#! /usr/bin/atf-sh
#	$NetBSD: net_common.sh,v 1.44.2.1 2024/08/22 19:20:29 martin Exp $
#
# Copyright (c) 2016 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#

#
# Common utility functions for tests/net
#

export PATH="/sbin:/usr/sbin:/bin:/usr/bin"

HIJACKING="env LD_PRELOAD=/usr/lib/librumphijack.so \
    RUMPHIJACK=path=/rump,socket=all:nolocal,sysctl=yes"
ONEDAYISH="(23h5[0-9]m|1d0h0m)[0-9]+s ?"

extract_new_packets()
{
	local bus=$1
	local old=./.__old

	if [ ! -f $old ]; then
		old=/dev/null
	fi

	shmif_dumpbus -p - $bus 2>/dev/null |
	    tcpdump -n -e -r - 2>/dev/null > ./.__new
	diff -u $old ./.__new | grep '^+' | cut -d '+' -f 2   > ./.__diff
	mv -f ./.__new ./.__old
	cat ./.__diff
}

check_route()
{
	local target=$1
	local gw=$2
	local flags=${3:-\.\+}
	local ifname=${4:-\.\+}

	target=$(echo $target | sed 's/\./\\./g')
	if [ "$gw" = "" ]; then
		gw=".+"
	else
		gw=$(echo $gw | sed 's/\./\\./g')
	fi

	atf_check -s exit:0 -e ignore \
	    -o match:"^$target +$gw +$flags +- +- +.+ +$ifname" \
	    rump.netstat -rn
}

check_route_flags()
{

	check_route "$1" "" "$2" ""
}

check_route_gw()
{

	check_route "$1" "$2" "" ""
}

check_route_no_entry()
{
	local target=$(echo "$1" | sed 's/\./\\./g')

	atf_check -s exit:0 -e ignore -o not-match:"^$target" rump.netstat -rn
}

get_linklocal_addr()
{

	RUMP_SERVER=${1} rump.ifconfig ${2} inet6 |
	    awk "/fe80/ {sub(/%$2/, \"\"); sub(/\\/[0-9]*/, \"\"); print \$2;}"

	return 0
}

get_macaddr()
{

	RUMP_SERVER=${1} rump.ifconfig ${2} | awk '/address/ {print $2;}'
}

HTTPD_PID=./.__httpd.pid
start_httpd()
{
	local sock=$1
	local ip=$2
	local backup=$RUMP_SERVER

	export RUMP_SERVER=$sock

	# start httpd in daemon mode
	atf_check -s exit:0 env LD_PRELOAD=/usr/lib/librumphijack.so \
	    /usr/libexec/httpd -P $HTTPD_PID -i $ip -b -s $(pwd)

	export RUMP_SERVER=$backup

	sleep 3
}

stop_httpd()
{

	if [ -f $HTTPD_PID ]; then
		kill -9 $(cat $HTTPD_PID)
		rm -f $HTTPD_PID
		sleep 1
	fi
}

NC_PID=./.__nc.pid
start_nc_server()
{
	local sock=$1
	local port=$2
	local outfile=$3
	local proto=${4:-ipv4}
	local extra_opts="$5"
	local backup=$RUMP_SERVER
	local opts=

	export RUMP_SERVER=$sock

	if [ $proto = ipv4 ]; then
		opts="-l -4"
	else
		opts="-l -6"
	fi
	opts="$opts $extra_opts"

	env LD_PRELOAD=/usr/lib/librumphijack.so nc $opts $port > $outfile &
	echo $! > $NC_PID

	if [ $proto = ipv4 ]; then
		$DEBUG && rump.netstat -a -f inet
	else
		$DEBUG && rump.netstat -a -f inet6
	fi

	export RUMP_SERVER=$backup

	sleep 1
}

stop_nc_server()
{

	if [ -f $NC_PID ]; then
		kill -9 $(cat $NC_PID)
		rm -f $NC_PID
		sleep 1
	fi
}

BASIC_LIBS="-lrumpnet -lrumpnet_net -lrumpnet_netinet -lrumpnet_shmif"
FS_LIBS="$BASIC_LIBS -lrumpdev -lrumpvfs -lrumpfs_ffs"
CRYPTO_LIBS="$BASIC_LIBS -lrumpdev -lrumpdev_opencrypto \
    -lrumpkern_z -lrumpkern_crypto"
NPF_LIBS="$BASIC_LIBS -lrumpdev -lrumpvfs -lrumpdev_bpf -lrumpnet_npf"
CRYPTO_NPF_LIBS="$CRYPTO_LIBS -lrumpvfs -lrumpdev_bpf -lrumpnet_npf"
BPF_LIBS="$BASIC_LIBS -lrumpdev -lrumpvfs -lrumpdev_bpf"

# We cannot keep variables between test phases, so need to store in files
_rump_server_socks=./.__socks
_rump_server_ifaces=./.__ifaces
_rump_server_buses=./.__buses
_rump_server_macaddrs=./.__macaddrs

DEBUG_SYSCTL_ENTRIES="net.inet.arp.debug net.inet6.icmp6.nd6_debug \
    net.inet.ipsec.debug"

IPSEC_KEY_DEBUG=${IPSEC_KEY_DEBUG:-false}

_rump_server_start_common()
{
	local sock=$1
	local backup=$RUMP_SERVER

	shift 1

	atf_check -s exit:0 rump_server "$@" "$sock"

	if $DEBUG; then
		# Enable debugging features in the kernel
		export RUMP_SERVER=$sock
		for ent in $DEBUG_SYSCTL_ENTRIES; do
			if rump.sysctl -q $ent; then
				atf_check -s exit:0 rump.sysctl -q -w $ent=1
			fi
		done
		export RUMP_SERVER=$backup
	fi
	if $IPSEC_KEY_DEBUG; then
		# Enable debugging features in the kernel
		export RUMP_SERVER=$sock
		if rump.sysctl -q net.key.debug; then
			atf_check -s exit:0 \
			    rump.sysctl -q -w net.key.debug=0xffff
		fi
		export RUMP_SERVER=$backup
	fi

	echo $sock >> $_rump_server_socks
	$DEBUG && cat $_rump_server_socks
}

rump_server_start()
{
	local sock=$1
	local lib=
	local libs="$BASIC_LIBS"

	shift 1

	for lib
	do
		libs="$libs -lrumpnet_$lib"
	done

	_rump_server_start_common $sock $libs

	return 0
}

rump_server_fs_start()
{
	local sock=$1
	local lib=
	local libs="$FS_LIBS"

	shift 1

	for lib
	do
		libs="$libs -lrumpnet_$lib"
	done

	_rump_server_start_common $sock $libs

	return 0
}

rump_server_crypto_start()
{
	local sock=$1
	local lib=
	local libs="$CRYPTO_LIBS"

