Training courses

Kernel and Embedded Linux

Bootlin training courses

Embedded Linux, kernel,
Yocto Project, Buildroot, real-time,
graphics, boot time, debugging...

Bootlin logo

Elixir Cross Referencer

#	$NetBSD: t_ipsec_pfil.sh,v 1.1.6.1 2020/11/10 11:44:22 martin Exp $
#
# Copyright (c) 2019 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#

SOCK_ROUTER1=unix://router1
SOCK_ROUTER2=unix://router2
ROUTER1_LANIP=192.168.1.1
ROUTER1_LANNET=192.168.1.0/24
ROUTER1_WANIP=10.0.0.1
ROUTER1_IPSECIP=172.16.1.1
ROUTER2_LANIP=192.168.2.1
ROUTER2_LANNET=192.168.2.0/24
ROUTER2_WANIP=10.0.0.2
ROUTER2_IPSECIP=172.16.2.1

DEBUG=${DEBUG:-false}
TIMEOUT=7
HIJACKING_NPF="${HIJACKING},blanket=/dev/npf"

setup_router()
{
	local sock=$1
	local lan=$2
	local wan=$3

	rump_server_add_iface $sock shmif0 bus0
	rump_server_add_iface $sock shmif1 bus1

	export RUMP_SERVER=${sock}
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0

	atf_check -s exit:0 rump.ifconfig shmif0 inet ${lan} netmask 0xffffff00
	atf_check -s exit:0 rump.ifconfig shmif0 up
	# Ensure shmif0 is running
	atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT ${lan}
	$DEBUG && rump.ifconfig shmif0

	atf_check -s exit:0 rump.ifconfig shmif1 inet ${wan} netmask 0xff000000
	atf_check -s exit:0 rump.ifconfig shmif1 up
	# Ensure shmif1 is running
	atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT ${wan}
	$DEBUG && rump.ifconfig shmif1

	unset RUMP_SERVER
}

setup_if_ipsec()
{
	local addr=$1
	local remote=$2
	local src=$3
	local dst=$4
	local peernet=$5

	atf_check -s exit:0 rump.ifconfig ipsec0 create
	atf_check -s exit:0 rump.ifconfig ipsec0 tunnel $src $dst
	atf_check -s exit:0 rump.ifconfig ipsec0 inet ${addr}/32 $remote
	atf_check -s exit:0 -o ignore rump.route add -inet $peernet $addr

	$DEBUG && rump.ifconfig ipsec0
	$DEBUG && rump.route -nL show -inet
}

get_if_ipsec_unique()
{
	local src=$1
	local proto=$2
	local unique=""

	unique=`$HIJACKING setkey -DP | grep -A2 "^${src}.*(${proto})$" | grep unique | sed 's/.*unique#//'`

	echo $unique
}

setup_if_ipsec_sa()
{
	local src=$1
	local dst=$2
	local inid=$3
	local outid=$4
	local proto=$5
	local algo=$6

	local tmpfile=./tmp
	local inunique=""
	local outunique=""
	local algo_args="$(generate_algo_args $proto $algo)"

	inunique=`get_if_ipsec_unique $dst "ipv4"`
	atf_check -s exit:0 test "X$inunique" != "X"
	outunique=`get_if_ipsec_unique $src "ipv4"`
	atf_check -s exit:0 test "X$outunique" != "X"

	cat > $tmpfile <<-EOF
	add $dst $src $proto $inid -u $inunique -m transport $algo_args;
	add $src $dst $proto $outid -u $outunique -m transport $algo_args;
	EOF
	$DEBUG && cat $tmpfile
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	$DEBUG && $HIJACKING setkey -D
	$DEBUG && $HIJACKING setkey -DP
}

setup_tunnel()
{
	local proto=$1
	local algo=$2

	local addr= remote= src= dst= peernet=

	export RUMP_SERVER=$SOCK_ROUTER1
	addr=$ROUTER1_IPSECIP
	remote=$ROUTER2_IPSECIP
	src=$ROUTER1_WANIP
	dst=$ROUTER2_WANIP
	peernet=$ROUTER2_LANNET
	setup_if_ipsec $addr $remote $src $dst $peernet
	setup_if_ipsec_sa $src $dst "10000" "10001" $proto $algo

	export RUMP_SERVER=$SOCK_ROUTER2
	addr=$ROUTER2_IPSECIP
	remote=$ROUTER1_IPSECIP
	src=$ROUTER2_WANIP
	dst=$ROUTER1_WANIP
	peernet=$ROUTER1_LANNET
	setup_if_ipsec $addr $remote $src $dst $peernet
	setup_if_ipsec_sa $src $dst "10001" "10000" $proto $algo

	# Ensure ipsecif(4) settings have completed.
	export RUMP_SERVER=$SOCK_ROUTER1
	atf_check -s exit:0 -o ignore \
			rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
			$ROUTER2_LANIP

	export RUMP_SERVER=$SOCK_ROUTER2
	atf_check -s exit:0 -o ignore \
			rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \
			$ROUTER1_LANIP

	unset RUMP_SERVER
}

ipsecif_pfil_setup()
{
	local proto=$1
	local algo=$2

	rump_server_crypto_npf_start $SOCK_ROUTER1 netipsec ipsec
	rump_server_crypto_npf_start $SOCK_ROUTER2 netipsec ipsec

	setup_router $SOCK_ROUTER1 $ROUTER1_LANIP $ROUTER1_WANIP
	setup_router $SOCK_ROUTER2 $ROUTER2_LANIP $ROUTER2_WANIP

