Date: Tue, 5 Aug 2025 13:59:23 GMT
Message-Id: <202508051359.575DxNOV053031@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Mark Johnston
Subject: git: d05b81a8edd4 - stable/14 - if_ovpn tests: Exercise the multihome option

The branch stable/14 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=d05b81a8edd461db0d40920f7c35a69da2dd7a65

commit d05b81a8edd461db0d40920f7c35a69da2dd7a65
Author:     Mark Johnston
AuthorDate: 2025-07-25 13:15:39 +0000
Commit:     Mark Johnston
CommitDate: 2025-08-05 13:59:12 +0000

    if_ovpn tests: Exercise the multihome option

    These test cases are variants of the 4in4 and 6in6 tests wherein the
    server interface has an alias assigned and the client is configured to
    connect to the alias rather than the primary address.

    Reviewed by:    kp
    MFC after:      1 month
    Sponsored by:   Stormshield
    Sponsored by:   Klara, Inc.
    Differential Revision:  https://reviews.freebsd.org/D51499

    (cherry picked from commit 0bfcfb3cb1cbfa383cbd24eff39d39f143eb63ba)
---
 tests/sys/net/if_ovpn/if_ovpn.sh | 172 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 172 insertions(+)

diff --git a/tests/sys/net/if_ovpn/if_ovpn.sh b/tests/sys/net/if_ovpn/if_ovpn.sh index b0967c992b5d..c7e2f928e340 100644 --- a/tests/sys/net/if_ovpn/if_ovpn.sh +++ b/tests/sys/net/if_ovpn/if_ovpn.sh
@@ -1110,6 +1110,176 @@ gcm_128_cleanup() ovpn_cleanup } +destroy_unused_cleanup() +{ + ovpn_cleanup +} + +atf_test_case "multihome4" "cleanup" +multihome4_head() +{ + atf_set descr 'Test multihome IPv4 with OpenVPN' + atf_set require.user root + atf_set require.progs openvpn +} + +multihome4_body() +{ + pft_init + ovpn_init + + l=$(vnet_mkepair) + + vnet_mkjail a ${l}a + atf_check jexec a ifconfig ${l}a inet 192.0.2.1/24 + atf_check jexec a ifconfig ${l}a alias 192.0.2.2/24 + vnet_mkjail b ${l}b + atf_check jexec b ifconfig ${l}b inet 192.0.2.3/24 + + # Sanity check + atf_check -s exit:0 -o ignore jexec b ping -c 1 192.0.2.1 + atf_check -s exit:0 -o ignore jexec b ping -c 1 192.0.2.2 + + ovpn_start a " + dev ovpn0 + dev-type tun + proto udp4 + + cipher AES-256-GCM + auth SHA256 + + multihome + server 198.51.100.0 255.255.255.0 + ca $(atf_get_srcdir)/ca.crt + cert $(atf_get_srcdir)/server.crt + key $(atf_get_srcdir)/server.key + dh $(atf_get_srcdir)/dh.pem + + mode server + script-security 2 + auth-user-pass-verify /usr/bin/true via-env + topology subnet + + keepalive 100 600 + " + ovpn_start b " + dev tun0 + dev-type tun + + client + + remote 192.0.2.2 + auth-user-pass $(atf_get_srcdir)/user.pass + + ca $(atf_get_srcdir)/ca.crt + cert $(atf_get_srcdir)/client.crt + key $(atf_get_srcdir)/client.key + dh $(atf_get_srcdir)/dh.pem + + keepalive 100 600 + " + + # Block packets from the primary address, openvpn should only use the + # configured remote address. 
+ jexec b pfctl -e + pft_set_rules b \ + "block in quick from 192.0.2.1 to any" \ + "pass all" + + # Give the tunnel time to come up + sleep 10 + + atf_check -s exit:0 -o ignore jexec b ping -c 3 198.51.100.1 +} + +multihome4_cleanup() +{ + ovpn_cleanup + pft_cleanup +} + +multihome6_head() +{ + atf_set descr 'Test multihome IPv6 with OpenVPN' + atf_set require.user root + atf_set require.progs openvpn +} + +multihome6_body() +{ + ovpn_init + + l=$(vnet_mkepair) + + vnet_mkjail a ${l}a + atf_check jexec a ifconfig ${l}a inet6 2001:db8::1/64 no_dad + atf_check jexec a ifconfig ${l}a inet6 alias 2001:db8::2/64 no_dad + vnet_mkjail b ${l}b + atf_check jexec b ifconfig ${l}b inet6 2001:db8::3/64 no_dad + + # Sanity check + atf_check -s exit:0 -o ignore jexec b ping6 -c 1 2001:db8::1 + atf_check -s exit:0 -o ignore jexec b ping6 -c 1 2001:db8::2 + + ovpn_start a " + dev ovpn0 + dev-type tun + proto udp6 + + cipher AES-256-GCM + auth SHA256 + + multihome + server-ipv6 2001:db8:1::/64 + + ca $(atf_get_srcdir)/ca.crt + cert $(atf_get_srcdir)/server.crt + key $(atf_get_srcdir)/server.key + dh $(atf_get_srcdir)/dh.pem + + mode server + script-security 2 + auth-user-pass-verify /usr/bin/true via-env + topology subnet + + keepalive 100 600 + " + ovpn_start b " + dev tun0 + dev-type tun + + client + + remote 2001:db8::2 + auth-user-pass $(atf_get_srcdir)/user.pass + + ca $(atf_get_srcdir)/ca.crt + cert $(atf_get_srcdir)/client.crt + key $(atf_get_srcdir)/client.key + dh $(atf_get_srcdir)/dh.pem + + keepalive 100 600 + " + + # Block packets from the primary address, openvpn should only use the + # configured remote address. 
+ jexec b pfctl -e + pft_set_rules b \ + "block in quick from 2001:db8::1 to any" \ + "pass all" + + # Give the tunnel time to come up + sleep 10 + + atf_check -s exit:0 -o ignore jexec b ping6 -c 3 2001:db8:1::1 + atf_check -s exit:0 -o ignore jexec b ping6 -c 3 -z 16 2001:db8:1::1 +} + +multihome6_cleanup() +{ + ovpn_cleanup +} + atf_init_test_cases() { atf_add_test_case "4in4" @@ -1125,4 +1295,6 @@ atf_init_test_cases() atf_add_test_case "ra" atf_add_test_case "chacha" atf_add_test_case "gcm_128" + atf_add_test_case "multihome4" + atf_add_test_case "multihome6" }
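Review bot: multihome6 in the first hunk is missing the declaration that multihome4 has: there is no atf_test_case "multihome6" "cleanup" line before multihome6_head(), so multihome6_cleanup() is defined but never declared to ATF as a cleanup routine. Add that line above multihome6_head(). The same test also runs pfctl -e and pft_set_rules in jail b without pft_init at the top of multihome6_body() and without pft_cleanup in multihome6_cleanup(), both of which multihome4 has; mirror them so the pf state is set up and torn down the same way in both cases. Separately, destroy_unused_cleanup() at the start of the hunk has no head, body or atf_add_test_case entry in the visible lines; if stable/14 has no destroy_unused test, drop it from this cherry-pick.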