1# $NetBSD: t_ipsec_pfil.sh,v 1.3 2020/08/05 01:10:50 knakahara Exp $ 2# 3# Copyright (c) 2019 Internet Initiative Japan Inc. 4# All rights reserved. 5# 6# Redistribution and use in source and binary forms, with or without 7# modification, are permitted provided that the following conditions 8# are met: 9# 1. Redistributions of source code must retain the above copyright 10# notice, this list of conditions and the following disclaimer. 11# 2. Redistributions in binary form must reproduce the above copyright 12# notice, this list of conditions and the following disclaimer in the 13# documentation and/or other materials provided with the distribution. 14# 15# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 16# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 17# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 18# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 19# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 22# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 23# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 24# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25# POSSIBILITY OF SUCH DAMAGE. 26# 27 28SOCK_ROUTER1=unix://router1 29SOCK_ROUTER2=unix://router2 30ROUTER1_LANIP=192.168.1.1 31ROUTER1_LANNET=192.168.1.0/24 32ROUTER1_WANIP=10.0.0.1 33ROUTER1_IPSECIP=172.16.1.1 34ROUTER2_LANIP=192.168.2.1 35ROUTER2_LANNET=192.168.2.0/24 36ROUTER2_WANIP=10.0.0.2 37ROUTER2_IPSECIP=172.16.2.1 38 39DEBUG=${DEBUG:-false} 40TIMEOUT=7 41HIJACKING_NPF="${HIJACKING},blanket=/dev/npf" 42 43setup_router() 44{ 45 local sock=$1 46 local lan=$2 47 local wan=$3 48 49 rump_server_add_iface $sock shmif0 bus0 50 rump_server_add_iface $sock shmif1 bus1 51 52 export RUMP_SERVER=${sock} 53 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 54 55 atf_check -s exit:0 rump.ifconfig shmif0 inet ${lan} netmask 0xffffff00 56 atf_check -s exit:0 rump.ifconfig shmif0 up 57 # Ensure shmif0 is running 58 atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT ${lan} 59 $DEBUG && rump.ifconfig shmif0 60 61 atf_check -s exit:0 rump.ifconfig shmif1 inet ${wan} netmask 0xff000000 62 atf_check -s exit:0 rump.ifconfig shmif1 up 63 # Ensure shmif1 is running 64 atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT ${wan} 65 $DEBUG && rump.ifconfig shmif1 66 67 unset RUMP_SERVER 68} 69 70setup_if_ipsec() 71{ 72 local addr=$1 73 local remote=$2 74 local src=$3 75 local dst=$4 76 local peernet=$5 77 78 rump_server_add_iface $RUMP_SERVER ipsec0 79 atf_check -s exit:0 rump.ifconfig ipsec0 tunnel $src $dst 80 atf_check -s exit:0 rump.ifconfig ipsec0 inet ${addr}/32 $remote 81 atf_check -s exit:0 -o ignore rump.route add -inet $peernet $addr 82 83 $DEBUG && rump.ifconfig ipsec0 84 $DEBUG && rump.route -nL show -inet 85} 86 87get_if_ipsec_unique() 88{ 89 local src=$1 90 local proto=$2 91 local unique="" 92 93 unique=`$HIJACKING setkey -DP | grep -A2 "^${src}.*(${proto})$" | grep unique | sed 's/.