From: Tobias Brunner
Date: Wed, 22 Sep 2021 11:28:53 +0000 (+0200)
Subject: testing: Allow DNS via TCP in net2net-dnscert scenario
X-Git-Tag: 5.9.4dr3~12^2~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ccac9c30479e37464f02676b55a4521de13b2e67;p=thirdparty%2Fstrongswan.git

testing: Allow DNS via TCP in net2net-dnscert scenario

New versions of Bind limit the maximum UDP message size to 1232 bytes, which is the same that newer versions of libunbound propose as maximum via EDNS in requests, so increasing the limit on the server wouldn't help. Instead we allow DNS via TCP so the client can switch after receiving the truncated UDP response.
---
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/iptables.rules
index b2c425289c..7d1bea9717 100644
--- a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/iptables.rules
+++ b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/iptables.rules
@@ -25,4 +25,8 @@
 -A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
 -A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+# allow DNSSEC fetch from winnetou via TCP
+-A INPUT -i eth0 -p tcp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
 
 COMMIT
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/iptables.rules
index b2c425289c..7d1bea9717 100644
--- a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/iptables.rules
+++ b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/iptables.rules
@@ -25,4 +25,8 @@
 -A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
 -A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+# allow DNSSEC fetch from winnetou via TCP
+-A INPUT -i eth0 -p tcp --sport 53 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 53 -d PH_IP_WINNETOU -j ACCEPT
+
 
 COMMIT
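Review bot: The added INPUT rule in the moon hunk accepts any TCP segment from PH_IP_WINNETOU whose source port is 53, with no state or flag match, so unlike the UDP reply rule it also admits connection-initiating SYNs and effectively exposes every local TCP port to a peer that binds source port 53; the sun hunk adds the identical rule. This follows the style of the existing UDP rules and is presumably acceptable inside the test lab, but for TCP the reply direction can be pinned cheaply, e.g. `-A INPUT -i eth0 -p tcp --sport 53 -s PH_IP_WINNETOU ! --syn -j ACCEPT`, or a conntrack ESTABLISHED match if the rules file already loads one. Whether a state module is used elsewhere in the file is not visible in these hunks, so the exact form should follow the rest of the rules. The rule-set header and any stateful rules above line 25 are outside the hunk.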