| @@ -1,955 +1,955 @@ | | | @@ -1,955 +1,955 @@ |
| 1 | # $NetBSD: t_ipsec.sh,v 1.4 2018/03/13 03:50:26 knakahara Exp $ | | 1 | # $NetBSD: t_ipsec.sh,v 1.5 2018/12/25 03:28:29 knakahara Exp $ |
| 2 | # | | 2 | # |
| 3 | # Copyright (c) 2017 Internet Initiative Japan Inc. | | 3 | # Copyright (c) 2017 Internet Initiative Japan Inc. |
| 4 | # All rights reserved. | | 4 | # All rights reserved. |
| 5 | # | | 5 | # |
| 6 | # Redistribution and use in source and binary forms, with or without | | 6 | # Redistribution and use in source and binary forms, with or without |
| 7 | # modification, are permitted provided that the following conditions | | 7 | # modification, are permitted provided that the following conditions |
| 8 | # are met: | | 8 | # are met: |
| 9 | # 1. Redistributions of source code must retain the above copyright | | 9 | # 1. Redistributions of source code must retain the above copyright |
| 10 | # notice, this list of conditions and the following disclaimer. | | 10 | # notice, this list of conditions and the following disclaimer. |
| 11 | # 2. Redistributions in binary form must reproduce the above copyright | | 11 | # 2. Redistributions in binary form must reproduce the above copyright |
| 12 | # notice, this list of conditions and the following disclaimer in the | | 12 | # notice, this list of conditions and the following disclaimer in the |
| 13 | # documentation and/or other materials provided with the distribution. | | 13 | # documentation and/or other materials provided with the distribution. |
| 14 | # | | 14 | # |
| 15 | # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS | | 15 | # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS |
| 16 | # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED | | 16 | # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED |
| 17 | # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | | 17 | # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
| 18 | # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS | | 18 | # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS |
| 19 | # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | | 19 | # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
| 20 | # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | | 20 | # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
| 21 | # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | | 21 | # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
| 22 | # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | | 22 | # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
| 23 | # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | | 23 | # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
| 24 | # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | | 24 | # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
| 25 | # POSSIBILITY OF SUCH DAMAGE. | | 25 | # POSSIBILITY OF SUCH DAMAGE. |
| 26 | # | | 26 | # |
| 27 | | | 27 | |
| 28 | SOCK1=unix://commsock1 # for ROUTER1 | | 28 | SOCK1=unix://commsock1 # for ROUTER1 |
| 29 | SOCK2=unix://commsock2 # for ROUTER2 | | 29 | SOCK2=unix://commsock2 # for ROUTER2 |
| 30 | ROUTER1_LANIP=192.168.1.1 | | 30 | ROUTER1_LANIP=192.168.1.1 |
| 31 | ROUTER1_LANNET=192.168.1.0/24 | | 31 | ROUTER1_LANNET=192.168.1.0/24 |
| 32 | ROUTER1_WANIP=10.0.0.1 | | 32 | ROUTER1_WANIP=10.0.0.1 |
| 33 | ROUTER1_IPSECIP=172.16.1.1 | | 33 | ROUTER1_IPSECIP=172.16.1.1 |
| 34 | ROUTER1_WANIP_DUMMY=10.0.0.11 | | 34 | ROUTER1_WANIP_DUMMY=10.0.0.11 |
| 35 | ROUTER1_IPSECIP_DUMMY=172.16.11.1 | | 35 | ROUTER1_IPSECIP_DUMMY=172.16.11.1 |
| 36 | ROUTER1_IPSECIP_RECURSIVE1=172.16.101.1 | | 36 | ROUTER1_IPSECIP_RECURSIVE1=172.16.101.1 |
| 37 | ROUTER1_IPSECIP_RECURSIVE2=172.16.201.1 | | 37 | ROUTER1_IPSECIP_RECURSIVE2=172.16.201.1 |
| 38 | ROUTER2_LANIP=192.168.2.1 | | 38 | ROUTER2_LANIP=192.168.2.1 |
| 39 | ROUTER2_LANNET=192.168.2.0/24 | | 39 | ROUTER2_LANNET=192.168.2.0/24 |
| 40 | ROUTER2_WANIP=10.0.0.2 | | 40 | ROUTER2_WANIP=10.0.0.2 |
| 41 | ROUTER2_IPSECIP=172.16.2.1 | | 41 | ROUTER2_IPSECIP=172.16.2.1 |
| 42 | ROUTER2_WANIP_DUMMY=10.0.0.12 | | 42 | ROUTER2_WANIP_DUMMY=10.0.0.12 |
| 43 | ROUTER2_IPSECIP_DUMMY=172.16.12.1 | | 43 | ROUTER2_IPSECIP_DUMMY=172.16.12.1 |
| 44 | ROUTER2_IPSECIP_RECURSIVE1=172.16.102.1 | | 44 | ROUTER2_IPSECIP_RECURSIVE1=172.16.102.1 |
| 45 | ROUTER2_IPSECIP_RECURSIVE2=172.16.202.1 | | 45 | ROUTER2_IPSECIP_RECURSIVE2=172.16.202.1 |
| 46 | | | 46 | |
| 47 | ROUTER1_LANIP6=fc00:1::1 | | 47 | ROUTER1_LANIP6=fc00:1::1 |
| 48 | ROUTER1_LANNET6=fc00:1::/64 | | 48 | ROUTER1_LANNET6=fc00:1::/64 |
| 49 | ROUTER1_WANIP6=fc00::1 | | 49 | ROUTER1_WANIP6=fc00::1 |
| 50 | ROUTER1_IPSECIP6=fc00:3::1 | | 50 | ROUTER1_IPSECIP6=fc00:3::1 |
| 51 | ROUTER1_WANIP6_DUMMY=fc00::11 | | 51 | ROUTER1_WANIP6_DUMMY=fc00::11 |
| 52 | ROUTER1_IPSECIP6_DUMMY=fc00:13::1 | | 52 | ROUTER1_IPSECIP6_DUMMY=fc00:13::1 |
| 53 | ROUTER1_IPSECIP6_RECURSIVE1=fc00:103::1 | | 53 | ROUTER1_IPSECIP6_RECURSIVE1=fc00:103::1 |
| 54 | ROUTER1_IPSECIP6_RECURSIVE2=fc00:203::1 | | 54 | ROUTER1_IPSECIP6_RECURSIVE2=fc00:203::1 |
| 55 | ROUTER2_LANIP6=fc00:2::1 | | 55 | ROUTER2_LANIP6=fc00:2::1 |
| 56 | ROUTER2_LANNET6=fc00:2::/64 | | 56 | ROUTER2_LANNET6=fc00:2::/64 |
| 57 | ROUTER2_WANIP6=fc00::2 | | 57 | ROUTER2_WANIP6=fc00::2 |
| 58 | ROUTER2_IPSECIP6=fc00:4::1 | | 58 | ROUTER2_IPSECIP6=fc00:4::1 |
| 59 | ROUTER2_WANIP6_DUMMY=fc00::12 | | 59 | ROUTER2_WANIP6_DUMMY=fc00::12 |
| 60 | ROUTER2_IPSECIP6_DUMMY=fc00:14::1 | | 60 | ROUTER2_IPSECIP6_DUMMY=fc00:14::1 |
| 61 | ROUTER2_IPSECIP6_RECURSIVE1=fc00:104::1 | | 61 | ROUTER2_IPSECIP6_RECURSIVE1=fc00:104::1 |
| 62 | ROUTER2_IPSECIP6_RECURSIVE2=fc00:204::1 | | 62 | ROUTER2_IPSECIP6_RECURSIVE2=fc00:204::1 |
| 63 | | | 63 | |
| 64 | DEBUG=${DEBUG:-false} | | 64 | DEBUG=${DEBUG:-false} |
| 65 | TIMEOUT=7 | | 65 | TIMEOUT=7 |
| 66 | | | 66 | |
| 67 | atf_test_case ipsecif_create_destroy cleanup | | 67 | atf_test_case ipsecif_create_destroy cleanup |
| 68 | ipsecif_create_destroy_head() | | 68 | ipsecif_create_destroy_head() |
| 69 | { | | 69 | { |
| 70 | | | 70 | |
| 71 | atf_set "descr" "Test creating/destroying gif interfaces" | | 71 | atf_set "descr" "Test creating/destroying gif interfaces" |
| 72 | atf_set "require.progs" "rump_server" | | 72 | atf_set "require.progs" "rump_server" |
| 73 | } | | 73 | } |
| 74 | | | 74 | |
| 75 | ipsecif_create_destroy_body() | | 75 | ipsecif_create_destroy_body() |
| 76 | { | | 76 | { |
| 77 | | | 77 | |
| 78 | rump_server_start $SOCK1 ipsec | | 78 | rump_server_start $SOCK1 ipsec |
| 79 | | | 79 | |
| 80 | test_create_destroy_common $SOCK1 ipsec0 | | 80 | test_create_destroy_common $SOCK1 ipsec0 |
| 81 | } | | 81 | } |
| 82 | | | 82 | |
| 83 | ipsecif_create_destroy_cleanup() | | 83 | ipsecif_create_destroy_cleanup() |
| 84 | { | | 84 | { |
| 85 | | | 85 | |
| 86 | $DEBUG && dump | | 86 | $DEBUG && dump |
| 87 | cleanup | | 87 | cleanup |
| 88 | } | | 88 | } |
| 89 | | | 89 | |
| 90 | setup_router() | | 90 | setup_router() |
| 91 | { | | 91 | { |
| 92 | local sock=${1} | | 92 | local sock=${1} |
| 93 | local lan=${2} | | 93 | local lan=${2} |
| 94 | local lan_mode=${3} | | 94 | local lan_mode=${3} |
| 95 | local wan=${4} | | 95 | local wan=${4} |
| 96 | local wan_mode=${5} | | 96 | local wan_mode=${5} |
| 97 | | | 97 | |
| 98 | rump_server_add_iface $sock shmif0 bus0 | | 98 | rump_server_add_iface $sock shmif0 bus0 |
| 99 | rump_server_add_iface $sock shmif1 bus1 | | 99 | rump_server_add_iface $sock shmif1 bus1 |
| 100 | | | 100 | |
| 101 | export RUMP_SERVER=${sock} | | 101 | export RUMP_SERVER=${sock} |
