Add test for sys/netipsec/ipsec.c:r1.176.

Add test for sadb_x_policy->sadb_x_policy_flags.

Add test cases of NAT-T (transport mode)

A small C program is added to make a special socket (UDP_ENCAP_ESPINUDP)
and keep it to handle UDP-encapsulated ESP packets.

Add test cases for setsockopt(IP_IPSEC_POLICY)

branches: 1.8.2;
Separate test files

Add test cases for IPComp

branches: 1.6.2;
Add test cases for SA lifetime

Test tunnel mode with IPv4 over IPv6 and IPv6 over IPv4

Test flushing SAD/SPD entries

Add test cases for L2TP/IPsec

Add test cases for gif/IPsec

branches: 1.1.2; 1.1.4; 1.1.6;
Add tests for ipsec

- Check if setkey correctly handles algorithms for AH/ESP
- Check IPsec of transport mode with AH/ESP over IPv4/IPv6
- Check IPsec of tunnel mode with AH/ESP over IPv4/IPv6

s/encript/encrypt/ in comment.

Handle esp-udp for NAT-T

Add test cases for IPComp

branches: 1.4.2;
Dedup some routines

Prefer rijndael-cbc

Add minimum sets of algorithms for testing

branches: 1.1.2; 1.1.4; 1.1.6;
Add tests for ipsec

- Check if setkey correctly handles algorithms for AH/ESP
- Check IPsec of transport mode with AH/ESP over IPv4/IPv6
- Check IPsec of tunnel mode with AH/ESP over IPv4/IPv6

Refactor a little and follow new format of "npfctl list".

Fix the below ATF failures.
- net/if_ipsec/t_ipsec_natt:ipsecif_natt_transport_null
- net/if_ipsec/t_ipsec_natt:ipsecif_natt_transport_rijndaelcbc
- net/ipsec/t_ipsec_natt:ipsec_natt_transport_ipv4_null
- net/ipsec/t_ipsec_natt:ipsec_natt_transport_ipv4_rijndaelcbc

ok'ed by ozaki-r@n.o, thanks.

branches: 1.7.6;
Fix incomplete SP setups

Fix setkey -D -P outputs

The outputs were tweaked (by me), but I forgot updating libipsec
in my local ATF environment...

Add test cases that there are SPs but no relevant SAs

Add test cases for IPComp

branches: 1.3.2;
Fix typo

branches: 1.2.2;
Introduce check_sa_entries to remove lots of duplicated codes

Test flushing SAD/SPD entries

Add ATF for IPv6 NAT-T.

We use IPv6 NAT-T to avoid IPsec slowing down caused by dropping ESP packets
by some Customer Premises Equipments (CPE). I implement ATF to test such
situation.

I think it can also work with nat66, but I have not tested to the fine details.

branches: 1.1.2; 1.1.4; 1.1.6;
Add test cases of NAT-T (transport mode)

A small C program is added to make a special socket (UDP_ENCAP_ESPINUDP)
and keep it to handle UDP-encapsulated ESP packets.

Repair test coverage. I revert by proxy as the committer seems too busy to even reply mail.

TODO:
Provide some way for small machines to run subset test so that they get
shorter run time at the expense of test coverage.

The ATF design is O(N^2) in the number of TCs in one TP, which on some
slower platforms causes the net/ipsec tests to take as much as 30% of
the total time to run all of the ATF tests. Reduce the number of TCs
in various net/ipsec TPs by iterating over *_ALGORITHMS_MINIMUM rather
than *_ALGORITHMS. Various of the net/ipsec tests already use the
smaller lists, so change the rest of them to do so as well.

Clean up clunky eval strings

- Remove unnecessary \ at EOL
- This allows to omit ; too
- Remove unnecessary quotes for arguments of atf_set
- Don't expand $DEBUG in eval
- We expect it's expanded on execution

Suggested by kre@

branches: 1.1.2; 1.1.4; 1.1.8;
Add tests for ipsec

- Check if setkey correctly handles algorithms for AH/ESP
- Check IPsec of transport mode with AH/ESP over IPv4/IPv6
- Check IPsec of tunnel mode with AH/ESP over IPv4/IPv6

Repair test coverage. I revert by proxy as the committer seems too busy to even reply mail.

