Module Name: src Committed By: snj Date: Fri Nov 17 20:43:11 UTC 2017
Modified Files: src/distrib/sets/lists/debug [netbsd-8]: mi src/distrib/sets/lists/tests [netbsd-8]: mi src/etc/mtree [netbsd-8]: NetBSD.dist.tests src/sys/net/npf [netbsd-8]: npf_ctl.c src/tests/net [netbsd-8]: net_common.sh src/tests/net/ipsec [netbsd-8]: Makefile algorithms.sh src/usr.sbin/npf/npfctl [netbsd-8]: npfctl.c Added Files: src/tests/net/ipsec [netbsd-8]: natt_terminator.c t_ipsec_natt.sh Log Message: Pull up following revision(s) (requested by ozaki-r in ticket #357): distrib/sets/lists/debug/mi: 1.228 distrib/sets/lists/tests/mi: 1.765-1.766 etc/mtree/NetBSD.dist.tests: 1.149 sys/net/npf/npf_ctl.c: 1.49 tests/net/ipsec/Makefile: 1.10 tests/net/ipsec/algorithms.sh: 1.6 tests/net/ipsec/natt_terminator.c: 1.1 tests/net/ipsec/t_ipsec_natt.sh: 1.1 tests/net/net_common.sh: 1.23-1.24 usr.sbin/npf/npfctl/npfctl.c: 1.54 Handle esp-udp for NAT-T -- Fix npfctl reload on rump kernels It fails because npfctl cannot get an errno when it calls ioctl to the (rump) kernel; npfctl (libnpf) expects that an errno is returned via proplib, however, the rump library of npf doesn't do so. It happens because of mishandlings of complicated npf kernel options. PR kern/52643 -- Fix showing translated port (ntohs-ed twice wrongly) -- Add test cases of NAT-T (transport mode) A small C program is added to make a special socket (UDP_ENCAP_ESPINUDP) and keep it to handle UDP-encapsulated ESP packets. -- Add net/ipsec debug lib directory -- Add ./usr/libdata/debug/usr/tests/net/ipsec -- Stop using bpfjit Because most architectures don't support it and npf still works without it. 
To generate a diff of this commit: cvs rdiff -u -r1.216.2.4 -r1.216.2.5 src/distrib/sets/lists/debug/mi cvs rdiff -u -r1.752.2.5 -r1.752.2.6 src/distrib/sets/lists/tests/mi cvs rdiff -u -r1.147.2.1 -r1.147.2.2 src/etc/mtree/NetBSD.dist.tests cvs rdiff -u -r1.48 -r1.48.2.1 src/sys/net/npf/npf_ctl.c cvs rdiff -u -r1.18.2.2 -r1.18.2.3 src/tests/net/net_common.sh cvs rdiff -u -r1.6.2.1 -r1.6.2.2 src/tests/net/ipsec/Makefile cvs rdiff -u -r1.4.2.1 -r1.4.2.2 src/tests/net/ipsec/algorithms.sh cvs rdiff -u -r0 -r1.1.2.2 src/tests/net/ipsec/natt_terminator.c \ src/tests/net/ipsec/t_ipsec_natt.sh cvs rdiff -u -r1.53 -r1.53.6.1 src/usr.sbin/npf/npfctl/npfctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/distrib/sets/lists/debug/mi diff -u src/distrib/sets/lists/debug/mi:1.216.2.4 src/distrib/sets/lists/debug/mi:1.216.2.5 --- src/distrib/sets/lists/debug/mi:1.216.2.4 Mon Oct 2 13:21:41 2017 +++ src/distrib/sets/lists/debug/mi Fri Nov 17 20:43:10 2017 @@ -1,4 +1,4 @@ -# $NetBSD: mi,v 1.216.2.4 2017/10/02 13:21:41 martin Exp $ +# $NetBSD: mi,v 1.216.2.5 2017/11/17 20:43:10 snj Exp $ ./etc/mtree/set.debug comp-sys-root ./usr/lib comp-sys-usr compatdir ./usr/lib/i18n/libBIG5_g.a comp-c-debuglib debuglib,compatfile @@ -2276,6 +2276,7 @@ ./usr/libdata/debug/usr/tests/net/if/t_compat.debug tests-net-debug debug,atf,rump ./usr/libdata/debug/usr/tests/net/if_loop/t_pr.debug tests-net-debug debug,atf,rump ./usr/libdata/debug/usr/tests/net/in_cksum/in_cksum.debug tests-net-debug debug,atf,compattestfile +./usr/libdata/debug/usr/tests/net/ipsec/natt_terminator.debug tests-net-debug debug,atf,rump ./usr/libdata/debug/usr/tests/net/mcast/mcast.debug tests-net-debug debug,atf,rump ./usr/libdata/debug/usr/tests/net/mcast/t_mcast.debug tests-obsolete debug,atf,rump,obsolete ./usr/libdata/debug/usr/tests/net/net/t_pktinfo.debug tests-net-debug debug,atf,compattestfile Index: src/distrib/sets/lists/tests/mi diff -u src/distrib/sets/lists/tests/mi:1.752.2.5 src/distrib/sets/lists/tests/mi:1.752.2.6 --- src/distrib/sets/lists/tests/mi:1.752.2.5 Tue Oct 24 08:55:55 2017 +++ src/distrib/sets/lists/tests/mi Fri Nov 17 20:43:10 2017 @@ -1,4 +1,4 @@ -# $NetBSD: mi,v 1.752.2.5 2017/10/24 08:55:55 snj Exp $ +# $NetBSD: mi,v 1.752.2.6 2017/11/17 20:43:10 snj Exp $ # # Note: don't delete entries from here - mark them as "obsolete" instead. # 
@@ -162,6 +162,7 @@ ./usr/libdata/debug/usr/tests/net/if tests-net-debug compattestfile,atf ./usr/libdata/debug/usr/tests/net/if_loop tests-net-debug compattestfile,atf ./usr/libdata/debug/usr/tests/net/in_cksum tests-net-debug compattestfile,atf +./usr/libdata/debug/usr/tests/net/ipsec tests-net-debug compattestfile,atf ./usr/libdata/debug/usr/tests/net/mcast tests-net-debug compattestfile,atf ./usr/libdata/debug/usr/tests/net/net tests-net-debug compattestfile,atf ./usr/libdata/debug/usr/tests/net/sys tests-net-debug compattestfile,atf @@ -3316,11 +3317,13 @@ ./usr/tests/net/ipsec tests-net-tests compattestfile,atf ./usr/tests/net/ipsec/Atffile tests-net-tests atf,rump ./usr/tests/net/ipsec/Kyuafile tests-net-tests atf,rump,kyua +./usr/tests/net/ipsec/natt_terminator tests-net-tests atf,rump ./usr/tests/net/ipsec/t_ipsec_ah_keys tests-net-tests atf,rump ./usr/tests/net/ipsec/t_ipsec_esp_keys tests-net-tests atf,rump ./usr/tests/net/ipsec/t_ipsec_gif tests-net-tests atf,rump ./usr/tests/net/ipsec/t_ipsec_l2tp tests-net-tests atf,rump ./usr/tests/net/ipsec/t_ipsec_misc tests-net-tests atf,rump +./usr/tests/net/ipsec/t_ipsec_natt tests-net-tests atf,rump ./usr/tests/net/ipsec/t_ipsec_sockopt tests-net-tests atf,rump ./usr/tests/net/ipsec/t_ipsec_sysctl tests-net-tests atf,rump ./usr/tests/net/ipsec/t_ipsec_tcp tests-net-tests atf,rump Index: src/etc/mtree/NetBSD.dist.tests diff -u src/etc/mtree/NetBSD.dist.tests:1.147.2.1 src/etc/mtree/NetBSD.dist.tests:1.147.2.2 --- src/etc/mtree/NetBSD.dist.tests:1.147.2.1 Wed Jul 5 20:01:01 2017 +++ src/etc/mtree/NetBSD.dist.tests Fri Nov 17 20:43:11 2017 @@ -1,4 +1,4 @@ -# $NetBSD: NetBSD.dist.tests,v 1.147.2.1 2017/07/05 20:01:01 snj Exp $ +# $NetBSD: NetBSD.dist.tests,v 1.147.2.2 2017/11/17 20:43:11 snj Exp $ ./usr/libdata/debug/usr/tests ./usr/libdata/debug/usr/tests/atf 
@@ -142,6 +142,7 @@ ./usr/libdata/debug/usr/tests/net/if ./usr/libdata/debug/usr/tests/net/if_loop ./usr/libdata/debug/usr/tests/net/in_cksum +./usr/libdata/debug/usr/tests/net/ipsec ./usr/libdata/debug/usr/tests/net/mcast ./usr/libdata/debug/usr/tests/net/net ./usr/libdata/debug/usr/tests/net/sys Index: src/sys/net/npf/npf_ctl.c diff -u src/sys/net/npf/npf_ctl.c:1.48 src/sys/net/npf/npf_ctl.c:1.48.2.1 --- src/sys/net/npf/npf_ctl.c:1.48 Wed May 17 18:56:12 2017 +++ src/sys/net/npf/npf_ctl.c Fri Nov 17 20:43:11 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npf_ctl.c,v 1.48 2017/05/17 18:56:12 christos Exp $ */ +/* $NetBSD: npf_ctl.c,v 1.48.2.1 2017/11/17 20:43:11 snj Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -38,7 +38,7 @@ #ifdef _KERNEL #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.48 2017/05/17 18:56:12 christos Exp $"); +__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.48.2.1 2017/11/17 20:43:11 snj Exp $"); #include <sys/param.h> #include <sys/conf.h> 
@@ -630,15 +630,31 @@ fail: if (tblset) { npf_tableset_destroy(tblset); } - prop_object_release(npf_dict); +#if defined(_NPF_TESTING) || defined(_NPF_STANDALONE) + /* Free only if allocated by prop_dictionary_copyin_ioctl_size. */ + if (!npfctl_testing) +#endif + prop_object_release(npf_dict); - /* Error report. */ -#if !defined(_NPF_TESTING) && !defined(_NPF_STANDALONE) - prop_dictionary_set_int32(errdict, "errno", error); - prop_dictionary_copyout_ioctl(pref, cmd, errdict); - prop_object_release(errdict); - error = 0; + /* + * - _NPF_STANDALONE doesn't require to set prop. + * - For _NPF_TESTING, if npfctl_testing, setting prop isn't needed, + * otherwise it's needed. + */ +#ifndef _NPF_STANDALONE +#ifdef _NPF_TESTING + if (!npfctl_testing) { +#endif + /* Error report. */ + prop_dictionary_set_int32(errdict, "errno", error); + prop_dictionary_copyout_ioctl(pref, cmd, errdict); + error = 0; +#ifdef _NPF_TESTING + } #endif +#endif /* _NPF_STANDALONE */ + prop_object_release(errdict); + return error; } Index: src/tests/net/net_common.sh diff -u src/tests/net/net_common.sh:1.18.2.2 src/tests/net/net_common.sh:1.18.2.3 --- src/tests/net/net_common.sh:1.18.2.2 Sat Oct 21 19:43:55 2017 +++ src/tests/net/net_common.sh Fri Nov 17 20:43:11 2017 @@ -1,4 +1,4 @@ -# $NetBSD: net_common.sh,v 1.18.2.2 2017/10/21 19:43:55 snj Exp $ +# $NetBSD: net_common.sh,v 1.18.2.3 2017/11/17 20:43:11 snj Exp $ # # Copyright (c) 2016 Internet Initiative Japan Inc. # All rights reserved. @@ -183,6 +183,7 @@ BASIC_LIBS="-lrumpnet -lrumpnet_net -lru FS_LIBS="$BASIC_LIBS -lrumpvfs -lrumpfs_ffs" CRYPTO_LIBS="$BASIC_LIBS -lrumpvfs -lrumpdev_opencrypto \ -lrumpkern_z -lrumpkern_crypto" +NPF_LIBS="$BASIC_LIBS -lrumpvfs -lrumpdev_bpf -lrumpnet_npf" # We cannot keep variables between test phases, so need to store in files _rump_server_socks=./.__socks 
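Review bot: `prop_object_release(errdict)` at the end of the hunk now runs in every build, whereas the old code released errdict only when neither _NPF_TESTING nor _NPF_STANDALONE was defined; whether errdict is created at all in the standalone build is decided above the hunk, so please confirm this is not a release of an object that was never allocated there. The return value of `prop_dictionary_copyout_ioctl(pref, cmd, errdict)` is still discarded before `error = 0`, so a copyout that fails reports success to the caller with no errno at all; `if (prop_dictionary_copyout_ioctl(pref, cmd, errdict) == 0) error = 0;` would keep the original error in that case (assuming the call returns 0 on success, as its siblings in proplib do). As a matter of style, the `{` of `if (!npfctl_testing) {` and its closing `}` each live under a separate `#ifdef _NPF_TESTING`, which is easy to misread; computing a single boolean once (`bool report = true;` set to `!npfctl_testing` under _NPF_TESTING) and writing one plain `if (report) { ... }` would avoid the split braces. The enclosing function begins before the hunk.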
@@ -283,6 +284,24 @@ rump_server_crypto_start() return 0 } +rump_server_npf_start() +{ + local sock=$1 + local _libs= + local libs="$NPF_LIBS" + + shift 1 + _libs="$*" + + for lib in $_libs; do + libs="$libs -lrumpnet_$lib" + done + + _rump_server_start_common $sock $libs + + return 0 +} + rump_server_add_iface() { local sock=$1 Index: src/tests/net/ipsec/Makefile diff -u src/tests/net/ipsec/Makefile:1.6.2.1 src/tests/net/ipsec/Makefile:1.6.2.2 --- src/tests/net/ipsec/Makefile:1.6.2.1 Sat Oct 21 19:43:55 2017 +++ src/tests/net/ipsec/Makefile Fri Nov 17 20:43:11 2017 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.6.2.1 2017/10/21 19:43:55 snj Exp $ +# $NetBSD: Makefile,v 1.6.2.2 2017/11/17 20:43:11 snj Exp $ # .include <bsd.own.mk> @@ -6,11 +6,15 @@ TESTSDIR= ${TESTSBASE}/net/ipsec .for name in ipsec_ah_keys ipsec_esp_keys ipsec_gif ipsec_l2tp ipsec_misc \ - ipsec_sockopt ipsec_sysctl ipsec_tcp ipsec_transport ipsec_tunnel \ - ipsec_tunnel_ipcomp ipsec_tunnel_odd + ipsec_natt ipsec_sockopt ipsec_sysctl ipsec_tcp ipsec_transport \ + ipsec_tunnel ipsec_tunnel_ipcomp ipsec_tunnel_odd TESTS_SH+= t_${name} TESTS_SH_SRC_t_${name}= ../net_common.sh ./common.sh ./algorithms.sh \ t_${name}.sh .endfor +PROGS= natt_terminator +MAN.natt_terminator= # empty +BINDIR.natt_terminator= ${TESTSDIR} + .include <bsd.test.mk> Index: src/tests/net/ipsec/algorithms.sh diff -u src/tests/net/ipsec/algorithms.sh:1.4.2.1 src/tests/net/ipsec/algorithms.sh:1.4.2.2 --- src/tests/net/ipsec/algorithms.sh:1.4.2.1 Sat Oct 21 19:43:55 2017 +++ src/tests/net/ipsec/algorithms.sh Fri Nov 17 20:43:11 2017 @@ -1,4 +1,4 @@ -# $NetBSD: algorithms.sh,v 1.4.2.1 2017/10/21 19:43:55 snj Exp $ +# $NetBSD: algorithms.sh,v 1.4.2.2 2017/11/17 20:43:11 snj Exp $ # # Copyright (c) 2017 Internet Initiative Japan Inc. # All rights reserved. 
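Review bot: In rump_server_npf_start the loop variable `lib` is not declared local, so `for lib in $_libs` leaves `lib` set in the caller's shell after the function returns; add `local lib=` next to the other locals. The `_libs` temporary is only a copy of `$*`, so the loop can iterate the positional parameters directly: `shift 1` followed by `for lib in "$@"; do libs="$libs -lrumpnet_$lib"; done`. `$sock` and `$libs` are passed unquoted to _rump_server_start_common, which is required so that `$libs` splits into separate `-l` arguments, but deserves a short comment (`# $libs must word-split into separate -l flags`) so nobody later "fixes" it by quoting.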
@@ -174,7 +174,7 @@ generate_algo_args() local keylen=$(get_one_valid_keylen $algo) local key=$(generate_key $keylen) - if [ $proto = esp ]; then + if [ $proto = esp -o $proto = "esp-udp" ]; then echo "-E $algo $key" elif [ $proto = ah ]; then echo "-A $algo $key" Index: src/usr.sbin/npf/npfctl/npfctl.c diff -u src/usr.sbin/npf/npfctl/npfctl.c:1.53 src/usr.sbin/npf/npfctl/npfctl.c:1.53.6.1 --- src/usr.sbin/npf/npfctl/npfctl.c:1.53 Wed Jan 11 02:10:44 2017 +++ src/usr.sbin/npf/npfctl/npfctl.c Fri Nov 17 20:43:11 2017 @@ -1,4 +1,4 @@ -/* $NetBSD: npfctl.c,v 1.53 2017/01/11 02:10:44 christos Exp $ */ +/* $NetBSD: npfctl.c,v 1.53.6.1 2017/11/17 20:43:11 snj Exp $ */ /*- * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. @@ -30,7 +30,7 @@ */ #include <sys/cdefs.h> -__RCSID("$NetBSD: npfctl.c,v 1.53 2017/01/11 02:10:44 christos Exp $"); +__RCSID("$NetBSD: npfctl.c,v 1.53.6.1 2017/11/17 20:43:11 snj Exp $"); #include <sys/stat.h> #include <sys/types.h> @@ -624,7 +624,7 @@ npfctl_conn_print(unsigned alen, const n fputc('\n', fp); return 1; } - fprintf(fp, " via %s:%d\n", ifname, ntohs(p[2])); + fprintf(fp, " via %s:%d\n", ifname, p[2]); return 1; } Added files: Index: src/tests/net/ipsec/natt_terminator.c diff -u /dev/null src/tests/net/ipsec/natt_terminator.c:1.1.2.2 --- /dev/null Fri Nov 17 20:43:11 2017 +++ src/tests/net/ipsec/natt_terminator.c Fri Nov 17 20:43:11 2017 
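Review bot: The new condition `[ $proto = esp -o $proto = "esp-udp" ]` relies on the `-o` operator of test, which is ambiguous when an operand looks like an option and is marked obsolescent by POSIX; two separate tests, `if [ $proto = esp ] || [ $proto = esp-udp ]; then`, give the same result without it. The if/elif chain on `$proto` would also read more naturally as `case $proto in esp|esp-udp) echo "-E $algo $key" ;; ah) echo "-A $algo $key" ;; esac`, which keeps all protocol spellings in one place as more are added. generate_algo_args starts before the hunk.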
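Review bot: After dropping the `ntohs()` on `p[2]` nothing in the hunk tells a reader why this port is printed without byte-order conversion while the surrounding output code converts other fields, and the next maintainer may well add it back; a one-line comment above the fprintf, such as `/* p[2] is already in host byte order; do not ntohs() it again. */`, would record the fix. That the value is already converted comes from the commit message ("ntohs-ed twice") rather than from lines visible here, so verify it against where `p` is filled in. npfctl_conn_print starts before the hunk.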
@@ -0,0 +1,108 @@ +/* $NetBSD: natt_terminator.c,v 1.1.2.2 2017/11/17 20:43:11 snj Exp $ */ + +/*- + * Copyright (c) 2017 Internet Initiative Japan Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include <sys/types.h> +#include <sys/socket.h> +#include <sys/wait.h> +#include <sys/time.h> + +#include <netinet/in.h> +#include <netinet/udp.h> + +#include <stdio.h> +#include <err.h> +#include <netdb.h> +#include <string.h> +#include <stdlib.h> +#include <unistd.h> + +int +main(int argc, char **argv) +{ + struct addrinfo hints; + struct addrinfo *res; + int s, e; + const char *addr, *port; + int option; + + if (argc != 3) { + fprintf(stderr, "Usage: %s <addr> <port>\n", argv[0]); + return 1; + } + + addr = argv[1]; + port = argv[2]; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = AF_INET; + hints.ai_socktype = SOCK_DGRAM; + hints.ai_protocol = IPPROTO_UDP; + hints.ai_flags = 0; + + e = getaddrinfo(addr, port, &hints, &res); + if (e != 0) + errx(EXIT_FAILURE, "getaddrinfo failed: %s", gai_strerror(e)); + + s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); + if (s == -1) + err(EXIT_FAILURE, "socket"); + + /* + * Set the option to tell the kernel that the socket can handle + * UDP-encapsulated ESP packets for NAT-T. + */ + option = UDP_ENCAP_ESPINUDP; + e = setsockopt(s, IPPROTO_UDP, UDP_ENCAP, &option, sizeof(option)); + if (e == -1) + err(EXIT_FAILURE, "setsockopt(UDP_ENCAP)"); + + e = bind(s, res->ai_addr, res->ai_addrlen); + if (e == -1) + err(EXIT_FAILURE, "bind"); + + /* Receiving a packet make the NAPT create a mapping. */ + { + char buf[64]; + struct sockaddr_storage z; + socklen_t len = sizeof(z); + + e = recvfrom(s, buf, 64, MSG_PEEK, + (struct sockaddr *)&z, &len); + if (e == -1) + err(EXIT_FAILURE, "recvfrom"); + } + + /* + * Keep the socket in the kernel to handle UDP-encapsulated ESP packets. + */ + pause(); + + close(s); + + return 0; +} Index: src/tests/net/ipsec/t_ipsec_natt.sh diff -u /dev/null src/tests/net/ipsec/t_ipsec_natt.sh:1.1.2.2 --- /dev/null Fri Nov 17 20:43:11 2017 +++ src/tests/net/ipsec/t_ipsec_natt.sh Fri Nov 17 20:43:11 2017 
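Review bot: The recvfrom call passes the literal `64` as the buffer length while `buf` is declared `char buf[64]` a few lines above; use `sizeof(buf)` so the two cannot drift apart: `e = recvfrom(s, buf, sizeof(buf), MSG_PEEK, (struct sockaddr *)&z, &len);`. The addrinfo list returned by getaddrinfo is never released; a `freeaddrinfo(res);` once bind has succeeded keeps the helper leak-free even though it then blocks in pause(). Only the first getaddrinfo result is used, which is acceptable here because hints restricts the lookup to AF_INET/SOCK_DGRAM/IPPROTO_UDP, but a short comment stating that would help. The comment `/* Receiving a packet make the NAPT create a mapping. */` should read "makes", and it is worth noting there that MSG_PEEK deliberately leaves the datagram queued, if that is the intent.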
@@ -0,0 +1,376 @@ +# $NetBSD: t_ipsec_natt.sh,v 1.1.2.2 2017/11/17 20:43:11 snj Exp $ +# +# Copyright (c) 2017 Internet Initiative Japan Inc. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS +# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS +# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. 
+# + +SOCK_LOCAL=unix://ipsec_natt_local +SOCK_NAT=unix://ipsec_natt_nat +SOCK_REMOTE=unix://ipsec_natt_remote +BUS_LOCAL=./bus_ipsec_natt_local +BUS_NAT=./bus_ipsec_natt_nat +BUS_REMOTE=./bus_ipsec_natt_remote + +DEBUG=${DEBUG:-false} +HIJACKING_NPF="${HIJACKING},blanket=/dev/npf" + +setup_servers() +{ + + rump_server_crypto_start $SOCK_LOCAL netipsec + rump_server_npf_start $SOCK_NAT + rump_server_crypto_start $SOCK_REMOTE netipsec + rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_LOCAL + rump_server_add_iface $SOCK_NAT shmif0 $BUS_LOCAL + rump_server_add_iface $SOCK_NAT shmif1 $BUS_NAT + rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_NAT +} + +setup_sp() +{ + local proto=$1 + local algo_args="$2" + local ip_local=$3 + local ip_remote=$4 + local ip_nat_remote=$5 + local tmpfile=./tmp + + export RUMP_SERVER=$SOCK_LOCAL + cat > $tmpfile <<-EOF + spdadd $ip_local $ip_remote any -P out ipsec $proto/transport//require; + spdadd $ip_remote $ip_local any -P in ipsec $proto/transport//require; + EOF + $DEBUG && cat $tmpfile + atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile + #check_sp_entries $SOCK_LOCAL $ip_local $ip_remote + + export RUMP_SERVER=$SOCK_REMOTE + cat > $tmpfile <<-EOF + spdadd $ip_remote $ip_nat_remote any -P out ipsec $proto/transport//require; + spdadd $ip_local $ip_remote any -P in ipsec $proto/transport//require; + EOF + $DEBUG && cat $tmpfile + atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile + #check_sp_entries $SOCK_REMOTE $ip_remote $ip_local +} + +add_sa() +{ + local proto=$1 + local algo_args="$2" + local ip_local=$3 + local ip_remote=$4 + local ip_nat_remote=$5 + local spi=$6 + local port=$7 + local tmpfile=./tmp + + export RUMP_SERVER=$SOCK_LOCAL + cat > $tmpfile <<-EOF + add $ip_local [4500] $ip_remote [4500] $proto $((spi)) $algo_args; + add $ip_remote [4500] $ip_local [4500] $proto $((spi + 1)) $algo_args; + EOF + $DEBUG && cat $tmpfile + atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile + $DEBUG && 
$HIJACKING setkey -D + # XXX it can be expired if $lifetime is very short + #check_sa_entries $SOCK_LOCAL $ip_local $ip_remote + + export RUMP_SERVER=$SOCK_REMOTE + cat > $tmpfile <<-EOF + add $ip_local [$port] $ip_remote [4500] $proto $((spi)) $algo_args; + add $ip_remote [4500] $ip_nat_remote [$port] $proto $((spi + 1)) $algo_args; + EOF + $DEBUG && cat $tmpfile + atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile + $DEBUG && $HIJACKING setkey -D + # XXX it can be expired if $lifetime is very short + #check_sa_entries $SOCK_PEER $ip_local $ip_remote +} + +prepare_file() +{ + local file=$1 + local data="0123456789" + + touch $file + for i in `seq 1 512` + do + echo $data >> $file + done +} + +build_npf_conf() +{ + local outfile=$1 + local localnet=$2 + + cat > $outfile <<-EOF + set bpf.jit off + \$int_if = inet4(shmif0) + \$ext_if = inet4(shmif1) + \$localnet = { $localnet } + map \$ext_if dynamic \$localnet -> \$ext_if + group "external" on \$ext_if { + pass stateful out final all + } + group "internal" on \$int_if { + block in all + pass in final from \$localnet + pass out final all + } + group default { + pass final on lo0 all + block all + } + EOF +} + +PIDSFILE=./terminator.pids +start_natt_terminator() +{ + local sock=$1 + local ip=$2 + local port=$3 + local pidsfile=$4 + local backup=$RUMP_SERVER + local pid= + local terminator="$(atf_get_srcdir)/natt_terminator" + + export RUMP_SERVER=$sock + + env LD_PRELOAD=/usr/lib/librumphijack.so \ + $terminator $ip $port & + pid=$! + if [ ! -f $PIDSFILE ]; then + touch $PIDSFILE + fi + echo $pid >> $PIDSFILE + + $DEBUG && rump.netstat -a -f inet + + export RUMP_SERVER=$backup + + sleep 1 +} + +stop_natt_terminators() +{ + local pid= + + if [ ! 
-f $PIDSFILE ]; then + return + fi + + for pid in $(cat $PIDSFILE); do + kill -9 $pid + done + rm -f $PIDSFILE +} + +test_ipsec_natt_transport() +{ + local algo=$1 + local ip_local=10.0.1.2 + local ip_nat_local=10.0.1.1 + local ip_nat_remote=20.0.0.1 + local ip_remote=20.0.0.2 + local subnet_local=10.0.1.0 + local outfile=./out + local npffile=./npf.conf + local file_send=./file.send + local file_recv=./file.recv + local algo_args="$(generate_algo_args esp-udp $algo)" + local pid= port= + + setup_servers + + export RUMP_SERVER=$SOCK_LOCAL + atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 + atf_check -s exit:0 rump.ifconfig shmif0 $ip_local/24 + atf_check -s exit:0 -o ignore \ + rump.route -n add default $ip_nat_local + + export RUMP_SERVER=$SOCK_NAT + atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 + atf_check -s exit:0 rump.ifconfig shmif0 $ip_nat_local/24 + atf_check -s exit:0 rump.ifconfig shmif1 $ip_nat_remote/24 + atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.forwarding=1 + + export RUMP_SERVER=$SOCK_REMOTE + atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 + atf_check -s exit:0 rump.ifconfig shmif0 $ip_remote/24 + atf_check -s exit:0 -o ignore \ + rump.route -n add -net $subnet_local $ip_nat_remote + + extract_new_packets $BUS_NAT > $outfile + + # There is no NAT/NAPT. ping should just work. 
+ export RUMP_SERVER=$SOCK_LOCAL + atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote + + extract_new_packets $BUS_NAT > $outfile + $DEBUG && cat $outfile + atf_check -s exit:0 \ + -o match:"$ip_local > $ip_remote: ICMP echo request" \ + cat $outfile + atf_check -s exit:0 \ + -o match:"$ip_remote > $ip_local: ICMP echo reply" \ + cat $outfile + + # Setup an NAPT with npf + build_npf_conf $npffile "$subnet_local/24" + + export RUMP_SERVER=$SOCK_NAT + atf_check -s exit:0 $HIJACKING_NPF npfctl reload $npffile + atf_check -s exit:0 $HIJACKING_NPF npfctl start + $DEBUG && ${HIJACKING},"blanket=/dev/npf" npfctl show + + # There is an NAPT. ping works but source IP/port are translated + export RUMP_SERVER=$SOCK_LOCAL + atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote + + extract_new_packets $BUS_NAT > $outfile + $DEBUG && cat $outfile + atf_check -s exit:0 \ + -o match:"$ip_nat_remote > $ip_remote: ICMP echo request" \ + cat $outfile + atf_check -s exit:0 \ + -o match:"$ip_remote > $ip_nat_remote: ICMP echo reply" \ + cat $outfile + + # Try TCP communications just in case + start_nc_server $SOCK_REMOTE 4501 $file_recv ipv4 + prepare_file $file_send + export RUMP_SERVER=$SOCK_LOCAL + atf_check -s exit:0 $HIJACKING nc -w 3 $ip_remote 4501 < $file_send + atf_check -s exit:0 diff -q $file_send $file_recv + stop_nc_server + + extract_new_packets $BUS_NAT > $outfile + $DEBUG && cat $outfile + atf_check -s exit:0 \ + -o match:"${ip_nat_remote}\.[0-9]+ > ${ip_remote}\.4501" \ + cat $outfile + atf_check -s exit:0 \ + -o match:"${ip_remote}\.4501 > ${ip_nat_remote}\.[0-9]+" \ + cat $outfile + + # Launch a nc server as a terminator of NAT-T on outside the NAPT + start_natt_terminator $SOCK_REMOTE $ip_remote 4500 + echo zzz > $file_send + + export RUMP_SERVER=$SOCK_LOCAL + # Send a UDP packet to the remote server at port 4500 from the local + # host of port 4500. 
This makes a mapping on the NAPT between them + atf_check -s exit:0 $HIJACKING \ + nc -u -w 3 -p 4500 $ip_remote 4500 < $file_send + # Launch a nc server as a terminator of NAT-T on inside the NAPT, + # taking over port 4500 of the local host. + start_natt_terminator $SOCK_LOCAL $ip_local 4500 + + # We need to keep the servers for NAT-T + + export RUMP_SERVER=$SOCK_LOCAL + $DEBUG && rump.netstat -na -f inet + export RUMP_SERVER=$SOCK_REMOTE + $DEBUG && rump.netstat -na -f inet + + # Get a translated port number from 4500 on the NAPT + export RUMP_SERVER=$SOCK_NAT + $DEBUG && $HIJACKING_NPF npfctl list + # 10.0.1.2:4500 20.0.0.2:4500 via shmif1:9696 + port=$($HIJACKING_NPF npfctl list | awk -F 'shmif1:' '/4500/ {print $2;}') + $DEBUG && echo port=$port + if [ -z "$port" ]; then + atf_fail "Failed to get a traslated port on NAPT" + fi + + # Create ESP-UDP IPsec connections + setup_sp esp "$algo_args" $ip_local $ip_remote $ip_nat_remote + add_sa "esp-udp" "$algo_args" $ip_local $ip_remote $ip_nat_remote 10000 $port + + # ping should still work + export RUMP_SERVER=$SOCK_LOCAL + atf_check -s exit:0 -o ignore rump.ping -c 1 -n -w 3 $ip_remote + + # Try TCP communications over the ESP-UDP connections + start_nc_server $SOCK_REMOTE 4501 $file_recv ipv4 + prepare_file $file_send + export RUMP_SERVER=$SOCK_LOCAL + atf_check -s exit:0 -o ignore $HIJACKING nc -w 3 $ip_remote 4501 < $file_send + atf_check -s exit:0 diff -q $file_send $file_recv + stop_nc_server + + # Check both ports and UDP encapsulation + extract_new_packets $BUS_NAT > $outfile + $DEBUG && cat $outfile + atf_check -s exit:0 \ + -o match:"${ip_nat_remote}\.$port > ${ip_remote}\.4500: UDP-encap" \ + cat $outfile + atf_check -s exit:0 \ + -o match:"${ip_remote}\.4500 > ${ip_nat_remote}\.$port: UDP-encap" \ + cat $outfile + + # Kill the NAT-T terminator + stop_natt_terminators +} + +add_test_ipsec_natt_transport() +{ + local algo=$1 + local _algo=$(echo $algo | sed 's/-//g') + local name= desc= + + desc="Test 
IPsec NAT-T ($algo)" + name="ipsec_natt_transport_${_algo}" + + atf_test_case ${name} cleanup + eval " + ${name}_head() { + atf_set descr \"$desc\" + atf_set require.progs rump_server setkey nc + } + ${name}_body() { + test_ipsec_natt_transport $algo + rump_server_destroy_ifaces + } + ${name}_cleanup() { + stop_nc_server + stop_natt_terminators + \$DEBUG && dump + cleanup + } + " + atf_add_test_case ${name} +} + +atf_init_test_cases() +{ + local algo= + + for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do + add_test_ipsec_natt_transport $algo + done +}
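Review bot: start_natt_terminator declares `local pidsfile=$4` but never uses it and neither caller passes a fourth argument; the function appends to the global PIDSFILE instead, so either drop the parameter or honour it, e.g. `: ${pidsfile:=$PIDSFILE}` followed by `echo $pid >> $pidsfile`. stop_natt_terminators sends `kill -9` as its first and only signal; natt_terminator just sits in pause(), so a plain `kill $pid` (SIGTERM) terminates it and lets the rump socket be closed normally, with KILL kept as a fallback. The failure string in test_ipsec_natt_transport, `atf_fail "Failed to get a traslated port on NAPT"`, has a typo ("traslated" for "translated"). The `sleep 1` after launching the terminator is a fixed delay rather than a check that the UDP socket is bound, which makes the test timing-sensitive on slow hosts; the `rump.netstat -a -f inet` already run under $DEBUG could become a short poll loop on the bound port. setup_sp likewise takes `algo_args="$2"` and never reads it, so its second argument can be removed or documented as reserved.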