| version 1.1, 2017/10/30 15:59:23 |
version 1.2, 2018/11/22 04:51:41 |
| Line 31 SOCK_REMOTE=unix://ipsec_natt_remote |
|
| Line 31 SOCK_REMOTE=unix://ipsec_natt_remote |
|
| BUS_LOCAL=./bus_ipsec_natt_local |
BUS_LOCAL=./bus_ipsec_natt_local |
| BUS_NAT=./bus_ipsec_natt_nat |
BUS_NAT=./bus_ipsec_natt_nat |
| BUS_REMOTE=./bus_ipsec_natt_remote |
BUS_REMOTE=./bus_ipsec_natt_remote |
| |
BUS_GLOBAL=./bus_ipsec_natt_global |
| |
|
| DEBUG=${DEBUG:-false} |
DEBUG=${DEBUG:-false} |
| HIJACKING_NPF="${HIJACKING},blanket=/dev/npf" |
HIJACKING_NPF="${HIJACKING},blanket=/dev/npf" |
| |
|
| setup_servers() |
setup_servers_ipv4() |
| { |
{ |
| |
|
| rump_server_crypto_start $SOCK_LOCAL netipsec |
rump_server_crypto_start $SOCK_LOCAL netipsec |
|
|
| rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_NAT |
rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_NAT |
| } |
} |
| |
|
| |
setup_servers_ipv6() |
| |
{ |
| |
|
| |
rump_server_crypto_start $SOCK_LOCAL netipsec netinet6 ipsec |
| |
rump_server_crypto_start $SOCK_REMOTE netipsec netinet6 ipsec |
| |
rump_server_add_iface $SOCK_LOCAL shmif0 $BUS_GLOBAL |
| |
rump_server_add_iface $SOCK_REMOTE shmif0 $BUS_GLOBAL |
| |
} |
| |
|
| |
setup_servers() |
| |
{ |
| |
local proto=$1 |
| |
|
| |
setup_servers_$proto |
| |
} |
| |
|
| setup_sp() |
setup_sp() |
| { |
{ |
| local proto=$1 |
local proto=$1 |
| Line 151 PIDSFILE=./terminator.pids |
|
| Line 168 PIDSFILE=./terminator.pids |
|
| start_natt_terminator() |
start_natt_terminator() |
| { |
{ |
| local sock=$1 |
local sock=$1 |
| local ip=$2 |
local proto=$2 |
| local port=$3 |
local ip=$3 |
| local pidsfile=$4 |
local port=$4 |
| |
local pidsfile=$5 |
| local backup=$RUMP_SERVER |
local backup=$RUMP_SERVER |
| local pid= |
local pid= opt= |
| local terminator="$(atf_get_srcdir)/natt_terminator" |
local terminator="$(atf_get_srcdir)/natt_terminator" |
| |
|
| |
if [ "$proto" = "ipv6" ]; then |
| |
opt="-6" |
| |
else |
| |
opt="-4" |
| |
fi |
| |
|
| export RUMP_SERVER=$sock |
export RUMP_SERVER=$sock |
| |
|
| env LD_PRELOAD=/usr/lib/librumphijack.so \ |
env LD_PRELOAD=/usr/lib/librumphijack.so \ |
| $terminator $ip $port & |
$terminator $opt $ip $port & |
| pid=$! |
pid=$! |
| if [ ! -f $PIDSFILE ]; then |
if [ ! -f $PIDSFILE ]; then |
| touch $PIDSFILE |
touch $PIDSFILE |
| Line 189 stop_natt_terminators() |
|
| Line 213 stop_natt_terminators() |
|
| rm -f $PIDSFILE |
rm -f $PIDSFILE |
| } |
} |
| |
|
| test_ipsec_natt_transport() |
test_ipsec_natt_transport_ipv4() |
| { |
{ |
| local algo=$1 |
local algo=$1 |
| local ip_local=10.0.1.2 |
local ip_local=10.0.1.2 |
| Line 204 test_ipsec_natt_transport() |
|
| Line 228 test_ipsec_natt_transport() |
|
| local algo_args="$(generate_algo_args esp-udp $algo)" |
local algo_args="$(generate_algo_args esp-udp $algo)" |
| local pid= port= |
local pid= port= |
| |
|
| setup_servers |
setup_servers ipv4 |
| |
|
| export RUMP_SERVER=$SOCK_LOCAL |
export RUMP_SERVER=$SOCK_LOCAL |
| atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 |
atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 |
| Line 278 test_ipsec_natt_transport() |
