966 lines
22 KiB
Bash
966 lines
22 KiB
Bash
# $NetBSD: t_ipsec.sh,v 1.10 2019/08/19 03:22:05 ozaki-r Exp $
|
|
#
|
|
# Copyright (c) 2017 Internet Initiative Japan Inc.
|
|
# All rights reserved.
|
|
#
|
|
# Redistribution and use in source and binary forms, with or without
|
|
# modification, are permitted provided that the following conditions
|
|
# are met:
|
|
# 1. Redistributions of source code must retain the above copyright
|
|
# notice, this list of conditions and the following disclaimer.
|
|
# 2. Redistributions in binary form must reproduce the above copyright
|
|
# notice, this list of conditions and the following disclaimer in the
|
|
# documentation and/or other materials provided with the distribution.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
|
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
|
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
# POSSIBILITY OF SUCH DAMAGE.
|
|
#
|
|
|
|
SOCK1=unix://commsock1 # for ROUTER1
|
|
SOCK2=unix://commsock2 # for ROUTER2
|
|
ROUTER1_LANIP=192.168.1.1
|
|
ROUTER1_LANNET=192.168.1.0/24
|
|
ROUTER1_WANIP=10.0.0.1
|
|
ROUTER1_IPSECIP=172.16.1.1
|
|
ROUTER1_WANIP_DUMMY=10.0.0.11
|
|
ROUTER1_IPSECIP_DUMMY=172.16.11.1
|
|
ROUTER1_IPSECIP_RECURSIVE1=172.16.101.1
|
|
ROUTER1_IPSECIP_RECURSIVE2=172.16.201.1
|
|
ROUTER2_LANIP=192.168.2.1
|
|
ROUTER2_LANNET=192.168.2.0/24
|
|
ROUTER2_WANIP=10.0.0.2
|
|
ROUTER2_IPSECIP=172.16.2.1
|
|
ROUTER2_WANIP_DUMMY=10.0.0.12
|
|
ROUTER2_IPSECIP_DUMMY=172.16.12.1
|
|
ROUTER2_IPSECIP_RECURSIVE1=172.16.102.1
|
|
ROUTER2_IPSECIP_RECURSIVE2=172.16.202.1
|
|
|
|
ROUTER1_LANIP6=fc00:1::1
|
|
ROUTER1_LANNET6=fc00:1::/64
|
|
ROUTER1_WANIP6=fc00::1
|
|
ROUTER1_IPSECIP6=fc00:3::1
|
|
ROUTER1_WANIP6_DUMMY=fc00::11
|
|
ROUTER1_IPSECIP6_DUMMY=fc00:13::1
|
|
ROUTER1_IPSECIP6_RECURSIVE1=fc00:103::1
|
|
ROUTER1_IPSECIP6_RECURSIVE2=fc00:203::1
|
|
ROUTER2_LANIP6=fc00:2::1
|
|
ROUTER2_LANNET6=fc00:2::/64
|
|
ROUTER2_WANIP6=fc00::2
|
|
ROUTER2_IPSECIP6=fc00:4::1
|
|
ROUTER2_WANIP6_DUMMY=fc00::12
|
|
ROUTER2_IPSECIP6_DUMMY=fc00:14::1
|
|
ROUTER2_IPSECIP6_RECURSIVE1=fc00:104::1
|
|
ROUTER2_IPSECIP6_RECURSIVE2=fc00:204::1
|
|
|
|
DEBUG=${DEBUG:-false}
|
|
TIMEOUT=7
|
|
|
|
atf_test_case ipsecif_create_destroy cleanup
|
|
ipsecif_create_destroy_head()
|
|
{
|
|
|
|
atf_set "descr" "Test creating/destroying gif interfaces"
|
|
atf_set "require.progs" "rump_server"
|
|
}
|
|
|
|
ipsecif_create_destroy_body()
|
|
{
|
|
|
|
rump_server_start $SOCK1 ipsec
|
|
|
|
test_create_destroy_common $SOCK1 ipsec0
|
|
}
|
|
|
|
ipsecif_create_destroy_cleanup()
|
|
{
|
|
|
|
$DEBUG && dump
|
|
cleanup
|
|
}
|
|
|
|
setup_router()
|
|
{
|
|
local sock=${1}
|
|
local lan=${2}
|
|
local lan_mode=${3}
|
|
local wan=${4}
|
|
local wan_mode=${5}
|
|
|
|
rump_server_add_iface $sock shmif0 bus0
|
|
rump_server_add_iface $sock shmif1 bus1
|
|
|
|
export RUMP_SERVER=${sock}
|
|
|
|
atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
|
|
atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
|
|
|
|
if [ ${lan_mode} = "ipv6" ]; then
|
|
