Module Name: src
Committed By: knakahara
Date: Thu Jan 17 02:49:11 UTC 2019
Modified Files:
src/distrib/sets/lists/tests: mi
src/tests/net: net_common.sh
src/tests/net/if_ipsec: Makefile
Added Files:
src/tests/net/if_ipsec: t_ipsec_pfil.sh
Log Message:
Add ATF for ipsecif(4) pfil.
To generate a diff of this commit:
cvs rdiff -u -r1.802 -r1.803 src/distrib/sets/lists/tests/mi
cvs rdiff -u -r1.28 -r1.29 src/tests/net/net_common.sh
cvs rdiff -u -r1.2 -r1.3 src/tests/net/if_ipsec/Makefile
cvs rdiff -u -r0 -r1.1 src/tests/net/if_ipsec/t_ipsec_pfil.sh
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/distrib/sets/lists/tests/mi
diff -u src/distrib/sets/lists/tests/mi:1.802 src/distrib/sets/lists/tests/mi:1.803
--- src/distrib/sets/lists/tests/mi:1.802 Thu Dec 27 19:35:31 2018
+++ src/distrib/sets/lists/tests/mi Thu Jan 17 02:49:11 2019
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.802 2018/12/27 19:35:31 christos Exp $
+# $NetBSD: mi,v 1.803 2019/01/17 02:49:11 knakahara Exp $
#
# Note: don't delete entries from here - mark them as "obsolete" instead.
#
@@ -3338,6 +3338,7 @@
./usr/tests/net/if_ipsec/Kyuafile tests-net-tests atf,rump,kyua
./usr/tests/net/if_ipsec/t_ipsec tests-net-tests atf,rump
./usr/tests/net/if_ipsec/t_ipsec_natt tests-net-tests atf,rump
+./usr/tests/net/if_ipsec/t_ipsec_pfil tests-net-tests atf,rump
./usr/tests/net/if_l2tp tests-net-tests compattestfile,atf
./usr/tests/net/if_l2tp/Atffile tests-net-tests atf,rump
./usr/tests/net/if_l2tp/Kyuafile tests-net-tests atf,rump,kyua
Index: src/tests/net/net_common.sh
diff -u src/tests/net/net_common.sh:1.28 src/tests/net/net_common.sh:1.29
--- src/tests/net/net_common.sh:1.28 Sat Apr 7 12:36:58 2018
+++ src/tests/net/net_common.sh Thu Jan 17 02:49:11 2019
@@ -1,4 +1,4 @@
-# $NetBSD: net_common.sh,v 1.28 2018/04/07 12:36:58 ozaki-r Exp $
+# $NetBSD: net_common.sh,v 1.29 2019/01/17 02:49:11 knakahara Exp $
#
# Copyright (c) 2016 Internet Initiative Japan Inc.
# All rights reserved.
@@ -177,6 +177,7 @@ FS_LIBS="$BASIC_LIBS -lrumpvfs -lrumpfs_
CRYPTO_LIBS="$BASIC_LIBS -lrumpvfs -lrumpdev_opencrypto \
-lrumpkern_z -lrumpkern_crypto"
NPF_LIBS="$BASIC_LIBS -lrumpvfs -lrumpdev_bpf -lrumpnet_npf"
+CRYPTO_NPF_LIBS="$CRYPTO_LIBS -lrumpdev_bpf -lrumpnet_npf"
# We cannot keep variables between test phases, so need to store in files
_rump_server_socks=./.__socks
@@ -293,6 +294,24 @@ rump_server_npf_start()
return 0
}
+rump_server_crypto_npf_start()
+{
+ local sock=$1
+ local lib=
+ local libs="$CRYPTO_NPF_LIBS"
+
+ shift 1
+
+ for lib
+ do
+ libs="$libs -lrumpnet_$lib"
+ done
+
+ _rump_server_start_common $sock $libs
+
+ return 0
+}
+
rump_server_add_iface()
{
local sock=$1
Index: src/tests/net/if_ipsec/Makefile
diff -u src/tests/net/if_ipsec/Makefile:1.2 src/tests/net/if_ipsec/Makefile:1.3
--- src/tests/net/if_ipsec/Makefile:1.2 Tue Dec 25 03:54:44 2018
+++ src/tests/net/if_ipsec/Makefile Thu Jan 17 02:49:11 2019
