[mirror_ovs.git] / tests / ovs-monitor-ipsec.at

AT_BANNER([ovs-monitor-ipsec])

AT_SETUP([ovs-monitor-ipsec])
AT_SKIP_IF([test $HAVE_PYTHON = no])
AT_SKIP_IF([$non_ascii_cwd])

OVS_RUNDIR=`pwd`; export OVS_RUNDIR
OVS_DBDIR=`pwd`; export OVS_DBDIR
OVS_PKGDATADIR=`pwd`; export OVS_PKGDATADIR
cp "$top_srcdir/vswitchd/vswitch.ovsschema" .

ON_EXIT([kill `cat pid ovs-monitor-ipsec.pid`])

mkdir etc etc/init.d etc/racoon etc/racoon/certs
mkdir usr usr/sbin

AT_DATA([etc/init.d/racoon], [dnl
#! /bin/sh
echo "racoon: $@" >&3
exit 0
])
chmod +x etc/init.d/racoon

AT_DATA([usr/sbin/setkey], [dnl
#! /bin/sh
exec >&3
echo "setkey:"
while read line; do
      echo "> $line"
done
])
chmod +x usr/sbin/setkey

touch etc/racoon/certs/ovs-stale.pem

ovs_vsctl () {
    ovs-vsctl --no-wait -vreconnect:emer --db=unix:socket "$@"
}
trim () {  # Removes blank lines and lines starting with # from input.
    sed -e '/^#/d' -e '/^[       ]*$/d' "$@"
}

###
### Start ovsdb-server.
###
OVS_VSCTL_SETUP

###
### Start ovs-monitor-ipsec and wait for it to delete the stale cert.
###
AT_CHECK(
  [$PYTHON $top_srcdir/debian/ovs-monitor-ipsec "--root-prefix=`pwd`" \
        "--pidfile=`pwd`/ovs-monitor-ipsec.pid" \
        unix:socket 2>log 3>actions &])
AT_CAPTURE_FILE([log])
AT_CAPTURE_FILE([actions])
OVS_WAIT_UNTIL([test ! -f etc/racoon/certs/ovs-stale.pem])

###
### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does
###
AT_CHECK([ovs_vsctl \
              -- add-br br0 \
              -- add-port br0 gre0 \
              -- set interface gre0 type=ipsec_gre \
                                    options:remote_ip=1.2.3.4 \
                                    options:psk=swordfish])
OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions >/dev/null])
AT_CHECK([cat actions], [0], [dnl
setkey:
> flush;
setkey:
> spdflush;
racoon: reload
racoon: reload
setkey:
> spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require;
> spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4   swordfish
])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 1.2.3.4 {
        exchange_mode main;
        nat_traversal on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])

###
### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does
###
AT_CHECK([ovs_vsctl del-port gre0])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17])
AT_CHECK([sed '1,9d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 1.2.3.4 gre -P out;
> spddelete 1.2.3.4 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])

###
### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec does
###
AT_DATA([cert.pem], [dnl
-----BEGIN CERTIFICATE-----
(not a real certificate)
-----END CERTIFICATE-----
])
AT_DATA([key.pem], [dnl
-----BEGIN RSA PRIVATE KEY-----
(not a real private key)
-----END RSA PRIVATE KEY-----
])
AT_CHECK([ovs_vsctl \
              -- add-port br0 gre1 \
              -- set Interface gre1 type=ipsec_gre \
                 options:remote_ip=2.3.4.5 \
                 options:peer_cert='"-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
"' \
                 options:certificate='"/cert.pem"' \
                 options:private_key='"/key.pem"'])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
AT_CHECK([sed '1,17d' actions], [0], [dnl
racoon: reload
setkey:
> spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require;
> spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 2.3.4.5 {
        exchange_mode main;
        nat_traversal on;
        ike_frag on;
        certificate_type x509 "/cert.pem" "/key.pem";
        my_identifier asn1dn;
        peers_identifier asn1dn;
        peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem";
        verify_identifier on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])
AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl
-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
])

###
### Delete the ipsec_gre certificate interface.
###
AT_CHECK([ovs_vsctl del-port gre1])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
AT_CHECK([sed '1,21d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 2.3.4.5 gre -P out;
> spddelete 2.3.4.5 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])
AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])

