# $NetBSD: t_ipsec_pfil.sh,v 1.1.4.2 2019/06/10 22:10:09 christos Exp $
#
# Copyright (c) 2019 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#

# Rump server sockets for the two routers under test.
SOCK_ROUTER1="unix://router1"
SOCK_ROUTER2="unix://router2"

# Router 1: LAN side (shmif0), WAN side (shmif1) and its ipsec0 address.
ROUTER1_LANIP="192.168.1.1"
ROUTER1_LANNET="192.168.1.0/24"
ROUTER1_WANIP="10.0.0.1"
ROUTER1_IPSECIP="172.16.1.1"

# Router 2: the mirror image of router 1.
ROUTER2_LANIP="192.168.2.1"
ROUTER2_LANNET="192.168.2.0/24"
ROUTER2_WANIP="10.0.0.2"
ROUTER2_IPSECIP="172.16.2.1"

# DEBUG is executed as a command ("$DEBUG && ...") throughout this file,
# so it must expand to "true" or "false"; taken from the environment.
DEBUG="${DEBUG:-false}"
# Seconds a single rump.ping waits for a reply.
TIMEOUT=7
# $HIJACKING with /dev/npf added to the hijacked paths, for npfctl.
# HIJACKING itself is expected to come from the sourced test helpers.
HIJACKING_NPF="${HIJACKING},blanket=/dev/npf"

#
# setup_router sock lan_ip wan_ip
#	Attach shmif0 (bus0) and shmif1 (bus1) to the rump server at sock,
#	assign lan_ip/24 to shmif0 and wan_ip/8 to shmif1, and verify each
#	address answers a local ping.  RUMP_SERVER is unset on return.
#
setup_router()
{
	local rump_sock=$1
	local lan_addr=$2
	local wan_addr=$3

	rump_server_add_iface "${rump_sock}" shmif0 bus0
	rump_server_add_iface "${rump_sock}" shmif1 bus1

	export RUMP_SERVER="${rump_sock}"
	# No duplicate address detection, so the addresses are usable at once.
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0

	# LAN side: shmif0
	atf_check -s exit:0 rump.ifconfig shmif0 inet "${lan_addr}" netmask 0xffffff00
	atf_check -s exit:0 rump.ifconfig shmif0 up
	# Ensure shmif0 is running
	atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w "${TIMEOUT}" "${lan_addr}"
	${DEBUG} && rump.ifconfig shmif0

	# WAN side: shmif1
	atf_check -s exit:0 rump.ifconfig shmif1 inet "${wan_addr}" netmask 0xff000000
	atf_check -s exit:0 rump.ifconfig shmif1 up
	# Ensure shmif1 is running
	atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w "${TIMEOUT}" "${wan_addr}"
	${DEBUG} && rump.ifconfig shmif1

	unset RUMP_SERVER
}

#
# setup_if_ipsec addr remote src dst peernet
#	Create ipsec0 on the current RUMP_SERVER as a tunnel from src to dst,
#	give it the point-to-point address addr/32 with peer remote, and
#	route peernet through the tunnel via addr.
#
setup_if_ipsec()
{
	local addr=$1
	local remote=$2
	local src=$3
	local dst=$4
	local peernet=$5

	atf_check -s exit:0 rump.ifconfig ipsec0 create
	atf_check -s exit:0 rump.ifconfig ipsec0 tunnel "${src}" "${dst}"
	atf_check -s exit:0 rump.ifconfig ipsec0 inet "${addr}/32" "${remote}"
	# The peer LAN is reached through the tunnel's own address.
	atf_check -s exit:0 -o ignore rump.route add -inet "${peernet}" "${addr}"

	${DEBUG} && rump.ifconfig ipsec0
	${DEBUG} && rump.route -nL show -inet
}

#
# get_if_ipsec_unique src proto
#	Print the "unique#" id that setkey -DP reports for the SPD entry
#	whose line starts with src and ends in "(proto)", e.g. "(ipv4)".
#	Prints an empty line when no entry matches.
#
get_if_ipsec_unique()
{
	local src=$1
	local proto=$2
	local unique=""

	# src is used as a regular expression here: its dots match any
	# character, which is harmless for the fixed addresses this file uses.
	# The unique# value sits on one of the two lines after the match.
	unique=$(${HIJACKING} setkey -DP \
	    | grep -A2 "^${src}.*(${proto})$" \
	    | grep unique \
	    | sed 's/.*unique#//')

	# Left unquoted: word-splitting collapses any whitespace in the value.
	echo $unique
}

#
# setup_if_ipsec_sa src dst inid outid proto algo
#	Install the SA pair for the ipsecif(4) tunnel between src and dst on
#	the current RUMP_SERVER: an inbound SA (dst -> src, SPI inid) and an
#	outbound SA (src -> dst, SPI outid), each bound with -u to the unique#
#	of the policy ipsecif(4) created for that direction.  Fails the test
#	case if either policy cannot be found.
#
setup_if_ipsec_sa()
{
	local src=$1
	local dst=$2
	local inid=$3
	local outid=$4
	local proto=$5
	local algo=$6

	local tmpfile=./tmp
	local inunique=""
	local outunique=""
	local algo_args

	algo_args=$(generate_algo_args "${proto}" "${algo}")

	# The inbound policy has the peer (dst) as its source address.
	inunique=$(get_if_ipsec_unique "${dst}" "ipv4")
	atf_check -s exit:0 test "X${inunique}" != "X"
	outunique=$(get_if_ipsec_unique "${src}" "ipv4")
	atf_check -s exit:0 test "X${outunique}" != "X"

	cat > "${tmpfile}" <<EOF
add ${dst} ${src} ${proto} ${inid} -u ${inunique} ${algo_args};
add ${src} ${dst} ${proto} ${outid} -u ${outunique} ${algo_args};
EOF
	${DEBUG} && cat "${tmpfile}"
	atf_check -s exit:0 -o empty ${HIJACKING} setkey -c < "${tmpfile}"
	${DEBUG} && ${HIJACKING} setkey -D
	${DEBUG} && ${HIJACKING} setkey -DP
}

#
# setup_tunnel proto algo
#	Build the ipsecif(4) tunnel between the two routers' WAN addresses:
#	configure ipsec0 and the route to the peer LAN on each router, install
#	the SAs (router 1 uses SPI 10000 inbound / 10001 outbound, router 2
#	the reverse), then confirm the tunnel carries traffic with a
#	LAN-to-LAN ping in each direction.  RUMP_SERVER is unset on return.
#
setup_tunnel()
{
	local proto=$1
	local algo=$2

	# Router 1: tunnel towards router 2, router 2's LAN routed through it.
	export RUMP_SERVER="${SOCK_ROUTER1}"
	setup_if_ipsec "${ROUTER1_IPSECIP}" "${ROUTER2_IPSECIP}" \
	    "${ROUTER1_WANIP}" "${ROUTER2_WANIP}" "${ROUTER2_LANNET}"
	setup_if_ipsec_sa "${ROUTER1_WANIP}" "${ROUTER2_WANIP}" \
	    "10000" "10001" "${proto}" "${algo}"

	# Router 2: mirror image, SPIs swapped so each side's outbound SA is
	# the other side's inbound one.
	export RUMP_SERVER="${SOCK_ROUTER2}"
	setup_if_ipsec "${ROUTER2_IPSECIP}" "${ROUTER1_IPSECIP}" \
	    "${ROUTER2_WANIP}" "${ROUTER1_WANIP}" "${ROUTER1_LANNET}"
	setup_if_ipsec_sa "${ROUTER2_WANIP}" "${ROUTER1_WANIP}" \
	    "10001" "10000" "${proto}" "${algo}"

	# Ensure ipsecif(4) settings have completed.
	export RUMP_SERVER="${SOCK_ROUTER1}"
	atf_check -s exit:0 -o ignore \
	    rump.ping -n -w "${TIMEOUT}" -c 1 -I "${ROUTER1_LANIP}" "${ROUTER2_LANIP}"

	export RUMP_SERVER="${SOCK_ROUTER2}"
	atf_check -s exit:0 -o ignore \
	    rump.ping -n -w "${TIMEOUT}" -c 1 -I "${ROUTER2_LANIP}" "${ROUTER1_LANIP}"

	unset RUMP_SERVER
}

#
# ipsecif_pfil_setup proto algo
#	Start both rump servers (with the netipsec and ipsec components, via
#	rump_server_crypto_npf_start), configure their interfaces, and bring
#	up the ipsecif(4) tunnel using proto/algo.
#
ipsecif_pfil_setup()
{
	local proto=$1
	local algo=$2
	local sock

	for sock in "${SOCK_ROUTER1}" "${SOCK_ROUTER2}"; do
		rump_server_crypto_npf_start "${sock}" netipsec ipsec
	done

	setup_router "${SOCK_ROUTER1}" "${ROUTER1_LANIP}" "${ROUTER1_WANIP}"
	setup_router "${SOCK_ROUTER2}" "${ROUTER2_LANIP}" "${ROUTER2_WANIP}"

	setup_tunnel "${proto}" "${algo}"
}

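#
# prepare_file file
#	Append 512 lines of "0123456789" to file, creating it if needed.
#	The data is appended, so calling this twice on the same path
#	doubles its size.
#
prepare_file()
{
	local file=$1
	local data="0123456789"
	local i=0

	touch -- "${file}"
	# Redirect once for the whole loop instead of reopening the file
	# 512 times; the file is still appended to, as before.
	while [ "${i}" -lt 512 ]; do
		printf '%s\n' "${data}"
		i=$((i + 1))
	done >> "${file}"
}
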
#
# build_npf_conf outfile subnet direction
#	Write an npf.conf to outfile that, on ipsec0, blocks (and logs) TCP
#	from subnet in the given direction ("in" or anything else, treated
#	as "out") and passes it in the opposite direction.  ICMP on ipsec0
#	and all traffic on shmif0/shmif1 is passed.
#
build_npf_conf()
{
	local outfile=$1
	local subnet=$2
	local direction=$3
	local reverse=

	case "${direction}" in
	in)	reverse="out" ;;
	*)	reverse="in" ;;
	esac

	# bpf.jit is switched off here; presumably the rump kernel has no
	# BPF JIT available -- TODO confirm.  "$if"/"$subnet" are npf
	# variables, hence the escaped dollars.
	cat > "${outfile}" <<EOF
set bpf.jit off
\$if = inet4(ipsec0)
\$subnet = { ${subnet} }

procedure "log0" {
log: npflog0
}

group default {
block ${direction} on \$if proto tcp from \$subnet apply "log0"
pass ${reverse} on \$if proto tcp from \$subnet
pass in on \$if proto icmp from 0.0.0.0/0
pass out on \$if proto icmp from 0.0.0.0/0
pass final on shmif0 all
pass final on shmif1 all
}
EOF
}

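#
# ipsecif_pfil_check_ping
#	Helper for ipsecif_pfil_test: ping LAN-to-LAN across the tunnel in
#	both directions and fail the test case if either gets no reply.
#	Leaves RUMP_SERVER pointing at router 2.
#
ipsecif_pfil_check_ping()
{

	export RUMP_SERVER=$SOCK_ROUTER1
	atf_check -s exit:0 -o ignore \
	    rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP $ROUTER2_LANIP

	export RUMP_SERVER=$SOCK_ROUTER2
	atf_check -s exit:0 -o ignore \
	    rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP $ROUTER1_LANIP
}

#
# ipsecif_pfil_test
#	Check that npf rules on ipsec0 take effect on ipsecif(4) traffic.
#	A TCP transfer with no filter loaded must succeed; then, with a
#	ruleset blocking TCP "out" on router 1, and again with one blocking
#	TCP "in" on router 2, ICMP must still pass while the TCP transfer
#	must fail.  Expects the tunnel from setup_tunnel to be up.
#	RUMP_SERVER is unset on return.
#
ipsecif_pfil_test()
{
	local npffile=./npf.conf
	local file_send=./file.send
	local file_recv=./file.recv
	# Covers both tunnel addresses (ROUTER1_IPSECIP and ROUTER2_IPSECIP).
	local subnet="172.16.0.0/16"

	# Try TCP communications just in case (no filter loaded yet); the
	# payload must arrive intact.
	start_nc_server $SOCK_ROUTER2 8888 $file_recv ipv4
	prepare_file $file_send
	export RUMP_SERVER=$SOCK_ROUTER1
	atf_check -s exit:0 $HIJACKING nc -w 3 $ROUTER2_IPSECIP 8888 < $file_send
	atf_check -s exit:0 diff -q $file_send $file_recv
	stop_nc_server

	# Setup npf to block *out* direction for ipsecif(4), on router 1.
	build_npf_conf $npffile $subnet "out"
	$DEBUG && cat $npffile

	export RUMP_SERVER=$SOCK_ROUTER1
	atf_check -s exit:0 $HIJACKING_NPF npfctl reload $npffile
	atf_check -s exit:0 $HIJACKING_NPF npfctl start
	$DEBUG && $HIJACKING_NPF npfctl show

	# The ruleset passes ICMP, so ping should still work ...
	ipsecif_pfil_check_ping

	# ... but TCP communications should be blocked (nc exits 1).
	start_nc_server $SOCK_ROUTER2 8888 $file_recv ipv4
	prepare_file $file_send
	export RUMP_SERVER=$SOCK_ROUTER1
	atf_check -s exit:1 -o ignore $HIJACKING nc -w 3 $ROUTER2_IPSECIP 8888 < $file_send
	stop_nc_server

	# npf was started on router 1 above, and RUMP_SERVER still points there.
	atf_check -s exit:0 $HIJACKING_NPF npfctl stop
	$DEBUG && $HIJACKING_NPF npfctl show

	# Setup npf to block *in* direction for ipsecif(4), on router 2.
	build_npf_conf $npffile $subnet "in"
	$DEBUG && cat $npffile

	export RUMP_SERVER=$SOCK_ROUTER2
	atf_check -s exit:0 $HIJACKING_NPF npfctl reload $npffile
	atf_check -s exit:0 $HIJACKING_NPF npfctl start
	$DEBUG && $HIJACKING_NPF npfctl show

	# ping should still work ...
	ipsecif_pfil_check_ping

	# ... but TCP communications should be blocked.
	start_nc_server $SOCK_ROUTER2 8888 $file_recv ipv4
	prepare_file $file_send
	export RUMP_SERVER=$SOCK_ROUTER1
	atf_check -s exit:1 -o ignore $HIJACKING nc -w 3 $ROUTER2_IPSECIP 8888 < $file_send
	stop_nc_server

	# This ruleset was started on router 2, so stop it there: the sender
	# step above left RUMP_SERVER pointing at router 1, where npf is
	# already stopped.
	export RUMP_SERVER=$SOCK_ROUTER2
	atf_check -s exit:0 $HIJACKING_NPF npfctl stop
	$DEBUG && $HIJACKING_NPF npfctl show

	unset RUMP_SERVER
}
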
#
# ipsecif_pfil_teardown
#	On each router, remove the ipsec0 tunnel and interface and flush the
#	SAs with setkey -F (its status is not checked).  RUMP_SERVER is unset
#	on return.
#
ipsecif_pfil_teardown()
{
	local sock

	for sock in "${SOCK_ROUTER1}" "${SOCK_ROUTER2}"; do
		export RUMP_SERVER="${sock}"
		atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel
		atf_check -s exit:0 rump.ifconfig ipsec0 destroy
		${HIJACKING} setkey -F
	done

	unset RUMP_SERVER
}

#
# add_test proto algo
#	Register one ATF test case, ipsecif_pfil_<proto>_<algo with dashes
#	removed>, whose body brings up the tunnel with proto/algo, runs the
#	filter checks and tears everything down.  Assigns the globals name
#	and desc as a side effect.
#
add_test()
{
	local proto=$1
	local algo=$2
	local _algo

	# Dashes are stripped so the algorithm fits in a shell function name.
	_algo=$(printf '%s' "${algo}" | sed 's/-//g')

	name="ipsecif_pfil_${proto}_${_algo}"
	desc="Does ipsecif filter tests"

	atf_test_case "${name}" cleanup
	# Define the head/body/cleanup functions ATF expects for ${name}.
	# \$DEBUG is left unexpanded so it is evaluated when cleanup runs.
	eval "${name}_head() {
		atf_set descr \"${desc}\"
		atf_set require.progs rump_server setkey
	}
	${name}_body() {
		ipsecif_pfil_setup ${proto} ${algo}
		ipsecif_pfil_test
		ipsecif_pfil_teardown
		rump_server_destroy_ifaces
	}
	${name}_cleanup() {
		\$DEBUG && dump
		cleanup
	}"
	atf_add_test_case "${name}"
}

#
# add_test_allalgo desc
#	Register an ESP test case for every algorithm listed in
#	ESP_ENCRYPTION_ALGORITHMS_MINIMUM (expected to be a space-separated
#	list from the sourced helpers).  desc is currently unused.
#
add_test_allalgo()
{
	local desc=$1

	# Word-splitting of the list is intended.
	for algo in ${ESP_ENCRYPTION_ALGORITHMS_MINIMUM}
	do
		add_test esp "${algo}"
	done

	# ah does not support yet
}

#
# atf_init_test_cases
#	ATF entry point: register the ipsecif filter test cases for every
#	supported ESP algorithm.
#
atf_init_test_cases()
{
	add_test_allalgo ipsecif_pfil
}