      1 #	$NetBSD: t_ipsec.sh,v 1.11 2020/08/05 01:10:50 knakahara Exp $
      2 #
      3 # Copyright (c) 2017 Internet Initiative Japan Inc.
      4 # All rights reserved.
      5 #
      6 # Redistribution and use in source and binary forms, with or without
      7 # modification, are permitted provided that the following conditions
      8 # are met:
      9 # 1. Redistributions of source code must retain the above copyright
     10 #    notice, this list of conditions and the following disclaimer.
     11 # 2. Redistributions in binary form must reproduce the above copyright
     12 #    notice, this list of conditions and the following disclaimer in the
     13 #    documentation and/or other materials provided with the distribution.
     14 #
     15 # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
     16 # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
     17 # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     18 # PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
     19 # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
     20 # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
     21 # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
     22 # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
     23 # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     24 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
     25 # POSSIBILITY OF SUCH DAMAGE.
     26 #
     27 
# Rump server control sockets, one per simulated router.
SOCK1=unix://commsock1 # for ROUTER1
SOCK2=unix://commsock2 # for ROUTER2

# Address plan.  For each router:
#   LANIP/LANNET      address and prefix on shmif0 (the router's LAN side)
#   WANIP             address on shmif1 (both routers share bus1)
#   IPSECIP           inner address of the ipsec0 tunnel endpoint
#   *_DUMMY           addresses used by the second tunnel (ipsec1) and by
#                     the tunnel-change (ioctl) tests
#   *_RECURSIVE1/2    inner/outer addresses of the nested tunnels
#                     (ipsec1, ipsec2) built by the recursive tests
# IPv4 and IPv6 variants are listed side by side.

# ROUTER1
ROUTER1_LANIP=192.168.1.1
ROUTER1_LANIP6=fc00:1::1
ROUTER1_LANNET=192.168.1.0/24
ROUTER1_LANNET6=fc00:1::/64
ROUTER1_WANIP=10.0.0.1
ROUTER1_WANIP6=fc00::1
ROUTER1_IPSECIP=172.16.1.1
ROUTER1_IPSECIP6=fc00:3::1
ROUTER1_WANIP_DUMMY=10.0.0.11
ROUTER1_WANIP6_DUMMY=fc00::11
ROUTER1_IPSECIP_DUMMY=172.16.11.1
ROUTER1_IPSECIP6_DUMMY=fc00:13::1
ROUTER1_IPSECIP_RECURSIVE1=172.16.101.1
ROUTER1_IPSECIP6_RECURSIVE1=fc00:103::1
ROUTER1_IPSECIP_RECURSIVE2=172.16.201.1
ROUTER1_IPSECIP6_RECURSIVE2=fc00:203::1

# ROUTER2
ROUTER2_LANIP=192.168.2.1
ROUTER2_LANIP6=fc00:2::1
ROUTER2_LANNET=192.168.2.0/24
ROUTER2_LANNET6=fc00:2::/64
ROUTER2_WANIP=10.0.0.2
ROUTER2_WANIP6=fc00::2
ROUTER2_IPSECIP=172.16.2.1
ROUTER2_IPSECIP6=fc00:4::1
ROUTER2_WANIP_DUMMY=10.0.0.12
ROUTER2_WANIP6_DUMMY=fc00::12
ROUTER2_IPSECIP_DUMMY=172.16.12.1
ROUTER2_IPSECIP6_DUMMY=fc00:14::1
ROUTER2_IPSECIP_RECURSIVE1=172.16.102.1
ROUTER2_IPSECIP6_RECURSIVE1=fc00:104::1
ROUTER2_IPSECIP_RECURSIVE2=172.16.202.1
ROUTER2_IPSECIP6_RECURSIVE2=fc00:204::1

# Set DEBUG=true in the environment to dump interface/route/SA state
# while the tests run.
DEBUG=${DEBUG:-false}
# Per-ping deadline (seconds) passed to ping -w / ping6 -X.
TIMEOUT=7
     66 
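atf_test_case ipsecif_create_destroy cleanup
# Test case metadata.  The description named gif interfaces, which was
# left over from the gif test this file was derived from; the body
# creates and destroys ipsec0.
ipsecif_create_destroy_head()
{

	atf_set "descr" "Test creating/destroying ipsec interfaces"
	atf_set "require.progs" "rump_server"
}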
     74 
# Start a single rump server with the ipsec component and run the
# shared create/destroy checks against ipsec0.
ipsecif_create_destroy_body()
{

	rump_server_start "$SOCK1" ipsec
	test_create_destroy_common "$SOCK1" ipsec0
}
     82 
# Cleanup hook: dump state when DEBUG is enabled, then stop the servers.
ipsecif_create_destroy_cleanup()
{

	if $DEBUG; then
		dump
	fi
	cleanup
}
     89 
# Configure one router: shmif0 on bus0 as the LAN side, shmif1 on bus1 as
# the WAN side.
#   $1 sock      - rump server socket
#   $2 lan       - address for shmif0
#   $3 lan_mode  - "ipv6" or anything else for IPv4
#   $4 wan       - address for shmif1
#   $5 wan_mode  - "ipv6" or anything else for IPv4
# Leaves RUMP_SERVER unset on return.
setup_router()
{
	local sock=$1
	local lan=$2
	local lan_mode=$3
	local wan=$4
	local wan_mode=$5

	rump_server_add_iface "$sock" shmif0 bus0
	rump_server_add_iface "$sock" shmif1 bus1

	export RUMP_SERVER=$sock

	# Turn off DAD (dad_count=0) on both families.
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0

	case "$lan_mode" in
	ipv6)
		atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$lan"
		;;
	*)
		atf_check -s exit:0 rump.ifconfig shmif0 inet "$lan" netmask 0xffffff00
		;;
	esac
	atf_check -s exit:0 rump.ifconfig shmif0 up
	$DEBUG && rump.ifconfig shmif0

	case "$wan_mode" in
	ipv6)
		atf_check -s exit:0 rump.ifconfig shmif1 inet6 "$wan"
		;;
	*)
		atf_check -s exit:0 rump.ifconfig shmif1 inet "$wan" netmask 0xff000000
		;;
	esac
	atf_check -s exit:0 rump.ifconfig shmif1 up
	# Wait (up to 10s) for the addresses to finish coming up.
	atf_check -s exit:0 rump.ifconfig -w 10
	$DEBUG && rump.ifconfig shmif1

	unset RUMP_SERVER
}
    125 
# Verify a router configured by setup_router: both interfaces exist and
# their own addresses answer a single ping.
#   $1 sock, $2 lan, $3 lan_mode, $4 wan, $5 wan_mode (as in setup_router)
test_router()
{
	local sock=$1
	local lan=$2
	local lan_mode=$3
	local wan=$4
	local wan_mode=$5

	export RUMP_SERVER=$sock

	atf_check -s exit:0 -o match:shmif0 rump.ifconfig
	case "$lan_mode" in
	ipv6)
		atf_check -s exit:0 -o ignore rump.ping6 -n -c 1 -X "$TIMEOUT" "$lan"
		;;
	*)
		atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w "$TIMEOUT" "$lan"
		;;
	esac

	atf_check -s exit:0 -o match:shmif1 rump.ifconfig
	case "$wan_mode" in
	ipv6)
		atf_check -s exit:0 -o ignore rump.ping6 -n -c 1 -X "$TIMEOUT" "$wan"
		;;
	*)
		atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w "$TIMEOUT" "$wan"
		;;
	esac

	unset RUMP_SERVER
}
    150 
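# Start both rump servers (netipsec, netinet6 and ipsec components) and
# configure their LAN and WAN interfaces.
#   $1 inner - "ipv6" for an IPv6 LAN, otherwise IPv4
#   $2 outer - "ipv6" for an IPv6 WAN, otherwise IPv4
setup()
{
	local inner=$1
	local outer=$2
	# Declared local so the addresses do not leak into the caller's
	# scope; test_setup already declares the same names local.
	local router1_lan=""
	local router1_lan_mode=""
	local router2_lan=""
	local router2_lan_mode=""

	rump_server_crypto_start "$SOCK1" netipsec netinet6 ipsec
	rump_server_crypto_start "$SOCK2" netipsec netinet6 ipsec

	if [ "$inner" = "ipv6" ]; then
		router1_lan=$ROUTER1_LANIP6
		router1_lan_mode="ipv6"
		router2_lan=$ROUTER2_LANIP6
		router2_lan_mode="ipv6"
	else
		router1_lan=$ROUTER1_LANIP
		router1_lan_mode="ipv4"
		router2_lan=$ROUTER2_LANIP
		router2_lan_mode="ipv4"
	fi

	if [ "$outer" = "ipv6" ]; then
		setup_router "$SOCK1" "$router1_lan" "$router1_lan_mode" \
		    "$ROUTER1_WANIP6" ipv6
		setup_router "$SOCK2" "$router2_lan" "$router2_lan_mode" \
		    "$ROUTER2_WANIP6" ipv6
	else
		setup_router "$SOCK1" "$router1_lan" "$router1_lan_mode" \
		    "$ROUTER1_WANIP" ipv4
		setup_router "$SOCK2" "$router2_lan" "$router2_lan_mode" \
		    "$ROUTER2_WANIP" ipv4
	fi
}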
    187 
# Check both routers after setup(): same family selection as setup(),
# but running test_router instead of setup_router.
#   $1 inner - "ipv6" for an IPv6 LAN, otherwise IPv4
#   $2 outer - "ipv6" for an IPv6 WAN, otherwise IPv4
test_setup()
{
	local inner=$1
	local outer=$2
	local r1_lan="" r1_mode=""
	local r2_lan="" r2_mode=""
	local r1_wan="" r2_wan="" wan_mode=""

	case "$inner" in
	ipv6)
		r1_lan=$ROUTER1_LANIP6; r1_mode="ipv6"
		r2_lan=$ROUTER2_LANIP6; r2_mode="ipv6"
		;;
	*)
		r1_lan=$ROUTER1_LANIP; r1_mode="ipv4"
		r2_lan=$ROUTER2_LANIP; r2_mode="ipv4"
		;;
	esac

	case "$outer" in
	ipv6)
		r1_wan=$ROUTER1_WANIP6; r2_wan=$ROUTER2_WANIP6; wan_mode="ipv6"
		;;
	*)
		r1_wan=$ROUTER1_WANIP; r2_wan=$ROUTER2_WANIP; wan_mode="ipv4"
		;;
	esac

	test_router "$SOCK1" "$r1_lan" "$r1_mode" "$r1_wan" "$wan_mode"
	test_router "$SOCK2" "$r2_lan" "$r2_mode" "$r2_wan" "$wan_mode"
}
    220 
# Print the "unique#" value of the security policy on ${sock} whose
# setkey -DP entry starts with ${src} and ends with "(${proto})".
# Prints an empty string when no such policy is found.
#   $1 sock  - rump server socket
#   $2 src   - policy source address (used verbatim in a grep regex)
#   $3 proto - family tag matched at the end of the policy line
get_if_ipsec_unique()
{
	local sock=$1
	local src=$2
	local proto=$3
	local unique=""

	export RUMP_SERVER=$sock
	unique=$($HIJACKING setkey -DP \
	    | grep -A2 "^${src}.*(${proto})$" \
	    | grep unique \
	    | sed 's/.*unique#//')
	unset RUMP_SERVER

	# Deliberately unquoted: folds a multi-line result onto one line.
	echo $unique
}
    234 
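# Create ipsec0 on ${sock}, set its outer tunnel endpoints, assign the
# inner address and add the route to the peer's LAN through it.
#   $1 sock    - rump server socket
#   $2 addr    - local inner address (assigned with /128 or /32)
#   $3 remote  - peer's inner address
#   $4 inner   - "ipv6" for an IPv6 inner address, otherwise IPv4
#   $5 src     - local outer (tunnel) endpoint
#   $6 dst     - remote outer (tunnel) endpoint
#   $7 peernet - peer's LAN prefix, routed via ${addr}
# Any further arguments are ignored.  Unsets RUMP_SERVER on return, like
# setup_dummy_if_ipsec does.
setup_if_ipsec()
{
	local sock=$1
	local addr=$2
	local remote=$3
	local inner=$4
	local src=$5
	local dst=$6
	local peernet=$7

	export RUMP_SERVER=$sock
	rump_server_add_iface "$sock" ipsec0
	atf_check -s exit:0 rump.ifconfig ipsec0 tunnel "$src" "$dst"
	if [ "$inner" = "ipv6" ]; then
		atf_check -s exit:0 rump.ifconfig ipsec0 inet6 "$addr"/128 "$remote"
		atf_check -s exit:0 -o ignore rump.route add -inet6 "$peernet" "$addr"
	else
		atf_check -s exit:0 rump.ifconfig ipsec0 inet "$addr"/32 "$remote"
		atf_check -s exit:0 -o ignore rump.route add -inet "$peernet" "$addr"
	fi

	atf_check -s exit:0 rump.ifconfig -w 10

	$DEBUG && rump.ifconfig ipsec0
	$DEBUG && rump.route -nL show

	# Do not leave the selector pointing at this server for the caller.
	unset RUMP_SERVER
}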
    261 
# Install the inbound and outbound transport-mode SAs for the ipsec0
# tunnel on ${sock}, bound to the policies that ipsec0 created.
#   $1 sock  - rump server socket
#   $2 src   - local outer endpoint
#   $3 dst   - remote outer endpoint
#   $4 mode  - "ipv6" or "ipv4": family tag used to find the policies and
#              to choose the SPI pair (10010/10011 vs 10000/10001)
#   $5 proto - "esp" or "ah"
#   $6 algo  - algorithm name, expanded by generate_algo_args
#   $7 dir   - "1to2" or "2to1": which side of the SPI pair is inbound
# The setkey script is written to ./tmp in the test work directory.
setup_if_ipsec_sa()
{
	local sock=$1
	local src=$2
	local dst=$3
	local mode=$4
	local proto=$5
	local algo=$6
	local dir=$7

	local tmpfile=./tmp
	local inunique=""
	local outunique=""
	local inid=""
	local outid=""
	local base=""
	local algo_args="$(generate_algo_args $proto $algo)"

	# The inbound SA must match the policy keyed on the peer, the
	# outbound SA the policy keyed on ourselves.
	inunique=$(get_if_ipsec_unique "$sock" "$dst" "$mode")
	atf_check -s exit:0 test "X$inunique" != "X"
	outunique=$(get_if_ipsec_unique "$sock" "$src" "$mode")
	atf_check -s exit:0 test "X$outunique" != "X"

	# SPI pair: base for 1to2 inbound, base+1 for 1to2 outbound; 2to1
	# uses the same pair the other way round.
	case "$mode" in
	ipv6) base=10010 ;;
	*) base=10000 ;;
	esac
	if [ "$dir" = "1to2" ]; then
		inid=$base
		outid=$((base + 1))
	else
		inid=$((base + 1))
		outid=$base
	fi

	{
		printf 'add %s %s %s %s -u %s -m transport %s;\n' \
		    "$dst" "$src" "$proto" "$inid" "$inunique" "$algo_args"
		printf 'add %s %s %s %s -u %s -m transport %s;\n' \
		    "$src" "$dst" "$proto" "$outid" "$outunique" "$algo_args"
	} > "$tmpfile"
	$DEBUG && cat "$tmpfile"

	export RUMP_SERVER=$sock
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	$DEBUG && $HIJACKING setkey -D
	$DEBUG && $HIJACKING setkey -DP
	unset RUMP_SERVER
}
    313 
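# Build the ipsec0 tunnel between ROUTER1 and ROUTER2 and install its SAs
# on both sides.
#   $1 inner - "ipv6" or "ipv4": family carried inside the tunnel
#   $2 outer - "ipv6" or "ipv4": family of the tunnel endpoints
#   $3 proto - "esp" or "ah"
#   $4 algo  - algorithm name passed through to setup_if_ipsec_sa
# Both setup_if_ipsec calls now pass the same seven arguments; the extra
# ${proto} ${algo} that the ROUTER2 call used to append were ignored.
setup_tunnel()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	local addr=""
	local remote=""
	local src=""
	local dst=""
	local peernet=""

	# ROUTER1 side.
	if [ "$inner" = "ipv6" ]; then
		addr=$ROUTER1_IPSECIP6
		remote=$ROUTER2_IPSECIP6
		peernet=$ROUTER2_LANNET6
	else
		addr=$ROUTER1_IPSECIP
		remote=$ROUTER2_IPSECIP
		peernet=$ROUTER2_LANNET
	fi
	if [ "$outer" = "ipv6" ]; then
		src=$ROUTER1_WANIP6
		dst=$ROUTER2_WANIP6
	else
		src=$ROUTER1_WANIP
		dst=$ROUTER2_WANIP
	fi
	setup_if_ipsec "$SOCK1" "$addr" "$remote" "$inner" \
	    "$src" "$dst" "$peernet"

	# IPv6 over IPv4 additionally installs SAs for the outer family;
	# every combination installs SAs for the inner family.
	if [ "$inner" = "ipv6" ] && [ "$outer" = "ipv4" ]; then
		setup_if_ipsec_sa "$SOCK1" "$src" "$dst" "$outer" "$proto" "$algo" "1to2"
	fi
	setup_if_ipsec_sa "$SOCK1" "$src" "$dst" "$inner" "$proto" "$algo" "1to2"

	# ROUTER2 side: same addresses with the roles swapped.
	if [ "$inner" = "ipv6" ]; then
		addr=$ROUTER2_IPSECIP6
		remote=$ROUTER1_IPSECIP6
		peernet=$ROUTER1_LANNET6
	else
		addr=$ROUTER2_IPSECIP
		remote=$ROUTER1_IPSECIP
		peernet=$ROUTER1_LANNET
	fi
	if [ "$outer" = "ipv6" ]; then
		src=$ROUTER2_WANIP6
		dst=$ROUTER1_WANIP6
	else
		src=$ROUTER2_WANIP
		dst=$ROUTER1_WANIP
	fi
	setup_if_ipsec "$SOCK2" "$addr" "$remote" "$inner" \
	    "$src" "$dst" "$peernet"

	if [ "$inner" = "ipv6" ] && [ "$outer" = "ipv4" ]; then
		setup_if_ipsec_sa "$SOCK2" "$src" "$dst" "$outer" "$proto" "$algo" "2to1"
	fi
	setup_if_ipsec_sa "$SOCK2" "$src" "$dst" "$inner" "$proto" "$algo" "2to1"
}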
    374 
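# Check that ipsec0 exists on both routers and that the route to the
# peer's LAN goes through it.
#   $1 mode - "ipv6" or "ipv4": inner family (selects the LAN prefix and
#             the route family flag)
# Unsets RUMP_SERVER on return, like test_setup_dummy_tunnel does.
test_setup_tunnel()
{
	local mode=$1

	local peernet=""
	local opt=""

	if [ "$mode" = "ipv6" ]; then
		peernet=$ROUTER2_LANNET6
		opt="-inet6"
	else
		peernet=$ROUTER2_LANNET
		opt="-inet"
	fi
	export RUMP_SERVER=$SOCK1
	atf_check -s exit:0 -o match:ipsec0 rump.ifconfig
	atf_check -s exit:0 -o match:ipsec0 rump.route -nL get "$opt" "$peernet"

	if [ "$mode" = "ipv6" ]; then
		peernet=$ROUTER1_LANNET6
		opt="-inet6"
	else
		peernet=$ROUTER1_LANNET
		opt="-inet"
	fi
	export RUMP_SERVER=$SOCK2
	atf_check -s exit:0 -o match:ipsec0 rump.ifconfig
	atf_check -s exit:0 -o match:ipsec0 rump.route -nL get "$opt" "$peernet"

	unset RUMP_SERVER
}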
    403 
# Remove ipsec0 and flush all SAs on both routers.
# setkey -F is run without atf_check, so its exit status is not asserted.
teardown_tunnel()
{
	local sock

	for sock in "$SOCK1" "$SOCK2"; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel
		atf_check -s exit:0 rump.ifconfig ipsec0 destroy
		$HIJACKING setkey -F
	done

	unset RUMP_SERVER
}
    418 
# Create a second tunnel interface, ipsec1, on ${sock} with the given
# endpoints and inner address.  No route is added for it.
#   $1 sock, $2 addr, $3 remote, $4 inner, $5 src, $6 dst
#   (same meaning as the first six arguments of setup_if_ipsec)
# Unsets RUMP_SERVER on return.
setup_dummy_if_ipsec()
{
	local sock=$1
	local addr=$2
	local remote=$3
	local inner=$4
	local src=$5
	local dst=$6
	local family="" plen=""

	case "$inner" in
	ipv6) family=inet6; plen=128 ;;
	*) family=inet; plen=32 ;;
	esac

	export RUMP_SERVER=$sock
	rump_server_add_iface "$sock" ipsec1
	atf_check -s exit:0 rump.ifconfig ipsec1 tunnel "$src" "$dst"
	atf_check -s exit:0 rump.ifconfig ipsec1 "$family" "$addr/$plen" "$remote"
	atf_check -s exit:0 rump.ifconfig -w 10

	$DEBUG && rump.ifconfig ipsec1
	unset RUMP_SERVER
}
    441 
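# Install the inbound and outbound SAs for the ipsec1 (dummy) tunnel on
# ${sock}, using SPIs 20000/20001 and no explicit mode.
#   $1 sock, $2 src, $3 dst, $4 mode, $5 proto, $6 algo, $7 dir
#   (same meaning as in setup_if_ipsec_sa)
# The setkey script is written to ./tmp in the test work directory.
setup_dummy_if_ipsec_sa()
{
	local sock=$1
	local src=$2
	local dst=$3
	local mode=$4
	local proto=$5
	local algo=$6
	local dir=$7

	local tmpfile=./tmp
	local inunique=""
	local outunique=""
	local inid=""
	local outid=""
	local algo_args=""

	# Separate assignment so the exit status of generate_algo_args is
	# not hidden behind "local".
	algo_args=$(generate_algo_args "$proto" "$algo")

	inunique=$(get_if_ipsec_unique "$sock" "$dst" "$mode")
	atf_check -s exit:0 test "X$inunique" != "X"
	outunique=$(get_if_ipsec_unique "$sock" "$src" "$mode")
	atf_check -s exit:0 test "X$outunique" != "X"

	if [ "$dir" = "1to2" ]; then
		inid="20000"
		outid="20001"
	else
		inid="20001"
		outid="20000"
	fi

	# Written with printf rather than a <<- here-document: the old
	# here-document mixed spaces and tabs, and <<- strips only leading
	# tabs, so stray spaces ended up in the setkey input.
	{
		printf 'add %s %s %s %s -u %s %s;\n' \
		    "$dst" "$src" "$proto" "$inid" "$inunique" "$algo_args"
		printf 'add %s %s %s %s -u %s %s;\n' \
		    "$src" "$dst" "$proto" "$outid" "$outunique" "$algo_args"
	} > "$tmpfile"
	$DEBUG && cat "$tmpfile"

	export RUMP_SERVER=$sock
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	$DEBUG && $HIJACKING setkey -D
	$DEBUG && $HIJACKING setkey -DP
	unset RUMP_SERVER
}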
    483 
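# Build the second (ipsec1) tunnel between the routers using the *_DUMMY
# addresses, and install its SAs.
#   $1 inner, $2 outer, $3 proto, $4 algo (as in setup_tunnel)
# setup_dummy_if_ipsec takes six arguments; the trailing
# "${proto} ${algo} <dir>" formerly passed to it were silently ignored
# and are now only given to setup_dummy_if_ipsec_sa, which uses them.
setup_dummy_tunnel()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	local addr=""
	local remote=""
	local src=""
	local dst=""

	# ROUTER1 side.
	if [ "$inner" = "ipv6" ]; then
		addr=$ROUTER1_IPSECIP6_DUMMY
		remote=$ROUTER2_IPSECIP6_DUMMY
	else
		addr=$ROUTER1_IPSECIP_DUMMY
		remote=$ROUTER2_IPSECIP_DUMMY
	fi
	if [ "$outer" = "ipv6" ]; then
		src=$ROUTER1_WANIP6_DUMMY
		dst=$ROUTER2_WANIP6_DUMMY
	else
		src=$ROUTER1_WANIP_DUMMY
		dst=$ROUTER2_WANIP_DUMMY
	fi
	setup_dummy_if_ipsec "$SOCK1" "$addr" "$remote" "$inner" "$src" "$dst"
	setup_dummy_if_ipsec_sa "$SOCK1" "$src" "$dst" "$inner" "$proto" "$algo" "1to2"

	# ROUTER2 side: roles swapped.
	if [ "$inner" = "ipv6" ]; then
		addr=$ROUTER2_IPSECIP6_DUMMY
		remote=$ROUTER1_IPSECIP6_DUMMY
	else
		addr=$ROUTER2_IPSECIP_DUMMY
		remote=$ROUTER1_IPSECIP_DUMMY
	fi
	if [ "$outer" = "ipv6" ]; then
		src=$ROUTER2_WANIP6_DUMMY
		dst=$ROUTER1_WANIP6_DUMMY
	else
		src=$ROUTER2_WANIP_DUMMY
		dst=$ROUTER1_WANIP_DUMMY
	fi
	setup_dummy_if_ipsec "$SOCK2" "$addr" "$remote" "$inner" "$src" "$dst"
	setup_dummy_if_ipsec_sa "$SOCK2" "$src" "$dst" "$inner" "$proto" "$algo" "2to1"
}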
    532 
# Check that ipsec1 exists on both routers.
test_setup_dummy_tunnel()
{
	local sock

	for sock in "$SOCK1" "$SOCK2"; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 -o match:ipsec1 rump.ifconfig
	done

	unset RUMP_SERVER
}
    543 
# Remove ipsec1 on both routers.  The SAs are left in place; they are
# flushed by teardown_tunnel.
teardown_dummy_tunnel()
{
	local sock

	for sock in "$SOCK1" "$SOCK2"; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel
		atf_check -s exit:0 rump.ifconfig ipsec1 destroy
	done

	unset RUMP_SERVER
}
    556 
# Create a named ipsec interface whose outer endpoints are themselves
# addresses of another ipsec tunnel, and install its SAs.
#   $1 sock   - rump server socket
#   $2 ipsec  - interface name (e.g. ipsec1, ipsec2)
#   $3 addr   - local inner address
#   $4 remote - peer inner address
#   $5 inner  - "ipv6" or "ipv4"
#   $6 src    - local outer endpoint
#   $7 dst    - remote outer endpoint
#   $8 proto  - "esp" or "ah"
#   $9 algo   - algorithm name
#   $10 dir   - "1to2" or "2to1"
# Unsets RUMP_SERVER on return.
setup_recursive_if_ipsec()
{
	local sock=$1
	local ipsec=$2
	local addr=$3
	local remote=$4
	local inner=$5
	local src=$6
	local dst=$7
	local proto=$8
	local algo=$9
	local dir=${10}
	local family="" plen=""

	case "$inner" in
	ipv6) family=inet6; plen=128 ;;
	*) family=inet; plen=32 ;;
	esac

	export RUMP_SERVER=$sock
	rump_server_add_iface "$sock" "$ipsec"
	atf_check -s exit:0 rump.ifconfig "$ipsec" tunnel "$src" "$dst"
	atf_check -s exit:0 rump.ifconfig "$ipsec" "$family" "$addr/$plen" "$remote"
	atf_check -s exit:0 rump.ifconfig -w 10

	# setup_if_ipsec_sa selects its own server and unsets RUMP_SERVER,
	# so re-export before the debug dump.
	setup_if_ipsec_sa "$sock" "$src" "$dst" "$inner" "$proto" "$algo" "$dir"

	export RUMP_SERVER=$sock
	$DEBUG && rump.ifconfig "$ipsec"
	unset RUMP_SERVER
}
    585 
# Build two nested tunnels on ROUTER1 only: ipsec1 runs over the ipsec0
# addresses, ipsec2 runs over the ipsec1 addresses.
#   $1 mode  - "ipv6" or "ipv4" (used for both inner and outer)
#   $2 proto - "esp" or "ah"
#   $3 algo  - algorithm name
setup_recursive_tunnels()
{
	local mode=$1
	local proto=$2
	local algo=$3

	local addr="" remote="" src="" dst=""

	# ipsec1: inner RECURSIVE1 addresses, outer = ipsec0 addresses.
	case "$mode" in
	ipv6)
		addr=$ROUTER1_IPSECIP6_RECURSIVE1
		remote=$ROUTER2_IPSECIP6_RECURSIVE1
		src=$ROUTER1_IPSECIP6
		dst=$ROUTER2_IPSECIP6
		;;
	*)
		addr=$ROUTER1_IPSECIP_RECURSIVE1
		remote=$ROUTER2_IPSECIP_RECURSIVE1
		src=$ROUTER1_IPSECIP
		dst=$ROUTER2_IPSECIP
		;;
	esac
	setup_recursive_if_ipsec "$SOCK1" ipsec1 "$addr" "$remote" "$mode" \
	    "$src" "$dst" "$proto" "$algo" "1to2"

	# ipsec2: inner RECURSIVE2 addresses, outer = ipsec1 addresses.
	case "$mode" in
	ipv6)
		addr=$ROUTER1_IPSECIP6_RECURSIVE2
		remote=$ROUTER2_IPSECIP6_RECURSIVE2
		src=$ROUTER1_IPSECIP6_RECURSIVE1
		dst=$ROUTER2_IPSECIP6_RECURSIVE1
		;;
	*)
		addr=$ROUTER1_IPSECIP_RECURSIVE2
		remote=$ROUTER2_IPSECIP_RECURSIVE2
		src=$ROUTER1_IPSECIP_RECURSIVE1
		dst=$ROUTER2_IPSECIP_RECURSIVE1
		;;
	esac
	setup_recursive_if_ipsec "$SOCK1" ipsec2 "$addr" "$remote" "$mode" \
	    "$src" "$dst" "$proto" "$algo" "1to2"
}
    626 
# ROUTER1 only: a ping through the nested tunnels must fail, and the
# kernel must have logged the recursion guard message for ipsec0.
#   $1 mode - "ipv6" or "ipv4"
test_recursive_check()
{
	local mode=$1

	export RUMP_SERVER=$SOCK1

	case "$mode" in
	ipv6)
		atf_check -s not-exit:0 -o ignore -e ignore \
		    rump.ping6 -n -X "$TIMEOUT" -c 1 "$ROUTER2_IPSECIP6_RECURSIVE2"
		;;
	*)
		atf_check -s not-exit:0 -o ignore -e ignore \
		    rump.ping -n -w "$TIMEOUT" -c 1 "$ROUTER2_IPSECIP_RECURSIVE2"
		;;
	esac

	atf_check -o match:'ipsec0: recursively called too many times' \
	    -x "$HIJACKING dmesg"

	# Always echo the kernel log into the test output as well.
	$HIJACKING dmesg

	unset RUMP_SERVER
}
    648 
# Remove the nested tunnels (ipsec1, ipsec2) on ROUTER1.
teardown_recursive_tunnels()
{
	local ifname

	export RUMP_SERVER=$SOCK1
	for ifname in ipsec1 ipsec2; do
		atf_check -s exit:0 rump.ifconfig "$ifname" deletetunnel
		atf_check -s exit:0 rump.ifconfig "$ifname" destroy
	done
	unset RUMP_SERVER
}
    658 
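# Assert that LAN-to-LAN pings fail in both directions (used after the
# tunnel has been torn down).
#   $1 mode - "ipv6" or "ipv4": inner family
# On ROUTER2 the IPv4 branch pinged ROUTER2's own LAN address from a
# ROUTER1 source address, a copy of the ROUTER1 command; it now mirrors
# the IPv6 branch and test_ping_success (source ROUTER2, target ROUTER1).
test_ping_failure()
{
	local mode=$1

	export RUMP_SERVER=$SOCK1
	if [ "$mode" = "ipv6" ]; then
		atf_check -s not-exit:0 -o ignore -e ignore \
		    rump.ping6 -n -X "$TIMEOUT" -c 1 -S "$ROUTER1_LANIP6" \
		    "$ROUTER2_LANIP6"
	else
		atf_check -s not-exit:0 -o ignore -e ignore \
		    rump.ping -n -w "$TIMEOUT" -c 1 -I "$ROUTER1_LANIP" \
		    "$ROUTER2_LANIP"
	fi

	export RUMP_SERVER=$SOCK2
	if [ "$mode" = "ipv6" ]; then
		atf_check -s not-exit:0 -o ignore -e ignore \
		    rump.ping6 -n -X "$TIMEOUT" -c 1 -S "$ROUTER2_LANIP6" \
		    "$ROUTER1_LANIP6"
	else
		atf_check -s not-exit:0 -o ignore -e ignore \
		    rump.ping -n -w "$TIMEOUT" -c 1 -I "$ROUTER2_LANIP" \
		    "$ROUTER1_LANIP"
	fi

	unset RUMP_SERVER
}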
    687 
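# Assert that LAN-to-LAN pings succeed in both directions through the
# tunnel.
#   $1 mode - "ipv6" or "ipv4": inner family
# "mode" is now declared local like in every other helper here, so the
# caller's variables are not clobbered.
test_ping_success()
{
	local mode=$1

	export RUMP_SERVER=$SOCK1
	$DEBUG && rump.ifconfig -v ipsec0
	if [ "$mode" = "ipv6" ]; then
		# XXX
		# rump.ping6 rarely fails with the message that
		# "failed to get receiving hop limit".
		# This is a known issue being analyzed.
		atf_check -s exit:0 -o ignore \
		    rump.ping6 -n -X "$TIMEOUT" -c 1 -S "$ROUTER1_LANIP6" \
		    "$ROUTER2_LANIP6"
	else
		atf_check -s exit:0 -o ignore \
		    rump.ping -n -w "$TIMEOUT" -c 1 -I "$ROUTER1_LANIP" \
		    "$ROUTER2_LANIP"
	fi
	$DEBUG && rump.ifconfig -v ipsec0

	export RUMP_SERVER=$SOCK2
	$DEBUG && rump.ifconfig -v ipsec0
	if [ "$mode" = "ipv6" ]; then
		atf_check -s exit:0 -o ignore \
		    rump.ping6 -n -X "$TIMEOUT" -c 1 -S "$ROUTER2_LANIP6" \
		    "$ROUTER1_LANIP6"
	else
		atf_check -s exit:0 -o ignore \
		    rump.ping -n -w "$TIMEOUT" -c 1 -I "$ROUTER2_LANIP" \
		    "$ROUTER1_LANIP"
	fi
	$DEBUG && rump.ifconfig -v ipsec0

	unset RUMP_SERVER
}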
    724 
# With ipsec1 already using the *_DUMMY endpoints, re-pointing ipsec0 at
# the same endpoints must be refused: the command is expected to exit 0
# but report SIOCSLIFPHYADDR on stderr, on both routers.
#   $1 mode - "ipv6" or "ipv4": outer family
test_change_tunnel_duplicate()
{
	local mode=$1
	local newsrc="" newdst=""

	case "$mode" in
	ipv6)
		newsrc=$ROUTER1_WANIP6_DUMMY
		newdst=$ROUTER2_WANIP6_DUMMY
		;;
	*)
		newsrc=$ROUTER1_WANIP_DUMMY
		newdst=$ROUTER2_WANIP_DUMMY
		;;
	esac
	export RUMP_SERVER=$SOCK1
	$DEBUG && rump.ifconfig -v ipsec0
	$DEBUG && rump.ifconfig -v ipsec1
	atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \
	    rump.ifconfig ipsec0 tunnel "$newsrc" "$newdst"
	$DEBUG && rump.ifconfig -v ipsec0
	$DEBUG && rump.ifconfig -v ipsec1

	case "$mode" in
	ipv6)
		newsrc=$ROUTER2_WANIP6_DUMMY
		newdst=$ROUTER1_WANIP6_DUMMY
		;;
	*)
		newsrc=$ROUTER2_WANIP_DUMMY
		newdst=$ROUTER1_WANIP_DUMMY
		;;
	esac
	export RUMP_SERVER=$SOCK2
	$DEBUG && rump.ifconfig -v ipsec0
	$DEBUG && rump.ifconfig -v ipsec1
	atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \
	    rump.ifconfig ipsec0 tunnel "$newsrc" "$newdst"
	$DEBUG && rump.ifconfig -v ipsec0
	$DEBUG && rump.ifconfig -v ipsec1

	unset RUMP_SERVER
}
    763 
# Once ipsec1 is gone, re-pointing ipsec0 at the *_DUMMY endpoints must
# succeed on both routers.
#   $1 mode - "ipv6" or "ipv4": outer family
test_change_tunnel_success()
{
	local mode=$1
	local newsrc="" newdst=""

	case "$mode" in
	ipv6)
		newsrc=$ROUTER1_WANIP6_DUMMY
		newdst=$ROUTER2_WANIP6_DUMMY
		;;
	*)
		newsrc=$ROUTER1_WANIP_DUMMY
		newdst=$ROUTER2_WANIP_DUMMY
		;;
	esac
	export RUMP_SERVER=$SOCK1
	$DEBUG && rump.ifconfig -v ipsec0
	atf_check -s exit:0 \
	    rump.ifconfig ipsec0 tunnel "$newsrc" "$newdst"
	$DEBUG && rump.ifconfig -v ipsec0

	case "$mode" in
	ipv6)
		newsrc=$ROUTER2_WANIP6_DUMMY
		newdst=$ROUTER1_WANIP6_DUMMY
		;;
	*)
		newsrc=$ROUTER2_WANIP_DUMMY
		newdst=$ROUTER1_WANIP_DUMMY
		;;
	esac
	export RUMP_SERVER=$SOCK2
	$DEBUG && rump.ifconfig -v ipsec0
	atf_check -s exit:0 \
	    rump.ifconfig ipsec0 tunnel "$newsrc" "$newdst"
	$DEBUG && rump.ifconfig -v ipsec0

	unset RUMP_SERVER
}
    798 
# "basic" category: set up the routers and the ipsec0 tunnel.
#   $1 inner, $2 outer, $3 proto, $4 algo
basic_setup()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	setup "$inner" "$outer"
	test_setup "$inner" "$outer"

	# Enable once PR kern/49219 is fixed
	#test_ping_failure

	setup_tunnel "$inner" "$outer" "$proto" "$algo"
	# Give the tunnel a moment before checking it.
	sleep 1
	test_setup_tunnel "$inner"
}
    816 
# "basic" category: the tunnel must carry pings both ways.
#   $1 inner; $2 (outer) is accepted for a uniform ${category}_test
#   signature but is not needed here.
basic_test()
{
	local inner=$1

	test_ping_success "$inner"
}
    824 
# "basic" category: tear the tunnel down and confirm pings stop.
#   $1 inner; $2 (outer) is accepted but unused.
basic_teardown()
{
	local inner=$1

	teardown_tunnel
	test_ping_failure "$inner"
}
    833 
# "ioctl" category: like basic_setup, plus the second (dummy) tunnel
# that the tunnel-change tests need.
#   $1 inner, $2 outer, $3 proto, $4 algo
ioctl_setup()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	setup "$inner" "$outer"
	test_setup "$inner" "$outer"

	# Enable once PR kern/49219 is fixed
	#test_ping_failure

	setup_tunnel "$inner" "$outer" "$proto" "$algo"
	setup_dummy_tunnel "$inner" "$outer" "$proto" "$algo"
	sleep 1
	test_setup_tunnel "$inner"
}
    852 
# "ioctl" category: pings work; changing ipsec0's endpoints onto the
# dummy tunnel's endpoints is refused while ipsec1 exists and accepted
# once it is removed.
#   $1 inner (ping family), $2 outer (endpoint family)
ioctl_test()
{
	local inner=$1
	local outer=$2

	test_ping_success "$inner"
	test_change_tunnel_duplicate "$outer"
	teardown_dummy_tunnel
	test_change_tunnel_success "$outer"
}
    865 
# "ioctl" category: tear the tunnel down and confirm pings stop.
#   $1 inner; $2 (outer) is accepted but unused.
ioctl_teardown()
{
	local inner=$1

	teardown_tunnel
	test_ping_failure "$inner"
}
    874 
# "recursive" category: like basic_setup, plus the nested tunnels on
# ROUTER1.
#   $1 inner, $2 outer, $3 proto, $4 algo
recursive_setup()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	setup "$inner" "$outer"
	test_setup "$inner" "$outer"

	# Enable once PR kern/49219 is fixed
	#test_ping_failure

	setup_tunnel "$inner" "$outer" "$proto" "$algo"
	setup_recursive_tunnels "$inner" "$proto" "$algo"
	sleep 1
	test_setup_tunnel "$inner"
}
    893 
# "recursive" category: the nested tunnels must trip the recursion guard.
#   $1 inner; $2 (outer) is accepted but unused.
recursive_test()
{
	local inner=$1

	test_recursive_check "$inner"
}
    901 
# "recursive" category: remove the nested tunnels first, then ipsec0.
# Both arguments ($1 inner, $2 outer) are accepted but unused.
recursive_teardown()
{
	teardown_recursive_tunnels
	teardown_tunnel
}
    910 
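# Register one ATF test case that drives the ${category}_setup/_test/
# _teardown triple for a given family/protocol/algorithm combination.
#   $1 category - "basic", "ioctl" or "recursive"
#   $2 desc     - human-readable suffix for the description
#   $3 inner    - "ipv4" or "ipv6"
#   $4 outer    - "ipv4" or "ipv6"
#   $5 proto    - "esp" or "ah"
#   $6 algo     - algorithm name (may contain '-')
# "name" and "fulldesc" are now local; they used to leak as globals.
add_test()
{
	local category=$1
	local desc=$2
	local inner=$3
	local outer=$4
	local proto=$5
	local algo=$6
	local _algo=""
	local name=""
	local fulldesc=""

	# The algorithm becomes part of shell function names, which cannot
	# contain '-', so strip it.
	_algo=$(echo "$algo" | sed 's/-//g')

	name="ipsecif_${category}_${inner}over${outer}_${proto}_${_algo}"
	fulldesc="Does ${inner} over ${outer} if_ipsec ${desc}"

	atf_test_case "$name" cleanup
	# eval defines the three per-case functions.  Everything
	# interpolated here comes from this file's own constants and
	# argument lists (see add_test_allproto), not from external input.
	eval "${name}_head() {
			atf_set descr \"${fulldesc}\"
			atf_set require.progs rump_server setkey
		}
	    ${name}_body() {
			${category}_setup ${inner} ${outer} ${proto} ${algo}
			${category}_test ${inner} ${outer}
			${category}_teardown ${inner} ${outer}
			rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
			\$DEBUG && dump
			cleanup
		}"
	atf_add_test_case "$name"
}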
    941 
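# Register a test case for every inner/outer family combination and
# every ESP algorithm in ESP_ENCRYPTION_ALGORITHMS_MINIMUM (defined
# outside this file).
#   $1 category - "basic", "ioctl" or "recursive"
#   $2 desc     - description suffix passed to add_test
# The loop variable is declared local so it no longer leaks.
add_test_allproto()
{
	local category=$1
	local desc=$2
	local algo

	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		add_test "$category" "$desc" ipv4 ipv4 esp "$algo"
		add_test "$category" "$desc" ipv4 ipv6 esp "$algo"
		add_test "$category" "$desc" ipv6 ipv4 esp "$algo"
		add_test "$category" "$desc" ipv6 ipv6 esp "$algo"
	done

	# ah does not support yet
}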
    956 
# ATF entry point: register the create/destroy case and the three
# generated test families.
atf_init_test_cases()
{
	atf_add_test_case ipsecif_create_destroy

	add_test_allproto basic "basic tests"
	add_test_allproto ioctl "ioctl tests"
	add_test_allproto recursive "recursive check tests"
}
    965 }
    966