1#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0
3#
4# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
5#
6# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
7# for various permutations:
8#   1. icmp, tcp, udp and netfilter
9#   2. client, server, no-server
10#   3. global address on interface
11#   4. global address on 'lo'
12#   5. remote and local traffic
13#   6. VRF and non-VRF permutations
14#
15# Setup:
16#                     ns-A     |     ns-B
17# No VRF case:
18#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
19#                                                remote address
20# VRF case:
21#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
22#
23# ns-A:
24#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
25#       lo: 127.0.0.1/8, ::1/128
26#           172.16.2.1/32, 2001:db8:2::1/128
27#      red: 127.0.0.1/8, ::1/128
28#           172.16.3.1/32, 2001:db8:3::1/128
29#
30# ns-B:
31#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
32#      lo2: 127.0.0.1/8, ::1/128
33#           172.16.2.2/32, 2001:db8:2::2/128
34#
35# ns-A to ns-C connection - only for VRF and same config
36# as ns-A to ns-B
37#
38# server / client nomenclature relative to ns-A
39
40# Kselftest framework requirement - SKIP code is 4.
41ksft_skip=4
42
43VERBOSE=0
44
45NSA_DEV=eth1
46NSA_DEV2=eth2
47NSB_DEV=eth1
48NSC_DEV=eth2
49VRF=red
50VRF_TABLE=1101
51
52# IPv4 config
53NSA_IP=172.16.1.1
54NSB_IP=172.16.1.2
55VRF_IP=172.16.3.1
56NS_NET=172.16.1.0/24
57
58# IPv6 config
59NSA_IP6=2001:db8:1::1
60NSB_IP6=2001:db8:1::2
61VRF_IP6=2001:db8:3::1
62NS_NET6=2001:db8:1::/120
63
64NSA_LO_IP=172.16.2.1
65NSB_LO_IP=172.16.2.2
66NSA_LO_IP6=2001:db8:2::1
67NSB_LO_IP6=2001:db8:2::2
68
69# non-local addresses for freebind tests
70NL_IP=172.17.1.1
71NL_IP6=2001:db8:4::1
72
73# multicast and broadcast addresses
74MCAST_IP=224.0.0.1
75BCAST_IP=255.255.255.255
76
77MD5_PW=abc123
78MD5_WRONG_PW=abc1234
79
80MCAST=ff02::1
81# set after namespace create
82NSA_LINKIP6=
83NSB_LINKIP6=
84
85NSA=ns-A
86NSB=ns-B
87NSC=ns-C
88
89NSA_CMD="ip netns exec ${NSA}"
90NSB_CMD="ip netns exec ${NSB}"
91NSC_CMD="ip netns exec ${NSC}"
92
93which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)
94
95################################################################################
96# utilities
97
98log_test()
99{
100	local rc=$1
101	local expected=$2
102	local msg="$3"
103
104	[ "${VERBOSE}" = "1" ] && echo
105
106	if [ ${rc} -eq ${expected} ]; then
107		nsuccess=$((nsuccess+1))
108		printf "TEST: %-70s  [ OK ]\n" "${msg}"
109	else
110		nfail=$((nfail+1))
111		printf "TEST: %-70s  [FAIL]\n" "${msg}"
112		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
113			echo
114			echo "hit enter to continue, 'q' to quit"
115			read a
116			[ "$a" = "q" ] && exit 1
117		fi
118	fi
119
120	if [ "${PAUSE}" = "yes" ]; then
121		echo
122		echo "hit enter to continue, 'q' to quit"
123		read a
124		[ "$a" = "q" ] && exit 1
125	fi
126
127	kill_procs
128}
129
130log_test_addr()
131{
132	local addr=$1
133	local rc=$2
134	local expected=$3
135	local msg="$4"
136	local astr
137
138	astr=$(addr2str ${addr})
139	log_test $rc $expected "$msg - ${astr}"
140}
141
142log_section()
143{
144	echo
145	echo "###########################################################################"
146	echo "$*"
147	echo "###########################################################################"
148	echo
149}
150
151log_subsection()
152{
153	echo
154	echo "#################################################################"
155	echo "$*"
156	echo
157}
158
159log_start()
160{
161	# make sure we have no test instances running
162	kill_procs
163
164	if [ "${VERBOSE}" = "1" ]; then
165		echo
166		echo "#######################################################"
167	fi
168}
169
170log_debug()
171{
172	if [ "${VERBOSE}" = "1" ]; then
173		echo
174		echo "$*"
175		echo
176	fi
177}
178
179show_hint()
180{
181	if [ "${VERBOSE}" = "1" ]; then
182		echo "HINT: $*"
183		echo
184	fi
185}
186
187kill_procs()
188{
189	killall nettest ping ping6 >/dev/null 2>&1
190	sleep 1
191}
192
193do_run_cmd()
194{
195	local cmd="$*"
196	local out
197
198	if [ "$VERBOSE" = "1" ]; then
199		echo "COMMAND: ${cmd}"
200	fi
201
202	out=$($cmd 2>&1)
203	rc=$?
204	if [ "$VERBOSE" = "1" -a -n "$out" ]; then
205		echo "$out"
206	fi
207
208	return $rc
209}
210
211run_cmd()
212{
213	do_run_cmd ${NSA_CMD} $*
214}
215
216run_cmd_nsb()
217{
218	do_run_cmd ${NSB_CMD} $*
219}
220
221run_cmd_nsc()
222{
223	do_run_cmd ${NSC_CMD} $*
224}
225
226setup_cmd()
227{
228	local cmd="$*"
229	local rc
230
231	run_cmd ${cmd}
232	rc=$?
233	if [ $rc -ne 0 ]; then
234		# show user the command if not done so already
235		if [ "$VERBOSE" = "0" ]; then
236			echo "setup command: $cmd"
237		fi
238		echo "failed. stopping tests"
239		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
240			echo
241			echo "hit enter to continue"
242			read a
243		fi
244		exit $rc
245	fi
246}
247
248setup_cmd_nsb()
249{
250	local cmd="$*"
251	local rc
252
253	run_cmd_nsb ${cmd}
254	rc=$?
255	if [ $rc -ne 0 ]; then
256		# show user the command if not done so already
257		if [ "$VERBOSE" = "0" ]; then
258			echo "setup command: $cmd"
259		fi
260		echo "failed. stopping tests"
261		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
262			echo
263			echo "hit enter to continue"
264			read a
265		fi
266		exit $rc
267	fi
268}
269
270setup_cmd_nsc()
271{
272	local cmd="$*"
273	local rc
274
275	run_cmd_nsc ${cmd}
276	rc=$?
277	if [ $rc -ne 0 ]; then
278		# show user the command if not done so already
279		if [ "$VERBOSE" = "0" ]; then
280			echo "setup command: $cmd"
281		fi
282		echo "failed. stopping tests"
283		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
284			echo
285			echo "hit enter to continue"
286			read a
287		fi
288		exit $rc
289	fi
290}
291
292# set sysctl values in NS-A
293set_sysctl()
294{
295	echo "SYSCTL: $*"
296	echo
297	run_cmd sysctl -q -w $*
298}
299
300# get sysctl values in NS-A
301get_sysctl()
302{
303	${NSA_CMD} sysctl -n $*
304}
305
306################################################################################
307# Setup for tests
308
309addr2str()
310{
311	case "$1" in
312	127.0.0.1) echo "loopback";;
313	::1) echo "IPv6 loopback";;
314
315	${BCAST_IP}) echo "broadcast";;
316	${MCAST_IP}) echo "multicast";;
317
318	${NSA_IP})	echo "ns-A IP";;
319	${NSA_IP6})	echo "ns-A IPv6";;
320	${NSA_LO_IP})	echo "ns-A loopback IP";;
321	${NSA_LO_IP6})	echo "ns-A loopback IPv6";;
322	${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;
323
324	${NSB_IP})	echo "ns-B IP";;
325	${NSB_IP6})	echo "ns-B IPv6";;
326	${NSB_LO_IP})	echo "ns-B loopback IP";;
327	${NSB_LO_IP6})	echo "ns-B loopback IPv6";;
328	${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;
329
330	${NL_IP})       echo "nonlocal IP";;
331	${NL_IP6})      echo "nonlocal IPv6";;
332
333	${VRF_IP})	echo "VRF IP";;
334	${VRF_IP6})	echo "VRF IPv6";;
335
336	${MCAST}%*)	echo "multicast IP";;
337
338	*) echo "unknown";;
339	esac
340}
341
342get_linklocal()
343{
344	local ns=$1
345	local dev=$2
346	local addr
347
348	addr=$(ip -netns ${ns} -6 -br addr show dev ${dev} | \
349	awk '{
350		for (i = 3; i <= NF; ++i) {
351			if ($i ~ /^fe80/)
352				print $i
353		}
354	}'
355	)
356	addr=${addr/\/*}
357
358	[ -z "$addr" ] && return 1
359
360	echo $addr
361
362	return 0
363}
364
365################################################################################
366# create namespaces and vrf
367
368create_vrf()
369{
370	local ns=$1
371	local vrf=$2
372	local table=$3
373	local addr=$4
374	local addr6=$5
375
376	ip -netns ${ns} link add ${vrf} type vrf table ${table}
377	ip -netns ${ns} link set ${vrf} up
378	ip -netns ${ns} route add vrf ${vrf} unreachable default metric 8192
379	ip -netns ${ns} -6 route add vrf ${vrf} unreachable default metric 8192
380
381	ip -netns ${ns} addr add 127.0.0.1/8 dev ${vrf}
382	ip -netns ${ns} -6 addr add ::1 dev ${vrf} nodad
383	if [ "${addr}" != "-" ]; then
384		ip -netns ${ns} addr add dev ${vrf} ${addr}
385	fi
386	if [ "${addr6}" != "-" ]; then
387		ip -netns ${ns} -6 addr add dev ${vrf} ${addr6}
388	fi
389
390	ip -netns ${ns} ru del pref 0
391	ip -netns ${ns} ru add pref 32765 from all lookup local
392	ip -netns ${ns} -6 ru del pref 0
393	ip -netns ${ns} -6 ru add pref 32765 from all lookup local
394}
395
396create_ns()
397{
398	local ns=$1
399	local addr=$2
400	local addr6=$3
401
402	ip netns add ${ns}
403
404	ip -netns ${ns} link set lo up
405	if [ "${addr}" != "-" ]; then
406		ip -netns ${ns} addr add dev lo ${addr}
407	fi
408	if [ "${addr6}" != "-" ]; then
409		ip -netns ${ns} -6 addr add dev lo ${addr6}
410	fi
411
412	ip -netns ${ns} ro add unreachable default metric 8192
413	ip -netns ${ns} -6 ro add unreachable default metric 8192
414
415	ip netns exec ${ns} sysctl -qw net.ipv4.ip_forward=1
416	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
417	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.forwarding=1
418	ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.forwarding=1
419}
420
421# create veth pair to connect namespaces and apply addresses.
