# $OpenBSD: Makefile,v 1.33 2021/10/31 18:24:08 bluhm Exp $

# This test needs a manual setup of four machines, the make
# target create-setup can be used to distribute the configuration.
# The setup is the same as for regress/sys/net/pf_forward.
# Set up machines: SRC IPS RT ECO
# SRC is the machine where this makefile is running.
# IPS is running IPsec, it is reflecting or forwarding packets.
# RT is a router forwarding packets, maximum MTU is 1300.
# ECO is reflecting the ping and UDP and TCP echo packets.
#
# By choosing the net prefix of the outgoing packet the mode is selected
# 5 -> 5 : transport v4
# 4 -> 5 : transport v6
# 8 -> c : tunnel v4 stack v4
# 8 -> c : tunnel v4 stack v6
# 8 -> d : tunnel v6 stack v4
# 8 -> d : tunnel v6 stack v6
# 8 -> e : tunnel v4 forward v4
# 8 -> e : tunnel v4 forward v6
# 8 -> f : tunnel v6 forward v4
# 8 -> f : tunnel v6 forward v6
#
#                   1400        1300
# +---+   06    +---+   1    +---+   2    +---+
# |SRC| ------> |IPS| -----> |RT | -----> |ECO|
# +---+ 458   5 +---+  cd    +---+  ef    +---+
#      out     in   out    in   out    in
#
# The encapsulation is chosen by the digit before
# 0,1 ESP
# 2,3 AH
# 4,5 IPIP
# 6,7 IPCOMP
# 8,9 BUNDLE
#
# How the two digits map onto the address tables below: the IPv6 /64 is
# the prefix followed by the encapsulation digit and the mode digit in
# hex (ESP tunnel to the IPS v4 stack is net 10c), the IPv4 /24 is
# 100 + 10*encapsulation + mode in decimal, with c..f counted as 12..15
# (the same ESP tunnel net is 112, the AH one 132).  Every address ends
# in the host number .17 (SRC), .70 (IPS), .71 (RT) or .72 (ECO).

# Address prefixes shared by all test networks; each of the variables
# below can be overridden on the make command line or in the environment
# because they are assigned with ?=.
PREFIX_IPV4 ?=	10.188.1
PREFIX_IPV6 ?=	fdd7:e83e:66bc:1

# IPv4 outgoing address is selected by route if address of cloning route,
# so SRC_TRANSP_IPV4 and IPS_TRANSP_IPV4 must be in same net
# IPv6 outgoing address is selected common prefix, 4 and 5 are close together
# SRC_TRANSP_IPV6 and IPS_TRANSP_IPV6 should be in different network
# to avoid encryption of neighbor discovery packets

SRC_OUT_IPV4 ?=		${PREFIX_IPV4}00.17
SRC_OUT_IPV6 ?=		${PREFIX_IPV6}00::17
SRC_BUNDLE_IPV4 ?=	${PREFIX_IPV4}06.17
SRC_BUNDLE_IPV6 ?=	${PREFIX_IPV6}06::17
SRC_ESP_TRANSP_IPV4 ?=	${PREFIX_IPV4}05.17
SRC_ESP_TRANSP_IPV6 ?=	${PREFIX_IPV6}04::17
SRC_ESP_TUNNEL_IPV4 ?=	${PREFIX_IPV4}08.17
SRC_ESP_TUNNEL_IPV6 ?=	${PREFIX_IPV6}08::17
SRC_AH_TRANSP_IPV4 ?=	${PREFIX_IPV4}25.17
SRC_AH_TRANSP_IPV6 ?=	${PREFIX_IPV6}24::17
SRC_AH_TUNNEL_IPV4 ?=	${PREFIX_IPV4}28.17
SRC_AH_TUNNEL_IPV6 ?=	${PREFIX_IPV6}28::17
SRC_IPIP_TRANSP_IPV4 ?=	${PREFIX_IPV4}45.17
SRC_IPIP_TRANSP_IPV6 ?=	${PREFIX_IPV6}44::17
SRC_IPIP_TUNNEL_IPV4 ?=	${PREFIX_IPV4}48.17
SRC_IPIP_TUNNEL_IPV6 ?=	${PREFIX_IPV6}48::17
SRC_IPCOMP_TRANSP_IPV4 ?=	${PREFIX_IPV4}65.17
SRC_IPCOMP_TRANSP_IPV6 ?=	${PREFIX_IPV6}64::17
SRC_IPCOMP_TUNNEL_IPV4 ?=	${PREFIX_IPV4}68.17
SRC_IPCOMP_TUNNEL_IPV6 ?=	${PREFIX_IPV6}68::17
SRC_BUNDLE_TRANSP_IPV4 ?=	${PREFIX_IPV4}85.17
SRC_BUNDLE_TRANSP_IPV6 ?=	${PREFIX_IPV6}84::17
SRC_BUNDLE_TUNNEL_IPV4 ?=	${PREFIX_IPV4}88.17
SRC_BUNDLE_TUNNEL_IPV6 ?=	${PREFIX_IPV6}88::17

# IPS has a TRANSP address per encapsulation and, for tunnel mode, one
# address per inner IP version: TUNNEL4 terminates in the IPv4 stack,
# TUNNEL6 in the IPv6 stack.
IPS_IN_IPV4 ?=		${PREFIX_IPV4}00.70
IPS_IN_IPV6 ?=		${PREFIX_IPV6}00::70
IPS_OUT_IPV4 ?=		${PREFIX_IPV4}01.70
IPS_OUT_IPV6 ?=		${PREFIX_IPV6}01::70
IPS_BUNDLE_IPV4 ?=	${PREFIX_IPV4}06.70
IPS_BUNDLE_IPV6 ?=	${PREFIX_IPV6}06::70
IPS_ESP_TRANSP_IPV4 ?=	${PREFIX_IPV4}05.70
IPS_ESP_TRANSP_IPV6 ?=	${PREFIX_IPV6}05::70
IPS_ESP_TUNNEL4_IPV4 ?=	${PREFIX_IPV4}12.70
IPS_ESP_TUNNEL4_IPV6 ?=	${PREFIX_IPV6}0c::70
IPS_ESP_TUNNEL6_IPV4 ?=	${PREFIX_IPV4}13.70
IPS_ESP_TUNNEL6_IPV6 ?=	${PREFIX_IPV6}0d::70
IPS_AH_TRANSP_IPV4 ?=	${PREFIX_IPV4}25.70
IPS_AH_TRANSP_IPV6 ?=	${PREFIX_IPV6}25::70
IPS_AH_TUNNEL4_IPV4 ?=	${PREFIX_IPV4}32.70
IPS_AH_TUNNEL4_IPV6 ?=	${PREFIX_IPV6}2c::70
IPS_AH_TUNNEL6_IPV4 ?=	${PREFIX_IPV4}33.70
IPS_AH_TUNNEL6_IPV6 ?=	${PREFIX_IPV6}2d::70
IPS_IPIP_TRANSP_IPV4 ?=	${PREFIX_IPV4}45.70
IPS_IPIP_TRANSP_IPV6 ?=	${PREFIX_IPV6}45::70
IPS_IPIP_TUNNEL4_IPV4 ?=	${PREFIX_IPV4}52.70
IPS_IPIP_TUNNEL4_IPV6 ?=	${PREFIX_IPV6}4c::70
IPS_IPIP_TUNNEL6_IPV4 ?=	${PREFIX_IPV4}53.70
IPS_IPIP_TUNNEL6_IPV6 ?=	${PREFIX_IPV6}4d::70
IPS_IPCOMP_TRANSP_IPV4 ?=	${PREFIX_IPV4}65.70
IPS_IPCOMP_TRANSP_IPV6 ?=	${PREFIX_IPV6}65::70
IPS_IPCOMP_TUNNEL4_IPV4 ?=	${PREFIX_IPV4}72.70
IPS_IPCOMP_TUNNEL4_IPV6 ?=	${PREFIX_IPV6}6c::70
IPS_IPCOMP_TUNNEL6_IPV4 ?=	${PREFIX_IPV4}73.70
IPS_IPCOMP_TUNNEL6_IPV6 ?=	${PREFIX_IPV6}6d::70
IPS_BUNDLE_TRANSP_IPV4 ?=	${PREFIX_IPV4}85.70
IPS_BUNDLE_TRANSP_IPV6 ?=	${PREFIX_IPV6}85::70
IPS_BUNDLE_TUNNEL4_IPV4 ?=	${PREFIX_IPV4}92.70
IPS_BUNDLE_TUNNEL4_IPV6 ?=	${PREFIX_IPV6}8c::70
IPS_BUNDLE_TUNNEL6_IPV4 ?=	${PREFIX_IPV4}93.70
IPS_BUNDLE_TUNNEL6_IPV6 ?=	${PREFIX_IPV6}8d::70

# RT only forwards; it carries no IPsec addresses of its own.
RT_IN_IPV4 ?=		${PREFIX_IPV4}01.71
RT_IN_IPV6 ?=		${PREFIX_IPV6}01::71
RT_OUT_IPV4 ?=		${PREFIX_IPV4}02.71
RT_OUT_IPV6 ?=		${PREFIX_IPV6}02::71

