Module Name: src Committed By: knakahara Date: Wed Jan 10 11:06:06 UTC 2018
Modified Files: src/distrib/sets/lists/tests: mi src/etc/mtree: NetBSD.dist.tests src/tests/net: Makefile Added Files: src/tests/net/if_ipsec: Makefile t_ipsec.sh Log Message: add ipsec(4) interface ATF. To generate a diff of this commit: cvs rdiff -u -r1.771 -r1.772 src/distrib/sets/lists/tests/mi cvs rdiff -u -r1.149 -r1.150 src/etc/mtree/NetBSD.dist.tests cvs rdiff -u -r1.33 -r1.34 src/tests/net/Makefile cvs rdiff -u -r0 -r1.1 src/tests/net/if_ipsec/Makefile \ src/tests/net/if_ipsec/t_ipsec.sh Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/distrib/sets/lists/tests/mi diff -u src/distrib/sets/lists/tests/mi:1.771 src/distrib/sets/lists/tests/mi:1.772 --- src/distrib/sets/lists/tests/mi:1.771 Sun Dec 10 15:39:37 2017 +++ src/distrib/sets/lists/tests/mi Wed Jan 10 11:06:06 2018 @@ -1,4 +1,4 @@ -# $NetBSD: mi,v 1.771 2017/12/10 15:39:37 christos Exp $ +# $NetBSD: mi,v 1.772 2018/01/10 11:06:06 knakahara Exp $ # # Note: don't delete entries from here - mark them as "obsolete" instead. # @@ -3295,6 +3295,10 @@ ./usr/tests/net/if_gif/Atffile tests-net-tests atf,rump ./usr/tests/net/if_gif/Kyuafile tests-net-tests atf,rump,kyua ./usr/tests/net/if_gif/t_gif tests-net-tests atf,rump +./usr/tests/net/if_ipsec tests-net-tests compattestfile,atf +./usr/tests/net/if_ipsec/Atffile tests-net-tests atf,rump +./usr/tests/net/if_ipsec/Kyuafile tests-net-tests atf,rump,kyua +./usr/tests/net/if_ipsec/t_ipsec tests-net-tests atf,rump ./usr/tests/net/if_l2tp tests-net-tests compattestfile,atf ./usr/tests/net/if_l2tp/Atffile tests-net-tests atf,rump ./usr/tests/net/if_l2tp/Kyuafile tests-net-tests atf,rump,kyua Index: src/etc/mtree/NetBSD.dist.tests diff -u src/etc/mtree/NetBSD.dist.tests:1.149 src/etc/mtree/NetBSD.dist.tests:1.150 --- src/etc/mtree/NetBSD.dist.tests:1.149 Wed Nov 1 08:32:07 2017 +++ src/etc/mtree/NetBSD.dist.tests Wed Jan 10 11:06:06 2018 @@ -1,4 +1,4 @@ -# $NetBSD: NetBSD.dist.tests,v 1.149 2017/11/01 08:32:07 martin Exp $ +# $NetBSD: NetBSD.dist.tests,v 1.150 2018/01/10 11:06:06 knakahara Exp $ ./usr/libdata/debug/usr/tests ./usr/libdata/debug/usr/tests/atf @@ -332,6 +332,7 @@ ./usr/tests/net/if ./usr/tests/net/if_bridge ./usr/tests/net/if_gif +./usr/tests/net/if_ipsec ./usr/tests/net/if_l2tp ./usr/tests/net/if_loop ./usr/tests/net/if_pppoe Index: src/tests/net/Makefile diff -u src/tests/net/Makefile:1.33 src/tests/net/Makefile:1.34 --- src/tests/net/Makefile:1.33 Sat May 27 21:02:56 2017 +++ src/tests/net/Makefile Wed Jan 10 11:06:06 2018 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.33 2017/05/27 21:02:56 bouyer Exp $ +# $NetBSD: Makefile,v 1.34 2018/01/10 11:06:06 knakahara Exp $ .include <bsd.own.mk> @@ -7,7 +7,7 @@ TESTSDIR= ${TESTSBASE}/net TESTS_SUBDIRS= fdpass in_cksum net sys .if (${MKRUMP} != "no") && !defined(BSD_MK_COMPAT_FILE) TESTS_SUBDIRS+= arp bpf bpfilter can carp icmp if if_bridge if_gif -TESTS_SUBDIRS+= if_l2tp if_loop if_pppoe if_tap if_tun ipsec +TESTS_SUBDIRS+= if_ipsec if_l2tp if_loop if_pppoe if_tap if_tun ipsec TESTS_SUBDIRS+= mcast mpls