TODO:
Provide some way for small machines to run subset test so that they get
shorter run time at the expense of test coverage.

The ATF design is O(N^2) in the number of TCs in one TP, which on some
slower platforms causes the net/ipsec tests to take as much as 30% of
the total time to run all of the ATF tests. Reduce the number of TCs
in various net/ipsec TPs by iterating over *_ALGORITHMS_MINIMUM rather
than *_ALGORITHMS. Various of the net/ipsec tests already use the
smaller lists, so change the rest of them to do so as well.

Clean up clunky eval strings

- Remove unnecessary \ at EOL
- This allows to omit ; too
- Remove unnecessary quotes for arguments of atf_set
- Don't expand $DEBUG in eval
- We expect it's expanded on execution

Suggested by kre@

branches: 1.1.2; 1.1.4; 1.1.8;
Add tests for ipsec

- Check if setkey correctly handles algorithms for AH/ESP
- Check IPsec of transport mode with AH/ESP over IPv4/IPv6
- Check IPsec of tunnel mode with AH/ESP over IPv4/IPv6

clean up

Add test for sys/netipsec/ipsec.c:r1.176.

t_ipsec_{gif,l2tp}: Adjust for tcpdump 4.99.4

It does not longer output redundant `` (ipip-proto-4)'':
https://github.com/the-tcpdump-group/tcpdump/commit/cba9b77a98e9dde764abde71a899ee8937ca56e8

Now, these tests become passing again.

Thanks mlelstv@ for finding out upstream commit.
OK ozaki-r@

tests: add missing ifconfig -w

This change mitigates PR kern/54897.

tests: use rump_server_add_iface to create interfaces

branches: 1.7.4;
Clean up clunky eval strings

- Remove unnecessary \ at EOL
- This allows to omit ; too
- Remove unnecessary quotes for arguments of atf_set
- Don't expand $DEBUG in eval
- We expect it's expanded on execution

Suggested by kre@

Enable DEBUG for babylon5

branches: 1.5.2;
Dedup some routines

Introduce check_sa_entries to remove lots of duplicated codes

Test flushing SAD/SPD entries

branches: 1.2.2;
Test transport mode as well as tunnel mode

Add test cases for gif/IPsec

t_ipsec_{gif,l2tp}: Adjust for tcpdump 4.99.4

It does not longer output redundant `` (ipip-proto-4)'':
https://github.com/the-tcpdump-group/tcpdump/commit/cba9b77a98e9dde764abde71a899ee8937ca56e8

Now, these tests become passing again.

Thanks mlelstv@ for finding out upstream commit.
OK ozaki-r@

tests: add missing ifconfig -w

This change mitigates PR kern/54897.

tests: use rump_server_add_iface to create interfaces

branches: 1.7.4;
Clean up clunky eval strings

- Remove unnecessary \ at EOL
- This allows to omit ; too
- Remove unnecessary quotes for arguments of atf_set
- Don't expand $DEBUG in eval
- We expect it's expanded on execution

Suggested by kre@

Enable DEBUG for babylon5

branches: 1.5.2;
Dedup some routines

Introduce check_sa_entries to remove lots of duplicated codes

Test flushing SAD/SPD entries

branches: 1.2.2;
Test transport mode as well as tunnel mode

Add test cases for L2TP/IPsec

s/udpate/update/

Skip timeout tests, pointing to PR 55632.

tests: add tests for getspi and udpate

branches: 1.22.4;
Dedup some checks

And the change a bit optimizes checks of SA expirations, which
may shorten testing time.

"Mark key_timehandler_ch callout as MP-safe" change needs one more sec to make lifetime tests stable

Add test cases for one SP with multiple SAs

These are for a bug reported recently which modifies SPs accidentally.