###
### Add an SSL certificate interface.
###
cp cert.pem ssl-cert.pem
cp key.pem ssl-key.pem
AT_DATA([ssl-cacert.pem], [dnl
-----BEGIN CERTIFICATE-----
(not a real CA certificate)
-----END CERTIFICATE-----
])
AT_CHECK([ovs_vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \
              -- add-port br0 gre2 \
              -- set Interface gre2 type=ipsec_gre \
                 options:remote_ip=3.4.5.6 \
                 options:peer_cert='"-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
"' \
                 options:use_ssl_cert='"true"'])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33])
AT_CHECK([sed '1,29d' actions], [0], [dnl
racoon: reload
setkey:
> spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require;
> spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 3.4.5.6 {
        exchange_mode main;
        nat_traversal on;
        ike_frag on;
        certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem";
        my_identifier asn1dn;
        peers_identifier asn1dn;
        peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem";
        verify_identifier on;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])
AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl
-----BEGIN CERTIFICATE-----
(not a real peer certificate)
-----END CERTIFICATE-----
])

###
### Delete the SSL certificate interface.
###
AT_CHECK([ovs_vsctl del-port gre2])
OVS_WAIT_UNTIL([test `wc -l < actions` -ge 41])
AT_CHECK([sed '1,33d' actions], [0], [dnl
racoon: reload
setkey:
> spddelete 0.0.0.0/0 3.4.5.6 gre -P out;
> spddelete 3.4.5.6 0.0.0.0/0 gre -P in;
setkey:
> dump ;
setkey:
> dump ;
])
AT_CHECK([trim etc/racoon/psk.txt], [0], [])
AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
])
AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem])