422connect_ns()
423{
424	local ns1=$1
425	local ns1_dev=$2
426	local ns1_addr=$3
427	local ns1_addr6=$4
428	local ns2=$5
429	local ns2_dev=$6
430	local ns2_addr=$7
431	local ns2_addr6=$8
432
433	ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp
434	ip -netns ${ns1} li set ${ns1_dev} up
435	ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev}
436	ip -netns ${ns2} li set ${ns2_dev} up
437
438	if [ "${ns1_addr}" != "-" ]; then
439		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr}
440		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr}
441	fi
442
443	if [ "${ns1_addr6}" != "-" ]; then
444		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6}
445		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6}
446	fi
447}
448
449cleanup()
450{
451	# explicit cleanups to check those code paths
452	ip netns | grep -q ${NSA}
453	if [ $? -eq 0 ]; then
454		ip -netns ${NSA} link delete ${VRF}
455		ip -netns ${NSA} ro flush table ${VRF_TABLE}
456
457		ip -netns ${NSA} addr flush dev ${NSA_DEV}
458		ip -netns ${NSA} -6 addr flush dev ${NSA_DEV}
459		ip -netns ${NSA} link set dev ${NSA_DEV} down
460		ip -netns ${NSA} link del dev ${NSA_DEV}
461
462		ip netns pids ${NSA} | xargs kill 2>/dev/null
463		ip netns del ${NSA}
464	fi
465
466	ip netns pids ${NSB} | xargs kill 2>/dev/null
467	ip netns del ${NSB}
468	ip netns pids ${NSC} | xargs kill 2>/dev/null
469	ip netns del ${NSC} >/dev/null 2>&1
470}
471
472cleanup_vrf_dup()
473{
474	ip link del ${NSA_DEV2} >/dev/null 2>&1
475	ip netns pids ${NSC} | xargs kill 2>/dev/null
476	ip netns del ${NSC} >/dev/null 2>&1
477}
478
479setup_vrf_dup()
480{
481	# some VRF tests use ns-C which has the same config as
482	# ns-B but for a device NOT in the VRF
483	create_ns ${NSC} "-" "-"
484	connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \
485		   ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
486}
487
488setup()
489{
490	local with_vrf=${1}
491
492	# make sure we are starting with a clean slate
493	kill_procs
494	cleanup 2>/dev/null
495
496	log_debug "Configuring network namespaces"
497	set -e
498
499	create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128
500	create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128
501	connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \
502		   ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
503
504	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
505	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
506
507	# tell ns-A how to get to remote addresses of ns-B
508	if [ "${with_vrf}" = "yes" ]; then
509		create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6}
510
511		ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
512		ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
513		ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
514
515		ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
516		ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
517	else
518		ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
519		ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
520	fi
521
522
523	# tell ns-B how to get to remote addresses of ns-A
524	ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
525	ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
526
527	set +e
528
529	sleep 1
530}
531
532setup_lla_only()
533{
534	# make sure we are starting with a clean slate
535	kill_procs
536	cleanup 2>/dev/null
537
538	log_debug "Configuring network namespaces"
539	set -e
540
541	create_ns ${NSA} "-" "-"
542	create_ns ${NSB} "-" "-"
543	create_ns ${NSC} "-" "-"
544	connect_ns ${NSA} ${NSA_DEV} "-" "-" \
545		   ${NSB} ${NSB_DEV} "-" "-"
546	connect_ns ${NSA} ${NSA_DEV2} "-" "-" \
547		   ${NSC} ${NSC_DEV}  "-" "-"
548
549	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
550	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
551	NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV})
552
553	create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-"
554	ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
555	ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF}
556
557	set +e
558
559	sleep 1
560}
561
562################################################################################
563# IPv4
564
565ipv4_ping_novrf()
566{
567	local a
568
569	#
570	# out
571	#
572	for a in ${NSB_IP} ${NSB_LO_IP}
573	do
574		log_start
575		run_cmd ping -c1 -w1 ${a}
576		log_test_addr ${a} $? 0 "ping out"
577
578		log_start
579		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
580		log_test_addr ${a} $? 0 "ping out, device bind"
581
582		log_start
583		run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a}
584		log_test_addr ${a} $? 0 "ping out, address bind"
585	done
586
587	#
588	# out, but don't use gateway if peer is not on link
589	#
590	a=${NSB_IP}
591	log_start
592	run_cmd ping -c 1 -w 1 -r ${a}
593	log_test_addr ${a} $? 0 "ping out (don't route), peer on link"
594
595	a=${NSB_LO_IP}
596	log_start
597	show_hint "Fails since peer is not on link"
598	run_cmd ping -c 1 -w 1 -r ${a}
599	log_test_addr ${a} $? 1 "ping out (don't route), peer not on link"
600
601	#
602	# in
603	#
604	for a in ${NSA_IP} ${NSA_LO_IP}
605	do
606		log_start
607		run_cmd_nsb ping -c1 -w1 ${a}
608		log_test_addr ${a} $? 0 "ping in"
609	done
610
611	#
612	# local traffic
613	#
614	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
615	do
616		log_start
617		run_cmd ping -c1 -w1 ${a}
618		log_test_addr ${a} $? 0 "ping local"
619	done
620
621	#
622	# local traffic, socket bound to device
623	#
624	# address on device
625	a=${NSA_IP}
626	log_start
627	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
628	log_test_addr ${a} $? 0 "ping local, device bind"
629
630	# loopback addresses not reachable from device bind
631	# fails in a really weird way though because ipv4 special cases
632	# route lookups with oif set.
633	for a in ${NSA_LO_IP} 127.0.0.1
634	do
635		log_start
636		show_hint "Fails since address on loopback device is out of device scope"
637		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
638		log_test_addr ${a} $? 1 "ping local, device bind"
639	done
640
641	#
642	# ip rule blocks reachability to remote address
643	#
644	log_start
645	setup_cmd ip rule add pref 32765 from all lookup local
646	setup_cmd ip rule del pref 0 from all lookup local
647	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
648	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit
649
650	a=${NSB_LO_IP}
651	run_cmd ping -c1 -w1 ${a}
652	log_test_addr ${a} $? 2 "ping out, blocked by rule"
653
654	# NOTE: ipv4 actually allows the lookup to fail and yet still create
655	# a viable rtable if the oif (e.g., bind to device) is set, so this
656	# case succeeds despite the rule
657	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
658
659	a=${NSA_LO_IP}
660	log_start
661	show_hint "Response generates ICMP (or arp request is ignored) due to ip rule"
662	run_cmd_nsb ping -c1 -w1 ${a}
663	log_test_addr ${a} $? 1 "ping in, blocked by rule"
664
665	[ "$VERBOSE" = "1" ] && echo
666	setup_cmd ip rule del pref 32765 from all lookup local
667	setup_cmd ip rule add pref 0 from all lookup local
668	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
669	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit
670
671	#
672	# route blocks reachability to remote address
673	#
674	log_start
675	setup_cmd ip route replace unreachable ${NSB_LO_IP}
676	setup_cmd ip route replace unreachable ${NSB_IP}
677
678	a=${NSB_LO_IP}
679	run_cmd ping -c1 -w1 ${a}
680	log_test_addr ${a} $? 2 "ping out, blocked by route"
681
682	# NOTE: ipv4 actually allows the lookup to fail and yet still create
683	# a viable rtable if the oif (e.g., bind to device) is set, so this
684	# case succeeds despite not having a route for the address
685	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
686
687	a=${NSA_LO_IP}
688	log_start
689	show_hint "Response is dropped (or arp request is ignored) due to ip route"
690	run_cmd_nsb ping -c1 -w1 ${a}
691	log_test_addr ${a} $? 1 "ping in, blocked by route"
692
693	#
694	# remove 'remote' routes; fallback to default
695	#
696	log_start
697	setup_cmd ip ro del ${NSB_LO_IP}
698
699	a=${NSB_LO_IP}
700	run_cmd ping -c1 -w1 ${a}
701	log_test_addr ${a} $? 2 "ping out, unreachable default route"
702
703	# NOTE: ipv4 actually allows the lookup to fail and yet still create
704	# a viable rtable if the oif (e.g., bind to device) is set, so this
705	# case succeeds despite not having a route for the address
706	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
707}
708
709ipv4_ping_vrf()
710{
711	local a
712
713	# should default on; does not exist on older kernels
714	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
715
716	#
717	# out
718	#
719	for a in ${NSB_IP} ${NSB_LO_IP}
720	do
721		log_start
722		run_cmd ping -c1 -w1 -I ${VRF} ${a}
723		log_test_addr ${a} $? 0 "ping out, VRF bind"
724
725		log_start
726		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
727		log_test_addr ${a} $? 0 "ping out, device bind"
728
729		log_start
730		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a}
731		log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind"
732
733		log_start
734		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a}
735		log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind"
736	done
737
738	#
739	# in
740	#
741	for a in ${NSA_IP} ${VRF_IP}
742	do
743		log_start
744		run_cmd_nsb ping -c1 -w1 ${a}
745		log_test_addr ${a} $? 0 "ping in"
746	done
747
748	#
749	# local traffic, local address
750	#
751	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
752	do
753		log_start
754		show_hint "Source address should be ${a}"
755		run_cmd ping -c1 -w1 -I ${VRF} ${a}
756		log_test_addr ${a} $? 0 "ping local, VRF bind"
757	done
758
759	#
760	# local traffic, socket bound to device
761	#
762	# address on device
763	a=${NSA_IP}
764	log_start
765	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
766	log_test_addr ${a} $? 0 "ping local, device bind"
767
768	# vrf device is out of scope
769	for a in ${VRF_IP} 127.0.0.1
770	do
771		log_start
772		show_hint "Fails since address on vrf device is out of device scope"
773		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
774		log_test_addr ${a} $? 2 "ping local, device bind"
775	done
776
777	#
778	# ip rule blocks address
779	#
780	log_start
781	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
782	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit
783
784	a=${NSB_LO_IP}
785	run_cmd ping -c1 -w1 -I ${VRF} ${a}
786	log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule"
787
788	log_start
789	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
790	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
791
792	a=${NSA_LO_IP}
793	log_start
794	show_hint "Response lost due to ip rule"
795	run_cmd_nsb ping -c1 -w1 ${a}
796	log_test_addr ${a} $? 1 "ping in, blocked by rule"
797
798	[ "$VERBOSE" = "1" ] && echo
799	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
800	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit
801
802	#
803	# remove 'remote' routes; fallback to default
804	#
805	log_start
806	setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP}
807
808	a=${NSB_LO_IP}
809	run_cmd ping -c1 -w1 -I ${VRF} ${a}
810	log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route"
811
812	log_start
813	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