| 102 | if [ ${lan_mode} = "ipv6" ]; then | | 102 | if [ ${lan_mode} = "ipv6" ]; then |
| 103 | atf_check -s exit:0 rump.ifconfig shmif0 inet6 ${lan} | | 103 | atf_check -s exit:0 rump.ifconfig shmif0 inet6 ${lan} |
| 104 | else | | 104 | else |
| 105 | atf_check -s exit:0 rump.ifconfig shmif0 inet ${lan} netmask 0xffffff00 | | 105 | atf_check -s exit:0 rump.ifconfig shmif0 inet ${lan} netmask 0xffffff00 |
| 106 | fi | | 106 | fi |
| 107 | atf_check -s exit:0 rump.ifconfig shmif0 up | | 107 | atf_check -s exit:0 rump.ifconfig shmif0 up |
| 108 | rump.ifconfig shmif0 | | 108 | $DEBUG && rump.ifconfig shmif0 |
| 109 | | | 109 | |
| 110 | if [ ${wan_mode} = "ipv6" ]; then | | 110 | if [ ${wan_mode} = "ipv6" ]; then |
| 111 | atf_check -s exit:0 rump.ifconfig shmif1 inet6 ${wan} | | 111 | atf_check -s exit:0 rump.ifconfig shmif1 inet6 ${wan} |
| 112 | else | | 112 | else |
| 113 | atf_check -s exit:0 rump.ifconfig shmif1 inet ${wan} netmask 0xff000000 | | 113 | atf_check -s exit:0 rump.ifconfig shmif1 inet ${wan} netmask 0xff000000 |
| 114 | fi | | 114 | fi |
| 115 | atf_check -s exit:0 rump.ifconfig shmif1 up | | 115 | atf_check -s exit:0 rump.ifconfig shmif1 up |
| 116 | rump.ifconfig shmif1 | | 116 | $DEBUG && rump.ifconfig shmif1 |
| 117 | unset RUMP_SERVER | | 117 | unset RUMP_SERVER |
| 118 | } | | 118 | } |
| 119 | | | 119 | |
| 120 | test_router() | | 120 | test_router() |
| 121 | { | | 121 | { |
| 122 | local sock=${1} | | 122 | local sock=${1} |
| 123 | local lan=${2} | | 123 | local lan=${2} |
| 124 | local lan_mode=${3} | | 124 | local lan_mode=${3} |
| 125 | local wan=${4} | | 125 | local wan=${4} |
| 126 | local wan_mode=${5} | | 126 | local wan_mode=${5} |
| 127 | | | 127 | |
| 128 | export RUMP_SERVER=${sock} | | 128 | export RUMP_SERVER=${sock} |
| 129 | atf_check -s exit:0 -o match:shmif0 rump.ifconfig | | 129 | atf_check -s exit:0 -o match:shmif0 rump.ifconfig |
| 130 | if [ ${lan_mode} = "ipv6" ]; then | | 130 | if [ ${lan_mode} = "ipv6" ]; then |
| 131 | atf_check -s exit:0 -o ignore rump.ping6 -n -c 1 -X $TIMEOUT ${lan} | | 131 | atf_check -s exit:0 -o ignore rump.ping6 -n -c 1 -X $TIMEOUT ${lan} |
| 132 | else | | 132 | else |
| 133 | atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT ${lan} | | 133 | atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT ${lan} |
| 134 | fi | | 134 | fi |
| 135 | | | 135 | |
| 136 | atf_check -s exit:0 -o match:shmif1 rump.ifconfig | | 136 | atf_check -s exit:0 -o match:shmif1 rump.ifconfig |
| 137 | if [ ${wan_mode} = "ipv6" ]; then | | 137 | if [ ${wan_mode} = "ipv6" ]; then |
| 138 | atf_check -s exit:0 -o ignore rump.ping6 -n -c 1 -X $TIMEOUT ${wan} | | 138 | atf_check -s exit:0 -o ignore rump.ping6 -n -c 1 -X $TIMEOUT ${wan} |
| 139 | else | | 139 | else |
| 140 | atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT ${wan} | | 140 | atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT ${wan} |
| 141 | fi | | 141 | fi |
| 142 | unset RUMP_SERVER | | 142 | unset RUMP_SERVER |
| 143 | } | | 143 | } |
| 144 | | | 144 | |
| 145 | setup() | | 145 | setup() |
| 146 | { | | 146 | { |
| 147 | local inner=${1} | | 147 | local inner=${1} |
| 148 | local outer=${2} | | 148 | local outer=${2} |
| 149 | | | 149 | |
| 150 | rump_server_crypto_start $SOCK1 netipsec netinet6 ipsec | | 150 | rump_server_crypto_start $SOCK1 netipsec netinet6 ipsec |
| 151 | rump_server_crypto_start $SOCK2 netipsec netinet6 ipsec | | 151 | rump_server_crypto_start $SOCK2 netipsec netinet6 ipsec |
| 152 | | | 152 | |
| 153 | router1_lan="" | | 153 | router1_lan="" |
| 154 | router1_lan_mode="" | | 154 | router1_lan_mode="" |
| 155 | router2_lan="" | | 155 | router2_lan="" |
| 156 | router2_lan_mode="" | | 156 | router2_lan_mode="" |
| 157 | if [ ${inner} = "ipv6" ]; then | | 157 | if [ ${inner} = "ipv6" ]; then |
| 158 | router1_lan=$ROUTER1_LANIP6 | | 158 | router1_lan=$ROUTER1_LANIP6 |
| 159 | router1_lan_mode="ipv6" | | 159 | router1_lan_mode="ipv6" |
| 160 | router2_lan=$ROUTER2_LANIP6 | | 160 | router2_lan=$ROUTER2_LANIP6 |
| 161 | router2_lan_mode="ipv6" | | 161 | router2_lan_mode="ipv6" |
| 162 | else | | 162 | else |
| 163 | router1_lan=$ROUTER1_LANIP | | 163 | router1_lan=$ROUTER1_LANIP |
| 164 | router1_lan_mode="ipv4" | | 164 | router1_lan_mode="ipv4" |
| 165 | router2_lan=$ROUTER2_LANIP | | 165 | router2_lan=$ROUTER2_LANIP |
| 166 | router2_lan_mode="ipv4" | | 166 | router2_lan_mode="ipv4" |
| 167 | fi | | 167 | fi |
| 168 | | | 168 | |
| 169 | if [ ${outer} = "ipv6" ]; then | | 169 | if [ ${outer} = "ipv6" ]; then |
| 170 | setup_router $SOCK1 ${router1_lan} ${router1_lan_mode} \ | | 170 | setup_router $SOCK1 ${router1_lan} ${router1_lan_mode} \ |
| 171 | $ROUTER1_WANIP6 ipv6 | | 171 | $ROUTER1_WANIP6 ipv6 |
| 172 | setup_router $SOCK2 ${router2_lan} ${router2_lan_mode} \ | | 172 | setup_router $SOCK2 ${router2_lan} ${router2_lan_mode} \ |
| 173 | $ROUTER2_WANIP6 ipv6 | | 173 | $ROUTER2_WANIP6 ipv6 |
| 174 | else | | 174 | else |
| 175 | setup_router $SOCK1 ${router1_lan} ${router1_lan_mode} \ | | 175 | setup_router $SOCK1 ${router1_lan} ${router1_lan_mode} \ |
| 176 | $ROUTER1_WANIP ipv4 | | 176 | $ROUTER1_WANIP ipv4 |
| 177 | setup_router $SOCK2 ${router2_lan} ${router2_lan_mode} \ | | 177 | setup_router $SOCK2 ${router2_lan} ${router2_lan_mode} \ |
| 178 | $ROUTER2_WANIP ipv4 | | 178 | $ROUTER2_WANIP ipv4 |
| 179 | fi | | 179 | fi |
| 180 | } | | 180 | } |
| 181 | | | 181 | |
| 182 | test_setup() | | 182 | test_setup() |
| 183 | { | | 183 | { |
| 184 | local inner=${1} | | 184 | local inner=${1} |
| 185 | local outer=${2} | | 185 | local outer=${2} |
| 186 | | | 186 | |
| 187 | local router1_lan="" | | 187 | local router1_lan="" |
| 188 | local router1_lan_mode="" | | 188 | local router1_lan_mode="" |
| 189 | local router2_lan="" | | 189 | local router2_lan="" |
| 190 | local router2_lan_mode="" | | 190 | local router2_lan_mode="" |
| 191 | if [ ${inner} = "ipv6" ]; then | | 191 | if [ ${inner} = "ipv6" ]; then |
| 192 | router1_lan=$ROUTER1_LANIP6 | | 192 | router1_lan=$ROUTER1_LANIP6 |
| 193 | router1_lan_mode="ipv6" | | 193 | router1_lan_mode="ipv6" |
| 194 | router2_lan=$ROUTER2_LANIP6 | | 194 | router2_lan=$ROUTER2_LANIP6 |
| 195 | router2_lan_mode="ipv6" | | 195 | router2_lan_mode="ipv6" |
| 196 | else | | 196 | else |
| 197 | router1_lan=$ROUTER1_LANIP | | 197 | router1_lan=$ROUTER1_LANIP |
| 198 | router1_lan_mode="ipv4" | | 198 | router1_lan_mode="ipv4" |
| 199 | router2_lan=$ROUTER2_LANIP | | 199 | router2_lan=$ROUTER2_LANIP |
| 200 | router2_lan_mode="ipv4" | | 200 | router2_lan_mode="ipv4" |
| 201 | fi | | 201 | fi |
| 202 | if [ ${outer} = "ipv6" ]; then | | 202 | if [ ${outer} = "ipv6" ]; then |
| 203 | test_router $SOCK1 ${router1_lan} ${router1_lan_mode} \ | | 203 | test_router $SOCK1 ${router1_lan} ${router1_lan_mode} \ |
| 204 | $ROUTER1_WANIP6 ipv6 | | 204 | $ROUTER1_WANIP6 ipv6 |
| 205 | test_router $SOCK2 ${router2_lan} ${router2_lan_mode} \ | | 205 | test_router $SOCK2 ${router2_lan} ${router2_lan_mode} \ |
| 206 | $ROUTER2_WANIP6 ipv6 | | 206 | $ROUTER2_WANIP6 ipv6 |
| 207 | else | | 207 | else |
| 208 | test_router $SOCK1 ${router1_lan} ${router1_lan_mode} \ | | 208 | test_router $SOCK1 ${router1_lan} ${router1_lan_mode} \ |
| 209 | $ROUTER1_WANIP ipv4 | | 209 | $ROUTER1_WANIP ipv4 |
| 210 | test_router $SOCK2 ${router2_lan} ${router2_lan_mode} \ | | 210 | test_router $SOCK2 ${router2_lan} ${router2_lan_mode} \ |
| 211 | $ROUTER2_WANIP ipv4 | | 211 | $ROUTER2_WANIP ipv4 |
| 212 | fi | | 212 | fi |
| 213 | } | | 213 | } |
| 214 | | | 214 | |
| 215 | get_if_ipsec_unique() | | 215 | get_if_ipsec_unique() |
