1*708e59ebSknakahara# $NetBSD: t_ipsec_forwarding.sh,v 1.2 2022/11/24 02:58:28 knakahara Exp $ 29d1cf4afSknakahara# 39d1cf4afSknakahara# Copyright (c) 2022 Internet Initiative Japan Inc. 49d1cf4afSknakahara# All rights reserved. 59d1cf4afSknakahara# 69d1cf4afSknakahara# Redistribution and use in source and binary forms, with or without 79d1cf4afSknakahara# modification, are permitted provided that the following conditions 89d1cf4afSknakahara# are met: 99d1cf4afSknakahara# 1. Redistributions of source code must retain the above copyright 109d1cf4afSknakahara# notice, this list of conditions and the following disclaimer. 119d1cf4afSknakahara# 2. Redistributions in binary form must reproduce the above copyright 129d1cf4afSknakahara# notice, this list of conditions and the following disclaimer in the 139d1cf4afSknakahara# documentation and/or other materials provided with the distribution. 149d1cf4afSknakahara# 159d1cf4afSknakahara# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 169d1cf4afSknakahara# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 179d1cf4afSknakahara# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 189d1cf4afSknakahara# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 199d1cf4afSknakahara# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 209d1cf4afSknakahara# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 219d1cf4afSknakahara# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 229d1cf4afSknakahara# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 239d1cf4afSknakahara# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 249d1cf4afSknakahara# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 259d1cf4afSknakahara# POSSIBILITY OF SUCH DAMAGE. 
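#

# Topology: three rump servers chained over shmif buses.
#
#   BUS_LOCAL_I -[shmif1] local [shmif0]- BUS_LOCAL_F -[shmif0] forward [shmif1]- BUS_REMOTE_F -[shmif0] remote [shmif1]- BUS_REMOTE_I
#
# The SP/SA installed by setup_sp_port and add_sa tunnel traffic between
# "local" and the remote-side address of "forward", so BUS_LOCAL_F carries
# the ESP leg and BUS_REMOTE_F carries the cleartext leg.
SOCK_LOCAL=unix://ipsec_local
SOCK_FORWARD=unix://ipsec_forward
SOCK_REMOTE=unix://ipsec_remote
BUS_LOCAL_I=./bus_ipsec_local
BUS_LOCAL_F=./bus_ipsec_local_forward
BUS_REMOTE_F=./bus_ipsec_remote_forward
BUS_REMOTE_I=./bus_ipsec_remote

# Set DEBUG=true in the environment to echo the setkey input and the
# SPD/SAD dumps while the test runs.
DEBUG=${DEBUG:-false}

# Attach the shmif interfaces to the three servers.  Shared by both
# address-family variants below; only the kernel modules differ.
setup_servers_ifaces()
{

	rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL_F
	rump_server_add_iface $SOCK_LOCAL shmif1 $BUS_LOCAL_I
	rump_server_add_iface $SOCK_FORWARD shmif0 $BUS_LOCAL_F
	rump_server_add_iface $SOCK_FORWARD shmif1 $BUS_REMOTE_F
	rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_REMOTE_F
	rump_server_add_iface $SOCK_REMOTE shmif1 $BUS_REMOTE_I
}

# Start the three servers with IPsec support and wire them up (IPv4 only).
setup_servers_ipv4()
{

	rump_server_crypto_start $SOCK_LOCAL netipsec
	rump_server_crypto_start $SOCK_FORWARD netipsec
	rump_server_crypto_start $SOCK_REMOTE netipsec
	setup_servers_ifaces
}

# Same as setup_servers_ipv4, additionally loading netinet6.
setup_servers_ipv6()
{

	rump_server_crypto_start $SOCK_LOCAL netipsec netinet6
	rump_server_crypto_start $SOCK_FORWARD netipsec netinet6
	rump_server_crypto_start $SOCK_REMOTE netipsec netinet6
	setup_servers_ifaces
}

# Dispatch to the per-family setup.
#   $1 - "ipv4" or "ipv6"; anything else fails the test case instead of
#        invoking a non-existent function.
setup_servers()
{
	local proto=$1

	case $proto in
	ipv4|ipv6)
		setup_servers_$proto
		;;
	*)
		atf_fail "setup_servers: unknown protocol '$proto'"
		;;
	esac
}

# Install mirrored, port-qualified TCP-only security policies on "local"
# and "forward".  The policy on "forward" is the reverse of the one on
# "local" (out <-> in, tunnel endpoints swapped).
#   $1 - IPsec protocol keyword for setkey (e.g. esp)
#   $2 - algorithm arguments; unused here, kept so the call signature
#        mirrors add_sa
#   $3/$4 - tunnel source / destination address
#   $5/$6 - inner source / destination subnet
#   $7/$8 - inner source / destination port ("any" allowed)
# Leaves RUMP_SERVER pointing at $SOCK_FORWARD.
setup_sp_port()
{
	local proto=$1
	local algo_args="$2"
	local tunnel_src=$3
	local tunnel_dst=$4
	local subnet_src=$5
	local subnet_dst=$6
	local port_src=$7
	local port_dst=$8
	local tmpfile=./tmp

	export RUMP_SERVER=$SOCK_LOCAL
	cat > $tmpfile <<-EOF
	spdadd $subnet_src[$port_src] $subnet_dst[$port_dst] tcp -P out ipsec $proto/tunnel/$tunnel_src-$tunnel_dst/require;
	spdadd $subnet_dst[$port_dst] $subnet_src[$port_src] tcp -P in ipsec $proto/tunnel/$tunnel_dst-$tunnel_src/require;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	$DEBUG && $HIJACKING setkey -DP

	export RUMP_SERVER=$SOCK_FORWARD
	cat > $tmpfile <<-EOF
	spdadd $subnet_dst[$port_dst] $subnet_src[$port_src] tcp -P out ipsec $proto/tunnel/$tunnel_dst-$tunnel_src/require;
	spdadd $subnet_src[$port_src] $subnet_dst[$port_dst] tcp -P in ipsec $proto/tunnel/$tunnel_src-$tunnel_dst/require;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	$DEBUG && $HIJACKING setkey -DP
}
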
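# Install the same pair of security associations on "local" and
# "forward": SPI $5 for tunnel_src -> tunnel_dst and SPI $5 + 1 for the
# return direction.
#   $1 - IPsec protocol keyword for setkey (e.g. esp)
#   $2 - algorithm arguments as produced by generate_algo_args
#   $3/$4 - tunnel source / destination address
#   $5 - base SPI (numeric)
#   $6/$7 - source / destination port written into the SA entry
# Leaves RUMP_SERVER pointing at $SOCK_FORWARD.
add_sa()
{
	local proto=$1
	local algo_args="$2"
	local tunnel_src=$3
	local tunnel_dst=$4
	local spi=$5
	local port_src=$6
	local port_dst=$7
	local tmpfile=./tmp
	local sock=

	for sock in $SOCK_LOCAL $SOCK_FORWARD; do
		export RUMP_SERVER=$sock
		cat > $tmpfile <<-EOF
		add $tunnel_src [$port_src] $tunnel_dst [$port_dst] $proto $((spi)) $algo_args;
		add $tunnel_dst [$port_dst] $tunnel_src [$port_src] $proto $((spi + 1)) $algo_args;
		EOF
		$DEBUG && cat $tmpfile
		atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
		$DEBUG && $HIJACKING setkey -D
	done
	# XXX it can be expired if $lifetime is very short
	#check_sa_entries $SOCK_LOCAL $ip_local $ip_remote
}

# Write 512 lines of "0123456789" to $1, replacing any previous content.
# The test calls this twice for the same path (once before and once after
# the SP is installed); truncating keeps the transferred file the same
# size both times instead of doubling it on the second call.
prepare_file()
{
	local file=$1
	local data="0123456789"
	local i=0

	while [ $i -lt 512 ]; do
		echo "$data"
		i=$((i + 1))
	done > "$file"
}
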
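# Assert that $2 (tcpdump text captured by extract_new_packets) contains
# an ICMP echo request from $3 to $4 and the matching reply.
#   $1 - "ipv4" or "ipv6", selects the wording tcpdump uses
check_icmp_echo_packets()
{
	local proto=$1
	local outfile=$2
	local src=$3
	local dst=$4
	local req= reply=

	case $proto in
	ipv4)
		req="ICMP echo request"
		reply="ICMP echo reply"
		;;
	ipv6)
		req="ICMP6, echo request"
		reply="ICMP6, echo reply"
		;;
	*)
		atf_fail "check_icmp_echo_packets: unknown protocol '$proto'"
		;;
	esac

	$DEBUG && cat $outfile
	atf_check -s exit:0 -o match:"$src > $dst: $req" cat $outfile
	atf_check -s exit:0 -o match:"$dst > $src: $reply" cat $outfile
}

# Assert that $1 contains cleartext TCP segments in both directions
# between $2 (any ephemeral port) and $3 port $4.
check_tcp_plain_packets()
{
	local outfile=$1
	local src=$2
	local dst=$3
	local port=$4

	$DEBUG && cat $outfile
	atf_check -s exit:0 \
	    -o match:"${src}\.[0-9]+ > ${dst}\.$port" cat $outfile
	atf_check -s exit:0 \
	    -o match:"${dst}\.$port > ${src}\.[0-9]+" cat $outfile
}

# Assert that $1 contains ESP in both directions between the tunnel
# endpoints $2 and $3 and, because the SP covers every TCP segment to
# $4 port $5, NO cleartext segment of that flow.  Without the negative
# check a policy that silently failed to apply would still pass the
# end-to-end transfer below.
# NOTE(review): assumes extract_new_packets does not decrypt ESP; if it
# ever passes keys to tcpdump the inner TCP would be printed as well.
check_tcp_esp_packets()
{
	local outfile=$1
	local tun_src=$2
	local tun_dst=$3
	local inner_dst=$4
	local port=$5

	$DEBUG && cat $outfile
	atf_check -s exit:0 \
	    -o match:"${tun_src} > ${tun_dst}: ESP" cat $outfile
	atf_check -s exit:0 \
	    -o match:"${tun_dst} > ${tun_src}: ESP" cat $outfile
	atf_check -s exit:0 \
	    -o not-match:"${tun_src}\.[0-9]+ > ${inner_dst}\.$port" cat $outfile
	atf_check -s exit:0 \
	    -o not-match:"${inner_dst}\.$port > ${tun_src}\.[0-9]+" cat $outfile
}

# IPv4 body: bring up the forwarding topology, verify plain ICMP and TCP
# end to end, then install a port-qualified TCP-only SP/SA pair between
# "local" and forward's remote-side address and verify that TCP to $port
# is tunneled on BUS_LOCAL_F while ICMP stays cleartext.
#   $1 - ESP encryption algorithm name (see generate_algo_args)
test_ipsec_sp_port_ipv4()
{
	local algo=$1
	local ip_local_i=192.168.11.1
	local ip_local_i_subnet=192.168.11.0/24
	local ip_local_f=10.22.22.2
	local ip_forward_l=10.22.22.1
	local ip_forward_r=10.33.33.1
	local ip_remote_f=10.33.33.2
	local ip_remote_i=192.168.44.1
	local ip_remote_i_subnet=192.168.44.0/24
	local port=1234
	local loutfile=./out_local
	local routfile=./out_remote
	local file_send=./file.send
	local file_recv=./file.recv
	local algo_args="$(generate_algo_args esp $algo)"

	setup_servers ipv4

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet $ip_local_f/24
	atf_check -s exit:0 rump.ifconfig shmif1 inet $ip_local_i/24
	atf_check -s exit:0 -o ignore \
	    rump.route add -inet default $ip_forward_l

	export RUMP_SERVER=$SOCK_FORWARD
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1
	atf_check -s exit:0 rump.ifconfig shmif0 inet $ip_forward_l/24
	atf_check -s exit:0 rump.ifconfig shmif1 inet $ip_forward_r/24
	atf_check -s exit:0 -o ignore \
	    rump.route add -inet $ip_local_i_subnet $ip_local_f
	atf_check -s exit:0 -o ignore \
	    rump.route add -inet $ip_remote_i_subnet $ip_remote_f

	export RUMP_SERVER=$SOCK_REMOTE
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet $ip_remote_f/24
	atf_check -s exit:0 rump.ifconfig shmif1 inet $ip_remote_i/24
	atf_check -s exit:0 -o ignore \
	    rump.route add -inet default $ip_forward_r

	# Drain whatever the configuration above put on the buses.
	extract_new_packets $BUS_LOCAL_F > $loutfile
	extract_new_packets $BUS_REMOTE_F > $routfile

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 -I $ip_local_i \
	    $ip_remote_i

	extract_new_packets $BUS_LOCAL_F > $loutfile
	extract_new_packets $BUS_REMOTE_F > $routfile
	check_icmp_echo_packets ipv4 $loutfile $ip_local_i $ip_remote_i
	check_icmp_echo_packets ipv4 $routfile $ip_local_i $ip_remote_i

	# Try TCP communications just in case
	start_nc_server $SOCK_REMOTE $port $file_recv ipv4
	prepare_file $file_send
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 $HIJACKING nc -w 7 -s $ip_local_i \
	    $ip_remote_i $port < $file_send
	atf_check -s exit:0 diff -q $file_send $file_recv
	stop_nc_server

	extract_new_packets $BUS_LOCAL_F > $loutfile
	extract_new_packets $BUS_REMOTE_F > $routfile
	check_tcp_plain_packets $loutfile $ip_local_i $ip_remote_i $port
	check_tcp_plain_packets $routfile $ip_local_i $ip_remote_i $port

	# Create IPsec connections
	setup_sp_port esp "$algo_args" $ip_local_i $ip_forward_r \
	    $ip_local_i_subnet $ip_remote_i_subnet any $port
	add_sa esp "$algo_args" $ip_local_i $ip_forward_r \
	    10000 any $port

	extract_new_packets $BUS_LOCAL_F > $loutfile
	extract_new_packets $BUS_REMOTE_F > $routfile

	# The SP is restricted to tcp, so ICMP must still cross in the clear.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 -I $ip_local_i \
	    $ip_remote_i

	extract_new_packets $BUS_LOCAL_F > $loutfile
	extract_new_packets $BUS_REMOTE_F > $routfile
	check_icmp_echo_packets ipv4 $loutfile $ip_local_i $ip_remote_i
	check_icmp_echo_packets ipv4 $routfile $ip_local_i $ip_remote_i

	# Check TCP communications from local to remote
	start_nc_server $SOCK_REMOTE $port $file_recv ipv4
	prepare_file $file_send
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 $HIJACKING nc -w 15 -s $ip_local_i \
	    $ip_remote_i $port < $file_send
	atf_check -s exit:0 diff -q $file_send $file_recv
	stop_nc_server

	extract_new_packets $BUS_LOCAL_F > $loutfile
	extract_new_packets $BUS_REMOTE_F > $routfile
	# local <-> forward is the tunnel leg; forward <-> remote is outside it.
	check_tcp_esp_packets $loutfile $ip_local_i $ip_forward_r \
	    $ip_remote_i $port
	check_tcp_plain_packets $routfile $ip_local_i $ip_remote_i $port
}

# IPv6 body; see test_ipsec_sp_port_ipv4 for the scenario.
#   $1 - ESP encryption algorithm name (see generate_algo_args)
test_ipsec_sp_port_ipv6()
{
	local algo=$1
	local ip_local_i=fc00:1111::1
	local ip_local_i_subnet=fc00:1111::/64
	local ip_local_f=fc00:2222::2
	local ip_forward_l=fc00:2222::1
	local ip_forward_r=fc00:3333::1
	local ip_remote_f=fc00:3333::2
	local ip_remote_i=fc00:4444::1
	local ip_remote_i_subnet=fc00:4444::/64
	local port=1234
	local loutfile=./out_local
	local routfile=./out_remote
	local file_send=./file.send
	local file_recv=./file.recv
	local algo_args="$(generate_algo_args esp $algo)"

	setup_servers ipv6

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local_f/64
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_local_i/64
	atf_check -s exit:0 -o ignore \
	    rump.route add -inet6 default $ip_forward_l

	export RUMP_SERVER=$SOCK_FORWARD
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.forwarding=1
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_forward_l/64
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_forward_r/64
	atf_check -s exit:0 -o ignore \
	    rump.route add -inet6 $ip_local_i_subnet $ip_local_f
	atf_check -s exit:0 -o ignore \
	    rump.route add -inet6 $ip_remote_i_subnet $ip_remote_f

	export RUMP_SERVER=$SOCK_REMOTE
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0
	atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_remote_f/64
	atf_check -s exit:0 rump.ifconfig shmif1 inet6 $ip_remote_i/64
	atf_check -s exit:0 -o ignore \
	    rump.route add -inet6 default $ip_forward_r

	# Drain whatever the configuration above put on the buses.
	extract_new_packets $BUS_LOCAL_F > $loutfile
	extract_new_packets $BUS_REMOTE_F > $routfile

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 -S $ip_local_i \
	    $ip_remote_i

	extract_new_packets $BUS_LOCAL_F > $loutfile
	extract_new_packets $BUS_REMOTE_F > $routfile
	check_icmp_echo_packets ipv6 $loutfile $ip_local_i $ip_remote_i
	check_icmp_echo_packets ipv6 $routfile $ip_local_i $ip_remote_i

	# Try TCP communications just in case
	start_nc_server $SOCK_REMOTE $port $file_recv ipv6
	prepare_file $file_send
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 $HIJACKING nc -w 7 -s $ip_local_i \
	    $ip_remote_i $port < $file_send
	atf_check -s exit:0 diff -q $file_send $file_recv
	stop_nc_server

	extract_new_packets $BUS_LOCAL_F > $loutfile
	extract_new_packets $BUS_REMOTE_F > $routfile
	check_tcp_plain_packets $loutfile $ip_local_i $ip_remote_i $port
	check_tcp_plain_packets $routfile $ip_local_i $ip_remote_i $port

	# Create IPsec connections
	setup_sp_port esp "$algo_args" $ip_local_i $ip_forward_r \
	    $ip_local_i_subnet $ip_remote_i_subnet any $port
	add_sa esp "$algo_args" $ip_local_i $ip_forward_r \
	    10000 any $port

	extract_new_packets $BUS_LOCAL_F > $loutfile
	extract_new_packets $BUS_REMOTE_F > $routfile

	# The SP is restricted to tcp, so ICMPv6 must still cross in the clear.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 -S $ip_local_i \
	    $ip_remote_i

	extract_new_packets $BUS_LOCAL_F > $loutfile
	extract_new_packets $BUS_REMOTE_F > $routfile
	check_icmp_echo_packets ipv6 $loutfile $ip_local_i $ip_remote_i
	check_icmp_echo_packets ipv6 $routfile $ip_local_i $ip_remote_i

	# Check TCP communications from local to remote
	start_nc_server $SOCK_REMOTE $port $file_recv ipv6
	prepare_file $file_send
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 $HIJACKING nc -w 7 -s $ip_local_i \
	    $ip_remote_i $port < $file_send
	atf_check -s exit:0 diff -q $file_send $file_recv
	stop_nc_server

	extract_new_packets $BUS_LOCAL_F > $loutfile
	extract_new_packets $BUS_REMOTE_F > $routfile
	# local <-> forward is the tunnel leg; forward <-> remote is outside it.
	check_tcp_esp_packets $loutfile $ip_local_i $ip_forward_r \
	    $ip_remote_i $port
	check_tcp_plain_packets $routfile $ip_local_i $ip_remote_i $port
}

# Register one ATF test case per (protocol, algorithm) pair.
#   $1 - "ipv4" or "ipv6"
#   $2 - ESP encryption algorithm name; dashes are stripped for the
#        test case identifier
# The eval below only ever sees $name/$desc built from $1/$2, which
# atf_init_test_cases takes from $ESP_ENCRYPTION_ALGORITHMS_MINIMUM,
# not from anything supplied at run time.
add_test_ipsec_sp_port()
{
	local proto=$1
	local algo=$2
	local _algo=$(echo $algo | sed 's/-//g')
	local name= desc=

	desc="Test IPsec $proto forwarding SP port ($algo)"
	name="ipsec_sp_port_${proto}_${_algo}"

	atf_test_case ${name} cleanup
	eval "
	    ${name}_head() {
	        atf_set descr \"$desc\"
	        atf_set require.progs rump_server setkey nc
	    }
	    ${name}_body() {
	        test_ipsec_sp_port_$proto $algo
	        rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
	        stop_nc_server
	        \$DEBUG && dump
	        cleanup
	    }
	"
	atf_add_test_case ${name}
}

# ATF entry point: one IPv4 and one IPv6 case for every algorithm in the
# minimum ESP set.
atf_init_test_cases()
{
	local algo=

	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		add_test_ipsec_sp_port ipv4 $algo
		add_test_ipsec_sp_port ipv6 $algo
	done
}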