&xfrm_sock, &seq, NETLINK_XFRM)) {
1942 		printk("Failed to open xfrm netlink socket");
1943 		exit(KSFT_FAIL);
1944 	}
1945 
1946 	do {
1947 		read_msg(cmd_fd, &msg, 1);
1948 		grand_child_serv(nr, cmd_fd, buf, &msg, xfrm_sock, &seq);
1949 	} while (1);
1950 
1951 	close(xfrm_sock);
1952 	exit(KSFT_FAIL);
1953 }
1954 
start_child(unsigned int nr,char * veth,int test_desc_fd[2])1955 static int start_child(unsigned int nr, char *veth, int test_desc_fd[2])
1956 {
1957 	int cmd_sock[2];
1958 	void *data_map;
1959 	pid_t child;
1960 
1961 	if (init_child(nsfd_childa, veth, child_ip(nr), grchild_ip(nr)))
1962 		return -1;
1963 
1964 	if (init_child(nsfd_childb, veth, grchild_ip(nr), child_ip(nr)))
1965 		return -1;
1966 
1967 	child = fork();
1968 	if (child < 0) {
1969 		pr_err("fork()");
1970 		return -1;
1971 	} else if (child) {
1972 		/* in parent - selftest */
1973 		return switch_ns(nsfd_parent);
1974 	}
1975 
1976 	if (close(test_desc_fd[1])) {
1977 		pr_err("close()");
1978 		return -1;
1979 	}
1980 
1981 	/* child */
1982 	data_map = mmap(0, page_size, PROT_READ | PROT_WRITE,
1983 			MAP_SHARED | MAP_ANONYMOUS, -1, 0);
1984 	if (data_map == MAP_FAILED) {
1985 		pr_err("mmap()");
1986 		return -1;
1987 	}
1988 
1989 	randomize_buffer(data_map, page_size);
1990 
1991 	if (socketpair(PF_LOCAL, SOCK_SEQPACKET, 0, cmd_sock)) {
1992 		pr_err("socketpair()");
1993 		return -1;
1994 	}
1995 
1996 	child = fork();
1997 	if (child < 0) {
1998 		pr_err("fork()");
1999 		return -1;
2000 	} else if (child) {
2001 		if (close(cmd_sock[0])) {
2002 			pr_err("close()");
2003 			return -1;
2004 		}
2005 		return child_f(nr, test_desc_fd[0], cmd_sock[1], data_map);
2006 	}
2007 	if (close(cmd_sock[1])) {
2008 		pr_err("close()");
2009 		return -1;
2010 	}
2011 	return grand_child_f(nr, cmd_sock[0], data_map);
2012 }
2013 
exit_usage(char ** argv)2014 static void exit_usage(char **argv)
2015 {
2016 	printk("Usage: %s [nr_process]", argv[0]);
2017 	exit(KSFT_FAIL);
2018 }
2019 
__write_desc(int test_desc_fd,struct xfrm_desc * desc)2020 static int __write_desc(int test_desc_fd, struct xfrm_desc *desc)
2021 {
2022 	ssize_t ret;
2023 
2024 	ret = write(test_desc_fd, desc, sizeof(*desc));
2025 
2026 	if (ret == sizeof(*desc))
2027 		return 0;
2028 
2029 	pr_err("Writing test's desc failed %ld", ret);
2030 
2031 	return -1;
2032 }
2033 
write_desc(int proto,int test_desc_fd,char * a,char * e,char * c,char * ae)2034 static int write_desc(int proto, int test_desc_fd,
2035 		char *a, char *e, char *c, char *ae)
2036 {
2037 	struct xfrm_desc desc = {};
2038 
2039 	desc.type = CREATE_TUNNEL;
2040 	desc.proto = proto;
2041 
2042 	if (a)
2043 		strncpy(desc.a_algo, a, ALGO_LEN - 1);
2044 	if (e)
2045 		strncpy(desc.e_algo, e, ALGO_LEN - 1);
2046 	if (c)
2047 		strncpy(desc.c_algo, c, ALGO_LEN - 1);
2048 	if (ae)
2049 		strncpy(desc.ae_algo, ae, ALGO_LEN - 1);
2050 