atf_check -s exit:0 rump.ifconfig shmif0 inet6 ${lan}
|
|
else
|
|
atf_check -s exit:0 rump.ifconfig shmif0 inet ${lan} netmask 0xffffff00
|
|
fi
|
|
atf_check -s exit:0 rump.ifconfig shmif0 up
|
|
$DEBUG && rump.ifconfig shmif0
|
|
|
|
if [ ${wan_mode} = "ipv6" ]; then
|
|
atf_check -s exit:0 rump.ifconfig shmif1 inet6 ${wan}
|
|
else
|
|
atf_check -s exit:0 rump.ifconfig shmif1 inet ${wan} netmask 0xff000000
|
|
fi
|
|
atf_check -s exit:0 rump.ifconfig shmif1 up
|
|
atf_check -s exit:0 rump.ifconfig -w 10
|
|
$DEBUG && rump.ifconfig shmif1
|
|
|
|
unset RUMP_SERVER
|
|
}
|
|
|
|
test_router()
|
|
{
|
|
local sock=${1}
|
|
local lan=${2}
|
|
local lan_mode=${3}
|
|
local wan=${4}
|
|
local wan_mode=${5}
|
|
|
|
export RUMP_SERVER=${sock}
|
|
atf_check -s exit:0 -o match:shmif0 rump.ifconfig
|
|
if [ ${lan_mode} = "ipv6" ]; then
|
|
atf_check -s exit:0 -o ignore rump.ping6 -n -c 1 -X $TIMEOUT ${lan}
|
|
else
|
|
atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT ${lan}
|
|
fi
|
|
|
|
atf_check -s exit:0 -o match:shmif1 rump.ifconfig
|
|
if [ ${wan_mode} = "ipv6" ]; then
|
|
atf_check -s exit:0 -o ignore rump.ping6 -n -c 1 -X $TIMEOUT ${wan}
|
|
else
|
|
atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT ${wan}
|
|
fi
|
|
unset RUMP_SERVER
|
|
}
|
|
|
|
setup()
|
|
{
|
|
local inner=${1}
|
|
local outer=${2}
|
|
|
|
rump_server_crypto_start $SOCK1 netipsec netinet6 ipsec
|
|
rump_server_crypto_start $SOCK2 netipsec netinet6 ipsec
|
|
|
|
router1_lan=""
|
|
router1_lan_mode=""
|
|
router2_lan=""
|
|
router2_lan_mode=""
|
|
if [ ${inner} = "ipv6" ]; then
|
|
router1_lan=$ROUTER1_LANIP6
|
|
router1_lan_mode="ipv6"
|
|
router2_lan=$ROUTER2_LANIP6
|
|
router2_lan_mode="ipv6"
|
|
else
|
|
router1_lan=$ROUTER1_LANIP
|
|
router1_lan_mode="ipv4"
|
|
router2_lan=$ROUTER2_LANIP
|
|
router2_lan_mode="ipv4"
|
|
fi
|
|
|
|
if [ ${outer} = "ipv6" ]; then
|
|
setup_router $SOCK1 ${router1_lan} ${router1_lan_mode} \
|
|
$ROUTER1_WANIP6 ipv6
|
|
setup_router $SOCK2 ${router2_lan} ${router2_lan_mode} \
|
|
$ROUTER2_WANIP6 ipv6
|
|
else
|
|
setup_router $SOCK1 ${router1_lan} ${router1_lan_mode} \
|
|
$ROUTER1_WANIP ipv4
|
|
setup_router $SOCK2 ${router2_lan} ${router2_lan_mode} \
|
|
$ROUTER2_WANIP ipv4
|
|
fi
|
|
}
|
|
|
|
test_setup()
|
|
{
|
|
local inner=${1}
|
|
local outer=${2}
|
|
|
|
local router1_lan=""
|
|
local router1_lan_mode=""
|
|
local router2_lan=""
|
|
local router2_lan_mode=""
|
|
if [ ${inner} = "ipv6" ]; then
|
|
router1_lan=$ROUTER1_LANIP6
|
|
router1_lan_mode="ipv6"
|
|
router2_lan=$ROUTER2_LANIP6
|
|
router2_lan_mode="ipv6"
|
|
else
|
|
router1_lan=$ROUTER1_LANIP
|
|
router1_lan_mode="ipv4"
|
|
router2_lan=$ROUTER2_LANIP
|
|
router2_lan_mode="ipv4"
|
|
fi
|
|
if [ ${outer} = "ipv6" ]; then
|
|
test_router $SOCK1 ${router1_lan} ${router1_lan_mode} \
|
|
$ROUTER1_WANIP6 ipv6
|
|
test_router $SOCK2 ${router2_lan} ${router2_lan_mode} \
|
|
$ROUTER2_WANIP6 ipv6
|
|
else
|
|
test_router $SOCK1 ${router1_lan} ${router1_lan_mode} \
|
|
$ROUTER1_WANIP ipv4
|
|
test_router $SOCK2 ${router2_lan} ${router2_lan_mode} \