814	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
815
816	a=${NSA_LO_IP}
817	log_start
818	show_hint "Response lost by unreachable route"
819	run_cmd_nsb ping -c1 -w1 ${a}
820	log_test_addr ${a} $? 1 "ping in, unreachable route"
821}
822
823ipv4_ping()
824{
825	log_section "IPv4 ping"
826
827	log_subsection "No VRF"
828	setup
829	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null
830	ipv4_ping_novrf
831	setup
832	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
833	ipv4_ping_novrf
834	setup
835	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
836	ipv4_ping_novrf
837
838	log_subsection "With VRF"
839	setup "yes"
840	ipv4_ping_vrf
841	setup "yes"
842	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
843	ipv4_ping_vrf
844}
845
846################################################################################
847# IPv4 TCP
848
849#
850# MD5 tests without VRF
851#
852ipv4_tcp_md5_novrf()
853{
854	#
855	# single address
856	#
857
858	# basic use case
859	log_start
860	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
861	sleep 1
862	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
863	log_test $? 0 "MD5: Single address config"
864
865	# client sends MD5, server not configured
866	log_start
867	show_hint "Should timeout due to MD5 mismatch"
868	run_cmd nettest -s &
869	sleep 1
870	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
871	log_test $? 2 "MD5: Server no config, client uses password"
872
873	# wrong password
874	log_start
875	show_hint "Should timeout since client uses wrong password"
876	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
877	sleep 1
878	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
879	log_test $? 2 "MD5: Client uses wrong password"
880
881	# client from different address
882	log_start
883	show_hint "Should timeout due to MD5 mismatch"
884	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} &
885	sleep 1
886	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
887	log_test $? 2 "MD5: Client address does not match address configured with password"
888
889	#
890	# MD5 extension - prefix length
891	#
892
893	# client in prefix
894	log_start
895	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
896	sleep 1
897	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
898	log_test $? 0 "MD5: Prefix config"
899
900	# client in prefix, wrong password
901	log_start
902	show_hint "Should timeout since client uses wrong password"
903	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
904	sleep 1
905	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
906	log_test $? 2 "MD5: Prefix config, client uses wrong password"
907
908	# client outside of prefix
909	log_start
910	show_hint "Should timeout due to MD5 mismatch"
911	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
912	sleep 1
913	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
914	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
915}
916
917#
918# MD5 tests with VRF
919#
920ipv4_tcp_md5()
921{
922	#
923	# single address
924	#
925
926	# basic use case
927	log_start
928	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
929	sleep 1
930	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
931	log_test $? 0 "MD5: VRF: Single address config"
932
933	# client sends MD5, server not configured
934	log_start
935	show_hint "Should timeout since server does not have MD5 auth"
936	run_cmd nettest -s -I ${VRF} &
937	sleep 1
938	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
939	log_test $? 2 "MD5: VRF: Server no config, client uses password"
940
941	# wrong password
942	log_start
943	show_hint "Should timeout since client uses wrong password"
944	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
945	sleep 1
946	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
947	log_test $? 2 "MD5: VRF: Client uses wrong password"
948
949	# client from different address
950	log_start
951	show_hint "Should timeout since server config differs from client"
952	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} &
953	sleep 1
954	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
955	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"
956
957	#
958	# MD5 extension - prefix length
959	#
960
961	# client in prefix
962	log_start
963	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
964	sleep 1
965	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
966	log_test $? 0 "MD5: VRF: Prefix config"
967
968	# client in prefix, wrong password
969	log_start
970	show_hint "Should timeout since client uses wrong password"
971	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
972	sleep 1
973	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
974	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"
975
976	# client outside of prefix
977	log_start
978	show_hint "Should timeout since client address is outside of prefix"
979	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
980	sleep 1
981	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
982	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"
983
984	#
985	# duplicate config between default VRF and a VRF
986	#
987
988	log_start
989	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
990	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
991	sleep 1
992	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
993	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"
994
995	log_start
996	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
997	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
998	sleep 1
999	run_cmd_nsc nettest  -r ${NSA_IP} -X ${MD5_WRONG_PW}
1000	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"
1001
1002	log_start
1003	show_hint "Should timeout since client in default VRF uses VRF password"
1004	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
1005	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
1006	sleep 1
1007	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
1008	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"
1009
1010	log_start
1011	show_hint "Should timeout since client in VRF uses default VRF password"
1012	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
1013	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
1014	sleep 1
1015	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
1016	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"
1017
1018	log_start
1019	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
1020	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
1021	sleep 1
1022	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
1023	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"
1024
1025	log_start
1026	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
1027	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
1028	sleep 1
1029	run_cmd_nsc nettest  -r ${NSA_IP} -X ${MD5_WRONG_PW}
1030	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"
1031
1032	log_start
1033	show_hint "Should timeout since client in default VRF uses VRF password"
1034	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
1035	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
1036	sleep 1
1037	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
1038	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"
1039
1040	log_start
1041	show_hint "Should timeout since client in VRF uses default VRF password"
1042	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
1043	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
1044	sleep 1
1045	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
1046	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"
1047
1048	#
1049	# negative tests
1050	#
1051	log_start
1052	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP}
1053	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"
1054
1055	log_start
1056	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET}
1057	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"
1058
1059	test_ipv4_md5_vrf__vrf_server__no_bind_ifindex
1060	test_ipv4_md5_vrf__global_server__bind_ifindex0
1061}
1062
1063test_ipv4_md5_vrf__vrf_server__no_bind_ifindex()
1064{
1065	log_start
1066	show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX"
1067	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
1068	sleep 1
1069	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1070	log_test $? 0 "MD5: VRF: VRF-bound server, unbound key accepts connection"
1071
1072	log_start
1073	show_hint "Binding both the socket and the key is not required but it works"
1074	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
1075	sleep 1
1076	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1077	log_test $? 0 "MD5: VRF: VRF-bound server, bound key accepts connection"
1078}
1079
1080test_ipv4_md5_vrf__global_server__bind_ifindex0()
1081{
1082	# This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections
1083	local old_tcp_l3mdev_accept
1084	old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept)
1085	set_sysctl net.ipv4.tcp_l3mdev_accept=1
1086
1087	log_start
1088	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
1089	sleep 1
1090	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1091	log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection"
1092
1093	log_start
1094	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
1095	sleep 1
1096	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
1097	log_test $? 0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection"
1098	log_start
1099
1100	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
1101	sleep 1
1102	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1103	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection"
1104
1105	log_start
1106	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
1107	sleep 1
1108	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
1109	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection"
1110
1111	# restore value
1112	set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept"
1113}
1114
1115ipv4_tcp_dontroute()
1116{
1117	local syncookies=$1
1118	local nsa_syncookies
1119	local nsb_syncookies
1120	local a
1121
1122	#
1123	# Link local connection tests (SO_DONTROUTE).
1124	# Connections should succeed only when the remote IP address is
1125	# on link (doesn't need to be routed through a gateway).
1126	#
1127
1128	nsa_syncookies=$(ip netns exec "${NSA}" sysctl -n net.ipv4.tcp_syncookies)
1129	nsb_syncookies=$(ip netns exec "${NSB}" sysctl -n net.ipv4.tcp_syncookies)
1130	ip netns exec "${NSA}" sysctl -wq net.ipv4.tcp_syncookies=${syncookies}
1131	ip netns exec "${NSB}" sysctl -wq net.ipv4.tcp_syncookies=${syncookies}
1132
1133	# Test with eth1 address (on link).
1134
1135	a=${NSB_IP}
1136	log_start
1137	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute
1138	log_test_addr ${a} $? 0 "SO_DONTROUTE client, syncookies=${syncookies}"
1139
1140	a=${NSB_IP}
1141	log_start
1142	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -r ${a} --server-dontroute
1143	log_test_addr ${a} $? 0 "SO_DONTROUTE server, syncookies=${syncookies}"
1144
1145	# Test with loopback address (routed).
1146	#
1147	# The client would use the eth1 address as source IP by default.
1148	# Therefore, we need to use the -c option here, to force the use of the
1149	# routed (loopback) address as source IP (so that the server will try
1150	# to respond to a routed address and not a link local one).