# ECO has no TRANSP addresses; it is only reached through the tunnels
# that IPS forwards (nets e and f).  Several loops below rely on the
# ECO_*_TRANSP_* variables being empty.
ECO_IN_IPV4 ?=		${PREFIX_IPV4}02.72
ECO_IN_IPV6 ?=		${PREFIX_IPV6}02::72
ECO_ESP_TUNNEL4_IPV4 ?=	${PREFIX_IPV4}14.72
ECO_ESP_TUNNEL4_IPV6 ?=	${PREFIX_IPV6}0e::72
ECO_ESP_TUNNEL6_IPV4 ?=	${PREFIX_IPV4}15.72
ECO_ESP_TUNNEL6_IPV6 ?=	${PREFIX_IPV6}0f::72
ECO_AH_TUNNEL4_IPV4 ?=	${PREFIX_IPV4}34.72
ECO_AH_TUNNEL4_IPV6 ?=	${PREFIX_IPV6}2e::72
ECO_AH_TUNNEL6_IPV4 ?=	${PREFIX_IPV4}35.72
ECO_AH_TUNNEL6_IPV6 ?=	${PREFIX_IPV6}2f::72
ECO_IPIP_TUNNEL4_IPV4 ?=	${PREFIX_IPV4}54.72
ECO_IPIP_TUNNEL4_IPV6 ?=	${PREFIX_IPV6}4e::72
ECO_IPIP_TUNNEL6_IPV4 ?=	${PREFIX_IPV4}55.72
ECO_IPIP_TUNNEL6_IPV6 ?=	${PREFIX_IPV6}4f::72
ECO_IPCOMP_TUNNEL4_IPV4 ?=	${PREFIX_IPV4}74.72
ECO_IPCOMP_TUNNEL4_IPV6 ?=	${PREFIX_IPV6}6e::72
ECO_IPCOMP_TUNNEL6_IPV4 ?=	${PREFIX_IPV4}75.72
ECO_IPCOMP_TUNNEL6_IPV6 ?=	${PREFIX_IPV6}6f::72
ECO_BUNDLE_TUNNEL4_IPV4 ?=	${PREFIX_IPV4}94.72
ECO_BUNDLE_TUNNEL4_IPV6 ?=	${PREFIX_IPV6}8e::72
ECO_BUNDLE_TUNNEL6_IPV4 ?=	${PREFIX_IPV4}95.72
ECO_BUNDLE_TUNNEL6_IPV6 ?=	${PREFIX_IPV6}8f::72

# Configure Addresses on the machines, there must be routes for the
# networks.  Adapt interface and address variables to your local
# setup.  To control the remote machine you need a hostname for
# ssh to log in.
#
# IPS and ECO need inetd echo service on TRANSP and TUNNEL addresses.
# Run make create-setup to copy hostname.if files to the machines.
# Run make check-setup to see if you got the setup correct.
#
# IPS_SSH, RT_SSH and ECO_SSH are not set here; they are expected from
# the environment or the command line and are also used as local
# directory names for the generated per-host configuration files.
# create-setup logs in to these hosts as root, so this is meant for
# dedicated test machines only.

SRC_OUT_IF ?=	tap4
IPS_IN_IF ?=	vio1
IPS_OUT_IF ?=	vio2
RT_IN_IF ?=	vio1
RT_OUT_IF ?=	vio2
ECO_IN_IF ?=	vio1

# Helper programs built by the regress framework: nonxt-sendrecv runs
# on SRC, nonxt-reflect is built again on IPS and ECO (see reflect).
PROGS =		nonxt-sendrecv nonxt-reflect

.MAIN: all

# Without the three remote hosts the whole test is skipped rather than
# failed.  Otherwise, before the first target runs, prime sudo locally
# and on IPS (presumably so that any password prompt appears up front)
# and remove the stamp files so every setup step is redone on each run.
.if empty (IPS_SSH) || empty (RT_SSH) || empty (ECO_SSH)
regress:
	@echo This tests needs three remote machines to operate on.
	@echo IPS_SSH RT_SSH ECO_SSH are empty.
	@echo Fill out these variables for additional tests, then
	@echo check whether your test machines are set up properly.
	@echo SKIPPED

.elif make (regress) || make (all)
.BEGIN:
	${SUDO} true
	ssh -t ${IPS_SSH} ${SUDO} true
	rm -f stamp-*
	@echo
.endif

# Create python include file containing the addresses.
# Each line has the form NAME="value".  That syntax is also valid macro
# syntax for ipsecctl(8) and pfctl(8), which is why addr.py is
# concatenated in front of ipsec.conf and pf.conf below.  The file is
# written to a .tmp name first and renamed at the end so that a failed
# run never leaves a half-written addr.py behind.
addr.py: Makefile
	rm -f $@ $@.tmp
.for host in SRC IPS RT ECO
.for dir in IN OUT BUNDLE
.for ipv in IF IPV4 IPV6
	echo '${host}_${dir}_${ipv}="${${host}_${dir}_${ipv}}"' >>$@.tmp
.endfor
.endfor
.endfor
.for sec in ESP AH IPIP IPCOMP BUNDLE
.for host mode in SRC TRANSP SRC TUNNEL \
    IPS TRANSP IPS TUNNEL4 IPS TUNNEL6 \
    ECO TUNNEL4 ECO TUNNEL6
.for ipv in IPV4 IPV6
	echo '${host}_${sec}_${mode}_${ipv}="${${host}_${sec}_${mode}_${ipv}}"'\
	    >>$@.tmp
.endfor
.endfor
.endfor
	mv $@.tmp $@

# REGRESS_SETUP_ONCE targets are run once per regress run by the regress
# framework, which records completion in stamp-<target>; the explicit
# stamp-ipsec dependency line makes the step repeat when addr.py or
# ipsec.conf change.
#
# ipsecctl -F flushes ALL existing SAs and flows on SRC and on IPS
# before the test configuration is loaded, so any other IPsec setup on
# those machines is lost.  The configuration is syntax-checked locally
# with -n first.  On IPS the same ipsec.conf is loaded with the FROM/TO
# and LOCAL/PEER macros swapped, giving the mirror image of the SRC
# configuration.
REGRESS_SETUP_ONCE +=	ipsec
stamp-ipsec: addr.py ipsec.conf
ipsec:
	# Load the ipsec sa and flow into the kernel of the SRC and IPS machine.
	cat addr.py ${.CURDIR}/ipsec.conf | /sbin/ipsecctl -n -f -
	${SUDO} ipsecctl -F
	cat addr.py ${.CURDIR}/ipsec.conf | ${SUDO} ipsecctl -f -
	ssh ${IPS_SSH} ${SUDO} ipsecctl -F
	cat addr.py ${.CURDIR}/ipsec.conf | ssh ${IPS_SSH} ${SUDO} ipsecctl\
	    -f - -D FROM=to -D TO=from -D LOCAL=peer -D PEER=local

# The pf rules are syntax-checked locally and then loaded only into the
# "regress" anchor on IPS, so the main ruleset of IPS is left untouched.
# The rule text itself lives in pf.conf and is not visible here.
REGRESS_SETUP_ONCE +=	pfctl
stamp-pfctl: addr.py pf.conf
pfctl:
	# Load a pf log enc0 pass any rule into the kernel of the IPS machine.
	cat addr.py ${.CURDIR}/pf.conf | /sbin/pfctl -n -f -
	cat addr.py ${.CURDIR}/pf.conf | \
	    ssh ${IPS_SSH} ${SUDO} pfctl -a regress -f -

# The remote make -C assumes the regress source tree is present at the
# same path (.CURDIR) on IPS and ECO.  inetd provides the echo service,
# nonxt_reflect is the rc.d script installed by create-setup.
REGRESS_SETUP_ONCE +=	reflect
stamp-reflect: nonxt-reflect
reflect:
	# Build and start packet reflection program on IPS and ECO machine.
	ssh ${IPS_SSH} make -C ${.CURDIR} nonxt-reflect
	ssh ${IPS_SSH} ${SUDO} rcctl start inetd nonxt_reflect
	ssh ${ECO_SSH} make -C ${.CURDIR} nonxt-reflect
	ssh ${ECO_SSH} ${SUDO} rcctl start inetd nonxt_reflect

# Capture command run on IPS; the interface name is appended per target.
# The same string is used as the pkill -f pattern, so changing it here
# keeps start and stop in sync.
DUMPCMD=	tcpdump -s 2048 -ni

# Start a capture on the enc0 interface of IPS.  The nested quotes pass
# '^tcpdump -s 2048 -ni enc0' through the local shell so that the remote
# shell hands pkill the anchored pattern.  NOTE(review): the leading -
# and the trailing || true both ignore a non-zero status (pkill exits 1
# when nothing matched); one of them would do.  The sleep gives tcpdump
# time to attach before test traffic starts (marked XXX by the author).
# Removing stamp-stop forces a fresh stop/decode for the new capture.
stamp-bpf: Makefile stamp-drop
	# Run tcpdump on enc device of IPS machine.
	rm -f enc0.tcpdump
	-ssh ${IPS_SSH} ${SUDO} pkill -f "'^${DUMPCMD} enc0'" || true
	ssh -f ${IPS_SSH} ${SUDO} ${DUMPCMD} enc0 -w ${.OBJDIR}/enc0.pcap
	sleep 5 # XXX
	rm -f stamp-stop
	@date >$@

