#	$NetBSD: t_ipsec_forwarding.sh,v 1.2 2022/11/24 02:58:28 knakahara Exp $
#
# Copyright (c) 2022 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
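#

# Three rump servers on four shmif buses.  LOCAL and REMOTE each have an
# "inner" leg (_I) and a leg towards FORWARD (_F); FORWARD routes between
# the two inner subnets and is the far end of the IPsec tunnel:
#
#   BUS_LOCAL_I -shmif1- LOCAL -shmif0- BUS_LOCAL_F -shmif0- FORWARD
#   FORWARD -shmif1- BUS_REMOTE_F -shmif0- REMOTE -shmif1- BUS_REMOTE_I
SOCK_LOCAL=unix://ipsec_local
SOCK_FORWARD=unix://ipsec_forward
SOCK_REMOTE=unix://ipsec_remote
BUS_LOCAL_I=./bus_ipsec_local
BUS_LOCAL_F=./bus_ipsec_local_forward
BUS_REMOTE_F=./bus_ipsec_remote_forward
BUS_REMOTE_I=./bus_ipsec_remote

# Set DEBUG=true in the environment to dump captures and setkey databases.
DEBUG=${DEBUG:-false}

# Attach every server to its two buses (see the topology above).  Shared by
# the IPv4 and IPv6 variants, which differ only in the modules loaded.
add_server_ifaces()
{

	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL_F
	rump_server_add_iface $SOCK_LOCAL shmif1 $BUS_LOCAL_I
	rump_server_add_iface $SOCK_FORWARD shmif0 $BUS_LOCAL_F
	rump_server_add_iface $SOCK_FORWARD shmif1 $BUS_REMOTE_F
	rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_REMOTE_F
	rump_server_add_iface $SOCK_REMOTE shmif1 $BUS_REMOTE_I
}

# Start the three servers with netipsec and wire them up.
setup_servers_ipv4()
{

	rump_server_crypto_start $SOCK_LOCAL netipsec
	rump_server_crypto_start $SOCK_FORWARD netipsec
	rump_server_crypto_start $SOCK_REMOTE netipsec
	add_server_ifaces
}

# Same as setup_servers_ipv4, additionally loading netinet6.
setup_servers_ipv6()
{

	rump_server_crypto_start $SOCK_LOCAL netipsec netinet6
	rump_server_crypto_start $SOCK_FORWARD netipsec netinet6
	rump_server_crypto_start $SOCK_REMOTE netipsec netinet6
	add_server_ifaces
}

# Dispatch to setup_servers_ipv4 or setup_servers_ipv6 according to $1.
setup_servers()
{
	local proto=$1

	setup_servers_$proto
}

# Load the setkey(8) configuration file $1 into the server currently
# selected by RUMP_SERVER.  With DEBUG set, the file is echoed first and
# the resulting database is dumped afterwards ($2 is the setkey dump
# option to use: -D for the SAD, -DP for the SPD).
apply_setkey_conf()
{
	local conf=$1
	local dump_opt=$2

	$DEBUG && cat $conf
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $conf
	$DEBUG && $HIJACKING setkey $dump_opt
	return 0
}

# Install port-scoped, tunnel-mode security policies on LOCAL and FORWARD.
#
#   $1 proto       IPsec protocol used in the policy (esp)
#   $2 algo_args   unused by setkey spdadd; kept so the argument list
#                  mirrors add_sa
#   $3 tunnel_src  outer tunnel address on the LOCAL side
#   $4 tunnel_dst  outer tunnel address on the FORWARD side
#   $5 subnet_src  inner prefix behind LOCAL
#   $6 subnet_dst  inner prefix behind FORWARD/REMOTE
#   $7 port_src    TCP port selector on the LOCAL side ("any" = wildcard)
#   $8 port_dst    TCP port selector on the REMOTE side
#
# The selector only covers TCP between the given ports, so everything
# else (e.g. ICMP) keeps flowing in the clear.  The level is "require":
# matching outbound traffic must be encapsulated and matching inbound
# traffic that did not arrive through the tunnel is rejected.  REMOTE gets
# no policy at all; it only ever sees the decapsulated traffic.
setup_sp_port()
{
	local proto=$1
	local algo_args="$2"
	local tunnel_src=$3
	local tunnel_dst=$4
	local subnet_src=$5
	local subnet_dst=$6
	local port_src=$7
	local port_dst=$8
	local tmpfile=./tmp
	local tunnel_fwd="$proto/tunnel/$tunnel_src-$tunnel_dst/require"
	local tunnel_rev="$proto/tunnel/$tunnel_dst-$tunnel_src/require"

	# LOCAL: outbound towards subnet_dst, inbound from it.
	export RUMP_SERVER=$SOCK_LOCAL
	cat > $tmpfile <<-EOF
	spdadd $subnet_src[$port_src] $subnet_dst[$port_dst] tcp -P out ipsec $tunnel_fwd;
	spdadd $subnet_dst[$port_dst] $subnet_src[$port_src] tcp -P in ipsec $tunnel_rev;
	EOF
	apply_setkey_conf $tmpfile -DP

	# FORWARD: the mirror image of the LOCAL policies.
	export RUMP_SERVER=$SOCK_FORWARD
	cat > $tmpfile <<-EOF
	spdadd $subnet_dst[$port_dst] $subnet_src[$port_src] tcp -P out ipsec $tunnel_rev;
	spdadd $subnet_src[$port_src] $subnet_dst[$port_dst] tcp -P in ipsec $tunnel_fwd;
	EOF
	apply_setkey_conf $tmpfile -DP
}

# Install the pair of SAs backing the policies from setup_sp_port on both
# LOCAL and FORWARD.
#
#   $1 proto       IPsec protocol (esp)
#   $2 algo_args   algorithm/key arguments from generate_algo_args
#   $3 tunnel_src  outer tunnel address on the LOCAL side
#   $4 tunnel_dst  outer tunnel address on the FORWARD side
#   $5 spi         SPI for src->dst; src<-dst uses spi+1
#   $6 port_src    port given to setkey add for the LOCAL side
#   $7 port_dst    port given to setkey add for the FORWARD side
#
# Both ends need the identical pair of SAs (same SPIs, same keys), so the
# configuration is written once and loaded into each server.
add_sa()
{
	local proto=$1
	local algo_args="$2"
	local tunnel_src=$3
	local tunnel_dst=$4
	local spi=$5
	local port_src=$6
	local port_dst=$7
	local tmpfile=./tmp

	cat > $tmpfile <<-EOF
	add $tunnel_src [$port_src] $tunnel_dst [$port_dst] $proto $((spi)) $algo_args;
	add $tunnel_dst [$port_dst] $tunnel_src [$port_src] $proto $((spi + 1)) $algo_args;
	EOF

	export RUMP_SERVER=$SOCK_LOCAL
	apply_setkey_conf $tmpfile -D
	# XXX it can be expired if $lifetime is very short
	#check_sa_entries $SOCK_LOCAL $ip_local $ip_remote

	export RUMP_SERVER=$SOCK_FORWARD
	apply_setkey_conf $tmpfile -D
}

# Fill $1 with 512 lines of "0123456789".  Any previous content is
# discarded so that every transfer within a test sends the same payload
# (the old version appended, doubling the file on the second call).
prepare_file()
{
	local file=$1
	local data="0123456789"
	local i=

	: > $file
	for i in $(seq 1 512); do
		echo $data >> $file
	done
}

# Write the packets newly seen on BUS_LOCAL_F to $1 and on BUS_REMOTE_F
# to $2.  extract_new_packets (common code) only reports packets it has
# not returned before, so calling this once right before an exchange and
# once right after leaves exactly that exchange in the two files.
capture_buses()
{
	local loutfile=$1
	local routfile=$2

	extract_new_packets $BUS_LOCAL_F > $loutfile
	extract_new_packets $BUS_REMOTE_F > $routfile
}

# Assert that capture $1 contains a cleartext echo request $2 -> $3 and
# the matching reply.  $4 is the protocol as tcpdump prints it in front
# of "echo request": "ICMP" for IPv4, "ICMP6," for IPv6.
check_icmp_echo()
{
	local outfile=$1
	local ip_src=$2
	local ip_dst=$3
	local icmp=$4

	$DEBUG && cat $outfile
	atf_check -s exit:0 \
	    -o match:"$ip_src > $ip_dst: $icmp echo request" \
	    cat $outfile
	atf_check -s exit:0 \
	    -o match:"$ip_dst > $ip_src: $icmp echo reply" \
	    cat $outfile
}

# Assert that capture $1 contains a cleartext TCP exchange between $2
# (any source port) and $3 port $4 in both directions.
check_tcp_cleartext()
{
	local outfile=$1
	local ip_src=$2
	local ip_dst=$3
	local port=$4

	$DEBUG && cat $outfile
	atf_check -s exit:0 \
	    -o match:"${ip_src}\.[0-9]+ > ${ip_dst}\.$port" \
	    cat $outfile
	atf_check -s exit:0 \
	    -o match:"${ip_dst}\.$port > ${ip_src}\.[0-9]+" \
	    cat $outfile
}

# Assert that capture $1 shows the TCP exchange only as ESP between the
# tunnel endpoints $2 and $4, and that no cleartext segment between $2
# and $3 port $5 is present.  The positive ESP match alone would also
# pass if a segment slipped past the policy unencrypted, so the negative
# checks are what actually prove the "require" SP is enforced on this bus.
check_tcp_esp_only()
{
	local outfile=$1
	local ip_src=$2
	local ip_dst=$3
	local ip_gw=$4
	local port=$5

	$DEBUG && cat $outfile
	atf_check -s exit:0 \
	    -o match:"${ip_src} > ${ip_gw}: ESP" \
	    cat $outfile
	atf_check -s exit:0 \
	    -o match:"${ip_gw} > ${ip_src}: ESP" \
	    cat $outfile
	atf_check -s exit:0 \
	    -o not-match:"${ip_src}\.[0-9]+ > ${ip_dst}\.$port" \
	    cat $outfile
	atf_check -s exit:0 \
	    -o not-match:"${ip_dst}\.$port > ${ip_src}\.[0-9]+" \
	    cat $outfile
}

# Send prepare_file's payload from LOCAL (source address $2) to an nc(1)
# server listening on REMOTE at $3 port $4 and verify it arrived intact.
# $1 selects ipv4/ipv6 for start_nc_server, $5 is the nc connect timeout.
transfer_file()
{
	local proto=$1
	local ip_src=$2
	local ip_dst=$3
	local port=$4
	local timeout=$5
	local file_send=./file.send
	local file_recv=./file.recv

	start_nc_server $SOCK_REMOTE $port $file_recv $proto
	prepare_file $file_send
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 $HIJACKING nc -w $timeout -s $ip_src \
	    $ip_dst $port < $file_send
	atf_check -s exit:0 diff -q $file_send $file_recv
	stop_nc_server
}

# IPv4 scenario: bring up the topology, confirm plain reachability, then
# install a TCP-port-scoped tunnel between LOCAL's inner address and
# FORWARD's remote-side address and confirm that ICMP still passes in
# the clear while TCP to $port is ESP on the LOCAL bus and cleartext again
# behind FORWARD.  $1 is the ESP encryption algorithm under test.
test_ipsec_sp_port_ipv4()
{
	local algo=$1
	local ip_local_i=192.168.11.1
	local ip_local_i_subnet=192.168.11.0/24
	local ip_local_f=10.22.22.2
	local ip_forward_l=10.22.22.1
	local ip_forward_r=10.33.33.1
	local ip_remote_f=10.33.33.2
	local ip_remote_i=192.168.44.1
	local ip_remote_i_subnet=192.168.44.0/24
	local port=1234
	local loutfile=./out_local
	local routfile=./out_remote
	local algo_args="$(generate_algo_args esp $algo)"

	setup_servers ipv4

	# LOCAL: everything goes via FORWARD.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet $ip_local_f/24
	atf_check -s exit:0 rump.ifconfig shmif1 inet $ip_local_i/24
	atf_check -s exit:0 -o ignore \
	    rump.route add -inet default $ip_forward_l

	# FORWARD: router between the two inner subnets.
	export RUMP_SERVER=$SOCK_FORWARD
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1
	atf_check -s exit:0 rump.ifconfig shmif0 inet $ip_forward_l/24
	atf_check -s exit:0 rump.ifconfig shmif1 inet $ip_forward_r/24
	atf_check -s exit:0 -o ignore \
	    rump.route add -inet $ip_local_i_subnet $ip_local_f
	atf_check -s exit:0 -o ignore \
	    rump.route add -inet $ip_remote_i_subnet $ip_remote_f

	# REMOTE: everything goes via FORWARD.
	export RUMP_SERVER=$SOCK_REMOTE
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet $ip_remote_f/24
	atf_check -s exit:0 rump.ifconfig shmif1 inet $ip_remote_i/24
	atf_check -s exit:0 -o ignore \
	    rump.route add -inet default $ip_forward_r

	# Plain reachability before any policy exists.
	capture_buses $loutfile $routfile
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 -I $ip_local_i \
	    $ip_remote_i
	capture_buses $loutfile $routfile
	check_icmp_echo $loutfile $ip_local_i $ip_remote_i ICMP
	check_icmp_echo $routfile $ip_local_i $ip_remote_i ICMP

	# Try TCP communications just in case
	transfer_file ipv4 $ip_local_i $ip_remote_i $port 7
	capture_buses $loutfile $routfile
	check_tcp_cleartext $loutfile $ip_local_i $ip_remote_i $port
	check_tcp_cleartext $routfile $ip_local_i $ip_remote_i $port

	# Create IPsec connections
	setup_sp_port esp "$algo_args" $ip_local_i $ip_forward_r \
	    $ip_local_i_subnet $ip_remote_i_subnet any $port
	add_sa esp "$algo_args" $ip_local_i $ip_forward_r \
	    10000 any $port

	# ICMP is outside the SP selector and must still pass in the clear.
	capture_buses $loutfile $routfile
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 -I $ip_local_i \
	    $ip_remote_i
	capture_buses $loutfile $routfile
	check_icmp_echo $loutfile $ip_local_i $ip_remote_i ICMP
	check_icmp_echo $routfile $ip_local_i $ip_remote_i ICMP

	# Check TCP communications from local to remote: ESP only on the
	# LOCAL bus, decapsulated cleartext on the REMOTE bus.
	transfer_file ipv4 $ip_local_i $ip_remote_i $port 15
	capture_buses $loutfile $routfile
	check_tcp_esp_only $loutfile $ip_local_i $ip_remote_i $ip_forward_r $port
	check_tcp_cleartext $routfile $ip_local_i $ip_remote_i $port
}

# IPv6 counterpart of test_ipsec_sp_port_ipv4 (same topology and checks,
# IPv6 addresses/sysctls and ping6).  $1 is the ESP encryption algorithm.
test_ipsec_sp_port_ipv6()
{
	local algo=$1
	local ip_local_i=fc00:1111::1
	local ip_local_i_subnet=fc00:1111::/64
	local ip_local_f=fc00:2222::2
	local ip_forward_l=fc00:2222::1
	local ip_forward_r=fc00:3333::1
	local ip_remote_f=fc00:3333::2
	local ip_remote_i=fc00:4444::1
	local ip_remote_i_subnet=fc00:4444::/64
	local port=1234
	local loutfile=./out_local
	local routfile=./out_remote
	local algo_args="$(generate_algo_args esp $algo)"

	setup_servers ipv6

	# LOCAL: everything goes via FORWARD.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local_f/64
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_local_i/64
	atf_check -s exit:0 -o ignore \
	    rump.route add -inet6 default $ip_forward_l

	# FORWARD: router between the two inner subnets.
	export RUMP_SERVER=$SOCK_FORWARD
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.forwarding=1
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_forward_l/64
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_forward_r/64
	atf_check -s exit:0 -o ignore \
	    rump.route add -inet6 $ip_local_i_subnet $ip_local_f
	atf_check -s exit:0 -o ignore \
	    rump.route add -inet6 $ip_remote_i_subnet $ip_remote_f

	# REMOTE: everything goes via FORWARD.
	export RUMP_SERVER=$SOCK_REMOTE
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_remote_f/64
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_remote_i/64
	atf_check -s exit:0 -o ignore \
	    rump.route add -inet6 default $ip_forward_r

	# Plain reachability before any policy exists.
	capture_buses $loutfile $routfile
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 -S $ip_local_i \
	    $ip_remote_i
	capture_buses $loutfile $routfile
	check_icmp_echo $loutfile $ip_local_i $ip_remote_i "ICMP6,"
	check_icmp_echo $routfile $ip_local_i $ip_remote_i "ICMP6,"

	# Try TCP communications just in case
	transfer_file ipv6 $ip_local_i $ip_remote_i $port 7
	capture_buses $loutfile $routfile
	check_tcp_cleartext $loutfile $ip_local_i $ip_remote_i $port
	check_tcp_cleartext $routfile $ip_local_i $ip_remote_i $port

	# Create IPsec connections
	setup_sp_port esp "$algo_args" $ip_local_i $ip_forward_r \
	    $ip_local_i_subnet $ip_remote_i_subnet any $port
	add_sa esp "$algo_args" $ip_local_i $ip_forward_r \
	    10000 any $port

	# ICMPv6 is outside the SP selector and must still pass in the clear.
	capture_buses $loutfile $routfile
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 -S $ip_local_i \
	    $ip_remote_i
	capture_buses $loutfile $routfile
	check_icmp_echo $loutfile $ip_local_i $ip_remote_i "ICMP6,"
	check_icmp_echo $routfile $ip_local_i $ip_remote_i "ICMP6,"

	# Check TCP communications from local to remote: ESP only on the
	# LOCAL bus, decapsulated cleartext on the REMOTE bus.
	transfer_file ipv6 $ip_local_i $ip_remote_i $port 7
	capture_buses $loutfile $routfile
	check_tcp_esp_only $loutfile $ip_local_i $ip_remote_i $ip_forward_r $port
	check_tcp_cleartext $routfile $ip_local_i $ip_remote_i $port
}

# Register one ATF test case "ipsec_sp_port_<proto>_<algo>" for protocol
# $1 (ipv4/ipv6) and ESP algorithm $2.  Dashes are stripped from the
# algorithm name since they are not valid in an ATF test case name.  The
# head/body/cleanup functions have to be created with eval because their
# names are built at runtime.
add_test_ipsec_sp_port()
{
	local proto=$1
	local algo=$2
	local _algo=$(echo $algo | sed 's/-//g')
	local name= desc=

	desc="Test IPsec $proto forwarding SP port ($algo)"
	name="ipsec_sp_port_${proto}_${_algo}"

	atf_test_case ${name} cleanup
	eval "
	    ${name}_head() {
	        atf_set descr \"$desc\"
	        atf_set require.progs rump_server setkey nc
	    }
	    ${name}_body() {
	        test_ipsec_sp_port_$proto $algo
	        rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
	        stop_nc_server
	        \$DEBUG && dump
	        cleanup
	    }
	"
	atf_add_test_case ${name}
}

# ATF entry point: one IPv4 and one IPv6 case per algorithm in the
# minimum ESP set provided by the common code.
atf_init_test_cases()
{
	local algo=

	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		add_test_ipsec_sp_port ipv4 $algo
		add_test_ipsec_sp_port ipv6 $algo
	done
}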