# $NetBSD: t_ipsec_pfil.sh,v 1.3 2020/08/05 01:10:50 knakahara Exp $
#
# Copyright (c) 2019 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
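#

# Topology: two rump-kernel routers.  On each, shmif0 (bus0) carries the
# LAN address and shmif1 (bus1) the WAN address.  The ipsecif(4) tunnel
# runs between the WAN addresses; the *_IPSECIP addresses are the tunnel
# endpoints configured on ipsec0.
SOCK_ROUTER1=unix://router1
SOCK_ROUTER2=unix://router2
ROUTER1_LANIP=192.168.1.1
ROUTER1_LANNET=192.168.1.0/24
ROUTER1_WANIP=10.0.0.1
ROUTER1_IPSECIP=172.16.1.1
ROUTER2_LANIP=192.168.2.1
ROUTER2_LANNET=192.168.2.0/24
ROUTER2_WANIP=10.0.0.2
ROUTER2_IPSECIP=172.16.2.1

DEBUG=${DEBUG:-false}
TIMEOUT=7
# Same hijack prefix as HIJACKING, plus rumphijack's blanket= option so that
# /dev/npf is routed to the rump kernel and npfctl operates on it.
HIJACKING_NPF="${HIJACKING},blanket=/dev/npf"

#
# Bring up one router: attach shmif0 to bus0 (LAN) and shmif1 to bus1 (WAN),
# assign the addresses and verify each interface answers a ping.
# Arguments: $1 rump server socket, $2 LAN address, $3 WAN address.
# Leaves RUMP_SERVER unset on return.
#
setup_router()
{
	local sock=$1
	local lan=$2
	local wan=$3

	rump_server_add_iface "$sock" shmif0 bus0
	rump_server_add_iface "$sock" shmif1 bus1

	export RUMP_SERVER=$sock
	# dad_count=0 disables duplicate address detection so the addresses
	# are usable as soon as they are configured.
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0

	atf_check -s exit:0 rump.ifconfig shmif0 inet "$lan" netmask 0xffffff00
	atf_check -s exit:0 rump.ifconfig shmif0 up
	# Ensure shmif0 is running
	atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w "$TIMEOUT" "$lan"
	$DEBUG && rump.ifconfig shmif0

	atf_check -s exit:0 rump.ifconfig shmif1 inet "$wan" netmask 0xff000000
	atf_check -s exit:0 rump.ifconfig shmif1 up
	# Ensure shmif1 is running
	atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w "$TIMEOUT" "$wan"
	$DEBUG && rump.ifconfig shmif1

	unset RUMP_SERVER
}

#
# Create ipsec0 on the current RUMP_SERVER and configure it as a
# point-to-point tunnel.
# Arguments: $1 local tunnel endpoint address, $2 remote tunnel endpoint
# address, $3 outer (WAN) source, $4 outer (WAN) destination,
# $5 peer LAN network to route via the tunnel.
#
setup_if_ipsec()
{
	local addr=$1
	local remote=$2
	local src=$3
	local dst=$4
	local peernet=$5

	rump_server_add_iface "$RUMP_SERVER" ipsec0
	atf_check -s exit:0 rump.ifconfig ipsec0 tunnel "$src" "$dst"
	atf_check -s exit:0 rump.ifconfig ipsec0 inet "${addr}/32" "$remote"
	atf_check -s exit:0 -o ignore rump.route add -inet "$peernet" "$addr"

	$DEBUG && rump.ifconfig ipsec0
	$DEBUG && rump.route -nL show -inet

	# Do not let the exit status of the last debug-only command leak out.
	return 0
}

#
# Print the "unique#" policy id of the SPD entry shown by "setkey -DP"
# whose selector line starts with $1 and ends with "($2)" (e.g. "ipv4").
# Prints an empty line if no such entry is found.
#
get_if_ipsec_unique()
{
	local src=$1
	local proto=$2
	local unique=""

	# The selector line is matched first; the "unique#<id>" is expected
	# within the two lines that follow it.
	unique=$($HIJACKING setkey -DP \
	    | grep -A2 "^${src}.*(${proto})$" \
	    | grep unique | sed 's/.*unique#//')

	printf '%s\n' "$unique"
}

#
# Install the pair of transport-mode SAs for an ipsecif(4) tunnel on the
# current RUMP_SERVER, bound (-u) to the SPD entries ipsec0 already owns.
# Arguments: $1 outer source, $2 outer destination, $3 inbound SPI,
# $4 outbound SPI, $5 protocol (esp/ah), $6 algorithm name.
#
setup_if_ipsec_sa()
{
	local src=$1
	local dst=$2
	local inid=$3
	local outid=$4
	local proto=$5
	local algo=$6

	local tmpfile=./tmp
	local inunique=""
	local outunique=""
	local algo_args=""

	algo_args=$(generate_algo_args "$proto" "$algo")

	# No spdadd is issued here: the policies were created when the tunnel
	# was configured, so look their ids up and fail early if they are gone.
	inunique=$(get_if_ipsec_unique "$dst" "ipv4")
	atf_check -s exit:0 test "X$inunique" != "X"
	outunique=$(get_if_ipsec_unique "$src" "ipv4")
	atf_check -s exit:0 test "X$outunique" != "X"

	cat > "$tmpfile" <<EOF
add $dst $src $proto $inid -u $inunique -m transport $algo_args;
add $src $dst $proto $outid -u $outunique -m transport $algo_args;
EOF
	$DEBUG && cat "$tmpfile"
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	$DEBUG && $HIJACKING setkey -D
	$DEBUG && $HIJACKING setkey -DP

	# Do not let the exit status of the last debug-only command leak out.
	return 0
}
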
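#
# Ping LAN address to LAN address through the tunnel in both directions.
# Used both to wait until the ipsecif(4) setup has settled and to confirm
# that the npf rules leave ICMP alone.  Leaves RUMP_SERVER=SOCK_ROUTER2.
#
check_lan_ping()
{
	export RUMP_SERVER=$SOCK_ROUTER1
	atf_check -s exit:0 -o ignore \
	    rump.ping -n -w "$TIMEOUT" -c 1 -I "$ROUTER1_LANIP" \
	    "$ROUTER2_LANIP"

	export RUMP_SERVER=$SOCK_ROUTER2
	atf_check -s exit:0 -o ignore \
	    rump.ping -n -w "$TIMEOUT" -c 1 -I "$ROUTER2_LANIP" \
	    "$ROUTER1_LANIP"
}

#
# Configure the ipsecif(4) tunnel on both routers: interface, route to the
# peer LAN and SAs, then wait until LAN-to-LAN pings succeed.
# Arguments: $1 protocol (esp/ah), $2 algorithm name.
#
setup_tunnel()
{
	local proto=$1
	local algo=$2

	local addr= remote= src= dst= peernet=

	export RUMP_SERVER=$SOCK_ROUTER1
	addr=$ROUTER1_IPSECIP
	remote=$ROUTER2_IPSECIP
	src=$ROUTER1_WANIP
	dst=$ROUTER2_WANIP
	peernet=$ROUTER2_LANNET
	setup_if_ipsec "$addr" "$remote" "$src" "$dst" "$peernet"
	setup_if_ipsec_sa "$src" "$dst" "10000" "10001" "$proto" "$algo"

	# Mirror image on router2: the SPIs are swapped so each side's
	# inbound SA matches the other's outbound SA.
	export RUMP_SERVER=$SOCK_ROUTER2
	addr=$ROUTER2_IPSECIP
	remote=$ROUTER1_IPSECIP
	src=$ROUTER2_WANIP
	dst=$ROUTER1_WANIP
	peernet=$ROUTER1_LANNET
	setup_if_ipsec "$addr" "$remote" "$src" "$dst" "$peernet"
	setup_if_ipsec_sa "$src" "$dst" "10001" "10000" "$proto" "$algo"

	# Ensure ipsecif(4) settings have completed.
	check_lan_ping

	unset RUMP_SERVER
}

#
# Start both routers with crypto and npf, bring up their interfaces and the
# tunnel.  Arguments: $1 protocol (esp/ah), $2 algorithm name.
#
ipsecif_pfil_setup()
{
	local proto=$1
	local algo=$2

	rump_server_crypto_npf_start "$SOCK_ROUTER1" netipsec ipsec
	rump_server_crypto_npf_start "$SOCK_ROUTER2" netipsec ipsec

	setup_router "$SOCK_ROUTER1" "$ROUTER1_LANIP" "$ROUTER1_WANIP"
	setup_router "$SOCK_ROUTER2" "$ROUTER2_LANIP" "$ROUTER2_WANIP"

	setup_tunnel "$proto" "$algo"
}

#
# (Re)create $1 with 512 lines of "0123456789" as TCP payload.
# The file is truncated first: this is called several times with the same
# path, and appending would otherwise grow it on every call.
#
prepare_file()
{
	local file=$1
	local data="0123456789"
	local i=0

	while [ "$i" -lt 512 ]; do
		printf '%s\n' "$data"
		i=$((i + 1))
	done > "$file"
}

#
# Write an npf.conf to $1 that, on ipsec0, blocks TCP from $2 in direction
# $3 ("in" or "out", logged to npflog0) and passes it in the other
# direction, passes ICMP both ways, and passes everything on shmif0/shmif1
# so that only the tunnel interface is filtered.
#
build_npf_conf()
{
	local outfile=$1
	local subnet=$2
	local direction=$3

	local reverse=
	if [ "X${direction}" = "Xin" ] ; then
		reverse="out"
	else
		reverse="in"
	fi

	cat > "$outfile" <<EOF
set bpf.jit off
\$if = inet4(ipsec0)
\$subnet = { $subnet }

procedure "log0" {
log: npflog0
}

group default {
block $direction on \$if proto tcp from \$subnet apply "log0"
pass $reverse on \$if proto tcp from \$subnet
pass in on \$if proto icmp from 0.0.0.0/0
pass out on \$if proto icmp from 0.0.0.0/0
pass final on shmif0 all
pass final on shmif1 all
}
EOF
}

#
# Send $1 from router1 to an nc server on router2 via the tunnel address
# and expect the connection to fail (exit 1) because npf blocks TCP.
# Arguments: $1 file to send, $2 file the server writes to.
# Leaves RUMP_SERVER=SOCK_ROUTER1.
#
check_tcp_blocked()
{
	local file_send=$1
	local file_recv=$2

	start_nc_server "$SOCK_ROUTER2" 8888 "$file_recv" ipv4
	prepare_file "$file_send"
	export RUMP_SERVER=$SOCK_ROUTER1
	atf_check -s exit:1 -o ignore $HIJACKING nc -w 3 "$ROUTER2_IPSECIP" 8888 < "$file_send"
	stop_nc_server
}

#
# Verify that npf rules attached to ipsec0 filter the decapsulated traffic:
# first that TCP works with no rules, then that blocking "out" on router1
# and blocking "in" on router2 each stop TCP while ICMP still passes.
#
ipsecif_pfil_test()
{
	local npffile=./npf.conf
	local file_send=./file.send
	local file_recv=./file.recv

	local subnet="172.16.0.0/16"

	# Try TCP communications just in case.
	start_nc_server "$SOCK_ROUTER2" 8888 "$file_recv" ipv4
	prepare_file "$file_send"
	export RUMP_SERVER=$SOCK_ROUTER1
	atf_check -s exit:0 $HIJACKING nc -w 3 "$ROUTER2_IPSECIP" 8888 < "$file_send"
	atf_check -s exit:0 diff -q "$file_send" "$file_recv"
	stop_nc_server

	# Setup npf to block *out* direction for ipsecif(4).
	build_npf_conf "$npffile" "$subnet" "out"
	$DEBUG && cat "$npffile"

	export RUMP_SERVER=$SOCK_ROUTER1
	atf_check -s exit:0 $HIJACKING_NPF npfctl reload "$npffile"
	atf_check -s exit:0 $HIJACKING_NPF npfctl start
	$DEBUG && $HIJACKING_NPF npfctl show

	# ping should still work
	check_lan_ping

	# TCP communications should be blocked.
	check_tcp_blocked "$file_send" "$file_recv"

	atf_check -s exit:0 $HIJACKING_NPF npfctl stop
	$DEBUG && $HIJACKING_NPF npfctl show

	# Setup npf to block *in* direction for ipsecif(4).
	build_npf_conf "$npffile" "$subnet" "in"
	$DEBUG && cat "$npffile"

	export RUMP_SERVER=$SOCK_ROUTER2
	atf_check -s exit:0 $HIJACKING_NPF npfctl reload "$npffile"
	atf_check -s exit:0 $HIJACKING_NPF npfctl start
	$DEBUG && $HIJACKING_NPF npfctl show

	# ping should still work.
	check_lan_ping

	# TCP communications should be blocked.
	check_tcp_blocked "$file_send" "$file_recv"

	export RUMP_SERVER=$SOCK_ROUTER2
	atf_check -s exit:0 $HIJACKING_NPF npfctl stop
	$DEBUG && $HIJACKING_NPF npfctl show

	unset RUMP_SERVER
}

#
# Remove the tunnel and flush the SAD on both routers.
#
ipsecif_pfil_teardown()
{
	local sock

	for sock in "$SOCK_ROUTER1" "$SOCK_ROUTER2"; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel
		atf_check -s exit:0 rump.ifconfig ipsec0 destroy
		# Not wrapped in atf_check, so a flush failure does not
		# turn into a test failure.
		$HIJACKING setkey -F
	done

	unset RUMP_SERVER
}

#
# Register one test case "ipsecif_pfil_<proto>_<algo>" (dashes removed
# from the algorithm name).  The _head/_body/_cleanup functions must carry
# the test case name, hence the eval.
# Arguments: $1 protocol (esp/ah), $2 algorithm name.
#
add_test()
{
	local proto=$1
	local algo=$2
	local _algo name desc

	_algo=$(printf '%s\n' "$algo" | sed 's/-//g')
	name="ipsecif_pfil_${proto}_${_algo}"
	desc="Does ipsecif filter tests"

	atf_test_case "${name}" cleanup
	eval "${name}_head() {
	    atf_set descr \"${desc}\"
	    atf_set require.progs rump_server setkey
	}
	${name}_body() {
	    ipsecif_pfil_setup ${proto} ${algo}
	    ipsecif_pfil_test
	    ipsecif_pfil_teardown
	    rump_server_destroy_ifaces
	}
	${name}_cleanup() {
	    \$DEBUG && dump
	    cleanup
	}"
	atf_add_test_case "${name}"
}

#
# Add one ESP test case per algorithm in ESP_ENCRYPTION_ALGORITHMS_MINIMUM.
# $1 is accepted for call-site compatibility but not used.
#
add_test_allalgo()
{
	local algo

	# Word-splitting of the list is intended.
	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		add_test esp "$algo"
	done

	# ah does not support yet
}

atf_init_test_cases()
{

	add_test_allalgo ipsecif_pfil
}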