	shift 1

	for lib
	do
		libs="$libs -lrumpnet_$lib"
	done

	_rump_server_start_common $sock $libs

	return 0
}

rump_server_npf_start()
{
	local sock=$1
	local lib=
	local libs="$NPF_LIBS"

	shift 1

	for lib
	do
		libs="$libs -lrumpnet_$lib"
	done

	_rump_server_start_common $sock $libs

	return 0
}

rump_server_crypto_npf_start()
{
	local sock=$1
	local lib=
	local libs="$CRYPTO_NPF_LIBS"

	shift 1

	for lib
	do
		libs="$libs -lrumpnet_$lib"
	done

	_rump_server_start_common $sock $libs

	return 0
}

rump_server_bpf_start()
{
	local sock=$1
	local lib=
	local libs="$BPF_LIBS"

	shift 1

	for lib
	do
		libs="$libs -lrumpnet_$lib"
	done

	_rump_server_start_common $sock $libs

	return 0
}

rump_server_add_iface()
{
	local sock=$1
	local ifname=$2
	local bus=$3
	local backup=$RUMP_SERVER
	local macaddr=

	export RUMP_SERVER=$sock
	atf_check -s exit:0 rump.ifconfig $ifname create
	if [ -n "$bus" ]; then
		atf_check -s exit:0 rump.ifconfig $ifname linkstr $bus
	fi

	macaddr=$(get_macaddr $sock $ifname)
	if [ -n "$macaddr" ]; then
		if [ -f $_rump_server_macaddrs ]; then
			atf_check -s not-exit:0 \
			    grep -q $macaddr $_rump_server_macaddrs
		fi
		echo $macaddr >> $_rump_server_macaddrs
	fi

	export RUMP_SERVER=$backup

	echo $sock $ifname >> $_rump_server_ifaces
	$DEBUG && cat $_rump_server_ifaces

	echo $bus >> $_rump_server_buses
	cat $_rump_server_buses |sort -u >./.__tmp
	mv -f ./.__tmp $_rump_server_buses
	$DEBUG && cat $_rump_server_buses

	return 0
}

rump_server_check_poolleaks()
{
	local target=$1

	# XXX rumphijack doesn't work with a binary with suid/sgid bits like
	# vmstat.  Use a copied one to drop sgid bit as a workaround until
	# vmstat stops using kvm(3) for /dev/kmem and the sgid bit.
	cp /usr/bin/vmstat ./vmstat
	reqs=$($HIJACKING ./vmstat -mv | awk "/$target/ {print \$3;}")
	rels=$($HIJACKING ./vmstat -mv | awk "/$target/ {print \$5;}")
	rm -f ./vmstat
	atf_check_equal '$target$reqs' '$target$rels'
}

#
# rump_server_check_memleaks detects memory leaks.  It can detect leaks of pool
# objects that are guaranteed to be all deallocated at this point, i.e., all
# created interfaces are destroyed.  Currently only llentpl satisfies this
# constraint.  This mechanism can't be applied to objects allocated through
# pool_cache(9) because it doesn't track released objects explicitly.
#
rump_server_check_memleaks()
{

	rump_server_check_poolleaks llentrypl
	# This doesn't work for objects allocated through pool_cache
	#rump_server_check_poolleaks mbpl
	#rump_server_check_poolleaks mclpl
	#rump_server_check_poolleaks socket
}

rump_server_destroy_ifaces()
{
	local backup=$RUMP_SERVER
	local output=ignore
	local reqs= rels=

	$DEBUG && cat $_rump_server_ifaces

	# Try to dump states before destroying interfaces
	for sock in $(cat $_rump_server_socks); do
		export RUMP_SERVER=$sock
		if $DEBUG; then
			output=save:/dev/stdout
		fi
		atf_check -s exit:0 -o $output rump.ifconfig
		atf_check -s exit:0 -o $output rump.netstat -nr
		# XXX still need hijacking
		atf_check -s exit:0 -o $output $HIJACKING rump.netstat -nai
		atf_check -s exit:0 -o $output rump.arp -na
		atf_check -s exit:0 -o $output rump.ndp -na
		atf_check -s exit:0 -o $output $HIJACKING ifmcstat
	done

	# XXX using pipe doesn't work. See PR bin/51667
	#cat $_rump_server_ifaces | while read sock ifname; do
	# Destroy interfaces in the reverse order
	tac $_rump_server_ifaces > __ifaces
	while read sock ifname; do
		export RUMP_SERVER=$sock
		if rump.ifconfig -l |grep -q $ifname; then
			if $DEBUG; then
				rump.ifconfig -v $ifname
			fi
			atf_check -s exit:0 rump.ifconfig $ifname destroy
		fi
		atf_check -s exit:0 -o ignore rump.ifconfig
	done < __ifaces
	rm -f __ifaces

	for sock in $(cat $_rump_server_socks); do
		export RUMP_SERVER=$sock
		rump_server_check_memleaks
	done

	export RUMP_SERVER=$backup

	return 0
}

rump_server_halt_servers()
{
	local backup=$RUMP_SERVER

	$DEBUG && cat $_rump_server_socks
	for sock in $(cat $_rump_server_socks); do
		env RUMP_SERVER=$sock rump.halt
	done
	export RUMP_SERVER=$backup

	return 0
}

extract_rump_server_core()
{

	if [ -f rump_server.core ]; then
		gdb -ex bt /usr/bin/rump_server rump_server.core
		# Extract kernel logs including a panic message
		strings rump_server.core |grep -E '^\[.+\] '
	fi
}

dump_kernel_stats()
{
	local sock=$1

	echo "### Dumping $sock"
	export RUMP_SERVER=$sock
	rump.ifconfig -av
	rump.netstat -nr
	# XXX still need hijacking
	$HIJACKING rump.netstat -nai
	# XXX workaround for vmstat with the sgid bit
	cp /usr/bin/vmstat ./vmstat
	$HIJACKING ./vmstat -m
	rm -f ./vmstat
	rump.arp -na
	rump.ndp -na
	$HIJACKING ifmcstat
	$HIJACKING dmesg
}

rump_server_dump_servers()
{
	local backup=$RUMP_SERVER

	$DEBUG && cat $_rump_server_socks
	for sock in $(cat $_rump_server_socks); do
		dump_kernel_stats $sock
	done
	export RUMP_SERVER=$backup

	extract_rump_server_core
	return 0
}

rump_server_dump_buses()
{

	if [ ! -f $_rump_server_buses ]; then
		return 0
	fi

	$DEBUG && cat $_rump_server_buses
	for bus in $(cat $_rump_server_buses); do
		echo "### Dumping $bus"
		shmif_dumpbus -p - $bus 2>/dev/null| tcpdump -n -e -r -
	done
	return 0
}

cleanup()
{

	if [ -f $_rump_server_socks ]; then
		rump_server_halt_servers
	fi
}

dump()
{

	rump_server_dump_servers
	rump_server_dump_buses
}

skip_if_qemu()
{
	if drvctl -l qemufwcfg0 >/dev/null 2>&1
	then
	    atf_skip "unreliable under qemu, skip until PR kern/43997 fixed"
	fi
}

test_create_destroy_common()
{
	local sock=$1
	local ifname=$2
	local test_address=${3:-false}
	local ipv4="10.0.0.1/24"
	local ipv6="fc00::1"

	export RUMP_SERVER=$sock

	atf_check -s exit:0 rump.ifconfig $ifname create
	atf_check -s exit:0 rump.ifconfig $ifname destroy

	atf_check -s exit:0 rump.ifconfig $ifname create
	atf_check -s exit:0 rump.ifconfig $ifname up
	atf_check -s exit:0 rump.ifconfig $ifname down
	atf_check -s exit:0 rump.ifconfig $ifname destroy

