#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
#
# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
# for various permutations:
#   1. icmp, tcp, udp and netfilter
#   2. client, server, no-server
#   3. global address on interface
#   4. global address on 'lo'
#   5. remote and local traffic
#   6. VRF and non-VRF permutations
#
# Setup:
#                     ns-A     |     ns-B
# No VRF case:
#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
#                                                remote address
# VRF case:
#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
#
# ns-A:
#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
#       lo: 127.0.0.1/8, ::1/128
#           172.16.2.1/32, 2001:db8:2::1/128
#      red: 127.0.0.1/8, ::1/128
#           172.16.3.1/32, 2001:db8:3::1/128
#
# ns-B:
#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
#      lo2: 127.0.0.1/8, ::1/128
#           172.16.2.2/32, 2001:db8:2::2/128
#
# ns-A to ns-C connection - only for VRF and same config
# as ns-A to ns-B
#
# server / client nomenclature relative to ns-A

# Kselftest framework requirement - SKIP code is 4.
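ksft_skip=4

VERBOSE=0

NSA_DEV=eth1
NSA_DEV2=eth2
NSB_DEV=eth1
NSC_DEV=eth2
VRF=red
VRF_TABLE=1101

# IPv4 config
NSA_IP=172.16.1.1
NSB_IP=172.16.1.2
VRF_IP=172.16.3.1
NS_NET=172.16.1.0/24

# IPv6 config
NSA_IP6=2001:db8:1::1
NSB_IP6=2001:db8:1::2
VRF_IP6=2001:db8:3::1
NS_NET6=2001:db8:1::/120

NSA_LO_IP=172.16.2.1
NSB_LO_IP=172.16.2.2
NSA_LO_IP6=2001:db8:2::1
NSB_LO_IP6=2001:db8:2::2

# non-local addresses for freebind tests
NL_IP=172.17.1.1
NL_IP6=2001:db8:4::1

# multicast and broadcast addresses
MCAST_IP=224.0.0.1
BCAST_IP=255.255.255.255

# Keys for the TCP MD5 cases. They are fixed test values and are handed to
# nettest as command-line arguments (-M / -X), so they are visible in the
# process list while a test runs.
MD5_PW=abc123
MD5_WRONG_PW=abc1234

MCAST=ff02::1
# set after namespace create
NSA_LINKIP6=
NSB_LINKIP6=

NSA=ns-A
NSB=ns-B
NSC=ns-C

# Command prefixes; expanded unquoted by the run_cmd* helpers so that they
# split into "ip netns exec <ns>".
NSA_CMD="ip netns exec ${NSA}"
NSB_CMD="ip netns exec ${NSB}"
NSC_CMD="ip netns exec ${NSC}"

# Prefer a dedicated ping6 binary, fall back to ping when there is none.
if command -v ping6 > /dev/null 2>&1; then
	ping6=$(command -v ping6)
else
	ping6=$(command -v ping)
fi

# Check if FIPS mode is enabled
if [ -f /proc/sys/crypto/fips_enabled ]; then
	fips_enabled=$(cat /proc/sys/crypto/fips_enabled)
else
	fips_enabled=0
fi

################################################################################
# utilities

# Prompt on the terminal and wait for enter; 'q' aborts the whole run.
# The answer is kept in a local so the caller's variables (the test
# functions use 'a' for the address under test) are not overwritten.
_pause_or_quit()
{
	local reply

	echo
	echo "hit enter to continue, 'q' to quit"
	read -r reply
	[ "$reply" = "q" ] && exit 1

	return 0
}

# Record one test result.
# Arguments: $1 - exit status observed
#            $2 - exit status expected
#            $3 - test description
# Globals:   nsuccess / nfail (incremented), VERBOSE, PAUSE, PAUSE_ON_FAIL (read)
# Ends by calling kill_procs, so every result is followed by a process sweep.
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"

	[ "${VERBOSE}" = "1" ] && echo

	if [ "${rc}" -eq "${expected}" ]; then
		nsuccess=$((nsuccess+1))
		printf "TEST: %-70s [ OK ]\n" "${msg}"
	else
		nfail=$((nfail+1))
		printf "TEST: %-70s [FAIL]\n" "${msg}"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			_pause_or_quit
		fi
	fi

	if [ "${PAUSE}" = "yes" ]; then
		_pause_or_quit
	fi

	kill_procs
}

# Same as log_test, with the description suffixed by the symbolic name of
# the address under test.
# Arguments: $1 - address, $2 - observed status, $3 - expected status,
#            $4 - test description
log_test_addr()
{
	local addr=$1
	local rc=$2
	local expected=$3
	local msg="$4"
	local astr

	astr=$(addr2str "${addr}")
	log_test "$rc" "$expected" "$msg - ${astr}"
}

# Print a banner for a top-level test section.
log_section()
{
	echo
	echo "###########################################################################"
	echo "$*"
	echo "###########################################################################"
	echo
}

# Print a banner for a subsection.
log_subsection()
{
	echo
	echo "#################################################################"
	echo "$*"
	echo
}

# Mark the start of a single test case.
log_start()
{
	# make sure we have no test instances running
	kill_procs

	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "#######################################################"
	fi
}

# Print a message only in verbose mode.
log_debug()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "$*"
		echo
	fi
}

# Print an explanatory hint for the next test only in verbose mode.
show_hint()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo "HINT: $*"
		echo
	fi
}

# Stop leftover test processes.
# killall selects by process name and is not limited to the test
# namespaces: any nettest, ping or ping6 process this user may signal is
# terminated, so the script is best run on a host with no unrelated
# instances of those programs.
kill_procs()
{
	killall nettest ping ping6 >/dev/null 2>&1
	sleep 1
}

# Run a command, capturing stdout and stderr, and return its exit status.
# Arguments: the command and its arguments
# Outputs:   the command line and its output, in verbose mode only
do_run_cmd()
{
	local cmd="$*"
	local out

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${cmd}"
	fi

	# $cmd is expanded unquoted: the joined string is split again on
	# whitespace and is subject to globbing, so an argument that contains a
	# space never reaches the command as one word.
	out=$($cmd 2>&1)
	# NOTE(review): rc is not local here, so this lands in the caller's rc
	# or in the global one; kept as is because code outside this part of
	# the file may read it - confirm before tightening.
	rc=$?
	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		echo "$out"
	fi

	return $rc
}

# Run a command inside ns-A.
run_cmd()
{
	do_run_cmd ${NSA_CMD} $*
}

# Run a command inside ns-B.
run_cmd_nsb()
{
	do_run_cmd ${NSB_CMD} $*
}

# Run a command inside ns-C.
run_cmd_nsc()
{
	do_run_cmd ${NSC_CMD} $*
}

# Run a setup command through the given run_cmd* wrapper and stop the whole
# test run if it fails.
# Arguments: $1 - wrapper function name, remaining - command and arguments
_setup_cmd_via()
{
	local runner=$1
	shift
	local cmd="$*"
	local rc
	local reply

	"${runner}" ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		# show user the command if not done so already
		if [ "$VERBOSE" = "0" ]; then
			echo "setup command: $cmd"
		fi
		echo "failed. stopping tests"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue"
			read -r reply
		fi
		exit $rc
	fi
}

# Setup command in ns-A; a failure exits the script with the command's status.
setup_cmd()
{
	_setup_cmd_via run_cmd "$@"
}

# Setup command in ns-B; a failure exits the script with the command's status.
setup_cmd_nsb()
{
	_setup_cmd_via run_cmd_nsb "$@"
}

# Setup command in ns-C; a failure exits the script with the command's status.
setup_cmd_nsc()
{
	_setup_cmd_via run_cmd_nsc "$@"
}

# set sysctl values in NS-A
# NOTE(review): $* is re-split on whitespace on its way through run_cmd, so
# a value with a space (the ping tests pass
# net.ipv4.ping_group_range='0 2147483647') reaches sysctl as two words.
# Left unchanged here because fixing it alters what those tests exercise.
set_sysctl()
{
	echo "SYSCTL: $*"
	echo
	run_cmd sysctl -q -w $*
}

# get sysctl values in NS-A
get_sysctl()
{
	${NSA_CMD} sysctl -n $*
}

################################################################################
# Setup for tests

# Map an address to the label used in test output.
# Arguments: $1 - IPv4/IPv6 address, optionally with a %scope suffix for the
#                 link-local and multicast patterns
# Outputs:   the label on stdout, "unknown" when nothing matches
# While NSA_LINKIP6 / NSB_LINKIP6 are still empty their patterns match an
# empty argument.
addr2str()
{
	case "$1" in
	127.0.0.1) echo "loopback";;
	::1) echo "IPv6 loopback";;

	${BCAST_IP}) echo "broadcast";;
	${MCAST_IP}) echo "multicast";;

	${NSA_IP})	echo "ns-A IP";;
	${NSA_IP6})	echo "ns-A IPv6";;
	${NSA_LO_IP})	echo "ns-A loopback IP";;
	${NSA_LO_IP6})	echo "ns-A loopback IPv6";;
	${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;

	${NSB_IP})	echo "ns-B IP";;
	${NSB_IP6})	echo "ns-B IPv6";;
	${NSB_LO_IP})	echo "ns-B loopback IP";;
	${NSB_LO_IP6})	echo "ns-B loopback IPv6";;
	${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;

	${NL_IP})       echo "nonlocal IP";;
	${NL_IP6})      echo "nonlocal IPv6";;

	${VRF_IP})	echo "VRF IP";;
	${VRF_IP6})	echo "VRF IPv6";;

	${MCAST}%*) echo "multicast IP";;

	*) echo "unknown";;
	esac
}

# Print the first fe80 address of a device, without the prefix length.
# Arguments: $1 - namespace, $2 - device
# Returns:   1 when the device has no fe80 address
get_linklocal()
{
	local ns=$1
	local dev=$2
	local addr

	addr=$(ip -netns "${ns}" -6 -br addr show dev "${dev}" | \
	awk '{
		for (i = 3; i <= NF; ++i) {
			if ($i ~ /^fe80/)
				print $i
		}
	}'
	)
	# drop everything from the first "/" on (prefix length and any
	# further addresses)
	addr=${addr/\/*}

	if [ -z "$addr" ]; then
		return 1
	fi

	echo "$addr"

	return 0
}

################################################################################
# create namespaces and vrf

# Create and bring up a VRF device in a namespace.
# Arguments: $1 - namespace, $2 - VRF name, $3 - routing table id,
#            $4 - IPv4 address for the VRF device or "-" for none,
#            $5 - IPv6 address for the VRF device or "-" for none
create_vrf()
{
	local ns=$1
	local vrf=$2
	local table=$3
	local addr=$4
	local addr6=$5

	ip -netns "${ns}" link add "${vrf}" type vrf table "${table}"
	ip -netns "${ns}" link set "${vrf}" up
	# lookups in the VRF table end at an unreachable default
	ip -netns "${ns}" route add vrf "${vrf}" unreachable default metric 8192
	ip -netns "${ns}" -6 route add vrf "${vrf}" unreachable default metric 8192

	ip -netns "${ns}" addr add 127.0.0.1/8 dev "${vrf}"
	ip -netns "${ns}" -6 addr add ::1 dev "${vrf}" nodad
	if [ "${addr}" != "-" ]; then
		ip -netns "${ns}" addr add dev "${vrf}" "${addr}"
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns "${ns}" -6 addr add dev "${vrf}" "${addr6}"
	fi

	# move the local-table rule from pref 0 to pref 32765; presumably so
	# the VRF rule is consulted before the local table - confirm
	ip -netns "${ns}" ru del pref 0
	ip -netns "${ns}" ru add pref 32765 from all lookup local
	ip -netns "${ns}" -6 ru del pref 0
	ip -netns "${ns}" -6 ru add pref 32765 from all lookup local
}

# Create a namespace with loopback up, optional extra loopback addresses,
# unreachable default routes and forwarding enabled.
# Arguments: $1 - namespace,
#            $2 - IPv4 address for lo or "-" for none,
#            $3 - IPv6 address for lo or "-" for none
create_ns()
{
	local ns=$1
	local addr=$2
	local addr6=$3

	ip netns add "${ns}"

	ip -netns "${ns}" link set lo up
	if [ "${addr}" != "-" ]; then
		ip -netns "${ns}" addr add dev lo "${addr}"
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns "${ns}" -6 addr add dev lo "${addr6}"
	fi

	ip -netns "${ns}" ro add unreachable default metric 8192
	ip -netns "${ns}" -6 ro add unreachable default metric 8192

	# the sysctls are written inside the new namespace
	ip netns exec "${ns}" sysctl -qw net.ipv4.ip_forward=1
	ip netns exec "${ns}" sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
	ip netns exec "${ns}" sysctl -qw net.ipv6.conf.all.forwarding=1
	ip netns exec "${ns}" sysctl -qw net.ipv6.conf.default.forwarding=1
}

# create veth pair to connect namespaces and apply addresses.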
429connect_ns() 430{ 431 local ns1=$1 432 local ns1_dev=$2 433 local ns1_addr=$3 434 local ns1_addr6=$4 435 local ns2=$5 436 local ns2_dev=$6 437 local ns2_addr=$7 438 local ns2_addr6=$8 439 440 ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp 441 ip -netns ${ns1} li set ${ns1_dev} up 442 ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev} 443 ip -netns ${ns2} li set ${ns2_dev} up 444 445 if [ "${ns1_addr}" != "-" ]; then 446 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr} 447 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr} 448 fi 449 450 if [ "${ns1_addr6}" != "-" ]; then 451 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6} 452 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6} 453 fi 454} 455 456cleanup() 457{ 458 # explicit cleanups to check those code paths 459 ip netns | grep -q ${NSA} 460 if [ $? -eq 0 ]; then 461 ip -netns ${NSA} link delete ${VRF} 462 ip -netns ${NSA} ro flush table ${VRF_TABLE} 463 464 ip -netns ${NSA} addr flush dev ${NSA_DEV} 465 ip -netns ${NSA} -6 addr flush dev ${NSA_DEV} 466 ip -netns ${NSA} link set dev ${NSA_DEV} down 467 ip -netns ${NSA} link del dev ${NSA_DEV} 468 469 ip netns pids ${NSA} | xargs kill 2>/dev/null 470 ip netns del ${NSA} 471 fi 472 473 ip netns pids ${NSB} | xargs kill 2>/dev/null 474 ip netns del ${NSB} 475 ip netns pids ${NSC} | xargs kill 2>/dev/null 476 ip netns del ${NSC} >/dev/null 2>&1 477} 478 479cleanup_vrf_dup() 480{ 481 ip link del ${NSA_DEV2} >/dev/null 2>&1 482 ip netns pids ${NSC} | xargs kill 2>/dev/null 483 ip netns del ${NSC} >/dev/null 2>&1 484} 485 486setup_vrf_dup() 487{ 488 # some VRF tests use ns-C which has the same config as 489 # ns-B but for a device NOT in the VRF 490 create_ns ${NSC} "-" "-" 491 connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \ 492 ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 493} 494 495setup() 496{ 497 local with_vrf=${1} 498 499 # make sure we are starting with a clean slate 500 kill_procs 501 cleanup 2>/dev/null 502 503 
log_debug "Configuring network namespaces" 504 set -e 505 506 create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128 507 create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128 508 connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \ 509 ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 510 511 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 512 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 513 514 # tell ns-A how to get to remote addresses of ns-B 515 if [ "${with_vrf}" = "yes" ]; then 516 create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6} 517 518 ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF} 519 ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 520 ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 521 522 ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 523 ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 524 else 525 ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 526 ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 527 fi 528 529 530 # tell ns-B how to get to remote addresses of ns-A 531 ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 532 ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 533 534 set +e 535 536 sleep 1 537} 538 539setup_lla_only() 540{ 541 # make sure we are starting with a clean slate 542 kill_procs 543 cleanup 2>/dev/null 544 545 log_debug "Configuring network namespaces" 546 set -e 547 548 create_ns ${NSA} "-" "-" 549 create_ns ${NSB} "-" "-" 550 create_ns ${NSC} "-" "-" 551 connect_ns ${NSA} ${NSA_DEV} "-" "-" \ 552 ${NSB} ${NSB_DEV} "-" "-" 553 connect_ns ${NSA} ${NSA_DEV2} "-" "-" \ 554 ${NSC} ${NSC_DEV} "-" "-" 555 556 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 557 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 558 NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV}) 559 560 create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-" 561 ip -netns ${NSA} link 
set dev ${NSA_DEV} vrf ${VRF} 562 ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF} 563 564 set +e 565 566 sleep 1 567} 568 569################################################################################ 570# IPv4 571 572ipv4_ping_novrf() 573{ 574 local a 575 576 # 577 # out 578 # 579 for a in ${NSB_IP} ${NSB_LO_IP} 580 do 581 log_start 582 run_cmd ping -c1 -w1 ${a} 583 log_test_addr ${a} $? 0 "ping out" 584 585 log_start 586 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 587 log_test_addr ${a} $? 0 "ping out, device bind" 588 589 log_start 590 run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a} 591 log_test_addr ${a} $? 0 "ping out, address bind" 592 done 593 594 # 595 # out, but don't use gateway if peer is not on link 596 # 597 a=${NSB_IP} 598 log_start 599 run_cmd ping -c 1 -w 1 -r ${a} 600 log_test_addr ${a} $? 0 "ping out (don't route), peer on link" 601 602 a=${NSB_LO_IP} 603 log_start 604 show_hint "Fails since peer is not on link" 605 run_cmd ping -c 1 -w 1 -r ${a} 606 log_test_addr ${a} $? 1 "ping out (don't route), peer not on link" 607 608 # 609 # in 610 # 611 for a in ${NSA_IP} ${NSA_LO_IP} 612 do 613 log_start 614 run_cmd_nsb ping -c1 -w1 ${a} 615 log_test_addr ${a} $? 0 "ping in" 616 done 617 618 # 619 # local traffic 620 # 621 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 622 do 623 log_start 624 run_cmd ping -c1 -w1 ${a} 625 log_test_addr ${a} $? 0 "ping local" 626 done 627 628 # 629 # local traffic, socket bound to device 630 # 631 # address on device 632 a=${NSA_IP} 633 log_start 634 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 635 log_test_addr ${a} $? 0 "ping local, device bind" 636 637 # loopback addresses not reachable from device bind 638 # fails in a really weird way though because ipv4 special cases 639 # route lookups with oif set. 640 for a in ${NSA_LO_IP} 127.0.0.1 641 do 642 log_start 643 show_hint "Fails since address on loopback device is out of device scope" 644 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 645 log_test_addr ${a} $? 
1 "ping local, device bind" 646 done 647 648 # 649 # ip rule blocks reachability to remote address 650 # 651 log_start 652 setup_cmd ip rule add pref 32765 from all lookup local 653 setup_cmd ip rule del pref 0 from all lookup local 654 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 655 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 656 657 a=${NSB_LO_IP} 658 run_cmd ping -c1 -w1 ${a} 659 log_test_addr ${a} $? 2 "ping out, blocked by rule" 660 661 # NOTE: ipv4 actually allows the lookup to fail and yet still create 662 # a viable rtable if the oif (e.g., bind to device) is set, so this 663 # case succeeds despite the rule 664 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 665 666 a=${NSA_LO_IP} 667 log_start 668 show_hint "Response generates ICMP (or arp request is ignored) due to ip rule" 669 run_cmd_nsb ping -c1 -w1 ${a} 670 log_test_addr ${a} $? 1 "ping in, blocked by rule" 671 672 [ "$VERBOSE" = "1" ] && echo 673 setup_cmd ip rule del pref 32765 from all lookup local 674 setup_cmd ip rule add pref 0 from all lookup local 675 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 676 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 677 678 # 679 # route blocks reachability to remote address 680 # 681 log_start 682 setup_cmd ip route replace unreachable ${NSB_LO_IP} 683 setup_cmd ip route replace unreachable ${NSB_IP} 684 685 a=${NSB_LO_IP} 686 run_cmd ping -c1 -w1 ${a} 687 log_test_addr ${a} $? 2 "ping out, blocked by route" 688 689 # NOTE: ipv4 actually allows the lookup to fail and yet still create 690 # a viable rtable if the oif (e.g., bind to device) is set, so this 691 # case succeeds despite not having a route for the address 692 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 693 694 a=${NSA_LO_IP} 695 log_start 696 show_hint "Response is dropped (or arp request is ignored) due to ip route" 697 run_cmd_nsb ping -c1 -w1 ${a} 698 log_test_addr ${a} $? 
1 "ping in, blocked by route" 699 700 # 701 # remove 'remote' routes; fallback to default 702 # 703 log_start 704 setup_cmd ip ro del ${NSB_LO_IP} 705 706 a=${NSB_LO_IP} 707 run_cmd ping -c1 -w1 ${a} 708 log_test_addr ${a} $? 2 "ping out, unreachable default route" 709 710 # NOTE: ipv4 actually allows the lookup to fail and yet still create 711 # a viable rtable if the oif (e.g., bind to device) is set, so this 712 # case succeeds despite not having a route for the address 713 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 714} 715 716ipv4_ping_vrf() 717{ 718 local a 719 720 # should default on; does not exist on older kernels 721 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 722 723 # 724 # out 725 # 726 for a in ${NSB_IP} ${NSB_LO_IP} 727 do 728 log_start 729 run_cmd ping -c1 -w1 -I ${VRF} ${a} 730 log_test_addr ${a} $? 0 "ping out, VRF bind" 731 732 log_start 733 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 734 log_test_addr ${a} $? 0 "ping out, device bind" 735 736 log_start 737 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a} 738 log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind" 739 740 log_start 741 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a} 742 log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind" 743 done 744 745 # 746 # in 747 # 748 for a in ${NSA_IP} ${VRF_IP} 749 do 750 log_start 751 run_cmd_nsb ping -c1 -w1 ${a} 752 log_test_addr ${a} $? 0 "ping in" 753 done 754 755 # 756 # local traffic, local address 757 # 758 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 759 do 760 log_start 761 show_hint "Source address should be ${a}" 762 run_cmd ping -c1 -w1 -I ${VRF} ${a} 763 log_test_addr ${a} $? 0 "ping local, VRF bind" 764 done 765 766 # 767 # local traffic, socket bound to device 768 # 769 # address on device 770 a=${NSA_IP} 771 log_start 772 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 773 log_test_addr ${a} $? 
0 "ping local, device bind" 774 775 # vrf device is out of scope 776 for a in ${VRF_IP} 127.0.0.1 777 do 778 log_start 779 show_hint "Fails since address on vrf device is out of device scope" 780 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 781 log_test_addr ${a} $? 2 "ping local, device bind" 782 done 783 784 # 785 # ip rule blocks address 786 # 787 log_start 788 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 789 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 790 791 a=${NSB_LO_IP} 792 run_cmd ping -c1 -w1 -I ${VRF} ${a} 793 log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule" 794 795 log_start 796 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 797 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 798 799 a=${NSA_LO_IP} 800 log_start 801 show_hint "Response lost due to ip rule" 802 run_cmd_nsb ping -c1 -w1 ${a} 803 log_test_addr ${a} $? 1 "ping in, blocked by rule" 804 805 [ "$VERBOSE" = "1" ] && echo 806 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 807 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 808 809 # 810 # remove 'remote' routes; fallback to default 811 # 812 log_start 813 setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP} 814 815 a=${NSB_LO_IP} 816 run_cmd ping -c1 -w1 -I ${VRF} ${a} 817 log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route" 818 819 log_start 820 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 821 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 822 823 a=${NSA_LO_IP} 824 log_start 825 show_hint "Response lost by unreachable route" 826 run_cmd_nsb ping -c1 -w1 ${a} 827 log_test_addr ${a} $? 
1 "ping in, unreachable route" 828} 829 830ipv4_ping() 831{ 832 log_section "IPv4 ping" 833 834 log_subsection "No VRF" 835 setup 836 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null 837 ipv4_ping_novrf 838 setup 839 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 840 ipv4_ping_novrf 841 setup 842 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 843 ipv4_ping_novrf 844 845 log_subsection "With VRF" 846 setup "yes" 847 ipv4_ping_vrf 848 setup "yes" 849 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 850 ipv4_ping_vrf 851} 852 853################################################################################ 854# IPv4 TCP 855 856# 857# MD5 tests without VRF 858# 859ipv4_tcp_md5_novrf() 860{ 861 # 862 # single address 863 # 864 865 # basic use case 866 log_start 867 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 868 sleep 1 869 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 870 log_test $? 0 "MD5: Single address config" 871 872 # client sends MD5, server not configured 873 log_start 874 show_hint "Should timeout due to MD5 mismatch" 875 run_cmd nettest -s & 876 sleep 1 877 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 878 log_test $? 2 "MD5: Server no config, client uses password" 879 880 # wrong password 881 log_start 882 show_hint "Should timeout since client uses wrong password" 883 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 884 sleep 1 885 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 886 log_test $? 2 "MD5: Client uses wrong password" 887 888 # client from different address 889 log_start 890 show_hint "Should timeout due to MD5 mismatch" 891 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} & 892 sleep 1 893 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 894 log_test $? 
2 "MD5: Client address does not match address configured with password" 895 896 # 897 # MD5 extension - prefix length 898 # 899 900 # client in prefix 901 log_start 902 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 903 sleep 1 904 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 905 log_test $? 0 "MD5: Prefix config" 906 907 # client in prefix, wrong password 908 log_start 909 show_hint "Should timeout since client uses wrong password" 910 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 911 sleep 1 912 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 913 log_test $? 2 "MD5: Prefix config, client uses wrong password" 914 915 # client outside of prefix 916 log_start 917 show_hint "Should timeout due to MD5 mismatch" 918 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 919 sleep 1 920 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 921 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 922} 923 924# 925# MD5 tests with VRF 926# 927ipv4_tcp_md5() 928{ 929 # 930 # single address 931 # 932 933 # basic use case 934 log_start 935 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 936 sleep 1 937 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 938 log_test $? 0 "MD5: VRF: Single address config" 939 940 # client sends MD5, server not configured 941 log_start 942 show_hint "Should timeout since server does not have MD5 auth" 943 run_cmd nettest -s -I ${VRF} & 944 sleep 1 945 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 946 log_test $? 2 "MD5: VRF: Server no config, client uses password" 947 948 # wrong password 949 log_start 950 show_hint "Should timeout since client uses wrong password" 951 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 952 sleep 1 953 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 954 log_test $? 
2 "MD5: VRF: Client uses wrong password" 955 956 # client from different address 957 log_start 958 show_hint "Should timeout since server config differs from client" 959 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} & 960 sleep 1 961 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 962 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 963 964 # 965 # MD5 extension - prefix length 966 # 967 968 # client in prefix 969 log_start 970 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 971 sleep 1 972 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 973 log_test $? 0 "MD5: VRF: Prefix config" 974 975 # client in prefix, wrong password 976 log_start 977 show_hint "Should timeout since client uses wrong password" 978 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 979 sleep 1 980 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 981 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 982 983 # client outside of prefix 984 log_start 985 show_hint "Should timeout since client address is outside of prefix" 986 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 987 sleep 1 988 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 989 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" 990 991 # 992 # duplicate config between default VRF and a VRF 993 # 994 995 log_start 996 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 997 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 998 sleep 1 999 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1000 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 1001 1002 log_start 1003 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 1004 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 1005 sleep 1 1006 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1007 log_test $? 
0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 1008 1009 log_start 1010 show_hint "Should timeout since client in default VRF uses VRF password" 1011 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 1012 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 1013 sleep 1 1014 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1015 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 1016 1017 log_start 1018 show_hint "Should timeout since client in VRF uses default VRF password" 1019 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 1020 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 1021 sleep 1 1022 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1023 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 1024 1025 log_start 1026 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1027 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1028 sleep 1 1029 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1030 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 1031 1032 log_start 1033 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1034 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1035 sleep 1 1036 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1037 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 1038 1039 log_start 1040 show_hint "Should timeout since client in default VRF uses VRF password" 1041 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1042 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1043 sleep 1 1044 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1045 log_test $? 
2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 1046 1047 log_start 1048 show_hint "Should timeout since client in VRF uses default VRF password" 1049 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1050 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1051 sleep 1 1052 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1053 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 1054 1055 # 1056 # negative tests 1057 # 1058 log_start 1059 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP} 1060 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 1061 1062 log_start 1063 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET} 1064 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 1065 1066 test_ipv4_md5_vrf__vrf_server__no_bind_ifindex 1067 test_ipv4_md5_vrf__global_server__bind_ifindex0 1068} 1069 1070test_ipv4_md5_vrf__vrf_server__no_bind_ifindex() 1071{ 1072 log_start 1073 show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX" 1074 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1075 sleep 1 1076 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1077 log_test $? 0 "MD5: VRF: VRF-bound server, unbound key accepts connection" 1078 1079 log_start 1080 show_hint "Binding both the socket and the key is not required but it works" 1081 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1082 sleep 1 1083 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1084 log_test $? 
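0 "MD5: VRF: VRF-bound server, bound key accepts connection"
}

# TCP-MD5 with a global (not VRF-bound) server and a key installed with
# --force-bind-key-ifindex or --no-bind-key-ifindex.
# Per the test labels, the ns-B client arrives through the VRF and the ns-C
# client does not. A key pinned to ifindex=0 must reject the VRF client
# (expected rc 2) and accept the non-VRF one; an unbound key accepts both.
# Globals: MD5_PW, NS_NET, NSA_IP (read)
test_ipv4_md5_vrf__global_server__bind_ifindex0()
{
	# This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections
	local old_tcp_l3mdev_accept
	old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept)
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection"

	# restore value
	set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept"
}

# SO_DONTROUTE tests for TCP, run with a given tcp_syncookies setting.
# Arguments: $1 - value written to net.ipv4.tcp_syncookies in ns-A and ns-B
# The previous sysctl values of both namespaces are saved first and written
# back at the end of the function.
ipv4_tcp_dontroute()
{
	local syncookies=$1
	local nsa_syncookies
	local nsb_syncookies
	local a

	#
	# Link local connection tests (SO_DONTROUTE).
	# Connections should succeed only when the remote IP address is
	# on link (doesn't need to be routed through a gateway).
	#

	nsa_syncookies=$(ip netns exec "${NSA}" sysctl -n net.ipv4.tcp_syncookies)
	nsb_syncookies=$(ip netns exec "${NSB}" sysctl -n net.ipv4.tcp_syncookies)
	ip netns exec "${NSA}" sysctl -wq net.ipv4.tcp_syncookies=${syncookies}
	ip netns exec "${NSB}" sysctl -wq net.ipv4.tcp_syncookies=${syncookies}

	# Test with eth1 address (on link).

	a=${NSB_IP}
	log_start
	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute
	log_test_addr ${a} $? 0 "SO_DONTROUTE client, syncookies=${syncookies}"

	a=${NSB_IP}
	log_start
	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -r ${a} --server-dontroute
	log_test_addr ${a} $? 0 "SO_DONTROUTE server, syncookies=${syncookies}"

	# Test with loopback address (routed).
	#
	# The client would use the eth1 address as source IP by default.
	# Therefore, we need to use the -c option here, to force the use of the
	# routed (loopback) address as source IP (so that the server will try
	# to respond to a routed address and not a link local one).

	a=${NSB_LO_IP}
	log_start
	show_hint "Should fail 'Network is unreachable' since server is not on link"
	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -c "${NSA_LO_IP}" -r ${a} --client-dontroute
	log_test_addr ${a} $? 1 "SO_DONTROUTE client, syncookies=${syncookies}"

	a=${NSB_LO_IP}
	log_start
	show_hint "Should timeout since server cannot respond (client is not on link)"
	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -c "${NSA_LO_IP}" -r ${a} --server-dontroute
	log_test_addr ${a} $? 2 "SO_DONTROUTE server, syncookies=${syncookies}"

	ip netns exec "${NSB}" sysctl -wq net.ipv4.tcp_syncookies=${nsb_syncookies}
	ip netns exec "${NSA}" sysctl -wq net.ipv4.tcp_syncookies=${nsa_syncookies}
}

# IPv4 TCP tests without a VRF: server, client and local-address cases with
# unbound and device-bound sockets, followed by the MD5 tests (skipped when
# fips_enabled is 1) and the SO_DONTROUTE tests with syncookies 0 and 2.
ipv4_tcp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	# verify TCP reset sent and received
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -0 ${a} -1 ${a}
		log_test_addr ${a} $? 0 "Global server, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"

	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
		run_cmd nettest -s -I ${NSA_DEV} &
		sleep 1
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s &
	sleep 1
	run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "Global server, device client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -d ${NSA_DEV} -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local connection"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "No server, device client, local conn"

	# MD5 tests are skipped when the kernel reports FIPS mode
	[ "$fips_enabled" = "1" ] || ipv4_tcp_md5_novrf

	ipv4_tcp_dontroute 0
	ipv4_tcp_dontroute 2
}

# IPv4 TCP tests with ns-A's device in a VRF. The first half runs with
# tcp_l3mdev_accept=0, where a global server must not accept connections
# arriving through the VRF; the second half runs with tcp_l3mdev_accept=1.
# The sysctl is left at 1 when the function returns.
ipv4_tcp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"

	set_sysctl net.ipv4.tcp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server"

		log_start
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		log_start
		run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Device server"

		# verify TCP reset received
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	# local address tests
	# (${VRF_IP} and 127.0.0.1 both timeout)
	a=${NSA_IP}
	log_start
	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
	run_cmd nettest -s &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV}
	log_test_addr ${a} $? 1 "Global server, local connection"

	# run MD5 tests
	if [ "$fips_enabled" = "0" ]; then
		setup_vrf_dup
		ipv4_tcp_md5
		cleanup_vrf_dup
	fi

	#
	# enable VRF global server
	#
	log_subsection "VRF Global server enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		# verify TCP reset received
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	a=${NSA_IP}
	log_start
	show_hint "client socket should be bound to device"
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	# local address tests
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Should fail 'Connection refused' since client is not bound to VRF"
		run_cmd nettest -s -I ${VRF} &
		sleep 1
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server, local connection"
	done

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${VRF}
		log_test_addr ${a} $? 0 "Client, VRF bind"

		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${VRF}
		log_test_addr ${a} $? 1 "No server, VRF client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${VRF} -3 ${VRF} &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local connection"

	log_start
	show_hint "Should fail 'No route to host' since client is out of VRF scope"
	run_cmd nettest -s -I ${VRF} &
	sleep 1
	run_cmd nettest -r ${a}
	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local connection"
}

# Entry point for the IPv4/TCP section: runs the no-VRF tests with
# tcp_l3mdev_accept set to 0 and then 1, then re-runs setup with "yes"
# and executes the VRF tests.
ipv4_tcp()
{
	log_section "IPv4/TCP"
	log_subsection "No VRF"
	setup

	# tcp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "tcp_l3mdev_accept disabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=0
	ipv4_tcp_novrf
	log_subsection "tcp_l3mdev_accept enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1
	ipv4_tcp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_tcp_vrf
}

################################################################################
# IPv4 UDP

# IPv4 UDP tests without a VRF: server, client and local-address cases,
# including device selection by bind, cmsg and IP_UNICAST_IF (as named in
# the test labels), followed by the SO_DONTROUTE client tests.
ipv4_udp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -D -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client, device send via cmsg"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} -U
		log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF, with connect()"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -0 ${a} -1 ${a}
		log_test_addr ${a} $? 0 "Global server, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -r ${a}
	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"

	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'Connection refused' since address is out of device scope"
		run_cmd nettest -s -D -I ${NSA_DEV} &
		sleep 1
		run_cmd nettest -D -r ${a}
		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -C -r ${a}
	log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"

	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -S -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection"

	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} -U
	log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"

	# IPv4 with device bind has really weird behavior - it overrides the
	# fib lookup, generates an rtable and tries to send the packet. This
	# causes failures for local traffic at different places
	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 2 "Global server, device client, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C
		log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S
		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -U
		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -D -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local conn"

	log_start
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 2 "No server, device client, local conn"

	#
	# Link local connection tests (SO_DONTROUTE).
	# Connections should succeed only when the remote IP address is
	# on link (doesn't need to be routed through a gateway).
	#

	a=${NSB_IP}
	log_start
	do_run_cmd nettest -B -D -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute
	log_test_addr ${a} $? 0 "SO_DONTROUTE client"

	a=${NSB_LO_IP}
	log_start
	show_hint "Should fail 'Network is unreachable' since server is not on link"
	do_run_cmd nettest -B -D -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute
	log_test_addr ${a} $? 1 "SO_DONTROUTE client"
}

# IPv4 UDP tests with ns-A's device in a VRF. Runs first with
# udp_l3mdev_accept=0 (a global server must not receive traffic that
# ingresses through the VRF), then with udp_l3mdev_accept=1.
# The sysctl is left at 1 when the function returns.
ipv4_udp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Fails because ingress is in a VRF and global server is disabled"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "Global server"

		log_start
		run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		log_start
		run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server"

		log_start
		show_hint "Should fail 'Connection refused' since global server is out of scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "Global server, VRF client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection"

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"

	# enable global server
	log_subsection "Global server enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		log_start
		run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client tests
	#
	log_start
	run_cmd_nsb nettest -D -s &
	sleep 1
	run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP}
	log_test $? 0 "VRF client"

	log_start
	run_cmd_nsb nettest -D -s &
	sleep 1
	run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP}
	log_test $? 0 "Enslaved device client"

	# negative test - should fail
	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -D -d ${VRF} -r ${NSB_IP}
	log_test $? 1 "No server, VRF client"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP}
	log_test $? 1 "No server, enslaved device client"

	#
	# local address tests
	#
	a=${NSA_IP}
	log_start
	run_cmd nettest -D -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"

	for a in ${VRF_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -D -s -3 ${VRF} &
		sleep 1
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
	done

	for a in ${VRF_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -s -D -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
	done

	# negative test - should fail
	# verifies ECONNREFUSED
	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
	done
}

# Entry point for the IPv4/UDP section: runs the no-VRF tests with
# udp_l3mdev_accept set to 0 and then 1, then re-runs setup with "yes"
# and executes the VRF tests.
ipv4_udp()
{
	log_section "IPv4/UDP"
	log_subsection "No VRF"

	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv4_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv4_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_udp_vrf
}

################################################################################
# IPv4 address bind
#
# verifies ability or inability to bind to an address / device

# Bind-only tests without a VRF for raw, TCP and ICMP sockets: local
# addresses, nonlocal addresses, and broadcast/multicast addresses (which
# ICMP sockets must refuse).
ipv4_addr_bind_novrf()
{
	# keep the loop/address variable out of the global scope, as the other
	# test functions in this file do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# tests for nonlocal bind
	#
	a=${NL_IP}
	log_start
	run_cmd nettest -s -R -f -l ${a} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

	log_start
	run_cmd nettest -s -f -l ${a} -b
	log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address"

	log_start
	run_cmd nettest -s -D -P icmp -f -l ${a} -b
	log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address"

	#
	# check that ICMP sockets cannot bind to broadcast and multicast addresses
	#
	a=${BCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address"

	a=${MCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to multicast address"

	#
	# tcp sockets
	#
	a=${NSA_IP}
	log_start
	run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not
	#a=${NSA_LO_IP}
	#log_start
	#show_hint "Should fail with 'Cannot assign requested address'"
	#run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
	#log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
}

# Bind-only tests with ns-A's device in a VRF: a socket must be bound to
# the VRF or to the enslaved device before it can bind a VRF address, and
# addresses on loopback are out of scope for VRF- or device-bound sockets.
ipv4_addr_bind_vrf()
{
	# keep the loop/address variable out of the global scope, as the other
	# test functions in this file do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Socket not bound to VRF, but address is in VRF"
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 1 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind"

	#
	# tests for nonlocal bind
	#
	a=${NL_IP}
	log_start
	run_cmd nettest -s -R -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	log_start
	run_cmd nettest -s -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address after VRF bind"

	log_start
	run_cmd nettest -s -D -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address after VRF bind"

	#
	# check that ICMP sockets cannot bind to broadcast and multicast addresses
	#
	a=${BCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address after VRF bind"

	a=${MCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to multicast address after VRF bind"

	#
	# tcp sockets
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address"

		log_start
		run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
}

# Entry point for the IPv4 address bind section (no-VRF, then VRF).
ipv4_addr_bind()
{
	log_section "IPv4 address binds"

	log_subsection "No VRF"
	setup
	# Widen ping_group_range to every group id; presumably this is what
	# lets the "-D -P icmp" bind tests open ICMP sockets. Errors from the
	# sysctl write are discarded.
	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
	ipv4_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
	ipv4_addr_bind_vrf
}

################################################################################
# IPv4 runtime tests

# Deletes the VRF device while nettest sockets are active, for server,
# client and local-address permutations, and re-runs setup after each case.
# Arguments: $1 - description prefix for the test labels
#            $2 - extra nettest arguments; expanded unquoted on purpose so
#                 that a value such as "-n -1" splits into separate words
# Every case is logged with rc 0 and expected 0, so these entries never
# report FAIL on their own; the exit status of nettest is not checked.
ipv4_rt()
{
	local desc="$1"
	local varg="$2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -s -I ${VRF} &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest ${varg} -s -I ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest ${varg} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device server"

	setup ${with_vrf}

	#
	# client test
	#
	# NOTE(review): the two client cases connect to ${NSB_IP} but are
	# logged with ${a}, which still holds ${NSA_IP} - confirm intended.
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device client"

	setup ${with_vrf}

	#
	# local address tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local"

		setup ${with_vrf}
	done

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server and client, local"

		setup ${with_vrf}
	done

	a=${NSA_IP}
	log_start

	run_cmd nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${VRF} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local"
}

# Deletes the VRF device while a flood ping (ping -f) is running, first
# with traffic coming in from ns-B and then going out bound to the VRF.
# As in ipv4_rt, each case is logged with rc 0 and expected 0.
ipv4_ping_rt()
{
	local with_vrf="yes"
	local a

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd_nsb ping -f ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

		setup ${with_vrf}
	done

	a=${NSB_IP}
	log_start
	run_cmd ping -f -I ${VRF} ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

# Entry point for the IPv4 run time section; setup "yes" is re-run before
# each group because the group ends with the VRF device deleted.
ipv4_runtime()
{
	log_section "Run time tests - ipv4"

	setup "yes"
	ipv4_ping_rt

	setup "yes"
	ipv4_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv4_rt "TCP passive socket" "-i"
}

################################################################################
# IPv6

# IPv6 ping tests without a VRF: out, in and local traffic, then the same
# destinations blocked by ip rules and by unreachable routes. The rules and
# routes added here are removed again before the function returns.
ipv6_ping_novrf()
{
	local a

	# should not have an impact, but make a known state
	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping out"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a}
		log_test_addr ${a} $? 0 "ping out, loopback address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
	do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	#
	# local traffic, local address
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping local, no bind"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping local, device bind"
	done

	for a in ${NSA_LO_IP6} ::1
	do
		log_start
		show_hint "Fails since address on loopback is out of device scope"
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 2 "ping local, device bind"
	done

	#
	# ip rule blocks address
	#
	log_start
	setup_cmd ip -6 rule add pref 32765 from all lookup local
	setup_cmd ip -6 rule del pref 0 from all lookup local
	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by rule"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	setup_cmd ip -6 rule add pref 0 from all lookup local
	setup_cmd ip -6 rule del pref 32765 from all lookup local
	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit

	#
	# route blocks reachability to remote address
	#
	log_start
	setup_cmd ip -6 route del ${NSB_LO_IP6}
	setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10
	setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by route"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Response lost due to ip route"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by route"

	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6}
	setup_cmd ip -6 ro del unreachable ${NSB_IP6}

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, unreachable route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
}

ipv6_ping_vrf()
{
	local a

	# should default on; does not exist on older kernels
	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping out, VRF bind"
	done

	for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF}
	do
		log_start
		show_hint "Fails since VRF device does not support linklocal or multicast"
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 1 "ping out, VRF bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
	do
		log_start
		run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a}
		log_test_addr ${a} $? 0 "ping out, vrf device+address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
	do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	a=${NSA_LO_IP6}
	log_start
	show_hint "Fails since loopback address is out of VRF scope"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in"

	#
	# local traffic, local address
	#
	for a in ${NSA_IP6} ${VRF_IP6} ::1
	do
		log_start
		show_hint "Source address should be ${a}"
		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping local, VRF bind"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $?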
0 "ping local, device bind" 2456 done 2457 2458 # LLA to GUA - remove ipv6 global addresses from ns-B 2459 setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 2460 setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo 2461 setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2462 2463 for a in ${NSA_IP6} ${VRF_IP6} 2464 do 2465 log_start 2466 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 2467 log_test_addr ${a} $? 0 "ping in, LLA to GUA" 2468 done 2469 2470 setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2471 setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} 2472 setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo 2473 2474 # 2475 # ip rule blocks address 2476 # 2477 log_start 2478 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2479 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2480 2481 a=${NSB_LO_IP6} 2482 run_cmd ${ping6} -c1 -w1 ${a} 2483 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2484 2485 log_start 2486 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2487 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2488 2489 a=${NSA_LO_IP6} 2490 log_start 2491 show_hint "Response lost due to ip rule" 2492 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2493 log_test_addr ${a} $? 1 "ping in, blocked by rule" 2494 2495 log_start 2496 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2497 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2498 2499 # 2500 # remove 'remote' routes; fallback to default 2501 # 2502 log_start 2503 setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF} 2504 2505 a=${NSB_LO_IP6} 2506 run_cmd ${ping6} -c1 -w1 ${a} 2507 log_test_addr ${a} $? 2 "ping out, unreachable route" 2508 2509 log_start 2510 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2511 log_test_addr ${a} $? 
2 "ping out, device bind, unreachable route"

	ip -netns ${NSB} -6 ro del ${NSA_LO_IP6}
	a=${NSA_LO_IP6}
	log_start
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping in, unreachable route"
}

# Run the IPv6 ping cases, first without and then with the VRF.
# Each variant runs twice: once on a fresh setup, then again on another
# fresh setup after net.ipv4.ping_group_range is widened to
# '0 2147483647'. That sysctl is the GID range allowed to open
# unprivileged ICMP "ping" sockets, so the second pass presumably
# exercises ping sockets rather than raw sockets - depends on the ping
# binary in use.
# NOTE(review): set_sysctl is defined elsewhere in this script; the
# widened range is expected to stay inside the test namespace - confirm.
ipv6_ping()
{
	log_section "IPv6 ping"

	log_subsection "No VRF"
	setup
	ipv6_ping_novrf
	setup
	# any error output from the sysctl write is discarded
	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
	ipv6_ping_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_ping_vrf
	setup "yes"
	# any error output from the sysctl write is discarded
	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
	ipv6_ping_vrf
}

################################################################################
# IPv6 TCP

#
# MD5 tests without VRF
#
# TCP MD5 signature checks between a nettest server started with run_cmd
# and a client started with run_cmd_nsb. The server is given a password
# (-M) tied to a peer address or prefix (-m); the client supplies its
# password with -X.
# Expected results: rc 0 when password and peer address both match,
# rc 2 (the "Should timeout" hints) when they do not.
# MD5_PW and MD5_WRONG_PW are fixed test values set at the top of the
# script. They are passed on the command line, which is acceptable for
# throwaway test keys; a real key should not be exposed through argv.
# Each background server is cleaned up by kill_procs at the end of
# log_test.
#
ipv6_tcp_md5_novrf()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Client uses wrong password"

	# client from different address
	# (server key is tied to NSB_LO_IP6, not the address named in the
	# basic use case above)
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Prefix config, client uses wrong password"

	# client outside of prefix
	# (client is given NSB_LO_IP6 via -c; per the test name that address
	# is not covered by NS_NET6)
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
}

#
# MD5 tests with VRF
#
ipv6_tcp_md5()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout since server does not have MD5 auth"
	run_cmd nettest -6 -s -I ${VRF} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $?
2 "MD5: VRF: Client uses wrong password" 2641 2642 # client from different address 2643 log_start 2644 show_hint "Should timeout since server config differs from client" 2645 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} & 2646 sleep 1 2647 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2648 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 2649 2650 # 2651 # MD5 extension - prefix length 2652 # 2653 2654 # client in prefix 2655 log_start 2656 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2657 sleep 1 2658 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2659 log_test $? 0 "MD5: VRF: Prefix config" 2660 2661 # client in prefix, wrong password 2662 log_start 2663 show_hint "Should timeout since client uses wrong password" 2664 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2665 sleep 1 2666 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2667 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 2668 2669 # client outside of prefix 2670 log_start 2671 show_hint "Should timeout since client address is outside of prefix" 2672 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2673 sleep 1 2674 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW} 2675 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" 2676 2677 # 2678 # duplicate config between default VRF and a VRF 2679 # 2680 2681 log_start 2682 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2683 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2684 sleep 1 2685 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2686 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 2687 2688 log_start 2689 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2690 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2691 sleep 1 2692 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2693 log_test $? 
0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 2694 2695 log_start 2696 show_hint "Should timeout since client in default VRF uses VRF password" 2697 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2698 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2699 sleep 1 2700 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2701 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 2702 2703 log_start 2704 show_hint "Should timeout since client in VRF uses default VRF password" 2705 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2706 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2707 sleep 1 2708 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2709 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 2710 2711 log_start 2712 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2713 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2714 sleep 1 2715 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2716 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 2717 2718 log_start 2719 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2720 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2721 sleep 1 2722 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2723 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 2724 2725 log_start 2726 show_hint "Should timeout since client in default VRF uses VRF password" 2727 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2728 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2729 sleep 1 2730 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2731 log_test $? 
2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"

	#
	# negative tests
	#
	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6}
	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"

	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6}
	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"

}

# IPv6 TCP connection tests with no VRF configured.
# Covers a server started with run_cmd and reached through run_cmd_nsb,
# a client connecting out to a server started with run_cmd_nsb, and
# local connections, each with and without device binding.
# rc 0 means the connection is expected to work, rc 1 an expected
# failure (the show_hint text gives the reason).
# Ends with the TCP MD5 cases unless FIPS mode is reported.
ipv6_tcp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	# verify TCP reset received
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
	do
		log_start
		run_cmd_nsb nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Client"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
	do
		log_start
		run_cmd_nsb nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
	do
		log_start
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Global server, local connection"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"

	for a in ${NSA_LO_IP6} ::1
	do
		log_start
		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -s -I ${NSA_DEV} &
		sleep 1
		run_cmd nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s &
	sleep 1
	run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	for a in ${NSA_LO_IP6} ::1
	do
		log_start
		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "Global server, device client, local connection"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}
	do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
		log_test_addr ${a} $? 0 "Device server, device client, local conn"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
		log_test_addr ${a} $? 1 "No server, device client, local conn"
	done

	# The MD5 cases are skipped when fips_enabled is 1; that value is
	# read from /proc/sys/crypto/fips_enabled when the script starts.
	# NOTE(review): presumably TCP MD5 is unusable in FIPS mode, so a
	# FIPS host gets no TCP MD5 coverage from this run - confirm.
	[ "$fips_enabled" = "1" ] || ipv6_tcp_md5_novrf
}

ipv6_tcp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"

	set_sysctl net.ipv4.tcp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	# link local is always bound to ingress device
	a=${NSA_LINKIP6}%${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${a}
	log_test_addr ${a} $? 0 "VRF server"

	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Device server"
	done

	# verify TCP reset received
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $?
1 "No server" 2929 done 2930 2931 # local address tests 2932 a=${NSA_IP6} 2933 log_start 2934 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2935 run_cmd nettest -6 -s & 2936 sleep 1 2937 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2938 log_test_addr ${a} $? 1 "Global server, local connection" 2939 2940 # run MD5 tests 2941 if [ "$fips_enabled" = "0" ]; then 2942 setup_vrf_dup 2943 ipv6_tcp_md5 2944 cleanup_vrf_dup 2945 fi 2946 2947 # 2948 # enable VRF global server 2949 # 2950 log_subsection "VRF Global server enabled" 2951 set_sysctl net.ipv4.tcp_l3mdev_accept=1 2952 2953 for a in ${NSA_IP6} ${VRF_IP6} 2954 do 2955 log_start 2956 run_cmd nettest -6 -s -3 ${VRF} & 2957 sleep 1 2958 run_cmd_nsb nettest -6 -r ${a} 2959 log_test_addr ${a} $? 0 "Global server" 2960 done 2961 2962 for a in ${NSA_IP6} ${VRF_IP6} 2963 do 2964 log_start 2965 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2966 sleep 1 2967 run_cmd_nsb nettest -6 -r ${a} 2968 log_test_addr ${a} $? 0 "VRF server" 2969 done 2970 2971 # For LLA, child socket is bound to device 2972 a=${NSA_LINKIP6}%${NSB_DEV} 2973 log_start 2974 run_cmd nettest -6 -s -3 ${NSA_DEV} & 2975 sleep 1 2976 run_cmd_nsb nettest -6 -r ${a} 2977 log_test_addr ${a} $? 0 "Global server" 2978 2979 log_start 2980 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2981 sleep 1 2982 run_cmd_nsb nettest -6 -r ${a} 2983 log_test_addr ${a} $? 0 "VRF server" 2984 2985 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2986 do 2987 log_start 2988 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2989 sleep 1 2990 run_cmd_nsb nettest -6 -r ${a} 2991 log_test_addr ${a} $? 0 "Device server" 2992 done 2993 2994 # verify TCP reset received 2995 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2996 do 2997 log_start 2998 show_hint "Should fail 'Connection refused'" 2999 run_cmd_nsb nettest -6 -r ${a} 3000 log_test_addr ${a} $? 
1 "No server" 3001 done 3002 3003 # local address tests 3004 for a in ${NSA_IP6} ${VRF_IP6} 3005 do 3006 log_start 3007 show_hint "Fails 'Connection refused' since client is not in VRF" 3008 run_cmd nettest -6 -s -I ${VRF} & 3009 sleep 1 3010 run_cmd nettest -6 -r ${a} 3011 log_test_addr ${a} $? 1 "Global server, local connection" 3012 done 3013 3014 3015 # 3016 # client 3017 # 3018 for a in ${NSB_IP6} ${NSB_LO_IP6} 3019 do 3020 log_start 3021 run_cmd_nsb nettest -6 -s & 3022 sleep 1 3023 run_cmd nettest -6 -r ${a} -d ${VRF} 3024 log_test_addr ${a} $? 0 "Client, VRF bind" 3025 done 3026 3027 a=${NSB_LINKIP6} 3028 log_start 3029 show_hint "Fails since VRF device does not allow linklocal addresses" 3030 run_cmd_nsb nettest -6 -s & 3031 sleep 1 3032 run_cmd nettest -6 -r ${a} -d ${VRF} 3033 log_test_addr ${a} $? 1 "Client, VRF bind" 3034 3035 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 3036 do 3037 log_start 3038 run_cmd_nsb nettest -6 -s & 3039 sleep 1 3040 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 3041 log_test_addr ${a} $? 0 "Client, device bind" 3042 done 3043 3044 for a in ${NSB_IP6} ${NSB_LO_IP6} 3045 do 3046 log_start 3047 show_hint "Should fail 'Connection refused'" 3048 run_cmd nettest -6 -r ${a} -d ${VRF} 3049 log_test_addr ${a} $? 1 "No server, VRF client" 3050 done 3051 3052 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 3053 do 3054 log_start 3055 show_hint "Should fail 'Connection refused'" 3056 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 3057 log_test_addr ${a} $? 1 "No server, device client" 3058 done 3059 3060 for a in ${NSA_IP6} ${VRF_IP6} ::1 3061 do 3062 log_start 3063 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 3064 sleep 1 3065 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 3066 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 3067 done 3068 3069 a=${NSA_IP6} 3070 log_start 3071 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 3072 sleep 1 3073 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 3074 log_test_addr ${a} $? 
0 "VRF server, device client, local connection"

	a=${NSA_IP6}
	log_start
	show_hint "Should fail since unbound client is out of VRF scope"
	run_cmd nettest -6 -s -I ${VRF} &
	sleep 1
	run_cmd nettest -6 -r ${a}
	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"

	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"

	for a in ${NSA_IP6} ${NSA_LINKIP6}
	do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
		log_test_addr ${a} $? 0 "Device server, device client, local connection"
	done
}

# Entry point for the IPv6 TCP tests.
# The no-VRF cases run twice on one setup, with
# net.ipv4.tcp_l3mdev_accept set to 0 and then to 1; the VRF cases
# follow on a setup created with "yes".
ipv6_tcp()
{
	log_section "IPv6/TCP"
	log_subsection "No VRF"
	setup

	# tcp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "tcp_l3mdev_accept disabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=0
	ipv6_tcp_novrf
	log_subsection "tcp_l3mdev_accept enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1
	ipv6_tcp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_tcp_vrf
}

################################################################################
# IPv6 UDP

ipv6_udp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $?
0 "Device server" 3143 done 3144 3145 a=${NSA_LO_IP6} 3146 log_start 3147 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3148 sleep 1 3149 run_cmd_nsb nettest -6 -D -r ${a} 3150 log_test_addr ${a} $? 0 "Global server" 3151 3152 # should fail since loopback address is out of scope for a device 3153 # bound server, but it does not - hence this is more documenting 3154 # behavior. 3155 #log_start 3156 #show_hint "Should fail since loopback address is out of scope" 3157 #run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3158 #sleep 1 3159 #run_cmd_nsb nettest -6 -D -r ${a} 3160 #log_test_addr ${a} $? 1 "Device server" 3161 3162 # negative test - should fail 3163 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 3164 do 3165 log_start 3166 show_hint "Should fail 'Connection refused' since there is no server" 3167 run_cmd_nsb nettest -6 -D -r ${a} 3168 log_test_addr ${a} $? 1 "No server" 3169 done 3170 3171 # 3172 # client 3173 # 3174 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 3175 do 3176 log_start 3177 run_cmd_nsb nettest -6 -D -s & 3178 sleep 1 3179 run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6} 3180 log_test_addr ${a} $? 0 "Client" 3181 3182 log_start 3183 run_cmd_nsb nettest -6 -D -s & 3184 sleep 1 3185 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6} 3186 log_test_addr ${a} $? 0 "Client, device bind" 3187 3188 log_start 3189 run_cmd_nsb nettest -6 -D -s & 3190 sleep 1 3191 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6} 3192 log_test_addr ${a} $? 0 "Client, device send via cmsg" 3193 3194 log_start 3195 run_cmd_nsb nettest -6 -D -s & 3196 sleep 1 3197 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6} 3198 log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF" 3199 3200 log_start 3201 show_hint "Should fail 'Connection refused'" 3202 run_cmd nettest -6 -D -r ${a} 3203 log_test_addr ${a} $? 
1 "No server, unbound client" 3204 3205 log_start 3206 show_hint "Should fail 'Connection refused'" 3207 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3208 log_test_addr ${a} $? 1 "No server, device client" 3209 done 3210 3211 # 3212 # local address tests 3213 # 3214 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 3215 do 3216 log_start 3217 run_cmd nettest -6 -D -s & 3218 sleep 1 3219 run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a} 3220 log_test_addr ${a} $? 0 "Global server, local connection" 3221 done 3222 3223 a=${NSA_IP6} 3224 log_start 3225 run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 3226 sleep 1 3227 run_cmd nettest -6 -D -r ${a} 3228 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 3229 3230 for a in ${NSA_LO_IP6} ::1 3231 do 3232 log_start 3233 show_hint "Should fail 'Connection refused' since address is out of device scope" 3234 run_cmd nettest -6 -s -D -I ${NSA_DEV} & 3235 sleep 1 3236 run_cmd nettest -6 -D -r ${a} 3237 log_test_addr ${a} $? 1 "Device server, local connection" 3238 done 3239 3240 a=${NSA_IP6} 3241 log_start 3242 run_cmd nettest -6 -s -D & 3243 sleep 1 3244 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3245 log_test_addr ${a} $? 0 "Global server, device client, local connection" 3246 3247 log_start 3248 run_cmd nettest -6 -s -D & 3249 sleep 1 3250 run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a} 3251 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 3252 3253 log_start 3254 run_cmd nettest -6 -s -D & 3255 sleep 1 3256 run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a} 3257 log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection" 3258 3259 for a in ${NSA_LO_IP6} ::1 3260 do 3261 log_start 3262 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3263 run_cmd nettest -6 -D -s & 3264 sleep 1 3265 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3266 log_test_addr ${a} $? 
1 "Global server, device client, local connection" 3267 3268 log_start 3269 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3270 run_cmd nettest -6 -D -s & 3271 sleep 1 3272 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C 3273 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 3274 3275 log_start 3276 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3277 run_cmd nettest -6 -D -s & 3278 sleep 1 3279 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S 3280 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 3281 3282 log_start 3283 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3284 run_cmd nettest -6 -D -s & 3285 sleep 1 3286 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -U 3287 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()" 3288 done 3289 3290 a=${NSA_IP6} 3291 log_start 3292 run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3293 sleep 1 3294 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a} 3295 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3296 3297 log_start 3298 show_hint "Should fail 'Connection refused'" 3299 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3300 log_test_addr ${a} $? 1 "No server, device client, local conn" 3301 3302 # LLA to GUA 3303 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3304 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3305 log_start 3306 run_cmd nettest -6 -s -D & 3307 sleep 1 3308 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3309 log_test $? 
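0 "UDP in - LLA to GUA"

	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}

# IPv6 UDP (nettest -6 -D) permutations with the VRF configured.
#
# First half runs with net.ipv4.udp_l3mdev_accept=0 (server and local
# connection cases); second half with it set to 1 (server, client, local
# connection, link-local and LLA-to-GUA cases). The number after "$?" in each
# log_test/log_test_addr call is the nettest exit status the test expects.
#
# What the expectations pin down: a server that is not bound to the VRF or to
# an enslaved device ("Global server") is refused with the sysctl at 0 and
# reachable with it at 1, i.e. the sysctl widens which L3 domains an unbound
# UDP socket serves.
#
# Globals read: NSA_IP6 VRF_IP6 NSB_IP6 NSA_DEV NSB_DEV VRF
#               NSA_LINKIP6 NSB_LINKIP6
ipv6_udp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server is disabled"
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"
	done

	# negative test - should fail
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server is disabled"
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "Global server, VRF client, local conn"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${VRF} -s &
		sleep 1
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
	done

	a=${NSA_IP6}
	log_start
	show_hint "Should fail 'Connection refused' since global server is disabled"
	run_cmd nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "Global server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"

	# enable global server
	log_subsection "Global server enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"
	done

	# negative test - should fail
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client tests
	#
	log_start
	run_cmd_nsb nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
	log_test $? 0 "VRF client"

	# negative test - should fail
	log_start
	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
	log_test $? 1 "No server, VRF client"

	log_start
	run_cmd_nsb nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
	log_test $? 0 "Enslaved device client"

	# negative test - should fail
	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
	log_test $? 1 "No server, enslaved device client"

	#
	# local address tests
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

	# NOTE(review): this is the only test in the function whose log_start
	# is commented out; left as found - confirm whether that is intended.
	#log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"


	a=${VRF_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${VRF} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"

	# negative test - should fail
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
	done

	# device to global IP
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "No server, device client, local conn"


	# link local addresses
	log_start
	run_cmd nettest -6 -D -s &
	sleep 1
	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
	log_test $? 0 "Global server, linklocal IP"

	log_start
	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
	log_test $? 1 "No server, linklocal IP"


	log_start
	run_cmd_nsb nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
	log_test $? 0 "Enslaved device client, linklocal IP"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
	log_test $? 1 "No server, device client, peer linklocal IP"


	log_start
	run_cmd nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
	log_test $? 0 "Enslaved device client, local conn - linklocal IP"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
	log_test $? 1 "No server, device client, local conn - linklocal IP"

	# LLA to GUA
	# ns-B temporarily loses its global address and gets a host route to
	# ns-A instead; both changes are undone after the test.
	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -D &
	sleep 1
	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
	log_test $? 0 "UDP in - LLA to GUA"

	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}

# Entry point for the IPv6 UDP test set: runs ipv6_udp_novrf twice (with
# udp_l3mdev_accept 0 and 1) after a no-VRF setup, then ipv6_udp_vrf after
# a VRF setup.
ipv6_udp()
{
	# should not matter, but set to known state
	set_sysctl net.ipv4.udp_early_demux=1

	log_section "IPv6/UDP"
	log_subsection "No VRF"
	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv6_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv6_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_udp_vrf
}

################################################################################
# IPv6 address bind

# Bind-only (nettest -b) checks without a VRF: raw and TCP sockets bound to
# local addresses, with and without a prior device bind, plus a raw socket
# bound to the non-local address NL_IP6.
#
# The last test documents a kernel behaviour worth knowing when reasoning
# about isolation: binding to a device does not stop a later bind to a local
# address that is not configured on that device.
ipv6_addr_bind_novrf()
{
	#
	# raw socket
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# raw socket with nonlocal bind
	#
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

	#
	# tcp sockets
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. So this test passes
	# when it really should not
	a=${NSA_LO_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
}

# Bind-only (nettest -b) checks with the VRF configured. Addresses on the
# enslaved device and on the VRF device are expected to bind (0); the address
# on loopback (NSA_LO_IP6) is expected to be rejected (1) because it is
# outside the VRF.
#
# As in the no-VRF case, a device bind does not restrict the address to that
# device: the only restriction the tests observe is that the address is valid
# in the L3 domain.
ipv6_addr_bind_vrf()
{
	#
	# raw socket
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"

	#
	# raw socket with nonlocal bind
	#
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	#
	# tcp sockets
	#
	# address on enslaved device is valid for the VRF or device in a VRF
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not
	a=${VRF_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"

}

# Entry point for the IPv6 bind test set: no-VRF setup and tests, then VRF
# setup and tests.
ipv6_addr_bind()
{
	log_section "IPv6 address binds"

	log_subsection "No VRF"
	setup
	ipv6_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_addr_bind_vrf
}

################################################################################
# IPv6 runtime tests

# Delete the VRF device while nettest traffic is in flight.
#
# Arguments: $1 - description used as the prefix of each test name
#            $2 - extra nettest options (word-split on purpose), appended
#                 to "-6"
#
# Every result is logged with a hard-coded "0 0", so a test is counted as
# passed as soon as the script gets past the delete; no exit status is
# checked. Presumably the point is that the delete neither hangs nor crashes
# the kernel - confirm with the log_test helpers earlier in the file.
# The configuration is rebuilt with setup after each delete.
ipv6_rt()
{
	local desc="$1"
	local varg="-6 $2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${NSA_DEV} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, enslaved device server"

		setup ${with_vrf}
	done

	#
	# client test
	#
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, enslaved device client"

	setup ${with_vrf}


	#
	# local address tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server, VRF client"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server and client"

		setup ${with_vrf}
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, global server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${VRF} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, device server, device client"
}

# Delete the VRF device while a flood ping (-f) is running, once with the
# ping coming from ns-B and once going out through the VRF. Results are
# logged with a hard-coded "0 0", as in ipv6_rt.
ipv6_ping_rt()
{
	local with_vrf="yes"
	local a

	a=${NSA_IP6}
	log_start
	run_cmd_nsb ${ping6} -f ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

	setup ${with_vrf}

	# NOTE(review): the ping below targets NSB_IP6 but the result is
	# logged against ${a} (NSA_IP6); left as found.
	log_start
	run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
	sleep 1
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

# Entry point for the IPv6 runtime test set. Each sub-test starts from a
# fresh VRF setup because the previous one deleted the VRF device.
ipv6_runtime()
{
	log_section "Run time tests - ipv6"

	setup "yes"
	ipv6_ping_rt

	setup "yes"
	ipv6_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv6_rt "TCP passive socket" "-i"

	setup "yes"
	ipv6_rt "UDP active socket" "-D -n -1"
}

################################################################################
# netfilter blocking connections

# IPv4 TCP connect from ns-B against a server in ns-A; expects the client to
# fail (1). The REJECT rule that causes the failure is installed by the
# caller, ipv4_netfilter.
netfilter_tcp_reset()
{
	local a

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

# IPv4 connect from ns-B expecting failure (1) while the caller's
# icmp-port-unreachable REJECT rules are installed.
# Arguments: $1 - "TCP" or "UDP"; "UDP" adds -D to both nettest invocations
netfilter_icmp()
{
	local stype="$1"
	local arg
	local a

	[ "${stype}" = "UDP" ] && arg="-D"

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${arg} -s &
		sleep 1
		run_cmd_nsb nettest ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}

# IPv4 netfilter test set: installs INPUT REJECT rules for port 12345
# (tcp-reset, then icmp-port-unreachable for tcp and udp) and checks that
# connections are refused.
ipv4_netfilter()
{
	log_section "IPv4 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp_reset

	log_start
	log_subsection "ICMP unreachable"

	log_start
	run_cmd iptables -F
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
	run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable

	netfilter_icmp "TCP"
	netfilter_icmp "UDP"

	log_start
	# Flush through run_cmd, the same way the rules were added. A bare
	# "iptables -F" is executed by this shell directly and would flush the
	# filter table of whatever namespace the script was started in.
	# NOTE(review): run_cmd is defined earlier in the file and is assumed
	# to execute inside ns-A (cf. NSA_CMD) - confirm.
	run_cmd iptables -F
}

# IPv6 TCP connect from ns-B against a server in ns-A; expects the client to
# fail (1). The REJECT rule is installed by the caller, ipv6_netfilter.
netfilter_tcp6_reset()
{
	local a

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

# IPv6 connect from ns-B expecting failure (1) while the caller's
# icmp6-port-unreachable REJECT rules are installed.
# Arguments: $1 - "TCP" or "UDP"; "UDP" adds -D to both nettest invocations
netfilter_icmp6()
{
	local stype="$1"
	local arg
	local a

	[ "${stype}" = "UDP" ] && arg="$arg -D"

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s ${arg} &
		sleep 1
		run_cmd_nsb nettest -6 ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}

# IPv6 netfilter test set: installs INPUT REJECT rules for port 12345
# (tcp-reset, then icmp6-port-unreachable for tcp and udp) and checks that
# connections are refused.
ipv6_netfilter()
{
	log_section "IPv6 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp6_reset

	log_subsection "ICMP unreachable"

	log_start
	run_cmd ip6tables -F
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
	run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable

	netfilter_icmp6 "TCP"
	netfilter_icmp6 "UDP"

	log_start
	# Flush through run_cmd, the same way the rules were added; a bare
	# "ip6tables -F" would act on the namespace the script was started in.
	# NOTE(review): assumes run_cmd executes inside ns-A - confirm.
	run_cmd ip6tables -F
}

################################################################################
# specific use cases

# VRF only.
# ns-A device enslaved to bridge. Verify traffic with and without
# br_netfilter module loaded. Repeat with SVI on bridge.
#
# Host impact: rmmod/modprobe act on the running kernel, not on a network
# namespace. br_netfilter is unloaded (if it can be) and later loaded, and it
# is left loaded when the function returns, whatever its state was before.
# Run this on a machine where changing that module's state is acceptable.
use_case_br()
{
	setup "yes"

	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
	setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64

	setup_cmd ip link add br0 type bridge
	setup_cmd ip addr add dev br0 ${NSA_IP}/24
	setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad

	setup_cmd ip li set ${NSA_DEV} master br0
	setup_cmd ip li set ${NSA_DEV} up
	setup_cmd ip li set br0 up
	setup_cmd ip li set br0 vrf ${VRF}

	# best effort: the module may not be loaded or may be in use
	rmmod br_netfilter 2>/dev/null
	sleep 5 # DAD

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 ${NSA_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping in"

	# the br_netfilter variants are skipped when the module cannot be loaded
	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out"

		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 ${NSA_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in"
	fi

	setup_cmd ip li set br0 nomaster
	setup_cmd ip li add br0.100 link br0 type vlan id 100
	setup_cmd ip li set br0.100 vrf ${VRF} up
	setup_cmd ip addr add dev br0.100 172.16.101.1/24
	setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad

	setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
	setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
	setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
	setup_cmd_nsb ip li set vlan100 up
	sleep 1

	rmmod br_netfilter 2>/dev/null

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 172.16.101.1
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"

	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out"

		# The two "ping in" names below used to repeat the names of
		# the tests run without br_netfilter, so two different
		# results were reported under one name.
		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 172.16.101.1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping in"
	fi

	setup_cmd ip li del br0 2>/dev/null
	setup_cmd_nsb ip li del vlan100 2>/dev/null
}

# VRF only.
# ns-A device is connected to both ns-B and ns-C on a single VRF but only has
# LLA on the interfaces
#
# Pings the multicast address MCAST from ns-B and ns-C before and after each
# of the two ns-A interfaces is taken down and brought back up.
use_case_ping_lla_multi()
{
	setup_lla_only
	# only want reply from ns-A
	setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
	setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B"

	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C"

	# cycle/flap the first ns-A interface
	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip link set ${NSA_DEV} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C"

	# cycle/flap the second ns-A interface
	setup_cmd ip link set ${NSA_DEV2} down
	setup_cmd ip link set ${NSA_DEV2} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C"
}

# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully
# established with ns-B.
#
# The SNAT rules are removed again with matching -D commands at the end.
use_case_snat_on_vrf()
{
	setup "yes"

	local port="12345"

	run_cmd iptables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}

	run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} &
	sleep 1
	run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port}
	log_test $? 0 "IPv4 TCP connection over VRF with SNAT"

	run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} &
	sleep 1
	run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port}
	log_test $? 0 "IPv6 TCP connection over VRF with SNAT"

	# Cleanup
	run_cmd iptables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
}

# Entry point for the "use_cases" test set.
use_cases()
{
	log_section "Use cases"
	log_subsection "Device enslaved to bridge"
	use_case_br
	log_subsection "Ping LLA with multiple interfaces"
	use_case_ping_lla_multi
	log_subsection "SNAT on VRF"
	use_case_snat_on_vrf
}

################################################################################
# usage

# Print the option summary and the list of test names to stdout.
usage()
{
	cat <<EOF
usage: ${0##*/} OPTS

	-4          IPv4 tests only
	-6          IPv6 tests only
	-t <test>   Test name/set to run
	-p          Pause on fail
	-P          Pause after each test
	-v          Be verbose

Tests:
	$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER
EOF
}

################################################################################
# main

TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter"
TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter"
TESTS_OTHER="use_cases"

PAUSE_ON_FAIL=no
PAUSE=no

while getopts :46t:pPvh o
do
	case $o in
		4) TESTS=ipv4;;
		6) TESTS=ipv6;;
		t) TESTS=$OPTARG;;
		p) PAUSE_ON_FAIL=yes;;
		P) PAUSE=yes;;
		v) VERBOSE=1;;
		h) usage; exit 0;;
		*) usage; exit 1;;
	esac
done

# make sure we don't pause twice
[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no

#
# show user test config
#
if [ -z "$TESTS" ]; then
	TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
elif [ "$TESTS" = "ipv4" ]; then
	TESTS="$TESTS_IPV4"
elif [ "$TESTS" = "ipv6" ]; then
	TESTS="$TESTS_IPV6"
fi

# nettest can be run from PATH or from same directory as this selftest
if ! command -v nettest >/dev/null; then
	# Append rather than prepend: nettest was not found on PATH, so it
	# still resolves from $PWD, while ip, ping, iptables, modprobe etc.
	# keep resolving from the system directories instead of from whatever
	# happens to sit in the current directory of a script that configures
	# namespaces, firewall rules and kernel modules.
	PATH=$PATH:$PWD
	if ! command -v nettest >/dev/null; then
		echo "'nettest' command not found; skipping tests"
		exit $ksft_skip
	fi
fi

declare -i nfail=0
declare -i nsuccess=0

# $TESTS is a space-separated list and is word-split on purpose
for t in $TESTS
do
	case $t in
	ipv4_ping|ping)  ipv4_ping;;
	ipv4_tcp|tcp)    ipv4_tcp;;
	ipv4_udp|udp)    ipv4_udp;;
	ipv4_bind|bind)  ipv4_addr_bind;;
	ipv4_runtime)    ipv4_runtime;;
	ipv4_netfilter)  ipv4_netfilter;;

	ipv6_ping|ping6) ipv6_ping;;
	ipv6_tcp|tcp6)   ipv6_tcp;;
	ipv6_udp|udp6)   ipv6_udp;;
	ipv6_bind|bind6) ipv6_addr_bind;;
	ipv6_runtime)    ipv6_runtime;;
	ipv6_netfilter)  ipv6_netfilter;;

	use_cases)       use_cases;;

	# setup namespaces and config, but do not run any tests
	setup)		 setup; exit 0;;
	vrf_setup)	 setup "yes"; exit 0;;

	# a mistyped name would otherwise be dropped silently and the run
	# could end as SKIP with no indication why
	*)		 echo "unknown test '$t' ignored" >&2;;
	esac
done

cleanup 2>/dev/null

printf "\nTests passed: %3d\n" ${nsuccess}
printf "Tests failed: %3d\n"   ${nfail}

if [ $nfail -ne 0 ]; then
	exit 1 # KSFT_FAIL
elif [ $nsuccess -eq 0 ]; then
	exit $ksft_skip
fi

exit 0 # KSFT_PASS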