| 216 | { | | 216 | { |
| 217 | local sock=${1} | | 217 | local sock=${1} |
| 218 | local src=${2} | | 218 | local src=${2} |
| 219 | local proto=${3} | | 219 | local proto=${3} |
| 220 | local unique="" | | 220 | local unique="" |
| 221 | | | 221 | |
| 222 | export RUMP_SERVER=${sock} | | 222 | export RUMP_SERVER=${sock} |
| 223 | unique=`$HIJACKING setkey -DP | grep -A2 "^${src}.*(${proto})$" | grep unique | sed 's/.*unique#//'` | | 223 | unique=`$HIJACKING setkey -DP | grep -A2 "^${src}.*(${proto})$" | grep unique | sed 's/.*unique#//'` |
| 224 | unset RUMP_SERVER | | 224 | unset RUMP_SERVER |
| 225 | | | 225 | |
| 226 | echo $unique | | 226 | echo $unique |
| 227 | } | | 227 | } |
| 228 | | | 228 | |
| 229 | setup_if_ipsec() | | 229 | setup_if_ipsec() |
| 230 | { | | 230 | { |
| 231 | local sock=${1} | | 231 | local sock=${1} |
| 232 | local addr=${2} | | 232 | local addr=${2} |
| 233 | local remote=${3} | | 233 | local remote=${3} |
| 234 | local inner=${4} | | 234 | local inner=${4} |
| 235 | local src=${5} | | 235 | local src=${5} |
| 236 | local dst=${6} | | 236 | local dst=${6} |
| 237 | local peernet=${7} | | 237 | local peernet=${7} |
| 238 | | | 238 | |
| 239 | export RUMP_SERVER=${sock} | | 239 | export RUMP_SERVER=${sock} |
| 240 | atf_check -s exit:0 rump.ifconfig ipsec0 create | | 240 | atf_check -s exit:0 rump.ifconfig ipsec0 create |
| 241 | atf_check -s exit:0 rump.ifconfig ipsec0 tunnel ${src} ${dst} | | 241 | atf_check -s exit:0 rump.ifconfig ipsec0 tunnel ${src} ${dst} |
| 242 | if [ ${inner} = "ipv6" ]; then | | 242 | if [ ${inner} = "ipv6" ]; then |
| 243 | atf_check -s exit:0 rump.ifconfig ipsec0 inet6 ${addr}/128 ${remote} | | 243 | atf_check -s exit:0 rump.ifconfig ipsec0 inet6 ${addr}/128 ${remote} |
| 244 | atf_check -s exit:0 -o ignore rump.route add -inet6 ${peernet} ${addr} | | 244 | atf_check -s exit:0 -o ignore rump.route add -inet6 ${peernet} ${addr} |
| 245 | else | | 245 | else |
| 246 | atf_check -s exit:0 rump.ifconfig ipsec0 inet ${addr}/32 ${remote} | | 246 | atf_check -s exit:0 rump.ifconfig ipsec0 inet ${addr}/32 ${remote} |
| 247 | atf_check -s exit:0 -o ignore rump.route add -inet ${peernet} ${addr} | | 247 | atf_check -s exit:0 -o ignore rump.route add -inet ${peernet} ${addr} |
| 248 | fi | | 248 | fi |
| 249 | | | 249 | |
| 250 | rump.ifconfig ipsec0 | | 250 | $DEBUG && rump.ifconfig ipsec0 |
| 251 | rump.route -nL show | | 251 | $DEBUG && rump.route -nL show |
| 252 | } | | 252 | } |
| 253 | | | 253 | |
| 254 | setup_if_ipsec_sa() | | 254 | setup_if_ipsec_sa() |
| 255 | { | | 255 | { |
| 256 | local sock=${1} | | 256 | local sock=${1} |
| 257 | local src=${2} | | 257 | local src=${2} |
| 258 | local dst=${3} | | 258 | local dst=${3} |
| 259 | local mode=${4} | | 259 | local mode=${4} |
| 260 | local proto=${5} | | 260 | local proto=${5} |
| 261 | local algo=${6} | | 261 | local algo=${6} |
| 262 | local dir=${7} | | 262 | local dir=${7} |
| 263 | | | 263 | |
| 264 | local tmpfile=./tmp | | 264 | local tmpfile=./tmp |
| 265 | local inunique="" | | 265 | local inunique="" |
| 266 | local outunique="" | | 266 | local outunique="" |
| 267 | local inid="" | | 267 | local inid="" |
| 268 | local outid="" | | 268 | local outid="" |
| 269 | local algo_args="$(generate_algo_args $proto $algo)" | | 269 | local algo_args="$(generate_algo_args $proto $algo)" |
| 270 | | | 270 | |
| 271 | inunique=`get_if_ipsec_unique ${sock} ${dst} ${mode}` | | 271 | inunique=`get_if_ipsec_unique ${sock} ${dst} ${mode}` |
| 272 | atf_check -s exit:0 test "X$inunique" != "X" | | 272 | atf_check -s exit:0 test "X$inunique" != "X" |
| 273 | outunique=`get_if_ipsec_unique ${sock} ${src} ${mode}` | | 273 | outunique=`get_if_ipsec_unique ${sock} ${src} ${mode}` |
| 274 | atf_check -s exit:0 test "X$outunique" != "X" | | 274 | atf_check -s exit:0 test "X$outunique" != "X" |
| 275 | | | 275 | |
| 276 | if [ ${dir} = "1to2" ] ; then | | 276 | if [ ${dir} = "1to2" ] ; then |
| 277 | if [ ${mode} = "ipv6" ] ; then | | 277 | if [ ${mode} = "ipv6" ] ; then |
| 278 | inid="10010" | | 278 | inid="10010" |
| 279 | outid="10011" | | 279 | outid="10011" |
| 280 | else | | 280 | else |
| 281 | inid="10000" | | 281 | inid="10000" |
| 282 | outid="10001" | | 282 | outid="10001" |
| 283 | fi | | 283 | fi |
| 284 | else | | 284 | else |
| 285 | if [ ${mode} = "ipv6" ] ; then | | 285 | if [ ${mode} = "ipv6" ] ; then |
| 286 | inid="10011" | | 286 | inid="10011" |
| 287 | outid="10010" | | 287 | outid="10010" |
| 288 | else | | 288 | else |
| 289 | inid="10001" | | 289 | inid="10001" |
| 290 | outid="10000" | | 290 | outid="10000" |
| 291 | fi | | 291 | fi |
| 292 | fi | | 292 | fi |
| 293 | | | 293 | |
| 294 | cat > $tmpfile <<-EOF | | 294 | cat > $tmpfile <<-EOF |
| 295 | add $dst $src $proto $inid -u $inunique $algo_args; | | 295 | add $dst $src $proto $inid -u $inunique $algo_args; |
| 296 | add $src $dst $proto $outid -u $outunique $algo_args; | | 296 | add $src $dst $proto $outid -u $outunique $algo_args; |
| 297 | EOF | | 297 | EOF |
| 298 | $DEBUG && cat $tmpfile | | 298 | $DEBUG && cat $tmpfile |
| 299 | export RUMP_SERVER=$sock | | 299 | export RUMP_SERVER=$sock |
| 300 | atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile | | 300 | atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile |
| 301 | $DEBUG && $HIJACKING setkey -D | | 301 | $DEBUG && $HIJACKING setkey -D |
| 302 | $DEBUG && $HIJACKING setkey -DP | | 302 | $DEBUG && $HIJACKING setkey -DP |
| 303 | unset RUMP_SERVER | | 303 | unset RUMP_SERVER |
| 304 | } | | 304 | } |
| 305 | | | 305 | |
| 306 | setup_tunnel() | | 306 | setup_tunnel() |
| 307 | { | | 307 | { |
| 308 | local inner=${1} | | 308 | local inner=${1} |
| 309 | local outer=${2} | | 309 | local outer=${2} |
| 310 | local proto=${3} | | 310 | local proto=${3} |
| 311 | local algo=${4} | | 311 | local algo=${4} |
| 312 | | | 312 | |
| 313 | local addr="" | | 313 | local addr="" |
| 314 | local remote="" | | 314 | local remote="" |
| 315 | local src="" | | 315 | local src="" |
| 316 | local dst="" | | 316 | local dst="" |
| 317 | local peernet="" | | 317 | local peernet="" |
| 318 | | | 318 | |
| 319 | if [ ${inner} = "ipv6" ]; then | | 319 | if [ ${inner} = "ipv6" ]; then |
| 320 | addr=$ROUTER1_IPSECIP6 | | 320 | addr=$ROUTER1_IPSECIP6 |
| 321 | remote=$ROUTER2_IPSECIP6 | | 321 | remote=$ROUTER2_IPSECIP6 |
| 322 | peernet=$ROUTER2_LANNET6 | | 322 | peernet=$ROUTER2_LANNET6 |
| 323 | else | | 323 | else |
| 324 | addr=$ROUTER1_IPSECIP | | 324 | addr=$ROUTER1_IPSECIP |
| 325 | remote=$ROUTER2_IPSECIP | | 325 | remote=$ROUTER2_IPSECIP |
| 326 | peernet=$ROUTER2_LANNET | | 326 | peernet=$ROUTER2_LANNET |
| 327 | fi | | 327 | fi |
| 328 | if [ ${outer} = "ipv6" ]; then | | 328 | if [ ${outer} = "ipv6" ]; then |
| 329 | src=$ROUTER1_WANIP6 | | 329 | src=$ROUTER1_WANIP6 |
| 330 | dst=$ROUTER2_WANIP6 | | 330 | dst=$ROUTER2_WANIP6 |
| 331 | else | | 331 | else |
| 332 | src=$ROUTER1_WANIP | | 332 | src=$ROUTER1_WANIP |
| 333 | dst=$ROUTER2_WANIP | | 333 | dst=$ROUTER2_WANIP |
| 334 | fi | | 334 | fi |
| 335 | setup_if_ipsec $SOCK1 ${addr} ${remote} ${inner} \ | | 335 | setup_if_ipsec $SOCK1 ${addr} ${remote} ${inner} \ |
| 336 | ${src} ${dst} ${peernet} | | 336 | ${src} ${dst} ${peernet} |
| 337 | | | 337 | |
| 338 | if [ $inner = "ipv6" -a $outer = "ipv4" ]; then | | 338 | if [ $inner = "ipv6" -a $outer = "ipv4" ]; then |
| 339 | setup_if_ipsec_sa $SOCK1 ${src} ${dst} ${outer} ${proto} ${algo} "1to2" | | 339 | setup_if_ipsec_sa $SOCK1 ${src} ${dst} ${outer} ${proto} ${algo} "1to2" |
| 340 | fi | | 340 | fi |