	# Destroy while UP
	atf_check -s exit:0 rump.ifconfig $ifname create
	atf_check -s exit:0 rump.ifconfig $ifname up
	atf_check -s exit:0 rump.ifconfig $ifname destroy

	if ! $test_address; then
		return
	fi

	# With an IPv4 address
	atf_check -s exit:0 rump.ifconfig $ifname create
	atf_check -s exit:0 rump.ifconfig $ifname inet $ipv4
	atf_check -s exit:0 rump.ifconfig $ifname up
	atf_check -s exit:0 rump.ifconfig $ifname destroy

	# With an IPv6 address
	atf_check -s exit:0 rump.ifconfig $ifname create
	atf_check -s exit:0 rump.ifconfig $ifname inet6 $ipv6
	atf_check -s exit:0 rump.ifconfig $ifname up
	atf_check -s exit:0 rump.ifconfig $ifname destroy

	unset RUMP_SERVER
}
#	$NetBSD: t_ipsec.sh,v 1.11 2020/08/05 01:10:50 knakahara Exp $
#
# Copyright (c) 2017 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#

SOCK1=unix://commsock1 # for ROUTER1
SOCK2=unix://commsock2 # for ROUTER2
ROUTER1_LANIP=192.168.1.1
ROUTER1_LANNET=192.168.1.0/24
ROUTER1_WANIP=10.0.0.1
ROUTER1_IPSECIP=172.16.1.1
ROUTER1_WANIP_DUMMY=10.0.0.11
ROUTER1_IPSECIP_DUMMY=172.16.11.1
ROUTER1_IPSECIP_RECURSIVE1=172.16.101.1
ROUTER1_IPSECIP_RECURSIVE2=172.16.201.1
ROUTER2_LANIP=192.168.2.1
ROUTER2_LANNET=192.168.2.0/24
ROUTER2_WANIP=10.0.0.2
ROUTER2_IPSECIP=172.16.2.1
ROUTER2_WANIP_DUMMY=10.0.0.12
ROUTER2_IPSECIP_DUMMY=172.16.12.1
ROUTER2_IPSECIP_RECURSIVE1=172.16.102.1
ROUTER2_IPSECIP_RECURSIVE2=172.16.202.1

ROUTER1_LANIP6=fc00:1::1
ROUTER1_LANNET6=fc00:1::/64
ROUTER1_WANIP6=fc00::1
ROUTER1_IPSECIP6=fc00:3::1
ROUTER1_WANIP6_DUMMY=fc00::11
ROUTER1_IPSECIP6_DUMMY=fc00:13::1
ROUTER1_IPSECIP6_RECURSIVE1=fc00:103::1
ROUTER1_IPSECIP6_RECURSIVE2=fc00:203::1
ROUTER2_LANIP6=fc00:2::1
ROUTER2_LANNET6=fc00:2::/64
ROUTER2_WANIP6=fc00::2
ROUTER2_IPSECIP6=fc00:4::1
ROUTER2_WANIP6_DUMMY=fc00::12
ROUTER2_IPSECIP6_DUMMY=fc00:14::1
ROUTER2_IPSECIP6_RECURSIVE1=fc00:104::1
ROUTER2_IPSECIP6_RECURSIVE2=fc00:204::1

DEBUG=${DEBUG:-false}
TIMEOUT=7

atf_test_case ipsecif_create_destroy cleanup
ipsecif_create_destroy_head()
{

	atf_set "descr" "Test creating/destroying gif interfaces"
	atf_set "require.progs" "rump_server"
}

ipsecif_create_destroy_body()
{

	rump_server_start $SOCK1 ipsec

	test_create_destroy_common $SOCK1 ipsec0
}

ipsecif_create_destroy_cleanup()
{

	$DEBUG && dump
	cleanup
}

setup_router()
{
	local sock=${1}
	local lan=${2}
	local lan_mode=${3}
	local wan=${4}
	local wan_mode=${5}

	rump_server_add_iface $sock shmif0 bus0
	rump_server_add_iface $sock shmif1 bus1

	export RUMP_SERVER=${sock}

	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.sysctl -q -w net.inet6.ip6.dad_count=0

	if [ ${lan_mode} = "ipv6" ]; then
		atf_check -s exit:0 rump.ifconfig shmif0 inet6 ${lan}
	else
		atf_check -s exit:0 rump.ifconfig shmif0 inet ${lan} netmask 0xffffff00
	fi
	atf_check -s exit:0 rump.ifconfig shmif0 up
	$DEBUG && rump.ifconfig shmif0

	if [ ${wan_mode} = "ipv6" ]; then
		atf_check -s exit:0 rump.ifconfig shmif1 inet6 ${wan}
	else
		atf_check -s exit:0 rump.ifconfig shmif1 inet ${wan} netmask 0xff000000
	fi
	atf_check -s exit:0 rump.ifconfig shmif1 up
	atf_check -s exit:0 rump.ifconfig -w 10
	$DEBUG && rump.ifconfig shmif1

	unset RUMP_SERVER
}

test_router()
{
	local sock=${1}
	local lan=${2}
	local lan_mode=${3}
	local wan=${4}
	local wan_mode=${5}

	export RUMP_SERVER=${sock}
	atf_check -s exit:0 -o match:shmif0 rump.ifconfig
	if [ ${lan_mode} = "ipv6" ]; then
		atf_check -s exit:0 -o ignore rump.ping6 -n -c 1 -X $TIMEOUT ${lan}
	else
		atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT ${lan}
	fi

	atf_check -s exit:0 -o match:shmif1 rump.ifconfig
	if [ ${wan_mode} = "ipv6" ]; then
		atf_check -s exit:0 -o ignore rump.ping6 -n -c 1 -X $TIMEOUT ${wan}
	else
		atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w $TIMEOUT ${wan}
	fi
	unset RUMP_SERVER
}

setup()
{
	local inner=${1}
	local outer=${2}

	rump_server_crypto_start $SOCK1 netipsec netinet6 ipsec
	rump_server_crypto_start $SOCK2 netipsec netinet6 ipsec