# Same as stamp-bpf for the pflog0 interface; depends on stamp-pfctl so
# the logging rule is in place before the capture starts.
stamp-pflog: stamp-pfctl stamp-drop
	# Run tcpdump on pflog device of IPS machine.
	rm -f pflog0.tcpdump
	-ssh ${IPS_SSH} ${SUDO} pkill -f "'^${DUMPCMD} pflog0'" || true
	ssh -f ${IPS_SSH} ${SUDO} ${DUMPCMD} pflog0 -w ${.OBJDIR}/pflog0.pcap
	sleep 5 # XXX
	rm -f stamp-stop
	@date >$@

# Stop both captures on IPS, then stream each pcap back over ssh and
# decode it locally into <if>.tcpdump, which the run-bpf-* and
# run-pflog-* targets grep.  $i is the make loop variable, not a shell
# variable.
stamp-stop:
	# Stop tcpdump on enc and pflog device of IPS machine.
	sleep 5 # XXX
	-ssh ${IPS_SSH} ${SUDO} pkill -f "'^${DUMPCMD}'"
.for i in enc0 pflog0
	ssh ${IPS_SSH} cat ${.OBJDIR}/$i.pcap | tcpdump -evvvnr - >$i.tcpdump
.endfor
	@date >$@

# Old TCP connections send packets from time to time.  These confuse
# the checks that count the IPsec packets with netstat -ss.
# Only connections whose local and foreign address both lie inside the
# test prefixes are dropped; the perl script splits "addr.port" into
# the four arguments tcpdrop(8) expects, and xargs -r skips the command
# entirely when the list is empty.
stamp-drop:
	# Drop old TCP connections.
	netstat -nv -p tcp |\
	perl -ne '\
	    / ${PREFIX_IPV6}.* ${PREFIX_IPV6}/ ||\
	    / ${PREFIX_IPV4}.* ${PREFIX_IPV4}/ or next;\
	    my ($$laddr,$$faddr) = (split)[3,4];\
	    my ($$lip,$$lport) = $$laddr =~ /(.*)\.(\d+)/;\
	    my ($$fip,$$fport) = $$faddr =~ /(.*)\.(\d+)/;\
	    print join(" ",$$lip,$$lport,$$fip,$$fport),"\n"' |\
	xargs -r -L1 ${SUDO} tcpdrop
	@date >$@

# Disable tests that do not pass.
# These explicit rules take precedence over the generated run-pflog-*
# rules of the same name further down.

run-pflog-ping-IPS_AH_TRANSP_IPV4 \
run-pflog-udp-IPS_AH_TRANSP_IPV4 \
run-pflog-tcp-IPS_AH_TRANSP_IPV4 \
run-pflog-nonxt-IPS_AH_TRANSP_IPV4 \
run-pflog-ping-IPS_AH_TRANSP_IPV6 \
run-pflog-udp-IPS_AH_TRANSP_IPV6 \
run-pflog-tcp-IPS_AH_TRANSP_IPV6 \
run-pflog-nonxt-IPS_AH_TRANSP_IPV6:
	# IPv6 AH packets are treated as their payload protocol by pf.
	# So they match the floating state on the physical interface
	# and are not logged by the enc0 pf rule.
	@echo DISABLED

# Ping all addresses.  This ensures that the IP addresses are configured
# and all routing tables are set up to allow bidirectional packet flow.
# Every name added to TARGETS becomes a run-send-* test via
# REGRESS_TARGETS below.

.for host dir in SRC OUT IPS IN IPS OUT RT IN RT OUT ECO IN
.for ping ipv in ping IPV4 ping6 IPV6
TARGETS +=	ping-${host}_${dir}_${ipv}
run-send-ping-${host}_${dir}_${ipv}:
	${ping} -n -c 1 -w 2 ${${host}_${dir}_${ipv}}
.endfor
.endfor

# Send IPsec packets from SRC to IPS and expect response.

# Every test below snapshots the kernel input/output packet counters of
# the encapsulation under test (netstat -s -p esp|ah|ipencap|ipcomp;
# BUNDLE is counted as ESP) into pkt.in/pkt.out, sends one request, and
# then diffs the counters again: either unchanged, or each exactly one
# higher (awk prints $1-1 so the diff against the snapshot is empty).
# Besides the run-send-* name, each rule also hangs off the plain
# targets ping/udp/tcp/nonxt and the lower-cased host, encapsulation,
# mode and IP version, so "make esp" or "make tunnel4" runs a subset.

.for sec in ESP AH IPIP IPCOMP BUNDLE

.for host mode in SRC TRANSP SRC TUNNEL \
    IPS TRANSP IPS TUNNEL4 IPS TUNNEL6 \
    ECO TUNNEL4 ECO TUNNEL6
.for ping ipv in ping IPV4 ping6 IPV6
.for len size in small -s24 big -s1000

# A ping to one of SRC's own addresses never leaves the machine, so no
# IPsec counter moves.  For a 24 byte payload with IPCOMP the counters
# stay unchanged as well (presumably because such a small packet is not
# compressed); everything else must increment input and output by one.
TARGETS +=	ping-${len}-${host}_${sec}_${mode}_${ipv}
ping ${host:L} ${sec:L} ${mode:L} ${ipv:L}:\
	run-send-ping-${len}-${host}_${sec}_${mode}_${ipv}
run-send-ping-${len}-${host}_${sec}_${mode}_${ipv}:
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/input ${sec:S/BUNDLE/ESP/} /{print $$1}' >pkt.in
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/output ${sec:S/BUNDLE/ESP/} /{print $$1}' >pkt.out
	${ping} ${size} -n -c 1 -w 2 ${${host}_${sec}_${mode}_${ipv}}
.if "${host}" == SRC || ( "${len}" == small && "${sec}" == IPCOMP )
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/input ${sec:S/BUNDLE/ESP/} /{print $$1}' |\
	    diff pkt.in -
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/output ${sec:S/BUNDLE/ESP/} /{print $$1}' |\
	    diff pkt.out -
.else
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/input ${sec:S/BUNDLE/ESP/} /{print $$1-1}' |\
	    diff pkt.in -
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/output ${sec:S/BUNDLE/ESP/} /{print $$1-1}' |\
	    diff pkt.out -
.endif

.endfor
.endfor
.endfor

# UDP, TCP and no-next-header tests only target IPS and ECO, which run
# the echo service; SRC itself is not tested here.
.for host mode in IPS TRANSP IPS TUNNEL4 IPS TUNNEL6 \
    ECO TUNNEL4 ECO TUNNEL6
.for ipv in IPV4 IPV6

# The shell PID ($$$$ becomes $$ for the shell) is used as a payload
# that is unlikely to collide with stale data; the reply from the UDP
# echo port must contain it.  For IPCOMP the counters are expected to
# stay unchanged, for everything else to increase by one.
TARGETS +=	udp-${host}_${sec}_${mode}_${ipv}
udp ${host:L} ${sec:L} ${mode:L} ${ipv:L}:\
	run-send-udp-${host}_${sec}_${mode}_${ipv}
run-send-udp-${host}_${sec}_${mode}_${ipv}:
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/input ${sec:S/BUNDLE/ESP/} /{print $$1}' >pkt.in
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/output ${sec:S/BUNDLE/ESP/} /{print $$1}' >pkt.out
	echo $$$$ | nc -n -u -W 1 -w 3 ${${host}_${sec}_${mode}_${ipv}} 7 |\
	    fgrep $$$$
.if "${sec}" == IPCOMP
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/input ${sec:S/BUNDLE/ESP/} /{print $$1}' |\
	    diff pkt.in -
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/output ${sec:S/BUNDLE/ESP/} /{print $$1}' |\
	    diff pkt.out -
.else
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/input ${sec:S/BUNDLE/ESP/} /{print $$1-1}' |\
	    diff pkt.in -
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/output ${sec:S/BUNDLE/ESP/} /{print $$1-1}' |\
	    diff pkt.out -
.endif

# TCP exchanges several packets per connection, so no counter check is
# done here; only the echoed payload is verified.
TARGETS +=	tcp-${host}_${sec}_${mode}_${ipv}
tcp ${host:L} ${sec:L} ${mode:L} ${ipv:L}:\
	run-send-tcp-${host}_${sec}_${mode}_${ipv}
run-send-tcp-${host}_${sec}_${mode}_${ipv}:
	echo $$$$ | nc -n -N -w 3 ${${host}_${sec}_${mode}_${ipv}} 7 |\
	    fgrep $$$$

# Send no next header protocol 59 packets through the IPsec test.
# They consist solely of an IPv6 header chain and trigger edge cases.
# nonxt-sendrecv needs raw sockets, hence SUDO; the reflector daemon
# started by create-setup answers on IPS and ECO.

