From 1e74a908b7de2cb744efbfb81f57c871defc2e66 Mon Sep 17 00:00:00 2001 From: seantywork Date: Sun, 14 Dec 2025 11:14:39 +0000 Subject: [PATCH] okay --- virsh-create-dut/dut/vpn/dev1/bin/Makefile | 4 + virsh-create-dut/dut/vpn/dev1/bin/bpf_ctl.c | 81 +++++++++++++ .../dut/vpn/dev1/bin/xsk_def_xdp_prog.h | 9 ++ .../dut/{ => vpn}/dev1/install.sh | 1 + .../dut/{dev1 => vpn/dev1/net}/network-del.sh | 0 .../dut/{dev1 => vpn/dev1/net}/network.sh | 2 + virsh-create-dut/dut/vpn/dev1/vpn/.gitignore | 4 + virsh-create-dut/dut/vpn/dev1/vpn/install.sh | 39 ++++++ .../dut/vpn/dev1/vpn/swanctl.conf | 34 ++++++ virsh-create-dut/dut/vpn/dev2/install.sh | 113 ++++++++++++++++++ .../dut/vpn/dev2/net/network-del.sh | 5 + virsh-create-dut/dut/vpn/dev2/net/network.sh | 8 ++ virsh-create-dut/dut/vpn/dev2/vpn/.gitignore | 0 virsh-create-dut/dut/vpn/dev2/vpn/install.sh | 14 +++ .../dut/vpn/dev2/vpn/swanctl.conf | 23 ++++ 15 files changed, 337 insertions(+) create mode 100644 virsh-create-dut/dut/vpn/dev1/bin/Makefile create mode 100644 virsh-create-dut/dut/vpn/dev1/bin/bpf_ctl.c create mode 100644 virsh-create-dut/dut/vpn/dev1/bin/xsk_def_xdp_prog.h rename virsh-create-dut/dut/{ => vpn}/dev1/install.sh (99%) rename virsh-create-dut/dut/{dev1 => vpn/dev1/net}/network-del.sh (100%) rename virsh-create-dut/dut/{dev1 => vpn/dev1/net}/network.sh (98%) create mode 100644 virsh-create-dut/dut/vpn/dev1/vpn/.gitignore create mode 100755 virsh-create-dut/dut/vpn/dev1/vpn/install.sh create mode 100644 virsh-create-dut/dut/vpn/dev1/vpn/swanctl.conf create mode 100755 virsh-create-dut/dut/vpn/dev2/install.sh create mode 100755 virsh-create-dut/dut/vpn/dev2/net/network-del.sh create mode 100755 virsh-create-dut/dut/vpn/dev2/net/network.sh create mode 100644 virsh-create-dut/dut/vpn/dev2/vpn/.gitignore create mode 100755 virsh-create-dut/dut/vpn/dev2/vpn/install.sh create mode 100644 virsh-create-dut/dut/vpn/dev2/vpn/swanctl.conf 
diff --git a/virsh-create-dut/dut/vpn/dev1/bin/Makefile b/virsh-create-dut/dut/vpn/dev1/bin/Makefile
new file mode 100644
index 0000000..e4d4361
--- /dev/null
+++ b/virsh-create-dut/dut/vpn/dev1/bin/Makefile
@@ -0,0 +1,4 @@
+all:
+ clang -O2 -g -Wall -c -target bpf -o bpf_ctl.o bpf_ctl.c
+clean:
+ rm -rf *.o
\ No newline at end of file
diff --git a/virsh-create-dut/dut/vpn/dev1/bin/bpf_ctl.c b/virsh-create-dut/dut/vpn/dev1/bin/bpf_ctl.c
new file mode 100644
index 0000000..b628446
--- /dev/null
+++ b/virsh-create-dut/dut/vpn/dev1/bin/bpf_ctl.c
@@ -0,0 +1,81 @@
+
+#define AF_INET 2 /* Internet IP Protocol */
+#define ETH_ALEN 6
+#define PROTO_IP 0x0800
+
+#include
+
+#include
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "xsk_def_xdp_prog.h"
+
+struct hwaddr {
+ __u8 data[6];
+ __u8 rsvd[2];
+};
+
+struct {
+ __uint(type, BPF_MAP_TYPE_HASH);
+ __type(key, __u32);
+ __type(value, struct hwaddr);
+ __uint(map_flags, BPF_F_NO_PREALLOC);
+ __uint(max_entries, 64);
+} inline_hw SEC(".maps");
+
+
+SEC("xdp_pass")
+int xdp_pass_prog(struct xdp_md *ctx){
+
+ unsigned char *data_end = (unsigned char *)(long)ctx->data_end;
+ unsigned char *data = (unsigned char *)(long)ctx->data;
+
+
+ struct ethhdr *ether = (struct ethhdr *)data;
+ if (data + sizeof(*ether) > data_end) {
+
+ return XDP_DROP;
+ }
+
+// bpf_printk("h proto: %d\n", bpf_ntohs(ether->h_proto));
+ __u16 h_proto = ether->h_proto;
+
+ //bpf_printk("h_proto orig: %02x\n", h_proto);
+ //bpf_printk("h_proto hton: %02x\n", bpf_htons(h_proto));
+
+ if (bpf_htons(h_proto) != PROTO_IP) {
+ // bpf_printk("proto not ip\n");
+ return XDP_PASS;
+ }
+
+ //broadcast & multicast
+ if(ether->h_dest[0] & 0x01){
+ return XDP_PASS;
+ }
+
+ __u32 key = 0;
+ struct hwaddr *value = NULL;
+
+ value = bpf_map_lookup_elem(&inline_hw, &key);
+
+ if(!value){
+ bpf_printk("inline hw addr not found\n");
+ return XDP_DROP;
+ }
+
+ //bpf_printk("inline hwaddr: %02x:%02x:%02x:%02x:%02x:%02x\n", value->data[0], value->data[1], value->data[2], value->data[3], value->data[4], value->data[5]);
+
+ memcpy(ether->h_dest, value->data, 6);
+
+ return XDP_PASS;
+}
+
+char _license[] SEC("license") = "GPL";
\ No newline at end of file
diff --git a/virsh-create-dut/dut/vpn/dev1/bin/xsk_def_xdp_prog.h b/virsh-create-dut/dut/vpn/dev1/bin/xsk_def_xdp_prog.h
new file mode 100644
index 0000000..f9fb6cd
--- /dev/null
+++ b/virsh-create-dut/dut/vpn/dev1/bin/xsk_def_xdp_prog.h
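Review bot: The lookup-miss branch (`if(!value)`) drops every unicast IPv4 frame and calls `bpf_printk` for each one, so until user space has written key 0 into `inline_hw` the interface is black-holed and the trace buffer is filled at line rate by a helper that is expensive on the per-packet path. Consider either passing the frame through when no rewrite address is configured, or replacing the `bpf_printk` with a counter, and state the chosen fail-open/fail-closed policy in a comment above the map: `/* key 0 holds the MAC written into h_dest; a missing entry currently drops all unicast IPv4 */`. `ETH_ALEN` is defined at the top but the copy uses a literal, `memcpy(ether->h_dest, value->data, ETH_ALEN);` would tie the two together, and `bpf_htons(h_proto)` applied to a network-order field reads more naturally as `bpf_ntohs` (same byte swap, clearer intent). A hash map with `max_entries` 64 that is only ever read at key 0 looks like it could be a one-element `BPF_MAP_TYPE_ARRAY`; the `#include` targets are not visible in this rendering, so nothing header-related is checked here.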
@@ -0,0 +1,9 @@
+// SPDX-License-Identifier: (GPL-2.0 OR BSD-2-Clause)
+
+#ifndef __LIBXDP_XSK_DEF_XDP_PROG_H
+#define __LIBXDP_XSK_DEF_XDP_PROG_H
+
+#define XDP_METADATA_SECTION "xdp_metadata"
+#define XSK_PROG_VERSION 1
+
+#endif /* __LIBXDP_XSK_DEF_XDP_PROG_H */
\ No newline at end of file
diff --git a/virsh-create-dut/dut/dev1/install.sh b/virsh-create-dut/dut/vpn/dev1/install.sh
similarity index 99%
rename from virsh-create-dut/dut/dev1/install.sh
rename to virsh-create-dut/dut/vpn/dev1/install.sh
index b2817f9..9f86257 100755
--- a/virsh-create-dut/dut/dev1/install.sh
+++ b/virsh-create-dut/dut/vpn/dev1/install.sh
@@ -144,3 +144,4 @@ sudo make install
 popd
 popd
+
diff --git a/virsh-create-dut/dut/dev1/network-del.sh b/virsh-create-dut/dut/vpn/dev1/net/network-del.sh
similarity index 100%
rename from virsh-create-dut/dut/dev1/network-del.sh
rename to virsh-create-dut/dut/vpn/dev1/net/network-del.sh
diff --git a/virsh-create-dut/dut/dev1/network.sh b/virsh-create-dut/dut/vpn/dev1/net/network.sh
similarity index 98%
rename from virsh-create-dut/dut/dev1/network.sh
rename to virsh-create-dut/dut/vpn/dev1/net/network.sh
index dce42cd..370b6de 100755
--- a/virsh-create-dut/dut/dev1/network.sh
+++ b/virsh-create-dut/dut/vpn/dev1/net/network.sh
@@ -2,6 +2,8 @@ set -exo pipefail
+sudo modprobe br_netfilter
+
 sudo ip netns add net1
 sudo ip netns add net2
 sudo ip link add dev veth1 type veth peer name veth2 netns net1
diff --git a/virsh-create-dut/dut/vpn/dev1/vpn/.gitignore b/virsh-create-dut/dut/vpn/dev1/vpn/.gitignore
new file mode 100644
index 0000000..de7ac14
--- /dev/null
+++ b/virsh-create-dut/dut/vpn/dev1/vpn/.gitignore
@@ -0,0 +1,4 @@
+*.pem
+*.srl
+*.csr
+*.tar.gz
\ No newline at end of file
diff --git a/virsh-create-dut/dut/vpn/dev1/vpn/install.sh b/virsh-create-dut/dut/vpn/dev1/vpn/install.sh
new file mode 100755
index 0000000..a59914f
--- /dev/null
+++ b/virsh-create-dut/dut/vpn/dev1/vpn/install.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+
+
+SCONFIG="authorityKeyIdentifier = keyid,issuer:always\n" && \
+SCONFIG="${SCONFIG}basicConstraints = CA:FALSE\n" && \
+SCONFIG="${SCONFIG}keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\n" && \
+SCONFIG="${SCONFIG}extendedKeyUsage = serverAuth\n"
+
+CCONFIG="authorityKeyIdentifier = keyid,issuer:always\n" && \
+CCONFIG="${CCONFIG}basicConstraints = CA:FALSE\n" && \
+CCONFIG="${CCONFIG}keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\n" && \
+CCONFIG="${CCONFIG}extendedKeyUsage = clientAuth\n"
+
+
+openssl genrsa -out ca_priv.pem 4096
+openssl rsa -in ca_priv.pem -outform PEM -pubout -out ca_pub.pem
+openssl req -x509 -new -key ca_priv.pem -days 365 -out ca.cert.pem -subj "/CN=dev1ca"
+
+openssl genrsa -out server.key.pem 4096
+openssl rsa -in server.key.pem -outform PEM -pubout -out ser_pub.pem
+openssl req -key server.key.pem -new -sha256 -out server.csr -subj "/CN=dev1server"
+openssl x509 -req -days 180 -in server.csr -extfile <(printf "${SCONFIG}") -CA ca.cert.pem -CAkey ca_priv.pem -CAcreateserial -sha256 -out server.cert.pem
+
+openssl genrsa -out client.key.pem 4096
+openssl rsa -in client.key.pem -outform PEM -pubout -out cli_pub.pem
+openssl req -key client.key.pem -new -sha256 -out client.csr -subj "/CN=dev1client"
+openssl x509 -req -days 180 -in client.csr -extfile <(printf "${CCONFIG}") -CA ca.cert.pem -CAkey ca_priv.pem -CAcreateserial -sha256 -out client.cert.pem
+
+sudo /bin/cp -Rf swanctl.conf /etc/swanctl/swanctl.conf
+sudo /bin/cp -Rf ca.cert.pem /etc/swanctl/x509ca/
+sudo /bin/cp -Rf server.cert.pem /etc/swanctl/x509
+sudo /bin/cp -Rf server.key.pem /etc/swanctl/private
+
+tar czf dev2.vpn.tar.gz ca.cert.pem client.cert.pem client.key.pem
+
+sudo cp dev2.vpn.tar.gz /tmp/
+sudo chmod 777 /tmp/dev2.vpn.tar.gz
+
+sudo systemctl restart strongswan
\ No newline at end of file
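Review bot: `sudo chmod 777 /tmp/dev2.vpn.tar.gz` makes an archive that contains `client.key.pem` world-readable and world-writable in a shared directory; the root-owned copy appears to exist only so the later unprivileged `scp` from dev2 can read it. Dropping `sudo` keeps the file owned by the invoking user with tight permissions, `cp dev2.vpn.tar.gz /tmp/` followed by `chmod 600 /tmp/dev2.vpn.tar.gz`, and the copy can be removed once dev2 has fetched it. The script has no `set -eo pipefail` unlike the sibling `network.sh`, so a failed `openssl x509 -req` still reaches the `cp` into `/etc/swanctl` and the `systemctl restart`. `ca_priv.pem` remains in the working directory after signing; the new `.gitignore` keeps it out of the repository, but its on-disk mode is whatever `openssl genrsa` applied and is worth confirming.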
diff --git a/virsh-create-dut/dut/vpn/dev1/vpn/swanctl.conf b/virsh-create-dut/dut/vpn/dev1/vpn/swanctl.conf
new file mode 100644
index 0000000..31363c9
--- /dev/null
+++ b/virsh-create-dut/dut/vpn/dev1/vpn/swanctl.conf
@@ -0,0 +1,34 @@
+connections {
+
+ dev1 {
+ local_addrs = 192.168.101.25
+ pools = dev1_pool
+ version = 2
+ proposals = aes256gcm16-sha256-modp2048
+ unique = never
+ encap = yes
+
+ local {
+ auth = pubkey
+ certs = server.cert.pem
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.168.0.0/24
+ mode = tunnel
+ esp_proposals = aes256gcm16-sha256
+ dpd_action = restart
+ rekey_time = 0
+ }
+ }
+ }
+}
+
+pools{
+ dev1_pool {
+ addrs = 10.9.0.0/24
+ }
+}
\ No newline at end of file
diff --git a/virsh-create-dut/dut/vpn/dev2/install.sh b/virsh-create-dut/dut/vpn/dev2/install.sh
new file mode 100755
index 0000000..a8e4ef7
--- /dev/null
+++ b/virsh-create-dut/dut/vpn/dev2/install.sh
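Review bot: `remote { auth = pubkey }` sets neither `id` nor `cacerts`, so any certificate chaining to any CA placed in `/etc/swanctl/x509ca` is accepted as a client; pinning the issuer with `cacerts = ca.cert.pem` inside `remote` limits trust to the CA the install script generates. `rekey_time = 0` in the `net` child disables CHILD_SA rekeying on this side, so a tunnel keeps the same ESP keys for as long as it stays up unless the peer rekeys; if that is deliberate for the lab a comment saying so would help, otherwise the default is the safer choice. `unique = never` allows several IKE_SAs for the same peer identity, which is convenient for testing but deserves the same kind of comment.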
@@ -0,0 +1,113 @@
+#!/bin/bash
+
+sudo apt-get update
+
+sudo apt-get -y install build-essential make autoconf automake
+
+sudo apt-get -y install libgmp-dev libsystemd-dev libcurl4-openssl-dev libldap-dev libtss2-dev libgcrypt20-dev libpam0g-dev libip4tc-dev pkg-config init libtss2-tcti-tabrmd0
+
+
+pushd ~
+
+curl -L https://github.com/strongswan/strongswan/releases/download/6.0.1/strongswan-6.0.1.tar.gz -o strongswan-6.0.1.tar.gz
+
+tar -xzf strongswan-6.0.1.tar.gz
+
+pushd strongswan-6.0.1
+
+./configure --prefix=/usr --sysconfdir=/etc --enable-charon --enable-systemd \
+--disable-defaults \
+--enable-static \
+--enable-test-vectors \
+--enable-pki --enable-ikev2 --enable-vici --enable-swanctl \
+--enable-ldap \
+--enable-pkcs11 \
+--enable-tpm \
+--enable-aesni \
+--enable-aes \
+--enable-rc2 \
+--enable-sha2 \
+--enable-sha1 \
+--enable-md5 \
+--enable-mgf1 \
+--enable-rdrand \
+--enable-random \
+--enable-nonce \
+--enable-x509 \
+--enable-revocation \
+--enable-constraints \
+--enable-pubkey \
+--enable-pkcs1 \
+--enable-pkcs7 \
+--enable-pkcs8 \
+--enable-pkcs12 \
+--enable-pgp \
+--enable-dnskey \
+--enable-sshkey \
+--enable-pem \
+--enable-openssl \
+--enable-gcrypt \
+--enable-af-alg \
+--enable-fips-prf \
+--enable-gmp \
+--enable-curve25519 \
+--enable-agent \
+--enable-chapoly \
+--enable-xcbc \
+--enable-cmac \
+--enable-hmac \
+--enable-ctr \
+--enable-ccm \
+--enable-gcm \
+--enable-ntru \
+--enable-drbg \
+--enable-curl \
+--enable-attr \
+--enable-kernel-netlink \
+--enable-resolve \
+--enable-socket-default \
+--enable-connmark \
+--enable-forecast \
+--enable-farp \
+--enable-stroke \
+--enable-vici \
+--enable-updown \
+--enable-eap-identity \
+--enable-eap-aka \
+--enable-eap-md5 \
+--enable-eap-gtc \
+--enable-eap-mschapv2 \
+--enable-eap-dynamic \
+--enable-eap-radius \
+--enable-eap-tls \
+--enable-eap-ttls \
+--enable-eap-peap \
+--enable-eap-tnc \
+--enable-xauth-generic \
+--enable-xauth-eap \
+--enable-xauth-pam \
+--enable-tnc-tnccs \
+--enable-dhcp \
+--enable-lookip \
+--enable-error-notify \
+--enable-certexpire \
+--enable-led \
+--enable-addrblock \
+--enable-unity \
+--enable-counters \
+--enable-whitelist
+
+make
+
+sudo make install
+
+popd
+
+popd
+
+
+sudo systemctl enable strongswan
+
+sudo systemctl start strongswan
+
+
diff --git a/virsh-create-dut/dut/vpn/dev2/net/network-del.sh b/virsh-create-dut/dut/vpn/dev2/net/network-del.sh
new file mode 100755
index 0000000..a8871a2
--- /dev/null
+++ b/virsh-create-dut/dut/vpn/dev2/net/network-del.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+set -exo pipefail
+
+sudo ip netns del net1
diff --git a/virsh-create-dut/dut/vpn/dev2/net/network.sh b/virsh-create-dut/dut/vpn/dev2/net/network.sh
new file mode 100755
index 0000000..5a87c20
--- /dev/null
+++ b/virsh-create-dut/dut/vpn/dev2/net/network.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -exo pipefail
+
+sudo ip netns add net1
+sudo ip link set dev enp7s3 netns net1
+sudo ip addr add 192.168.101.21/24 dev ens3
+sudo ip link set dev ens3 up
diff --git a/virsh-create-dut/dut/vpn/dev2/vpn/.gitignore b/virsh-create-dut/dut/vpn/dev2/vpn/.gitignore
new file mode 100644
index 0000000..e69de29
diff --git a/virsh-create-dut/dut/vpn/dev2/vpn/install.sh b/virsh-create-dut/dut/vpn/dev2/vpn/install.sh
new file mode 100755
index 0000000..dc06066
--- /dev/null
+++ b/virsh-create-dut/dut/vpn/dev2/vpn/install.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -exo pipefail
+
+scp seantywork@192.168.101.25:/tmp/dev2.vpn.tar.gz .
+
+tar xzf dev2.vpn.tar.gz
+
+sudo /bin/cp -Rf swanctl.conf /etc/swanctl/swanctl.conf
+sudo /bin/cp -Rf ca.cert.pem /etc/swanctl/x509ca/
+sudo /bin/cp -Rf client.cert.pem /etc/swanctl/x509
+sudo /bin/cp -Rf client.key.pem /etc/swanctl/private
+
+sudo systemctl restart strongswan
diff --git a/virsh-create-dut/dut/vpn/dev2/vpn/swanctl.conf b/virsh-create-dut/dut/vpn/dev2/vpn/swanctl.conf
new file mode 100644
index 0000000..e735c09
--- /dev/null
+++ b/virsh-create-dut/dut/vpn/dev2/vpn/swanctl.conf
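Review bot: The `curl -L` download of `strongswan-6.0.1.tar.gz` is extracted, built and installed as root with no integrity check, and because this script (unlike the sibling `net/network.sh`) has no `set -e`, a failed or truncated download still flows into `tar`, `./configure` and `sudo make install`. Adding `set -eo pipefail` after the shebang and verifying the archive before `tar -xzf` closes both gaps, e.g. `echo "<EXPECTED_SHA256>  strongswan-6.0.1.tar.gz" | sha256sum -c -` with the digest taken from the release page (the project also publishes a detached signature that `gpg --verify` can check, if a trusted key is available). `--enable-stroke` builds the legacy ipsec.conf interface alongside `--enable-vici`/`--enable-swanctl`; if only swanctl is used, dropping it shrinks what gets installed. The `--disable-defaults` line followed by roughly eighty `--enable-*` flags would benefit from a short comment naming which features the `swanctl.conf` files in this commit actually rely on.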
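Review bot: After `tar xzf dev2.vpn.tar.gz` the client private key `client.key.pem`, the CA certificate and the archive itself stay in the working directory, and this directory's `.gitignore` is added empty in the same commit (dev1's ignores `*.pem` and `*.tar.gz`), so the key can end up committed. Either mirror dev1's ignore patterns or remove the extracted material once it has been installed, e.g. `rm -f client.key.pem client.cert.pem ca.cert.pem dev2.vpn.tar.gz` after the `systemctl restart`. The `scp` line hard-codes `seantywork@192.168.101.25`; a `USER`/`HOST` variable at the top would keep the script usable outside this lab and make its dependency on dev1's `vpn/install.sh` (which stages the archive in `/tmp`) visible.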
@@ -0,0 +1,23 @@
+connections {
+ home {
+ remote_addrs = 192.168.101.25
+ vips = 0.0.0.0
+ version = 2
+ proposals = aes256gcm16-sha256-modp2048
+
+ local {
+ auth = pubkey
+ certs = client.cert.pem
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ home {
+ remote_ts = 10.168.0.0/24
+ start_action = start
+ esp_proposals = aes256gcm16-sha256
+ }
+ }
+ }
+}
\ No newline at end of file
--
2.43.0
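Review bot: `remote { auth = pubkey }` has no `id`, so the client accepts any certificate chaining to a CA in its `x509ca` directory as the server regardless of subject; the server certificate is issued as `CN=dev1server`, so `id = "CN=dev1server"` under `remote` (together with `cacerts = ca.cert.pem`) ties the connection to that identity, assuming dev1 advertises its certificate subject as its IKE identity, which `swanctl --list-sas` on either side can confirm. This `home` child sets no `rekey_time` while dev1's `net` child sets `rekey_time = 0`, so rekeying will be driven by this side's defaults; that works, but a comment would stop the asymmetry from being read as a mistake. `vips = 0.0.0.0` requests an address from dev1's `dev1_pool`; naming the pool in a comment would help anyone matching the two configs.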