#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
#
# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
# for various permutations:
#   1. icmp, tcp, udp and netfilter
#   2. client, server, no-server
#   3. global address on interface
#   4. global address on 'lo'
#   5. remote and local traffic
#   6. VRF and non-VRF permutations
#
# Setup:
#                     ns-A     |     ns-B
# No VRF case:
#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
#                                                remote address
# VRF case:
#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
#
# ns-A:
#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
#       lo: 127.0.0.1/8, ::1/128
#           172.16.2.1/32, 2001:db8:2::1/128
#      red: 127.0.0.1/8, ::1/128
#           172.16.3.1/32, 2001:db8:3::1/128
#
# ns-B:
#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
#      lo2: 127.0.0.1/8, ::1/128
#           172.16.2.2/32, 2001:db8:2::2/128
#
# ns-A to ns-C connection - only for VRF and same config
# as ns-A to ns-B
#
# server / client nomenclature relative to ns-A

# Kselftest framework requirement - SKIP code is 4.
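ksft_skip=4

# set to 1 for command echo and extra output from the helpers below
VERBOSE=0

NSA_DEV=eth1
NSA_DEV2=eth2
NSB_DEV=eth1
NSC_DEV=eth2
VRF=red
VRF_TABLE=1101

# IPv4 config
NSA_IP=172.16.1.1
NSB_IP=172.16.1.2
VRF_IP=172.16.3.1
NS_NET=172.16.1.0/24

# IPv6 config
NSA_IP6=2001:db8:1::1
NSB_IP6=2001:db8:1::2
VRF_IP6=2001:db8:3::1
NS_NET6=2001:db8:1::/120

NSA_LO_IP=172.16.2.1
NSB_LO_IP=172.16.2.2
NSA_LO_IP6=2001:db8:2::1
NSB_LO_IP6=2001:db8:2::2

# non-local addresses for freebind tests
NL_IP=172.17.1.1
NL_IP6=2001:db8:4::1

# TCP-MD5 keys handed to nettest (-M / -X) by the MD5 tests. These are fixed
# test fixtures, not secrets; they appear on command lines and are expanded
# unquoted, so keep them free of whitespace and glob characters.
MD5_PW=abc123
MD5_WRONG_PW=abc1234

MCAST=ff02::1
# set after namespace create
NSA_LINKIP6=
NSB_LINKIP6=

NSA=ns-A
NSB=ns-B
NSC=ns-C

# command prefixes; expanded unquoted so they split into separate words
NSA_CMD="ip netns exec ${NSA}"
NSB_CMD="ip netns exec ${NSB}"
NSC_CMD="ip netns exec ${NSC}"

# prefer a dedicated ping6 binary, else fall back to ping
# (command -v is a shell builtin, so there is no dependency on which(1))
ping6=$(command -v ping6) || ping6=$(command -v ping)

################################################################################
# utilities

# Wait for the operator to press enter; exit 1 when the answer is 'q'.
# The reply lives in a local variable: callers use 'a' as their address loop
# variable, and a plain 'read a' here would overwrite it through bash's
# dynamic scoping.
_pause_or_quit()
{
	local a

	echo
	echo "hit enter to continue, 'q' to quit"
	read -r a
	[ "$a" = "q" ] && exit 1
	return 0
}

# Record one test result.
#   $1 - exit status observed
#   $2 - exit status expected
#   $3 - description printed on the result line
# Bumps the global nsuccess or nfail counter, honours PAUSE_ON_FAIL and PAUSE,
# then reaps leftover test processes via kill_procs.
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"

	[ "${VERBOSE}" = "1" ] && echo

	if [ "${rc}" -eq "${expected}" ]; then
		nsuccess=$((nsuccess+1))
		printf "TEST: %-70s [ OK ]\n" "${msg}"
	else
		nfail=$((nfail+1))
		printf "TEST: %-70s [FAIL]\n" "${msg}"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			_pause_or_quit
		fi
	fi

	if [ "${PAUSE}" = "yes" ]; then
		_pause_or_quit
	fi

	kill_procs
}

# log_test variant that appends a readable name for the address under test.
#   $1 - address, $2 - observed status, $3 - expected status, $4 - description
log_test_addr()
{
	local addr=$1
	local rc=$2
	local expected=$3
	local msg="$4"
	local astr

	astr=$(addr2str ${addr})
	log_test $rc $expected "$msg - ${astr}"
}

# Print a banner for a top-level group of tests.
log_section()
{
	echo
	echo "###########################################################################"
	echo "$*"
	echo "###########################################################################"
	echo
}

# Print a banner for a sub-group of tests.
log_subsection()
{
	echo
	echo "#################################################################"
	echo "$*"
	echo
}

# Called before each test case.
log_start()
{
	# make sure we have no test instances running
	kill_procs

	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "#######################################################"
	fi
}

# Print a message only in verbose mode.
log_debug()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "$*"
		echo
	fi
}

# Print what the operator should expect from the next test (verbose only).
show_hint()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo "HINT: $*"
		echo
	fi
}

# Reap helper processes left over from the previous test.
# killall selects by process name and is not confined to the test namespaces
# (network namespaces do not scope PIDs), so any nettest/ping/ping6 process on
# this host that the caller may signal is terminated as well. Run the suite on
# a dedicated test machine or VM.
kill_procs()
{
	killall nettest ping ping6 >/dev/null 2>&1
	sleep 1
}

# Run a command, capturing stdout and stderr; echo both the command and its
# output in verbose mode. Returns the command's exit status.
# The command string is executed after word splitting and pathname expansion,
# so arguments containing whitespace do not survive as single words; pass only
# script-internal strings, never externally supplied text.
do_run_cmd()
{
	local cmd="$*"
	local out

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${cmd}"
	fi

	out=$($cmd 2>&1)
	# rc is not declared local here: the assignment lands in the nearest
	# caller that declared it, otherwise in the global scope
	rc=$?
	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		echo "$out"
	fi

	return $rc
}

# Run a command inside ns-A.
run_cmd()
{
	do_run_cmd ${NSA_CMD} $*
}

# Run a command inside ns-B.
run_cmd_nsb()
{
	do_run_cmd ${NSB_CMD} $*
}

# Run a command inside ns-C.
run_cmd_nsc()
{
	do_run_cmd ${NSC_CMD} $*
}

# Shared failure path of the setup_cmd* wrappers: show the command (unless
# verbose mode already did), optionally pause, then exit with its status.
#   $1 - exit status of the failed command
#   $2 - the command as a single string
_setup_cmd_failed()
{
	local rc=$1
	local cmd="$2"
	local a

	# show user the command if not done so already
	if [ "$VERBOSE" = "0" ]; then
		echo "setup command: $cmd"
	fi
	echo "failed. stopping tests"
	if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
		echo
		echo "hit enter to continue"
		read -r a
	fi
	exit $rc
}

# Run a configuration command in ns-A; a failure stops the whole run.
setup_cmd()
{
	local cmd="$*"
	local rc

	run_cmd ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		_setup_cmd_failed $rc "$cmd"
	fi
}

# Run a configuration command in ns-B; a failure stops the whole run.
setup_cmd_nsb()
{
	local cmd="$*"
	local rc

	run_cmd_nsb ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		_setup_cmd_failed $rc "$cmd"
	fi
}

# Run a configuration command in ns-C; a failure stops the whole run.
setup_cmd_nsc()
{
	local cmd="$*"
	local rc

	run_cmd_nsc ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		_setup_cmd_failed $rc "$cmd"
	fi
}

# set sysctl values in NS-A
# NOTE(review): $* is split on whitespace again on its way through run_cmd, so
# a value that contains a space (such as a 'min max' range) reaches sysctl as
# separate words. Confirm such settings actually take effect.
set_sysctl()
{
	echo "SYSCTL: $*"
	echo
	run_cmd sysctl -q -w $*
}

# get sysctl values in NS-A
get_sysctl()
{
	${NSA_CMD} sysctl -n $*
}

################################################################################
# Setup for tests

# Map an address used by the tests to a short label for result lines.
# Link-local patterns also accept a %<scope> suffix. Anything unrecognised
# prints "unknown".
addr2str()
{
	case "$1" in
	127.0.0.1) echo "loopback";;
	::1) echo "IPv6 loopback";;

	${NSA_IP}) echo "ns-A IP";;
	${NSA_IP6}) echo "ns-A IPv6";;
	${NSA_LO_IP}) echo "ns-A loopback IP";;
	${NSA_LO_IP6}) echo "ns-A loopback IPv6";;
	${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;

	${NSB_IP}) echo "ns-B IP";;
	${NSB_IP6}) echo "ns-B IPv6";;
	${NSB_LO_IP}) echo "ns-B loopback IP";;
	${NSB_LO_IP6}) echo "ns-B loopback IPv6";;
	${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;

	${NL_IP}) echo "nonlocal IP";;
	${NL_IP6}) echo "nonlocal IPv6";;

	${VRF_IP}) echo "VRF IP";;
	${VRF_IP6}) echo "VRF IPv6";;

	${MCAST}%*) echo "multicast IP";;

	*) echo "unknown";;
	esac
}

# Print the fe80:: link-local address of device $2 in namespace $1, without
# the prefix length. Returns 1 when the device has none.
get_linklocal()
{
	local ns=$1
	local dev=$2
	local addr

	addr=$(ip -netns ${ns} -6 -br addr show dev ${dev} | \
	awk '{
		for (i = 3; i <= NF; ++i) {
			if ($i ~ /^fe80/)
				print $i
		}
	}'
	)
	# drop everything from the first '/' onwards
	addr=${addr/\/*}

	[ -z "$addr" ] && return 1

	echo $addr

	return 0
}
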
################################################################################
# create namespaces and vrf

# Create VRF device $2 on routing table $3 inside namespace $1.
#   $4 / $5 - optional IPv4 / IPv6 address for the VRF device, "-" to skip
# The VRF table gets an unreachable default route (metric 8192) for both
# families, and the VRF device gets the loopback addresses.
create_vrf()
{
	local ns=$1 vrf=$2 table=$3 addr=$4 addr6=$5
	local in_ns="ip -netns ${ns}"
	local fam

	${in_ns} link add ${vrf} type vrf table ${table}
	${in_ns} link set ${vrf} up
	${in_ns} route add vrf ${vrf} unreachable default metric 8192
	${in_ns} -6 route add vrf ${vrf} unreachable default metric 8192

	${in_ns} addr add 127.0.0.1/8 dev ${vrf}
	${in_ns} -6 addr add ::1 dev ${vrf} nodad
	if [ "${addr}" != "-" ]; then
		${in_ns} addr add dev ${vrf} ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		${in_ns} -6 addr add dev ${vrf} ${addr6}
	fi

	# move the 'local' table lookup from pref 0 to pref 32765, IPv4 first
	# and then IPv6 (presumably so the VRF rule is consulted before the
	# local table; confirm)
	for fam in "" -6
	do
		${in_ns} ${fam} ru del pref 0
		${in_ns} ${fam} ru add pref 32765 from all lookup local
	done
}

# Create network namespace $1 with loopback up.
#   $2 / $3 - optional IPv4 / IPv6 address for 'lo', "-" to skip
# Adds an unreachable default route (metric 8192) for both families and sets
# the forwarding-related sysctls inside the new namespace.
create_ns()
{
	local ns=$1 addr=$2 addr6=$3
	local in_ns="ip -netns ${ns}"
	local knob

	ip netns add ${ns}

	${in_ns} link set lo up
	if [ "${addr}" != "-" ]; then
		${in_ns} addr add dev lo ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		${in_ns} -6 addr add dev lo ${addr6}
	fi

	${in_ns} ro add unreachable default metric 8192
	${in_ns} -6 ro add unreachable default metric 8192

	# each sysctl is written from inside the namespace (ip netns exec)
	for knob in net.ipv4.ip_forward \
		    net.ipv6.conf.all.keep_addr_on_down \
		    net.ipv6.conf.all.forwarding \
		    net.ipv6.conf.default.forwarding
	do
		ip netns exec ${ns} sysctl -qw ${knob}=1
	done
}

# create veth pair to connect namespaces and apply addresses.
415connect_ns() 416{ 417 local ns1=$1 418 local ns1_dev=$2 419 local ns1_addr=$3 420 local ns1_addr6=$4 421 local ns2=$5 422 local ns2_dev=$6 423 local ns2_addr=$7 424 local ns2_addr6=$8 425 426 ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp 427 ip -netns ${ns1} li set ${ns1_dev} up 428 ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev} 429 ip -netns ${ns2} li set ${ns2_dev} up 430 431 if [ "${ns1_addr}" != "-" ]; then 432 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr} 433 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr} 434 fi 435 436 if [ "${ns1_addr6}" != "-" ]; then 437 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6} 438 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6} 439 fi 440} 441 442cleanup() 443{ 444 # explicit cleanups to check those code paths 445 ip netns | grep -q ${NSA} 446 if [ $? -eq 0 ]; then 447 ip -netns ${NSA} link delete ${VRF} 448 ip -netns ${NSA} ro flush table ${VRF_TABLE} 449 450 ip -netns ${NSA} addr flush dev ${NSA_DEV} 451 ip -netns ${NSA} -6 addr flush dev ${NSA_DEV} 452 ip -netns ${NSA} link set dev ${NSA_DEV} down 453 ip -netns ${NSA} link del dev ${NSA_DEV} 454 455 ip netns pids ${NSA} | xargs kill 2>/dev/null 456 ip netns del ${NSA} 457 fi 458 459 ip netns pids ${NSB} | xargs kill 2>/dev/null 460 ip netns del ${NSB} 461 ip netns pids ${NSC} | xargs kill 2>/dev/null 462 ip netns del ${NSC} >/dev/null 2>&1 463} 464 465cleanup_vrf_dup() 466{ 467 ip link del ${NSA_DEV2} >/dev/null 2>&1 468 ip netns pids ${NSC} | xargs kill 2>/dev/null 469 ip netns del ${NSC} >/dev/null 2>&1 470} 471 472setup_vrf_dup() 473{ 474 # some VRF tests use ns-C which has the same config as 475 # ns-B but for a device NOT in the VRF 476 create_ns ${NSC} "-" "-" 477 connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \ 478 ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 479} 480 481setup() 482{ 483 local with_vrf=${1} 484 485 # make sure we are starting with a clean slate 486 kill_procs 487 cleanup 2>/dev/null 488 489 
log_debug "Configuring network namespaces" 490 set -e 491 492 create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128 493 create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128 494 connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \ 495 ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 496 497 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 498 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 499 500 # tell ns-A how to get to remote addresses of ns-B 501 if [ "${with_vrf}" = "yes" ]; then 502 create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6} 503 504 ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF} 505 ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 506 ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 507 508 ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 509 ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 510 else 511 ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 512 ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 513 fi 514 515 516 # tell ns-B how to get to remote addresses of ns-A 517 ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 518 ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 519 520 set +e 521 522 sleep 1 523} 524 525setup_lla_only() 526{ 527 # make sure we are starting with a clean slate 528 kill_procs 529 cleanup 2>/dev/null 530 531 log_debug "Configuring network namespaces" 532 set -e 533 534 create_ns ${NSA} "-" "-" 535 create_ns ${NSB} "-" "-" 536 create_ns ${NSC} "-" "-" 537 connect_ns ${NSA} ${NSA_DEV} "-" "-" \ 538 ${NSB} ${NSB_DEV} "-" "-" 539 connect_ns ${NSA} ${NSA_DEV2} "-" "-" \ 540 ${NSC} ${NSC_DEV} "-" "-" 541 542 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 543 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 544 NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV}) 545 546 create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-" 547 ip -netns ${NSA} link 
set dev ${NSA_DEV} vrf ${VRF} 548 ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF} 549 550 set +e 551 552 sleep 1 553} 554 555################################################################################ 556# IPv4 557 558ipv4_ping_novrf() 559{ 560 local a 561 562 # 563 # out 564 # 565 for a in ${NSB_IP} ${NSB_LO_IP} 566 do 567 log_start 568 run_cmd ping -c1 -w1 ${a} 569 log_test_addr ${a} $? 0 "ping out" 570 571 log_start 572 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 573 log_test_addr ${a} $? 0 "ping out, device bind" 574 575 log_start 576 run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a} 577 log_test_addr ${a} $? 0 "ping out, address bind" 578 done 579 580 # 581 # in 582 # 583 for a in ${NSA_IP} ${NSA_LO_IP} 584 do 585 log_start 586 run_cmd_nsb ping -c1 -w1 ${a} 587 log_test_addr ${a} $? 0 "ping in" 588 done 589 590 # 591 # local traffic 592 # 593 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 594 do 595 log_start 596 run_cmd ping -c1 -w1 ${a} 597 log_test_addr ${a} $? 0 "ping local" 598 done 599 600 # 601 # local traffic, socket bound to device 602 # 603 # address on device 604 a=${NSA_IP} 605 log_start 606 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 607 log_test_addr ${a} $? 0 "ping local, device bind" 608 609 # loopback addresses not reachable from device bind 610 # fails in a really weird way though because ipv4 special cases 611 # route lookups with oif set. 612 for a in ${NSA_LO_IP} 127.0.0.1 613 do 614 log_start 615 show_hint "Fails since address on loopback device is out of device scope" 616 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 617 log_test_addr ${a} $? 
1 "ping local, device bind" 618 done 619 620 # 621 # ip rule blocks reachability to remote address 622 # 623 log_start 624 setup_cmd ip rule add pref 32765 from all lookup local 625 setup_cmd ip rule del pref 0 from all lookup local 626 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 627 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 628 629 a=${NSB_LO_IP} 630 run_cmd ping -c1 -w1 ${a} 631 log_test_addr ${a} $? 2 "ping out, blocked by rule" 632 633 # NOTE: ipv4 actually allows the lookup to fail and yet still create 634 # a viable rtable if the oif (e.g., bind to device) is set, so this 635 # case succeeds despite the rule 636 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 637 638 a=${NSA_LO_IP} 639 log_start 640 show_hint "Response generates ICMP (or arp request is ignored) due to ip rule" 641 run_cmd_nsb ping -c1 -w1 ${a} 642 log_test_addr ${a} $? 1 "ping in, blocked by rule" 643 644 [ "$VERBOSE" = "1" ] && echo 645 setup_cmd ip rule del pref 32765 from all lookup local 646 setup_cmd ip rule add pref 0 from all lookup local 647 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 648 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 649 650 # 651 # route blocks reachability to remote address 652 # 653 log_start 654 setup_cmd ip route replace unreachable ${NSB_LO_IP} 655 setup_cmd ip route replace unreachable ${NSB_IP} 656 657 a=${NSB_LO_IP} 658 run_cmd ping -c1 -w1 ${a} 659 log_test_addr ${a} $? 2 "ping out, blocked by route" 660 661 # NOTE: ipv4 actually allows the lookup to fail and yet still create 662 # a viable rtable if the oif (e.g., bind to device) is set, so this 663 # case succeeds despite not having a route for the address 664 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 665 666 a=${NSA_LO_IP} 667 log_start 668 show_hint "Response is dropped (or arp request is ignored) due to ip route" 669 run_cmd_nsb ping -c1 -w1 ${a} 670 log_test_addr ${a} $? 
1 "ping in, blocked by route" 671 672 # 673 # remove 'remote' routes; fallback to default 674 # 675 log_start 676 setup_cmd ip ro del ${NSB_LO_IP} 677 678 a=${NSB_LO_IP} 679 run_cmd ping -c1 -w1 ${a} 680 log_test_addr ${a} $? 2 "ping out, unreachable default route" 681 682 # NOTE: ipv4 actually allows the lookup to fail and yet still create 683 # a viable rtable if the oif (e.g., bind to device) is set, so this 684 # case succeeds despite not having a route for the address 685 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 686} 687 688ipv4_ping_vrf() 689{ 690 local a 691 692 # should default on; does not exist on older kernels 693 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 694 695 # 696 # out 697 # 698 for a in ${NSB_IP} ${NSB_LO_IP} 699 do 700 log_start 701 run_cmd ping -c1 -w1 -I ${VRF} ${a} 702 log_test_addr ${a} $? 0 "ping out, VRF bind" 703 704 log_start 705 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 706 log_test_addr ${a} $? 0 "ping out, device bind" 707 708 log_start 709 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a} 710 log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind" 711 712 log_start 713 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a} 714 log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind" 715 done 716 717 # 718 # in 719 # 720 for a in ${NSA_IP} ${VRF_IP} 721 do 722 log_start 723 run_cmd_nsb ping -c1 -w1 ${a} 724 log_test_addr ${a} $? 0 "ping in" 725 done 726 727 # 728 # local traffic, local address 729 # 730 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 731 do 732 log_start 733 show_hint "Source address should be ${a}" 734 run_cmd ping -c1 -w1 -I ${VRF} ${a} 735 log_test_addr ${a} $? 0 "ping local, VRF bind" 736 done 737 738 # 739 # local traffic, socket bound to device 740 # 741 # address on device 742 a=${NSA_IP} 743 log_start 744 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 745 log_test_addr ${a} $? 
0 "ping local, device bind" 746 747 # vrf device is out of scope 748 for a in ${VRF_IP} 127.0.0.1 749 do 750 log_start 751 show_hint "Fails since address on vrf device is out of device scope" 752 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 753 log_test_addr ${a} $? 2 "ping local, device bind" 754 done 755 756 # 757 # ip rule blocks address 758 # 759 log_start 760 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 761 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 762 763 a=${NSB_LO_IP} 764 run_cmd ping -c1 -w1 -I ${VRF} ${a} 765 log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule" 766 767 log_start 768 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 769 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 770 771 a=${NSA_LO_IP} 772 log_start 773 show_hint "Response lost due to ip rule" 774 run_cmd_nsb ping -c1 -w1 ${a} 775 log_test_addr ${a} $? 1 "ping in, blocked by rule" 776 777 [ "$VERBOSE" = "1" ] && echo 778 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 779 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 780 781 # 782 # remove 'remote' routes; fallback to default 783 # 784 log_start 785 setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP} 786 787 a=${NSB_LO_IP} 788 run_cmd ping -c1 -w1 -I ${VRF} ${a} 789 log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route" 790 791 log_start 792 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 793 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 794 795 a=${NSA_LO_IP} 796 log_start 797 show_hint "Response lost by unreachable route" 798 run_cmd_nsb ping -c1 -w1 ${a} 799 log_test_addr ${a} $? 
1 "ping in, unreachable route" 800} 801 802ipv4_ping() 803{ 804 log_section "IPv4 ping" 805 806 log_subsection "No VRF" 807 setup 808 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null 809 ipv4_ping_novrf 810 setup 811 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 812 ipv4_ping_novrf 813 setup 814 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 815 ipv4_ping_novrf 816 817 log_subsection "With VRF" 818 setup "yes" 819 ipv4_ping_vrf 820 setup "yes" 821 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 822 ipv4_ping_vrf 823} 824 825################################################################################ 826# IPv4 TCP 827 828# 829# MD5 tests without VRF 830# 831ipv4_tcp_md5_novrf() 832{ 833 # 834 # single address 835 # 836 837 # basic use case 838 log_start 839 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 840 sleep 1 841 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 842 log_test $? 0 "MD5: Single address config" 843 844 # client sends MD5, server not configured 845 log_start 846 show_hint "Should timeout due to MD5 mismatch" 847 run_cmd nettest -s & 848 sleep 1 849 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 850 log_test $? 2 "MD5: Server no config, client uses password" 851 852 # wrong password 853 log_start 854 show_hint "Should timeout since client uses wrong password" 855 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 856 sleep 1 857 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 858 log_test $? 2 "MD5: Client uses wrong password" 859 860 # client from different address 861 log_start 862 show_hint "Should timeout due to MD5 mismatch" 863 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} & 864 sleep 1 865 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 866 log_test $? 
2 "MD5: Client address does not match address configured with password" 867 868 # 869 # MD5 extension - prefix length 870 # 871 872 # client in prefix 873 log_start 874 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 875 sleep 1 876 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 877 log_test $? 0 "MD5: Prefix config" 878 879 # client in prefix, wrong password 880 log_start 881 show_hint "Should timeout since client uses wrong password" 882 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 883 sleep 1 884 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 885 log_test $? 2 "MD5: Prefix config, client uses wrong password" 886 887 # client outside of prefix 888 log_start 889 show_hint "Should timeout due to MD5 mismatch" 890 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 891 sleep 1 892 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 893 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 894} 895 896# 897# MD5 tests with VRF 898# 899ipv4_tcp_md5() 900{ 901 # 902 # single address 903 # 904 905 # basic use case 906 log_start 907 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 908 sleep 1 909 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 910 log_test $? 0 "MD5: VRF: Single address config" 911 912 # client sends MD5, server not configured 913 log_start 914 show_hint "Should timeout since server does not have MD5 auth" 915 run_cmd nettest -s -I ${VRF} & 916 sleep 1 917 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 918 log_test $? 2 "MD5: VRF: Server no config, client uses password" 919 920 # wrong password 921 log_start 922 show_hint "Should timeout since client uses wrong password" 923 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 924 sleep 1 925 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 926 log_test $? 
2 "MD5: VRF: Client uses wrong password" 927 928 # client from different address 929 log_start 930 show_hint "Should timeout since server config differs from client" 931 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} & 932 sleep 1 933 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 934 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 935 936 # 937 # MD5 extension - prefix length 938 # 939 940 # client in prefix 941 log_start 942 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 943 sleep 1 944 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 945 log_test $? 0 "MD5: VRF: Prefix config" 946 947 # client in prefix, wrong password 948 log_start 949 show_hint "Should timeout since client uses wrong password" 950 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 951 sleep 1 952 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 953 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 954 955 # client outside of prefix 956 log_start 957 show_hint "Should timeout since client address is outside of prefix" 958 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 959 sleep 1 960 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 961 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" 962 963 # 964 # duplicate config between default VRF and a VRF 965 # 966 967 log_start 968 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 969 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 970 sleep 1 971 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 972 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 973 974 log_start 975 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 976 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 977 sleep 1 978 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 979 log_test $? 
0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 980 981 log_start 982 show_hint "Should timeout since client in default VRF uses VRF password" 983 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 984 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 985 sleep 1 986 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 987 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 988 989 log_start 990 show_hint "Should timeout since client in VRF uses default VRF password" 991 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 992 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 993 sleep 1 994 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 995 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 996 997 log_start 998 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 999 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1000 sleep 1 1001 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1002 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 1003 1004 log_start 1005 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1006 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1007 sleep 1 1008 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1009 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 1010 1011 log_start 1012 show_hint "Should timeout since client in default VRF uses VRF password" 1013 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1014 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1015 sleep 1 1016 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1017 log_test $? 
2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 1018 1019 log_start 1020 show_hint "Should timeout since client in VRF uses default VRF password" 1021 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1022 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1023 sleep 1 1024 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1025 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 1026 1027 # 1028 # negative tests 1029 # 1030 log_start 1031 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP} 1032 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 1033 1034 log_start 1035 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET} 1036 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 1037 1038 test_ipv4_md5_vrf__vrf_server__no_bind_ifindex 1039 test_ipv4_md5_vrf__global_server__bind_ifindex0 1040} 1041 1042test_ipv4_md5_vrf__vrf_server__no_bind_ifindex() 1043{ 1044 log_start 1045 show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX" 1046 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1047 sleep 1 1048 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1049 log_test $? 0 "MD5: VRF: VRF-bound server, unbound key accepts connection" 1050 1051 log_start 1052 show_hint "Binding both the socket and the key is not required but it works" 1053 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1054 sleep 1 1055 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1056 log_test $? 
0 "MD5: VRF: VRF-bound server, bound key accepts connection"
}

# TCP-MD5 with a global (unbound) server while ns-A has a VRF.
# Compares a key forced to ifindex 0 (--force-bind-key-ifindex) with a key
# that has no ifindex binding (--no-bind-key-ifindex), for a client in ns-B
# (logged as the VRF connection) and a client in ns-C (logged as non-VRF).
# Expected rc 2 is the reject case; 0 means the connection was accepted.
#
# With tcp_l3mdev_accept=1 the unbound listener takes connections that
# arrive through the VRF, so the ifindex binding of the key is what keeps
# the VRF-side peer out in the first case.
#
# The MD5 key is passed on the nettest command line; that is fine for the
# fixed test value used by this script, but argv is readable by other local
# processes.
test_ipv4_md5_vrf__global_server__bind_ifindex0() {
	# This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections
	local old_tcp_l3mdev_accept
	old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept)
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection"

	# restore value
	set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept"
}

# IPv4 TCP permutations without a VRF: server in ns-A reached from ns-B,
# client in ns-A reaching ns-B, and connections local to ns-A, each with
# unbound and device-bound sockets. Every case follows the same pattern:
# start the server in the background, give it a second, run the client and
# hand the client's exit status to log_test_addr. Finishes by running the
# non-VRF MD5 tests.
ipv4_tcp_novrf() {
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP}; do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	# verify TCP reset sent and received
	for a in ${NSA_IP} ${NSA_LO_IP}; do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}; do
		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1; do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -0 ${a} -1 ${a}
		log_test_addr ${a} $? 0 "Global server, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"

	for a in ${NSA_LO_IP} 127.0.0.1; do
		log_start
		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
		run_cmd nettest -s -I ${NSA_DEV} &
		sleep 1
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s &
	sleep 1
	run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	for a in ${NSA_LO_IP} 127.0.0.1; do
		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "Global server, device client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -d ${NSA_DEV} -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local connection"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "No server, device client, local conn"

	ipv4_tcp_md5_novrf
}

# IPv4 TCP permutations with the VRF configured in ns-A.
# First pass runs with tcp_l3mdev_accept=0, where an unbound ("global")
# server must refuse connections that arrive through the VRF; the VRF MD5
# tests run in that state. Second pass sets tcp_l3mdev_accept=1 and expects
# the global server to accept them. The sysctl is left at 1 on return.
ipv4_tcp_vrf() {
	local a

	# disable global server
	log_subsection "Global server disabled"

	set_sysctl net.ipv4.tcp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server"

		log_start
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		log_start
		run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Device server"

		# verify TCP reset received
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	# local address tests
	# (${VRF_IP} and 127.0.0.1 both timeout)
	a=${NSA_IP}
	log_start
	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
	run_cmd nettest -s &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV}
	log_test_addr ${a} $? 1 "Global server, local connection"

	# run MD5 tests
	setup_vrf_dup
	ipv4_tcp_md5
	cleanup_vrf_dup

	#
	# enable VRF global server
	#
	log_subsection "VRF Global server enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		# verify TCP reset received
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	a=${NSA_IP}
	log_start
	show_hint "client socket should be bound to device"
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	# local address tests
	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		show_hint "Should fail 'Connection refused' since client is not bound to VRF"
		run_cmd nettest -s -I ${VRF} &
		sleep 1
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server, local connection"
	done

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}; do
		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${VRF}
		log_test_addr ${a} $? 0 "Client, VRF bind"

		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${VRF}
		log_test_addr ${a} $? 1 "No server, VRF client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1; do
		log_start
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${VRF} -3 ${VRF} &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local connection"

	log_start
	show_hint "Should fail 'No route to host' since client is out of VRF scope"
	run_cmd nettest -s -I ${VRF} &
	sleep 1
	run_cmd nettest -r ${a}
	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local connection"
}

# Driver for the IPv4 TCP group: the non-VRF set is run twice, once per
# tcp_l3mdev_accept value, then the topology is rebuilt with the VRF and the
# VRF set is run.
ipv4_tcp() {
	log_section "IPv4/TCP"
	log_subsection "No VRF"
	setup

	# tcp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "tcp_l3mdev_accept disabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=0
	ipv4_tcp_novrf
	log_subsection "tcp_l3mdev_accept enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1
	ipv4_tcp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_tcp_vrf
}

################################################################################
# IPv4 UDP

# IPv4 UDP permutations without a VRF (nettest -D): server in ns-A, client
# in ns-A, and traffic local to ns-A, with unbound sockets, device binds and
# the per-packet device selection variants named in the test descriptions
# (cmsg, IP_UNICAST_IF).
ipv4_udp_novrf() {
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP}; do
		log_start
		run_cmd nettest -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -D -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}; do
		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client, device send via cmsg"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1; do
		log_start
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -0 ${a} -1 ${a}
		log_test_addr ${a} $? 0 "Global server, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -r ${a}
	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"

	for a in ${NSA_LO_IP} 127.0.0.1; do
		log_start
		show_hint "Should fail 'Connection refused' since address is out of device scope"
		run_cmd nettest -s -D -I ${NSA_DEV} &
		sleep 1
		run_cmd nettest -D -r ${a}
		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -C -r ${a}
	log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"

	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -S -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection"

	# IPv4 with device bind has really weird behavior - it overrides the
	# fib lookup, generates an rtable and tries to send the packet. This
	# causes failures for local traffic at different places
	# (hence the differing expected codes below: 2 for the plain device
	# bind, 1 for the cmsg and IP_UNICAST_IF variants)
	for a in ${NSA_LO_IP} 127.0.0.1; do
		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 2 "Global server, device client, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C
		log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S
		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -D -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local conn"

	log_start
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 2 "No server, device client, local conn"
}

# IPv4 UDP permutations with the VRF configured in ns-A.
# First pass runs with udp_l3mdev_accept=0, where an unbound server must not
# receive traffic that ingresses through the VRF; second pass sets it to 1
# and expects the unbound server to work. The sysctl is left at 1 on return.
ipv4_udp_vrf() {
	local a

	# disable global server
	log_subsection "Global server disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		show_hint "Fails because ingress is in a VRF and global server is disabled"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "Global server"

		log_start
		run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		log_start
		run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server"

		log_start
		show_hint "Should fail 'Connection refused' since global server is out of scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "Global server, VRF client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection"

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"

	# enable global server
	log_subsection "Global server enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd nettest -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		log_start
		run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client tests
	#
	log_start
	run_cmd_nsb nettest -D -s &
	sleep 1
	run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP}
	log_test $? 0 "VRF client"

	log_start
	run_cmd_nsb nettest -D -s &
	sleep 1
	run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP}
	log_test $? 0 "Enslaved device client"

	# negative test - should fail
	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -D -d ${VRF} -r ${NSB_IP}
	log_test $? 1 "No server, VRF client"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP}
	log_test $? 1 "No server, enslaved device client"

	#
	# local address tests
	#
	a=${NSA_IP}
	log_start
	run_cmd nettest -D -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"

	for a in ${VRF_IP} 127.0.0.1; do
		log_start
		run_cmd nettest -D -s -3 ${VRF} &
		sleep 1
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
	done

	for a in ${VRF_IP} 127.0.0.1; do
		log_start
		run_cmd nettest -s -D -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
	done

	# negative test - should fail
	# verifies ECONNREFUSED
	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
	done
}

# Driver for the IPv4 UDP group: the non-VRF set is run twice, once per
# udp_l3mdev_accept value, then the topology is rebuilt with the VRF and the
# VRF set is run.
ipv4_udp() {
	log_section "IPv4/UDP"
	log_subsection "No VRF"

	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv4_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv4_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_udp_vrf
}

################################################################################
# IPv4 address bind
#
# verifies ability or inability to bind to an address / device

# Bind-only checks without a VRF for raw (ICMP) and TCP sockets: local
# address, local address after a device bind, and a non-local address.
# No peer is started; the nettest exit status is the result.
# NOTE(review): 'a' is not declared local in this function, so the last
# value assigned here stays visible to the caller.
ipv4_addr_bind_novrf() {
	#
	# raw socket
	#
	for a in ${NSA_IP} ${NSA_LO_IP}; do
		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# raw socket with nonlocal bind
	#
	a=${NL_IP}
	log_start
	run_cmd nettest -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after device bind"

	#
	# tcp sockets
	#
	a=${NSA_IP}
	log_start
	run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not
	#a=${NSA_LO_IP}
	#log_start
	#show_hint "Should fail with 'Cannot assign requested address'"
	#run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
	#log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
}

# Bind-only checks with the VRF configured. Addresses that live in the VRF
# must be refused for a raw socket that is not bound to the VRF or to the
# enslaved device, and the loopback address (outside the VRF) must be
# refused once the socket is bound into the VRF.
# NOTE(review): 'a' is not declared local in this function either.
ipv4_addr_bind_vrf() {
	#
	# raw socket
	#
	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		show_hint "Socket not bound to VRF, but address is in VRF"
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 1 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind"

	#
	# raw socket with nonlocal bind
	#
	a=${NL_IP}
	log_start
	run_cmd nettest -s -R -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	#
	# tcp sockets
	#
	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address"

		log_start
		run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
}

# Driver for the IPv4 bind group: non-VRF set, then rebuild with the VRF and
# run the VRF set.
ipv4_addr_bind() {
	log_section "IPv4 address binds"

	log_subsection "No VRF"
	setup
	ipv4_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_addr_bind_vrf
}

################################################################################
# IPv4 runtime tests

# Deletes the VRF device while a nettest server and client are running.
#   $1 - description prefix used in the logged test name
#   $2 - extra nettest arguments; expanded unquoted on purpose so that a
#        value such as "-n -1" splits into separate words
# Every case passes a literal rc of 0 with expected 0 to log_test_addr, so
# the entry always logs OK; presumably the point is that the device delete
# under active traffic completes without hanging or crashing the kernel.
# setup is re-run after each case because the VRF was just removed.
ipv4_rt() {
	local desc="$1"
	local varg="$2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd nettest ${varg} -s -I ${VRF} &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest ${varg} -s -I ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest ${varg} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device server"

	setup ${with_vrf}

	#
	# client test
	#
	# (the two client cases connect to ${NSB_IP}; 'a' still holds
	# ${NSA_IP} and is only used for the logged address)
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device client"

	setup ${with_vrf}

	#
	# local address tests
	#
	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local"

		setup ${with_vrf}
	done

	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server and client, local"

		setup ${with_vrf}
	done

	a=${NSA_IP}
	log_start

	run_cmd nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${VRF} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local"
}

# Deletes the VRF device while a flood ping (ping -f) is running, inbound
# from ns-B and then outbound through the VRF. As in ipv4_rt, the logged
# result is a literal 0/0.
ipv4_ping_rt() {
	local with_vrf="yes"
	local a

	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd_nsb ping -f ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

		setup ${with_vrf}
	done

	a=${NSB_IP}
	log_start
	run_cmd ping -f -I ${VRF} ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

# Driver for the IPv4 runtime group; the VRF topology is rebuilt before
# each sub-run because the previous one ends with the VRF deleted.
ipv4_runtime() {
	log_section "Run time tests - ipv4"

	setup "yes"
	ipv4_ping_rt

	setup "yes"
	ipv4_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv4_rt "TCP passive socket" "-i"
}

################################################################################
# IPv6

# IPv6 ping permutations without a VRF: outbound, inbound and local, with
# and without a device bind, followed by cases where an ip rule or an
# unreachable route blocks the traffic (expected rc 2 for a blocked send,
# 1 where the hint says the response is lost).
ipv6_ping_novrf() {
	local a

	# should not have an impact, but make a known state
	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}; do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping out"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6}; do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a}
		log_test_addr ${a} $? 0 "ping out, loopback address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}; do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	#
	# local traffic, local address
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}; do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping local, no bind"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}; do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping local, device bind"
	done

	for a in ${NSA_LO_IP6} ::1; do
		log_start
		show_hint "Fails since address on loopback is out of device scope"
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 2 "ping local, device bind"
	done

	#
	# ip rule blocks address
	#
	# The local-table rule is moved from pref 0 to pref 32765 first, so
	# the prohibit rules at pref 50/51 are evaluated ahead of it; the
	# original order is put back after the three checks.
	log_start
	setup_cmd ip -6 rule add pref 32765 from all lookup local
	setup_cmd ip -6 rule del pref 0 from all lookup local
	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by rule"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	setup_cmd ip -6 rule add pref 0 from all lookup local
	setup_cmd ip -6 rule del pref 32765 from all lookup local
	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit

	#
	# route blocks reachability to remote address
	#
	log_start
	setup_cmd ip -6 route del ${NSB_LO_IP6}
	setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10
	setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by route"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Response lost due to ip route"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by route"


	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6}
	setup_cmd ip -6 ro del unreachable ${NSB_IP6}

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, unreachable route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
}

# IPv6 ping permutations with the VRF configured: outbound with VRF and
# device binds, inbound, local, link-local-to-global, and the rule / route
# blocking cases. The loopback address of ns-A is outside the VRF and is
# expected to be unreachable from ns-B.
ipv6_ping_vrf() {
	local a

	# should default on; does not exist on older kernels
	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6}; do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping out, VRF bind"
	done

	for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF}; do
		log_start
		show_hint "Fails since VRF device does not support linklocal or multicast"
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 1 "ping out, VRF bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}; do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}; do
		log_start
		run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a}
		log_test_addr ${a} $? 0 "ping out, vrf device+address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}; do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	a=${NSA_LO_IP6}
	log_start
	show_hint "Fails since loopback address is out of VRF scope"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in"

	#
	# local traffic, local address
	#
	for a in ${NSA_IP6} ${VRF_IP6} ::1; do
		log_start
		show_hint "Source address should be ${a}"
		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping local, VRF bind"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}; do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping local, device bind"
	done

	# LLA to GUA - remove ipv6 global addresses from ns-B
	setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo
	setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}

	# NOTE(review): both iterations ping ${NSA_IP6}; the loop variable
	# only changes the address shown in the logged test name.
	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
		log_test_addr ${a} $? 0 "ping in, LLA to GUA"
	done

	setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
	setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV}
	setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo

	#
	# ip rule blocks address
	#
	log_start
	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by rule"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	log_start
	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit

	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF}

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, unreachable route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"

	ip -netns ${NSB} -6 ro del ${NSA_LO_IP6}
	a=${NSA_LO_IP6}
	log_start
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping in, unreachable route"
}

# Driver for the IPv6 ping group. Each set runs twice on a fresh topology;
# the second run first sets net.ipv4.ping_group_range to '0 2147483647'
# (presumably so ping can use ICMP datagram sockets instead of raw
# sockets - confirm against the ping binary in use). Errors from the sysctl
# write are discarded.
ipv6_ping() {
	log_section "IPv6 ping"

	log_subsection "No VRF"
	setup
	ipv6_ping_novrf
	setup
	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
	ipv6_ping_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_ping_vrf
	setup "yes"
	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
	ipv6_ping_vrf
}

################################################################################
# IPv6 TCP

#
# MD5 tests without VRF
#
# Server in ns-A configured with a TCP-MD5 key for a single peer address or
# for a prefix; client in ns-B. A missing server key, a wrong client key or
# a client address outside the configured address/prefix must all end in a
# client timeout (expected rc 2), never in an accepted connection.
ipv6_tcp_md5_novrf() {
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Prefix config, client uses wrong password"

	# client outside of prefix
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
}

#
# MD5 tests with VRF
#
ipv6_tcp_md5() {
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $?
0 "MD5: VRF: Single address config" 2455 2456 # client sends MD5, server not configured 2457 log_start 2458 show_hint "Should timeout since server does not have MD5 auth" 2459 run_cmd nettest -6 -s -I ${VRF} & 2460 sleep 1 2461 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2462 log_test $? 2 "MD5: VRF: Server no config, client uses password" 2463 2464 # wrong password 2465 log_start 2466 show_hint "Should timeout since client uses wrong password" 2467 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2468 sleep 1 2469 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2470 log_test $? 2 "MD5: VRF: Client uses wrong password" 2471 2472 # client from different address 2473 log_start 2474 show_hint "Should timeout since server config differs from client" 2475 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} & 2476 sleep 1 2477 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2478 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 2479 2480 # 2481 # MD5 extension - prefix length 2482 # 2483 2484 # client in prefix 2485 log_start 2486 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2487 sleep 1 2488 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2489 log_test $? 0 "MD5: VRF: Prefix config" 2490 2491 # client in prefix, wrong password 2492 log_start 2493 show_hint "Should timeout since client uses wrong password" 2494 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2495 sleep 1 2496 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2497 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 2498 2499 # client outside of prefix 2500 log_start 2501 show_hint "Should timeout since client address is outside of prefix" 2502 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2503 sleep 1 2504 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW} 2505 log_test $? 
2 "MD5: VRF: Prefix config, client address not in configured prefix" 2506 2507 # 2508 # duplicate config between default VRF and a VRF 2509 # 2510 2511 log_start 2512 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2513 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2514 sleep 1 2515 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2516 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 2517 2518 log_start 2519 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2520 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2521 sleep 1 2522 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2523 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 2524 2525 log_start 2526 show_hint "Should timeout since client in default VRF uses VRF password" 2527 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2528 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2529 sleep 1 2530 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2531 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 2532 2533 log_start 2534 show_hint "Should timeout since client in VRF uses default VRF password" 2535 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2536 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2537 sleep 1 2538 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2539 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 2540 2541 log_start 2542 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2543 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2544 sleep 1 2545 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2546 log_test $? 
0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 2547 2548 log_start 2549 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2550 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2551 sleep 1 2552 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2553 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 2554 2555 log_start 2556 show_hint "Should timeout since client in default VRF uses VRF password" 2557 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2558 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2559 sleep 1 2560 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2561 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 2562 2563 log_start 2564 show_hint "Should timeout since client in VRF uses default VRF password" 2565 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2566 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2567 sleep 1 2568 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2569 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 2570 2571 # 2572 # negative tests 2573 # 2574 log_start 2575 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6} 2576 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 2577 2578 log_start 2579 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6} 2580 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 2581 2582} 2583 2584ipv6_tcp_novrf() 2585{ 2586 local a 2587 2588 # 2589 # server tests 2590 # 2591 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2592 do 2593 log_start 2594 run_cmd nettest -6 -s & 2595 sleep 1 2596 run_cmd_nsb nettest -6 -r ${a} 2597 log_test_addr ${a} $? 
0 "Global server" 2598 done 2599 2600 # verify TCP reset received 2601 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2602 do 2603 log_start 2604 show_hint "Should fail 'Connection refused'" 2605 run_cmd_nsb nettest -6 -r ${a} 2606 log_test_addr ${a} $? 1 "No server" 2607 done 2608 2609 # 2610 # client 2611 # 2612 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2613 do 2614 log_start 2615 run_cmd_nsb nettest -6 -s & 2616 sleep 1 2617 run_cmd nettest -6 -r ${a} 2618 log_test_addr ${a} $? 0 "Client" 2619 done 2620 2621 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2622 do 2623 log_start 2624 run_cmd_nsb nettest -6 -s & 2625 sleep 1 2626 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2627 log_test_addr ${a} $? 0 "Client, device bind" 2628 done 2629 2630 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2631 do 2632 log_start 2633 show_hint "Should fail 'Connection refused'" 2634 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2635 log_test_addr ${a} $? 1 "No server, device client" 2636 done 2637 2638 # 2639 # local address tests 2640 # 2641 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 2642 do 2643 log_start 2644 run_cmd nettest -6 -s & 2645 sleep 1 2646 run_cmd nettest -6 -r ${a} 2647 log_test_addr ${a} $? 0 "Global server, local connection" 2648 done 2649 2650 a=${NSA_IP6} 2651 log_start 2652 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2653 sleep 1 2654 run_cmd nettest -6 -r ${a} -0 ${a} 2655 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 2656 2657 for a in ${NSA_LO_IP6} ::1 2658 do 2659 log_start 2660 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2661 run_cmd nettest -6 -s -I ${NSA_DEV} & 2662 sleep 1 2663 run_cmd nettest -6 -r ${a} 2664 log_test_addr ${a} $? 
1 "Device server, unbound client, local connection" 2665 done 2666 2667 a=${NSA_IP6} 2668 log_start 2669 run_cmd nettest -6 -s & 2670 sleep 1 2671 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2672 log_test_addr ${a} $? 0 "Global server, device client, local connection" 2673 2674 for a in ${NSA_LO_IP6} ::1 2675 do 2676 log_start 2677 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2678 run_cmd nettest -6 -s & 2679 sleep 1 2680 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2681 log_test_addr ${a} $? 1 "Global server, device client, local connection" 2682 done 2683 2684 for a in ${NSA_IP6} ${NSA_LINKIP6} 2685 do 2686 log_start 2687 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2688 sleep 1 2689 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2690 log_test_addr ${a} $? 0 "Device server, device client, local conn" 2691 done 2692 2693 for a in ${NSA_IP6} ${NSA_LINKIP6} 2694 do 2695 log_start 2696 show_hint "Should fail 'Connection refused'" 2697 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2698 log_test_addr ${a} $? 1 "No server, device client, local conn" 2699 done 2700 2701 ipv6_tcp_md5_novrf 2702} 2703 2704ipv6_tcp_vrf() 2705{ 2706 local a 2707 2708 # disable global server 2709 log_subsection "Global server disabled" 2710 2711 set_sysctl net.ipv4.tcp_l3mdev_accept=0 2712 2713 # 2714 # server tests 2715 # 2716 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2717 do 2718 log_start 2719 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2720 run_cmd nettest -6 -s & 2721 sleep 1 2722 run_cmd_nsb nettest -6 -r ${a} 2723 log_test_addr ${a} $? 1 "Global server" 2724 done 2725 2726 for a in ${NSA_IP6} ${VRF_IP6} 2727 do 2728 log_start 2729 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2730 sleep 1 2731 run_cmd_nsb nettest -6 -r ${a} 2732 log_test_addr ${a} $? 
0 "VRF server" 2733 done 2734 2735 # link local is always bound to ingress device 2736 a=${NSA_LINKIP6}%${NSB_DEV} 2737 log_start 2738 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2739 sleep 1 2740 run_cmd_nsb nettest -6 -r ${a} 2741 log_test_addr ${a} $? 0 "VRF server" 2742 2743 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2744 do 2745 log_start 2746 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2747 sleep 1 2748 run_cmd_nsb nettest -6 -r ${a} 2749 log_test_addr ${a} $? 0 "Device server" 2750 done 2751 2752 # verify TCP reset received 2753 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2754 do 2755 log_start 2756 show_hint "Should fail 'Connection refused'" 2757 run_cmd_nsb nettest -6 -r ${a} 2758 log_test_addr ${a} $? 1 "No server" 2759 done 2760 2761 # local address tests 2762 a=${NSA_IP6} 2763 log_start 2764 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2765 run_cmd nettest -6 -s & 2766 sleep 1 2767 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2768 log_test_addr ${a} $? 1 "Global server, local connection" 2769 2770 # run MD5 tests 2771 setup_vrf_dup 2772 ipv6_tcp_md5 2773 cleanup_vrf_dup 2774 2775 # 2776 # enable VRF global server 2777 # 2778 log_subsection "VRF Global server enabled" 2779 set_sysctl net.ipv4.tcp_l3mdev_accept=1 2780 2781 for a in ${NSA_IP6} ${VRF_IP6} 2782 do 2783 log_start 2784 run_cmd nettest -6 -s -3 ${VRF} & 2785 sleep 1 2786 run_cmd_nsb nettest -6 -r ${a} 2787 log_test_addr ${a} $? 0 "Global server" 2788 done 2789 2790 for a in ${NSA_IP6} ${VRF_IP6} 2791 do 2792 log_start 2793 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2794 sleep 1 2795 run_cmd_nsb nettest -6 -r ${a} 2796 log_test_addr ${a} $? 0 "VRF server" 2797 done 2798 2799 # For LLA, child socket is bound to device 2800 a=${NSA_LINKIP6}%${NSB_DEV} 2801 log_start 2802 run_cmd nettest -6 -s -3 ${NSA_DEV} & 2803 sleep 1 2804 run_cmd_nsb nettest -6 -r ${a} 2805 log_test_addr ${a} $? 
0 "Global server" 2806 2807 log_start 2808 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2809 sleep 1 2810 run_cmd_nsb nettest -6 -r ${a} 2811 log_test_addr ${a} $? 0 "VRF server" 2812 2813 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2814 do 2815 log_start 2816 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2817 sleep 1 2818 run_cmd_nsb nettest -6 -r ${a} 2819 log_test_addr ${a} $? 0 "Device server" 2820 done 2821 2822 # verify TCP reset received 2823 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2824 do 2825 log_start 2826 show_hint "Should fail 'Connection refused'" 2827 run_cmd_nsb nettest -6 -r ${a} 2828 log_test_addr ${a} $? 1 "No server" 2829 done 2830 2831 # local address tests 2832 for a in ${NSA_IP6} ${VRF_IP6} 2833 do 2834 log_start 2835 show_hint "Fails 'Connection refused' since client is not in VRF" 2836 run_cmd nettest -6 -s -I ${VRF} & 2837 sleep 1 2838 run_cmd nettest -6 -r ${a} 2839 log_test_addr ${a} $? 1 "Global server, local connection" 2840 done 2841 2842 2843 # 2844 # client 2845 # 2846 for a in ${NSB_IP6} ${NSB_LO_IP6} 2847 do 2848 log_start 2849 run_cmd_nsb nettest -6 -s & 2850 sleep 1 2851 run_cmd nettest -6 -r ${a} -d ${VRF} 2852 log_test_addr ${a} $? 0 "Client, VRF bind" 2853 done 2854 2855 a=${NSB_LINKIP6} 2856 log_start 2857 show_hint "Fails since VRF device does not allow linklocal addresses" 2858 run_cmd_nsb nettest -6 -s & 2859 sleep 1 2860 run_cmd nettest -6 -r ${a} -d ${VRF} 2861 log_test_addr ${a} $? 1 "Client, VRF bind" 2862 2863 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 2864 do 2865 log_start 2866 run_cmd_nsb nettest -6 -s & 2867 sleep 1 2868 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2869 log_test_addr ${a} $? 0 "Client, device bind" 2870 done 2871 2872 for a in ${NSB_IP6} ${NSB_LO_IP6} 2873 do 2874 log_start 2875 show_hint "Should fail 'Connection refused'" 2876 run_cmd nettest -6 -r ${a} -d ${VRF} 2877 log_test_addr ${a} $? 
1 "No server, VRF client" 2878 done 2879 2880 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 2881 do 2882 log_start 2883 show_hint "Should fail 'Connection refused'" 2884 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2885 log_test_addr ${a} $? 1 "No server, device client" 2886 done 2887 2888 for a in ${NSA_IP6} ${VRF_IP6} ::1 2889 do 2890 log_start 2891 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2892 sleep 1 2893 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 2894 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 2895 done 2896 2897 a=${NSA_IP6} 2898 log_start 2899 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2900 sleep 1 2901 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2902 log_test_addr ${a} $? 0 "VRF server, device client, local connection" 2903 2904 a=${NSA_IP6} 2905 log_start 2906 show_hint "Should fail since unbound client is out of VRF scope" 2907 run_cmd nettest -6 -s -I ${VRF} & 2908 sleep 1 2909 run_cmd nettest -6 -r ${a} 2910 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection" 2911 2912 log_start 2913 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2914 sleep 1 2915 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 2916 log_test_addr ${a} $? 0 "Device server, VRF client, local connection" 2917 2918 for a in ${NSA_IP6} ${NSA_LINKIP6} 2919 do 2920 log_start 2921 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2922 sleep 1 2923 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2924 log_test_addr ${a} $? 
0 "Device server, device client, local connection" 2925 done 2926} 2927 2928ipv6_tcp() 2929{ 2930 log_section "IPv6/TCP" 2931 log_subsection "No VRF" 2932 setup 2933 2934 # tcp_l3mdev_accept should have no affect without VRF; 2935 # run tests with it enabled and disabled to verify 2936 log_subsection "tcp_l3mdev_accept disabled" 2937 set_sysctl net.ipv4.tcp_l3mdev_accept=0 2938 ipv6_tcp_novrf 2939 log_subsection "tcp_l3mdev_accept enabled" 2940 set_sysctl net.ipv4.tcp_l3mdev_accept=1 2941 ipv6_tcp_novrf 2942 2943 log_subsection "With VRF" 2944 setup "yes" 2945 ipv6_tcp_vrf 2946} 2947 2948################################################################################ 2949# IPv6 UDP 2950 2951ipv6_udp_novrf() 2952{ 2953 local a 2954 2955 # 2956 # server tests 2957 # 2958 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2959 do 2960 log_start 2961 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 2962 sleep 1 2963 run_cmd_nsb nettest -6 -D -r ${a} 2964 log_test_addr ${a} $? 0 "Global server" 2965 2966 log_start 2967 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 2968 sleep 1 2969 run_cmd_nsb nettest -6 -D -r ${a} 2970 log_test_addr ${a} $? 0 "Device server" 2971 done 2972 2973 a=${NSA_LO_IP6} 2974 log_start 2975 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 2976 sleep 1 2977 run_cmd_nsb nettest -6 -D -r ${a} 2978 log_test_addr ${a} $? 0 "Global server" 2979 2980 # should fail since loopback address is out of scope for a device 2981 # bound server, but it does not - hence this is more documenting 2982 # behavior. 2983 #log_start 2984 #show_hint "Should fail since loopback address is out of scope" 2985 #run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 2986 #sleep 1 2987 #run_cmd_nsb nettest -6 -D -r ${a} 2988 #log_test_addr ${a} $? 
1 "Device server" 2989 2990 # negative test - should fail 2991 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2992 do 2993 log_start 2994 show_hint "Should fail 'Connection refused' since there is no server" 2995 run_cmd_nsb nettest -6 -D -r ${a} 2996 log_test_addr ${a} $? 1 "No server" 2997 done 2998 2999 # 3000 # client 3001 # 3002 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 3003 do 3004 log_start 3005 run_cmd_nsb nettest -6 -D -s & 3006 sleep 1 3007 run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6} 3008 log_test_addr ${a} $? 0 "Client" 3009 3010 log_start 3011 run_cmd_nsb nettest -6 -D -s & 3012 sleep 1 3013 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6} 3014 log_test_addr ${a} $? 0 "Client, device bind" 3015 3016 log_start 3017 run_cmd_nsb nettest -6 -D -s & 3018 sleep 1 3019 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6} 3020 log_test_addr ${a} $? 0 "Client, device send via cmsg" 3021 3022 log_start 3023 run_cmd_nsb nettest -6 -D -s & 3024 sleep 1 3025 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6} 3026 log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF" 3027 3028 log_start 3029 show_hint "Should fail 'Connection refused'" 3030 run_cmd nettest -6 -D -r ${a} 3031 log_test_addr ${a} $? 1 "No server, unbound client" 3032 3033 log_start 3034 show_hint "Should fail 'Connection refused'" 3035 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3036 log_test_addr ${a} $? 1 "No server, device client" 3037 done 3038 3039 # 3040 # local address tests 3041 # 3042 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 3043 do 3044 log_start 3045 run_cmd nettest -6 -D -s & 3046 sleep 1 3047 run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a} 3048 log_test_addr ${a} $? 0 "Global server, local connection" 3049 done 3050 3051 a=${NSA_IP6} 3052 log_start 3053 run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 3054 sleep 1 3055 run_cmd nettest -6 -D -r ${a} 3056 log_test_addr ${a} $? 
0 "Device server, unbound client, local connection" 3057 3058 for a in ${NSA_LO_IP6} ::1 3059 do 3060 log_start 3061 show_hint "Should fail 'Connection refused' since address is out of device scope" 3062 run_cmd nettest -6 -s -D -I ${NSA_DEV} & 3063 sleep 1 3064 run_cmd nettest -6 -D -r ${a} 3065 log_test_addr ${a} $? 1 "Device server, local connection" 3066 done 3067 3068 a=${NSA_IP6} 3069 log_start 3070 run_cmd nettest -6 -s -D & 3071 sleep 1 3072 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3073 log_test_addr ${a} $? 0 "Global server, device client, local connection" 3074 3075 log_start 3076 run_cmd nettest -6 -s -D & 3077 sleep 1 3078 run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a} 3079 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 3080 3081 log_start 3082 run_cmd nettest -6 -s -D & 3083 sleep 1 3084 run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a} 3085 log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection" 3086 3087 for a in ${NSA_LO_IP6} ::1 3088 do 3089 log_start 3090 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3091 run_cmd nettest -6 -D -s & 3092 sleep 1 3093 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3094 log_test_addr ${a} $? 1 "Global server, device client, local connection" 3095 3096 log_start 3097 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3098 run_cmd nettest -6 -D -s & 3099 sleep 1 3100 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C 3101 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 3102 3103 log_start 3104 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3105 run_cmd nettest -6 -D -s & 3106 sleep 1 3107 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S 3108 log_test_addr ${a} $? 
1 "Global server, device client via IP_UNICAST_IF, local connection" 3109 done 3110 3111 a=${NSA_IP6} 3112 log_start 3113 run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3114 sleep 1 3115 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a} 3116 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3117 3118 log_start 3119 show_hint "Should fail 'Connection refused'" 3120 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3121 log_test_addr ${a} $? 1 "No server, device client, local conn" 3122 3123 # LLA to GUA 3124 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3125 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3126 log_start 3127 run_cmd nettest -6 -s -D & 3128 sleep 1 3129 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3130 log_test $? 0 "UDP in - LLA to GUA" 3131 3132 run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV} 3133 run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad 3134} 3135 3136ipv6_udp_vrf() 3137{ 3138 local a 3139 3140 # disable global server 3141 log_subsection "Global server disabled" 3142 set_sysctl net.ipv4.udp_l3mdev_accept=0 3143 3144 # 3145 # server tests 3146 # 3147 for a in ${NSA_IP6} ${VRF_IP6} 3148 do 3149 log_start 3150 show_hint "Should fail 'Connection refused' since global server is disabled" 3151 run_cmd nettest -6 -D -s & 3152 sleep 1 3153 run_cmd_nsb nettest -6 -D -r ${a} 3154 log_test_addr ${a} $? 1 "Global server" 3155 done 3156 3157 for a in ${NSA_IP6} ${VRF_IP6} 3158 do 3159 log_start 3160 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3161 sleep 1 3162 run_cmd_nsb nettest -6 -D -r ${a} 3163 log_test_addr ${a} $? 0 "VRF server" 3164 done 3165 3166 for a in ${NSA_IP6} ${VRF_IP6} 3167 do 3168 log_start 3169 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3170 sleep 1 3171 run_cmd_nsb nettest -6 -D -r ${a} 3172 log_test_addr ${a} $? 
0 "Enslaved device server" 3173 done 3174 3175 # negative test - should fail 3176 for a in ${NSA_IP6} ${VRF_IP6} 3177 do 3178 log_start 3179 show_hint "Should fail 'Connection refused' since there is no server" 3180 run_cmd_nsb nettest -6 -D -r ${a} 3181 log_test_addr ${a} $? 1 "No server" 3182 done 3183 3184 # 3185 # local address tests 3186 # 3187 for a in ${NSA_IP6} ${VRF_IP6} 3188 do 3189 log_start 3190 show_hint "Should fail 'Connection refused' since global server is disabled" 3191 run_cmd nettest -6 -D -s & 3192 sleep 1 3193 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3194 log_test_addr ${a} $? 1 "Global server, VRF client, local conn" 3195 done 3196 3197 for a in ${NSA_IP6} ${VRF_IP6} 3198 do 3199 log_start 3200 run_cmd nettest -6 -D -I ${VRF} -s & 3201 sleep 1 3202 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3203 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3204 done 3205 3206 a=${NSA_IP6} 3207 log_start 3208 show_hint "Should fail 'Connection refused' since global server is disabled" 3209 run_cmd nettest -6 -D -s & 3210 sleep 1 3211 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3212 log_test_addr ${a} $? 1 "Global server, device client, local conn" 3213 3214 log_start 3215 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3216 sleep 1 3217 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3218 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 3219 3220 log_start 3221 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3222 sleep 1 3223 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3224 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 3225 3226 log_start 3227 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3228 sleep 1 3229 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3230 log_test_addr ${a} $? 
0 "Enslaved device server, device client, local conn" 3231 3232 # disable global server 3233 log_subsection "Global server enabled" 3234 set_sysctl net.ipv4.udp_l3mdev_accept=1 3235 3236 # 3237 # server tests 3238 # 3239 for a in ${NSA_IP6} ${VRF_IP6} 3240 do 3241 log_start 3242 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3243 sleep 1 3244 run_cmd_nsb nettest -6 -D -r ${a} 3245 log_test_addr ${a} $? 0 "Global server" 3246 done 3247 3248 for a in ${NSA_IP6} ${VRF_IP6} 3249 do 3250 log_start 3251 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3252 sleep 1 3253 run_cmd_nsb nettest -6 -D -r ${a} 3254 log_test_addr ${a} $? 0 "VRF server" 3255 done 3256 3257 for a in ${NSA_IP6} ${VRF_IP6} 3258 do 3259 log_start 3260 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3261 sleep 1 3262 run_cmd_nsb nettest -6 -D -r ${a} 3263 log_test_addr ${a} $? 0 "Enslaved device server" 3264 done 3265 3266 # negative test - should fail 3267 for a in ${NSA_IP6} ${VRF_IP6} 3268 do 3269 log_start 3270 run_cmd_nsb nettest -6 -D -r ${a} 3271 log_test_addr ${a} $? 1 "No server" 3272 done 3273 3274 # 3275 # client tests 3276 # 3277 log_start 3278 run_cmd_nsb nettest -6 -D -s & 3279 sleep 1 3280 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3281 log_test $? 0 "VRF client" 3282 3283 # negative test - should fail 3284 log_start 3285 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3286 log_test $? 1 "No server, VRF client" 3287 3288 log_start 3289 run_cmd_nsb nettest -6 -D -s & 3290 sleep 1 3291 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3292 log_test $? 0 "Enslaved device client" 3293 3294 # negative test - should fail 3295 log_start 3296 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3297 log_test $? 1 "No server, enslaved device client" 3298 3299 # 3300 # local address tests 3301 # 3302 a=${NSA_IP6} 3303 log_start 3304 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3305 sleep 1 3306 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3307 log_test_addr ${a} $? 
0 "Global server, VRF client, local conn" 3308 3309 #log_start 3310 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3311 sleep 1 3312 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3313 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3314 3315 3316 a=${VRF_IP6} 3317 log_start 3318 run_cmd nettest -6 -D -s -3 ${VRF} & 3319 sleep 1 3320 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3321 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 3322 3323 log_start 3324 run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} & 3325 sleep 1 3326 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3327 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3328 3329 # negative test - should fail 3330 for a in ${NSA_IP6} ${VRF_IP6} 3331 do 3332 log_start 3333 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3334 log_test_addr ${a} $? 1 "No server, VRF client, local conn" 3335 done 3336 3337 # device to global IP 3338 a=${NSA_IP6} 3339 log_start 3340 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3341 sleep 1 3342 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3343 log_test_addr ${a} $? 0 "Global server, device client, local conn" 3344 3345 log_start 3346 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3347 sleep 1 3348 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3349 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 3350 3351 log_start 3352 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3353 sleep 1 3354 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3355 log_test_addr ${a} $? 0 "Device server, VRF client, local conn" 3356 3357 log_start 3358 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3359 sleep 1 3360 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3361 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3362 3363 log_start 3364 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3365 log_test_addr ${a} $? 
1 "No server, device client, local conn" 3366 3367 3368 # link local addresses 3369 log_start 3370 run_cmd nettest -6 -D -s & 3371 sleep 1 3372 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3373 log_test $? 0 "Global server, linklocal IP" 3374 3375 log_start 3376 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3377 log_test $? 1 "No server, linklocal IP" 3378 3379 3380 log_start 3381 run_cmd_nsb nettest -6 -D -s & 3382 sleep 1 3383 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3384 log_test $? 0 "Enslaved device client, linklocal IP" 3385 3386 log_start 3387 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3388 log_test $? 1 "No server, device client, peer linklocal IP" 3389 3390 3391 log_start 3392 run_cmd nettest -6 -D -s & 3393 sleep 1 3394 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3395 log_test $? 0 "Enslaved device client, local conn - linklocal IP" 3396 3397 log_start 3398 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3399 log_test $? 1 "No server, device client, local conn - linklocal IP" 3400 3401 # LLA to GUA 3402 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3403 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3404 log_start 3405 run_cmd nettest -6 -s -D & 3406 sleep 1 3407 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3408 log_test $? 
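0 "UDP in - LLA to GUA"

	# undo the LLA-to-GUA setup: drop the host route and put the global
	# address back on the ns-B device
	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}

# Run the IPv6 UDP tests: the non-VRF set twice (udp_l3mdev_accept off and
# on), then the VRF set after re-running setup with VRF enabled.
ipv6_udp()
{
	# should not matter, but set to known state
	set_sysctl net.ipv4.udp_early_demux=1

	log_section "IPv6/UDP"
	log_subsection "No VRF"
	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv6_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv6_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_udp_vrf
}

################################################################################
# IPv6 address bind

# Bind-only checks (nettest -b) without a VRF: raw and TCP sockets bound to
# local addresses, with and without a preceding device bind (-I).
ipv6_addr_bind_novrf()
{
	# keep the loop/address variable out of the global scope
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# raw socket with nonlocal bind
	#
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

	#
	# tcp sockets
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. So this test passes
	# when it really should not.
	# Practical consequence: a device bind alone does not restrict which
	# local address a listener can end up on; the expected rc of 0 below
	# records that behavior rather than endorsing it.
	a=${NSA_LO_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
}

# Bind-only checks with the ns-A device enslaved to the VRF: addresses inside
# the VRF must bind (rc 0), the loopback address outside it must not (rc 1).
ipv6_addr_bind_vrf()
{
	# keep the loop/address variable out of the global scope
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"

	#
	# raw socket with nonlocal bind
	#
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	#
	# tcp sockets
	#
	# address on enslaved device is valid for the VRF or device in a VRF
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not.
	# The isolation boundary exercised here is therefore the L3 domain
	# (VRF), not the individual device.
	a=${VRF_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"

}

# Entry point for the IPv6 bind tests: non-VRF set, then VRF set.
ipv6_addr_bind()
{
	log_section "IPv6 address binds"

	log_subsection "No VRF"
	setup
	ipv6_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_addr_bind_vrf
}

################################################################################
# IPv6 runtime tests

# Delete the VRF device while nettest traffic is in flight.
# Arguments: $1 - description used in the test names
#            $2 - extra nettest arguments (appended after -6; left unquoted
#                 at the call sites on purpose so they split into words)
# Every case logs rc 0 against expected 0, so it always reports OK; the
# cases presumably exist to catch a kernel crash or hang on device delete
# rather than a command failure. setup is re-run after each case because the
# VRF has just been removed.
ipv6_rt()
{
	local desc="$1"
	local varg="-6 $2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${NSA_DEV} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, enslaved device server"

		setup ${with_vrf}
	done

	#
	# client test
	#
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, enslaved device client"

	setup ${with_vrf}


	#
	# local address tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server, VRF client"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server and client"

		setup ${with_vrf}
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, global server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${VRF} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, device server, device client"
}

# Delete the VRF device while a flood ping (-f) is running, inbound from ns-B
# and then outbound through the VRF. Both cases always log OK (rc 0 vs 0).
ipv6_ping_rt()
{
	local with_vrf="yes"
	local a

	a=${NSA_IP6}
	log_start
	run_cmd_nsb ${ping6} -f ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

	setup ${with_vrf}

	log_start
	run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
	sleep 1
	run_cmd ip link del ${VRF}
	sleep 1
	# NOTE(review): the ping above targets NSB_IP6 but the result is
	# labelled with ${a} (NSA_IP6) - confirm which address is intended
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

# Entry point for the IPv6 runtime tests; each group starts from a fresh
# VRF setup because the previous group ends with the VRF deleted.
ipv6_runtime()
{
	log_section "Run time tests - ipv6"

	setup "yes"
	ipv6_ping_rt

	setup "yes"
	ipv6_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv6_rt "TCP passive socket" "-i"

	setup "yes"
	ipv6_rt "UDP active socket" "-D -n -1"
}

################################################################################
# netfilter blocking connections

# With a REJECT/tcp-reset rule installed by the caller, a TCP client in ns-B
# must fail (rc 1) against both the device and the VRF address.
netfilter_tcp_reset()
{
	local a

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

# With REJECT/icmp-port-unreachable rules installed by the caller, a client
# in ns-B must fail (rc 1).
# Arguments: $1 - "TCP" or "UDP"; "UDP" adds -D to the nettest calls
netfilter_icmp()
{
	local stype="$1"
	local arg
	local a

	[ "${stype}" = "UDP" ] && arg="-D"

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${arg} -s &
		sleep 1
		run_cmd_nsb nettest ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}

# IPv4 netfilter tests: install REJECT rules on the INPUT chain via run_cmd
# and check that connections from ns-B are refused.
# Port 12345 is presumably nettest's default port (the nettest calls in the
# helpers pass no -p) - confirm against nettest.
ipv4_netfilter()
{
	log_section "IPv4 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp_reset

	log_start
	log_subsection "ICMP unreachable"

	log_start
	run_cmd iptables -F
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
	run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable

	netfilter_icmp "TCP"
	netfilter_icmp "UDP"

	log_start
	# Flush through run_cmd, the same way the rules were added. A bare
	# "iptables -F" acts on the network namespace the script was started
	# from, so it would leave the test rules in place and instead delete
	# every rule in that namespace's filter table.
	run_cmd iptables -F
}

# IPv6 counterpart of netfilter_tcp_reset.
netfilter_tcp6_reset()
{
	local a

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

# IPv6 counterpart of netfilter_icmp.
# Arguments: $1 - "TCP" or "UDP"; "UDP" adds -D to the nettest calls
netfilter_icmp6()
{
	local stype="$1"
	local arg
	local a

	[ "${stype}" = "UDP" ] && arg="$arg -D"

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s ${arg} &
		sleep 1
		run_cmd_nsb nettest -6 ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}

# IPv6 netfilter tests: same structure as ipv4_netfilter, using ip6tables.
ipv6_netfilter()
{
	log_section "IPv6 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp6_reset

	log_subsection "ICMP unreachable"

	log_start
	run_cmd ip6tables -F
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
	run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable

	netfilter_icmp6 "TCP"
	netfilter_icmp6 "UDP"

	log_start
	# Flush through run_cmd, the same way the rules were added. A bare
	# "ip6tables -F" acts on the network namespace the script was started
	# from, so it would leave the test rules in place and instead delete
	# every rule in that namespace's filter table.
	run_cmd ip6tables -F
}

################################################################################
# specific use cases

# VRF only.
# ns-A device enslaved to bridge. Verify traffic with and without
# br_netfilter module loaded. Repeat with SVI on bridge.
#
# rmmod/modprobe are issued directly, not through a namespace wrapper, and
# module state is kernel-wide: the test unloads br_netfilter even if it was
# loaded beforehand and leaves it loaded afterwards when modprobe succeeds.
use_case_br()
{
	setup "yes"

	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
	setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64

	setup_cmd ip link add br0 type bridge
	setup_cmd ip addr add dev br0 ${NSA_IP}/24
	setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad

	setup_cmd ip li set ${NSA_DEV} master br0
	setup_cmd ip li set ${NSA_DEV} up
	setup_cmd ip li set br0 up
	setup_cmd ip li set br0 vrf ${VRF}

	rmmod br_netfilter 2>/dev/null
	sleep 5 # DAD

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 ${NSA_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping in"

	# repeat with br_netfilter loaded; skipped when the module is unavailable
	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out"

		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 ${NSA_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in"
	fi

	# second half: move the VRF membership from the bridge to a vlan
	# device (br0.100) on top of it, with a matching vlan in ns-B
	setup_cmd ip li set br0 nomaster
	setup_cmd ip li add br0.100 link br0 type vlan id 100
	setup_cmd ip li set br0.100 vrf ${VRF} up
	setup_cmd ip addr add dev br0.100 172.16.101.1/24
	setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad

	setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
	setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
	setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
	setup_cmd_nsb ip li set vlan100 up
	sleep 1

	rmmod br_netfilter 2>/dev/null

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 172.16.101.1
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"

	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out"

		# the two "ping in" names carry "with br_netfilter" so they
		# are distinguishable from the module-less runs above
		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 172.16.101.1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping in"
	fi

	setup_cmd ip li del br0 2>/dev/null
	setup_cmd_nsb ip li del vlan100 2>/dev/null
}

# VRF only.
# ns-A device is connected to both ns-B and ns-C on a single VRF but only has
# LLA on the interfaces
use_case_ping_lla_multi()
{
	setup_lla_only
	# only want reply from ns-A
	setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
	setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B"

	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C"

	# cycle/flap the first ns-A interface
	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip link set ${NSA_DEV} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C"

	# cycle/flap the second ns-A interface
	setup_cmd ip link set ${NSA_DEV2} down
	setup_cmd ip link set ${NSA_DEV2} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C"
}

# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully
# established with ns-B.
# The NAT rules are removed again with matching -D commands at the end, so
# nothing is left in the nat table for later tests.
use_case_snat_on_vrf()
{
	setup "yes"

	local port="12345"

	run_cmd iptables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}

	run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} &
	sleep 1
	run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port}
	log_test $? 0 "IPv4 TCP connection over VRF with SNAT"

	run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} &
	sleep 1
	run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port}
	log_test $? 0 "IPv6 TCP connection over VRF with SNAT"

	# Cleanup
	run_cmd iptables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
}

# Run the three stand-alone use-case tests in order.
use_cases()
{
	log_section "Use cases"
	log_subsection "Device enslaved to bridge"
	use_case_br
	log_subsection "Ping LLA with multiple interfaces"
	use_case_ping_lla_multi
	log_subsection "SNAT on VRF"
	use_case_snat_on_vrf
}

################################################################################
# usage

# Print the option summary and the list of test names to stdout.
usage()
{
	cat <<EOF
usage: ${0##*/} OPTS

	-4          IPv4 tests only
	-6          IPv6 tests only
	-t <test>   Test name/set to run
	-p          Pause on fail
	-P          Pause after each test
	-v          Be verbose

Tests:
	$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER
EOF
}

################################################################################
# main

TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter"
TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter"
TESTS_OTHER="use_cases"

PAUSE_ON_FAIL=no
PAUSE=no

while getopts :46t:pPvh o
do
	case $o in
		4) TESTS=ipv4;;
		6) TESTS=ipv6;;
		t) TESTS=$OPTARG;;
		p) PAUSE_ON_FAIL=yes;;
		P) PAUSE=yes;;
		v) VERBOSE=1;;
		h) usage; exit 0;;
		*) usage; exit 1;;
	esac
done

# make sure we don't pause twice
[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no

#
# show user test config
#
if [ -z "$TESTS" ]; then
	TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
elif [ "$TESTS" = "ipv4" ]; then
	TESTS="$TESTS_IPV4"
elif [ "$TESTS" = "ipv6" ]; then
	TESTS="$TESTS_IPV6"
fi

# nettest drives every socket test; without it report SKIP, not failure
if ! command -v nettest >/dev/null; then
	echo "'nettest' command not found; skipping tests"
	exit $ksft_skip
fi

declare -i nfail=0
declare -i nsuccess=0

# $TESTS is intentionally unquoted: it is a space-separated list of names.
# Names are only matched against the fixed patterns below, never executed.
for t in $TESTS
do
	case $t in
	ipv4_ping|ping)  ipv4_ping;;
	ipv4_tcp|tcp)    ipv4_tcp;;
	ipv4_udp|udp)    ipv4_udp;;
	ipv4_bind|bind)  ipv4_addr_bind;;
	ipv4_runtime)    ipv4_runtime;;
	ipv4_netfilter)  ipv4_netfilter;;

	ipv6_ping|ping6) ipv6_ping;;
	ipv6_tcp|tcp6)   ipv6_tcp;;
	ipv6_udp|udp6)   ipv6_udp;;
	ipv6_bind|bind6) ipv6_addr_bind;;
	ipv6_runtime)    ipv6_runtime;;
	ipv6_netfilter)  ipv6_netfilter;;

	use_cases)       use_cases;;

	# setup namespaces and config, but do not run any tests
	setup)		 setup; exit 0;;
	vrf_setup)	 setup "yes"; exit 0;;

	# a misspelled name would otherwise be dropped without a trace
	*)		 echo "unknown test '$t' ignored" >&2;;
	esac
done

cleanup 2>/dev/null

printf "\nTests passed: %3d\n" ${nsuccess}
printf "Tests failed: %3d\n"   ${nfail}

if [ $nfail -ne 0 ]; then
	exit 1 # KSFT_FAIL
elif [ $nsuccess -eq 0 ]; then
	exit $ksft_skip
fi

exit 0 # KSFT_PASS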