Fix incomplete SP setups

Clean up clunky eval strings

- Remove unnecessary \ at EOL
- This allows to omit ; too
- Remove unnecessary quotes for arguments of atf_set
- Don't expand $DEBUG in eval
- We expect it's expanded on execution

Suggested by kre@

Add test cases that there are SPs but no relevant SAs

Skip ipsec_spi_*_*_preferred_new_timeout when running on qemu

Probably due to PR 43997

Stop setting isr->sav on looking up sav in key_checkrequest

Don't make SAs expired on tests that delete SAs explicitly

Add tests that explicitly delete SAs instead of waiting for expirations

Make tests more stable

sleep command seems to wait longer than expected on anita so
use polling to wait for a state change.

branches: 1.11.2;
Separate test files

Fix wrong argument handling

Add test cases for SAs with different SPIs

Add test cases for updating SA/SP

The tests require newly-added udpate command of setkey.

Add test cases of TCP/IPsec on an IPv4-mapped IPv6 address

It reproduces the same panic reported in PR kern/52304
(but not sure that its cause is also same).

branches: 1.6.2;
Test TCP communications over IPsec transport mode with ESP or AH

This tests SP caches of PCB.

Remove a unused local variable

Enable DEBUG to know what is happening on anita/sparc

branches: 1.3.2;
Don't check the existence of SA entries eagerly

They can be expired at that point if their lifetime is very short.
This may fix unexpected failures of tests running on anita.

Add test cases of TCP communications with IPsec enabled

The test cases transfer data over TCP by using nc with IPsec just enabled
(no SA/SP is configured) and confirm the commit "Fix diagnostic assertion
failure in ipsec_init_policy" really fixes the issue.

Add test cases for SA lifetime

Refactor a little and follow new format of "npfctl list".

Fix the below ATF failures.
- net/if_ipsec/t_ipsec_natt:ipsecif_natt_transport_null
- net/if_ipsec/t_ipsec_natt:ipsecif_natt_transport_rijndaelcbc
- net/ipsec/t_ipsec_natt:ipsec_natt_transport_ipv4_null
- net/ipsec/t_ipsec_natt:ipsec_natt_transport_ipv4_rijndaelcbc

ok'ed by ozaki-r@n.o, thanks.

Typo in error message

tests: use rump_server_add_iface to create interfaces

branches: 1.2.2;
Add ATF for IPv6 NAT-T.

We use IPv6 NAT-T to avoid IPsec slowing down caused by dropping ESP packets
by some Customer Premises Equipments (CPE). I implement ATF to test such
situation.

I think it can also work with nat66, but I have not tested to the fine details.

branches: 1.1.2; 1.1.4; 1.1.6;
Add test cases of NAT-T (transport mode)

A small C program is added to make a special socket (UDP_ENCAP_ESPINUDP)
and keep it to handle UDP-encapsulated ESP packets.

branches: 1.2.2;
Clean up clunky eval strings

- Remove unnecessary \ at EOL
- This allows to omit ; too
- Remove unnecessary quotes for arguments of atf_set
- Don't expand $DEBUG in eval
- We expect it's expanded on execution

Suggested by kre@

Add test cases for setsockopt(IP_IPSEC_POLICY)

Add test for sadb_x_policy->sadb_x_policy_flags.

branches: 1.1.2; 1.1.4;
Add tests for ipsec

- Check if setkey correctly handles algorithms for AH/ESP
- Check IPsec of transport mode with AH/ESP over IPv4/IPv6
- Check IPsec of tunnel mode with AH/ESP over IPv4/IPv6

branches: 1.2.2;
Clean up clunky eval strings

- Remove unnecessary \ at EOL
- This allows to omit ; too
- Remove unnecessary quotes for arguments of atf_set
- Don't expand $DEBUG in eval
- We expect it's expanded on execution

Suggested by kre@

branches: 1.1.2;
Separate test files

Repair test coverage. I revert by proxy as the committer seems too busy to even reply mail.

TODO:
Provide some way for small machines to run subset test so that they get
shorter run time at the expense of test coverage.

The ATF design is O(N^2) in the number of TCs in one TP, which on some
slower platforms causes the net/ipsec tests to take as much as 30% of
the total time to run all of the ATF tests. Reduce the number of TCs
in various net/ipsec TPs by iterating over *_ALGORITHMS_MINIMUM rather
than *_ALGORITHMS. Various of the net/ipsec tests already use the
smaller lists, so change the rest of them to do so as well.