2051 	return __write_desc(test_desc_fd, &desc);
2052 }
2053 
2054 int proto_list[] = { IPPROTO_AH, IPPROTO_COMP, IPPROTO_ESP };
2055 char *ah_list[] = {
2056 	"digest_null", "hmac(md5)", "hmac(sha1)", "hmac(sha256)",
2057 	"hmac(sha384)", "hmac(sha512)", "hmac(rmd160)",
2058 	"xcbc(aes)", "cmac(aes)"
2059 };
2060 char *comp_list[] = {
2061 	"deflate",
2062 #if 0
2063 	/* No compression backend realization */
2064 	"lzs", "lzjh"
2065 #endif
2066 };
2067 char *e_list[] = {
2068 	"ecb(cipher_null)", "cbc(des)", "cbc(des3_ede)", "cbc(cast5)",
2069 	"cbc(blowfish)", "cbc(aes)", "cbc(serpent)", "cbc(camellia)",
2070 	"cbc(twofish)", "rfc3686(ctr(aes))"
2071 };
2072 char *ae_list[] = {
2073 #if 0
2074 	/* not implemented */
2075 	"rfc4106(gcm(aes))", "rfc4309(ccm(aes))", "rfc4543(gcm(aes))",
2076 	"rfc7539esp(chacha20,poly1305)"
2077 #endif
2078 };
2079 
2080 const unsigned int proto_plan = ARRAY_SIZE(ah_list) + ARRAY_SIZE(comp_list) \
2081 				+ (ARRAY_SIZE(ah_list) * ARRAY_SIZE(e_list)) \
2082 				+ ARRAY_SIZE(ae_list);
2083 
write_proto_plan(int fd,int proto)2084 static int write_proto_plan(int fd, int proto)
2085 {
2086 	unsigned int i;
2087 
2088 	switch (proto) {
2089 	case IPPROTO_AH:
2090 		for (i = 0; i < ARRAY_SIZE(ah_list); i++) {
2091 			if (write_desc(proto, fd, ah_list[i], 0, 0, 0))
2092 				return -1;
2093 		}
2094 		break;
2095 	case IPPROTO_COMP:
2096 		for (i = 0; i < ARRAY_SIZE(comp_list); i++) {
2097 			if (write_desc(proto, fd, 0, 0, comp_list[i], 0))
2098 				return -1;
2099 		}
2100 		break;
2101 	case IPPROTO_ESP:
2102 		for (i = 0; i < ARRAY_SIZE(ah_list); i++) {
2103 			int j;
2104 
2105 			for (j = 0; j < ARRAY_SIZE(e_list); j++) {
2106 				if (write_desc(proto, fd, ah_list[i],
2107 							e_list[j], 0, 0))
2108 					return -1;
2109 			}
2110 		}
2111 		for (i = 0; i < ARRAY_SIZE(ae_list); i++) {
2112 			if (write_desc(proto, fd, 0, 0, 0, ae_list[i]))
2113 				return -1;
2114 		}
2115 		break;
2116 	default:
2117 		printk("BUG: Specified unknown proto %d", proto);
2118 		return -1;
2119 	}
2120 
2121 	return 0;
2122 }
2123 
2124 /*
2125  * Some structures in xfrm uapi header differ in size between
2126  * 64-bit and 32-bit ABI:
2127  *
2128  *             32-bit UABI               |            64-bit UABI
2129  *  -------------------------------------|-------------------------------------
2130  *   sizeof(xfrm_usersa_info)     = 220  |  sizeof(xfrm_usersa_info)     = 224
2131  *   sizeof(xfrm_userpolicy_info) = 164  |  sizeof(xfrm_userpolicy_info) = 168
2132  *   sizeof(xfrm_userspi_info)    = 228  |  sizeof(xfrm_userspi_info)    = 232
2133  *   sizeof(xfrm_user_acquire)    = 276  |  sizeof(xfrm_user_acquire)    = 280
2134  *   sizeof(xfrm_user_expire)     = 224  |  sizeof(xfrm_user_expire)     = 232
2135  *   sizeof(xfrm_user_polexpire)  = 168  |  sizeof(xfrm_user_polexpire)  = 176
2136  *
2137  * Check the affected by the UABI difference structures.