	router1_lan=""
	router1_lan_mode=""
	router2_lan=""
	router2_lan_mode=""
	if [ ${inner} = "ipv6" ]; then
		router1_lan=$ROUTER1_LANIP6
		router1_lan_mode="ipv6"
		router2_lan=$ROUTER2_LANIP6
		router2_lan_mode="ipv6"
	else
		router1_lan=$ROUTER1_LANIP
		router1_lan_mode="ipv4"
		router2_lan=$ROUTER2_LANIP
		router2_lan_mode="ipv4"
	fi

	if [ ${outer} = "ipv6" ]; then
		setup_router $SOCK1 ${router1_lan} ${router1_lan_mode} \
			$ROUTER1_WANIP6 ipv6
		setup_router $SOCK2 ${router2_lan} ${router2_lan_mode} \
			$ROUTER2_WANIP6 ipv6
	else
		setup_router $SOCK1 ${router1_lan} ${router1_lan_mode} \
			$ROUTER1_WANIP ipv4
		setup_router $SOCK2 ${router2_lan} ${router2_lan_mode} \
			$ROUTER2_WANIP ipv4
	fi
}

test_setup()
{
	local inner=${1}
	local outer=${2}

	local router1_lan=""
	local router1_lan_mode=""
	local router2_lan=""
	local router2_lan_mode=""
	if [ ${inner} = "ipv6" ]; then
		router1_lan=$ROUTER1_LANIP6
		router1_lan_mode="ipv6"
		router2_lan=$ROUTER2_LANIP6
		router2_lan_mode="ipv6"
	else
		router1_lan=$ROUTER1_LANIP
		router1_lan_mode="ipv4"
		router2_lan=$ROUTER2_LANIP
		router2_lan_mode="ipv4"
	fi
	if [ ${outer} = "ipv6" ]; then
		test_router $SOCK1 ${router1_lan} ${router1_lan_mode} \
			$ROUTER1_WANIP6 ipv6
		test_router $SOCK2 ${router2_lan} ${router2_lan_mode} \
			$ROUTER2_WANIP6 ipv6
	else
		test_router $SOCK1 ${router1_lan} ${router1_lan_mode} \
			$ROUTER1_WANIP ipv4
		test_router $SOCK2 ${router2_lan} ${router2_lan_mode} \
			$ROUTER2_WANIP ipv4
	fi
}

get_if_ipsec_unique()
{
	local sock=${1}
	local src=${2}
	local proto=${3}
	local unique=""

	export RUMP_SERVER=${sock}
	unique=`$HIJACKING setkey -DP | grep -A2 "^${src}.*(${proto})$" | grep unique | sed 's/.*unique#//'`
	unset RUMP_SERVER

	echo $unique
}

setup_if_ipsec()
{
	local sock=${1}
	local addr=${2}
	local remote=${3}
	local inner=${4}
	local src=${5}
	local dst=${6}
	local peernet=${7}

	export RUMP_SERVER=${sock}
	rump_server_add_iface $sock ipsec0
	atf_check -s exit:0 rump.ifconfig ipsec0 tunnel ${src} ${dst}
	if [ ${inner} = "ipv6" ]; then
		atf_check -s exit:0 rump.ifconfig ipsec0 inet6 ${addr}/128 ${remote}
		atf_check -s exit:0 -o ignore rump.route add -inet6 ${peernet} ${addr}
	else
		atf_check -s exit:0 rump.ifconfig ipsec0 inet ${addr}/32 ${remote}
		atf_check -s exit:0 -o ignore rump.route add -inet ${peernet} ${addr}
	fi

	atf_check -s exit:0 rump.ifconfig -w 10

	$DEBUG && rump.ifconfig ipsec0
	$DEBUG && rump.route -nL show
}

setup_if_ipsec_sa()
{
	local sock=${1}
	local src=${2}
	local dst=${3}
	local mode=${4}
	local proto=${5}
	local algo=${6}
	local dir=${7}

	local tmpfile=./tmp
	local inunique=""
	local outunique=""
	local inid=""
	local outid=""
	local algo_args="$(generate_algo_args $proto $algo)"

	inunique=`get_if_ipsec_unique ${sock} ${dst} ${mode}`
	atf_check -s exit:0 test "X$inunique" != "X"
	outunique=`get_if_ipsec_unique ${sock} ${src} ${mode}`
	atf_check -s exit:0 test "X$outunique" != "X"

	if [ ${dir} = "1to2" ] ; then
	    if [ ${mode} = "ipv6" ] ; then
		inid="10010"
		outid="10011"
	    else
		inid="10000"
		outid="10001"
	    fi
	else
	    if [ ${mode} = "ipv6" ] ; then
		inid="10011"
		outid="10010"
	    else
		inid="10001"
		outid="10000"
	    fi
	fi

	cat > $tmpfile <<-EOF
	add $dst $src $proto $inid -u $inunique -m transport $algo_args;
	add $src $dst $proto $outid -u $outunique -m transport $algo_args;
	EOF
	$DEBUG && cat $tmpfile
	export RUMP_SERVER=$sock
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	$DEBUG && $HIJACKING setkey -D
	$DEBUG && $HIJACKING setkey -DP
	unset RUMP_SERVER
}

setup_tunnel()
{
	local inner=${1}
	local outer=${2}
	local proto=${3}
	local algo=${4}

	local addr=""
	local remote=""
	local src=""
	local dst=""
	local peernet=""

	if [ ${inner} = "ipv6" ]; then
		addr=$ROUTER1_IPSECIP6
		remote=$ROUTER2_IPSECIP6
		peernet=$ROUTER2_LANNET6
	else
		addr=$ROUTER1_IPSECIP
		remote=$ROUTER2_IPSECIP
		peernet=$ROUTER2_LANNET
	fi
	if [ ${outer} = "ipv6" ]; then
		src=$ROUTER1_WANIP6
		dst=$ROUTER2_WANIP6
	else
		src=$ROUTER1_WANIP
		dst=$ROUTER2_WANIP
	fi
	setup_if_ipsec $SOCK1 ${addr} ${remote} ${inner} \
		     ${src} ${dst} ${peernet}

	if [ $inner = "ipv6" -a $outer = "ipv4" ]; then
	    setup_if_ipsec_sa $SOCK1 ${src} ${dst} ${outer} ${proto} ${algo} "1to2"
	fi
	setup_if_ipsec_sa $SOCK1 ${src} ${dst} ${inner} ${proto} ${algo} "1to2"