ndp npf route if_vlan .if (${MKSLJIT} != "no") TESTS_SUBDIRS+= bpfjit Added files: Index: src/tests/net/if_ipsec/Makefile diff -u /dev/null src/tests/net/if_ipsec/Makefile:1.1 --- /dev/null Wed Jan 10 11:06:06 2018 +++ src/tests/net/if_ipsec/Makefile Wed Jan 10 11:06:06 2018 @@ -0,0 +1,14 @@ +# $NetBSD: Makefile,v 1.1 2018/01/10 11:06:06 knakahara Exp $ +# + +.include <bsd.own.mk> + +TESTSDIR= ${TESTSBASE}/net/if_ipsec + +.for name in ipsec +TESTS_SH+= t_${name} +TESTS_SH_SRC_t_${name}= ../net_common.sh t_${name}.sh \ + ../ipsec/common.sh ../ipsec/algorithms.sh +.endfor + +.include <bsd.test.mk> Index: src/tests/net/if_ipsec/t_ipsec.sh diff -u /dev/null src/tests/net/if_ipsec/t_ipsec.sh:1.1 --- /dev/null Wed Jan 10 11:06:06 2018 +++ src/tests/net/if_ipsec/t_ipsec.sh Wed Jan 10 11:06:06 2018 @@ -0,0 +1,925 @@ +# $NetBSD: t_ipsec.sh,v 1.1 2018/01/10 11:06:06 knakahara Exp $ +# +# Copyright (c) 2017 Internet Initiative Japan Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS +# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. +# + +SOCK1=unix://commsock1 # for ROUTER1 +SOCK2=unix://commsock2 # for ROUTER2 +ROUTER1_LANIP=192.168.1.1 +ROUTER1_LANNET=192.168.1.0/24 +ROUTER1_WANIP=10.0.0.1 +ROUTER1_IPSECIP=172.16.1.1 +ROUTER1_WANIP_DUMMY=10.0.0.11 +ROUTER1_IPSECIP_DUMMY=172.16.11.1 +ROUTER1_IPSECIP_RECURSIVE1=172.16.101.1 +ROUTER1_IPSECIP_RECURSIVE2=172.16.201.1 +ROUTER2_LANIP=192.168.2.1 +ROUTER2_LANNET=192.168.2.0/24 +ROUTER2_WANIP=10.0.0.2 +ROUTER2_IPSECIP=172.16.2.1 +ROUTER2_WANIP_DUMMY=10.0.0.12 +ROUTER2_IPSECIP_DUMMY=172.16.12.1 +ROUTER2_IPSECIP_RECURSIVE1=172.16.102.1 +ROUTER2_IPSECIP_RECURSIVE2=172.16.202.1 + +ROUTER1_LANIP6=fc00:1::1 +ROUTER1_LANNET6=fc00:1::/64 +ROUTER1_WANIP6=fc00::1 +ROUTER1_IPSECIP6=fc00:3::1 +ROUTER1_WANIP6_DUMMY=fc00::11 +ROUTER1_IPSECIP6_DUMMY=fc00:13::1 +ROUTER1_IPSECIP6_RECURSIVE1=fc00:103::1 +ROUTER1_IPSECIP6_RECURSIVE2=fc00:203::1 +ROUTER2_LANIP6=fc00:2::1 +ROUTER2_LANNET6=fc00:2::/64 +ROUTER2_WANIP6=fc00::2 +ROUTER2_IPSECIP6=fc00:4::1 +ROUTER2_WANIP6_DUMMY=fc00::12 +ROUTER2_IPSECIP6_DUMMY=fc00:14::1 +ROUTER2_IPSECIP6_RECURSIVE1=fc00:104::1 +ROUTER2_IPSECIP6_RECURSIVE2=fc00:204::1 + +DEBUG=${DEBUG:-false} +TIMEOUT=7 + +setup_router() +{ + local sock=${1} + local lan=${2} + local lan_mode=${3} + local wan=${4} + local wan_mode=${5} + + rump_server_add_iface $sock shmif0 bus0 + rump_server_add_iface $sock shmif1 bus1 + + export RUMP_SERVER=${sock} + if [ ${lan_mode} = "ipv6" ]; then + atf_check -s exit:0 rump.ifconfig shmif0 inet6 ${lan} + else + atf_check -s exit:0 rump.ifconfig shmif0 inet ${lan} netmask 0xffffff00 + fi + atf_check -s exit:0 rump.ifconfig shmif0 up + rump.ifconfig shmif0 + + if [ ${wan_mode} = "ipv6" ]; then + atf_check -s exit:0 rump.ifconfig shmif1 inet6 ${wan} + else + atf_check -s exit:0 rump.ifconfig shmif1 inet ${wan} netmask 0xff000000 + fi + atf_check -s exit:0 rump.ifconfig shmif1 up + rump.ifconfig shmif1 + unset RUMP_SERVER +} + +test_router() +{ + local sock=${1} + local lan=${2} + local lan_mode=${3} + local wan=${4} + local wan_mode=${5} + + export RUMP_SERVER=${sock} + atf_check -s