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.2 2018/12/25 03:54:44 knakahara Exp $
+# $NetBSD: Makefile,v 1.3 2019/01/17 02:49:11 knakahara Exp $
#
.include <bsd.own.mk>
TESTSDIR= ${TESTSBASE}/net/if_ipsec
-.for name in ipsec ipsec_natt
+.for name in ipsec ipsec_natt ipsec_pfil
TESTS_SH+= t_${name}
TESTS_SH_SRC_t_${name}= ../net_common.sh t_${name}.sh \
../ipsec/common.sh ../ipsec/algorithms.sh
Added files:
Index: src/tests/net/if_ipsec/t_ipsec_pfil.sh
diff -u /dev/null src/tests/net/if_ipsec/t_ipsec_pfil.sh:1.1
--- /dev/null Thu Jan 17 02:49:11 2019
+++ src/tests/net/if_ipsec/t_ipsec_pfil.sh Thu Jan 17 02:49:11 2019
@@ -0,0 +1,364 @@
+# $NetBSD: t_ipsec_pfil.sh,v 1.1 2019/01/17 02:49:11 knakahara Exp $
+#
+# Copyright (c) 2019 Internet Initiative Japan Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+SOCK_ROUTER1=unix://router1
+SOCK_ROUTER2=unix://router2
+ROUTER1_LANIP=192.168.1.1
+ROUTER1_LANNET=192.168.1.0/24
+ROUTER1_WANIP=10.0.0.1
+ROUTER1_IPSECIP=172.16.1.1
+ROUTER2_LANIP=192.168.2.1
+ROUTER2_LANNET=192.168.2.0/24
+ROUTER2_WANIP=10.0.0.2
+ROUTER2_IPSECIP=172.16.2.1
+
+DEBUG=${DEBUG:-false}
+TIMEOUT=7
+HIJACKING_NPF="${HIJACKING},blanket=/dev/npf"
+
+setup_router()
+{
+ local sock=$1
+ local lan=$2
+ local wan=$3
+
+ rump_server_add_iface $sock shmif0 bus0
+ rump_server_add_iface $sock shmif1 bus1
+
+ export RUMP_SERVER=${sock}
+ atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
+
+ atf_check -s exit:0 rump.ifconfig shmif0 inet ${lan} netmask 0xffffff00
+ atf_check -s exit:0 rump.ifconfig shmif0 up
+ # Ensure shmif0 is running
+ atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT ${lan}
+ $DEBUG && rump.ifconfig shmif0
+
+ atf_check -s exit:0 rump.ifconfig shmif1 inet ${wan} netmask 0xff000000
+ atf_check -s exit:0 rump.ifconfig shmif1 up
+ # Ensure shmif1 is running
+ atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT ${wan}
+ $DEBUG && rump.ifconfig shmif1
+
+ unset RUMP_SERVER
+}
+
+setup_if_ipsec()
+{
+ local addr=$1
+ local remote=$2
+ local src=$3
+ local dst=$4
+ local peernet=$5
+
+ atf_check -s exit:0 rump.ifconfig ipsec0 create
+ atf_check -s exit:0 rump.ifconfig ipsec0 tunnel $src $dst
+ atf_check -s exit:0 rump.ifconfig ipsec0 inet ${addr}/32 $remote
+ atf_check -s exit:0 -o ignore rump.route add -inet $peernet $addr
+
+ $DEBUG && rump.ifconfig ipsec0
+ $DEBUG && rump.route -nL show -inet
+}
+
+get_if_ipsec_unique()
+{
+ local src=$1
+ local proto=$2
+ local unique=""
+
+ unique=`$HIJACKING setkey -DP | grep -A2 "^${src}.*(${proto})$" | grep unique | sed 's/.*unique#//'`
+
+ echo $unique
+}
+
+setup_if_ipsec_sa()
+{
+ local src=$1
+ local dst=$2
+ local inid=$3
+ local outid=$4
+ local proto=$5
+ local algo=$6
+
+ local tmpfile=./tmp
+ local inunique=""
+ local outunique=""
+ local algo_args="$(generate_algo_args $proto $algo)"
+
+ inunique=`get_if_ipsec_unique $dst "ipv4"`
+ atf_check -s exit:0 test "X$inunique" != "X"
+ outunique=`get_if_ipsec_unique $src "ipv4"`
