cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux

icmp.sh (2618B)


#!/bin/bash
# SPDX-License-Identifier: GPL-2.0

# Test for checking ICMP response with dummy address instead of 0.0.0.0.
# Sets up two namespaces like:
# +----------------------+                          +--------------------+
# | ns1                  |    v4-via-v6 routes:     | ns2                |
# |                      |                  '       |                    |
# |             +--------+   -> 172.16.1.0/24 ->    +--------+           |
# |             | veth0  +--------------------------+  veth0 |           |
# |             +--------+   <- 172.16.0.0/24 <-    +--------+           |
# |           172.16.0.1 |                          | 2001:db8:1::2/64   |
# |     2001:db8:1::1/64 |                          |                    |
# +----------------------+                          +--------------------+
#
# It then tries to ping 172.16.1.1 from ns1. This results in a "net
# unreachable" message being sent from ns2, but there is no IPv4 address set in
# that address space, so the kernel should substitute the dummy address
# 192.0.0.8 defined in RFC7600.
     21NS1=ns1
     22NS2=ns2
     23H1_IP=172.16.0.1/32
     24H1_IP6=2001:db8:1::1
     25RT1=172.16.1.0/24
     26PINGADDR=172.16.1.1
     27RT2=172.16.0.0/24
     28H2_IP6=2001:db8:1::2
     29
     30TMPFILE=$(mktemp)
     31
# Remove the temporary capture file and both test namespaces. Registered on
# EXIT below, so it also runs when the script aborts early. Errors from the
# ip commands are deliberately not suppressed: a namespace that could not be
# deleted should be visible in the test output.
cleanup() {
    local ns
    rm -f -- "$TMPFILE"
    for ns in "$NS1" "$NS2"; do
        ip netns del "$ns"
    done
}
     38
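trap cleanup EXIT

# Abort loudly if any setup step fails (for example when not running as root).
# cleanup still runs through the EXIT trap. Without this, a failed setup fell
# through to the capture and was reported as a misleading ICMP mismatch.
set -e

# Namespaces
ip netns add "$NS1"
ip netns add "$NS2"

# Connectivity: a veth pair between the namespaces, an IPv4 address on ns1
# only, IPv6 addresses on both ends, and v4-via-v6 routes in both directions.
ip -netns "$NS1" link add veth0 type veth peer name veth0 netns "$NS2"
ip -netns "$NS1" link set dev veth0 up
ip -netns "$NS2" link set dev veth0 up
ip -netns "$NS1" addr add "$H1_IP" dev veth0
ip -netns "$NS1" addr add "$H1_IP6/64" dev veth0 nodad
ip -netns "$NS2" addr add "$H2_IP6/64" dev veth0 nodad
ip -netns "$NS1" route add "$RT1" via inet6 "$H2_IP6"
ip -netns "$NS2" route add "$RT2" via inet6 "$H1_IP6"

# Make sure ns2 will respond with ICMP unreachable
ip netns exec "$NS2" sysctl -qw net.ipv4.icmp_ratelimit=0 net.ipv4.ip_forward=1

# Run the test - a ping runs in the background, and we capture ICMP responses
# with tcpdump; -c 1 means it should exit on the first ping, but add a timeout
# in case something goes wrong
ip netns exec "$NS1" ping -w 3 -i 0.5 "$PINGADDR" >/dev/null &

# The capture filter is a fixed literal; no script variable is interpolated
# into it. A non-zero status here means tcpdump hit the timeout (or failed to
# start) without seeing a single non-echo ICMP packet, which is its own
# failure mode and must not be reported as an address mismatch.
if ! ip netns exec "$NS1" timeout 10 tcpdump -tpni veth0 -c 1 \
        'icmp and icmp[icmptype] != icmp-echo' > "$TMPFILE" 2>/dev/null; then
    echo "FAIL - no ICMP response captured on $NS1 veth0 within timeout"
    exit 1
fi

# Parse response and check for dummy address
# tcpdump output looks like:
# IP 192.0.0.8 > 172.16.0.1: ICMP net 172.16.1.1 unreachable, length 92
RESP_IP=$(awk '{print $2}' < "$TMPFILE")
if [[ -z "$RESP_IP" ]]; then
    echo "FAIL - could not parse a source address from the tcpdump output"
    exit 1
elif [[ "$RESP_IP" != "192.0.0.8" ]]; then
    echo "FAIL - got ICMP response from $RESP_IP, should be 192.0.0.8"
    exit 1
else
    echo "OK"
    exit 0
fi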