TARGETS +=	nonxt-${host}_${sec}_${mode}_${ipv}
nonxt ${host:L} ${sec:L} ${mode:L} ${ipv:L}:\
	run-send-nonxt-${host}_${sec}_${mode}_${ipv}
run-send-nonxt-${host}_${sec}_${mode}_${ipv}: nonxt-sendrecv
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/input ${sec:S/BUNDLE/ESP/} /{print $$1}' >pkt.in
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/output ${sec:S/BUNDLE/ESP/} /{print $$1}' >pkt.out
	${SUDO} ./nonxt-sendrecv ${${host}_${sec}_${mode}_${ipv}}
.if "${sec}" == IPCOMP
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/input ${sec:S/BUNDLE/ESP/} /{print $$1}' |\
	    diff pkt.in -
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/output ${sec:S/BUNDLE/ESP/} /{print $$1}' |\
	    diff pkt.out -
.else
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/input ${sec:S/BUNDLE/ESP/} /{print $$1-1}' |\
	    diff pkt.in -
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/output ${sec:S/BUNDLE/ESP/} /{print $$1-1}' |\
	    diff pkt.out -
.endif

# Send large tcp stream, this should trigger path mtu discovery.
# but it works only in a few cases
# Only ESP in tunnel mode is exercised.  Any cached host route (where
# the discovered MTU is stored) is deleted first on SRC and, for ECO
# targets, on IPS as well, so each run starts from the interface MTU.
# 10000 random bytes base64-encoded are 13336 characters in 209 lines
# of 64 characters, 13545 bytes including newlines; wc must report
# exactly that for the echoed stream to count as complete.

.if "${sec}" == ESP && ("${mode}" == TUNNEL4 || "${mode}" == TUNNEL6)
TARGETS +=	tcp-pmtu-${host}_${sec}_${mode}_${ipv}
tcp pmtu ${host:L} ${sec:L} ${mode:L} ${ipv:L}:\
	run-send-tcp-pmtu-${host}_${sec}_${mode}_${ipv}
run-send-tcp-pmtu-${host}_${sec}_${mode}_${ipv}:
	${SUDO} route delete -host ${${host}_${sec}_${mode}_${ipv}} || true
.if "${host}" == ECO
	ssh ${IPS_SSH} ${SUDO}\
	    route delete -host ${${host}_${sec}_${mode}_${ipv}} || true
.endif
	openssl rand -base64 10000 |\
	    nc -n -N -w 8 ${${host}_${sec}_${mode}_${ipv}} 7 |\
	    wc | fgrep ' 209 209 13545'
.endif

.endfor
.endfor

.endfor

# Check bpf has dumped all IPsec packets to enc0 on IPS.

# Regex fragments matched against the decoded tcpdump output.  They are
# combined per test below; make joins the backslash-continued pattern
# lines with single spaces, so each egrep receives one regex that must
# match a single tcpdump line.  Only ESP, AH and IPCOMP have an
# encapsulation regex: the run-bpf-* targets generated for IPIP and
# BUNDLE are excluded from REGRESS_TARGETS further down.
REGEX_ESP=	\(authentic,confidential\): SPI 0x[0-9a-f]*:
REGEX_AH=	\(authentic\): SPI 0x[0-9a-f]*:
REGEX_IPCOMP=	\(unprotected\): SPI 0x[0-9a-f]*:

# Outer header of the request: none in transport mode, SRC_OUT -> IPS_IN
# in tunnel mode (the inner protocol version picks TUNNEL4/TUNNEL6).
REGEX_REQ_TRANSP=	*
REGEX_REQ_TUNNEL4=	${SRC_OUT_IPV4} > ${IPS_IN_IPV4}:
REGEX_REQ_TUNNEL6=	${SRC_OUT_IPV6} > ${IPS_IN_IPV6}:

# Outer header of the reply, mirror image of the request.
REGEX_RPL_TRANSP=	*
REGEX_RPL_TUNNEL4=	${IPS_IN_IPV4} > ${SRC_OUT_IPV4}:
REGEX_RPL_TUNNEL6=	${IPS_IN_IPV6} > ${SRC_OUT_IPV6}:

# Protocol specific tail of the request line.
REGEX_REQ_PING=		icmp6?: echo request
REGEX_REQ_UDP=		.* udp
REGEX_REQ_TCP=		S
REGEX_REQ_NONXT=	(ip-proto-59|no next header)

# Protocol specific tail of the reply line.  NOTE(review): the reply
# pattern uses "icmp6*" while the request uses "icmp6?"; both accept
# "icmp:" and "icmp6:", so the result is the same in practice.
REGEX_RPL_PING=		icmp6*: echo reply
REGEX_RPL_UDP=		.* udp
REGEX_RPL_TCP=		S .* ack
REGEX_RPL_NONXT=	(ip-proto-59|no next header)

# Per test inner-header regexes.  The :C modifier strips the trailing 4
# or 6 from the mode so that TUNNEL4 and TUNNEL6 both use the SRC_*_TUNNEL
# address.  ECO has no TRANSP addresses, so the ECO TRANSP variables
# defined here are empty; their run-bpf/run-pflog targets are never
# listed in TARGETS and therefore never run.
.for host in IPS ECO
.for sec in ESP AH IPIP IPCOMP BUNDLE
.for mode in TRANSP TUNNEL4 TUNNEL6
.for ipv in IPV4 IPV6

REGEX_REQ_${host}_${sec}_${mode}_${ipv}_PING=\
    ${SRC_${sec}_${mode:C/[46]$//}_${ipv}} >\
    ${${host}_${sec}_${mode}_${ipv}}:
REGEX_REQ_${host}_${sec}_${mode}_${ipv}_UDP=\
    ${SRC_${sec}_${mode:C/[46]$//}_${ipv}}\.[0-9][0-9]* >\
    ${${host}_${sec}_${mode}_${ipv}}\.7:
REGEX_REQ_${host}_${sec}_${mode}_${ipv}_TCP=\
    ${REGEX_REQ_${host}_${sec}_${mode}_${ipv}_UDP}
REGEX_REQ_${host}_${sec}_${mode}_${ipv}_NONXT=\
    ${REGEX_REQ_${host}_${sec}_${mode}_${ipv}_PING}

REGEX_RPL_${host}_${sec}_${mode}_${ipv}_PING=\
    ${${host}_${sec}_${mode}_${ipv}} >\
    ${SRC_${sec}_${mode:C/[46]$//}_${ipv}}:
REGEX_RPL_${host}_${sec}_${mode}_${ipv}_UDP=\
    ${${host}_${sec}_${mode}_${ipv}}\.7 >\
    ${SRC_${sec}_${mode:C/[46]$//}_${ipv}}\.[0-9][0-9]*:
REGEX_RPL_${host}_${sec}_${mode}_${ipv}_TCP=\
    ${REGEX_RPL_${host}_${sec}_${mode}_${ipv}_UDP}
REGEX_RPL_${host}_${sec}_${mode}_${ipv}_NONXT=\
    ${REGEX_RPL_${host}_${sec}_${mode}_${ipv}_PING}

.for proto in PING UDP TCP NONXT

# Both the request and the reply must have passed enc0 on IPS, i.e. both
# directions were handled by IPsec.  These targets depend on stamp-stop
# so the capture is finished and decoded before grepping.
run-bpf-${proto:L}-${host}_${sec}_${mode}_${ipv}: stamp-stop
	egrep -q '\
	    ${REGEX_${sec}}\
	    ${REGEX_REQ_${mode}}\
	    ${REGEX_REQ_${host}_${sec}_${mode}_${ipv}_${proto}}\
	    ${REGEX_REQ_${proto}} ' enc0.tcpdump

	egrep -q '\
	    ${REGEX_${sec}}\
	    ${REGEX_RPL_${mode}}\
	    ${REGEX_RPL_${host}_${sec}_${mode}_${ipv}_${proto}}\
	    ${REGEX_RPL_${proto}} ' enc0.tcpdump

# The pf rule loaded into the "regress" anchor (rule 0) must have logged
# the request inbound and the reply outbound on enc0.
run-pflog-${proto:L}-${host}_${sec}_${mode}_${ipv}: stamp-stop
	egrep -q '\
	    rule .*regress.0/\(match\) .*\
	    pass in on enc0:.*\
	    ${REGEX_REQ_${host}_${sec}_${mode}_${ipv}_${proto}}\
	    ${REGEX_REQ_${proto}} ' pflog0.tcpdump
	egrep -q '\
	    rule .*/\(match\) .*\
	    pass out on enc0:.*\
	    ${REGEX_RPL_${host}_${sec}_${mode}_${ipv}_${proto}}\
	    ${REGEX_RPL_${proto}} ' pflog0.tcpdump

.endfor
.endfor
.endfor
.endfor
.endfor

# Path MTU discovery checks, one per tcp-pmtu target.  For IPS targets
# only the first full-size segment is checked; the segment size depends
# on the outer and inner header sizes (1372 for v4 in v4 down to 1332
# for v6 in v6).  For ECO targets the asserted sequence is: full-size
# segment, "need to frag"/"too big" from IPS_IN with mtu 1400, a smaller
# segment, the same from RT_IN with mtu 1300, and a still smaller segment.