	if [ $inner = "ipv6" ]; then
		addr=$ROUTER2_IPSECIP6
		remote=$ROUTER1_IPSECIP6
		peernet=$ROUTER1_LANNET6
	else
		addr=$ROUTER2_IPSECIP
		remote=$ROUTER1_IPSECIP
		peernet=$ROUTER1_LANNET
	fi
	if [ $outer = "ipv6" ]; then
		src=$ROUTER2_WANIP6
		dst=$ROUTER1_WANIP6
	else
		src=$ROUTER2_WANIP
		dst=$ROUTER1_WANIP
	fi
	setup_if_ipsec $SOCK2 ${addr} ${remote} ${inner} \
		     ${src} ${dst} ${peernet} ${proto} ${algo}
	if [ $inner = "ipv6" -a $outer = "ipv4" ]; then
	    setup_if_ipsec_sa $SOCK2 ${src} ${dst} ${outer} ${proto} ${algo} "2to1"
	fi
	setup_if_ipsec_sa $SOCK2 ${src} ${dst} ${inner} ${proto} ${algo} "2to1"
}

test_setup_tunnel()
{
	local mode=${1}

	local peernet=""
	local opt=""
	if [ ${mode} = "ipv6" ]; then
		peernet=$ROUTER2_LANNET6
		opt="-inet6"
	else
		peernet=$ROUTER2_LANNET
		opt="-inet"
	fi
	export RUMP_SERVER=$SOCK1
	atf_check -s exit:0 -o match:ipsec0 rump.ifconfig
	atf_check -s exit:0 -o match:ipsec0 rump.route -nL get ${opt} ${peernet}

	if [ ${mode} = "ipv6" ]; then
		peernet=$ROUTER1_LANNET6
		opt="-inet6"
	else
		peernet=$ROUTER1_LANNET
		opt="-inet"
	fi
	export RUMP_SERVER=$SOCK2
	atf_check -s exit:0 -o match:ipsec0 rump.ifconfig
	atf_check -s exit:0 -o match:ipsec0 rump.route -nL get ${opt} ${peernet}
}

teardown_tunnel()
{
	export RUMP_SERVER=$SOCK1
	atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel
	atf_check -s exit:0 rump.ifconfig ipsec0 destroy
	$HIJACKING setkey -F

	export RUMP_SERVER=$SOCK2
	atf_check -s exit:0 rump.ifconfig ipsec0 deletetunnel
	atf_check -s exit:0 rump.ifconfig ipsec0 destroy
	$HIJACKING setkey -F

	unset RUMP_SERVER
}

setup_dummy_if_ipsec()
{
	local sock=${1}
	local addr=${2}
	local remote=${3}
	local inner=${4}
	local src=${5}
	local dst=${6}

	export RUMP_SERVER=${sock}
	rump_server_add_iface $sock ipsec1
	atf_check -s exit:0 rump.ifconfig ipsec1 tunnel ${src} ${dst}
	if [ ${inner} = "ipv6" ]; then
		atf_check -s exit:0 rump.ifconfig ipsec1 inet6 ${addr}/128 ${remote}
	else
		atf_check -s exit:0 rump.ifconfig ipsec1 inet ${addr}/32 ${remote}
	fi
	atf_check -s exit:0 rump.ifconfig -w 10

	$DEBUG && rump.ifconfig ipsec1
	unset RUMP_SERVER
}

setup_dummy_if_ipsec_sa()
{
	local sock=${1}
	local src=${2}
	local dst=${3}
	local mode=${4}
	local proto=${5}
	local algo=${6}
	local dir=${7}

	local tmpfile=./tmp
	local inunique=""
	local outunique=""
	local inid=""
	local outid=""
	local algo_args="$(generate_algo_args $proto $algo)"

	inunique=`get_if_ipsec_unique ${sock} ${dst} ${mode}`
	atf_check -s exit:0 test "X$inunique" != "X"
	outunique=`get_if_ipsec_unique ${sock} ${src} ${mode}`
	atf_check -s exit:0 test "X$outunique" != "X"

	if [ ${dir} = "1to2" ] ; then
	    inid="20000"
	    outid="20001"
	else
	    inid="20001"
	    outid="20000"
	fi

	cat > $tmpfile <<-EOF
    	add $dst $src $proto $inid -u $inunique $algo_args;
    	add $src $dst $proto $outid -u $outunique $algo_args;
	EOF
	$DEBUG && cat $tmpfile
	export RUMP_SERVER=$sock
	atf_check -s exit:0 -o empty $HIJACKING setkey -c < $tmpfile
	$DEBUG && $HIJACKING setkey -D
	$DEBUG && $HIJACKING setkey -DP
	unset RUMP_SERVER
}

setup_dummy_tunnel()
{
	local inner=${1}
	local outer=${2}
	local proto=${3}
	local algo=${4}

	local addr=""
	local remote=""
	local src=""
	local dst=""

	if [ ${inner} = "ipv6" ]; then
		addr=$ROUTER1_IPSECIP6_DUMMY
		remote=$ROUTER2_IPSECIP6_DUMMY
	else
		addr=$ROUTER1_IPSECIP_DUMMY
		remote=$ROUTER2_IPSECIP_DUMMY
	fi
	if [ ${outer} = "ipv6" ]; then
		src=$ROUTER1_WANIP6_DUMMY
		dst=$ROUTER2_WANIP6_DUMMY
	else
		src=$ROUTER1_WANIP_DUMMY
		dst=$ROUTER2_WANIP_DUMMY
	fi
	setup_dummy_if_ipsec $SOCK1 ${addr} ${remote} ${inner} \
			   ${src} ${dst} ${proto} ${algo} "1to2"
	setup_dummy_if_ipsec_sa $SOCK1 ${src} ${dst} ${inner} ${proto} ${algo} "1to2"

	if [ $inner = "ipv6" ]; then
		addr=$ROUTER2_IPSECIP6_DUMMY
		remote=$ROUTER1_IPSECIP6_DUMMY
	else
		addr=$ROUTER2_IPSECIP_DUMMY
		remote=$ROUTER1_IPSECIP_DUMMY
	fi
	if [ $outer = "ipv6" ]; then
		src=$ROUTER2_WANIP6_DUMMY
		dst=$ROUTER1_WANIP6_DUMMY
	else
		src=$ROUTER2_WANIP_DUMMY
		dst=$ROUTER1_WANIP_DUMMY
	fi
	setup_dummy_if_ipsec $SOCK2 ${addr} ${remote} ${inner} \
			   ${src} ${dst} ${proto} ${algo} "2to1"
	setup_dummy_if_ipsec_sa $SOCK2 ${src} ${dst} ${inner} ${proto} ${algo} "2to1"
}

test_setup_dummy_tunnel()
{
	export RUMP_SERVER=$SOCK1
	atf_check -s exit:0 -o match:ipsec1 rump.ifconfig

	export RUMP_SERVER=$SOCK2
	atf_check -s exit:0 -o match:ipsec1 rump.ifconfig

	unset RUMP_SERVER
}

teardown_dummy_tunnel()
{
	export RUMP_SERVER=$SOCK1
	atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel
	atf_check -s exit:0 rump.ifconfig ipsec1 destroy