|
| Line 302 test_ipsec_natt_transport() |
|
| cat $outfile |
cat $outfile |
| |
|
| # Launch a nc server as a terminator of NAT-T on outside the NAPT |
# Launch a nc server as a terminator of NAT-T on outside the NAPT |
| start_natt_terminator $SOCK_REMOTE $ip_remote 4500 |
start_natt_terminator $SOCK_REMOTE ipv4 $ip_remote 4500 |
| echo zzz > $file_send |
echo zzz > $file_send |
| |
|
| export RUMP_SERVER=$SOCK_LOCAL |
export RUMP_SERVER=$SOCK_LOCAL |
| Line 288 test_ipsec_natt_transport() |
|
| Line 312 test_ipsec_natt_transport() |
|
| nc -u -w 3 -p 4500 $ip_remote 4500 < $file_send |
nc -u -w 3 -p 4500 $ip_remote 4500 < $file_send |
| # Launch a nc server as a terminator of NAT-T on inside the NAPT, |
# Launch a nc server as a terminator of NAT-T on inside the NAPT, |
| # taking over port 4500 of the local host. |
# taking over port 4500 of the local host. |
| start_natt_terminator $SOCK_LOCAL $ip_local 4500 |
start_natt_terminator $SOCK_LOCAL ipv4 $ip_local 4500 |
| |
|
| # We need to keep the servers for NAT-T |
# We need to keep the servers for NAT-T |
| |
|
| Line 337 test_ipsec_natt_transport() |
|
| Line 361 test_ipsec_natt_transport() |
|
| stop_natt_terminators |
stop_natt_terminators |
| } |
} |
| |
|
| add_test_ipsec_natt_transport() |
test_ipsec_natt_transport_ipv6_without_nat() |
| { |
{ |
| local algo=$1 |
local algo=$1 |
| |
local ip_local_phys=fc00::1 |
| |
local ip_local_ipsecif=fc00:1111::1 |
| |
local ip_remote_phys=fc00::2 |
| |
local ip_remote_ipsecif=fc00:2222::1 |
| |
local outfile=./out |
| |
local npffile=./npf.conf |
| |
local file_send=./file.send |
| |
local file_recv=./file.recv |
| |
local algo_args="$(generate_algo_args esp-udp $algo)" |
| |
local pid= |
| |
local port=4500 |
| |
|
| |
setup_servers ipv6 |
| |
|
| |
export RUMP_SERVER=$SOCK_LOCAL |
| |
atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0 |
| |
atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_local_phys/64 |
| |
|
| |
export RUMP_SERVER=$SOCK_REMOTE |
| |
atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0 |
| |
atf_check -s exit:0 rump.ifconfig shmif0 inet6 $ip_remote_phys/64 |
| |
|
| |
extract_new_packets $BUS_GLOBAL > $outfile |
| |
|
| |
export RUMP_SERVER=$SOCK_LOCAL |
| |
atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 3 $ip_remote_phys |
| |
|
| |
extract_new_packets $BUS_GLOBAL > $outfile |
| |
$DEBUG && cat $outfile |
| |
atf_check -s exit:0 \ |
| |
-o match:"$ip_local_phys > $ip_remote_phys: ICMP6, echo request" \ |
| |
cat $outfile |
| |
atf_check -s exit:0 \ |
| |
-o match:"$ip_remote_phys > $ip_local_phys: ICMP6, echo reply" \ |
| |
cat $outfile |
| |
|
| |
# Create ESP-UDP ipsecif(4) connections |
| |
export RUMP_SERVER=$SOCK_LOCAL |
| |
atf_check -s exit:0 rump.ifconfig ipsec0 create |
| |
atf_check -s exit:0 rump.ifconfig ipsec0 link0 # enable nat-t |
| |
atf_check -s exit:0 rump.ifconfig ipsec0 link2 # ensure IPv6 forward |
| |
atf_check -s exit:0 rump.ifconfig ipsec0 tunnel $ip_local_phys $ip_remote_phys |
| |
atf_check -s exit:0 rump.ifconfig ipsec0 inet6 $ip_local_ipsecif |
| |
atf_check -s exit:0 -o ignore \ |
