1#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0
3#
4# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
5#
6# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
7# for various permutations:
8# 1. icmp, tcp, udp and netfilter
9# 2. client, server, no-server
10# 3. global address on interface
11# 4. global address on 'lo'
12# 5. remote and local traffic
13# 6. VRF and non-VRF permutations
14#
15# Setup:
16# ns-A | ns-B
17# No VRF case:
18# [ lo ] [ eth1 ]---|---[ eth1 ] [ lo ]
19# remote address
20# VRF case:
21# [ red ]---[ eth1 ]---|---[ eth1 ] [ lo ]
22#
23# ns-A:
24# eth1: 172.16.1.1/24, 2001:db8:1::1/64
25# lo: 127.0.0.1/8, ::1/128
26# 172.16.2.1/32, 2001:db8:2::1/128
27# red: 127.0.0.1/8, ::1/128
28# 172.16.3.1/32, 2001:db8:3::1/128
29#
30# ns-B:
31# eth1: 172.16.1.2/24, 2001:db8:1::2/64
32# lo2: 127.0.0.1/8, ::1/128
33# 172.16.2.2/32, 2001:db8:2::2/128
34#
35# ns-A to ns-C connection - only for VRF and same config
36# as ns-A to ns-B
37#
38# server / client nomenclature relative to ns-A
39
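# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4

# 1 turns on command echo and the extra output of the log helpers.
VERBOSE=0

# device, VRF and routing table names used when building the topology
NSA_DEV=eth1
NSA_DEV2=eth2
NSB_DEV=eth1
NSC_DEV=eth2
VRF=red
VRF_TABLE=1101

# IPv4 config
NSA_IP=172.16.1.1
NSB_IP=172.16.1.2
VRF_IP=172.16.3.1
NS_NET=172.16.1.0/24

# IPv6 config
NSA_IP6=2001:db8:1::1
NSB_IP6=2001:db8:1::2
VRF_IP6=2001:db8:3::1
NS_NET6=2001:db8:1::/120

NSA_LO_IP=172.16.2.1
NSB_LO_IP=172.16.2.2
NSA_LO_IP6=2001:db8:2::1
NSB_LO_IP6=2001:db8:2::2

# non-local addresses for freebind tests
NL_IP=172.17.1.1
NL_IP6=2001:db8:4::1

# multicast and broadcast addresses
MCAST_IP=224.0.0.1
BCAST_IP=255.255.255.255

# TCP-MD5 keys for the nettest server/client cases. These are fixed test
# fixtures, not secrets: they are handed to nettest on its command line.
MD5_PW=abc123
MD5_WRONG_PW=abc1234

MCAST=ff02::1
# set after namespace create
NSA_LINKIP6=
NSB_LINKIP6=

NSA=ns-A
NSB=ns-B
NSC=ns-C

# Command prefixes; expanded unquoted by the run_cmd helpers so that they
# split into separate words.
NSA_CMD="ip netns exec ${NSA}"
NSB_CMD="ip netns exec ${NSB}"
NSC_CMD="ip netns exec ${NSC}"

# Use a dedicated ping6 binary when there is one, else plain ping.
# 'command -v' is a shell builtin, so the lookup does not depend on the
# external 'which' utility being installed.
if command -v ping6 > /dev/null 2>&1; then
	ping6=$(command -v ping6)
else
	ping6=$(command -v ping)
fi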
94
95################################################################################
96# utilities
97
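# Record one test result and print a "TEST: ..." line for it.
#
# Arguments: $1 - exit status the test produced
#            $2 - exit status the test was expected to produce
#            $3 - description shown in the result line
# Globals:   nsuccess or nfail is incremented; VERBOSE, PAUSE and
#            PAUSE_ON_FAIL are read.
# Exits with status 1 when the operator answers 'q' at a pause prompt.
# Ends by calling kill_procs so no test process outlives its case.
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"
	# Local on purpose: the test functions keep their loop address in a
	# variable named 'a', and a plain 'read a' here would overwrite it
	# through bash dynamic scoping.
	local reply

	[ "${VERBOSE}" = "1" ] && echo

	if [ "${rc}" -eq "${expected}" ]; then
		nsuccess=$((nsuccess+1))
		printf "TEST: %-70s [ OK ]\n" "${msg}"
	else
		nfail=$((nfail+1))
		printf "TEST: %-70s [FAIL]\n" "${msg}"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue, 'q' to quit"
			read -r reply
			[ "$reply" = "q" ] && exit 1
		fi
	fi

	if [ "${PAUSE}" = "yes" ]; then
		echo
		echo "hit enter to continue, 'q' to quit"
		read -r reply
		[ "$reply" = "q" ] && exit 1
	fi

	kill_procs
}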
129
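# Log a test result with a readable label for the address under test.
#
# Arguments: $1 - address the test used
#            $2 - exit status the test produced
#            $3 - expected exit status
#            $4 - description; " - <label>" from addr2str is appended
log_test_addr()
{
	local addr=$1
	local rc=$2
	local expected=$3
	local msg="$4"
	local astr

	# Quoted so that an empty value stays in its own position instead of
	# vanishing and shifting the remaining arguments of log_test.
	astr=$(addr2str "${addr}")
	log_test "$rc" "$expected" "$msg - ${astr}"
}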
141
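# Print a section title framed by two rule lines and blank lines.
#
# Arguments: all arguments, joined by spaces, form the title
log_section()
{
	local rule="###########################################################################"

	echo
	echo "${rule}"
	# printf rather than echo: a title that starts with -n or -e would
	# be taken as an echo option and not printed.
	printf '%s\n' "$*"
	echo "${rule}"
	echo
}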
150
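# Print a subsection title under a single rule line.
#
# Arguments: all arguments, joined by spaces, form the title
log_subsection()
{
	echo
	echo "#################################################################"
	# printf rather than echo: a title that starts with -n or -e would
	# be taken as an echo option and not printed.
	printf '%s\n' "$*"
	echo
}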
158
# Start a test case: stop leftover test processes and, in verbose mode,
# print a separator line.
log_start()
{
	# no test instance from an earlier case may still be running
	kill_procs

	[ "${VERBOSE}" = "1" ] || return 0

	echo
	echo "#######################################################"
}
169
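# Print a message surrounded by blank lines, only when VERBOSE is 1.
#
# Arguments: all arguments, joined by spaces, form the message
log_debug()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo
		# printf rather than echo: a message that starts with -n or
		# -e would be taken as an echo option and not printed.
		printf '%s\n' "$*"
		echo
	fi
}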
178
# Print "HINT: <text>" followed by a blank line, only when VERBOSE is 1.
# The test functions use it to say why a case is expected to fail.
show_hint()
{
	[ "${VERBOSE}" = "1" ] || return 0

	echo "HINT: $*"
	echo
}
186
# Stop every nettest, ping and ping6 process, then wait one second.
#
# killall selects by process name and is not run inside a test namespace
# here, so processes with these names outside the test are signalled as
# well. All killall output is discarded.
kill_procs()
{
	local names="nettest ping ping6"

	killall ${names} &> /dev/null
	sleep 1
}
192
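# Run a command, capturing stdout and stderr together.
#
# Arguments: the command and its arguments
# Globals:   VERBOSE is read; rc is set to the command's exit status
#            (rc is not local here, so it is visible to callers).
# Outputs:   with VERBOSE=1, a "COMMAND: ..." line and any captured output
# Returns:   the exit status of the command
do_run_cmd()
{
	local cmd="$*"
	local out

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${cmd}"
	fi

	# ${cmd} is expanded unquoted so the joined string splits back into
	# words. Arguments are therefore re-split on whitespace and
	# glob-expanded; callers pass fixed test constants.
	out=$($cmd 2>&1)
	rc=$?
	# two tests joined by && instead of the obsolescent, ambiguous
	# '-a' operator of '['
	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		echo "$out"
	fi

	return $rc
}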
210
# Run a command inside ns-A through do_run_cmd.
#
# Both expansions stay unquoted: NSA_CMD has to split into
# "ip netns exec <ns>", and the arguments are re-split as well.
run_cmd()
{
	do_run_cmd ${NSA_CMD} $@
}
215
# Run a command inside ns-B through do_run_cmd.
#
# Both expansions stay unquoted: NSB_CMD has to split into
# "ip netns exec <ns>", and the arguments are re-split as well.
run_cmd_nsb()
{
	do_run_cmd ${NSB_CMD} $@
}
220
# Run a command inside ns-C through do_run_cmd.
#
# Both expansions stay unquoted: NSC_CMD has to split into
# "ip netns exec <ns>", and the arguments are re-split as well.
run_cmd_nsc()
{
	do_run_cmd ${NSC_CMD} $@
}
225
# Run a setup command in ns-A and stop the whole test run if it fails.
#
# Arguments: the command and its arguments
# On failure: prints the command (unless VERBOSE already showed it),
# optionally waits for enter when PAUSE_ON_FAIL=yes, then exits the script
# with the command's status.
setup_cmd()
{
	local cmd="$*"
	local rc

	run_cmd ${cmd}
	rc=$?
	[ $rc -eq 0 ] && return 0

	# show user the command if not done so already
	[ "$VERBOSE" = "0" ] && echo "setup command: $cmd"
	echo "failed. stopping tests"
	if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
		echo
		echo "hit enter to continue"
		read a
	fi
	exit $rc
}
247
# Run a setup command in ns-B and stop the whole test run if it fails.
#
# Arguments: the command and its arguments
# On failure: prints the command (unless VERBOSE already showed it),
# optionally waits for enter when PAUSE_ON_FAIL=yes, then exits the script
# with the command's status.
setup_cmd_nsb()
{
	local cmd="$*"
	local rc

	run_cmd_nsb ${cmd}
	rc=$?
	[ $rc -eq 0 ] && return 0

	# show user the command if not done so already
	[ "$VERBOSE" = "0" ] && echo "setup command: $cmd"
	echo "failed. stopping tests"
	if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
		echo
		echo "hit enter to continue"
		read a
	fi
	exit $rc
}
269
# Run a setup command in ns-C and stop the whole test run if it fails.
#
# Arguments: the command and its arguments
# On failure: prints the command (unless VERBOSE already showed it),
# optionally waits for enter when PAUSE_ON_FAIL=yes, then exits the script
# with the command's status.
setup_cmd_nsc()
{
	local cmd="$*"
	local rc

	run_cmd_nsc ${cmd}
	rc=$?
	[ $rc -eq 0 ] && return 0

	# show user the command if not done so already
	[ "$VERBOSE" = "0" ] && echo "setup command: $cmd"
	echo "failed. stopping tests"
	if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
		echo
		echo "hit enter to continue"
		read a
	fi
	exit $rc
}
291
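# set sysctl values in NS-A
#
# Arguments: one or more key=value settings
# Globals:   NSA_CMD and VERBOSE are read; rc is set to sysctl's status
# Outputs:   a "SYSCTL: ..." line; with VERBOSE=1 also the command and
#            any output it produced (stdout and stderr are captured)
# Returns:   the exit status of sysctl
#
# sysctl is invoked here with "$@" instead of going through run_cmd:
# run_cmd and do_run_cmd re-split their arguments on whitespace, so a
# value containing a space (ping_group_range='0 2147483647') reached
# sysctl as two separate words and the setting was not applied as written.
set_sysctl()
{
	local out

	echo "SYSCTL: $*"
	echo

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${NSA_CMD} sysctl -q -w $*"
	fi

	# NSA_CMD stays unquoted so it splits into "ip netns exec <ns>"
	out=$(${NSA_CMD} sysctl -q -w "$@" 2>&1)
	rc=$?
	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		echo "$out"
	fi

	return $rc
}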
299
# get sysctl values in NS-A
#
# Arguments: one or more sysctl keys
# Outputs:   the values, as printed by 'sysctl -n', on stdout
get_sysctl()
{
	${NSA_CMD} sysctl -n $@
}
305
306################################################################################
307# Setup for tests
308
# Map an address used by the tests to a readable label.
#
# Arguments: $1 - address, optionally with a %<dev> suffix for the
#                 link-local and multicast entries
# Outputs:   the label on stdout, "unknown" when nothing matches
#
# The first matching arm wins, so the order of the arms matters. The
# variable arms are expanded unquoted and therefore act as patterns.
addr2str()
{
	local label

	case "$1" in
	127.0.0.1) label="loopback";;
	::1) label="IPv6 loopback";;

	${BCAST_IP}) label="broadcast";;
	${MCAST_IP}) label="multicast";;

	${NSA_IP}) label="ns-A IP";;
	${NSA_IP6}) label="ns-A IPv6";;
	${NSA_LO_IP}) label="ns-A loopback IP";;
	${NSA_LO_IP6}) label="ns-A loopback IPv6";;
	${NSA_LINKIP6}|${NSA_LINKIP6}%*) label="ns-A IPv6 LLA";;

	${NSB_IP}) label="ns-B IP";;
	${NSB_IP6}) label="ns-B IPv6";;
	${NSB_LO_IP}) label="ns-B loopback IP";;
	${NSB_LO_IP6}) label="ns-B loopback IPv6";;
	${NSB_LINKIP6}|${NSB_LINKIP6}%*) label="ns-B IPv6 LLA";;

	${NL_IP}) label="nonlocal IP";;
	${NL_IP6}) label="nonlocal IPv6";;

	${VRF_IP}) label="VRF IP";;
	${VRF_IP6}) label="VRF IPv6";;

	${MCAST}%*) label="multicast IP";;

	*) label="unknown";;
	esac

	echo "${label}"
}
341
# Print the IPv6 link-local address of a device in a namespace.
#
# Arguments: $1 - namespace name
#            $2 - device name
# Outputs:   the fe80 address without its prefix length
# Returns:   0 when an address was found, 1 otherwise
get_linklocal()
{
	local ns=$1
	local dev=$2
	local addr

	# fields 3..NF of the brief listing are scanned for an fe80 entry
	addr=$(ip -netns ${ns} -6 -br addr show dev ${dev} |
		awk '{ for (i = 3; i <= NF; ++i) if ($i ~ /^fe80/) print $i }')
	# keep only what precedes the first '/'
	addr=${addr%%/*}

	if [ -z "$addr" ]; then
		return 1
	fi

	echo $addr

	return 0
}
364
365################################################################################
366# create namespaces and vrf
367
# Create a VRF device in a namespace and give it addresses.
#
# Arguments: $1 - namespace name
#            $2 - VRF device name
#            $3 - routing table id for the VRF
#            $4 - IPv4 address for the VRF device, "-" for none
#            $5 - IPv6 address for the VRF device, "-" for none
#
# Also adds an unreachable default route (metric 8192) to the VRF for both
# families and re-creates the 'local' table rule at pref 32765 in place of
# pref 0.
create_vrf()
{
	local ns=$1
	local vrf=$2
	local table=$3
	local addr=$4
	local addr6=$5
	local nsip="ip -netns ${ns}"
	local fam

	${nsip} link add ${vrf} type vrf table ${table}
	${nsip} link set ${vrf} up
	${nsip} route add vrf ${vrf} unreachable default metric 8192
	${nsip} -6 route add vrf ${vrf} unreachable default metric 8192

	${nsip} addr add 127.0.0.1/8 dev ${vrf}
	${nsip} -6 addr add ::1 dev ${vrf} nodad
	if [ "${addr}" != "-" ]; then
		${nsip} addr add dev ${vrf} ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		${nsip} -6 addr add dev ${vrf} ${addr6}
	fi

	# IPv4 first (empty family flag), then IPv6
	for fam in "" "-6"
	do
		${nsip} ${fam} ru del pref 0
		${nsip} ${fam} ru add pref 32765 from all lookup local
	done
}
395
# Create a network namespace with loopback up and forwarding enabled.
#
# Arguments: $1 - namespace name
#            $2 - IPv4 address to add to lo, "-" for none
#            $3 - IPv6 address to add to lo, "-" for none
#
# Adds an unreachable default route (metric 8192) for both families and
# sets the four sysctls listed below to 1 inside the namespace.
create_ns()
{
	local ns=$1
	local addr=$2
	local addr6=$3
	local key

	ip netns add ${ns}

	ip -netns ${ns} link set lo up
	if [ "${addr}" != "-" ]; then
		ip -netns ${ns} addr add dev lo ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns ${ns} -6 addr add dev lo ${addr6}
	fi

	ip -netns ${ns} ro add unreachable default metric 8192
	ip -netns ${ns} -6 ro add unreachable default metric 8192

	for key in net.ipv4.ip_forward \
		   net.ipv6.conf.all.keep_addr_on_down \
		   net.ipv6.conf.all.forwarding \
		   net.ipv6.conf.default.forwarding
	do
		ip netns exec ${ns} sysctl -qw ${key}=1
	done
}
420
# create veth pair to connect namespaces and apply addresses.
#
# Arguments: $1 - first namespace        $5 - second namespace
#            $2 - device name in $1      $6 - device name in $5
#            $3 - IPv4 address for $2    $7 - IPv4 address for $6
#            $4 - IPv6 address for $2    $8 - IPv6 address for $6
# "-" as $3 (or $4) skips the IPv4 (or IPv6) addresses on both ends; only
# the first namespace's value is checked.
#
# The peer is created under the fixed name "tmp" in the first namespace
# and renamed while it is moved to the second one.
connect_ns()
{
	local ns1=$1
	local ns1_dev=$2
	local ns1_addr=$3
	local ns1_addr6=$4
	local ns2=$5
	local ns2_dev=$6
	local ns2_addr=$7
	local ns2_addr6=$8
	local ip1="ip -netns ${ns1}"
	local ip2="ip -netns ${ns2}"

	${ip1} li add ${ns1_dev} type veth peer name tmp
	${ip1} li set ${ns1_dev} up
	${ip1} li set tmp netns ${ns2} name ${ns2_dev}
	${ip2} li set ${ns2_dev} up

	if [ "${ns1_addr}" != "-" ]; then
		${ip1} addr add dev ${ns1_dev} ${ns1_addr}
		${ip2} addr add dev ${ns2_dev} ${ns2_addr}
	fi

	if [ "${ns1_addr6}" != "-" ]; then
		${ip1} addr add dev ${ns1_dev} ${ns1_addr6}
		${ip2} addr add dev ${ns2_dev} ${ns2_addr6}
	fi
}
448
# Tear down the test topology: the VRF, ns-A's device and all three
# namespaces, killing any process still running inside them.
#
# Notes: grep -q matches ${NSA} anywhere in the 'ip netns' listing, so a
# namespace whose name merely contains it also selects the ns-A branch.
# The pids reported for a namespace are passed to kill through xargs, and
# kill's diagnostics are discarded.
cleanup()
{
	# explicit cleanups to check those code paths
	if ip netns | grep -q ${NSA}; then
		ip -netns ${NSA} link delete ${VRF}
		ip -netns ${NSA} ro flush table ${VRF_TABLE}

		ip -netns ${NSA} addr flush dev ${NSA_DEV}
		ip -netns ${NSA} -6 addr flush dev ${NSA_DEV}
		ip -netns ${NSA} link set dev ${NSA_DEV} down
		ip -netns ${NSA} link del dev ${NSA_DEV}

		ip netns pids ${NSA} | xargs kill 2> /dev/null
		ip netns del ${NSA}
	fi

	ip netns pids ${NSB} | xargs kill 2> /dev/null
	ip netns del ${NSB}
	ip netns pids ${NSC} | xargs kill 2> /dev/null
	ip netns del ${NSC} &> /dev/null
}
471
# Undo setup_vrf_dup: delete the NSA_DEV2 link and remove ns-C after
# killing the processes inside it. Errors are silenced, so this is safe
# to call when nothing was set up.
cleanup_vrf_dup()
{
	ip link del ${NSA_DEV2} &> /dev/null
	ip netns pids ${NSC} | xargs kill 2> /dev/null
	ip netns del ${NSC} &> /dev/null
}
478
# Create ns-C and connect it to ns-A over NSA_DEV2, reusing the addresses
# of the ns-A / ns-B link.
setup_vrf_dup()
{
	# some VRF tests use ns-C which has the same config as
	# ns-B but for a device NOT in the VRF
	local nsa_side="${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64"
	local nsc_side="${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64"

	create_ns ${NSC} "-" "-"
	connect_ns ${nsa_side} ${nsc_side}
}
487
# Build the ns-A / ns-B topology from scratch.
#
# Arguments: $1 - "yes" to create the VRF in ns-A and enslave NSA_DEV to
#                 it; anything else (or nothing) for the non-VRF layout
# Globals:   NSA_LINKIP6 and NSB_LINKIP6 are set to the link-local
#            addresses of the connecting devices.
#
# Everything between 'set -e' and 'set +e' aborts the script on the first
# failing command. errexit is switched off again unconditionally at the end.
setup()
{
	local with_vrf=${1}

	# make sure we are starting with a clean slate
	kill_procs
	cleanup 2>/dev/null

	log_debug "Configuring network namespaces"
	set -e

	create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128
	create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128
	connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \
		   ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64

	# get_linklocal returns 1 when no fe80 address is found, which
	# stops the script here because errexit is on
	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})

	# tell ns-A how to get to remote addresses of ns-B
	if [ "${with_vrf}" = "yes" ]; then
		create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6}

		ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
		ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
		ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}

		# ns-B also needs a way back to the addresses on the VRF device
		ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
		ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
	else
		ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
		ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
	fi


	# tell ns-B how to get to remote addresses of ns-A
	ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
	ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}

	set +e

	sleep 1
}
531
# Build a topology that has link-local addresses only: ns-A connected to
# ns-B and ns-C with no configured addresses, and both ns-A devices
# enslaved to the VRF.
#
# Globals:   NSA_LINKIP6, NSB_LINKIP6 and NSC_LINKIP6 are set.
#
# Everything between 'set -e' and 'set +e' aborts the script on the first
# failing command.
setup_lla_only()
{
	# make sure we are starting with a clean slate
	kill_procs
	cleanup 2>/dev/null

	log_debug "Configuring network namespaces"
	set -e

	# "-" means: add no address
	create_ns ${NSA} "-" "-"
	create_ns ${NSB} "-" "-"
	create_ns ${NSC} "-" "-"
	connect_ns ${NSA} ${NSA_DEV} "-" "-" \
		   ${NSB} ${NSB_DEV} "-" "-"
	connect_ns ${NSA} ${NSA_DEV2} "-" "-" \
		   ${NSC} ${NSC_DEV} "-" "-"

	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
	NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV})

	create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-"
	ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
	ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF}

	set +e

	sleep 1
}
561
562################################################################################
563# IPv4
564
# IPv4 ping cases for the layout without a VRF.
#
# Every case follows the same pattern: log_start, one ping through run_cmd
# (from ns-A) or run_cmd_nsb (from ns-B), then log_test_addr with $? and the
# expected status. $? must be read immediately after the ping, so no
# statement may be placed between the two.
#
# Expected statuses used below: 0 for a reply, 1 and 2 for the two kinds of
# failure the cases distinguish (presumably ping's "no reply" and "error"
# exit codes - confirm against the ping in use).
#
# The rule and route sections change ns-A's policy routing with setup_cmd,
# which exits the script if a command fails.
ipv4_ping_novrf()
{
	local a

	#
	# out
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping out"

		log_start
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a}
		log_test_addr ${a} $? 0 "ping out, address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd_nsb ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	#
	# local traffic
	#
	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		run_cmd ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping local"
	done

	#
	# local traffic, socket bound to device
	#
	# address on device
	a=${NSA_IP}
	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 0 "ping local, device bind"

	# loopback addresses not reachable from device bind
	# fails in a really weird way though because ipv4 special cases
	# route lookups with oif set.
	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Fails since address on loopback device is out of device scope"
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 1 "ping local, device bind"
	done

	#
	# ip rule blocks reachability to remote address
	#
	log_start
	# move the 'local' table rule from pref 0 to 32765 so that the
	# prohibit rules at pref 50 and 51 are evaluated before it
	setup_cmd ip rule add pref 32765 from all lookup local
	setup_cmd ip rule del pref 0 from all lookup local
	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by rule"

	# NOTE: ipv4 actually allows the lookup to fail and yet still create
	# a viable rtable if the oif (e.g., bind to device) is set, so this
	# case succeeds despite the rule
	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}

	a=${NSA_LO_IP}
	log_start
	show_hint "Response generates ICMP (or arp request is ignored) due to ip rule"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	[ "$VERBOSE" = "1" ] && echo
	# put the rule set back the way it was before this section
	setup_cmd ip rule del pref 32765 from all lookup local
	setup_cmd ip rule add pref 0 from all lookup local
	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit

	#
	# route blocks reachability to remote address
	#
	log_start
	setup_cmd ip route replace unreachable ${NSB_LO_IP}
	setup_cmd ip route replace unreachable ${NSB_IP}

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by route"

	# NOTE: ipv4 actually allows the lookup to fail and yet still create
	# a viable rtable if the oif (e.g., bind to device) is set, so this
	# case succeeds despite not having a route for the address
	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}

	a=${NSA_LO_IP}
	log_start
	show_hint "Response is dropped (or arp request is ignored) due to ip route"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by route"

	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip ro del ${NSB_LO_IP}

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, unreachable default route"

	# NOTE: ipv4 actually allows the lookup to fail and yet still create
	# a viable rtable if the oif (e.g., bind to device) is set, so this
	# case succeeds despite not having a route for the address
	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
}
694
# IPv4 ping cases for the layout where NSA_DEV is enslaved to the VRF.
#
# Same pattern as the non-VRF variant: log_start, one ping, then
# log_test_addr with $? and the expected status. $? must be read
# immediately after the ping.
#
# Pings from ns-A are bound to the VRF or to the device with -I, or run
# under 'ip vrf exec'. The rule and route sections change ns-A's routing
# with setup_cmd, which exits the script if a command fails.
ipv4_ping_vrf()
{
	local a

	# should default on; does not exist on older kernels
	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd ping -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping out, VRF bind"

		log_start
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a}
		log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind"

		log_start
		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a}
		log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd_nsb ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	#
	# local traffic, local address
	#
	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
	do
		log_start
		show_hint "Source address should be ${a}"
		run_cmd ping -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping local, VRF bind"
	done

	#
	# local traffic, socket bound to device
	#
	# address on device
	a=${NSA_IP}
	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 0 "ping local, device bind"

	# vrf device is out of scope
	for a in ${VRF_IP} 127.0.0.1
	do
		log_start
		show_hint "Fails since address on vrf device is out of device scope"
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 2 "ping local, device bind"
	done

	#
	# ip rule blocks address
	#
	log_start
	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 -I ${VRF} ${a}
	log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule"

	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"

	a=${NSA_LO_IP}
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	[ "$VERBOSE" = "1" ] && echo
	# remove the two prohibit rules again
	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit

	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP}

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 -I ${VRF} ${a}
	log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route"

	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"

	a=${NSA_LO_IP}
	log_start
	show_hint "Response lost by unreachable route"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, unreachable route"
}
808
# Run the IPv4 ping cases: three passes without a VRF and two with one.
#
# The topology is rebuilt with setup before every pass, so the routing
# changes made by a pass do not carry over. Each pass differs only in the
# sysctl requested right after setup; errors from set_sysctl are sent to
# /dev/null.
ipv4_ping()
{
	log_section "IPv4 ping"

	log_subsection "No VRF"
	# pass 1: raw_l3mdev_accept off
	setup
	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null
	ipv4_ping_novrf
	# pass 2: raw_l3mdev_accept on
	setup
	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
	ipv4_ping_novrf
	# pass 3: ping_group_range requested as '0 2147483647'
	setup
	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
	ipv4_ping_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_ping_vrf
	# same cases again with ping_group_range requested
	setup "yes"
	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
	ipv4_ping_vrf
}
831
832################################################################################
833# IPv4 TCP
834
#
# MD5 tests without VRF
#
# Each case starts a nettest server in ns-A in the background, waits one
# second for it to listen, then connects from ns-B and hands the client's
# exit status to log_test. The server takes its key with -M and the peer
# address or prefix the key applies to with -m; the client takes its key
# with -X.
#
# Expected status 0 means the connection must be accepted. Expected
# status 2 is used where the hint says the client should time out: key
# missing on the server, wrong key, or a client address the key was not
# configured for. The negative cases are the security-relevant ones: a
# peer without the right key for its address must not get a connection.
#
# log_test ends with kill_procs, which stops the background server.
ipv4_tcp_md5_novrf()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -s &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Prefix config, client uses wrong password"

	# client outside of prefix
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	# -c makes the client use its loopback address, which is not in NS_NET
	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
}
902
#
# MD5 tests with VRF
#
# Same pattern as the non-VRF MD5 tests: a background nettest server in
# ns-A, a one second wait, then a client whose exit status goes to
# log_test (0 = must connect, 2 = must time out). Servers given -I ${VRF}
# are bound to the VRF device.
#
# The "duplicate config" cases run two servers at once, one bound to the
# VRF with MD5_PW and one unbound with MD5_WRONG_PW, for the same peer
# address or prefix. Clients in ns-B arrive through the VRF, clients in
# ns-C through a device outside it (ns-C is presumably created by
# setup_vrf_dup before this function runs - confirm at the call site).
# These cases check that a key configured for one VRF does not
# authenticate a connection arriving in the other.
#
# The negative tests expect nettest to fail with status 1 when the key is
# tied to a device that is not a VRF.
ipv4_tcp_md5()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout since server does not have MD5 auth"
	run_cmd nettest -s -I ${VRF} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout since server config differs from client"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"

	# client outside of prefix
	log_start
	show_hint "Should timeout since client address is outside of prefix"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"

	#
	# duplicate config between default VRF and a VRF
	#

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"

	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"

	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"

	#
	# negative tests
	#
	# these servers run in the foreground: the status checked is the
	# server's own
	log_start
	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP}
	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET}
	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"

	test_ipv4_md5_vrf__vrf_server__no_bind_ifindex
	test_ipv4_md5_vrf__global_server__bind_ifindex0
}
1048
# MD5 with a VRF-bound server socket, with and without the key itself
# being bound to an interface index.
#
# Both cases expect the client in ns-B to connect (status 0): once with
# --no-bind-key-ifindex and once with --force-bind-key-ifindex on the
# server.
test_ipv4_md5_vrf__vrf_server__no_bind_ifindex()
{
	log_start
	show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: VRF-bound server, unbound key accepts connection"

	log_start
	show_hint "Binding both the socket and the key is not required but it works"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: VRF-bound server, bound key accepts connection"
}
1065
# MD5 with a server that is not bound to the VRF, comparing a key bound
# to ifindex 0 with a key that is not bound to any ifindex.
#
# Clients in ns-B arrive through the VRF, clients in ns-C outside of it.
# Per the result messages, a key bound to ifindex 0 must reject the VRF
# connection (status 2) and accept the non-VRF one, while an unbound key
# accepts both.
#
# tcp_l3mdev_accept is saved, forced to 1 for the duration and restored
# at the end. The restore is skipped if the script exits in between.
test_ipv4_md5_vrf__global_server__bind_ifindex0()
{
	# This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections
	local old_tcp_l3mdev_accept
	old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept)
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection"
	log_start

	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection"

	# restore value
	set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept"
}
1100
# IPv4 TCP cases for the layout without a VRF, followed by the non-VRF
# MD5 cases.
#
# Pattern: log_start, optionally a background nettest server (-s) followed
# by a one second wait, then a nettest client (-r <address>) whose exit
# status is passed to log_test_addr. Expected status 0 means the
# connection must succeed; 1 is used where the hints expect
# 'Connection refused' or 'No route to host'.
#
# -I binds the server and -d the client to a device. The -0, -1 and -3
# options are nettest's expected address / device checks (NOTE(review):
# their exact meaning is defined by nettest, not by this file - confirm
# against its usage text).
ipv4_tcp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	# verify TCP reset sent and received
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	#
	# local address tests
	#
	# server and client both run in ns-A from here on
	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -0 ${a} -1 ${a}
		log_test_addr ${a} $? 0 "Global server, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"

	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
		run_cmd nettest -s -I ${NSA_DEV} &
		sleep 1
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s &
	sleep 1
	run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "Global server, device client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -d ${NSA_DEV} -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local connection"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "No server, device client, local conn"

	ipv4_tcp_md5_novrf
}
1221
# IPv4 TCP connectivity checks with the VRF configured.
#
# First pass runs with net.ipv4.tcp_l3mdev_accept=0, where a server that
# is not bound to the VRF is expected to refuse connections arriving
# through it; this is the isolation property the negative cases pin
# down.  The MD5 tests run between the two passes.  Second pass sets
# tcp_l3mdev_accept=1 and expects the unbound ("global") server to
# accept.  The sysctl is left at 1 when the function returns.
ipv4_tcp_vrf() {
	local a

	# disable global server
	log_subsection "Global server disabled"

	set_sysctl net.ipv4.tcp_l3mdev_accept=0

	# --- server tests ---
	for a in $NSA_IP $VRF_IP; do
		log_start
		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r $a
		log_test_addr $a $? 1 "Global server"

		log_start
		run_cmd nettest -s -I $VRF -3 $VRF &
		sleep 1
		run_cmd_nsb nettest -r $a
		log_test_addr $a $? 0 "VRF server"

		log_start
		run_cmd nettest -s -I $NSA_DEV -3 $NSA_DEV &
		sleep 1
		run_cmd_nsb nettest -r $a
		log_test_addr $a $? 0 "Device server"

		# verify TCP reset received
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r $a
		log_test_addr $a $? 1 "No server"
	done

	# --- local address tests ---
	# (${VRF_IP} and 127.0.0.1 both timeout, so only NSA_IP is used)
	a=$NSA_IP
	log_start
	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
	run_cmd nettest -s &
	sleep 1
	run_cmd nettest -r $a -d $NSA_DEV
	log_test_addr $a $? 1 "Global server, local connection"

	# run MD5 tests
	setup_vrf_dup
	ipv4_tcp_md5
	cleanup_vrf_dup

	# --- enable VRF global server ---
	log_subsection "VRF Global server enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	for a in $NSA_IP $VRF_IP; do
		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -3 $VRF &
		sleep 1
		run_cmd_nsb nettest -r $a
		log_test_addr $a $? 0 "Global server"

		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -I $VRF -3 $VRF &
		sleep 1
		run_cmd_nsb nettest -r $a
		log_test_addr $a $? 0 "VRF server"

		# verify TCP reset received
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -r $a
		log_test_addr $a $? 1 "No server"
	done

	a=$NSA_IP
	log_start
	show_hint "client socket should be bound to device"
	run_cmd nettest -s -I $NSA_DEV -3 $NSA_DEV &
	sleep 1
	run_cmd_nsb nettest -r $a
	log_test_addr $a $? 0 "Device server"

	# local address tests: an unbound client must not reach a
	# VRF-bound server
	for a in $NSA_IP $VRF_IP; do
		log_start
		show_hint "Should fail 'Connection refused' since client is not bound to VRF"
		run_cmd nettest -s -I $VRF &
		sleep 1
		run_cmd nettest -r $a
		log_test_addr $a $? 1 "Global server, local connection"
	done

	# --- client tests ---
	for a in $NSB_IP $NSB_LO_IP; do
		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r $a -d $VRF
		log_test_addr $a $? 0 "Client, VRF bind"

		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r $a -d $NSA_DEV
		log_test_addr $a $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r $a -d $VRF
		log_test_addr $a $? 1 "No server, VRF client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r $a -d $NSA_DEV
		log_test_addr $a $? 1 "No server, device client"
	done

	for a in $NSA_IP $VRF_IP 127.0.0.1; do
		log_start
		run_cmd nettest -s -I $VRF -3 $VRF &
		sleep 1
		run_cmd nettest -r $a -d $VRF -0 $a
		log_test_addr $a $? 0 "VRF server, VRF client, local connection"
	done

	a=$NSA_IP
	log_start
	run_cmd nettest -s -I $VRF -3 $VRF &
	sleep 1
	run_cmd nettest -r $a -d $NSA_DEV -0 $a
	log_test_addr $a $? 0 "VRF server, device client, local connection"

	log_start
	show_hint "Should fail 'No route to host' since client is out of VRF scope"
	run_cmd nettest -s -I $VRF &
	sleep 1
	run_cmd nettest -r $a
	log_test_addr $a $? 1 "VRF server, unbound client, local connection"

	log_start
	run_cmd nettest -s -I $NSA_DEV -3 $NSA_DEV &
	sleep 1
	run_cmd nettest -r $a -d $VRF -0 $a
	log_test_addr $a $? 0 "Device server, VRF client, local connection"

	log_start
	run_cmd nettest -s -I $NSA_DEV -3 $NSA_DEV &
	sleep 1
	run_cmd nettest -r $a -d $NSA_DEV -0 $a
	log_test_addr $a $? 0 "Device server, device client, local connection"
}
1388
# Driver for the IPv4 TCP section: runs the no-VRF tests twice (with
# tcp_l3mdev_accept off, then on) and the VRF tests once.
ipv4_tcp() {
	log_section "IPv4/TCP"
	log_subsection "No VRF"
	setup

	# Without a VRF, tcp_l3mdev_accept should have no effect; run the
	# same tests under both settings to confirm that.
	log_subsection "tcp_l3mdev_accept disabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=0
	ipv4_tcp_novrf
	log_subsection "tcp_l3mdev_accept enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1
	ipv4_tcp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_tcp_vrf
}
1408
1409################################################################################
1410# IPv4 UDP
1411
# IPv4 UDP connectivity checks with no VRF configured.
#
# Same layout as the TCP variant (server, client, local address cases)
# with nettest in -D mode, plus client variants that pick the egress
# device via cmsg (-C) and via IP_UNICAST_IF (-S), as the test labels
# state.  Note the expected status is 2, not 1, for two of the
# device-bound local cases below.
ipv4_udp_novrf() {
	local a

	# --- server tests ---
	for a in $NSA_IP $NSA_LO_IP; do
		log_start
		run_cmd nettest -D -s -3 $NSA_DEV &
		sleep 1
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 0 "Global server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 1 "No server"
	done

	a=$NSA_IP
	log_start
	run_cmd nettest -D -I $NSA_DEV -s -3 $NSA_DEV &
	sleep 1
	run_cmd_nsb nettest -D -r $a
	log_test_addr $a $? 0 "Device server"

	# --- client tests ---
	for a in $NSB_IP $NSB_LO_IP; do
		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r $a -0 $NSA_IP
		log_test_addr $a $? 0 "Client"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r $a -d $NSA_DEV -0 $NSA_IP
		log_test_addr $a $? 0 "Client, device bind"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r $a -d $NSA_DEV -C -0 $NSA_IP
		log_test_addr $a $? 0 "Client, device send via cmsg"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r $a -d $NSA_DEV -S -0 $NSA_IP
		log_test_addr $a $? 0 "Client, device bind via IP_UNICAST_IF"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -r $a
		log_test_addr $a $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -r $a -d $NSA_DEV
		log_test_addr $a $? 1 "No server, device client"
	done

	# --- local address tests ---
	for a in $NSA_IP $NSA_LO_IP 127.0.0.1; do
		log_start
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r $a -0 $a -1 $a
		log_test_addr $a $? 0 "Global server, local connection"
	done

	a=$NSA_IP
	log_start
	run_cmd nettest -s -D -I $NSA_DEV -3 $NSA_DEV &
	sleep 1
	run_cmd nettest -D -r $a
	log_test_addr $a $? 0 "Device server, unbound client, local connection"

	# Loopback-hosted addresses are outside the bound device's scope.
	for a in $NSA_LO_IP 127.0.0.1; do
		log_start
		show_hint "Should fail 'Connection refused' since address is out of device scope"
		run_cmd nettest -s -D -I $NSA_DEV &
		sleep 1
		run_cmd nettest -D -r $a
		log_test_addr $a $? 1 "Device server, unbound client, local connection"
	done

	a=$NSA_IP
	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d $NSA_DEV -r $a
	log_test_addr $a $? 0 "Global server, device client, local connection"

	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d $NSA_DEV -C -r $a
	log_test_addr $a $? 0 "Global server, device send via cmsg, local connection"

	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d $NSA_DEV -S -r $a
	log_test_addr $a $? 0 "Global server, device client via IP_UNICAST_IF, local connection"

	# IPv4 with a device bind behaves oddly: it overrides the fib
	# lookup, generates an rtable and tries to send the packet.  Local
	# traffic therefore fails at different places, which is why the
	# expected status differs between the three variants below.
	for a in $NSA_LO_IP 127.0.0.1; do
		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r $a -d $NSA_DEV
		log_test_addr $a $? 2 "Global server, device client, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r $a -d $NSA_DEV -C
		log_test_addr $a $? 1 "Global server, device send via cmsg, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r $a -d $NSA_DEV -S
		log_test_addr $a $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
	done

	a=$NSA_IP
	log_start
	run_cmd nettest -D -s -I $NSA_DEV -3 $NSA_DEV &
	sleep 1
	run_cmd nettest -D -d $NSA_DEV -r $a -0 $a
	log_test_addr $a $? 0 "Device server, device client, local conn"

	log_start
	run_cmd nettest -D -d $NSA_DEV -r $a
	log_test_addr $a $? 2 "No server, device client, local conn"
}
1566
# IPv4 UDP connectivity checks with the VRF configured.
#
# First pass runs with net.ipv4.udp_l3mdev_accept=0: a server not bound
# to the VRF must not receive traffic that ingresses through it.  The
# second pass sets udp_l3mdev_accept=1 and expects the unbound
# ("global") server to work.  The sysctl is left at 1 on return.
ipv4_udp_vrf() {
	local a

	# disable global server
	log_subsection "Global server disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0

	# --- server tests ---
	for a in $NSA_IP $VRF_IP; do
		log_start
		show_hint "Fails because ingress is in a VRF and global server is disabled"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 1 "Global server"

		log_start
		run_cmd nettest -D -I $VRF -s -3 $NSA_DEV &
		sleep 1
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 0 "VRF server"

		log_start
		run_cmd nettest -D -I $NSA_DEV -s -3 $NSA_DEV &
		sleep 1
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 0 "Enslaved device server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 1 "No server"

		log_start
		show_hint "Should fail 'Connection refused' since global server is out of scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -d $VRF -r $a
		log_test_addr $a $? 1 "Global server, VRF client, local connection"
	done

	a=$NSA_IP
	log_start
	run_cmd nettest -s -D -I $VRF -3 $NSA_DEV &
	sleep 1
	run_cmd nettest -D -d $VRF -r $a
	log_test_addr $a $? 0 "VRF server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I $VRF -3 $NSA_DEV &
	sleep 1
	run_cmd nettest -D -d $NSA_DEV -r $a
	log_test_addr $a $? 0 "VRF server, enslaved device client, local connection"

	a=$NSA_IP
	log_start
	run_cmd nettest -s -D -I $NSA_DEV -3 $NSA_DEV &
	sleep 1
	run_cmd nettest -D -d $VRF -r $a
	log_test_addr $a $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I $NSA_DEV -3 $NSA_DEV &
	sleep 1
	run_cmd nettest -D -d $NSA_DEV -r $a
	log_test_addr $a $? 0 "Enslaved device server, device client, local conn"

	# enable global server
	log_subsection "Global server enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1

	# --- server tests ---
	for a in $NSA_IP $VRF_IP; do
		log_start
		run_cmd nettest -D -s -3 $NSA_DEV &
		sleep 1
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 0 "Global server"

		log_start
		run_cmd nettest -D -I $VRF -s -3 $NSA_DEV &
		sleep 1
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 0 "VRF server"

		log_start
		run_cmd nettest -D -I $NSA_DEV -s -3 $NSA_DEV &
		sleep 1
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 0 "Enslaved device server"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 1 "No server"
	done

	# --- client tests ---
	log_start
	run_cmd_nsb nettest -D -s &
	sleep 1
	run_cmd nettest -d $VRF -D -r $NSB_IP -1 $NSA_IP
	log_test $? 0 "VRF client"

	log_start
	run_cmd_nsb nettest -D -s &
	sleep 1
	run_cmd nettest -d $NSA_DEV -D -r $NSB_IP -1 $NSA_IP
	log_test $? 0 "Enslaved device client"

	# negative test - should fail
	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -D -d $VRF -r $NSB_IP
	log_test $? 1 "No server, VRF client"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -D -d $NSA_DEV -r $NSB_IP
	log_test $? 1 "No server, enslaved device client"

	# --- local address tests ---
	a=$NSA_IP
	log_start
	run_cmd nettest -D -s -3 $NSA_DEV &
	sleep 1
	run_cmd nettest -D -d $VRF -r $a
	log_test_addr $a $? 0 "Global server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I $VRF -3 $NSA_DEV &
	sleep 1
	run_cmd nettest -D -d $VRF -r $a
	log_test_addr $a $? 0 "VRF server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I $VRF -3 $NSA_DEV &
	sleep 1
	run_cmd nettest -D -d $NSA_DEV -r $a
	log_test_addr $a $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -s -D -I $NSA_DEV -3 $NSA_DEV &
	sleep 1
	run_cmd nettest -D -d $VRF -r $a
	log_test_addr $a $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I $NSA_DEV -3 $NSA_DEV &
	sleep 1
	run_cmd nettest -D -d $NSA_DEV -r $a
	log_test_addr $a $? 0 "Enslaved device server, device client, local conn"

	for a in $VRF_IP 127.0.0.1; do
		log_start
		run_cmd nettest -D -s -3 $VRF &
		sleep 1
		run_cmd nettest -D -d $VRF -r $a
		log_test_addr $a $? 0 "Global server, VRF client, local conn"
	done

	for a in $VRF_IP 127.0.0.1; do
		log_start
		run_cmd nettest -s -D -I $VRF -3 $VRF &
		sleep 1
		run_cmd nettest -D -d $VRF -r $a
		log_test_addr $a $? 0 "VRF server, VRF client, local conn"
	done

	# negative test - should fail
	# verifies ECONNREFUSED
	for a in $NSA_IP $VRF_IP 127.0.0.1; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -d $VRF -r $a
		log_test_addr $a $? 1 "No server, VRF client, local conn"
	done
}
1759
# Driver for the IPv4 UDP section: runs the no-VRF tests twice (with
# udp_l3mdev_accept off, then on) and the VRF tests once.
ipv4_udp() {
	log_section "IPv4/UDP"
	log_subsection "No VRF"

	setup

	# Without a VRF, udp_l3mdev_accept should have no effect; run the
	# same tests under both settings to confirm that.
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv4_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv4_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_udp_vrf
}
1780
1781################################################################################
1782# IPv4 address bind
1783#
1784# verifies ability or inability to bind to an address / device
1785
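# IPv4 bind() checks with no VRF configured.
#
# Each case runs nettest with -b and passes its exit status to
# log_test_addr together with the expected status: 0 where the bind
# must succeed, 1 where it must be rejected (ICMP sockets on broadcast
# and multicast addresses).
#
# The loop variable is declared local, as the other test functions in
# this file do, so it no longer leaks into the caller's scope.
ipv4_addr_bind_novrf()
{
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# tests for nonlocal bind
	#
	a=${NL_IP}
	log_start
	run_cmd nettest -s -R -f -l ${a} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

	log_start
	run_cmd nettest -s -f -l ${a} -b
	log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address"

	log_start
	run_cmd nettest -s -D -P icmp -f -l ${a} -b
	log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address"

	#
	# check that ICMP sockets cannot bind to broadcast and multicast addresses
	#
	a=${BCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address"

	a=${MCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to multicast address"

	#
	# tcp sockets
	#
	a=${NSA_IP}
	log_start
	run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not.  The case stays disabled, which
	# means a device bind is not verified here to confine the socket to
	# that device's own addresses.
	#a=${NSA_LO_IP}
	#log_start
	#show_hint "Should fail with 'Cannot assign requested address'"
	#run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
	#log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
}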
1853
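# IPv4 bind() checks with the VRF configured.
#
# Each case runs nettest with -b and passes its exit status to
# log_test_addr together with the expected status.  The negative cases
# pin down the scoping rules: a socket not bound to the VRF cannot bind
# an address that lives in the VRF, and a socket bound to the VRF (or
# to a device in it) cannot bind the loopback address that lies outside
# the VRF.
#
# The loop variable is declared local, as the other test functions in
# this file do, so it no longer leaks into the caller's scope.
ipv4_addr_bind_vrf()
{
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Socket not bound to VRF, but address is in VRF"
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 1 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind"

	#
	# tests for nonlocal bind
	#
	a=${NL_IP}
	log_start
	run_cmd nettest -s -R -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	log_start
	run_cmd nettest -s -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address after VRF bind"

	log_start
	run_cmd nettest -s -D -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address after VRF bind"

	#
	# check that ICMP sockets cannot bind to broadcast and multicast addresses
	#
	a=${BCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address after VRF bind"

	a=${MCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to multicast address after VRF bind"

	#
	# tcp sockets
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address"

		log_start
		run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
}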
1934
# Driver for the IPv4 address-bind section: no-VRF tests, then VRF tests.
#
# Before each group, ping_group_range is widened to '0 2147483647' so
# the ICMP-socket bind cases can create their sockets; any error output
# from that sysctl write is discarded.  The value is not restored here.
# NOTE(review): presumably scoped to the test namespace that setup
# creates - confirm against set_sysctl.
ipv4_addr_bind() {
	log_section "IPv4 address binds"

	log_subsection "No VRF"
	setup
	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
	ipv4_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
	ipv4_addr_bind_vrf
}
1949
1950################################################################################
1951# IPv4 runtime tests
1952
# Runtime test: delete the VRF device while nettest traffic is active.
#
# Arguments: $1 - description prefix used in the logged test names
#            $2 - extra nettest options; expanded unquoted on purpose
#                 so that a value such as "-n -1" splits into words
#
# Every case starts a server and a client in the background, lets them
# run for 3 seconds, deletes the VRF and then logs a pass: the status
# handed to log_test_addr is a literal 0, so these cases record that
# the script got past the delete rather than what nettest returned.
# setup is re-run after each case to recreate the topology.
ipv4_rt() {
	local desc="$1"
	local varg="$2"
	local with_vrf="yes"
	local a

	# --- server tests ---
	for a in $NSA_IP $VRF_IP; do
		log_start
		run_cmd nettest $varg -s &
		sleep 1
		run_cmd_nsb nettest $varg -r $a &
		sleep 3
		run_cmd ip link del $VRF
		sleep 1
		log_test_addr $a 0 0 "${desc}, global server"

		setup $with_vrf
	done

	for a in $NSA_IP $VRF_IP; do
		log_start
		run_cmd nettest $varg -s -I $VRF &
		sleep 1
		run_cmd_nsb nettest $varg -r $a &
		sleep 3
		run_cmd ip link del $VRF
		sleep 1
		log_test_addr $a 0 0 "${desc}, VRF server"

		setup $with_vrf
	done

	a=$NSA_IP
	log_start
	run_cmd nettest $varg -s -I $NSA_DEV &
	sleep 1
	run_cmd_nsb nettest $varg -r $a &
	sleep 3
	run_cmd ip link del $VRF
	sleep 1
	log_test_addr $a 0 0 "${desc}, enslaved device server"

	setup $with_vrf

	# --- client tests ---
	# The client connects to NSB_IP; the address passed to
	# log_test_addr is still the NSA_IP assigned above.
	log_start
	run_cmd_nsb nettest $varg -s &
	sleep 1
	run_cmd nettest $varg -d $VRF -r $NSB_IP &
	sleep 3
	run_cmd ip link del $VRF
	sleep 1
	log_test_addr $a 0 0 "${desc}, VRF client"

	setup $with_vrf

	log_start
	run_cmd_nsb nettest $varg -s &
	sleep 1
	run_cmd nettest $varg -d $NSA_DEV -r $NSB_IP &
	sleep 3
	run_cmd ip link del $VRF
	sleep 1
	log_test_addr $a 0 0 "${desc}, enslaved device client"

	setup $with_vrf

	# --- local address tests ---
	for a in $NSA_IP $VRF_IP; do
		log_start
		run_cmd nettest $varg -s &
		sleep 1
		run_cmd nettest $varg -d $VRF -r $a &
		sleep 3
		run_cmd ip link del $VRF
		sleep 1
		log_test_addr $a 0 0 "${desc}, global server, VRF client, local"

		setup $with_vrf
	done

	for a in $NSA_IP $VRF_IP; do
		log_start
		run_cmd nettest $varg -I $VRF -s &
		sleep 1
		run_cmd nettest $varg -d $VRF -r $a &
		sleep 3
		run_cmd ip link del $VRF
		sleep 1
		log_test_addr $a 0 0 "${desc}, VRF server and client, local"

		setup $with_vrf
	done

	a=$NSA_IP
	log_start

	run_cmd nettest $varg -s &
	sleep 1
	run_cmd nettest $varg -d $NSA_DEV -r $a &
	sleep 3
	run_cmd ip link del $VRF
	sleep 1
	log_test_addr $a 0 0 "${desc}, global server, enslaved device client, local"

	setup $with_vrf

	log_start
	run_cmd nettest $varg -I $VRF -s &
	sleep 1
	run_cmd nettest $varg -d $NSA_DEV -r $a &
	sleep 3
	run_cmd ip link del $VRF
	sleep 1
	log_test_addr $a 0 0 "${desc}, VRF server, enslaved device client, local"

	setup $with_vrf

	# Last case: no setup afterwards, the VRF stays deleted on return.
	log_start
	run_cmd nettest $varg -I $NSA_DEV -s &
	sleep 1
	run_cmd nettest $varg -d $NSA_DEV -r $a &
	sleep 3
	run_cmd ip link del $VRF
	sleep 1
	log_test_addr $a 0 0 "${desc}, enslaved device server and client, local"
}
2092
# Runtime test: delete the VRF device while a flood ping is running.
#
# A background "ping -f" runs for 3 seconds before the VRF is deleted.
# The status handed to log_test_addr is a literal 0, so each case
# records that the script got past the delete, not the ping result.
# The background ping is not stopped in this function.
ipv4_ping_rt() {
	local with_vrf="yes"
	local a

	# inbound: flood from the ns-B side towards the VRF addresses
	for a in $NSA_IP $VRF_IP; do
		log_start
		run_cmd_nsb ping -f $a &
		sleep 3
		run_cmd ip link del $VRF
		sleep 1
		log_test_addr $a 0 0 "Device delete with active traffic - ping in"

		setup $with_vrf
	done

	# outbound: flood through the VRF; no setup afterwards
	a=$NSB_IP
	log_start
	run_cmd ping -f -I $VRF $a &
	sleep 3
	run_cmd ip link del $VRF
	sleep 1
	log_test_addr $a 0 0 "Device delete with active traffic - ping out"
}
2118
# Driver for the IPv4 runtime section.  Each group deletes the VRF, so
# the VRF topology is rebuilt with setup before every group.
ipv4_runtime() {
	log_section "Run time tests - ipv4"

	setup "yes"
	ipv4_ping_rt

	# The second argument is a nettest option string that ipv4_rt
	# expands unquoted.
	setup "yes"
	ipv4_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv4_rt "TCP passive socket" "-i"
}
2132
2133################################################################################
2134# IPv6
2135
# IPv6 ping checks with no VRF configured.
#
# Covers outbound, inbound and local pings, then verifies that
# "prohibit" ip rules and "unreachable" routes actually block traffic
# (expected ping status 2 for the sender, 1 when only the reply is
# lost).  The rule changes made for the blocking tests are undone
# before the route tests start.
#
# ${ping6} is expanded unquoted on purpose; NOTE(review): it is set
# elsewhere and may hold more than one word - confirm.
ipv6_ping_novrf() {
	local a

	# should not have an impact, but make a known state
	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null

	# --- out ---
	for a in $NSB_IP6 $NSB_LO_IP6 ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}; do
		log_start
		run_cmd $ping6 -c1 -w1 $a
		log_test_addr $a $? 0 "ping out"
	done

	for a in $NSB_IP6 $NSB_LO_IP6; do
		log_start
		run_cmd $ping6 -c1 -w1 -I $NSA_DEV $a
		log_test_addr $a $? 0 "ping out, device bind"

		log_start
		run_cmd $ping6 -c1 -w1 -I $NSA_LO_IP6 $a
		log_test_addr $a $? 0 "ping out, loopback address bind"
	done

	# --- in ---
	for a in $NSA_IP6 $NSA_LO_IP6 ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}; do
		log_start
		run_cmd_nsb $ping6 -c1 -w1 $a
		log_test_addr $a $? 0 "ping in"
	done

	# --- local traffic, local address ---
	for a in $NSA_IP6 $NSA_LO_IP6 ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}; do
		log_start
		run_cmd $ping6 -c1 -w1 $a
		log_test_addr $a $? 0 "ping local, no bind"
	done

	for a in $NSA_IP6 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}; do
		log_start
		run_cmd $ping6 -c1 -w1 -I $NSA_DEV $a
		log_test_addr $a $? 0 "ping local, device bind"
	done

	for a in $NSA_LO_IP6 ::1; do
		log_start
		show_hint "Fails since address on loopback is out of device scope"
		run_cmd $ping6 -c1 -w1 -I $NSA_DEV $a
		log_test_addr $a $? 2 "ping local, device bind"
	done

	# --- ip rule blocks address ---
	# The local-table rule is moved from pref 0 to pref 32765 so the
	# prohibit rules at pref 50/51 are evaluated ahead of it.
	log_start
	setup_cmd ip -6 rule add pref 32765 from all lookup local
	setup_cmd ip -6 rule del pref 0 from all lookup local
	setup_cmd ip -6 rule add pref 50 to $NSB_LO_IP6 prohibit
	setup_cmd ip -6 rule add pref 51 from $NSB_IP6 prohibit

	a=$NSB_LO_IP6
	run_cmd $ping6 -c1 -w1 $a
	log_test_addr $a $? 2 "ping out, blocked by rule"

	log_start
	run_cmd $ping6 -c1 -w1 -I $NSA_DEV $a
	log_test_addr $a $? 2 "ping out, device bind, blocked by rule"

	a=$NSA_LO_IP6
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb $ping6 -c1 -w1 $a
	log_test_addr $a $? 1 "ping in, blocked by rule"

	# put the rules back the way they were
	setup_cmd ip -6 rule add pref 0 from all lookup local
	setup_cmd ip -6 rule del pref 32765 from all lookup local
	setup_cmd ip -6 rule del pref 50 to $NSB_LO_IP6 prohibit
	setup_cmd ip -6 rule del pref 51 from $NSB_IP6 prohibit

	# --- route blocks reachability to remote address ---
	log_start
	setup_cmd ip -6 route del $NSB_LO_IP6
	setup_cmd ip -6 route add unreachable $NSB_LO_IP6 metric 10
	setup_cmd ip -6 route add unreachable $NSB_IP6 metric 10

	a=$NSB_LO_IP6
	run_cmd $ping6 -c1 -w1 $a
	log_test_addr $a $? 2 "ping out, blocked by route"

	log_start
	run_cmd $ping6 -c1 -w1 -I $NSA_DEV $a
	log_test_addr $a $? 2 "ping out, device bind, blocked by route"

	a=$NSA_LO_IP6
	log_start
	show_hint "Response lost due to ip route"
	run_cmd_nsb $ping6 -c1 -w1 $a
	log_test_addr $a $? 1 "ping in, blocked by route"


	# --- remove 'remote' routes; fallback to default ---
	log_start
	setup_cmd ip -6 ro del unreachable $NSB_LO_IP6
	setup_cmd ip -6 ro del unreachable $NSB_IP6

	a=$NSB_LO_IP6
	run_cmd $ping6 -c1 -w1 $a
	log_test_addr $a $? 2 "ping out, unreachable route"

	log_start
	run_cmd $ping6 -c1 -w1 -I $NSA_DEV $a
	log_test_addr $a $? 2 "ping out, device bind, unreachable route"
}
2265
# IPv6 ping permutations with ns-A's device enslaved to VRF ${VRF}.
#
# Covers ping out of ns-A (VRF bind, device bind, VRF exec + source
# address), ping into ns-A from ns-B, ns-A pinging its own addresses, and
# the same traffic once an ip rule or a deleted route is expected to block
# it. The third argument to log_test_addr is the exit status the test
# expects from ping: 0 for a reply, 1 for no reply, 2 for an error
# (ping's own exit-status convention).
#
# Globals read: ping6, VRF, VRF_IP6, NSA_*, NSB_*, MCAST, NSB
ipv6_ping_vrf()
{
	local addr

	# raw_l3mdev_accept is expected to default to on; the sysctl is absent
	# on older kernels, so the error output is discarded
	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null

	#
	# out of ns-A
	#
	for addr in ${NSB_IP6} ${NSB_LO_IP6}; do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${addr}
		log_test_addr ${addr} $? 0 "ping out, VRF bind"
	done

	# link-local and multicast scoped to the VRF device must not work
	for addr in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF}; do
		log_start
		show_hint "Fails since VRF device does not support linklocal or multicast"
		run_cmd ${ping6} -c1 -w1 ${addr}
		log_test_addr ${addr} $? 1 "ping out, VRF bind"
	done

	for addr in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}; do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${addr}
		log_test_addr ${addr} $? 0 "ping out, device bind"
	done

	for addr in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}; do
		log_start
		run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${addr}
		log_test_addr ${addr} $? 0 "ping out, vrf device+address bind"
	done

	#
	# into ns-A, sent from ns-B
	#
	for addr in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}; do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${addr}
		log_test_addr ${addr} $? 0 "ping in"
	done

	# isolation check: the address on ns-A's loopback is outside the VRF,
	# so traffic arriving through the enslaved device must get no reply
	addr=${NSA_LO_IP6}
	log_start
	show_hint "Fails since loopback address is out of VRF scope"
	run_cmd_nsb ${ping6} -c1 -w1 ${addr}
	log_test_addr ${addr} $? 1 "ping in"

	#
	# ns-A pinging its own addresses
	#
	for addr in ${NSA_IP6} ${VRF_IP6} ::1; do
		log_start
		show_hint "Source address should be ${addr}"
		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${addr}
		log_test_addr ${addr} $? 0 "ping local, VRF bind"
	done

	for addr in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}; do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${addr}
		log_test_addr ${addr} $? 0 "ping local, device bind"
	done

	# LLA to GUA: strip the global addresses from ns-B so that its pings
	# leave with a link-local source, and route to ns-A via its LLA
	setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo
	setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}

	# NOTE(review): both iterations ping ${NSA_IP6}; only the address the
	# result is logged under changes, so ${VRF_IP6} is never the actual
	# target here - confirm whether that is intended
	for addr in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
		log_test_addr ${addr} $? 0 "ping in, LLA to GUA"
	done

	# put ns-B back the way setup left it
	setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
	setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV}
	setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo

	#
	# policy rules (prohibit) in ns-A must block the traffic
	#
	log_start
	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit

	addr=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${addr}
	log_test_addr ${addr} $? 2 "ping out, blocked by rule"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${addr}
	log_test_addr ${addr} $? 2 "ping out, device bind, blocked by rule"

	# inbound: the request is sent by ns-B, the reply is what gets dropped
	addr=${NSA_LO_IP6}
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb ${ping6} -c1 -w1 ${addr}
	log_test_addr ${addr} $? 1 "ping in, blocked by rule"

	log_start
	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit

	#
	# drop the 'remote' routes so lookups fall back to the default
	#
	log_start
	setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF}

	addr=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${addr}
	log_test_addr ${addr} $? 2 "ping out, unreachable route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${addr}
	log_test_addr ${addr} $? 2 "ping out, device bind, unreachable route"

	# issued directly, not through setup_cmd_nsb, so a failure here is
	# not checked
	ip -netns ${NSB} -6 ro del ${NSA_LO_IP6}
	addr=${NSA_LO_IP6}
	log_start
	run_cmd_nsb ${ping6} -c1 -w1 ${addr}
	log_test_addr ${addr} $? 2 "ping in, unreachable route"
}
2400
# Entry point for the IPv6 ping tests.
#
# Each topology (no VRF, then with VRF) is set up and tested twice: once
# with the defaults, once after net.ipv4.ping_group_range has been opened
# to every group id. The second pass presumably makes ping use an
# unprivileged ICMP datagram socket instead of a raw socket - confirm
# against the ping binary in use. The all-GID range is a test fixture;
# set_sysctl is assumed to apply it inside the test namespace only.
ipv6_ping()
{
	local ping_pass

	log_section "IPv6 ping"

	log_subsection "No VRF"
	for ping_pass in 1 2; do
		setup
		if [ "${ping_pass}" -eq 2 ]; then
			# stderr discarded in case the sysctl cannot be written
			set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
		fi
		ipv6_ping_novrf
	done

	log_subsection "With VRF"
	for ping_pass in 1 2; do
		setup "yes"
		if [ "${ping_pass}" -eq 2 ]; then
			set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
		fi
		ipv6_ping_vrf
	done
}
2419
2420################################################################################
2421# IPv6 TCP
2422
2423#
2424# MD5 tests without VRF
2425#
# TCP MD5 signature tests over IPv6 without a VRF.
#
# Every case starts a nettest server in ns-A in the background, waits a
# second for it to listen, then connects from ns-B. As used here, -M is
# the server-side password, -m the peer address or prefix that password
# applies to, and -X the password the client signs with. Expected client
# exit status: 0 connected, 2 timed out (per the hints: segments whose
# signature or peer does not match the server's config get no answer).
#
# The passwords are fixed test values and travel on the command line.
ipv6_tcp_md5_novrf()
{
	#
	# key configured for a single peer address
	#

	# matching key and peer address: connection succeeds
	log_start
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: Single address config"

	# client signs, server has no key at all
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Server no config, client uses password"

	# client signs with a different password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Client uses wrong password"

	# right password, but the key is tied to another peer address
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Client address does not match address configured with password"

	#
	# MD5 extension: key configured for a prefix
	#

	# client address inside the prefix
	log_start
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: Prefix config"

	# client inside the prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Prefix config, client uses wrong password"

	# client connects from ns-B's loopback address (-c), which is not
	# covered by the prefix
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
}
2490
2491#
2492# MD5 tests with VRF
2493#
# TCP MD5 signature tests over IPv6 with the server bound to VRF ${VRF}.
#
# The first half mirrors the non-VRF cases with the server bound via
# -I ${VRF}. The second half checks that MD5 keys are scoped per L3
# domain: two servers run at once, one in the VRF keyed with MD5_PW and
# one in the default VRF keyed with MD5_WRONG_PW (used here as the second
# valid key, not as a wrong one), for the same peer address or prefix.
# ns-B reaches ns-A through the VRF, ns-C through the default VRF, and a
# client must only get in with the key of the domain it arrives in.
# Expected client exit status: 0 connected, 2 timed out.
#
# The passwords are fixed test values and travel on the command line.
ipv6_tcp_md5()
{
	#
	# key configured for a single peer address
	#

	# matching key and peer address: connection succeeds
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config"

	# client signs, server has no key at all
	log_start
	show_hint "Should timeout since server does not have MD5 auth"
	run_cmd nettest -6 -s -I ${VRF} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Server no config, client uses password"

	# client signs with a different password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Client uses wrong password"

	# right password, but the key is tied to another peer address
	log_start
	show_hint "Should timeout since server config differs from client"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"

	#
	# MD5 extension: key configured for a prefix
	#

	# client address inside the prefix
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config"

	# client inside the prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"

	# client connects from ns-B's loopback address (-c), which is not
	# covered by the prefix
	log_start
	show_hint "Should timeout since client address is outside of prefix"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"

	#
	# same peer keyed in both the default VRF and the VRF:
	# single address
	#

	# VRF client with the VRF key
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"

	# default-VRF client with the default-VRF key
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"

	# key from the other domain must not be accepted: default-VRF client
	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"

	# key from the other domain must not be accepted: VRF client
	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"

	#
	# same four cases with the keys configured for a prefix
	#

	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"

	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"

	#
	# negative tests: the server runs in the foreground and is itself
	# expected to exit 1 when the key is scoped to a device that is not
	# a VRF
	#
	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6}
	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"

	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6}
	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"
}
2634
# IPv6 TCP connection tests without a VRF.
#
# Runs nettest as server and client between ns-A and ns-B and within
# ns-A, for unbound ("global") and device-bound sockets, then finishes
# with the MD5 cases. Expected client exit status passed to
# log_test_addr: 0 connected, 1 failed (per the hints, 'Connection
# refused'). Servers are started in the background and given one second
# to start listening.
ipv6_tcp_novrf()
{
	local addr

	#
	# ns-A is the server
	#
	for addr in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${addr}
		log_test_addr ${addr} $? 0 "Global server"
	done

	# no listener: the client must see a TCP reset
	for addr in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -6 -r ${addr}
		log_test_addr ${addr} $? 1 "No server"
	done

	#
	# ns-A is the client
	#
	for addr in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}; do
		log_start
		run_cmd_nsb nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${addr}
		log_test_addr ${addr} $? 0 "Client"
	done

	for addr in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}; do
		log_start
		run_cmd_nsb nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${addr} -d ${NSA_DEV}
		log_test_addr ${addr} $? 0 "Client, device bind"
	done

	for addr in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -r ${addr} -d ${NSA_DEV}
		log_test_addr ${addr} $? 1 "No server, device client"
	done

	#
	# server and client both in ns-A
	#
	for addr in ${NSA_IP6} ${NSA_LO_IP6} ::1; do
		log_start
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${addr}
		log_test_addr ${addr} $? 0 "Global server, local connection"
	done

	addr=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -r ${addr} -0 ${addr}
	log_test_addr ${addr} $? 0 "Device server, unbound client, local connection"

	# a device-bound listener must not be reachable through addresses
	# that live on loopback
	for addr in ${NSA_LO_IP6} ::1; do
		log_start
		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -s -I ${NSA_DEV} &
		sleep 1
		run_cmd nettest -6 -r ${addr}
		log_test_addr ${addr} $? 1 "Device server, unbound client, local connection"
	done

	addr=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s &
	sleep 1
	run_cmd nettest -6 -r ${addr} -d ${NSA_DEV} -0 ${addr}
	log_test_addr ${addr} $? 0 "Global server, device client, local connection"

	# same scoping rule from the client side
	for addr in ${NSA_LO_IP6} ::1; do
		log_start
		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${addr} -d ${NSA_DEV}
		log_test_addr ${addr} $? 1 "Global server, device client, local connection"
	done

	for addr in ${NSA_IP6} ${NSA_LINKIP6}; do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd nettest -6 -d ${NSA_DEV} -r ${addr}
		log_test_addr ${addr} $? 0 "Device server, device client, local conn"
	done

	for addr in ${NSA_IP6} ${NSA_LINKIP6}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -d ${NSA_DEV} -r ${addr}
		log_test_addr ${addr} $? 1 "No server, device client, local conn"
	done

	ipv6_tcp_md5_novrf
}
2754
# IPv6 TCP connection tests with ns-A's device enslaved to VRF ${VRF}.
#
# First pass runs with net.ipv4.tcp_l3mdev_accept=0: a listener that is
# not bound to the VRF or to the enslaved device is expected to refuse
# connections arriving in the VRF (the isolation property under test).
# The MD5 cases run in this state, between setup_vrf_dup and
# cleanup_vrf_dup. Second pass sets the sysctl to 1, after which the
# unbound ("global") listener is expected to accept them. Expected client
# exit status: 0 connected, 1 failed.
ipv6_tcp_vrf()
{
	local addr

	# unbound listeners do not serve the VRF in this half
	log_subsection "Global server disabled"

	set_sysctl net.ipv4.tcp_l3mdev_accept=0

	#
	# ns-A is the server
	#
	for addr in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${addr}
		log_test_addr ${addr} $? 1 "Global server"
	done

	for addr in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${addr}
		log_test_addr ${addr} $? 0 "VRF server"
	done

	# link local is always bound to the ingress device, hence
	# -3 ${NSA_DEV} rather than -3 ${VRF}
	addr=${NSA_LINKIP6}%${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${addr}
	log_test_addr ${addr} $? 0 "VRF server"

	for addr in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${addr}
		log_test_addr ${addr} $? 0 "Device server"
	done

	# no listener: the client must see a TCP reset
	for addr in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -6 -r ${addr}
		log_test_addr ${addr} $? 1 "No server"
	done

	# server and client both in ns-A
	addr=${NSA_IP6}
	log_start
	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
	run_cmd nettest -6 -s &
	sleep 1
	run_cmd nettest -6 -r ${addr} -d ${NSA_DEV}
	log_test_addr ${addr} $? 1 "Global server, local connection"

	# MD5 tests need the duplicate (default VRF) path to ns-C
	setup_vrf_dup
	ipv6_tcp_md5
	cleanup_vrf_dup

	#
	# let unbound listeners accept connections from the VRF
	#
	log_subsection "VRF Global server enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	for addr in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -s -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${addr}
		log_test_addr ${addr} $? 0 "Global server"
	done

	for addr in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${addr}
		log_test_addr ${addr} $? 0 "VRF server"
	done

	# for a link-local peer the child socket is bound to the device
	addr=${NSA_LINKIP6}%${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${addr}
	log_test_addr ${addr} $? 0 "Global server"

	log_start
	run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${addr}
	log_test_addr ${addr} $? 0 "VRF server"

	for addr in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${addr}
		log_test_addr ${addr} $? 0 "Device server"
	done

	# no listener: the client must see a TCP reset
	for addr in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -6 -r ${addr}
		log_test_addr ${addr} $? 1 "No server"
	done

	# server and client both in ns-A
	# NOTE(review): the server here is bound to the VRF (-I) although the
	# test is labelled "Global server" - confirm which one is meant
	for addr in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		show_hint "Fails 'Connection refused' since client is not in VRF"
		run_cmd nettest -6 -s -I ${VRF} &
		sleep 1
		run_cmd nettest -6 -r ${addr}
		log_test_addr ${addr} $? 1 "Global server, local connection"
	done

	#
	# ns-A is the client
	#
	for addr in ${NSB_IP6} ${NSB_LO_IP6}; do
		log_start
		run_cmd_nsb nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${addr} -d ${VRF}
		log_test_addr ${addr} $? 0 "Client, VRF bind"
	done

	addr=${NSB_LINKIP6}
	log_start
	show_hint "Fails since VRF device does not allow linklocal addresses"
	run_cmd_nsb nettest -6 -s &
	sleep 1
	run_cmd nettest -6 -r ${addr} -d ${VRF}
	log_test_addr ${addr} $? 1 "Client, VRF bind"

	for addr in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}; do
		log_start
		run_cmd_nsb nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${addr} -d ${NSA_DEV}
		log_test_addr ${addr} $? 0 "Client, device bind"
	done

	for addr in ${NSB_IP6} ${NSB_LO_IP6}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -r ${addr} -d ${VRF}
		log_test_addr ${addr} $? 1 "No server, VRF client"
	done

	for addr in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -r ${addr} -d ${NSA_DEV}
		log_test_addr ${addr} $? 1 "No server, device client"
	done

	#
	# server and client both in ns-A, bound in various combinations
	#
	for addr in ${NSA_IP6} ${VRF_IP6} ::1; do
		log_start
		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd nettest -6 -r ${addr} -d ${VRF} -0 ${addr}
		log_test_addr ${addr} $? 0 "VRF server, VRF client, local connection"
	done

	# the remaining single cases all target ns-A's global address
	addr=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
	sleep 1
	run_cmd nettest -6 -r ${addr} -d ${NSA_DEV} -0 ${addr}
	log_test_addr ${addr} $? 0 "VRF server, device client, local connection"

	# an unbound client sits in the default VRF and must not reach a
	# listener that is bound to the VRF
	log_start
	show_hint "Should fail since unbound client is out of VRF scope"
	run_cmd nettest -6 -s -I ${VRF} &
	sleep 1
	run_cmd nettest -6 -r ${addr}
	log_test_addr ${addr} $? 1 "VRF server, unbound client, local connection"

	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -r ${addr} -d ${VRF} -0 ${addr}
	log_test_addr ${addr} $? 0 "Device server, VRF client, local connection"

	for addr in ${NSA_IP6} ${NSA_LINKIP6}; do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd nettest -6 -r ${addr} -d ${NSA_DEV} -0 ${addr}
		log_test_addr ${addr} $? 0 "Device server, device client, local connection"
	done
}
2978
# Entry point for the IPv6 TCP tests: the non-VRF cases once per
# tcp_l3mdev_accept setting, then the VRF cases on a fresh VRF setup.
ipv6_tcp()
{
	local l3mdev_accept

	log_section "IPv6/TCP"
	log_subsection "No VRF"
	setup

	# tcp_l3mdev_accept should have no effect when no VRF is configured;
	# run the same tests with it off and on to verify that
	for l3mdev_accept in 0 1; do
		case "${l3mdev_accept}" in
		0) log_subsection "tcp_l3mdev_accept disabled" ;;
		1) log_subsection "tcp_l3mdev_accept enabled" ;;
		esac
		set_sysctl net.ipv4.tcp_l3mdev_accept=${l3mdev_accept}
		ipv6_tcp_novrf
	done

	log_subsection "With VRF"
	setup "yes"
	ipv6_tcp_vrf
}
2998
2999################################################################################
3000# IPv6 UDP
3001
# IPv6 UDP tests without a VRF (every nettest call carries -D).
#
# Runs nettest as server and client between ns-A and ns-B and within
# ns-A, for unbound ("global") and device-bound sockets. On the client,
# -d binds to a device, -C selects the device per send via cmsg and -S
# via IPV6_UNICAST_IF, going by the test labels. Expected client exit
# status passed to log_test_addr: 0 success, 1 failure. Servers are
# started in the background and given one second to come up.
ipv6_udp_novrf()
{
	local addr

	#
	# ns-A is the server
	#
	for addr in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${addr}
		log_test_addr ${addr} $? 0 "Global server"

		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${addr}
		log_test_addr ${addr} $? 0 "Device server"
	done

	addr=${NSA_LO_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -6 -D -r ${addr}
	log_test_addr ${addr} $? 0 "Global server"

	# Disabled case, kept to document behavior: a device-bound server
	# should not be reachable via the loopback address because it is out
	# of the device's scope, but the connection does in fact succeed.
	#log_start
	#show_hint "Should fail since loopback address is out of scope"
	#run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	#sleep 1
	#run_cmd_nsb nettest -6 -D -r ${addr}
	#log_test_addr ${addr} $? 1 "Device server"

	# negative test: nothing is listening
	for addr in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -6 -D -r ${addr}
		log_test_addr ${addr} $? 1 "No server"
	done

	#
	# ns-A is the client
	#
	for addr in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}; do
		log_start
		run_cmd_nsb nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${addr} -0 ${NSA_IP6}
		log_test_addr ${addr} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${addr} -d ${NSA_DEV} -0 ${NSA_IP6}
		log_test_addr ${addr} $? 0 "Client, device bind"

		log_start
		run_cmd_nsb nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${addr} -d ${NSA_DEV} -C -0 ${NSA_IP6}
		log_test_addr ${addr} $? 0 "Client, device send via cmsg"

		log_start
		run_cmd_nsb nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${addr} -d ${NSA_DEV} -S -0 ${NSA_IP6}
		log_test_addr ${addr} $? 0 "Client, device bind via IPV6_UNICAST_IF"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -D -r ${addr}
		log_test_addr ${addr} $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -D -r ${addr} -d ${NSA_DEV}
		log_test_addr ${addr} $? 1 "No server, device client"
	done

	#
	# server and client both in ns-A
	#
	for addr in ${NSA_IP6} ${NSA_LO_IP6} ::1; do
		log_start
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${addr} -0 ${addr} -1 ${addr}
		log_test_addr ${addr} $? 0 "Global server, local connection"
	done

	addr=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -r ${addr}
	log_test_addr ${addr} $? 0 "Device server, unbound client, local connection"

	# a device-bound server must not be reachable through addresses
	# that live on loopback
	for addr in ${NSA_LO_IP6} ::1; do
		log_start
		show_hint "Should fail 'Connection refused' since address is out of device scope"
		run_cmd nettest -6 -s -D -I ${NSA_DEV} &
		sleep 1
		run_cmd nettest -6 -D -r ${addr}
		log_test_addr ${addr} $? 1 "Device server, local connection"
	done

	# global server reached by a client that selects the device three
	# different ways: bind, cmsg, IPV6_UNICAST_IF
	addr=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -D &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${addr}
	log_test_addr ${addr} $? 0 "Global server, device client, local connection"

	log_start
	run_cmd nettest -6 -s -D &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${addr}
	log_test_addr ${addr} $? 0 "Global server, device send via cmsg, local connection"

	log_start
	run_cmd nettest -6 -s -D &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${addr}
	log_test_addr ${addr} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection"

	# same three client variants against loopback addresses: all must fail
	for addr in ${NSA_LO_IP6} ::1; do
		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${addr} -d ${NSA_DEV}
		log_test_addr ${addr} $? 1 "Global server, device client, local connection"

		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${addr} -d ${NSA_DEV} -C
		log_test_addr ${addr} $? 1 "Global server, device send via cmsg, local connection"

		# NOTE(review): label says IP_UNICAST_IF; the other IPv6 cases in
		# this function say IPV6_UNICAST_IF for the same -S option
		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${addr} -d ${NSA_DEV} -S
		log_test_addr ${addr} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
	done

	addr=${NSA_IP6}
	log_start
	run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${addr} -0 ${addr}
	log_test_addr ${addr} $? 0 "Device server, device client, local conn"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${addr}
	log_test_addr ${addr} $? 1 "No server, device client, local conn"

	# LLA to GUA: drop ns-B's global address so its traffic leaves with a
	# link-local source, and give it an on-link route to ns-A's global
	# address. These changes go through run_cmd_nsb, so their own exit
	# status is not checked.
	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -D &
	sleep 1
	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
	log_test $? 0 "UDP in - LLA to GUA"

	# restore ns-B
	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}
3186
3187ipv6_udp_vrf()
3188{
3189 local a
3190
3191 # disable global server
3192 log_subsection "Global server disabled"
3193 set_sysctl net.ipv4.udp_l3mdev_accept=0
3194
3195 #
3196 # server tests
3197 #
3198 for a in ${NSA_IP6} ${VRF_IP6}
3199 do
3200 log_start
3201 show_hint "Should fail 'Connection refused' since global server is disabled"
3202 run_cmd nettest -6 -D -s &
3203 sleep 1
3204 run_cmd_nsb nettest -6 -D -r ${a}
3205 log_test_addr ${a} $? 1 "Global server"
3206 done
3207
3208 for a in ${NSA_IP6} ${VRF_IP6}
3209 do
3210 log_start
3211 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3212 sleep 1
3213 run_cmd_nsb nettest -6 -D -r ${a}
3214 log_test_addr ${a} $? 0 "VRF server"
3215 done
3216
3217 for a in ${NSA_IP6} ${VRF_IP6}
3218 do
3219 log_start
3220 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3221 sleep 1
3222 run_cmd_nsb nettest -6 -D -r ${a}
3223 log_test_addr ${a} $? 0 "Enslaved device server"
3224 done
3225
3226 # negative test - should fail
3227 for a in ${NSA_IP6} ${VRF_IP6}
3228 do
3229 log_start
3230 show_hint "Should fail 'Connection refused' since there is no server"
3231 run_cmd_nsb nettest -6 -D -r ${a}
3232 log_test_addr ${a} $? 1 "No server"
3233 done
3234
3235 #
3236 # local address tests
3237 #
3238 for a in ${NSA_IP6} ${VRF_IP6}
3239 do
3240 log_start
3241 show_hint "Should fail 'Connection refused' since global server is disabled"
3242 run_cmd nettest -6 -D -s &
3243 sleep 1
3244 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3245 log_test_addr ${a} $? 1 "Global server, VRF client, local conn"
3246 done
3247
3248 for a in ${NSA_IP6} ${VRF_IP6}
3249 do
3250 log_start
3251 run_cmd nettest -6 -D -I ${VRF} -s &
3252 sleep 1
3253 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3254 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3255 done
3256
3257 a=${NSA_IP6}
3258 log_start
3259 show_hint "Should fail 'Connection refused' since global server is disabled"
3260 run_cmd nettest -6 -D -s &
3261 sleep 1
3262 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3263 log_test_addr ${a} $? 1 "Global server, device client, local conn"
3264
3265 log_start
3266 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3267 sleep 1
3268 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3269 log_test_addr ${a} $? 0 "VRF server, device client, local conn"
3270
3271 log_start
3272 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3273 sleep 1
3274 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3275 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
3276
3277 log_start
3278 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3279 sleep 1
3280 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3281 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
3282
3283 # disable global server
3284 log_subsection "Global server enabled"
3285 set_sysctl net.ipv4.udp_l3mdev_accept=1
3286
3287 #
3288 # server tests
3289 #
3290 for a in ${NSA_IP6} ${VRF_IP6}
3291 do
3292 log_start
3293 run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3294 sleep 1
3295 run_cmd_nsb nettest -6 -D -r ${a}
3296 log_test_addr ${a} $? 0 "Global server"
3297 done
3298
3299 for a in ${NSA_IP6} ${VRF_IP6}
3300 do
3301 log_start
3302 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3303 sleep 1
3304 run_cmd_nsb nettest -6 -D -r ${a}
3305 log_test_addr ${a} $? 0 "VRF server"
3306 done
3307
3308 for a in ${NSA_IP6} ${VRF_IP6}
3309 do
3310 log_start
3311 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3312 sleep 1
3313 run_cmd_nsb nettest -6 -D -r ${a}
3314 log_test_addr ${a} $? 0 "Enslaved device server"
3315 done
3316
3317 # negative test - should fail
3318 for a in ${NSA_IP6} ${VRF_IP6}
3319 do
3320 log_start
3321 run_cmd_nsb nettest -6 -D -r ${a}
3322 log_test_addr ${a} $? 1 "No server"
3323 done
3324
3325 #
3326 # client tests
3327 #
3328 log_start
3329 run_cmd_nsb nettest -6 -D -s &
3330 sleep 1
3331 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
3332 log_test $? 0 "VRF client"
3333
3334 # negative test - should fail
3335 log_start
3336 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
3337 log_test $? 1 "No server, VRF client"
3338
3339 log_start
3340 run_cmd_nsb nettest -6 -D -s &
3341 sleep 1
3342 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
3343 log_test $? 0 "Enslaved device client"
3344
3345 # negative test - should fail
3346 log_start
3347 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
3348 log_test $? 1 "No server, enslaved device client"
3349
3350 #
3351 # local address tests
3352 #
3353 a=${NSA_IP6}
3354 log_start
3355 run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3356 sleep 1
3357 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3358 log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
3359
3360 #log_start
3361 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3362 sleep 1
3363 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3364 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3365
3366
3367 a=${VRF_IP6}
3368 log_start
3369 run_cmd nettest -6 -D -s -3 ${VRF} &
3370 sleep 1
3371 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3372 log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
3373
3374 log_start
3375 run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} &
3376 sleep 1
3377 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3378 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3379
3380 # negative test - should fail
3381 for a in ${NSA_IP6} ${VRF_IP6}
3382 do
3383 log_start
3384 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3385 log_test_addr ${a} $? 1 "No server, VRF client, local conn"
3386 done
3387
3388 # device to global IP
3389 a=${NSA_IP6}
3390 log_start
3391 run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3392 sleep 1
3393 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3394 log_test_addr ${a} $? 0 "Global server, device client, local conn"
3395
3396 log_start
3397 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3398 sleep 1
3399 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3400 log_test_addr ${a} $? 0 "VRF server, device client, local conn"
3401
3402 log_start
3403 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3404 sleep 1
3405 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3406 log_test_addr ${a} $? 0 "Device server, VRF client, local conn"
3407
3408 log_start
3409 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3410 sleep 1
3411 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3412 log_test_addr ${a} $? 0 "Device server, device client, local conn"
3413
3414 log_start
3415 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3416 log_test_addr ${a} $? 1 "No server, device client, local conn"
3417
3418
3419 # link local addresses
3420 log_start
3421 run_cmd nettest -6 -D -s &
3422 sleep 1
3423 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
3424 log_test $? 0 "Global server, linklocal IP"
3425
3426 log_start
3427 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
3428 log_test $? 1 "No server, linklocal IP"
3429
3430
3431 log_start
3432 run_cmd_nsb nettest -6 -D -s &
3433 sleep 1
3434 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
3435 log_test $? 0 "Enslaved device client, linklocal IP"
3436
3437 log_start
3438 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
3439 log_test $? 1 "No server, device client, peer linklocal IP"
3440
3441
3442 log_start
3443 run_cmd nettest -6 -D -s &
3444 sleep 1
3445 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
3446 log_test $? 0 "Enslaved device client, local conn - linklocal IP"
3447
3448 log_start
3449 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
3450 log_test $? 1 "No server, device client, local conn - linklocal IP"
3451
3452 # LLA to GUA
3453 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
3454 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
3455 log_start
3456 run_cmd nettest -6 -s -D &
3457 sleep 1
3458 run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
3459 log_test $? 0 "UDP in - LLA to GUA"
3460
3461 run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
3462 run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
3463}
3464
# Run the IPv6 UDP tests: twice without a VRF (udp_l3mdev_accept off, then
# on) and once with a VRF.
#
# udp_l3mdev_accept is the sysctl that lets a socket bound in the default
# domain receive datagrams that arrived through an L3 master device (VRF).
# Without a VRF it should change nothing, so the non-VRF pass is repeated at
# both values to confirm that.  Both sysctls are set under net.ipv4.* even
# though the traffic here is IPv6.
ipv6_udp()
{
	local l3mdev_state

	# should not matter, but set to known state
	set_sysctl net.ipv4.udp_early_demux=1

	log_section "IPv6/UDP"
	log_subsection "No VRF"
	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	for l3mdev_state in 0 1; do
		case ${l3mdev_state} in
		0) log_subsection "udp_l3mdev_accept disabled" ;;
		1) log_subsection "udp_l3mdev_accept enabled" ;;
		esac
		set_sysctl net.ipv4.udp_l3mdev_accept=${l3mdev_state}
		ipv6_udp_novrf
	done

	log_subsection "With VRF"
	setup "yes"
	ipv6_udp_vrf
}
3487
################################################################################
# IPv6 address bind
3490
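# Bind-only checks for IPv6 raw and TCP sockets in ns-A with no VRF
# configured.  Every case runs nettest in server mode with -b and logs the
# exit status against the expected value (0 = bind accepted).
#
# Cases: raw bind to the interface and loopback addresses, with and without
# a device bind; raw bind to a non-local address (-f); TCP bind to the
# interface address; TCP bind to the loopback address after binding to
# ${NSA_DEV}.
ipv6_addr_bind_novrf()
{
	# keep the address variable function-local, as ipv6_rt and the
	# netfilter_* helpers do, so it does not leak into later tests
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# raw socket with nonlocal bind
	#
	# NOTE(review): this case passes "-P icmp" while the raw cases above
	# pass "-P ipv6-icmp" - confirm the difference is intended
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

	#
	# tcp sockets
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. So this test passes
	# when it really should not.
	# The expected value 0 records current kernel behaviour: a device
	# bind on its own does not limit which local address the socket
	# may bind afterwards.
	a=${NSA_LO_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
}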
3536
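# Bind-only checks for IPv6 raw and TCP sockets in ns-A with ${NSA_DEV}
# enslaved to the VRF.  Every case runs nettest in server mode with -b and
# logs the exit status against the expected value (0 = bind accepted,
# 1 = bind refused).
#
# The address on the enslaved device and the VRF address are expected to be
# bindable after a VRF or device bind; the address on loopback is outside
# the VRF and is expected to be refused.
ipv6_addr_bind_vrf()
{
	# keep the address variable function-local, as ipv6_rt and the
	# netfilter_* helpers do, so it does not leak into later tests
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	# negative case: the loopback address is not part of the VRF
	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"

	#
	# raw socket with nonlocal bind
	#
	# NOTE(review): this case passes "-P icmp" while the raw cases above
	# pass "-P ipv6-icmp" - confirm the difference is intended
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	#
	# tcp sockets
	#
	# address on enslaved device is valid for the VRF or device in a VRF
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not.
	# The expected value 0 records current kernel behaviour: the
	# address check is made against the L3 domain, not the bound device.
	a=${VRF_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind"

	# negative cases: the loopback address must be refused for both a
	# VRF bind and a bind to the device enslaved to the VRF
	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"

}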
3605
# Entry point for the IPv6 bind tests: run the non-VRF set on the plain
# topology, then rebuild the topology with a VRF and run the VRF set.
ipv6_addr_bind()
{
	local mode

	log_section "IPv6 address binds"

	for mode in novrf vrf; do
		if [ "${mode}" = "novrf" ]; then
			log_subsection "No VRF"
			setup
		else
			log_subsection "With VRF"
			setup "yes"
		fi
		# dispatches to ipv6_addr_bind_novrf / ipv6_addr_bind_vrf
		ipv6_addr_bind_${mode}
	done
}
3618
################################################################################
# IPv6 runtime tests
3621
# Runtime tests: delete the VRF device while IPv6 sockets are in use.
#
# Arguments:
#   $1 - description prefix used in every logged test name
#   $2 - extra nettest options selecting the socket type ("-6" is prepended)
#
# Each case starts a server and a client in the background, removes ${VRF}
# while both are running, and then logs with a literal status of 0 against
# an expected 0, so the connection result itself is not what gets recorded.
# The topology is rebuilt with setup after each case because the VRF is gone;
# the final case leaves that to the caller.
# NOTE(review): presumably the only failure mode is the kernel misbehaving
# during "ip link del" with live sockets - confirm against log_test, which
# is defined outside this view.
ipv6_rt()
{
	local desc="$1"
	local varg="-6 $2"
	local with_vrf="yes"
	local a
	local rt_n
	local -a rt_bind
	local -a rt_what

	#
	# server tests
	#
	# server in ns-A bound to nothing, the VRF, or the enslaved device;
	# client in ns-B
	rt_bind=("" "-I ${VRF}" "-I ${NSA_DEV}")
	rt_what=("global server" "VRF server" "enslaved device server")
	for rt_n in 0 1 2; do
		for a in ${NSA_IP6} ${VRF_IP6}; do
			log_start
			run_cmd nettest ${varg} ${rt_bind[rt_n]} -s &
			sleep 1
			run_cmd_nsb nettest ${varg} -r ${a} &
			sleep 3
			run_cmd ip link del ${VRF}
			sleep 1
			log_test_addr ${a} 0 0 "${desc}, ${rt_what[rt_n]}"

			setup ${with_vrf}
		done
	done

	#
	# client test
	#
	# server in ns-B; client in ns-A bound to the VRF, then to the device
	rt_bind=("${VRF}" "${NSA_DEV}")
	rt_what=("VRF client" "enslaved device client")
	for rt_n in 0 1; do
		log_start
		run_cmd_nsb nettest ${varg} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${rt_bind[rt_n]} -r ${NSB_IP6} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test 0 0 "${desc}, ${rt_what[rt_n]}"

		setup ${with_vrf}
	done

	#
	# local address tests
	#
	# server and client both in ns-A, client bound to the VRF
	rt_bind=("" "-I ${VRF}")
	rt_what=("global server, VRF client" "VRF server and client")
	for rt_n in 0 1; do
		for a in ${NSA_IP6} ${VRF_IP6}; do
			log_start
			run_cmd nettest ${varg} ${rt_bind[rt_n]} -s &
			sleep 1
			run_cmd nettest ${varg} -d ${VRF} -r ${a} &
			sleep 3
			run_cmd ip link del ${VRF}
			sleep 1
			log_test_addr ${a} 0 0 "${desc}, ${rt_what[rt_n]}"

			setup ${with_vrf}
		done
	done

	# server and client both in ns-A, client bound to the enslaved device
	a=${NSA_IP6}
	rt_bind=("" "-I ${VRF}" "-I ${NSA_DEV}")
	rt_what=("global server" "VRF server" "device server")
	for rt_n in 0 1 2; do
		# rebuild between cases only, so the last logged result is
		# also the last command of the function
		if [ ${rt_n} -gt 0 ]; then
			setup ${with_vrf}
		fi

		log_start
		run_cmd nettest ${varg} ${rt_bind[rt_n]} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, ${rt_what[rt_n]}, device client"
	done
}
3763
# Runtime ping tests: delete the VRF device while a flood ping (-f) is
# running, once with ns-B pinging ns-A and once with ns-A pinging ns-B
# through the VRF.  Both results are logged with a literal status of 0
# against an expected 0.
ipv6_ping_rt()
{
	local with_vrf="yes"
	local a="${NSA_IP6}"

	# inbound flood from ns-B
	log_start
	run_cmd_nsb ${ping6} -f ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

	# the VRF was deleted above; rebuild before the outbound case
	setup ${with_vrf}

	# outbound flood from ns-A through the VRF
	# NOTE(review): the ping target is ${NSB_IP6} but the result is
	# logged against ${a} (the ns-A address) - confirm intended
	log_start
	run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
	sleep 1
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}
3786
# Entry point for the IPv6 runtime tests.  The topology is rebuilt with a
# VRF before each group because every group ends with the VRF deleted.
ipv6_runtime()
{
	local rt_case
	# "<description>|<nettest options>" for each ipv6_rt run
	local -a rt_cases=(
		"TCP active socket|-n -1"
		"TCP passive socket|-i"
		"UDP active socket|-D -n -1"
	)

	log_section "Run time tests - ipv6"

	setup "yes"
	ipv6_ping_rt

	for rt_case in "${rt_cases[@]}"; do
		setup "yes"
		ipv6_rt "${rt_case%%|*}" "${rt_case#*|}"
	done
}
3803
################################################################################
# netfilter blocking connections
3806
# With a REJECT/tcp-reset rule installed by the caller, connect from ns-B to
# a TCP server in ns-A on each ns-A address and expect the client to fail
# (expected status 1).
netfilter_tcp_reset()
{
	local a
	local rc

	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		rc=$?
		log_test_addr ${a} ${rc} 1 "Global server, reject with TCP-reset on Rx"
	done
}
3820
# With a REJECT/icmp-port-unreachable rule installed by the caller, connect
# from ns-B to a server in ns-A on each ns-A address and expect the client
# to fail (expected status 1).
#
# Arguments:
#   $1 - "TCP" or "UDP"; "UDP" adds -D to both nettest invocations
netfilter_icmp()
{
	local stype="$1"
	local arg
	local a
	local rc

	case "${stype}" in
	UDP) arg="-D" ;;
	esac

	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd nettest ${arg} -s &
		sleep 1
		run_cmd_nsb nettest ${arg} -r ${a}
		rc=$?
		log_test_addr ${a} ${rc} 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}
3838
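# IPv4 netfilter tests: install REJECT rules for port 12345 on the INPUT
# chain and check that clients are refused, first with tcp-reset and then
# with icmp-port-unreachable for TCP and UDP.
#
# All rule changes go through run_cmd.  run_cmd is defined outside this
# view; given NSA_CMD="ip netns exec ${NSA}" at the top of the file it
# presumably executes inside ns-A, which is where the rules belong.
ipv4_netfilter()
{
	log_section "IPv4 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp_reset

	log_start
	log_subsection "ICMP unreachable"

	log_start
	run_cmd iptables -F
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
	run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable

	netfilter_icmp "TCP"
	netfilter_icmp "UDP"

	log_start
	# Flush through run_cmd like every other rule change above.  A bare
	# "iptables -F" runs in the namespace the script was started from,
	# so it would clear that namespace's filter chains and leave the
	# test rules in place.
	run_cmd iptables -F
}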
3863
# IPv6 counterpart of netfilter_tcp_reset: with a REJECT/tcp-reset rule
# installed by the caller, connect from ns-B to a TCP server in ns-A on each
# ns-A address and expect the client to fail (expected status 1).
netfilter_tcp6_reset()
{
	local a
	local rc

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		rc=$?
		log_test_addr ${a} ${rc} 1 "Global server, reject with TCP-reset on Rx"
	done
}
3877
# IPv6 counterpart of netfilter_icmp: with a REJECT/icmp6-port-unreachable
# rule installed by the caller, connect from ns-B to a server in ns-A on
# each ns-A address and expect the client to fail (expected status 1).
#
# Arguments:
#   $1 - "TCP" or "UDP"; "UDP" adds -D to both nettest invocations
netfilter_icmp6()
{
	local stype="$1"
	local arg
	local a
	local rc

	if [ "${stype}" = "UDP" ]; then
		arg="${arg} -D"
	fi

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -s ${arg} &
		sleep 1
		run_cmd_nsb nettest -6 ${arg} -r ${a}
		rc=$?
		log_test_addr ${a} ${rc} 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}
3895
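# IPv6 netfilter tests: install REJECT rules for port 12345 on the INPUT
# chain and check that clients are refused, first with tcp-reset and then
# with icmp6-port-unreachable for TCP and UDP.
#
# All rule changes go through run_cmd.  run_cmd is defined outside this
# view; given NSA_CMD="ip netns exec ${NSA}" at the top of the file it
# presumably executes inside ns-A, which is where the rules belong.
ipv6_netfilter()
{
	log_section "IPv6 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp6_reset

	log_subsection "ICMP unreachable"

	log_start
	run_cmd ip6tables -F
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
	run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable

	netfilter_icmp6 "TCP"
	netfilter_icmp6 "UDP"

	log_start
	# Flush through run_cmd like every other rule change above.  A bare
	# "ip6tables -F" runs in the namespace the script was started from,
	# so it would clear that namespace's filter chains and leave the
	# test rules in place.
	run_cmd ip6tables -F
}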
3919
################################################################################
# specific use cases
3922
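# Helper for use_case_br: flush the ns-A neighbour table and send one ping in
# each direction over IPv4 and IPv6, logging "<label> - IPvN ping out|in".
#
# Arguments:
#   $1 - ns-A device to ping out of      $4 - ns-A IPv4 address (ping in)
#   $2 - peer IPv4 address               $5 - ns-A IPv6 address (ping in)
#   $3 - peer IPv6 address               $6 - label for the logged names
_use_case_br_pings()
{
	local out_dev="$1"
	local peer4="$2"
	local peer6="$3"
	local self4="$4"
	local self6="$5"
	local label="$6"

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I ${out_dev} ${peer4}
	log_test $? 0 "${label} - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I ${out_dev} ${peer6}
	log_test $? 0 "${label} - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 ${self4}
	log_test $? 0 "${label} - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 ${self6}
	log_test $? 0 "${label} - IPv6 ping in"
}

# VRF only.
# ns-A device enslaved to bridge. Verify traffic with and without
# br_netfilter module loaded. Repeat with SVI on bridge.
#
# rmmod/modprobe are run directly, not through setup_cmd/run_cmd.  Kernel
# modules are system-wide, so this changes br_netfilter state for the whole
# machine, and the module is left loaded when modprobe succeeds.
use_case_br()
{
	setup "yes"

	# move the ns-A addresses from the port onto a new bridge and put
	# the bridge into the VRF
	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
	setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64

	setup_cmd ip link add br0 type bridge
	setup_cmd ip addr add dev br0 ${NSA_IP}/24
	setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad

	setup_cmd ip li set ${NSA_DEV} master br0
	setup_cmd ip li set ${NSA_DEV} up
	setup_cmd ip li set br0 up
	setup_cmd ip li set br0 vrf ${VRF}

	# best effort: the module may not be loaded or may be in use
	rmmod br_netfilter 2>/dev/null
	sleep 5 # DAD

	_use_case_br_pings br0 "${NSB_IP}" "${NSB_IP6}" "${NSA_IP}" "${NSA_IP6}" \
		"Bridge into VRF"

	# the br_netfilter pass is skipped when the module cannot be loaded
	if modprobe br_netfilter; then
		_use_case_br_pings br0 "${NSB_IP}" "${NSB_IP6}" "${NSA_IP}" "${NSA_IP6}" \
			"Bridge into VRF with br_netfilter"
	fi

	# repeat with a VLAN device on the bridge as the VRF member
	setup_cmd ip li set br0 nomaster
	setup_cmd ip li add br0.100 link br0 type vlan id 100
	setup_cmd ip li set br0.100 vrf ${VRF} up
	setup_cmd ip addr add dev br0.100 172.16.101.1/24
	setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad

	setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
	setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
	setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
	setup_cmd_nsb ip li set vlan100 up
	sleep 1

	rmmod br_netfilter 2>/dev/null

	_use_case_br_pings br0.100 172.16.101.2 2001:db8:101::2 \
		172.16.101.1 2001:db8:101::1 "Bridge vlan into VRF"

	# The "ping in" results of this pass now carry the br_netfilter
	# label; they previously reused the names of the pass above, which
	# made the two sets of results indistinguishable in the log.
	if modprobe br_netfilter; then
		_use_case_br_pings br0.100 172.16.101.2 2001:db8:101::2 \
			172.16.101.1 2001:db8:101::1 \
			"Bridge vlan into VRF with br_netfilter"
	fi

	setup_cmd ip li del br0 2>/dev/null
	setup_cmd_nsb ip li del vlan100 2>/dev/null
}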
4033
# VRF only.
# ns-A device is connected to both ns-B and ns-C on a single VRF but only has
# LLA on the interfaces
#
# ns-B and ns-C each ping the multicast address out of their own device,
# before and after each of the two ns-A interfaces is taken down and up
# again.  Multicast echo replies are disabled in ns-B and ns-C so that any
# reply comes from ns-A.
use_case_ping_lla_multi()
{
	local nsb_dst
	local nsc_dst

	setup_lla_only
	# only want reply from ns-A
	setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
	setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1

	# scoped multicast destinations, one per peer namespace
	nsb_dst=${MCAST}%${NSB_DEV}
	nsc_dst=${MCAST}%${NSC_DEV}

	log_start
	run_cmd_nsb ping -c1 -w1 ${nsb_dst}
	log_test_addr ${nsb_dst} $? 0 "Pre cycle, ping out ns-B"

	run_cmd_nsc ping -c1 -w1 ${nsc_dst}
	log_test_addr ${nsc_dst} $? 0 "Pre cycle, ping out ns-C"

	# cycle/flap the first ns-A interface
	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip link set ${NSA_DEV} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${nsb_dst}
	log_test_addr ${nsb_dst} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${nsc_dst}
	log_test_addr ${nsc_dst} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C"

	# cycle/flap the second ns-A interface
	setup_cmd ip link set ${NSA_DEV2} down
	setup_cmd ip link set ${NSA_DEV2} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${nsb_dst}
	log_test_addr ${nsb_dst} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${nsc_dst}
	log_test_addr ${nsc_dst} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C"
}
4073
# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully
# established with ns-B.
#
# The SNAT rules rewrite the source of TCP traffic to ${port} leaving through
# the VRF device to the ns-A loopback addresses.  The same rule text is used
# for the add (-A) and the delete (-D) so the cleanup removes exactly what
# was installed.
use_case_snat_on_vrf()
{
	setup "yes"

	local port="12345"
	# chain and match shared by the IPv4 and IPv6 rules
	local snat_rule="POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT"

	run_cmd iptables -t nat -A ${snat_rule} --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -A ${snat_rule} --to-source ${NSA_LO_IP6} -o ${VRF}

	run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} &
	sleep 1
	run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port}
	log_test $? 0 "IPv4 TCP connection over VRF with SNAT"

	run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} &
	sleep 1
	run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port}
	log_test $? 0 "IPv6 TCP connection over VRF with SNAT"

	# Cleanup
	run_cmd iptables -t nat -D ${snat_rule} --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -D ${snat_rule} --to-source ${NSA_LO_IP6} -o ${VRF}
}
4099
# Entry point for the use-case tests: log a subsection title and run the
# matching use_case_* function for each entry, in order.
use_cases()
{
	local uc

	log_section "Use cases"

	# "<subsection title>|<function>"
	for uc in \
		"Device enslaved to bridge|use_case_br" \
		"Ping LLA with multiple interfaces|use_case_ping_lla_multi" \
		"SNAT on VRF|use_case_snat_on_vrf"
	do
		log_subsection "${uc%%|*}"
		"${uc#*|}"
	done
}
4110
################################################################################
# usage
4113
4114usage()
4115{
4116 cat <<EOF
4117usage: ${0##*/} OPTS
4118
4119 -4 IPv4 tests only
4120 -6 IPv6 tests only
4121 -t <test> Test name/set to run
4122 -p Pause on fail
4123 -P Pause after each test
4124 -v Be verbose
4125
4126Tests:
4127 $TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER
4128EOF
4129}
4130
################################################################################
# main
4133
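# Test sets selectable with -4, -6 and -t; also printed by usage.
TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter"
TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter"
TESTS_OTHER="use_cases"

PAUSE_ON_FAIL=no
PAUSE=no

# NOTE(review): TESTS is not cleared before option parsing, so a value
# inherited from the environment is used when no -4/-6/-t is given -
# confirm this is intended.
while getopts :46t:pPvh o
do
	case $o in
		4) TESTS=ipv4;;
		6) TESTS=ipv6;;
		t) TESTS=$OPTARG;;
		p) PAUSE_ON_FAIL=yes;;
		P) PAUSE=yes;;
		v) VERBOSE=1;;
		h) usage; exit 0;;
		*) usage; exit 1;;
	esac
done

# make sure we don't pause twice
[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no

#
# show user test config
#
if [ -z "$TESTS" ]; then
	TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
elif [ "$TESTS" = "ipv4" ]; then
	TESTS="$TESTS_IPV4"
elif [ "$TESTS" = "ipv6" ]; then
	TESTS="$TESTS_IPV6"
fi

# command -v is a shell builtin, so the check does not depend on a separate
# "which" binary being installed
if ! command -v nettest >/dev/null; then
	echo "'nettest' command not found; skipping tests"
	exit $ksft_skip
fi

declare -i nfail=0
declare -i nsuccess=0

for t in $TESTS
do
	case $t in
	ipv4_ping|ping)  ipv4_ping;;
	ipv4_tcp|tcp)    ipv4_tcp;;
	ipv4_udp|udp)    ipv4_udp;;
	ipv4_bind|bind)  ipv4_addr_bind;;
	ipv4_runtime)    ipv4_runtime;;
	ipv4_netfilter)  ipv4_netfilter;;

	ipv6_ping|ping6) ipv6_ping;;
	ipv6_tcp|tcp6)   ipv6_tcp;;
	ipv6_udp|udp6)   ipv6_udp;;
	ipv6_bind|bind6) ipv6_addr_bind;;
	ipv6_runtime)    ipv6_runtime;;
	ipv6_netfilter)  ipv6_netfilter;;

	use_cases)       use_cases;;

	# setup namespaces and config, but do not run any tests
	setup)           setup; exit 0;;
	vrf_setup)       setup "yes"; exit 0;;

	# A mistyped name would otherwise run nothing and end as a SKIP
	# with no hint of the cause; report it and continue.
	*)               echo "Unknown test '${t}'; ignoring" >&2;;
	esac
done

# best-effort teardown; errors from already-removed objects are discarded
cleanup 2>/dev/null

printf "\nTests passed: %3d\n" ${nsuccess}
printf "Tests failed: %3d\n"   ${nfail}

# any failure wins; a run in which nothing passed is reported as skipped
if [ $nfail -ne 0 ]; then
	exit 1 # KSFT_FAIL
elif [ $nsuccess -eq 0 ]; then
	exit $ksft_skip
fi

exit 0 # KSFT_PASS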
4214exit 0 # KSFT_PASS