Date: Fri, 25 Jul 2025 17:39:21 GMT
Message-Id: <202507251739.56PHdLJN012893@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Mark Johnston
Subject: git: 0bfcfb3cb1cb - main - if_ovpn tests: Exercise the multihome option
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 0bfcfb3cb1cbfa383cbd24eff39d39f143eb63ba

The branch main has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=0bfcfb3cb1cbfa383cbd24eff39d39f143eb63ba

commit 0bfcfb3cb1cbfa383cbd24eff39d39f143eb63ba
Author:     Mark Johnston
AuthorDate: 2025-07-25 13:15:39 +0000
Commit:     Mark Johnston
CommitDate: 2025-07-25 17:39:01 +0000

    if_ovpn tests: Exercise the multihome option

    These test cases are variants of the 4in4 and 6in6 tests wherein the
    server interface has an alias assigned and the client is configured to
    connect to the alias rather than the primary address.

    Reviewed by:    kp
    MFC after:      1 month
    Sponsored by:   Stormshield
    Sponsored by:   Klara, Inc.
    Differential Revision:  https://reviews.freebsd.org/D51499
---
 tests/sys/net/if_ovpn/if_ovpn.sh | 167 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 167 insertions(+)

diff --git a/tests/sys/net/if_ovpn/if_ovpn.sh b/tests/sys/net/if_ovpn/if_ovpn.sh index 2138e0f666ec..26807a095455 100644 --- a/tests/sys/net/if_ovpn/if_ovpn.sh +++ b/tests/sys/net/if_ovpn/if_ovpn.sh
@@ -1149,6 +1149,171 @@ destroy_unused_cleanup() ovpn_cleanup } +atf_test_case "multihome4" "cleanup" +multihome4_head() +{ + atf_set descr 'Test multihome IPv4 with OpenVPN' + atf_set require.user root + atf_set require.progs openvpn +} + +multihome4_body() +{ + pft_init + ovpn_init + + l=$(vnet_mkepair) + + vnet_mkjail a ${l}a + atf_check jexec a ifconfig ${l}a inet 192.0.2.1/24 + atf_check jexec a ifconfig ${l}a alias 192.0.2.2/24 + vnet_mkjail b ${l}b + atf_check jexec b ifconfig ${l}b inet 192.0.2.3/24 + + # Sanity check + atf_check -s exit:0 -o ignore jexec b ping -c 1 192.0.2.1 + atf_check -s exit:0 -o ignore jexec b ping -c 1 192.0.2.2 + + ovpn_start a " + dev ovpn0 + dev-type tun + proto udp4 + + cipher AES-256-GCM + auth SHA256 + + multihome + server 198.51.100.0 255.255.255.0 + ca $(atf_get_srcdir)/ca.crt + cert $(atf_get_srcdir)/server.crt + key $(atf_get_srcdir)/server.key + dh $(atf_get_srcdir)/dh.pem + + mode server + script-security 2 + auth-user-pass-verify /usr/bin/true via-env + topology subnet + + keepalive 100 600 + " + ovpn_start b " + dev tun0 + dev-type tun + + client + + remote 192.0.2.2 + auth-user-pass $(atf_get_srcdir)/user.pass + + ca $(atf_get_srcdir)/ca.crt + cert $(atf_get_srcdir)/client.crt + key $(atf_get_srcdir)/client.key + dh $(atf_get_srcdir)/dh.pem + + keepalive 100 600 + " + + # Block packets from the primary address, openvpn should only use the + # configured remote address. 
+ jexec b pfctl -e + pft_set_rules b \ + "block in quick from 192.0.2.1 to any" \ + "pass all" + + # Give the tunnel time to come up + sleep 10 + + atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 +} + +multihome4_cleanup() +{ + ovpn_cleanup + pft_cleanup +} + +multihome6_head() +{ + atf_set descr 'Test multihome IPv6 with OpenVPN' + atf_set require.user root + atf_set require.progs openvpn +} + +multihome6_body() +{ + ovpn_init + + l=$(vnet_mkepair) + + vnet_mkjail a ${l}a + atf_check jexec a ifconfig ${l}a inet6 2001:db8::1/64 no_dad + atf_check jexec a ifconfig ${l}a inet6 alias 2001:db8::2/64 no_dad + vnet_mkjail b ${l}b + atf_check jexec b ifconfig ${l}b inet6 2001:db8::3/64 no_dad + + # Sanity check + atf_check -s exit:0 -o ignore jexec b ping6 -c 1 2001:db8::1 + atf_check -s exit:0 -o ignore jexec b ping6 -c 1 2001:db8::2 + + ovpn_start a " + dev ovpn0 + dev-type tun + proto udp6 + + cipher AES-256-GCM + auth SHA256 + + multihome + server-ipv6 2001:db8:1::/64 + + ca $(atf_get_srcdir)/ca.crt + cert $(atf_get_srcdir)/server.crt + key $(atf_get_srcdir)/server.key + dh $(atf_get_srcdir)/dh.pem + + mode server + script-security 2 + auth-user-pass-verify /usr/bin/true via-env + topology subnet + + keepalive 100 600 + " + ovpn_start b " + dev tun0 + dev-type tun + + client + + remote 2001:db8::2 + auth-user-pass $(atf_get_srcdir)/user.pass + + ca $(atf_get_srcdir)/ca.crt + cert $(atf_get_srcdir)/client.crt + key $(atf_get_srcdir)/client.key + dh $(atf_get_srcdir)/dh.pem + + keepalive 100 600 + " + + # Block packets from the primary address, openvpn should only use the + # configured remote address. 
+ jexec b pfctl -e + pft_set_rules b \ + "block in quick from 2001:db8::1 to any" \ + "pass all" + + # Give the tunnel time to come up + sleep 10 + + atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1 + atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1 +} + +multihome6_cleanup() +{ + ovpn_cleanup +} + atf_init_test_cases() { atf_add_test_case "4in4" @@ -1165,4 +1330,6 @@ atf_init_test_cases() atf_add_test_case "chacha" atf_add_test_case "gcm_128" atf_add_test_case "destroy_unused" + atf_add_test_case "multihome4" + atf_add_test_case "multihome6" }
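
Review bot: multihome6 is missing its `atf_test_case "multihome6" "cleanup"` declaration in the first hunk: multihome4_head() is preceded by `atf_test_case "multihome4" "cleanup"`, but multihome6_head() follows multihome4_cleanup() directly, so the IPv6 variant and its cleanup routine are not declared to ATF the way the IPv4 variant's are. Add the declaration before multihome6_head(). The IPv6 variant is also asymmetric in its pf handling: multihome6_body() runs `jexec b pfctl -e` and pft_set_rules without the pft_init call that opens multihome4_body(), and multihome6_cleanup() calls only ovpn_cleanup where multihome4_cleanup() also calls pft_cleanup. Unless the difference is deliberate, mirror both calls so the two variants set up and tear down pf the same way.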