|
|
$ROUTER2_WANIP ipv4
|
|
fi
|
|
}
|
|
|
|
get_if_ipsec_unique()
|
|
{
|
|
local sock=${1}
|
|
local src=${2}
|
|
local proto=${3}
|
|
local unique=""
|
|
|
|
export RUMP_SERVER=${sock}
|
|
unique=`$HIJACKING setkey -DP | grep -A2 "^${src}.*(${proto})$" | grep unique | sed 's/.*unique#//'`
|
|
unset RUMP_SERVER
|
|
|
|
echo $unique
|
|
}
|
|
|
|
setup_if_ipsec()
|
|
{
|
|
local sock=${1}
|
|
local addr=${2}
|
|
local remote=${3}
|
|
local inner=${4}
|
|
local src=${5}
|
|
local dst=${6}
|
|
local peernet=${7}
|
|
|
|
export RUMP_SERVER=${sock}
|
|
rump_server_add_iface $sock ipsec0
|
|
atf_check -s exit:0 rump.ifconfig ipsec0 tunnel ${src} ${dst}
|
|
if [ ${inner} = "ipv6" ]; then
|
|
atf_check -s exit:0 rump.ifconfig ipsec0 inet6 ${addr}/128 ${remote}
|
|
atf_check -s exit:0 -o ignore rump.route add -inet6 ${peernet} ${addr}
|
|
else
|
|
atf_check -s exit:0 rump.ifconfig ipsec0 inet ${addr}/32 ${remote}
|
|
atf_check -s exit:0 -o ignore rump.route add -inet ${peernet} ${addr}
|
|
fi
|
|
|
|
atf_check -s exit:0 rump.ifconfig -w 10
|
|
|
|
$DEBUG && rump.ifconfig ipsec0
|
|
$DEBUG && rump.route -nL show
|
|
}
|
|
|
|
setup_if_ipsec_sa()
|
|
{
|
|
local sock=${1}
|
|
local src=${2}
|
|
local dst=${3}
|
|
local mode=${4}
|
|
local proto=${5}
|
|
local algo=${6}
|
|
local dir=${7}
|
|
|
|
local tmpfile=./tmp
|
|
local inunique=""
|
|
local outunique=""
|
|
local inid=""
|
|
local outid=""
|
|
local algo_args="$(generate_algo_args $proto $algo)"
|
|
|
|
inunique=`get_if_ipsec_unique ${sock} ${dst} ${mode}`
|
|
atf_check -s exit:0 test "X$inunique" != "X"
|
|
outunique=`get_if_ipsec_unique ${sock} ${src} ${mode}`
|
|
atf_check -s exit:0 test "X$outunique" != "X"
|
|
|
|
if [ ${dir} = "1to2" ] ; then
|
|
if [ ${mode} = "ipv6" ] ; then
|
|
inid="10010"
|
|
outid="10011"
|
|
else
|
|
inid="10000"
|
|
outid="10001"
|
|
fi
|
|
else
|
|
if [ ${mode} = "ipv6" ] ; then
|
|
inid="10011"
|
|
outid="10010"
|
|
else
|
|
inid="10001"
|
|
outid="10000"
|
|
fi
|
|
fi
|
|
|
|
cat > $tmpfile <<-EOF
|
|
add $dst $src $proto $inid -u $inunique $algo_args;
|
|
add $src $dst $proto $outid -u $outunique $algo_args;
|
|
EOF
|
|
$DEBUG && cat $tmpfile
|
|
export RUMP_SERVER=$sock
|
|
atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
|
|
$DEBUG && $HIJACKING setkey -D
|
|
$DEBUG && $HIJACKING setkey -DP
|
|
unset RUMP_SERVER
|
|
}
|
|
|
|
setup_tunnel()
|
|
{
|
|
local inner=${1}
|
|
local outer=${2}
|
|
local proto=${3}
|
|
local algo=${4}
|
|
|
|
local addr=""
|
|
local remote=""
|
|
local src=""
|
|
local dst=""
|
|
local peernet=""
|
|
|
|
if [ ${inner} = "ipv6" ]; then
|
|
addr=$ROUTER1_IPSECIP6
|
|
remote=$ROUTER2_IPSECIP6
|
|
peernet=$ROUTER2_LANNET6
|
|
else
|
|
addr=$ROUTER1_IPSECIP
|
|
remote=$ROUTER2_IPSECIP
|
|
peernet=$ROUTER2_LANNET
|
|
fi
|
|
if [ ${outer} = "ipv6" ]; then
|
|
src=$ROUTER1_WANIP6
|
|
dst=$ROUTER2_WANIP6
|
|
else
|
|
src=$ROUTER1_WANIP
|
|
dst=$ROUTER2_WANIP
|
|
fi
|
|
setup_if_ipsec $SOCK1 ${addr} ${remote} ${inner} \
|
|
${src} ${dst} ${peernet}
|
|
|
|