OVSDB_SERVER_SHUTDOWN

AT_CLEANUP
Commit	Line	Data
b54bdbe9 BP	1	AT_BANNER([ovs-monitor-ipsec])
	2
	3	AT_SETUP([ovs-monitor-ipsec])
	4	AT_SKIP_IF([test $HAVE_PYTHON = no])
e6e590a7	5	AT_SKIP_IF([$non_ascii_cwd])
b54bdbe9	6
bb474bb3	7	OVS_RUNDIR=`pwd`; export OVS_RUNDIR
f973f2af	8	OVS_DBDIR=`pwd`; export OVS_DBDIR
b54bdbe9 BP	9	OVS_PKGDATADIR=`pwd`; export OVS_PKGDATADIR
	10	cp "$top_srcdir/vswitchd/vswitch.ovsschema" .
	11
0b7140bb	12	ON_EXIT([kill `cat pid ovs-monitor-ipsec.pid`])
b54bdbe9 BP	13
	14	mkdir etc etc/init.d etc/racoon etc/racoon/certs
	15	mkdir usr usr/sbin
	16
	17	AT_DATA([etc/init.d/racoon], [dnl
	18	#! /bin/sh
	19	echo "racoon: $@" >&3
	20	exit 0
	21	])
	22	chmod +x etc/init.d/racoon
	23
	24	AT_DATA([usr/sbin/setkey], [dnl
	25	#! /bin/sh
	26	exec >&3
	27	echo "setkey:"
	28	while read line; do
	29	echo "> $line"
	30	done
	31	])
	32	chmod +x usr/sbin/setkey
	33
	34	touch etc/racoon/certs/ovs-stale.pem
	35
	36	ovs_vsctl () {
fba6bd1d	37	ovs-vsctl --no-wait -vreconnect:emer --db=unix:socket "$@"
b54bdbe9 BP	38	}
	39	trim () { # Removes blank lines and lines starting with # from input.
	40	sed -e '/^#/d' -e '/^[ ]*$/d' "$@"
	41	}
	42
	43	###
	44	### Start ovsdb-server.
	45	###
	46	OVS_VSCTL_SETUP
	47
	48	###
	49	### Start ovs-monitor-ipsec and wait for it to delete the stale cert.
	50	###
	51	AT_CHECK(
	52	[$PYTHON $top_srcdir/debian/ovs-monitor-ipsec "--root-prefix=`pwd`" \
b153e667	53	"--pidfile=`pwd`/ovs-monitor-ipsec.pid" \
b54bdbe9 BP	54	unix:socket 2>log 3>actions &])
	55	AT_CAPTURE_FILE([log])
	56	AT_CAPTURE_FILE([actions])
	57	OVS_WAIT_UNTIL([test ! -f etc/racoon/certs/ovs-stale.pem])
	58
	59	###
	60	### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does
	61	###
	62	AT_CHECK([ovs_vsctl \
	63	-- add-br br0 \
	64	-- add-port br0 gre0 \
	65	-- set interface gre0 type=ipsec_gre \
	66	options:remote_ip=1.2.3.4 \
	67	options:psk=swordfish])
	68	OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions >/dev/null])
	69	AT_CHECK([cat actions], [0], [dnl
	70	setkey:
	71	> flush;
	72	setkey:
	73	> spdflush;
	74	racoon: reload
	75	racoon: reload
	76	setkey:
	77	> spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require;
	78	> spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require;
	79	])
	80	AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4 swordfish
	81	])
	82	AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
	83	path pre_shared_key "/etc/racoon/psk.txt";
	84	path certificate "/etc/racoon/certs";
	85	remote 1.2.3.4 {
	86	exchange_mode main;
	87	nat_traversal on;
	88	proposal {
	89	encryption_algorithm aes;
	90	hash_algorithm sha1;
	91	authentication_method pre_shared_key;
	92	dh_group 2;
	93	}
	94	}
	95	sainfo anonymous {
	96	pfs_group 2;
	97	lifetime time 1 hour;
	98	encryption_algorithm aes;
	99	authentication_algorithm hmac_sha1, hmac_md5;
	100	compression_algorithm deflate;
	101	}
	102	])
	103
	104	###
	105	### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does
	106	###
	107	AT_CHECK([ovs_vsctl del-port gre0])
	108	OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17])
	109	AT_CHECK([sed '1,9d' actions], [0], [dnl
	110	racoon: reload
	111	setkey:
	112	> spddelete 0.0.0.0/0 1.2.3.4 gre -P out;
	113	> spddelete 1.2.3.4 0.0.0.0/0 gre -P in;
	114	setkey:
	115	> dump ;
	116	setkey:
	117	> dump ;
118	])
119	AT_CHECK([trim etc/racoon/psk.txt], [0], [])
120	AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
121	path pre_shared_key "/etc/racoon/psk.txt";
122	path certificate "/etc/racoon/certs";
123	sainfo anonymous {
124	pfs_group 2;
125	lifetime time 1 hour;
126	encryption_algorithm aes;
127	authentication_algorithm hmac_sha1, hmac_md5;
128	compression_algorithm deflate;
129	}
130	])
131
132	###
133	### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec does
134	###
135	AT_DATA([cert.pem], [dnl
136	-----BEGIN CERTIFICATE-----
137	(not a real certificate)
138	-----END CERTIFICATE-----
139	])
140	AT_DATA([key.pem], [dnl
141	-----BEGIN RSA PRIVATE KEY-----
142	(not a real private key)
143	-----END RSA PRIVATE KEY-----
144	])
145	AT_CHECK([ovs_vsctl \
146	-- add-port br0 gre1 \
147	-- set Interface gre1 type=ipsec_gre \
148	options:remote_ip=2.3.4.5 \
149	options:peer_cert='"-----BEGIN CERTIFICATE-----
150	(not a real peer certificate)
151	-----END CERTIFICATE-----
152	"' \
153	options:certificate='"/cert.pem"' \
154	options:private_key='"/key.pem"'])
155	OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
156	AT_CHECK([sed '1,17d' actions], [0], [dnl
157	racoon: reload
158	setkey:
159	> spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require;
160	> spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require;
161	])
162	AT_CHECK([trim etc/racoon/psk.txt], [0], [])