run-bpf-tcp-pmtu-IPS_ESP_TUNNEL4_IPV4: stamp-stop
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL4}\
	    ${REGEX_REQ_IPS_ESP_TUNNEL4_IPV4_TCP}\
	    .* 1:1...\(1372\) ack ' enc0.tcpdump

run-bpf-tcp-pmtu-IPS_ESP_TUNNEL4_IPV6: stamp-stop
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL4}\
	    ${REGEX_REQ_IPS_ESP_TUNNEL4_IPV6_TCP}\
	    .* 1:1...\(1352\) ack ' enc0.tcpdump

run-bpf-tcp-pmtu-IPS_ESP_TUNNEL6_IPV4: stamp-stop
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL6}\
	    ${REGEX_REQ_IPS_ESP_TUNNEL6_IPV4_TCP}\
	    .* 1:1...\(1352\) ack ' enc0.tcpdump

run-bpf-tcp-pmtu-IPS_ESP_TUNNEL6_IPV6: stamp-stop
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL6}\
	    ${REGEX_REQ_IPS_ESP_TUNNEL6_IPV6_TCP}\
	    .* 1:1...\(1332\) ack ' enc0.tcpdump

run-bpf-tcp-pmtu-ECO_ESP_TUNNEL4_IPV4: stamp-stop
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL4}\
	    ${REGEX_REQ_ECO_ESP_TUNNEL4_IPV4_TCP}\
	    .* 1:1...\(1372\) ack ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_RPL_TUNNEL4}\
	    ${IPS_IN_IPV4} > ${SRC_ESP_TUNNEL_IPV4}:\
	    icmp: ${ECO_ESP_TUNNEL4_IPV4} unreachable -\
	    need to frag \(mtu 1400\) ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL4}\
	    ${REGEX_REQ_ECO_ESP_TUNNEL4_IPV4_TCP}\
	    .* 1:1...\(1348\) ack ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_RPL_TUNNEL4}\
	    ${RT_IN_IPV4} > ${SRC_ESP_TUNNEL_IPV4}:\
	    icmp: ${ECO_ESP_TUNNEL4_IPV4} unreachable -\
	    need to frag \(mtu 1300\) ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL4}\
	    ${REGEX_REQ_ECO_ESP_TUNNEL4_IPV4_TCP}\
	    .* 1:1...\(1248\) ack ' enc0.tcpdump

run-bpf-tcp-pmtu-ECO_ESP_TUNNEL4_IPV6: stamp-stop
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL4}\
	    ${REGEX_REQ_ECO_ESP_TUNNEL4_IPV6_TCP}\
	    .* 1:1...\(1352\) ack ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_RPL_TUNNEL6}\
	    ${IPS_IN_IPV6} > ${SRC_ESP_TUNNEL_IPV6}:\
	    icmp6: too big 1400 ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL4}\
	    ${REGEX_REQ_ECO_ESP_TUNNEL4_IPV6_TCP}\
	    .* 1:1...\(1328\) ack ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_RPL_TUNNEL6}\
	    ${RT_IN_IPV6} > ${SRC_ESP_TUNNEL_IPV6}:\
	    icmp6: too big 1300 ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL4}\
	    ${REGEX_REQ_ECO_ESP_TUNNEL4_IPV6_TCP}\
	    .* 1:1...\(1228\) ack ' enc0.tcpdump

run-bpf-tcp-pmtu-ECO_ESP_TUNNEL6_IPV4: stamp-stop
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL6}\
	    ${REGEX_REQ_ECO_ESP_TUNNEL6_IPV4_TCP}\
	    .* 1:1...\(1352\) ack ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_RPL_TUNNEL4}\
	    ${IPS_IN_IPV4} > ${SRC_ESP_TUNNEL_IPV4}:\
	    icmp: ${ECO_ESP_TUNNEL6_IPV4} unreachable -\
	    need to frag \(mtu 1400\) ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL6}\
	    ${REGEX_REQ_ECO_ESP_TUNNEL6_IPV4_TCP}\
	    .* 1:1...\(1348\) ack ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_RPL_TUNNEL4}\
	    ${RT_IN_IPV4} > ${SRC_ESP_TUNNEL_IPV4}:\
	    icmp: ${ECO_ESP_TUNNEL6_IPV4} unreachable -\
	    need to frag \(mtu 1300\) ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL6}\
	    ${REGEX_REQ_ECO_ESP_TUNNEL6_IPV4_TCP}\
	    .* 1:1...\(1248\) ack ' enc0.tcpdump

# NOTE(review): the three segment checks in this target run egrep
# without -q, unlike every other check; the exit status and thus the
# test result are the same, only the matching lines are printed.
run-bpf-tcp-pmtu-ECO_ESP_TUNNEL6_IPV6: stamp-stop
	egrep '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL6}\
	    ${REGEX_REQ_ECO_ESP_TUNNEL6_IPV6_TCP}\
	    .* 1:1...\(1332\) ack ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_RPL_TUNNEL6}\
	    ${IPS_IN_IPV6} > ${SRC_ESP_TUNNEL_IPV6}:\
	    icmp6: too big 1400 ' enc0.tcpdump
	egrep '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL6}\
	    ${REGEX_REQ_ECO_ESP_TUNNEL6_IPV6_TCP}\
	    .* 1:1...\(1328\) ack ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_RPL_TUNNEL6}\
	    ${RT_IN_IPV6} > ${SRC_ESP_TUNNEL_IPV6}:\
	    icmp6: too big 1300 ' enc0.tcpdump
	egrep '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL6}\
	    ${REGEX_REQ_ECO_ESP_TUNNEL6_IPV6_TCP}\
	    .* 1:1...\(1228\) ack ' enc0.tcpdump

# Derive the regress targets from TARGETS: every entry gets a run-send-
# test; the :N modifiers then exclude what has no bpf check (IPIP and
# BUNDLE encapsulation, the plain IN/OUT pings, tests against SRC, the
# small pings, and IPCOMP udp/tcp/nonxt) and what has no pflog check
# (additionally IPCOMP altogether and the pmtu tests); -big- is dropped
# from the name because only the big ping is checked in the dumps.
REGRESS_TARGETS =	${TARGETS:S/^/run-send-/} \
	${TARGETS:N*_IPIP_*:N*_BUNDLE_*:N*_IN_*:N*_OUT_*:N*-SRC_*:Nudp-*_IPCOMP_*:Ntcp-*_IPCOMP_*:N*-small-*:Nnonxt-*_IPCOMP_*:S/-big-/-/:S/^/run-bpf-/} \
	${TARGETS:N*_IPIP_*:N*_IPCOMP_*:N*_IN_*:N*_OUT_*:N*-SRC_*:N*-small-*:N*-pmtu-*:S/-big-/-/:S/^/run-pflog-/}

# All traffic generating tests need both captures running and the stale
# TCP connections dropped first.
${REGRESS_TARGETS:Mrun-send-*}: stamp-bpf stamp-pflog stamp-drop

# Generated files; */hostname.* and the stamp files come from create-setup.
CLEANFILES +=		addr.py *.pyc *.log stamp-* */hostname.* *.{in,out}
CLEANFILES +=		*.pcap *.tcpdump

# Run make create-setup to configure remote machines for test.

.PHONY: create-setup

create-setup: stamp-hostname stamp-inetd stamp-nonxt-reflect

# Create hostname.if files, copy them to the machines and install addresses.

# Each generated hostname.if(5) fragment starts with a "### regress"
# marker line; stamp-hostname keeps whatever the operator has above that
# marker in the live /etc/hostname.<if> and replaces everything from the
# marker on, so re-running create-setup is idempotent.  Routes are
# deleted (-q, quietly) before being added so a changed gateway does not
# leave a stale entry.  The local file lives in etc/, the remote ones in
# a directory named after the host's *_SSH value.

etc/hostname.${SRC_OUT_IF}: Makefile
	mkdir -p ${@:H}
	rm -f $@ $@.tmp
	echo '### regress ipsec $@' >$@.tmp
.for dir in OUT BUNDLE
	echo '# SRC_${dir}' >>$@.tmp
.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64
	echo '${inet} alias ${SRC_${dir}_${ipv}} ${masklen}' >>$@.tmp
.endfor
.endfor
.for sec in ESP AH IPIP IPCOMP BUNDLE
	echo '## SRC_${sec}' >>$@.tmp
.for mode in TRANSP TUNNEL
	echo '# SRC_${sec}_${mode}' >>$@.tmp
.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64
	echo '${inet} alias ${SRC_${sec}_${mode}_${ipv}} ${masklen}' >>$@.tmp
.endfor
.endfor
# The IPv6 transport net of IPS differs from SRC's (see the address
# comment at the top), so SRC needs an explicit route to it via IPS_IN.
	echo '# IPS_${sec}_TRANSP_IPV6/64 IPS_IN_IPV6' >>$@.tmp
	echo '!route -q delete -inet6 ${IPS_${sec}_TRANSP_IPV6}/64' >>$@.tmp
	echo '!route add -inet6 ${IPS_${sec}_TRANSP_IPV6}/64 ${IPS_IN_IPV6}'\
	    >>$@.tmp
.for host dir in RT IN ECO IN
	echo '# ${host}_${dir}/pfxlen IPS_IN' >>$@.tmp
.for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64
	echo '!route -q delete -${inet} ${${host}_${dir}_${ipv}}/${pfxlen}'\
	    >>$@.tmp
	echo '!route add -${inet} ${${host}_${dir}_${ipv}}/${pfxlen}\
	    ${IPS_IN_${ipv}}' >>$@.tmp
.endfor
.endfor
.for host in IPS ECO
.for mode in TUNNEL4 TUNNEL6
# NOTE(review): ipv is not bound by an enclosing .for on the next two
# lines (the ipv loop starts after them), so the gateway in this
# generated comment line expands to nothing; only the comment in the
# hostname.if file is affected, the route lines below are correct.
	echo '# ${host}_${sec}_${mode}/pfxlen\
	    ${SRC_${sec}_TUNNEL_${ipv}}' >>$@.tmp
.for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64
	echo '!route -q delete -${inet}\
	    ${${host}_${sec}_${mode}_${ipv}}/${pfxlen}' >>$@.tmp
	echo '!route add -${inet} ${${host}_${sec}_${mode}_${ipv}}/${pfxlen}\
	    ${SRC_${sec}_TUNNEL_${ipv}}' >>$@.tmp
.endfor
.endfor
.endfor
.endfor
	mv $@.tmp $@

