t_ipsec_natt.sh revision 1.1
1 # $NetBSD: t_ipsec_natt.sh,v 1.1 2018/12/25 03:54:44 knakahara Exp $ 2 # 3 # Copyright (c) 2018 Internet Initiative Japan Inc. 4 # All rights reserved. 5 # 6 # Redistribution and use in source and binary forms, with or without 7 # modification, are permitted provided that the following conditions 8 # are met: 9 # 1. Redistributions of source code must retain the above copyright 10 # notice, this list of conditions and the following disclaimer. 11 # 2. Redistributions in binary form must reproduce the above copyright 12 # notice, this list of conditions and the following disclaimer in the 13 # documentation and/or other materials provided with the distribution. 14 # 15 # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 16 # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 17 # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 18 # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 19 # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20 # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21 # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 22 # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 23 # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 24 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25 # POSSIBILITY OF SUCH DAMAGE. 26 # 27 28 SOCK_LOCAL=unix://ipsec_natt_local 29 SOCK_NAT=unix://ipsec_natt_nat 30 SOCK_REMOTE=unix://ipsec_natt_remote 31 BUS_LOCAL=./bus_ipsec_natt_local 32 BUS_NAT=./bus_ipsec_natt_nat 33 34 DEBUG=${DEBUG:-false} 35 HIJACKING_NPF="${HIJACKING},blanket=/dev/npf" 36 37 setup_servers() 38 { 39 40 rump_server_crypto_start $SOCK_LOCAL netipsec ipsec 41 rump_server_npf_start $SOCK_NAT 42 rump_server_crypto_start $SOCK_REMOTE netipsec ipsec 43 rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL 44 rump_server_add_iface $SOCK_NAT shmif0 $BUS_LOCAL 45 rump_server_add_iface $SOCK_NAT shmif1 $BUS_NAT 46 rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_NAT 47 } 48 49 setup_ipsecif() 50 { 51 local sock=$1 52 local ifid=$2 53 local src_ip=$3 54 local src_port=$4 55 local dst_ip=$5 56 local dst_port=$6 57 local ipsecif_ip=$7 58 local peer_ip=$8 59 60 export RUMP_SERVER=$sock 61 atf_check -s exit:0 rump.ifconfig ipsec$ifid create 62 atf_check -s exit:0 rump.ifconfig ipsec$ifid link0 # enable NAT-T 63 atf_check -s exit:0 rump.ifconfig ipsec$ifid tunnel ${src_ip},${src_port} ${dst_ip},${dst_port} 64 atf_check -s exit:0 rump.ifconfig ipsec$ifid ${ipsecif_ip}/32 65 atf_check -s exit:0 -o ignore \ 66 rump.route -n add ${peer_ip}/32 $ipsecif_ip 67 } 68 69 add_sa() 70 { 71 local sock=$1 72 local proto=$2 73 local algo_args="$3" 74 local src_ip=$4 75 local src_port=$5 76 local dst_ip=$6 77 local dst_port=$7 78 local out_spi=$8 79 local in_spi=$9 80 local tmpfile=./tmp 81 82 export RUMP_SERVER=$sock 83 cat > $tmpfile <<-EOF 84 add $src_ip [$src_port] $dst_ip [$dst_port] $proto $out_spi -m transport $algo_args; 85 add $dst_ip [$dst_port] $src_ip [$src_port] $proto $in_spi -m transport $algo_args; 86 EOF 87 $DEBUG && cat $tmpfile 88 atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile 89 # XXX it can be expired if $lifetime is very short 90 #check_sa_entries $SOCK_LOCAL $ip_local $ip_remote 91 } 92 93 