Clean up clunky eval strings

- Remove unnecessary \ at EOL
- This allows to omit ; too
- Remove unnecessary quotes for arguments of atf_set
- Don't expand $DEBUG in eval
- We expect it's expanded on execution

Suggested by kre@

Add test cases for IPComp

branches: 1.4.2;
Dedup some routines

Introduce check_sa_entries to remove lots of duplicated codes

Test flushing SAD/SPD entries

branches: 1.1.2; 1.1.4; 1.1.6;
Add tests for ipsec

- Check if setkey correctly handles algorithms for AH/ESP
- Check IPsec of transport mode with AH/ESP over IPv4/IPv6
- Check IPsec of tunnel mode with AH/ESP over IPv4/IPv6

Repair test coverage. I revert by proxy as the committer seems too busy to even reply mail.

TODO:
Provide some way for small machines to run subset test so that they get
shorter run time at the expense of test coverage.

The ATF design is O(N^2) in the number of TCs in one TP, which on some
slower platforms causes the net/ipsec tests to take as much as 30% of
the total time to run all of the ATF tests. Reduce the number of TCs
in various net/ipsec TPs by iterating over *_ALGORITHMS_MINIMUM rather
than *_ALGORITHMS. Various of the net/ipsec tests already use the
smaller lists, so change the rest of them to do so as well.

Clean up clunky eval strings

- Remove unnecessary \ at EOL
- This allows to omit ; too
- Remove unnecessary quotes for arguments of atf_set
- Don't expand $DEBUG in eval
- We expect it's expanded on execution

Suggested by kre@

branches: 1.8.2;
Dedup some routines

Disable DAD rather than waiting its completion every time

Dedup some routines

Introduce check_sa_entries to remove lots of duplicated codes

Test flushing SAD/SPD entries

branches: 1.3.2; 1.3.4; 1.3.6;
Revert "Mark tests of tunnel/AH/IPv6 as expected failure (PR kern/52161)"

The issue was fixed by christos@

Mark tests of tunnel/AH/IPv6 as expected failure (PR kern/52161)

Add tests for ipsec

- Check if setkey correctly handles algorithms for AH/ESP
- Check IPsec of transport mode with AH/ESP over IPv4/IPv6
- Check IPsec of tunnel mode with AH/ESP over IPv4/IPv6

Repair test coverage. I revert by proxy as the committer seems too busy to even reply mail.

TODO:
Provide some way for small machines to run subset test so that they get
shorter run time at the expense of test coverage.

The ATF design is O(N^2) in the number of TCs in one TP, which on some
slower platforms causes the net/ipsec tests to take as much as 30% of
the total time to run all of the ATF tests. Reduce the number of TCs
in various net/ipsec TPs by iterating over *_ALGORITHMS_MINIMUM rather
than *_ALGORITHMS. Various of the net/ipsec tests already use the
smaller lists, so change the rest of them to do so as well.

branches: 1.2.2;
Clean up clunky eval strings

- Remove unnecessary \ at EOL
- This allows to omit ; too
- Remove unnecessary quotes for arguments of atf_set
- Don't expand $DEBUG in eval
- We expect it's expanded on execution

Suggested by kre@

Add test cases for IPComp

Repair test coverage. I revert by proxy as the committer seems too busy to even reply mail.

TODO:
Provide some way for small machines to run subset test so that they get
shorter run time at the expense of test coverage.

The ATF design is O(N^2) in the number of TCs in one TP, which on some
slower platforms causes the net/ipsec tests to take as much as 30% of
the total time to run all of the ATF tests. Reduce the number of TCs
in various net/ipsec TPs by iterating over *_ALGORITHMS_MINIMUM rather
than *_ALGORITHMS. Various of the net/ipsec tests already use the
smaller lists, so change the rest of them to do so as well.

Clean up clunky eval strings

- Remove unnecessary \ at EOL
- This allows to omit ; too
- Remove unnecessary quotes for arguments of atf_set
- Don't expand $DEBUG in eval
- We expect it's expanded on execution

Suggested by kre@

branches: 1.2.2;
Dedup some routines

branches: 1.1.2;
Test tunnel mode with IPv4 over IPv6 and IPv6 over IPv4