exit:0 -o match:shmif0 rump.ifconfig + if [ ${lan_mode} = "ipv6" ]; then + atf_check -s exit:0 -o ignore rump.ping6 -n -c 1 -X $TIMEOUT ${lan} + else + atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT ${lan} + fi + + atf_check -s exit:0 -o match:shmif1 rump.ifconfig + if [ ${wan_mode} = "ipv6" ]; then + atf_check -s exit:0 -o ignore rump.ping6 -n -c 1 -X $TIMEOUT ${wan} + else + atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT ${wan} + fi + unset RUMP_SERVER +} + +setup() +{ + local inner=${1} + local outer=${2} + + rump_server_crypto_start $SOCK1 netipsec netinet6 ipsec + rump_server_crypto_start $SOCK2 netipsec netinet6 ipsec + + router1_lan="" + router1_lan_mode="" + router2_lan="" + router2_lan_mode="" + if [ ${inner} = "ipv6" ]; then + router1_lan=$ROUTER1_LANIP6 + router1_lan_mode="ipv6" + router2_lan=$ROUTER2_LANIP6 + router2_lan_mode="ipv6" + else + router1_lan=$ROUTER1_LANIP + router1_lan_mode="ipv4" + router2_lan=$ROUTER2_LANIP + router2_lan_mode="ipv4" + fi + + if [ ${outer} = "ipv6" ]; then + setup_router $SOCK1 ${router1_lan} ${router1_lan_mode} \ + $ROUTER1_WANIP6 ipv6 + setup_router $SOCK2 ${router2_lan} ${router2_lan_mode} \ + $ROUTER2_WANIP6 ipv6 + else + setup_router $SOCK1 ${router1_lan} ${router1_lan_mode} \ + $ROUTER1_WANIP ipv4 + setup_router $SOCK2 ${router2_lan} ${router2_lan_mode} \ + $ROUTER2_WANIP ipv4 + fi +} + +test_setup() +{ + local inner=${1} + local outer=${2} + + local router1_lan="" + local router1_lan_mode="" + local router2_lan="" + local router2_lan_mode="" + if [ ${inner} = "ipv6" ]; then + router1_lan=$ROUTER1_LANIP6 + router1_lan_mode="ipv6" + router2_lan=$ROUTER2_LANIP6 + router2_lan_mode="ipv6" + else + router1_lan=$ROUTER1_LANIP + router1_lan_mode="ipv4" + router2_lan=$ROUTER2_LANIP + router2_lan_mode="ipv4" + fi + if [ ${outer} = "ipv6" ]; then + test_router $SOCK1 ${router1_lan} ${router1_lan_mode} \ + $ROUTER1_WANIP6 ipv6 + test_router $SOCK2 ${router2_lan} ${router2_lan_mode} \ + $ROUTER2_WANIP6 ipv6 + else + test_router $SOCK1 ${router1_lan} ${router1_lan_mode} \ + $ROUTER1_WANIP ipv4 + test_router $SOCK2 ${router2_lan} ${router2_lan_mode} \ + $ROUTER2_WANIP ipv4 + fi +} + +get_if_ipsec_unique() +{ + local sock=${1} + local src=${2} + local proto=${3} + local unique="" + + export RUMP_SERVER=${sock} + unique=`$HIJACKING setkey -DP | grep -A2 "^${src}.*(${proto})$" | grep unique | sed 's/.*unique#//'` + unset RUMP_SERVER + + echo $unique +} + +setup_if_ipsec() +{ + local sock=${1} + local addr=${2} + local remote=${3} + local inner=${4} + local src=${5} + local dst=${6} + local peernet=${7} + + export RUMP_SERVER=${sock} + atf_check -s exit:0 rump.ifconfig ipsec0 create + atf_check -s exit:0 rump.ifconfig ipsec0 tunnel ${src} ${dst} + if [ ${inner} = "ipv6" ]; then + atf_check -s exit:0 rump.ifconfig ipsec0 inet6 ${addr}/128 ${remote} + atf_check -s exit:0 -o ignore rump.route add -inet6 ${peernet} ${addr} + else + atf_check -s exit:0 rump.ifconfig ipsec0 inet ${addr}/32 ${remote} + atf_check -s exit:0 -o ignore rump.route add -inet ${peernet} ${addr} + fi + + rump.ifconfig ipsec0 + rump.route -nL show +} + +setup_if_ipsec_sa() +{ + local sock=${1} + local src=${2} + local dst=${3} + local mode=${4} + local proto=${5} + local algo=${6} + local dir=${7} + + local tmpfile=./tmp + local inunique="" + local outunique="" + local inid="" + local outid="" + local algo_args="$(generate_algo_args $proto $algo)" + + inunique=`get_if_ipsec_unique ${sock} ${dst} ${mode}` + outunique=`get_if_ipsec_unique ${sock} ${src} ${mode}` + + if [ ${dir} = "1to2" ] ; then + if [ ${mode} = "ipv6" ] ; then + inid="10010" + outid="10011" + else + inid="10000" + outid="10001" + fi + else + if [ ${mode} = "ipv6" ] ; then + inid="10011" + outid="10010" + else + inid="10001" + outid="10000" + fi + fi + + cat > $tmpfile <<-EOF + add $dst $src $proto $inid -u $inunique $algo_args; + add $src $dst $proto $outid -u $outunique $algo_args; + EOF + $DEBUG && cat $tmpfile + export RUMP_SERVER=$sock + atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile + $DEBUG && $HIJACKING setkey -D + $DEBUG && $HIJACKING setkey -DP + unset RUMP_SERVER +} + +setup_tunnel() +{ + local inner=${1} + local outer=${2} + local proto=${3} + local algo=${4} + + local addr="" + local remote="" + local src="" + local dst="" + local peernet="" + + if [ ${inner} = "ipv6" ]; then + addr=$ROUTER1_IPSECIP6 + remote=$ROUTER2_IPSECIP6 + peernet=$ROUTER2_LANNET6 + else + addr=$ROUTER1_IPSECIP + remote=$ROUTER2_IPSECIP + peernet=$ROUTER2_LANNET + fi + if [ ${outer} = "ipv6" ]; then + src=$ROUTER1_WANIP6 + dst=$ROUTER2_WANIP6 + else + src=$ROUTER1_WANIP + dst=$ROUTER2_WANIP + fi + setup_if_ipsec $SOCK1 ${addr} ${remote} ${inner} \ + ${src} ${dst} ${peernet} + + if [ $inner = "ipv6" -a $outer = "ipv4" ]; then + setup_if_ipsec_sa $SOCK1 ${src} ${dst} ${outer} ${proto} ${algo} "1to2" + fi + setup_if_ipsec_sa $SOCK1 ${src} ${dst} ${inner} ${proto} ${algo} "1to2" + + if [ $inner = "ipv6" ]; then + addr=$ROUTER2_IPSECIP6 + remote=$ROUTER1_IPSECIP6 + peernet=$ROUTER1_LANNET6 + else + addr=$ROUTER2_IPSECIP + remote=$ROUTER1_IPSECIP + peernet=$ROUTER1_LANNET + fi + if [ $outer = "ipv6" ]; then + src=$ROUTER2_WANIP6 + dst=$ROUTER1_WANIP6 + else + src=$ROUTER2_WANIP + dst=$ROUTER1_WANIP + fi + setup_if_ipsec $SOCK2 ${addr} ${remote} ${inner} \ + ${src} ${dst} ${peernet} ${proto} ${algo} + if [ $inner = "ipv6" -a $outer = "ipv4" ]; then + setup_if_ipsec_sa $SOCK2 ${src} ${dst} ${outer} ${proto} ${algo} "2to1" + fi + setup_if_ipsec_sa $SOCK2 ${src} ${dst} ${inner} ${proto} ${algo} "2to1" +} + +test_setup_tunnel() +{ + local mode=${1} + + local peernet="" + local opt="" + if [ ${mode} = "ipv6" ]; then + peernet=$ROUTER2_LANNET6 + opt="-inet6" + else + peernet=$ROUTER2_LANNET + opt="-inet" + fi + export RUMP_SERVER=$SOCK1 + atf_check -s exit:0 -o match:ipsec0 rump.ifconfig + atf_check -s exit:0 -o match:ipsec0 rump.route -nL get ${opt} ${peernet} + + if [ ${mode} = "ipv6" ]; then + peernet=$ROUTER1_LANNET6 + opt="-inet6" + else + peernet=$ROUTER1_LANNET + opt="-inet" + fi + export RUMP_SERVER=$SOCK2 + atf_check -s exit:0 -o match:ipsec0 rump.ifconfig + atf_check -s exit:0 -o match:ipsec0 rump.route -nL get ${opt} ${peernet} +} + +teardown_tunnel() +{ + export RUMP_SERVER=$SOCK1 + atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel + atf_check -s exit:0 rump.ifconfig ipsec0 destroy + $HIJACKING setkey -F + + export RUMP_SERVER=$SOCK2 + atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel + atf_check -s exit:0 rump.ifconfig ipsec0 destroy + $HIJACKING setkey -F + + unset RUMP_SERVER +} + +setup_dummy_if_ipsec() +{ + local sock=${1} + local addr=${2} + local remote=${3} + local inner=${4} + local src=${5} + local dst=${6} + + export RUMP_SERVER=${sock} + atf_check -s exit:0 rump.ifconfig ipsec1 create + atf_check -s exit:0 rump.ifconfig ipsec1 tunnel ${src} ${dst} + if [ ${inner} = "ipv6" ]; then + atf_check -s exit:0 rump.ifconfig ipsec1 inet6 ${addr}/128 ${remote} + else + atf_check -s exit:0 rump.ifconfig ipsec1 inet ${addr}/32 ${remote} + fi + + rump.ifconfig ipsec1 + unset RUMP_SERVER +} + +setup_dummy_if_ipsec_sa() +{ + local sock=${1} + local src=${2} + local dst=${3} + local mode=${4} + local proto=${5} + local algo=${6} + local dir=${7} + + local tmpfile=./tmp + local inunique="" + local outunique="" + local inid="" + local outid="" + local algo_args="$(generate_algo_args $proto $algo)" + + inunique=`get_if_ipsec_unique ${sock} ${dst} ${mode}` + outunique=`get_if_ipsec_unique ${sock} ${src} ${mode}` + + if [ ${dir} = "1to2" ] ; then + inid="20000" + outid="20001" + else + inid="20001" + outid="20000" + fi + + cat > $tmpfile <<-EOF + add $dst $src $proto $inid -u $inunique $algo_args; + add $src $dst $proto $outid -u $outunique $algo_args; + EOF + $DEBUG && cat $tmpfile + export RUMP_SERVER=$sock + atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile + $DEBUG && $HIJACKING setkey -D + $DEBUG && $HIJACKING setkey -DP + unset RUMP_SERVER +} + +setup_dummy_tunnel() +{ + local inner=${1} + local outer=${2} + local proto=${3} + local algo=${4} + + local addr="" + local remote="" + local src="" + local dst="" + + if [ ${inner} = "ipv6" ]; then + addr=$ROUTER1_IPSECIP6_DUMMY + remote=$ROUTER2_IPSECIP6_DUMMY + else + addr=$ROUTER1_IPSECIP_DUMMY + remote=$ROUTER2_IPSECIP_DUMMY + fi + if [ ${outer} = "ipv6" ]; then + src=$ROUTER1_WANIP6_DUMMY + dst=$ROUTER2_WANIP6_DUMMY + else + src=$ROUTER1_WANIP_DUMMY + dst=$ROUTER2_WANIP_DUMMY + fi + setup_dummy_if_ipsec $SOCK1 ${addr} ${remote} ${inner} \ + ${src} ${dst} ${proto} ${algo} "1to2" + setup_dummy_if_ipsec_sa $SOCK1 ${src} ${dst} ${inner} ${proto} ${algo} "1to2" + + if [ $inner = "ipv6" ]; then + addr=$ROUTER2_IPSECIP6_DUMMY + remote=$ROUTER1_IPSECIP6_DUMMY + else + addr=$ROUTER2_IPSECIP_DUMMY + remote=$ROUTER1_IPSECIP_DUMMY + fi + if [ $outer = "ipv6" ]; then + src=$ROUTER2_WANIP6_DUMMY + dst=$ROUTER1_WANIP6_DUMMY + else + src=$ROUTER2_WANIP_DUMMY + dst=$ROUTER1_WANIP_DUMMY + fi + setup_dummy_if_ipsec $SOCK2 ${addr} ${remote} ${inner} \ + ${src} ${dst} ${proto} ${algo} "2to1" + setup_dummy_if_ipsec_sa $SOCK2 ${src} ${dst} ${inner} ${proto} ${algo} "2to1" +} + +test_setup_dummy_tunnel() +{ + export RUMP_SERVER=$SOCK1 + atf_check -s exit:0 -o match:ipsec1 rump.ifconfig + + export RUMP_SERVER=$SOCK2 + atf_check -s exit:0 -o match:ipsec1 rump.ifconfig + + unset RUMP_SERVER +} + +teardown_dummy_tunnel() +{ + export RUMP_SERVER=$SOCK1 + atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel + atf_check -s exit:0 rump.ifconfig ipsec1 destroy + + export RUMP_SERVER=$SOCK2 + atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel + atf_check -s exit:0 rump.ifconfig ipsec1 destroy + + unset RUMP_SERVER +} + +setup_recursive_if_ipsec() +{ + local sock=${1} + local ipsec=${2} + local addr=${3} + local remote=${4} + local inner=${5} + local src=${6} + local dst=${7} + local proto=${8} + local algo=${9} + local dir=${10} + + export RUMP_SERVER=${sock} + atf_check -s exit:0 rump.ifconfig ${ipsec} create + atf_check -s exit:0 rump.ifconfig ${ipsec} tunnel ${src} ${dst} + if [ ${inner} = "ipv6" ]; then + atf_check -s exit:0 rump.ifconfig ${ipsec} inet6 ${addr}/128 ${remote} + else + atf_check -s exit:0 rump.ifconfig ${ipsec} inet ${addr}/32 ${remote} + fi + setup_if_ipsec_sa $sock ${src} ${dst} ${inner} ${proto} ${algo} ${dir} + + export RUMP_SERVER=${sock} + rump.ifconfig ${ipsec} + unset RUMP_SERVER +} + +# test in ROUTER1 only +setup_recursive_tunnels() +{ + local mode=${1} + local proto=${2} + local algo=${3} + + local addr="" + local remote="" + local src="" + local dst="" + + if [ ${mode} = "ipv6" ]; then + addr=$ROUTER1_IPSECIP6_RECURSIVE1 + remote=$ROUTER2_IPSECIP6_RECURSIVE1 + src=$ROUTER1_IPSECIP6 + dst=$ROUTER2_IPSECIP6 + else + addr=$ROUTER1_IPSECIP_RECURSIVE1 + remote=$ROUTER2_IPSECIP_RECURSIVE1 + src=$ROUTER1_IPSECIP + dst=$ROUTER2_IPSECIP + fi + setup_recursive_if_ipsec $SOCK1 ipsec1 ${addr} ${remote} ${mode} \ + ${src} ${dst} ${proto} ${algo} "1to2" + + if [ ${mode} = "ipv6" ]; then + addr=$ROUTER1_IPSECIP6_RECURSIVE2 + remote=$ROUTER2_IPSECIP6_RECURSIVE2 + src=$ROUTER1_IPSECIP6_RECURSIVE1 + dst=$ROUTER2_IPSECIP6_RECURSIVE1 + else + addr=$ROUTER1_IPSECIP_RECURSIVE2 + remote=$ROUTER2_IPSECIP_RECURSIVE2 + src=$ROUTER1_IPSECIP_RECURSIVE1 + dst=$ROUTER2_IPSECIP_RECURSIVE1 + fi + setup_recursive_if_ipsec $SOCK1 ipsec2 ${addr} ${remote} ${mode} \ + ${src} ${dst} ${proto} ${algo} "1to2" +} + +# test in router1 only +test_recursive_check() +{ + local mode=$1 + + export RUMP_SERVER=$SOCK1 + if [ ${mode} = "ipv6" ]; then + atf_check -s not-exit:0 -o ignore -e ignore \ + rump.ping6 -n -X $TIMEOUT -c 1 $ROUTER2_IPSECIP6_RECURSIVE2 + else + atf_check -s not-exit:0 -o ignore -e ignore \ + rump.ping -n -w $TIMEOUT -c 1 $ROUTER2_IPSECIP_RECURSIVE2 + fi + + atf_check -o match:'ipsec0: recursively called too many times' \ + -x "$HIJACKING dmesg" + + $HIJACKING dmesg + + unset RUMP_SERVER +} + +teardown_recursive_tunnels() +{ + export RUMP_SERVER=$SOCK1 + atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel + atf_check -s exit:0 rump.ifconfig ipsec1 destroy + atf_check -s exit:0 rump.ifconfig ipsec2 deletetunnel + atf_check -s exit:0 rump.ifconfig ipsec2 destroy + unset RUMP_SERVER +} + +test_ping_failure() +{ + local mode=$1 + + export RUMP_SERVER=$SOCK1 + if [ ${mode} = "ipv6" ]; then + atf_check -s not-exit:0 -o ignore -e ignore \ + rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER1_LANIP6 \ + $ROUTER2_LANIP6 + else + atf_check -s not-exit:0 -o ignore -e ignore \ + rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \ + $ROUTER2_LANIP + fi + + export RUMP_SERVER=$SOCK2 + if [ ${mode} = "ipv6" ]; then + atf_check -s not-exit:0 -o ignore -e ignore \ + rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER2_LANIP6 \ + $ROUTER1_LANIP6 + else + atf_check -s not-exit:0 -o ignore -e ignore \ + rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \ + $ROUTER2_LANIP + fi + + unset RUMP_SERVER +} + +test_ping_success() +{ + mode=$1 + + export RUMP_SERVER=$SOCK1 + rump.ifconfig -v ipsec0 + if [ ${mode} = "ipv6" ]; then + # XXX + # rump.ping6 rarely fails with the message that + # "failed to get receiving hop limit". + # This is a known issue being analyzed. + atf_check -s exit:0 -o ignore \ + rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER1_LANIP6 \ + $ROUTER2_LANIP6 + else + atf_check -s exit:0 -o ignore \ + rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \ + $ROUTER2_LANIP + fi + rump.ifconfig -v ipsec0 + + export RUMP_SERVER=$SOCK2 + rump.ifconfig -v ipsec0 + if [ ${mode} = "ipv6" ]; then + atf_check -s exit:0 -o ignore \ + rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER2_LANIP6 \ + $ROUTER1_LANIP6 + else + atf_check -s exit:0 -o ignore \ + rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \ + $ROUTER1_LANIP + fi + rump.ifconfig -v ipsec0 + + unset RUMP_SERVER +} + +test_change_tunnel_duplicate() +{ + local mode=$1 + + local newsrc="" + local newdst="" + if [ ${mode} = "ipv6" ]; then + newsrc=$ROUTER1_WANIP6_DUMMY + newdst=$ROUTER2_WANIP6_DUMMY + else + newsrc=$ROUTER1_WANIP_DUMMY + newdst=$ROUTER2_WANIP_DUMMY + fi + export RUMP_SERVER=$SOCK1 + rump.ifconfig -v ipsec0 + rump.ifconfig -v ipsec1 + atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \ + rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst} + rump.ifconfig -v ipsec0 + rump.ifconfig -v ipsec1 + + if [ ${mode} = "ipv6" ]; then + newsrc=$ROUTER2_WANIP6_DUMMY + newdst=$ROUTER1_WANIP6_DUMMY + else + newsrc=$ROUTER2_WANIP_DUMMY + newdst=$ROUTER1_WANIP_DUMMY + fi + export RUMP_SERVER=$SOCK2 + rump.ifconfig -v ipsec0 + rump.ifconfig -v ipsec1 + atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \ + rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst} + rump.ifconfig -v ipsec0 + rump.ifconfig -v ipsec1 + + unset RUMP_SERVER +} + +test_change_tunnel_success() +{ + local mode=$1 + + local newsrc="" + local newdst="" + if [ ${mode} = "ipv6" ]; then + newsrc=$ROUTER1_WANIP6_DUMMY + newdst=$ROUTER2_WANIP6_DUMMY + else + newsrc=$ROUTER1_WANIP_DUMMY + newdst=$ROUTER2_WANIP_DUMMY + fi + export RUMP_SERVER=$SOCK1 + rump.ifconfig -v ipsec0 + atf_check -s exit:0 \ + rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst} + rump.ifconfig -v ipsec0 + + if [ ${mode} = "ipv6" ]; then + newsrc=$ROUTER2_WANIP6_DUMMY + newdst=$ROUTER1_WANIP6_DUMMY + else + newsrc=$ROUTER2_WANIP_DUMMY + newdst=$ROUTER1_WANIP_DUMMY + fi + export RUMP_SERVER=$SOCK2 + rump.ifconfig -v ipsec0 + atf_check -s exit:0 \ + rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst} + rump.ifconfig -v ipsec0 + + unset RUMP_SERVER +} + +basic_setup() +{ + local inner=$1 + local outer=$2 + local proto=$3 + local algo=$4 + + setup ${inner} ${outer} + test_setup ${inner} ${outer} + + # Enable once PR kern/49219 is fixed + #test_ping_failure + + setup_tunnel ${inner} ${outer} ${proto} ${algo} + sleep 1 + test_setup_tunnel ${inner} +} + +basic_test() +{ + local inner=$1 + local outer=$2 # not use + + test_ping_success ${inner} +} + +basic_teardown() +{ + local inner=$1 + local outer=$2 # not use + + teardown_tunnel + test_ping_failure ${inner} +} + +ioctl_setup() +{ + local inner=$1 + local outer=$2 + local proto=$3 + local algo=$4 + + setup ${inner} ${outer} + test_setup ${inner} ${outer} + + # Enable once PR kern/49219 is fixed + #test_ping_failure + + setup_tunnel ${inner} ${outer} ${proto} ${algo} + setup_dummy_tunnel ${inner} ${outer} ${proto} ${algo} + sleep 1 + test_setup_tunnel ${inner} +} + +ioctl_test() +{ + local inner=$1 + local outer=$2 + + test_ping_success ${inner} + + test_change_tunnel_duplicate ${outer} + + teardown_dummy_tunnel + test_change_tunnel_success ${outer} +} + +ioctl_teardown() +{ + local inner=$1 + local outer=$2 # not use + + teardown_tunnel + test_ping_failure ${inner} +} + +recursive_setup() +{ + local inner=$1 + local outer=$2 + local proto=$3 + local algo=$4 + + setup ${inner} ${outer} + test_setup ${inner} ${outer} + + # Enable once PR kern/49219 is fixed + #test_ping_failure + + setup_tunnel ${inner} ${outer} ${proto} ${algo} + setup_recursive_tunnels ${inner} ${proto} ${algo} + sleep 1 + test_setup_tunnel ${inner} +} + +recursive_test() +{ + local inner=$1 + local outer=$2 # not use + + test_recursive_check ${inner} +} + +recursive_teardown() +{ + local inner=$1 # not use + local outer=$2 # not use + + teardown_recursive_tunnels + teardown_tunnel +} + +add_test() +{ + local category=$1 + local desc=$2 + local inner=$3 + local outer=$4 + local proto=$5 + local algo=$6 + local _algo=$(echo $algo | sed 's/-//g') + + name="ipsec_${category}_${inner}over${outer}_${proto}_${_algo}" + fulldesc="Does ${inner} over ${outer} if_ipsec ${desc}" + + atf_test_case ${name} cleanup + eval "${name}_head() { + atf_set descr \"${fulldesc}\" + atf_set require.progs rump_server setkey + } + ${name}_body() { + ${category}_setup ${inner} ${outer} ${proto} ${algo} + ${category}_test ${inner} ${outer} + ${category}_teardown ${inner} ${outer} + rump_server_destroy_ifaces + } + ${name}_cleanup() { + \$DEBUG && dump + cleanup + }" + atf_add_test_case ${name} +} + +add_test_allproto() +{ + local category=$1 + local desc=$2 + + for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do + add_test ${category} "${desc}" ipv4 ipv4 esp $algo + add_test ${category} "${desc}" ipv4 ipv6 esp $algo + add_test ${category} "${desc}" ipv6 ipv4 esp $algo + add_test ${category} "${desc}" ipv6 ipv6 esp $algo + done + + # ah does not support yet +} + +atf_init_test_cases() +{ + add_test_allproto basic "basic tests" + add_test_allproto ioctl "ioctl tests" + add_test_allproto recursive "recursive check tests" +}