1151
1152	a=${NSB_LO_IP}
1153	log_start
1154	show_hint "Should fail 'Network is unreachable' since server is not on link"
1155	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -c "${NSA_LO_IP}" -r ${a} --client-dontroute
1156	log_test_addr ${a} $? 1 "SO_DONTROUTE client, syncookies=${syncookies}"
1157
1158	a=${NSB_LO_IP}
1159	log_start
1160	show_hint "Should timeout since server cannot respond (client is not on link)"
1161	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -c "${NSA_LO_IP}" -r ${a} --server-dontroute
1162	log_test_addr ${a} $? 2 "SO_DONTROUTE server, syncookies=${syncookies}"
1163
1164	ip netns exec "${NSB}" sysctl -wq net.ipv4.tcp_syncookies=${nsb_syncookies}
1165	ip netns exec "${NSA}" sysctl -wq net.ipv4.tcp_syncookies=${nsa_syncookies}
1166}
1167
1168ipv4_tcp_novrf()
1169{
1170	local a
1171
1172	#
1173	# server tests
1174	#
1175	for a in ${NSA_IP} ${NSA_LO_IP}
1176	do
1177		log_start
1178		run_cmd nettest -s &
1179		sleep 1
1180		run_cmd_nsb nettest -r ${a}
1181		log_test_addr ${a} $? 0 "Global server"
1182	done
1183
1184	a=${NSA_IP}
1185	log_start
1186	run_cmd nettest -s -I ${NSA_DEV} &
1187	sleep 1
1188	run_cmd_nsb nettest -r ${a}
1189	log_test_addr ${a} $? 0 "Device server"
1190
1191	# verify TCP reset sent and received
1192	for a in ${NSA_IP} ${NSA_LO_IP}
1193	do
1194		log_start
1195		show_hint "Should fail 'Connection refused' since there is no server"
1196		run_cmd_nsb nettest -r ${a}
1197		log_test_addr ${a} $? 1 "No server"
1198	done
1199
1200	#
1201	# client
1202	#
1203	for a in ${NSB_IP} ${NSB_LO_IP}
1204	do
1205		log_start
1206		run_cmd_nsb nettest -s &
1207		sleep 1
1208		run_cmd nettest -r ${a} -0 ${NSA_IP}
1209		log_test_addr ${a} $? 0 "Client"
1210
1211		log_start
1212		run_cmd_nsb nettest -s &
1213		sleep 1
1214		run_cmd nettest -r ${a} -d ${NSA_DEV}
1215		log_test_addr ${a} $? 0 "Client, device bind"
1216
1217		log_start
1218		show_hint "Should fail 'Connection refused'"
1219		run_cmd nettest -r ${a}
1220		log_test_addr ${a} $? 1 "No server, unbound client"
1221
1222		log_start
1223		show_hint "Should fail 'Connection refused'"
1224		run_cmd nettest -r ${a} -d ${NSA_DEV}
1225		log_test_addr ${a} $? 1 "No server, device client"
1226	done
1227
1228	#
1229	# local address tests
1230	#
1231	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
1232	do
1233		log_start
1234		run_cmd nettest -s &
1235		sleep 1
1236		run_cmd nettest -r ${a} -0 ${a} -1 ${a}
1237		log_test_addr ${a} $? 0 "Global server, local connection"
1238	done
1239
1240	a=${NSA_IP}
1241	log_start
1242	run_cmd nettest -s -I ${NSA_DEV} &
1243	sleep 1
1244	run_cmd nettest -r ${a} -0 ${a}
1245	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
1246
1247	for a in ${NSA_LO_IP} 127.0.0.1
1248	do
1249		log_start
1250		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
1251		run_cmd nettest -s -I ${NSA_DEV} &
1252		sleep 1
1253		run_cmd nettest -r ${a}
1254		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
1255	done
1256
1257	a=${NSA_IP}
1258	log_start
1259	run_cmd nettest -s &
1260	sleep 1
1261	run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV}
1262	log_test_addr ${a} $? 0 "Global server, device client, local connection"
1263
1264	for a in ${NSA_LO_IP} 127.0.0.1
1265	do
1266		log_start
1267		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
1268		run_cmd nettest -s &
1269		sleep 1
1270		run_cmd nettest -r ${a} -d ${NSA_DEV}
1271		log_test_addr ${a} $? 1 "Global server, device client, local connection"
1272	done
1273
1274	a=${NSA_IP}
1275	log_start
1276	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1277	sleep 1
1278	run_cmd nettest  -d ${NSA_DEV} -r ${a} -0 ${a}
1279	log_test_addr ${a} $? 0 "Device server, device client, local connection"
1280
1281	log_start
1282	show_hint "Should fail 'Connection refused'"
1283	run_cmd nettest -d ${NSA_DEV} -r ${a}
1284	log_test_addr ${a} $? 1 "No server, device client, local conn"
1285
1286	ipv4_tcp_md5_novrf
1287
1288	ipv4_tcp_dontroute 0
1289	ipv4_tcp_dontroute 2
1290}
1291
1292ipv4_tcp_vrf()
1293{
1294	local a
1295
1296	# disable global server
1297	log_subsection "Global server disabled"
1298
1299	set_sysctl net.ipv4.tcp_l3mdev_accept=0
1300
1301	#
1302	# server tests
1303	#
1304	for a in ${NSA_IP} ${VRF_IP}
1305	do
1306		log_start
1307		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
1308		run_cmd nettest -s &
1309		sleep 1
1310		run_cmd_nsb nettest -r ${a}
1311		log_test_addr ${a} $? 1 "Global server"
1312
1313		log_start
1314		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1315		sleep 1
1316		run_cmd_nsb nettest -r ${a}
1317		log_test_addr ${a} $? 0 "VRF server"
1318
1319		log_start
1320		run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1321		sleep 1
1322		run_cmd_nsb nettest -r ${a}
1323		log_test_addr ${a} $? 0 "Device server"
1324
1325		# verify TCP reset received
1326		log_start
1327		show_hint "Should fail 'Connection refused' since there is no server"
1328		run_cmd_nsb nettest -r ${a}
1329		log_test_addr ${a} $? 1 "No server"
1330	done
1331
1332	# local address tests
1333	# (${VRF_IP} and 127.0.0.1 both timeout)
1334	a=${NSA_IP}
1335	log_start
1336	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
1337	run_cmd nettest -s &
1338	sleep 1
1339	run_cmd nettest -r ${a} -d ${NSA_DEV}
1340	log_test_addr ${a} $? 1 "Global server, local connection"
1341
1342	# run MD5 tests
1343	setup_vrf_dup
1344	ipv4_tcp_md5
1345	cleanup_vrf_dup
1346
1347	#
1348	# enable VRF global server
1349	#
1350	log_subsection "VRF Global server enabled"
1351	set_sysctl net.ipv4.tcp_l3mdev_accept=1
1352
1353	for a in ${NSA_IP} ${VRF_IP}
1354	do
1355		log_start
1356		show_hint "client socket should be bound to VRF"
1357		run_cmd nettest -s -3 ${VRF} &
1358		sleep 1
1359		run_cmd_nsb nettest -r ${a}
1360		log_test_addr ${a} $? 0 "Global server"
1361
1362		log_start
1363		show_hint "client socket should be bound to VRF"
1364		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1365		sleep 1
1366		run_cmd_nsb nettest -r ${a}
1367		log_test_addr ${a} $? 0 "VRF server"
1368
1369		# verify TCP reset received
1370		log_start
1371		show_hint "Should fail 'Connection refused'"
1372		run_cmd_nsb nettest -r ${a}
1373		log_test_addr ${a} $? 1 "No server"
1374	done
1375
1376	a=${NSA_IP}
1377	log_start
1378	show_hint "client socket should be bound to device"
1379	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1380	sleep 1
1381	run_cmd_nsb nettest -r ${a}
1382	log_test_addr ${a} $? 0 "Device server"
1383
1384	# local address tests
1385	for a in ${NSA_IP} ${VRF_IP}
1386	do
1387		log_start
1388		show_hint "Should fail 'Connection refused' since client is not bound to VRF"
1389		run_cmd nettest -s -I ${VRF} &
1390		sleep 1
1391		run_cmd nettest -r ${a}
1392		log_test_addr ${a} $? 1 "Global server, local connection"
1393	done
1394
1395	#
1396	# client
1397	#
1398	for a in ${NSB_IP} ${NSB_LO_IP}
1399	do
1400		log_start
1401		run_cmd_nsb nettest -s &
1402		sleep 1
1403		run_cmd nettest -r ${a} -d ${VRF}
1404		log_test_addr ${a} $? 0 "Client, VRF bind"
1405
1406		log_start
1407		run_cmd_nsb nettest -s &
1408		sleep 1
1409		run_cmd nettest -r ${a} -d ${NSA_DEV}
1410		log_test_addr ${a} $? 0 "Client, device bind"
1411
1412		log_start
1413		show_hint "Should fail 'Connection refused'"
1414		run_cmd nettest -r ${a} -d ${VRF}
1415		log_test_addr ${a} $? 1 "No server, VRF client"
1416
1417		log_start
1418		show_hint "Should fail 'Connection refused'"
1419		run_cmd nettest -r ${a} -d ${NSA_DEV}
1420		log_test_addr ${a} $? 1 "No server, device client"
1421	done
1422
1423	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
1424	do
1425		log_start
1426		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1427		sleep 1
1428		run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
1429		log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
1430	done
1431
1432	a=${NSA_IP}
1433	log_start
1434	run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1435	sleep 1
1436	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
1437	log_test_addr ${a} $? 0 "VRF server, device client, local connection"
1438
1439	log_start
1440	show_hint "Should fail 'No route to host' since client is out of VRF scope"
1441	run_cmd nettest -s -I ${VRF} &
1442	sleep 1
1443	run_cmd nettest -r ${a}
1444	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"
1445
1446	log_start
1447	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1448	sleep 1
1449	run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
1450	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"
1451
1452	log_start
1453	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1454	sleep 1
1455	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
1456	log_test_addr ${a} $? 0 "Device server, device client, local connection"
1457}
1458
1459ipv4_tcp()
1460{
1461	log_section "IPv4/TCP"
1462	log_subsection "No VRF"
1463	setup
1464
1465	# tcp_l3mdev_accept should have no affect without VRF;
1466	# run tests with it enabled and disabled to verify
1467	log_subsection "tcp_l3mdev_accept disabled"
1468	set_sysctl net.ipv4.tcp_l3mdev_accept=0
1469	ipv4_tcp_novrf
1470	log_subsection "tcp_l3mdev_accept enabled"
1471	set_sysctl net.ipv4.tcp_l3mdev_accept=1
1472	ipv4_tcp_novrf
1473
1474	log_subsection "With VRF"
1475	setup "yes"
1476	ipv4_tcp_vrf
1477}
1478
1479################################################################################
1480# IPv4 UDP
1481
1482ipv4_udp_novrf()
1483{
1484	local a
1485
1486	#
1487	# server tests
1488	#
1489	for a in ${NSA_IP} ${NSA_LO_IP}
1490	do
1491		log_start
1492		run_cmd nettest -D -s -3 ${NSA_DEV} &
1493		sleep 1
1494		run_cmd_nsb nettest -D -r ${a}
1495		log_test_addr ${a} $? 0 "Global server"
1496
1497		log_start
1498		show_hint "Should fail 'Connection refused' since there is no server"
1499		run_cmd_nsb nettest -D -r ${a}
1500		log_test_addr ${a} $? 1 "No server"
1501	done
1502
1503	a=${NSA_IP}
1504	log_start
1505	run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
1506	sleep 1
1507	run_cmd_nsb nettest -D -r ${a}
1508	log_test_addr ${a} $? 0 "Device server"
1509
1510	#
1511	# client
1512	#
1513	for a in ${NSB_IP} ${NSB_LO_IP}
1514	do
1515		log_start
1516		run_cmd_nsb nettest -D -s &
1517		sleep 1
1518		run_cmd nettest -D -r ${a} -0 ${NSA_IP}
1519		log_test_addr ${a} $? 0 "Client"
1520
1521		log_start
1522		run_cmd_nsb nettest -D -s &
1523		sleep 1
1524		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP}
1525		log_test_addr ${a} $? 0 "Client, device bind"