if [ $inner = "ipv6" -a $outer = "ipv4" ]; then
|
|
setup_if_ipsec_sa $SOCK1 ${src} ${dst} ${outer} ${proto} ${algo} "1to2"
|
|
fi
|
|
setup_if_ipsec_sa $SOCK1 ${src} ${dst} ${inner} ${proto} ${algo} "1to2"
|
|
|
|
if [ $inner = "ipv6" ]; then
|
|
addr=$ROUTER2_IPSECIP6
|
|
remote=$ROUTER1_IPSECIP6
|
|
peernet=$ROUTER1_LANNET6
|
|
else
|
|
addr=$ROUTER2_IPSECIP
|
|
remote=$ROUTER1_IPSECIP
|
|
peernet=$ROUTER1_LANNET
|
|
fi
|
|
if [ $outer = "ipv6" ]; then
|
|
src=$ROUTER2_WANIP6
|
|
dst=$ROUTER1_WANIP6
|
|
else
|
|
src=$ROUTER2_WANIP
|
|
dst=$ROUTER1_WANIP
|
|
fi
|
|
setup_if_ipsec $SOCK2 ${addr} ${remote} ${inner} \
|
|
${src} ${dst} ${peernet} ${proto} ${algo}
|
|
if [ $inner = "ipv6" -a $outer = "ipv4" ]; then
|
|
setup_if_ipsec_sa $SOCK2 ${src} ${dst} ${outer} ${proto} ${algo} "2to1"
|
|
fi
|
|
setup_if_ipsec_sa $SOCK2 ${src} ${dst} ${inner} ${proto} ${algo} "2to1"
|
|
}
|
|
|
|
test_setup_tunnel()
|
|
{
|
|
local mode=${1}
|
|
|
|
local peernet=""
|
|
local opt=""
|
|
if [ ${mode} = "ipv6" ]; then
|
|
peernet=$ROUTER2_LANNET6
|
|
opt="-inet6"
|
|
else
|
|
peernet=$ROUTER2_LANNET
|
|
opt="-inet"
|
|
fi
|
|
export RUMP_SERVER=$SOCK1
|
|
atf_check -s exit:0 -o match:ipsec0 rump.ifconfig
|
|
atf_check -s exit:0 -o match:ipsec0 rump.route -nL get ${opt} ${peernet}
|
|
|
|
if [ ${mode} = "ipv6" ]; then
|
|
peernet=$ROUTER1_LANNET6
|
|
opt="-inet6"
|
|
else
|
|
peernet=$ROUTER1_LANNET
|
|
opt="-inet"
|
|
fi
|
|
export RUMP_SERVER=$SOCK2
|
|
atf_check -s exit:0 -o match:ipsec0 rump.ifconfig
|
|
atf_check -s exit:0 -o match:ipsec0 rump.route -nL get ${opt} ${peernet}
|
|
}
|
|
|
|
teardown_tunnel()
|
|
{
|
|
export RUMP_SERVER=$SOCK1
|
|
atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel
|
|
atf_check -s exit:0 rump.ifconfig ipsec0 destroy
|
|
$HIJACKING setkey -F
|
|
|
|
export RUMP_SERVER=$SOCK2
|
|
atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel
|
|
atf_check -s exit:0 rump.ifconfig ipsec0 destroy
|
|
$HIJACKING setkey -F
|
|
|
|
unset RUMP_SERVER
|
|
}
|
|
|
|
setup_dummy_if_ipsec()
|
|
{
|
|
local sock=${1}
|
|
local addr=${2}
|
|
local remote=${3}
|
|
local inner=${4}
|
|
local src=${5}
|
|
local dst=${6}
|
|
|
|
export RUMP_SERVER=${sock}
|
|
rump_server_add_iface $sock ipsec1
|
|
atf_check -s exit:0 rump.ifconfig ipsec1 tunnel ${src} ${dst}
|
|
if [ ${inner} = "ipv6" ]; then
|
|
atf_check -s exit:0 rump.ifconfig ipsec1 inet6 ${addr}/128 ${remote}
|
|
else
|
|
atf_check -s exit:0 rump.ifconfig ipsec1 inet ${addr}/32 ${remote}
|
|
fi
|
|
atf_check -s exit:0 rump.ifconfig -w 10
|
|
|
|
$DEBUG && rump.ifconfig ipsec1
|
|
unset RUMP_SERVER
|
|
}
|
|
|
|
setup_dummy_if_ipsec_sa()
|
|
{
|
|
local sock=${1}
|
|
local src=${2}
|
|
local dst=${3}
|
|
local mode=${4}
|
|
local proto=${5}
|
|
local algo=${6}
|
|
local dir=${7}
|
|
|
|
local tmpfile=./tmp
|
|
local inunique=""
|
|
local outunique=""
|
|
local inid=""
|
|
local outid=""
|
|
local algo_args="$(generate_algo_args $proto $algo)"
|
|
|
|
inunique=`get_if_ipsec_unique ${sock} ${dst} ${mode}`
|
|
atf_check -s exit:0 test "X$inunique" != "X"