# IPS inbound interface: IN and BUNDLE addresses, the transport addresses
# of every encapsulation, a route back to SRC's IPv6 transport nets and
# routes to SRC's tunnel nets via SRC_OUT.
${IPS_SSH}/hostname.${IPS_IN_IF}: Makefile
	mkdir -p ${@:H}
	rm -f $@ $@.tmp
	echo '### regress ipsec $@' >$@.tmp
.for dir in IN BUNDLE
	echo '# IPS_${dir}' >>$@.tmp
.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64
	echo '${inet} alias ${IPS_${dir}_${ipv}} ${masklen}' >>$@.tmp
.endfor
.endfor
.for sec in ESP AH IPIP IPCOMP BUNDLE
	echo '## IPS_${sec}' >>$@.tmp
	echo '# IPS_${sec}_TRANSP' >>$@.tmp
.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64
	echo '${inet} alias ${IPS_${sec}_TRANSP_${ipv}} ${masklen}' >>$@.tmp
.endfor
	echo '# SRC_${sec}_TRANSP_IPV6/64 SRC_OUT_IPV6' >>$@.tmp
	echo '!route -q delete -inet6 ${SRC_${sec}_TRANSP_IPV6}/64' >>$@.tmp
	echo '!route add -inet6 ${SRC_${sec}_TRANSP_IPV6}/64 ${SRC_OUT_IPV6}'\
	    >>$@.tmp
.for mode in TUNNEL
# NOTE(review): same as in the SRC file, ipv is unbound on the next line
# and the gateway in the generated comment expands empty.
	echo '# SRC_${sec}_${mode}/pfxlen ${IPS_IN_${ipv}}' >>$@.tmp
.for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64
	echo '!route -q delete -${inet}\
	    ${SRC_${sec}_${mode}_${ipv}}/${pfxlen}' >>$@.tmp
	echo '!route add -${inet} ${SRC_${sec}_${mode}_${ipv}}/${pfxlen}\
	    ${IPS_IN_${ipv}}' >>$@.tmp
.endfor
.endfor
.endfor
	mv $@.tmp $@

# IPS outbound interface: OUT addresses, the tunnel endpoints that
# terminate on IPS, and routes to ECO's nets via RT_IN.
${IPS_SSH}/hostname.${IPS_OUT_IF}: Makefile
	mkdir -p ${@:H}
	rm -f $@ $@.tmp
	echo '### regress ipsec $@' >$@.tmp
	echo '# IPS_OUT' >>$@.tmp
.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64
	echo '${inet} alias ${IPS_OUT_${ipv}} ${masklen}' >>$@.tmp
.endfor
	echo '# ECO_IN/pfxlen RT_IN' >>$@.tmp
.for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64
	echo '!route -q delete -${inet} ${ECO_IN_${ipv}}/${pfxlen}'\
	    >>$@.tmp
	echo '!route add -${inet} ${ECO_IN_${ipv}}/${pfxlen} ${RT_IN_${ipv}}'\
	    >>$@.tmp
.endfor
.for sec in ESP AH IPIP IPCOMP BUNDLE
	echo '## IPS_${sec}' >>$@.tmp
.for mode in TUNNEL4 TUNNEL6
	echo '# IPS_${sec}_${mode}' >>$@.tmp
.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64
	echo '${inet} alias ${IPS_${sec}_${mode}_${ipv}} ${masklen}' >>$@.tmp
.endfor
.endfor
.for mode in TUNNEL4 TUNNEL6
	echo '# ECO_${sec}_${mode}/pfxlen RT_IN' >>$@.tmp
.for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64
	echo '!route -q delete -${inet}\
	    ${ECO_${sec}_${mode}_${ipv}}/${pfxlen}' >>$@.tmp
	echo '!route add -${inet} ${ECO_${sec}_${mode}_${ipv}}/${pfxlen}\
	    ${RT_IN_${ipv}}' >>$@.tmp
.endfor
.endfor
.endfor
	mv $@.tmp $@

# RT inbound interface: routes back towards SRC go via IPS_OUT.
# NOTE(review): in the SRC_OUT "route add" line the gateway sits outside
# the single quotes, unlike the sibling lines; echo still joins the two
# words with a space, so the generated file is the same.
${RT_SSH}/hostname.${RT_IN_IF}: Makefile
	mkdir -p ${@:H}
	rm -f $@ $@.tmp
	echo '### regress ipsec $@' >$@.tmp
	echo '# RT_IN' >>$@.tmp
.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64
	echo '${inet} alias ${RT_IN_${ipv}} ${masklen}' >>$@.tmp
.endfor
	echo '# SRC_OUT/pfxlen IPS_OUT' >>$@.tmp
.for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64
	echo '!route -q delete -${inet} ${SRC_OUT_${ipv}}/${pfxlen}'\
	    >>$@.tmp
	echo '!route add -${inet} ${SRC_OUT_${ipv}}/${pfxlen}'\
	    ${IPS_OUT_${ipv}} >>$@.tmp
.endfor
.for sec in ESP AH IPIP IPCOMP BUNDLE
	echo '## IPS_${sec}' >>$@.tmp
.for mode in TUNNEL
	echo '# SRC_${mode}/pfxlen IPS_OUT' >>$@.tmp
.for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64
	echo '!route -q delete -${inet} ${SRC_${sec}_${mode}_${ipv}}/${pfxlen}'\
	    >>$@.tmp
	echo '!route add -${inet} ${SRC_${sec}_${mode}_${ipv}}/${pfxlen}\
	    ${IPS_OUT_${ipv}}' >>$@.tmp
.endfor
.endfor
.endfor
	mv $@.tmp $@

# RT outbound interface: routes to ECO's tunnel nets go via ECO_IN.
${RT_SSH}/hostname.${RT_OUT_IF}: Makefile
	mkdir -p ${@:H}
	rm -f $@ $@.tmp
	echo '### regress ipsec $@' >$@.tmp
	echo '# RT_OUT' >>$@.tmp
.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64
	echo '${inet} alias ${RT_OUT_${ipv}} ${masklen}' >>$@.tmp
.endfor
.for sec in ESP AH IPIP IPCOMP BUNDLE
	echo '## IPS_${sec}' >>$@.tmp
.for mode in TUNNEL4 TUNNEL6
	echo '# ECO_${sec}_${mode}/pfxlen ECO_IN' >>$@.tmp
.for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64
	echo '!route -q delete -${inet}\
	    ${ECO_${sec}_${mode}_${ipv}}/${pfxlen}' >>$@.tmp
	echo '!route add -${inet} ${ECO_${sec}_${mode}_${ipv}}/${pfxlen}\
	    ${ECO_IN_${ipv}}' >>$@.tmp
.endfor
.endfor
.endfor
	mv $@.tmp $@

# ECO interface: its IN address, the tunnel endpoints it reflects for,
# and routes back to IPS_OUT, SRC_OUT and SRC's tunnel nets via RT_OUT.
${ECO_SSH}/hostname.${ECO_IN_IF}: Makefile
	mkdir -p ${@:H}
	rm -f $@ $@.tmp
	echo '### regress ipsec $@' >$@.tmp
	echo '# ECO_IN' >>$@.tmp
.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64
	echo '${inet} alias ${ECO_IN_${ipv}} ${masklen}' >>$@.tmp
.endfor
.for host in IPS SRC
	echo '# ${host}_OUT/pfxlen RT_OUT' >>$@.tmp
.for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64
	echo '!route -q delete -${inet} ${${host}_OUT_${ipv}}/${pfxlen}'\
	    >>$@.tmp
	echo '!route add -${inet} ${${host}_OUT_${ipv}}/${pfxlen}\
	    ${RT_OUT_${ipv}}' >>$@.tmp
.endfor
.endfor
.for sec in ESP AH IPIP IPCOMP BUNDLE
	echo '## IPS_${sec}' >>$@.tmp
.for mode in TUNNEL4 TUNNEL6
	echo '# ECO_${sec}_${mode}' >>$@.tmp
.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64
	echo '${inet} alias ${ECO_${sec}_${mode}_${ipv}} ${masklen}' >>$@.tmp
.endfor
.endfor
.for mode in TUNNEL
	echo '# SRC_${sec}_${mode}/pfxlen RT_OUT' >>$@.tmp
.for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64
	echo '!route -q delete -${inet}\
	    ${SRC_${sec}_${mode}_${ipv}}/${pfxlen}' >>$@.tmp
	echo '!route add -${inet} ${SRC_${sec}_${mode}_${ipv}}/${pfxlen}\
	    ${RT_OUT_${ipv}}' >>$@.tmp
.endfor
.endfor
.endfor
	mv $@.tmp $@