*unique#//'` 94 95 echo $unique 96} 97 98setup_if_ipsec_sa() 99{ 100 local src=$1 101 local dst=$2 102 local inid=$3 103 local outid=$4 104 local proto=$5 105 local algo=$6 106 107 local tmpfile=./tmp 108 local inunique="" 109 local outunique="" 110 local algo_args="$(generate_algo_args $proto $algo)" 111 112 inunique=`get_if_ipsec_unique $dst "ipv4"` 113 atf_check -s exit:0 test "X$inunique" != "X" 114 outunique=`get_if_ipsec_unique $src "ipv4"` 115 atf_check -s exit:0 test "X$outunique" != "X" 116 117 cat > $tmpfile <<-EOF 118 add $dst $src $proto $inid -u $inunique -m transport $algo_args; 119 add $src $dst $proto $outid -u $outunique -m transport $algo_args; 120 EOF 121 $DEBUG && cat $tmpfile 122 atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile 123 $DEBUG && $HIJACKING setkey -D 124 $DEBUG && $HIJACKING setkey -DP 125} 126 127setup_tunnel() 128{ 129 local proto=$1 130 local algo=$2 131 132 local addr= remote= src= dst= peernet= 133 134 export RUMP_SERVER=$SOCK_ROUTER1 135 addr=$ROUTER1_IPSECIP 136 remote=$ROUTER2_IPSECIP 137 src=$ROUTER1_WANIP 138 dst=$ROUTER2_WANIP 139 peernet=$ROUTER2_LANNET 140 setup_if_ipsec $addr $remote $src $dst $peernet 141 setup_if_ipsec_sa $src $dst "10000" "10001" $proto $algo 142 143 export RUMP_SERVER=$SOCK_ROUTER2 144 addr=$ROUTER2_IPSECIP 145 remote=$ROUTER1_IPSECIP 146 src=$ROUTER2_WANIP 147 dst=$ROUTER1_WANIP 148 peernet=$ROUTER1_LANNET 149 setup_if_ipsec $addr $remote $src $dst $peernet 150 setup_if_ipsec_sa $src $dst "10001" "10000" $proto $algo 151 152 # Ensure ipsecif(4) settings have completed. 153 export RUMP_SERVER=$SOCK_ROUTER1 154 atf_check -s exit:0 -o ignore \ 155 rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \ 156 $ROUTER2_LANIP 157 158 export RUMP_SERVER=$SOCK_ROUTER2 159 atf_check -s exit:0 -o ignore \ 160 rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \ 161 $ROUTER1_LANIP 162 163 unset RUMP_SERVER 164} 165 166ipsecif_pfil_setup() 167{ 168 local proto=$1 169 local algo=$2 170 171 rump_server_crypto_npf_start $SOCK_ROUTER1 netipsec ipsec 172 rump_server_crypto_npf_start $SOCK_ROUTER2 netipsec ipsec 173 174 setup_router $SOCK_ROUTER1 $ROUTER1_LANIP $ROUTER1_WANIP 175 setup_router $SOCK_ROUTER2 $ROUTER2_LANIP $ROUTER2_WANIP 176 177 setup_tunnel $proto $algo 178} 179 180prepare_file() 181{ 182 local file=$1 183 local data="0123456789" 184 185 touch $file 186 for i in `seq 1 512` 187 do 188 echo $data >> $file 189 done 190} 191 192build_npf_conf() 193{ 194 local outfile=$1 195 local subnet=$2 196 local direction=$3 197 198 local reverse= 199 if [ "X${direction}" = "Xin" ] ; then 200 reverse="out" 201 else 202 reverse="in" 203 fi 204 205 cat > $outfile <<-EOF 206 set bpf.jit off 207 \$if = inet4(ipsec0) 208 \$subnet = { $subnet } 209 210 procedure "log0" { 211 log: npflog0 212 } 213 214 group default { 215 block $direction on \$if proto tcp from \$subnet apply "log0" 216 pass $reverse on \$if proto tcp from \$subnet 217 pass in on \$if proto icmp from 0.0.0.0/0 218 pass out on \$if proto icmp from 0.0.0.0/0 219 pass final on shmif0 all 220 pass final on shmif1 all 221 } 222 EOF 223} 224 225ipsecif_pfil_test() 226{ 227 local outfile=./out 228 local npffile=./npf.conf 229 local file_send=./file.send 230 local file_recv=./file.recv 231 232 local subnet="172.16.0.0/16" 233 234 # Try TCP communications just in case. 235 start_nc_server $SOCK_ROUTER2 8888 $file_recv ipv4 236 prepare_file $file_send 237 export RUMP_SERVER=$SOCK_ROUTER1 238 atf_check -s exit:0 $HIJACKING nc -w 3 $ROUTER2_IPSECIP 8888 < $file_send 239 atf_check -s exit:0 diff -q $file_send $file_recv 240 stop_nc_server 241 242 # Setup npf to block *out* direction for ipsecif(4). 