+ atf_check -s exit:0 test "X$outunique" != "X"
+
+ cat > $tmpfile <<-EOF
+ add $dst $src $proto $inid -u $inunique $algo_args;
+ add $src $dst $proto $outid -u $outunique $algo_args;
+ EOF
+ $DEBUG && cat $tmpfile
+ atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
+ $DEBUG && $HIJACKING setkey -D
+ $DEBUG && $HIJACKING setkey -DP
+}
+
+setup_tunnel()
+{
+ local proto=$1
+ local algo=$2
+
+ local addr= remote= src= dst= peernet=
+
+ export RUMP_SERVER=$SOCK_ROUTER1
+ addr=$ROUTER1_IPSECIP
+ remote=$ROUTER2_IPSECIP
+ src=$ROUTER1_WANIP
+ dst=$ROUTER2_WANIP
+ peernet=$ROUTER2_LANNET
+ setup_if_ipsec $addr $remote $src $dst $peernet
+ setup_if_ipsec_sa $src $dst "10000" "10001" $proto $algo
+
+ export RUMP_SERVER=$SOCK_ROUTER2
+ addr=$ROUTER2_IPSECIP
+ remote=$ROUTER1_IPSECIP
+ src=$ROUTER2_WANIP
+ dst=$ROUTER1_WANIP
+ peernet=$ROUTER1_LANNET
+ setup_if_ipsec $addr $remote $src $dst $peernet
+ setup_if_ipsec_sa $src $dst "10001" "10000" $proto $algo
+
+ # Ensure ipsecif(4) settings have completed.
+ export RUMP_SERVER=$SOCK_ROUTER1
+ atf_check -s exit:0 -o ignore \
+ rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
+ $ROUTER2_LANIP
+
+ export RUMP_SERVER=$SOCK_ROUTER2
+ atf_check -s exit:0 -o ignore \
+ rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \
+ $ROUTER1_LANIP
+
+ unset RUMP_SERVER
+}
+
+ipsecif_pfil_setup()
+{
+ local proto=$1
+ local algo=$2
+
+ rump_server_crypto_npf_start $SOCK_ROUTER1 netipsec ipsec
+ rump_server_crypto_npf_start $SOCK_ROUTER2 netipsec ipsec
+
+ setup_router $SOCK_ROUTER1 $ROUTER1_LANIP $ROUTER1_WANIP
+ setup_router $SOCK_ROUTER2 $ROUTER2_LANIP $ROUTER2_WANIP
+
+ setup_tunnel $proto $algo
+}
+
+prepare_file()
+{
+ local file=$1
+ local data="0123456789"
+
+ touch $file
+ for i in `seq 1 512`
+ do
+ echo $data >> $file
+ done
+}
+
+build_npf_conf()
+{
+ local outfile=$1
+ local subnet=$2
+ local direction=$3
+
+ local reverse=
+ if [ "X${direction}" = "Xin" ] ; then
+ reverse="out"
+ else
+ reverse="in"
+ fi
+
+ cat > $outfile <<-EOF
+ set bpf.jit off
+ \$if = inet4(ipsec0)
+ \$subnet = { $subnet }
+
+ procedure "log0" {
+ log: npflog0
+ }
+
+ group default {
+ block $direction on \$if proto tcp from \$subnet apply "log0"
+ pass $reverse on \$if proto tcp from \$subnet
+ pass in on \$if proto icmp from 0.0.0.0/0
+ pass out on \$if proto icmp from 0.0.0.0/0
+ pass final on shmif0 all
+ pass final on shmif1 all
+ }
+ EOF
+}
+
+ipsecif_pfil_test()
+{
+ local outfile=./out
+ local npffile=./npf.conf
+ local file_send=./file.send
+ local file_recv=./file.recv
+
+ local subnet="172.16.0.0/16"
+
+ # Try TCP communications just in case.
+ start_nc_server $SOCK_ROUTER2 8888 $file_recv ipv4
+ prepare_file $file_send
+ export RUMP_SERVER=$SOCK_ROUTER1
+ atf_check -s exit:0 $HIJACKING nc -w 3 $ROUTER2_IPSECIP 8888 < $file_send
+ atf_check -s exit:0 diff -q $file_send $file_recv
+ stop_nc_server
+
+ # Setup npf to block *out* direction for ipsecif(4).
