wireguard: test multiple peers at a time

Extends the wg_reconfig run script to test that the WireGuard component is able to handle multiple peers at the same time if configured. Ref #4520
2025-06-06 17:31:46 +00:00 · 2022-05-27 13:35:45 +02:00 · 2022-05-27 13:35:45 +02:00 · 6f777f90a8
commit 6f777f90a8
parent 36d2374ff9
1 changed files with 96 additions and 31 deletions
--- a/repos/dde_linux/run/wg_reconfig.run
+++ b/repos/dde_linux/run/wg_reconfig.run
@ -1,14 +1,17 @@
 #
-# A ping (peer 1) and a fetchurl (peer 3) both try to reach a server at peer 2
+# Two pings (peer 1 and peer 4) and a fetchurl (peer 3) try to reach a server
-# through a WireGuard VNP (10.0.9.0/24) while the configuration of the server
+# (peer 2) through a WireGuard VNP (10.0.9.0/24) while the configuration of
-# WireGuard changes. Each peer has its own WireGuard instance and talks
+# the server WireGuard changes. Each peer has its own WireGuard instance and
-# to the other peers only through WireGuard. The server WireGuard (peer 2)
+# talks to the other peers only through WireGuard.
-# initially accepts only peer 1. After some time it gets re-configured to
+#
-# accept only peer 3. Then, it gets re-configured to accept only peer 1 again
+# In configuration step 1, the server WireGuard accepts only peer 1. In step 2
-# and, in the end, an attempt is made to re-configure the private key, which
+# it gets re-configured to accept only peer 3. Then, in step 3, it gets
-# should fail. Note that the peer 1 WireGuard has to be reconfigured as well,
+# re-configured to accept both peer 1 and peer 4 and, in the final step 4, an
-# in order to be forced to redo the initiation handshake for the third
+# attempt is made to re-configure the private key, which should fail.
-# configuration phase of the server WireGuard.
+#
 # Note that the peer 1 WireGuard has to be reconfigured as well, in order to
 # be forced to redo the initiation handshake for configuration step 3 of the
 # server WireGuard.
 #
 if {[expr ![have_spec arm_v8a] && ![have_spec x86_64]]} {
@ -33,7 +36,7 @@ proc peer_1_wg_config {peers} {
 		<config private_key="0CtU34qsl97IGiYKSO4tMaF/SJvy04zzeQkhZEbZSk0="
 		        listen_port="49001">
 	}
-	if {$peers == "peer_3"} {
+	if {[lsearch $peers peer_3] != -1} {
 		append result {
 			<peer public_key="GrvyALPZ3PQ2AWM+ovxJqnxSqKpmTyqUui5jH+C8I0E="
 			      endpoint_ip="10.1.2.1"
@ -64,18 +67,22 @@ proc peer_2_wg_config {peers private_key} {
 	append result {
 		listen_port="49002">
 	}
-	switch $peers {
+	if {[lsearch $peers peer_1] != -1} {
-		peer_1 {
+		append result {
-			append result {
+			<peer public_key="r1Gslnm82X8NaijsWzPoSFzDZGl2tTJoPa+EJL4gYQw="
-				<peer public_key="r1Gslnm82X8NaijsWzPoSFzDZGl2tTJoPa+EJL4gYQw="
+			      allowed_ip="10.0.9.1/32" />
 					  allowed_ip="10.0.9.1/32" />
 			}
 		}
-		peer_3 {
+	}
-			append result {
+	if {[lsearch $peers peer_3] != -1} {
-				<peer public_key="gFRbQOj7cVLoLKDIFfNZbguw89vuZrc0i74TV5qOexY="
+		append result {
-					  allowed_ip="10.0.9.3/32" />
+			<peer public_key="gFRbQOj7cVLoLKDIFfNZbguw89vuZrc0i74TV5qOexY="
-			}
+			      allowed_ip="10.0.9.3/32" />
 		}
 	}
 	if {[lsearch $peers peer_4] != -1} {
 		append result {
 			<peer public_key="qBj913LPLPO5543Iaz80wTJdUrdjoCafinRQhREIQF4="
 			      allowed_ip="10.0.9.4/32" />
 		}
 	}
 	append result {
@ -116,26 +123,26 @@ append config {
 		<config verbose="yes">
 			<rom name="peer_2_wg_config">
-				<inline description="permit peer_1_ping only">
+				<inline description="step 1: peer_1_only">
 					} [peer_2_wg_config peer_1 private_key_1] {
 				</inline>
 				<sleep milliseconds="5000"/>
-				<inline description="permit peer_3_fetchurl only">
+				<inline description="step 2: peer_3_only">
 					} [peer_2_wg_config peer_3 private_key_1] {
 				</inline>
 				<sleep milliseconds="5000"/>
-				<inline description="permit peer_1_ping only">
