| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
1 | # $NetBSD: t_ipsec.sh,v 1.4 2018/03/13 03:50:26 knakahara Exp $ | | 1 | # $NetBSD: t_ipsec.sh,v 1.5 2018/12/25 03:28:29 knakahara Exp $ |
2 | # | | 2 | # |
3 | # Copyright (c) 2017 Internet Initiative Japan Inc. | | 3 | # Copyright (c) 2017 Internet Initiative Japan Inc. |
4 | # All rights reserved. | | 4 | # All rights reserved. |
5 | # | | 5 | # |
6 | # Redistribution and use in source and binary forms, with or without | | 6 | # Redistribution and use in source and binary forms, with or without |
7 | # modification, are permitted provided that the following conditions | | 7 | # modification, are permitted provided that the following conditions |
8 | # are met: | | 8 | # are met: |
9 | # 1. Redistributions of source code must retain the above copyright | | 9 | # 1. Redistributions of source code must retain the above copyright |
10 | # notice, this list of conditions and the following disclaimer. | | 10 | # notice, this list of conditions and the following disclaimer. |
11 | # 2. Redistributions in binary form must reproduce the above copyright | | 11 | # 2. Redistributions in binary form must reproduce the above copyright |
12 | # notice, this list of conditions and the following disclaimer in the | | 12 | # notice, this list of conditions and the following disclaimer in the |
13 | # documentation and/or other materials provided with the distribution. | | 13 | # documentation and/or other materials provided with the distribution. |
14 | # | | 14 | # |
| @@ -95,35 +95,35 @@ setup_router() | | | @@ -95,35 +95,35 @@ setup_router() |
95 | local wan=${4} | | 95 | local wan=${4} |
96 | local wan_mode=${5} | | 96 | local wan_mode=${5} |
97 | | | 97 | |
98 | rump_server_add_iface $sock shmif0 bus0 | | 98 | rump_server_add_iface $sock shmif0 bus0 |
99 | rump_server_add_iface $sock shmif1 bus1 | | 99 | rump_server_add_iface $sock shmif1 bus1 |
100 | | | 100 | |
101 | export RUMP_SERVER=${sock} | | 101 | export RUMP_SERVER=${sock} |
102 | if [ ${lan_mode} = "ipv6" ]; then | | 102 | if [ ${lan_mode} = "ipv6" ]; then |
103 | atf_check -s exit:0 rump.ifconfig shmif0 inet6 ${lan} | | 103 | atf_check -s exit:0 rump.ifconfig shmif0 inet6 ${lan} |
104 | else | | 104 | else |
105 | atf_check -s exit:0 rump.ifconfig shmif0 inet ${lan} netmask 0xffffff00 | | 105 | atf_check -s exit:0 rump.ifconfig shmif0 inet ${lan} netmask 0xffffff00 |
106 | fi | | 106 | fi |
107 | atf_check -s exit:0 rump.ifconfig shmif0 up | | 107 | atf_check -s exit:0 rump.ifconfig shmif0 up |
108 | rump.ifconfig shmif0 | | 108 | $DEBUG && rump.ifconfig shmif0 |
109 | | | 109 | |
110 | if [ ${wan_mode} = "ipv6" ]; then | | 110 | if [ ${wan_mode} = "ipv6" ]; then |
111 | atf_check -s exit:0 rump.ifconfig shmif1 inet6 ${wan} | | 111 | atf_check -s exit:0 rump.ifconfig shmif1 inet6 ${wan} |
112 | else | | 112 | else |
113 | atf_check -s exit:0 rump.ifconfig shmif1 inet ${wan} netmask 0xff000000 | | 113 | atf_check -s exit:0 rump.ifconfig shmif1 inet ${wan} netmask 0xff000000 |
114 | fi | | 114 | fi |
115 | atf_check -s exit:0 rump.ifconfig shmif1 up | | 115 | atf_check -s exit:0 rump.ifconfig shmif1 up |
116 | rump.ifconfig shmif1 | | 116 | $DEBUG && rump.ifconfig shmif1 |
117 | unset RUMP_SERVER | | 117 | unset RUMP_SERVER |
118 | } | | 118 | } |
119 | | | 119 | |
120 | test_router() | | 120 | test_router() |
121 | { | | 121 | { |
122 | local sock=${1} | | 122 | local sock=${1} |
123 | local lan=${2} | | 123 | local lan=${2} |
124 | local lan_mode=${3} | | 124 | local lan_mode=${3} |
125 | local wan=${4} | | 125 | local wan=${4} |
126 | local wan_mode=${5} | | 126 | local wan_mode=${5} |
127 | | | 127 | |
128 | export RUMP_SERVER=${sock} | | 128 | export RUMP_SERVER=${sock} |
129 | atf_check -s exit:0 -o match:shmif0 rump.ifconfig | | 129 | atf_check -s exit:0 -o match:shmif0 rump.ifconfig |
| @@ -237,28 +237,28 @@ setup_if_ipsec() | | | @@ -237,28 +237,28 @@ setup_if_ipsec() |
237 | local peernet=${7} | | 237 | local peernet=${7} |
238 | | | 238 | |
239 | export RUMP_SERVER=${sock} | | 239 | export RUMP_SERVER=${sock} |
240 | atf_check -s exit:0 rump.ifconfig ipsec0 create | | 240 | atf_check -s exit:0 rump.ifconfig ipsec0 create |
241 | atf_check -s exit:0 rump.ifconfig ipsec0 tunnel ${src} ${dst} | | 241 | atf_check -s exit:0 rump.ifconfig ipsec0 tunnel ${src} ${dst} |
242 | if [ ${inner} = "ipv6" ]; then | | 242 | if [ ${inner} = "ipv6" ]; then |
243 | atf_check -s exit:0 rump.ifconfig ipsec0 inet6 ${addr}/128 ${remote} | | 243 | atf_check -s exit:0 rump.ifconfig ipsec0 inet6 ${addr}/128 ${remote} |
244 | atf_check -s exit:0 -o ignore rump.route add -inet6 ${peernet} ${addr} | | 244 | atf_check -s exit:0 -o ignore rump.route add -inet6 ${peernet} ${addr} |
245 | else | | 245 | else |
246 | atf_check -s exit:0 rump.ifconfig ipsec0 inet ${addr}/32 ${remote} | | 246 | atf_check -s exit:0 rump.ifconfig ipsec0 inet ${addr}/32 ${remote} |
247 | atf_check -s exit:0 -o ignore rump.route add -inet ${peernet} ${addr} | | 247 | atf_check -s exit:0 -o ignore rump.route add -inet ${peernet} ${addr} |
248 | fi | | 248 | fi |
249 | | | 249 | |
250 | rump.ifconfig ipsec0 | | 250 | $DEBUG && rump.ifconfig ipsec0 |
251 | rump.route -nL show | | 251 | $DEBUG && rump.route -nL show |
252 | } | | 252 | } |
253 | | | 253 | |
254 | setup_if_ipsec_sa() | | 254 | setup_if_ipsec_sa() |
255 | { | | 255 | { |
256 | local sock=${1} | | 256 | local sock=${1} |
257 | local src=${2} | | 257 | local src=${2} |
258 | local dst=${3} | | 258 | local dst=${3} |
259 | local mode=${4} | | 259 | local mode=${4} |
260 | local proto=${5} | | 260 | local proto=${5} |
261 | local algo=${6} | | 261 | local algo=${6} |
262 | local dir=${7} | | 262 | local dir=${7} |
263 | | | 263 | |
264 | local tmpfile=./tmp | | 264 | local tmpfile=./tmp |
| @@ -416,27 +416,27 @@ setup_dummy_if_ipsec() | | | @@ -416,27 +416,27 @@ setup_dummy_if_ipsec() |
416 | local inner=${4} | | 416 | local inner=${4} |
417 | local src=${5} | | 417 | local src=${5} |
418 | local dst=${6} | | 418 | local dst=${6} |
419 | | | 419 | |
420 | export RUMP_SERVER=${sock} | | 420 | export RUMP_SERVER=${sock} |
421 | atf_check -s exit:0 rump.ifconfig ipsec1 create | | 421 | atf_check -s exit:0 rump.ifconfig ipsec1 create |
422 | atf_check -s exit:0 rump.ifconfig ipsec1 tunnel ${src} ${dst} | | 422 | atf_check -s exit:0 rump.ifconfig ipsec1 tunnel ${src} ${dst} |
423 | if [ ${inner} = "ipv6" ]; then | | 423 | if [ ${inner} = "ipv6" ]; then |
424 | atf_check -s exit:0 rump.ifconfig ipsec1 inet6 ${addr}/128 ${remote} | | 424 | atf_check -s exit:0 rump.ifconfig ipsec1 inet6 ${addr}/128 ${remote} |
425 | else | | 425 | else |
426 | atf_check -s exit:0 rump.ifconfig ipsec1 inet ${addr}/32 ${remote} | | 426 | atf_check -s exit:0 rump.ifconfig ipsec1 inet ${addr}/32 ${remote} |
427 | fi | | 427 | fi |
428 | | | 428 | |
429 | rump.ifconfig ipsec1 | | 429 | $DEBUG && rump.ifconfig ipsec1 |
430 | unset RUMP_SERVER | | 430 | unset RUMP_SERVER |
431 | } | | 431 | } |
432 | | | 432 | |
433 | setup_dummy_if_ipsec_sa() | | 433 | setup_dummy_if_ipsec_sa() |
434 | { | | 434 | { |
435 | local sock=${1} | | 435 | local sock=${1} |
436 | local src=${2} | | 436 | local src=${2} |
437 | local dst=${3} | | 437 | local dst=${3} |
438 | local mode=${4} | | 438 | local mode=${4} |
439 | local proto=${5} | | 439 | local proto=${5} |
440 | local algo=${6} | | 440 | local algo=${6} |
441 | local dir=${7} | | 441 | local dir=${7} |
442 | | | 442 | |
| @@ -559,27 +559,27 @@ setup_recursive_if_ipsec() | | | @@ -559,27 +559,27 @@ setup_recursive_if_ipsec() |
559 | local dir=${10} | | 559 | local dir=${10} |
560 | | | 560 | |
561 | export RUMP_SERVER=${sock} | | 561 | export RUMP_SERVER=${sock} |
562 | atf_check -s exit:0 rump.ifconfig ${ipsec} create | | 562 | atf_check -s exit:0 rump.ifconfig ${ipsec} create |
563 | atf_check -s exit:0 rump.ifconfig ${ipsec} tunnel ${src} ${dst} | | 563 | atf_check -s exit:0 rump.ifconfig ${ipsec} tunnel ${src} ${dst} |
564 | if [ ${inner} = "ipv6" ]; then | | 564 | if [ ${inner} = "ipv6" ]; then |
565 | atf_check -s exit:0 rump.ifconfig ${ipsec} inet6 ${addr}/128 ${remote} | | 565 | atf_check -s exit:0 rump.ifconfig ${ipsec} inet6 ${addr}/128 ${remote} |
566 | else | | 566 | else |
567 | atf_check -s exit:0 rump.ifconfig ${ipsec} inet ${addr}/32 ${remote} | | 567 | atf_check -s exit:0 rump.ifconfig ${ipsec} inet ${addr}/32 ${remote} |
568 | fi | | 568 | fi |
569 | setup_if_ipsec_sa $sock ${src} ${dst} ${inner} ${proto} ${algo} ${dir} | | 569 | setup_if_ipsec_sa $sock ${src} ${dst} ${inner} ${proto} ${algo} ${dir} |
570 | | | 570 | |
571 | export RUMP_SERVER=${sock} | | 571 | export RUMP_SERVER=${sock} |
572 | rump.ifconfig ${ipsec} | | 572 | $DEBUG && rump.ifconfig ${ipsec} |
573 | unset RUMP_SERVER | | 573 | unset RUMP_SERVER |
574 | } | | 574 | } |
575 | | | 575 | |
576 | # test in ROUTER1 only | | 576 | # test in ROUTER1 only |
577 | setup_recursive_tunnels() | | 577 | setup_recursive_tunnels() |
578 | { | | 578 | { |
579 | local mode=${1} | | 579 | local mode=${1} |
580 | local proto=${2} | | 580 | local proto=${2} |
581 | local algo=${3} | | 581 | local algo=${3} |
582 | | | 582 | |
583 | local addr="" | | 583 | local addr="" |
584 | local remote="" | | 584 | local remote="" |
585 | local src="" | | 585 | local src="" |
| @@ -670,128 +670,128 @@ test_ping_failure() | | | @@ -670,128 +670,128 @@ test_ping_failure() |
670 | atf_check -s not-exit:0 -o ignore -e ignore \ | | 670 | atf_check -s not-exit:0 -o ignore -e ignore \ |
671 | rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \ | | 671 | rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \ |
672 | $ROUTER2_LANIP | | 672 | $ROUTER2_LANIP |
673 | fi | | 673 | fi |
674 | | | 674 | |
675 | unset RUMP_SERVER | | 675 | unset RUMP_SERVER |
676 | } | | 676 | } |
677 | | | 677 | |
678 | test_ping_success() | | 678 | test_ping_success() |
679 | { | | 679 | { |
680 | mode=$1 | | 680 | mode=$1 |
681 | | | 681 | |
682 | export RUMP_SERVER=$SOCK1 | | 682 | export RUMP_SERVER=$SOCK1 |
683 | rump.ifconfig -v ipsec0 | | 683 | $DEBUG && rump.ifconfig -v ipsec0 |
684 | if [ ${mode} = "ipv6" ]; then | | 684 | if [ ${mode} = "ipv6" ]; then |
685 | # XXX | | 685 | # XXX |
686 | # rump.ping6 rarely fails with the message that | | 686 | # rump.ping6 rarely fails with the message that |
687 | # "failed to get receiving hop limit". | | 687 | # "failed to get receiving hop limit". |
688 | # This is a known issue being analyzed. | | 688 | # This is a known issue being analyzed. |
689 | atf_check -s exit:0 -o ignore \ | | 689 | atf_check -s exit:0 -o ignore \ |
690 | rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER1_LANIP6 \ | | 690 | rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER1_LANIP6 \ |
691 | $ROUTER2_LANIP6 | | 691 | $ROUTER2_LANIP6 |
692 | else | | 692 | else |
693 | atf_check -s exit:0 -o ignore \ | | 693 | atf_check -s exit:0 -o ignore \ |
694 | rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \ | | 694 | rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \ |
695 | $ROUTER2_LANIP | | 695 | $ROUTER2_LANIP |
696 | fi | | 696 | fi |
697 | rump.ifconfig -v ipsec0 | | 697 | $DEBUG && rump.ifconfig -v ipsec0 |
698 | | | 698 | |
699 | export RUMP_SERVER=$SOCK2 | | 699 | export RUMP_SERVER=$SOCK2 |
700 | rump.ifconfig -v ipsec0 | | 700 | $DEBUG && rump.ifconfig -v ipsec0 |
701 | if [ ${mode} = "ipv6" ]; then | | 701 | if [ ${mode} = "ipv6" ]; then |
702 | atf_check -s exit:0 -o ignore \ | | 702 | atf_check -s exit:0 -o ignore \ |
703 | rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER2_LANIP6 \ | | 703 | rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER2_LANIP6 \ |
704 | $ROUTER1_LANIP6 | | 704 | $ROUTER1_LANIP6 |
705 | else | | 705 | else |
706 | atf_check -s exit:0 -o ignore \ | | 706 | atf_check -s exit:0 -o ignore \ |
707 | rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \ | | 707 | rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \ |
708 | $ROUTER1_LANIP | | 708 | $ROUTER1_LANIP |
709 | fi | | 709 | fi |
710 | rump.ifconfig -v ipsec0 | | 710 | $DEBUG && rump.ifconfig -v ipsec0 |
711 | | | 711 | |
712 | unset RUMP_SERVER | | 712 | unset RUMP_SERVER |
713 | } | | 713 | } |
714 | | | 714 | |
715 | test_change_tunnel_duplicate() | | 715 | test_change_tunnel_duplicate() |
716 | { | | 716 | { |
717 | local mode=$1 | | 717 | local mode=$1 |
718 | | | 718 | |
719 | local newsrc="" | | 719 | local newsrc="" |
720 | local newdst="" | | 720 | local newdst="" |
721 | if [ ${mode} = "ipv6" ]; then | | 721 | if [ ${mode} = "ipv6" ]; then |
722 | newsrc=$ROUTER1_WANIP6_DUMMY | | 722 | newsrc=$ROUTER1_WANIP6_DUMMY |
723 | newdst=$ROUTER2_WANIP6_DUMMY | | 723 | newdst=$ROUTER2_WANIP6_DUMMY |
724 | else | | 724 | else |
725 | newsrc=$ROUTER1_WANIP_DUMMY | | 725 | newsrc=$ROUTER1_WANIP_DUMMY |
726 | newdst=$ROUTER2_WANIP_DUMMY | | 726 | newdst=$ROUTER2_WANIP_DUMMY |
727 | fi | | 727 | fi |
728 | export RUMP_SERVER=$SOCK1 | | 728 | export RUMP_SERVER=$SOCK1 |
729 | rump.ifconfig -v ipsec0 | | 729 | $DEBUG && rump.ifconfig -v ipsec0 |
730 | rump.ifconfig -v ipsec1 | | 730 | $DEBUG && rump.ifconfig -v ipsec1 |
731 | atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \ | | 731 | atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \ |
732 | rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst} | | 732 | rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst} |
733 | rump.ifconfig -v ipsec0 | | 733 | $DEBUG && rump.ifconfig -v ipsec0 |
734 | rump.ifconfig -v ipsec1 | | 734 | $DEBUG && rump.ifconfig -v ipsec1 |
735 | | | 735 | |
736 | if [ ${mode} = "ipv6" ]; then | | 736 | if [ ${mode} = "ipv6" ]; then |
737 | newsrc=$ROUTER2_WANIP6_DUMMY | | 737 | newsrc=$ROUTER2_WANIP6_DUMMY |
738 | newdst=$ROUTER1_WANIP6_DUMMY | | 738 | newdst=$ROUTER1_WANIP6_DUMMY |
739 | else | | 739 | else |
740 | newsrc=$ROUTER2_WANIP_DUMMY | | 740 | newsrc=$ROUTER2_WANIP_DUMMY |
741 | newdst=$ROUTER1_WANIP_DUMMY | | 741 | newdst=$ROUTER1_WANIP_DUMMY |
742 | fi | | 742 | fi |
743 | export RUMP_SERVER=$SOCK2 | | 743 | export RUMP_SERVER=$SOCK2 |
744 | rump.ifconfig -v ipsec0 | | 744 | $DEBUG && rump.ifconfig -v ipsec0 |
745 | rump.ifconfig -v ipsec1 | | 745 | $DEBUG && rump.ifconfig -v ipsec1 |
746 | atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \ | | 746 | atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \ |
747 | rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst} | | 747 | rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst} |
748 | rump.ifconfig -v ipsec0 | | 748 | $DEBUG && rump.ifconfig -v ipsec0 |
749 | rump.ifconfig -v ipsec1 | | 749 | $DEBUG && rump.ifconfig -v ipsec1 |
750 | | | 750 | |
751 | unset RUMP_SERVER | | 751 | unset RUMP_SERVER |
752 | } | | 752 | } |
753 | | | 753 | |
754 | test_change_tunnel_success() | | 754 | test_change_tunnel_success() |
755 | { | | 755 | { |
756 | local mode=$1 | | 756 | local mode=$1 |
757 | | | 757 | |
758 | local newsrc="" | | 758 | local newsrc="" |
759 | local newdst="" | | 759 | local newdst="" |
760 | if [ ${mode} = "ipv6" ]; then | | 760 | if [ ${mode} = "ipv6" ]; then |
761 | newsrc=$ROUTER1_WANIP6_DUMMY | | 761 | newsrc=$ROUTER1_WANIP6_DUMMY |
762 | newdst=$ROUTER2_WANIP6_DUMMY | | 762 | newdst=$ROUTER2_WANIP6_DUMMY |
763 | else | | 763 | else |
764 | newsrc=$ROUTER1_WANIP_DUMMY | | 764 | newsrc=$ROUTER1_WANIP_DUMMY |
765 | newdst=$ROUTER2_WANIP_DUMMY | | 765 | newdst=$ROUTER2_WANIP_DUMMY |
766 | fi | | 766 | fi |
767 | export RUMP_SERVER=$SOCK1 | | 767 | export RUMP_SERVER=$SOCK1 |
768 | rump.ifconfig -v ipsec0 | | 768 | $DEBUG && rump.ifconfig -v ipsec0 |
769 | atf_check -s exit:0 \ | | 769 | atf_check -s exit:0 \ |
770 | rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst} | | 770 | rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst} |
771 | rump.ifconfig -v ipsec0 | | 771 | $DEBUG && rump.ifconfig -v ipsec0 |
772 | | | 772 | |
773 | if [ ${mode} = "ipv6" ]; then | | 773 | if [ ${mode} = "ipv6" ]; then |
774 | newsrc=$ROUTER2_WANIP6_DUMMY | | 774 | newsrc=$ROUTER2_WANIP6_DUMMY |
775 | newdst=$ROUTER1_WANIP6_DUMMY | | 775 | newdst=$ROUTER1_WANIP6_DUMMY |
776 | else | | 776 | else |
777 | newsrc=$ROUTER2_WANIP_DUMMY | | 777 | newsrc=$ROUTER2_WANIP_DUMMY |
778 | newdst=$ROUTER1_WANIP_DUMMY | | 778 | newdst=$ROUTER1_WANIP_DUMMY |
779 | fi | | 779 | fi |
780 | export RUMP_SERVER=$SOCK2 | | 780 | export RUMP_SERVER=$SOCK2 |
781 | rump.ifconfig -v ipsec0 | | 781 | $DEBUG && rump.ifconfig -v ipsec0 |
782 | atf_check -s exit:0 \ | | 782 | atf_check -s exit:0 \ |
783 | rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst} | | 783 | rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst} |
784 | rump.ifconfig -v ipsec0 | | 784 | $DEBUG && rump.ifconfig -v ipsec0 |
785 | | | 785 | |
786 | unset RUMP_SERVER | | 786 | unset RUMP_SERVER |
787 | } | | 787 | } |
788 | | | 788 | |
789 | basic_setup() | | 789 | basic_setup() |
790 | { | | 790 | { |
791 | local inner=$1 | | 791 | local inner=$1 |
792 | local outer=$2 | | 792 | local outer=$2 |
793 | local proto=$3 | | 793 | local proto=$3 |
794 | local algo=$4 | | 794 | local algo=$4 |
795 | | | 795 | |
796 | setup ${inner} ${outer} | | 796 | setup ${inner} ${outer} |
797 | test_setup ${inner} ${outer} | | 797 | test_setup ${inner} ${outer} |
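Review bot: In the `@@ -237,28 +237,28 @@ setup_if_ipsec()` hunk, `$DEBUG && rump.route -nL show` is now the last command of setup_if_ipsec(), so with DEBUG set to `false` the function returns a non-zero status, where it used to return the status of rump.route. Nothing visible in these hunks checks that status, but a caller that later does, or a run under `set -e`, would see a spurious failure; `if $DEBUG; then rump.ifconfig ipsec0; rump.route -nL show; fi` keeps the status at 0 when debugging is off. The other gated calls are all followed by `unset RUMP_SERVER` or further commands, so they are not affected. Separately, every `$DEBUG && …` line executes the variable's value as a command, and its definition is outside these hunks. It should be pinned to exactly `true` or `false` before use, because an unset or empty value makes the diagnostics run and any other value inherited from the environment is executed as a command.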