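#
# SPDX-License-Identifier: BSD-2-Clause
#
# Copyright (c) 2021 The FreeBSD Foundation
#
# This software was developed by Mark Johnston under sponsorship
# from the FreeBSD Foundation.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

# Pull in the shared vnet/jail helpers used by the test bodies below
# (vnet_init, vnet_mkepair, vnet_mkjail, vnet_cleanup).  The path is quoted
# so a source directory containing whitespace cannot be word-split.
. "$(atf_get_srcdir)/../common/vnet.subr"
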
atf_test_case "wg_basic" "cleanup"
wg_basic_head()
{
	# Two vnet jails joined by an epair, one wg(4) endpoint in each.
	atf_set descr 'Create a wg(4) tunnel over an epair and pass traffic between jails'
	# Jail and interface creation needs root; if_wg must be loadable.
	atf_set require.kmods if_wg
	atf_set require.user root
}

wg_basic_body()
{
	local epair wgif1 wgif2 privkey1 privkey2 pubkey1 pubkey2
	local ep1 ep2 tun1 tun2

	# Addresses on the underlying epair (the outer network) ...
	ep1=192.168.2.1
	ep2=192.168.2.2
	# ... and on the wg(4) interfaces inside the tunnel.
	tun1=169.254.0.1
	tun2=169.254.0.2

	privkey1=$(wg genkey)
	privkey2=$(wg genkey)

	epair=$(vnet_mkepair)
	vnet_init
	vnet_mkjail wgtest1 "${epair}a"
	vnet_mkjail wgtest2 "${epair}b"
	jexec wgtest1 ifconfig "${epair}a" "${ep1}/24" up
	jexec wgtest2 ifconfig "${epair}b" "${ep2}/24" up

	# One wg(4) interface per jail.  The private key is handed to wg(8)
	# over stdin rather than as a command-line argument.
	wgif1=$(jexec wgtest1 ifconfig wg create)
	printf '%s\n' "$privkey1" | jexec wgtest1 wg set "$wgif1" \
	    listen-port 12345 private-key /dev/stdin
	pubkey1=$(jexec wgtest1 wg show "$wgif1" public-key)
	wgif2=$(jexec wgtest2 ifconfig wg create)
	printf '%s\n' "$privkey2" | jexec wgtest2 wg set "$wgif2" \
	    listen-port 12345 private-key /dev/stdin
	pubkey2=$(jexec wgtest2 wg show "$wgif2" public-key)

	# Each side learns the other's public key, endpoint and allowed-ips,
	# then gets its tunnel address.
	atf_check -s exit:0 -o ignore \
	    jexec wgtest1 wg set "$wgif1" peer "$pubkey2" \
	    endpoint "${ep2}:12345" allowed-ips "${tun2}/32"
	atf_check -s exit:0 \
	    jexec wgtest1 ifconfig "$wgif1" inet "${tun1}/24" up

	atf_check -s exit:0 -o ignore \
	    jexec wgtest2 wg set "$wgif2" peer "$pubkey1" \
	    endpoint "${ep1}:12345" allowed-ips "${tun1}/32"
	atf_check -s exit:0 \
	    jexec wgtest2 ifconfig "$wgif2" inet "${tun2}/24" up

	# Generous timeout since the handshake takes some time.
	atf_check -s exit:0 -o ignore jexec wgtest1 ping -c 1 -t 5 "$tun2"
	atf_check -s exit:0 -o ignore jexec wgtest2 ping -c 1 "$tun1"
}

wg_basic_cleanup()
{
	# Remove the jails and epair created by the body.
	vnet_cleanup
}

atf_test_case "wg_basic_crossaf" "cleanup"
wg_basic_crossaf_head()
{
	# IPv6-numbered tunnel carrying routed IPv4 traffic.  The body loads
	# if_wg itself and skips if it cannot.
	atf_set require.user root
	atf_set descr 'Create a wg(4) tunnel and pass IPv4 traffic over an IPv6 nexthop'
}

wg_basic_crossaf_body()
{
	local epair wgif1 wgif2 privkey1 privkey2 pubkey1 pubkey2
	local ep1 ep2 tun1 tun2
	local testnet testlocal testremote

	kldload -n if_wg || atf_skip "This test requires if_wg and could not load it"

	# The epair is numbered with IPv4, the tunnel itself with IPv6, and an
	# IPv4 test network is then routed across the tunnel.
	ep1=192.168.2.1
	ep2=192.168.2.2
	tun1=2001:db8:1::1
	tun2=2001:db8:1::2
	testnet=192.168.3.0/24
	testlocal=192.168.3.1
	testremote=192.168.3.2

	privkey1=$(wg genkey)
	privkey2=$(wg genkey)

	epair=$(vnet_mkepair)
	vnet_init
	vnet_mkjail wgtest1 "${epair}a"
	vnet_mkjail wgtest2 "${epair}b"
	jexec wgtest1 ifconfig "${epair}a" "${ep1}/24" up
	jexec wgtest2 ifconfig "${epair}b" "${ep2}/24" up

	# Private keys go to wg(8) over stdin, not on the command line.
	wgif1=$(jexec wgtest1 ifconfig wg create)
	printf '%s\n' "$privkey1" | jexec wgtest1 wg set "$wgif1" \
	    listen-port 12345 private-key /dev/stdin
	pubkey1=$(jexec wgtest1 wg show "$wgif1" public-key)
	wgif2=$(jexec wgtest2 ifconfig wg create)
	printf '%s\n' "$privkey2" | jexec wgtest2 wg set "$wgif2" \
	    listen-port 12345 private-key /dev/stdin
	pubkey2=$(jexec wgtest2 wg show "$wgif2" public-key)

	# Each peer's allowed-ips cover its tunnel address plus the IPv4 test
	# network that will be routed through it.
	atf_check -s exit:0 -o ignore \
	    jexec wgtest1 wg set "$wgif1" peer "$pubkey2" \
	    endpoint "${ep2}:12345" allowed-ips "${tun2}/128,${testnet}"
	atf_check -s exit:0 \
	    jexec wgtest1 ifconfig "$wgif1" inet6 "${tun1}/64" up

	atf_check -s exit:0 -o ignore \
	    jexec wgtest2 wg set "$wgif2" peer "$pubkey1" \
	    endpoint "${ep1}:12345" allowed-ips "${tun1}/128,${testnet}"
	atf_check -s exit:0 \
	    jexec wgtest2 ifconfig "$wgif2" inet6 "${tun2}/64" up

	atf_check -s exit:0 jexec wgtest1 ifconfig "$wgif1" inet "${testlocal}/32"
	atf_check -s exit:0 jexec wgtest2 ifconfig "$wgif2" inet "${testremote}/32"

	# Generous timeout since the handshake takes some time.
	atf_check -s exit:0 -o ignore jexec wgtest1 ping -c 1 -t 5 "$tun2"

	# Route the IPv4 test network via the IPv6 tunnel address on each side.
	atf_check -s exit:0 -o ignore \
	    jexec wgtest1 route add -inet "$testnet" -inet6 "$tun2"
	atf_check -s exit:0 -o ignore \
	    jexec wgtest2 route add -inet "$testnet" -inet6 "$tun1"
	# Now ping an address on the other side.
	atf_check -s exit:0 -o ignore jexec wgtest1 ping -c 1 -t 3 "$testremote"
}

wg_basic_crossaf_cleanup()
{
	# Remove the jails and epair created by the body.
	vnet_cleanup
}

atf_test_case "wg_basic_netmap" "cleanup"
wg_basic_netmap_head()
{
	# Same topology as wg_basic, but with a netmap bridge attached to
	# one wg(4) interface; needs both if_wg and netmap.
	atf_set require.kmods if_wg netmap
	atf_set require.user root
	atf_set descr 'Create a wg(4) tunnel over an epair and pass traffic between jails with netmap'
}
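
wg_basic_netmap_body()
{
	local epair pri1 pri2 pub1 pub2 wg1 wg2
	local endpoint1 endpoint2 tunnel1 tunnel2 tunnel3 tunnel4
	local pid status

	pri1=$(wg genkey)
	pri2=$(wg genkey)

	endpoint1=192.168.2.1
	endpoint2=192.168.2.2
	# tunnel1/tunnel2 are configured on the wg interfaces; tunnel3/tunnel4
	# are only listed in allowed-ips and never configured, so pings to them
	# are expected to fail.
	tunnel1=192.168.3.1
	tunnel2=192.168.3.2
	tunnel3=192.168.3.3
	tunnel4=192.168.3.4

	epair=$(vnet_mkepair)

	vnet_init

	vnet_mkjail wgtest1 "${epair}a"
	vnet_mkjail wgtest2 "${epair}b"

	jexec wgtest1 ifconfig "${epair}a" "${endpoint1}/24" up
	jexec wgtest2 ifconfig "${epair}b" "${endpoint2}/24" up

	# Private keys go to wg(8) over stdin, not on the command line.
	wg1=$(jexec wgtest1 ifconfig wg create)
	echo "$pri1" | jexec wgtest1 wg set "$wg1" listen-port 12345 \
	    private-key /dev/stdin
	pub1=$(jexec wgtest1 wg show "$wg1" public-key)
	wg2=$(jexec wgtest2 ifconfig wg create)
	echo "$pri2" | jexec wgtest2 wg set "$wg2" listen-port 12345 \
	    private-key /dev/stdin
	pub2=$(jexec wgtest2 wg show "$wg2" public-key)

	atf_check -s exit:0 -o ignore \
	    jexec wgtest1 wg set "$wg1" peer "$pub2" \
	    endpoint "${endpoint2}:12345" allowed-ips "${tunnel2}/32,${tunnel4}/32"
	atf_check -s exit:0 \
	    jexec wgtest1 ifconfig "$wg1" inet "${tunnel1}/24" up

	atf_check -s exit:0 -o ignore \
	    jexec wgtest2 wg set "$wg2" peer "$pub1" \
	    endpoint "${endpoint1}:12345" allowed-ips "${tunnel1}/32,${tunnel3}/32"
	atf_check -s exit:0 \
	    jexec wgtest2 ifconfig "$wg2" inet "${tunnel2}/24" up

	atf_check -s exit:0 -o ignore \
	    jexec wgtest1 sysctl net.inet.ip.forwarding=1
	atf_check -s exit:0 -o ignore \
	    jexec wgtest2 sysctl net.inet.ip.forwarding=1

	# Run the netmap bridge helper from the test directory in the
	# background on wgtest1's wg interface (the "^" port name is netmap's
	# host-stack side).  Use the interface name ifconfig actually returned
	# instead of assuming it was wg0.
	jexec wgtest1 "$(atf_get_srcdir)/bridge" -w 0 \
	    -i "netmap:${wg1}" -i "netmap:${wg1}^" &
	pid=$!

	# Generous timeout since the handshake takes some time.
	atf_check -s exit:0 -o ignore jexec wgtest1 ping -c 1 -t 5 "$tunnel2"
	atf_check -s exit:0 -o ignore jexec wgtest2 ping -c 1 "$tunnel1"

	# Verify that we cannot ping non-existent tunnel addresses. In general
	# the remote side should respond with an ICMP message.
	atf_check -s exit:2 -o ignore jexec wgtest1 ping -c 1 -t 2 "$tunnel4"
	atf_check -s exit:2 -o ignore jexec wgtest2 ping -c 1 -t 2 "$tunnel3"

	# Make sure that the bridge is still functional.
	atf_check -s exit:0 -o ignore jexec wgtest1 ping -c 1 "$tunnel2"
	atf_check -s exit:0 -o ignore jexec wgtest2 ping -c 1 "$tunnel1"

	atf_check -s exit:0 kill -TERM "$pid"
	wait "$pid"
	status=$?

	# Make sure that SIGTERM was received and handled (128 + SIGTERM 15).
	atf_check_equal "$status" 143
}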

wg_basic_netmap_cleanup()
{
	# Remove the jails and epair created by the body.
	vnet_cleanup
}

# The kernel is expected to silently ignore any attempt to add a peer with a
# public key identical to the host's.
atf_test_case "wg_key_peerdev_shared" "cleanup"
wg_key_peerdev_shared_head()
{
	atf_set require.kmods if_wg
	atf_set require.user root
	atf_set descr 'Create a wg(4) interface with a shared pubkey between device and a peer'
}
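
wg_key_peerdev_shared_body()
{
	# Only the variables actually used are declared; the epair/endpoint
	# locals of the traffic tests are not needed for a single interface.
	local pri1 pub1 wg1 tunnel1

	pri1=$(wg genkey)
	tunnel1=169.254.0.1

	vnet_mkjail wgtest1

	wg1=$(jexec wgtest1 ifconfig wg create)
	echo "$pri1" | jexec wgtest1 wg set "$wg1" listen-port 12345 \
	    private-key /dev/stdin
	pub1=$(jexec wgtest1 wg show "$wg1" public-key)

	# Adding a peer whose public key is the device's own is accepted by
	# wg(8) ...
	atf_check -s exit:0 \
	    jexec wgtest1 wg set "${wg1}" peer "${pub1}" \
	    allowed-ips "${tunnel1}/32"

	# ... but the kernel is expected to drop it, leaving no peers.
	atf_check -o empty jexec wgtest1 wg show "${wg1}" peers
}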

wg_key_peerdev_shared_cleanup()
{
	# Remove the jail created by the body.
	vnet_cleanup
}
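
# When a wg(8) interface has a private key reassigned that corresponds to the
# public key already on a peer, the kernel is expected to deconfigure the peer
# to resolve the conflict.
atf_test_case "wg_key_peerdev_makeshared" "cleanup"
wg_key_peerdev_makeshared_head()
{
	atf_set descr 'Create a wg(4) interface and assign peer key to device'
	atf_set require.progs wg
	# The body creates a jail and wg(4) interfaces, which needs root and a
	# loadable if_wg.  Declare both, as the other cases in this file do,
	# so the test is skipped instead of failing when they are absent.
	atf_set require.user root
	atf_set require.kmods if_wg
}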
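
wg_key_peerdev_makeshared_body()
{
	# Only the variables actually used are declared (no epair/endpoint).
	local pri1 pub1 pri2 wg1 wg2 tunnel1

	pri1=$(wg genkey)
	pri2=$(wg genkey)
	tunnel1=169.254.0.1

	vnet_mkjail wgtest1

	# Two interfaces in the same jail; wg2 gets wg1's public key as a peer.
	wg1=$(jexec wgtest1 ifconfig wg create)
	echo "$pri1" | jexec wgtest1 wg set "$wg1" listen-port 12345 \
	    private-key /dev/stdin
	pub1=$(jexec wgtest1 wg show "$wg1" public-key)
	wg2=$(jexec wgtest1 ifconfig wg create)
	echo "$pri2" | jexec wgtest1 wg set "$wg2" listen-port 12345 \
	    private-key /dev/stdin

	atf_check -s exit:0 -o ignore \
	    jexec wgtest1 wg set "${wg2}" peer "${pub1}" \
	    allowed-ips "${tunnel1}/32"

	atf_check -o not-empty jexec wgtest1 wg show "${wg2}" peers

	# Stage wg1's private key in a file for the reassignment below.  The
	# key is streamed over stdin instead of being interpolated into a
	# "sh -c" string, so it never appears in a process argument list, and
	# the file is created without group/other permissions.
	printf '%s\n' "$pri1" | jexec wgtest1 sh -c 'umask 077; cat > pri1'

	# Giving wg2 the key behind its own peer makes the peer identical to
	# the device; the kernel is expected to remove that peer.
	atf_check -s exit:0 \
	    jexec wgtest1 wg set "${wg2}" private-key pri1

	atf_check -o empty jexec wgtest1 wg show "${wg2}" peers
}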

wg_key_peerdev_makeshared_cleanup()
{
	# Remove the jail created by the body.
	vnet_cleanup
}

# The kernel is expected to create the wg socket in the jail context that the
# wg interface was created in, even if the interface is moved to a different
# vnet.
atf_test_case "wg_vnet_parent_routing" "cleanup"
wg_vnet_parent_routing_head()
{
	atf_set require.kmods if_wg
	atf_set require.user root
	atf_set descr 'Create a wg(4) tunnel without epairs and pass traffic between jails'
}

wg_vnet_parent_routing_body()
{
	local privkey1 privkey2 pubkey1 pubkey2 wgif1 wgif2
	local tun1 tun2

	tun1=169.254.0.1
	tun2=169.254.0.2

	privkey1=$(wg genkey)
	privkey2=$(wg genkey)

	vnet_init

	# Both interfaces are created in the parent vnet and only then moved
	# into their jails.  The peers reach each other through loopback in
	# the parent, so the two listen ports have to differ.
	wgif1=$(ifconfig wg create)
	wgif2=$(ifconfig wg create)
	vnet_mkjail wgtest1 "${wgif1}"
	vnet_mkjail wgtest2 "${wgif2}"

	printf '%s\n' "$privkey1" | jexec wgtest1 wg set "$wgif1" \
	    listen-port 12345 private-key /dev/stdin
	pubkey1=$(jexec wgtest1 wg show "$wgif1" public-key)
	printf '%s\n' "$privkey2" | jexec wgtest2 wg set "$wgif2" \
	    listen-port 12346 private-key /dev/stdin
	pubkey2=$(jexec wgtest2 wg show "$wgif2" public-key)

	atf_check -s exit:0 -o ignore \
	    jexec wgtest1 wg set "$wgif1" peer "$pubkey2" \
	    endpoint 127.0.0.1:12346 allowed-ips "${tun2}/32"
	atf_check -s exit:0 \
	    jexec wgtest1 ifconfig "$wgif1" inet "${tun1}/24" up

	atf_check -s exit:0 -o ignore \
	    jexec wgtest2 wg set "$wgif2" peer "$pubkey1" \
	    endpoint 127.0.0.1:12345 allowed-ips "${tun1}/32"
	atf_check -s exit:0 \
	    jexec wgtest2 ifconfig "$wgif2" inet "${tun2}/24" up

	# Sanity check ICMP counters; should clearly be nothing on these new
	# jails. We'll check them as we go to ensure that the ICMP packets
	# generated really are being handled by the jails' vnets.
	atf_check -o not-match:"histogram" jexec wgtest1 netstat -s -p icmp
	atf_check -o not-match:"histogram" jexec wgtest2 netstat -s -p icmp

	# Generous timeout since the handshake takes some time.
	atf_check -s exit:0 -o ignore jexec wgtest1 ping -c 1 -t 5 "$tun2"
	atf_check -o match:"echo reply: 1" jexec wgtest1 netstat -s -p icmp
	atf_check -o match:"echo: 1" jexec wgtest2 netstat -s -p icmp

	atf_check -s exit:0 -o ignore jexec wgtest2 ping -c 1 "$tun1"
	atf_check -o match:"echo reply: 1" jexec wgtest2 netstat -s -p icmp
	atf_check -o match:"echo: 1" jexec wgtest1 netstat -s -p icmp
}

wg_vnet_parent_routing_cleanup()
{
	# Remove the jails created by the body.
	vnet_cleanup
}

# The kernel should now allow removing a single allowed-ip without having to
# replace the whole list. We can't really test the atomicity of it all that
# easily, but we'll trust that it worked right if just that addr/mask is gone.
atf_test_case "wg_allowedip_incremental" "cleanup"
wg_allowedip_incremental_head()
{
	# The body loads if_wg itself and skips if it cannot.
	atf_set require.user root
	atf_set descr "Add/remove allowed-ips from a peer with the +/- incremental syntax"
}
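
wg_allowedip_incremental_body()
{
	local pri1 pri2 pub1 pub2 wg1
	local tunnel1 tunnel2 tunnel3

	kldload -n if_wg || atf_skip "This test requires if_wg and could not load it"

	pri1=$(wg genkey)
	pri2=$(wg genkey)
	pub2=$(echo "$pri2" | wg pubkey)

	tunnel1=169.254.0.1
	tunnel2=169.254.0.2
	# tunnel3 is never added; it is used to check that removing an
	# unknown address is harmless.
	tunnel3=169.254.0.3

	vnet_mkjail wgtest1

	wg1=$(jexec wgtest1 ifconfig wg create)
	echo "$pri1" | jexec wgtest1 wg set "$wg1" private-key /dev/stdin
	pub1=$(jexec wgtest1 wg show "$wg1" public-key)

	# Start with two allowed-ips on the peer.
	atf_check -s exit:0 \
	    jexec wgtest1 wg set "$wg1" peer "$pub2" \
	    allowed-ips "${tunnel1}/32,${tunnel2}/32"

	# Addresses are matched as fixed strings (-F): the dots in an IPv4
	# address would otherwise be regex wildcards.
	atf_check -o save:wg.allowed jexec wgtest1 wg show "$wg1" allowed-ips
	atf_check grep -qF -- "${tunnel1}/32" wg.allowed
	atf_check grep -qF -- "${tunnel2}/32" wg.allowed

	# "-addr" removes just that entry and leaves the rest in place.
	atf_check -s exit:0 \
	    jexec wgtest1 wg set "$wg1" peer "$pub2" \
	    allowed-ips "-${tunnel2}/32"

	atf_check -o save:wg-2.allowed jexec wgtest1 wg show "$wg1" allowed-ips
	atf_check grep -qF -- "${tunnel1}/32" wg-2.allowed
	atf_check -s not-exit:0 grep -qF -- "${tunnel2}/32" wg-2.allowed

	# "+addr" adds it back.
	atf_check -s exit:0 \
	    jexec wgtest1 wg set "$wg1" peer "$pub2" \
	    allowed-ips "+${tunnel2}/32"

	atf_check -o save:wg-3.allowed jexec wgtest1 wg show "$wg1" allowed-ips
	atf_check grep -qF -- "${tunnel1}/32" wg-3.allowed
	atf_check grep -qF -- "${tunnel2}/32" wg-3.allowed

	# Now attempt to add the address yet again to confirm that it's not
	# harmful.
	atf_check -s exit:0 \
	    jexec wgtest1 wg set "$wg1" peer "$pub2" \
	    allowed-ips "+${tunnel2}/32"

	# One allowed-ip per line so the count can be checked exactly.
	atf_check -o save:wg-4.allowed -x \
	    "jexec wgtest1 wg show $wg1 allowed-ips | cut -f2 | tr ' ' '\n'"
	atf_check -o match:"2 wg-4.allowed$" wc -l wg-4.allowed

	# Finally, let's try removing an address that we never had at all and
	# confirm that we still have our two addresses.
	atf_check -s exit:0 \
	    jexec wgtest1 wg set "$wg1" peer "$pub2" \
	    allowed-ips "-${tunnel3}/32"

	atf_check -o save:wg-5.allowed -x \
	    "jexec wgtest1 wg show $wg1 allowed-ips | cut -f2 | tr ' ' '\n'"
	atf_check cmp -s wg-4.allowed wg-5.allowed
}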

wg_allowedip_incremental_cleanup()
{
	# Remove the jail created by the body.
	vnet_cleanup
}

atf_test_case "wg_allowedip_incremental_inet6" "cleanup"
wg_allowedip_incremental_inet6_head()
{
	# IPv6 counterpart of wg_allowedip_incremental; the body loads if_wg
	# itself and skips if it cannot.
	atf_set require.user root
	atf_set descr "Add/remove IPv6 allowed-ips from a peer with the +/- incremental syntax"
}
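
wg_allowedip_incremental_inet6_body()
{
	local pri1 pri2 pub1 pub2 wg1
	local tunnel1 tunnel2

	kldload -n if_wg || atf_skip "This test requires if_wg and could not load it"

	pri1=$(wg genkey)
	pri2=$(wg genkey)
	pub2=$(echo "$pri2" | wg pubkey)

	tunnel1=2001:db8:1::1
	tunnel2=2001:db8:1::2

	vnet_mkjail wgtest1

	wg1=$(jexec wgtest1 ifconfig wg create)
	echo "$pri1" | jexec wgtest1 wg set "$wg1" private-key /dev/stdin
	pub1=$(jexec wgtest1 wg show "$wg1" public-key)

	# Start with a single allowed-ip.  Addresses are matched as fixed
	# strings (-F) so no character in them is taken as a regex operator.
	atf_check -s exit:0 \
	    jexec wgtest1 wg set "$wg1" peer "$pub2" \
	    allowed-ips "${tunnel1}/128"
	atf_check -o save:wg.allowed jexec wgtest1 wg show "$wg1" allowed-ips
	atf_check grep -qF -- "${tunnel1}/128" wg.allowed

	# "+addr" adds a second one alongside it.
	atf_check -s exit:0 \
	    jexec wgtest1 wg set "$wg1" peer "$pub2" \
	    allowed-ips "+${tunnel2}/128"
	atf_check -o save:wg-2.allowed jexec wgtest1 wg show "$wg1" allowed-ips
	atf_check grep -qF -- "${tunnel1}/128" wg-2.allowed
	atf_check grep -qF -- "${tunnel2}/128" wg-2.allowed

	# "-addr" removes only the named entry.
	atf_check -s exit:0 \
	    jexec wgtest1 wg set "$wg1" peer "$pub2" \
	    allowed-ips "-${tunnel1}/128"
	atf_check -o save:wg-3.allowed jexec wgtest1 wg show "$wg1" allowed-ips
	atf_check -s not-exit:0 grep -qF -- "${tunnel1}/128" wg-3.allowed
	atf_check grep -qF -- "${tunnel2}/128" wg-3.allowed
}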

wg_allowedip_incremental_inet6_cleanup()
{
	# Remove the jail created by the body.
	vnet_cleanup
}


atf_test_case "wg_allowedip_incremental_stealing" "cleanup"
wg_allowedip_incremental_stealing_head()
{
	# Moving an allowed-ip from one peer to another with "+addr"; the body
	# loads if_wg itself and skips if it cannot.
	atf_set require.user root
	atf_set descr "Add/remove allowed-ips from a peer with the +/- incremental syntax to steal"
}
561
562
wg_allowedip_incremental_stealing_body()
563
{
564
local pri1 pri2 pri3 pub1 pub2 pub3 wg1
565
local regex2 regex3
566
local tunnel1 tunnel2
567
568
kldload -n if_wg || atf_skip "This test requires if_wg and could not load it"
569
570
pri1=$(wg genkey)
571
pri2=$(wg genkey)
572
pri3=$(wg genkey)
573
pub2=$(echo "$pri2" | wg pubkey)
574
pub3=$(echo "$pri3" | wg pubkey)
575
576
regex2=$(echo "$pub2" | sed -e 's/[+]/[+]/g')
577
regex3=$(echo "$pub3" | sed -e 's/[+]/[+]/g')
578
579
tunnel1=169.254.0.1
580
tunnel2=169.254.0.2
581
tunnel3=169.254.0.3
582
583
vnet_mkjail wgtest1
584
585
wg1=$(jexec wgtest1 ifconfig wg create)
586
echo "$pri1" | jexec wgtest1 wg set $wg1 private-key /dev/stdin
587
pub1=$(jexec wgtest1 wg show $wg1 public-key)
588
589
atf_check -s exit:0 \
590
jexec wgtest1 wg set $wg1 peer $pub2 \
591
allowed-ips "${tunnel1}/32,${tunnel2}/32"
592
593
atf_check -s exit:0 \
594
jexec wgtest1 wg set $wg1 peer $pub3 \
595
allowed-ips "${tunnel3}/32"
596
597
# First, confirm that the negative syntax doesn't do anything because
598
# we have the wrong peer.
599
atf_check -s exit:0 \
600
jexec wgtest1 wg set $wg1 peer $pub2 \
601
allowed-ips "-${tunnel3}/32"
602
603
atf_check -o save:wg.allowed jexec wgtest1 wg show $wg1 allowed-ips
604
atf_check grep -Eq "^${regex3}.+${tunnel3}/32" wg.allowed
605
606
# Next, steal it with an incremental move and check that it moved.
607
atf_check -s exit:0 \
608
jexec wgtest1 wg set $wg1 peer $pub2 \
609
allowed-ips "+${tunnel3}/32"
610
611
atf_check -o save:wg-2.allowed jexec wgtest1 wg show $wg1 allowed-ips
612
613
atf_check grep -Eq "^${regex2}.+${tunnel3}/32" wg-2.allowed
614
atf_check grep -Evq "^${regex3}.+${tunnel3}/32" wg-2.allowed
615
}

wg_allowedip_incremental_stealing_cleanup()
{
	# Remove the jail created by the body.
	vnet_cleanup
}

atf_init_test_cases()
{
	local tc

	# Register every case above, in file order.
	for tc in \
	    wg_basic \
	    wg_basic_crossaf \
	    wg_basic_netmap \
	    wg_key_peerdev_shared \
	    wg_key_peerdev_makeshared \
	    wg_vnet_parent_routing \
	    wg_allowedip_incremental \
	    wg_allowedip_incremental_inet6 \
	    wg_allowedip_incremental_stealing; do
		atf_add_test_case "$tc"
	done
}