2138  * Also, check translation for xfrm_set_spdinfo: it has it's own attributes
2139  * which needs to be correctly copied, but not translated.
2140  */
2141 const unsigned int compat_plan = 5;
write_compat_struct_tests(int test_desc_fd)2142 static int write_compat_struct_tests(int test_desc_fd)
2143 {
2144 	struct xfrm_desc desc = {};
2145 
2146 	desc.type = ALLOCATE_SPI;
2147 	desc.proto = IPPROTO_AH;
2148 	strncpy(desc.a_algo, ah_list[0], ALGO_LEN - 1);
2149 
2150 	if (__write_desc(test_desc_fd, &desc))
2151 		return -1;
2152 
2153 	desc.type = MONITOR_ACQUIRE;
2154 	if (__write_desc(test_desc_fd, &desc))
2155 		return -1;
2156 
2157 	desc.type = EXPIRE_STATE;
2158 	if (__write_desc(test_desc_fd, &desc))
2159 		return -1;
2160 
2161 	desc.type = EXPIRE_POLICY;
2162 	if (__write_desc(test_desc_fd, &desc))
2163 		return -1;
2164 
2165 	desc.type = SPDINFO_ATTRS;
2166 	if (__write_desc(test_desc_fd, &desc))
2167 		return -1;
2168 
2169 	return 0;
2170 }
2171 
write_test_plan(int test_desc_fd)2172 static int write_test_plan(int test_desc_fd)
2173 {
2174 	unsigned int i;
2175 	pid_t child;
2176 
2177 	child = fork();
2178 	if (child < 0) {
2179 		pr_err("fork()");
2180 		return -1;
2181 	}
2182 	if (child) {
2183 		if (close(test_desc_fd))
2184 			printk("close(): %m");
2185 		return 0;
2186 	}
2187 
2188 	if (write_compat_struct_tests(test_desc_fd))
2189 		exit(KSFT_FAIL);
2190 
2191 	for (i = 0; i < ARRAY_SIZE(proto_list); i++) {
2192 		if (write_proto_plan(test_desc_fd, proto_list[i]))
2193 			exit(KSFT_FAIL);
2194 	}
2195 
2196 	exit(KSFT_PASS);
2197 }
2198 
children_cleanup(void)2199 static int children_cleanup(void)
2200 {
2201 	unsigned ret = KSFT_PASS;
2202 
2203 	while (1) {
2204 		int status;
2205 		pid_t p = wait(&status);
2206 
2207 		if ((p < 0) && errno == ECHILD)
2208 			break;
2209 
2210 		if (p < 0) {
2211 			pr_err("wait()");
2212 			return KSFT_FAIL;
2213 		}
2214 
2215 		if (!WIFEXITED(status)) {
2216 			ret = KSFT_FAIL;
2217 			continue;
2218 		}
2219 
2220 		if (WEXITSTATUS(status) == KSFT_FAIL)
2221 			ret = KSFT_FAIL;
2222 	}
2223 
2224 	return ret;
2225 }
2226 
2227 typedef void (*print_res)(const char *, ...);
2228 
check_results(void)2229 static int check_results(void)
2230 {
2231 	struct test_result tr = {};
2232 	struct xfrm_desc *d = &tr.desc;
2233 	int ret = KSFT_PASS;
2234 
2235 	while (1) {
2236 		ssize_t received = read(results_fd[0], &tr, sizeof(tr));
2237 		print_res result;
2238 
2239 		if (received == 0) /* EOF */
2240 			break;
2241 
2242 		if (received != sizeof(tr)) {
2243 			pr_err("read() returned %zd", received);
2244 			return KSFT_FAIL;
2245 		}
2246 
2247 		switch (tr.res) {
2248 		case KSFT_PASS:
