def _CheckPolicyDifferByDirection(self, version):
  """Tests that policies can differ only by direction.

  Installs two policies that share the same selector, template and mark
  and differ only in direction (OUT first, then IN). Both adds are expected
  to succeed; a failure here would mean the kernel treats them as duplicates.

  Args:
    version: IP version used to derive the address family (via net_test).
  """
  family = net_test.GetAddressFamily(version)
  template = xfrm.UserTemplate(family, 0xdead, 0, None)
  match_all = xfrm.EmptySelector(family)
  # mask=MARK_MASK_ALL: presumably requires an exact mark match -- see xfrm_base.
  mark = xfrm.XfrmMark(mark=0xf00, mask=xfrm_base.MARK_MASK_ALL)
  # Same selector, template and mark for both; only the direction differs.
  for direction in (xfrm.XFRM_POLICY_OUT, xfrm.XFRM_POLICY_IN):
    self.xfrm.AddPolicyInfo(xfrm.UserPolicy(direction, match_all), template, mark)
def ApplySocketPolicy(sock, family, direction, spi, reqid, tun_addrs):
  """Create and apply an ESP policy to a socket.

  A socket holds at most one policy per direction, so applying a policy for a
  direction replaces any policy previously applied in that direction.

  Args:
    sock: The socket that needs a policy
    family: AF_INET or AF_INET6
    direction: XFRM_POLICY_IN or XFRM_POLICY_OUT
    spi: 32-bit SPI in host byte order
    reqid: 32-bit ID matched against SAs
    tun_addrs: A tuple of (local, remote) addresses for tunnel mode, or
      None to request a transport mode SA.
  """
  # Wildcard selector: every packet of the given family on this socket is
  # covered by the policy.
  match_all = xfrm.EmptySelector(family)
  user_policy = xfrm.UserPolicy(direction, match_all)
  user_template = xfrm.UserTemplate(family, spi, reqid, tun_addrs)
  # The sockopt payload is the packed policy immediately followed by the
  # packed template.
  payload = user_policy.Pack() + user_template.Pack()
  # Ask the socket for its own domain rather than trusting `family`: the two
  # may differ (e.g. an IPv4 policy on a dual-stack socket). Presumably
  # SetPolicySockopt uses it to pick the sockopt level -- confirm there.
  sock_domain = sock.getsockopt(SOL_SOCKET, net_test.SO_DOMAIN)
  SetPolicySockopt(sock, sock_domain, payload)
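def _CheckUpdatePolicy(self, version):
  """Tests that we can update the template on a policy.

  Creates a policy via UPDPOLICY, checks that NEWPOLICY refuses to overwrite
  it (EEXIST), then updates its template via UPDPOLICY and checks the SPD
  still holds exactly one policy carrying the new template.

  Args:
    version: IP version used to derive the address family (via net_test).
  """
  family = net_test.GetAddressFamily(version)
  tmpl1 = xfrm.UserTemplate(family, 0xdead, 0, None)
  tmpl2 = xfrm.UserTemplate(family, 0xbeef, 0, None)
  sel = xfrm.EmptySelector(family)
  policy = xfrm.UserPolicy(xfrm.XFRM_POLICY_OUT, sel)
  mark = xfrm.XfrmMark(mark=0xf00, mask=xfrm_base.MARK_MASK_ALL)

  def _CheckTemplateMatch(tmpl):
    """Dump the SPD and match a single template on a single policy."""
    dump = self.xfrm.DumpPolicyInfo()
    # assertEqual: assertEquals is a deprecated alias (removed in Python 3.12).
    self.assertEqual(1, len(dump))
    _, attributes = dump[0]
    self.assertEqual(attributes['XFRMA_TMPL'], tmpl)

  # Create a new policy using update.
  self.xfrm.UpdatePolicyInfo(policy, tmpl1, mark)
  # NEWPOLICY will not update the existing policy. This checks both that
  # UPDPOLICY created a policy and that NEWPOLICY will not perform updates.
  _CheckTemplateMatch(tmpl1)
  with self.assertRaisesErrno(EEXIST):
    self.xfrm.AddPolicyInfo(policy, tmpl2, mark)
  # Update the policy using UPDPOLICY.
  self.xfrm.UpdatePolicyInfo(policy, tmpl2, mark)
  # There should only be one policy after update, and it should have the
  # updated template.
  _CheckTemplateMatch(tmpl2)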
def _CheckGlobalPoliciesByMark(self, version):
  """Tests that global policies may differ by only the mark.

  Adds two OUT policies with an identical selector and template and
  different marks, then deletes each by (selector, direction, mark). Both
  adds and both deletes are expected to succeed.

  Args:
    version: IP version used to derive the address family (via net_test).
  """
  family = net_test.GetAddressFamily(version)
  match_all = xfrm.EmptySelector(family)
  # Two arbitrary, distinct mark values; the mask is the same for both.
  marks = (
      xfrm.XfrmMark(mark=0xf00, mask=xfrm_base.MARK_MASK_ALL),
      xfrm.XfrmMark(mark=0xf00d, mask=xfrm_base.MARK_MASK_ALL),
  )
  out_policy = xfrm.UserPolicy(xfrm.XFRM_POLICY_OUT, match_all)
  # The template is family-agnostic (AF_UNSPEC); only the mark distinguishes
  # the two policies.
  template = xfrm.UserTemplate(AF_UNSPEC, 0xfeed, 0, None)
  # Same policy and template, first mark then second mark.
  for mark in marks:
    self.xfrm.AddPolicyInfo(out_policy, template, mark)
  # Delete the policies one at a time, keyed by mark, in the same order.
  for mark in marks:
    self.xfrm.DeletePolicyInfo(match_all, xfrm.XFRM_POLICY_OUT, mark)