| |
rump.route -n add -inet6 $ip_remote_ipsecif $ip_local_ipsecif |
| |
start_natt_terminator $SOCK_LOCAL ipv6 $ip_local_phys $port |
| |
|
| |
add_sa "esp-udp" "$algo_args" $ip_local_phys $ip_remote_phys \ |
| |
$ip_local_phys 10000 $port |
| |
|
| |
export RUMP_SERVER=$SOCK_REMOTE |
| |
atf_check -s exit:0 rump.ifconfig ipsec0 create |
| |
atf_check -s exit:0 rump.ifconfig ipsec0 link0 # enable nat-t |
| |
atf_check -s exit:0 rump.ifconfig ipsec0 link2 # ensure IPv6 forward |
| |
atf_check -s exit:0 rump.ifconfig ipsec0 tunnel $ip_remote_phys $ip_local_phys |
| |
atf_check -s exit:0 rump.ifconfig ipsec0 inet6 $ip_remote_ipsecif |
| |
atf_check -s exit:0 -o ignore \ |
| |
rump.route -n add -inet6 $ip_local_ipsecif $ip_remote_ipsecif |
| |
start_natt_terminator $SOCK_REMOTE ipv6 $ip_remote_phys $port |
| |
|
| |
# ping should still work |
| |
export RUMP_SERVER=$SOCK_LOCAL |
| |
atf_check -s exit:0 -o ignore rump.ping6 -c 1 -n -X 5 $ip_remote_ipsecif |
| |
|
| |
# Check UDP encapsulation |
| |
extract_new_packets $BUS_GLOBAL > $outfile |
| |
$DEBUG && cat $outfile |
| |
|
| |
atf_check -s exit:0 \ |
| |
-o match:"${ip_local_phys}\.$port > ${ip_remote_phys}\.4500: UDP-encap" \ |
| |
cat $outfile |
| |
atf_check -s exit:0 \ |
| |
-o match:"${ip_remote_phys}\.4500 > ${ip_local_phys}\.$port: UDP-encap" \ |
| |
cat $outfile |
| |
|
| |
# Kill the NAT-T terminator |
| |
stop_natt_terminators |
| |
export RUMP_SERVER=$SOCK_REMOTE |
| |
stop_natt_terminators |
| |
} |
| |
|
| |
test_ipsec_natt_transport_ipv6() |
| |
{ |
| |
local algo=$1 |
| |
|
| |
test_ipsec_natt_transport_ipv6_without_nat $algo |
| |
} |
| |
|
| |
add_test_ipsec_natt_transport() |
| |
{ |
| |
local proto=$1 |
| |
local algo=$2 |
| local _algo=$(echo $algo | sed 's/-//g') |
local _algo=$(echo $algo | sed 's/-//g') |
| local name= desc= |
local name= desc= |
| |
|
| desc="Test IPsec NAT-T ($algo)" |
desc="Test IPsec $proto NAT-T ($algo)" |
| name="ipsec_natt_transport_${_algo}" |
name="ipsec_natt_transport_${proto}_${_algo}" |
| |
|
| atf_test_case ${name} cleanup |
atf_test_case ${name} cleanup |
| eval " |
eval " |
| Line 353 add_test_ipsec_natt_transport() |
|
| Line 469 add_test_ipsec_natt_transport() |
|
| atf_set require.progs rump_server setkey nc |
atf_set require.progs rump_server setkey nc |
| } |
} |
| ${name}_body() { |
${name}_body() { |
| test_ipsec_natt_transport $algo |
test_ipsec_natt_transport_$proto $algo |
| rump_server_destroy_ifaces |
rump_server_destroy_ifaces |
| } |
} |
| ${name}_cleanup() { |
${name}_cleanup() { |
| Line 371 atf_init_test_cases() |
|
| Line 487 atf_init_test_cases() |
|
| local algo= |
local algo= |
| |
|
| for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do |
for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do |
| add_test_ipsec_natt_transport $algo |
add_test_ipsec_natt_transport ipv4 $algo |
| |
add_test_ipsec_natt_transport ipv6 $algo |
| done |
done |
| } |
} |
![[BACK]](/icons/back.gif){kind=icon}
Return to t_ipsec_natt.sh CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [cvs.NetBSD.org] / src / tests / net / ipsec