[26-06-02 09:52:29] START switch_ztrust scenario: cases/switch_ztrust.sh
header : verify ztrust enable/disable with guest and token-derived knock controls
topology: vpn1 10.93.0.10; v OpenVPN tcp/1194; sw1 192.59.0.1:8081; ZTrust guest + knock gates service access
topology: # Topology:
topology: # - Diagram:
topology: #     vpn1 10.93.0.10
topology: #       |
topology: #       v OpenVPN tcp/1194
topology: #     sw1 192.59.0.1:8081
topology: #     ZTrust guest + knock gates service access
topology: # - Docker mgmt network: 172.245.0.0/24
topology: #     sw1=172.245.0.241.
topology: # - OpenLAN service network "example": 192.59.0.0/24
topology: #     sw1=192.59.0.1.
topology: # - OpenVPN overlay on sw1:
topology: #     tcp/1194, subnet 10.93.0.0/24, vpn1@example fixed address 10.93.0.10.
topology: # Validation:
topology: #     vpn1 -> sw1:8081 is reachable before ztrust; blocked after ztrust enable;
topology: #     allowed after guest+knock; blocked after knock remove; restored when disabled.
Started switch pause container: tests-sw-ztrust-pause
Started switch frr container: tests-sw-ztrust-frr
Started switch ipsec container: tests-sw-ztrust-ipsec
Started switch container: tests-sw-ztrust
[26-06-02 09:52:30][ASSERT#0001][expect] at cases/switch_ztrust.sh:43 fn=setup_sw1 retry=30 cmd="docker logs -f tests-sw-ztrust" expect="Http.Start"
2026/06/02 09:52:31 INFO|root|Wait: ...
2026/06/02 09:52:31 INFO|root|UdpServer.Listen: udp://0.0.0.0:10002
2026/06/02 09:52:31 INFO|root|TcpServer.Listen: tcp://0.0.0.0:10002
2026/06/02 09:52:31 INFO|root|Http.Start 0.0.0.0:10000
[26-06-02 09:52:31][ASSERT#0001][OK] cost=1.033s
[26-06-02 09:52:31][ASSERT#0002][cmd] at cases/switch_ztrust.sh:45 fn=setup_sw1 cmd="docker exec tests-sw-ztrust openlan network --name example add --address 192.59.0.1/24"
[26-06-02 09:52:31][ASSERT#0002][OK] cost=0.247s
[26-06-02 09:52:31][ASSERT#0003][match] at cases/switch_ztrust.sh:46 fn=setup_sw1 retry=1 cmd="docker exec tests-sw-ztrust openlan network ls" expect="name: example"
bridge:
  address: 192.59.0.1/24
  name: br-example
name: example
snat: enable
subnet:
  netmask: 255.255.255.0
  name: example
openvpnStatus: disabled
- config:
    name: ipsec
[26-06-02 09:52:32][ASSERT#0003][OK] cost=0.067s
[26-06-02 09:52:32][ASSERT#0004][cmd] at cases/switch_ztrust.sh:47 fn=setup_sw1 cmd="docker exec tests-sw-ztrust openlan user add --name vpn1@example --password 123456"
# total 1
username      password  role   lease
vpn1@example  123456    guest  2027-06-02T09
[26-06-02 09:52:32][ASSERT#0004][OK] cost=0.074s
[26-06-02 09:52:32][ASSERT#0005][cmd] at cases/switch_ztrust.sh:48 fn=setup_sw1 cmd="docker exec tests-sw-ztrust openlan user add --name vpn2@example --password 123457"
# total 1
username      password  role   lease
vpn2@example  123457    guest  2027-06-02T09
[26-06-02 09:52:32][ASSERT#0005][OK] cost=0.062s
[26-06-02 09:52:32][ASSERT#0006][cmd] at cases/switch_ztrust.sh:49 fn=setup_sw1 cmd="docker exec tests-sw-ztrust openlan user add --name vpn3@example --password 123458"
# total 1
username      password  role   lease
vpn3@example  123458    guest  2027-06-02T09
[26-06-02 09:52:32][ASSERT#0006][OK] cost=0.067s
[26-06-02 09:52:32][ASSERT#0007][cmd] at cases/switch_ztrust.sh:50 fn=setup_sw1 cmd="docker exec tests-sw-ztrust openlan user add --name vpn4@example --password 123459"
# total 1
username      password  role   lease