|
|
outunique=`get_if_ipsec_unique ${sock} ${src} ${mode}`
|
|
atf_check -s exit:0 test "X$outunique" != "X"
|
|
|
|
if [ ${dir} = "1to2" ] ; then
|
|
inid="20000"
|
|
outid="20001"
|
|
else
|
|
inid="20001"
|
|
outid="20000"
|
|
fi
|
|
|
|
cat > $tmpfile <<-EOF
|
|
add $dst $src $proto $inid -u $inunique $algo_args;
|
|
add $src $dst $proto $outid -u $outunique $algo_args;
|
|
EOF
|
|
$DEBUG && cat $tmpfile
|
|
export RUMP_SERVER=$sock
|
|
atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
|
|
$DEBUG && $HIJACKING setkey -D
|
|
$DEBUG && $HIJACKING setkey -DP
|
|
unset RUMP_SERVER
|
|
}
|
|
|
|
setup_dummy_tunnel()
|
|
{
|
|
local inner=${1}
|
|
local outer=${2}
|
|
local proto=${3}
|
|
local algo=${4}
|
|
|
|
local addr=""
|
|
local remote=""
|
|
local src=""
|
|
local dst=""
|
|
|
|
if [ ${inner} = "ipv6" ]; then
|
|
addr=$ROUTER1_IPSECIP6_DUMMY
|
|
remote=$ROUTER2_IPSECIP6_DUMMY
|
|
else
|
|
addr=$ROUTER1_IPSECIP_DUMMY
|
|
remote=$ROUTER2_IPSECIP_DUMMY
|
|
fi
|
|
if [ ${outer} = "ipv6" ]; then
|
|
src=$ROUTER1_WANIP6_DUMMY
|
|
dst=$ROUTER2_WANIP6_DUMMY
|
|
else
|
|
src=$ROUTER1_WANIP_DUMMY
|
|
dst=$ROUTER2_WANIP_DUMMY
|
|
fi
|
|
setup_dummy_if_ipsec $SOCK1 ${addr} ${remote} ${inner} \
|
|
${src} ${dst} ${proto} ${algo} "1to2"
|
|
setup_dummy_if_ipsec_sa $SOCK1 ${src} ${dst} ${inner} ${proto} ${algo} "1to2"
|
|
|
|
if [ $inner = "ipv6" ]; then
|
|
addr=$ROUTER2_IPSECIP6_DUMMY
|
|
remote=$ROUTER1_IPSECIP6_DUMMY
|
|
else
|
|
addr=$ROUTER2_IPSECIP_DUMMY
|
|
remote=$ROUTER1_IPSECIP_DUMMY
|
|
fi
|
|
if [ $outer = "ipv6" ]; then
|
|
src=$ROUTER2_WANIP6_DUMMY
|
|
dst=$ROUTER1_WANIP6_DUMMY
|
|
else
|
|
src=$ROUTER2_WANIP_DUMMY
|
|
dst=$ROUTER1_WANIP_DUMMY
|
|
fi
|
|
setup_dummy_if_ipsec $SOCK2 ${addr} ${remote} ${inner} \
|
|
${src} ${dst} ${proto} ${algo} "2to1"
|
|
setup_dummy_if_ipsec_sa $SOCK2 ${src} ${dst} ${inner} ${proto} ${algo} "2to1"
|
|
}
|
|
|
|
test_setup_dummy_tunnel()
|
|
{
|
|
export RUMP_SERVER=$SOCK1
|
|
atf_check -s exit:0 -o match:ipsec1 rump.ifconfig
|
|
|
|
export RUMP_SERVER=$SOCK2
|
|
atf_check -s exit:0 -o match:ipsec1 rump.ifconfig
|
|
|
|
unset RUMP_SERVER
|
|
}
|
|
|
|
teardown_dummy_tunnel()
|
|
{
|
|
export RUMP_SERVER=$SOCK1
|
|
atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel
|
|
atf_check -s exit:0 rump.ifconfig ipsec1 destroy
|
|
|
|
export RUMP_SERVER=$SOCK2
|
|
atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel
|
|
atf_check -s exit:0 rump.ifconfig ipsec1 destroy
|
|
|
|
unset RUMP_SERVER
|
|
}
|
|
|
|
setup_recursive_if_ipsec()
|
|
{
|
|
local sock=${1}
|
|
local ipsec=${2}
|
|
local addr=${3}
|
|
local remote=${4}
|
|
local inner=${5}
|
|
local src=${6}
|
|
local dst=${7}
|
|
local proto=${8}
|
|
local algo=${9}
|
|
local dir=${10}
|
|
|
|
export RUMP_SERVER=${sock}
|
|
rump_server_add_iface $sock $ipsec
|
|
atf_check -s exit:0 rump.ifconfig ${ipsec} tunnel ${src} ${dst}
|
|
if [ ${inner} = "ipv6" ]; then
|
|
atf_check -s exit:0 rump.ifconfig ${ipsec} inet6 ${addr}/128 ${remote}
|
|
else
|
|
atf_check -s exit:0 rump.ifconfig ${ipsec} inet ${addr}/32 ${remote}
