#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
#
# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
# for various permutations:
#   1. icmp, tcp, udp and netfilter
#   2. client, server, no-server
#   3. global address on interface
#   4. global address on 'lo'
#   5. remote and local traffic
#   6. VRF and non-VRF permutations
#
# Setup:
#                     ns-A     |     ns-B
# No VRF case:
#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
#                                                remote address
# VRF case:
#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
#
# ns-A:
#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
#       lo: 127.0.0.1/8, ::1/128
#           172.16.2.1/32, 2001:db8:2::1/128
#      red: 127.0.0.1/8, ::1/128
#           172.16.3.1/32, 2001:db8:3::1/128
#
# ns-B:
#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
#      lo2: 127.0.0.1/8, ::1/128
#           172.16.2.2/32, 2001:db8:2::2/128
#
# ns-A to ns-C connection - only for VRF and same config
# as ns-A to ns-B
#
# server / client nomenclature relative to ns-A
39
# Shared selftest helpers. setup_ns and cleanup_ns are called below but are
# not defined in this file; presumably they come from lib.sh.
source lib.sh

# The working directory and its selftest subdirectory are searched before the
# inherited PATH so that locally built helpers (e.g. nettest) are found.
# NOTE(review): entries placed first also shadow system tools such as ip,
# ping, sysctl and killall. This script configures network namespaces, which
# normally needs elevated privileges, so run it only from a trusted tree.
PATH=$PWD:$PWD/tools/testing/selftests/net:$PATH

VERBOSE=0

# Device, VRF and table names used inside the namespaces.
NSA_DEV=eth1
NSA_DEV2=eth2
NSB_DEV=eth1
NSC_DEV=eth2
VRF=red
VRF_TABLE=1101

# IPv4 config
NSA_IP=172.16.1.1
NSB_IP=172.16.1.2
VRF_IP=172.16.3.1
NS_NET=172.16.1.0/24

# IPv6 config
NSA_IP6=2001:db8:1::1
NSB_IP6=2001:db8:1::2
VRF_IP6=2001:db8:3::1
NS_NET6=2001:db8:1::/120

# Addresses placed on the loopback devices (reached through a route).
NSA_LO_IP=172.16.2.1
NSB_LO_IP=172.16.2.2
NSA_LO_IP6=2001:db8:2::1
NSB_LO_IP6=2001:db8:2::2

# non-local addresses for freebind tests
NL_IP=172.17.1.1
NL_IP6=2001:db8:4::1

# multicast and broadcast addresses
MCAST_IP=224.0.0.1
BCAST_IP=255.255.255.255

# Fixed TCP-MD5 keys for the MD5 test cases. They are test fixtures, not
# secrets: they are passed to nettest as command-line arguments and are
# echoed in VERBOSE output.
MD5_PW=abc123
MD5_WRONG_PW=abc1234

MCAST=ff02::1
# link-local addresses; filled in once the namespaces exist
NSA_LINKIP6=
NSB_LINKIP6=

# Prefer a dedicated ping6 binary; fall back to ping when there is none.
which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)

# Record whether the kernel reports FIPS mode (0 when the knob is absent).
fips_enabled=0
if [ -f /proc/sys/crypto/fips_enabled ]; then
	fips_enabled=$(cat /proc/sys/crypto/fips_enabled)
fi
94
95################################################################################
96# utilities
97
#######################################
# Record one test result and print its TEST line.
# Globals:   VERBOSE, PAUSE_ON_FAIL, PAUSE (read); nsuccess, nfail (written)
# Arguments: $1 - actual return code
#            $2 - expected return code
#            $3 - test description
# Outputs:   result line on stdout; reads stdin when a pause is requested
# Returns:   status of kill_procs; exits 1 when the user answers 'q'
#######################################
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"
	local ans

	if [ "${VERBOSE}" = "1" ]; then
		echo
	fi

	if ! [ ${rc} -eq ${expected} ]; then
		nfail=$((nfail+1))
		printf "TEST: %-70s [FAIL]\n" "${msg}"
		echo " expected rc $expected; actual rc $rc"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue, 'q' to quit"
			read ans
			if [ "$ans" = "q" ]; then
				exit 1
			fi
		fi
	else
		nsuccess=$((nsuccess+1))
		printf "TEST: %-70s [ OK ]\n" "${msg}"
	fi

	# PAUSE stops after every test, independent of the outcome.
	if [ "${PAUSE}" = "yes" ]; then
		echo
		echo "hit enter to continue, 'q' to quit"
		read ans
		if [ "$ans" = "q" ]; then
			exit 1
		fi
	fi

	# Leave no client/server instance behind for the next test.
	kill_procs
}
131
#######################################
# Log a test result with a readable label for the address under test.
# Arguments: $1 - address, $2 - actual rc, $3 - expected rc, $4 - description
# Outputs:   whatever log_test prints, with " - <label>" appended to $4
#######################################
log_test_addr()
{
	local addr=$1
	local rc=$2
	local expected=$3
	local msg="$4"

	# addr2str turns the address into a label such as "ns-B IP".
	log_test $rc $expected "$msg - $(addr2str ${addr})"
}
143
#######################################
# Print a section banner: the arguments between two rules of '#'.
# Arguments: $* - section title
# Outputs:   banner on stdout, surrounded by blank lines
#######################################
log_section()
{
	local rule="###########################################################################"

	echo
	echo "${rule}"
	echo "$*"
	echo "${rule}"
	echo
}
152
#######################################
# Print a subsection banner: one rule of '#' followed by the arguments.
# Arguments: $* - subsection title
# Outputs:   banner on stdout, surrounded by blank lines
#######################################
log_subsection()
{
	local rule="#################################################################"

	echo
	echo "${rule}"
	echo "$*"
	echo
}
160
#######################################
# Prepare for a new test case.
# Globals:   VERBOSE (read)
# Outputs:   a separator on stdout when VERBOSE is 1
#######################################
log_start()
{
	# make sure no instance from an earlier test is still running
	kill_procs

	[ "${VERBOSE}" = "1" ] || return 0

	echo
	echo "#######################################################"
}
171
#######################################
# Print a debug message, but only in verbose mode.
# Globals:   VERBOSE (read)
# Arguments: $* - message
# Outputs:   the message between blank lines when VERBOSE is 1
#######################################
log_debug()
{
	[ "${VERBOSE}" = "1" ] || return 0

	echo
	echo "$*"
	echo
}
180
#######################################
# Print a hint explaining the expected outcome of the next test.
# Globals:   VERBOSE (read)
# Arguments: $* - hint text
# Outputs:   "HINT: ..." and a blank line when VERBOSE is 1
#######################################
show_hint()
{
	[ "${VERBOSE}" = "1" ] || return 0

	echo "HINT: $*"
	echo
}
188
#######################################
# Stop test clients and servers left over from a previous test.
# NOTE(review): killall matches by process name, so this is not limited to
# the test namespaces; any nettest, ping or ping6 process the caller is
# allowed to signal is terminated as well.
# Returns:   status of the trailing sleep
#######################################
kill_procs()
{
	killall nettest ping ping6 &>/dev/null
	# give the processes a moment to exit
	sleep 1
}
194
#######################################
# Set net.ipv4.ping_group_range in ns-A to '0 2147483647'.
# The sysctl is run directly instead of through run_cmd because the value
# contains a space, which run_cmd's word splitting would break apart.
# Globals:   VERBOSE, NSA_CMD (read)
# Outputs:   the command line when VERBOSE is 1
# Returns:   status of sysctl
#######################################
set_ping_group()
{
	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${NSA_CMD} sysctl -q -w net.ipv4.ping_group_range='0 2147483647'"
	fi

	# NSA_CMD is left unquoted on purpose: it holds several words.
	${NSA_CMD} sysctl -q -w net.ipv4.ping_group_range='0 2147483647'
}
203
#######################################
# Run a command, capturing its combined stdout/stderr.
# The arguments are flattened into one string and split again on whitespace
# when executed, so an argument containing whitespace cannot be passed
# through intact.
# Globals:   VERBOSE (read); rc (written - it is not declared local here)
# Arguments: $* - command and its arguments
# Outputs:   the command line and its output when VERBOSE is 1
# Returns:   exit status of the command
#######################################
do_run_cmd()
{
	local cmd="$*"
	local out

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${cmd}"
	fi

	out=$($cmd 2>&1)
	rc=$?

	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		echo "$out"
	fi

	return $rc
}
221
#######################################
# Run a command inside ns-A.
# Globals:   NSA_CMD (read)
# Arguments: $* - command and its arguments
# Returns:   status of do_run_cmd
#######################################
run_cmd()
{
	# Unquoted on purpose: NSA_CMD holds several words and the arguments
	# are re-split by do_run_cmd anyway.
	do_run_cmd ${NSA_CMD} $@
}
226
#######################################
# Run a command inside ns-B.
# Globals:   NSB_CMD (read)
# Arguments: $* - command and its arguments
# Returns:   status of do_run_cmd
#######################################
run_cmd_nsb()
{
	# Unquoted on purpose: NSB_CMD holds several words and the arguments
	# are re-split by do_run_cmd anyway.
	do_run_cmd ${NSB_CMD} $@
}
231
#######################################
# Run a command inside ns-C.
# Globals:   NSC_CMD (read)
# Arguments: $* - command and its arguments
# Returns:   status of do_run_cmd
#######################################
run_cmd_nsc()
{
	# Unquoted on purpose: NSC_CMD holds several words and the arguments
	# are re-split by do_run_cmd anyway.
	do_run_cmd ${NSC_CMD} $@
}
236
#######################################
# Run a setup command in ns-A; abort the whole test run if it fails.
# Globals:   VERBOSE, PAUSE_ON_FAIL (read)
# Arguments: $* - command and its arguments
# Outputs:   the failing command and a stop notice on failure
# Returns:   0 on success; exits with the command's status on failure
#######################################
setup_cmd()
{
	local cmd="$*"
	local rc

	run_cmd ${cmd}
	rc=$?
	if [ $rc -eq 0 ]; then
		return 0
	fi

	# show user the command if not done so already
	if [ "$VERBOSE" = "0" ]; then
		echo "setup command: $cmd"
	fi
	echo "failed. stopping tests"

	if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
		echo
		echo "hit enter to continue"
		read a
	fi

	exit $rc
}
258
#######################################
# Run a setup command in ns-B; abort the whole test run if it fails.
# Globals:   VERBOSE, PAUSE_ON_FAIL (read)
# Arguments: $* - command and its arguments
# Outputs:   the failing command and a stop notice on failure
# Returns:   0 on success; exits with the command's status on failure
#######################################
setup_cmd_nsb()
{
	local cmd="$*"
	local rc

	run_cmd_nsb ${cmd}
	rc=$?
	if [ $rc -eq 0 ]; then
		return 0
	fi

	# show user the command if not done so already
	if [ "$VERBOSE" = "0" ]; then
		echo "setup command: $cmd"
	fi
	echo "failed. stopping tests"

	if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
		echo
		echo "hit enter to continue"
		read a
	fi

	exit $rc
}
280
#######################################
# Run a setup command in ns-C; abort the whole test run if it fails.
# Globals:   VERBOSE, PAUSE_ON_FAIL (read)
# Arguments: $* - command and its arguments
# Outputs:   the failing command and a stop notice on failure
# Returns:   0 on success; exits with the command's status on failure
#######################################
setup_cmd_nsc()
{
	local cmd="$*"
	local rc

	run_cmd_nsc ${cmd}
	rc=$?
	if [ $rc -eq 0 ]; then
		return 0
	fi

	# show user the command if not done so already
	if [ "$VERBOSE" = "0" ]; then
		echo "setup command: $cmd"
	fi
	echo "failed. stopping tests"

	if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
		echo
		echo "hit enter to continue"
		read a
	fi

	exit $rc
}
302
#######################################
# Set sysctl values in ns-A.
# Arguments: $* - one or more key=value settings (re-split on whitespace)
# Outputs:   "SYSCTL: ..." and a blank line, then any run_cmd output
# Returns:   status of run_cmd
#######################################
set_sysctl()
{
	echo "SYSCTL: $*"
	echo
	run_cmd sysctl -q -w $@
}
310
#######################################
# Read sysctl values in ns-A.
# Globals:   NSA_CMD (read)
# Arguments: $* - sysctl keys
# Outputs:   the values, as printed by sysctl -n
#######################################
get_sysctl()
{
	# NSA_CMD is left unquoted on purpose: it holds several words.
	${NSA_CMD} sysctl -n $@
}
316
317################################################################################
318# Setup for tests
319
#######################################
# Map an address to the human-readable label used in test descriptions.
# The variables are expanded unquoted, i.e. as case patterns; the link-local
# and multicast arms also accept a "%<scope>" suffix. While the link-local
# variables are still empty their arms match an empty string or "%...".
# Globals:   the *_IP, *_IP6, *_LINKIP6, MCAST* and BCAST_IP variables (read)
# Arguments: $1 - address
# Outputs:   the label, or "unknown"
#######################################
addr2str()
{
	local label

	case "$1" in
	127.0.0.1) label="loopback";;
	::1) label="IPv6 loopback";;

	${BCAST_IP}) label="broadcast";;
	${MCAST_IP}) label="multicast";;

	${NSA_IP}) label="ns-A IP";;
	${NSA_IP6}) label="ns-A IPv6";;
	${NSA_LO_IP}) label="ns-A loopback IP";;
	${NSA_LO_IP6}) label="ns-A loopback IPv6";;
	${NSA_LINKIP6}|${NSA_LINKIP6}%*) label="ns-A IPv6 LLA";;

	${NSB_IP}) label="ns-B IP";;
	${NSB_IP6}) label="ns-B IPv6";;
	${NSB_LO_IP}) label="ns-B loopback IP";;
	${NSB_LO_IP6}) label="ns-B loopback IPv6";;
	${NSB_LINKIP6}|${NSB_LINKIP6}%*) label="ns-B IPv6 LLA";;

	${NL_IP}) label="nonlocal IP";;
	${NL_IP6}) label="nonlocal IPv6";;

	${VRF_IP}) label="VRF IP";;
	${VRF_IP6}) label="VRF IPv6";;

	${MCAST}%*) label="multicast IP";;

	*) label="unknown";;
	esac

	echo "${label}"
}
352
#######################################
# Print the IPv6 link-local address(es) of a device in a namespace.
# Arguments: $1 - namespace name, $2 - device name
# Outputs:   the fe80 address with the prefix length stripped
# Returns:   0 when an address was found, 1 otherwise
#######################################
get_linklocal()
{
	local ns=$1
	local dev=$2
	local addr

	# In the brief listing the addresses start at the third field.
	addr=$(ip -netns ${ns} -6 -br addr show dev ${dev} |
		awk '{ for (i = 3; i <= NF; ++i) if ($i ~ /^fe80/) print $i }')
	# drop everything from the first '/' on
	addr=${addr%%/*}

	if [ -z "$addr" ]; then
		return 1
	fi

	echo $addr

	return 0
}
375
376################################################################################
377# create namespaces and vrf
378
#######################################
# Create a VRF device in a namespace and give it addresses.
# Arguments: $1 - namespace, $2 - VRF device name, $3 - routing table id,
#            $4 - IPv4 address or "-", $5 - IPv6 address or "-"
# Returns:   status of the last ip command
#######################################
create_vrf()
{
	local ns=$1
	local vrf=$2
	local table=$3
	local addr=$4
	local addr6=$5
	local fam

	ip -netns ${ns} link add ${vrf} type vrf table ${table}
	ip -netns ${ns} link set ${vrf} up

	# Unreachable default (IPv4, then IPv6) so that lookups in the VRF
	# table end there instead of continuing to other tables.
	for fam in "" "-6"; do
		ip -netns ${ns} ${fam} route add vrf ${vrf} unreachable default metric 8192
	done

	# loopback addresses on the VRF device, plus the optional extra ones
	ip -netns ${ns} addr add 127.0.0.1/8 dev ${vrf}
	ip -netns ${ns} -6 addr add ::1 dev ${vrf} nodad
	if [ "${addr}" != "-" ]; then
		ip -netns ${ns} addr add dev ${vrf} ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns ${ns} -6 addr add dev ${vrf} ${addr6}
	fi

	# Move the 'local' table rule from pref 0 to 32765 for both families;
	# presumably so that the VRF rule is consulted before the local table.
	for fam in "" "-6"; do
		ip -netns ${ns} ${fam} ru del pref 0
		ip -netns ${ns} ${fam} ru add pref 32765 from all lookup local
	done
}
406
#######################################
# Configure a namespace: loopback addresses, unreachable default routes and
# forwarding sysctls. The sysctls are set inside the namespace only.
# Arguments: $1 - namespace, $2 - IPv4 address for lo or "-",
#            $3 - IPv6 address for lo or "-"
# Returns:   status of the last sysctl
#######################################
create_ns()
{
	local ns=$1
	local addr=$2
	local addr6=$3
	local knob

	if [ "${addr}" != "-" ]; then
		ip -netns ${ns} addr add dev lo ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns ${ns} -6 addr add dev lo ${addr6}
	fi

	ip -netns ${ns} ro add unreachable default metric 8192
	ip -netns ${ns} -6 ro add unreachable default metric 8192

	for knob in \
		net.ipv4.ip_forward \
		net.ipv6.conf.all.keep_addr_on_down \
		net.ipv6.conf.all.forwarding \
		net.ipv6.conf.default.forwarding
	do
		ip netns exec ${ns} sysctl -qw ${knob}=1
	done
}
428
#######################################
# Create a veth pair connecting two namespaces and apply addresses.
# The peer end is created under the fixed temporary name "tmp" in the first
# namespace and renamed while it is moved into the second one.
# Only the first namespace's address arguments are compared with "-"; the
# matching address of the second namespace is applied along with it.
# Arguments: $1 - ns1, $2 - ns1 device, $3 - ns1 IPv4 or "-", $4 - ns1 IPv6 or "-"
#            $5 - ns2, $6 - ns2 device, $7 - ns2 IPv4, $8 - ns2 IPv6
#######################################
connect_ns()
{
	local near_ns=$1
	local near_dev=$2
	local near_addr=$3
	local near_addr6=$4
	local far_ns=$5
	local far_dev=$6
	local far_addr=$7
	local far_addr6=$8

	ip -netns ${near_ns} li add ${near_dev} type veth peer name tmp
	ip -netns ${near_ns} li set ${near_dev} up
	ip -netns ${near_ns} li set tmp netns ${far_ns} name ${far_dev}
	ip -netns ${far_ns} li set ${far_dev} up

	if [ "${near_addr}" != "-" ]; then
		ip -netns ${near_ns} addr add dev ${near_dev} ${near_addr}
		ip -netns ${far_ns} addr add dev ${far_dev} ${far_addr}
	fi

	if [ "${near_addr6}" != "-" ]; then
		ip -netns ${near_ns} addr add dev ${near_dev} ${near_addr6}
		ip -netns ${far_ns} addr add dev ${far_dev} ${far_addr6}
	fi
}
456
#######################################
# Tear down the test topology.
# Globals:   NSA, NSB, NSC, VRF, VRF_TABLE, NSA_DEV (read)
# NOTE(review): the namespace check is an unquoted substring match against
# the 'ip netns' listing, and xargs runs kill even when no pid is listed
# (its error output is discarded).
# Returns:   status of the final cleanup_ns call
#######################################
cleanup()
{
	# explicit cleanups to check those code paths
	if ip netns | grep -q ${NSA}; then
		ip -netns ${NSA} link delete ${VRF}
		ip -netns ${NSA} ro flush table ${VRF_TABLE}

		ip -netns ${NSA} addr flush dev ${NSA_DEV}
		ip -netns ${NSA} -6 addr flush dev ${NSA_DEV}
		ip -netns ${NSA} link set dev ${NSA_DEV} down
		ip -netns ${NSA} link del dev ${NSA_DEV}

		# stop whatever still runs inside ns-A before removing it
		ip netns pids ${NSA} | xargs kill 2>/dev/null
		cleanup_ns ${NSA}
	fi

	# same for the remaining namespaces
	ip netns pids ${NSB} | xargs kill 2>/dev/null
	ip netns pids ${NSC} | xargs kill 2>/dev/null
	cleanup_ns ${NSB} ${NSC}
}
478
#######################################
# Remove the extra device and namespace created by setup_vrf_dup.
# All errors are discarded, so it can run when nothing was set up.
# Globals:   NSA_DEV2, NSC (read)
# Returns:   status of 'ip netns del'
#######################################
cleanup_vrf_dup()
{
	ip link del ${NSA_DEV2} &>/dev/null
	# xargs runs kill even when no pid is listed; the error is discarded
	ip netns pids ${NSC} | xargs kill 2>/dev/null
	ip netns del ${NSC} &>/dev/null
}
485
#######################################
# Create ns-C and connect it to ns-A through NSA_DEV2.
# ns-C gets the same addresses as ns-B, but its link into ns-A is a device
# that is NOT in the VRF; some VRF tests rely on that.
# Globals:   NSA, NSA_DEV2, NSC_DEV, NSA_IP, NSA_IP6, NSB_IP, NSB_IP6 (read)
#            NSC_CMD (written); NSC is expected to be set by setup_ns
#######################################
setup_vrf_dup()
{
	setup_ns NSC
	NSC_CMD="ip netns exec ${NSC}"

	# no extra loopback addresses in ns-C
	create_ns ${NSC} - -

	connect_ns \
		${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \
		${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
}
496
#######################################
# Build the ns-A / ns-B topology, optionally with NSA_DEV enslaved to a VRF.
# errexit is enabled while the topology is configured, so any failing step
# ends the script, and it is switched off again unconditionally at the end.
# Globals:   NSA_CMD, NSB_CMD, NSA_LINKIP6, NSB_LINKIP6 (written); NSA and
#            NSB are expected to be set by setup_ns
# Arguments: $1 - "yes" to create the VRF; anything else for the plain case
#######################################
setup()
{
	local with_vrf=${1}

	# make sure we are starting with a clean slate
	kill_procs
	cleanup 2>/dev/null

	log_debug "Configuring network namespaces"
	set -e

	setup_ns NSA NSB
	NSA_CMD="ip netns exec ${NSA}"
	NSB_CMD="ip netns exec ${NSB}"

	create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128
	create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128
	connect_ns \
		${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \
		${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64

	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})

	# tell ns-A how to get to remote addresses of ns-B
	case "${with_vrf}" in
	yes)
		create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6}

		ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
		ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
		ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}

		# and ns-B how to reach the VRF addresses
		ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
		ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
		;;
	*)
		ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
		ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
		;;
	esac

	# tell ns-B how to get to remote addresses of ns-A
	ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
	ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}

	set +e

	sleep 1
}
544
#######################################
# Build a topology without any configured addresses: ns-A is connected to
# ns-B and ns-C, and both ns-A devices are enslaved to the VRF.
# errexit is enabled while the topology is configured and switched off again
# unconditionally at the end.
# Globals:   NSA_CMD, NSB_CMD, NSC_CMD, NSA_LINKIP6, NSB_LINKIP6,
#            NSC_LINKIP6 (written); NSA/NSB/NSC are expected from setup_ns
#######################################
setup_lla_only()
{
	local dev

	# make sure we are starting with a clean slate
	kill_procs
	cleanup 2>/dev/null

	log_debug "Configuring network namespaces"
	set -e

	setup_ns NSA NSB NSC
	NSA_CMD="ip netns exec ${NSA}"
	NSB_CMD="ip netns exec ${NSB}"
	NSC_CMD="ip netns exec ${NSC}"

	# "-" means: do not add an address
	create_ns ${NSA} - -
	create_ns ${NSB} - -
	create_ns ${NSC} - -
	connect_ns ${NSA} ${NSA_DEV} - - ${NSB} ${NSB_DEV} - -
	connect_ns ${NSA} ${NSA_DEV2} - - ${NSC} ${NSC_DEV} - -

	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
	NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV})

	create_vrf ${NSA} ${VRF} ${VRF_TABLE} - -
	for dev in ${NSA_DEV} ${NSA_DEV2}; do
		ip -netns ${NSA} link set dev ${dev} vrf ${VRF}
	done

	set +e

	sleep 1
}
578
579################################################################################
580# IPv4
581
#######################################
# IPv4 ping tests without a VRF: outbound, inbound and local traffic, with
# and without device/address binding, and reachability blocked by an ip rule,
# by an unreachable route and by the unreachable default route.
# Every case passes ping's exit status and the expected status to
# log_test_addr.
# Globals:   NSA_IP, NSA_LO_IP, NSB_IP, NSB_LO_IP, NSA_DEV, VERBOSE (read)
#######################################
ipv4_ping_novrf()
{
	local addr

	#
	# out
	#
	for addr in ${NSB_IP} ${NSB_LO_IP}; do
		log_start
		run_cmd ping -c1 -w1 ${addr}
		log_test_addr ${addr} $? 0 "ping out"

		log_start
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${addr}
		log_test_addr ${addr} $? 0 "ping out, device bind"

		log_start
		run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${addr}
		log_test_addr ${addr} $? 0 "ping out, address bind"
	done

	#
	# out, but don't use gateway if peer is not on link
	#
	addr=${NSB_IP}
	log_start
	run_cmd ping -c 1 -w 1 -r ${addr}
	log_test_addr ${addr} $? 0 "ping out (don't route), peer on link"

	addr=${NSB_LO_IP}
	log_start
	show_hint "Fails since peer is not on link"
	run_cmd ping -c 1 -w 1 -r ${addr}
	log_test_addr ${addr} $? 1 "ping out (don't route), peer not on link"

	#
	# in
	#
	for addr in ${NSA_IP} ${NSA_LO_IP}; do
		log_start
		run_cmd_nsb ping -c1 -w1 ${addr}
		log_test_addr ${addr} $? 0 "ping in"
	done

	#
	# local traffic
	#
	for addr in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1; do
		log_start
		run_cmd ping -c1 -w1 ${addr}
		log_test_addr ${addr} $? 0 "ping local"
	done

	#
	# local traffic, socket bound to device
	#
	# address on device
	addr=${NSA_IP}
	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${addr}
	log_test_addr ${addr} $? 0 "ping local, device bind"

	# loopback addresses not reachable from device bind
	# fails in a really weird way though because ipv4 special cases
	# route lookups with oif set.
	for addr in ${NSA_LO_IP} 127.0.0.1; do
		log_start
		show_hint "Fails since address on loopback device is out of device scope"
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${addr}
		log_test_addr ${addr} $? 1 "ping local, device bind"
	done

	#
	# ip rule blocks reachability to remote address
	#
	# The 'local' rule is moved from pref 0 to 32765 first, so that the
	# prohibit rules at pref 50/51 are evaluated before it.
	log_start
	setup_cmd ip rule add pref 32765 from all lookup local
	setup_cmd ip rule del pref 0 from all lookup local
	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit

	addr=${NSB_LO_IP}
	run_cmd ping -c1 -w1 ${addr}
	log_test_addr ${addr} $? 2 "ping out, blocked by rule"

	# NOTE: ipv4 actually allows the lookup to fail and yet still create
	# a viable rtable if the oif (e.g., bind to device) is set, so this
	# case succeeds despite the rule
	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}

	addr=${NSA_LO_IP}
	log_start
	show_hint "Response generates ICMP (or arp request is ignored) due to ip rule"
	run_cmd_nsb ping -c1 -w1 ${addr}
	log_test_addr ${addr} $? 1 "ping in, blocked by rule"

	# put the rules back the way they were
	[ "$VERBOSE" = "1" ] && echo
	setup_cmd ip rule del pref 32765 from all lookup local
	setup_cmd ip rule add pref 0 from all lookup local
	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit

	#
	# route blocks reachability to remote address
	#
	log_start
	setup_cmd ip route replace unreachable ${NSB_LO_IP}
	setup_cmd ip route replace unreachable ${NSB_IP}

	addr=${NSB_LO_IP}
	run_cmd ping -c1 -w1 ${addr}
	log_test_addr ${addr} $? 2 "ping out, blocked by route"

	# NOTE: ipv4 actually allows the lookup to fail and yet still create
	# a viable rtable if the oif (e.g., bind to device) is set, so this
	# case succeeds despite not having a route for the address
	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}

	addr=${NSA_LO_IP}
	log_start
	show_hint "Response is dropped (or arp request is ignored) due to ip route"
	run_cmd_nsb ping -c1 -w1 ${addr}
	log_test_addr ${addr} $? 1 "ping in, blocked by route"

	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip ro del ${NSB_LO_IP}

	addr=${NSB_LO_IP}
	run_cmd ping -c1 -w1 ${addr}
	log_test_addr ${addr} $? 2 "ping out, unreachable default route"

	# NOTE: ipv4 actually allows the lookup to fail and yet still create
	# a viable rtable if the oif (e.g., bind to device) is set, so this
	# case succeeds despite not having a route for the address
	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
}
725
#######################################
# IPv4 ping tests with NSA_DEV enslaved to the VRF: outbound with VRF,
# device and address binding, inbound, local traffic, and reachability
# blocked by an ip rule and by the unreachable default route of the VRF.
# Globals:   NSA_IP, NSA_LO_IP, NSB_IP, NSB_LO_IP, VRF, VRF_IP, NSA_DEV,
#            VERBOSE (read)
#######################################
ipv4_ping_vrf()
{
	local addr

	# should default on; does not exist on older kernels
	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null

	#
	# out
	#
	for addr in ${NSB_IP} ${NSB_LO_IP}; do
		log_start
		run_cmd ping -c1 -w1 -I ${VRF} ${addr}
		log_test_addr ${addr} $? 0 "ping out, VRF bind"

		log_start
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${addr}
		log_test_addr ${addr} $? 0 "ping out, device bind"

		log_start
		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${addr}
		log_test_addr ${addr} $? 0 "ping out, vrf device + dev address bind"

		log_start
		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${addr}
		log_test_addr ${addr} $? 0 "ping out, vrf device + vrf address bind"
	done

	#
	# in
	#
	for addr in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd_nsb ping -c1 -w1 ${addr}
		log_test_addr ${addr} $? 0 "ping in"
	done

	#
	# local traffic, local address
	#
	for addr in ${NSA_IP} ${VRF_IP} 127.0.0.1; do
		log_start
		show_hint "Source address should be ${addr}"
		run_cmd ping -c1 -w1 -I ${VRF} ${addr}
		log_test_addr ${addr} $? 0 "ping local, VRF bind"
	done

	#
	# local traffic, socket bound to device
	#
	# address on device
	addr=${NSA_IP}
	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${addr}
	log_test_addr ${addr} $? 0 "ping local, device bind"

	# vrf device is out of scope
	for addr in ${VRF_IP} 127.0.0.1; do
		log_start
		show_hint "Fails since address on vrf device is out of device scope"
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${addr}
		log_test_addr ${addr} $? 2 "ping local, device bind"
	done

	#
	# ip rule blocks address
	#
	log_start
	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit

	addr=${NSB_LO_IP}
	run_cmd ping -c1 -w1 -I ${VRF} ${addr}
	log_test_addr ${addr} $? 2 "ping out, vrf bind, blocked by rule"

	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${addr}
	log_test_addr ${addr} $? 2 "ping out, device bind, blocked by rule"

	addr=${NSA_LO_IP}
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb ping -c1 -w1 ${addr}
	log_test_addr ${addr} $? 1 "ping in, blocked by rule"

	# drop the prohibit rules again
	[ "$VERBOSE" = "1" ] && echo
	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit

	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP}

	addr=${NSB_LO_IP}
	run_cmd ping -c1 -w1 -I ${VRF} ${addr}
	log_test_addr ${addr} $? 2 "ping out, vrf bind, unreachable route"

	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${addr}
	log_test_addr ${addr} $? 2 "ping out, device bind, unreachable route"

	addr=${NSA_LO_IP}
	log_start
	show_hint "Response lost by unreachable route"
	run_cmd_nsb ping -c1 -w1 ${addr}
	log_test_addr ${addr} $? 1 "ping in, unreachable route"
}
839
#######################################
# Run the IPv4 ping tests. The topology is rebuilt before every pass:
# without a VRF for raw_l3mdev_accept=0 and =1 and once more with the ping
# group range set; with a VRF once as is and once with the ping group range.
#######################################
ipv4_ping()
{
	local accept

	log_section "IPv4 ping"

	log_subsection "No VRF"
	for accept in 0 1; do
		setup
		# the sysctl does not exist on every kernel; errors are hidden
		set_sysctl net.ipv4.raw_l3mdev_accept=${accept} 2>/dev/null
		ipv4_ping_novrf
	done
	setup
	set_ping_group
	ipv4_ping_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_ping_vrf
	setup "yes"
	set_ping_group
	ipv4_ping_vrf
}
862
863################################################################################
864# IPv4 TCP
865
#######################################
# TCP MD5 tests without VRF.
# A server is started in ns-A with a key tied to a peer address or prefix,
# then a client in ns-B connects with a key of its own. The connection must
# succeed only when the key matches and the client address is covered by the
# server's configuration; every mismatch is expected to time out (rc 2).
# Globals:   MD5_PW, MD5_WRONG_PW, NSA_IP, NSB_IP, NSB_LO_IP, NS_NET (read)
#######################################
ipv4_tcp_md5_novrf()
{
	#
	# key configured for a single peer address
	#

	# matching key and address
	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: Single address config"

	# client signs its segments, server has no key at all
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -s &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: Server no config, client uses password"

	# client uses a different key
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Client uses wrong password"

	# key is configured for another address than the client's
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: Client address does not match address configured with password"

	#
	# MD5 extension - key configured for a prefix
	#

	# client address inside the prefix
	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: Prefix config"

	# client address inside the prefix, wrong key
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Prefix config, client uses wrong password"

	# client address outside of the prefix
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
}
933
#######################################
# TCP MD5 tests with VRF.
# Repeats the single-address and prefix cases with the server bound to the
# VRF, then checks that the same address/prefix can carry different keys in
# the VRF and in the default VRF without one leaking into the other: the
# ns-B client arrives through the VRF, the ns-C client through a device that
# is not in the VRF. Mismatches are expected to time out (rc 2).
# Globals:   MD5_PW, MD5_WRONG_PW, VRF, NSA_DEV, NSA_IP, NSB_IP, NSB_LO_IP,
#            NS_NET (read)
#######################################
ipv4_tcp_md5()
{
	#
	# key configured for a single peer address
	#

	# matching key and address
	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config"

	# client signs its segments, server has no key at all
	log_start
	show_hint "Should timeout since server does not have MD5 auth"
	run_cmd nettest -s -I ${VRF} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Server no config, client uses password"

	# client uses a different key
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Client uses wrong password"

	# key is configured for another address than the client's
	log_start
	show_hint "Should timeout since server config differs from client"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"

	#
	# MD5 extension - key configured for a prefix
	#

	# client address inside the prefix
	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config"

	# client address inside the prefix, wrong key
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"

	# client address outside of the prefix
	log_start
	show_hint "Should timeout since client address is outside of prefix"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"

	#
	# duplicate config between default VRF and a VRF
	#
	# Two servers run at once: the VRF-bound one uses MD5_PW, the one in
	# the default VRF uses MD5_WRONG_PW for the same address or prefix.

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"

	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"

	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"

	#
	# negative tests: the device given with the key must be a VRF
	#
	log_start
	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP}
	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET}
	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"

	test_ipv4_md5_vrf__vrf_server__no_bind_ifindex
	test_ipv4_md5_vrf__global_server__bind_ifindex0
}
1079
#######################################
# MD5 with a VRF-bound server: the connection from ns-B must be accepted
# whether the key is left unbound (--no-bind-key-ifindex) or is bound as
# well (--force-bind-key-ifindex).
# Globals:   VRF, MD5_PW, NS_NET, NSA_IP (read)
#######################################
test_ipv4_md5_vrf__vrf_server__no_bind_ifindex()
{
	# socket bound to the VRF, key not bound
	log_start
	show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: VRF-bound server, unbound key accepts connection"

	# socket and key both bound
	log_start
	show_hint "Binding both the socket and the key is not required but it works"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: VRF-bound server, bound key accepts connection"
}
1096
#######################################
# MD5 with a server that is not bound to the VRF: a key bound to ifindex 0
# must reject the connection arriving through the VRF (ns-B) and accept the
# non-VRF one (ns-C); a key without an ifindex binding must accept both.
# tcp_l3mdev_accept is set to 1 for the duration and restored afterwards;
# it is not restored if the script exits in between.
# Globals:   MD5_PW, NS_NET, NSA_IP (read)
#######################################
test_ipv4_md5_vrf__global_server__bind_ifindex0()
{
	# This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections
	local saved_accept
	saved_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept)
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	# key bound to ifindex 0, client in the VRF
	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection"

	# key bound to ifindex 0, client outside the VRF
	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection"

	# key not bound, client in the VRF
	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection"

	# key not bound, client outside the VRF
	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection"

	# restore value
	set_sysctl net.ipv4.tcp_l3mdev_accept="$saved_accept"
}
1131
#######################################
# Link local connection tests (SO_DONTROUTE).
# Connections should succeed only when the remote IP address is on link
# (doesn't need to be routed through a gateway). tcp_syncookies is set to
# the requested value in both namespaces for the duration of the test and
# restored to the saved values afterwards.
# Arguments: $1 - value for net.ipv4.tcp_syncookies
#######################################
ipv4_tcp_dontroute()
{
	local syncookies=$1
	local saved_nsa
	local saved_nsb
	local ns
	local addr

	saved_nsa=$(ip netns exec "${NSA}" sysctl -n net.ipv4.tcp_syncookies)
	saved_nsb=$(ip netns exec "${NSB}" sysctl -n net.ipv4.tcp_syncookies)
	for ns in "${NSA}" "${NSB}"; do
		ip netns exec "${ns}" sysctl -wq net.ipv4.tcp_syncookies=${syncookies}
	done

	# Test with eth1 address (on link).

	addr=${NSB_IP}
	log_start
	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -r ${addr} --client-dontroute
	log_test_addr ${addr} $? 0 "SO_DONTROUTE client, syncookies=${syncookies}"

	addr=${NSB_IP}
	log_start
	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -r ${addr} --server-dontroute
	log_test_addr ${addr} $? 0 "SO_DONTROUTE server, syncookies=${syncookies}"

	# Test with loopback address (routed).
	#
	# The client would use the eth1 address as source IP by default.
	# Therefore, we need to use the -c option here, to force the use of the
	# routed (loopback) address as source IP (so that the server will try
	# to respond to a routed address and not a link local one).

	addr=${NSB_LO_IP}
	log_start
	show_hint "Should fail 'Network is unreachable' since server is not on link"
	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -c "${NSA_LO_IP}" -r ${addr} --client-dontroute
	log_test_addr ${addr} $? 1 "SO_DONTROUTE client, syncookies=${syncookies}"

	addr=${NSB_LO_IP}
	log_start
	show_hint "Should timeout since server cannot respond (client is not on link)"
	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -c "${NSA_LO_IP}" -r ${addr} --server-dontroute
	log_test_addr ${addr} $? 2 "SO_DONTROUTE server, syncookies=${syncookies}"

	# put the saved values back, ns-B first
	ip netns exec "${NSB}" sysctl -wq net.ipv4.tcp_syncookies=${saved_nsb}
	ip netns exec "${NSA}" sysctl -wq net.ipv4.tcp_syncookies=${saved_nsa}
}
1184
ipv4_tcp_novrf()
{
	# IPv4 TCP connection matrix without a VRF: ns-A as server, ns-A as
	# client, and connections that stay local to ns-A.
	#
	# Each case starts a nettest server in the background where one is
	# needed, waits a second, runs the client and hands the client's exit
	# status to log_test_addr together with the expected status. The
	# client command must stay directly in front of log_test_addr because
	# $? is read there.
	local a

	#
	# ns-A is the server
	#
	for a in ${NSA_IP} ${NSA_LO_IP}; do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r $a
		log_test_addr $a $? 0 "Global server"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -r $a
	log_test_addr $a $? 0 "Device server"

	# No listener: the client must see a TCP reset.
	for a in ${NSA_IP} ${NSA_LO_IP}; do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r $a
		log_test_addr $a $? 1 "No server"
	done

	#
	# ns-A is the client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}; do
		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r $a -0 ${NSA_IP}
		log_test_addr $a $? 0 "Client"

		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r $a -d ${NSA_DEV}
		log_test_addr $a $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r $a
		log_test_addr $a $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r $a -d ${NSA_DEV}
		log_test_addr $a $? 1 "No server, device client"
	done

	#
	# server and client both in ns-A
	#
	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1; do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd nettest -r $a -0 $a -1 $a
		log_test_addr $a $? 0 "Global server, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r $a -0 $a
	log_test_addr $a $? 0 "Device server, unbound client, local connection"

	# A device-bound server must not be reachable through addresses that
	# live on loopback.
	for a in ${NSA_LO_IP} 127.0.0.1; do
		log_start
		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
		run_cmd nettest -s -I ${NSA_DEV} &
		sleep 1
		run_cmd nettest -r $a
		log_test_addr $a $? 1 "Device server, unbound client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s &
	sleep 1
	run_cmd nettest -r $a -0 $a -d ${NSA_DEV}
	log_test_addr $a $? 0 "Global server, device client, local connection"

	# A device-bound client must not reach addresses that live on
	# loopback either.
	for a in ${NSA_LO_IP} 127.0.0.1; do
		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -s &
		sleep 1
		run_cmd nettest -r $a -d ${NSA_DEV}
		log_test_addr $a $? 1 "Global server, device client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -d ${NSA_DEV} -r $a -0 $a
	log_test_addr $a $? 0 "Device server, device client, local connection"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -d ${NSA_DEV} -r $a
	log_test_addr $a $? 1 "No server, device client, local conn"

	# The TCP-MD5 cases are skipped when fips_enabled is "1".
	# NOTE(review): presumably because MD5 is unavailable in FIPS mode -
	# confirm where fips_enabled is set.
	if [ "$fips_enabled" != "1" ]; then
		ipv4_tcp_md5_novrf
	fi

	# SO_DONTROUTE cases, once per tcp_syncookies value.
	ipv4_tcp_dontroute 0
	ipv4_tcp_dontroute 2
}
1308
ipv4_tcp_vrf()
{
	# IPv4 TCP connection matrix with ns-A's interface enslaved to a VRF.
	#
	# The first half runs with net.ipv4.tcp_l3mdev_accept=0, where a
	# server that is not bound to the VRF or to the enslaved device must
	# refuse connections arriving in the VRF. The second half sets the
	# sysctl to 1, after which the same unbound ("global") server is
	# expected to accept them. Deployments that rely on a VRF to keep
	# services separated should note that the setting widens what an
	# unbound listener accepts.
	local a

	# global server off
	log_subsection "Global server disabled"

	set_sysctl net.ipv4.tcp_l3mdev_accept=0

	#
	# ns-A is the server
	#
	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r $a
		log_test_addr $a $? 1 "Global server"

		log_start
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r $a
		log_test_addr $a $? 0 "VRF server"

		log_start
		run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -r $a
		log_test_addr $a $? 0 "Device server"

		# No listener: the client must see a TCP reset.
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r $a
		log_test_addr $a $? 1 "No server"
	done

	# Local connection. Only ${NSA_IP} is checked here; ${VRF_IP} and
	# 127.0.0.1 both time out.
	a=${NSA_IP}
	log_start
	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
	run_cmd nettest -s &
	sleep 1
	run_cmd nettest -r $a -d ${NSA_DEV}
	log_test_addr $a $? 1 "Global server, local connection"

	# TCP-MD5 cases run only when fips_enabled is "0"; they need the
	# duplicate VRF setup, which is torn down again right after.
	if [ "$fips_enabled" = "0" ]; then
		setup_vrf_dup
		ipv4_tcp_md5
		cleanup_vrf_dup
	fi

	#
	# global server on
	#
	log_subsection "VRF Global server enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r $a
		log_test_addr $a $? 0 "Global server"

		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r $a
		log_test_addr $a $? 0 "VRF server"

		# No listener: the client must see a TCP reset.
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -r $a
		log_test_addr $a $? 1 "No server"
	done

	a=${NSA_IP}
	log_start
	show_hint "client socket should be bound to device"
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -r $a
	log_test_addr $a $? 0 "Device server"

	# Local connection from a client that is not in the VRF.
	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		show_hint "Should fail 'Connection refused' since client is not bound to VRF"
		run_cmd nettest -s -I ${VRF} &
		sleep 1
		run_cmd nettest -r $a
		log_test_addr $a $? 1 "Global server, local connection"
	done

	#
	# ns-A is the client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}; do
		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r $a -d ${VRF}
		log_test_addr $a $? 0 "Client, VRF bind"

		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r $a -d ${NSA_DEV}
		log_test_addr $a $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r $a -d ${VRF}
		log_test_addr $a $? 1 "No server, VRF client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r $a -d ${NSA_DEV}
		log_test_addr $a $? 1 "No server, device client"
	done

	#
	# server and client both in ns-A
	#
	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1; do
		log_start
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd nettest -r $a -d ${VRF} -0 $a
		log_test_addr $a $? 0 "VRF server, VRF client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${VRF} -3 ${VRF} &
	sleep 1
	run_cmd nettest -r $a -d ${NSA_DEV} -0 $a
	log_test_addr $a $? 0 "VRF server, device client, local connection"

	log_start
	show_hint "Should fail 'No route to host' since client is out of VRF scope"
	run_cmd nettest -s -I ${VRF} &
	sleep 1
	run_cmd nettest -r $a
	log_test_addr $a $? 1 "VRF server, unbound client, local connection"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r $a -d ${VRF} -0 $a
	log_test_addr $a $? 0 "Device server, VRF client, local connection"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r $a -d ${NSA_DEV} -0 $a
	log_test_addr $a $? 0 "Device server, device client, local connection"
}
1477
ipv4_tcp()
{
	# Entry point for the IPv4 TCP tests: the no-VRF matrix is run twice,
	# once per tcp_l3mdev_accept value, followed by the VRF matrix on a
	# fresh VRF setup.
	log_section "IPv4/TCP"
	log_subsection "No VRF"
	setup

	# Without a VRF, tcp_l3mdev_accept should have no effect. Running
	# the same matrix with the sysctl off and then on verifies that.
	log_subsection "tcp_l3mdev_accept disabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=0
	ipv4_tcp_novrf

	log_subsection "tcp_l3mdev_accept enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1
	ipv4_tcp_novrf

	# "yes" asks setup for the VRF topology.
	log_subsection "With VRF"
	setup "yes"
	ipv4_tcp_vrf
}
1497
1498################################################################################
1499# IPv4 UDP
1500
ipv4_udp_novrf()
{
	# IPv4 UDP matrix without a VRF: ns-A as server, ns-A as client,
	# connections local to ns-A, and SO_DONTROUTE.
	#
	# The client cases cover the ways of selecting the egress device that
	# the descriptions name: device bind (-d), device send via cmsg (-C),
	# IP_UNICAST_IF (-S) and IP_UNICAST_IF followed by connect() (-U).
	# The client command must stay directly in front of log_test_addr
	# because $? is read there.
	local a

	#
	# ns-A is the server
	#
	for a in ${NSA_IP} ${NSA_LO_IP}; do
		log_start
		run_cmd nettest -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 0 "Global server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 1 "No server"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -D -r $a
	log_test_addr $a $? 0 "Device server"

	#
	# ns-A is the client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}; do
		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r $a -0 ${NSA_IP}
		log_test_addr $a $? 0 "Client"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r $a -d ${NSA_DEV} -0 ${NSA_IP}
		log_test_addr $a $? 0 "Client, device bind"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r $a -d ${NSA_DEV} -C -0 ${NSA_IP}
		log_test_addr $a $? 0 "Client, device send via cmsg"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r $a -d ${NSA_DEV} -S -0 ${NSA_IP}
		log_test_addr $a $? 0 "Client, device bind via IP_UNICAST_IF"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r $a -d ${NSA_DEV} -S -0 ${NSA_IP} -U
		log_test_addr $a $? 0 "Client, device bind via IP_UNICAST_IF, with connect()"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -r $a
		log_test_addr $a $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -r $a -d ${NSA_DEV}
		log_test_addr $a $? 1 "No server, device client"
	done

	#
	# server and client both in ns-A
	#
	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1; do
		log_start
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r $a -0 $a -1 $a
		log_test_addr $a $? 0 "Global server, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -r $a
	log_test_addr $a $? 0 "Device server, unbound client, local connection"

	# A device-bound server must not be reachable through addresses that
	# live on loopback.
	for a in ${NSA_LO_IP} 127.0.0.1; do
		log_start
		show_hint "Should fail 'Connection refused' since address is out of device scope"
		run_cmd nettest -s -D -I ${NSA_DEV} &
		sleep 1
		run_cmd nettest -D -r $a
		log_test_addr $a $? 1 "Device server, unbound client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r $a
	log_test_addr $a $? 0 "Global server, device client, local connection"

	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -C -r $a
	log_test_addr $a $? 0 "Global server, device send via cmsg, local connection"

	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -S -r $a
	log_test_addr $a $? 0 "Global server, device client via IP_UNICAST_IF, local connection"

	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -S -r $a -U
	log_test_addr $a $? 0 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"

	# Device bind behaves oddly for IPv4: it overrides the fib lookup,
	# generates an rtable and tries to send the packet anyway. Local
	# traffic therefore fails at different points depending on how the
	# device was selected, which is why the expected status below is 2
	# for the plain bind and 1 for the cmsg and IP_UNICAST_IF variants.
	for a in ${NSA_LO_IP} 127.0.0.1; do
		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r $a -d ${NSA_DEV}
		log_test_addr $a $? 2 "Global server, device client, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r $a -d ${NSA_DEV} -C
		log_test_addr $a $? 1 "Global server, device send via cmsg, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r $a -d ${NSA_DEV} -S
		log_test_addr $a $? 1 "Global server, device client via IP_UNICAST_IF, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r $a -d ${NSA_DEV} -S -U
		log_test_addr $a $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -D -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r $a -0 $a
	log_test_addr $a $? 0 "Device server, device client, local conn"

	log_start
	run_cmd nettest -D -d ${NSA_DEV} -r $a
	log_test_addr $a $? 2 "No server, device client, local conn"

	#
	# SO_DONTROUTE: the exchange should succeed only when the peer
	# address is on link, i.e. reachable without a gateway.
	#
	a=${NSB_IP}
	log_start
	do_run_cmd nettest -B -D -N "${NSA}" -O "${NSB}" -r $a --client-dontroute
	log_test_addr $a $? 0 "SO_DONTROUTE client"

	a=${NSB_LO_IP}
	log_start
	show_hint "Should fail 'Network is unreachable' since server is not on link"
	do_run_cmd nettest -B -D -N "${NSA}" -O "${NSB}" -r $a --client-dontroute
	log_test_addr $a $? 1 "SO_DONTROUTE client"
}
1695
ipv4_udp_vrf()
{
	# IPv4 UDP matrix with ns-A's interface enslaved to a VRF.
	#
	# With net.ipv4.udp_l3mdev_accept=0 an unbound ("global") server must
	# not receive traffic that ingresses in the VRF; with the sysctl set
	# to 1 the same server is expected to receive it. Deployments that
	# rely on a VRF to keep services separated should note that the
	# setting widens what an unbound socket receives.
	local a

	# global server off
	log_subsection "Global server disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0

	#
	# ns-A is the server
	#
	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		show_hint "Fails because ingress is in a VRF and global server is disabled"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 1 "Global server"

		log_start
		run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 0 "VRF server"

		log_start
		run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 0 "Enslaved device server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 1 "No server"

		log_start
		show_hint "Should fail 'Connection refused' since global server is out of scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -d ${VRF} -r $a
		log_test_addr $a $? 1 "Global server, VRF client, local connection"
	done

	# Local connections to ${NSA_IP} with VRF- or device-bound servers.
	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r $a
	log_test_addr $a $? 0 "VRF server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r $a
	log_test_addr $a $? 0 "VRF server, enslaved device client, local connection"

	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r $a
	log_test_addr $a $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r $a
	log_test_addr $a $? 0 "Enslaved device server, device client, local conn"

	# global server on
	log_subsection "Global server enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1

	#
	# ns-A is the server
	#
	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd nettest -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 0 "Global server"

		log_start
		run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 0 "VRF server"

		log_start
		run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 0 "Enslaved device server"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 1 "No server"
	done

	#
	# ns-A is the client
	#
	log_start
	run_cmd_nsb nettest -D -s &
	sleep 1
	run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP}
	log_test $? 0 "VRF client"

	log_start
	run_cmd_nsb nettest -D -s &
	sleep 1
	run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP}
	log_test $? 0 "Enslaved device client"

	# Negative cases: nothing is listening in ns-B.
	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -D -d ${VRF} -r ${NSB_IP}
	log_test $? 1 "No server, VRF client"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP}
	log_test $? 1 "No server, enslaved device client"

	#
	# server and client both in ns-A
	#
	a=${NSA_IP}
	log_start
	run_cmd nettest -D -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r $a
	log_test_addr $a $? 0 "Global server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r $a
	log_test_addr $a $? 0 "VRF server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r $a
	log_test_addr $a $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r $a
	log_test_addr $a $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r $a
	log_test_addr $a $? 0 "Enslaved device server, device client, local conn"

	for a in ${VRF_IP} 127.0.0.1; do
		log_start
		run_cmd nettest -D -s -3 ${VRF} &
		sleep 1
		run_cmd nettest -D -d ${VRF} -r $a
		log_test_addr $a $? 0 "Global server, VRF client, local conn"
	done

	for a in ${VRF_IP} 127.0.0.1; do
		log_start
		run_cmd nettest -s -D -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd nettest -D -d ${VRF} -r $a
		log_test_addr $a $? 0 "VRF server, VRF client, local conn"
	done

	# Negative cases: no server, the client must get ECONNREFUSED.
	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -d ${VRF} -r $a
		log_test_addr $a $? 1 "No server, VRF client, local conn"
	done
}
1888
ipv4_udp()
{
	# Entry point for the IPv4 UDP tests: the no-VRF matrix is run twice,
	# once per udp_l3mdev_accept value, followed by the VRF matrix on a
	# fresh VRF setup.
	log_section "IPv4/UDP"
	log_subsection "No VRF"

	setup

	# Without a VRF, udp_l3mdev_accept should have no effect. Running
	# the same matrix with the sysctl off and then on verifies that.
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv4_udp_novrf

	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv4_udp_novrf

	# "yes" asks setup for the VRF topology.
	log_subsection "With VRF"
	setup "yes"
	ipv4_udp_vrf
}
1909
1910################################################################################
1911# IPv4 address bind
1912#
1913# verifies ability or inability to bind to an address / device
1914
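ipv4_addr_bind_novrf()
{
	# bind() checks without a VRF: which addresses a raw, ICMP or TCP
	# socket may bind to, with and without a prior device bind.
	#
	# Every nettest call carries -b and is run in the foreground, so $?
	# of the call is the result handed to log_test_addr. Expected status
	# 0 means the bind is allowed, 1 means it must be rejected.

	# Declared local like in the other test functions of this file, so
	# the scratch address does not leak into the caller's scope.
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# tests for nonlocal bind: NL_IP is not configured on any interface,
	# and all three socket types are expected to accept it when -f is
	# given.
	#
	a=${NL_IP}
	log_start
	run_cmd nettest -s -R -f -l ${a} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

	log_start
	run_cmd nettest -s -f -l ${a} -b
	log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address"

	log_start
	run_cmd nettest -s -D -P icmp -f -l ${a} -b
	log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address"

	#
	# check that ICMP sockets cannot bind to broadcast and multicast addresses
	#
	a=${BCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address"

	a=${MCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to multicast address"

	#
	# tcp sockets
	#
	a=${NSA_IP}
	log_start
	run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not, and it is left disabled.
	# Binding a socket to a device does not by itself limit which local
	# addresses the socket can then bind to.
	#a=${NSA_LO_IP}
	#log_start
	#show_hint "Should fail with 'Cannot assign requested address'"
	#run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
	#log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
}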
1982
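ipv4_addr_bind_vrf()
{
	# bind() checks with ns-A's interface enslaved to a VRF: an address
	# that lives in the VRF can only be bound by a socket that is bound
	# to the VRF or to the enslaved device, and a loopback address
	# outside the VRF must be rejected for such a socket.
	#
	# Every nettest call carries -b and is run in the foreground, so $?
	# of the call is the result handed to log_test_addr. Expected status
	# 0 means the bind is allowed, 1 means it must be rejected.

	# Declared local like in the other test functions of this file, so
	# the scratch address does not leak into the caller's scope.
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Socket not bound to VRF, but address is in VRF"
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 1 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind"

	#
	# tests for nonlocal bind: NL_IP is not configured on any interface,
	# and all three socket types are expected to accept it when -f is
	# given, also after a VRF bind.
	#
	a=${NL_IP}
	log_start
	run_cmd nettest -s -R -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	log_start
	run_cmd nettest -s -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address after VRF bind"

	log_start
	run_cmd nettest -s -D -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address after VRF bind"

	#
	# check that ICMP sockets cannot bind to broadcast and multicast addresses
	#
	a=${BCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address after VRF bind"

	a=${MCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to multicast address after VRF bind"

	#
	# tcp sockets
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address"

		log_start
		run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
	done

	# Unlike the disabled no-VRF case in ipv4_addr_bind_novrf, a loopback
	# address outside the VRF is expected to be rejected here for both
	# the VRF bind and the enslaved-device bind.
	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
}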
2063
ipv4_addr_bind()
{
	# Entry point for the IPv4 bind() tests: one pass without a VRF and
	# one with. set_ping_group is called after every setup.
	# NOTE(review): presumably it opens the ping group range that the
	# ICMP socket cases need in the freshly created namespace - confirm
	# against its definition.
	log_section "IPv4 address binds"

	log_subsection "No VRF"
	setup
	set_ping_group
	ipv4_addr_bind_novrf

	# "yes" asks setup for the VRF topology.
	log_subsection "With VRF"
	setup "yes"
	set_ping_group
	ipv4_addr_bind_vrf
}
2078
2079################################################################################
2080# IPv4 runtime tests
2081
ipv4_rt()
{
	# Run-time test: delete the VRF device while nettest sockets are
	# active on it.
	#
	# Arguments: $1 - description prefix used in every logged test name
	#            $2 - extra nettest options; expanded unquoted on purpose
	#                 so a value such as "-n -1" splits into two words
	#
	# Each case starts server and client in the background, lets traffic
	# run for three seconds, deletes ${VRF} and then logs the case. The
	# result and the expectation handed to log_test_addr are both the
	# literal 0, so a case is always recorded as passing.
	# NOTE(review): presumably the real check is that the kernel survives
	# the delete without a crash or hang - confirm.
	#
	# setup is called again after every case except the last, because the
	# delete destroys the topology the next case needs.
	local desc="$1"
	local varg="$2"
	local with_vrf="yes"
	local a

	#
	# ns-A is the server
	#
	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r $a &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr $a 0 0 "${desc}, global server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd nettest ${varg} -s -I ${VRF} &
		sleep 1
		run_cmd_nsb nettest ${varg} -r $a &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr $a 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest ${varg} -s -I ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest ${varg} -r $a &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr $a 0 0 "${desc}, enslaved device server"

	setup ${with_vrf}

	#
	# ns-A is the client
	#
	# NOTE(review): $a still holds ${NSA_IP} here although the client
	# connects to ${NSB_IP}, so the address passed to log_test_addr is
	# not the remote one.
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr $a 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr $a 0 0 "${desc}, enslaved device client"

	setup ${with_vrf}

	#
	# server and client both in ns-A
	#
	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r $a &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr $a 0 0 "${desc}, global server, VRF client, local"

		setup ${with_vrf}
	done

	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r $a &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr $a 0 0 "${desc}, VRF server and client, local"

		setup ${with_vrf}
	done

	a=${NSA_IP}
	log_start

	run_cmd nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r $a &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr $a 0 0 "${desc}, global server, enslaved device client, local"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${VRF} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r $a &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr $a 0 0 "${desc}, VRF server, enslaved device client, local"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r $a &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr $a 0 0 "${desc}, enslaved device server and client, local"
}
2221
ipv4_ping_rt()
{
	# Run-time test: delete the VRF device while a flood ping keeps ICMP
	# traffic flowing, first inbound from ns-B and then outbound through
	# the VRF.
	#
	# The result and the expectation handed to log_test_addr are both the
	# literal 0, so each case is always recorded as passing.
	# NOTE(review): presumably the real check is that the kernel survives
	# the delete - confirm.
	local with_vrf="yes"
	local a

	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd_nsb ping -f $a &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr $a 0 0 "Device delete with active traffic - ping in"

		# The delete destroyed the topology; rebuild it for the next case.
		setup ${with_vrf}
	done

	a=${NSB_IP}
	log_start
	run_cmd ping -f -I ${VRF} $a &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr $a 0 0 "Device delete with active traffic - ping out"
}
2247
ipv4_runtime()
{
	# Entry point for the IPv4 run-time tests. Every group deletes the
	# VRF device while traffic is active, so the VRF topology is rebuilt
	# with setup "yes" before each of them.
	log_section "Run time tests - ipv4"

	# ICMP traffic
	setup "yes"
	ipv4_ping_rt

	# The second argument is the extra nettest option string that ipv4_rt
	# passes on to every nettest call.
	setup "yes"
	ipv4_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv4_rt "TCP passive socket" "-i"
}
2261
2262################################################################################
2263# IPv6
2264
# IPv6 ping tests without a VRF.
#
# Covers pings out of ns-A, pings in from ns-B, pings to local addresses,
# and the effect of prohibit rules and unreachable routes. Every case is
# run_cmd/run_cmd_nsb followed immediately by log_test_addr, which is given
# the address, $? of the ping, the expected exit status and a description
# (helpers are defined outside this view). Expected values used below are
# 0 (reply received), 1 and 2 (the two failure statuses the cases expect).
ipv6_ping_novrf()
{
	local a

	# should not have an impact, but make a known state
	# (stderr is discarded, so a kernel without this sysctl stays quiet)
	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping out"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a}
		log_test_addr ${a} $? 0 "ping out, loopback address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
	do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	#
	# local traffic, local address
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping local, no bind"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping local, device bind"
	done

	# negative case: a socket bound to ${NSA_DEV} must not reach addresses
	# that live on loopback
	for a in ${NSA_LO_IP6} ::1
	do
		log_start
		show_hint "Fails since address on loopback is out of device scope"
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 2 "ping local, device bind"
	done

	#
	# ip rule blocks address
	#
	# The local-table lookup is moved from pref 0 to pref 32765 first, so
	# the prohibit rules at pref 50/51 are evaluated ahead of it; otherwise
	# traffic to local addresses would match the local table before the
	# prohibit rules are consulted.
	log_start
	setup_cmd ip -6 rule add pref 32765 from all lookup local
	setup_cmd ip -6 rule del pref 0 from all lookup local
	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by rule"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"

	# inbound: the request is sent from ns-B, the expected status is 1
	# because no reply comes back (see the hint)
	a=${NSA_LO_IP6}
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	# restore the default rule order and drop the prohibit rules
	setup_cmd ip -6 rule add pref 0 from all lookup local
	setup_cmd ip -6 rule del pref 32765 from all lookup local
	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit

	#
	# route blocks reachability to remote address
	#
	log_start
	setup_cmd ip -6 route del ${NSB_LO_IP6}
	setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10
	setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by route"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Response lost due to ip route"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by route"


	#
	# remove 'remote' routes; fallback to default
	#
	# The route to ${NSB_LO_IP6} deleted above is not re-added, so with the
	# unreachable entries gone the ping is still expected to fail (status 2).
	log_start
	setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6}
	setup_cmd ip -6 ro del unreachable ${NSB_IP6}

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, unreachable route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
}
# IPv6 ping tests with ns-A's device enslaved to ${VRF}.
#
# Same shape as the non-VRF variant: each case runs a ping and passes $?
# plus the expected exit status to log_test_addr. Several cases are
# negative tests that pin down the VRF boundary: link-local and multicast
# through the VRF device, and the loopback address from ns-B, are expected
# to fail.
ipv6_ping_vrf()
{
	local a

	# should default on; does not exist on older kernels
	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping out, VRF bind"
	done

	# scope is given as %${VRF} in the address, there is no -I here
	for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF}
	do
		log_start
		show_hint "Fails since VRF device does not support linklocal or multicast"
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 1 "ping out, VRF bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
	do
		log_start
		run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a}
		log_test_addr ${a} $? 0 "ping out, vrf device+address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
	do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	a=${NSA_LO_IP6}
	log_start
	show_hint "Fails since loopback address is out of VRF scope"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in"

	#
	# local traffic, local address
	#
	for a in ${NSA_IP6} ${VRF_IP6} ::1
	do
		log_start
		show_hint "Source address should be ${a}"
		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping local, VRF bind"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping local, device bind"
	done

	# LLA to GUA - remove ipv6 global addresses from ns-B
	# and route ${NSA_IP6} via ns-A's link-local address instead
	setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo
	setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}

	# NOTE(review): the ping target is ${NSA_IP6} on both iterations while
	# the result is logged under ${a}, so the ${VRF_IP6} entry repeats the
	# ${NSA_IP6} ping - confirm whether ${a} was intended as the target
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
		log_test_addr ${a} $? 0 "ping in, LLA to GUA"
	done

	# put ns-B's addressing back the way it was
	setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
	setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV}
	setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo

	#
	# ip rule blocks address
	#
	# unlike the non-VRF variant, the local-table rule is not moved here
	log_start
	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by rule"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	# NOTE(review): this log_start is followed only by rule cleanup and
	# then another log_start; it appears to have no matching log_test_addr
	log_start
	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit

	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF}

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, unreachable route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"

	# called directly rather than through setup_cmd_nsb, so the exit status
	# of this route delete is not checked
	ip -netns ${NSB} -6 ro del ${NSA_LO_IP6}
	a=${NSA_LO_IP6}
	log_start
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping in, unreachable route"
}
# Entry point for the IPv6 ping tests.
#
# Both the non-VRF and the VRF suites run twice, each time on a fresh
# setup: once as is, and once after set_ping_group has been called.
ipv6_ping()
{
	local _ping_pass

	log_section "IPv6 ping"

	log_subsection "No VRF"
	for _ping_pass in plain ping_group; do
		setup
		if [ "${_ping_pass}" = "ping_group" ]; then
			set_ping_group
		fi
		ipv6_ping_novrf
	done

	log_subsection "With VRF"
	for _ping_pass in plain ping_group; do
		setup "yes"
		if [ "${_ping_pass}" = "ping_group" ]; then
			set_ping_group
		fi
		ipv6_ping_vrf
	done
}
################################################################################
# IPv6 TCP

#
# MD5 tests without VRF
#
# TCP MD5 authentication tests over IPv6, no VRF.
#
# A nettest server is started in the background in ns-A with a password
# (-M) tied to a peer address or prefix (-m); a client in ns-B connects
# with its own password (-X). Matching configuration expects exit status
# 0; every mismatch (no server key, wrong key, peer outside the configured
# address or prefix) expects status 2, which the hints describe as a
# timeout rather than a refusal.
#
# The keys are fixed test fixtures passed on the command line. That is
# fine inside these throwaway namespaces, but argv is visible to other
# local processes, so this is not a pattern for real keys.
ipv6_tcp_md5_novrf()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Client uses wrong password"

	# client from different address
	# (the key is configured for ${NSB_LO_IP6}, the client is not told to
	# use that source address)
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Prefix config, client uses wrong password"

	# client outside of prefix
	# (-c ${NSB_LO_IP6} presumably selects the client source address, which
	# lies outside ${NS_NET6} - confirm against nettest usage)
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
}
#
# MD5 tests with VRF
#
# TCP MD5 authentication tests over IPv6 with the server bound to ${VRF}.
#
# The first two groups repeat the single-address and prefix cases with a
# VRF-bound server (-I ${VRF}). The third group runs two servers at once,
# one bound to the VRF with ${MD5_PW} and one unbound with
# ${MD5_WRONG_PW}, for the same peer. Clients in ns-B ("conn in VRF") and
# ns-C ("conn in default VRF") then check that a key only authenticates
# connections arriving in the domain it was configured for: the matching
# pair expects status 0, the crossed pair status 2. The last group checks
# that the device given with an MD5 key must be a VRF.
ipv6_tcp_md5()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout since server does not have MD5 auth"
	run_cmd nettest -6 -s -I ${VRF} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout since server config differs from client"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"

	# client outside of prefix
	log_start
	show_hint "Should timeout since client address is outside of prefix"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"

	#
	# duplicate config between default VRF and a VRF
	#
	# In every case below the VRF server holds ${MD5_PW} and the unbound
	# server holds ${MD5_WRONG_PW}; only the client namespace and the
	# client password change.

	# ns-B client with the VRF key
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"

	# ns-C client with the default-VRF key
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"

	# crossed keys: each must be rejected in the other domain
	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"

	# the same four cases with the key tied to the prefix ${NS_NET6}
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"

	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"

	#
	# negative tests
	#
	# These run in the foreground: with a non-VRF device the server is
	# expected to exit with status 1 itself, no client is involved.
	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6}
	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"

	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6}
	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"

}
# IPv6 TCP tests without a VRF.
#
# Server tests start nettest -s in ns-A and connect from ns-B; client
# tests do the reverse; local tests keep both ends in ns-A. Servers are
# backgrounded and given one second to start before the client runs. The
# "No server" cases expect status 1 and a 'Connection refused' (see the
# hints), i.e. a TCP reset rather than a timeout. The MD5 suite is run at
# the end unless FIPS mode is reported as enabled.
ipv6_tcp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	# verify TCP reset received
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
	do
		log_start
		run_cmd_nsb nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Client"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
	do
		log_start
		run_cmd_nsb nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
	do
		log_start
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Global server, local connection"
	done

	# -3 and -0 look like expected-device / expected-address checks done by
	# nettest itself - TODO confirm against nettest usage
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"

	# negative case: a device-bound server must not accept connections to
	# addresses that live on loopback
	for a in ${NSA_LO_IP6} ::1
	do
		log_start
		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -s -I ${NSA_DEV} &
		sleep 1
		run_cmd nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s &
	sleep 1
	run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	# same boundary from the client side: a device-bound client must not
	# reach loopback addresses
	for a in ${NSA_LO_IP6} ::1
	do
		log_start
		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "Global server, device client, local connection"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}
	do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
		log_test_addr ${a} $? 0 "Device server, device client, local conn"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
		log_test_addr ${a} $? 1 "No server, device client, local conn"
	done

	# MD5 tests are skipped only when fips_enabled is exactly "1"; an unset
	# or empty value still runs them. NOTE(review): ipv6_tcp_vrf gates its
	# MD5 tests on fips_enabled = "0" instead, so the two differ if the
	# variable is ever unset - fips_enabled is assigned outside this view.
	[ "$fips_enabled" = "1" ] || ipv6_tcp_md5_novrf
}
# IPv6 TCP tests with ns-A's device enslaved to ${VRF}.
#
# Runs in two phases selected by net.ipv4.tcp_l3mdev_accept. With the
# sysctl at 0, a server that is not bound to the VRF or to the enslaved
# device ("Global server") must refuse connections arriving through the
# VRF; with it at 1 the same server accepts them. Servers bound to the
# VRF or to the device are expected to work in both phases. The MD5 suite
# runs between the two phases on a duplicated VRF setup.
ipv6_tcp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"

	set_sysctl net.ipv4.tcp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	# link local is always bound to ingress device
	# (hence -3 ${NSA_DEV} here although the server is bound to ${VRF})
	a=${NSA_LINKIP6}%${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${a}
	log_test_addr ${a} $? 0 "VRF server"

	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Device server"
	done

	# verify TCP reset received
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	# local address tests
	a=${NSA_IP6}
	log_start
	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
	run_cmd nettest -6 -s &
	sleep 1
	run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
	log_test_addr ${a} $? 1 "Global server, local connection"

	# run MD5 tests
	# (only when fips_enabled is exactly "0"; an unset value skips them)
	if [ "$fips_enabled" = "0" ]; then
		setup_vrf_dup
		ipv6_tcp_md5
		cleanup_vrf_dup
	fi

	#
	# enable VRF global server
	#
	log_subsection "VRF Global server enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	# same unbound server as in the first phase, now expected to succeed
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	# For LLA, child socket is bound to device
	a=${NSA_LINKIP6}%${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${a}
	log_test_addr ${a} $? 0 "Global server"

	log_start
	run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${a}
	log_test_addr ${a} $? 0 "VRF server"

	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Device server"
	done

	# verify TCP reset received
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	# local address tests
	# NOTE(review): the server here is bound to ${VRF} while the
	# description says "Global server" - confirm which is intended
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		show_hint "Fails 'Connection refused' since client is not in VRF"
		run_cmd nettest -6 -s -I ${VRF} &
		sleep 1
		run_cmd nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Global server, local connection"
	done


	#
	# client
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6}
	do
		log_start
		run_cmd_nsb nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${VRF}
		log_test_addr ${a} $? 0 "Client, VRF bind"
	done

	a=${NSB_LINKIP6}
	log_start
	show_hint "Fails since VRF device does not allow linklocal addresses"
	run_cmd_nsb nettest -6 -s &
	sleep 1
	run_cmd nettest -6 -r ${a} -d ${VRF}
	log_test_addr ${a} $? 1 "Client, VRF bind"

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}
	do
		log_start
		run_cmd_nsb nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6}
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -r ${a} -d ${VRF}
		log_test_addr ${a} $? 1 "No server, VRF client"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	# local connections: both ends in ns-A
	for a in ${NSA_IP6} ${VRF_IP6} ::1
	do
		log_start
		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
	sleep 1
	run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local connection"

	# negative case: a client with no device or VRF binding must not reach
	# a VRF-bound server
	a=${NSA_IP6}
	log_start
	show_hint "Should fail since unbound client is out of VRF scope"
	run_cmd nettest -6 -s -I ${VRF} &
	sleep 1
	run_cmd nettest -6 -r ${a}
	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"

	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"

	for a in ${NSA_IP6} ${NSA_LINKIP6}
	do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
		log_test_addr ${a} $? 0 "Device server, device client, local connection"
	done
}
# Entry point for the IPv6 TCP tests.
#
# Without a VRF the tcp_l3mdev_accept sysctl should make no difference, so
# the non-VRF suite is run once with it off and once with it on to verify
# that. The VRF suite then runs on a fresh VRF setup and manages the
# sysctl itself.
ipv6_tcp()
{
	local _l3mdev_state

	log_section "IPv6/TCP"
	log_subsection "No VRF"
	setup

	# "<sysctl value> <label>" pairs, split on the first space
	for _l3mdev_state in "0 disabled" "1 enabled"; do
		log_subsection "tcp_l3mdev_accept ${_l3mdev_state#* }"
		set_sysctl net.ipv4.tcp_l3mdev_accept=${_l3mdev_state%% *}
		ipv6_tcp_novrf
	done

	log_subsection "With VRF"
	setup "yes"
	ipv6_tcp_vrf
}
################################################################################
# IPv6 UDP

# IPv6 UDP tests without a VRF.
#
# Mirrors the TCP suite with nettest -D: server tests (ns-B connects to
# ns-A), client tests (ns-A connects to ns-B) and local tests. The client
# side is exercised with several ways of selecting the outgoing device,
# named in the descriptions: plain device bind, "send via cmsg" (-C),
# "via IPV6_UNICAST_IF" (-S), and -S together with -U "with connect()".
# Negative cases expect status 1.
ipv6_udp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Device server"
	done

	a=${NSA_LO_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -6 -D -r ${a}
	log_test_addr ${a} $? 0 "Global server"

	# should fail since loopback address is out of scope for a device
	# bound server, but it does not - hence this is more documenting
	# behavior.
	# The case is left disabled, so nothing in this function asserts that
	# a device-bound UDP server rejects traffic to the loopback address
	# from ns-B.
	#log_start
	#show_hint "Should fail since loopback address is out of scope"
	#run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	#sleep 1
	#run_cmd_nsb nettest -6 -D -r ${a}
	#log_test_addr ${a} $? 1 "Device server"

	# negative test - should fail
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client
	#
	# a fresh ns-B server is started before every positive case
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
	do
		log_start
		run_cmd_nsb nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6}
		log_test_addr ${a} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		run_cmd_nsb nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6}
		log_test_addr ${a} $? 0 "Client, device send via cmsg"

		log_start
		run_cmd_nsb nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6}
		log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
	do
		log_start
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a}
		log_test_addr ${a} $? 0 "Global server, local connection"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -r ${a}
	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"

	# negative case: a device-bound server must not receive traffic sent
	# to addresses that live on loopback
	for a in ${NSA_LO_IP6} ::1
	do
		log_start
		show_hint "Should fail 'Connection refused' since address is out of device scope"
		run_cmd nettest -6 -s -D -I ${NSA_DEV} &
		sleep 1
		run_cmd nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "Device server, local connection"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -D &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	log_start
	run_cmd nettest -6 -s -D &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a}
	log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"

	log_start
	run_cmd nettest -6 -s -D &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection"

	# negative cases: every device-selection method must fail for
	# loopback addresses.
	# NOTE(review): the last two descriptions say IP_UNICAST_IF although
	# these are IPv6 cases and the earlier ones say IPV6_UNICAST_IF; left
	# as is because the description is the test's reported name.
	for a in ${NSA_LO_IP6} ::1
	do
		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "Global server, device client, local connection"

		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C
		log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"

		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S
		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"

		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -U
		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local conn"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "No server, device client, local conn"

	# LLA to GUA
	# ns-B loses its global address and gets a device route to ns-A, so
	# the request below is presumably sourced from ns-B's link-local
	# address - TODO confirm
	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -D &
	sleep 1
	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
	log_test $? 0 "UDP in - LLA to GUA"

	# restore ns-B; the address is re-added with nodad
	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}
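# IPv6 UDP tests with ${NSA_DEV} enslaved to ${VRF}.
#
# The server, client and local-connection permutations run twice. With
# net.ipv4.udp_l3mdev_accept=0 a server socket that is bound neither to the
# VRF nor to an enslaved device is expected to be unreachable (client rc 1).
# With udp_l3mdev_accept=1 the same unbound "global" server is expected to
# answer (client rc 0), i.e. the sysctl decides whether an unbound socket
# receives traffic that arrived inside the VRF.
#
# Every case reports the client's exit status and the expected value through
# log_test / log_test_addr.
#
# NOTE(review): run_cmd, run_cmd_nsb, log_start, show_hint and set_sysctl are
# defined outside this part of the file; going by their names run_cmd acts in
# ns-A and run_cmd_nsb in ns-B - confirm against their definitions.
ipv6_udp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server is disabled"
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"
	done

	# negative test - should fail
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server is disabled"
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "Global server, VRF client, local conn"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${VRF} -s &
		sleep 1
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
	done

	a=${NSA_IP6}
	log_start
	show_hint "Should fail 'Connection refused' since global server is disabled"
	run_cmd nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "Global server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"

	# enable global server
	log_subsection "Global server enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"
	done

	# negative test - should fail
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client tests
	#
	log_start
	run_cmd_nsb nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
	log_test $? 0 "VRF client"

	# negative test - should fail
	log_start
	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
	log_test $? 1 "No server, VRF client"

	log_start
	run_cmd_nsb nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
	log_test $? 0 "Enslaved device client"

	# negative test - should fail
	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
	log_test $? 1 "No server, enslaved device client"

	#
	# local address tests
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

	# This call had been commented out; every other case in this function
	# starts with log_start, so this one does too.
	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"


	a=${VRF_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${VRF} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"

	# negative test - should fail
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
	done

	# device to global IP
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "No server, device client, local conn"


	# link local addresses
	log_start
	run_cmd nettest -6 -D -s &
	sleep 1
	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
	log_test $? 0 "Global server, linklocal IP"

	log_start
	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
	log_test $? 1 "No server, linklocal IP"


	log_start
	run_cmd_nsb nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
	log_test $? 0 "Enslaved device client, linklocal IP"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
	log_test $? 1 "No server, device client, peer linklocal IP"


	log_start
	run_cmd nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
	log_test $? 0 "Enslaved device client, local conn - linklocal IP"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
	log_test $? 1 "No server, device client, local conn - linklocal IP"

	# LLA to GUA: drop the global address in ns-B and add a host route to
	# ns-A instead; both changes are reverted after the test.
	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -D &
	sleep 1
	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
	log_test $? 0 "UDP in - LLA to GUA"

	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}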
3602
# Entry point for the IPv6 UDP test group: the non-VRF set runs once per
# udp_l3mdev_accept value, then the VRF set runs after setup "yes".
ipv6_udp()
{
	local l3mdev_accept

	# Pin early demux to a fixed value; the results are not expected to
	# depend on it.
	set_sysctl net.ipv4.udp_early_demux=1

	log_section "IPv6/UDP"
	log_subsection "No VRF"
	setup

	# Without a VRF the udp_l3mdev_accept setting should have no effect;
	# run the same tests with it off and on to verify that.
	for l3mdev_accept in 0 1; do
		if [ "${l3mdev_accept}" = "0" ]; then
			log_subsection "udp_l3mdev_accept disabled"
		else
			log_subsection "udp_l3mdev_accept enabled"
		fi
		set_sysctl net.ipv4.udp_l3mdev_accept=${l3mdev_accept}
		ipv6_udp_novrf
	done

	log_subsection "With VRF"
	setup "yes"
	ipv6_udp_vrf
}
3625
3626################################################################################
3627# IPv6 address bind
3628
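# IPv6 address-bind checks without a VRF.
#
# Each case starts nettest with a local address (-l), in some cases after a
# device bind (-I), and reports nettest's exit status against the expected
# value through log_test_addr.
#
# NOTE(review): the meaning of the nettest options used here (-b, -f, -R, -P,
# -t1) is defined by the nettest program, which is not part of this file.
ipv6_addr_bind_novrf()
{
	# keep the loop variable out of the global scope, as the other test
	# functions in this file do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# raw socket with nonlocal bind
	#
	# NOTE(review): this case passes "-P icmp" while the raw-socket cases
	# above pass "-P ipv6-icmp" - confirm which protocol is intended.
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

	#
	# tcp sockets
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. So this test passes
	# when it really should not. In other words, a device bind alone
	# does not limit which local addresses the socket can then bind to.
	a=${NSA_LO_IP6}
	log_start
	show_hint "Technically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
}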
3674
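# IPv6 address-bind checks with ${NSA_DEV} enslaved to ${VRF}.
#
# Addresses on the enslaved device and on the VRF device are expected to bind
# (rc 0) after either a VRF or a device bind; the address on loopback is
# expected to be rejected (rc 1) because it is outside the VRF.
#
# NOTE(review): the meaning of the nettest options used here (-b, -f, -R, -P,
# -t1) is defined by the nettest program, which is not part of this file.
ipv6_addr_bind_vrf()
{
	# keep the loop variable out of the global scope, as the other test
	# functions in this file do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"

	#
	# raw socket with nonlocal bind
	#
	# NOTE(review): this case passes "-P icmp" while the raw-socket cases
	# above pass "-P ipv6-icmp" - confirm which protocol is intended.
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	#
	# tcp sockets
	#
	# address on enslaved device is valid for the VRF or device in a VRF
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not
	a=${VRF_IP6}
	log_start
	show_hint "Technically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"

}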
3743
# Entry point for the IPv6 address-bind group: the non-VRF set runs after a
# plain setup, the VRF set after setup "yes".
ipv6_addr_bind()
{
	log_section "IPv6 address binds"

	# first pass: no VRF configured
	log_subsection "No VRF"
	setup
	ipv6_addr_bind_novrf

	# second pass: same namespaces, rebuilt with the VRF
	log_subsection "With VRF"
	setup yes
	ipv6_addr_bind_vrf
}
3756
3757################################################################################
3758# IPv6 runtime tests
3759
# Let the traffic started by the caller run for a while, delete the VRF
# device underneath it, then wait a moment before the result is logged.
_ipv6_rt_del_vrf()
{
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
}

# Delete the VRF device while nettest traffic is active.
#
# $1 - description used as the prefix of every test label
# $2 - extra nettest options, appended to "-6" for server and client alike
#
# Server and client are both left running in the background. Every case is
# logged with the literal pair "0 0" instead of an exit status, so the
# recorded result does not depend on how nettest ends. The configuration is
# rebuilt with setup after each case except the last one.
ipv6_rt()
{
	local desc="$1"
	local varg="-6 $2"
	local with_vrf="yes"
	local addr

	#
	# server in ns-A, client in ns-B
	#
	for addr in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${addr} &
		_ipv6_rt_del_vrf
		log_test_addr ${addr} 0 0 "${desc}, global server"

		setup ${with_vrf}
	done

	for addr in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${addr} &
		_ipv6_rt_del_vrf
		log_test_addr ${addr} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	for addr in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest ${varg} -I ${NSA_DEV} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${addr} &
		_ipv6_rt_del_vrf
		log_test_addr ${addr} 0 0 "${desc}, enslaved device server"

		setup ${with_vrf}
	done

	#
	# server in ns-B, client in ns-A
	#
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
	_ipv6_rt_del_vrf
	log_test 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
	_ipv6_rt_del_vrf
	log_test 0 0 "${desc}, enslaved device client"

	setup ${with_vrf}

	#
	# server and client both in ns-A
	#
	for addr in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${addr} &
		_ipv6_rt_del_vrf
		log_test_addr ${addr} 0 0 "${desc}, global server, VRF client"

		setup ${with_vrf}
	done

	for addr in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${addr} &
		_ipv6_rt_del_vrf
		log_test_addr ${addr} 0 0 "${desc}, VRF server and client"

		setup ${with_vrf}
	done

	addr=${NSA_IP6}
	log_start
	run_cmd nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${addr} &
	_ipv6_rt_del_vrf
	log_test_addr ${addr} 0 0 "${desc}, global server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${VRF} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${addr} &
	_ipv6_rt_del_vrf
	log_test_addr ${addr} 0 0 "${desc}, VRF server, device client"

	setup ${with_vrf}

	# last case: the caller is left to rebuild the configuration
	log_start
	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${addr} &
	_ipv6_rt_del_vrf
	log_test_addr ${addr} 0 0 "${desc}, device server, device client"
}
3901
# Delete the VRF device while a flood ping (-f) is running, once with the
# ping coming in from ns-B and once going out through the VRF.
#
# Both cases are logged with the literal pair "0 0", so the recorded result
# does not depend on how the ping ends.
ipv6_ping_rt()
{
	local with_vrf="yes"
	local addr=${NSA_IP6}

	# inbound: ns-B floods the ns-A address
	log_start
	run_cmd_nsb ${ping6} -f ${addr} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${addr} 0 0 "Device delete with active traffic - ping in"

	setup ${with_vrf}

	# outbound: the flood targets ${NSB_IP6} through the VRF.
	# NOTE(review): the result is still logged against the ns-A address.
	log_start
	run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
	sleep 1
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${addr} 0 0 "Device delete with active traffic - ping out"
}
3924
# Entry point for the IPv6 run-time group: the ping case first, then ipv6_rt
# once per socket type. The VRF configuration is rebuilt before each run.
ipv6_runtime()
{
	local rt_case

	log_section "Run time tests - ipv6"

	setup "yes"
	ipv6_ping_rt

	# each entry is "<label>|<nettest options>"
	for rt_case in \
		"TCP active socket|-n -1" \
		"TCP passive socket|-i" \
		"UDP active socket|-D -n -1"
	do
		setup "yes"
		ipv6_rt "${rt_case%%|*}" "${rt_case#*|}"
	done
}
3941
3942################################################################################
3943# netfilter blocking connections
3944
# IPv4 TCP connect from ns-B to a global server in ns-A; the client is
# expected to fail (rc 1) for both addresses. The reject rule itself is
# installed by the caller.
netfilter_tcp_reset()
{
	local addr

	for addr in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${addr}
		log_test_addr ${addr} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}
3958
# IPv4 connect from ns-B to a global server in ns-A; the client is expected
# to fail (rc 1) for both addresses. The reject rules are installed by the
# caller.
#
# $1 - "UDP" adds -D to the nettest options; any other value adds nothing and
#      is only used in the test label
netfilter_icmp()
{
	local stype="$1"
	local arg
	local addr

	if [ "${stype}" = "UDP" ]; then
		arg="-D"
	fi

	for addr in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd nettest ${arg} -s &
		sleep 1
		run_cmd_nsb nettest ${arg} -r ${addr}
		log_test_addr ${addr} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}
3976
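# IPv4 netfilter tests: install REJECT rules for port 12345 on INPUT, first
# with tcp-reset and then with icmp-port-unreachable, and check that clients
# connecting from ns-B fail.
#
# All iptables calls go through run_cmd so that the rules are installed and
# flushed in the same place.
# NOTE(review): run_cmd is defined outside this part of the file; presumably
# it executes the command inside the ns-A test namespace - confirm.
ipv4_netfilter()
{
	log_section "IPv4 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp_reset

	log_start
	log_subsection "ICMP unreachable"

	log_start
	run_cmd iptables -F
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
	run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable

	netfilter_icmp "TCP"
	netfilter_icmp "UDP"

	log_start
	# Flush through run_cmd like the flush above. A bare "iptables -F"
	# acts on the filter table of the environment the script was started
	# from, not on the rules added above.
	run_cmd iptables -F
}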
4001
# IPv6 TCP connect from ns-B to a global server in ns-A; the client is
# expected to fail (rc 1) for both addresses. The reject rule itself is
# installed by the caller.
netfilter_tcp6_reset()
{
	local addr

	for addr in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${addr}
		log_test_addr ${addr} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}
4015
# IPv6 connect from ns-B to a global server in ns-A; the client is expected
# to fail (rc 1) for both addresses. The reject rules are installed by the
# caller.
#
# $1 - "UDP" appends -D to the nettest options; any other value adds nothing
#      and is only used in the test label
netfilter_icmp6()
{
	local stype="$1"
	local arg
	local addr

	if [ "${stype}" = "UDP" ]; then
		arg="${arg} -D"
	fi

	for addr in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -s ${arg} &
		sleep 1
		run_cmd_nsb nettest -6 ${arg} -r ${addr}
		log_test_addr ${addr} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}
4033
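# IPv6 netfilter tests: install REJECT rules for port 12345 on INPUT, first
# with tcp-reset and then with icmp6-port-unreachable, and check that clients
# connecting from ns-B fail.
#
# All ip6tables calls go through run_cmd so that the rules are installed and
# flushed in the same place.
# NOTE(review): run_cmd is defined outside this part of the file; presumably
# it executes the command inside the ns-A test namespace - confirm.
ipv6_netfilter()
{
	log_section "IPv6 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp6_reset

	log_subsection "ICMP unreachable"

	log_start
	run_cmd ip6tables -F
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
	run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable

	netfilter_icmp6 "TCP"
	netfilter_icmp6 "UDP"

	log_start
	# Flush through run_cmd like the flush above. A bare "ip6tables -F"
	# acts on the filter table of the environment the script was started
	# from, not on the rules added above.
	run_cmd ip6tables -F
}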
4057
4058################################################################################
4059# specific use cases
4060
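# VRF only.
# ns-A device enslaved to bridge. Verify traffic with and without
# br_netfilter module loaded. Repeat with SVI on bridge.
#
# NOTE(review): rmmod/modprobe are called directly and change the module
# state of the running kernel, not of a namespace. The load state found at
# entry is not restored: br_netfilter stays loaded after this function when
# modprobe succeeds.
use_case_br()
{
	setup "yes"

	# move the ns-A addresses from the device to a bridge on top of it
	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
	setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64

	setup_cmd ip link add br0 type bridge
	setup_cmd ip addr add dev br0 ${NSA_IP}/24
	setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad

	setup_cmd ip li set ${NSA_DEV} master br0
	setup_cmd ip li set ${NSA_DEV} up
	setup_cmd ip li set br0 up
	setup_cmd ip li set br0 vrf ${VRF}

	# first pass runs without br_netfilter; failure to unload is ignored
	rmmod br_netfilter 2>/dev/null
	sleep 5 # DAD

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 ${NSA_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping in"

	# second pass only when the module can be loaded
	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out"

		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 ${NSA_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in"
	fi

	# repeat with a vlan device on the bridge in the VRF instead of br0
	setup_cmd ip li set br0 nomaster
	setup_cmd ip li add br0.100 link br0 type vlan id 100
	setup_cmd ip li set br0.100 vrf ${VRF} up
	setup_cmd ip addr add dev br0.100 172.16.101.1/24
	setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad

	setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
	setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
	setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
	setup_cmd_nsb ip li set vlan100 up
	sleep 1

	rmmod br_netfilter 2>/dev/null

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 172.16.101.1
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"

	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out"

		# the two "ping in" labels below used to repeat the labels of
		# the pass without br_netfilter, which made the results
		# indistinguishable in the log
		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 172.16.101.1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping in"
	fi

	setup_cmd ip li del br0 2>/dev/null
	setup_cmd_nsb ip li del vlan100 2>/dev/null
}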
4171
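# VRF only.
# ns-A device is connected to both ns-B and ns-C on a single VRF but only has
# LLA on the interfaces
#
# ns-B and ns-C ping the all-nodes multicast address before and after each of
# the two ns-A interfaces is taken down and brought back up. The pings use
# ${ping6}, like the other IPv6 pings in this file, so that a separate ping6
# binary is used where one was found.
use_case_ping_lla_multi()
{
	setup_lla_only
	# only want reply from ns-A
	setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
	setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1

	log_start
	run_cmd_nsb ${ping6} -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B"

	run_cmd_nsc ${ping6} -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C"

	# cycle/flap the first ns-A interface
	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip link set ${NSA_DEV} up
	sleep 1

	log_start
	run_cmd_nsb ${ping6} -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B"
	run_cmd_nsc ${ping6} -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C"

	# cycle/flap the second ns-A interface
	setup_cmd ip link set ${NSA_DEV2} down
	setup_cmd ip link set ${NSA_DEV2} up
	sleep 1

	log_start
	run_cmd_nsb ${ping6} -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B"
	run_cmd_nsc ${ping6} -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C"
}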
4211
# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully
# established with ns-B.
#
# The SNAT rules rewrite the source of TCP traffic to ${port} leaving through
# ${VRF} to the ns-A loopback addresses; the same rule text is used to add
# the rules and to delete them again at the end.
use_case_snat_on_vrf()
{
	setup "yes"

	local port="12345"
	local match="-p tcp -m tcp --dport ${port}"

	run_cmd iptables -t nat -A POSTROUTING ${match} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -A POSTROUTING ${match} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}

	# IPv4: server in ns-B, client in ns-A through the VRF
	run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} &
	sleep 1
	run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port}
	log_test $? 0 "IPv4 TCP connection over VRF with SNAT"

	# IPv6: same pair of endpoints
	run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} &
	sleep 1
	run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port}
	log_test $? 0 "IPv6 TCP connection over VRF with SNAT"

	# Cleanup
	run_cmd iptables -t nat -D POSTROUTING ${match} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -D POSTROUTING ${match} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
}
4237
# Entry point for the "use_cases" test set: runs the three use-case
# functions in order, each under its own subsection heading.
use_cases()
{
	log_section "Use cases"

	log_subsection "Device enslaved to bridge"
	use_case_br

	log_subsection "Ping LLA with multiple interfaces"
	use_case_ping_lla_multi

	log_subsection "SNAT on VRF"
	use_case_snat_on_vrf
}
4248
4249################################################################################
4250# usage
4251
4252usage()
4253{
4254 cat <<EOF
4255usage: ${0##*/} OPTS
4256
4257 -4 IPv4 tests only
4258 -6 IPv6 tests only
4259 -t <test> Test name/set to run
4260 -p Pause on fail
4261 -P Pause after each test
4262 -v Be verbose
4263
4264Tests:
4265 $TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER
4266EOF
4267}
4268
4269################################################################################
4270# main
4271
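TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter"
TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter"
TESTS_OTHER="use_cases"

PAUSE_ON_FAIL=no
PAUSE=no

# The leading ':' puts getopts in silent mode; unknown options and a missing
# argument to -t both end up in the '*' arm.
while getopts :46t:pPvh o
do
	case $o in
		4) TESTS=ipv4;;
		6) TESTS=ipv6;;
		t) TESTS=$OPTARG;;
		p) PAUSE_ON_FAIL=yes;;
		P) PAUSE=yes;;
		v) VERBOSE=1;;
		h) usage; exit 0;;
		*) usage; exit 1;;
	esac
done

# make sure we don't pause twice
[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no

#
# resolve the list of tests to run
#
if [ -z "$TESTS" ]; then
	TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
elif [ "$TESTS" = "ipv4" ]; then
	TESTS="$TESTS_IPV4"
elif [ "$TESTS" = "ipv6" ]; then
	TESTS="$TESTS_IPV6"
fi

check_gen_prog "nettest"

declare -i nfail=0
declare -i nsuccess=0

# $TESTS is left unquoted on purpose: -t may carry several names separated
# by whitespace.
for t in $TESTS
do
	case $t in
	ipv4_ping|ping)  ipv4_ping;;
	ipv4_tcp|tcp)    ipv4_tcp;;
	ipv4_udp|udp)    ipv4_udp;;
	ipv4_bind|bind)  ipv4_addr_bind;;
	ipv4_runtime)    ipv4_runtime;;
	ipv4_netfilter)  ipv4_netfilter;;

	ipv6_ping|ping6) ipv6_ping;;
	ipv6_tcp|tcp6)   ipv6_tcp;;
	ipv6_udp|udp6)   ipv6_udp;;
	ipv6_bind|bind6) ipv6_addr_bind;;
	ipv6_runtime)    ipv6_runtime;;
	ipv6_netfilter)  ipv6_netfilter;;

	use_cases)       use_cases;;

	# setup namespaces and config, but do not run any tests
	setup)		 setup; exit 0;;
	vrf_setup)	 setup "yes"; exit 0;;

	# a mistyped name used to be skipped without any message
	*)		 echo "Unknown test: ${t}" >&2;;
	esac
done

cleanup 2>/dev/null

printf "\nTests passed: %3d\n" ${nsuccess}
printf "Tests failed: %3d\n" ${nfail}

if [ $nfail -ne 0 ]; then
	exit 1 # KSFT_FAIL
elif [ $nsuccess -eq 0 ]; then
	# ksft_skip is not set in this part of the file; 4 is the kselftest
	# skip code and is used if the variable is empty
	exit ${ksft_skip:-4}
fi

exit 0 # KSFT_PASS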