| 341 | setup_if_ipsec_sa $SOCK1 ${src} ${dst} ${inner} ${proto} ${algo} "1to2" | | 341 | setup_if_ipsec_sa $SOCK1 ${src} ${dst} ${inner} ${proto} ${algo} "1to2" |
| 342 | | | 342 | |
| 343 | if [ $inner = "ipv6" ]; then | | 343 | if [ $inner = "ipv6" ]; then |
| 344 | addr=$ROUTER2_IPSECIP6 | | 344 | addr=$ROUTER2_IPSECIP6 |
| 345 | remote=$ROUTER1_IPSECIP6 | | 345 | remote=$ROUTER1_IPSECIP6 |
| 346 | peernet=$ROUTER1_LANNET6 | | 346 | peernet=$ROUTER1_LANNET6 |
| 347 | else | | 347 | else |
| 348 | addr=$ROUTER2_IPSECIP | | 348 | addr=$ROUTER2_IPSECIP |
| 349 | remote=$ROUTER1_IPSECIP | | 349 | remote=$ROUTER1_IPSECIP |
| 350 | peernet=$ROUTER1_LANNET | | 350 | peernet=$ROUTER1_LANNET |
| 351 | fi | | 351 | fi |
| 352 | if [ $outer = "ipv6" ]; then | | 352 | if [ $outer = "ipv6" ]; then |
| 353 | src=$ROUTER2_WANIP6 | | 353 | src=$ROUTER2_WANIP6 |
| 354 | dst=$ROUTER1_WANIP6 | | 354 | dst=$ROUTER1_WANIP6 |
| 355 | else | | 355 | else |
| 356 | src=$ROUTER2_WANIP | | 356 | src=$ROUTER2_WANIP |
| 357 | dst=$ROUTER1_WANIP | | 357 | dst=$ROUTER1_WANIP |
| 358 | fi | | 358 | fi |
| 359 | setup_if_ipsec $SOCK2 ${addr} ${remote} ${inner} \ | | 359 | setup_if_ipsec $SOCK2 ${addr} ${remote} ${inner} \ |
| 360 | ${src} ${dst} ${peernet} ${proto} ${algo} | | 360 | ${src} ${dst} ${peernet} ${proto} ${algo} |
| 361 | if [ $inner = "ipv6" -a $outer = "ipv4" ]; then | | 361 | if [ $inner = "ipv6" -a $outer = "ipv4" ]; then |
| 362 | setup_if_ipsec_sa $SOCK2 ${src} ${dst} ${outer} ${proto} ${algo} "2to1" | | 362 | setup_if_ipsec_sa $SOCK2 ${src} ${dst} ${outer} ${proto} ${algo} "2to1" |
| 363 | fi | | 363 | fi |
| 364 | setup_if_ipsec_sa $SOCK2 ${src} ${dst} ${inner} ${proto} ${algo} "2to1" | | 364 | setup_if_ipsec_sa $SOCK2 ${src} ${dst} ${inner} ${proto} ${algo} "2to1" |
| 365 | } | | 365 | } |
| 366 | | | 366 | |
| 367 | test_setup_tunnel() | | 367 | test_setup_tunnel() |
| 368 | { | | 368 | { |
| 369 | local mode=${1} | | 369 | local mode=${1} |
| 370 | | | 370 | |
| 371 | local peernet="" | | 371 | local peernet="" |
| 372 | local opt="" | | 372 | local opt="" |
| 373 | if [ ${mode} = "ipv6" ]; then | | 373 | if [ ${mode} = "ipv6" ]; then |
| 374 | peernet=$ROUTER2_LANNET6 | | 374 | peernet=$ROUTER2_LANNET6 |
| 375 | opt="-inet6" | | 375 | opt="-inet6" |
| 376 | else | | 376 | else |
| 377 | peernet=$ROUTER2_LANNET | | 377 | peernet=$ROUTER2_LANNET |
| 378 | opt="-inet" | | 378 | opt="-inet" |
| 379 | fi | | 379 | fi |
| 380 | export RUMP_SERVER=$SOCK1 | | 380 | export RUMP_SERVER=$SOCK1 |
| 381 | atf_check -s exit:0 -o match:ipsec0 rump.ifconfig | | 381 | atf_check -s exit:0 -o match:ipsec0 rump.ifconfig |
| 382 | atf_check -s exit:0 -o match:ipsec0 rump.route -nL get ${opt} ${peernet} | | 382 | atf_check -s exit:0 -o match:ipsec0 rump.route -nL get ${opt} ${peernet} |
| 383 | | | 383 | |
| 384 | if [ ${mode} = "ipv6" ]; then | | 384 | if [ ${mode} = "ipv6" ]; then |
| 385 | peernet=$ROUTER1_LANNET6 | | 385 | peernet=$ROUTER1_LANNET6 |
| 386 | opt="-inet6" | | 386 | opt="-inet6" |
| 387 | else | | 387 | else |
| 388 | peernet=$ROUTER1_LANNET | | 388 | peernet=$ROUTER1_LANNET |
| 389 | opt="-inet" | | 389 | opt="-inet" |
| 390 | fi | | 390 | fi |
| 391 | export RUMP_SERVER=$SOCK2 | | 391 | export RUMP_SERVER=$SOCK2 |
| 392 | atf_check -s exit:0 -o match:ipsec0 rump.ifconfig | | 392 | atf_check -s exit:0 -o match:ipsec0 rump.ifconfig |
| 393 | atf_check -s exit:0 -o match:ipsec0 rump.route -nL get ${opt} ${peernet} | | 393 | atf_check -s exit:0 -o match:ipsec0 rump.route -nL get ${opt} ${peernet} |
| 394 | } | | 394 | } |
| 395 | | | 395 | |
| 396 | teardown_tunnel() | | 396 | teardown_tunnel() |
| 397 | { | | 397 | { |
| 398 | export RUMP_SERVER=$SOCK1 | | 398 | export RUMP_SERVER=$SOCK1 |
| 399 | atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel | | 399 | atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel |
| 400 | atf_check -s exit:0 rump.ifconfig ipsec0 destroy | | 400 | atf_check -s exit:0 rump.ifconfig ipsec0 destroy |
| 401 | $HIJACKING setkey -F | | 401 | $HIJACKING setkey -F |
| 402 | | | 402 | |
| 403 | export RUMP_SERVER=$SOCK2 | | 403 | export RUMP_SERVER=$SOCK2 |
| 404 | atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel | | 404 | atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel |
| 405 | atf_check -s exit:0 rump.ifconfig ipsec0 destroy | | 405 | atf_check -s exit:0 rump.ifconfig ipsec0 destroy |
| 406 | $HIJACKING setkey -F | | 406 | $HIJACKING setkey -F |
| 407 | | | 407 | |
| 408 | unset RUMP_SERVER | | 408 | unset RUMP_SERVER |
| 409 | } | | 409 | } |
| 410 | | | 410 | |
| 411 | setup_dummy_if_ipsec() | | 411 | setup_dummy_if_ipsec() |
| 412 | { | | 412 | { |
| 413 | local sock=${1} | | 413 | local sock=${1} |
| 414 | local addr=${2} | | 414 | local addr=${2} |
| 415 | local remote=${3} | | 415 | local remote=${3} |
| 416 | local inner=${4} | | 416 | local inner=${4} |
| 417 | local src=${5} | | 417 | local src=${5} |
| 418 | local dst=${6} | | 418 | local dst=${6} |
| 419 | | | 419 | |
| 420 | export RUMP_SERVER=${sock} | | 420 | export RUMP_SERVER=${sock} |
| 421 | atf_check -s exit:0 rump.ifconfig ipsec1 create | | 421 | atf_check -s exit:0 rump.ifconfig ipsec1 create |
| 422 | atf_check -s exit:0 rump.ifconfig ipsec1 tunnel ${src} ${dst} | | 422 | atf_check -s exit:0 rump.ifconfig ipsec1 tunnel ${src} ${dst} |
| 423 | if [ ${inner} = "ipv6" ]; then | | 423 | if [ ${inner} = "ipv6" ]; then |
| 424 | atf_check -s exit:0 rump.ifconfig ipsec1 inet6 ${addr}/128 ${remote} | | 424 | atf_check -s exit:0 rump.ifconfig ipsec1 inet6 ${addr}/128 ${remote} |
| 425 | else | | 425 | else |
| 426 | atf_check -s exit:0 rump.ifconfig ipsec1 inet ${addr}/32 ${remote} | | 426 | atf_check -s exit:0 rump.ifconfig ipsec1 inet ${addr}/32 ${remote} |
| 427 | fi | | 427 | fi |
| 428 | | | 428 | |
| 429 | rump.ifconfig ipsec1 | | 429 | $DEBUG && rump.ifconfig ipsec1 |
| 430 | unset RUMP_SERVER | | 430 | unset RUMP_SERVER |
| 431 | } | | 431 | } |
| 432 | | | 432 | |
| 433 | setup_dummy_if_ipsec_sa() | | 433 | setup_dummy_if_ipsec_sa() |
| 434 | { | | 434 | { |
| 435 | local sock=${1} | | 435 | local sock=${1} |
| 436 | local src=${2} | | 436 | local src=${2} |
| 437 | local dst=${3} | | 437 | local dst=${3} |
| 438 | local mode=${4} | | 438 | local mode=${4} |
| 439 | local proto=${5} | | 439 | local proto=${5} |
| 440 | local algo=${6} | | 440 | local algo=${6} |
| 441 | local dir=${7} | | 441 | local dir=${7} |
| 442 | | | 442 | |
| 443 | local tmpfile=./tmp | | 443 | local tmpfile=./tmp |
| 444 | local inunique="" | | 444 | local inunique="" |
| 445 | local outunique="" | | 445 | local outunique="" |
| 446 | local inid="" | | 446 | local inid="" |
| 447 | local outid="" | | 447 | local outid="" |
| 448 | local algo_args="$(generate_algo_args $proto $algo)" | | 448 | local algo_args="$(generate_algo_args $proto $algo)" |
| 449 | | | 449 | |
| 450 | inunique=`get_if_ipsec_unique ${sock} ${dst} ${mode}` | | 450 | inunique=`get_if_ipsec_unique ${sock} ${dst} ${mode}` |
| 451 | atf_check -s exit:0 test "X$inunique" != "X" | | 451 | atf_check -s exit:0 test "X$inunique" != "X" |
| 452 | outunique=`get_if_ipsec_unique ${sock} ${src} ${mode}` | | 452 | outunique=`get_if_ipsec_unique ${sock} ${src} ${mode}` |
| 453 | atf_check -s exit:0 test "X$outunique" != "X" | | 453 | atf_check -s exit:0 test "X$outunique" != "X" |
| 454 | | | 454 | |
| 455 | if [ ${dir} = "1to2" ] ; then | | 455 | if [ ${dir} = "1to2" ] ; then |
| 456 | inid="20000" | | 456 | inid="20000" |
| 457 | outid="20001" | | 457 | outid="20001" |
| 458 | else | | 458 | else |
| 459 | inid="20001" | | 459 | inid="20001" |
