authorAlexander Bluhm <bluhm@cvs.openbsd.org>2017-05-12 00:09:18 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2017-05-12 00:09:18 +0000
commit5daf49fc6508d787eee6b3a179e2ade8f902444f (patch)
tree459940b4b462037707af49ab7dd2967f700a55bf
parent907e6caad731b0673cfe638a080b828bf7250be6 (diff)
Run all IPsec tests with a pf rule that logs everything on the enc0
interface. Use tcpdump to write the pflog0 output into a file. Then grep can verify that all encrypted packets have been processed by pf.
-rw-r--r--regress/sys/netinet/ipsec/Makefile65
-rw-r--r--regress/sys/netinet/ipsec/README16
-rw-r--r--regress/sys/netinet/ipsec/pf.conf3
3 files changed, 69 insertions, 15 deletions
diff --git a/regress/sys/netinet/ipsec/Makefile b/regress/sys/netinet/ipsec/Makefile
index 91a7f67c6e1..1df7fea5e79 100644
--- a/regress/sys/netinet/ipsec/Makefile
+++ b/regress/sys/netinet/ipsec/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.12 2017/05/11 12:18:37 bluhm Exp $
+# $OpenBSD: Makefile,v 1.13 2017/05/12 00:09:17 bluhm Exp $
# This test needs a manual setup of four machines, the make
# target create-setup can be used distribute the configuration.
@@ -164,13 +164,14 @@ regress:
@echo
${SUDO} true
ssh -t ${IPS_SSH} ${SUDO} true
- rm -f stamp-ipsec stamp-bpf stamp-stop
+ rm -f stamp-ipsec stamp-pfctl stamp-bpf stamp-pflog stamp-stop
.endif
depend: addr.py
# Create python include file containing the addresses.
addr.py: Makefile
+ @echo '\n======== $@ ========'
rm -f $@ $@.tmp
.for host in SRC IPS RT ECO
.for dir in IN OUT BUNDLE
@@ -202,23 +203,52 @@ stamp-ipsec: addr.py ipsec.conf
-f - -D FROM=to -D TO=from -D LOCAL=peer -D PEER=local
@date >$@
+# load a pf log enc0 pass any rule into the kernel of the IPS machine
+stamp-pfctl: addr.py pf.conf
+ @echo '\n======== $@ ========'
+ cat addr.py ${.CURDIR}/pf.conf | pfctl -n -f -
+ cat addr.py ${.CURDIR}/pf.conf | \
+ ssh ${IPS_SSH} ${SUDO} pfctl -a regress -f -
+ @date >$@
+
DUMPCMD= tcpdump -l -e -vvv -s 2048 -ni
# run tcpdump on enc device of IPS machine
stamp-bpf: Makefile
@echo '\n======== $@ ========'
rm -f enc0.tcpdump
- -ssh ${IPS_SSH} ${SUDO} pkill -f "'${DUMPCMD}' enc0" || true
+ -ssh ${IPS_SSH} ${SUDO} pkill -f "'${DUMPCMD} enc0'" || true
ssh ${IPS_SSH} ${SUDO} ${DUMPCMD} enc0 >enc0.tcpdump &
sleep 5 # XXX
rm -f stamp-stop
@date >$@
+# run tcpdump on pflog device of IPS machine
+stamp-pflog: stamp-pfctl
+ @echo '\n======== $@ ========'
+ rm -f pflog0.tcpdump
+ -ssh ${IPS_SSH} ${SUDO} pkill -f "'${DUMPCMD} pflog0'" || true
+ ssh ${IPS_SSH} ${SUDO} ${DUMPCMD} pflog0 >pflog0.tcpdump &
+ sleep 5 # XXX
+ rm -f stamp-stop
+ @date >$@
+
stamp-stop:
@echo '\n======== $@ ========'
-ssh ${IPS_SSH} ${SUDO} pkill -f "'${DUMPCMD}'"
@date >$@
+# Disable tests that do not pass.
+
+run-regress-pflog-ping-IPS_AH_TRANSP_IPV6 \
+ run-regress-pflog-udp-IPS_AH_TRANSP_IPV6 \
+ run-regress-pflog-tcp-IPS_AH_TRANSP_IPV6:
+ @echo '\n======== $@ ========'
+ @echo IPv6 AH packets are treated as their payload protocol by pf.
+ @echo So they match the floating state on the physical interface
+ @echo and are not logged by the enc0 pf rule.
+ @echo DISABLED
+
# Ping all addresses. This ensures that the IP addresses are configured
# and all routing table are set up to allow bidirectional packet flow.
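Review bot: stamp-pfctl loads `pass log (all) on enc0` into the regress anchor on the IPS host, but nothing in this diff ever flushes it again — stamp-stop only kills the tcpdump processes — so the pass-any rule stays in the IPS kernel after the run. If that is intended (check-setup-ips already requires the anchor to exist), the comment above stamp-pfctl should say the rule persists between runs; otherwise add `ssh ${IPS_SSH} ${SUDO} pfctl -a regress -F rules` to stamp-stop after the pkill. In stamp-pflog the background `ssh ... ${DUMPCMD} pflog0 >pflog0.tcpdump &` cannot fail visibly and the `sleep 5 # XXX` is the only synchronisation, so a tcpdump that never attached (no pflog0 interface, a sudo problem) only surfaces much later as a grep -q failure on an empty file; a `ssh ${IPS_SSH} ifconfig pflog0 >/dev/null` before the capture is started would fail the stamp at the right place. The `-` recipe prefix and the trailing `|| true` on the pkill lines both discard the exit status; one of them is enough.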
@@ -356,7 +386,7 @@ REGEX_RPL_UDP= .* udp
REGEX_RPL_TCP= S .* ack
.for host in IPS ECO
-.for sec in ESP AH IPCOMP BUNDLE
+.for sec in ESP AH IPIP IPCOMP BUNDLE
.for mode in TRANSP TUNNEL4 TUNNEL6
.for ipv in IPV4 IPV6
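Review bot: IPIP is added to the sec loop, yet both target lists in REGRESS_TARGETS further down in this diff filter `*_IPIP_*`, so the run-regress-bpf-/pflog- IPIP targets this loop now generates are never run by default, and the `REGEX_IPIP` that the bpf grep expands is not visible here (BSD make would silently expand an undefined one to nothing). If the IPIP targets are meant for manual invocation only, or REGEX_IPIP is defined elsewhere in the Makefile, a comment such as `# IPIP targets are generated but filtered out of REGRESS_TARGETS` next to the loop would make that explicit. The .for nest continues past the end of this hunk.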
@@ -379,11 +409,9 @@ REGEX_RPL_${host}_${sec}_${mode}_${ipv}_TCP=\
${REGEX_RPL_${host}_${sec}_${mode}_${ipv}_UDP}
.for proto in PING UDP TCP
+
run-regress-bpf-${proto:L}-${host}_${sec}_${mode}_${ipv}: stamp-stop
@echo '\n======== $@ ========'
-.if "${sec}" == IPCOMP && "${sec}" != PING
- @echo packet too small to be compressed
-.else
grep -q '\
${REGEX_${sec}}\
${REGEX_REQ_${mode}}\
@@ -394,17 +422,30 @@ run-regress-bpf-${proto:L}-${host}_${sec}_${mode}_${ipv}: stamp-stop
${REGEX_RPL_${mode}}\
${REGEX_RPL_${host}_${sec}_${mode}_${ipv}_${proto}}\
${REGEX_RPL_${proto}} ' enc0.tcpdump
-.endif
-.endfor
+run-regress-pflog-${proto:L}-${host}_${sec}_${mode}_${ipv}: stamp-stop
+ @echo '\n======== $@ ========'
+ grep -q '\
+ rule .*regress.0/(match) .*\
+ pass in on enc0: .*\
+ ${REGEX_REQ_${host}_${sec}_${mode}_${ipv}_${proto}}\
+ ${REGEX_REQ_${proto}} ' pflog0.tcpdump
+ grep -q '\
+ rule .*/(match) .*\
+ pass out on enc0: .*\
+ ${REGEX_RPL_${host}_${sec}_${mode}_${ipv}_${proto}}\
+ ${REGEX_RPL_${proto}} ' pflog0.tcpdump
+
+.endfor
.endfor
.endfor
.endfor
.endfor
REGRESS_TARGETS = ${TARGETS:S/^/run-regress-send-/} \
- ${TARGETS:N*_IPIP_*:N*_BUNDLE_*:N*_IN_*:N*_OUT_*:N*-SRC_*:N*-small-*:S/^/run-regress-bpf-/:S/-big-/-/}
-${REGRESS_TARGETS:Mrun-regress-send-*}: stamp-ipsec stamp-bpf
+ ${TARGETS:N*_IPIP_*:N*_BUNDLE_*:N*_IN_*:N*_OUT_*:N*-SRC_*:Nudp-*_IPCOMP_*:Ntcp-*_IPCOMP_*:N*-small-*:S/-big-/-/:S/^/run-regress-bpf-/} \
+ ${TARGETS:N*_IPIP_*:N*_IPCOMP_*:N*_IN_*:N*_OUT_*:N*-SRC_*:N*-small-*:S/-big-/-/:S/^/run-regress-pflog-/}
+${REGRESS_TARGETS:Mrun-regress-send-*}: stamp-ipsec stamp-bpf stamp-pflog
CLEANFILES += addr.py *.pyc *.log stamp-* */hostname.* *.{in,out} *.tcdump
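Review bot: The second grep in run-regress-pflog-* matches `rule .*/(match) .*pass out on enc0` without the `regress` anchor name that the first grep insists on, so a logging pass-out rule anywhere in the IPS main ruleset would satisfy the reply check. If pflog prints a different rule reference for the reply direction and the anchor name therefore cannot be matched, a comment above the second grep saying so would make the asymmetry deliberate; otherwise use the same `rule .*regress.0/(match)` prefix in both. Separately, the context line `CLEANFILES += ... *.tcdump` is a typo for `*.tcpdump`, so `make clean` leaves enc0.tcpdump and the new pflog0.tcpdump behind; the `rm -f` in the stamp-bpf and stamp-pflog recipes hides this within a run but not between runs.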
@@ -741,6 +782,8 @@ check-setup-ips:
ssh ${IPS_SSH} sysctl net.inet.ah.enable | fgrep =1
ssh ${IPS_SSH} sysctl net.inet.ipip.allow | fgrep =1
ssh ${IPS_SSH} sysctl net.inet.ipcomp.enable | fgrep =1
+ ssh ${PF_SSH} ${SUDO} pfctl -sr | grep '^anchor "regress" all$$'
+ ssh ${PF_SSH} ${SUDO} pfctl -si | grep '^Status: Enabled '
check-setup-rt:
@echo '\n======== $@ ========'
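Review bot: The two new checks use `${PF_SSH}` while every other line of check-setup-ips, and the pfctl load in stamp-pfctl, use `${IPS_SSH}`; unless PF_SSH is defined elsewhere in the Makefile to name the IPS host, BSD make expands it to nothing and the check runs ssh against an empty host name, or worse, inspects the pf of a different machine than the one the regress rule is loaded into. Change both lines to `ssh ${IPS_SSH} ${SUDO} pfctl -sr | grep '^anchor "regress" all$$'` and `ssh ${IPS_SSH} ${SUDO} pfctl -si | grep '^Status: Enabled '`. Since stamp-pflog attaches tcpdump to pflog0, this is also the place to verify that interface exists, e.g. `ssh ${IPS_SSH} ifconfig pflog0 >/dev/null`.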
diff --git a/regress/sys/netinet/ipsec/README b/regress/sys/netinet/ipsec/README
index bece1a95824..9c004332e68 100644
--- a/regress/sys/netinet/ipsec/README
+++ b/regress/sys/netinet/ipsec/README
@@ -4,13 +4,21 @@ or forward it after decryption. By reflecting the packets, the way
back is also tested. When the response is received at the generating
machine, the test is considered successful.
-Currently ICMP ping, UDP and TCP packets are protected with ESP and AH.
+Currently ICMP ping, UDP, TCP packets are protected with ESP and
+AH. Also IPIP encapsulation and IP compression flows are tested.
Transport and tunnel mode are tested with all combinations of IPv4
-and IPv6.
+and IPv6. SA bundles that do IPComp, ESP, AH with a single flow
+are tested with all combinations of encapsulation mode, and both
+ip versions, and the ip protocols ping, UDP, TCP. Small and big
+ping packets are used, as IPComp skips small packets.
-The BPF output of the enc0 interface is checked.
+The netstat -s counters are checked to ensure that encrypted packets
+are processed in both ways.
+
+The BPF output of the enc0 and pflog0 interface is checked. This
+ensures that all IPsec packets are passed to bpf and pf.
TODO:
-BPF output of pflog0 should be checked.
Tests for fragments and path MTU discovery are planned.
Test TCP MD5 signatures.
+Test NAT-Traversal over UDP.
diff --git a/regress/sys/netinet/ipsec/pf.conf b/regress/sys/netinet/ipsec/pf.conf
new file mode 100644
index 00000000000..f2fea4b858b
--- /dev/null
+++ b/regress/sys/netinet/ipsec/pf.conf
@@ -0,0 +1,3 @@
+# pf on IPS must have this rule in the regress anchor
+
+pass log ( all ) on enc0
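Review bot: The rule has no `quick`, no direction and no address or protocol restriction, and the comment only says where it must live; with pf's last-match semantics any later rule in the IPS main ruleset that also matches enc0 traffic replaces this one as the logged rule, and the pflog greps in the Makefile then fail with no obvious cause. A comment stating the intent would help the next reader: `# Loaded by the Makefile via "pfctl -a regress -f -". log (all) logs every packet of the state, not only the first, so replies on enc0 reach pflog0 too; keep this the last matching rule for enc0 in the main ruleset.` It is a pass-any rule on the decrypted side, which is fine on a dedicated regress host but should not be copied onto a box that relies on pf to filter IPsec traffic.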