Nitsi: Add test for port bonding

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

Fix function port_get_slaves

This functions failed when we set the SLAVES variable before in another
function.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

Merge remote-tracking branch 'upstream/master'

ipsec: security policies: Make integrity command plural

References: #11446

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge remote-tracking branch 'upstream/master'

Move vpn tests into an own directory structure

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

ipsec: security policies: Make group type command plural

References: #11446

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Adjust include paths because of the new include path feature

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

ipsec: security policies: Show PRFs when dumping SecPol conf

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: security polices: Make cipher command plural

References: #11446

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Use new include path feature of nitsi

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

ipsec: security-policies: Make PRF command plural

References: #11446

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: security-policies: Add CLI to modify PRFs

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipsec: Generate IKE proposals with PRFs

This is now a requirement for AEAD ciphers and strongswan
refuses to start.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Nitsi: port vlan test- check if detach works

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

Add vlan port test for nitsi

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

Merge remote-tracking branch 'jschlag/master'

nitsi: Add test for PPPoE server/client

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

pppoe: Bring up port when zone is coming up

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add VPN n2n tests for vti

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

Use new phase1 and setup recipes in vpn tests

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

nitsi: Make sure that we are always running with the most recent source

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

nitsi: Automatically drop to a shell in case a test fails

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

pppoe-server: Run with absolute path

Because PATH has been changed this script is executing
itself recursively

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

pppoe-server: Read configuration again

This was broken since config IDs have been introduced

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Install ppp scripts with executable permissions

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge remote-tracking branch 'upstream/master'

nitsi: Drop Hello World test

This is a little bit useless now that we have tests
that do stuff that is more useful.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

nitsi: Add phase1

This is supposed to be a good base to build on for any test that
needs a working layer 2 and some IP addresses on the network
to reach any other machines

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Make make distcheck happy

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Change ipv6 addresses from global to "private" addresses in nitsi

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

Make setting of traffic selectors in nitsi test easier

We now include the file for ipv4 and for ipv6 into the file for ipv64
which makes maintenance easier.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

Include ping test of ipv4 and ipv6 into ipv64 test

This make changing ip addresses easier.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

Makefile: Install dhclient-helper as an executable script

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Change ipv6 addresses from global to "private" addresses in nitsi

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

Make setting of traffic selectors in nitsi test easier

We now include the file for ipv4 and for ipv6 into the file for ipv64
which makes maintenance easier.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

Include ping test of ipv4 and ipv6 into ipv64 test

This make changing ip addresses easier.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

vpn: Poly1305 is AEAD

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

nitsi: Rename make-install include file to setup

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

nitsi: Include some inital commands in make-install template

This allows us to have a couple fewer includes

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

nitsi: Install configuration files into the right place

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

nitsi: Remove lines that are already in the default settings file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

nitsi: Remove reference to non-existant strongswan.conf file

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Merge branch 'nitsi-zone-commands'

IPsec: Add support for ChaCha20-Poly1305

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Fix hook for static address configuration.

Add the required hook_new function and "id" information which have been
introduced in earlier commits to make this hook work again.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Tested-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add recipe for port vars

These vars contain the port name which is plugged into the virtual
network.

As this relation changes every reboot these vars make it possible to
write recipes which depends on correct links between two ports.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

Add gitignore in include dir of nitsi recipes

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

Add include recipe for nitsi vpn n2n tests

This recipes are the base for all n2n ipsec tests.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

Add default settings file for nitsi tests

This makes writing a test much faster.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

reset: Trigger udev to re-add all network interfaces

Fixes: #11815
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Remove registration of functions called on init

Only one function used this and it was slow since it got initialised
every time the functions were loaded.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

dns: Re-generate resolv.conf when flushing settings

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add a test to check that we can attach ports to a zone of type bridge

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

Add new test zone-new-bridge

This test checks if we can create a new zone of type bridge.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

Add test for command raw device-get-by-mac-address

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add new function device_get_by_mac_address()

We need this function and the command to identify ports in a nitsi test.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add recipe to set network settings

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add recipe to reset network configuration

We use --force here to avoid the y/n question.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add include dir for nitsi test

When we include recipes in our recipe we must be shure in some cases
that the recipe are generated out of a .in file.

All files in the include dir will be generated before every test so we
can be shure that these files are present.

This is useful for recipes like the make-install recipe in this test,
which needs to be generated and will be included in nearly every test.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Fix network reset

The functions zone_destroy and zone_destroy_now where merged to
zone_destroy in an earlier commit. So we have to use zone_destroy here.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

We need to change the path of the image in the settings file to

When we do not change this path accordingly to the place where we store
our images the copy in feature does not work.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Adapt settings file of nitsi tests to new syntax

Nitsi is using a new syntax for settings file so we need to change the
settings files of our tests.