| 460 | outid="20000" | | 460 | outid="20000" |
| 461 | fi | | 461 | fi |
| 462 | | | 462 | |
| 463 | cat > $tmpfile <<-EOF | | 463 | cat > $tmpfile <<-EOF |
| 464 | add $dst $src $proto $inid -u $inunique $algo_args; | | 464 | add $dst $src $proto $inid -u $inunique $algo_args; |
| 465 | add $src $dst $proto $outid -u $outunique $algo_args; | | 465 | add $src $dst $proto $outid -u $outunique $algo_args; |
| 466 | EOF | | 466 | EOF |
| 467 | $DEBUG && cat $tmpfile | | 467 | $DEBUG && cat $tmpfile |
| 468 | export RUMP_SERVER=$sock | | 468 | export RUMP_SERVER=$sock |
| 469 | atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile | | 469 | atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile |
| 470 | $DEBUG && $HIJACKING setkey -D | | 470 | $DEBUG && $HIJACKING setkey -D |
| 471 | $DEBUG && $HIJACKING setkey -DP | | 471 | $DEBUG && $HIJACKING setkey -DP |
| 472 | unset RUMP_SERVER | | 472 | unset RUMP_SERVER |
| 473 | } | | 473 | } |
| 474 | | | 474 | |
| 475 | setup_dummy_tunnel() | | 475 | setup_dummy_tunnel() |
| 476 | { | | 476 | { |
| 477 | local inner=${1} | | 477 | local inner=${1} |
| 478 | local outer=${2} | | 478 | local outer=${2} |
| 479 | local proto=${3} | | 479 | local proto=${3} |
| 480 | local algo=${4} | | 480 | local algo=${4} |
| 481 | | | 481 | |
| 482 | local addr="" | | 482 | local addr="" |
| 483 | local remote="" | | 483 | local remote="" |
| 484 | local src="" | | 484 | local src="" |
| 485 | local dst="" | | 485 | local dst="" |
| 486 | | | 486 | |
| 487 | if [ ${inner} = "ipv6" ]; then | | 487 | if [ ${inner} = "ipv6" ]; then |
| 488 | addr=$ROUTER1_IPSECIP6_DUMMY | | 488 | addr=$ROUTER1_IPSECIP6_DUMMY |
| 489 | remote=$ROUTER2_IPSECIP6_DUMMY | | 489 | remote=$ROUTER2_IPSECIP6_DUMMY |
| 490 | else | | 490 | else |
| 491 | addr=$ROUTER1_IPSECIP_DUMMY | | 491 | addr=$ROUTER1_IPSECIP_DUMMY |
| 492 | remote=$ROUTER2_IPSECIP_DUMMY | | 492 | remote=$ROUTER2_IPSECIP_DUMMY |
| 493 | fi | | 493 | fi |
| 494 | if [ ${outer} = "ipv6" ]; then | | 494 | if [ ${outer} = "ipv6" ]; then |
| 495 | src=$ROUTER1_WANIP6_DUMMY | | 495 | src=$ROUTER1_WANIP6_DUMMY |
| 496 | dst=$ROUTER2_WANIP6_DUMMY | | 496 | dst=$ROUTER2_WANIP6_DUMMY |
| 497 | else | | 497 | else |
| 498 | src=$ROUTER1_WANIP_DUMMY | | 498 | src=$ROUTER1_WANIP_DUMMY |
| 499 | dst=$ROUTER2_WANIP_DUMMY | | 499 | dst=$ROUTER2_WANIP_DUMMY |
| 500 | fi | | 500 | fi |
| 501 | setup_dummy_if_ipsec $SOCK1 ${addr} ${remote} ${inner} \ | | 501 | setup_dummy_if_ipsec $SOCK1 ${addr} ${remote} ${inner} \ |
| 502 | ${src} ${dst} ${proto} ${algo} "1to2" | | 502 | ${src} ${dst} ${proto} ${algo} "1to2" |
| 503 | setup_dummy_if_ipsec_sa $SOCK1 ${src} ${dst} ${inner} ${proto} ${algo} "1to2" | | 503 | setup_dummy_if_ipsec_sa $SOCK1 ${src} ${dst} ${inner} ${proto} ${algo} "1to2" |
| 504 | | | 504 | |
| 505 | if [ $inner = "ipv6" ]; then | | 505 | if [ $inner = "ipv6" ]; then |
| 506 | addr=$ROUTER2_IPSECIP6_DUMMY | | 506 | addr=$ROUTER2_IPSECIP6_DUMMY |
| 507 | remote=$ROUTER1_IPSECIP6_DUMMY | | 507 | remote=$ROUTER1_IPSECIP6_DUMMY |
| 508 | else | | 508 | else |
| 509 | addr=$ROUTER2_IPSECIP_DUMMY | | 509 | addr=$ROUTER2_IPSECIP_DUMMY |
| 510 | remote=$ROUTER1_IPSECIP_DUMMY | | 510 | remote=$ROUTER1_IPSECIP_DUMMY |
| 511 | fi | | 511 | fi |
| 512 | if [ $outer = "ipv6" ]; then | | 512 | if [ $outer = "ipv6" ]; then |
| 513 | src=$ROUTER2_WANIP6_DUMMY | | 513 | src=$ROUTER2_WANIP6_DUMMY |
| 514 | dst=$ROUTER1_WANIP6_DUMMY | | 514 | dst=$ROUTER1_WANIP6_DUMMY |
| 515 | else | | 515 | else |
| 516 | src=$ROUTER2_WANIP_DUMMY | | 516 | src=$ROUTER2_WANIP_DUMMY |
| 517 | dst=$ROUTER1_WANIP_DUMMY | | 517 | dst=$ROUTER1_WANIP_DUMMY |
| 518 | fi | | 518 | fi |
| 519 | setup_dummy_if_ipsec $SOCK2 ${addr} ${remote} ${inner} \ | | 519 | setup_dummy_if_ipsec $SOCK2 ${addr} ${remote} ${inner} \ |
| 520 | ${src} ${dst} ${proto} ${algo} "2to1" | | 520 | ${src} ${dst} ${proto} ${algo} "2to1" |
| 521 | setup_dummy_if_ipsec_sa $SOCK2 ${src} ${dst} ${inner} ${proto} ${algo} "2to1" | | 521 | setup_dummy_if_ipsec_sa $SOCK2 ${src} ${dst} ${inner} ${proto} ${algo} "2to1" |
| 522 | } | | 522 | } |
| 523 | | | 523 | |
| 524 | test_setup_dummy_tunnel() | | 524 | test_setup_dummy_tunnel() |
| 525 | { | | 525 | { |
| 526 | export RUMP_SERVER=$SOCK1 | | 526 | export RUMP_SERVER=$SOCK1 |
| 527 | atf_check -s exit:0 -o match:ipsec1 rump.ifconfig | | 527 | atf_check -s exit:0 -o match:ipsec1 rump.ifconfig |
| 528 | | | 528 | |
| 529 | export RUMP_SERVER=$SOCK2 | | 529 | export RUMP_SERVER=$SOCK2 |
| 530 | atf_check -s exit:0 -o match:ipsec1 rump.ifconfig | | 530 | atf_check -s exit:0 -o match:ipsec1 rump.ifconfig |
| 531 | | | 531 | |
| 532 | unset RUMP_SERVER | | 532 | unset RUMP_SERVER |
| 533 | } | | 533 | } |
| 534 | | | 534 | |
| 535 | teardown_dummy_tunnel() | | 535 | teardown_dummy_tunnel() |
| 536 | { | | 536 | { |
| 537 | export RUMP_SERVER=$SOCK1 | | 537 | export RUMP_SERVER=$SOCK1 |
| 538 | atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel | | 538 | atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel |
| 539 | atf_check -s exit:0 rump.ifconfig ipsec1 destroy | | 539 | atf_check -s exit:0 rump.ifconfig ipsec1 destroy |
| 540 | | | 540 | |
| 541 | export RUMP_SERVER=$SOCK2 | | 541 | export RUMP_SERVER=$SOCK2 |
| 542 | atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel | | 542 | atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel |
| 543 | atf_check -s exit:0 rump.ifconfig ipsec1 destroy | | 543 | atf_check -s exit:0 rump.ifconfig ipsec1 destroy |
| 544 | | | 544 | |
| 545 | unset RUMP_SERVER | | 545 | unset RUMP_SERVER |
| 546 | } | | 546 | } |
| 547 | | | 547 | |
| 548 | setup_recursive_if_ipsec() | | 548 | setup_recursive_if_ipsec() |
| 549 | { | | 549 | { |
| 550 | local sock=${1} | | 550 | local sock=${1} |
| 551 | local ipsec=${2} | | 551 | local ipsec=${2} |
| 552 | local addr=${3} | | 552 | local addr=${3} |
| 553 | local remote=${4} | | 553 | local remote=${4} |
| 554 | local inner=${5} | | 554 | local inner=${5} |
| 555 | local src=${6} | | 555 | local src=${6} |
| 556 | local dst=${7} | | 556 | local dst=${7} |
| 557 | local proto=${8} | | 557 | local proto=${8} |
| 558 | local algo=${9} | | 558 | local algo=${9} |
| 559 | local dir=${10} | | 559 | local dir=${10} |
| 560 | | | 560 | |
| 561 | export RUMP_SERVER=${sock} | | 561 | export RUMP_SERVER=${sock} |
| 562 | atf_check -s exit:0 rump.ifconfig ${ipsec} create | | 562 | atf_check -s exit:0 rump.ifconfig ${ipsec} create |
| 563 | atf_check -s exit:0 rump.ifconfig ${ipsec} tunnel ${src} ${dst} | | 563 | atf_check -s exit:0 rump.ifconfig ${ipsec} tunnel ${src} ${dst} |
| 564 | if [ ${inner} = "ipv6" ]; then | | 564 | if [ ${inner} = "ipv6" ]; then |
| 565 | atf_check -s exit:0 rump.ifconfig ${ipsec} inet6 ${addr}/128 ${remote} | | 565 | atf_check -s exit:0 rump.ifconfig ${ipsec} inet6 ${addr}/128 ${remote} |
| 566 | else | | 566 | else |
| 567 | atf_check -s exit:0 rump.ifconfig ${ipsec} inet ${addr}/32 ${remote} | | 567 | atf_check -s exit:0 rump.ifconfig ${ipsec} inet ${addr}/32 ${remote} |
| 568 | fi | | 568 | fi |
| 569 | setup_if_ipsec_sa $sock ${src} ${dst} ${inner} ${proto} ${algo} ${dir} | | 569 | setup_if_ipsec_sa $sock ${src} ${dst} ${inner} ${proto} ${algo} ${dir} |
| 570 | | | 570 | |
| 571 | export RUMP_SERVER=${sock} | | 571 | export RUMP_SERVER=${sock} |
| 572 | rump.ifconfig ${ipsec} | | 572 | $DEBUG && rump.ifconfig ${ipsec} |
| 573 | unset RUMP_SERVER | | 573 | unset RUMP_SERVER |
| 574 | } | | 574 | } |
| 575 | | | 575 | |
| 576 | # test in ROUTER1 only | | 576 | # test in ROUTER1 only |