	setup_tunnel $proto $algo
}

prepare_file()
{
	local file=$1
	local data="0123456789"

	touch $file
	for i in `seq 1 512`
	do
		echo $data >> $file
	done
}

build_npf_conf()
{
	local outfile=$1
	local subnet=$2
	local direction=$3

	local reverse=
	if [ "X${direction}" = "Xin" ] ; then
		reverse="out"
	else
		reverse="in"
	fi

	cat > $outfile <<-EOF
	set bpf.jit off
	\$if = inet4(ipsec0)
	\$subnet = { $subnet }

	procedure "log0" {
		log: npflog0
	}

	group default {
		block $direction on \$if proto tcp from \$subnet apply "log0"
		pass $reverse on \$if proto tcp from \$subnet
		pass in on \$if proto icmp from 0.0.0.0/0
		pass out on \$if proto icmp from 0.0.0.0/0
		pass final on shmif0 all
		pass final on shmif1 all
	}
	EOF
}

ipsecif_pfil_test()
{
	local outfile=./out
	local npffile=./npf.conf
	local file_send=./file.send
	local file_recv=./file.recv

	local subnet="172.16.0.0/16"

	# Try TCP communications just in case.
	start_nc_server $SOCK_ROUTER2 8888 $file_recv ipv4
	prepare_file $file_send
	export RUMP_SERVER=$SOCK_ROUTER1
	atf_check -s exit:0 $HIJACKING nc -w 3 $ROUTER2_IPSECIP 8888 < $file_send
	atf_check -s exit:0 diff -q $file_send $file_recv
	stop_nc_server

	# Setup npf to block *out* direction for ipsecif(4).
	build_npf_conf $npffile $subnet "out"
	$DEBUG && cat $npffile

	export RUMP_SERVER=$SOCK_ROUTER1
	atf_check -s exit:0 $HIJACKING_NPF npfctl reload $npffile
	atf_check -s exit:0 $HIJACKING_NPF npfctl start
	$DEBUG && ${HIJACKING},"blanket=/dev/npf" npfctl show

	# ping should still work
	export RUMP_SERVER=$SOCK_ROUTER1
	atf_check -s exit:0 -o ignore \
			rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
			$ROUTER2_LANIP

	export RUMP_SERVER=$SOCK_ROUTER2
	atf_check -s exit:0 -o ignore \
			rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \
			$ROUTER1_LANIP

	# TCP communications should be blocked.
	start_nc_server $SOCK_ROUTER2 8888 $file_recv ipv4
	prepare_file $file_send
	export RUMP_SERVER=$SOCK_ROUTER1
	atf_check -s exit:1 -o ignore $HIJACKING nc -w 3 $ROUTER2_IPSECIP 8888 < $file_send
	stop_nc_server

	atf_check -s exit:0 $HIJACKING_NPF npfctl stop
	$DEBUG && ${HIJACKING},"blanket=/dev/npf" npfctl show

	# Setup npf to block *in* direction for ipsecif(4).
	build_npf_conf $npffile $subnet "in"
	$DEBUG && cat $npffile

	export RUMP_SERVER=$SOCK_ROUTER2
	atf_check -s exit:0 $HIJACKING_NPF npfctl reload $npffile
	atf_check -s exit:0 $HIJACKING_NPF npfctl start
	$DEBUG && ${HIJACKING},"blanket=/dev/npf" npfctl show

	# ping should still work.
	export RUMP_SERVER=$SOCK_ROUTER1
	atf_check -s exit:0 -o ignore \
			rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
			$ROUTER2_LANIP

	export RUMP_SERVER=$SOCK_ROUTER2
	atf_check -s exit:0 -o ignore \
			rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \
			$ROUTER1_LANIP

	# TCP communications should be blocked.
	start_nc_server $SOCK_ROUTER2 8888 $file_recv ipv4
	prepare_file $file_send
	export RUMP_SERVER=$SOCK_ROUTER1
	atf_check -s exit:1 -o ignore $HIJACKING nc -w 3 $ROUTER2_IPSECIP 8888 < $file_send
	stop_nc_server

	atf_check -s exit:0 $HIJACKING_NPF npfctl stop
	$DEBUG && ${HIJACKING},"blanket=/dev/npf" npfctl show


	unset RUMP_SERVER
}

ipsecif_pfil_teardown()
{

	export RUMP_SERVER=$SOCK_ROUTER1
	atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel
	atf_check -s exit:0 rump.ifconfig ipsec0 destroy
	$HIJACKING setkey -F

	export RUMP_SERVER=$SOCK_ROUTER2
	atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel
	atf_check -s exit:0 rump.ifconfig ipsec0 destroy
	$HIJACKING setkey -F

	unset RUMP_SERVER
}

add_test()
{
	local proto=$1
	local algo=$2
	local _algo=$(echo $algo | sed 's/-//g')

	name="ipsecif_pfil_${proto}_${_algo}"
	desc="Does ipsecif filter tests"

	atf_test_case ${name} cleanup
	eval "${name}_head() {
			atf_set descr \"${desc}\"
			atf_set require.progs rump_server setkey
		}
	    ${name}_body() {
			ipsecif_pfil_setup ${proto} ${algo}
			ipsecif_pfil_test
			ipsecif_pfil_teardown
			rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
			\$DEBUG && dump
			cleanup
		}"
	atf_add_test_case ${name}
}

add_test_allalgo()
{
	local desc=$1

	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		add_test esp $algo
	done

	# ah does not support yet
}

atf_init_test_cases()
{

	add_test_allalgo ipsecif_pfil
}