# $NetBSD: t_ipsec.sh,v 1.3.4.1 2018/03/15 09:12:08 pgoyette Exp $
#
# Copyright (c) 2017 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#

# Control sockets of the two rump kernels that play the routers.
SOCK1=unix://commsock1	# ROUTER1
SOCK2=unix://commsock2	# ROUTER2

# ROUTER1 addressing.  LAN side lives on shmif0, WAN side on shmif1 (see
# setup_router); IPSECIP* are the ipsec(4) tunnel endpoint addresses.
# The *_DUMMY variants belong to the second tunnel (ipsec1) used by the
# ioctl tests, the *_RECURSIVE* ones to the nested tunnels of the
# recursion tests.
ROUTER1_LANIP=192.168.1.1
ROUTER1_LANNET=192.168.1.0/24
ROUTER1_WANIP=10.0.0.1
ROUTER1_IPSECIP=172.16.1.1
ROUTER1_WANIP_DUMMY=10.0.0.11
ROUTER1_IPSECIP_DUMMY=172.16.11.1
ROUTER1_IPSECIP_RECURSIVE1=172.16.101.1
ROUTER1_IPSECIP_RECURSIVE2=172.16.201.1
ROUTER1_LANIP6=fc00:1::1
ROUTER1_LANNET6=fc00:1::/64
ROUTER1_WANIP6=fc00::1
ROUTER1_IPSECIP6=fc00:3::1
ROUTER1_WANIP6_DUMMY=fc00::11
ROUTER1_IPSECIP6_DUMMY=fc00:13::1
ROUTER1_IPSECIP6_RECURSIVE1=fc00:103::1
ROUTER1_IPSECIP6_RECURSIVE2=fc00:203::1

# ROUTER2 addressing, mirroring ROUTER1.
ROUTER2_LANIP=192.168.2.1
ROUTER2_LANNET=192.168.2.0/24
ROUTER2_WANIP=10.0.0.2
ROUTER2_IPSECIP=172.16.2.1
ROUTER2_WANIP_DUMMY=10.0.0.12
ROUTER2_IPSECIP_DUMMY=172.16.12.1
ROUTER2_IPSECIP_RECURSIVE1=172.16.102.1
ROUTER2_IPSECIP_RECURSIVE2=172.16.202.1
ROUTER2_LANIP6=fc00:2::1
ROUTER2_LANNET6=fc00:2::/64
ROUTER2_WANIP6=fc00::2
ROUTER2_IPSECIP6=fc00:4::1
ROUTER2_WANIP6_DUMMY=fc00::12
ROUTER2_IPSECIP6_DUMMY=fc00:14::1
ROUTER2_IPSECIP6_RECURSIVE1=fc00:104::1
ROUTER2_IPSECIP6_RECURSIVE2=fc00:204::1

# Set DEBUG=true in the environment for extra diagnostics (the generated
# setkey input, setkey -D/-DP listings, and the shared dump helper).
DEBUG=${DEBUG:-false}
# Seconds handed to ping -w / ping6 -X before a probe counts as failed.
TIMEOUT=7
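atf_test_case ipsecif_create_destroy cleanup
ipsecif_create_destroy_head()
{

	# The body creates and destroys ipsec(4) interfaces (ipsec0); the
	# previous description said "gif", which looked like a leftover
	# from a similar test and misdescribed this one.
	atf_set "descr" "Test creating/destroying ipsec interfaces"
	atf_set "require.progs" "rump_server"
}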
ipsecif_create_destroy_body()
{
	# One rump kernel with the ipsec component is enough: run the shared
	# create/destroy check against ipsec0 on it.
	rump_server_start "$SOCK1" ipsec
	test_create_destroy_common "$SOCK1" ipsec0
}
ipsecif_create_destroy_cleanup()
{
	# Optional diagnostics (DEBUG=true) before the common teardown.
	if $DEBUG; then
		dump
	fi
	cleanup
}
# Attach two shmif(4) interfaces to the rump kernel at $1 and address
# them: shmif0 (bus0) gets the LAN address $2 in family $3, shmif1 (bus1)
# gets the WAN address $4 in family $5.  Family is "ipv6" or anything
# else for IPv4.  Leaves RUMP_SERVER unset on return.
setup_router()
{
	local sock=$1
	local lan=$2
	local lan_mode=$3
	local wan=$4
	local wan_mode=$5

	rump_server_add_iface "$sock" shmif0 bus0
	rump_server_add_iface "$sock" shmif1 bus1

	export RUMP_SERVER=$sock
	case $lan_mode in
	ipv6)
		atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$lan"
		;;
	*)
		# LAN segments are /24 (0xffffff00).
		atf_check -s exit:0 rump.ifconfig shmif0 inet "$lan" netmask 0xffffff00
		;;
	esac
	atf_check -s exit:0 rump.ifconfig shmif0 up
	rump.ifconfig shmif0

	case $wan_mode in
	ipv6)
		atf_check -s exit:0 rump.ifconfig shmif1 inet6 "$wan"
		;;
	*)
		# The shared WAN segment is a /8 (0xff000000).
		atf_check -s exit:0 rump.ifconfig shmif1 inet "$wan" netmask 0xff000000
		;;
	esac
	atf_check -s exit:0 rump.ifconfig shmif1 up
	rump.ifconfig shmif1
	unset RUMP_SERVER
}
# Verify the router at $1 set up by setup_router: shmif0 and shmif1 must
# be listed by ifconfig and their own addresses ($2 in family $3, $4 in
# family $5) must answer one ping within $TIMEOUT seconds.
test_router()
{
	local sock=$1
	local lan=$2
	local lan_mode=$3
	local wan=$4
	local wan_mode=$5
	local ifname
	local addr
	local mode

	export RUMP_SERVER=$sock
	for ifname in shmif0 shmif1; do
		if [ "$ifname" = shmif0 ]; then
			addr=$lan
			mode=$lan_mode
		else
			addr=$wan
			mode=$wan_mode
		fi
		atf_check -s exit:0 -o "match:${ifname}" rump.ifconfig
		if [ "$mode" = "ipv6" ]; then
			atf_check -s exit:0 -o ignore \
			    rump.ping6 -n -c 1 -X "$TIMEOUT" "$addr"
		else
			atf_check -s exit:0 -o ignore \
			    rump.ping -n -c 1 -w "$TIMEOUT" "$addr"
		fi
	done
	unset RUMP_SERVER
}
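# Start both router rump kernels (with crypto, netipsec, netinet6 and the
# ipsec component) and address them via setup_router.
# $1 selects the LAN ("inner") family, $2 the WAN ("outer") family;
# "ipv6" or anything else for IPv4.
setup()
{
	local inner=$1
	local outer=$2
	# These were previously assigned without `local` and leaked into
	# the caller's namespace; nothing outside this function reads them.
	local router1_lan=""
	local router1_lan_mode=""
	local router2_lan=""
	local router2_lan_mode=""

	rump_server_crypto_start "$SOCK1" netipsec netinet6 ipsec
	rump_server_crypto_start "$SOCK2" netipsec netinet6 ipsec

	if [ "${inner}" = "ipv6" ]; then
		router1_lan=$ROUTER1_LANIP6
		router1_lan_mode="ipv6"
		router2_lan=$ROUTER2_LANIP6
		router2_lan_mode="ipv6"
	else
		router1_lan=$ROUTER1_LANIP
		router1_lan_mode="ipv4"
		router2_lan=$ROUTER2_LANIP
		router2_lan_mode="ipv4"
	fi

	if [ "${outer}" = "ipv6" ]; then
		setup_router "$SOCK1" "${router1_lan}" "${router1_lan_mode}" \
		    "$ROUTER1_WANIP6" ipv6
		setup_router "$SOCK2" "${router2_lan}" "${router2_lan_mode}" \
		    "$ROUTER2_WANIP6" ipv6
	else
		setup_router "$SOCK1" "${router1_lan}" "${router1_lan_mode}" \
		    "$ROUTER1_WANIP" ipv4
		setup_router "$SOCK2" "${router2_lan}" "${router2_lan_mode}" \
		    "$ROUTER2_WANIP" ipv4
	fi
}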
# Run test_router against both routers with the same family choices
# that setup() used: $1 is the LAN ("inner") family, $2 the WAN ("outer")
# family.
test_setup()
{
	local inner=$1
	local outer=$2
	local lan1 lan2 lan_mode
	local wan1 wan2 wan_mode

	if [ "${inner}" = "ipv6" ]; then
		lan1=$ROUTER1_LANIP6
		lan2=$ROUTER2_LANIP6
		lan_mode=ipv6
	else
		lan1=$ROUTER1_LANIP
		lan2=$ROUTER2_LANIP
		lan_mode=ipv4
	fi
	if [ "${outer}" = "ipv6" ]; then
		wan1=$ROUTER1_WANIP6
		wan2=$ROUTER2_WANIP6
		wan_mode=ipv6
	else
		wan1=$ROUTER1_WANIP
		wan2=$ROUTER2_WANIP
		wan_mode=ipv4
	fi

	test_router "$SOCK1" "$lan1" "$lan_mode" "$wan1" "$wan_mode"
	test_router "$SOCK2" "$lan2" "$lan_mode" "$wan2" "$wan_mode"
}
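# Print the "unique#" policy id that the kernel at $1 assigned to the
# SPD entry whose first line starts with address $2 and ends with
# "($3)"; callers pass the family label (ipv4/ipv6) as $3.
# Prints an empty line when no such policy is found.
get_if_ipsec_unique()
{
	local sock=$1
	local src=$2
	local proto=$3
	local unique=""

	export RUMP_SERVER=$sock
	# setkey -DP lists the SPD; the matching policy line is expected to
	# be followed within two lines by a "unique#N" entry, and N is the
	# result.  ${src} is interpolated into a basic regex, so its dots
	# match any character; harmless for the fixed addresses used here.
	unique=$($HIJACKING setkey -DP \
	    | grep -A2 "^${src}.*(${proto})$" \
	    | grep unique \
	    | sed 's/.*unique#//')
	unset RUMP_SERVER

	# Printed verbatim; the former unquoted echo would have silently
	# folded several matches onto one space-separated line.
	printf '%s\n' "$unique"
}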
# Create ipsec0 on the kernel at $1: outer tunnel $5 -> $6, inner
# point-to-point address $2 with peer $3 in family $4, and a route to the
# peer's LAN $7 via the tunnel.  Note that RUMP_SERVER stays exported on
# return, unlike most other helpers here.
setup_if_ipsec()
{
	local sock=$1
	local addr=$2
	local remote=$3
	local inner=$4
	local src=$5
	local dst=$6
	local peernet=$7
	local af plen routeaf

	if [ "${inner}" = "ipv6" ]; then
		af=inet6
		plen=128
		routeaf=-inet6
	else
		af=inet
		plen=32
		routeaf=-inet
	fi

	export RUMP_SERVER=$sock
	atf_check -s exit:0 rump.ifconfig ipsec0 create
	atf_check -s exit:0 rump.ifconfig ipsec0 tunnel "$src" "$dst"
	# Host-sized inner address; the peer is reached only through ipsec0.
	atf_check -s exit:0 rump.ifconfig ipsec0 "$af" "${addr}/${plen}" "$remote"
	atf_check -s exit:0 -o ignore rump.route add "$routeaf" "$peernet" "$addr"

	rump.ifconfig ipsec0
	rump.route -nL show
}
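# Install the SA pair for the ipsec0 tunnel on the kernel at $1.
# $2/$3 are the outer src/dst, $4 the family label used to find the
# policies (ipv4/ipv6), $5 the protocol (esp), $6 the algorithm name and
# $7 the direction, "1to2" or "2to1", which decides which SPI is inbound.
setup_if_ipsec_sa()
{
	local sock=$1
	local src=$2
	local dst=$3
	local mode=$4
	local proto=$5
	local algo=$6
	local dir=$7

	# Scratch file in the current directory (under ATF that is the
	# per-test work directory); it holds the SA keys and is fed to
	# setkey -c.
	local tmpfile=./tmp
	local inunique=""
	local outunique=""
	local inid=""
	local outid=""
	local algo_args=""

	# Assign separately from `local` so a failing helper is not masked
	# by local's own exit status; an empty result fails the test here
	# rather than at the later setkey -c.
	algo_args=$(generate_algo_args "$proto" "$algo")
	atf_check -s exit:0 test "X$algo_args" != "X"

	# The SAs must reference (-u) the unique ids of the policies that
	# "ifconfig ipsec0 tunnel" installed.
	inunique=$(get_if_ipsec_unique "$sock" "$dst" "$mode")
	atf_check -s exit:0 test "X$inunique" != "X"
	outunique=$(get_if_ipsec_unique "$sock" "$src" "$mode")
	atf_check -s exit:0 test "X$outunique" != "X"

	# SPIs: 1000x for IPv4, 1001x for IPv6.  The in/out pair is swapped
	# with the direction so that both routers agree on each SPI.
	if [ "${dir}" = "1to2" ]; then
		if [ "${mode}" = "ipv6" ]; then
			inid="10010"
			outid="10011"
		else
			inid="10000"
			outid="10001"
		fi
	else
		if [ "${mode}" = "ipv6" ]; then
			inid="10011"
			outid="10010"
		else
			inid="10001"
			outid="10000"
		fi
	fi

	cat > "$tmpfile" <<EOF
add $dst $src $proto $inid -u $inunique $algo_args;
add $src $dst $proto $outid -u $outunique $algo_args;
EOF
	$DEBUG && cat "$tmpfile"
	export RUMP_SERVER=$sock
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	$DEBUG && $HIJACKING setkey -D
	$DEBUG && $HIJACKING setkey -DP
	unset RUMP_SERVER
}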
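# Build the ipsec0 tunnel between the two routers: $1 is the inner
# family, $2 the outer family, $3 the protocol and $4 the algorithm.
# For IPv6 over IPv4 an additional SA pair keyed on the outer family is
# installed before the inner one.
setup_tunnel()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	local addr=""
	local remote=""
	local src=""
	local dst=""
	local peernet=""

	# ROUTER1 side.
	if [ "${inner}" = "ipv6" ]; then
		addr=$ROUTER1_IPSECIP6
		remote=$ROUTER2_IPSECIP6
		peernet=$ROUTER2_LANNET6
	else
		addr=$ROUTER1_IPSECIP
		remote=$ROUTER2_IPSECIP
		peernet=$ROUTER2_LANNET
	fi
	if [ "${outer}" = "ipv6" ]; then
		src=$ROUTER1_WANIP6
		dst=$ROUTER2_WANIP6
	else
		src=$ROUTER1_WANIP
		dst=$ROUTER2_WANIP
	fi
	setup_if_ipsec "$SOCK1" "${addr}" "${remote}" "${inner}" \
	    "${src}" "${dst}" "${peernet}"

	# Two separate tests instead of the deprecated, ambiguous `-a`.
	if [ "${inner}" = "ipv6" ] && [ "${outer}" = "ipv4" ]; then
		setup_if_ipsec_sa "$SOCK1" "${src}" "${dst}" "${outer}" \
		    "${proto}" "${algo}" "1to2"
	fi
	setup_if_ipsec_sa "$SOCK1" "${src}" "${dst}" "${inner}" \
	    "${proto}" "${algo}" "1to2"

	# ROUTER2 side, mirrored.
	if [ "${inner}" = "ipv6" ]; then
		addr=$ROUTER2_IPSECIP6
		remote=$ROUTER1_IPSECIP6
		peernet=$ROUTER1_LANNET6
	else
		addr=$ROUTER2_IPSECIP
		remote=$ROUTER1_IPSECIP
		peernet=$ROUTER1_LANNET
	fi
	if [ "${outer}" = "ipv6" ]; then
		src=$ROUTER2_WANIP6
		dst=$ROUTER1_WANIP6
	else
		src=$ROUTER2_WANIP
		dst=$ROUTER1_WANIP
	fi
	# setup_if_ipsec takes seven arguments; the proto/algo values that
	# used to trail this call were silently ignored, so they are gone.
	setup_if_ipsec "$SOCK2" "${addr}" "${remote}" "${inner}" \
	    "${src}" "${dst}" "${peernet}"
	if [ "${inner}" = "ipv6" ] && [ "${outer}" = "ipv4" ]; then
		setup_if_ipsec_sa "$SOCK2" "${src}" "${dst}" "${outer}" \
		    "${proto}" "${algo}" "2to1"
	fi
	setup_if_ipsec_sa "$SOCK2" "${src}" "${dst}" "${inner}" \
	    "${proto}" "${algo}" "2to1"
}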
# Check that ipsec0 exists on both routers and that each router's route
# to the other's LAN ($1 selects the family) goes through ipsec0.
# RUMP_SERVER is left pointing at $SOCK2 on return.
test_setup_tunnel()
{
	local mode=$1
	local net1 net2 opt

	# net1 is what ROUTER1 must reach, net2 what ROUTER2 must reach.
	if [ "${mode}" = "ipv6" ]; then
		net1=$ROUTER2_LANNET6
		net2=$ROUTER1_LANNET6
		opt=-inet6
	else
		net1=$ROUTER2_LANNET
		net2=$ROUTER1_LANNET
		opt=-inet
	fi

	export RUMP_SERVER=$SOCK1
	atf_check -s exit:0 -o match:ipsec0 rump.ifconfig
	atf_check -s exit:0 -o match:ipsec0 rump.route -nL get "$opt" "$net1"

	export RUMP_SERVER=$SOCK2
	atf_check -s exit:0 -o match:ipsec0 rump.ifconfig
	atf_check -s exit:0 -o match:ipsec0 rump.route -nL get "$opt" "$net2"
}
# Remove ipsec0 from both routers and flush their SADs.
teardown_tunnel()
{
	local sock

	for sock in "$SOCK1" "$SOCK2"; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel
		atf_check -s exit:0 rump.ifconfig ipsec0 destroy
		# The flush's exit status is not checked.
		$HIJACKING setkey -F
	done

	unset RUMP_SERVER
}
# Create the second tunnel interface ipsec1 on the kernel at $1: outer
# endpoints $5 -> $6, inner address $2 with peer $3 in family $4.  No
# route is added for it.
setup_dummy_if_ipsec()
{
	local sock=$1
	local addr=$2
	local remote=$3
	local inner=$4
	local src=$5
	local dst=$6
	local af plen

	if [ "${inner}" = "ipv6" ]; then
		af=inet6
		plen=128
	else
		af=inet
		plen=32
	fi

	export RUMP_SERVER=$sock
	atf_check -s exit:0 rump.ifconfig ipsec1 create
	atf_check -s exit:0 rump.ifconfig ipsec1 tunnel "$src" "$dst"
	atf_check -s exit:0 rump.ifconfig ipsec1 "$af" "${addr}/${plen}" "$remote"

	rump.ifconfig ipsec1
	unset RUMP_SERVER
}
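# Install the SA pair for the ipsec1 ("dummy") tunnel on the kernel at
# $1.  Same arguments as setup_if_ipsec_sa; the SPIs are 2000x so they
# never collide with those of ipsec0.
setup_dummy_if_ipsec_sa()
{
	local sock=$1
	local src=$2
	local dst=$3
	local mode=$4
	local proto=$5
	local algo=$6
	local dir=$7

	# Scratch file in the current directory (under ATF the per-test
	# work directory); holds the SA keys and is fed to setkey -c.
	local tmpfile=./tmp
	local inunique=""
	local outunique=""
	local inid=""
	local outid=""
	local algo_args=""

	# Separate assignment from `local` so a failing helper is visible;
	# an empty result fails here instead of at the later setkey -c.
	algo_args=$(generate_algo_args "$proto" "$algo")
	atf_check -s exit:0 test "X$algo_args" != "X"

	# The SAs must reference (-u) the policies installed by
	# "ifconfig ipsec1 tunnel".
	inunique=$(get_if_ipsec_unique "$sock" "$dst" "$mode")
	atf_check -s exit:0 test "X$inunique" != "X"
	outunique=$(get_if_ipsec_unique "$sock" "$src" "$mode")
	atf_check -s exit:0 test "X$outunique" != "X"

	# In/out SPIs are swapped with the direction so both routers agree.
	if [ "${dir}" = "1to2" ]; then
		inid="20000"
		outid="20001"
	else
		inid="20001"
		outid="20000"
	fi

	cat > "$tmpfile" <<EOF
add $dst $src $proto $inid -u $inunique $algo_args;
add $src $dst $proto $outid -u $outunique $algo_args;
EOF
	$DEBUG && cat "$tmpfile"
	export RUMP_SERVER=$sock
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	$DEBUG && $HIJACKING setkey -D
	$DEBUG && $HIJACKING setkey -DP
	unset RUMP_SERVER
}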
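# Build the second (ipsec1) tunnel between the routers using the *_DUMMY
# addresses.  $1 inner family, $2 outer family, $3 protocol, $4 algorithm.
setup_dummy_tunnel()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	local addr=""
	local remote=""
	local src=""
	local dst=""

	# ROUTER1 side.
	if [ "${inner}" = "ipv6" ]; then
		addr=$ROUTER1_IPSECIP6_DUMMY
		remote=$ROUTER2_IPSECIP6_DUMMY
	else
		addr=$ROUTER1_IPSECIP_DUMMY
		remote=$ROUTER2_IPSECIP_DUMMY
	fi
	if [ "${outer}" = "ipv6" ]; then
		src=$ROUTER1_WANIP6_DUMMY
		dst=$ROUTER2_WANIP6_DUMMY
	else
		src=$ROUTER1_WANIP_DUMMY
		dst=$ROUTER2_WANIP_DUMMY
	fi
	# setup_dummy_if_ipsec takes six arguments; the proto/algo/direction
	# values that used to trail these calls were ignored and are gone.
	setup_dummy_if_ipsec "$SOCK1" "${addr}" "${remote}" "${inner}" \
	    "${src}" "${dst}"
	setup_dummy_if_ipsec_sa "$SOCK1" "${src}" "${dst}" "${inner}" \
	    "${proto}" "${algo}" "1to2"

	# ROUTER2 side, mirrored.
	if [ "${inner}" = "ipv6" ]; then
		addr=$ROUTER2_IPSECIP6_DUMMY
		remote=$ROUTER1_IPSECIP6_DUMMY
	else
		addr=$ROUTER2_IPSECIP_DUMMY
		remote=$ROUTER1_IPSECIP_DUMMY
	fi
	if [ "${outer}" = "ipv6" ]; then
		src=$ROUTER2_WANIP6_DUMMY
		dst=$ROUTER1_WANIP6_DUMMY
	else
		src=$ROUTER2_WANIP_DUMMY
		dst=$ROUTER1_WANIP_DUMMY
	fi
	setup_dummy_if_ipsec "$SOCK2" "${addr}" "${remote}" "${inner}" \
	    "${src}" "${dst}"
	setup_dummy_if_ipsec_sa "$SOCK2" "${src}" "${dst}" "${inner}" \
	    "${proto}" "${algo}" "2to1"
}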
# ipsec1 must be present on both routers.
test_setup_dummy_tunnel()
{
	local sock

	for sock in "$SOCK1" "$SOCK2"; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 -o match:ipsec1 rump.ifconfig
	done

	unset RUMP_SERVER
}
# Remove ipsec1 from both routers (SAs are left for teardown_tunnel's
# flush).
teardown_dummy_tunnel()
{
	local sock

	for sock in "$SOCK1" "$SOCK2"; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel
		atf_check -s exit:0 rump.ifconfig ipsec1 destroy
	done

	unset RUMP_SERVER
}
# Create tunnel interface $2 on the kernel at $1 with outer endpoints
# $6 -> $7 and inner address $3 / peer $4 in family $5, then install its
# SA pair ($8 protocol, $9 algorithm, $10 direction) via
# setup_if_ipsec_sa.  Used to nest tunnels inside ipsec0.
setup_recursive_if_ipsec()
{
	local sock=$1
	local ipsec=$2
	local addr=$3
	local remote=$4
	local inner=$5
	local src=$6
	local dst=$7
	local proto=$8
	local algo=$9
	local dir=${10}
	local af plen

	if [ "${inner}" = "ipv6" ]; then
		af=inet6
		plen=128
	else
		af=inet
		plen=32
	fi

	export RUMP_SERVER=$sock
	atf_check -s exit:0 rump.ifconfig "$ipsec" create
	atf_check -s exit:0 rump.ifconfig "$ipsec" tunnel "$src" "$dst"
	atf_check -s exit:0 rump.ifconfig "$ipsec" "$af" "${addr}/${plen}" "$remote"
	setup_if_ipsec_sa "$sock" "$src" "$dst" "$inner" "$proto" "$algo" "$dir"

	# setup_if_ipsec_sa unsets RUMP_SERVER, hence the re-export.
	export RUMP_SERVER=$sock
	rump.ifconfig "$ipsec"
	unset RUMP_SERVER
}
# test in ROUTER1 only
# On ROUTER1 only: stack ipsec1 on top of ipsec0 and ipsec2 on top of
# ipsec1, each tunnel's outer endpoints being the previous tunnel's inner
# addresses.  $1 family, $2 protocol, $3 algorithm.
setup_recursive_tunnels()
{
	local mode=$1
	local proto=$2
	local algo=$3
	local addr remote src dst

	# Level 1: ipsec1 over the ipsec0 inner addresses.
	case $mode in
	ipv6)
		addr=$ROUTER1_IPSECIP6_RECURSIVE1
		remote=$ROUTER2_IPSECIP6_RECURSIVE1
		src=$ROUTER1_IPSECIP6
		dst=$ROUTER2_IPSECIP6
		;;
	*)
		addr=$ROUTER1_IPSECIP_RECURSIVE1
		remote=$ROUTER2_IPSECIP_RECURSIVE1
		src=$ROUTER1_IPSECIP
		dst=$ROUTER2_IPSECIP
		;;
	esac
	setup_recursive_if_ipsec "$SOCK1" ipsec1 "$addr" "$remote" "$mode" \
	    "$src" "$dst" "$proto" "$algo" "1to2"

	# Level 2: ipsec2 over the ipsec1 inner addresses.
	case $mode in
	ipv6)
		addr=$ROUTER1_IPSECIP6_RECURSIVE2
		remote=$ROUTER2_IPSECIP6_RECURSIVE2
		src=$ROUTER1_IPSECIP6_RECURSIVE1
		dst=$ROUTER2_IPSECIP6_RECURSIVE1
		;;
	*)
		addr=$ROUTER1_IPSECIP_RECURSIVE2
		remote=$ROUTER2_IPSECIP_RECURSIVE2
		src=$ROUTER1_IPSECIP_RECURSIVE1
		dst=$ROUTER2_IPSECIP_RECURSIVE1
		;;
	esac
	setup_recursive_if_ipsec "$SOCK1" ipsec2 "$addr" "$remote" "$mode" \
	    "$src" "$dst" "$proto" "$algo" "1to2"
}
# test in ROUTER1 only
# On ROUTER1 only: a ping through the doubly nested tunnel must fail,
# and the kernel must have logged the recursion guard message for ipsec0.
# $1 selects the family.
test_recursive_check()
{
	local mode=$1

	export RUMP_SERVER=$SOCK1
	case $mode in
	ipv6)
		atf_check -s not-exit:0 -o ignore -e ignore \
		    rump.ping6 -n -X "$TIMEOUT" -c 1 "$ROUTER2_IPSECIP6_RECURSIVE2"
		;;
	*)
		atf_check -s not-exit:0 -o ignore -e ignore \
		    rump.ping -n -w "$TIMEOUT" -c 1 "$ROUTER2_IPSECIP_RECURSIVE2"
		;;
	esac

	atf_check -o match:'ipsec0: recursively called too many times' \
	    -x "$HIJACKING dmesg"

	# Full kernel log for the test report.
	$HIJACKING dmesg

	unset RUMP_SERVER
}
# Remove the nested tunnels (ipsec1, ipsec2) from ROUTER1.
teardown_recursive_tunnels()
{
	local ifname

	export RUMP_SERVER=$SOCK1
	for ifname in ipsec1 ipsec2; do
		atf_check -s exit:0 rump.ifconfig "$ifname" deletetunnel
		atf_check -s exit:0 rump.ifconfig "$ifname" destroy
	done
	unset RUMP_SERVER
}
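# LAN-to-LAN pings in both directions must fail (no tunnel in place).
# $1 selects the family.  Each ping is sourced from the router's own LAN
# address and aimed at the other router's LAN address.
test_ping_failure()
{
	local mode=$1

	export RUMP_SERVER=$SOCK1
	if [ "${mode}" = "ipv6" ]; then
		atf_check -s not-exit:0 -o ignore -e ignore \
		    rump.ping6 -n -X "$TIMEOUT" -c 1 -S "$ROUTER1_LANIP6" \
		    "$ROUTER2_LANIP6"
	else
		atf_check -s not-exit:0 -o ignore -e ignore \
		    rump.ping -n -w "$TIMEOUT" -c 1 -I "$ROUTER1_LANIP" \
		    "$ROUTER2_LANIP"
	fi

	export RUMP_SERVER=$SOCK2
	if [ "${mode}" = "ipv6" ]; then
		atf_check -s not-exit:0 -o ignore -e ignore \
		    rump.ping6 -n -X "$TIMEOUT" -c 1 -S "$ROUTER2_LANIP6" \
		    "$ROUTER1_LANIP6"
	else
		# Source from ROUTER2's LAN address towards ROUTER1's, like
		# the IPv6 branch and test_ping_success.  The previous
		# version had the two addresses swapped, so the ping failed
		# for the wrong reason (bogus source on this router) and the
		# check proved nothing about the tunnel.
		atf_check -s not-exit:0 -o ignore -e ignore \
		    rump.ping -n -w "$TIMEOUT" -c 1 -I "$ROUTER2_LANIP" \
		    "$ROUTER1_LANIP"
	fi

	unset RUMP_SERVER
}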
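# LAN-to-LAN pings in both directions must succeed through the tunnel.
# $1 selects the family.  ipsec0 counters are printed before and after
# each ping for the report.
test_ping_success()
{
	# Was a bare assignment, which clobbered any global named `mode`.
	local mode=$1

	export RUMP_SERVER=$SOCK1
	rump.ifconfig -v ipsec0
	if [ "${mode}" = "ipv6" ]; then
		# XXX
		# rump.ping6 rarely fails with the message that
		# "failed to get receiving hop limit".
		# This is a known issue being analyzed.
		atf_check -s exit:0 -o ignore \
		    rump.ping6 -n -X "$TIMEOUT" -c 1 -S "$ROUTER1_LANIP6" \
		    "$ROUTER2_LANIP6"
	else
		atf_check -s exit:0 -o ignore \
		    rump.ping -n -w "$TIMEOUT" -c 1 -I "$ROUTER1_LANIP" \
		    "$ROUTER2_LANIP"
	fi
	rump.ifconfig -v ipsec0

	export RUMP_SERVER=$SOCK2
	rump.ifconfig -v ipsec0
	if [ "${mode}" = "ipv6" ]; then
		atf_check -s exit:0 -o ignore \
		    rump.ping6 -n -X "$TIMEOUT" -c 1 -S "$ROUTER2_LANIP6" \
		    "$ROUTER1_LANIP6"
	else
		atf_check -s exit:0 -o ignore \
		    rump.ping -n -w "$TIMEOUT" -c 1 -I "$ROUTER2_LANIP" \
		    "$ROUTER1_LANIP"
	fi
	rump.ifconfig -v ipsec0

	unset RUMP_SERVER
}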
# Try to re-point ipsec0 at the *_DUMMY outer endpoints while ipsec1
# still owns them: ifconfig must exit 0 but report SIOCSLIFPHYADDR on
# stderr.  $1 selects the outer family.
test_change_tunnel_duplicate()
{
	local mode=$1
	local ep1 ep2

	# ep1 is ROUTER1's dummy WAN endpoint, ep2 ROUTER2's.
	if [ "${mode}" = "ipv6" ]; then
		ep1=$ROUTER1_WANIP6_DUMMY
		ep2=$ROUTER2_WANIP6_DUMMY
	else
		ep1=$ROUTER1_WANIP_DUMMY
		ep2=$ROUTER2_WANIP_DUMMY
	fi

	export RUMP_SERVER=$SOCK1
	rump.ifconfig -v ipsec0
	rump.ifconfig -v ipsec1
	atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \
	    rump.ifconfig ipsec0 tunnel "$ep1" "$ep2"
	rump.ifconfig -v ipsec0
	rump.ifconfig -v ipsec1

	export RUMP_SERVER=$SOCK2
	rump.ifconfig -v ipsec0
	rump.ifconfig -v ipsec1
	atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \
	    rump.ifconfig ipsec0 tunnel "$ep2" "$ep1"
	rump.ifconfig -v ipsec0
	rump.ifconfig -v ipsec1

	unset RUMP_SERVER
}
# Re-point ipsec0 at the *_DUMMY outer endpoints; with ipsec1 gone this
# must succeed on both routers.  $1 selects the outer family.
test_change_tunnel_success()
{
	local mode=$1
	local ep1 ep2

	# ep1 is ROUTER1's dummy WAN endpoint, ep2 ROUTER2's.
	if [ "${mode}" = "ipv6" ]; then
		ep1=$ROUTER1_WANIP6_DUMMY
		ep2=$ROUTER2_WANIP6_DUMMY
	else
		ep1=$ROUTER1_WANIP_DUMMY
		ep2=$ROUTER2_WANIP_DUMMY
	fi

	export RUMP_SERVER=$SOCK1
	rump.ifconfig -v ipsec0
	atf_check -s exit:0 \
	    rump.ifconfig ipsec0 tunnel "$ep1" "$ep2"
	rump.ifconfig -v ipsec0

	export RUMP_SERVER=$SOCK2
	rump.ifconfig -v ipsec0
	atf_check -s exit:0 \
	    rump.ifconfig ipsec0 tunnel "$ep2" "$ep1"
	rump.ifconfig -v ipsec0

	unset RUMP_SERVER
}
# Setup phase of the "basic" test family: routers, then the ipsec0
# tunnel.  $1 inner family, $2 outer family, $3 protocol, $4 algorithm.
basic_setup()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	setup "$inner" "$outer"
	test_setup "$inner" "$outer"

	# Enable once PR kern/49219 is fixed
	#test_ping_failure

	setup_tunnel "$inner" "$outer" "$proto" "$algo"
	# Give the tunnel a moment to settle before checking routes.
	sleep 1
	test_setup_tunnel "$inner"
}
# Test phase of the "basic" family: traffic must flow both ways.
# $1 inner family; $2 (outer family) is accepted for signature parity
# with the other *_test functions and not used.
basic_test()
{
	local inner=$1
	local outer=$2

	test_ping_success "$inner"
}
# Teardown phase of the "basic" family: drop the tunnel and confirm the
# LANs no longer reach each other.  $1 inner family; $2 unused.
basic_teardown()
{
	local inner=$1
	local outer=$2

	teardown_tunnel
	test_ping_failure "$inner"
}
# Setup phase of the "ioctl" family: like basic_setup plus the second
# (dummy) tunnel ipsec1.  $1 inner family, $2 outer family, $3 protocol,
# $4 algorithm.
ioctl_setup()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	setup "$inner" "$outer"
	test_setup "$inner" "$outer"

	# Enable once PR kern/49219 is fixed
	#test_ping_failure

	setup_tunnel "$inner" "$outer" "$proto" "$algo"
	setup_dummy_tunnel "$inner" "$outer" "$proto" "$algo"
	# Give the tunnels a moment to settle before checking routes.
	sleep 1
	test_setup_tunnel "$inner"
}
# Test phase of the "ioctl" family: traffic flows; changing ipsec0's
# outer endpoints to ones ipsec1 owns is rejected; once ipsec1 is gone
# the same change succeeds.  $1 inner family, $2 outer family.
ioctl_test()
{
	local inner=$1
	local outer=$2

	test_ping_success "$inner"
	test_change_tunnel_duplicate "$outer"
	teardown_dummy_tunnel
	test_change_tunnel_success "$outer"
}
# Teardown phase of the "ioctl" family.  $1 inner family; $2 unused.
ioctl_teardown()
{
	local inner=$1
	local outer=$2

	teardown_tunnel
	test_ping_failure "$inner"
}
# Setup phase of the "recursive" family: basic setup plus two tunnels
# nested inside ipsec0 on ROUTER1.  $1 inner family, $2 outer family,
# $3 protocol, $4 algorithm.
recursive_setup()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	setup "$inner" "$outer"
	test_setup "$inner" "$outer"

	# Enable once PR kern/49219 is fixed
	#test_ping_failure

	setup_tunnel "$inner" "$outer" "$proto" "$algo"
	setup_recursive_tunnels "$inner" "$proto" "$algo"
	# Give the tunnels a moment to settle before checking routes.
	sleep 1
	test_setup_tunnel "$inner"
}
# Test phase of the "recursive" family.  $1 inner family; $2 unused.
recursive_test()
{
	local inner=$1
	local outer=$2

	test_recursive_check "$inner"
}
# Teardown phase of the "recursive" family: nested tunnels first, then
# ipsec0.  Both arguments are accepted for signature parity and unused.
recursive_teardown()
{
	local inner=$1
	local outer=$2

	teardown_recursive_tunnels
	teardown_tunnel
}
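# Define and register one parameterised ATF test case.
# $1 category (basic/ioctl/recursive; selects the ${category}_setup,
# _test and _teardown functions), $2 human description, $3 inner
# family, $4 outer family, $5 protocol, $6 algorithm.
add_test()
{
	local category=$1
	local desc=$2
	local inner=$3
	local outer=$4
	local proto=$5
	local algo=$6
	local _algo=""
	# Were globals before; nothing else reads them.
	local name=""
	local fulldesc=""

	# Dashes are not valid in a test case name.
	_algo=$(printf '%s\n' "$algo" | sed 's/-//g')

	name="ipsecif_${category}_${inner}over${outer}_${proto}_${_algo}"
	fulldesc="Does ${inner} over ${outer} if_ipsec ${desc}"

	# eval is what lets the hook functions be named after the
	# parameters.  Every interpolated value comes from the literal
	# tables in this file or the algorithm list supplied by the shared
	# helpers, never from outside input, so the string is under the
	# test's control.
	atf_test_case "${name}" cleanup
	eval "${name}_head() {
	    atf_set descr \"${fulldesc}\"
	    atf_set require.progs rump_server setkey
	}
	${name}_body() {
	    ${category}_setup ${inner} ${outer} ${proto} ${algo}
	    ${category}_test ${inner} ${outer}
	    ${category}_teardown ${inner} ${outer}
	    rump_server_destroy_ifaces
	}
	${name}_cleanup() {
	    \$DEBUG && dump
	    cleanup
	}"
	atf_add_test_case "${name}"
}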
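# Register the test category $1 (description $2) for every inner/outer
# family combination and every ESP algorithm in
# $ESP_ENCRYPTION_ALGORITHMS_MINIMUM (provided by the shared helpers).
add_test_allproto()
{
	local category=$1
	local desc=$2
	# The loop variable was previously left global.
	local algo

	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		add_test "${category}" "${desc}" ipv4 ipv4 esp "$algo"
		add_test "${category}" "${desc}" ipv4 ipv6 esp "$algo"
		add_test "${category}" "${desc}" ipv6 ipv4 esp "$algo"
		add_test "${category}" "${desc}" ipv6 ipv6 esp "$algo"
	done

	# ah does not support yet
}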
# ATF entry point: register every test case in this file.
atf_init_test_cases()
{
	# Stand-alone interface lifecycle test.
	atf_add_test_case ipsecif_create_destroy

	# Parameterised families; each expands to one case per
	# inner x outer family x ESP algorithm (see add_test_allproto).
	add_test_allproto basic "basic tests"
	add_test_allproto ioctl "ioctl tests"
	add_test_allproto recursive "recursive check tests"
}