I dropped some settings in the hello-world test because we do not need
them for this test.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Adapt nitsi command line to new syntax

Nitsi is now using subparsers so we have to add 'run-test' to the
command line.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Drop README file from virtual environment

Those instructions are no longer valid

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

NITSI: Automatically download required images

This patch lets make automatically download all required
images and extracts them.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

Makefile: Ship virtual environment files in release tarball

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

nitsi: Add a test that calls "make check" in the virtual environment

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

Makefile: Remove any excess substitution rules

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

Build source tarball before running any NITSI tests

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Jonatan Schlag <jonatan.schlag@ipfire.org>

nitsi: Create "nitsi" Makefile target

Calling "make nitsi" will run all nitsi tests

Reviewed-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Fix test hello-world

In the moment a single all statement is not supported by nitsi.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Fix path to virtual environment of hello-world test

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add first test for nitsi

This commit introduce NITSI. Nitsi is the "Networking integration test
suite for IPFire". We can test the network code in a virtual environment
on any system.

This test has the only purpose to check if nitsi is working.

For more information about nitsi see the manpages and the git
repository on git.ipfire.org

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add simple Readme for the basic virtual-environment

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add first basic virtual environment for nitsi

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

IPsec: regenerate a swanctl config on connection startup if no config is found

This is an easy way to forcing a regenration if we do not want to change any setting.

Fixes: #11627
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ip-tunnel: choose the correct type based on the ip protocol

IPv4 and IPv6 need different types for iproute2.
So in the _add function we have to determine the mode
based on the IP protocol of the ${remote_address}.

When we change ikey and okey we have to dertermine the mode the device
have currently.

Fixes: #11431
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ip-tunnel: Improve checks

We cannot mix ipv6 and ipv4 and we also need to detect the IP protocol
version to decide which mode we have to use.
This is done in a seperated commit.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

device: add new function device_tunnel_get_type()

If we already know that the device must be a ip-tunnel device
we can save time when we check just for the types
a ip-tunnel device can have.

To avoid code duplication we call this function from device_get_type()

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

device: add new function device_is_vti6

This functions checks if a device is a vti6 device.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ip-tunnel: add new function

To be undependent from the IP protocol we use, when we use tunnel modes
in our code, this function converts the modes
to the modes the iproute2 tool uses
which often depend on the IP protocol version.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

IPsec: Fix routing in tunnel mode

Two syntax errors make the routing in tunnel mode non working

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

firewall: Disable PMTU by default

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

firewall: Enable ECN by default

Apple has tried this and it seems to be safe now

https://www.ietf.org/proceedings/98/slides/slides-98-maprg-tcp-ecn-experience-with-enabling-ecn-on-the-internet-padma-bhooma-00.pdf

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

firewall: Enable ECN fallback mechanism when ECN is enabled

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

IPsec: Fix routing

Based on the examples found in strongswan
we need to specific the source IP for our routes through an IPsec VPN.
If we have no source IP (a router can route packages
which do not belong to the network assigned to our zones) we set no routes,
but clients can still use the tunnel.

For IPsec VPNs in tunnel mode we
also need the device which has the ${PLUTO_ME} IP address asigned.

The source IP  is determined ip_get_assigned_addresses_from_net()
the device is determined by the  device_get_by_ip_address() function.

For tunnel mode see:
https://www.strongswan.org/testing/testresults/ipv6-stroke/net2net-ip4-in-ip6-ikev2/moon.ip.route

Fixes: #11629
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

IPsec: Log the content of all PLUTO variables in debug mode

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add new function ip_get__assigned_addresses_from_net()

This function is neede by IPsec to set the routes correctly.
We can now now find a source IP for a given net.
This way is ugly because the source IP
is unpredictable if we get multiple IPs.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Add new function: device_get_by_assigned_ip_address()

This function is used to get a device from an IP address
which is assigned to the device.
This function needs to be introduced
to set the routes for IPsec correctly.

Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Fix zone_config_check_same_setting

Every time we edited a config zone_config_check_same_setting
returns that a identical config was found but this config was the config
we want to edit. So we now generate the id inside hook_new and pass the
id always to hook_parse_cmdline and to zone_config_check_same_setting.

So we can skip this config.

Fixes: #11451
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Fix radvd startup

We now only start radvd when we write a config for a zone into the config
file.

Fixes: #11450
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Replace ipv[64]-static by one static hook

There is no need to split this into multiple hooks
since they share a lot of common configuration, etc.

There is no migration path provided here.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

ipv6-static: Remove shell switches to define address and prefix

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Makefile: All shell library files where executable which they shouldn't be

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

functions: Include path to new utils

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

network-phy-list-ht-caps: Don't print empty lines

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libnetwork: Don't fail when wireless devices are not supported by nl80211

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

libnetwork: Properly handle errors from netlink messages

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

network-phy-list-ht-caps: Fix SEGV when no PHY was found

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>