      1 #	$NetBSD: t_ipsec.sh,v 1.1 2018/01/10 11:06:06 knakahara Exp $
      2 #
      3 # Copyright (c) 2017 Internet Initiative Japan Inc.
      4 # All rights reserved.
      5 #
      6 # Redistribution and use in source and binary forms, with or without
      7 # modification, are permitted provided that the following conditions
      8 # are met:
      9 # 1. Redistributions of source code must retain the above copyright
     10 #    notice, this list of conditions and the following disclaimer.
     11 # 2. Redistributions in binary form must reproduce the above copyright
     12 #    notice, this list of conditions and the following disclaimer in the
     13 #    documentation and/or other materials provided with the distribution.
     14 #
     15 # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
     16 # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
     17 # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     18 # PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
     19 # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
     20 # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
     21 # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
     22 # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
     23 # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     24 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
     25 # POSSIBILITY OF SUCH DAMAGE.
     26 #
     27 
# Control sockets of the two rump kernels that play ROUTER1 and ROUTER2.
SOCK1=unix://commsock1 # for ROUTER1
SOCK2=unix://commsock2 # for ROUTER2

# ROUTER1 addressing: LAN side (shmif0), WAN side (shmif1) and the address
# configured on the ipsec(4) tunnel interface.  The *_DUMMY addresses are
# used for a second tunnel by the ioctl tests, the *_RECURSIVE1/2 ones for
# tunnels nested inside ipsec0 by the recursion tests.
ROUTER1_LANIP=192.168.1.1
ROUTER1_LANNET=192.168.1.0/24
ROUTER1_WANIP=10.0.0.1
ROUTER1_IPSECIP=172.16.1.1
ROUTER1_WANIP_DUMMY=10.0.0.11
ROUTER1_IPSECIP_DUMMY=172.16.11.1
ROUTER1_IPSECIP_RECURSIVE1=172.16.101.1
ROUTER1_IPSECIP_RECURSIVE2=172.16.201.1
ROUTER1_LANIP6=fc00:1::1
ROUTER1_LANNET6=fc00:1::/64
ROUTER1_WANIP6=fc00::1
ROUTER1_IPSECIP6=fc00:3::1
ROUTER1_WANIP6_DUMMY=fc00::11
ROUTER1_IPSECIP6_DUMMY=fc00:13::1
ROUTER1_IPSECIP6_RECURSIVE1=fc00:103::1
ROUTER1_IPSECIP6_RECURSIVE2=fc00:203::1

# ROUTER2 addressing, same layout as ROUTER1.
ROUTER2_LANIP=192.168.2.1
ROUTER2_LANNET=192.168.2.0/24
ROUTER2_WANIP=10.0.0.2
ROUTER2_IPSECIP=172.16.2.1
ROUTER2_WANIP_DUMMY=10.0.0.12
ROUTER2_IPSECIP_DUMMY=172.16.12.1
ROUTER2_IPSECIP_RECURSIVE1=172.16.102.1
ROUTER2_IPSECIP_RECURSIVE2=172.16.202.1
ROUTER2_LANIP6=fc00:2::1
ROUTER2_LANNET6=fc00:2::/64
ROUTER2_WANIP6=fc00::2
ROUTER2_IPSECIP6=fc00:4::1
ROUTER2_WANIP6_DUMMY=fc00::12
ROUTER2_IPSECIP6_DUMMY=fc00:14::1
ROUTER2_IPSECIP6_RECURSIVE1=fc00:104::1
ROUTER2_IPSECIP6_RECURSIVE2=fc00:204::1

# DEBUG=true in the environment turns on the setkey dumps in the setup
# helpers and the dump on test cleanup.
DEBUG=${DEBUG:-false}
# Seconds each ping probe waits for a reply (ping -w / ping6 -X).
TIMEOUT=7
     66 
# Attach shmif0 (LAN, bus0) and shmif1 (WAN, bus1) to the rump server at
# $sock and put one address on each.  $lan_mode/$wan_mode select inet6
# ("ipv6") or inet (anything else); the IPv4 LAN gets netmask 0xffffff00,
# the IPv4 WAN 0xff000000.  The bare rump.ifconfig calls only feed the log.
setup_router()
{
	local sock=${1}
	local lan=${2}
	local lan_mode=${3}
	local wan=${4}
	local wan_mode=${5}

	rump_server_add_iface $sock shmif0 bus0
	rump_server_add_iface $sock shmif1 bus1

	export RUMP_SERVER=${sock}
	case ${lan_mode} in
	ipv6)
		atf_check -s exit:0 rump.ifconfig shmif0 inet6 ${lan}
		;;
	*)
		atf_check -s exit:0 rump.ifconfig shmif0 inet ${lan} netmask 0xffffff00
		;;
	esac
	atf_check -s exit:0 rump.ifconfig shmif0 up
	rump.ifconfig shmif0

	case ${wan_mode} in
	ipv6)
		atf_check -s exit:0 rump.ifconfig shmif1 inet6 ${wan}
		;;
	*)
		atf_check -s exit:0 rump.ifconfig shmif1 inet ${wan} netmask 0xff000000
		;;
	esac
	atf_check -s exit:0 rump.ifconfig shmif1 up
	rump.ifconfig shmif1
	unset RUMP_SERVER
}
     96 
# Check a router configured by setup_router: shmif0 and shmif1 show up in
# rump.ifconfig and the router's own LAN and WAN addresses each answer a
# single ping (ping6 for "ipv6" modes) within $TIMEOUT seconds.
test_router()
{
	local sock=${1}
	local lan=${2}
	local lan_mode=${3}
	local wan=${4}
	local wan_mode=${5}

	export RUMP_SERVER=${sock}
	atf_check -s exit:0 -o match:shmif0 rump.ifconfig
	case ${lan_mode} in
	ipv6)
		atf_check -s exit:0 -o ignore rump.ping6 -n -c 1 -X $TIMEOUT ${lan}
		;;
	*)
		atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT ${lan}
		;;
	esac

	atf_check -s exit:0 -o match:shmif1 rump.ifconfig
	case ${wan_mode} in
	ipv6)
		atf_check -s exit:0 -o ignore rump.ping6 -n -c 1 -X $TIMEOUT ${wan}
		;;
	*)
		atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT ${wan}
		;;
	esac
	unset RUMP_SERVER
}
    121 
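# Start both rump kernels with crypto and IPsec support and give each router
# its LAN and WAN addresses.  $inner picks the LAN address family, $outer the
# WAN one ("ipv6", or anything else for IPv4).
setup()
{
	local inner=${1}
	local outer=${2}
	# All of these are local: test_setup() keeps its own copies and nothing
	# else reads them, so they must not leak into the global namespace.
	local router1_lan=""
	local router2_lan=""
	local lan_mode=""
	local router1_wan=""
	local router2_wan=""
	local wan_mode=""

	rump_server_crypto_start $SOCK1 netipsec netinet6 ipsec
	rump_server_crypto_start $SOCK2 netipsec netinet6 ipsec

	if [ "${inner}" = "ipv6" ]; then
		router1_lan=$ROUTER1_LANIP6
		router2_lan=$ROUTER2_LANIP6
		lan_mode="ipv6"
	else
		router1_lan=$ROUTER1_LANIP
		router2_lan=$ROUTER2_LANIP
		lan_mode="ipv4"
	fi
	if [ "${outer}" = "ipv6" ]; then
		router1_wan=$ROUTER1_WANIP6
		router2_wan=$ROUTER2_WANIP6
		wan_mode="ipv6"
	else
		router1_wan=$ROUTER1_WANIP
		router2_wan=$ROUTER2_WANIP
		wan_mode="ipv4"
	fi

	setup_router $SOCK1 "${router1_lan}" "${lan_mode}" \
		"${router1_wan}" "${wan_mode}"
	setup_router $SOCK2 "${router2_lan}" "${lan_mode}" \
		"${router2_wan}" "${wan_mode}"
}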
    158 
# Verify both routers after setup(): run test_router against each with the
# LAN address/family chosen by $inner and the WAN one chosen by $outer.
test_setup()
{
	local inner=${1}
	local outer=${2}
	local lan_mode="ipv4"
	local router1_lan=$ROUTER1_LANIP
	local router2_lan=$ROUTER2_LANIP
	local wan_mode="ipv4"
	local router1_wan=$ROUTER1_WANIP
	local router2_wan=$ROUTER2_WANIP

	if [ "${inner}" = "ipv6" ]; then
		lan_mode="ipv6"
		router1_lan=$ROUTER1_LANIP6
		router2_lan=$ROUTER2_LANIP6
	fi
	if [ "${outer}" = "ipv6" ]; then
		wan_mode="ipv6"
		router1_wan=$ROUTER1_WANIP6
		router2_wan=$ROUTER2_WANIP6
	fi

	test_router $SOCK1 "${router1_lan}" "${lan_mode}" "${router1_wan}" "${wan_mode}"
	test_router $SOCK2 "${router2_lan}" "${lan_mode}" "${router2_wan}" "${wan_mode}"
}
    191 
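# Print the "unique#" id that setkey -DP reports, on the rump server at $sock,
# for the policy whose entry starts with $src and ends in "($proto)".
# $src and $proto are spliced into a grep regex unescaped; that is acceptable
# for the fixed test addresses used here (a '.' also matches itself) but the
# helper is not suitable for arbitrary input.
get_if_ipsec_unique()
{
	local sock=${1}
	local src=${2}
	local proto=${3}
	local unique=""

	export RUMP_SERVER=${sock}
	unique=$($HIJACKING setkey -DP \
	    | grep -A2 "^${src}.*(${proto})$" \
	    | grep unique \
	    | sed 's/.*unique#//')
	unset RUMP_SERVER

	# Deliberately unquoted: collapses any newlines/whitespace into a single
	# space-separated word list, which is what the setkey callers rely on.
	echo $unique
}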
    205 
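# Create ipsec0 on the rump server at $sock, point its tunnel at $src->$dst,
# configure $addr (/32 or /128) with $remote as the peer and route $peernet
# via $addr.  $inner ("ipv6" or anything else for IPv4) selects the family
# of $addr/$remote/$peernet.  RUMP_SERVER is unset on return, like the other
# setup_* helpers; the trailing rump.ifconfig/rump.route only feed the log.
setup_if_ipsec()
{
	local sock=${1}
	local addr=${2}
	local remote=${3}
	local inner=${4}
	local src=${5}
	local dst=${6}
	local peernet=${7}
	local af=""
	local plen=""

	if [ "${inner}" = "ipv6" ]; then
		af=inet6
		plen=128
	else
		af=inet
		plen=32
	fi

	export RUMP_SERVER=${sock}
	atf_check -s exit:0 rump.ifconfig ipsec0 create
	atf_check -s exit:0 rump.ifconfig ipsec0 tunnel "${src}" "${dst}"
	atf_check -s exit:0 rump.ifconfig ipsec0 ${af} "${addr}/${plen}" "${remote}"
	atf_check -s exit:0 -o ignore rump.route add -${af} "${peernet}" "${addr}"

	rump.ifconfig ipsec0
	rump.route -nL show
	unset RUMP_SERVER
}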
    230 
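# Install the SA pair for the ipsec0 tunnel $src->$dst on the rump server at
# $sock: one inbound SA ($dst->$src) and one outbound SA.  Each SA is bound
# (-u) to the unique id that get_if_ipsec_unique scrapes from setkey -DP for
# the matching policy, and gets a fixed SPI chosen by $dir ("1to2"/"2to1")
# and $mode ("ipv6"/other) so both routers end up with matching numbers.
# $proto/$algo are turned into setkey arguments by generate_algo_args
# (provided by the shared test library, not this file).
setup_if_ipsec_sa()
{
	local sock=${1}
	local src=${2}
	local dst=${3}
	local mode=${4}
	local proto=${5}
	local algo=${6}
	local dir=${7}

	# Relative to the current directory (presumably the per-test work dir
	# atf provides); left behind on purpose so DEBUG runs can inspect it.
	local tmpfile=./tmp
	local inunique=""
	local outunique=""
	local inid=""
	local outid=""
	local algo_args=""

	algo_args=$(generate_algo_args "$proto" "$algo")
	inunique=$(get_if_ipsec_unique "${sock}" "${dst}" "${mode}")
	outunique=$(get_if_ipsec_unique "${sock}" "${src}" "${mode}")

	# SPIs: 10000/10001 for IPv4, 10010/10011 for IPv6; the inbound and
	# outbound roles swap between the two directions.
	case "${dir}/${mode}" in
	1to2/ipv6)
		inid="10010"
		outid="10011"
		;;
	1to2/*)
		inid="10000"
		outid="10001"
		;;
	*/ipv6)
		inid="10011"
		outid="10010"
		;;
	*)
		inid="10001"
		outid="10000"
		;;
	esac

	# <<- strips leading tabs only, so the body must be tab-indented.
	cat > "$tmpfile" <<-EOF
	add $dst $src $proto $inid -u $inunique $algo_args;
	add $src $dst $proto $outid -u $outunique $algo_args;
	EOF
	$DEBUG && cat "$tmpfile"
	export RUMP_SERVER=$sock
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	$DEBUG && $HIJACKING setkey -D
	$DEBUG && $HIJACKING setkey -DP
	unset RUMP_SERVER
}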
    280 
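# Build the ROUTER1<->ROUTER2 tunnel: ipsec0 plus its SAs on each router.
# $inner is the family carried inside the tunnel (tunnel interface addresses
# and the peer LAN route), $outer the family of the tunnel endpoints;
# $proto/$algo are handed to setkey via setup_if_ipsec_sa.  For IPv6 inside
# IPv4 an extra SA pair keyed on the outer family is installed first.
setup_tunnel()
{
	local inner=${1}
	local outer=${2}
	local proto=${3}
	local algo=${4}

	local addr=""
	local remote=""
	local src=""
	local dst=""
	local peernet=""

	# ROUTER1 side.
	if [ "${inner}" = "ipv6" ]; then
		addr=$ROUTER1_IPSECIP6
		remote=$ROUTER2_IPSECIP6
		peernet=$ROUTER2_LANNET6
	else
		addr=$ROUTER1_IPSECIP
		remote=$ROUTER2_IPSECIP
		peernet=$ROUTER2_LANNET
	fi
	if [ "${outer}" = "ipv6" ]; then
		src=$ROUTER1_WANIP6
		dst=$ROUTER2_WANIP6
	else
		src=$ROUTER1_WANIP
		dst=$ROUTER2_WANIP
	fi
	setup_if_ipsec $SOCK1 "${addr}" "${remote}" "${inner}" \
		     "${src}" "${dst}" "${peernet}"

	if [ "${inner}" = "ipv6" ] && [ "${outer}" = "ipv4" ]; then
		setup_if_ipsec_sa $SOCK1 "${src}" "${dst}" "${outer}" "${proto}" "${algo}" "1to2"
	fi
	setup_if_ipsec_sa $SOCK1 "${src}" "${dst}" "${inner}" "${proto}" "${algo}" "1to2"

	# ROUTER2 side: the same with the roles swapped.
	if [ "${inner}" = "ipv6" ]; then
		addr=$ROUTER2_IPSECIP6
		remote=$ROUTER1_IPSECIP6
		peernet=$ROUTER1_LANNET6
	else
		addr=$ROUTER2_IPSECIP
		remote=$ROUTER1_IPSECIP
		peernet=$ROUTER1_LANNET
	fi
	if [ "${outer}" = "ipv6" ]; then
		src=$ROUTER2_WANIP6
		dst=$ROUTER1_WANIP6
	else
		src=$ROUTER2_WANIP
		dst=$ROUTER1_WANIP
	fi
	# setup_if_ipsec takes exactly seven arguments; $proto/$algo only go to
	# setup_if_ipsec_sa.
	setup_if_ipsec $SOCK2 "${addr}" "${remote}" "${inner}" \
		     "${src}" "${dst}" "${peernet}"

	if [ "${inner}" = "ipv6" ] && [ "${outer}" = "ipv4" ]; then
		setup_if_ipsec_sa $SOCK2 "${src}" "${dst}" "${outer}" "${proto}" "${algo}" "2to1"
	fi
	setup_if_ipsec_sa $SOCK2 "${src}" "${dst}" "${inner}" "${proto}" "${algo}" "2to1"
}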
    341 
# Check that ipsec0 exists on both routers and that the route to the peer's
# LAN ($mode family) goes through it.  RUMP_SERVER is left pointing at
# $SOCK2 on return.
test_setup_tunnel()
{
	local mode=${1}
	local opt="-inet"
	local peernet1=$ROUTER2_LANNET
	local peernet2=$ROUTER1_LANNET

	if [ "${mode}" = "ipv6" ]; then
		opt="-inet6"
		peernet1=$ROUTER2_LANNET6
		peernet2=$ROUTER1_LANNET6
	fi

	export RUMP_SERVER=$SOCK1
	atf_check -s exit:0 -o match:ipsec0 rump.ifconfig
	atf_check -s exit:0 -o match:ipsec0 rump.route -nL get ${opt} "${peernet1}"

	export RUMP_SERVER=$SOCK2
	atf_check -s exit:0 -o match:ipsec0 rump.ifconfig
	atf_check -s exit:0 -o match:ipsec0 rump.route -nL get ${opt} "${peernet2}"
}
    370 
# Tear the main tunnel down on both routers: detach and destroy ipsec0 and
# flush every SA with setkey -F.
teardown_tunnel()
{
	local sock=""

	for sock in $SOCK1 $SOCK2; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel
		atf_check -s exit:0 rump.ifconfig ipsec0 destroy
		$HIJACKING setkey -F
	done

	unset RUMP_SERVER
}
    385 
# Create the second ("dummy") tunnel interface ipsec1 on the rump server at
# $sock with endpoints $src->$dst and address $addr (/32 or /128 depending
# on $inner) peered with $remote.  Unlike setup_if_ipsec no route is added.
setup_dummy_if_ipsec()
{
	local sock=${1}
	local addr=${2}
	local remote=${3}
	local inner=${4}
	local src=${5}
	local dst=${6}
	local af=inet
	local plen=32

	if [ "${inner}" = "ipv6" ]; then
		af=inet6
		plen=128
	fi

	export RUMP_SERVER=${sock}
	atf_check -s exit:0 rump.ifconfig ipsec1 create
	atf_check -s exit:0 rump.ifconfig ipsec1 tunnel ${src} ${dst}
	atf_check -s exit:0 rump.ifconfig ipsec1 ${af} ${addr}/${plen} ${remote}

	rump.ifconfig ipsec1
	unset RUMP_SERVER
}
    407 
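# Install the SA pair for the dummy tunnel $src->$dst on the rump server at
# $sock, mirroring setup_if_ipsec_sa but with SPIs 20000/20001 regardless
# of $mode.  $dir ("1to2"/"2to1") decides which SPI is inbound; $mode is
# only used to look up the policy unique ids via get_if_ipsec_unique.
setup_dummy_if_ipsec_sa()
{
	local sock=${1}
	local src=${2}
	local dst=${3}
	local mode=${4}
	local proto=${5}
	local algo=${6}
	local dir=${7}

	# Same scratch file as setup_if_ipsec_sa; overwritten on each call.
	local tmpfile=./tmp
	local inunique=""
	local outunique=""
	local inid=""
	local outid=""
	local algo_args=""

	algo_args=$(generate_algo_args "$proto" "$algo")
	inunique=$(get_if_ipsec_unique "${sock}" "${dst}" "${mode}")
	outunique=$(get_if_ipsec_unique "${sock}" "${src}" "${mode}")

	if [ "${dir}" = "1to2" ]; then
		inid="20000"
		outid="20001"
	else
		inid="20001"
		outid="20000"
	fi

	# <<- strips leading tabs only, so the body must be tab-indented.
	cat > "$tmpfile" <<-EOF
	add $dst $src $proto $inid -u $inunique $algo_args;
	add $src $dst $proto $outid -u $outunique $algo_args;
	EOF
	$DEBUG && cat "$tmpfile"
	export RUMP_SERVER=$sock
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	$DEBUG && $HIJACKING setkey -D
	$DEBUG && $HIJACKING setkey -DP
	unset RUMP_SERVER
}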
    447 
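# Build the second ("dummy") tunnel, ipsec1, on both routers using the
# *_DUMMY addresses: $inner selects the family of the tunnel interface
# addresses, $outer that of the endpoints, $proto/$algo go to setkey via
# setup_dummy_if_ipsec_sa.
setup_dummy_tunnel()
{
	local inner=${1}
	local outer=${2}
	local proto=${3}
	local algo=${4}

	local addr=""
	local remote=""
	local src=""
	local dst=""

	# ROUTER1 side.
	if [ "${inner}" = "ipv6" ]; then
		addr=$ROUTER1_IPSECIP6_DUMMY
		remote=$ROUTER2_IPSECIP6_DUMMY
	else
		addr=$ROUTER1_IPSECIP_DUMMY
		remote=$ROUTER2_IPSECIP_DUMMY
	fi
	if [ "${outer}" = "ipv6" ]; then
		src=$ROUTER1_WANIP6_DUMMY
		dst=$ROUTER2_WANIP6_DUMMY
	else
		src=$ROUTER1_WANIP_DUMMY
		dst=$ROUTER2_WANIP_DUMMY
	fi
	# setup_dummy_if_ipsec takes exactly six arguments; $proto/$algo/$dir
	# belong to setup_dummy_if_ipsec_sa only.
	setup_dummy_if_ipsec $SOCK1 "${addr}" "${remote}" "${inner}" \
			   "${src}" "${dst}"
	setup_dummy_if_ipsec_sa $SOCK1 "${src}" "${dst}" "${inner}" "${proto}" "${algo}" "1to2"

	# ROUTER2 side: the same with the roles swapped.
	if [ "${inner}" = "ipv6" ]; then
		addr=$ROUTER2_IPSECIP6_DUMMY
		remote=$ROUTER1_IPSECIP6_DUMMY
	else
		addr=$ROUTER2_IPSECIP_DUMMY
		remote=$ROUTER1_IPSECIP_DUMMY
	fi
	if [ "${outer}" = "ipv6" ]; then
		src=$ROUTER2_WANIP6_DUMMY
		dst=$ROUTER1_WANIP6_DUMMY
	else
		src=$ROUTER2_WANIP_DUMMY
		dst=$ROUTER1_WANIP_DUMMY
	fi
	setup_dummy_if_ipsec $SOCK2 "${addr}" "${remote}" "${inner}" \
			   "${src}" "${dst}"
	setup_dummy_if_ipsec_sa $SOCK2 "${src}" "${dst}" "${inner}" "${proto}" "${algo}" "2to1"
}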
    496 
# Check that the dummy tunnel interface ipsec1 exists on both routers.
test_setup_dummy_tunnel()
{
	local sock=""

	for sock in $SOCK1 $SOCK2; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 -o match:ipsec1 rump.ifconfig
	done

	unset RUMP_SERVER
}
    507 
# Remove the dummy tunnel interface ipsec1 from both routers.  Its SAs are
# not flushed here; teardown_tunnel's setkey -F takes care of that.
teardown_dummy_tunnel()
{
	local sock=""

	for sock in $SOCK1 $SOCK2; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel
		atf_check -s exit:0 rump.ifconfig ipsec1 destroy
	done

	unset RUMP_SERVER
}
    520 
# Create tunnel interface $ipsec on the rump server at $sock with endpoints
# $src->$dst, address $addr (/32 or /128 per $inner) peered with $remote,
# and install its SAs through setup_if_ipsec_sa ($proto, $algo, $dir).
setup_recursive_if_ipsec()
{
	local sock=${1}
	local ipsec=${2}
	local addr=${3}
	local remote=${4}
	local inner=${5}
	local src=${6}
	local dst=${7}
	local proto=${8}
	local algo=${9}
	local dir=${10}
	local af=inet
	local plen=32

	if [ "${inner}" = "ipv6" ]; then
		af=inet6
		plen=128
	fi

	export RUMP_SERVER=${sock}
	atf_check -s exit:0 rump.ifconfig ${ipsec} create
	atf_check -s exit:0 rump.ifconfig ${ipsec} tunnel ${src} ${dst}
	atf_check -s exit:0 rump.ifconfig ${ipsec} ${af} ${addr}/${plen} ${remote}
	# setup_if_ipsec_sa selects its own RUMP_SERVER and unsets it on return,
	# hence the re-export below.
	setup_if_ipsec_sa $sock ${src} ${dst} ${inner} ${proto} ${algo} ${dir}

	export RUMP_SERVER=${sock}
	rump.ifconfig ${ipsec}
	unset RUMP_SERVER
}
    548 
# test in ROUTER1 only
# Nest two more tunnels on ROUTER1: ipsec1 rides on ipsec0's tunnel
# addresses and ipsec2 on ipsec1's, all in the $mode family and with SAs
# for $proto/$algo.  Only the "1to2" direction is set up, since ROUTER2
# gets no counterpart.
setup_recursive_tunnels()
{
	local mode=${1}
	local proto=${2}
	local algo=${3}

	if [ "${mode}" = "ipv6" ]; then
		setup_recursive_if_ipsec $SOCK1 ipsec1 \
		    $ROUTER1_IPSECIP6_RECURSIVE1 $ROUTER2_IPSECIP6_RECURSIVE1 ${mode} \
		    $ROUTER1_IPSECIP6 $ROUTER2_IPSECIP6 ${proto} ${algo} "1to2"
		setup_recursive_if_ipsec $SOCK1 ipsec2 \
		    $ROUTER1_IPSECIP6_RECURSIVE2 $ROUTER2_IPSECIP6_RECURSIVE2 ${mode} \
		    $ROUTER1_IPSECIP6_RECURSIVE1 $ROUTER2_IPSECIP6_RECURSIVE1 ${proto} ${algo} "1to2"
	else
		setup_recursive_if_ipsec $SOCK1 ipsec1 \
		    $ROUTER1_IPSECIP_RECURSIVE1 $ROUTER2_IPSECIP_RECURSIVE1 ${mode} \
		    $ROUTER1_IPSECIP $ROUTER2_IPSECIP ${proto} ${algo} "1to2"
		setup_recursive_if_ipsec $SOCK1 ipsec2 \
		    $ROUTER1_IPSECIP_RECURSIVE2 $ROUTER2_IPSECIP_RECURSIVE2 ${mode} \
		    $ROUTER1_IPSECIP_RECURSIVE1 $ROUTER2_IPSECIP_RECURSIVE1 ${proto} ${algo} "1to2"
	fi
}
    589 
# test in router1 only
# A ping from ROUTER1 towards the peer of the innermost nested tunnel must
# fail, and the kernel must have logged that ipsec0 refused the recursion.
# The trailing dmesg is just copied into the test log.
test_recursive_check()
{
	local mode=$1

	export RUMP_SERVER=$SOCK1
	case ${mode} in
	ipv6)
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping6 -n -X $TIMEOUT -c 1 $ROUTER2_IPSECIP6_RECURSIVE2
		;;
	*)
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping -n -w $TIMEOUT -c 1 $ROUTER2_IPSECIP_RECURSIVE2
		;;
	esac

	atf_check -o match:'ipsec0: recursively called too many times' \
		-x "$HIJACKING dmesg"

	$HIJACKING dmesg

	unset RUMP_SERVER
}
    611 
# Remove the nested tunnel interfaces ipsec1 and ipsec2 from ROUTER1.
teardown_recursive_tunnels()
{
	local ifname=""

	export RUMP_SERVER=$SOCK1
	for ifname in ipsec1 ipsec2; do
		atf_check -s exit:0 rump.ifconfig ${ifname} deletetunnel
		atf_check -s exit:0 rump.ifconfig ${ifname} destroy
	done
	unset RUMP_SERVER
}
    621 
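# Assert that the LANs can NOT reach each other: a ping from each router's
# own LAN address to the other router's LAN address must fail.  $mode
# selects ping vs ping6.
test_ping_failure()
{
	local mode=$1

	export RUMP_SERVER=$SOCK1
	if [ "${mode}" = "ipv6" ]; then
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER1_LANIP6 \
			$ROUTER2_LANIP6
	else
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
			$ROUTER2_LANIP
	fi

	export RUMP_SERVER=$SOCK2
	if [ "${mode}" = "ipv6" ]; then
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER2_LANIP6 \
			$ROUTER1_LANIP6
	else
		# Source from ROUTER2's own LAN address towards ROUTER1, the
		# mirror of the SOCK1 case above and of test_ping_success.
		# Sourcing from ROUTER1's address here would fail for the
		# wrong reason (not a local address) and prove nothing.
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \
			$ROUTER1_LANIP
	fi

	unset RUMP_SERVER
}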
    650 
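# Assert that the LANs reach each other through the tunnel: a ping from
# each router's own LAN address to the other router's LAN address must
# succeed.  $mode selects ping vs ping6.  The rump.ifconfig -v calls before
# and after each ping only put the interface state into the log.
test_ping_success()
{
	# local, so the test's $mode does not leak into the global namespace
	# (the sibling helpers already declare theirs local).
	local mode=$1

	export RUMP_SERVER=$SOCK1
	rump.ifconfig -v ipsec0
	if [ "${mode}" = "ipv6" ]; then
		# XXX
		# rump.ping6 rarely fails with the message that
		# "failed to get receiving hop limit".
		# This is a known issue being analyzed.
		atf_check -s exit:0 -o ignore \
			rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER1_LANIP6 \
			$ROUTER2_LANIP6
	else
		atf_check -s exit:0 -o ignore \
			rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
			$ROUTER2_LANIP
	fi
	rump.ifconfig -v ipsec0

	export RUMP_SERVER=$SOCK2
	rump.ifconfig -v ipsec0
	if [ "${mode}" = "ipv6" ]; then
		atf_check -s exit:0 -o ignore \
			rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER2_LANIP6 \
			$ROUTER1_LANIP6
	else
		atf_check -s exit:0 -o ignore \
			rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \
			$ROUTER1_LANIP
	fi
	rump.ifconfig -v ipsec0

	unset RUMP_SERVER
}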
    687 
# While the dummy tunnel ipsec1 still exists, retargeting ipsec0 at the
# dummy endpoints must be refused: the command is expected to exit 0 but
# report a SIOCSLIFPHYADDR error on stderr.  $mode is the endpoint family.
# The rump.ifconfig -v calls only dump interface state into the log.
test_change_tunnel_duplicate()
{
	local mode=$1
	local r1=$ROUTER1_WANIP_DUMMY
	local r2=$ROUTER2_WANIP_DUMMY

	if [ "${mode}" = "ipv6" ]; then
		r1=$ROUTER1_WANIP6_DUMMY
		r2=$ROUTER2_WANIP6_DUMMY
	fi

	export RUMP_SERVER=$SOCK1
	rump.ifconfig -v ipsec0
	rump.ifconfig -v ipsec1
	atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \
		rump.ifconfig ipsec0 tunnel ${r1} ${r2}
	rump.ifconfig -v ipsec0
	rump.ifconfig -v ipsec1

	export RUMP_SERVER=$SOCK2
	rump.ifconfig -v ipsec0
	rump.ifconfig -v ipsec1
	atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \
		rump.ifconfig ipsec0 tunnel ${r2} ${r1}
	rump.ifconfig -v ipsec0
	rump.ifconfig -v ipsec1

	unset RUMP_SERVER
}
    726 
# Once the dummy tunnel is gone, retargeting ipsec0 at the dummy endpoints
# must succeed on both routers.  $mode is the endpoint family.  The
# rump.ifconfig -v calls only dump interface state into the log.
test_change_tunnel_success()
{
	local mode=$1
	local r1=$ROUTER1_WANIP_DUMMY
	local r2=$ROUTER2_WANIP_DUMMY

	if [ "${mode}" = "ipv6" ]; then
		r1=$ROUTER1_WANIP6_DUMMY
		r2=$ROUTER2_WANIP6_DUMMY
	fi

	export RUMP_SERVER=$SOCK1
	rump.ifconfig -v ipsec0
	atf_check -s exit:0 \
		rump.ifconfig ipsec0 tunnel ${r1} ${r2}
	rump.ifconfig -v ipsec0

	export RUMP_SERVER=$SOCK2
	rump.ifconfig -v ipsec0
	atf_check -s exit:0 \
		rump.ifconfig ipsec0 tunnel ${r2} ${r1}
	rump.ifconfig -v ipsec0

	unset RUMP_SERVER
}
    761 
# Setup phase of the "basic" test cases: bring up both routers, verify them,
# then build the main tunnel and verify it.
basic_setup()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	setup "${inner}" "${outer}"
	test_setup "${inner}" "${outer}"

	# Enable once PR kern/49219 is fixed
	#test_ping_failure

	setup_tunnel "${inner}" "${outer}" "${proto}" "${algo}"
	# Presumably gives the new interfaces/SAs a moment to settle before
	# they are checked.
	sleep 1
	test_setup_tunnel "${inner}"
}
    779 
# Test phase of the "basic" cases: LAN-to-LAN pings through the tunnel.
# $2 (outer) is accepted for symmetry with basic_setup but not used.
basic_test()
{
	local inner=$1

	test_ping_success "${inner}"
}
    787 
# Teardown phase of the "basic" cases: remove the tunnel and confirm the
# LANs no longer reach each other.  $2 (outer) is not used.
basic_teardown()
{
	local inner=$1

	teardown_tunnel
	test_ping_failure "${inner}"
}
    796 
# Setup phase of the "ioctl" cases: like basic_setup, plus a second (dummy)
# tunnel so the tunnel-change ioctls have something to collide with.
ioctl_setup()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	setup "${inner}" "${outer}"
	test_setup "${inner}" "${outer}"

	# Enable once PR kern/49219 is fixed
	#test_ping_failure

	setup_tunnel "${inner}" "${outer}" "${proto}" "${algo}"
	setup_dummy_tunnel "${inner}" "${outer}" "${proto}" "${algo}"
	# Presumably lets the new interfaces/SAs settle before the check.
	sleep 1
	test_setup_tunnel "${inner}"
}
    815 
# Test phase of the "ioctl" cases: traffic works, retargeting ipsec0 at the
# dummy endpoints is refused while ipsec1 holds them, and succeeds once the
# dummy tunnel is removed.  $inner picks the ping family, $outer the
# endpoint family.
ioctl_test()
{
	local inner=$1
	local outer=$2

	test_ping_success "${inner}"
	test_change_tunnel_duplicate "${outer}"
	teardown_dummy_tunnel
	test_change_tunnel_success "${outer}"
}
    828 
# Teardown phase of the "ioctl" cases; identical to basic_teardown.
# $2 (outer) is not used.
ioctl_teardown()
{
	local inner=$1

	teardown_tunnel
	test_ping_failure "${inner}"
}
    837 
# Setup phase of the "recursive" cases: like basic_setup, plus two tunnels
# nested inside ipsec0 on ROUTER1.
recursive_setup()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	setup "${inner}" "${outer}"
	test_setup "${inner}" "${outer}"

	# Enable once PR kern/49219 is fixed
	#test_ping_failure

	setup_tunnel "${inner}" "${outer}" "${proto}" "${algo}"
	setup_recursive_tunnels "${inner}" "${proto}" "${algo}"
	# Presumably lets the new interfaces/SAs settle before the check.
	sleep 1
	test_setup_tunnel "${inner}"
}
    856 
# Test phase of the "recursive" cases: the nested tunnels must be rejected
# by the kernel's recursion guard.  $2 (outer) is not used.
recursive_test()
{
	local inner=$1

	test_recursive_check "${inner}"
}
    864 
# Teardown phase of the "recursive" cases: drop the nested tunnels first,
# then the main one.  Neither $1 (inner) nor $2 (outer) is used.
recursive_teardown()
{
	teardown_recursive_tunnels
	teardown_tunnel
}
    873 
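# Register one atf test case "ipsec_<category>_<inner>over<outer>_<proto>_<algo>"
# whose body runs <category>_setup/_test/_teardown with the given arguments.
# $desc is the human-readable description; '-' is stripped from $algo for the
# name (presumably because atf case names must be identifier-like).
add_test()
{
	local category=$1
	local desc=$2
	local inner=$3
	local outer=$4
	local proto=$5
	local algo=$6
	local _algo=""
	# local: these used to leak into the global namespace on every call.
	local name=""
	local fulldesc=""

	_algo=$(echo $algo | sed 's/-//g')
	name="ipsec_${category}_${inner}over${outer}_${proto}_${_algo}"
	fulldesc="Does ${inner} over ${outer} if_ipsec ${desc}"

	# The eval string is expanded here, so the locals above are baked into
	# the generated functions; only \$DEBUG is deferred to cleanup time.
	atf_test_case ${name} cleanup
	eval "${name}_head() {
			atf_set descr \"${fulldesc}\"
			atf_set require.progs rump_server setkey
		}
	    ${name}_body() {
			${category}_setup ${inner} ${outer} ${proto} ${algo}
			${category}_test ${inner} ${outer}
			${category}_teardown ${inner} ${outer}
			rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
			\$DEBUG && dump
			cleanup
		}"
	atf_add_test_case ${name}
}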
    904 
    905 add_test_allproto()
    906 {
    907 	local category=$1
    908 	local desc=$2
    909 
    910 	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
    911 		add_test ${category} "${desc}" ipv4 ipv4 esp $algo
    912 		add_test ${category} "${desc}" ipv4 ipv6 esp $algo
    913 		add_test ${category} "${desc}" ipv6 ipv4 esp $algo
    914 		add_test ${category} "${desc}" ipv6 ipv6 esp $algo
    915 	done
    916 
    917 	# ah does not support yet
    918 }
    919 
# atf entry point: register every test case.  Each category expands, via
# add_test_allproto, to one case per inner/outer family pair and algorithm.
atf_init_test_cases()
{
	add_test_allproto "basic"     "basic tests"
	add_test_allproto "ioctl"     "ioctl tests"
	add_test_allproto "recursive" "recursive check tests"
}
    926