|
|
fi
|
|
atf_check -s exit:0 rump.ifconfig -w 10
|
|
setup_if_ipsec_sa $sock ${src} ${dst} ${inner} ${proto} ${algo} ${dir}
|
|
|
|
export RUMP_SERVER=${sock}
|
|
$DEBUG && rump.ifconfig ${ipsec}
|
|
unset RUMP_SERVER
|
|
}
|
|
|
|
# test in ROUTER1 only
|
|
setup_recursive_tunnels()
|
|
{
|
|
local mode=${1}
|
|
local proto=${2}
|
|
local algo=${3}
|
|
|
|
local addr=""
|
|
local remote=""
|
|
local src=""
|
|
local dst=""
|
|
|
|
if [ ${mode} = "ipv6" ]; then
|
|
addr=$ROUTER1_IPSECIP6_RECURSIVE1
|
|
remote=$ROUTER2_IPSECIP6_RECURSIVE1
|
|
src=$ROUTER1_IPSECIP6
|
|
dst=$ROUTER2_IPSECIP6
|
|
else
|
|
addr=$ROUTER1_IPSECIP_RECURSIVE1
|
|
remote=$ROUTER2_IPSECIP_RECURSIVE1
|
|
src=$ROUTER1_IPSECIP
|
|
dst=$ROUTER2_IPSECIP
|
|
fi
|
|
setup_recursive_if_ipsec $SOCK1 ipsec1 ${addr} ${remote} ${mode} \
|
|
${src} ${dst} ${proto} ${algo} "1to2"
|
|
|
|
if [ ${mode} = "ipv6" ]; then
|
|
addr=$ROUTER1_IPSECIP6_RECURSIVE2
|
|
remote=$ROUTER2_IPSECIP6_RECURSIVE2
|
|
src=$ROUTER1_IPSECIP6_RECURSIVE1
|
|
dst=$ROUTER2_IPSECIP6_RECURSIVE1
|
|
else
|
|
addr=$ROUTER1_IPSECIP_RECURSIVE2
|
|
remote=$ROUTER2_IPSECIP_RECURSIVE2
|
|
src=$ROUTER1_IPSECIP_RECURSIVE1
|
|
dst=$ROUTER2_IPSECIP_RECURSIVE1
|
|
fi
|
|
setup_recursive_if_ipsec $SOCK1 ipsec2 ${addr} ${remote} ${mode} \
|
|
${src} ${dst} ${proto} ${algo} "1to2"
|
|
}
|
|
|
|
# test in router1 only
|
|
test_recursive_check()
|
|
{
|
|
local mode=$1
|
|
|
|
export RUMP_SERVER=$SOCK1
|
|
if [ ${mode} = "ipv6" ]; then
|
|
atf_check -s not-exit:0 -o ignore -e ignore \
|
|
rump.ping6 -n -X $TIMEOUT -c 1 $ROUTER2_IPSECIP6_RECURSIVE2
|
|
else
|
|
atf_check -s not-exit:0 -o ignore -e ignore \
|
|
rump.ping -n -w $TIMEOUT -c 1 $ROUTER2_IPSECIP_RECURSIVE2
|
|
fi
|
|
|
|
atf_check -o match:'ipsec0: recursively called too many times' \
|
|
-x "$HIJACKING dmesg"
|
|
|
|
$HIJACKING dmesg
|
|
|
|
unset RUMP_SERVER
|
|
}
|
|
|
|
teardown_recursive_tunnels()
|
|
{
|
|
export RUMP_SERVER=$SOCK1
|
|
atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel
|
|
atf_check -s exit:0 rump.ifconfig ipsec1 destroy
|
|
atf_check -s exit:0 rump.ifconfig ipsec2 deletetunnel
|
|
atf_check -s exit:0 rump.ifconfig ipsec2 destroy
|
|
unset RUMP_SERVER
|
|
}
|
|
|
|
test_ping_failure()
|
|
{
|
|
local mode=$1
|
|
|
|
export RUMP_SERVER=$SOCK1
|
|
if [ ${mode} = "ipv6" ]; then
|
|
atf_check -s not-exit:0 -o ignore -e ignore \
|
|
rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER1_LANIP6 \
|
|
$ROUTER2_LANIP6
|
|
else
|
|
atf_check -s not-exit:0 -o ignore -e ignore \
|
|
rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
|
|
$ROUTER2_LANIP
|
|
fi
|
|
|
|
export RUMP_SERVER=$SOCK2
|
|
if [ ${mode} = "ipv6" ]; then
|
|
atf_check -s not-exit:0 -o ignore -e ignore \
|
|
rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER2_LANIP6 \
|
|
$ROUTER1_LANIP6
|
|
else
|
|
atf_check -s not-exit:0 -o ignore -e ignore \
|
|
rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
|
|
$ROUTER2_LANIP
|
|
fi
|
|
|
|
unset RUMP_SERVER
|
|
}
|
|
|
|
test_ping_success()