1526
1527		log_start
1528		run_cmd_nsb nettest -D -s &
1529		sleep 1
1530		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP}
1531		log_test_addr ${a} $? 0 "Client, device send via cmsg"
1532
1533		log_start
1534		run_cmd_nsb nettest -D -s &
1535		sleep 1
1536		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP}
1537		log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF"
1538
1539		log_start
1540		run_cmd_nsb nettest -D -s &
1541		sleep 1
1542		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} -U
1543		log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF, with connect()"
1544
1545
1546		log_start
1547		show_hint "Should fail 'Connection refused'"
1548		run_cmd nettest -D -r ${a}
1549		log_test_addr ${a} $? 1 "No server, unbound client"
1550
1551		log_start
1552		show_hint "Should fail 'Connection refused'"
1553		run_cmd nettest -D -r ${a} -d ${NSA_DEV}
1554		log_test_addr ${a} $? 1 "No server, device client"
1555	done
1556
1557	#
1558	# local address tests
1559	#
1560	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
1561	do
1562		log_start
1563		run_cmd nettest -D -s &
1564		sleep 1
1565		run_cmd nettest -D -r ${a} -0 ${a} -1 ${a}
1566		log_test_addr ${a} $? 0 "Global server, local connection"
1567	done
1568
1569	a=${NSA_IP}
1570	log_start
1571	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1572	sleep 1
1573	run_cmd nettest -D -r ${a}
1574	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
1575
1576	for a in ${NSA_LO_IP} 127.0.0.1
1577	do
1578		log_start
1579		show_hint "Should fail 'Connection refused' since address is out of device scope"
1580		run_cmd nettest -s -D -I ${NSA_DEV} &
1581		sleep 1
1582		run_cmd nettest -D -r ${a}
1583		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
1584	done
1585
1586	a=${NSA_IP}
1587	log_start
1588	run_cmd nettest -s -D &
1589	sleep 1
1590	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1591	log_test_addr ${a} $? 0 "Global server, device client, local connection"
1592
1593	log_start
1594	run_cmd nettest -s -D &
1595	sleep 1
1596	run_cmd nettest -D -d ${NSA_DEV} -C -r ${a}
1597	log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"
1598
1599	log_start
1600	run_cmd nettest -s -D &
1601	sleep 1
1602	run_cmd nettest -D -d ${NSA_DEV} -S -r ${a}
1603	log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection"
1604
1605	log_start
1606	run_cmd nettest -s -D &
1607	sleep 1
1608	run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} -U
1609	log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"
1610
1611
1612	# IPv4 with device bind has really weird behavior - it overrides the
1613	# fib lookup, generates an rtable and tries to send the packet. This
1614	# causes failures for local traffic at different places
1615	for a in ${NSA_LO_IP} 127.0.0.1
1616	do
1617		log_start
1618		show_hint "Should fail since addresses on loopback are out of device scope"
1619		run_cmd nettest -D -s &
1620		sleep 1
1621		run_cmd nettest -D -r ${a} -d ${NSA_DEV}
1622		log_test_addr ${a} $? 2 "Global server, device client, local connection"
1623
1624		log_start
1625		show_hint "Should fail since addresses on loopback are out of device scope"
1626		run_cmd nettest -D -s &
1627		sleep 1
1628		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C
1629		log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"
1630
1631		log_start
1632		show_hint "Should fail since addresses on loopback are out of device scope"
1633		run_cmd nettest -D -s &
1634		sleep 1
1635		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S
1636		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
1637
1638		log_start
1639		show_hint "Should fail since addresses on loopback are out of device scope"
1640		run_cmd nettest -D -s &
1641		sleep 1
1642		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -U
1643		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"
1644
1645
1646	done
1647
1648	a=${NSA_IP}
1649	log_start
1650	run_cmd nettest -D -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1651	sleep 1
1652	run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a}
1653	log_test_addr ${a} $? 0 "Device server, device client, local conn"
1654
1655	log_start
1656	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1657	log_test_addr ${a} $? 2 "No server, device client, local conn"
1658
1659	#
1660	# Link local connection tests (SO_DONTROUTE).
1661	# Connections should succeed only when the remote IP address is
1662	# on link (doesn't need to be routed through a gateway).
1663	#
1664
1665	a=${NSB_IP}
1666	log_start
1667	do_run_cmd nettest -B -D -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute
1668	log_test_addr ${a} $? 0 "SO_DONTROUTE client"
1669
1670	a=${NSB_LO_IP}
1671	log_start
1672	show_hint "Should fail 'Network is unreachable' since server is not on link"
1673	do_run_cmd nettest -B -D -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute
1674	log_test_addr ${a} $? 1 "SO_DONTROUTE client"
1675}
1676
1677ipv4_udp_vrf()
1678{
1679	local a
1680
1681	# disable global server
1682	log_subsection "Global server disabled"
1683	set_sysctl net.ipv4.udp_l3mdev_accept=0
1684
1685	#
1686	# server tests
1687	#
1688	for a in ${NSA_IP} ${VRF_IP}
1689	do
1690		log_start
1691		show_hint "Fails because ingress is in a VRF and global server is disabled"
1692		run_cmd nettest -D -s &
1693		sleep 1
1694		run_cmd_nsb nettest -D -r ${a}
1695		log_test_addr ${a} $? 1 "Global server"
1696
1697		log_start
1698		run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
1699		sleep 1
1700		run_cmd_nsb nettest -D -r ${a}
1701		log_test_addr ${a} $? 0 "VRF server"
1702
1703		log_start
1704		run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
1705		sleep 1
1706		run_cmd_nsb nettest -D -r ${a}
1707		log_test_addr ${a} $? 0 "Enslaved device server"
1708
1709		log_start
1710		show_hint "Should fail 'Connection refused' since there is no server"
1711		run_cmd_nsb nettest -D -r ${a}
1712		log_test_addr ${a} $? 1 "No server"
1713
1714		log_start
1715		show_hint "Should fail 'Connection refused' since global server is out of scope"
1716		run_cmd nettest -D -s &
1717		sleep 1
1718		run_cmd nettest -D -d ${VRF} -r ${a}
1719		log_test_addr ${a} $? 1 "Global server, VRF client, local connection"
1720	done
1721
1722	a=${NSA_IP}
1723	log_start
1724	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1725	sleep 1
1726	run_cmd nettest -D -d ${VRF} -r ${a}
1727	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1728
1729	log_start
1730	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1731	sleep 1
1732	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1733	log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection"
1734
1735	a=${NSA_IP}
1736	log_start
1737	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1738	sleep 1
1739	run_cmd nettest -D -d ${VRF} -r ${a}
1740	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
1741
1742	log_start
1743	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1744	sleep 1
1745	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1746	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
1747
1748	# enable global server
1749	log_subsection "Global server enabled"
1750	set_sysctl net.ipv4.udp_l3mdev_accept=1
1751
1752	#
1753	# server tests
1754	#
1755	for a in ${NSA_IP} ${VRF_IP}
1756	do
1757		log_start
1758		run_cmd nettest -D -s -3 ${NSA_DEV} &
1759		sleep 1
1760		run_cmd_nsb nettest -D -r ${a}
1761		log_test_addr ${a} $? 0 "Global server"
1762
1763		log_start
1764		run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
1765		sleep 1
1766		run_cmd_nsb nettest -D -r ${a}
1767		log_test_addr ${a} $? 0 "VRF server"
1768
1769		log_start
1770		run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
1771		sleep 1
1772		run_cmd_nsb nettest -D -r ${a}
1773		log_test_addr ${a} $? 0 "Enslaved device server"
1774
1775		log_start
1776		show_hint "Should fail 'Connection refused'"
1777		run_cmd_nsb nettest -D -r ${a}
1778		log_test_addr ${a} $? 1 "No server"
1779	done
1780
1781	#
1782	# client tests
1783	#
1784	log_start
1785	run_cmd_nsb nettest -D -s &
1786	sleep 1
1787	run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP}
1788	log_test $? 0 "VRF client"
1789
1790	log_start
1791	run_cmd_nsb nettest -D -s &
1792	sleep 1
1793	run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP}
1794	log_test $? 0 "Enslaved device client"
1795
1796	# negative test - should fail
1797	log_start
1798	show_hint "Should fail 'Connection refused'"
1799	run_cmd nettest -D -d ${VRF} -r ${NSB_IP}
1800	log_test $? 1 "No server, VRF client"
1801
1802	log_start
1803	show_hint "Should fail 'Connection refused'"
1804	run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP}
1805	log_test $? 1 "No server, enslaved device client"
1806
1807	#
1808	# local address tests
1809	#
1810	a=${NSA_IP}
1811	log_start
1812	run_cmd nettest -D -s -3 ${NSA_DEV} &
1813	sleep 1
1814	run_cmd nettest -D -d ${VRF} -r ${a}
1815	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
1816
1817	log_start
1818	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1819	sleep 1
1820	run_cmd nettest -D -d ${VRF} -r ${a}
1821	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1822
1823	log_start
1824	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1825	sleep 1
1826	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1827	log_test_addr ${a} $? 0 "VRF server, device client, local conn"
1828
1829	log_start
1830	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1831	sleep 1
1832	run_cmd nettest -D -d ${VRF} -r ${a}
1833	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
1834
1835	log_start
1836	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1837	sleep 1
1838	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1839	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
1840
1841	for a in ${VRF_IP} 127.0.0.1
1842	do
1843		log_start
1844		run_cmd nettest -D -s -3 ${VRF} &
1845		sleep 1
1846		run_cmd nettest -D -d ${VRF} -r ${a}
1847		log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
1848	done
1849
1850	for a in ${VRF_IP} 127.0.0.1
1851	do
1852		log_start
1853		run_cmd nettest -s -D -I ${VRF} -3 ${VRF} &
1854		sleep 1
1855		run_cmd nettest -D -d ${VRF} -r ${a}
1856		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1857	done
1858
1859	# negative test - should fail
1860	# verifies ECONNREFUSED
1861	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
1862	do
1863		log_start
1864		show_hint "Should fail 'Connection refused'"