+ build_npf_conf $npffile $subnet "out"
+ $DEBUG && cat $npffile
+
+ export RUMP_SERVER=$SOCK_ROUTER1
+ atf_check -s exit:0 $HIJACKING_NPF npfctl reload $npffile
+ atf_check -s exit:0 $HIJACKING_NPF npfctl start
+ $DEBUG && ${HIJACKING},"blanket=/dev/npf" npfctl show
+
+ # ping should still work
+ export RUMP_SERVER=$SOCK_ROUTER1
+ atf_check -s exit:0 -o ignore \
+ rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
+ $ROUTER2_LANIP
+
+ export RUMP_SERVER=$SOCK_ROUTER2
+ atf_check -s exit:0 -o ignore \
+ rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \
+ $ROUTER1_LANIP
+
+ # TCP communications should be blocked.
+ start_nc_server $SOCK_ROUTER2 8888 $file_recv ipv4
+ prepare_file $file_send
+ export RUMP_SERVER=$SOCK_ROUTER1
+ atf_check -s exit:1 -o ignore $HIJACKING nc -w 3 $ROUTER2_IPSECIP 8888 < $file_send
+ stop_nc_server
+
+ atf_check -s exit:0 $HIJACKING_NPF npfctl stop
+ $DEBUG && ${HIJACKING},"blanket=/dev/npf" npfctl show
+
+ # Setup npf to block *in* direction for ipsecif(4).
+ build_npf_conf $npffile $subnet "in"
+ $DEBUG && cat $npffile
+
+ export RUMP_SERVER=$SOCK_ROUTER2
+ atf_check -s exit:0 $HIJACKING_NPF npfctl reload $npffile
+ atf_check -s exit:0 $HIJACKING_NPF npfctl start
+ $DEBUG && ${HIJACKING},"blanket=/dev/npf" npfctl show
+
+ # ping should still work.
+ export RUMP_SERVER=$SOCK_ROUTER1
+ atf_check -s exit:0 -o ignore \
+ rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
+ $ROUTER2_LANIP
+
+ export RUMP_SERVER=$SOCK_ROUTER2
+ atf_check -s exit:0 -o ignore \
+ rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \
+ $ROUTER1_LANIP
+
+ # TCP communications should be blocked.
+ start_nc_server $SOCK_ROUTER2 8888 $file_recv ipv4
+ prepare_file $file_send
+ export RUMP_SERVER=$SOCK_ROUTER1
+ atf_check -s exit:1 -o ignore $HIJACKING nc -w 3 $ROUTER2_IPSECIP 8888 < $file_send
+ stop_nc_server
+
+ atf_check -s exit:0 $HIJACKING_NPF npfctl stop
+ $DEBUG && ${HIJACKING},"blanket=/dev/npf" npfctl show
+
+
+ unset RUMP_SERVER
+}
+
+ipsecif_pfil_teardown()
+{
+
+ export RUMP_SERVER=$SOCK_ROUTER1
+ atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel
+ atf_check -s exit:0 rump.ifconfig ipsec0 destroy
+ $HIJACKING setkey -F
+
+ export RUMP_SERVER=$SOCK_ROUTER2
+ atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel
+ atf_check -s exit:0 rump.ifconfig ipsec0 destroy
+ $HIJACKING setkey -F
+
+ unset RUMP_SERVER
+}
+
+add_test()
+{
+ local proto=$1
+ local algo=$2
+ local _algo=$(echo $algo | sed 's/-//g')
+
+ name="ipsecif_pfil_${proto}_${_algo}"
+ desc="Does ipsecif filter tests"
+
+ atf_test_case ${name} cleanup
+ eval "${name}_head() {
+ atf_set descr \"${desc}\"
+ atf_set require.progs rump_server setkey
+ }
+ ${name}_body() {
+ ipsecif_pfil_setup ${proto} ${algo}
+ ipsecif_pfil_test
+ ipsecif_pfil_teardown
+ rump_server_destroy_ifaces
+ }
+ ${name}_cleanup() {
+ \$DEBUG && dump
+ cleanup
+ }"
+ atf_add_test_case ${name}
+}
+
+add_test_allalgo()
+{
+ local desc=$1
+
+ for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
+ add_test esp $algo
+ done
+
+ # ah does not support yet
+}
+
+atf_init_test_cases()
+{
+
+ add_test_allalgo ipsecif_pfil
+}