2249 			result = ksft_test_result_pass;
2250 			break;
2251 		case KSFT_FAIL:
2252 		default:
2253 			result = ksft_test_result_fail;
2254 			ret = KSFT_FAIL;
2255 		}
2256 
2257 		result(" %s: [%u, '%s', '%s', '%s', '%s', %u]\n",
2258 		       desc_name[d->type], (unsigned int)d->proto, d->a_algo,
2259 		       d->e_algo, d->c_algo, d->ae_algo, d->icv_len);
2260 	}
2261 
2262 	return ret;
2263 }
2264 
main(int argc,char ** argv)2265 int main(int argc, char **argv)
2266 {
2267 	long nr_process = 1;
2268 	int route_sock = -1, ret = KSFT_SKIP;
2269 	int test_desc_fd[2];
2270 	uint32_t route_seq;
2271 	unsigned int i;
2272 
2273 	if (argc > 2)
2274 		exit_usage(argv);
2275 
2276 	if (argc > 1) {
2277 		char *endptr;
2278 
2279 		errno = 0;
2280 		nr_process = strtol(argv[1], &endptr, 10);
2281 		if ((errno == ERANGE && (nr_process == LONG_MAX || nr_process == LONG_MIN))
2282 				|| (errno != 0 && nr_process == 0)
2283 				|| (endptr == argv[1]) || (*endptr != '\0')) {
2284 			printk("Failed to parse [nr_process]");
2285 			exit_usage(argv);
2286 		}
2287 
2288 		if (nr_process > MAX_PROCESSES || nr_process < 1) {
2289 			printk("nr_process should be between [1; %u]",
2290 					MAX_PROCESSES);
2291 			exit_usage(argv);
2292 		}
2293 	}
2294 
2295 	srand(time(NULL));
2296 	page_size = sysconf(_SC_PAGESIZE);
2297 	if (page_size < 1)
2298 		ksft_exit_skip("sysconf(): %m\n");
2299 
2300 	if (pipe2(test_desc_fd, O_DIRECT) < 0)
2301 		ksft_exit_skip("pipe(): %m\n");
2302 
2303 	if (pipe2(results_fd, O_DIRECT) < 0)
2304 		ksft_exit_skip("pipe(): %m\n");
2305 
2306 	if (init_namespaces())
2307 		ksft_exit_skip("Failed to create namespaces\n");
2308 
2309 	if (netlink_sock(&route_sock, &route_seq, NETLINK_ROUTE))
2310 		ksft_exit_skip("Failed to open netlink route socket\n");
2311 
2312 	for (i = 0; i < nr_process; i++) {
2313 		char veth[VETH_LEN];
2314 
2315 		snprintf(veth, VETH_LEN, VETH_FMT, i);
2316 
2317 		if (veth_add(route_sock, route_seq++, veth, nsfd_childa, veth, nsfd_childb)) {
2318 			close(route_sock);
2319 			ksft_exit_fail_msg("Failed to create veth device");
2320 		}
2321 
2322 		if (start_child(i, veth, test_desc_fd)) {
2323 			close(route_sock);
2324 			ksft_exit_fail_msg("Child %u failed to start", i);
2325 		}
2326 	}
2327 
2328 	if (close(route_sock) || close(test_desc_fd[0]) || close(results_fd[1]))
2329 		ksft_exit_fail_msg("close(): %m");
2330 
2331 	ksft_set_plan(proto_plan + compat_plan);
2332 
2333 	if (write_test_plan(test_desc_fd[1]))
2334 		ksft_exit_fail_msg("Failed to write test plan to pipe");
2335 
2336 	ret = check_results();
2337 
2338 	if (children_cleanup() == KSFT_FAIL)
2339 		exit(KSFT_FAIL);
2340 
2341 	exit(ret);
2342 }
2343