1865		run_cmd nettest -D -d ${VRF} -r ${a}
1866		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
1867	done
1868}
1869
1870ipv4_udp()
1871{
1872	log_section "IPv4/UDP"
1873	log_subsection "No VRF"
1874
1875	setup
1876
1877	# udp_l3mdev_accept should have no affect without VRF;
1878	# run tests with it enabled and disabled to verify
1879	log_subsection "udp_l3mdev_accept disabled"
1880	set_sysctl net.ipv4.udp_l3mdev_accept=0
1881	ipv4_udp_novrf
1882	log_subsection "udp_l3mdev_accept enabled"
1883	set_sysctl net.ipv4.udp_l3mdev_accept=1
1884	ipv4_udp_novrf
1885
1886	log_subsection "With VRF"
1887	setup "yes"
1888	ipv4_udp_vrf
1889}
1890
1891################################################################################
1892# IPv4 address bind
1893#
1894# verifies ability or inability to bind to an address / device
1895
1896ipv4_addr_bind_novrf()
1897{
1898	#
1899	# raw socket
1900	#
1901	for a in ${NSA_IP} ${NSA_LO_IP}
1902	do
1903		log_start
1904		run_cmd nettest -s -R -P icmp -l ${a} -b
1905		log_test_addr ${a} $? 0 "Raw socket bind to local address"
1906
1907		log_start
1908		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
1909		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
1910	done
1911
1912	#
1913	# tests for nonlocal bind
1914	#
1915	a=${NL_IP}
1916	log_start
1917	run_cmd nettest -s -R -f -l ${a} -b
1918	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"
1919
1920	log_start
1921	run_cmd nettest -s -f -l ${a} -b
1922	log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address"
1923
1924	log_start
1925	run_cmd nettest -s -D -P icmp -f -l ${a} -b
1926	log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address"
1927
1928	#
1929	# check that ICMP sockets cannot bind to broadcast and multicast addresses
1930	#
1931	a=${BCAST_IP}
1932	log_start
1933	run_cmd nettest -s -D -P icmp -l ${a} -b
1934	log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address"
1935
1936	a=${MCAST_IP}
1937	log_start
1938	run_cmd nettest -s -D -P icmp -l ${a} -b
1939	log_test_addr ${a} $? 1 "ICMP socket bind to multicast address"
1940
1941	#
1942	# tcp sockets
1943	#
1944	a=${NSA_IP}
1945	log_start
1946	run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b
1947	log_test_addr ${a} $? 0 "TCP socket bind to local address"
1948
1949	log_start
1950	run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b
1951	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
1952
1953	# Sadly, the kernel allows binding a socket to a device and then
1954	# binding to an address not on the device. The only restriction
1955	# is that the address is valid in the L3 domain. So this test
1956	# passes when it really should not
1957	#a=${NSA_LO_IP}
1958	#log_start
1959	#show_hint "Should fail with 'Cannot assign requested address'"
1960	#run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
1961	#log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
1962}
1963
1964ipv4_addr_bind_vrf()
1965{
1966	#
1967	# raw socket
1968	#
1969	for a in ${NSA_IP} ${VRF_IP}
1970	do
1971		log_start
1972		show_hint "Socket not bound to VRF, but address is in VRF"
1973		run_cmd nettest -s -R -P icmp -l ${a} -b
1974		log_test_addr ${a} $? 1 "Raw socket bind to local address"
1975
1976		log_start
1977		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
1978		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
1979		log_start
1980		run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
1981		log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind"
1982	done
1983
1984	a=${NSA_LO_IP}
1985	log_start
1986	show_hint "Address on loopback is out of VRF scope"
1987	run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
1988	log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind"
1989
1990	#
1991	# tests for nonlocal bind
1992	#
1993	a=${NL_IP}
1994	log_start
1995	run_cmd nettest -s -R -f -l ${a} -I ${VRF} -b
1996	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"
1997
1998	log_start
1999	run_cmd nettest -s -f -l ${a} -I ${VRF} -b
2000	log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address after VRF bind"
2001
2002	log_start
2003	run_cmd nettest -s -D -P icmp -f -l ${a} -I ${VRF} -b
2004	log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address after VRF bind"
2005
2006	#
2007	# check that ICMP sockets cannot bind to broadcast and multicast addresses
2008	#
2009	a=${BCAST_IP}
2010	log_start
2011	run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
2012	log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address after VRF bind"
2013
2014	a=${MCAST_IP}
2015	log_start
2016	run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
2017	log_test_addr ${a} $? 1 "ICMP socket bind to multicast address after VRF bind"
2018
2019	#
2020	# tcp sockets
2021	#
2022	for a in ${NSA_IP} ${VRF_IP}
2023	do
2024		log_start
2025		run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
2026		log_test_addr ${a} $? 0 "TCP socket bind to local address"
2027
2028		log_start
2029		run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
2030		log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
2031	done
2032
2033	a=${NSA_LO_IP}
2034	log_start
2035	show_hint "Address on loopback out of scope for VRF"
2036	run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
2037	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"
2038
2039	log_start
2040	show_hint "Address on loopback out of scope for device in VRF"
2041	run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
2042	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
2043}
2044
2045ipv4_addr_bind()
2046{
2047	log_section "IPv4 address binds"
2048
2049	log_subsection "No VRF"
2050	setup
2051	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
2052	ipv4_addr_bind_novrf
2053
2054	log_subsection "With VRF"
2055	setup "yes"
2056	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
2057	ipv4_addr_bind_vrf
2058}
2059
2060################################################################################
2061# IPv4 runtime tests
2062
2063ipv4_rt()
2064{
2065	local desc="$1"
2066	local varg="$2"
2067	local with_vrf="yes"
2068	local a
2069
2070	#
2071	# server tests
2072	#
2073	for a in ${NSA_IP} ${VRF_IP}
2074	do
2075		log_start
2076		run_cmd nettest ${varg} -s &
2077		sleep 1
2078		run_cmd_nsb nettest ${varg} -r ${a} &
2079		sleep 3
2080		run_cmd ip link del ${VRF}
2081		sleep 1
2082		log_test_addr ${a} 0 0 "${desc}, global server"
2083
2084		setup ${with_vrf}
2085	done
2086
2087	for a in ${NSA_IP} ${VRF_IP}
2088	do
2089		log_start
2090		run_cmd nettest ${varg} -s -I ${VRF} &
2091		sleep 1
2092		run_cmd_nsb nettest ${varg} -r ${a} &
2093		sleep 3
2094		run_cmd ip link del ${VRF}
2095		sleep 1
2096		log_test_addr ${a} 0 0 "${desc}, VRF server"
2097
2098		setup ${with_vrf}
2099	done
2100
2101	a=${NSA_IP}
2102	log_start
2103	run_cmd nettest ${varg} -s -I ${NSA_DEV} &
2104	sleep 1
2105	run_cmd_nsb nettest ${varg} -r ${a} &
2106	sleep 3
2107	run_cmd ip link del ${VRF}
2108	sleep 1
2109	log_test_addr ${a} 0 0 "${desc}, enslaved device server"
2110
2111	setup ${with_vrf}
2112
2113	#
2114	# client test
2115	#
2116	log_start
2117	run_cmd_nsb nettest ${varg} -s &
2118	sleep 1
2119	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} &
2120	sleep 3
2121	run_cmd ip link del ${VRF}
2122	sleep 1
2123	log_test_addr ${a} 0 0 "${desc}, VRF client"
2124
2125	setup ${with_vrf}
2126
2127	log_start
2128	run_cmd_nsb nettest ${varg} -s &
2129	sleep 1
2130	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} &
2131	sleep 3
2132	run_cmd ip link del ${VRF}
2133	sleep 1
2134	log_test_addr ${a} 0 0 "${desc}, enslaved device client"
2135
2136	setup ${with_vrf}
2137
2138	#
2139	# local address tests
2140	#
2141	for a in ${NSA_IP} ${VRF_IP}
2142	do
2143		log_start
2144		run_cmd nettest ${varg} -s &
2145		sleep 1
2146		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
2147		sleep 3
2148		run_cmd ip link del ${VRF}
2149		sleep 1
2150		log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local"
2151
2152		setup ${with_vrf}
2153	done
2154
2155	for a in ${NSA_IP} ${VRF_IP}
2156	do
2157		log_start
2158		run_cmd nettest ${varg} -I ${VRF} -s &
2159		sleep 1
2160		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
2161		sleep 3
2162		run_cmd ip link del ${VRF}
2163		sleep 1
2164		log_test_addr ${a} 0 0 "${desc}, VRF server and client, local"
2165
2166		setup ${with_vrf}
2167	done
2168
2169	a=${NSA_IP}
2170	log_start
2171
2172	run_cmd nettest ${varg} -s &
2173	sleep 1
2174	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
2175	sleep 3
2176	run_cmd ip link del ${VRF}
2177	sleep 1
2178	log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local"
2179
2180	setup ${with_vrf}
2181
2182	log_start
2183	run_cmd nettest ${varg} -I ${VRF} -s &
2184	sleep 1
2185	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
2186	sleep 3
2187	run_cmd ip link del ${VRF}
2188	sleep 1
2189	log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local"
2190
2191	setup ${with_vrf}
2192
2193	log_start
2194	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
2195	sleep 1
2196	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
2197	sleep 3
2198	run_cmd ip link del ${VRF}
2199	sleep 1
2200	log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local"
2201}
2202
2203ipv4_ping_rt()
2204{
2205	local with_vrf="yes"
2206	local a
2207
2208	for a in ${NSA_IP} ${VRF_IP}
2209	do
2210		log_start
2211		run_cmd_nsb ping -f ${a} &
2212		sleep 3
2213		run_cmd ip link del ${VRF}
2214		sleep 1
2215		log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"
2216
2217		setup ${with_vrf}
2218	done
2219
2220	a=${NSB_IP}
2221	log_start
2222	run_cmd ping -f -I ${VRF} ${a} &
2223	sleep 3
2224	run_cmd ip link del ${VRF}
2225	sleep 1
2226	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
2227}
2228
2229ipv4_runtime()
2230{
2231	log_section "Run time tests - ipv4"
2232
2233	setup "yes"
2234	ipv4_ping_rt
2235
2236	setup "yes"
2237	ipv4_rt "TCP active socket"  "-n -1"
2238
2239	setup "yes"
2240	ipv4_rt "TCP passive socket" "-i"
2241}
2242
2243################################################################################
2244# IPv6
2245
2246ipv6_ping_novrf()
2247{
2248	local a
2249
2250	# should not have an impact, but make a known state
2251	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null
2252
2253	#
2254	# out
2255	#
2256	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2257	do
2258		log_start
2259		run_cmd ${ping6} -c1 -w1 ${a}