	export RUMP_SERVER=$SOCK2
	atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel
	atf_check -s exit:0 rump.ifconfig ipsec1 destroy

	unset RUMP_SERVER
}

setup_recursive_if_ipsec()
{
	local sock=${1}
	local ipsec=${2}
	local addr=${3}
	local remote=${4}
	local inner=${5}
	local src=${6}
	local dst=${7}
	local proto=${8}
	local algo=${9}
	local dir=${10}

	export RUMP_SERVER=${sock}
	rump_server_add_iface $sock $ipsec
	atf_check -s exit:0 rump.ifconfig ${ipsec} tunnel ${src} ${dst}
	if [ ${inner} = "ipv6" ]; then
		atf_check -s exit:0 rump.ifconfig ${ipsec} inet6 ${addr}/128 ${remote}
	else
		atf_check -s exit:0 rump.ifconfig ${ipsec} inet ${addr}/32 ${remote}
	fi
	atf_check -s exit:0 rump.ifconfig -w 10
	setup_if_ipsec_sa $sock ${src} ${dst} ${inner} ${proto} ${algo} ${dir}

	export RUMP_SERVER=${sock}
	$DEBUG && rump.ifconfig ${ipsec}
	unset RUMP_SERVER
}

# test in ROUTER1 only
setup_recursive_tunnels()
{
	local mode=${1}
	local proto=${2}
	local algo=${3}

	local addr=""
	local remote=""
	local src=""
	local dst=""

	if [ ${mode} = "ipv6" ]; then
		addr=$ROUTER1_IPSECIP6_RECURSIVE1
		remote=$ROUTER2_IPSECIP6_RECURSIVE1
		src=$ROUTER1_IPSECIP6
		dst=$ROUTER2_IPSECIP6
	else
		addr=$ROUTER1_IPSECIP_RECURSIVE1
		remote=$ROUTER2_IPSECIP_RECURSIVE1
		src=$ROUTER1_IPSECIP
		dst=$ROUTER2_IPSECIP
	fi
	setup_recursive_if_ipsec $SOCK1 ipsec1 ${addr} ${remote} ${mode} \
		      ${src} ${dst} ${proto} ${algo} "1to2"

	if [ ${mode} = "ipv6" ]; then
		addr=$ROUTER1_IPSECIP6_RECURSIVE2
		remote=$ROUTER2_IPSECIP6_RECURSIVE2
		src=$ROUTER1_IPSECIP6_RECURSIVE1
		dst=$ROUTER2_IPSECIP6_RECURSIVE1
	else
		addr=$ROUTER1_IPSECIP_RECURSIVE2
		remote=$ROUTER2_IPSECIP_RECURSIVE2
		src=$ROUTER1_IPSECIP_RECURSIVE1
		dst=$ROUTER2_IPSECIP_RECURSIVE1
	fi
	setup_recursive_if_ipsec $SOCK1 ipsec2 ${addr} ${remote} ${mode} \
		      ${src} ${dst} ${proto} ${algo} "1to2"
}

# test in router1 only
test_recursive_check()
{
	local mode=$1

	export RUMP_SERVER=$SOCK1
	if [ ${mode} = "ipv6" ]; then
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping6 -n -X $TIMEOUT -c 1 $ROUTER2_IPSECIP6_RECURSIVE2
	else
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping -n -w $TIMEOUT -c 1 $ROUTER2_IPSECIP_RECURSIVE2
	fi

	atf_check -o match:'ipsec0: recursively called too many times' \
		-x "$HIJACKING dmesg"

	$HIJACKING dmesg

	unset RUMP_SERVER
}

teardown_recursive_tunnels()
{
	export RUMP_SERVER=$SOCK1
	atf_check -s exit:0 rump.ifconfig ipsec1 deletetunnel
	atf_check -s exit:0 rump.ifconfig ipsec1 destroy
	atf_check -s exit:0 rump.ifconfig ipsec2 deletetunnel
	atf_check -s exit:0 rump.ifconfig ipsec2 destroy
	unset RUMP_SERVER
}

test_ping_failure()
{
	local mode=$1

	export RUMP_SERVER=$SOCK1
	if [ ${mode} = "ipv6" ]; then
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER1_LANIP6 \
			$ROUTER2_LANIP6
	else
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
			$ROUTER2_LANIP
	fi

	export RUMP_SERVER=$SOCK2
	if [ ${mode} = "ipv6" ]; then
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER2_LANIP6 \
			$ROUTER1_LANIP6
	else
		atf_check -s not-exit:0 -o ignore -e ignore \
			rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
			$ROUTER2_LANIP
	fi

	unset RUMP_SERVER
}

test_ping_success()
{
	mode=$1

	export RUMP_SERVER=$SOCK1
	$DEBUG && rump.ifconfig -v ipsec0
	if [ ${mode} = "ipv6" ]; then
		# XXX
		# rump.ping6 rarely fails with the message that
		# "failed to get receiving hop limit".
		# This is a known issue being analyzed.
		atf_check -s exit:0 -o ignore \
			rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER1_LANIP6 \
			$ROUTER2_LANIP6
	else
		atf_check -s exit:0 -o ignore \
			rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER1_LANIP \
			$ROUTER2_LANIP
	fi
	$DEBUG && rump.ifconfig -v ipsec0

	export RUMP_SERVER=$SOCK2
	$DEBUG && rump.ifconfig -v ipsec0
	if [ ${mode} = "ipv6" ]; then
		atf_check -s exit:0 -o ignore \
			rump.ping6 -n -X $TIMEOUT -c 1 -S $ROUTER2_LANIP6 \
			$ROUTER1_LANIP6
	else
		atf_check -s exit:0 -o ignore \
			rump.ping -n -w $TIMEOUT -c 1 -I $ROUTER2_LANIP \
			$ROUTER1_LANIP
	fi
	$DEBUG && rump.ifconfig -v ipsec0

	unset RUMP_SERVER
}

test_change_tunnel_duplicate()
{
	local mode=$1

	local newsrc=""
	local newdst=""
	if [ ${mode} = "ipv6" ]; then
		newsrc=$ROUTER1_WANIP6_DUMMY
		newdst=$ROUTER2_WANIP6_DUMMY
	else
		newsrc=$ROUTER1_WANIP_DUMMY
		newdst=$ROUTER2_WANIP_DUMMY
	fi
	export RUMP_SERVER=$SOCK1
	$DEBUG && rump.ifconfig -v ipsec0
	$DEBUG && rump.ifconfig -v ipsec1
	atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \
		rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst}
	$DEBUG && rump.ifconfig -v ipsec0
	$DEBUG && rump.ifconfig -v ipsec1