vpn4@example  123459    guest  2027-06-02T09
[26-06-02 09:52:32][ASSERT#0007][OK] cost=0.071s
[26-06-02 09:52:32][ASSERT#0008][cmd] at cases/switch_ztrust.sh:51 fn=setup_sw1 cmd="docker exec tests-sw-ztrust openlan network --name example openvpn add --listen :1194 --protocol tcp --subnet 10.93.0.0/24"
[26-06-02 09:52:32][ASSERT#0008][OK] cost=0.123s
[26-06-02 09:52:32][ASSERT#0009][cmd] at cases/switch_ztrust.sh:52 fn=setup_sw1 cmd="docker exec tests-sw-ztrust openlan network --name example client add --user vpn1@example --address 10.93.0.10"
[26-06-02 09:52:32][ASSERT#0009][OK] cost=0.070s
[26-06-02 09:52:32][ASSERT#0010][cmd] at cases/switch_ztrust.sh:53 fn=setup_sw1 cmd="docker exec tests-sw-ztrust openlan network --name example client add --user vpn2@example --address 10.93.0.11"
[26-06-02 09:52:32][ASSERT#0010][OK] cost=0.068s
Started OpenVPN client container: tests-sw-ztrust.vpn1
[26-06-02 09:52:32][ASSERT#0011][expect] at cases/switch_ztrust.sh:67 fn=setup_openvpn_client retry=40 cmd="docker logs -f tests-sw-ztrust.vpn1" expect="Initialization Sequence Completed"
2026-06-02 09:52:33 net_addr_v4_add: 10.93.0.10/24 dev tun0
2026-06-02 09:52:33 net_route_v4_add: 10.93.0.0/24 via 10.93.0.1 dev [NULL] table 0 metric 300
2026-06-02 09:52:33 net_route_v4_add: 192.59.0.0/24 via 10.93.0.1 dev [NULL] table 0 metric 300
2026-06-02 09:52:33 Initialization Sequence Completed
[26-06-02 09:52:33][ASSERT#0011][OK] cost=1.029s
[26-06-02 09:52:33][ASSERT#0012][cmd] at cases/switch_ztrust.sh:71 fn=setup_local_service cmd="docker exec tests-sw-ztrust sh -c nohup sh -c 'while true; do printf "HTTP/1.1 200 OK\r\nContent-Length: 11\r\n\r\nztrust-8081" | socat - TCP-LISTEN:8081,reuseaddr; done' >/tmp/ztrust-8081.log 2>&1 &"
[26-06-02 09:52:33][ASSERT#0012][OK] cost=0.047s
[26-06-02 09:52:33][ASSERT#0013][match] at cases/switch_ztrust.sh:75 fn=test_ztrust_flow retry=3 cmd="docker exec tests-sw-ztrust.vpn1 wget -qO- -T 3 -t 1 http://192.59.0.1:8081" expect="ztrust-8081"
ztrust-8081
[26-06-02 09:52:34][ASSERT#0013][OK] cost=0.085s
[26-06-02 09:52:34][ASSERT#0014][cmd] at cases/switch_ztrust.sh:77 fn=test_ztrust_flow cmd="docker exec tests-sw-ztrust openlan ztrust --network example enable"
[26-06-02 09:52:34][ASSERT#0014][OK] cost=0.068s
[26-06-02 09:52:34][ASSERT#0015][match] at cases/switch_ztrust.sh:78 fn=test_ztrust_flow retry=1 cmd="docker exec tests-sw-ztrust iptables -t mangle -S TT_pre-example" expect="Goto Zero Trust"
-N TT_pre-example
-A TT_pre-example -i tun1194 -m comment --comment "Goto Zero Trust" -j ZT_example
[26-06-02 09:52:34][ASSERT#0015][OK] cost=0.071s
[26-06-02 09:52:34][ASSERT#0016][match] at cases/switch_ztrust.sh:79 fn=test_ztrust_flow retry=1 cmd="docker exec tests-sw-ztrust iptables -t mangle -S ZT_example" expect="ZTrust Deny All"
-N ZT_example
-A ZT_example -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Forwarding Accpted" -j ACCEPT
-A ZT_example -m comment --comment "ZTrust Deny All" -j DROP
[26-06-02 09:52:34][ASSERT#0016][OK] cost=0.059s
[26-06-02 09:52:34][ASSERT#0017][unmatch] at cases/switch_ztrust.sh:80 fn=test_ztrust_flow retry=3 cmd="docker exec tests-sw-ztrust.vpn1 wget -qO- -T 3 -t 1 http://192.59.0.1:8081" unexpected="ztrust-8081"
Last output:
[26-06-02 09:52:46][ASSERT#0017][OK] cost=12.261s
[26-06-02 09:52:46][ASSERT#0018][cmd] at cases/switch_ztrust.sh:82 fn=test_ztrust_flow cmd="docker exec tests-sw-ztrust openlan reload --save"
