#	$NetBSD: t_ipsec.sh,v 1.2 2018/01/11 07:58:22 ozaki-r Exp $
#
# Copyright (c) 2017 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
# Test topology: two rump servers act as ROUTER1 and ROUTER2.  Each has a
# LAN address, a WAN address and an address on its ipsec(4) interface.

# Control sockets of the two rump servers.
SOCK1=unix://commsock1 # for ROUTER1
SOCK2=unix://commsock2 # for ROUTER2

# IPv4 addresses.  The *_DUMMY values are used for the second tunnel
# (ipsec1) of the ioctl tests; the *_RECURSIVE values are the addresses of
# the nested tunnels (ipsec1, ipsec2) of the recursion tests.
ROUTER1_LANIP=192.168.1.1
ROUTER1_LANNET=192.168.1.0/24
ROUTER1_WANIP=10.0.0.1
ROUTER1_IPSECIP=172.16.1.1
ROUTER1_WANIP_DUMMY=10.0.0.11
ROUTER1_IPSECIP_DUMMY=172.16.11.1
ROUTER1_IPSECIP_RECURSIVE1=172.16.101.1
ROUTER1_IPSECIP_RECURSIVE2=172.16.201.1
ROUTER2_LANIP=192.168.2.1
ROUTER2_LANNET=192.168.2.0/24
ROUTER2_WANIP=10.0.0.2
ROUTER2_IPSECIP=172.16.2.1
ROUTER2_WANIP_DUMMY=10.0.0.12
ROUTER2_IPSECIP_DUMMY=172.16.12.1
ROUTER2_IPSECIP_RECURSIVE1=172.16.102.1
ROUTER2_IPSECIP_RECURSIVE2=172.16.202.1

# IPv6 counterparts of the addresses above.
ROUTER1_LANIP6=fc00:1::1
ROUTER1_LANNET6=fc00:1::/64
ROUTER1_WANIP6=fc00::1
ROUTER1_IPSECIP6=fc00:3::1
ROUTER1_WANIP6_DUMMY=fc00::11
ROUTER1_IPSECIP6_DUMMY=fc00:13::1
ROUTER1_IPSECIP6_RECURSIVE1=fc00:103::1
ROUTER1_IPSECIP6_RECURSIVE2=fc00:203::1
ROUTER2_LANIP6=fc00:2::1
ROUTER2_LANNET6=fc00:2::/64
ROUTER2_WANIP6=fc00::2
ROUTER2_IPSECIP6=fc00:4::1
ROUTER2_WANIP6_DUMMY=fc00::12
ROUTER2_IPSECIP6_DUMMY=fc00:14::1
ROUTER2_IPSECIP6_RECURSIVE1=fc00:104::1
ROUTER2_IPSECIP6_RECURSIVE2=fc00:204::1

# DEBUG is run as a command ("$DEBUG && ..."), so it must be "true" or
# "false"; it defaults to "false" when unset or empty.
: "${DEBUG:=false}"
# Value handed to ping -w and ping6 -X by the reachability checks.
TIMEOUT=7
# Attach and address the two interfaces of one router.
#   $1 sock      control socket of the rump server
#   $2 lan       address for shmif0 (attached to bus0)
#   $3 lan_mode  "ipv6" selects inet6, anything else is handled as IPv4
#   $4 wan       address for shmif1 (attached to bus1)
#   $5 wan_mode  same convention as lan_mode
# Every configuration step goes through atf_check, so a failing ifconfig
# fails the test case.  RUMP_SERVER is unset again on return.
setup_router()
{
	local sock=$1
	local lan=$2
	local lan_mode=$3
	local wan=$4
	local wan_mode=$5

	rump_server_add_iface $sock shmif0 bus0
	rump_server_add_iface $sock shmif1 bus1

	export RUMP_SERVER=$sock

	# LAN side; the IPv4 case uses a /24 netmask.
	case $lan_mode in
	ipv6)
		atf_check -s exit:0 rump.ifconfig shmif0 inet6 $lan
		;;
	*)
		atf_check -s exit:0 rump.ifconfig shmif0 inet $lan netmask 0xffffff00
		;;
	esac
	atf_check -s exit:0 rump.ifconfig shmif0 up
	# Unchecked: only puts the resulting state into the test output.
	rump.ifconfig shmif0

	# WAN side; the IPv4 case uses a /8 netmask.
	case $wan_mode in
	ipv6)
		atf_check -s exit:0 rump.ifconfig shmif1 inet6 $wan
		;;
	*)
		atf_check -s exit:0 rump.ifconfig shmif1 inet $wan netmask 0xff000000
		;;
	esac
	atf_check -s exit:0 rump.ifconfig shmif1 up
	rump.ifconfig shmif1

	unset RUMP_SERVER
}
# Check that one router was configured as setup_router intended.
#   $1 sock      control socket of the rump server
#   $2 lan       the router's own LAN address
#   $3 lan_mode  "ipv6" or anything else for IPv4
#   $4 wan       the router's own WAN address
#   $5 wan_mode  same convention as lan_mode
# Both interfaces must show up in ifconfig output and both addresses must
# answer a single ping sent from the router itself.
test_router()
{
	local sock=$1
	local lan=$2
	local lan_mode=$3
	local wan=$4
	local wan_mode=$5

	export RUMP_SERVER=$sock

	atf_check -s exit:0 -o match:shmif0 rump.ifconfig
	case $lan_mode in
	ipv6)
		atf_check -s exit:0 -o ignore rump.ping6 -n -c 1 -X $TIMEOUT $lan
		;;
	*)
		atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT $lan
		;;
	esac

	atf_check -s exit:0 -o match:shmif1 rump.ifconfig
	case $wan_mode in
	ipv6)
		atf_check -s exit:0 -o ignore rump.ping6 -n -c 1 -X $TIMEOUT $wan
		;;
	*)
		atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT $wan
		;;
	esac

	unset RUMP_SERVER
}
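# Start both rump servers with the IPsec components and address their
# interfaces.
#   $1 inner  address family used on the LAN side ("ipv6", else IPv4)
#   $2 outer  address family used on the WAN side ("ipv6", else IPv4)
# All working variables are local so that nothing leaks into the test
# case that calls this function.
setup()
{
	local inner=$1
	local outer=$2
	local router1_lan=""
	local router2_lan=""
	local lan_mode=""
	local router1_wan=""
	local router2_wan=""
	local wan_mode=""

	rump_server_crypto_start $SOCK1 netipsec netinet6 ipsec
	rump_server_crypto_start $SOCK2 netipsec netinet6 ipsec

	if [ "$inner" = "ipv6" ]; then
		router1_lan=$ROUTER1_LANIP6
		router2_lan=$ROUTER2_LANIP6
		lan_mode="ipv6"
	else
		router1_lan=$ROUTER1_LANIP
		router2_lan=$ROUTER2_LANIP
		lan_mode="ipv4"
	fi

	if [ "$outer" = "ipv6" ]; then
		router1_wan=$ROUTER1_WANIP6
		router2_wan=$ROUTER2_WANIP6
		wan_mode="ipv6"
	else
		router1_wan=$ROUTER1_WANIP
		router2_wan=$ROUTER2_WANIP
		wan_mode="ipv4"
	fi

	setup_router $SOCK1 $router1_lan $lan_mode $router1_wan $wan_mode
	setup_router $SOCK2 $router2_lan $lan_mode $router2_wan $wan_mode
}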
# Run test_router on both routers for the given address families.
#   $1 inner  address family of the LAN side ("ipv6", else IPv4)
#   $2 outer  address family of the WAN side ("ipv6", else IPv4)
test_setup()
{
	local inner=$1
	local outer=$2

	# Start from the IPv4 values and switch to IPv6 when requested.
	local router1_lan=$ROUTER1_LANIP
	local router1_lan_mode="ipv4"
	local router2_lan=$ROUTER2_LANIP
	local router2_lan_mode="ipv4"

	case $inner in
	ipv6)
		router1_lan=$ROUTER1_LANIP6
		router1_lan_mode="ipv6"
		router2_lan=$ROUTER2_LANIP6
		router2_lan_mode="ipv6"
		;;
	esac

	case $outer in
	ipv6)
		test_router $SOCK1 $router1_lan $router1_lan_mode \
			$ROUTER1_WANIP6 ipv6
		test_router $SOCK2 $router2_lan $router2_lan_mode \
			$ROUTER2_WANIP6 ipv6
		;;
	*)
		test_router $SOCK1 $router1_lan $router1_lan_mode \
			$ROUTER1_WANIP ipv4
		test_router $SOCK2 $router2_lan $router2_lan_mode \
			$ROUTER2_WANIP ipv4
		;;
	esac
}
# Print the "unique#" id of the security policy whose "setkey -DP" entry
# starts with the given source address and ends with "(<proto>)".
#   $1 sock   control socket of the rump server
#   $2 src    source address the policy line starts with
#   $3 proto  text expected in parentheses at the end of the policy line
# Prints nothing when no policy matches; callers should treat an empty
# result as an error.
# NOTE(review): src is placed into the pattern unescaped and is followed
# by ".*", so "." matches any character and an address that merely begins
# with src (10.0.0.11 for 10.0.0.1) matches as well.  Confirm that this
# cannot select the wrong policy when several tunnels exist.
get_if_ipsec_unique()
{
	local sock=$1
	local src=$2
	local proto=$3
	local unique=""
	local pattern="^${src}.*(${proto})$"

	export RUMP_SERVER=$sock
	# Take the matching policy line plus the two lines after it, then cut
	# the id out of the line that carries "unique#".
	unique=$($HIJACKING setkey -DP |
	    grep -A2 "$pattern" |
	    grep unique |
	    sed 's/.*unique#//')
	unset RUMP_SERVER

	echo $unique
}
# Create ipsec0 on one router and route the peer's LAN through it.
#   $1 sock     control socket of the rump server
#   $2 addr     local address of ipsec0
#   $3 remote   peer address of ipsec0
#   $4 inner    address family carried inside the tunnel ("ipv6", else IPv4)
#   $5 src      local tunnel endpoint
#   $6 dst      remote tunnel endpoint
#   $7 peernet  peer LAN network to route via addr
# Unlike most helpers in this file, RUMP_SERVER is left exported on
# return.
setup_if_ipsec()
{
	local sock=$1
	local addr=$2
	local remote=$3
	local inner=$4
	local src=$5
	local dst=$6
	local peernet=$7

	export RUMP_SERVER=$sock

	atf_check -s exit:0 rump.ifconfig ipsec0 create
	atf_check -s exit:0 rump.ifconfig ipsec0 tunnel $src $dst

	# Host-length prefix on the interface, then a route to the peer LAN.
	case $inner in
	ipv6)
		atf_check -s exit:0 rump.ifconfig ipsec0 inet6 ${addr}/128 $remote
		atf_check -s exit:0 -o ignore rump.route add -inet6 $peernet $addr
		;;
	*)
		atf_check -s exit:0 rump.ifconfig ipsec0 inet ${addr}/32 $remote
		atf_check -s exit:0 -o ignore rump.route add -inet $peernet $addr
		;;
	esac

	# Unchecked: state dump for the test output.
	rump.ifconfig ipsec0
	rump.route -nL show
}
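# Install the pair of security associations for an if_ipsec tunnel.
#   $1 sock   control socket of the rump server
#   $2 src    local tunnel endpoint
#   $3 dst    remote tunnel endpoint
#   $4 mode   "ipv6" or anything else for IPv4; selects the policy whose
#             unique id is looked up and the SPI pair
#   $5 proto  IPsec protocol handed to setkey (the tests use esp)
#   $6 algo   algorithm name, expanded by generate_algo_args
#   $7 dir    "1to2" on ROUTER1, anything else on ROUTER2; the SPI pair is
#             swapped so that one side's outbound SPI is the other's inbound
# Each SA is tied to a policy through "-u <unique id>".  A missing id
# means the policy lookup failed, so the test case is failed right away
# instead of feeding setkey a malformed "add" line.
# The setkey input, including the key material produced by
# generate_algo_args, is written to ./tmp in the current directory and is
# not removed here.  That is acceptable only for fixed test keys.
setup_if_ipsec_sa()
{
	local sock=$1
	local src=$2
	local dst=$3
	local mode=$4
	local proto=$5
	local algo=$6
	local dir=$7

	local tmpfile=./tmp
	local inunique=""
	local outunique=""
	local inid=""
	local outid=""
	local algo_args=""

	algo_args=$(generate_algo_args $proto $algo)

	inunique=$(get_if_ipsec_unique $sock $dst $mode)
	outunique=$(get_if_ipsec_unique $sock $src $mode)
	if [ -z "$inunique" ] || [ -z "$outunique" ]; then
		atf_fail "no policy unique id for ${src} <-> ${dst} (${mode})"
	fi

	# Fixed SPIs: 1000x for IPv4, 1001x for IPv6.
	case "${dir}:${mode}" in
	1to2:ipv6)
		inid="10010"
		outid="10011"
		;;
	1to2:*)
		inid="10000"
		outid="10001"
		;;
	*:ipv6)
		inid="10011"
		outid="10010"
		;;
	*)
		inid="10001"
		outid="10000"
		;;
	esac

	printf '%s\n' \
	    "add $dst $src $proto $inid -u $inunique $algo_args;" \
	    "add $src $dst $proto $outid -u $outunique $algo_args;" \
	    > $tmpfile
	$DEBUG && cat $tmpfile
	export RUMP_SERVER=$sock
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	$DEBUG && $HIJACKING setkey -D
	$DEBUG && $HIJACKING setkey -DP
	unset RUMP_SERVER
}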
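# Build the ipsec0 tunnel between ROUTER1 and ROUTER2 and install its SAs.
#   $1 inner  address family carried inside the tunnel ("ipv6", else IPv4)
#   $2 outer  address family of the tunnel endpoints ("ipv6", else IPv4)
#   $3 proto  IPsec protocol for the SAs
#   $4 algo   algorithm name for the SAs
# For IPv6 over IPv4 an additional SA pair is installed for the outer
# family before the pair for the inner family.
# NOTE(review): the reason for that extra pair is not visible in this
# file; presumably the interface installs policies for both families.
setup_tunnel()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	local addr=""
	local remote=""
	local src=""
	local dst=""
	local peernet=""

	# ROUTER1 side.
	if [ "$inner" = "ipv6" ]; then
		addr=$ROUTER1_IPSECIP6
		remote=$ROUTER2_IPSECIP6
		peernet=$ROUTER2_LANNET6
	else
		addr=$ROUTER1_IPSECIP
		remote=$ROUTER2_IPSECIP
		peernet=$ROUTER2_LANNET
	fi
	if [ "$outer" = "ipv6" ]; then
		src=$ROUTER1_WANIP6
		dst=$ROUTER2_WANIP6
	else
		src=$ROUTER1_WANIP
		dst=$ROUTER2_WANIP
	fi
	setup_if_ipsec $SOCK1 $addr $remote $inner $src $dst $peernet
	if [ "$inner" = "ipv6" ] && [ "$outer" = "ipv4" ]; then
		setup_if_ipsec_sa $SOCK1 $src $dst $outer $proto $algo "1to2"
	fi
	setup_if_ipsec_sa $SOCK1 $src $dst $inner $proto $algo "1to2"

	# ROUTER2 side: same steps with the roles of the routers swapped.
	if [ "$inner" = "ipv6" ]; then
		addr=$ROUTER2_IPSECIP6
		remote=$ROUTER1_IPSECIP6
		peernet=$ROUTER1_LANNET6
	else
		addr=$ROUTER2_IPSECIP
		remote=$ROUTER1_IPSECIP
		peernet=$ROUTER1_LANNET
	fi
	if [ "$outer" = "ipv6" ]; then
		src=$ROUTER2_WANIP6
		dst=$ROUTER1_WANIP6
	else
		src=$ROUTER2_WANIP
		dst=$ROUTER1_WANIP
	fi
	# setup_if_ipsec reads seven arguments; proto and algo are only
	# needed by setup_if_ipsec_sa.
	setup_if_ipsec $SOCK2 $addr $remote $inner $src $dst $peernet
	if [ "$inner" = "ipv6" ] && [ "$outer" = "ipv4" ]; then
		setup_if_ipsec_sa $SOCK2 $src $dst $outer $proto $algo "2to1"
	fi
	setup_if_ipsec_sa $SOCK2 $src $dst $inner $proto $algo "2to1"
}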
# Check on both routers that ipsec0 exists and that the route to the
# peer's LAN goes through it.
#   $1 mode  address family of the LAN networks ("ipv6", else IPv4)
# RUMP_SERVER is left pointing at $SOCK2 on return.
test_setup_tunnel()
{
	local mode=$1

	local peernet=""
	local opt=""

	# ROUTER1 must reach ROUTER2's LAN via ipsec0.
	case $mode in
	ipv6)
		peernet=$ROUTER2_LANNET6
		opt="-inet6"
		;;
	*)
		peernet=$ROUTER2_LANNET
		opt="-inet"
		;;
	esac
	export RUMP_SERVER=$SOCK1
	atf_check -s exit:0 -o match:ipsec0 rump.ifconfig
	atf_check -s exit:0 -o match:ipsec0 rump.route -nL get $opt $peernet

	# ROUTER2 must reach ROUTER1's LAN via ipsec0.
	case $mode in
	ipv6)
		peernet=$ROUTER1_LANNET6
		opt="-inet6"
		;;
	*)
		peernet=$ROUTER1_LANNET
		opt="-inet"
		;;
	esac
	export RUMP_SERVER=$SOCK2
	atf_check -s exit:0 -o match:ipsec0 rump.ifconfig
	atf_check -s exit:0 -o match:ipsec0 rump.route -nL get $opt $peernet
}
# Remove ipsec0 from both routers and flush their SA databases.
# The interface steps are checked; the "setkey -F" result is not, so a
# failed flush does not fail the test case.
teardown_tunnel()
{
	local sock=""

	for sock in $SOCK1 $SOCK2; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel
		atf_check -s exit:0 rump.ifconfig ipsec0 destroy
		$HIJACKING setkey -F
	done

	unset RUMP_SERVER
}
# Create the second interface, ipsec1, on one router.  No route is added,
# in contrast to setup_if_ipsec.
#   $1 sock    control socket of the rump server
#   $2 addr    local address of ipsec1
#   $3 remote  peer address of ipsec1
#   $4 inner   address family of addr/remote ("ipv6", else IPv4)
#   $5 src     local tunnel endpoint
#   $6 dst     remote tunnel endpoint
setup_dummy_if_ipsec()
{
	local sock=$1
	local addr=$2
	local remote=$3
	local inner=$4
	local src=$5
	local dst=$6

	export RUMP_SERVER=$sock

	atf_check -s exit:0 rump.ifconfig ipsec1 create
	atf_check -s exit:0 rump.ifconfig ipsec1 tunnel $src $dst
	case $inner in
	ipv6)
		atf_check -s exit:0 rump.ifconfig ipsec1 inet6 ${addr}/128 $remote
		;;
	*)
		atf_check -s exit:0 rump.ifconfig ipsec1 inet ${addr}/32 $remote
		;;
	esac

	# Unchecked: state dump for the test output.
	rump.ifconfig ipsec1

	unset RUMP_SERVER
}
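# Install the pair of security associations for the dummy tunnel (ipsec1).
#   $1 sock   control socket of the rump server
#   $2 src    local tunnel endpoint
#   $3 dst    remote tunnel endpoint
#   $4 mode   text used to select the policy in get_if_ipsec_unique
#   $5 proto  IPsec protocol handed to setkey
#   $6 algo   algorithm name, expanded by generate_algo_args
#   $7 dir    "1to2" on ROUTER1, anything else on ROUTER2; swaps the SPIs
# The SPIs 20000 and 20001 are used for both address families.  A missing
# policy unique id fails the test case right away instead of producing a
# malformed "add" line.
# The setkey input, including the key material produced by
# generate_algo_args, is written to ./tmp in the current directory and is
# not removed here.  That is acceptable only for fixed test keys.
setup_dummy_if_ipsec_sa()
{
	local sock=$1
	local src=$2
	local dst=$3
	local mode=$4
	local proto=$5
	local algo=$6
	local dir=$7

	local tmpfile=./tmp
	local inunique=""
	local outunique=""
	local inid=""
	local outid=""
	local algo_args=""

	algo_args=$(generate_algo_args $proto $algo)

	inunique=$(get_if_ipsec_unique $sock $dst $mode)
	outunique=$(get_if_ipsec_unique $sock $src $mode)
	if [ -z "$inunique" ] || [ -z "$outunique" ]; then
		atf_fail "no policy unique id for ${src} <-> ${dst} (${mode})"
	fi

	case $dir in
	1to2)
		inid="20000"
		outid="20001"
		;;
	*)
		inid="20001"
		outid="20000"
		;;
	esac

	printf '%s\n' \
	    "add $dst $src $proto $inid -u $inunique $algo_args;" \
	    "add $src $dst $proto $outid -u $outunique $algo_args;" \
	    > $tmpfile
	$DEBUG && cat $tmpfile
	export RUMP_SERVER=$sock
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	$DEBUG && $HIJACKING setkey -D
	$DEBUG && $HIJACKING setkey -DP
	unset RUMP_SERVER
}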
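# Build the second tunnel (ipsec1) between the *_DUMMY endpoints of both
# routers and install its SAs.
#   $1 inner  address family of the ipsec1 addresses ("ipv6", else IPv4)
#   $2 outer  address family of the tunnel endpoints ("ipv6", else IPv4)
#   $3 proto  IPsec protocol for the SAs
#   $4 algo   algorithm name for the SAs
setup_dummy_tunnel()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	local addr=""
	local remote=""
	local src=""
	local dst=""

	# ROUTER1 side.
	if [ "$inner" = "ipv6" ]; then
		addr=$ROUTER1_IPSECIP6_DUMMY
		remote=$ROUTER2_IPSECIP6_DUMMY
	else
		addr=$ROUTER1_IPSECIP_DUMMY
		remote=$ROUTER2_IPSECIP_DUMMY
	fi
	if [ "$outer" = "ipv6" ]; then
		src=$ROUTER1_WANIP6_DUMMY
		dst=$ROUTER2_WANIP6_DUMMY
	else
		src=$ROUTER1_WANIP_DUMMY
		dst=$ROUTER2_WANIP_DUMMY
	fi
	# setup_dummy_if_ipsec reads six arguments; proto, algo and the
	# direction are only needed by setup_dummy_if_ipsec_sa.
	setup_dummy_if_ipsec $SOCK1 $addr $remote $inner $src $dst
	setup_dummy_if_ipsec_sa $SOCK1 $src $dst $inner $proto $algo "1to2"

	# ROUTER2 side: same steps with the roles of the routers swapped.
	if [ "$inner" = "ipv6" ]; then
		addr=$ROUTER2_IPSECIP6_DUMMY
		remote=$ROUTER1_IPSECIP6_DUMMY
	else
		addr=$ROUTER2_IPSECIP_DUMMY
		remote=$ROUTER1_IPSECIP_DUMMY
	fi
	if [ "$outer" = "ipv6" ]; then
		src=$ROUTER2_WANIP6_DUMMY
		dst=$ROUTER1_WANIP6_DUMMY
	else
		src=$ROUTER2_WANIP_DUMMY
		dst=$ROUTER1_WANIP_DUMMY
	fi
	setup_dummy_if_ipsec $SOCK2 $addr $remote $inner $src $dst
	setup_dummy_if_ipsec_sa $SOCK2 $src $dst $inner $proto $algo "2to1"
}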
# Check that ipsec1 is listed by ifconfig on both routers.
test_setup_dummy_tunnel()
{
	local sock=""

	for sock in $SOCK1 $SOCK2; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 -o match:ipsec1 rump.ifconfig
	done

	unset RUMP_SERVER
}
# Remove ipsec1 from both routers.  The SA database is not flushed here.
teardown_dummy_tunnel()
{
	local sock=""

	for sock in $SOCK1 $SOCK2; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel
		atf_check -s exit:0 rump.ifconfig ipsec1 destroy
	done

	unset RUMP_SERVER
}
# Create one more ipsec interface for the recursion tests and install its
# SAs through setup_if_ipsec_sa.
#   $1  sock    control socket of the rump server
#   $2  ipsec   interface name to create (ipsec1, ipsec2)
#   $3  addr    local address of the interface
#   $4  remote  peer address of the interface
#   $5  inner   address family ("ipv6", else IPv4)
#   $6  src     local tunnel endpoint
#   $7  dst     remote tunnel endpoint
#   $8  proto   IPsec protocol for the SAs
#   $9  algo    algorithm name for the SAs
#   $10 dir     direction passed on to setup_if_ipsec_sa
setup_recursive_if_ipsec()
{
	local sock=$1
	local ipsec=$2
	local addr=$3
	local remote=$4
	local inner=$5
	local src=$6
	local dst=$7
	local proto=$8
	local algo=$9
	local dir=${10}

	export RUMP_SERVER=$sock
	atf_check -s exit:0 rump.ifconfig $ipsec create
	atf_check -s exit:0 rump.ifconfig $ipsec tunnel $src $dst
	case $inner in
	ipv6)
		atf_check -s exit:0 rump.ifconfig $ipsec inet6 ${addr}/128 $remote
		;;
	*)
		atf_check -s exit:0 rump.ifconfig $ipsec inet ${addr}/32 $remote
		;;
	esac
	setup_if_ipsec_sa $sock $src $dst $inner $proto $algo $dir

	# setup_if_ipsec_sa unsets RUMP_SERVER, so it is exported again for
	# the unchecked state dump below.
	export RUMP_SERVER=$sock
	rump.ifconfig $ipsec
	unset RUMP_SERVER
}
# Stack two more tunnels on top of ipsec0, on ROUTER1 only.
#   $1 mode   address family of all tunnel addresses ("ipv6", else IPv4)
#   $2 proto  IPsec protocol for the SAs
#   $3 algo   algorithm name for the SAs
# ipsec1 uses the ipsec0 addresses as its tunnel endpoints and ipsec2 uses
# the ipsec1 addresses, so each tunnel's outer traffic is routed into the
# tunnel below it.
setup_recursive_tunnels()
{
	local mode=$1
	local proto=$2
	local algo=$3

	local addr=""
	local remote=""
	local src=""
	local dst=""

	# First level: ipsec1 over the ipsec0 addresses.
	case $mode in
	ipv6)
		addr=$ROUTER1_IPSECIP6_RECURSIVE1
		remote=$ROUTER2_IPSECIP6_RECURSIVE1
		src=$ROUTER1_IPSECIP6
		dst=$ROUTER2_IPSECIP6
		;;
	*)
		addr=$ROUTER1_IPSECIP_RECURSIVE1
		remote=$ROUTER2_IPSECIP_RECURSIVE1
		src=$ROUTER1_IPSECIP
		dst=$ROUTER2_IPSECIP
		;;
	esac
	setup_recursive_if_ipsec $SOCK1 ipsec1 $addr $remote $mode \
		      $src $dst $proto $algo "1to2"

	# Second level: ipsec2 over the ipsec1 addresses.
	case $mode in
	ipv6)
		addr=$ROUTER1_IPSECIP6_RECURSIVE2
		remote=$ROUTER2_IPSECIP6_RECURSIVE2
		src=$ROUTER1_IPSECIP6_RECURSIVE1
		dst=$ROUTER2_IPSECIP6_RECURSIVE1
		;;
	*)
		addr=$ROUTER1_IPSECIP_RECURSIVE2
		remote=$ROUTER2_IPSECIP_RECURSIVE2
		src=$ROUTER1_IPSECIP_RECURSIVE1
		dst=$ROUTER2_IPSECIP_RECURSIVE1
		;;
	esac
	setup_recursive_if_ipsec $SOCK1 ipsec2 $addr $remote $mode \
		      $src $dst $proto $algo "1to2"
}
# Check the recursion guard, on ROUTER1 only.
#   $1 mode  address family of the probe ("ipv6", else IPv4)
# A ping to the far end of the innermost tunnel has to fail, and the
# kernel message buffer has to contain the "recursively called too many
# times" message for ipsec0.  Together the two checks show that nested
# tunnel output was stopped and reported rather than processed further.
test_recursive_check()
{
	local mode=$1

	export RUMP_SERVER=$SOCK1
	case $mode in
	ipv6)
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping6 -n -X $TIMEOUT -c 1 $ROUTER2_IPSECIP6_RECURSIVE2
		;;
	*)
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping -n -w $TIMEOUT -c 1 $ROUTER2_IPSECIP_RECURSIVE2
		;;
	esac

	atf_check -o match:'ipsec0: recursively called too many times' \
		-x "$HIJACKING dmesg"

	# Unchecked: copies the message buffer into the test output.
	$HIJACKING dmesg

	unset RUMP_SERVER
}
# Remove the nested tunnels ipsec1 and ipsec2 from ROUTER1, in that order.
teardown_recursive_tunnels()
{
	local ifname=""

	export RUMP_SERVER=$SOCK1
	for ifname in ipsec1 ipsec2; do
		atf_check -s exit:0 rump.ifconfig $ifname deletetunnel
		atf_check -s exit:0 rump.ifconfig $ifname destroy
	done
	unset RUMP_SERVER
}
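# Negative check: without the tunnel, neither router may reach the other
# router's LAN address.
#   $1 mode  address family of the probe ("ipv6", else IPv4)
# Each probe is sent from the router's own LAN address to the peer's LAN
# address and must exit non-zero.  The source has to be an address of the
# router that sends the probe: a probe bound to a foreign address can fail
# for that reason alone, and the check would then pass without testing
# reachability at all.
test_ping_failure()
{
	local mode=$1

	# ROUTER1 -> ROUTER2
	export RUMP_SERVER=$SOCK1
	if [ "$mode" = "ipv6" ]; then
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER1_LANIP6 \
			$ROUTER2_LANIP6
	else
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
			$ROUTER2_LANIP
	fi

	# ROUTER2 -> ROUTER1
	export RUMP_SERVER=$SOCK2
	if [ "$mode" = "ipv6" ]; then
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER2_LANIP6 \
			$ROUTER1_LANIP6
	else
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \
			$ROUTER1_LANIP
	fi

	unset RUMP_SERVER
}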
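# Positive check: with the tunnel up, each router must reach the other
# router's LAN address when sending from its own LAN address.
#   $1 mode  address family of the probe ("ipv6", else IPv4)
# The "ifconfig -v ipsec0" calls around each probe are unchecked and only
# put the interface state into the test output.
test_ping_success()
{
	# local, so that the caller's variables are not overwritten
	local mode=$1

	# ROUTER1 -> ROUTER2
	export RUMP_SERVER=$SOCK1
	rump.ifconfig -v ipsec0
	if [ "$mode" = "ipv6" ]; then
		# XXX
		# rump.ping6 occasionally fails with the message
		# "failed to get receiving hop limit".
		# This is a known issue being analyzed.
		atf_check -s exit:0 -o ignore \
			rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER1_LANIP6 \
			$ROUTER2_LANIP6
	else
		atf_check -s exit:0 -o ignore \
			rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
			$ROUTER2_LANIP
	fi
	rump.ifconfig -v ipsec0

	# ROUTER2 -> ROUTER1
	export RUMP_SERVER=$SOCK2
	rump.ifconfig -v ipsec0
	if [ "$mode" = "ipv6" ]; then
		atf_check -s exit:0 -o ignore \
			rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER2_LANIP6 \
			$ROUTER1_LANIP6
	else
		atf_check -s exit:0 -o ignore \
			rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \
			$ROUTER1_LANIP
	fi
	rump.ifconfig -v ipsec0

	unset RUMP_SERVER
}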
# Try to move ipsec0 onto the *_DUMMY endpoints on both routers.
#   $1 mode  address family of the tunnel endpoints ("ipv6", else IPv4)
# ifconfig is expected to exit 0 while reporting SIOCSLIFPHYADDR on
# stderr.  In the ioctl tests ipsec1 is configured with the same endpoints
# at this point, so the check presumably covers rejection of a duplicate
# endpoint pair.
# The "ifconfig -v" calls are unchecked and only record interface state.
test_change_tunnel_duplicate()
{
	local mode=$1

	local newsrc=""
	local newdst=""

	# ROUTER1
	case $mode in
	ipv6)
		newsrc=$ROUTER1_WANIP6_DUMMY
		newdst=$ROUTER2_WANIP6_DUMMY
		;;
	*)
		newsrc=$ROUTER1_WANIP_DUMMY
		newdst=$ROUTER2_WANIP_DUMMY
		;;
	esac
	export RUMP_SERVER=$SOCK1
	rump.ifconfig -v ipsec0
	rump.ifconfig -v ipsec1
	atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \
		rump.ifconfig ipsec0 tunnel $newsrc $newdst
	rump.ifconfig -v ipsec0
	rump.ifconfig -v ipsec1

	# ROUTER2
	case $mode in
	ipv6)
		newsrc=$ROUTER2_WANIP6_DUMMY
		newdst=$ROUTER1_WANIP6_DUMMY
		;;
	*)
		newsrc=$ROUTER2_WANIP_DUMMY
		newdst=$ROUTER1_WANIP_DUMMY
		;;
	esac
	export RUMP_SERVER=$SOCK2
	rump.ifconfig -v ipsec0
	rump.ifconfig -v ipsec1
	atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \
		rump.ifconfig ipsec0 tunnel $newsrc $newdst
	rump.ifconfig -v ipsec0
	rump.ifconfig -v ipsec1

	unset RUMP_SERVER
}
# Move ipsec0 onto the *_DUMMY endpoints on both routers; this time the
# change must succeed.
#   $1 mode  address family of the tunnel endpoints ("ipv6", else IPv4)
# Only the exit status is checked; stderr is not matched here.
test_change_tunnel_success()
{
	local mode=$1

	local newsrc=""
	local newdst=""

	# ROUTER1
	case $mode in
	ipv6)
		newsrc=$ROUTER1_WANIP6_DUMMY
		newdst=$ROUTER2_WANIP6_DUMMY
		;;
	*)
		newsrc=$ROUTER1_WANIP_DUMMY
		newdst=$ROUTER2_WANIP_DUMMY
		;;
	esac
	export RUMP_SERVER=$SOCK1
	rump.ifconfig -v ipsec0
	atf_check -s exit:0 \
		rump.ifconfig ipsec0 tunnel $newsrc $newdst
	rump.ifconfig -v ipsec0

	# ROUTER2
	case $mode in
	ipv6)
		newsrc=$ROUTER2_WANIP6_DUMMY
		newdst=$ROUTER1_WANIP6_DUMMY
		;;
	*)
		newsrc=$ROUTER2_WANIP_DUMMY
		newdst=$ROUTER1_WANIP_DUMMY
		;;
	esac
	export RUMP_SERVER=$SOCK2
	rump.ifconfig -v ipsec0
	atf_check -s exit:0 \
		rump.ifconfig ipsec0 tunnel $newsrc $newdst
	rump.ifconfig -v ipsec0

	unset RUMP_SERVER
}
# Setup phase of the "basic" tests: routers first, then the ipsec0 tunnel.
#   $1 inner  address family inside the tunnel
#   $2 outer  address family of the tunnel endpoints
#   $3 proto  IPsec protocol
#   $4 algo   algorithm name
basic_setup()
{
	local inner=$1 outer=$2 proto=$3 algo=$4

	setup $inner $outer
	test_setup $inner $outer

	# The "no reachability before the tunnel exists" check stays
	# disabled until PR kern/49219 is fixed.
	#test_ping_failure

	setup_tunnel $inner $outer $proto $algo
	sleep 1
	test_setup_tunnel $inner
}
# Test phase of the "basic" tests: LAN-to-LAN ping through the tunnel.
#   $1 inner  address family inside the tunnel
#   $2 outer  accepted for a uniform interface, not used
basic_test()
{
	local inner=$1

	test_ping_success $inner
}
# Teardown phase of the "basic" tests: remove the tunnel, then confirm
# that LAN-to-LAN traffic no longer gets through.
#   $1 inner  address family inside the tunnel
#   $2 outer  accepted for a uniform interface, not used
basic_teardown()
{
	local inner=$1

	teardown_tunnel
	test_ping_failure $inner
}
# Setup phase of the "ioctl" tests: routers, the ipsec0 tunnel and the
# dummy tunnel ipsec1.
#   $1 inner  address family inside the tunnels
#   $2 outer  address family of the tunnel endpoints
#   $3 proto  IPsec protocol
#   $4 algo   algorithm name
ioctl_setup()
{
	local inner=$1 outer=$2 proto=$3 algo=$4

	setup $inner $outer
	test_setup $inner $outer

	# The "no reachability before the tunnel exists" check stays
	# disabled until PR kern/49219 is fixed.
	#test_ping_failure

	setup_tunnel $inner $outer $proto $algo
	setup_dummy_tunnel $inner $outer $proto $algo
	sleep 1
	test_setup_tunnel $inner
}
# Test phase of the "ioctl" tests.
#   $1 inner  address family inside the tunnel
#   $2 outer  address family of the tunnel endpoints
# Order matters: while ipsec1 exists, changing ipsec0 to ipsec1's
# endpoints must report SIOCSLIFPHYADDR; after ipsec1 is removed the same
# change must go through.
ioctl_test()
{
	local inner=$1 outer=$2

	test_ping_success $inner

	test_change_tunnel_duplicate $outer

	teardown_dummy_tunnel
	test_change_tunnel_success $outer
}
# Teardown phase of the "ioctl" tests: remove the tunnel, then confirm
# that LAN-to-LAN traffic no longer gets through.
#   $1 inner  address family inside the tunnel
#   $2 outer  accepted for a uniform interface, not used
ioctl_teardown()
{
	local inner=$1

	teardown_tunnel
	test_ping_failure $inner
}
# Setup phase of the "recursive" tests: routers, the ipsec0 tunnel and the
# two nested tunnels on ROUTER1.
#   $1 inner  address family inside the tunnels
#   $2 outer  address family of the ipsec0 tunnel endpoints
#   $3 proto  IPsec protocol
#   $4 algo   algorithm name
recursive_setup()
{
	local inner=$1 outer=$2 proto=$3 algo=$4

	setup $inner $outer
	test_setup $inner $outer

	# The "no reachability before the tunnel exists" check stays
	# disabled until PR kern/49219 is fixed.
	#test_ping_failure

	setup_tunnel $inner $outer $proto $algo
	setup_recursive_tunnels $inner $proto $algo
	sleep 1
	test_setup_tunnel $inner
}
# Test phase of the "recursive" tests: the recursion guard must trigger.
#   $1 inner  address family inside the tunnels
#   $2 outer  accepted for a uniform interface, not used
recursive_test()
{
	local inner=$1

	test_recursive_check $inner
}
# Teardown phase of the "recursive" tests: nested tunnels first, then
# ipsec0.  Both arguments ($1 inner, $2 outer) are accepted for a uniform
# interface and are not used.
recursive_teardown()
{
	teardown_recursive_tunnels
	teardown_tunnel
}
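# Define and register one ATF test case.
#   $1 category  prefix of the phase functions (<category>_setup, _test,
#                _teardown)
#   $2 desc      text appended to the test description
#   $3 inner     address family inside the tunnel
#   $4 outer     address family of the tunnel endpoints
#   $5 proto     IPsec protocol
#   $6 algo      algorithm name; "-" is removed for the test case name
# The head, body and cleanup functions are generated with eval, so every
# argument is expanded into shell source at definition time.  Pass only
# fixed literals and entries of the algorithm lists here, never strings
# that come from outside the test suite.
add_test()
{
	local category=$1
	local desc=$2
	local inner=$3
	local outer=$4
	local proto=$5
	local algo=$6
	local _algo=""
	local name=""
	local fulldesc=""

	_algo=$(printf '%s\n' "$algo" | sed 's/-//g')
	name="ipsecif_${category}_${inner}over${outer}_${proto}_${_algo}"
	fulldesc="Does ${inner} over ${outer} if_ipsec ${desc}"

	atf_test_case ${name} cleanup
	# \$DEBUG stays unexpanded so that it is read when the cleanup runs.
	eval "${name}_head() {
			atf_set descr \"${fulldesc}\"
			atf_set require.progs rump_server setkey
		}
	    ${name}_body() {
			${category}_setup ${inner} ${outer} ${proto} ${algo}
			${category}_test ${inner} ${outer}
			${category}_teardown ${inner} ${outer}
			rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
			\$DEBUG && dump
			cleanup
		}"
	atf_add_test_case ${name}
}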
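# Register one test case per ESP algorithm and per combination of inner
# and outer address family.
#   $1 category  test category handed to add_test
#   $2 desc      description text handed to add_test
# The algorithms come from $ESP_ENCRYPTION_ALGORITHMS_MINIMUM, which is
# split on whitespace.
add_test_allproto()
{
	local category=$1
	local desc=$2
	local algo=""
	local inner=""
	local outer=""

	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		for inner in ipv4 ipv6; do
			for outer in ipv4 ipv6; do
				add_test ${category} "${desc}" $inner $outer esp $algo
			done
		done
	done

	# AH is not supported yet
}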
# ATF entry point: register the test cases of all three categories.
atf_init_test_cases()
{
	# tunnel up, ping through it, tunnel down
	add_test_allproto basic 'basic tests'
	# changing tunnel endpoints while a second tunnel exists
	add_test_allproto ioctl 'ioctl tests'
	# nested tunnels must hit the recursion guard
	add_test_allproto recursive 'recursive check tests'
}