| 577 | setup_recursive_tunnels() | | 577 | setup_recursive_tunnels() |
| 578 | { | | 578 | { |
| 579 | local mode=${1} | | 579 | local mode=${1} |
| 580 | local proto=${2} | | 580 | local proto=${2} |
| 581 | local algo=${3} | | 581 | local algo=${3} |
| 582 | | | 582 | |
| 583 | local addr="" | | 583 | local addr="" |
| 584 | local remote="" | | 584 | local remote="" |
| 585 | local src="" | | 585 | local src="" |
| 586 | local dst="" | | 586 | local dst="" |
| 587 | | | 587 | |
| 588 | if [ ${mode} = "ipv6" ]; then | | 588 | if [ ${mode} = "ipv6" ]; then |
| 589 | addr=$ROUTER1_IPSECIP6_RECURSIVE1 | | 589 | addr=$ROUTER1_IPSECIP6_RECURSIVE1 |
| 590 | remote=$ROUTER2_IPSECIP6_RECURSIVE1 | | 590 | remote=$ROUTER2_IPSECIP6_RECURSIVE1 |
| 591 | src=$ROUTER1_IPSECIP6 | | 591 | src=$ROUTER1_IPSECIP6 |
| 592 | dst=$ROUTER2_IPSECIP6 | | 592 | dst=$ROUTER2_IPSECIP6 |
| 593 | else | | 593 | else |
| 594 | addr=$ROUTER1_IPSECIP_RECURSIVE1 | | 594 | addr=$ROUTER1_IPSECIP_RECURSIVE1 |
| 595 | remote=$ROUTER2_IPSECIP_RECURSIVE1 | | 595 | remote=$ROUTER2_IPSECIP_RECURSIVE1 |
| 596 | src=$ROUTER1_IPSECIP | | 596 | src=$ROUTER1_IPSECIP |
| 597 | dst=$ROUTER2_IPSECIP | | 597 | dst=$ROUTER2_IPSECIP |
| 598 | fi | | 598 | fi |
| 599 | setup_recursive_if_ipsec $SOCK1 ipsec1 ${addr} ${remote} ${mode} \ | | 599 | setup_recursive_if_ipsec $SOCK1 ipsec1 ${addr} ${remote} ${mode} \ |
| 600 | ${src} ${dst} ${proto} ${algo} "1to2" | | 600 | ${src} ${dst} ${proto} ${algo} "1to2" |
| 601 | | | 601 | |
| 602 | if [ ${mode} = "ipv6" ]; then | | 602 | if [ ${mode} = "ipv6" ]; then |
| 603 | addr=$ROUTER1_IPSECIP6_RECURSIVE2 | | 603 | addr=$ROUTER1_IPSECIP6_RECURSIVE2 |
| 604 | remote=$ROUTER2_IPSECIP6_RECURSIVE2 | | 604 | remote=$ROUTER2_IPSECIP6_RECURSIVE2 |
| 605 | src=$ROUTER1_IPSECIP6_RECURSIVE1 | | 605 | src=$ROUTER1_IPSECIP6_RECURSIVE1 |
| 606 | dst=$ROUTER2_IPSECIP6_RECURSIVE1 | | 606 | dst=$ROUTER2_IPSECIP6_RECURSIVE1 |
| 607 | else | | 607 | else |
| 608 | addr=$ROUTER1_IPSECIP_RECURSIVE2 | | 608 | addr=$ROUTER1_IPSECIP_RECURSIVE2 |
| 609 | remote=$ROUTER2_IPSECIP_RECURSIVE2 | | 609 | remote=$ROUTER2_IPSECIP_RECURSIVE2 |
| 610 | src=$ROUTER1_IPSECIP_RECURSIVE1 | | 610 | src=$ROUTER1_IPSECIP_RECURSIVE1 |
| 611 | dst=$ROUTER2_IPSECIP_RECURSIVE1 | | 611 | dst=$ROUTER2_IPSECIP_RECURSIVE1 |
| 612 | fi | | 612 | fi |
| 613 | setup_recursive_if_ipsec $SOCK1 ipsec2 ${addr} ${remote} ${mode} \ | | 613 | setup_recursive_if_ipsec $SOCK1 ipsec2 ${addr} ${remote} ${mode} \ |
| 614 | ${src} ${dst} ${proto} ${algo} "1to2" | | 614 | ${src} ${dst} ${proto} ${algo} "1to2" |
| 615 | } | | 615 | } |
| 616 | | | 616 | |
| 617 | # test in router1 only | | 617 | # test in router1 only |
| 618 | test_recursive_check() | | 618 | test_recursive_check() |
| 619 | { | | 619 | { |
| 620 | local mode=$1 | | 620 | local mode=$1 |
| 621 | | | 621 | |
| 622 | export RUMP_SERVER=$SOCK1 | | 622 | export RUMP_SERVER=$SOCK1 |
| 623 | if [ ${mode} = "ipv6" ]; then | | 623 | if [ ${mode} = "ipv6" ]; then |
| 624 | atf_check -s not-exit:0 -o ignore -e ignore \ | | 624 | atf_check -s not-exit:0 -o ignore -e ignore \ |
| 625 | rump.ping6 -n -X $TIMEOUT -c 1 $ROUTER2_IPSECIP6_RECURSIVE2 | | 625 | rump.ping6 -n -X $TIMEOUT -c 1 $ROUTER2_IPSECIP6_RECURSIVE2 |
| 626 | else | | 626 | else |
| 627 | atf_check -s not-exit:0 -o ignore -e ignore \ | | 627 | atf_check -s not-exit:0 -o ignore -e ignore \ |
| 628 | rump.ping -n -w $TIMEOUT -c 1 $ROUTER2_IPSECIP_RECURSIVE2 | | 628 | rump.ping -n -w $TIMEOUT -c 1 $ROUTER2_IPSECIP_RECURSIVE2 |
| 629 | fi | | 629 | fi |
| 630 | | | 630 | |
| 631 | atf_check -o match:'ipsec0: recursively called too many times' \ | | 631 | atf_check -o match:'ipsec0: recursively called too many times' \ |
| 632 | -x "$HIJACKING dmesg" | | 632 | -x "$HIJACKING dmesg" |
| 633 | | | 633 | |
| 634 | $HIJACKING dmesg | | 634 | $HIJACKING dmesg |
| 635 | | | 635 | |
| 636 | unset RUMP_SERVER | | 636 | unset RUMP_SERVER |
| 637 | } | | 637 | } |
| 638 | | | 638 | |
| 639 | teardown_recursive_tunnels() | | 639 | teardown_recursive_tunnels() |
| 640 | { | | 640 | { |
| 641 | export RUMP_SERVER=$SOCK1 | | 641 | export RUMP_SERVER=$SOCK1 |
| 642 | atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel | | 642 | atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel |
| 643 | atf_check -s exit:0 rump.ifconfig ipsec1 destroy | | 643 | atf_check -s exit:0 rump.ifconfig ipsec1 destroy |
| 644 | atf_check -s exit:0 rump.ifconfig ipsec2 deletetunnel | | 644 | atf_check -s exit:0 rump.ifconfig ipsec2 deletetunnel |
| 645 | atf_check -s exit:0 rump.ifconfig ipsec2 destroy | | 645 | atf_check -s exit:0 rump.ifconfig ipsec2 destroy |
| 646 | unset RUMP_SERVER | | 646 | unset RUMP_SERVER |
| 647 | } | | 647 | } |
| 648 | | | 648 | |
| 649 | test_ping_failure() | | 649 | test_ping_failure() |
| 650 | { | | 650 | { |
| 651 | local mode=$1 | | 651 | local mode=$1 |
| 652 | | | 652 | |
| 653 | export RUMP_SERVER=$SOCK1 | | 653 | export RUMP_SERVER=$SOCK1 |
| 654 | if [ ${mode} = "ipv6" ]; then | | 654 | if [ ${mode} = "ipv6" ]; then |
| 655 | atf_check -s not-exit:0 -o ignore -e ignore \ | | 655 | atf_check -s not-exit:0 -o ignore -e ignore \ |
| 656 | rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER1_LANIP6 \ | | 656 | rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER1_LANIP6 \ |
| 657 | $ROUTER2_LANIP6 | | 657 | $ROUTER2_LANIP6 |
| 658 | else | | 658 | else |
| 659 | atf_check -s not-exit:0 -o ignore -e ignore \ | | 659 | atf_check -s not-exit:0 -o ignore -e ignore \ |
| 660 | rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \ | | 660 | rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \ |
| 661 | $ROUTER2_LANIP | | 661 | $ROUTER2_LANIP |
| 662 | fi | | 662 | fi |
| 663 | | | 663 | |
| 664 | export RUMP_SERVER=$SOCK2 | | 664 | export RUMP_SERVER=$SOCK2 |
| 665 | if [ ${mode} = "ipv6" ]; then | | 665 | if [ ${mode} = "ipv6" ]; then |
| 666 | atf_check -s not-exit:0 -o ignore -e ignore \ | | 666 | atf_check -s not-exit:0 -o ignore -e ignore \ |
| 667 | rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER2_LANIP6 \ | | 667 | rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER2_LANIP6 \ |
| 668 | $ROUTER1_LANIP6 | | 668 | $ROUTER1_LANIP6 |
| 669 | else | | 669 | else |
| 670 | atf_check -s not-exit:0 -o ignore -e ignore \ | | 670 | atf_check -s not-exit:0 -o ignore -e ignore \ |
| 671 | rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \ | | 671 | rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \ |
| 672 | $ROUTER2_LANIP | | 672 | $ROUTER2_LANIP |
| 673 | fi | | 673 | fi |
| 674 | | | 674 | |
| 675 | unset RUMP_SERVER | | 675 | unset RUMP_SERVER |
| 676 | } | | 676 | } |
| 677 | | | 677 | |
| 678 | test_ping_success() | | 678 | test_ping_success() |
| 679 | { | | 679 | { |
| 680 | mode=$1 | | 680 | mode=$1 |
| 681 | | | 681 | |
| 682 | export RUMP_SERVER=$SOCK1 | | 682 | export RUMP_SERVER=$SOCK1 |
| 683 | rump.ifconfig -v ipsec0 | | 683 | $DEBUG && rump.ifconfig -v ipsec0 |
| 684 | if [ ${mode} = "ipv6" ]; then | | 684 | if [ ${mode} = "ipv6" ]; then |
| 685 | # XXX | | 685 | # XXX |
| 686 | # rump.ping6 rarely fails with the message that | | 686 | # rump.ping6 rarely fails with the message that |
| 687 | # "failed to get receiving hop limit". | | 687 | # "failed to get receiving hop limit". |
| 688 | # This is a known issue being analyzed. | | 688 | # This is a known issue being analyzed. |
| 689 | atf_check -s exit:0 -o ignore \ | | 689 | atf_check -s exit:0 -o ignore \ |
| 690 | rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER1_LANIP6 \ | | 690 | rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER1_LANIP6 \ |