Save configuraion ... success
# reloading pid:43 ....
PID 43 CMD: /usr/bin/openlan-switch -conf:dir /etc/openlan/switch -log:level 20
# max wait 60s...
# during 1s, new pid:595 ...
PID 595 CMD: /usr/bin/openlan-switch -conf:dir /etc/openlan/switch -log:level 20
[26-06-02 09:52:47][ASSERT#0018][OK] cost=1.079s
[26-06-02 09:52:47][ASSERT#0019][match] at cases/switch_ztrust.sh:84 fn=test_ztrust_flow retry=1 cmd="docker exec tests-sw-ztrust iptables -t mangle -S TT_pre-example" expect="Goto Zero Trust"
-N TT_pre-example
-A TT_pre-example -i tun1194 -m comment --comment "Goto Zero Trust" -j ZT_example
[26-06-02 09:52:47][ASSERT#0019][OK] cost=0.064s
[26-06-02 09:52:47][ASSERT#0020][match] at cases/switch_ztrust.sh:85 fn=test_ztrust_flow retry=1 cmd="docker exec tests-sw-ztrust iptables -t mangle -S ZT_example" expect="ZTrust Deny All"
-N ZT_example
-A ZT_example -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Forwarding Accpted" -j ACCEPT
-A ZT_example -m comment --comment "ZTrust Deny All" -j DROP
[26-06-02 09:52:47][ASSERT#0020][OK] cost=0.067s
[26-06-02 09:52:47][ASSERT#0021][unmatch] at cases/switch_ztrust.sh:86 fn=test_ztrust_flow retry=3 cmd="docker exec tests-sw-ztrust.vpn1 wget -qO- -T 3 -t 1 http://192.59.0.1:8081" unexpected="ztrust-8081"
Last output:
[26-06-02 09:53:00][ASSERT#0021][OK] cost=12.251s
[26-06-02 09:53:00][ASSERT#0022][cmd] at cases/switch_ztrust.sh:88 fn=test_ztrust_flow cmd="docker exec tests-sw-ztrust openlan ztrust --network example guest add --user vpn1 --address 10.93.0.10"
[26-06-02 09:53:00][ASSERT#0022][OK] cost=0.077s
[26-06-02 09:53:00][ASSERT#0023][cmd] at cases/switch_ztrust.sh:89 fn=test_ztrust_flow cmd="docker exec tests-sw-ztrust openlan --token vpn2@example:123457 ztrust guest add --address 10.93.0.11"
[26-06-02 09:53:00][ASSERT#0023][OK] cost=0.189s
[26-06-02 09:53:00][ASSERT#0024][match] at cases/switch_ztrust.sh:90 fn=test_ztrust_flow retry=1 cmd="docker exec tests-sw-ztrust openlan ztrust --network example guest ls" expect="vpn2@example"
# total 2
username      address
vpn1@example  10.93.0.10
vpn2@example  10.93.0.11
[26-06-02 09:53:00][ASSERT#0024][OK] cost=0.074s
[26-06-02 09:53:00][ASSERT#0025][match] at cases/switch_ztrust.sh:91 fn=test_ztrust_flow retry=1 cmd="docker exec tests-sw-ztrust openlan ztrust --network example guest ls" expect="10.93.0.11"
# total 2
username      address
vpn1@example  10.93.0.10
vpn2@example  10.93.0.11
[26-06-02 09:53:00][ASSERT#0025][OK] cost=0.066s
[26-06-02 09:53:00][ASSERT#0026][match] at cases/switch_ztrust.sh:92 fn=test_ztrust_flow retry=1 cmd="docker exec tests-sw-ztrust sh -c 'openlan --token vpn4@example:123459 ztrust guest add 2>&1 || true'" expect="can't find address"
2026/06/02 09:53:00 400 Bad Request can't find address
[26-06-02 09:53:00][ASSERT#0026][OK] cost=0.189s
[26-06-02 09:53:00][ASSERT#0027][cmd_fail] at cases/switch_ztrust.sh:93 fn=test_ztrust_flow cmd="docker exec tests-sw-ztrust openlan --token vpn3@example:123458 ztrust knock add --protocol tcp --socket 192.59.0.1:8081 --age 120"
2026/06/02 09:53:00 400 Bad Request Knock: not found vpn3
[26-06-02 09:53:00][ASSERT#0027][OK] cost=0.184s
[26-06-02 09:53:00][ASSERT#0028][cmd] at cases/switch_ztrust.sh:94 fn=test_ztrust_flow cmd="docker exec tests-sw-ztrust openlan --token vpn1@example:123456 ztrust knock add --protocol tcp --socket 192.59.0.1:8081 --age 120"
