#	$NetBSD: t_ipsec_pfil.sh,v 1.3 2020/08/05 01:10:50 knakahara Exp $
#
# Copyright (c) 2019 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#

# Two rump kernels play the part of routers.  Each one has a LAN side
# (shmif0 on bus0), a WAN side (shmif1 on bus1) shared with the other
# router, and an ipsec0 tunnel address that the TCP test connects to.
SOCK_ROUTER1=unix://router1
SOCK_ROUTER2=unix://router2
ROUTER1_LANIP=192.168.1.1
ROUTER1_LANNET=192.168.1.0/24
ROUTER1_WANIP=10.0.0.1
ROUTER1_IPSECIP=172.16.1.1
ROUTER2_LANIP=192.168.2.1
ROUTER2_LANNET=192.168.2.0/24
ROUTER2_WANIP=10.0.0.2
ROUTER2_IPSECIP=172.16.2.1

# DEBUG=true in the environment makes the helpers dump interface, route,
# SA/SP and npf state as they go.  TIMEOUT bounds every ping.
DEBUG=${DEBUG:-false}
TIMEOUT=7
# Same hijacking environment as $HIJACKING, plus a blanket= entry so that
# npfctl's /dev/npf is opened inside the rump kernel (see rumphijack(3)).
HIJACKING_NPF="${HIJACKING},blanket=/dev/npf"

# Assign an address to one interface of the router that RUMP_SERVER points
# at, bring it up and confirm it answers a ping to its own address.
#   $1  interface name (shmif0 or shmif1)
#   $2  IPv4 address to assign
#   $3  netmask in the hexadecimal form rump.ifconfig accepts
_setup_router_iface()
{
	local ifname=$1
	local ipaddr=$2
	local mask=$3

	atf_check -s exit:0 rump.ifconfig $ifname inet ${ipaddr} netmask $mask
	atf_check -s exit:0 rump.ifconfig $ifname up
	# A ping to our own address proves the interface is really running.
	atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT ${ipaddr}
	$DEBUG && rump.ifconfig $ifname
	return 0
}

# Give a router its LAN (shmif0/bus0) and WAN (shmif1/bus1) interfaces and
# bring both up.  Leaves RUMP_SERVER unset on return.
#   $1  rump server socket
#   $2  LAN address (assigned as /24)
#   $3  WAN address (assigned as /8)
setup_router()
{
	local server=$1
	local lan_addr=$2
	local wan_addr=$3

	rump_server_add_iface $server shmif0 bus0
	rump_server_add_iface $server shmif1 bus1

	export RUMP_SERVER=${server}
	# dad_count=0 turns off duplicate address detection, so the addresses
	# are usable as soon as they are assigned.
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0

	_setup_router_iface shmif0 ${lan_addr} 0xffffff00
	_setup_router_iface shmif1 ${wan_addr} 0xff000000

	unset RUMP_SERVER
}

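# Configure ipsec0 on the router that RUMP_SERVER points at: set the
# tunnel endpoints, assign the point-to-point address pair and route the
# peer's LAN through the tunnel.
#   $1  local ipsec0 address          $2  remote ipsec0 address
#   $3  tunnel source (WAN address)   $4  tunnel destination (WAN address)
#   $5  peer LAN prefix, routed via $1
setup_if_ipsec()
{
	local addr=$1
	local remote=$2
	local src=$3
	local dst=$4
	local peernet=$5

	rump_server_add_iface $RUMP_SERVER ipsec0
	atf_check -s exit:0 rump.ifconfig ipsec0 tunnel $src $dst
	atf_check -s exit:0 rump.ifconfig ipsec0 inet ${addr}/32 $remote
	atf_check -s exit:0 -o ignore rump.route add -inet $peernet $addr

	$DEBUG && rump.ifconfig ipsec0
	$DEBUG && rump.route -nL show -inet
}

# Print the "unique#" policy id that "setkey -DP" reports for the SP entry
# whose first line starts with $1 and ends with "($2)".  The id is taken
# from the two lines that follow the match; nothing is printed when there
# is no such entry, so callers must check for an empty result.
#   $1  address the SP entry begins with
#   $2  tag printed in parentheses at the end of the entry's first line
#       (callers pass ipv4)
get_if_ipsec_unique()
{
	local src=$1
	local proto=$2
	local unique=""

	unique=$($HIJACKING setkey -DP | grep -A2 "^${src}.*(${proto})$" | \
	    grep unique | sed 's/.*unique#//')

	echo $unique
}

# Install the inbound and outbound transport-mode SAs for the tunnel on the
# router that RUMP_SERVER points at.  "-u" ties each SA to the unique# id
# of the SP for that direction (which the ipsec0 tunnel setup is expected
# to have created), so both ids must exist before setkey is run.
#   $1  local WAN address        $2  remote WAN address
#   $3  SPI of the inbound SA    $4  SPI of the outbound SA
#   $5  protocol (esp or ah)     $6  algorithm passed to generate_algo_args
setup_if_ipsec_sa()
{
	local src=$1
	local dst=$2
	local inid=$3
	local outid=$4
	local proto=$5
	local algo=$6

	local tmpfile=./tmp
	local inunique=""
	local outunique=""
	local algo_args="$(generate_algo_args $proto $algo)"

	# Fail here, with a clear check, rather than hand setkey an empty -u.
	inunique=$(get_if_ipsec_unique $dst "ipv4")
	atf_check -s exit:0 test "X$inunique" != "X"
	outunique=$(get_if_ipsec_unique $src "ipv4")
	atf_check -s exit:0 test "X$outunique" != "X"

	cat > $tmpfile <<-EOF
	add $dst $src $proto $inid -u $inunique -m transport $algo_args;
	add $src $dst $proto $outid -u $outunique -m transport $algo_args;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	$DEBUG && $HIJACKING setkey -D
	$DEBUG && $HIJACKING setkey -DP
}

# Build the tunnel between the two routers (ipsec0 plus the SA pair on each
# side) and then verify LAN-to-LAN reachability in both directions.  The
# SPIs are mirrored: router1's outbound SA (10001) is router2's inbound
# one and vice versa.  Leaves RUMP_SERVER unset on return.
#   $1  protocol (esp or ah)   $2  algorithm name
setup_tunnel()
{
	local proto=$1
	local algo=$2

	local addr= remote= src= dst= peernet=

	export RUMP_SERVER=$SOCK_ROUTER1
	addr=$ROUTER1_IPSECIP
	remote=$ROUTER2_IPSECIP
	src=$ROUTER1_WANIP
	dst=$ROUTER2_WANIP
	peernet=$ROUTER2_LANNET
	setup_if_ipsec $addr $remote $src $dst $peernet
	setup_if_ipsec_sa $src $dst "10000" "10001" $proto $algo

	export RUMP_SERVER=$SOCK_ROUTER2
	addr=$ROUTER2_IPSECIP
	remote=$ROUTER1_IPSECIP
	src=$ROUTER2_WANIP
	dst=$ROUTER1_WANIP
	peernet=$ROUTER1_LANNET
	setup_if_ipsec $addr $remote $src $dst $peernet
	setup_if_ipsec_sa $src $dst "10001" "10000" $proto $algo

	# Ensure ipsecif(4) settings have completed: a LAN-to-LAN ping in each
	# direction has to traverse the tunnel.
	export RUMP_SERVER=$SOCK_ROUTER1
	atf_check -s exit:0 -o ignore \
	    rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
	    $ROUTER2_LANIP

	export RUMP_SERVER=$SOCK_ROUTER2
	atf_check -s exit:0 -o ignore \
	    rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \
	    $ROUTER1_LANIP

	unset RUMP_SERVER
}

# Start both rump kernels via rump_server_crypto_npf_start, give each its
# LAN/WAN interfaces and bring the tunnel up.
#   $1  protocol (esp or ah)   $2  algorithm name
ipsecif_pfil_setup()
{
	local proto=$1
	local algo=$2

	rump_server_crypto_npf_start $SOCK_ROUTER1 netipsec ipsec
	rump_server_crypto_npf_start $SOCK_ROUTER2 netipsec ipsec

	setup_router $SOCK_ROUTER1 $ROUTER1_LANIP $ROUTER1_WANIP
	setup_router $SOCK_ROUTER2 $ROUTER2_LANIP $ROUTER2_WANIP

	setup_tunnel $proto $algo
}

# Write 512 lines of "0123456789" to $1, replacing any previous contents.
# The test calls this three times on the same path; truncating (instead of
# touch + append) keeps the payload the same size on every call.
#   $1  path of the file to write
prepare_file()
{
	local file=$1
	local data="0123456789"
	local i

	: > $file
	for i in $(seq 1 512)
	do
		echo $data >> $file
	done
}

# Write an npf.conf to $1 that, on ipsec0, blocks and logs TCP from $2 in
# direction $3, passes TCP from $2 in the opposite direction, passes ICMP
# in both directions, and passes everything on shmif0 and shmif1 so only
# the tunnel interface is filtered.
#   $1  output path   $2  subnet for the $subnet table   $3  "in" or "out"
build_npf_conf()
{
	local outfile=$1
	local subnet=$2
	local direction=$3

	local reverse=
	if [ "X${direction}" = "Xin" ] ; then
		reverse="out"
	else
		reverse="in"
	fi

	# "<<-" strips the leading tabs; "\$" keeps npf variables literal.
	cat > $outfile <<-EOF
	set bpf.jit off
	\$if = inet4(ipsec0)
	\$subnet = { $subnet }

	procedure "log0" {
		log: npflog0
	}

	group default {
		block $direction on \$if proto tcp from \$subnet apply "log0"
		pass $reverse on \$if proto tcp from \$subnet
		pass in on \$if proto icmp from 0.0.0.0/0
		pass out on \$if proto icmp from 0.0.0.0/0
		pass final on shmif0 all
		pass final on shmif1 all
	}
	EOF
}

# Check that npf rules attached to ipsec0 really apply to traffic through
# the tunnel.  Three phases: a plain TCP transfer that must succeed, then
# TCP blocked "out" on router1 (the client side), then TCP blocked "in" on
# router2 (the server side).  In each blocked phase ICMP must still pass
# and nc is expected to exit 1 once its 3 s timeout expires; the received
# file is only compared against the sent one in the unfiltered phase.
# Leaves RUMP_SERVER unset on return.
ipsecif_pfil_test()
{
	local outfile=./out
	local npffile=./npf.conf
	local file_send=./file.send
	local file_recv=./file.recv

	# Covers both routers' ipsec0 addresses (172.16.1.1 and 172.16.2.1).
	local subnet="172.16.0.0/16"

	# Try TCP communications just in case.
	start_nc_server $SOCK_ROUTER2 8888 $file_recv ipv4
	prepare_file $file_send
	export RUMP_SERVER=$SOCK_ROUTER1
	atf_check -s exit:0 $HIJACKING nc -w 3 $ROUTER2_IPSECIP 8888 < $file_send
	atf_check -s exit:0 diff -q $file_send $file_recv
	stop_nc_server

	# Setup npf to block *out* direction for ipsecif(4).
	build_npf_conf $npffile $subnet "out"
	$DEBUG && cat $npffile

	export RUMP_SERVER=$SOCK_ROUTER1
	atf_check -s exit:0 $HIJACKING_NPF npfctl reload $npffile
	atf_check -s exit:0 $HIJACKING_NPF npfctl start
	$DEBUG && $HIJACKING_NPF npfctl show

	# ping should still work
	export RUMP_SERVER=$SOCK_ROUTER1
	atf_check -s exit:0 -o ignore \
	    rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
	    $ROUTER2_LANIP

	export RUMP_SERVER=$SOCK_ROUTER2
	atf_check -s exit:0 -o ignore \
	    rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \
	    $ROUTER1_LANIP

	# TCP communications should be blocked.
	start_nc_server $SOCK_ROUTER2 8888 $file_recv ipv4
	prepare_file $file_send
	export RUMP_SERVER=$SOCK_ROUTER1
	atf_check -s exit:1 -o ignore $HIJACKING nc -w 3 $ROUTER2_IPSECIP 8888 < $file_send
	stop_nc_server

	atf_check -s exit:0 $HIJACKING_NPF npfctl stop
	$DEBUG && $HIJACKING_NPF npfctl show

	# Setup npf to block *in* direction for ipsecif(4).
	build_npf_conf $npffile $subnet "in"
	$DEBUG && cat $npffile

	export RUMP_SERVER=$SOCK_ROUTER2
	atf_check -s exit:0 $HIJACKING_NPF npfctl reload $npffile
	atf_check -s exit:0 $HIJACKING_NPF npfctl start
	$DEBUG && $HIJACKING_NPF npfctl show

	# ping should still work.
	export RUMP_SERVER=$SOCK_ROUTER1
	atf_check -s exit:0 -o ignore \
	    rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
	    $ROUTER2_LANIP

	export RUMP_SERVER=$SOCK_ROUTER2
	atf_check -s exit:0 -o ignore \
	    rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \
	    $ROUTER1_LANIP

	# TCP communications should be blocked.
	start_nc_server $SOCK_ROUTER2 8888 $file_recv ipv4
	prepare_file $file_send
	export RUMP_SERVER=$SOCK_ROUTER1
	atf_check -s exit:1 -o ignore $HIJACKING nc -w 3 $ROUTER2_IPSECIP 8888 < $file_send
	stop_nc_server

	atf_check -s exit:0 $HIJACKING_NPF npfctl stop
	$DEBUG && $HIJACKING_NPF npfctl show

	unset RUMP_SERVER
}

# Tear the tunnel down on both routers: drop the ipsec0 tunnel and the
# interface, then flush all SAs.  The status of "setkey -F" is not checked.
# Leaves RUMP_SERVER unset on return.
ipsecif_pfil_teardown()
{

	export RUMP_SERVER=$SOCK_ROUTER1
	atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel
	atf_check -s exit:0 rump.ifconfig ipsec0 destroy
	$HIJACKING setkey -F

	export RUMP_SERVER=$SOCK_ROUTER2
	atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel
	atf_check -s exit:0 rump.ifconfig ipsec0 destroy
	$HIJACKING setkey -F

	unset RUMP_SERVER
}

# Define and register one ATF test case, ipsecif_pfil_<proto>_<algo>, with
# the dashes removed from the algorithm name.  The head/body/cleanup
# functions are created with eval so each case gets its own name.
#   $1  protocol (esp or ah)   $2  algorithm name
add_test()
{
	local proto=$1
	local algo=$2
	local _algo=$(echo $algo | sed 's/-//g')
	# Keep these local: they were leaking into the global namespace.
	local name desc

	name="ipsecif_pfil_${proto}_${_algo}"
	desc="Does ipsecif filter tests"

	atf_test_case ${name} cleanup
	eval "${name}_head() {
	    atf_set descr \"${desc}\"
	    atf_set require.progs rump_server setkey
	}
	${name}_body() {
	    ipsecif_pfil_setup ${proto} ${algo}
	    ipsecif_pfil_test
	    ipsecif_pfil_teardown
	    rump_server_destroy_ifaces
	}
	${name}_cleanup() {
	    \$DEBUG && dump
	    cleanup
	}"
	atf_add_test_case ${name}
}

# Register one test case per ESP algorithm in
# $ESP_ENCRYPTION_ALGORITHMS_MINIMUM.  $1 is accepted but currently unused.
add_test_allalgo()
{
	local desc=$1

	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		add_test esp $algo
	done

	# ah does not support yet
}

# ATF entry point: registers every test case in this file.
atf_init_test_cases()
{

	add_test_allalgo ipsecif_pfil
}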