| 691 | $ROUTER2_LANIP6 | | 691 | $ROUTER2_LANIP6 |
| 692 | else | | 692 | else |
| 693 | atf_check -s exit:0 -o ignore \ | | 693 | atf_check -s exit:0 -o ignore \ |
| 694 | rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \ | | 694 | rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \ |
| 695 | $ROUTER2_LANIP | | 695 | $ROUTER2_LANIP |
| 696 | fi | | 696 | fi |
| 697 | rump.ifconfig -v ipsec0 | | 697 | $DEBUG && rump.ifconfig -v ipsec0 |
| 698 | | | 698 | |
| 699 | export RUMP_SERVER=$SOCK2 | | 699 | export RUMP_SERVER=$SOCK2 |
| 700 | rump.ifconfig -v ipsec0 | | 700 | $DEBUG && rump.ifconfig -v ipsec0 |
| 701 | if [ ${mode} = "ipv6" ]; then | | 701 | if [ ${mode} = "ipv6" ]; then |
| 702 | atf_check -s exit:0 -o ignore \ | | 702 | atf_check -s exit:0 -o ignore \ |
| 703 | rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER2_LANIP6 \ | | 703 | rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER2_LANIP6 \ |
| 704 | $ROUTER1_LANIP6 | | 704 | $ROUTER1_LANIP6 |
| 705 | else | | 705 | else |
| 706 | atf_check -s exit:0 -o ignore \ | | 706 | atf_check -s exit:0 -o ignore \ |
| 707 | rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \ | | 707 | rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \ |
| 708 | $ROUTER1_LANIP | | 708 | $ROUTER1_LANIP |
| 709 | fi | | 709 | fi |
| 710 | rump.ifconfig -v ipsec0 | | 710 | $DEBUG && rump.ifconfig -v ipsec0 |
| 711 | | | 711 | |
| 712 | unset RUMP_SERVER | | 712 | unset RUMP_SERVER |
| 713 | } | | 713 | } |
| 714 | | | 714 | |
| 715 | test_change_tunnel_duplicate() | | 715 | test_change_tunnel_duplicate() |
| 716 | { | | 716 | { |
| 717 | local mode=$1 | | 717 | local mode=$1 |
| 718 | | | 718 | |
| 719 | local newsrc="" | | 719 | local newsrc="" |
| 720 | local newdst="" | | 720 | local newdst="" |
| 721 | if [ ${mode} = "ipv6" ]; then | | 721 | if [ ${mode} = "ipv6" ]; then |
| 722 | newsrc=$ROUTER1_WANIP6_DUMMY | | 722 | newsrc=$ROUTER1_WANIP6_DUMMY |
| 723 | newdst=$ROUTER2_WANIP6_DUMMY | | 723 | newdst=$ROUTER2_WANIP6_DUMMY |
| 724 | else | | 724 | else |
| 725 | newsrc=$ROUTER1_WANIP_DUMMY | | 725 | newsrc=$ROUTER1_WANIP_DUMMY |
| 726 | newdst=$ROUTER2_WANIP_DUMMY | | 726 | newdst=$ROUTER2_WANIP_DUMMY |
| 727 | fi | | 727 | fi |
| 728 | export RUMP_SERVER=$SOCK1 | | 728 | export RUMP_SERVER=$SOCK1 |
| 729 | rump.ifconfig -v ipsec0 | | 729 | $DEBUG && rump.ifconfig -v ipsec0 |
| 730 | rump.ifconfig -v ipsec1 | | 730 | $DEBUG && rump.ifconfig -v ipsec1 |
| 731 | atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \ | | 731 | atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \ |
| 732 | rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst} | | 732 | rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst} |
| 733 | rump.ifconfig -v ipsec0 | | 733 | $DEBUG && rump.ifconfig -v ipsec0 |
| 734 | rump.ifconfig -v ipsec1 | | 734 | $DEBUG && rump.ifconfig -v ipsec1 |
| 735 | | | 735 | |
| 736 | if [ ${mode} = "ipv6" ]; then | | 736 | if [ ${mode} = "ipv6" ]; then |
| 737 | newsrc=$ROUTER2_WANIP6_DUMMY | | 737 | newsrc=$ROUTER2_WANIP6_DUMMY |
| 738 | newdst=$ROUTER1_WANIP6_DUMMY | | 738 | newdst=$ROUTER1_WANIP6_DUMMY |
| 739 | else | | 739 | else |
| 740 | newsrc=$ROUTER2_WANIP_DUMMY | | 740 | newsrc=$ROUTER2_WANIP_DUMMY |
| 741 | newdst=$ROUTER1_WANIP_DUMMY | | 741 | newdst=$ROUTER1_WANIP_DUMMY |
| 742 | fi | | 742 | fi |
| 743 | export RUMP_SERVER=$SOCK2 | | 743 | export RUMP_SERVER=$SOCK2 |
| 744 | rump.ifconfig -v ipsec0 | | 744 | $DEBUG && rump.ifconfig -v ipsec0 |
| 745 | rump.ifconfig -v ipsec1 | | 745 | $DEBUG && rump.ifconfig -v ipsec1 |
| 746 | atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \ | | 746 | atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \ |
| 747 | rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst} | | 747 | rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst} |
| 748 | rump.ifconfig -v ipsec0 | | 748 | $DEBUG && rump.ifconfig -v ipsec0 |
| 749 | rump.ifconfig -v ipsec1 | | 749 | $DEBUG && rump.ifconfig -v ipsec1 |
| 750 | | | 750 | |
| 751 | unset RUMP_SERVER | | 751 | unset RUMP_SERVER |
| 752 | } | | 752 | } |
| 753 | | | 753 | |
| 754 | test_change_tunnel_success() | | 754 | test_change_tunnel_success() |
| 755 | { | | 755 | { |
| 756 | local mode=$1 | | 756 | local mode=$1 |
| 757 | | | 757 | |
| 758 | local newsrc="" | | 758 | local newsrc="" |
| 759 | local newdst="" | | 759 | local newdst="" |
| 760 | if [ ${mode} = "ipv6" ]; then | | 760 | if [ ${mode} = "ipv6" ]; then |
| 761 | newsrc=$ROUTER1_WANIP6_DUMMY | | 761 | newsrc=$ROUTER1_WANIP6_DUMMY |
| 762 | newdst=$ROUTER2_WANIP6_DUMMY | | 762 | newdst=$ROUTER2_WANIP6_DUMMY |
| 763 | else | | 763 | else |
| 764 | newsrc=$ROUTER1_WANIP_DUMMY | | 764 | newsrc=$ROUTER1_WANIP_DUMMY |
| 765 | newdst=$ROUTER2_WANIP_DUMMY | | 765 | newdst=$ROUTER2_WANIP_DUMMY |
| 766 | fi | | 766 | fi |
| 767 | export RUMP_SERVER=$SOCK1 | | 767 | export RUMP_SERVER=$SOCK1 |
| 768 | rump.ifconfig -v ipsec0 | | 768 | $DEBUG && rump.ifconfig -v ipsec0 |
| 769 | atf_check -s exit:0 \ | | 769 | atf_check -s exit:0 \ |
| 770 | rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst} | | 770 | rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst} |
| 771 | rump.ifconfig -v ipsec0 | | 771 | $DEBUG && rump.ifconfig -v ipsec0 |
| 772 | | | 772 | |
| 773 | if [ ${mode} = "ipv6" ]; then | | 773 | if [ ${mode} = "ipv6" ]; then |
| 774 | newsrc=$ROUTER2_WANIP6_DUMMY | | 774 | newsrc=$ROUTER2_WANIP6_DUMMY |
| 775 | newdst=$ROUTER1_WANIP6_DUMMY | | 775 | newdst=$ROUTER1_WANIP6_DUMMY |
| 776 | else | | 776 | else |
| 777 | newsrc=$ROUTER2_WANIP_DUMMY | | 777 | newsrc=$ROUTER2_WANIP_DUMMY |
| 778 | newdst=$ROUTER1_WANIP_DUMMY | | 778 | newdst=$ROUTER1_WANIP_DUMMY |
| 779 | fi | | 779 | fi |
| 780 | export RUMP_SERVER=$SOCK2 | | 780 | export RUMP_SERVER=$SOCK2 |
| 781 | rump.ifconfig -v ipsec0 | | 781 | $DEBUG && rump.ifconfig -v ipsec0 |
| 782 | atf_check -s exit:0 \ | | 782 | atf_check -s exit:0 \ |
| 783 | rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst} | | 783 | rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst} |
| 784 | rump.ifconfig -v ipsec0 | | 784 | $DEBUG && rump.ifconfig -v ipsec0 |
| 785 | | | 785 | |
| 786 | unset RUMP_SERVER | | 786 | unset RUMP_SERVER |
| 787 | } | | 787 | } |
| 788 | | | 788 | |
| 789 | basic_setup() | | 789 | basic_setup() |
| 790 | { | | 790 | { |
| 791 | local inner=$1 | | 791 | local inner=$1 |
| 792 | local outer=$2 | | 792 | local outer=$2 |
| 793 | local proto=$3 | | 793 | local proto=$3 |
| 794 | local algo=$4 | | 794 | local algo=$4 |
| 795 | | | 795 | |
| 796 | setup ${inner} ${outer} | | 796 | setup ${inner} ${outer} |
| 797 | test_setup ${inner} ${outer} | | 797 | test_setup ${inner} ${outer} |
| 798 | | | 798 | |
| 799 | # Enable once PR kern/49219 is fixed | | 799 | # Enable once PR kern/49219 is fixed |
| 800 | #test_ping_failure | | 800 | #test_ping_failure |
| 801 | | | 801 | |
| 802 | setup_tunnel ${inner} ${outer} ${proto} ${algo} | | 802 | setup_tunnel ${inner} ${outer} ${proto} ${algo} |
| 803 | sleep 1 | | 803 | sleep 1 |
| 804 | test_setup_tunnel ${inner} | | 804 | test_setup_tunnel ${inner} |
| 805 | } | | 805 | } |
| 806 | | | 806 | |
| 807 | basic_test() | | 807 | basic_test() |
| 808 | { | | 808 | { |
| 809 | local inner=$1 | | 809 | local inner=$1 |
| 810 | local outer=$2 # not use | | 810 | local outer=$2 # not use |
| 811 | | | 811 | |
| 812 | test_ping_success ${inner} | | 812 | test_ping_success ${inner} |
| 813 | } | | 813 | } |
| 814 | | | 814 | |
| 815 | basic_teardown() | | 815 | basic_teardown() |
