[src/trunk]: src Add ATF for ipsecif(4) pfil.

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/trunk]: src Add ATF for ipsecif(4) pfil.
From: knakahara <knakahara%NetBSD.org@localhost>
Date: Thu, 17 Jan 2019 04:55:36 +0000
details:   https://anonhg.NetBSD.org/src/rev/32f6be3bed1a
branches:  trunk
changeset: 447571:32f6be3bed1a
user:      knakahara <knakahara%NetBSD.org@localhost>
date:      Thu Jan 17 02:49:11 2019 +0000

description:
Add ATF for ipsecif(4) pfil.

diffstat:

 distrib/sets/lists/tests/mi        |    3 +-
 tests/net/if_ipsec/Makefile        |    4 +-
 tests/net/if_ipsec/t_ipsec_pfil.sh |  364 +++++++++++++++++++++++++++++++++++++
 tests/net/net_common.sh            |   21 ++-
 4 files changed, 388 insertions(+), 4 deletions(-)

diffs (truncated from 444 to 300 lines):

diff -r 28fb8a9da9a9 -r 32f6be3bed1a distrib/sets/lists/tests/mi
--- a/distrib/sets/lists/tests/mi       Thu Jan 17 02:47:15 2019 +0000
+++ b/distrib/sets/lists/tests/mi       Thu Jan 17 02:49:11 2019 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.802 2018/12/27 19:35:31 christos Exp $
+# $NetBSD: mi,v 1.803 2019/01/17 02:49:11 knakahara Exp $
 #
 # Note: don't delete entries from here - mark them as "obsolete" instead.
 #
@@ -3338,6 +3338,7 @@
 ./usr/tests/net/if_ipsec/Kyuafile              tests-net-tests         atf,rump,kyua
 ./usr/tests/net/if_ipsec/t_ipsec               tests-net-tests         atf,rump
 ./usr/tests/net/if_ipsec/t_ipsec_natt          tests-net-tests         atf,rump
+./usr/tests/net/if_ipsec/t_ipsec_pfil          tests-net-tests         atf,rump
 ./usr/tests/net/if_l2tp                                tests-net-tests         compattestfile,atf
 ./usr/tests/net/if_l2tp/Atffile                        tests-net-tests         atf,rump
 ./usr/tests/net/if_l2tp/Kyuafile               tests-net-tests         atf,rump,kyua
diff -r 28fb8a9da9a9 -r 32f6be3bed1a tests/net/if_ipsec/Makefile
--- a/tests/net/if_ipsec/Makefile       Thu Jan 17 02:47:15 2019 +0000
+++ b/tests/net/if_ipsec/Makefile       Thu Jan 17 02:49:11 2019 +0000
@@ -1,11 +1,11 @@
-# $NetBSD: Makefile,v 1.2 2018/12/25 03:54:44 knakahara Exp $
+# $NetBSD: Makefile,v 1.3 2019/01/17 02:49:11 knakahara Exp $
 #
 
