Commit 2752d4ca authored by Lubomir Rintel's avatar Lubomir Rintel 🥕 Committed by Vladimír Beneš

ipsec: avoid disabling ipv6 for *swan tests

Long ago, Libreswan's pluto got confused upon seeing tentative IPv6 addresses
and we ended up disabling IPv6 globally for tests that involved it.

We, however, have a test where Libreswan is used along with an IPv6 OpenVPN
network. The aforementioned hack causes the OpenVPN tun device to be
created with IPv6 off, causing the assertion that an IPv6 address is
present to fail.

This used to be okay because NetworkManager ended up setting disable_ipv6=0
for said interface. This changed in NetworkManager/next branch and I
believe the new behavior is perhaps more correct.

Do away with the Libreswan hack, ensuring that the libreswan version we got
is good enough.
parent 27229ad5
......@@ -1144,12 +1144,24 @@ def teardown_testveth_as(ctx, scen):
_register_tag("teardown_testveth", None, teardown_testveth_as)
def libreswan_bs(ctx, scen):
nmci.lib.wait_for_testeth0(ctx)
if ctx.command_code("rpm -q NetworkManager-libreswan") != 0:
ctx.run("sudo yum -y install NetworkManager-libreswan")
nmci.lib.restart_NM_service(ctx)
# We need libreswan at least of version 3.17, that contains
# commit 453167 ("pluto: ignore tentative and failed IPv6 addresses),
# otherwise pluto would get very very confused.
# That is RHEL 7.4, RHEL 8.0 or newer.
swan_ver = ctx.command_output("rpm -q --qf '%{version}' libreswan")
if ctx.command_code ("""rpm --eval '%%{lua:
if rpm.vercmp(\"%s\", \"3.17\") < 0 then
error(\"Libreswan too old\");
end }'""" % swan_ver) != 0:
print("Skipping with old Libreswan")
sys.exit(77)
ctx.run("/usr/sbin/ipsec --checknss")
mode = "aggressive"
if "ikev2" in scen.tags:
......
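Review bot: In `libreswan_bs` the output of `rpm -q --qf '%{version}' libreswan` is formatted into the `rpm --eval` command without checking that the query succeeded. If libreswan were not installed, `swan_ver` would hold rpm's error text rather than a version, and that text would be spliced into the Lua string inside the command. Any non-zero exit from `rpm --eval`, not only an old version, is also reported as "Skipping with old Libreswan" and exits 77. A guard such as `if ctx.command_code("rpm -q libreswan") != 0:` before the comparison, with its own message, would keep a missing package or a failing `rpm --eval` from being reported as an old Libreswan. The comment above the check has an unbalanced quote and would read better as `# commit 453167 ("pluto: ignore tentative and failed IPv6 addresses"),`; the function body continues past the end of the hunk.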
......@@ -145,13 +145,6 @@ libreswan_gen_netconfig ()
ip netns add libreswan
# IPv6 on a veth confuses pluto. Sigh. (TODO: check id still true)
# ERROR: bind() for 80/80 fe80::94bf:8cff:fe1b:7620:500 in process_raw_ifaces(). Errno 22: Invalid argument
# We don't need it in RHEL9/Fedoras
if grep -q -e 'release [7|8]' /etc/redhat-release; then
echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
ip netns exec libreswan echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
fi
ip link add libreswan0 type veth peer name libreswan1
ip link set libreswan0 netns libreswan
......@@ -229,9 +222,6 @@ libreswan_setup ()
libreswan_teardown ()
{
[ -f "$LIBRESWAN_DIR/pluto.pid" ] && kill $(cat "$LIBRESWAN_DIR/pluto.pid")
if grep -q -e 'release [7|8]' /etc/redhat-release; then
echo 0 > /proc/sys/net/ipv6/conf/default/disable_ipv6
fi
ip netns list | grep -q libreswan && ip netns del libreswan
ip link | grep -q libreswan1 && ip link del libreswan1
nmcli -f NAME c show | grep -q 'lib1' && nmcli connection del lib1
......
......@@ -109,13 +109,7 @@ function racoon_setup ()
# Create a network namespace allowing the VPN client and the VPN serve to run in the
# isolated areas on the same machine.
ip netns add racoon
# IPv6 on a veth confuses pluto. Sigh.
# ERROR: bind() for 80/80 fe80::94bf:8cff:fe1b:7620:500 in process_raw_ifaces(). Errno 22: Invalid argument
echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
ip netns exec racoon echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
ip link add racoon0 type veth peer name racoon1
ip link set racoon0 netns racoon
ip netns exec racoon ip link set lo up
......@@ -175,7 +169,6 @@ function racoon_teardown ()
echo ${line// /-}
userdel -r budulinek
echo 0 > /proc/sys/net/ipv6/conf/default/disable_ipv6
kill -INT $(ps aux|grep dns|grep racoon|grep -v grep |awk {'print $2'})
if systemctl --quiet is-active nm-racoon; then
systemctl stop nm-racoon
......
......@@ -108,10 +108,6 @@ EOF
strongswan_gen_netconfig ()
{
ip netns add strongswan
# IPv6 on a veth confuses pluto. Sigh. (TODO: check id still true)
# ERROR: bind() for 80/80 fe80::94bf:8cff:fe1b:7620:500 in process_raw_ifaces(). Errno 22: Invalid argument
echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
ip netns exec strongswan echo 1 > /proc/sys/net/ipv6/conf/default/disable_ipv6
ip link add strongswan0 type veth peer name strongswan1
ip link set strongswan0 netns strongswan
......@@ -182,7 +178,6 @@ strongswan_setup ()
strongswan_teardown ()
{
ip netns exec strongswan strongswan stop
echo 0 > /proc/sys/net/ipv6/conf/default/disable_ipv6
ip netns del strongswan
ip link del strongswan1
kill_dnsmasq
......