prepare_file() 94 { 95 local file=$1 96 local data="0123456789" 97 98 touch $file 99 for i in `seq 1 512` 100 do 101 echo $data >> $file 102 done 103 } 104 105 build_npf_conf() 106 { 107 local outfile=$1 108 local localnet=$2 109 110 cat > $outfile <<-EOF 111 set bpf.jit off 112 \$int_if = inet4(shmif0) 113 \$ext_if = inet4(shmif1) 114 \$localnet = { $localnet } 115 map \$ext_if dynamic \$localnet -> \$ext_if 116 group "external" on \$ext_if { 117 pass stateful out final all 118 } 119 group "internal" on \$int_if { 120 block in all 121 pass in final from \$localnet 122 pass out final all 123 } 124 group default { 125 pass final on lo0 all 126 block all 127 } 128 EOF 129 } 130 131 PIDSFILE=./terminator.pids 132 start_natt_terminator() 133 { 134 local sock=$1 135 local ip=$2 136 local port=$3 137 local pidsfile=$4 138 local backup=$RUMP_SERVER 139 local pid= 140 local terminator="$(atf_get_srcdir)/../ipsec/natt_terminator" 141 142 export RUMP_SERVER=$sock 143 144 env LD_PRELOAD=/usr/lib/librumphijack.so \ 145 $terminator $ip $port & 146 pid=$! 147 if [ ! -f $PIDSFILE ]; then 148 touch $PIDSFILE 149 fi 150 echo $pid >> $PIDSFILE 151 152 $DEBUG && rump.netstat -a -f inet 153 154 export RUMP_SERVER=$backup 155 156 sleep 1 157 } 158 159 stop_natt_terminators() 160 { 161 local pid= 162 163 if [ ! -f $PIDSFILE ]; then 164 return 165 fi 166 167 for pid in $(cat $PIDSFILE); do 168 kill -9 $pid 169 done 170 rm -f $PIDSFILE 171 } 172 173 check_ping_packets() 174 { 175 local sock=$1 176 local bus=$2 177 local from_ip=$3 178 local to_ip=$4 179 180 local outfile=./out.ping 181 182 extract_new_packets $bus > $outfile 183 184 export RUMP_SERVER=$sock 185 atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $to_ip 186 187 extract_new_packets $bus > $outfile 188 $DEBUG && cat $outfile 189 atf_check -s exit:0 \ 190 -o match:"$from_ip > $to_ip: ICMP echo request" \ 191 cat $outfile 192 atf_check -s exit:0 \ 193 -o match:"$to_ip > $from_ip: ICMP echo reply" \ 194 cat $outfile 195 } 196 197 check_ping_packets_over_ipsecif() 198 { 199 local sock=$1 200 local bus=$2 201 local to_ip=$3 202 local nat_from_ip=$4 203 local nat_from_port=$5 204 local nat_to_ip=$6 205 local nat_to_port=$7 206 207 local outfile=./out.ping_over_ipsecif 208 209 extract_new_packets $bus > $outfile 210 211 export RUMP_SERVER=$sock 212 atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 7 $to_ip 213 214 # Check both ports and UDP encapsulation 215 extract_new_packets $bus > $outfile 216 $DEBUG && cat $outfile 217 atf_check -s exit:0 \ 218 -o match:"${nat_from_ip}\.$nat_from_port > ${nat_to_ip}\.${nat_to_port}: UDP-encap" \ 219 cat $outfile 220 atf_check -s exit:0 \ 221 -o match:"${nat_to_ip}\.${nat_to_port} > ${nat_from_ip}\.${nat_from_port}: UDP-encap" \ 222 cat $outfile 223 } 224 225 check_tcp_com_prepare() 226 { 227 local server_sock=$1 228 local client_sock=$2 229 local bus=$3 230 local to_ip=$4 231 local nat_from_ip=$5 232 local nat_to_ip=$6 233 234 local outfile=./out.prepare 235 local file_send=./file.send.prepare 236 local file_recv=./file.recv.prepare 237 238 extract_new_packets $bus > $outfile 239 240 start_nc_server $server_sock 4501 $file_recv ipv4 241 242 prepare_file $file_send 243 export RUMP_SERVER=$client_sock 244 atf_check -s exit:0 $HIJACKING nc -w 3 $to_ip 4501 < $file_send 245 atf_check -s exit:0 diff -q $file_send $file_recv 246 extract_new_packets $bus > $outfile 247 $DEBUG && cat $outfile 248 atf_check -s exit:0 \ 249 -o match:"${nat_from_ip}\.