 .include <bsd.own.mk>
 
 TESTSDIR=      ${TESTSBASE}/net/if_ipsec
 
-.for name in ipsec ipsec_natt
+.for name in ipsec ipsec_natt ipsec_pfil
 TESTS_SH+=             t_${name}
 TESTS_SH_SRC_t_${name}=        ../net_common.sh t_${name}.sh \
        ../ipsec/common.sh ../ipsec/algorithms.sh
diff -r 28fb8a9da9a9 -r 32f6be3bed1a tests/net/if_ipsec/t_ipsec_pfil.sh
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/net/if_ipsec/t_ipsec_pfil.sh        Thu Jan 17 02:49:11 2019 +0000
@@ -0,0 +1,364 @@
+#      $NetBSD: t_ipsec_pfil.sh,v 1.1 2019/01/17 02:49:11 knakahara Exp $
+#
+# Copyright (c) 2019 Internet Initiative Japan Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+SOCK_ROUTER1=unix://router1
+SOCK_ROUTER2=unix://router2
+ROUTER1_LANIP=192.168.1.1
+ROUTER1_LANNET=192.168.1.0/24
+ROUTER1_WANIP=10.0.0.1
+ROUTER1_IPSECIP=172.16.1.1
+ROUTER2_LANIP=192.168.2.1
+ROUTER2_LANNET=192.168.2.0/24
+ROUTER2_WANIP=10.0.0.2
+ROUTER2_IPSECIP=172.16.2.1
+
+DEBUG=${DEBUG:-false}
+TIMEOUT=7
+HIJACKING_NPF="${HIJACKING},blanket=/dev/npf"
+
+setup_router()
+{
+       local sock=$1
+       local lan=$2
+       local wan=$3
+
+       rump_server_add_iface $sock shmif0 bus0
+       rump_server_add_iface $sock shmif1 bus1
+
+       export RUMP_SERVER=${sock}
+       atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
+
+       atf_check -s exit:0 rump.ifconfig shmif0 inet ${lan} netmask 0xffffff00
+       atf_check -s exit:0 rump.ifconfig shmif0 up
+       # Ensure shmif0 is running
+       atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT ${lan}
+       $DEBUG && rump.ifconfig shmif0
+
+       atf_check -s exit:0 rump.ifconfig shmif1 inet ${wan} netmask 0xff000000
+       atf_check -s exit:0 rump.ifconfig shmif1 up
+       # Ensure shmif1 is running
+       atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT ${wan}
+       $DEBUG && rump.ifconfig shmif1
+
+       unset RUMP_SERVER
+}
+
+setup_if_ipsec()
+{
+       local addr=$1
+       local remote=$2
+       local src=$3
+       local dst=$4
+       local peernet=$5
+
+       atf_check -s exit:0 rump.ifconfig ipsec0 create
+       atf_check -s exit:0 rump.ifconfig ipsec0 tunnel $src $dst
+       atf_check -s exit:0 rump.ifconfig ipsec0 inet ${addr}/32 $remote
+       atf_check -s exit:0 -o ignore rump.route add -inet $peernet $addr
+
+       $DEBUG && rump.ifconfig ipsec0
+       $DEBUG && rump.route -nL show -inet
+}
+
+get_if_ipsec_unique()
+{
+       local src=$1
+       local proto=$2
+       local unique=""
+
+       unique=`$HIJACKING setkey -DP | grep -A2 "^${src}.*(${proto})$" | grep unique | sed 's/.*unique#//'`
+
+       echo $unique
+}
+
+setup_if_ipsec_sa()
+{
+       local src=$1
+       local dst=$2
+       local inid=$3
+       local outid=$4
+       local proto=$5
+       local algo=$6
+
+       local tmpfile=./tmp
+       local inunique=""
+       local outunique=""
+       local algo_args="$(generate_algo_args $proto $algo)"
+
+       inunique=`get_if_ipsec_unique $dst "ipv4"`
+       atf_check -s exit:0 test "X$inunique" != "X"
+       outunique=`get_if_ipsec_unique $src "ipv4"`
+       atf_check -s exit:0 test "X$outunique" != "X"
+
+       cat > $tmpfile <<-EOF
+       add $dst $src $proto $inid -u $inunique $algo_args;
+       add $src $dst $proto $outid -u $outunique $algo_args;
+       EOF
+       $DEBUG && cat $tmpfile
+       atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
+       $DEBUG && $HIJACKING setkey -D
+       $DEBUG && $HIJACKING setkey -DP
+}
+
+setup_tunnel()
+{
+       local proto=$1
+       local algo=$2
+
+       local addr= remote= src= dst= peernet=
+
+       export RUMP_SERVER=$SOCK_ROUTER1
+       addr=$ROUTER1_IPSECIP
+       remote=$ROUTER2_IPSECIP
+       src=$ROUTER1_WANIP
+       dst=$ROUTER2_WANIP
+       peernet=$ROUTER2_LANNET
+       setup_if_ipsec $addr $remote $src $dst $peernet
+       setup_if_ipsec_sa $src $dst "10000" "10001" $proto $algo
+
+       export RUMP_SERVER=$SOCK_ROUTER2
