      1 #       $NetBSD: t_ipsec_forwarding.sh,v 1.2 2022/11/24 02:58:28 knakahara Exp $
      2 #
      3 # Copyright (c) 2022 Internet Initiative Japan Inc.
      4 # All rights reserved.
      5 #
      6 # Redistribution and use in source and binary forms, with or without
      7 # modification, are permitted provided that the following conditions
      8 # are met:
      9 # 1. Redistributions of source code must retain the above copyright
     10 #    notice, this list of conditions and the following disclaimer.
     11 # 2. Redistributions in binary form must reproduce the above copyright
     12 #    notice, this list of conditions and the following disclaimer in the
     13 #    documentation and/or other materials provided with the distribution.
     14 #
     15 # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
     16 # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
     17 # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     18 # PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
     19 # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
     20 # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
     21 # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
     22 # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
     23 # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     24 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
     25 # POSSIBILITY OF SUCH DAMAGE.
     26 #
     27 
# One rump kernel per role in the local -> forward -> remote topology.
SOCK_LOCAL=unix://ipsec_local
SOCK_FORWARD=unix://ipsec_forward
SOCK_REMOTE=unix://ipsec_remote
# shmif buses: *_I are the inner (host-side) links, *_F the links that
# carry traffic to/from the forwarding kernel.
BUS_LOCAL_I=./bus_ipsec_local
BUS_LOCAL_F=./bus_ipsec_local_forward
BUS_REMOTE_F=./bus_ipsec_remote_forward
BUS_REMOTE_I=./bus_ipsec_remote

# DEBUG=true in the environment makes the helpers dump setkey state and
# captured packets (including the SA key material) to the test output.
: "${DEBUG:=false}"
     37 
# Start the three IPv4 rump kernels and wire their shmif interfaces:
#   local:   shmif0 -> BUS_LOCAL_F (towards forward), shmif1 -> BUS_LOCAL_I
#   forward: shmif0 -> BUS_LOCAL_F (towards local),  shmif1 -> BUS_REMOTE_F
#   remote:  shmif0 -> BUS_REMOTE_F (towards forward), shmif1 -> BUS_REMOTE_I
setup_servers_ipv4()
{
	local sock=

	# All kernels are started with netipsec before any interface is added.
	for sock in $SOCK_LOCAL $SOCK_FORWARD $SOCK_REMOTE; do
		rump_server_crypto_start $sock netipsec
	done

	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL_F
	rump_server_add_iface $SOCK_LOCAL shmif1 $BUS_LOCAL_I

	rump_server_add_iface $SOCK_FORWARD shmif0 $BUS_LOCAL_F
	rump_server_add_iface $SOCK_FORWARD shmif1 $BUS_REMOTE_F

	rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_REMOTE_F
	rump_server_add_iface $SOCK_REMOTE shmif1 $BUS_REMOTE_I
}
     51 
# IPv6 variant of setup_servers_ipv4: identical topology, but every kernel
# is started with netinet6 in addition to netipsec.
setup_servers_ipv6()
{
	local sock=

	for sock in $SOCK_LOCAL $SOCK_FORWARD $SOCK_REMOTE; do
		rump_server_crypto_start $sock netipsec netinet6
	done

	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL_F
	rump_server_add_iface $SOCK_LOCAL shmif1 $BUS_LOCAL_I

	rump_server_add_iface $SOCK_FORWARD shmif0 $BUS_LOCAL_F
	rump_server_add_iface $SOCK_FORWARD shmif1 $BUS_REMOTE_F

	rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_REMOTE_F
	rump_server_add_iface $SOCK_REMOTE shmif1 $BUS_REMOTE_I
}
     65 
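# Dispatch to the per-family server setup.
# $1: "ipv4" or "ipv6".  Anything else is reported through atf_fail instead
#     of surfacing later as a confusing "setup_servers_xxx: not found".
setup_servers()
{
	local proto=$1

	case $proto in
	ipv4|ipv6)
		setup_servers_$proto
		;;
	*)
		atf_fail "setup_servers: unsupported protocol '$proto'"
		;;
	esac
}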
     72 
# Install the security policies for a port-selected tunnel on both tunnel
# endpoints (the local kernel and the forwarding kernel).
# $1 proto        esp/ah (used in the "ipsec proto/tunnel/..." policy)
# $2 algo_args    accepted for call symmetry with add_sa; not used by SPs
# $3 tunnel_src   outer address on the local side
# $4 tunnel_dst   outer address on the forwarder side
# $5 subnet_src   inner selector on the local side
# $6 subnet_dst   inner selector on the remote side
# $7 port_src     TCP port selector for subnet_src ("any" allowed)
# $8 port_dst     TCP port selector for subnet_dst
# The selector is "tcp" only, so non-TCP traffic (e.g. the ICMP probes in
# the tests) is left unprotected on purpose.
setup_sp_port()
{
	local proto=$1
	local algo_args="$2"
	local tunnel_src=$3
	local tunnel_dst=$4
	local subnet_src=$5
	local subnet_dst=$6
	local port_src=$7
	local port_dst=$8
	local spdfile=./tmp
	local sel_fwd= sel_rev= tun_fwd= tun_rev=

	# "fwd" is local -> remote, "rev" the mirror image; which one is
	# "out" depends on which endpoint the policy is loaded into.
	sel_fwd="$subnet_src[$port_src] $subnet_dst[$port_dst] tcp"
	sel_rev="$subnet_dst[$port_dst] $subnet_src[$port_src] tcp"
	tun_fwd="$proto/tunnel/$tunnel_src-$tunnel_dst/require"
	tun_rev="$proto/tunnel/$tunnel_dst-$tunnel_src/require"

	export RUMP_SERVER=$SOCK_LOCAL
	printf '%s\n' \
	    "spdadd $sel_fwd -P out ipsec $tun_fwd;" \
	    "spdadd $sel_rev -P in ipsec $tun_rev;" > $spdfile
	$DEBUG && cat $spdfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $spdfile
	$DEBUG && $HIJACKING setkey -DP

	export RUMP_SERVER=$SOCK_FORWARD
	printf '%s\n' \
	    "spdadd $sel_rev -P out ipsec $tun_rev;" \
	    "spdadd $sel_fwd -P in ipsec $tun_fwd;" > $spdfile
	$DEBUG && cat $spdfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $spdfile
	$DEBUG && $HIJACKING setkey -DP
}
    103 
# Install the SA pair for the tunnel on both endpoints.
# $1 proto        esp/ah
# $2 algo_args    cipher/auth spec plus the test keys, as produced by
#                 generate_algo_args; it ends up in the setkey script and is
#                 only echoed when DEBUG is on
# $3 tunnel_src   outer address on the local side
# $4 tunnel_dst   outer address on the forwarder side
# $5 spi          SPI for src->dst; spi+1 is used for the reverse SA
# $6 port_src     NAT-T/port selector for tunnel_src
# $7 port_dst     NAT-T/port selector for tunnel_dst
add_sa()
{
	local proto=$1
	local algo_args="$2"
	local tunnel_src=$3
	local tunnel_dst=$4
	local spi=$5
	local port_src=$6
	local port_dst=$7
	local safile=./tmp
	local sock=

	# The same two SAs are loaded into the local and the forwarding
	# kernel, in that order.
	for sock in $SOCK_LOCAL $SOCK_FORWARD; do
		export RUMP_SERVER=$sock
		printf '%s\n' \
		    "add $tunnel_src [$port_src] $tunnel_dst [$port_dst] $proto $((spi)) $algo_args;" \
		    "add $tunnel_dst [$port_dst] $tunnel_src [$port_src] $proto $((spi + 1)) $algo_args;" \
		    > $safile
		$DEBUG && cat $safile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $safile
		$DEBUG && $HIJACKING setkey -D
	done
	# XXX SA entries are not verified here: with a very short lifetime
	# they could already have expired by the time we look.
	#check_sa_entries $SOCK_LOCAL $ip_local $ip_remote
}
    135 
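# Create a file of known content to push through the tunnel.
# $1 file    path to (re)create
# $2 count   number of "0123456789" lines to write; defaults to 512
# The file is truncated first: the tests call this once per transfer with
# the same path, and appending (as "touch; >>" did) made the second transfer
# twice as large as the first.
prepare_file()
{
	local file=$1
	local count=${2:-512}
	local data="0123456789"
	local i=0

	while [ "$i" -lt "$count" ]; do
		echo "$data"
		i=$((i + 1))
	done > "$file"
}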
    147 
# IPv4: verify that a tunnel-mode SP selecting on a TCP port is enforced when
# the traffic crosses a forwarding kernel.
#
#   local(shmif1=ip_local_i) --BUS_LOCAL_F-- forward --BUS_REMOTE_F-- remote(shmif1=ip_remote_i)
#
# The tunnel runs between ip_local_i and ip_forward_r.  Before SP/SA are
# installed, ICMP and TCP must be visible in the clear on both buses; after
# installation, TCP to $port must appear as ESP on BUS_LOCAL_F and in the
# clear again on BUS_REMOTE_F (i.e. the forwarder decapsulated it).
# $1: ESP encryption algorithm name accepted by generate_algo_args.
test_ipsec_sp_port_ipv4()
{

	local algo=$1
	local ip_local_i=192.168.11.1
	local ip_local_i_subnet=192.168.11.0/24
	local ip_local_f=10.22.22.2
	local ip_local_f_subnet=10.22.22.0/24
	local ip_forward_l=10.22.22.1
	local ip_forward_l_subnet=10.22.22.0/24
	local ip_forward_r=10.33.33.1
	local ip_forward_r_subnet=10.33.33.0/24
	local ip_remote_f=10.33.33.2
	local ip_remote_f_subnet=10.33.33.0/24
	local ip_remote_i=192.168.44.1
	local ip_remote_i_subnet=192.168.44.0/24
	local port=1234
	local loutfile=./out_local
	local routfile=./out_remote
	local file_send=./file.send
	local file_recv=./file.recv
	# algo_args carries the cipher spec and test keys handed to setkey.
	local algo_args="$(generate_algo_args esp $algo)"
	# NOTE: pid and the *_f/*_l/*_r _subnet locals are not used below.
	local pid=

	setup_servers ipv4

	# local: inner address on shmif1, default route via the forwarder.
	# dad_count=0 disables duplicate address detection so the addresses
	# are usable immediately.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet $ip_local_f/24
	atf_check -s exit:0 rump.ifconfig shmif1 inet $ip_local_i/24
	atf_check -s exit:0 -o ignore \
	    rump.route add -inet default $ip_forward_l

	# forward: routes to both inner subnets and IP forwarding enabled.
	export RUMP_SERVER=$SOCK_FORWARD
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1
	atf_check -s exit:0 rump.ifconfig shmif0 inet $ip_forward_l/24
	atf_check -s exit:0 rump.ifconfig shmif1 inet $ip_forward_r/24
	atf_check -s exit:0 -o ignore \
	    rump.route add -inet $ip_local_i_subnet $ip_local_f
	atf_check -s exit:0 -o ignore \
	    rump.route add -inet $ip_remote_i_subnet $ip_remote_f

	# remote: inner address on shmif1, default route via the forwarder.
	export RUMP_SERVER=$SOCK_REMOTE
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet $ip_remote_f/24
	atf_check -s exit:0 rump.ifconfig shmif1 inet $ip_remote_i/24
	atf_check -s exit:0 -o ignore \
	    rump.route add -inet default $ip_forward_r

	# Flush what the buses captured during setup; the next extraction
	# should then (presumably) contain only the ping below.
	extract_new_packets $BUS_LOCAL_F > $loutfile
	extract_new_packets $BUS_REMOTE_F > $routfile

	# Plain connectivity check, inner to inner, before any IPsec state
	# exists.  -I pins the source to ip_local_i so the expected
	# "src > dst" strings below match.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 -I $ip_local_i \
		  $ip_remote_i

	# Both legs must show the cleartext echo request and reply.
	extract_new_packets $BUS_LOCAL_F > $loutfile
	extract_new_packets $BUS_REMOTE_F > $routfile
	$DEBUG && cat $loutfile
	atf_check -s exit:0 \
	    -o match:"$ip_local_i > $ip_remote_i: ICMP echo request" \
	    cat $loutfile
	atf_check -s exit:0 \
	    -o match:"$ip_remote_i > $ip_local_i: ICMP echo reply" \
	    cat $loutfile
	$DEBUG && cat $routfile
	atf_check -s exit:0 \
	    -o match:"$ip_local_i > $ip_remote_i: ICMP echo request" \
	    cat $routfile
	atf_check -s exit:0 \
	    -o match:"$ip_remote_i > $ip_local_i: ICMP echo reply" \
	    cat $routfile

	# Try TCP communications just in case
	# The nc server on remote stores what it receives in $file_recv,
	# which is then compared against the file that was sent.
	start_nc_server $SOCK_REMOTE $port $file_recv ipv4
	prepare_file $file_send
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 $HIJACKING nc -w 7 -s $ip_local_i \
		  $ip_remote_i $port < $file_send
	atf_check -s exit:0 diff -q $file_send $file_recv
	stop_nc_server

	# Without IPsec the TCP segments are cleartext on both legs.
	extract_new_packets $BUS_LOCAL_F > $loutfile
	extract_new_packets $BUS_REMOTE_F > $routfile
	$DEBUG && cat $loutfile
	atf_check -s exit:0 \
	    -o match:"${ip_local_i}\.[0-9]+ > ${ip_remote_i}\.$port" \
	    cat $loutfile
	atf_check -s exit:0 \
	    -o match:"${ip_remote_i}\.$port > ${ip_local_i}\.[0-9]+" \
	    cat $loutfile
	$DEBUG && cat $routfile
	atf_check -s exit:0 \
	    -o match:"${ip_local_i}\.[0-9]+ > ${ip_remote_i}\.$port" \
	    cat $routfile
	atf_check -s exit:0 \
	    -o match:"${ip_remote_i}\.$port > ${ip_local_i}\.[0-9]+" \
	    cat $routfile

	# Create IPsec connections
	# SP: TCP from ip_local_i_subnet (any port) to ip_remote_i_subnet
	# port $port, tunnelled ip_local_i <-> ip_forward_r.  SA pair uses
	# SPIs 10000/10001.
	setup_sp_port esp "$algo_args" $ip_local_i $ip_forward_r \
		      $ip_local_i_subnet $ip_remote_i_subnet any $port
	add_sa esp "$algo_args" $ip_local_i $ip_forward_r \
	       10000 any $port

	extract_new_packets $BUS_LOCAL_F > $loutfile
	extract_new_packets $BUS_REMOTE_F > $routfile

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 -I $ip_local_i \
		  $ip_remote_i

	# The SP selects tcp only, so ICMP is expected to remain in the
	# clear on both legs even now that the tunnel exists.
	extract_new_packets $BUS_LOCAL_F > $loutfile
	extract_new_packets $BUS_REMOTE_F > $routfile
	$DEBUG && cat $loutfile
	atf_check -s exit:0 \
	    -o match:"$ip_local_i > $ip_remote_i: ICMP echo request" \
	    cat $loutfile
	atf_check -s exit:0 \
	    -o match:"$ip_remote_i > $ip_local_i: ICMP echo reply" \
	    cat $loutfile
	$DEBUG && cat $routfile
	atf_check -s exit:0 \
	    -o match:"$ip_local_i > $ip_remote_i: ICMP echo request" \
	    cat $routfile
	atf_check -s exit:0 \
	    -o match:"$ip_remote_i > $ip_local_i: ICMP echo reply" \
	    cat $routfile

	# Check TCP communications from local to remote
	# Same transfer as before; a longer nc timeout (-w 15) is used here.
	start_nc_server $SOCK_REMOTE $port $file_recv ipv4
	prepare_file $file_send
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 $HIJACKING nc -w 15 -s $ip_local_i \
		  $ip_remote_i $port < $file_send
	atf_check -s exit:0 diff -q $file_send $file_recv
	stop_nc_server

	# This is the actual property under test: on the local<->forward
	# leg only ESP between the tunnel endpoints is expected, while on
	# the forward<->remote leg the TCP segments are cleartext again.
	extract_new_packets $BUS_LOCAL_F > $loutfile
	extract_new_packets $BUS_REMOTE_F > $routfile
	$DEBUG && cat $loutfile
	atf_check -s exit:0 \
	    -o match:"${ip_local_i} > ${ip_forward_r}: ESP" \
	    cat $loutfile
	atf_check -s exit:0 \
	    -o match:"${ip_forward_r} > ${ip_local_i}: ESP" \
	    cat $loutfile
	$DEBUG && cat $routfile
	atf_check -s exit:0 \
	    -o match:"${ip_local_i}\.[0-9]+ > ${ip_remote_i}\.$port" \
	    cat $routfile
	atf_check -s exit:0 \
	    -o match:"${ip_remote_i}\.$port > ${ip_local_i}\.[0-9]+" \
	    cat $routfile
}
    304 
# IPv6 counterpart of test_ipsec_sp_port_ipv4: same three-kernel topology
# and the same sequence of checks (cleartext ICMPv6/TCP before IPsec, ESP on
# BUS_LOCAL_F and cleartext TCP on BUS_REMOTE_F afterwards), using ULA
# prefixes and ping6.
# $1: ESP encryption algorithm name accepted by generate_algo_args.
test_ipsec_sp_port_ipv6()
{
	local algo=$1
	local ip_local_i=fc00:1111::1
	local ip_local_i_subnet=fc00:1111::/64
	local ip_local_f=fc00:2222::2
	local ip_local_f_subnet=fc00:2222::/64
	local ip_forward_l=fc00:2222::1
	local ip_forward_l_subnet=fc00:2222::/64
	local ip_forward_r=fc00:3333::1
	local ip_forward_r_subnet=fc00:3333::/64
	local ip_remote_f=fc00:3333::2
	local ip_remote_f_subnet=fc00:3333::/64
	local ip_remote_i=fc00:4444::1
	local ip_remote_i_subnet=fc00:4444::/64
	local port=1234
	local loutfile=./out_local
	local routfile=./out_remote
	local file_send=./file.send
	local file_recv=./file.recv
	# algo_args carries the cipher spec and test keys handed to setkey.
	local algo_args="$(generate_algo_args esp $algo)"
	# NOTE: pid and the *_f/*_l/*_r _subnet locals are not used below.
	local pid=

	setup_servers ipv6

	# local: inner address on shmif1, default route via the forwarder.
	# dad_count=0 disables duplicate address detection so the addresses
	# are usable immediately.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local_f/64
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_local_i/64
	atf_check -s exit:0 -o ignore \
	    rump.route add -inet6 default $ip_forward_l

	# forward: routes to both inner prefixes and IPv6 forwarding enabled.
	export RUMP_SERVER=$SOCK_FORWARD
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.forwarding=1
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_forward_l/64
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_forward_r/64
	atf_check -s exit:0 -o ignore \
	    rump.route add -inet6 $ip_local_i_subnet $ip_local_f
	atf_check -s exit:0 -o ignore \
	    rump.route add -inet6 $ip_remote_i_subnet $ip_remote_f

	# remote: inner address on shmif1, default route via the forwarder.
	export RUMP_SERVER=$SOCK_REMOTE
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_remote_f/64
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_remote_i/64
	atf_check -s exit:0 -o ignore \
	    rump.route add -inet6 default $ip_forward_r

	# Flush what the buses captured during setup; the next extraction
	# should then (presumably) contain only the ping below.
	extract_new_packets $BUS_LOCAL_F > $loutfile
	extract_new_packets $BUS_REMOTE_F > $routfile

	# Plain connectivity check before any IPsec state exists.  -S pins
	# the source to ip_local_i so the expected "src > dst" strings match.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 -S $ip_local_i \
		  $ip_remote_i

	# Both legs must show the cleartext echo request and reply.
	extract_new_packets $BUS_LOCAL_F > $loutfile
	extract_new_packets $BUS_REMOTE_F > $routfile
	$DEBUG && cat $loutfile
	atf_check -s exit:0 \
	    -o match:"$ip_local_i > $ip_remote_i: ICMP6, echo request" \
	    cat $loutfile
	atf_check -s exit:0 \
	    -o match:"$ip_remote_i > $ip_local_i: ICMP6, echo reply" \
	    cat $loutfile
	$DEBUG && cat $routfile
	atf_check -s exit:0 \
	    -o match:"$ip_local_i > $ip_remote_i: ICMP6, echo request" \
	    cat $routfile
	atf_check -s exit:0 \
	    -o match:"$ip_remote_i > $ip_local_i: ICMP6, echo reply" \
	    cat $routfile

	# Try TCP communications just in case
	# The nc server on remote stores what it receives in $file_recv,
	# which is then compared against the file that was sent.
	start_nc_server $SOCK_REMOTE $port $file_recv ipv6
	prepare_file $file_send
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 $HIJACKING nc -w 7 -s $ip_local_i \
		  $ip_remote_i $port < $file_send
	atf_check -s exit:0 diff -q $file_send $file_recv
	stop_nc_server

	# Without IPsec the TCP segments are cleartext on both legs.
	extract_new_packets $BUS_LOCAL_F > $loutfile
	extract_new_packets $BUS_REMOTE_F > $routfile
	$DEBUG && cat $loutfile
	atf_check -s exit:0 \
	    -o match:"${ip_local_i}\.[0-9]+ > ${ip_remote_i}\.$port" \
	    cat $loutfile
	atf_check -s exit:0 \
	    -o match:"${ip_remote_i}\.$port > ${ip_local_i}\.[0-9]+" \
	    cat $loutfile
	$DEBUG && cat $routfile
	atf_check -s exit:0 \
	    -o match:"${ip_local_i}\.[0-9]+ > ${ip_remote_i}\.$port" \
	    cat $routfile
	atf_check -s exit:0 \
	    -o match:"${ip_remote_i}\.$port > ${ip_local_i}\.[0-9]+" \
	    cat $routfile

	# Create IPsec connections
	# SP: TCP from ip_local_i_subnet (any port) to ip_remote_i_subnet
	# port $port, tunnelled ip_local_i <-> ip_forward_r.  SA pair uses
	# SPIs 10000/10001.
	setup_sp_port esp "$algo_args" $ip_local_i $ip_forward_r \
		      $ip_local_i_subnet $ip_remote_i_subnet any $port
	add_sa esp "$algo_args" $ip_local_i $ip_forward_r \
	       10000 any $port

	extract_new_packets $BUS_LOCAL_F > $loutfile
	extract_new_packets $BUS_REMOTE_F > $routfile

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 -S $ip_local_i \
		  $ip_remote_i

	# The SP selects tcp only, so ICMPv6 is expected to remain in the
	# clear on both legs even now that the tunnel exists.
	extract_new_packets $BUS_LOCAL_F > $loutfile
	extract_new_packets $BUS_REMOTE_F > $routfile
	$DEBUG && cat $loutfile
	atf_check -s exit:0 \
	    -o match:"$ip_local_i > $ip_remote_i: ICMP6, echo request" \
	    cat $loutfile
	atf_check -s exit:0 \
	    -o match:"$ip_remote_i > $ip_local_i: ICMP6, echo reply" \
	    cat $loutfile
	$DEBUG && cat $routfile
	atf_check -s exit:0 \
	    -o match:"$ip_local_i > $ip_remote_i: ICMP6, echo request" \
	    cat $routfile
	atf_check -s exit:0 \
	    -o match:"$ip_remote_i > $ip_local_i: ICMP6, echo reply" \
	    cat $routfile

	# Check TCP communications from local to remote
	start_nc_server $SOCK_REMOTE $port $file_recv ipv6
	prepare_file $file_send
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 $HIJACKING nc -w 7 -s $ip_local_i \
		  $ip_remote_i $port < $file_send
	atf_check -s exit:0 diff -q $file_send $file_recv
	stop_nc_server

	# This is the actual property under test: on the local<->forward
	# leg only ESP between the tunnel endpoints is expected, while on
	# the forward<->remote leg the TCP segments are cleartext again.
	extract_new_packets $BUS_LOCAL_F > $loutfile
	extract_new_packets $BUS_REMOTE_F > $routfile
	$DEBUG && cat $loutfile
	atf_check -s exit:0 \
	    -o match:"${ip_local_i} > ${ip_forward_r}: ESP" \
	    cat $loutfile
	atf_check -s exit:0 \
	    -o match:"${ip_forward_r} > ${ip_local_i}: ESP" \
	    cat $loutfile
	$DEBUG && cat $routfile
	atf_check -s exit:0 \
	    -o match:"${ip_local_i}\.[0-9]+ > ${ip_remote_i}\.$port" \
	    cat $routfile
	atf_check -s exit:0 \
	    -o match:"${ip_remote_i}\.$port > ${ip_local_i}\.[0-9]+" \
	    cat $routfile
}
    460 
# Register one ATF test case "ipsec_sp_port_<proto>_<algo>" for the given
# address family and ESP algorithm.
# $1 proto   ipv4 or ipv6 (selects test_ipsec_sp_port_<proto>)
# $2 algo    algorithm name; dashes are stripped for the test-case name only
# The head/body/cleanup functions are generated with eval.  Both inputs are
# interpolated into that code unquoted, so this must only ever be called
# with the literal names from ESP_ENCRYPTION_ALGORITHMS_MINIMUM (as
# atf_init_test_cases does), never with externally supplied strings.
add_test_ipsec_sp_port()
{
	local proto=$1
	local algo=$2
	local _algo=$(echo $algo | sed 's/-//g')
	local name= desc=

	desc="Test IPsec $proto forwarding SP port ($algo)"
	name="ipsec_sp_port_${proto}_${_algo}"

	# \$DEBUG is escaped so it is expanded when cleanup runs, not here.
	atf_test_case ${name} cleanup
	eval "
	    ${name}_head() {
	        atf_set descr \"$desc\"
	        atf_set require.progs rump_server setkey nc
	    }
	    ${name}_body() {
	        test_ipsec_sp_port_$proto $algo
	        rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
	    	stop_nc_server
	        \$DEBUG && dump
	        cleanup
	    }
	"
	atf_add_test_case ${name}
}
    489 
# ATF entry point: one IPv4 and one IPv6 test case per algorithm in
# ESP_ENCRYPTION_ALGORITHMS_MINIMUM (provided by the shared IPsec test
# library), registered in that order for each algorithm.
atf_init_test_cases()
{
	local algo= proto=

	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		for proto in ipv4 ipv6; do
			add_test_ipsec_sp_port $proto $algo
		done
	done
}
    499