# Install the generated fragments.  For each file: sed copies the live
# /etc/hostname.<if> up to (excluding) the "### regress" marker, cat
# appends the generated fragment from stdin, the result goes to a .tmp
# file that is then renamed into place and the interface is restarted
# with netstart(8).  The "\$$d" becomes "\$d" for the shell and "$d"
# for sed, i.e. delete to end of file.  umask 027 keeps the new file
# group-readable only, in line with the conventional 0640 mode of
# hostname.if files, which may hold credentials.  Local writes go
# through SUDO, remote ones log in as root directly.
stamp-hostname: etc/hostname.${SRC_OUT_IF} \
    ${IPS_SSH}/hostname.${IPS_IN_IF} ${IPS_SSH}/hostname.${IPS_OUT_IF} \
    ${RT_SSH}/hostname.${RT_IN_IF} ${RT_SSH}/hostname.${RT_OUT_IF} \
    ${ECO_SSH}/hostname.${ECO_IN_IF}
	${SUDO} sh -c "umask 027;\
	    { sed '/^### regress/,\$$d' /etc/hostname.${SRC_OUT_IF} &&\
	    cat; } >/etc/hostname.${SRC_OUT_IF}.tmp"\
	    <etc/hostname.${SRC_OUT_IF}
	${SUDO} sh -c "mv /etc/hostname.${SRC_OUT_IF}.tmp\
	    /etc/hostname.${SRC_OUT_IF} &&\
	    sh /etc/netstart ${SRC_OUT_IF}"
.for host dir in IPS IN IPS OUT RT IN RT OUT ECO IN
	ssh root@${${host}_SSH} "umask 027;\
	    { sed '/^### regress/,\$$d' /etc/hostname.${${host}_${dir}_IF} &&\
	    cat; } >/etc/hostname.${${host}_${dir}_IF}.tmp"\
	    <${${host}_SSH}/hostname.${${host}_${dir}_IF}
	ssh root@${${host}_SSH} "mv /etc/hostname.${${host}_${dir}_IF}.tmp\
	    /etc/hostname.${${host}_${dir}_IF} &&\
	    sh /etc/netstart ${${host}_${dir}_IF}"
.endfor
	date >$@

# Create inetd.conf files, copy them to the machines and start inetd.
# The TCP echo service is the usual wildcard entry; the UDP echo service
# is bound to each individual test address (addr:echo / [addr6]:echo),
# so it is not reachable on any other address of the machine.  The
# empty() test skips modes without an address, which is how ECO's
# missing TRANSP entries are left out.

.for host in IPS ECO
${${host}_SSH}/inetd.conf: Makefile
	mkdir -p ${@:H}
	rm -f $@ $@.tmp
	echo '### regress ipsec $@' >$@.tmp
	echo echo stream tcp nowait root internal >>$@.tmp
	echo echo stream tcp6 nowait root internal >>$@.tmp
.for sec in ESP AH IPIP IPCOMP BUNDLE
.for mode in TRANSP TUNNEL4 TUNNEL6
.if ! empty(${host}_${sec}_${mode}_IPV4)
	echo '${${host}_${sec}_${mode}_IPV4}:echo'\
	    dgram udp wait root internal >>$@.tmp
	echo '[${${host}_${sec}_${mode}_IPV6}]:echo'\
	    dgram udp6 wait root internal >>$@.tmp
.endif
.endfor
.endfor
	mv $@.tmp $@
.endfor

# Same marker/sed/cat/mv scheme as for the hostname files; inetd is
# enabled at boot and restarted to pick up the new configuration.
stamp-inetd: ${IPS_SSH}/inetd.conf ${ECO_SSH}/inetd.conf
.for host in IPS ECO
	ssh root@${${host}_SSH} "umask 022;\
	    { sed '/^### regress/,\$$d' /etc/inetd.conf && cat; }\
	    >/etc/inetd.conf.tmp" <${${host}_SSH}/inetd.conf
	ssh root@${${host}_SSH} "mv /etc/inetd.conf.tmp /etc/inetd.conf &&\
	    rcctl enable inetd && rcctl restart inetd"
.endfor
	date >$@

# Create rc.d/nonxt_reflect startup scripts,
# copy them to the remote machines,
# build remote nonxt-reflect binary,
# and start nonxt protocol 59 reflector daemons.
# The generated script is the list of local addresses to listen on
# followed by the body of nonxt_reflect.sh; "sh -n" syntax-checks it
# before it is made executable and installed as root under /etc/rc.d.

.for host in IPS ECO
${${host}_SSH}/nonxt_reflect: nonxt_reflect.sh Makefile
	mkdir -p ${@:H}
	rm -f $@ $@.tmp
	echo '#!/bin/ksh' >$@.tmp
	echo '### regress ipsec $@' >>$@.tmp
	echo 'local_addresses="' >>$@.tmp
.for sec in ESP AH IPIP IPCOMP BUNDLE
.for mode in TRANSP TUNNEL4 TUNNEL6
.for ipv in IPV4 IPV6
.if ! empty(${host}_${sec}_${mode}_${ipv})
	echo '${${host}_${sec}_${mode}_${ipv}}' >>$@.tmp
.endif
.endfor
.endfor
.endfor
	echo '"' >>$@.tmp
	cat ${.CURDIR}/nonxt_reflect.sh >>$@.tmp
	sh -n $@.tmp
	chmod 755 $@.tmp
	mv $@.tmp $@
.endfor

# As with reflect above, the remote make -C expects the source tree at
# the same path on IPS and ECO.
stamp-nonxt-reflect: ${IPS_SSH}/nonxt_reflect ${ECO_SSH}/nonxt_reflect \
    nonxt-reflect
.for host in IPS ECO
	ssh ${${host}_SSH} make -C ${.CURDIR} nonxt-reflect
	scp ${${host}_SSH}/nonxt_reflect root@${${host}_SSH}:/etc/rc.d/
	ssh root@${${host}_SSH}\
	    "rcctl enable nonxt_reflect && rcctl restart nonxt_reflect"
.endfor
	date >$@

# Check whether the address, route and remote setup is correct.
# The trailing shell comments on the recipe lines only serve to show
# the variable being tested in make's command echo when a check fails.