	if [ ${mode} = "ipv6" ]; then
		newsrc=$ROUTER2_WANIP6_DUMMY
		newdst=$ROUTER1_WANIP6_DUMMY
	else
		newsrc=$ROUTER2_WANIP_DUMMY
		newdst=$ROUTER1_WANIP_DUMMY
	fi
	export RUMP_SERVER=$SOCK2
	$DEBUG && rump.ifconfig -v ipsec0
	$DEBUG && rump.ifconfig -v ipsec1
	atf_check -s exit:0 -e match:SIOCSLIFPHYADDR \
		rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst}
	$DEBUG && rump.ifconfig -v ipsec0
	$DEBUG && rump.ifconfig -v ipsec1

	unset RUMP_SERVER
}

test_change_tunnel_success()
{
	local mode=$1

	local newsrc=""
	local newdst=""
	if [ ${mode} = "ipv6" ]; then
		newsrc=$ROUTER1_WANIP6_DUMMY
		newdst=$ROUTER2_WANIP6_DUMMY
	else
		newsrc=$ROUTER1_WANIP_DUMMY
		newdst=$ROUTER2_WANIP_DUMMY
	fi
	export RUMP_SERVER=$SOCK1
	$DEBUG && rump.ifconfig -v ipsec0
	atf_check -s exit:0 \
		rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst}
	$DEBUG && rump.ifconfig -v ipsec0

	if [ ${mode} = "ipv6" ]; then
		newsrc=$ROUTER2_WANIP6_DUMMY
		newdst=$ROUTER1_WANIP6_DUMMY
	else
		newsrc=$ROUTER2_WANIP_DUMMY
		newdst=$ROUTER1_WANIP_DUMMY
	fi
	export RUMP_SERVER=$SOCK2
	$DEBUG && rump.ifconfig -v ipsec0
	atf_check -s exit:0 \
		rump.ifconfig ipsec0 tunnel ${newsrc} ${newdst}
	$DEBUG && rump.ifconfig -v ipsec0

	unset RUMP_SERVER
}

basic_setup()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	setup ${inner} ${outer}
	test_setup ${inner} ${outer}

	# Enable once PR kern/49219 is fixed
	#test_ping_failure

	setup_tunnel ${inner} ${outer} ${proto} ${algo}
	sleep 1
	test_setup_tunnel ${inner}
}

basic_test()
{
	local inner=$1
	local outer=$2 # not use

	test_ping_success ${inner}
}

basic_teardown()
{
	local inner=$1
	local outer=$2 # not use

	teardown_tunnel
	test_ping_failure ${inner}
}

ioctl_setup()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	setup ${inner} ${outer}
	test_setup ${inner} ${outer}

	# Enable once PR kern/49219 is fixed
	#test_ping_failure

	setup_tunnel ${inner} ${outer} ${proto} ${algo}
	setup_dummy_tunnel ${inner} ${outer} ${proto} ${algo}
	sleep 1
	test_setup_tunnel ${inner}
}

ioctl_test()
{
	local inner=$1
	local outer=$2

	test_ping_success ${inner}

	test_change_tunnel_duplicate ${outer}

	teardown_dummy_tunnel
	test_change_tunnel_success ${outer}
}

ioctl_teardown()
{
	local inner=$1
	local outer=$2 # not use

	teardown_tunnel
	test_ping_failure ${inner}
}

recursive_setup()
{
	local inner=$1
	local outer=$2
	local proto=$3
	local algo=$4

	setup ${inner} ${outer}
	test_setup ${inner} ${outer}

	# Enable once PR kern/49219 is fixed
	#test_ping_failure

	setup_tunnel ${inner} ${outer} ${proto} ${algo}
	setup_recursive_tunnels ${inner} ${proto} ${algo}
	sleep 1
	test_setup_tunnel ${inner}
}

recursive_test()
{
	local inner=$1
	local outer=$2 # not use

	test_recursive_check ${inner}
}

recursive_teardown()
{
	local inner=$1 # not use
	local outer=$2 # not use

	teardown_recursive_tunnels
	teardown_tunnel
}

add_test()
{
	local category=$1
	local desc=$2
	local inner=$3
	local outer=$4
	local proto=$5
	local algo=$6
	local _algo=$(echo $algo | sed 's/-//g')

	name="ipsecif_${category}_${inner}over${outer}_${proto}_${_algo}"
	fulldesc="Does ${inner} over ${outer} if_ipsec ${desc}"

	atf_test_case ${name} cleanup
	eval "${name}_head() {
			atf_set descr \"${fulldesc}\"
			atf_set require.progs rump_server setkey
		}
	    ${name}_body() {
			${category}_setup ${inner} ${outer} ${proto} ${algo}
			${category}_test ${inner} ${outer}
			${category}_teardown ${inner} ${outer}
			rump_server_destroy_ifaces
	    }
	    ${name}_cleanup() {
			\$DEBUG && dump
			cleanup
		}"
	atf_add_test_case ${name}
}

add_test_allproto()
{
	local category=$1
	local desc=$2

	for algo in $ESP_ENCRYPTION_ALGORITHMS_MINIMUM; do
		add_test ${category} "${desc}" ipv4 ipv4 esp $algo
		add_test ${category} "${desc}" ipv4 ipv6 esp $algo
		add_test ${category} "${desc}" ipv6 ipv4 esp $algo
		add_test ${category} "${desc}" ipv6 ipv6 esp $algo
	done

	# ah does not support yet
}

atf_init_test_cases()
{

	atf_add_test_case ipsecif_create_destroy

	add_test_allproto basic "basic tests"
	add_test_allproto ioctl "ioctl tests"
	add_test_allproto recursive "recursive check tests"
}
#	$NetBSD: common.sh,v 1.8 2020/06/05 03:24:58 knakahara Exp $
#
# Copyright (c) 2017 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#

HIJACKING_NPF="${HIJACKING},blanket=/dev/npf"

test_flush_entries()
{
	local sock=$1

	export RUMP_SERVER=$sock

	atf_check -s exit:0 -o empty $HIJACKING setkey -F
	atf_check -s exit:0 -o empty $HIJACKING setkey -F -P
	atf_check -s exit:0 -o match:"No SAD entries." $HIJACKING setkey -D -a
	atf_check -s exit:0 -o match:"No SPD entries." $HIJACKING setkey -D -P
}

check_sa_entries()
{
	local sock=$1
	local local_addr=$2
	local remote_addr=$3

	export RUMP_SERVER=$sock

	$DEBUG && $HIJACKING setkey -D

	atf_check -s exit:0 -o match:"$local_addr $remote_addr" \
	    $HIJACKING setkey -D
	atf_check -s exit:0 -o match:"$remote_addr $local_addr" \
	    $HIJACKING setkey -D
	# TODO: more detail checks
}

check_sp_entries()
{
	local sock=$1
	local local_addr=$2
	local remote_addr=$3

	export RUMP_SERVER=$sock

	$DEBUG && $HIJACKING setkey -D -P

	atf_check -s exit:0 \
	    -o match:"$local_addr\[any\] $remote_addr\[any\] 255\(reserved\)" \
	    $HIJACKING setkey -D -P
	atf_check -s exit:0 \
	    -o match:"$remote_addr\[any\] $local_addr\[any\] 255\(reserved\)" \
	    $HIJACKING setkey -D -P
	# TODO: more detail checks
}

generate_pktproto()
{
	local proto=$1

	if [ $proto = ipcomp ]; then
		echo IPComp
	else
		echo $proto | tr 'a-z' 'A-Z'
	fi
}

get_natt_port()
{
	local local_addr=$1
	local remote_addr=$2
	local port=""