| 816 | { | | 816 | { |
| 817 | local inner=$1 | | 817 | local inner=$1 |
| 818 | local outer=$2 # not use | | 818 | local outer=$2 # not use |
| 819 | | | 819 | |
| 820 | teardown_tunnel | | 820 | teardown_tunnel |
| 821 | test_ping_failure ${inner} | | 821 | test_ping_failure ${inner} |
| 822 | } | | 822 | } |
| 823 | | | 823 | |
| 824 | ioctl_setup() | | 824 | ioctl_setup() |
| 825 | { | | 825 | { |
| 826 | local inner=$1 | | 826 | local inner=$1 |
| 827 | local outer=$2 | | 827 | local outer=$2 |
| 828 | local proto=$3 | | 828 | local proto=$3 |
| 829 | local algo=$4 | | 829 | local algo=$4 |
| 830 | | | 830 | |
| 831 | setup ${inner} ${outer} | | 831 | setup ${inner} ${outer} |
| 832 | test_setup ${inner} ${outer} | | 832 | test_setup ${inner} ${outer} |
| 833 | | | 833 | |
| 834 | # Enable once PR kern/49219 is fixed | | 834 | # Enable once PR kern/49219 is fixed |
| 835 | #test_ping_failure | | 835 | #test_ping_failure |
| 836 | | | 836 | |
| 837 | setup_tunnel ${inner} ${outer} ${proto} ${algo} | | 837 | setup_tunnel ${inner} ${outer} ${proto} ${algo} |
| 838 | setup_dummy_tunnel ${inner} ${outer} ${proto} ${algo} | | 838 | setup_dummy_tunnel ${inner} ${outer} ${proto} ${algo} |
| 839 | sleep 1 | | 839 | sleep 1 |
| 840 | test_setup_tunnel ${inner} | | 840 | test_setup_tunnel ${inner} |
| 841 | } | | 841 | } |
| 842 | | | 842 | |
| 843 | ioctl_test() | | 843 | ioctl_test() |
| 844 | { | | 844 | { |
| 845 | local inner=$1 | | 845 | local inner=$1 |
| 846 | local outer=$2 | | 846 | local outer=$2 |
| 847 | | | 847 | |
| 848 | test_ping_success ${inner} | | 848 | test_ping_success ${inner} |
| 849 | | | 849 | |
| 850 | test_change_tunnel_duplicate ${outer} | | 850 | test_change_tunnel_duplicate ${outer} |
| 851 | | | 851 | |
| 852 | teardown_dummy_tunnel | | 852 | teardown_dummy_tunnel |
| 853 | test_change_tunnel_success ${outer} | | 853 | test_change_tunnel_success ${outer} |
| 854 | } | | 854 | } |
| 855 | | | 855 | |
| 856 | ioctl_teardown() | | 856 | ioctl_teardown() |
| 857 | { | | 857 | { |
| 858 | local inner=$1 | | 858 | local inner=$1 |
| 859 | local outer=$2 # not use | | 859 | local outer=$2 # not use |
| 860 | | | 860 | |
| 861 | teardown_tunnel | | 861 | teardown_tunnel |
| 862 | test_ping_failure ${inner} | | 862 | test_ping_failure ${inner} |
| 863 | } | | 863 | } |
| 864 | | | 864 | |
| 865 | recursive_setup() | | 865 | recursive_setup() |
| 866 | { | | 866 | { |
| 867 | local inner=$1 | | 867 | local inner=$1 |
| 868 | local outer=$2 | | 868 | local outer=$2 |
| 869 | local proto=$3 | | 869 | local proto=$3 |
| 870 | local algo=$4 | | 870 | local algo=$4 |
| 871 | | | 871 | |
| 872 | setup ${inner} ${outer} | | 872 | setup ${inner} ${outer} |
| 873 | test_setup ${inner} ${outer} | | 873 | test_setup ${inner} ${outer} |
| 874 | | | 874 | |
| 875 | # Enable once PR kern/49219 is fixed | | 875 | # Enable once PR kern/49219 is fixed |
| 876 | #test_ping_failure | | 876 | #test_ping_failure |
| 877 | | | 877 | |
| 878 | setup_tunnel ${inner} ${outer} ${proto} ${algo} | | 878 | setup_tunnel ${inner} ${outer} ${proto} ${algo} |
| 879 | setup_recursive_tunnels ${inner} ${proto} ${algo} | | 879 | setup_recursive_tunnels ${inner} ${proto} ${algo} |
| 880 | sleep 1 | | 880 | sleep 1 |
| 881 | test_setup_tunnel ${inner} | | 881 | test_setup_tunnel ${inner} |
| 882 | } | | 882 | } |
| 883 | | | 883 | |
| 884 | recursive_test() | | 884 | recursive_test() |
| 885 | { | | 885 | { |
| 886 | local inner=$1 | | 886 | local inner=$1 |
| 887 | local outer=$2 # not use | | 887 | local outer=$2 # not use |
| 888 | | | 888 | |
| 889 | test_recursive_check ${inner} | | 889 | test_recursive_check ${inner} |
| 890 | } | | 890 | } |
| 891 | | | 891 | |
| 892 | recursive_teardown() | | 892 | recursive_teardown() |
| 893 | { | | 893 | { |
| 894 | local inner=$1 # not use | | 894 | local inner=$1 # not use |
| 895 | local outer=$2 # not use | | 895 | local outer=$2 # not use |
| 896 | | | 896 | |
| 897 | teardown_recursive_tunnels | | 897 | teardown_recursive_tunnels |
| 898 | teardown_tunnel | | 898 | teardown_tunnel |
| 899 | } | | 899 | } |
| 900 | | | 900 | |
| 901 | add_test() | | 901 | add_test() |
| 902 | { | | 902 | { |
| 903 | local category=$1 | | 903 | local category=$1 |
| 904 | local desc=$2 | | 904 | local desc=$2 |
| 905 | local inner=$3 | | 905 | local inner=$3 |
| 906 | local outer=$4 | | 906 | local outer=$4 |
| 907 | local proto=$5 | | 907 | local proto=$5 |
| 908 | local algo=$6 | | 908 | local algo=$6 |
| 909 | local _algo=$(echo $algo | sed 's/-//g') | | 909 | local _algo=$(echo $algo | sed 's/-//g') |
| 910 | | | 910 | |
| 911 | name="ipsecif_${category}_${inner}over${outer}_${proto}_${_algo}" | | 911 | name="ipsecif_${category}_${inner}over${outer}_${proto}_${_algo}" |
| 912 | fulldesc="Does ${inner} over ${outer} if_ipsec ${desc}" | | 912 | fulldesc="Does ${inner} over ${outer} if_ipsec ${desc}" |
| 913 | | | 913 | |
| 914 | atf_test_case ${name} cleanup | | 914 | atf_test_case ${name} cleanup |
| 915 | eval "${name}_head() { | | 915 | eval "${name}_head() { |
| 916 | atf_set descr \"${fulldesc}\" | | 916 | atf_set descr \"${fulldesc}\" |
| 917 | atf_set require.progs rump_server setkey | | 917 | atf_set require.progs rump_server setkey |
| 918 | } | | 918 | } |
| 919 | ${name}_body() { | | 919 | ${name}_body() { |
| 920 | ${category}_setup ${inner} ${outer} ${proto} ${algo} | | 920 | ${category}_setup ${inner} ${outer} ${proto} ${algo} |
| 921 | ${category}_test ${inner} ${outer} | | 921 | ${category}_test ${inner} ${outer} |
| 922 | ${category}_teardown ${inner} ${outer} | | 922 | ${category}_teardown ${inner} ${outer} |
| 923 | rump_server_destroy_ifaces | | 923 | rump_server_destroy_ifaces |
| 924 | } | | 924 | } |
| 925 | ${name}_cleanup() { | | 925 | ${name}_cleanup() { |
| 926 | \$DEBUG && dump | | 926 | \$DEBUG && dump |
| 927 | cleanup | | 927 | cleanup |
| 928 | }" | | 928 | }" |
| 929 | atf_add_test_case ${name} | | 929 | atf_add_test_case ${name} |
| 930 | } | | 930 | } |
| 931 | | | 931 | |
| 932 | add_test_allproto() | | 932 | add_test_allproto() |
| 933 | { | | 933 | { |
| 934 | local category=$1 | | 934 | local category=$1 |
| 935 | local desc=$2 | | 935 | local desc=$2 |
| 936 | | | 936 | |
| 937 | for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do | | 937 | for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do |
| 938 | add_test ${category} "${desc}" ipv4 ipv4 esp $algo | | 938 | add_test ${category} "${desc}" ipv4 ipv4 esp $algo |
| 939 | add_test ${category} "${desc}" ipv4 ipv6 esp $algo | | 939 | add_test ${category} "${desc}" ipv4 ipv6 esp $algo |
| 940 | add_test ${category} "${desc}" ipv6 ipv4 esp $algo | | 940 | add_test ${category} "${desc}" ipv6 ipv4 esp $algo |
| 941 | add_test ${category} "${desc}" ipv6 ipv6 esp $algo | | 941 | add_test ${category} "${desc}" ipv6 ipv6 esp $algo |
| 942 | done | | 942 | done |
| 943 | | | 943 | |
| 944 | # ah does not support yet | | 944 | # ah does not support yet |
| 945 | } | | 945 | } |
| 946 | | | 946 | |
| 947 | atf_init_test_cases() | | 947 | atf_init_test_cases() |
| 948 | { | | 948 | { |
| 949 | | | 949 | |
| 950 | atf_add_test_case ipsecif_create_destroy | | 950 | atf_add_test_case ipsecif_create_destroy |
| 951 | | | 951 | |
| 952 | add_test_allproto basic "basic tests" | | 952 | add_test_allproto basic "basic tests" |
| 953 | add_test_allproto ioctl "ioctl tests" | | 953 | add_test_allproto ioctl "ioctl tests" |
| 954 | add_test_allproto recursive "recursive check tests" | | 954 | add_test_allproto recursive "recursive check tests" |
| 955 | } | | 955 | } |