163	AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
164	path pre_shared_key "/etc/racoon/psk.txt";
165	path certificate "/etc/racoon/certs";
166	remote 2.3.4.5 {
167	exchange_mode main;
168	nat_traversal on;
169	ike_frag on;
170	certificate_type x509 "/cert.pem" "/key.pem";
171	my_identifier asn1dn;
172	peers_identifier asn1dn;
173	peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem";
174	verify_identifier on;
175	proposal {
176	encryption_algorithm aes;
177	hash_algorithm sha1;
178	authentication_method rsasig;
179	dh_group 2;
180	}
181	}
182	sainfo anonymous {
183	pfs_group 2;
184	lifetime time 1 hour;
185	encryption_algorithm aes;
186	authentication_algorithm hmac_sha1, hmac_md5;
187	compression_algorithm deflate;
188	}
189	])
190	AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl
191	-----BEGIN CERTIFICATE-----
192	(not a real peer certificate)
193	-----END CERTIFICATE-----
194	])
195
196	###
197	### Delete the ipsec_gre certificate interface.
198	###
199	AT_CHECK([ovs_vsctl del-port gre1])
200	OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
201	AT_CHECK([sed '1,21d' actions], [0], [dnl
202	racoon: reload
203	setkey:
204	> spddelete 0.0.0.0/0 2.3.4.5 gre -P out;
205	> spddelete 2.3.4.5 0.0.0.0/0 gre -P in;
206	setkey:
207	> dump ;
208	setkey:
209	> dump ;
210	])
211	AT_CHECK([trim etc/racoon/psk.txt], [0], [])
212	AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
213	path pre_shared_key "/etc/racoon/psk.txt";
214	path certificate "/etc/racoon/certs";
215	sainfo anonymous {
216	pfs_group 2;
217	lifetime time 1 hour;
218	encryption_algorithm aes;
219	authentication_algorithm hmac_sha1, hmac_md5;
220	compression_algorithm deflate;
221	}
222	])
223	AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])
224
ad6247f5 BP	225	###
	226	### Add an SSL certificate interface.
	227	###
	228	cp cert.pem ssl-cert.pem
	229	cp key.pem ssl-key.pem
	230	AT_DATA([ssl-cacert.pem], [dnl
	231	-----BEGIN CERTIFICATE-----
	232	(not a real CA certificate)
	233	-----END CERTIFICATE-----
	234	])
	235	AT_CHECK([ovs_vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \
	236	-- add-port br0 gre2 \
	237	-- set Interface gre2 type=ipsec_gre \
	238	options:remote_ip=3.4.5.6 \
	239	options:peer_cert='"-----BEGIN CERTIFICATE-----
	240	(not a real peer certificate)
	241	-----END CERTIFICATE-----
	242	"' \
	243	options:use_ssl_cert='"true"'])
dfbf7f35	244	OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33])
ad6247f5 BP	245	AT_CHECK([sed '1,29d' actions], [0], [dnl
	246	racoon: reload
	247	setkey:
	248	> spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require;
	249	> spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require;
	250	])
	251	AT_CHECK([trim etc/racoon/psk.txt], [0], [])
	252	AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
	253	path pre_shared_key "/etc/racoon/psk.txt";
	254	path certificate "/etc/racoon/certs";
	255	remote 3.4.5.6 {
	256	exchange_mode main;
	257	nat_traversal on;
	258	ike_frag on;
	259	certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem";
	260	my_identifier asn1dn;
	261	peers_identifier asn1dn;
	262	peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem";
	263	verify_identifier on;
	264	proposal {
	265	encryption_algorithm aes;
	266	hash_algorithm sha1;
	267	authentication_method rsasig;
	268	dh_group 2;
	269	}
	270	}
	271	sainfo anonymous {
	272	pfs_group 2;
	273	lifetime time 1 hour;
	274	encryption_algorithm aes;
	275	authentication_algorithm hmac_sha1, hmac_md5;
	276	compression_algorithm deflate;
	277	}
	278	])
	279	AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl
	280	-----BEGIN CERTIFICATE-----
	281	(not a real peer certificate)
	282	-----END CERTIFICATE-----
	283	])
	284
	285	###
	286	### Delete the SSL certificate interface.
	287	###
	288	AT_CHECK([ovs_vsctl del-port gre2])
dfbf7f35	289	OVS_WAIT_UNTIL([test `wc -l < actions` -ge 41])
ad6247f5 BP	290	AT_CHECK([sed '1,33d' actions], [0], [dnl
	291	racoon: reload
	292	setkey:
	293	> spddelete 0.0.0.0/0 3.4.5.6 gre -P out;
	294	> spddelete 3.4.5.6 0.0.0.0/0 gre -P in;
	295	setkey:
	296	> dump ;
	297	setkey:
	298	> dump ;
	299	])
	300	AT_CHECK([trim etc/racoon/psk.txt], [0], [])
	301	AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
	302	path pre_shared_key "/etc/racoon/psk.txt";
	303	path certificate "/etc/racoon/certs";
	304	sainfo anonymous {
	305	pfs_group 2;
	306	lifetime time 1 hour;
	307	encryption_algorithm aes;
	308	authentication_algorithm hmac_sha1, hmac_md5;
	309	compression_algorithm deflate;
	310	}
	311	])
	312	AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem])
	313
94c33672 BP	314	OVSDB_SERVER_SHUTDOWN
94c33672 BP	315
b54bdbe9	316	AT_CLEANUP