# $OpenBSD: Makefile,v 1.31 2021/02/01 18:11:46 bluhm Exp $

# This test needs a manual setup of four machines, the make
# target create-setup can be used to distribute the configuration.
# The setup is the same as for regress/sys/net/pf_forward.
# Set up machines: SRC IPS RT ECO
# SRC is the machine where this makefile is running.
# IPS is running IPsec, it is reflecting or forwarding packets.
# RT is a router forwarding packets, maximum MTU is 1300.
# ECO is reflecting the ping and UDP and TCP echo packets.
#
# By choosing the net prefix of the outgoing packet the mode is selected
# (the digits are the mode digit of the SRC net -> the mode digit of the
# destination net):
# 5 -> 5 : transport v4
# 4 -> 5 : transport v6
# 8 -> c : tunnel v4 stack v4
# 8 -> c : tunnel v4 stack v6
# 8 -> d : tunnel v6 stack v4
# 8 -> d : tunnel v6 stack v6
# 8 -> e : tunnel v4 forward v4
# 8 -> e : tunnel v4 forward v6
# 8 -> f : tunnel v6 forward v4
# 8 -> f : tunnel v6 forward v6
#
#               1400        1300
# +---+   06   +---+   1    +---+   2    +---+
# |SRC| ----> |IPS| ----> |RT | ----> |ECO|
# +---+ 458 5  +---+ cd     +---+ ef     +---+
#     out   in   out   in    out   in
#
# The encapsulation is chosen by the digit before the mode digit
# 0,1 ESP
# 2,3 AH
# 4,5 IPIP
# 6,7 IPCOMP
# 8,9 BUNDLE
#
# As the addresses below show, the IPv6 nets use the even encapsulation
# digit followed by the hex mode digit (0c, 2d, ...), while the IPv4 nets
# use the odd digit followed by the mode digit in decimal, c,d,e,f ->
# 2,3,4,5 (12, 33, ...).  Transport and tunnel nets (4, 5, 8) keep the
# even digit for both address families.

PREFIX_IPV4 ?=	10.188.1
PREFIX_IPV6 ?=	fdd7:e83e:66bc:1

# IPv4 outgoing address is selected by the route, i.e. the address of
# the cloning route, so SRC_TRANSP_IPV4 and IPS_TRANSP_IPV4 must be in
# the same net.
# IPv6 outgoing address is selected by longest common prefix, 4 and 5
# are close together.  SRC_TRANSP_IPV6 and IPS_TRANSP_IPV6 should be in
# different networks to avoid encrypting neighbor discovery packets.

# SRC: the host this Makefile runs on.  Its TRANSP and TUNNEL addresses
# are the sources of the IPsec packets; the BUNDLE net carries the
# outer addresses of the bundled SAs.
SRC_OUT_IPV4 ?=	${PREFIX_IPV4}00.17
SRC_OUT_IPV6 ?=	${PREFIX_IPV6}00::17
SRC_BUNDLE_IPV4 ?=	${PREFIX_IPV4}06.17
SRC_BUNDLE_IPV6 ?=	${PREFIX_IPV6}06::17
SRC_ESP_TRANSP_IPV4 ?=	${PREFIX_IPV4}05.17
SRC_ESP_TRANSP_IPV6 ?=	${PREFIX_IPV6}04::17
SRC_ESP_TUNNEL_IPV4 ?=	${PREFIX_IPV4}08.17
SRC_ESP_TUNNEL_IPV6 ?=	${PREFIX_IPV6}08::17
SRC_AH_TRANSP_IPV4 ?=	${PREFIX_IPV4}25.17
SRC_AH_TRANSP_IPV6 ?=	${PREFIX_IPV6}24::17
SRC_AH_TUNNEL_IPV4 ?=	${PREFIX_IPV4}28.17
SRC_AH_TUNNEL_IPV6 ?=	${PREFIX_IPV6}28::17
SRC_IPIP_TRANSP_IPV4 ?=	${PREFIX_IPV4}45.17
SRC_IPIP_TRANSP_IPV6 ?=	${PREFIX_IPV6}44::17
SRC_IPIP_TUNNEL_IPV4 ?=	${PREFIX_IPV4}48.17
SRC_IPIP_TUNNEL_IPV6 ?=	${PREFIX_IPV6}48::17
SRC_IPCOMP_TRANSP_IPV4 ?=	${PREFIX_IPV4}65.17
SRC_IPCOMP_TRANSP_IPV6 ?=	${PREFIX_IPV6}64::17
SRC_IPCOMP_TUNNEL_IPV4 ?=	${PREFIX_IPV4}68.17
SRC_IPCOMP_TUNNEL_IPV6 ?=	${PREFIX_IPV6}68::17
SRC_BUNDLE_TRANSP_IPV4 ?=	${PREFIX_IPV4}85.17
SRC_BUNDLE_TRANSP_IPV6 ?=	${PREFIX_IPV6}84::17
SRC_BUNDLE_TUNNEL_IPV4 ?=	${PREFIX_IPV4}88.17
SRC_BUNDLE_TUNNEL_IPV6 ?=	${PREFIX_IPV6}88::17

# IPS: the IPsec endpoint.  TUNNEL4/TUNNEL6 distinguish the address
# family of the outer tunnel header, TRANSP addresses answer directly.
IPS_IN_IPV4 ?=	${PREFIX_IPV4}00.70
IPS_IN_IPV6 ?=	${PREFIX_IPV6}00::70
IPS_OUT_IPV4 ?=	${PREFIX_IPV4}01.70
IPS_OUT_IPV6 ?=	${PREFIX_IPV6}01::70
IPS_BUNDLE_IPV4 ?=	${PREFIX_IPV4}06.70
IPS_BUNDLE_IPV6 ?=	${PREFIX_IPV6}06::70
IPS_ESP_TRANSP_IPV4 ?=	${PREFIX_IPV4}05.70
IPS_ESP_TRANSP_IPV6 ?=	${PREFIX_IPV6}05::70
IPS_ESP_TUNNEL4_IPV4 ?=	${PREFIX_IPV4}12.70
IPS_ESP_TUNNEL4_IPV6 ?=	${PREFIX_IPV6}0c::70
IPS_ESP_TUNNEL6_IPV4 ?=	${PREFIX_IPV4}13.70
IPS_ESP_TUNNEL6_IPV6 ?=	${PREFIX_IPV6}0d::70
IPS_AH_TRANSP_IPV4 ?=	${PREFIX_IPV4}25.70
IPS_AH_TRANSP_IPV6 ?=	${PREFIX_IPV6}25::70
IPS_AH_TUNNEL4_IPV4 ?=	${PREFIX_IPV4}32.70
IPS_AH_TUNNEL4_IPV6 ?=	${PREFIX_IPV6}2c::70
IPS_AH_TUNNEL6_IPV4 ?=	${PREFIX_IPV4}33.70
IPS_AH_TUNNEL6_IPV6 ?=	${PREFIX_IPV6}2d::70
IPS_IPIP_TRANSP_IPV4 ?=	${PREFIX_IPV4}45.70
IPS_IPIP_TRANSP_IPV6 ?=	${PREFIX_IPV6}45::70
IPS_IPIP_TUNNEL4_IPV4 ?=	${PREFIX_IPV4}52.70
IPS_IPIP_TUNNEL4_IPV6 ?=	${PREFIX_IPV6}4c::70
IPS_IPIP_TUNNEL6_IPV4 ?=	${PREFIX_IPV4}53.70
IPS_IPIP_TUNNEL6_IPV6 ?=	${PREFIX_IPV6}4d::70
IPS_IPCOMP_TRANSP_IPV4 ?=	${PREFIX_IPV4}65.70
IPS_IPCOMP_TRANSP_IPV6 ?=	${PREFIX_IPV6}65::70
IPS_IPCOMP_TUNNEL4_IPV4 ?=	${PREFIX_IPV4}72.70
IPS_IPCOMP_TUNNEL4_IPV6 ?=	${PREFIX_IPV6}6c::70
IPS_IPCOMP_TUNNEL6_IPV4 ?=	${PREFIX_IPV4}73.70
IPS_IPCOMP_TUNNEL6_IPV6 ?=	${PREFIX_IPV6}6d::70
IPS_BUNDLE_TRANSP_IPV4 ?=	${PREFIX_IPV4}85.70
IPS_BUNDLE_TRANSP_IPV6 ?=	${PREFIX_IPV6}85::70
IPS_BUNDLE_TUNNEL4_IPV4 ?=	${PREFIX_IPV4}92.70
IPS_BUNDLE_TUNNEL4_IPV6 ?=	${PREFIX_IPV6}8c::70
IPS_BUNDLE_TUNNEL6_IPV4 ?=	${PREFIX_IPV4}93.70
IPS_BUNDLE_TUNNEL6_IPV6 ?=	${PREFIX_IPV6}8d::70

# RT only forwards between IPS and ECO, it has no IPsec addresses.
RT_IN_IPV4 ?=	${PREFIX_IPV4}01.71
RT_IN_IPV6 ?=	${PREFIX_IPV6}01::71
RT_OUT_IPV4 ?=	${PREFIX_IPV4}02.71
RT_OUT_IPV6 ?=	${PREFIX_IPV6}02::71

# ECO is reached through the tunnels only, so there are no ECO_*_TRANSP
# addresses.  The inetd and nonxt_reflect generators below test these
# variables with empty() and skip the undefined ones.
ECO_IN_IPV4 ?=	${PREFIX_IPV4}02.72
ECO_IN_IPV6 ?=	${PREFIX_IPV6}02::72
ECO_ESP_TUNNEL4_IPV4 ?=	${PREFIX_IPV4}14.72
ECO_ESP_TUNNEL4_IPV6 ?=	${PREFIX_IPV6}0e::72
ECO_ESP_TUNNEL6_IPV4 ?=	${PREFIX_IPV4}15.72
ECO_ESP_TUNNEL6_IPV6 ?=	${PREFIX_IPV6}0f::72
ECO_AH_TUNNEL4_IPV4 ?=	${PREFIX_IPV4}34.72
ECO_AH_TUNNEL4_IPV6 ?=	${PREFIX_IPV6}2e::72
ECO_AH_TUNNEL6_IPV4 ?=	${PREFIX_IPV4}35.72
ECO_AH_TUNNEL6_IPV6 ?=	${PREFIX_IPV6}2f::72
ECO_IPIP_TUNNEL4_IPV4 ?=	${PREFIX_IPV4}54.72
ECO_IPIP_TUNNEL4_IPV6 ?=	${PREFIX_IPV6}4e::72
ECO_IPIP_TUNNEL6_IPV4 ?=	${PREFIX_IPV4}55.72
ECO_IPIP_TUNNEL6_IPV6 ?=	${PREFIX_IPV6}4f::72
ECO_IPCOMP_TUNNEL4_IPV4 ?=	${PREFIX_IPV4}74.72
ECO_IPCOMP_TUNNEL4_IPV6 ?=	${PREFIX_IPV6}6e::72
ECO_IPCOMP_TUNNEL6_IPV4 ?=	${PREFIX_IPV4}75.72
ECO_IPCOMP_TUNNEL6_IPV6 ?=	${PREFIX_IPV6}6f::72
ECO_BUNDLE_TUNNEL4_IPV4 ?=	${PREFIX_IPV4}94.72
ECO_BUNDLE_TUNNEL4_IPV6 ?=	${PREFIX_IPV6}8e::72
ECO_BUNDLE_TUNNEL6_IPV4 ?=	${PREFIX_IPV4}95.72
ECO_BUNDLE_TUNNEL6_IPV6 ?=	${PREFIX_IPV6}8f::72

# Configure the addresses on the machines, there must be routes for the
# networks.  Adapt the interface and address variables to your local
# setup.  To control a remote machine you need a hostname for ssh to
# log in (IPS_SSH, RT_SSH, ECO_SSH).
#
# IPS and ECO need the inetd echo service on TRANSP and TUNNEL addresses.
# Run make create-setup to copy hostname.if files to the machines.
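# Run make check-setup to see if you got the setup correct.

# Interfaces carrying the test addresses on each machine; override them
# to match your setup.
SRC_OUT_IF ?=	tap4
IPS_IN_IF ?=	vio1
IPS_OUT_IF ?=	vio2
RT_IN_IF ?=	vio1
RT_OUT_IF ?=	vio2
ECO_IN_IF ?=	vio1

# Helper programs built from this directory.  nonxt-sendrecv runs on
# SRC, nonxt-reflect is built and started on IPS and ECO.
PROGS =		nonxt-sendrecv nonxt-reflect

.MAIN: all

# Without the three remote hosts only a SKIPPED notice is printed.
.if empty (IPS_SSH) || empty (RT_SSH) || empty (ECO_SSH)
regress:
	@echo This tests needs three remote machines to operate on.
	@echo IPS_SSH RT_SSH ECO_SSH are empty.
	@echo Fill out these variables for additional tests, then
	@echo check whether your test machines are set up properly.
	@echo SKIPPED

.elif make (regress) || make (all)
# Before any target runs, obtain the ${SUDO} credentials interactively
# on SRC and on the remote hosts that later run ${SUDO} over an ssh
# session without a tty: IPS in ipsec, pfctl, reflect and the tcpdump
# stamps, ECO in reflect.  Then forget the state of previous runs.
.BEGIN:
	${SUDO} true
	ssh -t ${IPS_SSH} ${SUDO} true
	ssh -t ${ECO_SSH} ${SUDO} true
	rm -f stamp-*
	@echo
.endif

# Create python include file containing the addresses.
# The NAME="value" lines double as macro definitions for ipsecctl and
# pfctl, which read addr.py concatenated with their config below.
# The file is written to $@.tmp first and renamed when complete.
addr.py: Makefile
	rm -f $@ $@.tmp
.for host in SRC IPS RT ECO
.for dir in IN OUT BUNDLE
.for ipv in IF IPV4 IPV6
	echo '${host}_${dir}_${ipv}="${${host}_${dir}_${ipv}}"' >>$@.tmp
.endfor
.endfor
.endfor
.for sec in ESP AH IPIP IPCOMP BUNDLE
.for host mode in SRC TRANSP SRC TUNNEL \
    IPS TRANSP IPS TUNNEL4 IPS TUNNEL6 \
    ECO TUNNEL4 ECO TUNNEL6
.for ipv in IPV4 IPV6
	echo '${host}_${sec}_${mode}_${ipv}="${${host}_${sec}_${mode}_${ipv}}"'\
	    >>$@.tmp
.endfor
.endfor
.endfor
	mv $@.tmp $@

# REGRESS_SETUP_ONCE targets are run once by bsd.regress.mk, which
# presumably records them in the stamp-* file; the stamp depends on the
# generated inputs so a changed config reruns the setup.
REGRESS_SETUP_ONCE +=	ipsec
stamp-ipsec: addr.py ipsec.conf
# The config is syntax checked locally with -n before anything is
# flushed.  ipsecctl -F flushes every SA and flow on SRC and on IPS,
# not only the ones of this test.  The same ipsec.conf is loaded on IPS
# with the from/to and local/peer macros swapped.
ipsec:
	# Load the ipsec sa and flow into the kernel of the SRC and IPS machine.
	cat addr.py ${.CURDIR}/ipsec.conf | /sbin/ipsecctl -n -f -
	${SUDO} ipsecctl -F
	cat addr.py ${.CURDIR}/ipsec.conf | ${SUDO} ipsecctl -f -
	ssh ${IPS_SSH} ${SUDO} ipsecctl -F
	cat addr.py ${.CURDIR}/ipsec.conf | ssh ${IPS_SSH} ${SUDO} ipsecctl\
	    -f - -D FROM=to -D TO=from -D LOCAL=peer -D PEER=local

REGRESS_SETUP_ONCE +=	pfctl
stamp-pfctl: addr.py pf.conf
# The rules go into the pf anchor "regress" on IPS, the main ruleset of
# IPS is left alone.  Syntax is checked locally first.
pfctl:
	# Load a pf log enc0 pass any rule into the kernel of the IPS machine.
	cat addr.py ${.CURDIR}/pf.conf | /sbin/pfctl -n -f -
	cat addr.py ${.CURDIR}/pf.conf | \
	    ssh ${IPS_SSH} ${SUDO} pfctl -a regress -f -

REGRESS_SETUP_ONCE +=	reflect
stamp-reflect: nonxt-reflect
# The remote make runs in the same ${.CURDIR}, so the regress tree must
# be visible under that path on IPS and ECO.
reflect:
	# Build and start packet reflection program on IPS and ECO machine.
	ssh ${IPS_SSH} make -C ${.CURDIR} nonxt-reflect
	ssh ${IPS_SSH} ${SUDO} rcctl start inetd nonxt_reflect
	ssh ${ECO_SSH} make -C ${.CURDIR} nonxt-reflect
	ssh ${ECO_SSH} ${SUDO} rcctl start inetd nonxt_reflect

# tcpdump command used on IPS; the interface name is appended.  It is
# also the pkill -f pattern that stops the capture again.
DUMPCMD=	tcpdump -l -e -vvv -s 2048 -ni

# Start a capture on enc0 of IPS in the background, output lands in
# enc0.tcpdump on SRC.  A previous capture is killed first (ignored if
# none runs).  The sleep gives tcpdump time to attach before packets
# are sent; stamp-stop is removed so the capture is stopped again after
# the send targets ran.
stamp-bpf: Makefile stamp-drop
	# Run tcpdump on enc device of IPS machine.
	rm -f enc0.tcpdump
	-ssh ${IPS_SSH} ${SUDO} pkill -f "'^${DUMPCMD} enc0'" || true
	ssh ${IPS_SSH} ${SUDO} ${DUMPCMD} enc0 >enc0.tcpdump &
	sleep 5  # XXX
	rm -f stamp-stop
	@date >$@

# Same for pflog0, which only has entries after the pf rules are loaded.
stamp-pflog: stamp-pfctl stamp-drop
	# Run tcpdump on pflog device of IPS machine.
	rm -f pflog0.tcpdump
	-ssh ${IPS_SSH} ${SUDO} pkill -f "'^${DUMPCMD} pflog0'" || true
	ssh ${IPS_SSH} ${SUDO} ${DUMPCMD} pflog0 >pflog0.tcpdump &
	sleep 5  # XXX
	rm -f stamp-stop
	@date >$@

# The run-bpf and run-pflog checks depend on this stamp, so both
# captures are stopped (after a grace period for late packets) before
# the dump files are searched.
stamp-stop:
	# Stop tcpdump on enc and pflog device of IPS machine.
	sleep 5  # XXX
	-ssh ${IPS_SSH} ${SUDO} pkill -f "'^${DUMPCMD}'"
	@date >$@

# Old TCP connections send packets from time to time.  These confuse
# the checks that count the IPsec packets with netstat -ss.
# Only connections whose local and foreign address both lie inside the
# test prefixes are dropped, other connections of SRC are untouched.
# The perl script turns each netstat line into "lip lport fip fport"
# for tcpdrop; $$ is needed because make eats single dollars.
stamp-drop:
	# Drop old TCP connections.
	netstat -nv -p tcp |\
	perl -ne '\
	    / ${PREFIX_IPV6}.* ${PREFIX_IPV6}/ ||\
	    / ${PREFIX_IPV4}.* ${PREFIX_IPV4}/ or next;\
	    my ($$laddr,$$faddr) = (split)[3,4];\
	    my ($$lip,$$lport) = $$laddr =~ /(.*)\.(\d+)/;\
	    my ($$fip,$$fport) = $$faddr =~ /(.*)\.(\d+)/;\
	    print join(" ",$$lip,$$lport,$$fip,$$fport),"\n"' |\
	xargs -r -L1 ${SUDO} tcpdrop
	@date >$@

# Disable tests that do not pass.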
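
# The IPv4 AH transport targets are disabled as well, although the
# recipe comment only explains the IPv6 case; presumably pf handles
# both alike, confirm before re-enabling any of them.
run-pflog-ping-IPS_AH_TRANSP_IPV4 \
run-pflog-udp-IPS_AH_TRANSP_IPV4 \
run-pflog-tcp-IPS_AH_TRANSP_IPV4 \
run-pflog-nonxt-IPS_AH_TRANSP_IPV4 \
run-pflog-ping-IPS_AH_TRANSP_IPV6 \
run-pflog-udp-IPS_AH_TRANSP_IPV6 \
run-pflog-tcp-IPS_AH_TRANSP_IPV6 \
run-pflog-nonxt-IPS_AH_TRANSP_IPV6:
	# IPv6 AH packets are treated as their payload protocol by pf.
	# So they match the floating state on the physical interface
	# and are not logged by the enc0 pf rule.
	@echo DISABLED

# Ping all addresses.  This ensures that the IP addresses are configured
# and all routing tables are set up to allow bidirectional packet flow.

.for host dir in SRC OUT IPS IN IPS OUT RT IN RT OUT ECO IN
.for ping ipv in ping IPV4 ping6 IPV6
TARGETS +=	ping-${host}_${dir}_${ipv}
run-send-ping-${host}_${dir}_${ipv}:
	${ping} -n -c 1 -w 2 ${${host}_${dir}_${ipv}}
.endfor
.endfor

# Send IPsec packets from SRC to IPS and expect response.
#
# Every send target first saves the input and output packet counters of
# the encapsulation from netstat -s in pkt.in and pkt.out, sends one
# packet and compares the counters again.  The netstat protocol name is
# the lower case encapsulation, IPIP is counted as ipencap and BUNDLE
# as esp.  The additional targets "ping src esp transp ipv4" etc. let
# you run a subset by naming any of these words on the command line.

.for sec in ESP AH IPIP IPCOMP BUNDLE

.for host mode in SRC TRANSP SRC TUNNEL \
    IPS TRANSP IPS TUNNEL4 IPS TUNNEL6 \
    ECO TUNNEL4 ECO TUNNEL6
.for ping ipv in ping IPV4 ping6 IPV6
.for len size in small -s24 big -s1000

TARGETS +=	ping-${len}-${host}_${sec}_${mode}_${ipv}
ping ${host:L} ${sec:L} ${mode:L} ${ipv:L}:\
    run-send-ping-${len}-${host}_${sec}_${mode}_${ipv}
run-send-ping-${len}-${host}_${sec}_${mode}_${ipv}:
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/input ${sec:S/BUNDLE/ESP/} /{print $$1}' >pkt.in
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/output ${sec:S/BUNDLE/ESP/} /{print $$1}' >pkt.out
	${ping} ${size} -n -c 1 -w 2 ${${host}_${sec}_${mode}_${ipv}}
# Pings to SRC's own addresses and small IPCOMP pings are expected to
# leave the counters unchanged (presumably nothing gets encapsulated);
# every other case must show exactly one more input and output packet.
.if "${host}" == SRC || ( "${len}" == small && "${sec}" == IPCOMP )
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/input ${sec:S/BUNDLE/ESP/} /{print $$1}' |\
	    diff pkt.in -
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/output ${sec:S/BUNDLE/ESP/} /{print $$1}' |\
	    diff pkt.out -
.else
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/input ${sec:S/BUNDLE/ESP/} /{print $$1-1}' |\
	    diff pkt.in -
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/output ${sec:S/BUNDLE/ESP/} /{print $$1-1}' |\
	    diff pkt.out -
.endif

.endfor
.endfor
.endfor

.for host mode in IPS TRANSP IPS TUNNEL4 IPS TUNNEL6 \
    ECO TUNNEL4 ECO TUNNEL6
.for ipv in IPV4 IPV6

# UDP echo: the shell pid ($$$$ -> $$ for the shell) is sent to port 7
# and must come back.  IPCOMP is expected not to touch the counters.
TARGETS +=	udp-${host}_${sec}_${mode}_${ipv}
udp ${host:L} ${sec:L} ${mode:L} ${ipv:L}:\
    run-send-udp-${host}_${sec}_${mode}_${ipv}
run-send-udp-${host}_${sec}_${mode}_${ipv}:
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/input ${sec:S/BUNDLE/ESP/} /{print $$1}' >pkt.in
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/output ${sec:S/BUNDLE/ESP/} /{print $$1}' >pkt.out
	echo $$$$ | nc -n -u -W 1 -w 3 ${${host}_${sec}_${mode}_${ipv}} 7 |\
	    fgrep $$$$
.if "${sec}" == IPCOMP
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/input ${sec:S/BUNDLE/ESP/} /{print $$1}' |\
	    diff pkt.in -
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/output ${sec:S/BUNDLE/ESP/} /{print $$1}' |\
	    diff pkt.out -
.else
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/input ${sec:S/BUNDLE/ESP/} /{print $$1-1}' |\
	    diff pkt.in -
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/output ${sec:S/BUNDLE/ESP/} /{print $$1-1}' |\
	    diff pkt.out -
.endif

# TCP echo: no counter check, a connection consists of several packets.
TARGETS +=	tcp-${host}_${sec}_${mode}_${ipv}
tcp ${host:L} ${sec:L} ${mode:L} ${ipv:L}:\
    run-send-tcp-${host}_${sec}_${mode}_${ipv}
run-send-tcp-${host}_${sec}_${mode}_${ipv}:
	echo $$$$ | nc -n -N -w 3 ${${host}_${sec}_${mode}_${ipv}} 7 |\
	    fgrep $$$$

# Send large tcp stream, this should trigger path mtu discovery.
# but it works only for a few cases

# The host routes are deleted first, presumably to drop a path MTU
# cached by an earlier run so that discovery happens again; the
# deletion may legitimately fail when no such route exists.  10000
# random bytes in base64 are 209 lines and 13545 bytes, which wc must
# report for the echoed stream.
.if "${sec}" == ESP && ("${mode}" == TUNNEL4 || "${mode}" == TUNNEL6)
TARGETS +=	tcp-pmtu-${host}_${sec}_${mode}_${ipv}
tcp pmtu ${host:L} ${sec:L} ${mode:L} ${ipv:L}:\
    run-send-tcp-pmtu-${host}_${sec}_${mode}_${ipv}
run-send-tcp-pmtu-${host}_${sec}_${mode}_${ipv}:
	${SUDO} route delete -host ${${host}_${sec}_${mode}_${ipv}} || true
.if "${host}" == ECO
	ssh ${IPS_SSH} ${SUDO}\
	    route delete -host ${${host}_${sec}_${mode}_${ipv}} || true
.endif
	openssl rand -base64 10000 |\
	    nc -n -N -w 8 ${${host}_${sec}_${mode}_${ipv}} 7 |\
	    wc | fgrep ' 209 209 13545'
.endif

# Send no next header protocol 59 packets through the IPsec test.
# They consist solely of an IPv6 header chain and trigger edge cases.
# nonxt-sendrecv needs root for its raw socket, hence ${SUDO}.

TARGETS +=	nonxt-${host}_${sec}_${mode}_${ipv}
nonxt ${host:L} ${sec:L} ${mode:L} ${ipv:L}:\
    run-send-nonxt-${host}_${sec}_${mode}_${ipv}
run-send-nonxt-${host}_${sec}_${mode}_${ipv}: nonxt-sendrecv
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/input ${sec:S/BUNDLE/ESP/} /{print $$1}' >pkt.in
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/output ${sec:S/BUNDLE/ESP/} /{print $$1}' >pkt.out
	${SUDO} ./nonxt-sendrecv ${${host}_${sec}_${mode}_${ipv}}
.if "${sec}" == IPCOMP
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/input ${sec:S/BUNDLE/ESP/} /{print $$1}' |\
	    diff pkt.in -
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/output ${sec:S/BUNDLE/ESP/} /{print $$1}' |\
	    diff pkt.out -
.else
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/input ${sec:S/BUNDLE/ESP/} /{print $$1-1}' |\
	    diff pkt.in -
	netstat -s -p ${sec:L:S/ipip/ipencap/:S/bundle/esp/} |\
	    awk '/output ${sec:S/BUNDLE/ESP/} /{print $$1-1}' |\
	    diff pkt.out -
.endif

.endfor
.endfor

.endfor

# Check bpf has dumped all IPsec packets to enc0 on IPS.
#
# The egrep patterns below are assembled from these pieces: the
# encapsulation as printed by tcpdump -e on enc0, the outer tunnel
# addresses (none for transport mode, hence the bare "*" that only
# allows spaces), the inner addresses and the protocol specific part.
# There is no REGEX_IPIP or REGEX_BUNDLE; those encapsulations are
# filtered out of the run-bpf targets in REGRESS_TARGETS.

REGEX_ESP=	\(authentic,confidential\): SPI 0x[0-9a-f]*:
REGEX_AH=	\(authentic\): SPI 0x[0-9a-f]*:
REGEX_IPCOMP=	\(unprotected\): SPI 0x[0-9a-f]*:

REGEX_REQ_TRANSP=	*
REGEX_REQ_TUNNEL4=	${SRC_OUT_IPV4} > ${IPS_IN_IPV4}:
REGEX_REQ_TUNNEL6=	${SRC_OUT_IPV6} > ${IPS_IN_IPV6}:

REGEX_RPL_TRANSP=	*
REGEX_RPL_TUNNEL4=	${IPS_IN_IPV4} > ${SRC_OUT_IPV4}:
REGEX_RPL_TUNNEL6=	${IPS_IN_IPV6} > ${SRC_OUT_IPV6}:

# "icmp6?" matches both icmp and icmp6, so one pattern serves both
# address families.
REGEX_REQ_PING=		icmp6?: echo request
REGEX_REQ_UDP=		.* udp
REGEX_REQ_TCP=		S
REGEX_REQ_NONXT=	(ip-proto-59|no next header)

REGEX_RPL_PING=		icmp6?: echo reply
REGEX_RPL_UDP=		.* udp
REGEX_RPL_TCP=		S .* ack
REGEX_RPL_NONXT=	(ip-proto-59|no next header)

# The SRC side of a tunnel address pair is SRC_<sec>_TUNNEL for both
# TUNNEL4 and TUNNEL6, which the :C/[46]$// modifier strips.  ECO has
# no TRANSP addresses, the patterns generated for them stay unused.
.for host in IPS ECO
.for sec in ESP AH IPIP IPCOMP BUNDLE
.for mode in TRANSP TUNNEL4 TUNNEL6
.for ipv in IPV4 IPV6

REGEX_REQ_${host}_${sec}_${mode}_${ipv}_PING=\
	${SRC_${sec}_${mode:C/[46]$//}_${ipv}} >\
	${${host}_${sec}_${mode}_${ipv}}:
REGEX_REQ_${host}_${sec}_${mode}_${ipv}_UDP=\
	${SRC_${sec}_${mode:C/[46]$//}_${ipv}}\.[0-9][0-9]* >\
	${${host}_${sec}_${mode}_${ipv}}\.7:
REGEX_REQ_${host}_${sec}_${mode}_${ipv}_TCP=\
	${REGEX_REQ_${host}_${sec}_${mode}_${ipv}_UDP}
REGEX_REQ_${host}_${sec}_${mode}_${ipv}_NONXT=\
	${REGEX_REQ_${host}_${sec}_${mode}_${ipv}_PING}

REGEX_RPL_${host}_${sec}_${mode}_${ipv}_PING=\
	${${host}_${sec}_${mode}_${ipv}} >\
	${SRC_${sec}_${mode:C/[46]$//}_${ipv}}:
REGEX_RPL_${host}_${sec}_${mode}_${ipv}_UDP=\
	${${host}_${sec}_${mode}_${ipv}}\.7 >\
	${SRC_${sec}_${mode:C/[46]$//}_${ipv}}\.[0-9][0-9]*:
REGEX_RPL_${host}_${sec}_${mode}_${ipv}_TCP=\
	${REGEX_RPL_${host}_${sec}_${mode}_${ipv}_UDP}
REGEX_RPL_${host}_${sec}_${mode}_${ipv}_NONXT=\
	${REGEX_RPL_${host}_${sec}_${mode}_${ipv}_PING}

.for proto in PING UDP TCP NONXT

# Request and reply must both appear in the enc0 capture.  All checks
# are quiet, only the egrep exit status matters.
run-bpf-${proto:L}-${host}_${sec}_${mode}_${ipv}: stamp-stop
	egrep -q '\
	    ${REGEX_${sec}}\
	    ${REGEX_REQ_${mode}}\
	    ${REGEX_REQ_${host}_${sec}_${mode}_${ipv}_${proto}}\
	    ${REGEX_REQ_${proto}} ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_${sec}}\
	    ${REGEX_RPL_${mode}}\
	    ${REGEX_RPL_${host}_${sec}_${mode}_${ipv}_${proto}}\
	    ${REGEX_RPL_${proto}} ' enc0.tcpdump

# The pass in rule of the regress anchor must have logged the request
# on enc0 and a pass out rule the reply.
run-pflog-${proto:L}-${host}_${sec}_${mode}_${ipv}: stamp-stop
	egrep -q '\
	    rule .*regress.0/\(match\) .*\
	    pass in on enc0:.*\
	    ${REGEX_REQ_${host}_${sec}_${mode}_${ipv}_${proto}}\
	    ${REGEX_REQ_${proto}} ' pflog0.tcpdump
	egrep -q '\
	    rule .*/\(match\) .*\
	    pass out on enc0:.*\
	    ${REGEX_RPL_${host}_${sec}_${mode}_${ipv}_${proto}}\
	    ${REGEX_RPL_${proto}} ' pflog0.tcpdump

.endfor
.endfor
.endfor
.endfor
.endfor

# Path MTU checks: the TCP segment sizes in the capture must shrink
# from the initial size to the one fitting the 1400 MTU of IPS and,
# for ECO, further to the 1300 MTU of RT after the corresponding
# ICMP need-to-frag / too-big messages were seen.

run-bpf-tcp-pmtu-IPS_ESP_TUNNEL4_IPV4: stamp-stop
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL4}\
	    ${REGEX_REQ_IPS_ESP_TUNNEL4_IPV4_TCP}\
	    .* 1:1...\(1372\) ack ' enc0.tcpdump

run-bpf-tcp-pmtu-IPS_ESP_TUNNEL4_IPV6: stamp-stop
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL4}\
	    ${REGEX_REQ_IPS_ESP_TUNNEL4_IPV6_TCP}\
	    .* 1:1...\(1352\) ack ' enc0.tcpdump

run-bpf-tcp-pmtu-IPS_ESP_TUNNEL6_IPV4: stamp-stop
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL6}\
	    ${REGEX_REQ_IPS_ESP_TUNNEL6_IPV4_TCP}\
	    .* 1:1...\(1352\) ack ' enc0.tcpdump

run-bpf-tcp-pmtu-IPS_ESP_TUNNEL6_IPV6: stamp-stop
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL6}\
	    ${REGEX_REQ_IPS_ESP_TUNNEL6_IPV6_TCP}\
	    .* 1:1...\(1332\) ack ' enc0.tcpdump

run-bpf-tcp-pmtu-ECO_ESP_TUNNEL4_IPV4: stamp-stop
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL4}\
	    ${REGEX_REQ_ECO_ESP_TUNNEL4_IPV4_TCP}\
	    .* 1:1...\(1372\) ack ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_RPL_TUNNEL4}\
	    ${IPS_IN_IPV4} > ${SRC_ESP_TUNNEL_IPV4}:\
	    icmp: ${ECO_ESP_TUNNEL4_IPV4} unreachable -\
	    need to frag \(mtu 1400\) ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL4}\
	    ${REGEX_REQ_ECO_ESP_TUNNEL4_IPV4_TCP}\
	    .* 1:1...\(1348\) ack ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_RPL_TUNNEL4}\
	    ${RT_IN_IPV4} > ${SRC_ESP_TUNNEL_IPV4}:\
	    icmp: ${ECO_ESP_TUNNEL4_IPV4} unreachable -\
	    need to frag \(mtu 1300\) ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL4}\
	    ${REGEX_REQ_ECO_ESP_TUNNEL4_IPV4_TCP}\
	    .* 1:1...\(1248\) ack ' enc0.tcpdump

run-bpf-tcp-pmtu-ECO_ESP_TUNNEL4_IPV6: stamp-stop
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL4}\
	    ${REGEX_REQ_ECO_ESP_TUNNEL4_IPV6_TCP}\
	    .* 1:1...\(1352\) ack ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_RPL_TUNNEL6}\
	    ${IPS_IN_IPV6} > ${SRC_ESP_TUNNEL_IPV6}:\
	    icmp6: too big 1400 ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL4}\
	    ${REGEX_REQ_ECO_ESP_TUNNEL4_IPV6_TCP}\
	    .* 1:1...\(1328\) ack ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_RPL_TUNNEL6}\
	    ${RT_IN_IPV6} > ${SRC_ESP_TUNNEL_IPV6}:\
	    icmp6: too big 1300 ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL4}\
	    ${REGEX_REQ_ECO_ESP_TUNNEL4_IPV6_TCP}\
	    .* 1:1...\(1228\) ack ' enc0.tcpdump

run-bpf-tcp-pmtu-ECO_ESP_TUNNEL6_IPV4: stamp-stop
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL6}\
	    ${REGEX_REQ_ECO_ESP_TUNNEL6_IPV4_TCP}\
	    .* 1:1...\(1352\) ack ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_RPL_TUNNEL4}\
	    ${IPS_IN_IPV4} > ${SRC_ESP_TUNNEL_IPV4}:\
	    icmp: ${ECO_ESP_TUNNEL6_IPV4} unreachable -\
	    need to frag \(mtu 1400\) ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL6}\
	    ${REGEX_REQ_ECO_ESP_TUNNEL6_IPV4_TCP}\
	    .* 1:1...\(1348\) ack ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_RPL_TUNNEL4}\
	    ${RT_IN_IPV4} > ${SRC_ESP_TUNNEL_IPV4}:\
	    icmp: ${ECO_ESP_TUNNEL6_IPV4} unreachable -\
	    need to frag \(mtu 1300\) ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL6}\
	    ${REGEX_REQ_ECO_ESP_TUNNEL6_IPV4_TCP}\
	    .* 1:1...\(1248\) ack ' enc0.tcpdump

# Quiet like all other checks; the matched lines are not needed in the
# regress output.
run-bpf-tcp-pmtu-ECO_ESP_TUNNEL6_IPV6: stamp-stop
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL6}\
	    ${REGEX_REQ_ECO_ESP_TUNNEL6_IPV6_TCP}\
	    .* 1:1...\(1332\) ack ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_RPL_TUNNEL6}\
	    ${IPS_IN_IPV6} > ${SRC_ESP_TUNNEL_IPV6}:\
	    icmp6: too big 1400 ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL6}\
	    ${REGEX_REQ_ECO_ESP_TUNNEL6_IPV6_TCP}\
	    .* 1:1...\(1328\) ack ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_RPL_TUNNEL6}\
	    ${RT_IN_IPV6} > ${SRC_ESP_TUNNEL_IPV6}:\
	    icmp6: too big 1300 ' enc0.tcpdump
	egrep -q '\
	    ${REGEX_ESP}\
	    ${REGEX_REQ_TUNNEL6}\
	    ${REGEX_REQ_ECO_ESP_TUNNEL6_IPV6_TCP}\
	    .* 1:1...\(1228\) ack ' enc0.tcpdump

# Every TARGETS entry gets a run-send target.  The bpf and pflog checks
# only exist for the cases tcpdump and pf can verify: no IPIP, no local
# SRC or plain IN/OUT addresses, no small pings (the big one is checked
# with the -big- part dropped from the name); BUNDLE and the IPCOMP
# udp/tcp/nonxt cases are excluded from bpf, IPCOMP and pmtu from pflog.
REGRESS_TARGETS =	${TARGETS:S/^/run-send-/} \
	${TARGETS:N*_IPIP_*:N*_BUNDLE_*:N*_IN_*:N*_OUT_*:N*-SRC_*:Nudp-*_IPCOMP_*:Ntcp-*_IPCOMP_*:N*-small-*:Nnonxt-*_IPCOMP_*:S/-big-/-/:S/^/run-bpf-/} \
	${TARGETS:N*_IPIP_*:N*_IPCOMP_*:N*_IN_*:N*_OUT_*:N*-SRC_*:N*-small-*:N*-pmtu-*:S/-big-/-/:S/^/run-pflog-/}

# Captures must be running and stale connections gone before sending.
${REGRESS_TARGETS:Mrun-send-*}: stamp-bpf stamp-pflog stamp-drop

# The per-host directories hold every file generated by create-setup
# (hostname.*, inetd.conf, nonxt_reflect), remove them all on clean.
CLEANFILES +=	addr.py *.pyc *.log stamp-* */hostname.* */inetd.conf \
	*/nonxt_reflect *.{in,out} *.tcpdump

# Run make create-setup to configure remote machines for test.

.PHONY: create-setup

create-setup: stamp-hostname stamp-inetd stamp-nonxt-reflect

# Create hostname.if files, copy them to the machines and install addresses.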
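
# Each generated hostname.if starts with a "### regress ipsec" marker
# line; stamp-hostname uses it to cut the previous test configuration
# out of the real /etc/hostname.if before appending the new one.  The
# "# NAME/pfxlen GATEWAY" comment lines name the variables a route is
# built from.  Files are written to $@.tmp and renamed when complete.
etc/hostname.${SRC_OUT_IF}: Makefile
	mkdir -p ${@:H}
	rm -f $@ $@.tmp
	echo '### regress ipsec $@' >$@.tmp
.for dir in OUT BUNDLE
	echo '# SRC_${dir}' >>$@.tmp
.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64
	echo '${inet} alias ${SRC_${dir}_${ipv}} ${masklen}' >>$@.tmp
.endfor
.endfor
.for sec in ESP AH IPIP IPCOMP BUNDLE
	echo '## SRC_${sec}' >>$@.tmp
.for mode in TRANSP TUNNEL
	echo '# SRC_${sec}_${mode}' >>$@.tmp
.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64
	echo '${inet} alias ${SRC_${sec}_${mode}_${ipv}} ${masklen}' >>$@.tmp
.endfor
.endfor
	echo '# IPS_${sec}_TRANSP_IPV6/64 IPS_IN_IPV6' >>$@.tmp
	echo '!route -q delete -inet6 ${IPS_${sec}_TRANSP_IPV6}/64' >>$@.tmp
	echo '!route add -inet6 ${IPS_${sec}_TRANSP_IPV6}/64 ${IPS_IN_IPV6}'\
	    >>$@.tmp
.for host dir in RT IN ECO IN
	echo '# ${host}_${dir}/pfxlen IPS_IN' >>$@.tmp
.for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64
	echo '!route -q delete -${inet} ${${host}_${dir}_${ipv}}/${pfxlen}'\
	    >>$@.tmp
	echo '!route add -${inet} ${${host}_${dir}_${ipv}}/${pfxlen}\
	    ${IPS_IN_${ipv}}' >>$@.tmp
.endfor
.endfor
.for host in IPS ECO
.for mode in TUNNEL4 TUNNEL6
# The comment names the gateway symbolically like its siblings; ${ipv}
# is not in scope here (the loop defining it starts below), so an
# expanded address would come out empty.
	echo '# ${host}_${sec}_${mode}/pfxlen SRC_${sec}_TUNNEL' >>$@.tmp
.for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64
	echo '!route -q delete -${inet}\
	    ${${host}_${sec}_${mode}_${ipv}}/${pfxlen}' >>$@.tmp
	echo '!route add -${inet} ${${host}_${sec}_${mode}_${ipv}}/${pfxlen}\
	    ${SRC_${sec}_TUNNEL_${ipv}}' >>$@.tmp
.endfor
.endfor
.endfor
.endfor
	mv $@.tmp $@

${IPS_SSH}/hostname.${IPS_IN_IF}: Makefile
	mkdir -p ${@:H}
	rm -f $@ $@.tmp
	echo '### regress ipsec $@' >$@.tmp
.for dir in IN BUNDLE
	echo '# IPS_${dir}' >>$@.tmp
.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64
	echo '${inet} alias ${IPS_${dir}_${ipv}} ${masklen}'	>>$@.tmp
.endfor
.endfor
.for sec in ESP AH IPIP IPCOMP BUNDLE
	echo '## IPS_${sec}' >>$@.tmp
	echo '# IPS_${sec}_TRANSP' >>$@.tmp
.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64
	echo '${inet} alias ${IPS_${sec}_TRANSP_${ipv}} ${masklen}' >>$@.tmp
.endfor
	echo '# SRC_${sec}_TRANSP_IPV6/64 SRC_OUT_IPV6' >>$@.tmp
	echo '!route -q delete -inet6 ${SRC_${sec}_TRANSP_IPV6}/64' >>$@.tmp
	echo '!route add -inet6 ${SRC_${sec}_TRANSP_IPV6}/64 ${SRC_OUT_IPV6}'\
	    >>$@.tmp
.for mode in TUNNEL
# Symbolic gateway name, ${ipv} is only defined by the loop below.
	echo '# SRC_${sec}_${mode}/pfxlen IPS_IN' >>$@.tmp
.for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64
	echo '!route -q delete -${inet}\
	    ${SRC_${sec}_${mode}_${ipv}}/${pfxlen}' >>$@.tmp
	echo '!route add -${inet} ${SRC_${sec}_${mode}_${ipv}}/${pfxlen}\
	    ${IPS_IN_${ipv}}' >>$@.tmp
.endfor
.endfor
.endfor
	mv $@.tmp $@

${IPS_SSH}/hostname.${IPS_OUT_IF}: Makefile
	mkdir -p ${@:H}
	rm -f $@ $@.tmp
	echo '### regress ipsec $@' >$@.tmp
	echo '# IPS_OUT' >>$@.tmp
.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64
	echo '${inet} alias ${IPS_OUT_${ipv}} ${masklen}' >>$@.tmp
.endfor
	echo '# ECO_IN/pfxlen RT_IN' >>$@.tmp
.for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64
	echo '!route -q delete -${inet} ${ECO_IN_${ipv}}/${pfxlen}'\
	    >>$@.tmp
	echo '!route add -${inet} ${ECO_IN_${ipv}}/${pfxlen} ${RT_IN_${ipv}}'\
	    >>$@.tmp
.endfor
.for sec in ESP AH IPIP IPCOMP BUNDLE
	echo '## IPS_${sec}' >>$@.tmp
.for mode in TUNNEL4 TUNNEL6
	echo '# IPS_${sec}_${mode}' >>$@.tmp
.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64
	echo '${inet} alias ${IPS_${sec}_${mode}_${ipv}} ${masklen}' >>$@.tmp
.endfor
.endfor
.for mode in TUNNEL4 TUNNEL6
	echo '# ECO_${sec}_${mode}/pfxlen RT_IN' >>$@.tmp
.for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64
	echo '!route -q delete -${inet}\
	    ${ECO_${sec}_${mode}_${ipv}}/${pfxlen}' >>$@.tmp
	echo '!route add -${inet} ${ECO_${sec}_${mode}_${ipv}}/${pfxlen}\
	    ${RT_IN_${ipv}}' >>$@.tmp
.endfor
.endfor
.endfor
	mv $@.tmp $@

${RT_SSH}/hostname.${RT_IN_IF}: Makefile
	mkdir -p ${@:H}
	rm -f $@ $@.tmp
	echo '### regress ipsec $@' >$@.tmp
	echo '# RT_IN' >>$@.tmp
.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64
	echo '${inet} alias ${RT_IN_${ipv}} ${masklen}' >>$@.tmp
.endfor
	echo '# SRC_OUT/pfxlen IPS_OUT' >>$@.tmp
.for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64
	echo '!route -q delete -${inet} ${SRC_OUT_${ipv}}/${pfxlen}'\
	    >>$@.tmp
# Gateway inside the quotes like every other route line; the written
# text is the same, echo joins its arguments with a single space.
	echo '!route add -${inet} ${SRC_OUT_${ipv}}/${pfxlen}\
	    ${IPS_OUT_${ipv}}' >>$@.tmp
.endfor
.for sec in ESP AH IPIP IPCOMP BUNDLE
	echo '## IPS_${sec}' >>$@.tmp
.for mode in TUNNEL
	echo '# SRC_${mode}/pfxlen IPS_OUT' >>$@.tmp
.for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64
	echo '!route -q delete -${inet} ${SRC_${sec}_${mode}_${ipv}}/${pfxlen}'\
	    >>$@.tmp
	echo '!route add -${inet} ${SRC_${sec}_${mode}_${ipv}}/${pfxlen}\
	    ${IPS_OUT_${ipv}}' >>$@.tmp
.endfor
.endfor
.endfor
	mv $@.tmp $@

${RT_SSH}/hostname.${RT_OUT_IF}: Makefile
	mkdir -p ${@:H}
	rm -f $@ $@.tmp
	echo '### regress ipsec $@' >$@.tmp
	echo '# RT_OUT' >>$@.tmp
.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64
	echo '${inet} alias ${RT_OUT_${ipv}} ${masklen}' >>$@.tmp
.endfor
.for sec in ESP AH IPIP IPCOMP BUNDLE
	echo '## IPS_${sec}' >>$@.tmp
.for mode in TUNNEL4 TUNNEL6
	echo '# ECO_${sec}_${mode}/pfxlen ECO_IN' >>$@.tmp
.for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64
	echo '!route -q delete -${inet}\
	    ${ECO_${sec}_${mode}_${ipv}}/${pfxlen}' >>$@.tmp
	echo '!route add -${inet} ${ECO_${sec}_${mode}_${ipv}}/${pfxlen}\
	    ${ECO_IN_${ipv}}' >>$@.tmp
.endfor
.endfor
.endfor
	mv $@.tmp $@

${ECO_SSH}/hostname.${ECO_IN_IF}: Makefile
	mkdir -p ${@:H}
	rm -f $@ $@.tmp
	echo '### regress ipsec $@' >$@.tmp
	echo '# ECO_IN' >>$@.tmp
.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64
	echo '${inet} alias ${ECO_IN_${ipv}} ${masklen}' >>$@.tmp
.endfor
.for host in IPS SRC
	echo '# ${host}_OUT/pfxlen RT_OUT' >>$@.tmp
.for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64
	echo '!route -q delete -${inet} ${${host}_OUT_${ipv}}/${pfxlen}'\
	    >>$@.tmp
	echo '!route add -${inet} ${${host}_OUT_${ipv}}/${pfxlen}\
	    ${RT_OUT_${ipv}}' >>$@.tmp
.endfor
.endfor
.for sec in ESP AH IPIP IPCOMP BUNDLE
	echo '## IPS_${sec}' >>$@.tmp
.for mode in TUNNEL4 TUNNEL6
	echo '# ECO_${sec}_${mode}' >>$@.tmp
.for inet ipv masklen in inet IPV4 255.255.255.0 inet6 IPV6 64
	echo '${inet} alias ${ECO_${sec}_${mode}_${ipv}} ${masklen}' >>$@.tmp
.endfor
.endfor
.for mode in TUNNEL
	echo '# SRC_${sec}_${mode}/pfxlen RT_OUT' >>$@.tmp
.for inet ipv pfxlen in inet IPV4 24 inet6 IPV6 64
	echo '!route -q delete -${inet}\
	    ${SRC_${sec}_${mode}_${ipv}}/${pfxlen}' >>$@.tmp
	echo '!route add -${inet} ${SRC_${sec}_${mode}_${ipv}}/${pfxlen}\
	    ${RT_OUT_${ipv}}' >>$@.tmp
.endfor
.endfor
.endfor
	mv $@.tmp $@

# Install the generated files.  The sed keeps everything above the
# "### regress" marker of the existing /etc/hostname.if, the generated
# part is appended from stdin, written to a .tmp file and moved into
# place, then netstart reconfigures just that interface.  umask 027
# keeps the 0640 mode hostname.if files require.  The remote hosts are
# reached as root over ssh, on SRC ${SUDO} is used instead.
stamp-hostname: etc/hostname.${SRC_OUT_IF} \
    ${IPS_SSH}/hostname.${IPS_IN_IF} ${IPS_SSH}/hostname.${IPS_OUT_IF} \
    ${RT_SSH}/hostname.${RT_IN_IF} ${RT_SSH}/hostname.${RT_OUT_IF} \
    ${ECO_SSH}/hostname.${ECO_IN_IF}
	${SUDO} sh -c "umask 027;\
	    { sed '/^### regress/,\$$d' /etc/hostname.${SRC_OUT_IF} &&\
	    cat; } >/etc/hostname.${SRC_OUT_IF}.tmp"\
	    <etc/hostname.${SRC_OUT_IF}
	${SUDO} sh -c "mv /etc/hostname.${SRC_OUT_IF}.tmp\
	    /etc/hostname.${SRC_OUT_IF} &&\
	    sh /etc/netstart ${SRC_OUT_IF}"
.for host dir in IPS IN IPS OUT RT IN RT OUT ECO IN
	ssh root@${${host}_SSH} "umask 027;\
	    { sed '/^### regress/,\$$d' /etc/hostname.${${host}_${dir}_IF} &&\
	    cat; } >/etc/hostname.${${host}_${dir}_IF}.tmp"\
	    <${${host}_SSH}/hostname.${${host}_${dir}_IF}
	ssh root@${${host}_SSH} "mv /etc/hostname.${${host}_${dir}_IF}.tmp\
	    /etc/hostname.${${host}_${dir}_IF} &&\
	    sh /etc/netstart ${${host}_${dir}_IF}"
.endfor
	date >$@

# Create inetd.conf files, copy them to the machines and start inetd.
# The tcp echo service listens on all addresses of the host, the udp
# echo services are bound to the individual test addresses only.  ECO
# has no TRANSP addresses, the empty() test skips those.

.for host in IPS ECO
${${host}_SSH}/inetd.conf: Makefile
	mkdir -p ${@:H}
	rm -f $@ $@.tmp
	echo '### regress ipsec $@' >$@.tmp
	echo echo stream tcp nowait root internal >>$@.tmp
	echo echo stream tcp6 nowait root internal >>$@.tmp
.for sec in ESP AH IPIP IPCOMP BUNDLE
.for mode in TRANSP TUNNEL4 TUNNEL6
.if ! empty(${host}_${sec}_${mode}_IPV4)
	echo '${${host}_${sec}_${mode}_IPV4}:echo'\
	    dgram udp wait root internal >>$@.tmp
	echo '[${${host}_${sec}_${mode}_IPV6}]:echo'\
	    dgram udp6 wait root internal >>$@.tmp
.endif
.endfor
.endfor
	mv $@.tmp $@
.endfor

# Same marker based splice as for hostname.if, then inetd is enabled
# and restarted so the new services are bound.
stamp-inetd: ${IPS_SSH}/inetd.conf ${ECO_SSH}/inetd.conf
.for host in IPS ECO
	ssh root@${${host}_SSH} "umask 022;\
	    { sed '/^### regress/,\$$d' /etc/inetd.conf && cat; }\
	    >/etc/inetd.conf.tmp" <${${host}_SSH}/inetd.conf
	ssh root@${${host}_SSH} "mv /etc/inetd.conf.tmp /etc/inetd.conf &&\
	    rcctl enable inetd && rcctl restart inetd"
.endfor
	date >$@

# Create rc.d/nonxt_reflect startup scripts,
# copy them to the remote machines,
# build remote nonxt-reflect binary,
# and start nonxt protocol 59 reflector daemons.
#
# The script is nonxt_reflect.sh prefixed with a local_addresses list
# of all defined test addresses of the host.  It is syntax checked with
# sh -n before it is made executable and installed.

.for host in IPS ECO
${${host}_SSH}/nonxt_reflect: nonxt_reflect.sh Makefile
	mkdir -p ${@:H}
	rm -f $@ $@.tmp
	echo '#!/bin/ksh' >$@.tmp
	echo '### regress ipsec $@' >>$@.tmp
	echo 'local_addresses="' >>$@.tmp
.for sec in ESP AH IPIP IPCOMP BUNDLE
.for mode in TRANSP TUNNEL4 TUNNEL6
.for ipv in IPV4 IPV6
.if ! empty(${host}_${sec}_${mode}_${ipv})
	echo '${${host}_${sec}_${mode}_${ipv}}' >>$@.tmp
.endif
.endfor
.endfor
.endfor
	echo '"' >>$@.tmp
	cat ${.CURDIR}/nonxt_reflect.sh >>$@.tmp
	sh -n $@.tmp
	chmod 755 $@.tmp
	mv $@.tmp $@
.endfor

# The remote build expects ${.CURDIR} to exist on IPS and ECO; the rc
# script is copied into /etc/rc.d as root and the daemon (re)started.
stamp-nonxt-reflect: ${IPS_SSH}/nonxt_reflect ${ECO_SSH}/nonxt_reflect \
    nonxt-reflect
.for host in IPS ECO
	ssh ${${host}_SSH} make -C ${.CURDIR} nonxt-reflect
	scp ${${host}_SSH}/nonxt_reflect root@${${host}_SSH}:/etc/rc.d/
	ssh root@${${host}_SSH}\
	    "rcctl enable nonxt_reflect && rcctl restart nonxt_reflect"
.endfor
	date >$@

# Check whether the address, route and remote setup is correct.

.PHONY: check-setup

check-setup: check-setup-src check-setup-ips check-setup-rt check-setup-eco

# On SRC every local address must answer a ping and be a LOCAL route,
# everything behind IPS must be routed via IPS_IN, and the tunnel nets
# of IPS and ECO must have STATIC routes.  The trailing shell comments
# name the variable being checked in the regress output.
check-setup-src:
	@echo '\n======== $@ ========'
.for ping inet ipv in ping inet IPV4 ping6 inet6 IPV6
.for host dir in SRC OUT SRC BUNDLE
	${ping} -n -c 1 ${${host}_${dir}_${ipv}}  # ${host}_${dir}_${ipv}
	route -n get -${inet} ${${host}_${dir}_${ipv}} |\
	    grep -q 'flags: .*LOCAL'  # ${host}_${dir}_${ipv}
.endfor
	${ping} -n -c 1 ${IPS_IN_${ipv}}  # IPS_IN_${ipv}
	${ping} -n -c 1 ${IPS_BUNDLE_${ipv}}  # IPS_BUNDLE_${ipv}
.for host dir in IPS OUT RT IN RT OUT ECO IN
	route -n get -${inet} ${${host}_${dir}_${ipv}} |\
	    fgrep -q 'gateway: ${IPS_IN_${ipv}}' \
	    # ${host}_${dir}_${ipv} IPS_IN_${ipv}
.endfor
.for sec in ESP AH IPIP IPCOMP BUNDLE
.for host mode in SRC TRANSP SRC TUNNEL
	${ping} -n -c 1 ${${host}_${sec}_${mode}_${ipv}} \
	    # ${host}_${sec}_${mode}_${ipv}
	route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\
	    grep -q 'flags: .*LOCAL'  # ${host}_${sec}_${mode}_${ipv}
.endfor
.for host mode in IPS TUNNEL4 IPS TUNNEL6 ECO TUNNEL4 ECO TUNNEL6
	route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\
	    grep -q 'flags: .*STATIC'  # ${host}_${sec}_${mode}_${ipv}
.endfor
.endfor
.endfor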
982.for sec in ESP AH IPIP IPCOMP BUNDLE 983 route -n get -inet ${IPS_${sec}_TRANSP_IPV4} |\ 984 egrep -q 'flags: .*(CLONING|CLONED)' # IPS_${sec}_TRANSP_IPV4 985 route -n get -inet6 ${IPS_${sec}_TRANSP_IPV6} |\ 986 fgrep -q 'gateway: ${IPS_IN_IPV6}' \ 987 # IPS_${sec}_TRANSP_IPV6 IPS_IN_IPV6 988.endfor 989 sysctl net.inet.esp.enable | fgrep =1 990 sysctl net.inet.ah.enable | fgrep =1 991 sysctl net.inet.ipip.allow | fgrep =1 992 sysctl net.inet.ipcomp.enable | fgrep =1 993 994check-setup-ips: 995 @echo '\n======== $@ ========' 996.for ping inet ip ipv in ping inet ip IPV4 ping6 inet6 ip6 IPV6 997.for host dir in IPS IN IPS OUT IPS BUNDLE 998 ssh ${IPS_SSH} ${ping} -n -c 1 ${${host}_${dir}_${ipv}} \ 999 # ${host}_${dir}_${ipv} 1000 ssh ${IPS_SSH} route -n get -${inet} ${${host}_${dir}_${ipv}} |\ 1001 grep -q 'flags: .*LOCAL' # ${host}_${dir}_${ipv} 1002.endfor 1003 ssh ${IPS_SSH} ${ping} -n -c 1 ${SRC_OUT_${ipv}} # SRC_OUT_${ipv} 1004 ssh ${IPS_SSH} ${ping} -n -c 1 ${SRC_BUNDLE_${ipv}} # SRC_BUNDLE_${ipv} 1005 ssh ${IPS_SSH} ${ping} -n -c 1 ${RT_IN_${ipv}} # RT_IN_${ipv} 1006.for host dir in RT OUT ECO IN 1007 ssh ${IPS_SSH} route -n get -${inet} ${${host}_${dir}_${ipv}} |\ 1008 fgrep -q 'gateway: ${RT_IN_${ipv}}' \ 1009 # ${host}_${dir}_${ipv} RT_IN_${ipv} 1010.endfor 1011.for sec in ESP AH IPIP IPCOMP BUNDLE 1012.for host mode in IPS TRANSP IPS TUNNEL4 IPS TUNNEL6 1013 ssh ${IPS_SSH} ${ping} -n -c 1 ${${host}_${sec}_${mode}_${ipv}} \ 1014 # ${host}_${sec}_${mode}_${ipv} 1015 ssh ${IPS_SSH} route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\ 1016 grep -q 'flags: .*LOCAL' # ${host}_${sec}_${mode}_${ipv} 1017.endfor 1018.for host mode in ECO TUNNEL4 ECO TUNNEL6 1019 ssh ${IPS_SSH} route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\ 1020 fgrep -q 'gateway: ${RT_IN_${ipv}}' \ 1021 # ${host}_${sec}_${mode}_${ipv} RT_IN_${ipv} 1022.endfor 1023.for host mode in SRC TUNNEL 1024 ssh ${IPS_SSH} route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\ 1025 grep 
-q 'flags: .*STATIC' # ${host}_${sec}_${mode}_${ipv} 1026.endfor 1027.for host mode in IPS TRANSP IPS TUNNEL4 IPS TUNNEL6 1028 ssh ${IPS_SSH} netstat -nav -f ${inet} -p udp |\ 1029 fgrep ' ${${host}_${sec}_${mode}_${ipv}}.7 ' \ 1030 # ${host}_${sec}_${mode}_${ipv} 1031 ssh ${IPS_SSH} netstat -nav -f ${inet} -p ${ip} |\ 1032 grep ' ${${host}_${sec}_${mode}_${ipv}}\.\* .* *59$$' \ 1033 # ${host}_${sec}_${mode}_${ipv} 1034.endfor 1035.endfor 1036 ssh ${ECO_SSH} netstat -na -f ${inet} -p tcp | fgrep ' *.7 ' 1037.endfor 1038.for sec in ESP AH IPIP IPCOMP BUNDLE 1039 ssh ${IPS_SSH} route -n get -inet ${SRC_${sec}_TRANSP_IPV4} |\ 1040 egrep -q 'flags: .*(CLONING|CLONED)' # SRC_${sec}_TRANSP_IPV4 1041 ssh ${IPS_SSH} route -n get -inet6 ${SRC_${sec}_TRANSP_IPV6} |\ 1042 fgrep -q 'gateway: ${SRC_OUT_IPV6}' \ 1043 # SRC_${sec}_TRANSP_IPV6 SRC_OUT_IPV6 1044.endfor 1045 ssh ${IPS_SSH} sysctl net.inet.esp.enable | fgrep =1 1046 ssh ${IPS_SSH} sysctl net.inet.ah.enable | fgrep =1 1047 ssh ${IPS_SSH} sysctl net.inet.ipip.allow | fgrep =1 1048 ssh ${IPS_SSH} sysctl net.inet.ipcomp.enable | fgrep =1 1049 ssh ${IPS_SSH} sysctl net.inet.ip.forwarding | fgrep =1 1050 ssh ${IPS_SSH} sysctl net.inet6.ip6.forwarding | fgrep =1 1051 ssh ${IPS_SSH} ${SUDO} pfctl -sr | grep '^anchor "regress" all$$' 1052 ssh ${IPS_SSH} ${SUDO} pfctl -si | grep '^Status: Enabled ' 1053 1054check-setup-rt: 1055 @echo '\n======== $@ ========' 1056.for ping inet ipv in ping inet IPV4 ping6 inet6 IPV6 1057.for host dir in RT IN RT OUT 1058 ssh ${RT_SSH} ${ping} -n -c 1 ${${host}_${dir}_${ipv}} \ 1059 # ${host}_${dir}_${ipv} 1060 ssh ${RT_SSH} route -n get -${inet} ${${host}_${dir}_${ipv}} |\ 1061 grep -q 'flags: .*LOCAL' # ${host}_${dir}_${ipv} 1062.endfor 1063 ssh ${RT_SSH} ${ping} -n -c 1 ${IPS_OUT_${ipv}} # IPS_OUT_${ipv} 1064.for host dir in IPS IN SRC OUT 1065 ssh ${RT_SSH} route -n get -${inet} ${${host}_${dir}_${ipv}} |\ 1066 fgrep -q 'gateway: ${IPS_OUT_${ipv}}' \ 1067 # ${host}_${dir}_${ipv} 
IPS_OUT_${ipv} 1068.endfor 1069 ssh ${RT_SSH} ${ping} -n -c 1 ${ECO_IN_${ipv}} # ECO_IN_${ipv} 1070.for sec in ESP AH IPIP IPCOMP BUNDLE 1071.for host mode in SRC TUNNEL 1072 ssh ${RT_SSH} route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\ 1073 fgrep -q 'gateway: ${IPS_OUT_${ipv}}' \ 1074 # ${host}_${sec}_${mode}_${ipv} IPS_OUT_${ipv} 1075.endfor 1076.for host mode in ECO TUNNEL4 ECO TUNNEL6 1077 ssh ${RT_SSH} route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\ 1078 fgrep -q 'gateway: ${ECO_IN_${ipv}}' \ 1079 # ${host}_${sec}_${mode}_${ipv} ECO_IN_${ipv} 1080.endfor 1081.endfor 1082.endfor 1083 ssh ${RT_SSH} sysctl net.inet.ip.forwarding | fgrep =1 1084 ssh ${RT_SSH} sysctl net.inet6.ip6.forwarding | fgrep =1 1085 1086check-setup-eco: 1087 @echo '\n======== $@ ========' 1088.for ping inet ip ipv in ping inet ip IPV4 ping6 inet6 ip6 IPV6 1089.for host dir in ECO IN 1090 ssh ${ECO_SSH} ${ping} -n -c 1 ${${host}_${dir}_${ipv}} \ 1091 # ${host}_${dir}_${ipv} 1092 ssh ${ECO_SSH} route -n get -${inet} ${${host}_${dir}_${ipv}} |\ 1093 grep -q 'flags: .*LOCAL' # ${host}_${dir}_${ipv} 1094.endfor 1095 ssh ${ECO_SSH} ${ping} -n -c 1 ${RT_OUT_${ipv}} # RT_OUT_${ipv} 1096.for host dir in RT IN IPS OUT IPS IN SRC OUT 1097 ssh ${ECO_SSH} route -n get -${inet} ${${host}_${dir}_${ipv}} |\ 1098 fgrep -q 'gateway: ${RT_OUT_${ipv}}' \ 1099 # ${host}_${dir}_${ipv} RT_OUT_${ipv} 1100.endfor 1101.for sec in ESP AH IPIP IPCOMP BUNDLE 1102.for host mode in ECO TUNNEL4 ECO TUNNEL6 1103 ssh ${ECO_SSH} ${ping} -n -c 1 ${${host}_${sec}_${mode}_${ipv}} \ 1104 # ${host}_${sec}_${mode}_${ipv} 1105 ssh ${ECO_SSH} route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\ 1106 grep -q 'flags: .*LOCAL' # ${host}_${sec}_${mode}_${ipv} 1107.endfor 1108.for host mode in SRC TUNNEL 1109 ssh ${ECO_SSH} route -n get -${inet} ${${host}_${sec}_${mode}_${ipv}} |\ 1110 fgrep -q 'gateway: ${RT_OUT_${ipv}}' \ 1111 # ${host}_${sec}_${mode}_${ipv} RT_OUT_${ipv} 1112.endfor 1113.for host mode in ECO 
TUNNEL4 ECO TUNNEL6 1114 ssh ${ECO_SSH} netstat -nav -f ${inet} -p udp |\ 1115 fgrep ' ${${host}_${sec}_${mode}_${ipv}}.7 ' \ 1116 # ${host}_${sec}_${mode}_${ipv} 1117 ssh ${ECO_SSH} netstat -nav -f ${inet} -p ${ip} |\ 1118 grep ' ${${host}_${sec}_${mode}_${ipv}}\.\* .* *59$$' \ 1119 # ${host}_${sec}_${mode}_${ipv} 1120.endfor 1121.endfor 1122 ssh ${ECO_SSH} netstat -na -f ${inet} -p tcp | fgrep ' *.7 ' 1123.endfor 1124 ssh ${ECO_SSH} sysctl net.inet.ip.forwarding | fgrep =1 1125 ssh ${ECO_SSH} sysctl net.inet6.ip6.forwarding | fgrep =1 1126 1127.include <bsd.regress.mk> 1128