      1 #	$NetBSD: t_ipsec.sh,v 1.3 2018/02/01 05:22:01 ozaki-r Exp $
      2 #
      3 # Copyright (c) 2017 Internet Initiative Japan Inc.
      4 # All rights reserved.
      5 #
      6 # Redistribution and use in source and binary forms, with or without
      7 # modification, are permitted provided that the following conditions
      8 # are met:
      9 # 1. Redistributions of source code must retain the above copyright
     10 #    notice, this list of conditions and the following disclaimer.
     11 # 2. Redistributions in binary form must reproduce the above copyright
     12 #    notice, this list of conditions and the following disclaimer in the
     13 #    documentation and/or other materials provided with the distribution.
     14 #
     15 # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
     16 # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
     17 # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     18 # PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
     19 # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
     20 # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
     21 # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
     22 # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
     23 # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     24 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
     25 # POSSIBILITY OF SUCH DAMAGE.
     26 #
     27 
# Control sockets of the two rump servers that play ROUTER1 and ROUTER2.
SOCK1=unix://commsock1 # for ROUTER1
SOCK2=unix://commsock2 # for ROUTER2

# IPv4 addressing.  Per router: LAN side (shmif0), WAN side (shmif1),
# the ipsec(4) tunnel address, the alternate ("DUMMY") WAN/tunnel
# addresses used by the ioctl tests, and the nested ("RECURSIVE")
# tunnel addresses used by the recursion tests.
ROUTER1_LANIP=192.168.1.1
ROUTER1_LANNET=192.168.1.0/24
ROUTER1_WANIP=10.0.0.1
ROUTER1_IPSECIP=172.16.1.1
ROUTER1_WANIP_DUMMY=10.0.0.11
ROUTER1_IPSECIP_DUMMY=172.16.11.1
ROUTER1_IPSECIP_RECURSIVE1=172.16.101.1
ROUTER1_IPSECIP_RECURSIVE2=172.16.201.1
ROUTER2_LANIP=192.168.2.1
ROUTER2_LANNET=192.168.2.0/24
ROUTER2_WANIP=10.0.0.2
ROUTER2_IPSECIP=172.16.2.1
ROUTER2_WANIP_DUMMY=10.0.0.12
ROUTER2_IPSECIP_DUMMY=172.16.12.1
ROUTER2_IPSECIP_RECURSIVE1=172.16.102.1
ROUTER2_IPSECIP_RECURSIVE2=172.16.202.1

# Same layout for IPv6.
ROUTER1_LANIP6=fc00:1::1
ROUTER1_LANNET6=fc00:1::/64
ROUTER1_WANIP6=fc00::1
ROUTER1_IPSECIP6=fc00:3::1
ROUTER1_WANIP6_DUMMY=fc00::11
ROUTER1_IPSECIP6_DUMMY=fc00:13::1
ROUTER1_IPSECIP6_RECURSIVE1=fc00:103::1
ROUTER1_IPSECIP6_RECURSIVE2=fc00:203::1
ROUTER2_LANIP6=fc00:2::1
ROUTER2_LANNET6=fc00:2::/64
ROUTER2_WANIP6=fc00::2
ROUTER2_IPSECIP6=fc00:4::1
ROUTER2_WANIP6_DUMMY=fc00::12
ROUTER2_IPSECIP6_DUMMY=fc00:14::1
ROUTER2_IPSECIP6_RECURSIVE1=fc00:104::1
ROUTER2_IPSECIP6_RECURSIVE2=fc00:204::1

# DEBUG=true in the environment turns on the extra dumps ("true"/"false"
# are run as commands).  TIMEOUT is handed to ping -w / ping6 -X.
DEBUG=${DEBUG:-false}
TIMEOUT=7
     66 
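atf_test_case ipsecif_create_destroy cleanup
# Head for the standalone create/destroy test.  The interface under test
# is ipsec(4); the description previously said "gif" (copy-and-paste).
ipsecif_create_destroy_head()
{

	atf_set "descr" "Test creating/destroying ipsec interfaces"
	atf_set "require.progs" "rump_server"
}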
     74 
# Body: start one rump server with the ipsec component and run the
# shared create/destroy checks against ipsec0.
ipsecif_create_destroy_body()
{

	rump_server_start "$SOCK1" ipsec
	test_create_destroy_common "$SOCK1" ipsec0
}
     82 
# Cleanup: dump server state when DEBUG=true, then tear the servers down.
ipsecif_create_destroy_cleanup()
{

	if $DEBUG; then
		dump
	fi
	cleanup
}
     89 
# Configure one router's two shmif(4) interfaces on rump server $1.
#   $2 LAN address, $3 "ipv4"|"ipv6" for the LAN side,
#   $4 WAN address, $5 "ipv4"|"ipv6" for the WAN side.
# shmif0 is attached to bus0 (LAN) and shmif1 to bus1 (the WAN segment
# both routers share).  RUMP_SERVER is unset again on return.
setup_router()
{
	local sock=$1
	local lan=$2
	local lan_mode=$3
	local wan=$4
	local wan_mode=$5

	rump_server_add_iface "$sock" shmif0 bus0
	rump_server_add_iface "$sock" shmif1 bus1

	export RUMP_SERVER=$sock
	case "$lan_mode" in
	ipv6)
		atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$lan"
		;;
	*)
		# /24 on the LAN side
		atf_check -s exit:0 rump.ifconfig shmif0 inet "$lan" netmask 0xffffff00
		;;
	esac
	atf_check -s exit:0 rump.ifconfig shmif0 up
	rump.ifconfig shmif0

	case "$wan_mode" in
	ipv6)
		atf_check -s exit:0 rump.ifconfig shmif1 inet6 "$wan"
		;;
	*)
		# /8 on the WAN side
		atf_check -s exit:0 rump.ifconfig shmif1 inet "$wan" netmask 0xff000000
		;;
	esac
	atf_check -s exit:0 rump.ifconfig shmif1 up
	rump.ifconfig shmif1
	unset RUMP_SERVER
}
    119 
# Check one router configured by setup_router: both shmif interfaces are
# listed by ifconfig and each configured address answers a single ping.
#   $1 rump socket, $2 LAN address, $3 LAN family, $4 WAN address,
#   $5 WAN family ("ipv4"|"ipv6").
test_router()
{
	local sock=$1
	local lan=$2
	local lan_mode=$3
	local wan=$4
	local wan_mode=$5

	export RUMP_SERVER=$sock
	atf_check -s exit:0 -o match:shmif0 rump.ifconfig
	case "$lan_mode" in
	ipv6)
		atf_check -s exit:0 -o ignore rump.ping6 -n -c 1 -X "$TIMEOUT" "$lan"
		;;
	*)
		atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w "$TIMEOUT" "$lan"
		;;
	esac

	atf_check -s exit:0 -o match:shmif1 rump.ifconfig
	case "$wan_mode" in
	ipv6)
		atf_check -s exit:0 -o ignore rump.ping6 -n -c 1 -X "$TIMEOUT" "$wan"
		;;
	*)
		atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w "$TIMEOUT" "$wan"
		;;
	esac
	unset RUMP_SERVER
}
    144 
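# Start both rump servers (netipsec, netinet6 and ipsec components) and
# configure their LAN and WAN interfaces via setup_router.
#   $1 inner (LAN) address family, $2 outer (WAN) address family,
#   each "ipv4" or "ipv6".
# All scratch variables are local; the original left router1_lan,
# router1_lan_mode, router2_lan and router2_lan_mode as globals.
setup()
{
	local inner=$1
	local outer=$2
	local router1_lan=""
	local router1_lan_mode=""
	local router2_lan=""
	local router2_lan_mode=""
	local router1_wan=""
	local router2_wan=""
	local wan_mode=""

	rump_server_crypto_start "$SOCK1" netipsec netinet6 ipsec
	rump_server_crypto_start "$SOCK2" netipsec netinet6 ipsec

	if [ "$inner" = "ipv6" ]; then
		router1_lan=$ROUTER1_LANIP6
		router1_lan_mode="ipv6"
		router2_lan=$ROUTER2_LANIP6
		router2_lan_mode="ipv6"
	else
		router1_lan=$ROUTER1_LANIP
		router1_lan_mode="ipv4"
		router2_lan=$ROUTER2_LANIP
		router2_lan_mode="ipv4"
	fi

	if [ "$outer" = "ipv6" ]; then
		router1_wan=$ROUTER1_WANIP6
		router2_wan=$ROUTER2_WANIP6
		wan_mode="ipv6"
	else
		router1_wan=$ROUTER1_WANIP
		router2_wan=$ROUTER2_WANIP
		wan_mode="ipv4"
	fi
	setup_router "$SOCK1" "$router1_lan" "$router1_lan_mode" \
	    "$router1_wan" "$wan_mode"
	setup_router "$SOCK2" "$router2_lan" "$router2_lan_mode" \
	    "$router2_wan" "$wan_mode"
}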
    181 
# Verify what setup() built: run test_router against both routers with
# the addresses that match the requested address families.
#   $1 inner (LAN) address family, $2 outer (WAN) address family.
test_setup()
{
	local inner=$1
	local outer=$2

	local router1_lan router1_lan_mode router2_lan router2_lan_mode
	local router1_wan router2_wan wan_mode

	case "$inner" in
	ipv6)
		router1_lan=$ROUTER1_LANIP6
		router2_lan=$ROUTER2_LANIP6
		router1_lan_mode=ipv6
		router2_lan_mode=ipv6
		;;
	*)
		router1_lan=$ROUTER1_LANIP
		router2_lan=$ROUTER2_LANIP
		router1_lan_mode=ipv4
		router2_lan_mode=ipv4
		;;
	esac

	wan_mode=ipv4
	router1_wan=$ROUTER1_WANIP
	router2_wan=$ROUTER2_WANIP
	if [ "$outer" = "ipv6" ]; then
		wan_mode=ipv6
		router1_wan=$ROUTER1_WANIP6
		router2_wan=$ROUTER2_WANIP6
	fi

	test_router "$SOCK1" "$router1_lan" "$router1_lan_mode" \
	    "$router1_wan" "$wan_mode"
	test_router "$SOCK2" "$router2_lan" "$router2_lan_mode" \
	    "$router2_wan" "$wan_mode"
}
    214 
# Print the "unique#" id of the security policy on rump server $1 whose
# dump line starts with address $2 and ends with "($3)" ($3 is the
# "ipv4"/"ipv6" tag).  Output is empty when no such policy is listed.
# Note: $2 is used as an unescaped basic regex, so "10.0.0.1" also
# matches lines starting with "10.0.0.11"; callers rely on only one
# matching policy being present at the time of the lookup.
get_if_ipsec_unique()
{
	local sock=$1
	local src=$2
	local proto=$3
	local unique=""

	export RUMP_SERVER=$sock
	# The policy header line is followed by its request lines; the id
	# is found on one of the two lines after the header.
	# $HIJACKING is deliberately unquoted: it may hold several words.
	unique=$($HIJACKING setkey -DP \
	    | grep -A2 "^${src}.*(${proto})$" \
	    | grep unique \
	    | sed 's/.*unique#//')
	unset RUMP_SERVER

	echo $unique
}
    228 
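# Create ipsec0 on rump server $1 and route the peer LAN through it.
#   $2 local tunnel address, $3 remote tunnel address,
#   $4 "ipv4"|"ipv6" family of $2/$3, $5 outer source, $6 outer
#   destination, $7 peer LAN prefix to route via $2.
# Unlike the original, RUMP_SERVER is unset on return, matching
# setup_dummy_if_ipsec and setup_router.
setup_if_ipsec()
{
	local sock=$1
	local addr=$2
	local remote=$3
	local inner=$4
	local src=$5
	local dst=$6
	local peernet=$7

	export RUMP_SERVER=$sock
	atf_check -s exit:0 rump.ifconfig ipsec0 create
	atf_check -s exit:0 rump.ifconfig ipsec0 tunnel "$src" "$dst"
	if [ "$inner" = "ipv6" ]; then
		atf_check -s exit:0 rump.ifconfig ipsec0 inet6 "$addr"/128 "$remote"
		atf_check -s exit:0 -o ignore rump.route add -inet6 "$peernet" "$addr"
	else
		atf_check -s exit:0 rump.ifconfig ipsec0 inet "$addr"/32 "$remote"
		atf_check -s exit:0 -o ignore rump.route add -inet "$peernet" "$addr"
	fi

	# Leave the interface and routing table in the test log.
	rump.ifconfig ipsec0
	rump.route -nL show
	unset RUMP_SERVER
}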
    253 
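# Install the inbound/outbound SA pair for ipsec0 on rump server $1.
#   $2 local outer address, $3 remote outer address,
#   $4 "ipv4"|"ipv6" tag of the policies to bind the SAs to,
#   $5 protocol (esp), $6 algorithm accepted by generate_algo_args,
#   $7 "1to2"|"2to1": which router this is, so both ends choose the
#   matching SPI for each direction.
# Each SA is bound with -u to the unique policy id that if_ipsec(4)
# created for the tunnel (looked up with get_if_ipsec_unique).
setup_if_ipsec_sa()
{
	local sock=$1
	local src=$2
	local dst=$3
	local mode=$4
	local proto=$5
	local algo=$6
	local dir=$7

	local tmpfile=./tmp
	local inunique=""
	local outunique=""
	local inid=""
	local outid=""
	local algo_args=""

	# Assigned separately from 'local' so a failing helper is not masked.
	algo_args=$(generate_algo_args "$proto" "$algo")

	inunique=$(get_if_ipsec_unique "$sock" "$dst" "$mode")
	outunique=$(get_if_ipsec_unique "$sock" "$src" "$mode")
	# An empty id would leave "-u" without a value and setkey would
	# reject the whole file; fail with a message that names the policy.
	if [ -z "$inunique" ] || [ -z "$outunique" ]; then
		atf_fail "no unique policy id for ${src}/${dst} (${mode})"
	fi

	# SPIs: 1000x for ipv4-tagged policies, 1001x for ipv6-tagged ones.
	# The inbound SPI on one router is the outbound SPI on the other.
	if [ "$dir" = "1to2" ]; then
		if [ "$mode" = "ipv6" ]; then
			inid="10010"
			outid="10011"
		else
			inid="10000"
			outid="10001"
		fi
	else
		if [ "$mode" = "ipv6" ]; then
			inid="10011"
			outid="10010"
		else
			inid="10001"
			outid="10000"
		fi
	fi

	# Indented with tabs only so that <<- strips them.
	cat > "$tmpfile" <<-EOF
	add $dst $src $proto $inid -u $inunique $algo_args;
	add $src $dst $proto $outid -u $outunique $algo_args;
	EOF
	$DEBUG && cat "$tmpfile"
	export RUMP_SERVER=$sock
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	$DEBUG && $HIJACKING setkey -D
	$DEBUG && $HIJACKING setkey -DP
	unset RUMP_SERVER
}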
    303 
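# Build the ipsec0 tunnel between ROUTER1 and ROUTER2.
#   $1 inner address family (carried traffic), $2 outer address family
#   (tunnel endpoints), $3 protocol, $4 algorithm.
# Each router gets the interface plus a route to the peer LAN, then the
# SAs bound to the interface's policies.  For IPv6 over IPv4 an extra SA
# pair bound to the ipv4-tagged policies is installed before the
# ipv6-tagged one.
# setup_if_ipsec takes seven arguments; the original passed proto and
# algo to it for ROUTER2 as well, which were silently ignored.
setup_tunnel()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	local addr=""
	local remote=""
	local src=""
	local dst=""
	local peernet=""

	# ROUTER1 side.
	if [ "$inner" = "ipv6" ]; then
		addr=$ROUTER1_IPSECIP6
		remote=$ROUTER2_IPSECIP6
		peernet=$ROUTER2_LANNET6
	else
		addr=$ROUTER1_IPSECIP
		remote=$ROUTER2_IPSECIP
		peernet=$ROUTER2_LANNET
	fi
	if [ "$outer" = "ipv6" ]; then
		src=$ROUTER1_WANIP6
		dst=$ROUTER2_WANIP6
	else
		src=$ROUTER1_WANIP
		dst=$ROUTER2_WANIP
	fi
	setup_if_ipsec "$SOCK1" "$addr" "$remote" "$inner" \
	    "$src" "$dst" "$peernet"

	if [ "$inner" = "ipv6" ] && [ "$outer" = "ipv4" ]; then
		setup_if_ipsec_sa "$SOCK1" "$src" "$dst" "$outer" "$proto" "$algo" "1to2"
	fi
	setup_if_ipsec_sa "$SOCK1" "$src" "$dst" "$inner" "$proto" "$algo" "1to2"

	# ROUTER2 side, the mirror image.
	if [ "$inner" = "ipv6" ]; then
		addr=$ROUTER2_IPSECIP6
		remote=$ROUTER1_IPSECIP6
		peernet=$ROUTER1_LANNET6
	else
		addr=$ROUTER2_IPSECIP
		remote=$ROUTER1_IPSECIP
		peernet=$ROUTER1_LANNET
	fi
	if [ "$outer" = "ipv6" ]; then
		src=$ROUTER2_WANIP6
		dst=$ROUTER1_WANIP6
	else
		src=$ROUTER2_WANIP
		dst=$ROUTER1_WANIP
	fi
	setup_if_ipsec "$SOCK2" "$addr" "$remote" "$inner" \
	    "$src" "$dst" "$peernet"

	if [ "$inner" = "ipv6" ] && [ "$outer" = "ipv4" ]; then
		setup_if_ipsec_sa "$SOCK2" "$src" "$dst" "$outer" "$proto" "$algo" "2to1"
	fi
	setup_if_ipsec_sa "$SOCK2" "$src" "$dst" "$inner" "$proto" "$algo" "2to1"
}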
    364 
# Check that ipsec0 exists on both routers and that the route to the
# peer LAN goes through it.  $1 is the inner address family.
# RUMP_SERVER is left pointing at $SOCK2 on return, as before.
test_setup_tunnel()
{
	local mode=$1

	local opt=-inet
	local peernet1=$ROUTER2_LANNET
	local peernet2=$ROUTER1_LANNET
	if [ "$mode" = "ipv6" ]; then
		opt=-inet6
		peernet1=$ROUTER2_LANNET6
		peernet2=$ROUTER1_LANNET6
	fi

	# ROUTER1 reaches ROUTER2's LAN via ipsec0 ...
	export RUMP_SERVER=$SOCK1
	atf_check -s exit:0 -o match:ipsec0 rump.ifconfig
	atf_check -s exit:0 -o match:ipsec0 rump.route -nL get "$opt" "$peernet1"

	# ... and ROUTER2 reaches ROUTER1's LAN the same way.
	export RUMP_SERVER=$SOCK2
	atf_check -s exit:0 -o match:ipsec0 rump.ifconfig
	atf_check -s exit:0 -o match:ipsec0 rump.route -nL get "$opt" "$peernet2"
}
    393 
# Remove ipsec0 on both routers and flush the SAs installed for it.
teardown_tunnel()
{
	local sock

	for sock in "$SOCK1" "$SOCK2"; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel
		atf_check -s exit:0 rump.ifconfig ipsec0 destroy
		# Flush the SA database (result not checked, as before).
		$HIJACKING setkey -F
	done

	unset RUMP_SERVER
}
    408 
# Create the second ("dummy") interface ipsec1 on rump server $1.
#   $2 local tunnel address, $3 remote tunnel address, $4 family of
#   $2/$3 ("ipv4"|"ipv6"), $5 outer source, $6 outer destination.
# No route is added for it; the ioctl tests only need it to exist.
setup_dummy_if_ipsec()
{
	local sock=$1
	local addr=$2
	local remote=$3
	local inner=$4
	local src=$5
	local dst=$6

	export RUMP_SERVER=$sock
	atf_check -s exit:0 rump.ifconfig ipsec1 create
	atf_check -s exit:0 rump.ifconfig ipsec1 tunnel "$src" "$dst"
	case "$inner" in
	ipv6)
		atf_check -s exit:0 rump.ifconfig ipsec1 inet6 "$addr"/128 "$remote"
		;;
	*)
		atf_check -s exit:0 rump.ifconfig ipsec1 inet "$addr"/32 "$remote"
		;;
	esac

	rump.ifconfig ipsec1
	unset RUMP_SERVER
}
    430 
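# Install the SA pair for the dummy interface ipsec1 on rump server $1.
# Same parameters as setup_if_ipsec_sa ($2 local outer, $3 remote outer,
# $4 policy tag, $5 protocol, $6 algorithm, $7 "1to2"|"2to1") but the
# SPIs are 20000/20001 so they never collide with ipsec0's.
setup_dummy_if_ipsec_sa()
{
	local sock=$1
	local src=$2
	local dst=$3
	local mode=$4
	local proto=$5
	local algo=$6
	local dir=$7

	local tmpfile=./tmp
	local inunique=""
	local outunique=""
	local inid=""
	local outid=""
	local algo_args=""

	# Assigned separately from 'local' so a failing helper is not masked.
	algo_args=$(generate_algo_args "$proto" "$algo")

	inunique=$(get_if_ipsec_unique "$sock" "$dst" "$mode")
	outunique=$(get_if_ipsec_unique "$sock" "$src" "$mode")
	# An empty id would leave "-u" without a value and setkey would
	# reject the whole file; fail with a message that names the policy.
	if [ -z "$inunique" ] || [ -z "$outunique" ]; then
		atf_fail "no unique policy id for ${src}/${dst} (${mode})"
	fi

	# The inbound SPI on one router is the outbound SPI on the other.
	if [ "$dir" = "1to2" ]; then
		inid="20000"
		outid="20001"
	else
		inid="20001"
		outid="20000"
	fi

	# Indented with tabs only so that <<- strips them.
	cat > "$tmpfile" <<-EOF
	add $dst $src $proto $inid -u $inunique $algo_args;
	add $src $dst $proto $outid -u $outunique $algo_args;
	EOF
	$DEBUG && cat "$tmpfile"
	export RUMP_SERVER=$sock
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	$DEBUG && $HIJACKING setkey -D
	$DEBUG && $HIJACKING setkey -DP
	unset RUMP_SERVER
}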
    470 
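# Build the second ("dummy") tunnel ipsec1 between the routers using the
# *_DUMMY addresses, so the ioctl tests have a conflicting set of
# endpoints to play with.
#   $1 inner address family, $2 outer address family, $3 protocol,
#   $4 algorithm.
# setup_dummy_if_ipsec takes six arguments; the original also passed
# proto, algo and the direction, which it silently ignored.
setup_dummy_tunnel()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	local addr=""
	local remote=""
	local src=""
	local dst=""

	# ROUTER1 side.
	if [ "$inner" = "ipv6" ]; then
		addr=$ROUTER1_IPSECIP6_DUMMY
		remote=$ROUTER2_IPSECIP6_DUMMY
	else
		addr=$ROUTER1_IPSECIP_DUMMY
		remote=$ROUTER2_IPSECIP_DUMMY
	fi
	if [ "$outer" = "ipv6" ]; then
		src=$ROUTER1_WANIP6_DUMMY
		dst=$ROUTER2_WANIP6_DUMMY
	else
		src=$ROUTER1_WANIP_DUMMY
		dst=$ROUTER2_WANIP_DUMMY
	fi
	setup_dummy_if_ipsec "$SOCK1" "$addr" "$remote" "$inner" \
	    "$src" "$dst"
	setup_dummy_if_ipsec_sa "$SOCK1" "$src" "$dst" "$inner" "$proto" "$algo" "1to2"

	# ROUTER2 side, the mirror image.
	if [ "$inner" = "ipv6" ]; then
		addr=$ROUTER2_IPSECIP6_DUMMY
		remote=$ROUTER1_IPSECIP6_DUMMY
	else
		addr=$ROUTER2_IPSECIP_DUMMY
		remote=$ROUTER1_IPSECIP_DUMMY
	fi
	if [ "$outer" = "ipv6" ]; then
		src=$ROUTER2_WANIP6_DUMMY
		dst=$ROUTER1_WANIP6_DUMMY
	else
		src=$ROUTER2_WANIP_DUMMY
		dst=$ROUTER1_WANIP_DUMMY
	fi
	setup_dummy_if_ipsec "$SOCK2" "$addr" "$remote" "$inner" \
	    "$src" "$dst"
	setup_dummy_if_ipsec_sa "$SOCK2" "$src" "$dst" "$inner" "$proto" "$algo" "2to1"
}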
    519 
# Check that the dummy interface ipsec1 exists on both routers.
test_setup_dummy_tunnel()
{
	local sock

	for sock in "$SOCK1" "$SOCK2"; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 -o match:ipsec1 rump.ifconfig
	done

	unset RUMP_SERVER
}
    530 
# Remove the dummy interface ipsec1 on both routers.  Its SAs are not
# flushed here; teardown_tunnel's "setkey -F" takes care of them.
teardown_dummy_tunnel()
{
	local sock

	for sock in "$SOCK1" "$SOCK2"; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel
		atf_check -s exit:0 rump.ifconfig ipsec1 destroy
	done

	unset RUMP_SERVER
}
    543 
# Create a nested ipsec(4) interface $2 on rump server $1 and install
# its SAs.  The tunnel endpoints $6/$7 are addresses of another tunnel,
# which is what makes the interface recursive.
#   $3 local inner address, $4 remote inner address, $5 family of
#   $3/$4, $8 protocol, $9 algorithm, $10 "1to2"|"2to1".
setup_recursive_if_ipsec()
{
	local sock=$1
	local ipsec=$2
	local addr=$3
	local remote=$4
	local inner=$5
	local src=$6
	local dst=$7
	local proto=$8
	local algo=$9
	local dir=${10}

	export RUMP_SERVER=$sock
	atf_check -s exit:0 rump.ifconfig "$ipsec" create
	atf_check -s exit:0 rump.ifconfig "$ipsec" tunnel "$src" "$dst"
	case "$inner" in
	ipv6)
		atf_check -s exit:0 rump.ifconfig "$ipsec" inet6 "$addr"/128 "$remote"
		;;
	*)
		atf_check -s exit:0 rump.ifconfig "$ipsec" inet "$addr"/32 "$remote"
		;;
	esac
	setup_if_ipsec_sa "$sock" "$src" "$dst" "$inner" "$proto" "$algo" "$dir"

	# setup_if_ipsec_sa unsets RUMP_SERVER, so point it back for the dump.
	export RUMP_SERVER=$sock
	rump.ifconfig "$ipsec"
	unset RUMP_SERVER
}
    571 
# ROUTER1 only: stack two more tunnels on top of ipsec0 -- ipsec1 runs
# over ipsec0's addresses and ipsec2 over ipsec1's -- so that traffic
# through ipsec2 recurses into the ipsec output path.
#   $1 address family used for every layer, $2 protocol, $3 algorithm.
setup_recursive_tunnels()
{
	local mode=$1
	local proto=$2
	local algo=$3

	local addr remote src dst

	# ipsec1: endpoints are the ipsec0 tunnel addresses.
	case "$mode" in
	ipv6)
		addr=$ROUTER1_IPSECIP6_RECURSIVE1
		remote=$ROUTER2_IPSECIP6_RECURSIVE1
		src=$ROUTER1_IPSECIP6
		dst=$ROUTER2_IPSECIP6
		;;
	*)
		addr=$ROUTER1_IPSECIP_RECURSIVE1
		remote=$ROUTER2_IPSECIP_RECURSIVE1
		src=$ROUTER1_IPSECIP
		dst=$ROUTER2_IPSECIP
		;;
	esac
	setup_recursive_if_ipsec "$SOCK1" ipsec1 "$addr" "$remote" "$mode" \
	    "$src" "$dst" "$proto" "$algo" "1to2"

	# ipsec2: endpoints are the ipsec1 tunnel addresses.
	case "$mode" in
	ipv6)
		addr=$ROUTER1_IPSECIP6_RECURSIVE2
		remote=$ROUTER2_IPSECIP6_RECURSIVE2
		src=$ROUTER1_IPSECIP6_RECURSIVE1
		dst=$ROUTER2_IPSECIP6_RECURSIVE1
		;;
	*)
		addr=$ROUTER1_IPSECIP_RECURSIVE2
		remote=$ROUTER2_IPSECIP_RECURSIVE2
		src=$ROUTER1_IPSECIP_RECURSIVE1
		dst=$ROUTER2_IPSECIP_RECURSIVE1
		;;
	esac
	setup_recursive_if_ipsec "$SOCK1" ipsec2 "$addr" "$remote" "$mode" \
	    "$src" "$dst" "$proto" "$algo" "1to2"
}
    612 
# ROUTER1 only: a ping through the innermost recursive tunnel must fail,
# and the kernel must have logged that ipsec0 was "recursively called
# too many times".  $1 is the address family of the tunnels.
test_recursive_check()
{
	local mode=$1

	export RUMP_SERVER=$SOCK1
	case "$mode" in
	ipv6)
		atf_check -s not-exit:0 -o ignore -e ignore \
		    rump.ping6 -n -X "$TIMEOUT" -c 1 "$ROUTER2_IPSECIP6_RECURSIVE2"
		;;
	*)
		atf_check -s not-exit:0 -o ignore -e ignore \
		    rump.ping -n -w "$TIMEOUT" -c 1 "$ROUTER2_IPSECIP_RECURSIVE2"
		;;
	esac

	atf_check -o match:'ipsec0: recursively called too many times' \
	    -x "$HIJACKING dmesg"

	# Keep the full kernel log in the test output for diagnosis.
	$HIJACKING dmesg

	unset RUMP_SERVER
}
    634 
# ROUTER1 only: remove the two nested interfaces built by
# setup_recursive_tunnels.
teardown_recursive_tunnels()
{
	local ifname

	export RUMP_SERVER=$SOCK1
	for ifname in ipsec1 ipsec2; do
		atf_check -s exit:0 rump.ifconfig "$ifname" deletetunnel
		atf_check -s exit:0 rump.ifconfig "$ifname" destroy
	done
	unset RUMP_SERVER
}
    644 
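# With no tunnel in place, a LAN-to-LAN ping must fail in both directions.
#   $1 inner (LAN) address family.
# Fix: the ROUTER2 IPv4 case pinged ROUTER2's own LAN address with
# ROUTER1's address as source (copy-and-paste from the ROUTER1 case);
# it now mirrors the IPv6 case and test_ping_success: source ROUTER2,
# destination ROUTER1.
test_ping_failure()
{
	local mode=$1

	export RUMP_SERVER=$SOCK1
	if [ "$mode" = "ipv6" ]; then
		atf_check -s not-exit:0 -o ignore -e ignore \
		    rump.ping6 -n -X "$TIMEOUT" -c 1 -S "$ROUTER1_LANIP6" \
		    "$ROUTER2_LANIP6"
	else
		atf_check -s not-exit:0 -o ignore -e ignore \
		    rump.ping -n -w "$TIMEOUT" -c 1 -I "$ROUTER1_LANIP" \
		    "$ROUTER2_LANIP"
	fi

	export RUMP_SERVER=$SOCK2
	if [ "$mode" = "ipv6" ]; then
		atf_check -s not-exit:0 -o ignore -e ignore \
		    rump.ping6 -n -X "$TIMEOUT" -c 1 -S "$ROUTER2_LANIP6" \
		    "$ROUTER1_LANIP6"
	else
		atf_check -s not-exit:0 -o ignore -e ignore \
		    rump.ping -n -w "$TIMEOUT" -c 1 -I "$ROUTER2_LANIP" \
		    "$ROUTER1_LANIP"
	fi

	unset RUMP_SERVER
}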
    673 
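# With the tunnel up, a LAN-to-LAN ping must succeed in both directions.
#   $1 inner (LAN) address family.
# "rump.ifconfig -v ipsec0" is run before and after each ping so the
# interface state lands in the test log.  mode is now local; the
# original leaked it as a global.
test_ping_success()
{
	local mode=$1

	export RUMP_SERVER=$SOCK1
	rump.ifconfig -v ipsec0
	if [ "$mode" = "ipv6" ]; then
		# XXX
		# rump.ping6 rarely fails with the message that
		# "failed to get receiving hop limit".
		# This is a known issue being analyzed.
		atf_check -s exit:0 -o ignore \
		    rump.ping6 -n -X "$TIMEOUT" -c 1 -S "$ROUTER1_LANIP6" \
		    "$ROUTER2_LANIP6"
	else
		atf_check -s exit:0 -o ignore \
		    rump.ping -n -w "$TIMEOUT" -c 1 -I "$ROUTER1_LANIP" \
		    "$ROUTER2_LANIP"
	fi
	rump.ifconfig -v ipsec0

	export RUMP_SERVER=$SOCK2
	rump.ifconfig -v ipsec0
	if [ "$mode" = "ipv6" ]; then
		atf_check -s exit:0 -o ignore \
		    rump.ping6 -n -X "$TIMEOUT" -c 1 -S "$ROUTER2_LANIP6" \
		    "$ROUTER1_LANIP6"
	else
		atf_check -s exit:0 -o ignore \
		    rump.ping -n -w "$TIMEOUT" -c 1 -I "$ROUTER2_LANIP" \
		    "$ROUTER1_LANIP"
	fi
	rump.ifconfig -v ipsec0

	unset RUMP_SERVER
}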
    710 
# Try to re-point ipsec0 at the endpoints the dummy interface ipsec1 is
# already using.  The check expects exit status 0 together with
# SIOCSLIFPHYADDR on stderr, i.e. ifconfig reports the ioctl failure
# as a warning (the original asserts exactly this).  $1 is the outer
# address family.
test_change_tunnel_duplicate()
{
	local mode=$1

	local newsrc newdst

	case "$mode" in
	ipv6)
		newsrc=$ROUTER1_WANIP6_DUMMY
		newdst=$ROUTER2_WANIP6_DUMMY
		;;
	*)
		newsrc=$ROUTER1_WANIP_DUMMY
		newdst=$ROUTER2_WANIP_DUMMY
		;;
	esac
	export RUMP_SERVER=$SOCK1
	rump.ifconfig -v ipsec0
	rump.ifconfig -v ipsec1
	atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \
	    rump.ifconfig ipsec0 tunnel "$newsrc" "$newdst"
	rump.ifconfig -v ipsec0
	rump.ifconfig -v ipsec1

	case "$mode" in
	ipv6)
		newsrc=$ROUTER2_WANIP6_DUMMY
		newdst=$ROUTER1_WANIP6_DUMMY
		;;
	*)
		newsrc=$ROUTER2_WANIP_DUMMY
		newdst=$ROUTER1_WANIP_DUMMY
		;;
	esac
	export RUMP_SERVER=$SOCK2
	rump.ifconfig -v ipsec0
	rump.ifconfig -v ipsec1
	atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \
	    rump.ifconfig ipsec0 tunnel "$newsrc" "$newdst"
	rump.ifconfig -v ipsec0
	rump.ifconfig -v ipsec1

	unset RUMP_SERVER
}
    749 
# After the dummy interface is gone, re-pointing ipsec0 at the *_DUMMY
# endpoints must succeed on both routers.  $1 is the outer address
# family.
test_change_tunnel_success()
{
	local mode=$1

	local newsrc newdst

	case "$mode" in
	ipv6)
		newsrc=$ROUTER1_WANIP6_DUMMY
		newdst=$ROUTER2_WANIP6_DUMMY
		;;
	*)
		newsrc=$ROUTER1_WANIP_DUMMY
		newdst=$ROUTER2_WANIP_DUMMY
		;;
	esac
	export RUMP_SERVER=$SOCK1
	rump.ifconfig -v ipsec0
	atf_check -s exit:0 \
	    rump.ifconfig ipsec0 tunnel "$newsrc" "$newdst"
	rump.ifconfig -v ipsec0

	case "$mode" in
	ipv6)
		newsrc=$ROUTER2_WANIP6_DUMMY
		newdst=$ROUTER1_WANIP6_DUMMY
		;;
	*)
		newsrc=$ROUTER2_WANIP_DUMMY
		newdst=$ROUTER1_WANIP_DUMMY
		;;
	esac
	export RUMP_SERVER=$SOCK2
	rump.ifconfig -v ipsec0
	atf_check -s exit:0 \
	    rump.ifconfig ipsec0 tunnel "$newsrc" "$newdst"
	rump.ifconfig -v ipsec0

	unset RUMP_SERVER
}
    784 
# "basic" category setup: routers, a single ipsec0 tunnel, then the
# tunnel checks.  $1 inner family, $2 outer family, $3 protocol,
# $4 algorithm.
basic_setup()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	setup "$inner" "$outer"
	test_setup "$inner" "$outer"

	# Enable once PR kern/49219 is fixed
	#test_ping_failure

	setup_tunnel "$inner" "$outer" "$proto" "$algo"
	# Give the interfaces a moment before probing them.
	sleep 1
	test_setup_tunnel "$inner"
}
    802 
# "basic" category test: LAN-to-LAN pings through the tunnel.
#   $1 inner family; $2 (outer family) is accepted but unused.
basic_test()
{
	local inner=$1
	local outer=$2 # not use

	test_ping_success "$inner"
}
    810 
# "basic" category teardown: drop the tunnel and confirm the LANs no
# longer reach each other.  $1 inner family; $2 is unused.
basic_teardown()
{
	local inner=$1
	local outer=$2 # not use

	teardown_tunnel
	test_ping_failure "$inner"
}
    819 
# "ioctl" category setup: like basic_setup plus the dummy tunnel ipsec1,
# whose endpoints the ioctl tests later try to reuse.
#   $1 inner family, $2 outer family, $3 protocol, $4 algorithm.
ioctl_setup()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	setup "$inner" "$outer"
	test_setup "$inner" "$outer"

	# Enable once PR kern/49219 is fixed
	#test_ping_failure

	setup_tunnel "$inner" "$outer" "$proto" "$algo"
	setup_dummy_tunnel "$inner" "$outer" "$proto" "$algo"
	# Give the interfaces a moment before probing them.
	sleep 1
	test_setup_tunnel "$inner"
}
    838 
# "ioctl" category test: pings work, changing ipsec0 to endpoints held
# by ipsec1 is refused, and succeeds once ipsec1 is gone.
#   $1 inner family, $2 outer family.
ioctl_test()
{
	local inner=$1
	local outer=$2

	test_ping_success "$inner"

	test_change_tunnel_duplicate "$outer"

	teardown_dummy_tunnel
	test_change_tunnel_success "$outer"
}
    851 
# "ioctl" category teardown, identical to basic_teardown.
#   $1 inner family; $2 is unused.
ioctl_teardown()
{
	local inner=$1
	local outer=$2 # not use

	teardown_tunnel
	test_ping_failure "$inner"
}
    860 
# "recursive" category setup: like basic_setup plus the two nested
# tunnels on ROUTER1.  $1 inner family, $2 outer family, $3 protocol,
# $4 algorithm.
recursive_setup()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	setup "$inner" "$outer"
	test_setup "$inner" "$outer"

	# Enable once PR kern/49219 is fixed
	#test_ping_failure

	setup_tunnel "$inner" "$outer" "$proto" "$algo"
	setup_recursive_tunnels "$inner" "$proto" "$algo"
	# Give the interfaces a moment before probing them.
	sleep 1
	test_setup_tunnel "$inner"
}
    879 
# "recursive" category test: the recursion must be detected.
#   $1 inner family; $2 is unused.
recursive_test()
{
	local inner=$1
	local outer=$2 # not use

	test_recursive_check "$inner"
}
    887 
# "recursive" category teardown: nested tunnels first, then ipsec0.
# Both parameters are accepted for the common interface but unused.
recursive_teardown()
{
	local inner=$1 # not use
	local outer=$2 # not use

	teardown_recursive_tunnels
	teardown_tunnel
}
    896 
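# Register one generated test case.
#   $1 category (basic|ioctl|recursive), naming the <category>_setup,
#      <category>_test and <category>_teardown functions,
#   $2 description suffix, $3 inner family, $4 outer family,
#   $5 protocol, $6 algorithm (its dashes are dropped from the name).
# name and fulldesc are now local; the original leaked them as globals.
add_test()
{
	local category=$1
	local desc=$2
	local inner=$3
	local outer=$4
	local proto=$5
	local algo=$6
	local _algo=""
	local name=""
	local fulldesc=""

	_algo=$(echo "$algo" | sed 's/-//g')
	name="ipsecif_${category}_${inner}over${outer}_${proto}_${_algo}"
	fulldesc="Does ${inner} over ${outer} if_ipsec ${desc}"

	atf_test_case ${name} cleanup
	# The parameters are expanded into the function bodies right here;
	# only \$DEBUG is left for the cleanup function to evaluate at run
	# time.  All values come from this file's own constant lists.
	eval "${name}_head() {
			atf_set descr \"${fulldesc}\"
			atf_set require.progs rump_server setkey
		}
	    ${name}_body() {
			${category}_setup ${inner} ${outer} ${proto} ${algo}
			${category}_test ${inner} ${outer}
			${category}_teardown ${inner} ${outer}
			rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
			\$DEBUG && dump
			cleanup
		}"
	atf_add_test_case ${name}
}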
    927 
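# Register the test case $1 (category) with description $2 for every
# inner/outer address family combination and every ESP algorithm in
# ESP_ENCRYPTION_ALGORITHMS_MINIMUM.  The loop variable is now local;
# the original leaked the last algorithm name as a global.
add_test_allproto()
{
	local category=$1
	local desc=$2
	local algo

	# Deliberately unquoted: the list is a whitespace-separated string.
	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		add_test "$category" "$desc" ipv4 ipv4 esp "$algo"
		add_test "$category" "$desc" ipv4 ipv6 esp "$algo"
		add_test "$category" "$desc" ipv6 ipv4 esp "$algo"
		add_test "$category" "$desc" ipv6 ipv6 esp "$algo"
	done

	# ah does not support yet
}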
    942 
# ATF entry point: the standalone create/destroy case plus the three
# generated families.
atf_init_test_cases()
{

	atf_add_test_case ipsecif_create_destroy

	add_test_allproto basic "basic tests"
	add_test_allproto ioctl "ioctl tests"
	add_test_allproto recursive "recursive check tests"
}
    952