author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2017-02-08 17:59:00 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2017-02-08 17:59:00 +0000 |
commit | 48b54bcc0d4893b10741670656ea0896c172cedf (patch) | |
tree | 2b36300ea3f5dfdd4ce4182668f722f3af720316 /regress/sys/netinet | |
parent | 8b0e6372258ecf4a5ec63ec595d42ef623a66a53 (diff) |
Encrypt UDP and TCP packets in test. Use a sane transport config.
Diffstat (limited to 'regress/sys/netinet')
-rw-r--r-- | regress/sys/netinet/ipsec/Makefile | 41 | ||||
-rw-r--r-- | regress/sys/netinet/ipsec/README | 9 | ||||
-rw-r--r-- | regress/sys/netinet/ipsec/ipsec.conf | 6 |
3 files changed, 49 insertions, 7 deletions
diff --git a/regress/sys/netinet/ipsec/Makefile b/regress/sys/netinet/ipsec/Makefile
index 1c967f44106..c45b7510cf9 100644
--- a/regress/sys/netinet/ipsec/Makefile
+++ b/regress/sys/netinet/ipsec/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.2 2017/02/06 22:58:51 bluhm Exp $
+# $OpenBSD: Makefile,v 1.3 2017/02/08 17:58:59 bluhm Exp $
 # This test needs a manual setup of four machines, the make
 # target create-setup can be used distribute the configuration.
@@ -72,6 +72,7 @@ ECO_TUNNEL6_IPV6 ?= ${PREFIX_IPV6}f::72
 # setup. To control the remote machine you need a hostname for
 # ssh to log in.
 #
+# IPS and ECO need inetd echo service on TRANSP and TUNNEL addresses.
 # Run make create-setup to copy hostname.if files to the machines
 # Run make check-setup to see if you got the setup correct.
@@ -144,6 +145,11 @@ run-regress-ping-IPS_TRANSP_IPV6:
 @echo 'request does not create state and echo reply does not pass pf.'
 @echo DISABLED
+run-regress-tcp-IPS_TRANSP_IPV6:
+ @echo '\n======== $@ ========'
+ @echo 'IPv6 IPsec input does not filter enc0 interface with pf. TCP'
+ @echo 'SYN does not create state and SYN+ACK does not pass pf.'
+ @echo DISABLED
 .for host dir in SRC OUT SRC TRANSP SRC TUNNEL \
 IPS IN IPS OUT IPS TRANSP IPS TUNNEL4 IPS TUNNEL6 \
@@ -163,6 +169,29 @@ run-regress-ping-${host}_${dir}_${ipv}:
 .endfor
 .endfor
+.for host dir in IPS TRANSP IPS TUNNEL4 IPS TUNNEL6 \
+ ECO TUNNEL4 ECO TUNNEL6
+.for ipv in IPV4 IPV6
+TARGETS += udp-${host}_${dir}_${ipv}
+run-regress-udp-${host}_${dir}_${ipv}:
+ @echo '\n======== $@ ========'
+ netstat -s -p esp | awk '/input ESP /{print $$1}' >esp.in
+ netstat -s -p esp | awk '/output ESP /{print $$1}' >esp.out
+ echo $$$$ | nc -n -u -w 1 ${${host}_${dir}_${ipv}} 7 | fgrep $$$$
+ netstat -s -p esp | awk '/input ESP /{print $$1-1}' | diff esp.in -
+ netstat -s -p esp | awk '/output ESP /{print $$1-1}' | diff esp.out -
+
+TARGETS += tcp-${host}_${dir}_${ipv}
+run-regress-tcp-${host}_${dir}_${ipv}:
+ @echo '\n======== $@ ========'
+ netstat -s -p esp | awk '/input ESP /{print $$1}' >esp.in
+ netstat -s -p esp | awk '/output ESP /{print $$1}' >esp.out
+ echo $$$$ | nc -n -N -w 3 ${${host}_${dir}_${ipv}} 7 | fgrep $$$$
+ netstat -s -p esp | awk '/input ESP /{print $$1-4}' | diff esp.in -
+ netstat -s -p esp | awk '/output ESP /{print $$1-6}' | diff esp.out -
+.endfor
+.endfor
+
 REGRESS_TARGETS = ${TARGETS:S/^/run-regress-/}
 ${REGRESS_TARGETS}: stamp-ipsec
@@ -397,6 +426,11 @@ check-setup-ips:
 ssh ${IPS_SSH} route -n get -${inet} ${${host}_${dir}_${ipv}} |\
 grep -q 'flags: .*REJECT' # ${host}_${dir}_${ipv}
 .endfor
+.for host dir in IPS TRANSP IPS TUNNEL4 IPS TUNNEL6
+ ssh ${IPS_SSH} netstat -nav -f ${inet} -p udp |\
+ fgrep ' ${${host}_${dir}_${ipv}}.7 ' # ${host}_${dir}_${ipv}
+.endfor
+ ssh ${ECO_SSH} netstat -na -f ${inet} -p tcp | fgrep ' *.7 '
 .endfor
 ssh ${IPS_SSH} route -n get -inet ${SRC_TRANSP_IPV4} |\
 egrep -q 'flags: .*(CLONING|CLONED)' # SRC_TRANSP_IPV4
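Review bot: The expected ESP deltas in the new udp and tcp targets (`$$1-1`, `$$1-4`, `$$1-6`) are read from the host-global `netstat -s -p esp` counters with no comment saying which packets they account for, so any other ESP traffic on SRC between the two snapshots (a parallel regress run, a rekey, a keepalive) makes the `diff` fail with no hint why, and the TCP figures depend on how the stack and `nc -N` pace ACK and FIN segments. A comment above each pair of checks would make a failure diagnosable, e.g. `# UDP: exactly one echo request out and one reply in, both ESP-encrypted` and for TCP a line saying how the 6 outgoing and 4 incoming segments are expected to break down — I infer that split rather than read it from the hunk, so it should be confirmed against a capture on enc0 before being written down. If the file expects targets to run in parallel, a note in the header that these counter-based checks need an otherwise idle SRC is also worth adding.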
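Review bot: The last added line of the check-setup-ips hunk runs `ssh ${ECO_SSH} netstat -na -f ${inet} -p tcp | fgrep ' *.7 '`, so the TCP echo listener on IPS is never verified while ECO's is checked here and again in check-setup-eco. The udp check two lines above uses `${IPS_SSH}` and the new run-regress-tcp-IPS_* targets connect to IPS addresses, so this looks like a copy-paste slip; the line should read `ssh ${IPS_SSH} netstat -na -f ${inet} -p tcp | fgrep ' *.7 '`. The check-setup-ips recipe begins before this hunk, so I cannot see whether an earlier line already covers it.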
@@ -442,6 +476,11 @@ check-setup-eco:
 fgrep -q 'gateway: ${RT_OUT_${ipv}}' \
 # ${host}_${dir}_${ipv} RT_OUT_${ipv}
 .endfor
+.for host dir in ECO TUNNEL4 ECO TUNNEL6
+ ssh ${ECO_SSH} netstat -nav -f ${inet} -p udp |\
+ fgrep ' ${${host}_${dir}_${ipv}}.7 ' # ${host}_${dir}_${ipv}
+.endfor
+ ssh ${ECO_SSH} netstat -na -f ${inet} -p tcp | fgrep ' *.7 '
 .endfor
 .include <bsd.regress.mk>
diff --git a/regress/sys/netinet/ipsec/README b/regress/sys/netinet/ipsec/README
index e35505f2177..55bed875dea 100644
--- a/regress/sys/netinet/ipsec/README
+++ b/regress/sys/netinet/ipsec/README
@@ -4,7 +4,10 @@ or forward it after decryption. By reflecting the packets, the way
 back is also tested. When the response is received at the generating
 machine, the test is considered successful.
-Currently only ICMP ping packets are encrypted with ESP. Transport
-and tunnel mode are tested with all combinations of IPv4 and IPv6.
+Currently ICMP ping, UDP and TCP packets are encrypted with ESP.
+Transport and tunnel mode are tested with all combinations of IPv4
+and IPv6.
-Tests for UDP, TCP and path MTU discovery are planned.
+TODO:
+Tests for AH/IPCOMP/IPIP and path MTU discovery are planned.
+BPF output of enc0 and pflog0 should be checked.
diff --git a/regress/sys/netinet/ipsec/ipsec.conf b/regress/sys/netinet/ipsec/ipsec.conf
index da7463e3291..1c0eaf082a8 100644
--- a/regress/sys/netinet/ipsec/ipsec.conf
+++ b/regress/sys/netinet/ipsec/ipsec.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: ipsec.conf,v 1.1 2017/02/06 21:54:05 bluhm Exp $
+# $OpenBSD: ipsec.conf,v 1.2 2017/02/08 17:58:59 bluhm Exp $
 ### regress ipsec ipsec.conf
 # Install symmetric config by exchanging local and peer keywords.
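Review bot: The two new checks in check-setup-eco verify different things without saying why: the udp loop insists on a socket bound to each TUNNEL address (`fgrep ' ${${host}_${dir}_${ipv}}.7 '`), while the tcp check accepts only a wildcard listener (`fgrep ' *.7 '`), so an inetd that binds TCP echo per address — which is what the new header comment "echo service on TRANSP and TUNNEL addresses" invites — would fail check-setup despite working. A one-line comment would settle what the setup is expected to look like, e.g. `# UDP echo must be bound per address so replies leave from the address the request hit; a wildcard TCP listener is enough because the connection fixes the source address` — the reason is my inference, not something the hunk shows, so confirm it before committing the wording. If per-address TCP listeners are also acceptable, the tcp line could move inside the loop and match the same address pattern as the udp one.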
@@ -10,11 +10,11 @@ PEER="peer"
 # TRANSP
 flow esp \
- $FROM $SRC_TRANSP_IPV4/24 $TO $IPS_TRANSP_IPV4/24 \
+ $FROM $SRC_TRANSP_IPV4 $TO $IPS_TRANSP_IPV4 \
 $LOCAL $SRC_TRANSP_IPV4 $PEER $IPS_TRANSP_IPV4 \
 type dontacq
 flow esp \
- $FROM $SRC_TRANSP_IPV6/64 $TO $IPS_TRANSP_IPV6/64 \
+ $FROM $SRC_TRANSP_IPV6 $TO $IPS_TRANSP_IPV6 \
 $LOCAL $SRC_TRANSP_IPV6 $PEER $IPS_TRANSP_IPV6 \
 type dontacq |
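Review bot: The TRANSP flows now use host selectors instead of /24 and /64 networks, but the only comment is the bare `# TRANSP`, so the next person tuning this file has nothing stopping them from widening the selectors again. A short comment above the first flow would carry the reason the commit message only hints at ("sane transport config"), e.g. `# Transport mode SAs only carry traffic between the two SA endpoints, so the flow selectors must be the hosts themselves, not their networks` — that is the usual IPsec rule rather than something the hunk states, so word it as you see fit. The matching `type dontacq` on both flows presumes the transport SAs are installed elsewhere in this file, which is outside the hunk.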