t_ipsec.sh revision 1.6 1 # $NetBSD: t_ipsec.sh,v 1.6 2019/01/10 00:45:08 knakahara Exp $
2 #
3 # Copyright (c) 2017 Internet Initiative Japan Inc.
4 # All rights reserved.
5 #
6 # Redistribution and use in source and binary forms, with or without
7 # modification, are permitted provided that the following conditions
8 # are met:
9 # 1. Redistributions of source code must retain the above copyright
10 # notice, this list of conditions and the following disclaimer.
11 # 2. Redistributions in binary form must reproduce the above copyright
12 # notice, this list of conditions and the following disclaimer in the
13 # documentation and/or other materials provided with the distribution.
14 #
15 # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
16 # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
17 # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
18 # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
19 # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
20 # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
21 # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
22 # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
23 # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
24 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
25 # POSSIBILITY OF SUCH DAMAGE.
26 #
27
# Control sockets of the two rump kernels that act as the tunnel endpoints.
SOCK1=unix://commsock1    # ROUTER1
SOCK2=unix://commsock2    # ROUTER2

# IPv4 plan (private address space only).
#   LANIP/LANNET  inner network behind each router
#   WANIP         outer address the tunnel is built between
#   IPSECIP       address configured on ipsec0
#   *_DUMMY       second tunnel (ipsec1) used by the ioctl tests
#   *_RECURSIVE*  nested tunnels (ipsec1/ipsec2) used by the recursion tests
ROUTER1_LANIP=192.168.1.1
ROUTER1_LANNET=192.168.1.0/24
ROUTER1_WANIP=10.0.0.1
ROUTER1_IPSECIP=172.16.1.1
ROUTER1_WANIP_DUMMY=10.0.0.11
ROUTER1_IPSECIP_DUMMY=172.16.11.1
ROUTER1_IPSECIP_RECURSIVE1=172.16.101.1
ROUTER1_IPSECIP_RECURSIVE2=172.16.201.1
ROUTER2_LANIP=192.168.2.1
ROUTER2_LANNET=192.168.2.0/24
ROUTER2_WANIP=10.0.0.2
ROUTER2_IPSECIP=172.16.2.1
ROUTER2_WANIP_DUMMY=10.0.0.12
ROUTER2_IPSECIP_DUMMY=172.16.12.1
ROUTER2_IPSECIP_RECURSIVE1=172.16.102.1
ROUTER2_IPSECIP_RECURSIVE2=172.16.202.1

# IPv6 plan, same roles as above, taken from fc00::/7.
ROUTER1_LANIP6=fc00:1::1
ROUTER1_LANNET6=fc00:1::/64
ROUTER1_WANIP6=fc00::1
ROUTER1_IPSECIP6=fc00:3::1
ROUTER1_WANIP6_DUMMY=fc00::11
ROUTER1_IPSECIP6_DUMMY=fc00:13::1
ROUTER1_IPSECIP6_RECURSIVE1=fc00:103::1
ROUTER1_IPSECIP6_RECURSIVE2=fc00:203::1
ROUTER2_LANIP6=fc00:2::1
ROUTER2_LANNET6=fc00:2::/64
ROUTER2_WANIP6=fc00::2
ROUTER2_IPSECIP6=fc00:4::1
ROUTER2_WANIP6_DUMMY=fc00::12
ROUTER2_IPSECIP6_DUMMY=fc00:14::1
ROUTER2_IPSECIP6_RECURSIVE1=fc00:104::1
ROUTER2_IPSECIP6_RECURSIVE2=fc00:204::1

# DEBUG can be preset in the environment. Its value is run as a command
# ("$DEBUG && ..."), so it has to be "true" or "false".
: "${DEBUG:=false}"
# Passed to rump.ping -w and rump.ping6 -X.
TIMEOUT=7
66
# Declare the test case to ATF; the "cleanup" flag announces that a
# cleanup routine exists for it.
atf_test_case ipsecif_create_destroy cleanup

# ATF head: metadata for ipsecif_create_destroy.
# NOTE(review): the description still says "gif", while the body of this
# test case operates on ipsec0.
ipsecif_create_destroy_head()
{
    atf_set "descr" "Test creating/destroying gif interfaces"
    atf_set "require.progs" "rump_server"
}
74
# ATF body: start one rump server on SOCK1 and run the shared
# create/destroy check against ipsec0.
ipsecif_create_destroy_body()
{
    rump_server_start "$SOCK1" ipsec
    test_create_destroy_common "$SOCK1" ipsec0
}
82
# ATF cleanup: optionally dump state (DEBUG=true), then run the common
# cleanup helper.
ipsecif_create_destroy_cleanup()
{
    # $DEBUG is executed as a command; see its definition.
    $DEBUG && dump

    cleanup
}
89
# Attach and address the two interfaces of one router.
# Arguments: $1 rump server socket
#            $2 LAN address, $3 LAN family ("ipv6" or anything else = IPv4)
#            $4 WAN address, $5 WAN family (same convention)
# shmif0 (bus0) carries the LAN address, shmif1 (bus1) the WAN address.
# RUMP_SERVER is exported for the duration and unset before returning.
setup_router()
{
    local sock=$1
    local lan=$2
    local lan_mode=$3
    local wan=$4
    local wan_mode=$5

    rump_server_add_iface "$sock" shmif0 bus0
    rump_server_add_iface "$sock" shmif1 bus1

    export RUMP_SERVER=$sock

    # LAN side: IPv4 gets a /24 mask.
    case $lan_mode in
    ipv6)
        atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$lan"
        ;;
    *)
        atf_check -s exit:0 rump.ifconfig shmif0 inet "$lan" \
            netmask 0xffffff00
        ;;
    esac
    atf_check -s exit:0 rump.ifconfig shmif0 up
    $DEBUG && rump.ifconfig shmif0

    # WAN side: IPv4 gets a /8 mask.
    case $wan_mode in
    ipv6)
        atf_check -s exit:0 rump.ifconfig shmif1 inet6 "$wan"
        ;;
    *)
        atf_check -s exit:0 rump.ifconfig shmif1 inet "$wan" \
            netmask 0xff000000
        ;;
    esac
    atf_check -s exit:0 rump.ifconfig shmif1 up
    $DEBUG && rump.ifconfig shmif1

    # Duplicate address detection is turned off for both families.
    atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
    atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0

    unset RUMP_SERVER
}
122
# Check that a router set up by setup_router is usable: both shmif
# interfaces show up and the router can ping its own LAN and WAN address.
# Arguments: $1 socket, $2 LAN address, $3 LAN family,
#            $4 WAN address, $5 WAN family ("ipv6" or anything else = IPv4)
test_router()
{
    local sock=$1
    local lan=$2
    local lan_mode=$3
    local wan=$4
    local wan_mode=$5

    export RUMP_SERVER=$sock

    atf_check -s exit:0 -o match:shmif0 rump.ifconfig
    case $lan_mode in
    ipv6)
        atf_check -s exit:0 -o ignore \
            rump.ping6 -n -c 1 -X "$TIMEOUT" "$lan"
        ;;
    *)
        atf_check -s exit:0 -o ignore \
            rump.ping -n -c 1 -w "$TIMEOUT" "$lan"
        ;;
    esac

    atf_check -s exit:0 -o match:shmif1 rump.ifconfig
    case $wan_mode in
    ipv6)
        atf_check -s exit:0 -o ignore \
            rump.ping6 -n -c 1 -X "$TIMEOUT" "$wan"
        ;;
    *)
        atf_check -s exit:0 -o ignore \
            rump.ping -n -c 1 -w "$TIMEOUT" "$wan"
        ;;
    esac

    unset RUMP_SERVER
}
147
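# Start both rump servers and configure the two routers.
# Arguments: $1 inner (LAN) family, $2 outer (WAN) family;
#            "ipv6" selects IPv6, anything else IPv4.
setup()
{
    local inner=${1}
    local outer=${2}

    # Scoped to this function, as test_setup does for the same names, so
    # they do not leak into the caller or into later test helpers.
    local router1_lan=""
    local router1_lan_mode=""
    local router2_lan=""
    local router2_lan_mode=""

    rump_server_crypto_start $SOCK1 netipsec netinet6 ipsec
    rump_server_crypto_start $SOCK2 netipsec netinet6 ipsec

    if [ "${inner}" = "ipv6" ]; then
        router1_lan=$ROUTER1_LANIP6
        router1_lan_mode="ipv6"
        router2_lan=$ROUTER2_LANIP6
        router2_lan_mode="ipv6"
    else
        router1_lan=$ROUTER1_LANIP
        router1_lan_mode="ipv4"
        router2_lan=$ROUTER2_LANIP
        router2_lan_mode="ipv4"
    fi

    if [ "${outer}" = "ipv6" ]; then
        setup_router $SOCK1 ${router1_lan} ${router1_lan_mode} \
            $ROUTER1_WANIP6 ipv6
        setup_router $SOCK2 ${router2_lan} ${router2_lan_mode} \
            $ROUTER2_WANIP6 ipv6
    else
        setup_router $SOCK1 ${router1_lan} ${router1_lan_mode} \
            $ROUTER1_WANIP ipv4
        setup_router $SOCK2 ${router2_lan} ${router2_lan_mode} \
            $ROUTER2_WANIP ipv4
    fi
}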
184
# Run test_router on both routers with the addresses that setup assigned.
# Arguments: $1 inner (LAN) family, $2 outer (WAN) family;
#            "ipv6" selects IPv6, anything else IPv4.
test_setup()
{
    local inner=$1
    local outer=$2

    # Start from the IPv4 plan and switch each side to IPv6 on request.
    local lan_mode="ipv4"
    local lan1=$ROUTER1_LANIP
    local lan2=$ROUTER2_LANIP
    local wan_mode="ipv4"
    local wan1=$ROUTER1_WANIP
    local wan2=$ROUTER2_WANIP

    if [ "$inner" = "ipv6" ]; then
        lan_mode="ipv6"
        lan1=$ROUTER1_LANIP6
        lan2=$ROUTER2_LANIP6
    fi
    if [ "$outer" = "ipv6" ]; then
        wan_mode="ipv6"
        wan1=$ROUTER1_WANIP6
        wan2=$ROUTER2_WANIP6
    fi

    test_router "$SOCK1" "$lan1" "$lan_mode" "$wan1" "$wan_mode"
    test_router "$SOCK2" "$lan2" "$lan_mode" "$wan2" "$wan_mode"
}
217
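# Print the "unique" id of the security policy whose `setkey -DP` entry
# starts with the given source address and ends with "(<proto>)".
# Arguments: $1 rump server socket
#            $2 source address the policy line starts with
#            $3 protocol label inside the trailing parentheses
# Outputs:   the id(s) found, on stdout; empty when nothing matched
# RUMP_SERVER is exported for the lookup and unset before returning.
get_if_ipsec_unique()
{
    local sock=${1}
    local src=${2}
    local proto=${3}
    local src_re=""
    local unique=""

    # The address goes into a grep pattern. Escape the dots so an IPv4
    # address is matched literally; unescaped, 172.16.1.1 would also
    # select the policy of 172.16.101.1 and the SA would be bound to the
    # wrong policy id.
    # NOTE(review): this is still a prefix match (10.0.0.1 is a prefix of
    # 10.0.0.11); tighten it if the exact `setkey -DP` layout is pinned.
    src_re=$(printf '%s\n' "$src" | sed 's/\./\\./g')

    export RUMP_SERVER=${sock}
    # HIJACKING is set outside this file and expanded unquoted, so it may
    # hold several words.
    unique=$($HIJACKING setkey -DP |
        grep -A2 "^${src_re}.*(${proto})$" |
        grep unique |
        sed 's/.*unique#//')
    unset RUMP_SERVER

    # Left unquoted as before: several ids come out on one line.
    echo $unique
}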
231
# Create ipsec0 on one router, bind it to the outer endpoints, give it an
# inner point-to-point address and route the peer's LAN through it.
# Arguments: $1 socket, $2 local inner address, $3 remote inner address,
#            $4 inner family ("ipv6" or anything else = IPv4),
#            $5 outer source, $6 outer destination, $7 peer LAN prefix
# Extra arguments are ignored.
# Note: RUMP_SERVER stays exported when this function returns.
setup_if_ipsec()
{
    local sock=$1
    local addr=$2
    local remote=$3
    local inner=$4
    local src=$5
    local dst=$6
    local peernet=$7

    export RUMP_SERVER=$sock

    atf_check -s exit:0 rump.ifconfig ipsec0 create
    atf_check -s exit:0 rump.ifconfig ipsec0 tunnel "$src" "$dst"

    case $inner in
    ipv6)
        atf_check -s exit:0 \
            rump.ifconfig ipsec0 inet6 "$addr/128" "$remote"
        atf_check -s exit:0 -o ignore \
            rump.route add -inet6 "$peernet" "$addr"
        ;;
    *)
        atf_check -s exit:0 \
            rump.ifconfig ipsec0 inet "$addr/32" "$remote"
        atf_check -s exit:0 -o ignore \
            rump.route add -inet "$peernet" "$addr"
        ;;
    esac

    $DEBUG && rump.ifconfig ipsec0
    $DEBUG && rump.route -nL show
}
256
# Install the inbound and outbound SA for an if_ipsec tunnel, bound to
# the policy ids that get_if_ipsec_unique finds for it.
# Arguments: $1 socket, $2 outer source, $3 outer destination,
#            $4 policy label to look up ("ipv6" or anything else),
#            $5 IPsec protocol, $6 algorithm,
#            $7 direction ("1to2" or anything else = the reverse)
# SPIs: 10000/10001 are used for the non-ipv6 label and 10010/10011 for
# "ipv6"; the two directions use the same pair swapped, so one router's
# outbound SPI is the other router's inbound SPI.
# NOTE(review): the setkey input is written to ./tmp in the current
# directory, a fixed name that this function does not remove; it holds
# whatever generate_algo_args emitted (presumably key material - confirm).
setup_if_ipsec_sa()
{
    local sock=$1
    local src=$2
    local dst=$3
    local mode=$4
    local proto=$5
    local algo=$6
    local dir=$7

    local tmpfile=./tmp
    local inunique=""
    local outunique=""
    local inid=""
    local outid=""
    local spi_low=""
    local spi_high=""
    local algo_args="$(generate_algo_args $proto $algo)"

    # Both policies must already exist; an empty id fails the test.
    inunique=$(get_if_ipsec_unique "$sock" "$dst" "$mode")
    atf_check -s exit:0 test "X$inunique" != "X"
    outunique=$(get_if_ipsec_unique "$sock" "$src" "$mode")
    atf_check -s exit:0 test "X$outunique" != "X"

    case $mode in
    ipv6)
        spi_low="10010"
        spi_high="10011"
        ;;
    *)
        spi_low="10000"
        spi_high="10001"
        ;;
    esac
    case $dir in
    1to2)
        inid=$spi_low
        outid=$spi_high
        ;;
    *)
        inid=$spi_high
        outid=$spi_low
        ;;
    esac

    {
        printf '%s\n' "add $dst $src $proto $inid -u $inunique $algo_args;"
        printf '%s\n' "add $src $dst $proto $outid -u $outunique $algo_args;"
    } > $tmpfile
    $DEBUG && cat $tmpfile

    export RUMP_SERVER=$sock
    atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
    $DEBUG && $HIJACKING setkey -D
    $DEBUG && $HIJACKING setkey -DP
    unset RUMP_SERVER
}
308
# Build the ipsec0 tunnel between ROUTER1 and ROUTER2 and install its SAs
# on both sides.
# Arguments: $1 inner family, $2 outer family ("ipv6" or anything else =
#            IPv4), $3 IPsec protocol, $4 algorithm
# For IPv6 over IPv4 an extra SA pair is installed per router, looked up
# with the outer family as policy label, before the inner-family pair.
setup_tunnel()
{
    local inner=$1
    local outer=$2
    local proto=$3
    local algo=$4

    local ip1="" ip2=""       # ipsec0 addresses of ROUTER1 / ROUTER2
    local net1="" net2=""     # LAN prefixes behind ROUTER1 / ROUTER2
    local wan1="" wan2=""     # outer endpoints of ROUTER1 / ROUTER2

    case $inner in
    ipv6)
        ip1=$ROUTER1_IPSECIP6
        ip2=$ROUTER2_IPSECIP6
        net1=$ROUTER1_LANNET6
        net2=$ROUTER2_LANNET6
        ;;
    *)
        ip1=$ROUTER1_IPSECIP
        ip2=$ROUTER2_IPSECIP
        net1=$ROUTER1_LANNET
        net2=$ROUTER2_LANNET
        ;;
    esac
    case $outer in
    ipv6)
        wan1=$ROUTER1_WANIP6
        wan2=$ROUTER2_WANIP6
        ;;
    *)
        wan1=$ROUTER1_WANIP
        wan2=$ROUTER2_WANIP
        ;;
    esac

    # ROUTER1 side.
    setup_if_ipsec "$SOCK1" "$ip1" "$ip2" "$inner" \
        "$wan1" "$wan2" "$net2"
    if [ "$inner" = "ipv6" ] && [ "$outer" = "ipv4" ]; then
        setup_if_ipsec_sa "$SOCK1" "$wan1" "$wan2" "$outer" \
            "$proto" "$algo" "1to2"
    fi
    setup_if_ipsec_sa "$SOCK1" "$wan1" "$wan2" "$inner" \
        "$proto" "$algo" "1to2"

    # ROUTER2 side, mirrored. The two trailing arguments of this
    # setup_if_ipsec call are beyond what it reads.
    setup_if_ipsec "$SOCK2" "$ip2" "$ip1" "$inner" \
        "$wan2" "$wan1" "$net1" "$proto" "$algo"
    if [ "$inner" = "ipv6" ] && [ "$outer" = "ipv4" ]; then
        setup_if_ipsec_sa "$SOCK2" "$wan2" "$wan1" "$outer" \
            "$proto" "$algo" "2to1"
    fi
    setup_if_ipsec_sa "$SOCK2" "$wan2" "$wan1" "$inner" \
        "$proto" "$algo" "2to1"
}
369
# Check on both routers that ipsec0 exists and that the route to the
# peer's LAN resolves through ipsec0.
# Arguments: $1 inner family ("ipv6" or anything else = IPv4)
# Note: RUMP_SERVER is left pointing at SOCK2 on return.
test_setup_tunnel()
{
    local mode=$1
    local opt="-inet"
    local net_behind_r1=$ROUTER1_LANNET
    local net_behind_r2=$ROUTER2_LANNET

    if [ "$mode" = "ipv6" ]; then
        opt="-inet6"
        net_behind_r1=$ROUTER1_LANNET6
        net_behind_r2=$ROUTER2_LANNET6
    fi

    export RUMP_SERVER=$SOCK1
    atf_check -s exit:0 -o match:ipsec0 rump.ifconfig
    atf_check -s exit:0 -o match:ipsec0 \
        rump.route -nL get "$opt" "$net_behind_r2"

    export RUMP_SERVER=$SOCK2
    atf_check -s exit:0 -o match:ipsec0 rump.ifconfig
    atf_check -s exit:0 -o match:ipsec0 \
        rump.route -nL get "$opt" "$net_behind_r1"
}
398
# Remove ipsec0 on both routers and flush their SA databases.
# NOTE(review): `setkey -F` runs outside atf_check, so a failed flush
# (SAs left installed) does not fail the test here.
teardown_tunnel()
{
    local sock

    for sock in "$SOCK1" "$SOCK2"; do
        export RUMP_SERVER=$sock
        atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel
        atf_check -s exit:0 rump.ifconfig ipsec0 destroy
        $HIJACKING setkey -F
    done

    unset RUMP_SERVER
}
413
# Create the second tunnel interface (ipsec1) on one router. Unlike
# setup_if_ipsec it adds no route.
# Arguments: $1 socket, $2 local inner address, $3 remote inner address,
#            $4 inner family ("ipv6" or anything else = IPv4),
#            $5 outer source, $6 outer destination
# Extra arguments are ignored.
setup_dummy_if_ipsec()
{
    local sock=$1
    local addr=$2
    local remote=$3
    local inner=$4
    local src=$5
    local dst=$6

    export RUMP_SERVER=$sock

    atf_check -s exit:0 rump.ifconfig ipsec1 create
    atf_check -s exit:0 rump.ifconfig ipsec1 tunnel "$src" "$dst"
    case $inner in
    ipv6)
        atf_check -s exit:0 \
            rump.ifconfig ipsec1 inet6 "$addr/128" "$remote"
        ;;
    *)
        atf_check -s exit:0 \
            rump.ifconfig ipsec1 inet "$addr/32" "$remote"
        ;;
    esac

    $DEBUG && rump.ifconfig ipsec1
    unset RUMP_SERVER
}
435
# Install the SA pair for the second tunnel (ipsec1), bound to the policy
# ids that get_if_ipsec_unique finds for it.
# Arguments: $1 socket, $2 outer source, $3 outer destination,
#            $4 policy label to look up, $5 IPsec protocol, $6 algorithm,
#            $7 direction ("1to2" or anything else = the reverse)
# SPIs 20000/20001 are used, swapped between the two directions.
# NOTE(review): the setkey input is written to ./tmp in the current
# directory, a fixed name that this function does not remove; it holds
# whatever generate_algo_args emitted (presumably key material - confirm).
setup_dummy_if_ipsec_sa()
{
    local sock=$1
    local src=$2
    local dst=$3
    local mode=$4
    local proto=$5
    local algo=$6
    local dir=$7

    local tmpfile=./tmp
    local inunique=""
    local outunique=""
    local inid="20001"
    local outid="20000"
    local algo_args="$(generate_algo_args $proto $algo)"

    # Both policies must already exist; an empty id fails the test.
    inunique=$(get_if_ipsec_unique "$sock" "$dst" "$mode")
    atf_check -s exit:0 test "X$inunique" != "X"
    outunique=$(get_if_ipsec_unique "$sock" "$src" "$mode")
    atf_check -s exit:0 test "X$outunique" != "X"

    if [ "$dir" = "1to2" ]; then
        inid="20000"
        outid="20001"
    fi

    {
        printf '%s\n' "add $dst $src $proto $inid -u $inunique $algo_args;"
        printf '%s\n' "add $src $dst $proto $outid -u $outunique $algo_args;"
    } > $tmpfile
    $DEBUG && cat $tmpfile

    export RUMP_SERVER=$sock
    atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
    $DEBUG && $HIJACKING setkey -D
    $DEBUG && $HIJACKING setkey -DP
    unset RUMP_SERVER
}
477
# Build the second tunnel (ipsec1) between the *_DUMMY endpoints on both
# routers and install its SAs.
# Arguments: $1 inner family, $2 outer family ("ipv6" or anything else =
#            IPv4), $3 IPsec protocol, $4 algorithm
setup_dummy_tunnel()
{
    local inner=$1
    local outer=$2
    local proto=$3
    local algo=$4

    local ip1="" ip2=""       # ipsec1 addresses of ROUTER1 / ROUTER2
    local wan1="" wan2=""     # dummy outer endpoints of ROUTER1 / ROUTER2

    case $inner in
    ipv6)
        ip1=$ROUTER1_IPSECIP6_DUMMY
        ip2=$ROUTER2_IPSECIP6_DUMMY
        ;;
    *)
        ip1=$ROUTER1_IPSECIP_DUMMY
        ip2=$ROUTER2_IPSECIP_DUMMY
        ;;
    esac
    case $outer in
    ipv6)
        wan1=$ROUTER1_WANIP6_DUMMY
        wan2=$ROUTER2_WANIP6_DUMMY
        ;;
    *)
        wan1=$ROUTER1_WANIP_DUMMY
        wan2=$ROUTER2_WANIP_DUMMY
        ;;
    esac

    # The three trailing arguments of the setup_dummy_if_ipsec calls are
    # beyond what that function reads.
    setup_dummy_if_ipsec "$SOCK1" "$ip1" "$ip2" "$inner" \
        "$wan1" "$wan2" "$proto" "$algo" "1to2"
    setup_dummy_if_ipsec_sa "$SOCK1" "$wan1" "$wan2" "$inner" \
        "$proto" "$algo" "1to2"

    setup_dummy_if_ipsec "$SOCK2" "$ip2" "$ip1" "$inner" \
        "$wan2" "$wan1" "$proto" "$algo" "2to1"
    setup_dummy_if_ipsec_sa "$SOCK2" "$wan2" "$wan1" "$inner" \
        "$proto" "$algo" "2to1"
}
526
# Check that ipsec1 is listed by rump.ifconfig on both routers.
test_setup_dummy_tunnel()
{
    local sock

    for sock in "$SOCK1" "$SOCK2"; do
        export RUMP_SERVER=$sock
        atf_check -s exit:0 -o match:ipsec1 rump.ifconfig
    done

    unset RUMP_SERVER
}
537
# Remove ipsec1 on both routers. No SA flush is done here.
teardown_dummy_tunnel()
{
    local sock

    for sock in "$SOCK1" "$SOCK2"; do
        export RUMP_SERVER=$sock
        atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel
        atf_check -s exit:0 rump.ifconfig ipsec1 destroy
    done

    unset RUMP_SERVER
}
550
# Create one nested tunnel interface and install its SAs.
# Arguments: $1 socket, $2 interface name, $3 local inner address,
#            $4 remote inner address,
#            $5 inner family ("ipv6" or anything else = IPv4),
#            $6 outer source, $7 outer destination,
#            $8 IPsec protocol, $9 algorithm, $10 direction
setup_recursive_if_ipsec()
{
    local sock=$1
    local ipsec=$2
    local addr=$3
    local remote=$4
    local inner=$5
    local src=$6
    local dst=$7
    local proto=$8
    local algo=$9
    local dir=${10}

    export RUMP_SERVER=$sock
    atf_check -s exit:0 rump.ifconfig "$ipsec" create
    atf_check -s exit:0 rump.ifconfig "$ipsec" tunnel "$src" "$dst"
    case $inner in
    ipv6)
        atf_check -s exit:0 \
            rump.ifconfig "$ipsec" inet6 "$addr/128" "$remote"
        ;;
    *)
        atf_check -s exit:0 \
            rump.ifconfig "$ipsec" inet "$addr/32" "$remote"
        ;;
    esac
    setup_if_ipsec_sa "$sock" "$src" "$dst" "$inner" \
        "$proto" "$algo" "$dir"

    # setup_if_ipsec_sa unsets RUMP_SERVER, so select the server again
    # for the debug dump.
    export RUMP_SERVER=$sock
    $DEBUG && rump.ifconfig "$ipsec"
    unset RUMP_SERVER
}
578
# Stack two more tunnels on ROUTER1 only: ipsec1 runs between the ipsec0
# addresses and ipsec2 between the ipsec1 addresses, so traffic for
# ipsec2 has to pass through all three interfaces.
# Arguments: $1 family ("ipv6" or anything else = IPv4),
#            $2 IPsec protocol, $3 algorithm
setup_recursive_tunnels()
{
    local mode=$1
    local proto=$2
    local algo=$3

    local base1="" base2=""       # ipsec0 addresses (ROUTER1 / ROUTER2)
    local level1_a="" level1_b="" # ipsec1 addresses
    local level2_a="" level2_b="" # ipsec2 addresses

    case $mode in
    ipv6)
        base1=$ROUTER1_IPSECIP6
        base2=$ROUTER2_IPSECIP6
        level1_a=$ROUTER1_IPSECIP6_RECURSIVE1
        level1_b=$ROUTER2_IPSECIP6_RECURSIVE1
        level2_a=$ROUTER1_IPSECIP6_RECURSIVE2
        level2_b=$ROUTER2_IPSECIP6_RECURSIVE2
        ;;
    *)
        base1=$ROUTER1_IPSECIP
        base2=$ROUTER2_IPSECIP
        level1_a=$ROUTER1_IPSECIP_RECURSIVE1
        level1_b=$ROUTER2_IPSECIP_RECURSIVE1
        level2_a=$ROUTER1_IPSECIP_RECURSIVE2
        level2_b=$ROUTER2_IPSECIP_RECURSIVE2
        ;;
    esac

    setup_recursive_if_ipsec "$SOCK1" ipsec1 "$level1_a" "$level1_b" \
        "$mode" "$base1" "$base2" "$proto" "$algo" "1to2"
    setup_recursive_if_ipsec "$SOCK1" ipsec2 "$level2_a" "$level2_b" \
        "$mode" "$level1_a" "$level1_b" "$proto" "$algo" "1to2"
}
619
# Runs on ROUTER1 only. A ping to the far end of the innermost nested
# tunnel must fail, and the kernel log must report that ipsec0 was
# "recursively called too many times", i.e. the nesting was refused
# rather than followed.
# Arguments: $1 family ("ipv6" or anything else = IPv4)
test_recursive_check()
{
    local mode=$1

    export RUMP_SERVER=$SOCK1

    case $mode in
    ipv6)
        atf_check -s not-exit:0 -o ignore -e ignore \
            rump.ping6 -n -X "$TIMEOUT" -c 1 "$ROUTER2_IPSECIP6_RECURSIVE2"
        ;;
    *)
        atf_check -s not-exit:0 -o ignore -e ignore \
            rump.ping -n -w "$TIMEOUT" -c 1 "$ROUTER2_IPSECIP_RECURSIVE2"
        ;;
    esac

    atf_check -o match:'ipsec0: recursively called too many times' \
        -x "$HIJACKING dmesg"

    # Also print the kernel log itself.
    $HIJACKING dmesg

    unset RUMP_SERVER
}
641
# Remove the nested tunnel interfaces (ipsec1, then ipsec2) on ROUTER1.
teardown_recursive_tunnels()
{
    local ifname

    export RUMP_SERVER=$SOCK1
    for ifname in ipsec1 ipsec2; do
        atf_check -s exit:0 rump.ifconfig "$ifname" deletetunnel
        atf_check -s exit:0 rump.ifconfig "$ifname" destroy
    done
    unset RUMP_SERVER
}
651
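# Negative check: LAN-to-LAN ping must fail in both directions (used
# after the tunnel has been torn down).
# Arguments: $1 family ("ipv6" or anything else = IPv4)
test_ping_failure()
{
    local mode=$1

    # ROUTER1 -> ROUTER2
    export RUMP_SERVER=$SOCK1
    if [ "${mode}" = "ipv6" ]; then
        atf_check -s not-exit:0 -o ignore -e ignore \
            rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER1_LANIP6 \
            $ROUTER2_LANIP6
    else
        atf_check -s not-exit:0 -o ignore -e ignore \
            rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
            $ROUTER2_LANIP
    fi

    # ROUTER2 -> ROUTER1
    export RUMP_SERVER=$SOCK2
    if [ "${mode}" = "ipv6" ]; then
        atf_check -s not-exit:0 -o ignore -e ignore \
            rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER2_LANIP6 \
            $ROUTER1_LANIP6
    else
        # Source and destination mirror the IPv6 branch and
        # test_ping_success. The IPv4 case used to repeat ROUTER1's
        # pair on ROUTER2, so this direction was never really probed
        # and the negative check could not catch leaking traffic.
        atf_check -s not-exit:0 -o ignore -e ignore \
            rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \
            $ROUTER1_LANIP
    fi

    unset RUMP_SERVER
}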
680
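# Positive check: LAN-to-LAN ping through the tunnel must succeed in
# both directions.
# Arguments: $1 family ("ipv6" or anything else = IPv4)
test_ping_success()
{
    # Declared local like in the sibling helpers; it used to be assigned
    # as a global.
    local mode=$1

    # ROUTER1 -> ROUTER2
    export RUMP_SERVER=$SOCK1
    $DEBUG && rump.ifconfig -v ipsec0
    if [ "${mode}" = "ipv6" ]; then
        # XXX
        # rump.ping6 rarely fails with the message that
        # "failed to get receiving hop limit".
        # This is a known issue being analyzed.
        atf_check -s exit:0 -o ignore \
            rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER1_LANIP6 \
            $ROUTER2_LANIP6
    else
        atf_check -s exit:0 -o ignore \
            rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
            $ROUTER2_LANIP
    fi
    $DEBUG && rump.ifconfig -v ipsec0

    # ROUTER2 -> ROUTER1
    export RUMP_SERVER=$SOCK2
    $DEBUG && rump.ifconfig -v ipsec0
    if [ "${mode}" = "ipv6" ]; then
        atf_check -s exit:0 -o ignore \
            rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER2_LANIP6 \
            $ROUTER1_LANIP6
    else
        atf_check -s exit:0 -o ignore \
            rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \
            $ROUTER1_LANIP
    fi
    $DEBUG && rump.ifconfig -v ipsec0

    unset RUMP_SERVER
}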
717
# Try to re-point ipsec0 at the *_DUMMY outer endpoints on both routers.
# The check expects ifconfig to exit 0 while its stderr mentions
# SIOCSLIFPHYADDR, i.e. the ioctl is reported as failed (presumably
# because ipsec1 already uses that endpoint pair - see ioctl_setup).
# Arguments: $1 outer family ("ipv6" or anything else = IPv4)
test_change_tunnel_duplicate()
{
    local mode=$1
    local dummy1=$ROUTER1_WANIP_DUMMY
    local dummy2=$ROUTER2_WANIP_DUMMY

    if [ "$mode" = "ipv6" ]; then
        dummy1=$ROUTER1_WANIP6_DUMMY
        dummy2=$ROUTER2_WANIP6_DUMMY
    fi

    export RUMP_SERVER=$SOCK1
    $DEBUG && rump.ifconfig -v ipsec0
    $DEBUG && rump.ifconfig -v ipsec1
    atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \
        rump.ifconfig ipsec0 tunnel "$dummy1" "$dummy2"
    $DEBUG && rump.ifconfig -v ipsec0
    $DEBUG && rump.ifconfig -v ipsec1

    export RUMP_SERVER=$SOCK2
    $DEBUG && rump.ifconfig -v ipsec0
    $DEBUG && rump.ifconfig -v ipsec1
    atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \
        rump.ifconfig ipsec0 tunnel "$dummy2" "$dummy1"
    $DEBUG && rump.ifconfig -v ipsec0
    $DEBUG && rump.ifconfig -v ipsec1

    unset RUMP_SERVER
}
756
# Re-point ipsec0 at the *_DUMMY outer endpoints on both routers and
# expect it to be accepted (exit 0, no stderr output tolerated by
# atf_check's defaults).
# Arguments: $1 outer family ("ipv6" or anything else = IPv4)
test_change_tunnel_success()
{
    local mode=$1
    local dummy1=$ROUTER1_WANIP_DUMMY
    local dummy2=$ROUTER2_WANIP_DUMMY

    if [ "$mode" = "ipv6" ]; then
        dummy1=$ROUTER1_WANIP6_DUMMY
        dummy2=$ROUTER2_WANIP6_DUMMY
    fi

    export RUMP_SERVER=$SOCK1
    $DEBUG && rump.ifconfig -v ipsec0
    atf_check -s exit:0 \
        rump.ifconfig ipsec0 tunnel "$dummy1" "$dummy2"
    $DEBUG && rump.ifconfig -v ipsec0

    export RUMP_SERVER=$SOCK2
    $DEBUG && rump.ifconfig -v ipsec0
    atf_check -s exit:0 \
        rump.ifconfig ipsec0 tunnel "$dummy2" "$dummy1"
    $DEBUG && rump.ifconfig -v ipsec0

    unset RUMP_SERVER
}
791
# Setup phase of the "basic" category: routers, then the ipsec0 tunnel.
# Arguments: $1 inner family, $2 outer family, $3 protocol, $4 algorithm
basic_setup()
{
    local inner=$1
    local outer=$2
    local proto=$3
    local algo=$4

    setup "$inner" "$outer"
    test_setup "$inner" "$outer"

    # Enable once PR kern/49219 is fixed
    #test_ping_failure

    setup_tunnel "$inner" "$outer" "$proto" "$algo"
    # Fixed pause before the tunnel is checked.
    sleep 1
    test_setup_tunnel "$inner"
}
809
# Test phase of the "basic" category: traffic must pass through the
# tunnel. Arguments: $1 inner family; $2 (outer family) is accepted but
# not used.
basic_test()
{
    local inner=$1

    test_ping_success "$inner"
}
817
# Teardown phase of the "basic" category: remove the tunnel, then verify
# that LAN-to-LAN traffic no longer passes.
# Arguments: $1 inner family; $2 (outer family) is accepted but not used.
basic_teardown()
{
    local inner=$1

    teardown_tunnel
    test_ping_failure "$inner"
}
826
# Setup phase of the "ioctl" category: routers, the ipsec0 tunnel and a
# second tunnel (ipsec1) on the *_DUMMY endpoints.
# Arguments: $1 inner family, $2 outer family, $3 protocol, $4 algorithm
ioctl_setup()
{
    local inner=$1
    local outer=$2
    local proto=$3
    local algo=$4

    setup "$inner" "$outer"
    test_setup "$inner" "$outer"

    # Enable once PR kern/49219 is fixed
    #test_ping_failure

    setup_tunnel "$inner" "$outer" "$proto" "$algo"
    setup_dummy_tunnel "$inner" "$outer" "$proto" "$algo"
    # Fixed pause before the tunnel is checked.
    sleep 1
    test_setup_tunnel "$inner"
}
845
# Test phase of the "ioctl" category. Order matters:
#   1. traffic passes through ipsec0;
#   2. moving ipsec0 onto the endpoints held by ipsec1 is refused;
#   3. ipsec1 is removed;
#   4. the same move is now accepted.
# Arguments: $1 inner family, $2 outer family
ioctl_test()
{
    local inner=$1
    local outer=$2

    test_ping_success "$inner"

    test_change_tunnel_duplicate "$outer"

    teardown_dummy_tunnel
    test_change_tunnel_success "$outer"
}
858
# Teardown phase of the "ioctl" category: remove the tunnel, then verify
# that LAN-to-LAN traffic no longer passes.
# Arguments: $1 inner family; $2 (outer family) is accepted but not used.
ioctl_teardown()
{
    local inner=$1

    teardown_tunnel
    test_ping_failure "$inner"
}
867
# Setup phase of the "recursive" category: routers, the ipsec0 tunnel
# and the nested tunnels on ROUTER1.
# Arguments: $1 inner family, $2 outer family, $3 protocol, $4 algorithm
recursive_setup()
{
    local inner=$1
    local outer=$2
    local proto=$3
    local algo=$4

    setup "$inner" "$outer"
    test_setup "$inner" "$outer"

    # Enable once PR kern/49219 is fixed
    #test_ping_failure

    setup_tunnel "$inner" "$outer" "$proto" "$algo"
    setup_recursive_tunnels "$inner" "$proto" "$algo"
    # Fixed pause before the tunnel is checked.
    sleep 1
    test_setup_tunnel "$inner"
}
886
# Test phase of the "recursive" category: the nested tunnels must be
# rejected. Arguments: $1 inner family; $2 (outer family) is accepted
# but not used.
recursive_test()
{
    local inner=$1

    test_recursive_check "$inner"
}
894
# Teardown phase of the "recursive" category: nested tunnels first, then
# ipsec0. Both arguments (inner and outer family) are accepted but not
# used.
recursive_teardown()
{
    teardown_recursive_tunnels
    teardown_tunnel
}
903
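# Generate and register one ATF test case for a category/family/algorithm
# combination. The case is named
# ipsecif_<category>_<inner>over<outer>_<proto>_<algo without dashes>.
# Arguments: $1 category (selects <category>_setup/_test/_teardown),
#            $2 description text, $3 inner family, $4 outer family,
#            $5 IPsec protocol, $6 algorithm
add_test()
{
    local category=$1
    local desc=$2
    local inner=$3
    local outer=$4
    local proto=$5
    local algo=$6
    local _algo=""
    # Kept local so they do not leak into the global scope on every
    # registration.
    local name=""
    local fulldesc=""

    _algo=$(echo $algo | sed 's/-//g')
    name="ipsecif_${category}_${inner}over${outer}_${proto}_${_algo}"
    fulldesc="Does ${inner} over ${outer} if_ipsec ${desc}"

    atf_test_case ${name} cleanup

    # NOTE(review): every argument is pasted into code that eval runs.
    # That is fine for the literals passed in this file; the algorithm
    # names come from ESP_ENCRYPTION_ALGORITHMS_MINIMUM, which is defined
    # outside this file and must stay a trusted, shell-safe word list.
    eval "${name}_head() {
        atf_set descr \"${fulldesc}\"
        atf_set require.progs rump_server setkey
    }
    ${name}_body() {
        ${category}_setup ${inner} ${outer} ${proto} ${algo}
        ${category}_test ${inner} ${outer}
        ${category}_teardown ${inner} ${outer}
        rump_server_destroy_ifaces
    }
    ${name}_cleanup() {
        \$DEBUG && dump
        cleanup
    }"
    atf_add_test_case ${name}
}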
934
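# Register one category for every algorithm in
# ESP_ENCRYPTION_ALGORITHMS_MINIMUM and every inner/outer family pair
# (ipv4/ipv4, ipv4/ipv6, ipv6/ipv4, ipv6/ipv6), ESP only.
# Arguments: $1 category, $2 description text
add_test_allproto()
{
    local category=$1
    local desc=$2
    # Loop variables are local so nothing leaks into the global scope.
    local algo inner outer

    # The list is split on whitespace on purpose.
    for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
        for inner in ipv4 ipv6; do
            for outer in ipv4 ipv6; do
                add_test "${category}" "${desc}" \
                    "${inner}" "${outer}" esp "${algo}"
            done
        done
    done

    # AH is not covered here yet (original note: "ah does not support yet").
}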
949
# ATF entry point: register the static create/destroy case and the three
# generated categories (basic, ioctl, recursive).
atf_init_test_cases()
{
    atf_add_test_case ipsecif_create_destroy

    add_test_allproto basic     "basic tests"
    add_test_allproto ioctl     "ioctl tests"
    add_test_allproto recursive "recursive check tests"
}
959