#	$NetBSD: t_ipsec.sh,v 1.4 2018/03/13 03:50:26 knakahara Exp $
#
# Copyright (c) 2017 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
27
# Rump server control sockets, one per emulated router.
SOCK1=unix://commsock1 # for ROUTER1
SOCK2=unix://commsock2 # for ROUTER2

# Per-router addressing.  Each router has a LAN side (shmif0), a WAN side
# (shmif1) and an inner address for the ipsec0 tunnel.  The *_DUMMY values
# are used by the ioctl cases for a second (ipsec1) tunnel; the *_RECURSIVE*
# values are used by the recursion cases for tunnels nested over ipsec0.

# ROUTER1, IPv4
ROUTER1_LANIP=192.168.1.1
ROUTER1_LANNET=192.168.1.0/24
ROUTER1_WANIP=10.0.0.1
ROUTER1_IPSECIP=172.16.1.1
ROUTER1_WANIP_DUMMY=10.0.0.11
ROUTER1_IPSECIP_DUMMY=172.16.11.1
ROUTER1_IPSECIP_RECURSIVE1=172.16.101.1
ROUTER1_IPSECIP_RECURSIVE2=172.16.201.1
# ROUTER1, IPv6
ROUTER1_LANIP6=fc00:1::1
ROUTER1_LANNET6=fc00:1::/64
ROUTER1_WANIP6=fc00::1
ROUTER1_IPSECIP6=fc00:3::1
ROUTER1_WANIP6_DUMMY=fc00::11
ROUTER1_IPSECIP6_DUMMY=fc00:13::1
ROUTER1_IPSECIP6_RECURSIVE1=fc00:103::1
ROUTER1_IPSECIP6_RECURSIVE2=fc00:203::1

# ROUTER2, IPv4
ROUTER2_LANIP=192.168.2.1
ROUTER2_LANNET=192.168.2.0/24
ROUTER2_WANIP=10.0.0.2
ROUTER2_IPSECIP=172.16.2.1
ROUTER2_WANIP_DUMMY=10.0.0.12
ROUTER2_IPSECIP_DUMMY=172.16.12.1
ROUTER2_IPSECIP_RECURSIVE1=172.16.102.1
ROUTER2_IPSECIP_RECURSIVE2=172.16.202.1
# ROUTER2, IPv6
ROUTER2_LANIP6=fc00:2::1
ROUTER2_LANNET6=fc00:2::/64
ROUTER2_WANIP6=fc00::2
ROUTER2_IPSECIP6=fc00:4::1
ROUTER2_WANIP6_DUMMY=fc00::12
ROUTER2_IPSECIP6_DUMMY=fc00:14::1
ROUTER2_IPSECIP6_RECURSIVE1=fc00:104::1
ROUTER2_IPSECIP6_RECURSIVE2=fc00:204::1

# DEBUG=true in the environment makes the cleanup hooks dump server state
# and the SA helpers print their setkey input.
DEBUG=${DEBUG:-false}
# Seconds each ping is allowed to wait for a reply.
TIMEOUT=7
66
# Hand-written test case; "cleanup" declares that an
# ipsecif_create_destroy_cleanup function follows the body.
atf_test_case ipsecif_create_destroy cleanup
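ipsecif_create_destroy_head()
{
	# Test-case metadata.  The description names ipsec(4) interfaces:
	# the body creates ipsec0, not a gif(4) interface as the old text said.
	atf_set "descr" "Test creating/destroying ipsec interfaces"
	atf_set "require.progs" "rump_server"
}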
74
ipsecif_create_destroy_body()
{
	# Boot one rump kernel with the ipsec component and run the shared
	# create/destroy checks against an ipsec0 interface on it.
	local sock=$SOCK1
	local ifname=ipsec0

	rump_server_start "$sock" ipsec
	test_create_destroy_common "$sock" "$ifname"
}
82
ipsecif_create_destroy_cleanup()
{
	# Dump server state first when DEBUG=true, then tear everything down.
	if $DEBUG; then
		dump
	fi
	cleanup
}
89
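setup_router()
{
	# Attach two shmif interfaces to a rump server and configure them:
	# shmif0 on bus0 is the LAN side, shmif1 on bus1 the WAN side.
	# Arguments:
	#   $1 - rump server socket
	#   $2 - LAN address, $3 - "ipv4" or "ipv6"
	#   $4 - WAN address, $5 - "ipv4" or "ipv6"
	# RUMP_SERVER is exported while configuring and unset on return.
	local sock=$1
	local lan=$2
	local lan_mode=$3
	local wan=$4
	local wan_mode=$5

	rump_server_add_iface "$sock" shmif0 bus0
	rump_server_add_iface "$sock" shmif1 bus1

	export RUMP_SERVER=$sock
	# Modes are quoted so an empty argument falls into the IPv4 branch
	# instead of making test(1) fail on a malformed expression.
	if [ "$lan_mode" = "ipv6" ]; then
		atf_check -s exit:0 rump.ifconfig shmif0 inet6 "$lan"
	else
		# LAN is a /24.
		atf_check -s exit:0 rump.ifconfig shmif0 inet "$lan" netmask 0xffffff00
	fi
	atf_check -s exit:0 rump.ifconfig shmif0 up
	rump.ifconfig shmif0

	if [ "$wan_mode" = "ipv6" ]; then
		atf_check -s exit:0 rump.ifconfig shmif1 inet6 "$wan"
	else
		# WAN is a /8.
		atf_check -s exit:0 rump.ifconfig shmif1 inet "$wan" netmask 0xff000000
	fi
	atf_check -s exit:0 rump.ifconfig shmif1 up
	rump.ifconfig shmif1
	unset RUMP_SERVER
}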
119
test_router()
{
	# Verify that both interfaces of a router exist and that each answers
	# a ping on its own address.  Arguments: sock, lan, lan_mode, wan,
	# wan_mode (modes are "ipv4" or "ipv6").  RUMP_SERVER is unset on
	# return.
	local sock=$1
	local lan=$2
	local lan_mode=$3
	local wan=$4
	local wan_mode=$5
	local ifname addr mode

	export RUMP_SERVER=$sock
	for ifname in shmif0 shmif1; do
		case "$ifname" in
		shmif0) addr=$lan; mode=$lan_mode ;;
		shmif1) addr=$wan; mode=$wan_mode ;;
		esac
		atf_check -s exit:0 -o match:"$ifname" rump.ifconfig
		case "$mode" in
		ipv6)
			atf_check -s exit:0 -o ignore rump.ping6 -n -c 1 -X $TIMEOUT "$addr"
			;;
		*)
			atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT "$addr"
			;;
		esac
	done
	unset RUMP_SERVER
}
144
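setup()
{
	# Boot two rump kernels with crypto, IPsec and INET6 and configure each
	# as a router.  $1 (inner, "ipv4"/"ipv6") chooses the LAN addressing,
	# $2 (outer) chooses the WAN addressing.
	local inner=$1
	local outer=$2
	# All selections are local: they used to be plain globals that leaked
	# into the caller, while test_setup() already scopes the same names.
	local router1_lan=""
	local router1_lan_mode=""
	local router2_lan=""
	local router2_lan_mode=""
	local router1_wan=""
	local router2_wan=""
	local wan_mode=""

	rump_server_crypto_start $SOCK1 netipsec netinet6 ipsec
	rump_server_crypto_start $SOCK2 netipsec netinet6 ipsec

	if [ "$inner" = "ipv6" ]; then
		router1_lan=$ROUTER1_LANIP6
		router1_lan_mode="ipv6"
		router2_lan=$ROUTER2_LANIP6
		router2_lan_mode="ipv6"
	else
		router1_lan=$ROUTER1_LANIP
		router1_lan_mode="ipv4"
		router2_lan=$ROUTER2_LANIP
		router2_lan_mode="ipv4"
	fi

	if [ "$outer" = "ipv6" ]; then
		router1_wan=$ROUTER1_WANIP6
		router2_wan=$ROUTER2_WANIP6
		wan_mode="ipv6"
	else
		router1_wan=$ROUTER1_WANIP
		router2_wan=$ROUTER2_WANIP
		wan_mode="ipv4"
	fi

	setup_router $SOCK1 "$router1_lan" "$router1_lan_mode" \
	    "$router1_wan" "$wan_mode"
	setup_router $SOCK2 "$router2_lan" "$router2_lan_mode" \
	    "$router2_wan" "$wan_mode"
}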
181
test_setup()
{
	# Check both routers after setup(); same argument convention: $1 is
	# the inner (LAN) family, $2 the outer (WAN) family.
	local inner=$1
	local outer=$2
	local r1_lan r2_lan lan_mode r1_wan r2_wan wan_mode

	case "$inner" in
	ipv6) r1_lan=$ROUTER1_LANIP6; r2_lan=$ROUTER2_LANIP6; lan_mode=ipv6 ;;
	*)    r1_lan=$ROUTER1_LANIP;  r2_lan=$ROUTER2_LANIP;  lan_mode=ipv4 ;;
	esac
	case "$outer" in
	ipv6) r1_wan=$ROUTER1_WANIP6; r2_wan=$ROUTER2_WANIP6; wan_mode=ipv6 ;;
	*)    r1_wan=$ROUTER1_WANIP;  r2_wan=$ROUTER2_WANIP;  wan_mode=ipv4 ;;
	esac

	test_router $SOCK1 "$r1_lan" "$lan_mode" "$r1_wan" "$wan_mode"
	test_router $SOCK2 "$r2_lan" "$lan_mode" "$r2_wan" "$wan_mode"
}
214
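get_if_ipsec_unique()
{
	# Print the "unique#" policy id that the kernel assigned to the
	# if_ipsec security policy whose source address is $2, for address
	# family $3 ("ipv4"/"ipv6"), as read from `setkey -DP` on server $1.
	# Prints an empty line when no matching policy is found; callers test
	# for that.  If several policies match, all ids are printed, one per
	# line (the old `echo $unique` joined them with spaces).
	local sock=$1
	local src=$2
	local mode=$3
	local unique=""

	export RUMP_SERVER=$sock
	# $HIJACKING is deliberately unquoted: it is a command prefix that may
	# expand to several words.  The policy line starts with the source
	# address and ends in "(ipv4)" or "(ipv6)"; the unique id is on one of
	# the two lines that follow it.
	unique=$($HIJACKING setkey -DP |
	    grep -A2 "^${src}.*(${mode})\$" |
	    grep unique |
	    sed 's/.*unique#//')
	unset RUMP_SERVER

	printf '%s\n' "$unique"
}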
228
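setup_if_ipsec()
{
	# Create ipsec0 on server $1 with outer tunnel endpoints $5 -> $6,
	# inner point-to-point address $2 with peer $3 (inner family $4,
	# "ipv4"/"ipv6"), and route the peer's LAN $7 through it.
	# RUMP_SERVER is unset on return, as setup_dummy_if_ipsec() and
	# setup_recursive_if_ipsec() already do; it used to stay exported.
	local sock=$1
	local addr=$2
	local remote=$3
	local inner=$4
	local src=$5
	local dst=$6
	local peernet=$7

	export RUMP_SERVER=$sock
	atf_check -s exit:0 rump.ifconfig ipsec0 create
	atf_check -s exit:0 rump.ifconfig ipsec0 tunnel "$src" "$dst"
	if [ "$inner" = "ipv6" ]; then
		atf_check -s exit:0 rump.ifconfig ipsec0 inet6 "${addr}/128" "$remote"
		atf_check -s exit:0 -o ignore rump.route add -inet6 "$peernet" "$addr"
	else
		atf_check -s exit:0 rump.ifconfig ipsec0 inet "${addr}/32" "$remote"
		atf_check -s exit:0 -o ignore rump.route add -inet "$peernet" "$addr"
	fi

	# Diagnostic output for the test log; not checked.
	rump.ifconfig ipsec0
	rump.route -nL show
	unset RUMP_SERVER
}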
253
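setup_if_ipsec_sa()
{
	# Install the pair of security associations backing the ipsec0 tunnel
	# on server $1: outer endpoints $2 (local) and $3 (remote), address
	# family $4 ("ipv4"/"ipv6"), IPsec protocol $5, algorithm $6 and
	# direction $7 ("1to2" = ROUTER1 -> ROUTER2, anything else = reverse).
	# Each SA is bound (-u) to the "unique#" id of the policy that
	# if_ipsec created, so the SPIs must be mirrored between the routers.
	local sock=$1
	local src=$2
	local dst=$3
	local mode=$4
	local proto=$5
	local algo=$6
	local dir=$7

	local tmpfile=./tmp
	local inunique=""
	local outunique=""
	local inid=""
	local outid=""
	local algo_args=""

	# Assignment kept apart from the declaration so the helper's exit
	# status is not masked by `local`.
	algo_args=$(generate_algo_args "$proto" "$algo")

	inunique=$(get_if_ipsec_unique "$sock" "$dst" "$mode")
	atf_check -s exit:0 test "X$inunique" != "X"
	outunique=$(get_if_ipsec_unique "$sock" "$src" "$mode")
	atf_check -s exit:0 test "X$outunique" != "X"

	# SPI pairs: 1000x for IPv4, 1001x for IPv6.  The inbound SPI on one
	# router is the outbound SPI on the other.
	case "${dir}:${mode}" in
	1to2:ipv6) inid="10010"; outid="10011" ;;
	1to2:*)    inid="10000"; outid="10001" ;;
	*:ipv6)    inid="10011"; outid="10010" ;;
	*)         inid="10001"; outid="10000" ;;
	esac

	# Lines are tab-indented so <<- really strips the indentation; the
	# old lines began with spaces and went to setkey indented.
	cat > "$tmpfile" <<-EOF
		add $dst $src $proto $inid -u $inunique $algo_args;
		add $src $dst $proto $outid -u $outunique $algo_args;
	EOF
	$DEBUG && cat "$tmpfile"
	export RUMP_SERVER=$sock
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	$DEBUG && $HIJACKING setkey -D
	$DEBUG && $HIJACKING setkey -DP
	unset RUMP_SERVER
}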
305
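setup_tunnel()
{
	# Build the ipsec0 tunnel between the two routers: inner family $1,
	# outer family $2 ("ipv4"/"ipv6"), IPsec protocol $3, algorithm $4.
	# Each side gets the interface, a route to the peer's LAN and its SAs.
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	local addr=""
	local remote=""
	local src=""
	local dst=""
	local peernet=""

	# ROUTER1 side.
	if [ "$inner" = "ipv6" ]; then
		addr=$ROUTER1_IPSECIP6
		remote=$ROUTER2_IPSECIP6
		peernet=$ROUTER2_LANNET6
	else
		addr=$ROUTER1_IPSECIP
		remote=$ROUTER2_IPSECIP
		peernet=$ROUTER2_LANNET
	fi
	if [ "$outer" = "ipv6" ]; then
		src=$ROUTER1_WANIP6
		dst=$ROUTER2_WANIP6
	else
		src=$ROUTER1_WANIP
		dst=$ROUTER2_WANIP
	fi
	setup_if_ipsec $SOCK1 "$addr" "$remote" "$inner" \
	    "$src" "$dst" "$peernet"

	# IPv6 over IPv4 installs SAs for the outer family as well as the
	# inner one (unchanged behaviour; `-a` replaced by two tests).
	if [ "$inner" = "ipv6" ] && [ "$outer" = "ipv4" ]; then
		setup_if_ipsec_sa $SOCK1 "$src" "$dst" "$outer" "$proto" "$algo" "1to2"
	fi
	setup_if_ipsec_sa $SOCK1 "$src" "$dst" "$inner" "$proto" "$algo" "1to2"

	# ROUTER2 side, roles swapped.
	if [ "$inner" = "ipv6" ]; then
		addr=$ROUTER2_IPSECIP6
		remote=$ROUTER1_IPSECIP6
		peernet=$ROUTER1_LANNET6
	else
		addr=$ROUTER2_IPSECIP
		remote=$ROUTER1_IPSECIP
		peernet=$ROUTER1_LANNET
	fi
	if [ "$outer" = "ipv6" ]; then
		src=$ROUTER2_WANIP6
		dst=$ROUTER1_WANIP6
	else
		src=$ROUTER2_WANIP
		dst=$ROUTER1_WANIP
	fi
	# setup_if_ipsec takes exactly seven arguments; the stray "$proto
	# $algo" that used to follow $peernet here were silently ignored.
	setup_if_ipsec $SOCK2 "$addr" "$remote" "$inner" \
	    "$src" "$dst" "$peernet"
	if [ "$inner" = "ipv6" ] && [ "$outer" = "ipv4" ]; then
		setup_if_ipsec_sa $SOCK2 "$src" "$dst" "$outer" "$proto" "$algo" "2to1"
	fi
	setup_if_ipsec_sa $SOCK2 "$src" "$dst" "$inner" "$proto" "$algo" "2to1"
}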
366
test_setup_tunnel()
{
	# Confirm ipsec0 exists on both routers and that the route to the
	# peer's LAN goes through it.  $1 is the inner family ("ipv4"/"ipv6").
	# RUMP_SERVER is left pointing at SOCK2 on return.
	local mode=$1
	local sock peernet opt

	for sock in $SOCK1 $SOCK2; do
		if [ "$sock" = "$SOCK1" ]; then
			peernet=$ROUTER2_LANNET
			[ "$mode" = "ipv6" ] && peernet=$ROUTER2_LANNET6
		else
			peernet=$ROUTER1_LANNET
			[ "$mode" = "ipv6" ] && peernet=$ROUTER1_LANNET6
		fi
		opt=-inet
		[ "$mode" = "ipv6" ] && opt=-inet6

		export RUMP_SERVER=$sock
		atf_check -s exit:0 -o match:ipsec0 rump.ifconfig
		atf_check -s exit:0 -o match:ipsec0 rump.route -nL get "$opt" "$peernet"
	done
}
395
teardown_tunnel()
{
	# Remove ipsec0 and flush every SA on both routers.
	local sock

	for sock in $SOCK1 $SOCK2; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel
		atf_check -s exit:0 rump.ifconfig ipsec0 destroy
		$HIJACKING setkey -F
	done

	unset RUMP_SERVER
}
410
setup_dummy_if_ipsec()
{
	# Create the second ("dummy") tunnel ipsec1 on server $1: outer
	# endpoints $5 -> $6, inner address $2 with peer $3, inner family $4
	# ("ipv4"/"ipv6").  No route is added for it.  RUMP_SERVER is unset on
	# return.
	local sock=$1
	local addr=$2
	local remote=$3
	local inner=$4
	local src=$5
	local dst=$6
	local fam=inet
	local plen=32

	if [ "$inner" = "ipv6" ]; then
		fam=inet6
		plen=128
	fi

	export RUMP_SERVER=$sock
	atf_check -s exit:0 rump.ifconfig ipsec1 create
	atf_check -s exit:0 rump.ifconfig ipsec1 tunnel "$src" "$dst"
	atf_check -s exit:0 rump.ifconfig ipsec1 "$fam" "${addr}/${plen}" "$remote"

	rump.ifconfig ipsec1
	unset RUMP_SERVER
}
432
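setup_dummy_if_ipsec_sa()
{
	# Same as setup_if_ipsec_sa() but for the dummy ipsec1 tunnel, which
	# uses the 2000x SPI range so its SAs never collide with ipsec0's.
	# Args: $1 sock, $2 src, $3 dst, $4 family ("ipv4"/"ipv6"), $5 proto,
	# $6 algo, $7 dir ("1to2" or the reverse).
	local sock=$1
	local src=$2
	local dst=$3
	local mode=$4
	local proto=$5
	local algo=$6
	local dir=$7

	local tmpfile=./tmp
	local inunique=""
	local outunique=""
	local inid=""
	local outid=""
	local algo_args=""

	# Assignment kept apart from the declaration so the helper's exit
	# status is not masked by `local`.
	algo_args=$(generate_algo_args "$proto" "$algo")

	inunique=$(get_if_ipsec_unique "$sock" "$dst" "$mode")
	atf_check -s exit:0 test "X$inunique" != "X"
	outunique=$(get_if_ipsec_unique "$sock" "$src" "$mode")
	atf_check -s exit:0 test "X$outunique" != "X"

	# Inbound SPI on one router is the outbound SPI on the other.
	if [ "$dir" = "1to2" ]; then
		inid="20000"
		outid="20001"
	else
		inid="20001"
		outid="20000"
	fi

	# Lines are tab-indented so <<- really strips the indentation; the
	# old lines began with spaces and went to setkey indented.
	cat > "$tmpfile" <<-EOF
		add $dst $src $proto $inid -u $inunique $algo_args;
		add $src $dst $proto $outid -u $outunique $algo_args;
	EOF
	$DEBUG && cat "$tmpfile"
	export RUMP_SERVER=$sock
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < "$tmpfile"
	$DEBUG && $HIJACKING setkey -D
	$DEBUG && $HIJACKING setkey -DP
	unset RUMP_SERVER
}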
474
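setup_dummy_tunnel()
{
	# Build the second (ipsec1) tunnel between the routers on the *_DUMMY
	# addresses: inner family $1, outer family $2, protocol $3, algorithm
	# $4.  Used by the ioctl cases to provoke endpoint collisions.
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	local addr=""
	local remote=""
	local src=""
	local dst=""

	# ROUTER1 side.
	if [ "$inner" = "ipv6" ]; then
		addr=$ROUTER1_IPSECIP6_DUMMY
		remote=$ROUTER2_IPSECIP6_DUMMY
	else
		addr=$ROUTER1_IPSECIP_DUMMY
		remote=$ROUTER2_IPSECIP_DUMMY
	fi
	if [ "$outer" = "ipv6" ]; then
		src=$ROUTER1_WANIP6_DUMMY
		dst=$ROUTER2_WANIP6_DUMMY
	else
		src=$ROUTER1_WANIP_DUMMY
		dst=$ROUTER2_WANIP_DUMMY
	fi
	# setup_dummy_if_ipsec takes six arguments; the "$proto $algo 1to2"
	# that used to be appended here were silently ignored.
	setup_dummy_if_ipsec $SOCK1 "$addr" "$remote" "$inner" "$src" "$dst"
	setup_dummy_if_ipsec_sa $SOCK1 "$src" "$dst" "$inner" "$proto" "$algo" "1to2"

	# ROUTER2 side, roles swapped.
	if [ "$inner" = "ipv6" ]; then
		addr=$ROUTER2_IPSECIP6_DUMMY
		remote=$ROUTER1_IPSECIP6_DUMMY
	else
		addr=$ROUTER2_IPSECIP_DUMMY
		remote=$ROUTER1_IPSECIP_DUMMY
	fi
	if [ "$outer" = "ipv6" ]; then
		src=$ROUTER2_WANIP6_DUMMY
		dst=$ROUTER1_WANIP6_DUMMY
	else
		src=$ROUTER2_WANIP_DUMMY
		dst=$ROUTER1_WANIP_DUMMY
	fi
	setup_dummy_if_ipsec $SOCK2 "$addr" "$remote" "$inner" "$src" "$dst"
	setup_dummy_if_ipsec_sa $SOCK2 "$src" "$dst" "$inner" "$proto" "$algo" "2to1"
}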
523
test_setup_dummy_tunnel()
{
	# Confirm ipsec1 exists on both routers.  RUMP_SERVER is unset on
	# return.
	local sock

	for sock in $SOCK1 $SOCK2; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 -o match:ipsec1 rump.ifconfig
	done

	unset RUMP_SERVER
}
534
teardown_dummy_tunnel()
{
	# Remove ipsec1 on both routers (its SAs are flushed later by
	# teardown_tunnel's setkey -F).  RUMP_SERVER is unset on return.
	local sock

	for sock in $SOCK1 $SOCK2; do
		export RUMP_SERVER=$sock
		atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel
		atf_check -s exit:0 rump.ifconfig ipsec1 destroy
	done

	unset RUMP_SERVER
}
547
setup_recursive_if_ipsec()
{
	# Create interface $2 on server $1 with outer endpoints $6 -> $7 and
	# inner address $3 with peer $4 (family $5), then install its SAs
	# (protocol $8, algorithm $9, direction $10).  RUMP_SERVER is unset on
	# return.
	local sock=$1
	local ipsec=$2
	local addr=$3
	local remote=$4
	local inner=$5
	local src=$6
	local dst=$7
	local proto=$8
	local algo=$9
	local dir=${10}
	local fam=inet
	local plen=32

	if [ "$inner" = "ipv6" ]; then
		fam=inet6
		plen=128
	fi

	export RUMP_SERVER=$sock
	atf_check -s exit:0 rump.ifconfig "$ipsec" create
	atf_check -s exit:0 rump.ifconfig "$ipsec" tunnel "$src" "$dst"
	atf_check -s exit:0 rump.ifconfig "$ipsec" "$fam" "${addr}/${plen}" "$remote"
	# setup_if_ipsec_sa exports and then unsets RUMP_SERVER itself, hence
	# the re-export below before the final ifconfig.
	setup_if_ipsec_sa "$sock" "$src" "$dst" "$inner" "$proto" "$algo" "$dir"

	export RUMP_SERVER=$sock
	rump.ifconfig "$ipsec"
	unset RUMP_SERVER
}
575
# test in ROUTER1 only
setup_recursive_tunnels()
{
	# Nest two more tunnels on ROUTER1: ipsec1 runs over ipsec0's inner
	# addresses and ipsec2 over ipsec1's, so traffic to the RECURSIVE2 peer
	# is encapsulated again and again.  $1 family, $2 proto, $3 algo.
	local mode=$1
	local proto=$2
	local algo=$3

	case "$mode" in
	ipv6)
		setup_recursive_if_ipsec $SOCK1 ipsec1 \
		    $ROUTER1_IPSECIP6_RECURSIVE1 $ROUTER2_IPSECIP6_RECURSIVE1 \
		    "$mode" $ROUTER1_IPSECIP6 $ROUTER2_IPSECIP6 \
		    "$proto" "$algo" "1to2"
		setup_recursive_if_ipsec $SOCK1 ipsec2 \
		    $ROUTER1_IPSECIP6_RECURSIVE2 $ROUTER2_IPSECIP6_RECURSIVE2 \
		    "$mode" $ROUTER1_IPSECIP6_RECURSIVE1 $ROUTER2_IPSECIP6_RECURSIVE1 \
		    "$proto" "$algo" "1to2"
		;;
	*)
		setup_recursive_if_ipsec $SOCK1 ipsec1 \
		    $ROUTER1_IPSECIP_RECURSIVE1 $ROUTER2_IPSECIP_RECURSIVE1 \
		    "$mode" $ROUTER1_IPSECIP $ROUTER2_IPSECIP \
		    "$proto" "$algo" "1to2"
		setup_recursive_if_ipsec $SOCK1 ipsec2 \
		    $ROUTER1_IPSECIP_RECURSIVE2 $ROUTER2_IPSECIP_RECURSIVE2 \
		    "$mode" $ROUTER1_IPSECIP_RECURSIVE1 $ROUTER2_IPSECIP_RECURSIVE1 \
		    "$proto" "$algo" "1to2"
		;;
	esac
}
616
# test in router1 only
test_recursive_check()
{
	# Ping through the doubly nested tunnel from ROUTER1: the packet must
	# not get through, and the kernel log must show that the ipsec0
	# output path hit its recursion guard.  $1 is the family.
	local mode=$1

	export RUMP_SERVER=$SOCK1
	case "$mode" in
	ipv6)
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping6 -n -X $TIMEOUT -c 1 $ROUTER2_IPSECIP6_RECURSIVE2
		;;
	*)
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping -n -w $TIMEOUT -c 1 $ROUTER2_IPSECIP_RECURSIVE2
		;;
	esac

	atf_check -o match:'ipsec0: recursively called too many times' \
		-x "$HIJACKING dmesg"

	# Full kernel log for the test output.
	$HIJACKING dmesg

	unset RUMP_SERVER
}
638
teardown_recursive_tunnels()
{
	# Remove the two nested interfaces on ROUTER1, ipsec1 then ipsec2,
	# in the same order setup_recursive_tunnels() created them.
	local ifname

	export RUMP_SERVER=$SOCK1
	for ifname in ipsec1 ipsec2; do
		atf_check -s exit:0 rump.ifconfig "$ifname" deletetunnel
		atf_check -s exit:0 rump.ifconfig "$ifname" destroy
	done
	unset RUMP_SERVER
}
648
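test_ping_failure()
{
	# With no tunnel in place, LAN-to-LAN pings must fail in both
	# directions.  $1 is the inner family ("ipv4"/"ipv6").
	local mode=$1

	export RUMP_SERVER=$SOCK1
	if [ "$mode" = "ipv6" ]; then
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER1_LANIP6 \
			$ROUTER2_LANIP6
	else
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
			$ROUTER2_LANIP
	fi

	export RUMP_SERVER=$SOCK2
	if [ "$mode" = "ipv6" ]; then
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER2_LANIP6 \
			$ROUTER1_LANIP6
	else
		# Source ROUTER2's LAN address and ping ROUTER1's, mirroring
		# the IPv6 branch and test_ping_success().  The old call had
		# the two swapped, so on ROUTER2 it presumably failed because
		# the source address was not local rather than because the
		# tunnel was gone, and this direction went untested.
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \
			$ROUTER1_LANIP
	fi

	unset RUMP_SERVER
}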
677
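test_ping_success()
{
	# With the tunnel up, LAN-to-LAN pings must succeed in both
	# directions.  $1 is the inner family ("ipv4"/"ipv6").
	# `mode` is now local; it used to be assigned as a global.
	local mode=$1

	export RUMP_SERVER=$SOCK1
	# Interface counters before and after, for the test log only.
	rump.ifconfig -v ipsec0
	if [ "$mode" = "ipv6" ]; then
		# XXX
		# rump.ping6 rarely fails with the message that
		# "failed to get receiving hop limit".
		# This is a known issue being analyzed.
		atf_check -s exit:0 -o ignore \
			rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER1_LANIP6 \
			$ROUTER2_LANIP6
	else
		atf_check -s exit:0 -o ignore \
			rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
			$ROUTER2_LANIP
	fi
	rump.ifconfig -v ipsec0

	export RUMP_SERVER=$SOCK2
	rump.ifconfig -v ipsec0
	if [ "$mode" = "ipv6" ]; then
		atf_check -s exit:0 -o ignore \
			rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER2_LANIP6 \
			$ROUTER1_LANIP6
	else
		atf_check -s exit:0 -o ignore \
			rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \
			$ROUTER1_LANIP
	fi
	rump.ifconfig -v ipsec0

	unset RUMP_SERVER
}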
714
test_change_tunnel_duplicate()
{
	# Try to point ipsec0 at the outer endpoints that ipsec1 (the dummy
	# tunnel) already uses; the SIOCSLIFPHYADDR ioctl must report the
	# duplicate on stderr.  $1 is the outer family.  RUMP_SERVER is unset
	# on return.
	local mode=$1
	local sock newsrc newdst

	for sock in $SOCK1 $SOCK2; do
		if [ "$sock" = "$SOCK1" ]; then
			newsrc=$ROUTER1_WANIP_DUMMY
			newdst=$ROUTER2_WANIP_DUMMY
			if [ "$mode" = "ipv6" ]; then
				newsrc=$ROUTER1_WANIP6_DUMMY
				newdst=$ROUTER2_WANIP6_DUMMY
			fi
		else
			newsrc=$ROUTER2_WANIP_DUMMY
			newdst=$ROUTER1_WANIP_DUMMY
			if [ "$mode" = "ipv6" ]; then
				newsrc=$ROUTER2_WANIP6_DUMMY
				newdst=$ROUTER1_WANIP6_DUMMY
			fi
		fi

		export RUMP_SERVER=$sock
		rump.ifconfig -v ipsec0
		rump.ifconfig -v ipsec1
		atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \
			rump.ifconfig ipsec0 tunnel "$newsrc" "$newdst"
		rump.ifconfig -v ipsec0
		rump.ifconfig -v ipsec1
	done

	unset RUMP_SERVER
}
753
test_change_tunnel_success()
{
	# Re-point ipsec0 at the *_DUMMY outer endpoints; once ipsec1 is gone
	# this must succeed.  $1 is the outer family.  RUMP_SERVER is unset on
	# return.
	local mode=$1
	local sock newsrc newdst

	for sock in $SOCK1 $SOCK2; do
		if [ "$sock" = "$SOCK1" ]; then
			newsrc=$ROUTER1_WANIP_DUMMY
			newdst=$ROUTER2_WANIP_DUMMY
			if [ "$mode" = "ipv6" ]; then
				newsrc=$ROUTER1_WANIP6_DUMMY
				newdst=$ROUTER2_WANIP6_DUMMY
			fi
		else
			newsrc=$ROUTER2_WANIP_DUMMY
			newdst=$ROUTER1_WANIP_DUMMY
			if [ "$mode" = "ipv6" ]; then
				newsrc=$ROUTER2_WANIP6_DUMMY
				newdst=$ROUTER1_WANIP6_DUMMY
			fi
		fi

		export RUMP_SERVER=$sock
		rump.ifconfig -v ipsec0
		atf_check -s exit:0 \
			rump.ifconfig ipsec0 tunnel "$newsrc" "$newdst"
		rump.ifconfig -v ipsec0
	done

	unset RUMP_SERVER
}
788
basic_setup()
{
	# Bring up both routers and the ipsec0 tunnel for the "basic" cases.
	# Args: inner family, outer family, IPsec protocol, algorithm.
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	setup "$inner" "$outer"
	test_setup "$inner" "$outer"

	# Enable once PR kern/49219 is fixed
	#test_ping_failure

	setup_tunnel "$inner" "$outer" "$proto" "$algo"
	# presumably lets the new interfaces and routes settle — not documented
	sleep 1
	test_setup_tunnel "$inner"
}
806
basic_test()
{
	# "basic" case body: traffic must flow through the tunnel.  $2 (outer
	# family) is accepted for a uniform signature but unused.
	local inner=$1
	local outer=$2 # not use

	test_ping_success "$inner"
}
814
basic_teardown()
{
	# "basic" case teardown: remove the tunnel and confirm traffic stops.
	# $2 (outer family) is accepted for a uniform signature but unused.
	local inner=$1
	local outer=$2 # not use

	teardown_tunnel
	test_ping_failure "$inner"
}
823
ioctl_setup()
{
	# Like basic_setup() but also creates the dummy ipsec1 tunnel that the
	# ioctl cases collide with.  Args: inner, outer, proto, algo.
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	setup "$inner" "$outer"
	test_setup "$inner" "$outer"

	# Enable once PR kern/49219 is fixed
	#test_ping_failure

	setup_tunnel "$inner" "$outer" "$proto" "$algo"
	setup_dummy_tunnel "$inner" "$outer" "$proto" "$algo"
	# presumably lets the new interfaces and routes settle — not documented
	sleep 1
	test_setup_tunnel "$inner"
}
842
ioctl_test()
{
	# "ioctl" case body: traffic flows, changing ipsec0's endpoints onto
	# ipsec1's is rejected, and succeeds once ipsec1 is gone.
	# $1 inner family (ping), $2 outer family (tunnel endpoints).
	local inner=$1
	local outer=$2

	test_ping_success "$inner"
	test_change_tunnel_duplicate "$outer"
	teardown_dummy_tunnel
	test_change_tunnel_success "$outer"
}
855
ioctl_teardown()
{
	# "ioctl" case teardown: remove the tunnel and confirm traffic stops.
	# $2 (outer family) is accepted for a uniform signature but unused.
	local inner=$1
	local outer=$2 # not use

	teardown_tunnel
	test_ping_failure "$inner"
}
864
recursive_setup()
{
	# Like basic_setup() but additionally nests ipsec1/ipsec2 over ipsec0
	# on ROUTER1 (inner family only).  Args: inner, outer, proto, algo.
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	setup "$inner" "$outer"
	test_setup "$inner" "$outer"

	# Enable once PR kern/49219 is fixed
	#test_ping_failure

	setup_tunnel "$inner" "$outer" "$proto" "$algo"
	setup_recursive_tunnels "$inner" "$proto" "$algo"
	# presumably lets the new interfaces and routes settle — not documented
	sleep 1
	test_setup_tunnel "$inner"
}
883
recursive_test()
{
	# "recursive" case body: the nested tunnels must trip the recursion
	# guard.  $2 (outer family) is accepted for a uniform signature but
	# unused.
	local inner=$1
	local outer=$2 # not use

	test_recursive_check "$inner"
}
891
recursive_teardown()
{
	# "recursive" case teardown: nested tunnels first, then ipsec0.  Both
	# arguments are accepted for a uniform signature but unused.
	local inner=$1 # not use
	local outer=$2 # not use

	teardown_recursive_tunnels
	teardown_tunnel
}
900
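add_test()
{
	# Define and register one generated test case.
	#   $1 category - prefix of the <category>_setup/_test/_teardown trio
	#   $2 desc     - human-readable description suffix
	#   $3 inner, $4 outer - "ipv4"/"ipv6"
	#   $5 proto, $6 algo  - IPsec protocol and algorithm
	# The head/body/cleanup functions are built with eval from these
	# values; they all come from literals in this file, never from the
	# environment or from user input.
	local category=$1
	local desc=$2
	local inner=$3
	local outer=$4
	local proto=$5
	local algo=$6
	local _algo=""
	local name=""
	local fulldesc=""

	# Function names cannot contain '-', so e.g. "aes-cbc" -> "aescbc".
	# name and fulldesc are local now; they used to leak as globals.
	_algo=$(printf '%s\n' "$algo" | sed 's/-//g')
	name="ipsecif_${category}_${inner}over${outer}_${proto}_${_algo}"
	fulldesc="Does ${inner} over ${outer} if_ipsec ${desc}"

	atf_test_case "$name" cleanup
	eval "${name}_head() {
			atf_set descr \"${fulldesc}\"
			atf_set require.progs rump_server setkey
		}
	    ${name}_body() {
			${category}_setup ${inner} ${outer} ${proto} ${algo}
			${category}_test ${inner} ${outer}
			${category}_teardown ${inner} ${outer}
			rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
			\$DEBUG && dump
			cleanup
		}"
	atf_add_test_case "$name"
}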
931
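add_test_allproto()
{
	# Register the four inner/outer family combinations of category $1
	# (description $2) for every ESP algorithm in
	# ESP_ENCRYPTION_ALGORITHMS_MINIMUM (provided by the shared test
	# library).  The loop variable is local; it used to leak as a global.
	local category=$1
	local desc=$2
	local algo

	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		add_test "$category" "$desc" ipv4 ipv4 esp "$algo"
		add_test "$category" "$desc" ipv4 ipv6 esp "$algo"
		add_test "$category" "$desc" ipv6 ipv4 esp "$algo"
		add_test "$category" "$desc" ipv6 ipv6 esp "$algo"
	done

	# ah does not support yet
}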
946
atf_init_test_cases()
{
	# ATF entry point: the hand-written create/destroy case plus the
	# generated matrix for each category.
	local category

	atf_add_test_case ipsecif_create_destroy

	for category in basic ioctl recursive; do
		case "$category" in
		basic)     add_test_allproto "$category" "basic tests" ;;
		ioctl)     add_test_allproto "$category" "ioctl tests" ;;
		recursive) add_test_allproto "$category" "recursive check tests" ;;
		esac
	done
}
956