243 build_npf_conf $npffile $subnet "out" 244 $DEBUG && cat $npffile 245 246 export RUMP_SERVER=$SOCK_ROUTER1 247 atf_check -s exit:0 $HIJACKING_NPF npfctl reload $npffile 248 atf_check -s exit:0 $HIJACKING_NPF npfctl start 249 $DEBUG && ${HIJACKING},"blanket=/dev/npf" npfctl show 250 251 # ping should still work 252 export RUMP_SERVER=$SOCK_ROUTER1 253 atf_check -s exit:0 -o ignore \ 254 rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \ 255 $ROUTER2_LANIP 256 257 export RUMP_SERVER=$SOCK_ROUTER2 258 atf_check -s exit:0 -o ignore \ 259 rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \ 260 $ROUTER1_LANIP 261 262 # TCP communications should be blocked. 263 start_nc_server $SOCK_ROUTER2 8888 $file_recv ipv4 264 prepare_file $file_send 265 export RUMP_SERVER=$SOCK_ROUTER1 266 atf_check -s exit:1 -o ignore $HIJACKING nc -w 3 $ROUTER2_IPSECIP 8888 < $file_send 267 stop_nc_server 268 269 atf_check -s exit:0 $HIJACKING_NPF npfctl stop 270 $DEBUG && ${HIJACKING},"blanket=/dev/npf" npfctl show 271 272 # Setup npf to block *in* direction for ipsecif(4). 273 build_npf_conf $npffile $subnet "in" 274 $DEBUG && cat $npffile 275 276 export RUMP_SERVER=$SOCK_ROUTER2 277 atf_check -s exit:0 $HIJACKING_NPF npfctl reload $npffile 278 atf_check -s exit:0 $HIJACKING_NPF npfctl start 279 $DEBUG && ${HIJACKING},"blanket=/dev/npf" npfctl show 280 281 # ping should still work. 282 export RUMP_SERVER=$SOCK_ROUTER1 283 atf_check -s exit:0 -o ignore \ 284 rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \ 285 $ROUTER2_LANIP 286 287 export RUMP_SERVER=$SOCK_ROUTER2 288 atf_check -s exit:0 -o ignore \ 289 rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \ 290 $ROUTER1_LANIP 291 292 # TCP communications should be blocked. 293 start_nc_server $SOCK_ROUTER2 8888 $file_recv ipv4 294 prepare_file $file_send 295 export RUMP_SERVER=$SOCK_ROUTER1 296 atf_check -s exit:1 -o ignore $HIJACKING nc -w 3 $ROUTER2_IPSECIP 8888 < $file_send 297 stop_nc_server 298 299 atf_check -s exit:0 $HIJACKING_NPF npfctl stop 300 $DEBUG && ${HIJACKING},"blanket=/dev/npf" npfctl show 301 302 303 unset RUMP_SERVER 304} 305 306ipsecif_pfil_teardown() 307{ 308 309 export RUMP_SERVER=$SOCK_ROUTER1 310 atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel 311 atf_check -s exit:0 rump.ifconfig ipsec0 destroy 312 $HIJACKING setkey -F 313 314 export RUMP_SERVER=$SOCK_ROUTER2 315 atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel 316 atf_check -s exit:0 rump.ifconfig ipsec0 destroy 317 $HIJACKING setkey -F 318 319 unset RUMP_SERVER 320} 321 322add_test() 323{ 324 local proto=$1 325 local algo=$2 326 local _algo=$(echo $algo | sed 's/-//g') 327 328 name="ipsecif_pfil_${proto}_${_algo}" 329 desc="Does ipsecif filter tests" 330 331 atf_test_case ${name} cleanup 332 eval "${name}_head() { 333 atf_set descr \"${desc}\" 334 atf_set require.progs rump_server setkey 335 } 336 ${name}_body() { 337 ipsecif_pfil_setup ${proto} ${algo} 338 ipsecif_pfil_test 339 ipsecif_pfil_teardown 340 rump_server_destroy_ifaces 341 } 342 ${name}_cleanup() { 343 \$DEBUG && dump 344 cleanup 345 }" 346 atf_add_test_case ${name} 347} 348 349add_test_allalgo() 350{ 351 local desc=$1 352 353 for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do 354 add_test esp $algo 355 done 356 357 # ah does not support yet 358} 359 360atf_init_test_cases() 361{ 362 363 add_test_allalgo ipsecif_pfil 364} 365