[0-9]+ > ${nat_to_ip}\.4501" \ 250 cat $outfile 251 atf_check -s exit:0 \ 252 -o match:"${nat_to_ip}\.4501 > ${nat_from_ip}\.[0-9]+" \ 253 cat $outfile 254 255 stop_nc_server 256 } 257 258 check_tcp_com_over_ipsecif() 259 { 260 local server_sock=$1 261 local client_sock=$2 262 local bus=$3 263 local to_ip=$4 264 local nat_from_ip=$5 265 local nat_from_port=$6 266 local nat_to_ip=$7 267 local nat_to_port=$8 268 269 local outfile=./out.ipsecif 270 local file_send=./file.send.ipsecif 271 local file_recv=./file.recv.ipsecif 272 273 extract_new_packets $bus > $outfile 274 275 start_nc_server $server_sock 4501 $file_recv ipv4 276 prepare_file $file_send 277 export RUMP_SERVER=$client_sock 278 atf_check -s exit:0 -o ignore $HIJACKING nc -w 7 $to_ip 4501 < $file_send 279 atf_check -s exit:0 diff -q $file_send $file_recv 280 stop_nc_server 281 282 # Check both ports and UDP encapsulation 283 extract_new_packets $bus > $outfile 284 $DEBUG && cat $outfile 285 atf_check -s exit:0 \ 286 -o match:"${nat_from_ip}\.$nat_from_port > ${nat_to_ip}\.${nat_to_port}: UDP-encap" \ 287 cat $outfile 288 atf_check -s exit:0 \ 289 -o match:"${nat_to_ip}\.${nat_to_port} > ${nat_from_ip}\.${nat_from_port}: UDP-encap" \ 290 cat $outfile 291 } 292 293 test_ipsecif_natt_transport() 294 { 295 local algo=$1 296 local ip_local=192.168.0.2 297 local ip_nat_local=192.168.0.1 298 local ip_nat_remote=10.0.0.1 299 local ip_remote=10.0.0.2 300 local subnet_local=192.168.0.0 301 local ip_local_ipsecif=172.16.100.1 302 local ip_remote_ipsecif=172.16.10.1 303 304 local npffile=./npf.conf 305 local file_send=./file.send 306 local algo_args="$(generate_algo_args esp-udp $algo)" 307 local pid= port= 308 309 setup_servers 310 311 export RUMP_SERVER=$SOCK_LOCAL 312 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 313 atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24 314 atf_check -s exit:0 -o ignore \ 315 rump.route -n add default $ip_nat_local 316 317 export RUMP_SERVER=$SOCK_NAT 318 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 319 atf_check -s exit:0 rump.ifconfig shmif0 $ip_nat_local/24 320 atf_check -s exit:0 rump.ifconfig shmif1 $ip_nat_remote/24 321 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1 322 323 export RUMP_SERVER=$SOCK_REMOTE 324 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 325 atf_check -s exit:0 rump.ifconfig shmif0 $ip_remote/24 326 atf_check -s exit:0 -o ignore \ 327 rump.route -n add -net $subnet_local $ip_nat_remote 328 329 # There is no NAT/NAPT. ping should just work. 330 check_ping_packets $SOCK_LOCAL $BUS_NAT $ip_local $ip_remote 331 332 # Setup an NAPT with npf 333 build_npf_conf $npffile "$subnet_local/24" 334 335 export RUMP_SERVER=$SOCK_NAT 336 atf_check -s exit:0 $HIJACKING_NPF npfctl reload $npffile 337 atf_check -s exit:0 $HIJACKING_NPF npfctl start 338 $DEBUG && ${HIJACKING},"blanket=/dev/npf" npfctl show 339 340 # There is an NAPT. ping works but source IP/port are translated 341 check_ping_packets $SOCK_LOCAL $BUS_NAT $ip_nat_remote $ip_remote 342 343 # Try TCP communications just in case 344 check_tcp_com_prepare $SOCK_REMOTE $SOCK_LOCAL $BUS_NAT \ 345 $ip_remote $ip_nat_remote $ip_remote 346 347 # Launch a nc server as a terminator of NAT-T on outside the NAPT 348 start_natt_terminator $SOCK_REMOTE $ip_remote 4500 349 echo zzz > $file_send 350 351 352 export RUMP_SERVER=$SOCK_LOCAL 353 # Send a UDP packet to the remote server at port 4500 from the local 354 # host of port 4500. This makes a mapping on the NAPT between them 355 atf_check -s exit:0 $HIJACKING \ 356 nc -u -w 3 -p 4500 $ip_remote 4500 < $file_send 357 # Launch a nc server as a terminator of NAT-T on inside the NAPT, 358 # taking over port 4500 of the local host. 359 start_natt_terminator $SOCK_LOCAL $ip_local 4500 360 361 # We need to keep the servers for NAT-T 362 363 export RUMP_SERVER=$SOCK_LOCAL 364 $DEBUG && rump.netstat -na -f inet 365 export RUMP_SERVER=$SOCK_REMOTE 366 $DEBUG && rump.netstat -na -f inet 367 368 # Get a translated port number from 4500 on the NAPT 369 export RUMP_SERVER=$SOCK_NAT 370 $DEBUG && $HIJACKING_NPF npfctl list 371 # 192.168.0.2:4500 10.0.0.2:4500 via shmif1:65248 372 port=$($HIJACKING_NPF npfctl list | grep $ip_local | awk -F 'shmif1:' '/4500/ {print $2;}') 373 $DEBUG && echo port=$port 374 if [ -z "$port" ]; then 375 atf_fail "Failed to get a traslated port on NAPT" 376 fi 377 378 # Setup ESP-UDP ipsecif(4) for first client under NAPT 379 setup_ipsecif $SOCK_LOCAL 0 $ip_local 4500 $ip_remote 4500 \ 380 $ip_local_ipsecif $ip_remote_ipsecif 381 setup_ipsecif $SOCK_REMOTE 0 $ip_remote 4500 $ip_nat_remote $port \ 382 $ip_remote_ipsecif $ip_local_ipsecif 383 384 add_sa $SOCK_LOCAL "esp-udp" "$algo_args" \ 385 $ip_local 4500 $ip_remote 4500 10000 10001 386 add_sa $SOCK_REMOTE "esp-udp" "$algo_args" \ 387 $ip_remote 4500 $ip_nat_remote $port 10001 10000 388 389 export RUMP_SERVER=$SOCK_LOCAL 390 # ping should still work 391 atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote 392 393 # Try ping over the ESP-UDP ipsecif(4) 394 check_ping_packets_over_ipsecif $SOCK_LOCAL $BUS_NAT \ 395 $ip_remote_ipsecif $ip_nat_remote $port $ip_remote 4500 396 397 # Try TCP communications over the ESP-UDP ipsecif(4) 398 check_tcp_com_over_ipsecif $SOCK_REMOTE $SOCK_LOCAL $BUS_NAT \ 399 $ip_remote_ipsecif $ip_nat_remote $port $ip_remote 4500 400 401 # Kill the NAT-T terminator 402 stop_natt_terminators 403 } 404 405 add_test_ipsecif_natt_transport() 406 { 407 local algo=$1 408 local _algo=$(echo $algo | sed 's/-//g') 409 local name= desc= 410 411 desc="Test ipsecif(4) NAT-T ($algo)" 412 name="ipsecif_natt_transport_${_algo}" 413 414 atf_test_case ${name} cleanup 415 eval " 416 ${name}_head() { 417 atf_set descr \"$desc\" 418 atf_set require.progs rump_server setkey nc 419 } 420 ${name}_body() { 421 test_ipsecif_natt_transport $algo 422 rump_server_destroy_ifaces 423 } 424 ${name}_cleanup() { 425 stop_nc_server 426 stop_natt_terminators 427 \$DEBUG && dump 428 cleanup 429 } 430 " 431 atf_add_test_case ${name} 432 } 433 434 atf_init_test_cases() 435 { 436 local algo= 437 438 for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do 439 add_test_ipsecif_natt_transport $algo 440 done 441 } 442
Indexes created Tue Sep 23 07:09:52 GMT 2025