strongswan test workflow
The test driver is the shell script testing/do-tests; its configuration file is testing/testing.conf. Run without arguments, do-tests executes every test case under testing/tests/ in turn. It accepts two options, -v and -t: the first records verbose details during the run, the second adds timestamps to the output. One or more individual test cases can also be named on the command line.
# cd strongswan-5.9.14/testing
# ./make-testing
# ./start-testing
# ./do-tests
$ ls -l /srv/strongswan-testing/testing
lrwxrwxrwx 1 root root 40 11月 8 18:15 /srv/strongswan-testing/testing -> /home/kai/work/strongswan-5.9.14/testing
Global configuration: testing.conf
It defines global settings such as the test directory (TESTDIR) and the default IPv4 addresses of the test guests (HOSTNAMEIPV4). Whenever a guest's IPv4 address is needed it has to be extracted from the HOSTNAMEIPV4 variable; as we will see below, this way of defining the addresses is rather awkward to work with.
# Root directory of testing
: ${TESTDIR=/srv/strongswan-testing}
: ${HOSTNAMEIPV4="\
alice,10.1.0.10,192.168.0.50 \
venus,10.1.0.20 \
moon,192.168.0.1,10.1.0.1 \
carol,192.168.0.100,10.3.0.1 \
winnetou,192.168.0.150 \
dave,192.168.0.200,10.3.0.2 \
sun,192.168.0.2,10.2.0.1 \
bob,10.2.0.10"}
It also defines the default list of hosts / VPN gateways (STRONGSWANHOSTS), among other things.
# VPN gateways / clients
# The hosts stated here will be created. Possible values
# are sun, moon, dave, carol, alice, venus, bob, winnetou.
#
: ${STRONGSWANHOSTS="alice bob carol dave moon sun venus winnetou"}
Per-test-case configuration: test.conf
Each test case has its own test.conf, for example testing/tests/af-alg/alg-camellia/test.conf. It names the guests used by the test, the topology diagram, the hosts on which tcpdump has to run, the guests on which the IPsec daemon runs, and whether charon is configured through swanctl.
# All guest instances that are required for this test
VIRTHOSTS="alice moon carol winnetou"
# Corresponding block diagram
DIAGRAM="a-m-c-w.png"
# Guest instances on which tcpdump is to be started
TCPDUMPHOSTS="moon"
# Guest instances on which IPsec is started. Used for IPsec logging purposes
IPSECHOSTS="moon carol"
# charon controlled by swanctl
SWANCTL=1
Loading a test: load-testconfig
do-tests calls load-testconfig, with the test case name as argument, to load the test case configuration. The script lives at scripts/load-testconfig and pushes the test configuration to the hosts taking part in the test.
First, everything in the test case folder of the strongswan source tree (e.g. testname=af-alg/alg-camellia) is copied into the build's test directory, here /srv/strongswan-testing/build/tests/af-alg/alg-camellia:
TESTSDIR=$BUILDDIR/tests
[ -d $TESTSDIR ] || mkdir $TESTSDIR
TESTDIR=$TESTSDIR/${testname}
rm -rf $TESTDIR
mkdir -p $TESTDIR
cp -rfp $DEFAULTTESTSDIR/${testname}/* $TESTDIR
After the copy the test directory looks as follows. The copy is needed because the test run may modify files of the test case.
/srv/strongswan-testing/build/tests/af-alg/alg-camellia/
├── description.txt
├── evaltest.dat
├── hosts
│   ├── carol
│   │   └── etc
│   │       ├── strongswan.conf
│   │       └── swanctl
│   │           └── swanctl.conf
│   └── moon
│       └── etc
│           ├── strongswan.conf
│           └── swanctl
│               └── swanctl.conf
├── posttest.dat
├── pretest.dat
└── test.conf

7 directories, 9 files
The following loop processes the HOSTNAMEIPV4 and HOSTNAMEIPV6 variables defined in testing.conf and extracts the IPv4 and IPv6 addresses of every test guest.
for host in $STRONGSWANHOSTS
do
    eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
    eval ipv6_${host}="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
    case $host in
    moon)
        eval ipv4_moon1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
        eval ipv6_moon1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
        ;;
    sun)
        eval ipv4_sun1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
        eval ipv6_sun1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
        ;;
    ...
Within the test case directory, occurrences of the IP placeholder variables such as PH_IP_MOON1 and PH_IP_MOON are then replaced with the real IP addresses held in the variables ipv4_moon1, ipv4_moon and so on.
for host in $STRONGSWANHOSTS
do
    case $host in
    moon)
        searchandreplace PH_IP_MOON1 $ipv4_moon1 $TESTDIR
        searchandreplace PH_IP_MOON $ipv4_moon $TESTDIR
        searchandreplace PH_IP6_MOON1 $ipv6_moon1 $TESTDIR
        searchandreplace PH_IP6_MOON $ipv6_moon $TESTDIR
        ;;
    sun)
        searchandreplace PH_IP_SUN1 $ipv4_sun1 $TESTDIR
        searchandreplace PH_IP_SUN $ipv4_sun $TESTDIR
        searchandreplace PH_IP6_SUN1 $ipv6_sun1 $TESTDIR
        searchandreplace PH_IP6_SUN $ipv6_sun $TESTDIR
        ;;
    ...
For example, the PH_IP_ALICE placeholder in evaltest.dat becomes 10.1.0.10 after replacement:
$ cat tests/af-alg/alg-camellia/evaltest.dat
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
// after the IP address replacement
$ cat /srv/strongswan-testing/build/tests/af-alg/alg-camellia/evaltest.dat
carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_.eq=1::YES
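The two steps just described, address lookup and placeholder substitution, are easier to follow in a small stand-alone script. The following is an added example written for this page, not code from load-testconfig or the strongswan source: host_ip matches the complete host field of the HOSTNAMEIPV4 value quoted above instead of the "s/^.*host,//" prefix pattern, and substitute_placeholders applies the PH_IP_* replacements in the same order load-testconfig uses (the 1-suffixed placeholder first). The function names are my own; the HOSTNAMEIPV4 value, the host list and the evaltest.dat line are the ones shown on this page.

```sh
#!/bin/sh
# Added example, not strongswan's own code: parse HOSTNAMEIPV4 from
# testing.conf and substitute PH_IP_* placeholders in a test directory.

# Value copied from the testing.conf excerpt above.
HOSTNAMEIPV4="\
alice,10.1.0.10,192.168.0.50 \
venus,10.1.0.20 \
moon,192.168.0.1,10.1.0.1 \
carol,192.168.0.100,10.3.0.1 \
winnetou,192.168.0.150 \
dave,192.168.0.200,10.3.0.2 \
sun,192.168.0.2,10.2.0.1 \
bob,10.2.0.10"

STRONGSWANHOSTS="alice bob carol dave moon sun venus winnetou"

# host_ip HOST N: print the N-th (1-based) address of HOST from HOSTNAMEIPV4,
# or nothing if HOST is unknown or has fewer than N addresses. Every entry is
# "host,addr1[,addr2]"; matching the complete first field avoids the
# ambiguity of load-testconfig's "s/^.*host,//" prefix pattern.
host_ip() {
    printf '%s\n' "$HOSTNAMEIPV4" | tr ' ' '\n' |
        awk -F, -v h="$1" -v n="$2" '$1 == h { print $(n + 1); exit }'
}

# substitute_placeholders DIR: replace PH_IP_<HOST> with the first address and
# PH_IP_<HOST>1 with the second address in every regular file under DIR.
substitute_placeholders() {
    dir=$1
    script=""
    for host in $STRONGSWANHOSTS; do
        ph=$(printf '%s' "$host" | tr 'a-z' 'A-Z')
        ip1=$(host_ip "$host" 1)
        ip2=$(host_ip "$host" 2)
        # The 1-suffixed placeholder must be replaced first, exactly as in
        # load-testconfig: "PH_IP_MOON" is a prefix of "PH_IP_MOON1".
        if [ -n "$ip2" ]; then
            script="${script}s/PH_IP_${ph}1/$ip2/g;"
        fi
        if [ -n "$ip1" ]; then
            script="${script}s/PH_IP_${ph}/$ip1/g;"
        fi
    done
    # One sed pass per file with all substitutions (paths without spaces are
    # assumed, as in the real test directories).
    for f in $(find "$dir" -type f); do
        sed "${script%;}" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# substitute_line LINE: write LINE into a scratch test directory, run the
# substitution on it and print the result (demonstrates a single line).
substitute_line() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$1" > "$tmp/evaltest.dat"
    substitute_placeholders "$tmp"
    cat "$tmp/evaltest.dat"
    rm -rf "$tmp"
}

# Stand-alone demo on the evaltest.dat line quoted above: sh script.sh demo
if [ "${1:-}" = demo ]; then
    substitute_line 'carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES'
fi
```

Note that a placeholder for which no second address exists, such as PH_IP_BOB1, would still have its PH_IP_BOB prefix replaced and keep a trailing 1; the original load-testconfig behaves the same way, which is why only moon and sun have 1-suffixed placeholders.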
The files required by the test are then sent to the test hosts with scp.
if [ -d $TESTDIR/hosts ]
then
    for host in `ls $TESTDIR/hosts`
    do
        eval HOSTLOGIN=root@\$ipv4_${host}
        scp $SSHCONF -r $TESTDIR/hosts/$host/etc $HOSTLOGIN:/ > /dev/null 2>&1
    done
fi
For example, the host configurations in the hosts subdirectory of the alg-camellia test case, i.e. the test configuration of the carol host and of the moon gateway, are sent to the respective test guests: carol's IP is 192.168.0.100 and moon's is 192.168.0.1.
As seen above, for the alg-camellia test case the etc directory of both carol and moon holds two configuration files, strongswan.conf and swanctl/swanctl.conf.
scp $SSHCONF -r /srv/strongswan-testing/build/tests/af-alg/alg-camellia/hosts/carol/etc root@192.168.0.100:/
scp $SSHCONF -r /srv/strongswan-testing/build/tests/af-alg/alg-camellia/hosts/moon/etc root@192.168.0.1:/
The script also performs some cleanup. The loop below deletes the log files /var/log/auth.log and /var/log/daemon.log on the guests that run the IPsec daemon and signals the rsyslogd logging daemon with SIGHUP (pkill -SIGHUP rsyslogd).
for host in $IPSECHOSTS
do
    eval HOSTLOGIN=root@\$ipv4_${host}
    ssh $SSHCONF $HOSTLOGIN 'rm -f /var/log/auth.log /var/log/daemon.log; \
        pkill -SIGHUP rsyslogd' > /dev/null 2>&1
done
On the RADIUS server guests it deletes /var/log/daemon.log and /var/log/freeradius/radius.log and again signals rsyslogd with SIGHUP.
for host in $RADIUSHOSTS
do
    eval HOSTLOGIN=root@\$ipv4_${host}
    ssh $SSHCONF $HOSTLOGIN 'rm -f /var/log/daemon.log /var/log/freeradius/radius.log; \
        pkill -SIGHUP rsyslogd' > /dev/null 2>&1
done
Preparing tcpdump
Based on the TCPDUMPHOSTS list in the test case's test.conf, tcpdump is started in the background on the corresponding hosts. The interface tcpdump should capture on can be given after a colon (:) in TCPDUMPHOSTS; the default is eth0.
# run tcpdump in the background
if [ "$TCPDUMPHOSTS" != "" ]
then
    echo -e "TCPDUMP\n" >> $CONSOLE_LOG 2>&1
    for host_iface in $TCPDUMPHOSTS
    do
        # entries are "host" or "host:iface"; the interface defaults to eth0
        host=`echo $host_iface | awk -F ":" '{print $1}'`
        iface=`echo $host_iface | awk -F ":" '{if ($2 != "") { print $2 } else { printf("eth0") }}'`
        tcpdump_cmd="tcpdump -l $TCPDUMP_IM -i $iface not port ssh and not port domain >/tmp/tcpdump.log 2>/tmp/tcpdump.err.log &"
        echo "$(print_time)${host}# $tcpdump_cmd" >> $CONSOLE_LOG
        # resolve ipv4_<host> and start the capture on the guest
        ssh $SSHCONF root@`eval echo \\\$ipv4_$host` "$tcpdump_cmd"
        eval TDUP_${host}="true"
    done
fi
The tcpdump capture filter excludes ssh and DNS traffic, and the captured packets are written to /tmp/tcpdump.log. The variable TDUP_${host} is set to true. The stop_tcpdump function below stops the capture on a host and sets TDUP_${host} back to false.
function stop_tcpdump {
    # wait for packets to get processed, but don't wait longer than 1s:
    # SIGUSR1 makes tcpdump append "N packets captured, M packets received by
    # filter, ..." to its stderr; poll until the two counters agree
    eval ssh $SSHCONF root@\$ipv4_${1} "\"i=100; while [ \\\$i -gt 0 ]; do pkill -USR1 tcpdump; tail -1 /tmp/tcpdump.err.log | perl -n -e '/(\\d+).*?(\\d+)/; exit (\\\$1 == \\\$2)' || break; sleep 0.01; i=\\\$((\\\$i-1)); done;\""
    echo "$(print_time)${1}# killall tcpdump" >> $CONSOLE_LOG
    # kill tcpdump and wait until no tcpdump process is left
    eval ssh $SSHCONF root@\$ipv4_${1} "\"killall tcpdump; while true; do killall -q -0 tcpdump || break; sleep 0.01; done; \""
    eval TDUP_${1}="false"
    echo "" >> $CONSOLE_LOG
}
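The heavily escaped perl one-liner in stop_tcpdump is the part of this function worth understanding: it reads the last line of /tmp/tcpdump.err.log, pulls out the first two numbers (packets captured, packets received by filter) and stops polling once they are equal, i.e. once tcpdump has written out every packet the kernel handed to it. The following added example spells that logic out in plain shell; it is my code, not do-tests', the names capture_caught_up and wait_for_capture are my own, and the stats lines used in the test are constructed rather than taken from a real capture.

```sh
#!/bin/sh
# Added example, not do-tests code: the "wait until tcpdump has processed
# everything" logic of stop_tcpdump written out as plain shell functions.

# capture_caught_up LINE: LINE is a tcpdump stats line such as
#   "12 packets captured, 12 packets received by filter, 0 packets dropped by kernel"
# Returns 0 when the first two counters (captured, received by filter) are
# equal, meaning tcpdump has written out every packet the filter delivered.
# A line without two counters is treated as "not caught up".
capture_caught_up() {
    counters=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)[^0-9][^0-9]*\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$counters" ] || return 1
    set -- $counters
    [ "$1" -eq "$2" ]
}

# wait_for_capture ERRLOG MAX_TRIES SIGNAL_CMD: run SIGNAL_CMD (in do-tests
# this is "pkill -USR1 tcpdump", which makes tcpdump append a stats line to
# ERRLOG), then inspect the last line of ERRLOG. Returns 0 as soon as the
# capture has caught up, 1 after MAX_TRIES attempts. stop_tcpdump uses 100
# tries with 10 ms pauses, bounding the wait to about one second.
wait_for_capture() {
    errlog=$1; tries=$2; signal_cmd=$3
    while [ "$tries" -gt 0 ]; do
        eval "$signal_cmd"
        if capture_caught_up "$(tail -n 1 "$errlog")"; then
            return 0
        fi
        sleep 0.01
        tries=$((tries - 1))
    done
    return 1
}
```

On a real guest the call would be wait_for_capture /tmp/tcpdump.err.log 100 'pkill -USR1 tcpdump'; the bounded retry matters because a tcpdump that never catches up (for instance because it was already killed) must not hang the test run.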
Pre-test phase
In this phase do-tests executes the commands listed in the test case's pretest.dat file.
echo -n "pre.."
echo -e "\nPRE-TEST\n" >> $CONSOLE_LOG 2>&1
eval `awk -F "::" '{
    if ($0 ~ /^#.*/)
    {
        printf("echo \"%s\"; ", $0);
    }
    else if ($2 != "")
    {
        printf("echo \"$(print_time)%s# %s\"; ", $1, $2)
        printf("ssh \044SSHCONF root@\044ipv4_%s \"%s\"; ", $1, $2)
        printf("echo;\n")
    }
}' $TESTDIR/pretest.dat` >> $CONSOLE_LOG 2>&1
For example, the pretest.dat of af-alg/alg-camellia: the text before the double colon is the guest name, the text after it the command to run. Here it loads the iptables rules, starts the strongswan service, waits on moon and carol until the connections named net and home have been loaded, and finally initiates the home connection on carol.
$ cat af-alg/alg-camellia/pretest.dat
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
moon::systemctl start strongswan
carol::systemctl start strongswan
moon::expect-connection net
carol::expect-connection home
carol::swanctl --initiate --child home 2> /dev/null
The swanctl.conf of the moon guest in test case af-alg/alg-camellia is shown below; it configures a connection named rw with a child named net.
$ cat /srv/strongswan-testing/build/tests/af-alg/alg-camellia/hosts/moon/etc/swanctl/swanctl.conf
connections {
    rw {
        local_addrs = 192.168.0.1
        local {
            auth = pubkey
            certs = moonCert.pem
            id = moon.strongswan.org
        }
        remote {
            auth = pubkey
        }
        children {
            net {
                local_ts = 10.1.0.0/16
                updown = /usr/local/libexec/ipsec/_updown iptables
                esp_proposals = camellia192-sha384
            }
        }
        version = 2
        proposals = camellia256-sha512-modp3072
    }
}
The statement moon::expect-connection net checks that the net child connection has been loaded properly. The expect-connection script calls swanctl, whose output is shown below.
# ssh root@192.168.0.1
moon:~#
moon:/etc/swanctl# swanctl --list-conns
rw: IKEv2, no reauthentication, rekeying every 14400s
  local:  192.168.0.1
  remote: %any
  local public key authentication:
    id: moon.strongswan.org
    certs: C=CH, O=strongSwan Project, CN=moon.strongswan.org
  remote public key authentication:
  net: TUNNEL, rekeying every 3600s
    local:  10.1.0.0/16
    remote: dynamic
No leaks detected, 172 suppressed by whitelist
carol's swanctl.conf is shown below; both the connection and its child are named home.
$ cat /srv/strongswan-testing/build/tests/af-alg/alg-camellia/hosts/carol/etc/swanctl/swanctl.conf
connections {
    home {
        local_addrs = 192.168.0.100
        remote_addrs = 192.168.0.1
        local {
            auth = pubkey
            certs = carolCert.pem
            id = carol@strongswan.org
        }
        remote {
            auth = pubkey
            id = moon.strongswan.org
        }
        children {
            home {
                remote_ts = 10.1.0.0/16
                updown = /usr/local/libexec/ipsec/_updown iptables
                esp_proposals = camellia192-sha384
            }
        }
        version = 2
        proposals = camellia256-sha512-modp3072
    }
}
The connection is initiated on carol with carol::swanctl --initiate --child home, which completes the pre-test phase.
Pre-test phase log, taken from the log file /srv/strongswan-testing/testresults/202xxxxx-1607-20/af-alg/alg-camellia/console.log. tcpdump has to be started before the test begins.
TCPDUMP
moon# tcpdump -l --immediate-mode -i eth0 not port ssh and not port domain >/tmp/tcpdump.log 2>/tmp/tcpdump.err.log &
PRE-TEST
moon# iptables-restore < /etc/iptables.rules
carol# iptables-restore < /etc/iptables.rules
moon# systemctl start strongswan
carol# systemctl start strongswan
moon# expect-connection net
carol# expect-connection home
Log of the IPsec connection being initiated:
carol# swanctl --initiate --child home 2> /dev/null
[IKE] initiating IKE_SA home[1] to 192.168.0.1
[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] (590 bytes)
[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500] (623 bytes)
...
[IKE] IKE_SA home[1] established between 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]
[IKE] CHILD_SA home{1} established with SPIs c834da8a_i c0de5763_o and TS 192.168.0.100/32 === 10.1.0.0/16
initiate completed successfully
cat testing/hosts/default/usr/local/bin/expect-connection
#!/bin/bash
# Wait until a given IPsec connection becomes available
# Params:
#   $1 - connection name
#   $2 - maximum time to wait in seconds, default is 5 seconds
secs=$2
[ ! $secs ] && secs=5
cmd="swanctl --list-conns"
# with the legacy stroke plugin (or DAEMON_NAME set) query "ipsec statusall" instead
grep 'load.*stroke' /etc/strongswan.conf >/dev/null
if [ $? -eq 0 -o -n "$DAEMON_NAME" ]; then
    cmd="ipsec statusall"
fi
# poll every 0.1s, i.e. 10 steps per second
let steps=$secs*10
for i in `seq 1 $steps`
do
    # a loaded connection is listed as a line starting with "<name>:"
    $cmd 2>&1 | grep ^[[:space:]]*$1: >/dev/null
    [ $? -eq 0 ] && exit 0
    sleep 0.1
done
# timed out: the connection was never listed
exit 1
Test phase
In this phase do-tests executes the commands in the test case's evaltest.dat file. Each line has four parts: guest name, command, match pattern and expected result. Below is the evaltest.dat of the af-alg/alg-camellia test case, with some content omitted (shown as …).
kai@logging:/srv/strongswan-testing/build/tests$ cat af-alg/alg-camellia/evaltest.dat
carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_.eq=1::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 ... integ-alg=HMAC_SHA2_384_192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 ... integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
moon:: ip xfrm state::enc cbc(camellia)::YES
carol::ip xfrm state::enc cbc(camellia)::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES
The test code in do-tests is shown below. The four parts of each evaltest.dat line (-F makes :: the field separator) are the fields $1, $2, $3 and $4, assigned to host, command, pattern and hit respectively; $0 is the whole current line. Lines starting with a hash (#), and lines whose command is empty, are skipped.
echo -n "test.."
echo -e "\nTEST\n" >> $CONSOLE_LOG 2>&1
STATUS="passed"
eval `awk -F "::" '{
    host=$1
    command=$2
    pattern=$3
    hit=$4
    if ($0 ~ /^#.*/)
    {
        printf("echo \"%s\"; ", $0);
        next
    }
    else if (command == "")
    {
        next
    }
The mktemp command creates two temporary files for the error output and the normal output of each test command, e.g. test.PhfKyt.err and test.bSCZq4.out, where the six characters in the middle are random: the XXXXXX in the mktemp template gives the number of random characters. The files are created in the current directory, e.g. strongswan-5.9.14/testing/. Both files are created for every command line in evaltest.dat.
The command is executed on the guest over SSH, with standard output redirected to cmd_out and error output to cmd_err. For the tcpdump command, the running tcpdump is stopped first and the contents of /tmp/tcpdump.log are then written into cmd_out with cat.
The octal escape \044 is the dollar sign $.
    printf("cmd_err=\044(mktemp --suff .err test.XXXXXX); ")
    printf("cmd_out=\044(mktemp --suff .out test.XXXXXX); ")
    printf("start_time=\044(print_time); ")
    if (command == "tcpdump")
    {
        printf("if [ \044TDUP_%s == \"true\" ]; then stop_tcpdump %s; fi; \n", host, host)
        printf("ssh \044SSHCONF root@\044ipv4_%s cat /tmp/tcpdump.log > \044cmd_out; ", host)
    }
    else
    {
        printf("ssh \044SSHCONF root@\044ipv4_%s %s >\044cmd_out 2>\044cmd_err; ", host, command)
    }
The pattern is then searched for in cmd_out; the matching output is stored in cmd_res and the exit status of grep in cmd_exit ($? is the exit status). hit can be YES, NO, a string such as ESP, a number, or empty.
The regular expression /^[0-9]+$/ requires the value to consist of digits only, anchored at the start (^) and the end ($), with + meaning one or more digits. So if hit is a number, the number of lines in cmd_res (wc -l) is compared with hit. Otherwise the test combines whether cmd_exit is zero or non-zero with whether hit equals NO or YES; -a is the AND operator, so both conditions must hold.
For example, if cmd_exit is 0 and hit is NO, the expectation is not met: STATUS is set to failed and cmd_fail to 1.
    printf("cmd_res=\044(cat \044cmd_out | grep \"%s\"); ", pattern)
    printf("cmd_exit=\044?; ")
    printf("cmd_fail=0; ")
    if (hit ~ /^[0-9]+$/)
    {
        printf("if [ \044(echo \"\044cmd_res\" | wc -l) -ne %d ] ", hit)
    }
    else
    {
        printf("if [ \044cmd_exit -eq 0 -a \"%s\" = \"NO\" ] ", hit)
        printf("|| [ \044cmd_exit -ne 0 -a \"%s\" = \"YES\" ] ", hit)
    }
    printf("; then STATUS=\"failed\"; cmd_fail=1; fi; \n")
    printf("if [ \044cmd_fail -ne 0 ]; then echo \"~~~~~~~ FAIL ~~~~~~~\"; fi; \n")
Octal \047 is the ASCII single quote. When cmd_res is non-empty (-n) its value is printed, followed by the contents of the error file cmd_err. If the command failed (cmd_fail non-zero) the output file cmd_out is printed: all of it when verbose is set, otherwise only the first few lines (head).
Finally the two temporary files cmd_out and cmd_err are removed. All output of this process is redirected to the console log file $CONSOLE_LOG.
If do-tests was run with the -t option, start_time is set to the current timestamp; by default it is empty.
    if (command == "tcpdump")
    {
        printf("echo \"\044{start_time}%s# cat /tmp/tcpdump.log | grep \047%s\047 [%s]\"; ", host, pattern, hit)  # printed as (B) in the log below
    }
    else
    {
        printf("echo \"\044{start_time}%s# %s | grep \047%s\047 [%s]\"; ", host, command, pattern, hit)  # printed as (A) in the log below
    }
    printf("if [ -n \"\044cmd_res\" ]; then echo \"\044cmd_res\"; fi; \n")
    printf("cat \044cmd_err; \n")
    printf("if [ \044cmd_fail -ne 0 ]; then \n")
    printf("if [ -s \044cmd_out ]; then echo \"~~ output ~~~~~~~~~~\"; \n")
    printf("if [ \"\044verbose\" == \"YES\" ]; then cat \044cmd_out;\n")
    printf("else cat \044cmd_out | head; fi; fi; \n")
    printf("echo \"~~~~~~~~~~~~~~~~~~~~\"; fi; \n")
    printf("rm -f -- \044cmd_out \044cmd_err; \n")
    printf("echo; ")
}' $TESTDIR/evaltest.dat` >> $CONSOLE_LOG 2>&1
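Because do-tests generates shell text with awk and then evals it, the evaluation rules above are hard to read in the original. The following added example re-implements the evaltest.dat loop directly in POSIX shell; it is my code, not do-tests'. It keeps the line format host::command::pattern::hit and the YES / NO / count semantics, but run_on_host (a name of my own) executes the command locally instead of over ssh so that the script runs offline, and the sample evaltest.dat lines written by write_sample and write_failing_sample are constructed for this demonstration. One deliberate difference is commented in the code: do-tests counts matches with echo "$cmd_res" | wc -l, which reports 1 for an empty result, whereas this version uses grep -c and reports 0.

```sh
#!/bin/sh
# Added example, not do-tests code: the evaltest.dat evaluation loop written
# directly in shell. Line format: host::command::pattern::hit

# field N LINE: print the N-th "::"-separated field of LINE.
field() {
    printf '%s\n' "$2" | awk -F '::' -v n="$1" '{ print $n }'
}

# run_on_host HOST COMMAND: stand-in for "ssh $SSHCONF root@$ipv4_HOST COMMAND".
# The command runs locally here so the example works offline; stdin is closed
# so a command cannot swallow the evaltest.dat being read by run_evaltest.
run_on_host() {
    sh -c "$2" </dev/null
}

# evaluate_line LINE: run the command, grep its output for the pattern and
# apply the expectation in hit:
#   YES     the pattern must match
#   NO      the pattern must not match
#   number  exactly that many output lines must match
#   other   never fails (do-tests only fails on the three cases above)
# Prints the matching lines (do-tests' cmd_res) and the command's stderr;
# returns 0 when the expectation holds.
evaluate_line() {
    host=$(field 1 "$1")
    command=$(field 2 "$1")
    pattern=$(field 3 "$1")
    hit=$(field 4 "$1")

    cmd_err=$(mktemp) || return 1
    cmd_out=$(run_on_host "$host" "$command" 2>"$cmd_err") || :
    if cmd_res=$(printf '%s\n' "$cmd_out" | grep -e "$pattern"); then
        cmd_exit=0
    else
        cmd_exit=1
    fi
    if [ -n "$cmd_res" ]; then printf '%s\n' "$cmd_res"; fi
    cat "$cmd_err"
    rm -f "$cmd_err"

    case $hit in
        ''|*[!0-9]*)
            # the two failure conditions of do-tests:
            # [ $cmd_exit -eq 0 -a "$hit" = "NO" ] || [ $cmd_exit -ne 0 -a "$hit" = "YES" ]
            if [ "$cmd_exit" -eq 0 ] && [ "$hit" = NO ]; then return 1; fi
            if [ "$cmd_exit" -ne 0 ] && [ "$hit" = YES ]; then return 1; fi
            ;;
        *)
            # do-tests counts with 'echo "$cmd_res" | wc -l', which reports 1
            # for an empty result; grep -c reports the honest count of 0.
            count=$(printf '%s\n' "$cmd_out" | grep -c -e "$pattern") || :
            [ "$count" -eq "$hit" ] || return 1
            ;;
    esac
    return 0
}

# run_evaltest FILE: evaluate every line of FILE, skipping comment lines and
# lines without a command; prints "passed" or "failed" as the last line and
# returns 0 only if every expectation held.
run_evaltest() {
    status=passed
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in '#'*) printf '%s\n' "$line"; continue ;; esac
        [ -n "$(field 2 "$line")" ] || continue
        printf '%s# %s | grep %s [%s]\n' "$(field 1 "$line")" \
            "$(field 2 "$line")" "$(field 3 "$line")" "$(field 4 "$line")"
        if ! evaluate_line "$line"; then
            status=failed
            echo "~~~~~~~ FAIL ~~~~~~~"
        fi
    done < "$1"
    echo "$status"
    [ "$status" = passed ]
}

# write_sample FILE: a constructed evaltest.dat (not from a real test case)
# with one line per hit kind, using local commands instead of swanctl.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample
local::printf '%s\n' 'enc cbc(camellia) 0x01' 'enc cbc(camellia) 0x02'::enc cbc(camellia)::2
local::echo '128 bytes from 10.1.0.10: icmp_seq=1 ttl=63'::128 bytes from 10.1.0.10: icmp_.eq=1::YES
local::echo 'no ESP traffic seen'::length 208::NO
local::::this line has no command and is skipped::YES
EOF
}

# write_failing_sample FILE: one constructed line whose expectation fails.
write_failing_sample() {
    cat > "$1" <<'EOF'
local::echo 'IKE_SA established'::CHILD_SA::YES
EOF
}

# Usage: sh evaltest-demo.sh FILE, e.g. a file written by write_sample.
if [ $# -gt 0 ]; then
    run_evaltest "$1"
fi
```

Reading the rules side by side with the generated code makes one property of the original visible: an unknown hit value (anything other than YES, NO or a number) can never fail a test, so a typo such as YE in an evaltest.dat silently turns that line into a no-op.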
The test log for this phase:
TEST
carol# ping -c 1 -s 120 -p deadbeef 10.1.0.10 | grep '128 bytes from 10.1.0.10: icmp_.eq=1' [YES] /* printed by statement (A) above */
128 bytes from 10.1.0.10: icmp_seq=1 ttl=63 time=2.51 ms
carol# swanctl --list-sas --raw 2> /dev/null | grep 'home.*version=2 ... integ-alg=HMAC_SHA2_384_192.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]' [YES] /* printed by statement (A) above */
list-sa event {home {uniqueid=1 version=2 ... integ-alg=HMAC_SHA2_384_192 bytes-in=148 packets-in=1 use-in=0 bytes-out=148 packets-out=1 use-out=0 rekey-time=3460 life-time=3960 install-time=0 local-ts=[192.168.0.100/32] remote-ts=[10.1.0.0/16]}}}}
moon# swanctl --list-sas --raw 2> /dev/null | grep 'rw.*version=2 ... integ-alg=HMAC_SHA2_384_192.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]' [YES] /* printed by statement (A) above */
list-sa event {rw {uniqueid=1 version=2 ... integ-alg=HMAC_SHA2_384_192 bytes-in=148 packets-in=1 use-in=0 bytes-out=148 packets-out=1 use-out=0 rekey-time=3386 life-time=3960 install-time=0 local-ts=[10.1.0.0/16] remote-ts=[192.168.0.100/32]}}}}
moon# ip xfrm state | grep 'enc cbc(camellia)' [YES] /* printed by statement (A) above */
enc cbc(camellia) 0xb821b5ea62a441a642d064d2bd1537768af53bc6277c1c27
enc cbc(camellia) 0xc5c34e3931ce3a64781fdbebc5cb0793bb1c8a0c238f58d6
carol# ip xfrm state | grep 'enc cbc(camellia)' [YES] /* printed by statement (A) above */
enc cbc(camellia) 0xc5c34e3931ce3a64781fdbebc5cb0793bb1c8a0c238f58d6
enc cbc(camellia) 0xb821b5ea62a441a642d064d2bd1537768af53bc6277c1c27
moon# killall tcpdump /* printed by the stop_tcpdump function */
moon# cat /tmp/tcpdump.log | grep 'IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208' [YES] /* printed by statement (B) above */
08:07:12.188904 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0de5763,seq=0x1), length 208
moon# cat /tmp/tcpdump.log | grep 'IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208' [YES] /* printed by statement (B) above */
08:07:12.190869 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc834da8a,seq=0x1), length 208
Post-test processing
The commands for this phase are in the test case's posttest.dat file. Each line has two parts: guest name and command. The order is the reverse of the pre-test phase: first the IKE connection home is terminated on carol, then the strongswan service is stopped on carol and moon, and finally the iptables rules are restored.
$ cat tests/af-alg/alg-camellia/posttest.dat
carol::swanctl --terminate --ike home
carol::systemctl stop strongswan
moon::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
The post-test code in do-tests is shown below; it logs in to the respective guest over SSH and executes the given command.
# execute post-test commands
echo -n "post"
echo -e "\nPOST-TEST\n" >> $CONSOLE_LOG 2>&1
eval `awk -F "::" '{
    if ($0 ~ /^#.*/)
    {
        printf("echo \"%s\"; ", $0);
    }
    else if ($2 != "")
    {
        printf("echo \"$(print_time)%s# %s\"; ", $1, $2)
        printf("ssh \044SSHCONF root@\044ipv4_%s \"%s\"; ", $1, $2)
        printf("echo;\n")
    }
}' $TESTDIR/posttest.dat` >> $CONSOLE_LOG 2>&1
The log for this phase:
POST-TEST
carol# swanctl --terminate --ike home
[IKE] deleting IKE_SA home[1] between 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]
[IKE] sending DELETE for IKE_SA home[1]
[ENC] generating INFORMATIONAL request 2 [ D ]
[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (96 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (96 bytes)
[ENC] parsed INFORMATIONAL response 2 [ ]
[IKE] IKE_SA deleted
terminate completed successfully
carol# systemctl stop strongswan
moon# systemctl stop strongswan
moon# iptables-restore < /etc/iptables.flush
carol# iptables-restore < /etc/iptables.flush
Restoring the configuration: restore-defaults
After the test, do-tests performs a series of recording and cleanup steps, such as stopping tcpdump.
# copy default host config back if necessary
#
$DIR/scripts/restore-defaults $testname
restore-defaults copies the contents of the default/etc subdirectory of strongswan-5.9.14/testing/hosts/ to each test guest with scp, followed by the guest's own ${host}/etc subdirectory.
if [ -d $TESTSDIR/${testname}/hosts ]
then
    for host in `ls $TESTSDIR/${testname}/hosts`
    do
        eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
        scp $SSHCONF -r $HOSTCONFIGDIR/default/etc $HOSTLOGIN:/ > /dev/null 2>&1
        scp $SSHCONF -r $HOSTCONFIGDIR/${host}/etc $HOSTLOGIN:/ > /dev/null 2>&1
    done
fi