| @@ -1,441 +1,525 @@ | | | @@ -1,441 +1,525 @@ |
1 | # $NetBSD: t_ipsec_natt.sh,v 1.1 2018/12/25 03:54:44 knakahara Exp $ | | 1 | # $NetBSD: t_ipsec_natt.sh,v 1.2 2018/12/26 08:59:41 knakahara Exp $ |
2 | # | | 2 | # |
3 | # Copyright (c) 2018 Internet Initiative Japan Inc. | | 3 | # Copyright (c) 2018 Internet Initiative Japan Inc. |
4 | # All rights reserved. | | 4 | # All rights reserved. |
5 | # | | 5 | # |
6 | # Redistribution and use in source and binary forms, with or without | | 6 | # Redistribution and use in source and binary forms, with or without |
7 | # modification, are permitted provided that the following conditions | | 7 | # modification, are permitted provided that the following conditions |
8 | # are met: | | 8 | # are met: |
9 | # 1. Redistributions of source code must retain the above copyright | | 9 | # 1. Redistributions of source code must retain the above copyright |
10 | # notice, this list of conditions and the following disclaimer. | | 10 | # notice, this list of conditions and the following disclaimer. |
11 | # 2. Redistributions in binary form must reproduce the above copyright | | 11 | # 2. Redistributions in binary form must reproduce the above copyright |
12 | # notice, this list of conditions and the following disclaimer in the | | 12 | # notice, this list of conditions and the following disclaimer in the |
13 | # documentation and/or other materials provided with the distribution. | | 13 | # documentation and/or other materials provided with the distribution. |
14 | # | | 14 | # |
15 | # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS | | 15 | # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS |
16 | # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED | | 16 | # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED |
17 | # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | | 17 | # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
18 | # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS | | 18 | # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS |
19 | # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | | 19 | # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
20 | # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | | 20 | # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
21 | # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | | 21 | # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
22 | # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | | 22 | # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
23 | # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | | 23 | # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
24 | # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | | 24 | # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
25 | # POSSIBILITY OF SUCH DAMAGE. | | 25 | # POSSIBILITY OF SUCH DAMAGE. |
26 | # | | 26 | # |
27 | | | 27 | |
28 | SOCK_LOCAL=unix://ipsec_natt_local | | 28 | SOCK_LOCAL_A=unix://ipsec_natt_local_a |
| | | 29 | SOCK_LOCAL_B=unix://ipsec_natt_local_b |
29 | SOCK_NAT=unix://ipsec_natt_nat | | 30 | SOCK_NAT=unix://ipsec_natt_nat |
30 | SOCK_REMOTE=unix://ipsec_natt_remote | | 31 | SOCK_REMOTE=unix://ipsec_natt_remote |
31 | BUS_LOCAL=./bus_ipsec_natt_local | | 32 | BUS_LOCAL=./bus_ipsec_natt_local |
32 | BUS_NAT=./bus_ipsec_natt_nat | | 33 | BUS_NAT=./bus_ipsec_natt_nat |
33 | | | 34 | |
34 | DEBUG=${DEBUG:-false} | | 35 | DEBUG=${DEBUG:-false} |
35 | HIJACKING_NPF="${HIJACKING},blanket=/dev/npf" | | 36 | HIJACKING_NPF="${HIJACKING},blanket=/dev/npf" |
36 | | | 37 | |
37 | setup_servers() | | 38 | setup_servers() |
38 | { | | 39 | { |
39 | | | 40 | |
40 | rump_server_crypto_start $SOCK_LOCAL netipsec ipsec | | 41 | rump_server_crypto_start $SOCK_LOCAL_A netipsec ipsec |
| | | 42 | rump_server_crypto_start $SOCK_LOCAL_B netipsec ipsec |
41 | rump_server_npf_start $SOCK_NAT | | 43 | rump_server_npf_start $SOCK_NAT |
42 | rump_server_crypto_start $SOCK_REMOTE netipsec ipsec | | 44 | rump_server_crypto_start $SOCK_REMOTE netipsec ipsec |
43 | rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL | | 45 | rump_server_add_iface $SOCK_LOCAL_A shmif0 $BUS_LOCAL |
| | | 46 | rump_server_add_iface $SOCK_LOCAL_B shmif0 $BUS_LOCAL |
44 | rump_server_add_iface $SOCK_NAT shmif0 $BUS_LOCAL | | 47 | rump_server_add_iface $SOCK_NAT shmif0 $BUS_LOCAL |
45 | rump_server_add_iface $SOCK_NAT shmif1 $BUS_NAT | | 48 | rump_server_add_iface $SOCK_NAT shmif1 $BUS_NAT |
46 | rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_NAT | | 49 | rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_NAT |
47 | } | | 50 | } |
48 | | | 51 | |
49 | setup_ipsecif() | | 52 | setup_ipsecif() |
50 | { | | 53 | { |
51 | local sock=$1 | | 54 | local sock=$1 |
52 | local ifid=$2 | | 55 | local ifid=$2 |
53 | local src_ip=$3 | | 56 | local src_ip=$3 |
54 | local src_port=$4 | | 57 | local src_port=$4 |
55 | local dst_ip=$5 | | 58 | local dst_ip=$5 |
56 | local dst_port=$6 | | 59 | local dst_port=$6 |
57 | local ipsecif_ip=$7 | | 60 | local ipsecif_ip=$7 |
58 | local peer_ip=$8 | | 61 | local peer_ip=$8 |
59 | | | 62 | |
60 | export RUMP_SERVER=$sock | | 63 | export RUMP_SERVER=$sock |
61 | atf_check -s exit:0 rump.ifconfig ipsec$ifid create | | 64 | atf_check -s exit:0 rump.ifconfig ipsec$ifid create |
62 | atf_check -s exit:0 rump.ifconfig ipsec$ifid link0 # enable NAT-T | | 65 | atf_check -s exit:0 rump.ifconfig ipsec$ifid link0 # enable NAT-T |
63 | atf_check -s exit:0 rump.ifconfig ipsec$ifid tunnel ${src_ip},${src_port} ${dst_ip},${dst_port} | | 66 | atf_check -s exit:0 rump.ifconfig ipsec$ifid tunnel ${src_ip},${src_port} ${dst_ip},${dst_port} |
64 | atf_check -s exit:0 rump.ifconfig ipsec$ifid ${ipsecif_ip}/32 | | 67 | atf_check -s exit:0 rump.ifconfig ipsec$ifid ${ipsecif_ip}/32 |
65 | atf_check -s exit:0 -o ignore \ | | 68 | atf_check -s exit:0 -o ignore \ |
66 | rump.route -n add ${peer_ip}/32 $ipsecif_ip | | 69 | rump.route -n add ${peer_ip}/32 $ipsecif_ip |
67 | } | | 70 | } |
68 | | | 71 | |
69 | add_sa() | | 72 | add_sa() |
70 | { | | 73 | { |
71 | local sock=$1 | | 74 | local sock=$1 |
72 | local proto=$2 | | 75 | local proto=$2 |
73 | local algo_args="$3" | | 76 | local algo_args="$3" |
74 | local src_ip=$4 | | 77 | local src_ip=$4 |
75 | local src_port=$5 | | 78 | local src_port=$5 |
76 | local dst_ip=$6 | | 79 | local dst_ip=$6 |
77 | local dst_port=$7 | | 80 | local dst_port=$7 |
78 | local out_spi=$8 | | 81 | local out_spi=$8 |
79 | local in_spi=$9 | | 82 | local in_spi=$9 |
80 | local tmpfile=./tmp | | 83 | local tmpfile=./tmp |
81 | | | 84 | |
82 | export RUMP_SERVER=$sock | | 85 | export RUMP_SERVER=$sock |
83 | cat > $tmpfile <<-EOF | | 86 | cat > $tmpfile <<-EOF |
84 | add $src_ip [$src_port] $dst_ip [$dst_port] $proto $out_spi -m transport $algo_args; | | 87 | add $src_ip [$src_port] $dst_ip [$dst_port] $proto $out_spi -m transport $algo_args; |
85 | add $dst_ip [$dst_port] $src_ip [$src_port] $proto $in_spi -m transport $algo_args; | | 88 | add $dst_ip [$dst_port] $src_ip [$src_port] $proto $in_spi -m transport $algo_args; |
86 | EOF | | 89 | EOF |
87 | $DEBUG && cat $tmpfile | | 90 | $DEBUG && cat $tmpfile |
88 | atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile | | 91 | atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile |
89 | # XXX it can be expired if $lifetime is very short | | 92 | # XXX it can be expired if $lifetime is very short |
90 | #check_sa_entries $SOCK_LOCAL $ip_local $ip_remote | | 93 | #check_sa_entries $SOCK_LOCAL $ip_local $ip_remote |
91 | } | | 94 | } |
92 | | | 95 | |
93 | prepare_file() | | 96 | prepare_file() |
94 | { | | 97 | { |
95 | local file=$1 | | 98 | local file=$1 |
96 | local data="0123456789" | | 99 | local data="0123456789" |
97 | | | 100 | |
98 | touch $file | | 101 | touch $file |
99 | for i in `seq 1 512` | | 102 | for i in `seq 1 512` |
100 | do | | 103 | do |
101 | echo $data >> $file | | 104 | echo $data >> $file |
102 | done | | 105 | done |
103 | } | | 106 | } |
104 | | | 107 | |
105 | build_npf_conf() | | 108 | build_npf_conf() |
106 | { | | 109 | { |
107 | local outfile=$1 | | 110 | local outfile=$1 |
108 | local localnet=$2 | | 111 | local localnet=$2 |
109 | | | 112 | |
110 | cat > $outfile <<-EOF | | 113 | cat > $outfile <<-EOF |
111 | set bpf.jit off | | 114 | set bpf.jit off |
112 | \$int_if = inet4(shmif0) | | 115 | \$int_if = inet4(shmif0) |
113 | \$ext_if = inet4(shmif1) | | 116 | \$ext_if = inet4(shmif1) |
114 | \$localnet = { $localnet } | | 117 | \$localnet = { $localnet } |
115 | map \$ext_if dynamic \$localnet -> \$ext_if | | 118 | map \$ext_if dynamic \$localnet -> \$ext_if |
116 | group "external" on \$ext_if { | | 119 | group "external" on \$ext_if { |
117 | pass stateful out final all | | 120 | pass stateful out final all |
118 | } | | 121 | } |
119 | group "internal" on \$int_if { | | 122 | group "internal" on \$int_if { |
120 | block in all | | 123 | block in all |
121 | pass in final from \$localnet | | 124 | pass in final from \$localnet |
122 | pass out final all | | 125 | pass out final all |
123 | } | | 126 | } |
124 | group default { | | 127 | group default { |
125 | pass final on lo0 all | | 128 | pass final on lo0 all |
126 | block all | | 129 | block all |
127 | } | | 130 | } |
128 | EOF | | 131 | EOF |
129 | } | | 132 | } |
130 | | | 133 | |
131 | PIDSFILE=./terminator.pids | | 134 | PIDSFILE=./terminator.pids |
132 | start_natt_terminator() | | 135 | start_natt_terminator() |
133 | { | | 136 | { |
134 | local sock=$1 | | 137 | local sock=$1 |
135 | local ip=$2 | | 138 | local ip=$2 |
136 | local port=$3 | | 139 | local port=$3 |
137 | local pidsfile=$4 | | 140 | local pidsfile=$4 |
138 | local backup=$RUMP_SERVER | | 141 | local backup=$RUMP_SERVER |
139 | local pid= | | 142 | local pid= |
140 | local terminator="$(atf_get_srcdir)/../ipsec/natt_terminator" | | 143 | local terminator="$(atf_get_srcdir)/../ipsec/natt_terminator" |
141 | | | 144 | |
142 | export RUMP_SERVER=$sock | | 145 | export RUMP_SERVER=$sock |
143 | | | 146 | |
144 | env LD_PRELOAD=/usr/lib/librumphijack.so \ | | 147 | env LD_PRELOAD=/usr/lib/librumphijack.so \ |
145 | $terminator $ip $port & | | 148 | $terminator $ip $port & |
146 | pid=$! | | 149 | pid=$! |
147 | if [ ! -f $PIDSFILE ]; then | | 150 | if [ ! -f $PIDSFILE ]; then |
148 | touch $PIDSFILE | | 151 | touch $PIDSFILE |
149 | fi | | 152 | fi |
150 | echo $pid >> $PIDSFILE | | 153 | echo $pid >> $PIDSFILE |
151 | | | 154 | |
152 | $DEBUG && rump.netstat -a -f inet | | 155 | $DEBUG && rump.netstat -a -f inet |
153 | | | 156 | |
154 | export RUMP_SERVER=$backup | | 157 | export RUMP_SERVER=$backup |
155 | | | 158 | |
156 | sleep 1 | | 159 | sleep 1 |
157 | } | | 160 | } |
158 | | | 161 | |
159 | stop_natt_terminators() | | 162 | stop_natt_terminators() |
160 | { | | 163 | { |
161 | local pid= | | 164 | local pid= |
162 | | | 165 | |
163 | if [ ! -f $PIDSFILE ]; then | | 166 | if [ ! -f $PIDSFILE ]; then |
164 | return | | 167 | return |
165 | fi | | 168 | fi |
166 | | | 169 | |
167 | for pid in $(cat $PIDSFILE); do | | 170 | for pid in $(cat $PIDSFILE); do |
168 | kill -9 $pid | | 171 | kill -9 $pid |
169 | done | | 172 | done |
170 | rm -f $PIDSFILE | | 173 | rm -f $PIDSFILE |
171 | } | | 174 | } |
172 | | | 175 | |
173 | check_ping_packets() | | 176 | check_ping_packets() |
174 | { | | 177 | { |
175 | local sock=$1 | | 178 | local sock=$1 |
176 | local bus=$2 | | 179 | local bus=$2 |
177 | local from_ip=$3 | | 180 | local from_ip=$3 |
178 | local to_ip=$4 | | 181 | local to_ip=$4 |
179 | | | 182 | |
180 | local outfile=./out.ping | | 183 | local outfile=./out.ping |
181 | | | 184 | |
182 | extract_new_packets $bus > $outfile | | 185 | extract_new_packets $bus > $outfile |
183 | | | 186 | |
184 | export RUMP_SERVER=$sock | | 187 | export RUMP_SERVER=$sock |
185 | atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $to_ip | | 188 | atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $to_ip |
186 | | | 189 | |
187 | extract_new_packets $bus > $outfile | | 190 | extract_new_packets $bus > $outfile |
188 | $DEBUG && cat $outfile | | 191 | $DEBUG && cat $outfile |
189 | atf_check -s exit:0 \ | | 192 | atf_check -s exit:0 \ |
190 | -o match:"$from_ip > $to_ip: ICMP echo request" \ | | 193 | -o match:"$from_ip > $to_ip: ICMP echo request" \ |
191 | cat $outfile | | 194 | cat $outfile |
192 | atf_check -s exit:0 \ | | 195 | atf_check -s exit:0 \ |
193 | -o match:"$to_ip > $from_ip: ICMP echo reply" \ | | 196 | -o match:"$to_ip > $from_ip: ICMP echo reply" \ |
194 | cat $outfile | | 197 | cat $outfile |
195 | } | | 198 | } |
196 | | | 199 | |
197 | check_ping_packets_over_ipsecif() | | 200 | check_ping_packets_over_ipsecif() |
198 | { | | 201 | { |
199 | local sock=$1 | | 202 | local sock=$1 |
200 | local bus=$2 | | 203 | local bus=$2 |
201 | local to_ip=$3 | | 204 | local to_ip=$3 |
202 | local nat_from_ip=$4 | | 205 | local nat_from_ip=$4 |
203 | local nat_from_port=$5 | | 206 | local nat_from_port=$5 |
204 | local nat_to_ip=$6 | | 207 | local nat_to_ip=$6 |
205 | local nat_to_port=$7 | | 208 | local nat_to_port=$7 |
206 | | | 209 | |
207 | local outfile=./out.ping_over_ipsecif | | 210 | local outfile=./out.ping_over_ipsecif |
208 | | | 211 | |
209 | extract_new_packets $bus > $outfile | | 212 | extract_new_packets $bus > $outfile |
210 | | | 213 | |
211 | export RUMP_SERVER=$sock | | 214 | export RUMP_SERVER=$sock |
212 | atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 7 $to_ip | | 215 | atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 7 $to_ip |
213 | | | 216 | |
214 | # Check both ports and UDP encapsulation | | 217 | # Check both ports and UDP encapsulation |
215 | extract_new_packets $bus > $outfile | | 218 | extract_new_packets $bus > $outfile |
216 | $DEBUG && cat $outfile | | 219 | $DEBUG && cat $outfile |
217 | atf_check -s exit:0 \ | | 220 | atf_check -s exit:0 \ |
218 | -o match:"${nat_from_ip}\.$nat_from_port > ${nat_to_ip}\.${nat_to_port}: UDP-encap" \ | | 221 | -o match:"${nat_from_ip}\.$nat_from_port > ${nat_to_ip}\.${nat_to_port}: UDP-encap" \ |
219 | cat $outfile | | 222 | cat $outfile |
220 | atf_check -s exit:0 \ | | 223 | atf_check -s exit:0 \ |
221 | -o match:"${nat_to_ip}\.${nat_to_port} > ${nat_from_ip}\.${nat_from_port}: UDP-encap" \ | | 224 | -o match:"${nat_to_ip}\.${nat_to_port} > ${nat_from_ip}\.${nat_from_port}: UDP-encap" \ |
222 | cat $outfile | | 225 | cat $outfile |
223 | } | | 226 | } |
224 | | | 227 | |
225 | check_tcp_com_prepare() | | 228 | check_tcp_com_prepare() |
226 | { | | 229 | { |
227 | local server_sock=$1 | | 230 | local server_sock=$1 |
228 | local client_sock=$2 | | 231 | local client_sock=$2 |
229 | local bus=$3 | | 232 | local bus=$3 |
230 | local to_ip=$4 | | 233 | local to_ip=$4 |
231 | local nat_from_ip=$5 | | 234 | local nat_from_ip=$5 |
232 | local nat_to_ip=$6 | | 235 | local nat_to_ip=$6 |
233 | | | 236 | |
234 | local outfile=./out.prepare | | 237 | local outfile=./out.prepare |
235 | local file_send=./file.send.prepare | | 238 | local file_send=./file.send.prepare |
236 | local file_recv=./file.recv.prepare | | 239 | local file_recv=./file.recv.prepare |
237 | | | 240 | |
238 | extract_new_packets $bus > $outfile | | 241 | extract_new_packets $bus > $outfile |
239 | | | 242 | |
240 | start_nc_server $server_sock 4501 $file_recv ipv4 | | 243 | start_nc_server $server_sock 4501 $file_recv ipv4 |
241 | | | 244 | |
242 | prepare_file $file_send | | 245 | prepare_file $file_send |
243 | export RUMP_SERVER=$client_sock | | 246 | export RUMP_SERVER=$client_sock |
244 | atf_check -s exit:0 $HIJACKING nc -w 3 $to_ip 4501 < $file_send | | 247 | atf_check -s exit:0 $HIJACKING nc -w 3 $to_ip 4501 < $file_send |
245 | atf_check -s exit:0 diff -q $file_send $file_recv | | 248 | atf_check -s exit:0 diff -q $file_send $file_recv |
246 | extract_new_packets $bus > $outfile | | 249 | extract_new_packets $bus > $outfile |
247 | $DEBUG && cat $outfile | | 250 | $DEBUG && cat $outfile |
248 | atf_check -s exit:0 \ | | 251 | atf_check -s exit:0 \ |
249 | -o match:"${nat_from_ip}\.[0-9]+ > ${nat_to_ip}\.4501" \ | | 252 | -o match:"${nat_from_ip}\.[0-9]+ > ${nat_to_ip}\.4501" \ |
250 | cat $outfile | | 253 | cat $outfile |
251 | atf_check -s exit:0 \ | | 254 | atf_check -s exit:0 \ |
252 | -o match:"${nat_to_ip}\.4501 > ${nat_from_ip}\.[0-9]+" \ | | 255 | -o match:"${nat_to_ip}\.4501 > ${nat_from_ip}\.[0-9]+" \ |
253 | cat $outfile | | 256 | cat $outfile |
254 | | | 257 | |
255 | stop_nc_server | | 258 | stop_nc_server |
256 | } | | 259 | } |
257 | | | 260 | |
258 | check_tcp_com_over_ipsecif() | | 261 | check_tcp_com_over_ipsecif() |
259 | { | | 262 | { |
260 | local server_sock=$1 | | 263 | local server_sock=$1 |
261 | local client_sock=$2 | | 264 | local client_sock=$2 |
262 | local bus=$3 | | 265 | local bus=$3 |
263 | local to_ip=$4 | | 266 | local to_ip=$4 |
264 | local nat_from_ip=$5 | | 267 | local nat_from_ip=$5 |
265 | local nat_from_port=$6 | | 268 | local nat_from_port=$6 |
266 | local nat_to_ip=$7 | | 269 | local nat_to_ip=$7 |
267 | local nat_to_port=$8 | | 270 | local nat_to_port=$8 |
268 | | | 271 | |
269 | local outfile=./out.ipsecif | | 272 | local outfile=./out.ipsecif |
270 | local file_send=./file.send.ipsecif | | 273 | local file_send=./file.send.ipsecif |
271 | local file_recv=./file.recv.ipsecif | | 274 | local file_recv=./file.recv.ipsecif |
272 | | | 275 | |
273 | extract_new_packets $bus > $outfile | | 276 | extract_new_packets $bus > $outfile |
274 | | | 277 | |
275 | start_nc_server $server_sock 4501 $file_recv ipv4 | | 278 | start_nc_server $server_sock 4501 $file_recv ipv4 |
276 | prepare_file $file_send | | 279 | prepare_file $file_send |
277 | export RUMP_SERVER=$client_sock | | 280 | export RUMP_SERVER=$client_sock |
278 | atf_check -s exit:0 -o ignore $HIJACKING nc -w 7 $to_ip 4501 < $file_send | | 281 | atf_check -s exit:0 -o ignore $HIJACKING nc -w 7 $to_ip 4501 < $file_send |
279 | atf_check -s exit:0 diff -q $file_send $file_recv | | 282 | atf_check -s exit:0 diff -q $file_send $file_recv |
280 | stop_nc_server | | 283 | stop_nc_server |
281 | | | 284 | |
282 | # Check both ports and UDP encapsulation | | 285 | # Check both ports and UDP encapsulation |
283 | extract_new_packets $bus > $outfile | | 286 | extract_new_packets $bus > $outfile |
284 | $DEBUG && cat $outfile | | 287 | $DEBUG && cat $outfile |
285 | atf_check -s exit:0 \ | | 288 | atf_check -s exit:0 \ |
286 | -o match:"${nat_from_ip}\.$nat_from_port > ${nat_to_ip}\.${nat_to_port}: UDP-encap" \ | | 289 | -o match:"${nat_from_ip}\.$nat_from_port > ${nat_to_ip}\.${nat_to_port}: UDP-encap" \ |
287 | cat $outfile | | 290 | cat $outfile |
288 | atf_check -s exit:0 \ | | 291 | atf_check -s exit:0 \ |
289 | -o match:"${nat_to_ip}\.${nat_to_port} > ${nat_from_ip}\.${nat_from_port}: UDP-encap" \ | | 292 | -o match:"${nat_to_ip}\.${nat_to_port} > ${nat_from_ip}\.${nat_from_port}: UDP-encap" \ |
290 | cat $outfile | | 293 | cat $outfile |
291 | } | | 294 | } |
292 | | | 295 | |
293 | test_ipsecif_natt_transport() | | 296 | test_ipsecif_natt_transport() |
294 | { | | 297 | { |
295 | local algo=$1 | | 298 | local algo=$1 |
296 | local ip_local=192.168.0.2 | | 299 | local ip_local_a=192.168.0.2 |
| | | 300 | local ip_local_b=192.168.0.3 |
297 | local ip_nat_local=192.168.0.1 | | 301 | local ip_nat_local=192.168.0.1 |
298 | local ip_nat_remote=10.0.0.1 | | 302 | local ip_nat_remote=10.0.0.1 |
299 | local ip_remote=10.0.0.2 | | 303 | local ip_remote=10.0.0.2 |
300 | local subnet_local=192.168.0.0 | | 304 | local subnet_local=192.168.0.0 |
301 | local ip_local_ipsecif=172.16.100.1 | | 305 | local ip_local_ipsecif_a=172.16.100.1 |
302 | local ip_remote_ipsecif=172.16.10.1 | | 306 | local ip_local_ipsecif_b=172.16.110.1 |
| | | 307 | local ip_remote_ipsecif_a=172.16.10.1 |
| | | 308 | local ip_remote_ipsecif_b=172.16.11.1 |
303 | | | 309 | |
304 | local npffile=./npf.conf | | 310 | local npffile=./npf.conf |
305 | local file_send=./file.send | | 311 | local file_send=./file.send |
306 | local algo_args="$(generate_algo_args esp-udp $algo)" | | 312 | local algo_args="$(generate_algo_args esp-udp $algo)" |
307 | local pid= port= | | 313 | local pid= port_a= port_b= |
308 | | | 314 | |
309 | setup_servers | | 315 | setup_servers |
310 | | | 316 | |
311 | export RUMP_SERVER=$SOCK_LOCAL | | 317 | export RUMP_SERVER=$SOCK_LOCAL_A |
312 | atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 | | 318 | atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 |
313 | atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24 | | 319 | atf_check -s exit:0 rump.ifconfig shmif0 $ip_local_a/24 |
| | | 320 | atf_check -s exit:0 -o ignore \ |
| | | 321 | rump.route -n add default $ip_nat_local |
| | | 322 | |
| | | 323 | export RUMP_SERVER=$SOCK_LOCAL_B |
| | | 324 | atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 |
| | | 325 | atf_check -s exit:0 rump.ifconfig shmif0 $ip_local_b/24 |
314 | atf_check -s exit:0 -o ignore \ | | 326 | atf_check -s exit:0 -o ignore \ |
315 | rump.route -n add default $ip_nat_local | | 327 | rump.route -n add default $ip_nat_local |
316 | | | 328 | |
317 | export RUMP_SERVER=$SOCK_NAT | | 329 | export RUMP_SERVER=$SOCK_NAT |
318 | atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 | | 330 | atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 |
319 | atf_check -s exit:0 rump.ifconfig shmif0 $ip_nat_local/24 | | 331 | atf_check -s exit:0 rump.ifconfig shmif0 $ip_nat_local/24 |
320 | atf_check -s exit:0 rump.ifconfig shmif1 $ip_nat_remote/24 | | 332 | atf_check -s exit:0 rump.ifconfig shmif1 $ip_nat_remote/24 |
321 | atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1 | | 333 | atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1 |
322 | | | 334 | |
323 | export RUMP_SERVER=$SOCK_REMOTE | | 335 | export RUMP_SERVER=$SOCK_REMOTE |
324 | atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 | | 336 | atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 |
325 | atf_check -s exit:0 rump.ifconfig shmif0 $ip_remote/24 | | 337 | atf_check -s exit:0 rump.ifconfig shmif0 $ip_remote/24 |
326 | atf_check -s exit:0 -o ignore \ | | 338 | atf_check -s exit:0 -o ignore \ |
327 | rump.route -n add -net $subnet_local $ip_nat_remote | | 339 | rump.route -n add -net $subnet_local $ip_nat_remote |
328 | | | 340 | |
329 | # There is no NAT/NAPT. ping should just work. | | 341 | # There is no NAT/NAPT. ping should just work. |
330 | check_ping_packets $SOCK_LOCAL $BUS_NAT $ip_local $ip_remote | | 342 | check_ping_packets $SOCK_LOCAL_A $BUS_NAT $ip_local_a $ip_remote |
| | | 343 | check_ping_packets $SOCK_LOCAL_B $BUS_NAT $ip_local_b $ip_remote |
331 | | | 344 | |
332 | # Setup an NAPT with npf | | 345 | # Setup an NAPT with npf |
333 | build_npf_conf $npffile "$subnet_local/24" | | 346 | build_npf_conf $npffile "$subnet_local/24" |
334 | | | 347 | |
335 | export RUMP_SERVER=$SOCK_NAT | | 348 | export RUMP_SERVER=$SOCK_NAT |
336 | atf_check -s exit:0 $HIJACKING_NPF npfctl reload $npffile | | 349 | atf_check -s exit:0 $HIJACKING_NPF npfctl reload $npffile |
337 | atf_check -s exit:0 $HIJACKING_NPF npfctl start | | 350 | atf_check -s exit:0 $HIJACKING_NPF npfctl start |
338 | $DEBUG && ${HIJACKING},"blanket=/dev/npf" npfctl show | | 351 | $DEBUG && ${HIJACKING},"blanket=/dev/npf" npfctl show |
339 | | | 352 | |
340 | # There is an NAPT. ping works but source IP/port are translated | | 353 | # There is an NAPT. ping works but source IP/port are translated |
341 | check_ping_packets $SOCK_LOCAL $BUS_NAT $ip_nat_remote $ip_remote | | 354 | check_ping_packets $SOCK_LOCAL_A $BUS_NAT $ip_nat_remote $ip_remote |
| | | 355 | check_ping_packets $SOCK_LOCAL_B $BUS_NAT $ip_nat_remote $ip_remote |
342 | | | 356 | |
343 | # Try TCP communications just in case | | 357 | # Try TCP communications just in case |
344 | check_tcp_com_prepare $SOCK_REMOTE $SOCK_LOCAL $BUS_NAT \ | | 358 | check_tcp_com_prepare $SOCK_REMOTE $SOCK_LOCAL_A $BUS_NAT \ |
| | | 359 | $ip_remote $ip_nat_remote $ip_remote |
| | | 360 | check_tcp_com_prepare $SOCK_REMOTE $SOCK_LOCAL_B $BUS_NAT \ |
345 | $ip_remote $ip_nat_remote $ip_remote | | 361 | $ip_remote $ip_nat_remote $ip_remote |
346 | | | 362 | |
347 | # Launch a nc server as a terminator of NAT-T on outside the NAPT | | 363 | # Launch a nc server as a terminator of NAT-T on outside the NAPT |
348 | start_natt_terminator $SOCK_REMOTE $ip_remote 4500 | | 364 | start_natt_terminator $SOCK_REMOTE $ip_remote 4500 |
349 | echo zzz > $file_send | | 365 | echo zzz > $file_send |
350 | | | 366 | |
| | | 367 | #################### Test for primary ipsecif(4) NAT-T. |
| | | 368 | |
| | | 369 | export RUMP_SERVER=$SOCK_LOCAL_A |
| | | 370 | # Send a UDP packet to the remote server at port 4500 from the local |
| | | 371 | # host of port 4500. This makes a mapping on the NAPT between them |
| | | 372 | atf_check -s exit:0 $HIJACKING \ |
| | | 373 | nc -u -w 3 -p 4500 $ip_remote 4500 < $file_send |
| | | 374 | # Launch a nc server as a terminator of NAT-T on inside the NAPT, |
| | | 375 | # taking over port 4500 of the local host. |
| | | 376 | start_natt_terminator $SOCK_LOCAL_A $ip_local_a 4500 |
| | | 377 | |
| | | 378 | # We need to keep the servers for NAT-T |
| | | 379 | |
| | | 380 | export RUMP_SERVER=$SOCK_LOCAL_A |
| | | 381 | $DEBUG && rump.netstat -na -f inet |
| | | 382 | export RUMP_SERVER=$SOCK_REMOTE |
| | | 383 | $DEBUG && rump.netstat -na -f inet |
| | | 384 | |
| | | 385 | # Get a translated port number from 4500 on the NAPT |
| | | 386 | export RUMP_SERVER=$SOCK_NAT |
| | | 387 | $DEBUG && $HIJACKING_NPF npfctl list |
| | | 388 | # 192.168.0.2:4500 10.0.0.2:4500 via shmif1:65248 |
| | | 389 | port_a=$($HIJACKING_NPF npfctl list | grep $ip_local_a | awk -F 'shmif1:' '/4500/ {print $2;}') |
| | | 390 | $DEBUG && echo port_a=$port_a |
| | | 391 | if [ -z "$port_a" ]; then |
| | | 392 | atf_fail "Failed to get a traslated port on NAPT" |
| | | 393 | fi |
| | | 394 | |
| | | 395 | # Setup ESP-UDP ipsecif(4) for first client under NAPT |
| | | 396 | setup_ipsecif $SOCK_LOCAL_A 0 $ip_local_a 4500 $ip_remote 4500 \ |
| | | 397 | $ip_local_ipsecif_a $ip_remote_ipsecif_a |
| | | 398 | setup_ipsecif $SOCK_REMOTE 0 $ip_remote 4500 $ip_nat_remote $port_a \ |
| | | 399 | $ip_remote_ipsecif_a $ip_local_ipsecif_a |
| | | 400 | |
| | | 401 | add_sa $SOCK_LOCAL_A "esp-udp" "$algo_args" \ |
| | | 402 | $ip_local_a 4500 $ip_remote 4500 10000 10001 |
| | | 403 | add_sa $SOCK_REMOTE "esp-udp" "$algo_args" \ |
| | | 404 | $ip_remote 4500 $ip_nat_remote $port_a 10001 10000 |
| | | 405 | |
| | | 406 | export RUMP_SERVER=$SOCK_LOCAL_A |
| | | 407 | # ping should still work |
| | | 408 | atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote |
351 | | | 409 | |
352 | export RUMP_SERVER=$SOCK_LOCAL | | 410 | # Try ping over the ESP-UDP ipsecif(4) |
| | | 411 | check_ping_packets_over_ipsecif $SOCK_LOCAL_A $BUS_NAT \ |
| | | 412 | $ip_remote_ipsecif_a $ip_nat_remote $port_a $ip_remote 4500 |
| | | 413 | |
| | | 414 | # Try TCP communications over the ESP-UDP ipsecif(4) |
| | | 415 | check_tcp_com_over_ipsecif $SOCK_REMOTE $SOCK_LOCAL_A $BUS_NAT \ |
| | | 416 | $ip_remote_ipsecif_a $ip_nat_remote $port_a $ip_remote 4500 |
| | | 417 | |
| | | 418 | #################### Test for secondary ipsecif(4) NAT-T. |
| | | 419 | |
| | | 420 | export RUMP_SERVER=$SOCK_REMOTE |
| | | 421 | $HIJACKING setkey -D |
| | | 422 | $HIJACKING setkey -DP |
| | | 423 | |
| | | 424 | export RUMP_SERVER=$SOCK_LOCAL_B |
353 | # Send a UDP packet to the remote server at port 4500 from the local | | 425 | # Send a UDP packet to the remote server at port 4500 from the local |
354 | # host of port 4500. This makes a mapping on the NAPT between them | | 426 | # host of port 4500. This makes a mapping on the NAPT between them |
355 | atf_check -s exit:0 $HIJACKING \ | | 427 | atf_check -s exit:0 $HIJACKING \ |
356 | nc -u -w 3 -p 4500 $ip_remote 4500 < $file_send | | 428 | nc -u -w 3 -p 4500 $ip_remote 4500 < $file_send |
357 | # Launch a nc server as a terminator of NAT-T on inside the NAPT, | | 429 | # Launch a nc server as a terminator of NAT-T on inside the NAPT, |
358 | # taking over port 4500 of the local host. | | 430 | # taking over port 4500 of the local host. |
359 | start_natt_terminator $SOCK_LOCAL $ip_local 4500 | | 431 | start_natt_terminator $SOCK_LOCAL_B $ip_local_b 4500 |
360 | | | 432 | |
361 | # We need to keep the servers for NAT-T | | 433 | # We need to keep the servers for NAT-T |
362 | | | 434 | |
363 | export RUMP_SERVER=$SOCK_LOCAL | | 435 | export RUMP_SERVER=$SOCK_LOCAL_B |
364 | $DEBUG && rump.netstat -na -f inet | | 436 | $DEBUG && rump.netstat -na -f inet |
365 | export RUMP_SERVER=$SOCK_REMOTE | | 437 | export RUMP_SERVER=$SOCK_REMOTE |
366 | $DEBUG && rump.netstat -na -f inet | | 438 | $DEBUG && rump.netstat -na -f inet |
367 | | | 439 | |
368 | # Get a translated port number from 4500 on the NAPT | | 440 | # Get a translated port number from 4500 on the NAPT |
369 | export RUMP_SERVER=$SOCK_NAT | | 441 | export RUMP_SERVER=$SOCK_NAT |
370 | $DEBUG && $HIJACKING_NPF npfctl list | | 442 | $DEBUG && $HIJACKING_NPF npfctl list |
371 | # 192.168.0.2:4500 10.0.0.2:4500 via shmif1:65248 | | 443 | # 192.168.0.2:4500 10.0.0.2:4500 via shmif1:65248 |
372 | port=$($HIJACKING_NPF npfctl list | grep $ip_local | awk -F 'shmif1:' '/4500/ {print $2;}') | | 444 | port_b=$($HIJACKING_NPF npfctl list | grep $ip_local_b | awk -F 'shmif1:' '/4500/ {print $2;}') |
373 | $DEBUG && echo port=$port | | 445 | $DEBUG && echo port_b=$port_b |
374 | if [ -z "$port" ]; then | | 446 | if [ -z "$port_b" ]; then |
375 | atf_fail "Failed to get a traslated port on NAPT" | | 447 | atf_fail "Failed to get a traslated port on NAPT" |
376 | fi | | 448 | fi |
377 | | | 449 | |
378 | # Setup ESP-UDP ipsecif(4) for first client under NAPT | | 450 | # Setup ESP-UDP ipsecif(4) for first client under NAPT |
379 | setup_ipsecif $SOCK_LOCAL 0 $ip_local 4500 $ip_remote 4500 \ | | 451 | setup_ipsecif $SOCK_LOCAL_B 0 $ip_local_b 4500 $ip_remote 4500 \ |
380 | $ip_local_ipsecif $ip_remote_ipsecif | | 452 | $ip_local_ipsecif_b $ip_remote_ipsecif_b |
381 | setup_ipsecif $SOCK_REMOTE 0 $ip_remote 4500 $ip_nat_remote $port \ | | 453 | setup_ipsecif $SOCK_REMOTE 1 $ip_remote 4500 $ip_nat_remote $port_b \ |
382 | $ip_remote_ipsecif $ip_local_ipsecif | | 454 | $ip_remote_ipsecif_b $ip_local_ipsecif_b |
| | | 455 | |
| | | 456 | check_ping_packets_over_ipsecif $SOCK_LOCAL_A $BUS_NAT \ |
| | | 457 | $ip_remote_ipsecif_a $ip_nat_remote $port_a $ip_remote 4500 |
383 | | | 458 | |
384 | add_sa $SOCK_LOCAL "esp-udp" "$algo_args" \ | | 459 | add_sa $SOCK_LOCAL_B "esp-udp" "$algo_args" \ |
385 | $ip_local 4500 $ip_remote 4500 10000 10001 | | 460 | $ip_local_b 4500 $ip_remote 4500 11000 11001 |
386 | add_sa $SOCK_REMOTE "esp-udp" "$algo_args" \ | | 461 | add_sa $SOCK_REMOTE "esp-udp" "$algo_args" \ |
387 | $ip_remote 4500 $ip_nat_remote $port 10001 10000 | | 462 | $ip_remote 4500 $ip_nat_remote $port_b 11001 11000 |
388 | | | 463 | |
389 | export RUMP_SERVER=$SOCK_LOCAL | | 464 | export RUMP_SERVER=$SOCK_LOCAL_B |
390 | # ping should still work | | 465 | # ping should still work |
391 | atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote | | 466 | atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote |
392 | | | 467 | |
393 | # Try ping over the ESP-UDP ipsecif(4) | | 468 | # Try ping over the ESP-UDP ipsecif(4) |
394 | check_ping_packets_over_ipsecif $SOCK_LOCAL $BUS_NAT \ | | 469 | check_ping_packets_over_ipsecif $SOCK_LOCAL_B $BUS_NAT \ |
395 | $ip_remote_ipsecif $ip_nat_remote $port $ip_remote 4500 | | 470 | $ip_remote_ipsecif_b $ip_nat_remote $port_b $ip_remote 4500 |
| | | 471 | |
396 | | | 472 | |
397 | # Try TCP communications over the ESP-UDP ipsecif(4) | | 473 | # Try TCP communications over the ESP-UDP ipsecif(4) |
398 | check_tcp_com_over_ipsecif $SOCK_REMOTE $SOCK_LOCAL $BUS_NAT \ | | 474 | check_tcp_com_over_ipsecif $SOCK_REMOTE $SOCK_LOCAL_B $BUS_NAT \ |
399 | $ip_remote_ipsecif $ip_nat_remote $port $ip_remote 4500 | | 475 | $ip_remote_ipsecif_b $ip_nat_remote $port_b $ip_remote 4500 |
| | | 476 | |
| | | 477 | # Try ping over the ESP-UDP ipsecif(4) for primary again |
| | | 478 | check_ping_packets_over_ipsecif $SOCK_LOCAL_A $BUS_NAT \ |
| | | 479 | $ip_remote_ipsecif_a $ip_nat_remote $port_a $ip_remote 4500 |
| | | 480 | |
| | | 481 | # Try TCP communications over the ESP-UDP ipsecif(4) for primary again |
| | | 482 | check_tcp_com_over_ipsecif $SOCK_REMOTE $SOCK_LOCAL_A $BUS_NAT \ |
| | | 483 | $ip_remote_ipsecif_a $ip_nat_remote $port_a $ip_remote 4500 |
400 | | | 484 | |
401 | # Kill the NAT-T terminator | | 485 | # Kill the NAT-T terminator |
402 | stop_natt_terminators | | 486 | stop_natt_terminators |
403 | } | | 487 | } |
404 | | | 488 | |
405 | add_test_ipsecif_natt_transport() | | 489 | add_test_ipsecif_natt_transport() |
406 | { | | 490 | { |
407 | local algo=$1 | | 491 | local algo=$1 |
408 | local _algo=$(echo $algo | sed 's/-//g') | | 492 | local _algo=$(echo $algo | sed 's/-//g') |
409 | local name= desc= | | 493 | local name= desc= |
410 | | | 494 | |
411 | desc="Test ipsecif(4) NAT-T ($algo)" | | 495 | desc="Test ipsecif(4) NAT-T ($algo)" |
412 | name="ipsecif_natt_transport_${_algo}" | | 496 | name="ipsecif_natt_transport_${_algo}" |
413 | | | 497 | |
414 | atf_test_case ${name} cleanup | | 498 | atf_test_case ${name} cleanup |
415 | eval " | | 499 | eval " |
416 | ${name}_head() { | | 500 | ${name}_head() { |
417 | atf_set descr \"$desc\" | | 501 | atf_set descr \"$desc\" |
418 | atf_set require.progs rump_server setkey nc | | 502 | atf_set require.progs rump_server setkey nc |
419 | } | | 503 | } |
420 | ${name}_body() { | | 504 | ${name}_body() { |
421 | test_ipsecif_natt_transport $algo | | 505 | test_ipsecif_natt_transport $algo |
422 | rump_server_destroy_ifaces | | 506 | rump_server_destroy_ifaces |
423 | } | | 507 | } |
424 | ${name}_cleanup() { | | 508 | ${name}_cleanup() { |
425 | stop_nc_server | | 509 | stop_nc_server |
426 | stop_natt_terminators | | 510 | stop_natt_terminators |
427 | \$DEBUG && dump | | 511 | \$DEBUG && dump |
428 | cleanup | | 512 | cleanup |
429 | } | | 513 | } |
430 | " | | 514 | " |
431 | atf_add_test_case ${name} | | 515 | atf_add_test_case ${name} |
432 | } | | 516 | } |
433 | | | 517 | |
434 | atf_init_test_cases() | | 518 | atf_init_test_cases() |
435 | { | | 519 | { |
436 | local algo= | | 520 | local algo= |
437 | | | 521 | |
438 | for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do | | 522 | for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do |
439 | add_test_ipsecif_natt_transport $algo | | 523 | add_test_ipsecif_natt_transport $algo |
440 | done | | 524 | done |
441 | } | | 525 | } |
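Review bot: The two `$HIJACKING setkey -D` / `$HIJACKING setkey -DP` calls added on the remote before the secondary-client section (new lines 421-422) run unconditionally, whereas every other diagnostic in this file is gated on `$DEBUG &&` and every real step is wrapped in `atf_check`; as written they neither fail the test nor stay quiet, and `setkey -D` prints the SAD entries, which appear to include the configured key bytes, into the test log on every run. They look like a debugging leftover from developing the second-client path; if they are meant as diagnostics they should be `$DEBUG && $HIJACKING setkey -D` and `$DEBUG && $HIJACKING setkey -DP`, and if they are meant as a check they should be `atf_check`ed with an `-o match:` on the expected SA. A smaller related point: the NAPT port lookups (`grep $ip_local_a | awk -F 'shmif1:' '/4500/ ...`) are unanchored, so with two clients and earlier TCP state in the table a stray match would yield a multi-line `port_a`/`port_b` that the `-z` test does not catch; anchoring on the `$ip:4500 $ip_remote:4500` pair (per the format shown in the comment) and adding `exit` in the awk action would make the extraction deterministic.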