1#	$NetBSD: t_ipsec.sh,v 1.11 2020/08/05 01:10:50 knakahara Exp $
2#
3# Copyright (c) 2017 Internet Initiative Japan Inc.
4# All rights reserved.
5#
6# Redistribution and use in source and binary forms, with or without
7# modification, are permitted provided that the following conditions
8# are met:
9# 1. Redistributions of source code must retain the above copyright
10#    notice, this list of conditions and the following disclaimer.
11# 2. Redistributions in binary form must reproduce the above copyright
12#    notice, this list of conditions and the following disclaimer in the
13#    documentation and/or other materials provided with the distribution.
14#
15# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
16# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
17# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
18# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
19# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
20# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
21# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
22# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
23# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
24# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
25# POSSIBILITY OF SUCH DAMAGE.
26#
27
# Rump server control sockets, one per emulated router.
SOCK1=unix://commsock1	# ROUTER1
SOCK2=unix://commsock2	# ROUTER2

# ROUTER1 addresses.  LAN = shmif0 (bus0), WAN = shmif1 (bus1),
# IPSECIP = the ipsec0 tunnel endpoint.  The *_DUMMY values belong to the
# second (ipsec1) tunnel used by the ioctl tests, the *_RECURSIVE* values
# to the nested tunnels used by the recursion tests.
ROUTER1_LANIP=192.168.1.1
ROUTER1_LANNET=192.168.1.0/24
ROUTER1_WANIP=10.0.0.1
ROUTER1_IPSECIP=172.16.1.1
ROUTER1_WANIP_DUMMY=10.0.0.11
ROUTER1_IPSECIP_DUMMY=172.16.11.1
ROUTER1_IPSECIP_RECURSIVE1=172.16.101.1
ROUTER1_IPSECIP_RECURSIVE2=172.16.201.1
ROUTER1_LANIP6=fc00:1::1
ROUTER1_LANNET6=fc00:1::/64
ROUTER1_WANIP6=fc00::1
ROUTER1_IPSECIP6=fc00:3::1
ROUTER1_WANIP6_DUMMY=fc00::11
ROUTER1_IPSECIP6_DUMMY=fc00:13::1
ROUTER1_IPSECIP6_RECURSIVE1=fc00:103::1
ROUTER1_IPSECIP6_RECURSIVE2=fc00:203::1

# ROUTER2 addresses, same layout as ROUTER1.
ROUTER2_LANIP=192.168.2.1
ROUTER2_LANNET=192.168.2.0/24
ROUTER2_WANIP=10.0.0.2
ROUTER2_IPSECIP=172.16.2.1
ROUTER2_WANIP_DUMMY=10.0.0.12
ROUTER2_IPSECIP_DUMMY=172.16.12.1
ROUTER2_IPSECIP_RECURSIVE1=172.16.102.1
ROUTER2_IPSECIP_RECURSIVE2=172.16.202.1
ROUTER2_LANIP6=fc00:2::1
ROUTER2_LANNET6=fc00:2::/64
ROUTER2_WANIP6=fc00::2
ROUTER2_IPSECIP6=fc00:4::1
ROUTER2_WANIP6_DUMMY=fc00::12
ROUTER2_IPSECIP6_DUMMY=fc00:14::1
ROUTER2_IPSECIP6_RECURSIVE1=fc00:104::1
ROUTER2_IPSECIP6_RECURSIVE2=fc00:204::1

# DEBUG=true in the environment turns on extra state dumps; it is used as a
# command ("$DEBUG && ..."), so it must be "true" or "false".
DEBUG=${DEBUG:-false}
# Per-ping timeout in seconds (ping -w / ping6 -X).
TIMEOUT=7
66
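atf_test_case ipsecif_create_destroy cleanup
ipsecif_create_destroy_head()
{

	# The body creates/destroys ipsec0, not a gif interface; the old
	# description was copied from the gif tests.
	atf_set "descr" "Test creating/destroying ipsec interfaces"
	atf_set "require.progs" "rump_server"
}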
74
ipsecif_create_destroy_body()
{
	# One rump server with the ipsec(4) component is enough for the
	# shared create/destroy sequence; it is exercised on ipsec0.
	rump_server_start "$SOCK1" ipsec
	test_create_destroy_common "$SOCK1" ipsec0
}
82
ipsecif_create_destroy_cleanup()
{
	# Dump server state first when DEBUG=true, then tear everything down.
	if $DEBUG; then
		dump
	fi
	cleanup
}
89
#
# setup_router sock lan lan_mode wan wan_mode
#
# Attach shmif0 (bus0, LAN side) and shmif1 (bus1, WAN side) to the rump
# server at $sock and assign them $lan / $wan.  *_mode is "ipv6" or
# anything else for IPv4.
#
setup_router()
{
	local sock=$1
	local lan=$2
	local lan_mode=$3
	local wan=$4
	local wan_mode=$5

	rump_server_add_iface "$sock" shmif0 bus0
	rump_server_add_iface "$sock" shmif1 bus1

	export RUMP_SERVER=$sock

	# No DAD: the addresses must be usable as soon as they are assigned.
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0

	case "$lan_mode" in
	ipv6)
		atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$lan"
		;;
	*)
		atf_check -s exit:0 rump.ifconfig shmif0 inet "$lan" netmask 0xffffff00
		;;
	esac
	atf_check -s exit:0 rump.ifconfig shmif0 up
	if $DEBUG; then
		rump.ifconfig shmif0
	fi

	case "$wan_mode" in
	ipv6)
		atf_check -s exit:0 rump.ifconfig shmif1 inet6 "$wan"
		;;
	*)
		atf_check -s exit:0 rump.ifconfig shmif1 inet "$wan" netmask 0xff000000
		;;
	esac
	atf_check -s exit:0 rump.ifconfig shmif1 up
	# Wait (at most 10s) for the addresses to become ready.
	atf_check -s exit:0 rump.ifconfig -w 10
	if $DEBUG; then
		rump.ifconfig shmif1
	fi

	unset RUMP_SERVER
}
125
#
# test_router sock lan lan_mode wan wan_mode
#
# Verify that the router at $sock has both shmif interfaces and answers a
# single ping on its LAN and WAN addresses.
#
test_router()
{
	local sock=$1
	local lan=$2
	local lan_mode=$3
	local wan=$4
	local wan_mode=$5

	export RUMP_SERVER=$sock

	atf_check -s exit:0 -o match:shmif0 rump.ifconfig
	case "$lan_mode" in
	ipv6)
		atf_check -s exit:0 -o ignore rump.ping6 -n -c 1 -X "$TIMEOUT" "$lan"
		;;
	*)
		atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w "$TIMEOUT" "$lan"
		;;
	esac

	atf_check -s exit:0 -o match:shmif1 rump.ifconfig
	case "$wan_mode" in
	ipv6)
		atf_check -s exit:0 -o ignore rump.ping6 -n -c 1 -X "$TIMEOUT" "$wan"
		;;
	*)
		atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w "$TIMEOUT" "$wan"
		;;
	esac

	unset RUMP_SERVER
}
150
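#
# setup inner outer
#
# Start both rump servers with the IPsec stack and configure each as a
# router: LAN address family chosen by $inner, WAN address family by
# $outer ("ipv6" or anything else for IPv4).
#
setup()
{
	local inner=$1
	local outer=$2
	# These were globals before; test_setup already declares the same
	# names local, so keep both helpers consistent and avoid leaking them.
	local router1_lan=""
	local router1_lan_mode=""
	local router2_lan=""
	local router2_lan_mode=""

	rump_server_crypto_start "$SOCK1" netipsec netinet6 ipsec
	rump_server_crypto_start "$SOCK2" netipsec netinet6 ipsec

	if [ "$inner" = "ipv6" ]; then
		router1_lan=$ROUTER1_LANIP6
		router1_lan_mode="ipv6"
		router2_lan=$ROUTER2_LANIP6
		router2_lan_mode="ipv6"
	else
		router1_lan=$ROUTER1_LANIP
		router1_lan_mode="ipv4"
		router2_lan=$ROUTER2_LANIP
		router2_lan_mode="ipv4"
	fi

	if [ "$outer" = "ipv6" ]; then
		setup_router "$SOCK1" "$router1_lan" "$router1_lan_mode" \
			"$ROUTER1_WANIP6" ipv6
		setup_router "$SOCK2" "$router2_lan" "$router2_lan_mode" \
			"$ROUTER2_WANIP6" ipv6
	else
		setup_router "$SOCK1" "$router1_lan" "$router1_lan_mode" \
			"$ROUTER1_WANIP" ipv4
		setup_router "$SOCK2" "$router2_lan" "$router2_lan_mode" \
			"$ROUTER2_WANIP" ipv4
	fi
}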
187
#
# test_setup inner outer
#
# Check the result of setup(): same argument meaning, runs test_router
# against both routers.
#
test_setup()
{
	local inner=$1
	local outer=$2
	local lan1="" lan1_mode=""
	local lan2="" lan2_mode=""
	local wan1="" wan2="" wan_mode=""

	case "$inner" in
	ipv6)
		lan1=$ROUTER1_LANIP6; lan1_mode="ipv6"
		lan2=$ROUTER2_LANIP6; lan2_mode="ipv6"
		;;
	*)
		lan1=$ROUTER1_LANIP; lan1_mode="ipv4"
		lan2=$ROUTER2_LANIP; lan2_mode="ipv4"
		;;
	esac
	case "$outer" in
	ipv6)
		wan1=$ROUTER1_WANIP6; wan2=$ROUTER2_WANIP6; wan_mode="ipv6"
		;;
	*)
		wan1=$ROUTER1_WANIP; wan2=$ROUTER2_WANIP; wan_mode="ipv4"
		;;
	esac

	test_router "$SOCK1" "$lan1" "$lan1_mode" "$wan1" "$wan_mode"
	test_router "$SOCK2" "$lan2" "$lan2_mode" "$wan2" "$wan_mode"
}
220
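#
# get_if_ipsec_unique sock src proto
#
# Print the "unique#" policy identifier that setkey -DP reports for the
# policy whose line starts with $src and ends with "($proto)" on the rump
# server at $sock.  Prints an empty line when nothing matches; callers
# must check for that.
#
get_if_ipsec_unique()
{
	local sock=$1
	local src=$2
	local proto=$3
	local src_re=""
	local unique=""

	# $src is interpolated into a grep pattern, so escape its dots: an
	# unescaped "10.0.0.1" would also match "10x0y0z1".  Note the pattern
	# is still a prefix match ("^10.0.0.1" matches a "10.0.0.11" line too),
	# so callers rely on only one matching tunnel existing at lookup time.
	src_re=$(printf '%s' "$src" | sed 's/\./\\./g')

	# $HIJACKING is a command prefix that may be several words; leave it
	# unquoted on purpose.
	export RUMP_SERVER=$sock
	unique=$($HIJACKING setkey -DP | grep -A2 "^${src_re}.*(${proto})$" | grep unique | sed 's/.*unique#//')
	unset RUMP_SERVER

	printf '%s\n' "$unique"
}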
234
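#
# setup_if_ipsec sock addr remote inner src dst peernet
#
# Create ipsec0 on the rump server at $sock, bind it to the WAN endpoints
# $src -> $dst, give it the point-to-point address $addr/$remote (family
# chosen by $inner) and route $peernet over it.
#
setup_if_ipsec()
{
	local sock=$1
	local addr=$2
	local remote=$3
	local inner=$4
	local src=$5
	local dst=$6
	local peernet=$7

	export RUMP_SERVER=$sock
	rump_server_add_iface "$sock" ipsec0
	atf_check -s exit:0 rump.ifconfig ipsec0 tunnel "$src" "$dst"
	if [ "$inner" = "ipv6" ]; then
		atf_check -s exit:0 rump.ifconfig ipsec0 inet6 "${addr}/128" "$remote"
		atf_check -s exit:0 -o ignore rump.route add -inet6 "$peernet" "$addr"
	else
		atf_check -s exit:0 rump.ifconfig ipsec0 inet "${addr}/32" "$remote"
		atf_check -s exit:0 -o ignore rump.route add -inet "$peernet" "$addr"
	fi

	# Wait (at most 10s) for the tunnel address to become ready.
	atf_check -s exit:0 rump.ifconfig -w 10

	if $DEBUG; then
		rump.ifconfig ipsec0
		rump.route -nL show
	fi
	# Every other helper in this file clears RUMP_SERVER before returning;
	# do the same so callers never inherit a stale server by accident.
	unset RUMP_SERVER
}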
261
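#
# setup_if_ipsec_sa sock src dst mode proto algo dir
#
# Install the transport-mode SA pair for the ipsec0 tunnel $src <-> $dst on
# the rump server at $sock.  $mode ("ipv6"/"ipv4") selects which policy
# family the unique IDs are looked up for and which SPI pair is used;
# $proto/$algo are passed to generate_algo_args; $dir is "1to2" on
# ROUTER1 and anything else on ROUTER2 (the SPIs are swapped so that
# ROUTER1's outbound SA is ROUTER2's inbound one).
#
setup_if_ipsec_sa()
{
	local sock=$1
	local src=$2
	local dst=$3
	local mode=$4
	local proto=$5
	local algo=$6
	local dir=$7

	local tmpfile=""
	local inunique=""
	local outunique=""
	local inid=""
	local outid=""
	local swap=""
	local algo_args=""

	# Keep declaration and command substitution apart so a failing helper
	# is not hidden behind local's own exit status.
	algo_args=$(generate_algo_args "$proto" "$algo")

	inunique=$(get_if_ipsec_unique "$sock" "$dst" "$mode")
	atf_check -s exit:0 test "X$inunique" != "X"
	outunique=$(get_if_ipsec_unique "$sock" "$src" "$mode")
	atf_check -s exit:0 test "X$outunique" != "X"

	# SPI pairs: 1000x for IPv4, 1001x for IPv6.
	if [ "$mode" = "ipv6" ]; then
		inid="10010"
		outid="10011"
	else
		inid="10000"
		outid="10001"
	fi
	if [ "$dir" != "1to2" ]; then
		swap=$inid
		inid=$outid
		outid=$swap
	fi

	# Previously a fixed "./tmp" that was shared with the dummy helper and
	# never removed; use a private name and delete it once consumed.
	tmpfile=$(mktemp ./setkey.XXXXXX) || atf_fail "mktemp failed"
	cat > "$tmpfile" <<-EOF
	add $dst $src $proto $inid -u $inunique -m transport $algo_args;
	add $src $dst $proto $outid -u $outunique -m transport $algo_args;
	EOF
	if $DEBUG; then
		cat "$tmpfile"
	fi
	# $HIJACKING is a multi-word command prefix; leave it unquoted.
	export RUMP_SERVER=$sock
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	rm -f -- "$tmpfile"
	if $DEBUG; then
		$HIJACKING setkey -D
		$HIJACKING setkey -DP
	fi
	unset RUMP_SERVER
}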
313
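#
# setup_tunnel inner outer proto algo
#
# Build the ipsec0 tunnel between ROUTER1 and ROUTER2: $inner selects the
# tunnel/LAN address family, $outer the WAN endpoint family, $proto/$algo
# the SA parameters.
#
setup_tunnel()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	local addr=""
	local remote=""
	local src=""
	local dst=""
	local peernet=""

	# ROUTER1 side.
	if [ "$inner" = "ipv6" ]; then
		addr=$ROUTER1_IPSECIP6
		remote=$ROUTER2_IPSECIP6
		peernet=$ROUTER2_LANNET6
	else
		addr=$ROUTER1_IPSECIP
		remote=$ROUTER2_IPSECIP
		peernet=$ROUTER2_LANNET
	fi
	if [ "$outer" = "ipv6" ]; then
		src=$ROUTER1_WANIP6
		dst=$ROUTER2_WANIP6
	else
		src=$ROUTER1_WANIP
		dst=$ROUTER2_WANIP
	fi
	setup_if_ipsec "$SOCK1" "$addr" "$remote" "$inner" \
		     "$src" "$dst" "$peernet"

	# For IPv6 over IPv4 an extra SA pair keyed on the outer family is
	# installed before the one keyed on the inner family.
	if [ "$inner" = "ipv6" ] && [ "$outer" = "ipv4" ]; then
		setup_if_ipsec_sa "$SOCK1" "$src" "$dst" "$outer" "$proto" "$algo" "1to2"
	fi
	setup_if_ipsec_sa "$SOCK1" "$src" "$dst" "$inner" "$proto" "$algo" "1to2"

	# ROUTER2 side, mirrored.
	if [ "$inner" = "ipv6" ]; then
		addr=$ROUTER2_IPSECIP6
		remote=$ROUTER1_IPSECIP6
		peernet=$ROUTER1_LANNET6
	else
		addr=$ROUTER2_IPSECIP
		remote=$ROUTER1_IPSECIP
		peernet=$ROUTER1_LANNET
	fi
	if [ "$outer" = "ipv6" ]; then
		src=$ROUTER2_WANIP6
		dst=$ROUTER1_WANIP6
	else
		src=$ROUTER2_WANIP
		dst=$ROUTER1_WANIP
	fi
	# setup_if_ipsec takes seven arguments; the ROUTER2 call used to pass
	# proto/algo as well, which were silently ignored.
	setup_if_ipsec "$SOCK2" "$addr" "$remote" "$inner" \
		     "$src" "$dst" "$peernet"
	if [ "$inner" = "ipv6" ] && [ "$outer" = "ipv4" ]; then
		setup_if_ipsec_sa "$SOCK2" "$src" "$dst" "$outer" "$proto" "$algo" "2to1"
	fi
	setup_if_ipsec_sa "$SOCK2" "$src" "$dst" "$inner" "$proto" "$algo" "2to1"
}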
374
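#
# test_setup_tunnel mode
#
# Check that ipsec0 exists on both routers and that the route to the peer
# LAN (family chosen by $mode) goes through it.
#
test_setup_tunnel()
{
	local mode=$1

	local peernet=""
	local opt=""
	if [ "$mode" = "ipv6" ]; then
		peernet=$ROUTER2_LANNET6
		opt="-inet6"
	else
		peernet=$ROUTER2_LANNET
		opt="-inet"
	fi
	export RUMP_SERVER=$SOCK1
	atf_check -s exit:0 -o match:ipsec0 rump.ifconfig
	atf_check -s exit:0 -o match:ipsec0 rump.route -nL get "$opt" "$peernet"

	if [ "$mode" = "ipv6" ]; then
		peernet=$ROUTER1_LANNET6
		opt="-inet6"
	else
		peernet=$ROUTER1_LANNET
		opt="-inet"
	fi
	export RUMP_SERVER=$SOCK2
	atf_check -s exit:0 -o match:ipsec0 rump.ifconfig
	atf_check -s exit:0 -o match:ipsec0 rump.route -nL get "$opt" "$peernet"

	# Consistent with the other helpers: do not leave SOCK2 selected for
	# whatever runs next.
	unset RUMP_SERVER
}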
403
#
# teardown_tunnel
#
# Remove ipsec0 and flush the SAD on both routers.
#
teardown_tunnel()
{
	local sock=""

	for sock in "$SOCK1" "$SOCK2"; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel
		atf_check -s exit:0 rump.ifconfig ipsec0 destroy
		# Best-effort flush; its status is deliberately not checked.
		$HIJACKING setkey -F
	done

	unset RUMP_SERVER
}
418
#
# setup_dummy_if_ipsec sock addr remote inner src dst
#
# Like setup_if_ipsec but for the second interface, ipsec1, and without a
# route to the peer LAN.  Extra arguments are ignored.
#
setup_dummy_if_ipsec()
{
	local sock=$1
	local addr=$2
	local remote=$3
	local inner=$4
	local src=$5
	local dst=$6

	export RUMP_SERVER=$sock
	rump_server_add_iface "$sock" ipsec1
	atf_check -s exit:0 rump.ifconfig ipsec1 tunnel "$src" "$dst"
	case "$inner" in
	ipv6)
		atf_check -s exit:0 rump.ifconfig ipsec1 inet6 "${addr}/128" "$remote"
		;;
	*)
		atf_check -s exit:0 rump.ifconfig ipsec1 inet "${addr}/32" "$remote"
		;;
	esac
	# Wait (at most 10s) for the tunnel address to become ready.
	atf_check -s exit:0 rump.ifconfig -w 10

	if $DEBUG; then
		rump.ifconfig ipsec1
	fi
	unset RUMP_SERVER
}
441
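#
# setup_dummy_if_ipsec_sa sock src dst mode proto algo dir
#
# Install the SA pair for the dummy (ipsec1) tunnel $src <-> $dst on the
# rump server at $sock.  $mode selects the policy family for the unique ID
# lookup; $proto/$algo go to generate_algo_args; $dir is "1to2" on ROUTER1,
# anything else on ROUTER2 (SPIs swapped).  Unlike setup_if_ipsec_sa these
# SAs are not transport mode and use the 2000x SPI pair.
#
setup_dummy_if_ipsec_sa()
{
	local sock=$1
	local src=$2
	local dst=$3
	local mode=$4
	local proto=$5
	local algo=$6
	local dir=$7

	local tmpfile=""
	local inunique=""
	local outunique=""
	local inid=""
	local outid=""
	local algo_args=""

	# Declaration and command substitution kept apart so the helper's
	# exit status is not masked by local.
	algo_args=$(generate_algo_args "$proto" "$algo")

	inunique=$(get_if_ipsec_unique "$sock" "$dst" "$mode")
	atf_check -s exit:0 test "X$inunique" != "X"
	outunique=$(get_if_ipsec_unique "$sock" "$src" "$mode")
	atf_check -s exit:0 test "X$outunique" != "X"

	if [ "$dir" = "1to2" ]; then
		inid="20000"
		outid="20001"
	else
		inid="20001"
		outid="20000"
	fi

	# Previously a fixed "./tmp" shared with setup_if_ipsec_sa and never
	# removed; the heredoc lines also carried leading spaces that <<- does
	# not strip.  Use a private file and plain tab indentation.
	tmpfile=$(mktemp ./setkey.XXXXXX) || atf_fail "mktemp failed"
	cat > "$tmpfile" <<-EOF
	add $dst $src $proto $inid -u $inunique $algo_args;
	add $src $dst $proto $outid -u $outunique $algo_args;
	EOF
	if $DEBUG; then
		cat "$tmpfile"
	fi
	# $HIJACKING is a multi-word command prefix; leave it unquoted.
	export RUMP_SERVER=$sock
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	rm -f -- "$tmpfile"
	if $DEBUG; then
		$HIJACKING setkey -D
		$HIJACKING setkey -DP
	fi
	unset RUMP_SERVER
}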
483
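#
# setup_dummy_tunnel inner outer proto algo
#
# Build a second tunnel (ipsec1) between the routers on the *_DUMMY
# addresses; used by the ioctl tests to provoke a duplicate-tunnel error.
#
setup_dummy_tunnel()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	local addr=""
	local remote=""
	local src=""
	local dst=""

	# ROUTER1 side.
	if [ "$inner" = "ipv6" ]; then
		addr=$ROUTER1_IPSECIP6_DUMMY
		remote=$ROUTER2_IPSECIP6_DUMMY
	else
		addr=$ROUTER1_IPSECIP_DUMMY
		remote=$ROUTER2_IPSECIP_DUMMY
	fi
	if [ "$outer" = "ipv6" ]; then
		src=$ROUTER1_WANIP6_DUMMY
		dst=$ROUTER2_WANIP6_DUMMY
	else
		src=$ROUTER1_WANIP_DUMMY
		dst=$ROUTER2_WANIP_DUMMY
	fi
	# setup_dummy_if_ipsec takes six arguments; the proto/algo/dir that
	# used to be appended here were ignored.
	setup_dummy_if_ipsec "$SOCK1" "$addr" "$remote" "$inner" "$src" "$dst"
	setup_dummy_if_ipsec_sa "$SOCK1" "$src" "$dst" "$inner" "$proto" "$algo" "1to2"

	# ROUTER2 side, mirrored.
	if [ "$inner" = "ipv6" ]; then
		addr=$ROUTER2_IPSECIP6_DUMMY
		remote=$ROUTER1_IPSECIP6_DUMMY
	else
		addr=$ROUTER2_IPSECIP_DUMMY
		remote=$ROUTER1_IPSECIP_DUMMY
	fi
	if [ "$outer" = "ipv6" ]; then
		src=$ROUTER2_WANIP6_DUMMY
		dst=$ROUTER1_WANIP6_DUMMY
	else
		src=$ROUTER2_WANIP_DUMMY
		dst=$ROUTER1_WANIP_DUMMY
	fi
	setup_dummy_if_ipsec "$SOCK2" "$addr" "$remote" "$inner" "$src" "$dst"
	setup_dummy_if_ipsec_sa "$SOCK2" "$src" "$dst" "$inner" "$proto" "$algo" "2to1"
}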
532
#
# test_setup_dummy_tunnel
#
# Check that ipsec1 exists on both routers.
#
test_setup_dummy_tunnel()
{
	local sock=""

	for sock in "$SOCK1" "$SOCK2"; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 -o match:ipsec1 rump.ifconfig
	done

	unset RUMP_SERVER
}
543
#
# teardown_dummy_tunnel
#
# Remove ipsec1 on both routers.  The SAs are left to teardown_tunnel's
# flush.
#
teardown_dummy_tunnel()
{
	local sock=""

	for sock in "$SOCK1" "$SOCK2"; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel
		atf_check -s exit:0 rump.ifconfig ipsec1 destroy
	done

	unset RUMP_SERVER
}
556
#
# setup_recursive_if_ipsec sock ipsec addr remote inner src dst proto algo dir
#
# Create interface $ipsec on the rump server at $sock, tunnelled over
# $src -> $dst (which for the recursion tests are themselves tunnel
# addresses), with address $addr/$remote, and install its SA pair.
#
setup_recursive_if_ipsec()
{
	local sock=$1
	local ipsec=$2
	local addr=$3
	local remote=$4
	local inner=$5
	local src=$6
	local dst=$7
	local proto=$8
	local algo=$9
	local dir=${10}

	export RUMP_SERVER=$sock
	rump_server_add_iface "$sock" "$ipsec"
	atf_check -s exit:0 rump.ifconfig "$ipsec" tunnel "$src" "$dst"
	case "$inner" in
	ipv6)
		atf_check -s exit:0 rump.ifconfig "$ipsec" inet6 "${addr}/128" "$remote"
		;;
	*)
		atf_check -s exit:0 rump.ifconfig "$ipsec" inet "${addr}/32" "$remote"
		;;
	esac
	# Wait (at most 10s) for the address to become ready.
	atf_check -s exit:0 rump.ifconfig -w 10
	# setup_if_ipsec_sa clears RUMP_SERVER on return.
	setup_if_ipsec_sa "$sock" "$src" "$dst" "$inner" "$proto" "$algo" "$dir"

	export RUMP_SERVER=$sock
	if $DEBUG; then
		rump.ifconfig "$ipsec"
	fi
	unset RUMP_SERVER
}
585
#
# setup_recursive_tunnels mode proto algo
#
# ROUTER1 only: stack ipsec1 on top of ipsec0's addresses and ipsec2 on top
# of ipsec1's, so that traffic to the innermost peer recurses through the
# tunnels.
#
setup_recursive_tunnels()
{
	local mode=$1
	local proto=$2
	local algo=$3

	local addr=""
	local remote=""
	local src=""
	local dst=""

	# ipsec1: endpoints are the ipsec0 tunnel addresses.
	case "$mode" in
	ipv6)
		addr=$ROUTER1_IPSECIP6_RECURSIVE1
		remote=$ROUTER2_IPSECIP6_RECURSIVE1
		src=$ROUTER1_IPSECIP6
		dst=$ROUTER2_IPSECIP6
		;;
	*)
		addr=$ROUTER1_IPSECIP_RECURSIVE1
		remote=$ROUTER2_IPSECIP_RECURSIVE1
		src=$ROUTER1_IPSECIP
		dst=$ROUTER2_IPSECIP
		;;
	esac
	setup_recursive_if_ipsec "$SOCK1" ipsec1 "$addr" "$remote" "$mode" \
		      "$src" "$dst" "$proto" "$algo" "1to2"

	# ipsec2: endpoints are the ipsec1 tunnel addresses.
	case "$mode" in
	ipv6)
		addr=$ROUTER1_IPSECIP6_RECURSIVE2
		remote=$ROUTER2_IPSECIP6_RECURSIVE2
		src=$ROUTER1_IPSECIP6_RECURSIVE1
		dst=$ROUTER2_IPSECIP6_RECURSIVE1
		;;
	*)
		addr=$ROUTER1_IPSECIP_RECURSIVE2
		remote=$ROUTER2_IPSECIP_RECURSIVE2
		src=$ROUTER1_IPSECIP_RECURSIVE1
		dst=$ROUTER2_IPSECIP_RECURSIVE1
		;;
	esac
	setup_recursive_if_ipsec "$SOCK1" ipsec2 "$addr" "$remote" "$mode" \
		      "$src" "$dst" "$proto" "$algo" "1to2"
}
626
#
# test_recursive_check mode
#
# ROUTER1 only: a ping to the innermost recursive peer must fail, and the
# kernel must have logged that ipsec0 detected the recursion.
#
test_recursive_check()
{
	local mode=$1

	export RUMP_SERVER=$SOCK1
	case "$mode" in
	ipv6)
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping6 -n -X "$TIMEOUT" -c 1 "$ROUTER2_IPSECIP6_RECURSIVE2"
		;;
	*)
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping -n -w "$TIMEOUT" -c 1 "$ROUTER2_IPSECIP_RECURSIVE2"
		;;
	esac

	# -x runs the string through the shell so the $HIJACKING prefix applies.
	atf_check -o match:'ipsec0: recursively called too many times' \
		-x "$HIJACKING dmesg"

	# Unconditional dump of the kernel log into the test output.
	$HIJACKING dmesg

	unset RUMP_SERVER
}
648
#
# teardown_recursive_tunnels
#
# Remove ipsec1 and ipsec2 on ROUTER1 (reverse of setup_recursive_tunnels).
#
teardown_recursive_tunnels()
{
	local ifname=""

	export RUMP_SERVER=$SOCK1
	for ifname in ipsec1 ipsec2; do
		atf_check -s exit:0 rump.ifconfig "$ifname" deletetunnel
		atf_check -s exit:0 rump.ifconfig "$ifname" destroy
	done
	unset RUMP_SERVER
}
658
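#
# test_ping_failure mode
#
# From each router, ping the other router's LAN address sourced from its
# own LAN address; both must fail (no tunnel between the LANs).
#
test_ping_failure()
{
	local mode=$1

	export RUMP_SERVER=$SOCK1
	if [ "$mode" = "ipv6" ]; then
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping6 -n -X "$TIMEOUT" -c 1 -S "$ROUTER1_LANIP6" \
			"$ROUTER2_LANIP6"
	else
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping -n -w "$TIMEOUT" -c 1 -I "$ROUTER1_LANIP" \
			"$ROUTER2_LANIP"
	fi

	export RUMP_SERVER=$SOCK2
	if [ "$mode" = "ipv6" ]; then
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping6 -n -X "$TIMEOUT" -c 1 -S "$ROUTER2_LANIP6" \
			"$ROUTER1_LANIP6"
	else
		# Mirror the IPv6 branch: source ROUTER2's LAN address and target
		# ROUTER1's.  The previous arguments (-I ROUTER1_LANIP
		# ROUTER2_LANIP) would fail on ROUTER2 regardless of the tunnel
		# state, so the check proved nothing.
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping -n -w "$TIMEOUT" -c 1 -I "$ROUTER2_LANIP" \
			"$ROUTER1_LANIP"
	fi

	unset RUMP_SERVER
}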
687
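#
# test_ping_success mode
#
# From each router, ping the other router's LAN address sourced from its
# own LAN address; both must succeed over the tunnel.
#
test_ping_success()
{
	# Was an undeclared global; every sibling declares $mode local.
	local mode=$1

	export RUMP_SERVER=$SOCK1
	if $DEBUG; then
		rump.ifconfig -v ipsec0
	fi
	if [ "$mode" = "ipv6" ]; then
		# XXX
		# rump.ping6 rarely fails with the message that
		# "failed to get receiving hop limit".
		# This is a known issue being analyzed.
		atf_check -s exit:0 -o ignore \
			rump.ping6 -n -X "$TIMEOUT" -c 1 -S "$ROUTER1_LANIP6" \
			"$ROUTER2_LANIP6"
	else
		atf_check -s exit:0 -o ignore \
			rump.ping -n -w "$TIMEOUT" -c 1 -I "$ROUTER1_LANIP" \
			"$ROUTER2_LANIP"
	fi
	if $DEBUG; then
		rump.ifconfig -v ipsec0
	fi

	export RUMP_SERVER=$SOCK2
	if $DEBUG; then
		rump.ifconfig -v ipsec0
	fi
	if [ "$mode" = "ipv6" ]; then
		atf_check -s exit:0 -o ignore \
			rump.ping6 -n -X "$TIMEOUT" -c 1 -S "$ROUTER2_LANIP6" \
			"$ROUTER1_LANIP6"
	else
		atf_check -s exit:0 -o ignore \
			rump.ping -n -w "$TIMEOUT" -c 1 -I "$ROUTER2_LANIP" \
			"$ROUTER1_LANIP"
	fi
	if $DEBUG; then
		rump.ifconfig -v ipsec0
	fi

	unset RUMP_SERVER
}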
724
#
# test_change_tunnel_duplicate mode
#
# Try to re-point ipsec0 at the *_DUMMY WAN endpoints while ipsec1 already
# uses them.  ifconfig is expected to exit 0 but report SIOCSLIFPHYADDR on
# stderr, on both routers.  $mode selects the WAN address family.
#
test_change_tunnel_duplicate()
{
	local mode=$1
	local newsrc=""
	local newdst=""

	case "$mode" in
	ipv6)
		newsrc=$ROUTER1_WANIP6_DUMMY
		newdst=$ROUTER2_WANIP6_DUMMY
		;;
	*)
		newsrc=$ROUTER1_WANIP_DUMMY
		newdst=$ROUTER2_WANIP_DUMMY
		;;
	esac
	export RUMP_SERVER=$SOCK1
	if $DEBUG; then
		rump.ifconfig -v ipsec0
		rump.ifconfig -v ipsec1
	fi
	atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \
		rump.ifconfig ipsec0 tunnel "$newsrc" "$newdst"
	if $DEBUG; then
		rump.ifconfig -v ipsec0
		rump.ifconfig -v ipsec1
	fi

	case "$mode" in
	ipv6)
		newsrc=$ROUTER2_WANIP6_DUMMY
		newdst=$ROUTER1_WANIP6_DUMMY
		;;
	*)
		newsrc=$ROUTER2_WANIP_DUMMY
		newdst=$ROUTER1_WANIP_DUMMY
		;;
	esac
	export RUMP_SERVER=$SOCK2
	if $DEBUG; then
		rump.ifconfig -v ipsec0
		rump.ifconfig -v ipsec1
	fi
	atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \
		rump.ifconfig ipsec0 tunnel "$newsrc" "$newdst"
	if $DEBUG; then
		rump.ifconfig -v ipsec0
		rump.ifconfig -v ipsec1
	fi

	unset RUMP_SERVER
}
763
#
# test_change_tunnel_success mode
#
# Re-point ipsec0 at the *_DUMMY WAN endpoints on both routers; this must
# succeed once ipsec1 has been torn down.  $mode selects the WAN family.
#
test_change_tunnel_success()
{
	local mode=$1
	local newsrc=""
	local newdst=""

	case "$mode" in
	ipv6)
		newsrc=$ROUTER1_WANIP6_DUMMY
		newdst=$ROUTER2_WANIP6_DUMMY
		;;
	*)
		newsrc=$ROUTER1_WANIP_DUMMY
		newdst=$ROUTER2_WANIP_DUMMY
		;;
	esac
	export RUMP_SERVER=$SOCK1
	if $DEBUG; then
		rump.ifconfig -v ipsec0
	fi
	atf_check -s exit:0 \
		rump.ifconfig ipsec0 tunnel "$newsrc" "$newdst"
	if $DEBUG; then
		rump.ifconfig -v ipsec0
	fi

	case "$mode" in
	ipv6)
		newsrc=$ROUTER2_WANIP6_DUMMY
		newdst=$ROUTER1_WANIP6_DUMMY
		;;
	*)
		newsrc=$ROUTER2_WANIP_DUMMY
		newdst=$ROUTER1_WANIP_DUMMY
		;;
	esac
	export RUMP_SERVER=$SOCK2
	if $DEBUG; then
		rump.ifconfig -v ipsec0
	fi
	atf_check -s exit:0 \
		rump.ifconfig ipsec0 tunnel "$newsrc" "$newdst"
	if $DEBUG; then
		rump.ifconfig -v ipsec0
	fi

	unset RUMP_SERVER
}
798
#
# basic_setup inner outer proto algo
#
# Setup phase of the "basic" category: routers, then the ipsec0 tunnel.
#
basic_setup()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	setup "$inner" "$outer"
	test_setup "$inner" "$outer"

	# Enable once PR kern/49219 is fixed
	#test_ping_failure

	setup_tunnel "$inner" "$outer" "$proto" "$algo"
	# Give the new tunnel a moment before checking it.
	sleep 1
	test_setup_tunnel "$inner"
}
816
#
# basic_test inner outer
#
# Test phase of the "basic" category.  $outer is unused but part of the
# common ${category}_test signature that add_test generates calls for.
#
basic_test()
{
	local inner=$1
	local outer=$2	# unused

	test_ping_success "$inner"
}
824
#
# basic_teardown inner outer
#
# Teardown phase of the "basic" category: remove the tunnel and confirm
# the LANs can no longer reach each other.  $outer is unused.
#
basic_teardown()
{
	local inner=$1
	local outer=$2	# unused

	teardown_tunnel
	test_ping_failure "$inner"
}
833
#
# ioctl_setup inner outer proto algo
#
# Setup phase of the "ioctl" category: like basic_setup plus the dummy
# (ipsec1) tunnel.
#
ioctl_setup()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	setup "$inner" "$outer"
	test_setup "$inner" "$outer"

	# Enable once PR kern/49219 is fixed
	#test_ping_failure

	setup_tunnel "$inner" "$outer" "$proto" "$algo"
	setup_dummy_tunnel "$inner" "$outer" "$proto" "$algo"
	# Give the new tunnels a moment before checking them.
	sleep 1
	test_setup_tunnel "$inner"
}
852
#
# ioctl_test inner outer
#
# Test phase of the "ioctl" category: traffic works, changing ipsec0 to
# endpoints owned by ipsec1 is rejected, and succeeds once ipsec1 is gone.
#
ioctl_test()
{
	local inner=$1
	local outer=$2

	test_ping_success "$inner"
	test_change_tunnel_duplicate "$outer"
	teardown_dummy_tunnel
	test_change_tunnel_success "$outer"
}
865
#
# ioctl_teardown inner outer
#
# Teardown phase of the "ioctl" category; $outer is unused.
#
ioctl_teardown()
{
	local inner=$1
	local outer=$2	# unused

	teardown_tunnel
	test_ping_failure "$inner"
}
874
#
# recursive_setup inner outer proto algo
#
# Setup phase of the "recursive" category: like basic_setup plus the
# nested ipsec1/ipsec2 tunnels on ROUTER1.
#
recursive_setup()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	setup "$inner" "$outer"
	test_setup "$inner" "$outer"

	# Enable once PR kern/49219 is fixed
	#test_ping_failure

	setup_tunnel "$inner" "$outer" "$proto" "$algo"
	setup_recursive_tunnels "$inner" "$proto" "$algo"
	# Give the new tunnels a moment before checking them.
	sleep 1
	test_setup_tunnel "$inner"
}
893
#
# recursive_test inner outer
#
# Test phase of the "recursive" category; $outer is unused.
#
recursive_test()
{
	local inner=$1
	local outer=$2	# unused

	test_recursive_check "$inner"
}
901
#
# recursive_teardown inner outer
#
# Teardown phase of the "recursive" category: nested tunnels first, then
# ipsec0.  Both arguments are unused.
#
recursive_teardown()
{
	local inner=$1	# unused
	local outer=$2	# unused

	teardown_recursive_tunnels
	teardown_tunnel
}
910
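#
# add_test category desc inner outer proto algo
#
# Register one ATF test case named
# ipsecif_${category}_${inner}over${outer}_${proto}_${algo-without-dashes}
# whose body runs ${category}_setup / _test / _teardown.
#
add_test()
{
	local category=$1
	local desc=$2
	local inner=$3
	local outer=$4
	local proto=$5
	local algo=$6
	local _algo=""
	# name/fulldesc used to be globals; nothing outside reads them.
	local name=""
	local fulldesc=""

	# Strip "-" so the algorithm name can be part of the test case name.
	_algo=$(printf '%s' "$algo" | sed 's/-//g')

	name="ipsecif_${category}_${inner}over${outer}_${proto}_${_algo}"
	fulldesc="Does ${inner} over ${outer} if_ipsec ${desc}"

	# ATF locates ${name}_head/_body/_cleanup by name, so they are generated
	# with eval.  Everything interpolated into the eval string comes from
	# the fixed tables in add_test_allproto, never from the environment;
	# keep it that way, since the values land unquoted in function bodies.
	atf_test_case "${name}" cleanup
	eval "${name}_head() {
			atf_set descr \"${fulldesc}\"
			atf_set require.progs rump_server setkey
		}
	    ${name}_body() {
			${category}_setup ${inner} ${outer} ${proto} ${algo}
			${category}_test ${inner} ${outer}
			${category}_teardown ${inner} ${outer}
			rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
			\$DEBUG && dump
			cleanup
		}"
	atf_add_test_case "${name}"
}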
941
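#
# add_test_allproto category desc
#
# Register the four inner/outer family combinations of $category for every
# algorithm in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM (defined outside this
# file).  ESP only.
#
add_test_allproto()
{
	local category=$1
	local desc=$2
	# The loop variable used to leak as a global.
	local algo=""

	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		add_test "$category" "$desc" ipv4 ipv4 esp "$algo"
		add_test "$category" "$desc" ipv4 ipv6 esp "$algo"
		add_test "$category" "$desc" ipv6 ipv4 esp "$algo"
		add_test "$category" "$desc" ipv6 ipv6 esp "$algo"
	done

	# ah does not support yet
}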
956
#
# atf_init_test_cases
#
# ATF entry point: the static create/destroy case plus the generated
# basic, ioctl and recursive matrices.
#
atf_init_test_cases()
{
	local category=""

	atf_add_test_case ipsecif_create_destroy

	add_test_allproto basic "basic tests"
	add_test_allproto ioctl "ioctl tests"
	add_test_allproto recursive "recursive check tests"
}
966