Contents Previous

How to configure to use "make check"

What is "make check"

"make check" is a target in the top level makefile. It takes care of running a number of unit and system tests to confirm that FreeSWAN has been compiled correctly, and that no new bugs have been introduced.

As FreeSWAN contains both kernel and userspace components, doing testing of FreeSWAN requires that the kernel be simulated. This is typically difficult to do as a kernel requires that it be run on bare hardware. A technology has emerged that makes this simpler. This is User Mode Linux.

User-Mode Linux is a way to build a Linux kernel such that it can run as a process under another Linux (or in the future other) kernel. Presently, this can only be done for 2.4 guest kernels. The host kernel can be 2.2 or 2.4.

"make check" expects to be able to build User-Mode Linux kernels with FreeSWAN included. To do this it needs to have some files downloaded and extracted prior to running "make check". This is described in the UML testing document.

After having run the example in the UML testing document and successfully brought up the four machine combination, you are ready to use "make check"

Running "make check"

"make check" works by walking the FreeSWAN source tree invoking the "check" target at each node. At present there are tests defined only for the klips directory. These tests will use the UML infrastructure to test out pieces of the klips code.

The results of the tests can be recorded. If the environment variable $REGRESSRESULTS is non-null, then the results of each test will be recorded. This can be used as part of a nightly regression testing system, see Nightly testing for more details.

"make check" otherwise prints a minimal amount of output for each test, and indicates pass/fail status of each test as they are run. Failed tests do not cause failure of the target in the form of exit codes.

How to write a KLIPS "make check" test

Structure of a test

Each test consists of a directory in klips/test. The list of tests to run is stored in the file klips/test/TESTLIST . The test types are:

means run no test.
ctltest (TBD)
means run a single system without input/output.
means run a single system with input/output networks
plutotest (TBD)
means run a pair of systems
suntest (TBD)
means run a quad of east/west/sunrise/sunset
roadtest (TBD)
means run a trio of east-sunrise + warrior
extrudedtest (TBD)
means run a quad of east-sunrise + warriorsouth + park
At present only klipstest has been defined.

Each test directory has a file in it called . This file sets a number of environment variables to define the parameters of the test.

Common parameters

the name of the test (repeated for checking purposes)
the name of the UML machine to run for the test, typically "east" or "west"
The purpose of the test is one of:
The goal purpose is where a test is defined for code that is not yet finished. The test indicates when the goals have in fact been reached.
This is a test to determine that a previously existing bug has been repaired. This test will initially be created to reproduce the bug in isolation, and then the bug will be fixed.
This is a set of packets/programs that causes a vulnerability to be exposed. It is a specific variation of the regress option.
in the case of a goal test, this is a reference to the requirements document
in the case of regression test, this the problem report number from GNATS
in the case of an exploit, this is a URL referencing the paper explaining the origin of the test and the origin of exploit software
a file in the test directory that contains the sanitized console output against which to compare the output of the actual test.
a list of scripts (found in klips/test/fixups) to apply to sanitize the console output of the machine under test. These are typically perl, awk or sed scripts that remove things in the kernel output that change each time the test is run and/or compiled.

a file of commands that is fed into the virtual machine's console in single user mode prior to starting the tests. This file will usually set up any eroute's and SADB entries that are required for the test.

Lines beginning with # are skipped. Blank lines are skipped. Otherwise, a shell prompted is waited for each time (consisting of \n#) and then the command is sent. Note that the prompt is waited for before the command and not after, so completion of the last command in the script is not required. This is often used to invoke a program to monitor the system, e.g. ipsec pf_key.

KLIPStest paramaters

The klipstest function starts a program ( testing/utils/uml_netjig/uml_netjig) to setup a bunch of I/O sockets (that simulate network interfaces). It then exports the references to these sockets to the environment and invokes (using system()) a given script. It waits for the script to finish.

The script invoked (testing/utils/host-test.tcl) is a TCL expect script that arranges to start the UML and configure it appropriately for the test. The configuration is done with the script given above for SCRIPT . The TCL script then forks, leaves the UML in the background and exits. uml_netjig continues. It then starts listening to the simulated network answering ARPs and inserting packets as appropriate.

The klipstest function invokes uml_netjig with arguments to capture output from network interface(s) and insert packets as appropriate:

a pcap file to feed in on the public (encrypted) interface. (typically, eth1)
a pcap file to feed in on the private (plain-text) interface (typically, eth0).
a text file containing tcpdump output. Packets on the public (eth1) interface are captured to a pcap file by uml_netjig. The klipstest function then uses tcpdump on the file to produce text output, which is compared to the file given.
a program that will filter the TCPDUMP output to do further processing. Defaults to "cat".
a text file containing tcpdump output. Packets on the private (eth0) interface are captured and compared after conversion by tcpdump, as with REFPUBOUTPUT.
a program that will filter the TCPDUMP output to do further processing. Defaults to "cat".
a flag for uml_netjig. It should contain "--exitonempty" of uml_netjig should exit when all of the input ( PUBINPUT,PRIVINPUT) packets have been injected.
a flag for uml_netjig. It should contain "--arpreply" if uml_netjig should reply to ARP requests. One will typically set this to avoid having to fudge the ARP cache manually.
a set of flags for the tcpdump used when converting captured output. Typical values will include "-n" to turn off DNS, and often "-E" to set the decryption key (tcpdump 3.7.1 and higher only) for ESP packets. The "-t" flag (turn off timestamps) is provided automatically

Invoking tests manually

If you need to interactively control the UML under test, then you can invoke netjig directly with the right arguments, but give it "sh" as the startup script. An easy way is to do this is to edit "NETJIGDEBUG" in to "true" and run the test:


cassidy-[nightly/klips/test/east-pass-01] mcr 1009 %NETJIGDEBUG=true ../
/c2/freeswan/sandboxes/nightly/testing/utils/uml_netjig/uml_netjig --tcpdump --exitonempty --playprivate ../inputs/01-sunrise-sunset-ping.pcap --recordpublic OUTPUT/spi1-output.pcap --startup expect -f /c2/freeswan/sandboxes/nightly/testing/utils/host-test.tcl /c2/freeswan/sandboxes/nightly/UMLPOOL/east/ 
so, substitute "sh" for the startup script.
/c2/freeswan/sandboxes/nightly/testing/utils/uml_netjig/uml_netjig --tcpdump --exitonempty --playprivate ../inputs/01-sunrise-sunset-ping.pcap --recordpublic OUTPUT/spi1-output.pcap --startup sh

sh-2.05a$ env | grep UML_

then, in a *new window*, paste those variables in place, and start the UML you need. The scripts looks for UML_{private,public}_{CTL,DATA} and will connect them to eth0/eth1. Setup the UML as appropriate, etc. When you are ready, exit the above shell, and the uml_netjig will start to inject packets and record them.

Current pitfalls

"tcpdump dissector" not available.
This is a non-fatal warning. If uml_netjig is invoked with the -t option, then it will attempt to use tcpdump's dissector to decode each packet that it processes. The dissector is presently not available, so this option it normally turned off at compile time. The dissector library will be released with tcpdump version 4.0.

Contents Previous