cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux

ip_defrag.sh (2087B)


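#!/bin/sh
# SPDX-License-Identifier: GPL-2.0
#
# Run a couple of IP defragmentation tests.
#
# All tuning and the permissive ip6tables rule below are applied inside a
# throwaway network namespace, so the host's fragment-queue limits and
# firewall rules are left alone. The namespace is removed on exit.
#
# Needs enough privilege for modprobe, 'ip netns add' and 'sysctl -w'
# (typically root), and expects the ./ip_defrag binary in the current
# directory.

set +x
set -e

modprobe -q nf_defrag_ipv6

# mktemp -u is used purely as a random-suffix generator; no file is created
# and the name is not reserved. Assign first and mark readonly afterwards so
# that a mktemp failure is not hidden behind the exit status of 'readonly'
# and aborts the script under 'set -e'.
NETNS="ns-$(mktemp -u XXXXXX)"
readonly NETNS

# Set one sysctl (given as key=value in $1) inside the test namespace.
# Output stays suppressed as before, but a failure now leaves a one-line
# diagnostic on stderr instead of making the script exit silently.
ns_sysctl() {
	ip netns exec "${NETNS}" sysctl -w "$1" >/dev/null 2>&1 || {
		echo "failed to set sysctl $1 in ${NETNS}" >&2
		return 1
	}
}

# Create the namespace and size the fragment queues for the test load.
setup() {
	ip netns add "${NETNS}"
	# Register the cleanup only once the namespace was created by us: if
	# 'ip netns add' fails (e.g. the name already exists), an earlier trap
	# would delete a namespace this script does not own.
	trap cleanup EXIT
	ip -netns "${NETNS}" link set lo up

	# Large thresholds and a 1s timeout, scoped to the test namespace only.
	ns_sysctl net.ipv4.ipfrag_high_thresh=9000000
	ns_sysctl net.ipv4.ipfrag_low_thresh=7000000
	ns_sysctl net.ipv4.ipfrag_time=1

	ns_sysctl net.ipv6.ip6frag_high_thresh=9000000
	ns_sysctl net.ipv6.ip6frag_low_thresh=7000000
	ns_sysctl net.ipv6.ip6frag_time=1

	ns_sysctl net.netfilter.nf_conntrack_frag6_high_thresh=9000000
	ns_sysctl net.netfilter.nf_conntrack_frag6_low_thresh=7000000
	ns_sysctl net.netfilter.nf_conntrack_frag6_timeout=1

	# DST cache can get full with a lot of frags, with GC not keeping up with the test.
	ns_sysctl net.ipv6.route.max_size=65536
}

# Remove the test namespace; runs from the EXIT trap installed in setup().
cleanup() {
	ip netns del "${NETNS}"
}

setup

echo "ipv4 defrag"
ip netns exec "${NETNS}" ./ip_defrag -4

echo "ipv4 defrag with overlaps"
ip netns exec "${NETNS}" ./ip_defrag -4o

echo "ipv6 defrag"
ip netns exec "${NETNS}" ./ip_defrag -6

echo "ipv6 defrag with overlaps"
ip netns exec "${NETNS}" ./ip_defrag -6o

# Insert an nf_conntrack rule so that the codepath in nf_conntrack_reasm.c
# is taken. The rule accepts packets in conntrack state INVALID; it exists
# only inside the test namespace and is not a pattern for a real ruleset.
ip netns exec "${NETNS}" ip6tables -A INPUT  -m conntrack --ctstate INVALID -j ACCEPT

echo "ipv6 nf_conntrack defrag"
ip netns exec "${NETNS}" ./ip_defrag -6

echo "ipv6 nf_conntrack defrag with overlaps"
# netfilter will drop some invalid packets, so we run the test in
# permissive mode: i.e. pass the test if the packet is correctly assembled
# even if we sent an overlap
ip netns exec "${NETNS}" ./ip_defrag -6op

echo "all tests done"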