+       addr=$ROUTER2_IPSECIP
+       remote=$ROUTER1_IPSECIP
+       src=$ROUTER2_WANIP
+       dst=$ROUTER1_WANIP
+       peernet=$ROUTER1_LANNET
+       setup_if_ipsec $addr $remote $src $dst $peernet
+       setup_if_ipsec_sa $src $dst "10001" "10000" $proto $algo
+
+       # Ensure ipsecif(4) settings have completed.
+       export RUMP_SERVER=$SOCK_ROUTER1
+       atf_check -s exit:0 -o ignore \
+                       rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
+                       $ROUTER2_LANIP
+
+       export RUMP_SERVER=$SOCK_ROUTER2
+       atf_check -s exit:0 -o ignore \
+                       rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \
+                       $ROUTER1_LANIP
+
+       unset RUMP_SERVER
+}
+
+ipsecif_pfil_setup()
+{
+       local proto=$1
+       local algo=$2
+
+       rump_server_crypto_npf_start $SOCK_ROUTER1 netipsec ipsec
+       rump_server_crypto_npf_start $SOCK_ROUTER2 netipsec ipsec
+
+       setup_router $SOCK_ROUTER1 $ROUTER1_LANIP $ROUTER1_WANIP
+       setup_router $SOCK_ROUTER2 $ROUTER2_LANIP $ROUTER2_WANIP
+
+       setup_tunnel $proto $algo
+}
+
+prepare_file()
+{
+       local file=$1
+       local data="0123456789"
+
+       touch $file
+       for i in `seq 1 512`
+       do
+               echo $data >> $file
+       done
+}
+
+build_npf_conf()
+{
+       local outfile=$1
+       local subnet=$2
+       local direction=$3
+
+       local reverse=
+       if [ "X${direction}" = "Xin" ] ; then
+               reverse="out"
+       else
+               reverse="in"
+       fi
+
+       cat > $outfile <<-EOF
+       set bpf.jit off
+       \$if = inet4(ipsec0)
+       \$subnet = { $subnet }
+
+       procedure "log0" {
+               log: npflog0
+       }
+
+       group default {
+               block $direction on \$if proto tcp from \$subnet apply "log0"
+               pass $reverse on \$if proto tcp from \$subnet
+               pass in on \$if proto icmp from 0.0.0.0/0
+               pass out on \$if proto icmp from 0.0.0.0/0
+               pass final on shmif0 all
+               pass final on shmif1 all
+       }
+       EOF
+}
+
+ipsecif_pfil_test()
+{
+       local outfile=./out
+       local npffile=./npf.conf
+       local file_send=./file.send
+       local file_recv=./file.recv
+
+       local subnet="172.16.0.0/16"
+
+       # Try TCP communications just in case.
+       start_nc_server $SOCK_ROUTER2 8888 $file_recv ipv4
+       prepare_file $file_send
+       export RUMP_SERVER=$SOCK_ROUTER1
+       atf_check -s exit:0 $HIJACKING nc -w 3 $ROUTER2_IPSECIP 8888 < $file_send
+       atf_check -s exit:0 diff -q $file_send $file_recv
+       stop_nc_server
+
+       # Setup npf to block *out* direction for ipsecif(4).
+       build_npf_conf $npffile $subnet "out"
+       $DEBUG && cat $npffile
+
+       export RUMP_SERVER=$SOCK_ROUTER1
+       atf_check -s exit:0 $HIJACKING_NPF npfctl reload $npffile
+       atf_check -s exit:0 $HIJACKING_NPF npfctl start
+       $DEBUG && ${HIJACKING},"blanket=/dev/npf" npfctl show
+
+       # ping should still work
+       export RUMP_SERVER=$SOCK_ROUTER1
+       atf_check -s exit:0 -o ignore \
+                       rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
+                       $ROUTER2_LANIP
+
+       export RUMP_SERVER=$SOCK_ROUTER2
+       atf_check -s exit:0 -o ignore \
+                       rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \
+                       $ROUTER1_LANIP
+
+       # TCP communications should be blocked.
Prev by Date: [src/trunk]: src/sys Fix ipsecif(4) cannot apply input direction packet filte...
Next by Date: [src/trunk]: src/usr.sbin/btpand btpand(8): replace dhclient(8) references wi...
Previous by Thread: [src/trunk]: src/sys Fix ipsecif(4) cannot apply input direction packet filte...
Next by Thread: [src/trunk]: src/usr.sbin/btpand btpand(8): replace dhclient(8) references wi...
Indexes:
Home | Main Index | Thread Index | Old Index