Esempio n. 1
 def _CheckPolicyDifferByDirection(self, version):
     """Verify that two policies may be identical except for direction.

     Installs an outbound and then an inbound policy that share the same
     selector, template and mark. The test passes when both AddPolicyInfo
     calls return without raising; nothing else is asserted.

     Args:
       version: Passed to net_test.GetAddressFamily to obtain the address
         family used for the template and the selector.
     """
     addr_family = net_test.GetAddressFamily(version)
     template = xfrm.UserTemplate(addr_family, 0xdead, 0, None)
     selector = xfrm.EmptySelector(addr_family)
     policy_mark = xfrm.XfrmMark(mark=0xf00, mask=xfrm_base.MARK_MASK_ALL)

     # Selector, template and mark are shared; direction is the only field
     # that differs between the two policies.
     # NOTE(review): neither policy is deleted here; presumably the fixture
     # flushes the SPD between tests -- confirm.
     for direction in (xfrm.XFRM_POLICY_OUT, xfrm.XFRM_POLICY_IN):
         self.xfrm.AddPolicyInfo(
             xfrm.UserPolicy(direction, selector), template, policy_mark)
Esempio n. 2
def ApplySocketPolicy(sock, family, direction, spi, reqid, tun_addrs):
  """Build an ESP policy with its template and install it on a socket.

  A socket holds at most one policy per direction, so installing a policy
  replaces whatever policy the socket already had in that direction.

  Args:
    sock: The socket that receives the policy
    family: AF_INET or AF_INET6
    direction: XFRM_POLICY_IN or XFRM_POLICY_OUT
    spi: 32-bit SPI in host byte order
    reqid: 32-bit ID matched against SAs
    tun_addrs: A tuple of (local, remote) addresses for tunnel mode, or None
      to request a transport mode SA.
  """
  # An empty selector matches every packet of the given address family, so
  # the policy covers all of the socket's traffic in that family.
  match_all = xfrm.EmptySelector(family)

  user_policy = xfrm.UserPolicy(direction, match_all)
  user_template = xfrm.UserTemplate(family, spi, reqid, tun_addrs)

  # The socket option payload is the packed policy followed directly by the
  # packed template.
  payload = user_policy.Pack() + user_template.Pack()

  # Ask the socket for its own domain instead of reusing `family`: the two can
  # differ, e.g. an IPv4 policy applied to a dual-stack socket.
  SetPolicySockopt(
      sock, sock.getsockopt(SOL_SOCKET, net_test.SO_DOMAIN), payload)
Esempio n. 3
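    def _CheckUpdatePolicy(self, version):
        """Tests that we can update the template on a policy.

        Creates a policy through UpdatePolicyInfo, checks that AddPolicyInfo
        for the same policy fails with EEXIST instead of replacing it, then
        replaces the template through UpdatePolicyInfo. After each step the
        dump must hold exactly one policy carrying the expected template.

        Args:
          version: Passed to net_test.GetAddressFamily to obtain the address
            family used for the templates and the selector.
        """
        family = net_test.GetAddressFamily(version)
        tmpl1 = xfrm.UserTemplate(family, 0xdead, 0, None)
        tmpl2 = xfrm.UserTemplate(family, 0xbeef, 0, None)
        sel = xfrm.EmptySelector(family)
        policy = xfrm.UserPolicy(xfrm.XFRM_POLICY_OUT, sel)
        mark = xfrm.XfrmMark(mark=0xf00, mask=xfrm_base.MARK_MASK_ALL)

        def _CheckTemplateMatch(tmpl):
            """Dump the SPD and match a single template on a single policy."""
            dump = self.xfrm.DumpPolicyInfo()
            # assertEqual replaces the deprecated assertEquals alias, which
            # unittest removed in Python 3.12.
            # NOTE(review): a count of exactly 1 assumes no other policy is
            # installed when this test starts -- confirm against the fixture.
            self.assertEqual(1, len(dump))
            _, attributes = dump[0]
            self.assertEqual(attributes['XFRMA_TMPL'], tmpl)

        # Create a new policy using update.
        self.xfrm.UpdatePolicyInfo(policy, tmpl1, mark)
        # NEWPOLICY will not update the existing policy. This checks both that
        # UPDPOLICY created a policy and that NEWPOLICY will not perform
        # updates, i.e. an add cannot silently swap the template of a policy
        # that is already installed.
        _CheckTemplateMatch(tmpl1)
        with self.assertRaisesErrno(EEXIST):
            self.xfrm.AddPolicyInfo(policy, tmpl2, mark)
        # Update the policy using UPDPOLICY.
        self.xfrm.UpdatePolicyInfo(policy, tmpl2, mark)
        # There should only be one policy after update, and it should have the
        # updated template.
        _CheckTemplateMatch(tmpl2)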
Esempio n. 4
 def _CheckGlobalPoliciesByMark(self, version):
     """Verify that two global policies may differ in nothing but their mark.

     Adds the same outbound policy and template twice under two different
     marks, then deletes each policy by selector, direction and mark. The
     test passes when none of the four calls raises.

     Args:
       version: Passed to net_test.GetAddressFamily to obtain the address
         family used for the selector.
     """
     selector = xfrm.EmptySelector(net_test.GetAddressFamily(version))
     # Two arbitrary, distinct mark values; both use the full mask.
     marks = (
         xfrm.XfrmMark(mark=0xf00, mask=xfrm_base.MARK_MASK_ALL),
         xfrm.XfrmMark(mark=0xf00d, mask=xfrm_base.MARK_MASK_ALL),
     )
     # The global policy and its template. The template is built with
     # AF_UNSPEC, not with the selector's family.
     out_policy = xfrm.UserPolicy(xfrm.XFRM_POLICY_OUT, selector)
     template = xfrm.UserTemplate(AF_UNSPEC, 0xfeed, 0, None)

     # Install the identical policy once per mark.
     for policy_mark in marks:
         self.xfrm.AddPolicyInfo(out_policy, template, policy_mark)

     # Remove the policies one at a time, each addressed by its own mark.
     for policy_mark in marks:
         self.xfrm.DeletePolicyInfo(
             selector, xfrm.XFRM_POLICY_OUT, policy_mark)