diff options
| author | Florian Westphal <fw@strlen.de> | 2019-01-04 14:16:59 +0100 |
|---|---|---|
| committer | Steffen Klassert <steffen.klassert@secunet.com> | 2019-01-09 13:58:23 +0100 |
| commit | 0977b2383de69dc48e9fa61c5c77878ed08d87fe (patch) | |
| tree | f26c4316dbe15a64a58bdfb4ddcc4e9b2bc69718 /net/xfrm/xfrm_policy.c | |
| parent | d972f3dce8d161e2142da0ab1ef25df00e2f21a9 (diff) | |
selftests: xfrm: add block rules with adjacent/overlapping subnets
The existing script lacks a policy pattern that triggers 'tree node
merges' in the kernel.
Consider adding policy affecting following subnet:
pol1: dst 10.0.0.0/22
pol2: dst 10.0.0.0/23 # adds to existing 10.0.0.0/22 node
-> no problems here. But now, lets consider reverse order:
pol1: dst 10.0.0.0/24
pol2: dst 10.0.0.0/23 # CANNOT add to existing node
When second policy gets added, the kernel must check that the new node
("10.0.0.0/23") doesn't overlap with any existing subnet.
Example:
dst 10.0.0.0/24
dst 10.0.0.1/24
dst 10.0.0.0/23
When the third policy gets added, the kernel must replace the nodes for
the 10.0.0.0/24 and 10.0.0.1/24 policies with a single one and must merge
all the subtrees/lists stored in those nodes into the new node.
The existing test cases only have overlaps with a single node, so no
merging takes place (we can always remove the 'old' node and replace
it with the new subnet prefix).
Add a few 'block policies' in a pattern that triggers this, with a priority
that will make kernel prefer the 'esp' rules.
Make sure the 'tunnel ping' tests still pass after they have been added.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Diffstat (limited to 'net/xfrm/xfrm_policy.c')
0 files changed, 0 insertions, 0 deletions