|
|
{
|
|
mode=$1
|
|
|
|
export RUMP_SERVER=$SOCK1
|
|
$DEBUG && rump.ifconfig -v ipsec0
|
|
if [ ${mode} = "ipv6" ]; then
|
|
# XXX
|
|
# rump.ping6 rarely fails with the message that
|
|
# "failed to get receiving hop limit".
|
|
# This is a known issue being analyzed.
|
|
atf_check -s exit:0 -o ignore \
|
|
rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER1_LANIP6 \
|
|
$ROUTER2_LANIP6
|
|
else
|
|
atf_check -s exit:0 -o ignore \
|
|
rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
|
|
$ROUTER2_LANIP
|
|
fi
|
|
$DEBUG && rump.ifconfig -v ipsec0
|
|
|
|
export RUMP_SERVER=$SOCK2
|
|
$DEBUG && rump.ifconfig -v ipsec0
|
|
if [ ${mode} = "ipv6" ]; then
|
|
atf_check -s exit:0 -o ignore \
|
|
rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER2_LANIP6 \
|
|
$ROUTER1_LANIP6
|
|
else
|
|
atf_check -s exit:0 -o ignore \
|
|
rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \
|
|
$ROUTER1_LANIP
|
|
fi
|
|
$DEBUG && rump.ifconfig -v ipsec0
|
|
|
|
unset RUMP_SERVER
|
|
}
|
|
|
|
test_change_tunnel_duplicate()
|
|
{
|
|
local mode=$1
|
|
|
|
local newsrc=""
|
|
local newdst=""
|
|
if [ ${mode} = "ipv6" ]; then
|
|
newsrc=$ROUTER1_WANIP6_DUMMY
|
|
newdst=$ROUTER2_WANIP6_DUMMY
|
|
else
|
|
newsrc=$ROUTER1_WANIP_DUMMY
|
|
newdst=$ROUTER2_WANIP_DUMMY
|
|
fi
|
|
export RUMP_SERVER=$SOCK1
|
|
$DEBUG && rump.ifconfig -v ipsec0
|
|
$DEBUG && rump.ifconfig -v ipsec1
|
|
atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \
|
|
rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst}
|
|
$DEBUG && rump.ifconfig -v ipsec0
|
|
$DEBUG && rump.ifconfig -v ipsec1
|
|
|
|
if [ ${mode} = "ipv6" ]; then
|
|
newsrc=$ROUTER2_WANIP6_DUMMY
|
|
newdst=$ROUTER1_WANIP6_DUMMY
|
|
else
|
|
newsrc=$ROUTER2_WANIP_DUMMY
|
|
newdst=$ROUTER1_WANIP_DUMMY
|
|
fi
|
|
export RUMP_SERVER=$SOCK2
|
|
$DEBUG && rump.ifconfig -v ipsec0
|
|
$DEBUG && rump.ifconfig -v ipsec1
|
|
atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \
|
|
rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst}
|
|
$DEBUG && rump.ifconfig -v ipsec0
|
|
$DEBUG && rump.ifconfig -v ipsec1
|
|
|
|
unset RUMP_SERVER
|
|
}
|
|
|
|
test_change_tunnel_success()
|
|
{
|
|
local mode=$1
|
|
|
|
local newsrc=""
|
|
local newdst=""
|
|
if [ ${mode} = "ipv6" ]; then
|
|
newsrc=$ROUTER1_WANIP6_DUMMY
|
|
newdst=$ROUTER2_WANIP6_DUMMY
|
|
else
|
|
newsrc=$ROUTER1_WANIP_DUMMY
|
|
newdst=$ROUTER2_WANIP_DUMMY
|
|
fi
|
|
export RUMP_SERVER=$SOCK1
|
|
$DEBUG && rump.ifconfig -v ipsec0
|
|
atf_check -s exit:0 \
|
|
rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst}
|
|
$DEBUG && rump.ifconfig -v ipsec0
|
|
|
|
if [ ${mode} = "ipv6" ]; then
|
|
newsrc=$ROUTER2_WANIP6_DUMMY
|
|
newdst=$ROUTER1_WANIP6_DUMMY
|
|
else
|
|
newsrc=$ROUTER2_WANIP_DUMMY
|
|
newdst=$ROUTER1_WANIP_DUMMY
|
|
fi
|
|
export RUMP_SERVER=$SOCK2
|
|
$DEBUG && rump.ifconfig -v ipsec0
|
|
atf_check -s exit:0 \
|
|
rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst}
|
|
$DEBUG && rump.ifconfig -v ipsec0
|
|
|
|
unset RUMP_SERVER
|
|
}
|
|
|
|
basic_setup()
|
|
{
|
|
local inner=$1
|
|
local outer=$2
|
|
local proto=$3
|
|
local algo=$4
|
|
|
|
setup ${inner} ${outer}
|
|
test_setup ${inner} ${outer}
|
|
|
|
# Enable once PR kern/49219 is fixed
|
|
