author | Jason A. Donenfeld <Jason@zx2c4.com> | 2021-06-01 10:45:21 +0200 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2021-06-01 15:12:30 +0200 |
commit | 3be23818a151c902ea2f13251b8afed4e37d4569 (patch) | |
tree | f1f3b47a6324cff40cd0adfdd5f67f7475cf44f3 /tests/if_wg_test.sh | |
parent | if_wg: pass back result of selftests and enable in CI (diff) | |
download | wireguard-freebsd-3be23818a151c902ea2f13251b8afed4e37d4569.tar.xz wireguard-freebsd-3be23818a151c902ea2f13251b8afed4e37d4569.zip |
netns: trim test to working parts and rework jail logic
Rather than agonizing on and on about finishing this, just get what
actually works in a tidy place.
We also make everything happen in a dedicated child jail, and work with
JIDs instead of labels. This should improve isolation and reliability.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to '')
-rwxr-xr-x | tests/if_wg_test.sh | 164 |
1 files changed, 0 insertions, 164 deletions
diff --git a/tests/if_wg_test.sh b/tests/if_wg_test.sh
deleted file mode 100755
index 69e90d9..0000000
--- a/tests/if_wg_test.sh
+++ /dev/null
@@ -1,164 +0,0 @@
-# $FreeBSD$
-#
-# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
-#
-# Copyright (c) 2021 The FreeBSD Foundation
-
-. $(atf_get_srcdir)/../common/vnet.subr
-
-atf_test_case "wg_basic" "cleanup"
-wg_basic_head()
-{
- atf_set descr 'Create a wg(4) tunnel over an epair and pass traffic between jails'
- atf_set require.user root
-}
-
-wg_basic_body()
-{
- local epair pri1 pri2 pub1 pub2 wg1 wg2
- local endpoint1 endpoint2 tunnel1 tunnel2
-
- kldload -n if_wg
-
- pri1=$(openssl rand -base64 32)
- pri2=$(openssl rand -base64 32)
-
- endpoint1=192.168.2.1
- endpoint2=192.168.2.2
- tunnel1=169.254.0.1
- tunnel2=169.254.0.2
-
- epair=$(vnet_mkepair)
-
- vnet_init
-
- vnet_mkjail wgtest1 ${epair}a
- vnet_mkjail wgtest2 ${epair}b
-
- # Workaround for PR 254212.
- jexec wgtest1 ifconfig lo0 up
- jexec wgtest2 ifconfig lo0 up
-
- jexec wgtest1 ifconfig ${epair}a $endpoint1 up
- jexec wgtest2 ifconfig ${epair}b $endpoint2 up
-
- wg1=$(jexec wgtest1 ifconfig wg create listen-port 12345 private-key "$pri1")
- pub1=$(jexec wgtest1 ifconfig $wg1 | awk '/public-key:/ {print $2}')
- wg2=$(jexec wgtest2 ifconfig wg create listen-port 12345 private-key "$pri2")
- pub2=$(jexec wgtest2 ifconfig $wg2 | awk '/public-key:/ {print $2}')
-
- atf_check -s exit:0 -o ignore \
- jexec wgtest1 ifconfig $wg1 peer public-key "$pub2" \
- endpoint ${endpoint2}:12345 allowed-ips ${tunnel2}/32
- atf_check -s exit:0 \
- jexec wgtest1 ifconfig $wg1 inet $tunnel1 up
-
- atf_check -s exit:0 -o ignore \
- jexec wgtest2 ifconfig $wg2 peer public-key "$pub1" \
- endpoint ${endpoint1}:12345 allowed-ips ${tunnel1}/32
- atf_check -s exit:0 \
- jexec wgtest2 ifconfig $wg2 inet $tunnel2 up
-
- # Generous timeout since the handshake takes some time.
- atf_check -s exit:0 -o ignore jexec wgtest1 ping -o -t 5 -i 0.25 $tunnel2
- atf_check -s exit:0 -o ignore jexec wgtest2 ping -o -t 5 -i 0.25 $tunnel1
-}
-
-wg_basic_cleanup()
-{
- vnet_cleanup
-}
-
-# The kernel is expecteld to silently ignore any attempt to add a peer with a
-# public key identical to the host's.
-atf_test_case "wg_key_peerdev_shared" "cleanup"
-wg_key_peerdev_shared_head()
-{
- atf_set descr 'Create a wg(4) interface with a shared pubkey between device and a peer'
- atf_set require.user root
-}
-
-wg_key_peerdev_shared_body()
-{
- local epair pri1 pub1 wg1
- local endpoint1 tunnel1
-
- kldload -n if_wg
-
- pri1=$(openssl rand -base64 32)
-
- endpoint1=192.168.2.1
- tunnel1=169.254.0.1
-
- vnet_mkjail wgtest1
-
- wg1=$(jexec wgtest1 ifconfig wg create listen-port 12345 private-key "$pri1")
- pub1=$(jexec wgtest1 ifconfig $wg1 | awk '/public-key:/ {print $2}')
-
- atf_check -s exit:0 \
- jexec wgtest1 ifconfig ${wg1} peer public-key "${pub1}" \
- allowed-ips "${tunnel1}/32"
-
- atf_check -o empty jexec wgtest1 ifconfig ${wg1} peers
-}
-
-wg_key_peerdev_shared_cleanup()
-{
- vnet_cleanup
-}
-
-# When a wg(8) interface has a private key reassigned that corresponds to the
-# public key already on a peer, the kernel is expected to deconfigure the peer
-# to resolve the conflict.
-atf_test_case "wg_key_peerdev_makeshared" "cleanup"
-wg_key_peerdev_makeshared_head()
-{
- atf_set descr 'Create a wg(4) interface and assign peer key to device'
- atf_set require.progs wg
-}
-
-wg_key_peerdev_makeshared_body()
-{
- local epair pri1 pub1 pri2 wg1 wg2
- local endpoint1 tunnel1
-
- kldload -n if_wg
-
- pri1=$(openssl rand -base64 32)
- pri2=$(openssl rand -base64 32)
-
- endpoint1=192.168.2.1
- tunnel1=169.254.0.1
-
- vnet_mkjail wgtest1
-
- wg1=$(jexec wgtest1 ifconfig wg create listen-port 12345 private-key "$pri1")
- pub1=$(jexec wgtest1 ifconfig $wg1 | awk '/public-key:/ {print $2}')
-
- wg2=$(jexec wgtest1 ifconfig wg create listen-port 12345 private-key "$pri2")
-
- atf_check -s exit:0 -o ignore \
- jexec wgtest1 ifconfig ${wg2} peer public-key "${pub1}" \
- allowed-ips "${tunnel1}/32"
-
- atf_check -o not-empty jexec wgtest1 ifconfig ${wg2} peers
-
- jexec wgtest1 sh -c "echo '${pri1}' > pri1"
-
- atf_check -s exit:0 \
- jexec wgtest1 wg set ${wg2} private-key pri1
-
- atf_check -o empty jexec wgtest1 ifconfig ${wg2} peers
-}
-
-wg_key_peerdev_makeshared_cleanup()
-{
- vnet_cleanup
-}
-
-atf_init_test_cases()
-{
- atf_add_test_case "wg_basic"
- atf_add_test_case "wg_key_peerdev_shared"
- atf_add_test_case "wg_key_peerdev_makeshared"
-}
 |