.PHONY: check-setup

check-setup: check-setup-src check-setup-ips check-setup-rt check-setup-eco

# On SRC: own addresses answer ping and show up as LOCAL routes, IPS is
# reachable directly, everything behind IPS is routed via IPS_IN, and
# the tunnel nets of IPS and ECO have STATIC routes.
check-setup-src:
	@echo '\n======== $@ ========'
.for ping inet ipv in ping inet IPV4 ping6 inet6 IPV6
.for host dir in SRC OUT SRC BUNDLE
	${ping} -n -c 1 ${${host}_${dir}_${ipv}}  # ${host}_${dir}_${ipv}
	route -n get -${inet} ${${host}_${dir}_${ipv}} |\
	    grep -q 'flags: .*LOCAL'  # ${host}_${dir}_${ipv}
.endfor
	${ping} -n -c 1 ${IPS_IN_${ipv}}  # IPS_IN_${ipv}
	${ping} -n -c 1 ${IPS_BUNDLE_${ipv}}  # IPS_BUNDLE_${ipv}
.for host dir in IPS OUT RT IN RT OUT ECO IN
	route -n get -${inet} ${${host}_${dir}_${ipv}} |\
	    fgrep -q 'gateway: ${IPS_IN_${ipv}}' \
	    # ${host}_${dir}_${ipv} IPS_IN_${ipv}
.endfor
.for sec in ESP AH IPIP IPCOMP BUNDLE
.for host mode in SRC TRANSP SRC TUNNEL
	${ping} -n -c 1 ${${host}_${sec}_${mode}_${ipv}} \
	    # ${host}_${sec}_${mode}_${ipv}
	route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\
	    grep -q 'flags: .*LOCAL'  # ${host}_${sec}_${mode}_${ipv}
.endfor
.for host mode in IPS TUNNEL4 IPS TUNNEL6 ECO TUNNEL4 ECO TUNNEL6
	route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\
	    grep -q 'flags: .*STATIC'  # ${host}_${sec}_${mode}_${ipv}
.endfor
.endfor
.endfor
986.for sec in ESP AH IPIP IPCOMP BUNDLE 987 route -n get -inet ${IPS_${sec}_TRANSP_IPV4} |\ 988 egrep -q 'flags: .*(CLONING|CLONED)' # IPS_${sec}_TRANSP_IPV4 989 route -n get -inet6 ${IPS_${sec}_TRANSP_IPV6} |\ 990 fgrep -q 'gateway: ${IPS_IN_IPV6}' \ 991 # IPS_${sec}_TRANSP_IPV6 IPS_IN_IPV6 992.endfor 993 sysctl net.inet.esp.enable | fgrep =1 994 sysctl net.inet.ah.enable | fgrep =1 995 sysctl net.inet.ipip.allow | fgrep =1 996 sysctl net.inet.ipcomp.enable | fgrep =1 997 998check-setup-ips: 999 @echo '\n======== $@ ========' 1000.for ping inet ip ipv in ping inet ip IPV4 ping6 inet6 ip6 IPV6 1001.for host dir in IPS IN IPS OUT IPS BUNDLE 1002 ssh ${IPS_SSH} ${ping} -n -c 1 ${${host}_${dir}_${ipv}} \ 1003 # ${host}_${dir}_${ipv} 1004 ssh ${IPS_SSH} route -n get -${inet} ${${host}_${dir}_${ipv}} |\ 1005 grep -q 'flags: .*LOCAL' # ${host}_${dir}_${ipv} 1006.endfor 1007 ssh ${IPS_SSH} ${ping} -n -c 1 ${SRC_OUT_${ipv}} # SRC_OUT_${ipv} 1008 ssh ${IPS_SSH} ${ping} -n -c 1 ${SRC_BUNDLE_${ipv}} # SRC_BUNDLE_${ipv} 1009 ssh ${IPS_SSH} ${ping} -n -c 1 ${RT_IN_${ipv}} # RT_IN_${ipv} 1010.for host dir in RT OUT ECO IN 1011 ssh ${IPS_SSH} route -n get -${inet} ${${host}_${dir}_${ipv}} |\ 1012 fgrep -q 'gateway: ${RT_IN_${ipv}}' \ 1013 # ${host}_${dir}_${ipv} RT_IN_${ipv} 1014.endfor 1015.for sec in ESP AH IPIP IPCOMP BUNDLE 1016.for host mode in IPS TRANSP IPS TUNNEL4 IPS TUNNEL6 1017 ssh ${IPS_SSH} ${ping} -n -c 1 ${${host}_${sec}_${mode}_${ipv}} \ 1018 # ${host}_${sec}_${mode}_${ipv} 1019 ssh ${IPS_SSH} route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\ 1020 grep -q 'flags: .*LOCAL' # ${host}_${sec}_${mode}_${ipv} 1021.endfor 1022.for host mode in ECO TUNNEL4 ECO TUNNEL6 1023 ssh ${IPS_SSH} route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\ 1024 fgrep -q 'gateway: ${RT_IN_${ipv}}' \ 1025 # ${host}_${sec}_${mode}_${ipv} RT_IN_${ipv} 1026.endfor 1027.for host mode in SRC TUNNEL 1028 ssh ${IPS_SSH} route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\ 1029 
grep -q 'flags: .*STATIC' # ${host}_${sec}_${mode}_${ipv} 1030.endfor 1031.for host mode in IPS TRANSP IPS TUNNEL4 IPS TUNNEL6 1032 ssh ${IPS_SSH} netstat -nav -f ${inet} -p udp |\ 1033 fgrep ' ${${host}_${sec}_${mode}_${ipv}}.7 ' \ 1034 # ${host}_${sec}_${mode}_${ipv} 1035 ssh ${IPS_SSH} netstat -nav -f ${inet} -p ${ip} |\ 1036 grep ' ${${host}_${sec}_${mode}_${ipv}}\.\* .* *59$$' \ 1037 # ${host}_${sec}_${mode}_${ipv} 1038.endfor 1039.endfor 1040 ssh ${ECO_SSH} netstat -na -f ${inet} -p tcp | fgrep ' *.7 ' 1041.endfor 1042.for sec in ESP AH IPIP IPCOMP BUNDLE 1043 ssh ${IPS_SSH} route -n get -inet ${SRC_${sec}_TRANSP_IPV4} |\ 1044 egrep -q 'flags: .*(CLONING|CLONED)' # SRC_${sec}_TRANSP_IPV4 1045 ssh ${IPS_SSH} route -n get -inet6 ${SRC_${sec}_TRANSP_IPV6} |\ 1046 fgrep -q 'gateway: ${SRC_OUT_IPV6}' \ 1047 # SRC_${sec}_TRANSP_IPV6 SRC_OUT_IPV6 1048.endfor 1049 ssh ${IPS_SSH} sysctl net.inet.esp.enable | fgrep =1 1050 ssh ${IPS_SSH} sysctl net.inet.ah.enable | fgrep =1 1051 ssh ${IPS_SSH} sysctl net.inet.ipip.allow | fgrep =1 1052 ssh ${IPS_SSH} sysctl net.inet.ipcomp.enable | fgrep =1 1053 ssh ${IPS_SSH} sysctl net.inet.ip.forwarding | fgrep =1 1054 ssh ${IPS_SSH} sysctl net.inet6.ip6.forwarding | fgrep =1 1055 ssh ${IPS_SSH} ${SUDO} pfctl -sr | grep '^anchor "regress" all$$' 1056 ssh ${IPS_SSH} ${SUDO} pfctl -si | grep '^Status: Enabled ' 1057 1058check-setup-rt: 1059 @echo '\n======== $@ ========' 1060.for ping inet ipv in ping inet IPV4 ping6 inet6 IPV6 1061.for host dir in RT IN RT OUT 1062 ssh ${RT_SSH} ${ping} -n -c 1 ${${host}_${dir}_${ipv}} \ 1063 # ${host}_${dir}_${ipv} 1064 ssh ${RT_SSH} route -n get -${inet} ${${host}_${dir}_${ipv}} |\ 1065 grep -q 'flags: .*LOCAL' # ${host}_${dir}_${ipv} 1066.endfor 1067 ssh ${RT_SSH} ${ping} -n -c 1 ${IPS_OUT_${ipv}} # IPS_OUT_${ipv} 1068.for host dir in IPS IN SRC OUT 1069 ssh ${RT_SSH} route -n get -${inet} ${${host}_${dir}_${ipv}} |\ 1070 fgrep -q 'gateway: ${IPS_OUT_${ipv}}' \ 1071 # ${host}_${dir}_${ipv} 
IPS_OUT_${ipv} 1072.endfor 1073 ssh ${RT_SSH} ${ping} -n -c 1 ${ECO_IN_${ipv}} # ECO_IN_${ipv} 1074.for sec in ESP AH IPIP IPCOMP BUNDLE 1075.for host mode in SRC TUNNEL 1076 ssh ${RT_SSH} route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\ 1077 fgrep -q 'gateway: ${IPS_OUT_${ipv}}' \ 1078 # ${host}_${sec}_${mode}_${ipv} IPS_OUT_${ipv} 1079.endfor 1080.for host mode in ECO TUNNEL4 ECO TUNNEL6 1081 ssh ${RT_SSH} route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\ 1082 fgrep -q 'gateway: ${ECO_IN_${ipv}}' \ 1083 # ${host}_${sec}_${mode}_${ipv} ECO_IN_${ipv} 1084.endfor 1085.endfor 1086.endfor 1087 ssh ${RT_SSH} sysctl net.inet.ip.forwarding | fgrep =1 1088 ssh ${RT_SSH} sysctl net.inet6.ip6.forwarding | fgrep =1 1089 1090check-setup-eco: 1091 @echo '\n======== $@ ========' 1092.for ping inet ip ipv in ping inet ip IPV4 ping6 inet6 ip6 IPV6 1093.for host dir in ECO IN 1094 ssh ${ECO_SSH} ${ping} -n -c 1 ${${host}_${dir}_${ipv}} \ 1095 # ${host}_${dir}_${ipv} 1096 ssh ${ECO_SSH} route -n get -${inet} ${${host}_${dir}_${ipv}} |\ 1097 grep -q 'flags: .*LOCAL' # ${host}_${dir}_${ipv} 1098.endfor 1099 ssh ${ECO_SSH} ${ping} -n -c 1 ${RT_OUT_${ipv}} # RT_OUT_${ipv} 1100.for host dir in RT IN IPS OUT IPS IN SRC OUT 1101 ssh ${ECO_SSH} route -n get -${inet} ${${host}_${dir}_${ipv}} |\ 1102 fgrep -q 'gateway: ${RT_OUT_${ipv}}' \ 1103 # ${host}_${dir}_${ipv} RT_OUT_${ipv} 1104.endfor 1105.for sec in ESP AH IPIP IPCOMP BUNDLE 1106.for host mode in ECO TUNNEL4 ECO TUNNEL6 1107 ssh ${ECO_SSH} ${ping} -n -c 1 ${${host}_${sec}_${mode}_${ipv}} \ 1108 # ${host}_${sec}_${mode}_${ipv} 1109 ssh ${ECO_SSH} route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\ 1110 grep -q 'flags: .*LOCAL' # ${host}_${sec}_${mode}_${ipv} 1111.endfor 1112.for host mode in SRC TUNNEL 1113 ssh ${ECO_SSH} route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\ 1114 fgrep -q 'gateway: ${RT_OUT_${ipv}}' \ 1115 # ${host}_${sec}_${mode}_${ipv} RT_OUT_${ipv} 1116.endfor 1117.for host mode in ECO 
TUNNEL4 ECO TUNNEL6 1118 ssh ${ECO_SSH} netstat -nav -f ${inet} -p udp |\ 1119 fgrep ' ${${host}_${sec}_${mode}_${ipv}}.7 ' \ 1120 # ${host}_${sec}_${mode}_${ipv} 1121 ssh ${ECO_SSH} netstat -nav -f ${inet} -p ${ip} |\ 1122 grep ' ${${host}_${sec}_${mode}_${ipv}}\.\* .* *59$$' \ 1123 # ${host}_${sec}_${mode}_${ipv} 1124.endfor 1125.endfor 1126 ssh ${ECO_SSH} netstat -na -f ${inet} -p tcp | fgrep ' *.7 ' 1127.endfor 1128 ssh ${ECO_SSH} sysctl net.inet.ip.forwarding | fgrep =1 1129 ssh ${ECO_SSH} sysctl net.inet6.ip6.forwarding | fgrep =1 1130 1131.include <bsd.regress.mk> 1132