2260		log_test_addr ${a} $? 0 "ping out"
2261	done
2262
2263	for a in ${NSB_IP6} ${NSB_LO_IP6}
2264	do
2265		log_start
2266		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2267		log_test_addr ${a} $? 0 "ping out, device bind"
2268
2269		log_start
2270		run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a}
2271		log_test_addr ${a} $? 0 "ping out, loopback address bind"
2272	done
2273
2274	#
2275	# in
2276	#
2277	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
2278	do
2279		log_start
2280		run_cmd_nsb ${ping6} -c1 -w1 ${a}
2281		log_test_addr ${a} $? 0 "ping in"
2282	done
2283
2284	#
2285	# local traffic, local address
2286	#
2287	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2288	do
2289		log_start
2290		run_cmd ${ping6} -c1 -w1 ${a}
2291		log_test_addr ${a} $? 0 "ping local, no bind"
2292	done
2293
2294	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2295	do
2296		log_start
2297		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2298		log_test_addr ${a} $? 0 "ping local, device bind"
2299	done
2300
2301	for a in ${NSA_LO_IP6} ::1
2302	do
2303		log_start
2304		show_hint "Fails since address on loopback is out of device scope"
2305		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2306		log_test_addr ${a} $? 2 "ping local, device bind"
2307	done
2308
2309	#
2310	# ip rule blocks address
2311	#
2312	log_start
2313	setup_cmd ip -6 rule add pref 32765 from all lookup local
2314	setup_cmd ip -6 rule del pref 0 from all lookup local
2315	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
2316	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit
2317
2318	a=${NSB_LO_IP6}
2319	run_cmd ${ping6} -c1 -w1 ${a}
2320	log_test_addr ${a} $? 2 "ping out, blocked by rule"
2321
2322	log_start
2323	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2324	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
2325
2326	a=${NSA_LO_IP6}
2327	log_start
2328	show_hint "Response lost due to ip rule"
2329	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2330	log_test_addr ${a} $? 1 "ping in, blocked by rule"
2331
2332	setup_cmd ip -6 rule add pref 0 from all lookup local
2333	setup_cmd ip -6 rule del pref 32765 from all lookup local
2334	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
2335	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit
2336
2337	#
2338	# route blocks reachability to remote address
2339	#
2340	log_start
2341	setup_cmd ip -6 route del ${NSB_LO_IP6}
2342	setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10
2343	setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10
2344
2345	a=${NSB_LO_IP6}
2346	run_cmd ${ping6} -c1 -w1 ${a}
2347	log_test_addr ${a} $? 2 "ping out, blocked by route"
2348
2349	log_start
2350	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2351	log_test_addr ${a} $? 2 "ping out, device bind, blocked by route"
2352
2353	a=${NSA_LO_IP6}
2354	log_start
2355	show_hint "Response lost due to ip route"
2356	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2357	log_test_addr ${a} $? 1 "ping in, blocked by route"
2358
2359
2360	#
2361	# remove 'remote' routes; fallback to default
2362	#
2363	log_start
2364	setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6}
2365	setup_cmd ip -6 ro del unreachable ${NSB_IP6}
2366
2367	a=${NSB_LO_IP6}
2368	run_cmd ${ping6} -c1 -w1 ${a}
2369	log_test_addr ${a} $? 2 "ping out, unreachable route"
2370
2371	log_start
2372	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2373	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
2374}
2375
2376ipv6_ping_vrf()
2377{
2378	local a
2379
2380	# should default on; does not exist on older kernels
2381	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
2382
2383	#
2384	# out
2385	#
2386	for a in ${NSB_IP6} ${NSB_LO_IP6}
2387	do
2388		log_start
2389		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
2390		log_test_addr ${a} $? 0 "ping out, VRF bind"
2391	done
2392
2393	for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF}
2394	do
2395		log_start
2396		show_hint "Fails since VRF device does not support linklocal or multicast"
2397		run_cmd ${ping6} -c1 -w1 ${a}
2398		log_test_addr ${a} $? 1 "ping out, VRF bind"
2399	done
2400
2401	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2402	do
2403		log_start
2404		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2405		log_test_addr ${a} $? 0 "ping out, device bind"
2406	done
2407
2408	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2409	do
2410		log_start
2411		run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a}
2412		log_test_addr ${a} $? 0 "ping out, vrf device+address bind"
2413	done
2414
2415	#
2416	# in
2417	#
2418	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
2419	do
2420		log_start
2421		run_cmd_nsb ${ping6} -c1 -w1 ${a}
2422		log_test_addr ${a} $? 0 "ping in"
2423	done
2424
2425	a=${NSA_LO_IP6}
2426	log_start
2427	show_hint "Fails since loopback address is out of VRF scope"
2428	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2429	log_test_addr ${a} $? 1 "ping in"
2430
2431	#
2432	# local traffic, local address
2433	#
2434	for a in ${NSA_IP6} ${VRF_IP6} ::1
2435	do
2436		log_start
2437		show_hint "Source address should be ${a}"
2438		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
2439		log_test_addr ${a} $? 0 "ping local, VRF bind"
2440	done
2441
2442	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2443	do
2444		log_start
2445		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2446		log_test_addr ${a} $? 0 "ping local, device bind"
2447	done
2448
2449	# LLA to GUA - remove ipv6 global addresses from ns-B
2450	setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
2451	setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo
2452	setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
2453
2454	for a in ${NSA_IP6} ${VRF_IP6}
2455	do
2456		log_start
2457		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
2458		log_test_addr ${a} $? 0 "ping in, LLA to GUA"
2459	done
2460
2461	setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
2462	setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV}
2463	setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo
2464
2465	#
2466	# ip rule blocks address
2467	#
2468	log_start
2469	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
2470	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit
2471
2472	a=${NSB_LO_IP6}
2473	run_cmd ${ping6} -c1 -w1 ${a}
2474	log_test_addr ${a} $? 2 "ping out, blocked by rule"
2475
2476	log_start
2477	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2478	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
2479
2480	a=${NSA_LO_IP6}
2481	log_start
2482	show_hint "Response lost due to ip rule"
2483	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2484	log_test_addr ${a} $? 1 "ping in, blocked by rule"
2485
2486	log_start
2487	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
2488	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit
2489
2490	#
2491	# remove 'remote' routes; fallback to default
2492	#
2493	log_start
2494	setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF}
2495
2496	a=${NSB_LO_IP6}
2497	run_cmd ${ping6} -c1 -w1 ${a}
2498	log_test_addr ${a} $? 2 "ping out, unreachable route"
2499
2500	log_start
2501	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2502	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
2503
2504	ip -netns ${NSB} -6 ro del ${NSA_LO_IP6}
2505	a=${NSA_LO_IP6}
2506	log_start
2507	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2508	log_test_addr ${a} $? 2 "ping in, unreachable route"
2509}
2510
2511ipv6_ping()
2512{
2513	log_section "IPv6 ping"
2514
2515	log_subsection "No VRF"
2516	setup
2517	ipv6_ping_novrf
2518	setup
2519	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
2520	ipv6_ping_novrf
2521
2522	log_subsection "With VRF"
2523	setup "yes"
2524	ipv6_ping_vrf
2525	setup "yes"
2526	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
2527	ipv6_ping_vrf
2528}
2529
2530################################################################################
2531# IPv6 TCP
2532
2533#
2534# MD5 tests without VRF
2535#
2536ipv6_tcp_md5_novrf()
2537{
2538	#
2539	# single address
2540	#
2541
2542	# basic use case
2543	log_start
2544	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
2545	sleep 1
2546	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2547	log_test $? 0 "MD5: Single address config"
2548
2549	# client sends MD5, server not configured
2550	log_start
2551	show_hint "Should timeout due to MD5 mismatch"
2552	run_cmd nettest -6 -s &
2553	sleep 1
2554	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2555	log_test $? 2 "MD5: Server no config, client uses password"
2556
2557	# wrong password
2558	log_start
2559	show_hint "Should timeout since client uses wrong password"
2560	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
2561	sleep 1
2562	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2563	log_test $? 2 "MD5: Client uses wrong password"
2564
2565	# client from different address
2566	log_start
2567	show_hint "Should timeout due to MD5 mismatch"
2568	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} &
2569	sleep 1
2570	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2571	log_test $? 2 "MD5: Client address does not match address configured with password"
2572
2573	#
2574	# MD5 extension - prefix length
2575	#
2576
2577	# client in prefix
2578	log_start
2579	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2580	sleep 1
2581	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2582	log_test $? 0 "MD5: Prefix config"
2583
2584	# client in prefix, wrong password
2585	log_start
2586	show_hint "Should timeout since client uses wrong password"
2587	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2588	sleep 1
2589	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2590	log_test $? 2 "MD5: Prefix config, client uses wrong password"
2591
2592	# client outside of prefix
2593	log_start
2594	show_hint "Should timeout due to MD5 mismatch"
2595	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2596	sleep 1
2597	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
2598	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
2599}
2600
2601#
2602# MD5 tests with VRF
2603#
2604ipv6_tcp_md5()
2605{
2606	#
2607	# single address
2608	#
2609
2610	# basic use case
2611	log_start
2612	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2613	sleep 1
2614	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2615	log_test $? 0 "MD5: VRF: Single address config"