+				<inline description="step 3: peer_1_and peer 4">
-					} [peer_2_wg_config peer_1 private_key_1] {
+					} [peer_2_wg_config {peer_1 peer_4} private_key_1] {
 				</inline>
-				<sleep milliseconds="3000"/>
+				<sleep milliseconds="5000"/>
-				<inline description="permit peer_1_ping only">
+				<inline description="step 4: invalid reconfiguration attempt">
-					} [peer_2_wg_config peer_1 private_key_2] {
+					} [peer_2_wg_config {peer_1 peer_4} private_key_2] {
 				</inline>
 				<sleep milliseconds="600000"/>
@ -147,7 +154,7 @@ append config {
 				<sleep milliseconds="9000"/>
-				<inline> } [peer_1_wg_config no_peer] { </inline>
+				<inline> } [peer_1_wg_config { }] { </inline>
 				<sleep milliseconds="1000"/>
@ -192,6 +199,20 @@ append config {
 		</route>
 	</start>
 	<start name="peer_4_ping" caps="100">
 		<binary name="ping"/>
 		<resource name="RAM" quantum="8M"/>
 		<config dst_ip="10.0.9.2" period_sec="1" count="1000"/>
 		<route>
 			<service name="Nic">   <child name="nic_router"/> </service>
 			<service name="Timer"> <child name="timer"/> </service>
 			<service name="ROM">   <parent/> </service>
 			<service name="PD">    <parent/> </service>
 			<service name="CPU">   <parent/> </service>
 			<service name="LOG">   <parent/> </service>
 		</route>
 	</start>
 	<start name="peer_3_fetchurl" caps="200">
 		<binary name="fetchurl"/>
 		<resource name="RAM" quantum="10M"/>
@ -284,6 +305,29 @@ append config {
 		</route>
 	</start>
 	<start name="peer_4_wg" caps="200">
 		<binary name="wireguard"/>
 		<resource name="RAM" quantum="10M"/>
 		<config private_key="2OhXWuHHho3fTVi+7LB/ggK0w4cDvFYFJMC3/Mx6Bls="
 			     listen_port="49004">
 			<peer public_key="GrvyALPZ3PQ2AWM+ovxJqnxSqKpmTyqUui5jH+C8I0E="
 				   endpoint_ip="10.4.2.1"
 				   endpoint_port="49002"
 				   allowed_ip="10.0.9.2/32" />
 		</config>
 		<route>
 			<service name="Timer">  <child name="timer"/> </service>
 			<service name="Nic">    <child name="nic_router"/> </service>
 			<service name="Uplink"> <child name="nic_router"/> </service>
 			<service name="ROM">    <parent/> </service>
 			<service name="PD">     <parent/> </service>
 			<service name="CPU">    <parent/> </service>
 			<service name="LOG">    <parent/> </service>
 		</route>
 	</start>
 	<start name="nic_router" caps="200">
 		<resource name="RAM" quantum="10M"/>
 		<provides>
@ -356,6 +400,27 @@ append config {
 			</domain>
 			<!-- Peer 4 (ping) -->
 			<policy label="peer_4_wg -> nic_session"    domain="peer_4_outer_downlink"/>
 			<policy label="peer_4_wg -> uplink_session" domain="peer_4_inner_uplink"/>
 			<policy label="peer_4_ping -> "             domain="peer_4_inner_downlink"/>
 			<domain name="peer_4_outer_downlink" interface="10.4.2.1/24">
 				<dhcp-server ip_first="10.4.2.2" ip_last="10.4.2.2"/>
 				<udp-forward port="49002" domain="peer_2_outer_downlink" to="10.0.3.2"/>
 			</domain>
 			<domain name="peer_4_inner_uplink" interface="10.0.9.4/24" use_arp="no">
 				<nat domain="peer_4_inner_downlink" icmp-ids="1000"/>
 			</domain>
 			<domain name="peer_4_inner_downlink" interface="10.4.3.1/24">
 				<dhcp-server ip_first="10.4.3.2" ip_last="10.4.3.2"/>
 				<icmp dst="10.0.9.2/24" domain="peer_4_inner_uplink"/>
 			</domain>
 		</config>
 		<route>
 			<service name="Timer"> <child name="timer"/> </service>
@ -510,7 +575,7 @@ append output_pattern   "peer_1_ping. 64 bytes from 10.0.9.2.*\n"
 append output_pattern ".*peer_1_ping. 64 bytes from 10.0.9.2.*\n"
 append output_pattern ".*child \"peer_3_fetchurl\" exited with exit value 0.*\n"
 append output_pattern ".*peer_1_ping. 64 bytes from 10.0.9.2.*\n"
-append output_pattern ".*peer_1_ping. 64 bytes from 10.0.9.2.*\n"
+append output_pattern ".*peer_4_ping. 64 bytes from 10.0.9.2.*\n"
 append output_pattern ".*peer_2_wg. .*Error: Uncaught exception of type .*Invalid_reconfiguration_attempt.*\n"
 run_genode_until $output_pattern 45