	# 10.0.1.2:4500         20.0.0.2:4500         shmif1     20.0.0.1:35574
	port=$($HIJACKING_NPF npfctl list | grep $local_addr | awk -F "${remote_addr}:" '/4500/ {print $2;}')
	echo $port
}
#	$NetBSD: algorithms.sh,v 1.7 2021/12/05 02:49:21 msaitoh Exp $
#
# Copyright (c) 2017 Internet Initiative Japan Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#

ESP_ENCRYPTION_ALGORITHMS="des-cbc 3des-cbc null blowfish-cbc cast128-cbc \
    des-deriv rijndael-cbc aes-ctr camellia-cbc aes-gcm-16 aes-gmac"
ESP_ENCRYPTION_ALGORITHMS_MINIMUM="null rijndael-cbc"

# Valid key lengths of ESP encryption algorithms
#    des-cbc         64
#    3des-cbc        192
#    null            0 to 2048     XXX only accept 0 length
#    blowfish-cbc    40 to 448
#    cast128-cbc     40 to 128
#    des-deriv       64
#    3des-deriv      192           XXX not implemented
#    rijndael-cbc    128/192/256
#    twofish-cbc     0 to 256      XXX not supported
#    aes-ctr         160/224/288
#    camellia-cbc    128/192/256
#    aes-gcm-16      160/224/288
#    aes-gmac        160/224/288
valid_keys_descbc="64"
invalid_keys_descbc="56 72"
valid_keys_3descbc="192"
invalid_keys_3descbc="184 200"
#valid_keys_null="0 2048"
valid_keys_null="0"
invalid_keys_null="8"
valid_keys_blowfishcbc="40 448"
invalid_keys_blowfishcbc="32 456"
valid_keys_cast128cbc="40 128"
invalid_keys_cast128cbc="32 136"
valid_keys_desderiv="64"
invalid_keys_desderiv="56 72"
#valid_keys_3desderiv="192"
#invalid_keys_3desderiv="184 200"
valid_keys_rijndaelcbc="128 192 256"
invalid_keys_rijndaelcbc="120 136 184 200 248 264"
#valid_keys_twofishcbc="0 256"
#invalid_keys_twofishcbc="264"
valid_keys_aesctr="160 224 288"
invalid_keys_aesctr="152 168 216 232 280 296"
valid_keys_camelliacbc="128 192 256"
invalid_keys_camelliacbc="120 136 184 200 248 264"
valid_keys_aesgcm16="160 224 288"
invalid_keys_aesgcm16="152 168 216 232 280 296"
valid_keys_aesgmac="160 224 288"
invalid_keys_aesgmac="152 168 216 232 280 296"

AH_AUTHENTICATION_ALGORITHMS="hmac-md5 hmac-sha1 keyed-md5 keyed-sha1 null \
    hmac-sha256 hmac-sha384 hmac-sha512 hmac-ripemd160 aes-xcbc-mac"
AH_AUTHENTICATION_ALGORITHMS_MINIMUM="null hmac-sha512"

# Valid key lengths of AH authentication algorithms
#    hmac-md5        128
#    hmac-sha1       160
#    keyed-md5       128
#    keyed-sha1      160
#    null            0 to 2048
#    hmac-sha256     256
#    hmac-sha384     384
#    hmac-sha512     512
#    hmac-ripemd160  160
#    aes-xcbc-mac    128
#    tcp-md5         8 to 640  XXX not enabled in rump kernels
valid_keys_hmacmd5="128"
invalid_keys_hmacmd5="120 136"
valid_keys_hmacsha1="160"
invalid_keys_hmacsha1="152 168"
valid_keys_keyedmd5="128"
invalid_keys_keyedmd5="120 136"
valid_keys_keyedsha1="160"
invalid_keys_keyedsha1="152 168"
#valid_keys_null="0 2048"
valid_keys_null="0"
invalid_keys_null="8"
valid_keys_hmacsha256="256"
invalid_keys_hmacsha256="248 264"
valid_keys_hmacsha384="384"
invalid_keys_hmacsha384="376 392"
valid_keys_hmacsha512="512"
invalid_keys_hmacsha512="504 520"
valid_keys_hmacripemd160="160"
invalid_keys_hmacripemd160="152 168"
valid_keys_aesxcbcmac="128"
invalid_keys_aesxcbcmac="120 136"
#valid_keys_tcpmd5="8 640"
#invalid_keys_tcpmd5="648"

IPCOMP_COMPRESSION_ALGORITHMS="deflate"
IPCOMP_COMPRESSION_ALGORITHMS_MINIMUM="deflate"
valid_keys_deflate="0"
invalid_keys_deflate="8"
minlen_deflate="90"

get_one_valid_keylen()
{
	local algo=$1
	local _algo=$(echo $algo | sed 's/-//g')
	local len=
	local keylengths=

	eval keylengths="\$valid_keys_${_algo}"

	for len in $(echo $keylengths); do
		break;
	done

	echo $len
}

get_valid_keylengths()
{
	local algo=$1
	local _algo=$(echo $algo | sed 's/-//g')

	eval keylengths="\$valid_keys_${_algo}"
	echo $keylengths
}

get_invalid_keylengths()
{
	local algo=$1
	local _algo=$(echo $algo | sed 's/-//g')

	eval keylengths="\$invalid_keys_${_algo}"
	echo $keylengths
}

generate_key()
{
	local keylen=$(($1 / 8))
	local key=

	while [ $keylen -gt 0 ]; do
		key="${key}a"
		keylen=$((keylen - 1))
	done
	if [ ! -z "$key" ]; then
		key="\"$key\""
	fi

	echo $key
}

generate_algo_args()
{
	local proto=$1
	local algo=$2
	local keylen=$(get_one_valid_keylen $algo)
	local key=$(generate_key $keylen)

	if [ $proto = esp -o $proto = "esp-udp" ]; then
		echo "-E $algo $key"
	elif [ $proto = ah ]; then
		echo "-A $algo $key"
	else
		echo "-C $algo $key"
	fi
}

get_minlen()
{
	local algo=$1
	local minlen=

	eval minlen="\$minlen_${algo}"
	echo $minlen
}
