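#!/bin/bash
# End-to-end checks for the packet_ebpf XDP filter: builds the project, then
# exercises the UDP magic-word rule and the TLS certificate rule on loopback.
# Needs enough privilege to attach XDP to lo (the paths below assume root).
set -e
# Project checkout; the binaries are expected under $DIR/target/release.
readonly DIR=/root/w/packet_ebpf
# Scratch PKI directory. Created with mktemp instead of a fixed /tmp name so a
# pre-existing directory or symlink planted there by another local user is never
# followed when the script later writes into it and `rm -rf`s it as root.
CERTS=$(mktemp -d "${TMPDIR:-/tmp}/ebpf_certs.XXXXXX")
readonly CERTS
# PIDs of every background process started by the script; killed on exit.
PIDS=()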
# Cleanup on exit
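# Cleanup on exit: stop every tracked background process, then remove the
# scratch PKI directory.
# Globals: PIDS (read), CERTS (read)
# `kill` is allowed to fail (a tracked process may already have exited) so the
# directory removal still runs under `set -e`; with an empty PIDS the call is
# skipped instead of invoking `kill` with no arguments. The `:?` guard refuses
# to expand an empty CERTS, so `rm -rf` can never run on an empty path.
cleanup() {
  if (( ${#PIDS[@]} > 0 )); then
    kill "${PIDS[@]}" 2>/dev/null || true
  fi
  rm -rf -- "${CERTS:?CERTS is unset}"
}
trap cleanup EXIT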
# Start background process and track PID
# Run a command in the background with its output silenced and remember its
# PID in PIDS so cleanup can stop it later.
# Arguments: the command and its arguments
# Globals:   PIDS (appended)
bg() {
  "$@" >/dev/null 2>&1 &
  PIDS+=("$!")
}
# Print result
# Report a passing check: " <label>: OK" on stdout.
# Arguments: $1 - label of the check
ok() {
  printf ' %s: OK\n' "$1"
}
# Report a failing check: " <label>: FAIL" on stdout.
# Arguments: $1 - label of the check
fail() {
  printf ' %s: FAIL\n' "$1"
}
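# Build the eBPF object and the userspace detector. Build output goes to a log
# that is only printed when a step fails, so a failing build is reported instead
# of silently terminating the script through `set -e`.
echo "=== Building ==="
cd "$DIR" || exit 1
BUILD_LOG=$(mktemp)
# Run one build command; on failure dump its log to stderr and stop.
# Arguments: the build command and its arguments
build_step() {
  if ! "$@" >"$BUILD_LOG" 2>&1; then
    cat "$BUILD_LOG" >&2
    rm -f -- "$BUILD_LOG"
    fail "$*"
    exit 1
  fi
}
build_step cargo xtask build-ebpf --release
build_step cargo build --release -p packet-detector
rm -f -- "$BUILD_LOG"
echo "Done"
echo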
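# Test 1: UDP - test actual packet delivery
# Listener and probe datagram are both on loopback; the XDP program attached
# to lo decides whether the datagram reaches the listener.
UDP_PORT=9999
MAGIC='hell0123'
echo "=== UDP Magic Word (only '$MAGIC' passes) ==="
# Start XDP filter (tracked in PIDS like every other background process)
bg ./target/release/packet-detector lo
sleep 1
RECV_FILE=$(mktemp)

# Send one UDP datagram to a fresh listener and report whether it arrived.
# Arguments: $1 - payload, $2 - 0 if delivery is expected, 1 if it must be dropped
# Globals:   RECV_FILE, UDP_PORT (read)
udp_probe() {
  local payload=$1 expect_drop=$2
  local listener
  : > "$RECV_FILE"
  # Redirect the listener directly rather than interpolating the file path into
  # a `bash -c` string.
  timeout 2 nc -u -l 127.0.0.1 "$UDP_PORT" > "$RECV_FILE" &
  listener=$!
  sleep 0.3
  printf '%s\n' "$payload" | nc -u -w1 127.0.0.1 "$UDP_PORT" 2>/dev/null || true
  # Let the listener run to its timeout before the next probe reuses the port;
  # otherwise the next listener can fail to bind and a "dropped" result would be
  # reported with nothing listening. `wait` returns 124 from timeout, which is
  # expected here.
  wait "$listener" || true
  if grep -qF -- "$payload" "$RECV_FILE"; then
    if (( expect_drop )); then
      fail "$payload passed (should drop)"
    else
      ok "$payload passed (XDP_PASS)"
    fi
  else
    if (( expect_drop )); then
      ok "$payload dropped (XDP_DROP)"
    else
      fail "$payload dropped"
    fi
  fi
}
# Test valid packet
udp_probe "$MAGIC" 0
# Test invalid packet
udp_probe 'wrongmsg' 1
rm -f -- "$RECV_FILE"
# Stop the detector started above (last entry in PIDS). A failed kill means the
# detector was not running during the probes, which is itself a failure.
kill "${PIDS[-1]}" 2>/dev/null || fail "packet-detector was not running"
unset 'PIDS[-1]'
echo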
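# Test 2: TLS
echo "=== TLS Certificate ==="
# Create two separate PKI environments
BAD_CERTS="$CERTS/bad"
GOOD_CERTS="$CERTS/good"
TLS_BAD_PORT=8443
TLS_GOOD_PORT=8444
mkdir -p -- "$BAD_CERTS" "$GOOD_CERTS"
# NOTE(review): each tls_server is started from its own directory; presumably it
# writes its key material (including ca_cert.pem) into the cwd — confirm against
# tls_server before relying on the path checks below.
# Start server with UNTRUSTED certs on port 8443
cd "$BAD_CERTS"
bg "$DIR/target/release/tls_server" "$TLS_BAD_PORT"
sleep 3
# Start server with TRUSTED certs on port 8444
cd "$GOOD_CERTS"
bg "$DIR/target/release/tls_server" "$TLS_GOOD_PORT"
sleep 3
# Refuse to start the detector against a missing CA file: the later checks
# would then say nothing about certificate validation.
if [[ ! -r "$GOOD_CERTS/ca_cert.pem" ]]; then
  fail "Trusted CA file $GOOD_CERTS/ca_cert.pem not found after server start"
  exit 1
fi
# Start packet-detector with ONLY the good CA (won't trust bad server)
bg "$DIR/target/release/packet-detector" lo "$GOOD_CERTS/ca_cert.pem"
sleep 2
# Every tracked background process (both servers, the detector) must still be
# alive before probing; an early exit would otherwise show up as a misleading
# "blocked" result below.
for pid in "${PIDS[@]}"; do
  kill -0 "$pid" 2>/dev/null || fail "background process $pid exited before the TLS probes"
done
# Test 1: Connect to BAD server (untrusted cert)
# Handshake completes, but HTTP request should fail (blocked after validation).
# This check is coarse: any client outcome without an HTTP 200 counts as
# "blocked", which is why the liveness loop above matters.
cd "$BAD_CERTS"
BAD_OUT=$(timeout 5 "$DIR/target/release/tls_client" 127.0.0.1 "$TLS_BAD_PORT" 2>&1) || true
if grep -qF -- "HTTP/1.1 200" <<<"$BAD_OUT"; then
  fail "Untrusted cert - HTTP should have been blocked"
else
  ok "Untrusted cert - HTTP blocked (XDP_DROP after validation)"
fi
# Test 2: Connect to GOOD server (trusted cert) - should succeed fully
cd "$GOOD_CERTS"
GOOD_OUT=$(timeout 5 "$DIR/target/release/tls_client" 127.0.0.1 "$TLS_GOOD_PORT" 2>&1) || true
if grep -qF -- "HTTP/1.1 200" <<<"$GOOD_OUT"; then
  ok "Trusted cert - HTTP succeeded (XDP_PASS)"
else
  fail "Trusted cert - HTTP failed"
fi
echo
echo "=== Done ==="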