[26-06-02 09:53:01][ASSERT#0028][OK] cost=0.181s
[26-06-02 09:53:01][ASSERT#0029][match] at cases/switch_ztrust.sh:96 fn=test_ztrust_flow retry=1 cmd="docker exec tests-sw-ztrust openlan ztrust --network example guest ls" expect="vpn1@example"
# total 2
username      address
vpn1@example  10.93.0.10
vpn2@example  10.93.0.11
[26-06-02 09:53:01][ASSERT#0029][OK] cost=0.074s
[26-06-02 09:53:01][ASSERT#0030][match] at cases/switch_ztrust.sh:97 fn=test_ztrust_flow retry=1 cmd="docker exec tests-sw-ztrust openlan ztrust --network example knock ls --user vpn1" expect="192.59.0.1:8081"
# total 1
username      protocol  socket           age  createAt
vpn1@example  tcp       192.59.0.1:8081  120  2026-06-02 09:53:01 +0000 UTC
[26-06-02 09:53:01][ASSERT#0030][OK] cost=0.067s
[26-06-02 09:53:01][ASSERT#0031][match] at cases/switch_ztrust.sh:98 fn=test_ztrust_flow retry=1 cmd="docker exec tests-sw-ztrust openlan --token vpn1@example:123456 ztrust knock ls" expect="192.59.0.1:8081"
# total 1
username      protocol  socket           age  createAt
vpn1@example  tcp       192.59.0.1:8081  120  2026-06-02 09:53:01 +0000 UTC
[26-06-02 09:53:01][ASSERT#0031][OK] cost=0.195s
[26-06-02 09:53:01][ASSERT#0032][unmatch] at cases/switch_ztrust.sh:99 fn=test_ztrust_flow retry=1 cmd="docker exec tests-sw-ztrust openlan --token vpn2@example:123457 ztrust knock ls" unexpected="192.59.0.1:8081"
Last output:
# total 0
username      protocol  socket           age  createAt
[26-06-02 09:53:02][ASSERT#0032][OK] cost=1.191s
[26-06-02 09:53:02][ASSERT#0033][match] at cases/switch_ztrust.sh:100 fn=test_ztrust_flow retry=3 cmd="docker exec tests-sw-ztrust.vpn1 wget -qO- -T 3 -t 1 http://192.59.0.1:8081" expect="ztrust-8081"
ztrust-8081
[26-06-02 09:53:02][ASSERT#0033][OK] cost=0.092s
[26-06-02 09:53:02][ASSERT#0034][cmd] at cases/switch_ztrust.sh:102 fn=test_ztrust_flow cmd="docker exec tests-sw-ztrust openlan ztrust --network example guest rm --user vpn1"
[26-06-02 09:53:02][ASSERT#0034][OK] cost=0.142s
[26-06-02 09:53:02][ASSERT#0035][cmd] at cases/switch_ztrust.sh:103 fn=test_ztrust_flow cmd="docker exec tests-sw-ztrust openlan ztrust --network example disable"
[26-06-02 09:53:02][ASSERT#0035][OK] cost=0.096s
[26-06-02 09:53:02][ASSERT#0036][match] at cases/switch_ztrust.sh:104 fn=test_ztrust_flow retry=3 cmd="docker exec tests-sw-ztrust.vpn1 wget -qO- -T 3 -t 1 http://192.59.0.1:8081" expect="ztrust-8081"
ztrust-8081
[26-06-02 09:53:03][ASSERT#0036][OK] cost=0.084s
[26-06-02 09:53:03][ASSERT#0037][cmd] at cases/switch_ztrust.sh:106 fn=test_ztrust_flow cmd="docker exec tests-sw-ztrust openlan reload --save"
Save configuraion ... success
# reloading pid:595 ....
PID 595 CMD: /usr/bin/openlan-switch -conf:dir /etc/openlan/switch -log:level 20
# max wait 60s...
# during 1s, new pid:973 ...
PID 973 CMD: /usr/bin/openlan-switch -conf:dir /etc/openlan/switch -log:level 20
[26-06-02 09:53:04][ASSERT#0037][OK] cost=1.082s
[26-06-02 09:53:04][ASSERT#0038][match] at cases/switch_ztrust.sh:107 fn=test_ztrust_flow retry=3 cmd="docker exec tests-sw-ztrust.vpn1 wget -qO- -T 3 -t 1 http://192.59.0.1:8081" expect="ztrust-8081"
ztrust-8081
[26-06-02 09:53:04][ASSERT#0038][OK] cost=0.086s
[26-06-02 09:53:04] END switch_ztrust status=PASS cost=34.976s