#test_ping_failure
|
|
|
|
setup_tunnel ${inner} ${outer} ${proto} ${algo}
|
|
sleep 1
|
|
test_setup_tunnel ${inner}
|
|
}
|
|
|
|
basic_test()
|
|
{
|
|
local inner=$1
|
|
local outer=$2 # not use
|
|
|
|
test_ping_success ${inner}
|
|
}
|
|
|
|
basic_teardown()
|
|
{
|
|
local inner=$1
|
|
local outer=$2 # not use
|
|
|
|
teardown_tunnel
|
|
test_ping_failure ${inner}
|
|
}
|
|
|
|
ioctl_setup()
|
|
{
|
|
local inner=$1
|
|
local outer=$2
|
|
local proto=$3
|
|
local algo=$4
|
|
|
|
setup ${inner} ${outer}
|
|
test_setup ${inner} ${outer}
|
|
|
|
# Enable once PR kern/49219 is fixed
|
|
#test_ping_failure
|
|
|
|
setup_tunnel ${inner} ${outer} ${proto} ${algo}
|
|
setup_dummy_tunnel ${inner} ${outer} ${proto} ${algo}
|
|
sleep 1
|
|
test_setup_tunnel ${inner}
|
|
}
|
|
|
|
ioctl_test()
|
|
{
|
|
local inner=$1
|
|
local outer=$2
|
|
|
|
test_ping_success ${inner}
|
|
|
|
test_change_tunnel_duplicate ${outer}
|
|
|
|
teardown_dummy_tunnel
|
|
test_change_tunnel_success ${outer}
|
|
}
|
|
|
|
ioctl_teardown()
|
|
{
|
|
local inner=$1
|
|
local outer=$2 # not use
|
|
|
|
teardown_tunnel
|
|
test_ping_failure ${inner}
|
|
}
|
|
|
|
recursive_setup()
|
|
{
|
|
local inner=$1
|
|
local outer=$2
|
|
local proto=$3
|
|
local algo=$4
|
|
|
|
setup ${inner} ${outer}
|
|
test_setup ${inner} ${outer}
|
|
|
|
# Enable once PR kern/49219 is fixed
|
|
#test_ping_failure
|
|
|
|
setup_tunnel ${inner} ${outer} ${proto} ${algo}
|
|
setup_recursive_tunnels ${inner} ${proto} ${algo}
|
|
sleep 1
|
|
test_setup_tunnel ${inner}
|
|
}
|
|
|
|
recursive_test()
|
|
{
|
|
local inner=$1
|
|
local outer=$2 # not use
|
|
|
|
test_recursive_check ${inner}
|
|
}
|
|
|
|
recursive_teardown()
|
|
{
|
|
local inner=$1 # not use
|
|
local outer=$2 # not use
|
|
|
|
teardown_recursive_tunnels
|
|
teardown_tunnel
|
|
}
|
|
|
|
add_test()
|
|
{
|
|
local category=$1
|
|
local desc=$2
|
|
local inner=$3
|
|
local outer=$4
|
|
local proto=$5
|
|
local algo=$6
|
|
local _algo=$(echo $algo | sed 's/-//g')
|
|
|
|
name="ipsecif_${category}_${inner}over${outer}_${proto}_${_algo}"
|
|
fulldesc="Does ${inner} over ${outer} if_ipsec ${desc}"
|
|
|
|
atf_test_case ${name} cleanup
|
|
eval "${name}_head() {
|
|
atf_set descr \"${fulldesc}\"
|
|
atf_set require.progs rump_server setkey
|
|
}
|
|
${name}_body() {
|
|
${category}_setup ${inner} ${outer} ${proto} ${algo}
|
|
${category}_test ${inner} ${outer}
|
|
${category}_teardown ${inner} ${outer}
|
|
rump_server_destroy_ifaces
|
|
}
|
|
${name}_cleanup() {
|
|
\$DEBUG && dump
|
|
cleanup
|
|
}"
|
|
atf_add_test_case ${name}
|
|
}
|
|
|
|
add_test_allproto()
|
|
{
|
|
local category=$1
|
|
local desc=$2
|
|
|
|
for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
|
|
add_test ${category} "${desc}" ipv4 ipv4 esp $algo
|
|
add_test ${category} "${desc}" ipv4 ipv6 esp $algo
|
|
add_test ${category} "${desc}" ipv6 ipv4 esp $algo
|
|
add_test ${category} "${desc}" ipv6 ipv6 esp $algo
|
|
done
|
|
|
|
# ah does not support yet
|
|
}
|
|
|
|
atf_init_test_cases()
|
|
{
|
|
|
|
atf_add_test_case ipsecif_create_destroy
|
|
|
|
add_test_allproto basic "basic tests"
|
|
add_test_allproto ioctl "ioctl tests"
|
|
add_test_allproto recursive "recursive check tests"
|
|
}
|