2616
2617	# client sends MD5, server not configured
2618	log_start
2619	show_hint "Should timeout since server does not have MD5 auth"
2620	run_cmd nettest -6 -s -I ${VRF} &
2621	sleep 1
2622	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2623	log_test $? 2 "MD5: VRF: Server no config, client uses password"
2624
2625	# wrong password
2626	log_start
2627	show_hint "Should timeout since client uses wrong password"
2628	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2629	sleep 1
2630	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2631	log_test $? 2 "MD5: VRF: Client uses wrong password"
2632
2633	# client from different address
2634	log_start
2635	show_hint "Should timeout since server config differs from client"
2636	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} &
2637	sleep 1
2638	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2639	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"
2640
2641	#
2642	# MD5 extension - prefix length
2643	#
2644
2645	# client in prefix
2646	log_start
2647	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2648	sleep 1
2649	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2650	log_test $? 0 "MD5: VRF: Prefix config"
2651
2652	# client in prefix, wrong password
2653	log_start
2654	show_hint "Should timeout since client uses wrong password"
2655	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2656	sleep 1
2657	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2658	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"
2659
2660	# client outside of prefix
2661	log_start
2662	show_hint "Should timeout since client address is outside of prefix"
2663	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2664	sleep 1
2665	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
2666	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"
2667
2668	#
2669	# duplicate config between default VRF and a VRF
2670	#
2671
2672	log_start
2673	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2674	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2675	sleep 1
2676	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2677	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"
2678
2679	log_start
2680	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2681	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2682	sleep 1
2683	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2684	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"
2685
2686	log_start
2687	show_hint "Should timeout since client in default VRF uses VRF password"
2688	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2689	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2690	sleep 1
2691	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2692	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"
2693
2694	log_start
2695	show_hint "Should timeout since client in VRF uses default VRF password"
2696	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2697	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2698	sleep 1
2699	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2700	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"
2701
2702	log_start
2703	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2704	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2705	sleep 1
2706	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2707	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"
2708
2709	log_start
2710	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2711	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2712	sleep 1
2713	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2714	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"
2715
2716	log_start
2717	show_hint "Should timeout since client in default VRF uses VRF password"
2718	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2719	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2720	sleep 1
2721	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2722	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"
2723
2724	log_start
2725	show_hint "Should timeout since client in VRF uses default VRF password"
2726	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2727	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2728	sleep 1
2729	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2730	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"
2731
2732	#
2733	# negative tests
2734	#
2735	log_start
2736	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6}
2737	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"
2738
2739	log_start
2740	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6}
2741	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"
2742
2743}
2744
2745ipv6_tcp_novrf()
2746{
2747	local a
2748
2749	#
2750	# server tests
2751	#
2752	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2753	do
2754		log_start
2755		run_cmd nettest -6 -s &
2756		sleep 1
2757		run_cmd_nsb nettest -6 -r ${a}
2758		log_test_addr ${a} $? 0 "Global server"
2759	done
2760
2761	# verify TCP reset received
2762	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2763	do
2764		log_start
2765		show_hint "Should fail 'Connection refused'"
2766		run_cmd_nsb nettest -6 -r ${a}
2767		log_test_addr ${a} $? 1 "No server"
2768	done
2769
2770	#
2771	# client
2772	#
2773	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2774	do
2775		log_start
2776		run_cmd_nsb nettest -6 -s &
2777		sleep 1
2778		run_cmd nettest -6 -r ${a}
2779		log_test_addr ${a} $? 0 "Client"
2780	done
2781
2782	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2783	do
2784		log_start
2785		run_cmd_nsb nettest -6 -s &
2786		sleep 1
2787		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2788		log_test_addr ${a} $? 0 "Client, device bind"
2789	done
2790
2791	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2792	do
2793		log_start
2794		show_hint "Should fail 'Connection refused'"
2795		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2796		log_test_addr ${a} $? 1 "No server, device client"
2797	done
2798
2799	#
2800	# local address tests
2801	#
2802	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
2803	do
2804		log_start
2805		run_cmd nettest -6 -s &
2806		sleep 1
2807		run_cmd nettest -6 -r ${a}
2808		log_test_addr ${a} $? 0 "Global server, local connection"
2809	done
2810
2811	a=${NSA_IP6}
2812	log_start
2813	run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2814	sleep 1
2815	run_cmd nettest -6 -r ${a} -0 ${a}
2816	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
2817
2818	for a in ${NSA_LO_IP6} ::1
2819	do
2820		log_start
2821		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
2822		run_cmd nettest -6 -s -I ${NSA_DEV} &
2823		sleep 1
2824		run_cmd nettest -6 -r ${a}
2825		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
2826	done
2827
2828	a=${NSA_IP6}
2829	log_start
2830	run_cmd nettest -6 -s &
2831	sleep 1
2832	run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
2833	log_test_addr ${a} $? 0 "Global server, device client, local connection"
2834
2835	for a in ${NSA_LO_IP6} ::1
2836	do
2837		log_start
2838		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
2839		run_cmd nettest -6 -s &
2840		sleep 1
2841		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2842		log_test_addr ${a} $? 1 "Global server, device client, local connection"
2843	done
2844
2845	for a in ${NSA_IP6} ${NSA_LINKIP6}
2846	do
2847		log_start
2848		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2849		sleep 1
2850		run_cmd nettest -6  -d ${NSA_DEV} -r ${a}
2851		log_test_addr ${a} $? 0 "Device server, device client, local conn"
2852	done
2853
2854	for a in ${NSA_IP6} ${NSA_LINKIP6}
2855	do
2856		log_start
2857		show_hint "Should fail 'Connection refused'"
2858		run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
2859		log_test_addr ${a} $? 1 "No server, device client, local conn"
2860	done
2861
2862	ipv6_tcp_md5_novrf
2863}
2864
2865ipv6_tcp_vrf()
2866{
2867	local a
2868
2869	# disable global server
2870	log_subsection "Global server disabled"
2871
2872	set_sysctl net.ipv4.tcp_l3mdev_accept=0
2873
2874	#
2875	# server tests
2876	#
2877	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2878	do
2879		log_start
2880		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
2881		run_cmd nettest -6 -s &
2882		sleep 1
2883		run_cmd_nsb nettest -6 -r ${a}
2884		log_test_addr ${a} $? 1 "Global server"
2885	done
2886
2887	for a in ${NSA_IP6} ${VRF_IP6}
2888	do
2889		log_start
2890		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
2891		sleep 1
2892		run_cmd_nsb nettest -6 -r ${a}
2893		log_test_addr ${a} $? 0 "VRF server"
2894	done
2895
2896	# link local is always bound to ingress device
2897	a=${NSA_LINKIP6}%${NSB_DEV}
2898	log_start
2899	run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} &
2900	sleep 1
2901	run_cmd_nsb nettest -6 -r ${a}
2902	log_test_addr ${a} $? 0 "VRF server"
2903
2904	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2905	do
2906		log_start
2907		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2908		sleep 1
2909		run_cmd_nsb nettest -6 -r ${a}
2910		log_test_addr ${a} $? 0 "Device server"
2911	done
2912
2913	# verify TCP reset received
2914	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2915	do
2916		log_start
2917		show_hint "Should fail 'Connection refused'"
2918		run_cmd_nsb nettest -6 -r ${a}
2919		log_test_addr ${a} $? 1 "No server"
2920	done
2921
2922	# local address tests
2923	a=${NSA_IP6}
2924	log_start
2925	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
2926	run_cmd nettest -6 -s &
2927	sleep 1
2928	run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2929	log_test_addr ${a} $? 1 "Global server, local connection"
2930
2931	# run MD5 tests
2932	setup_vrf_dup
2933	ipv6_tcp_md5
2934	cleanup_vrf_dup
2935
2936	#
2937	# enable VRF global server
2938	#
2939	log_subsection "VRF Global server enabled"
2940	set_sysctl net.ipv4.tcp_l3mdev_accept=1
2941
2942	for a in ${NSA_IP6} ${VRF_IP6}
2943	do
2944		log_start
2945		run_cmd nettest -6 -s -3 ${VRF} &
2946		sleep 1
2947		run_cmd_nsb nettest -6 -r ${a}
2948		log_test_addr ${a} $? 0 "Global server"
2949	done
2950
2951	for a in ${NSA_IP6} ${VRF_IP6}
2952	do
2953		log_start
2954		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
2955		sleep 1
2956		run_cmd_nsb nettest -6 -r ${a}
2957		log_test_addr ${a} $? 0 "VRF server"
2958	done
2959
2960	# For LLA, child socket is bound to device
2961	a=${NSA_LINKIP6}%${NSB_DEV}
2962	log_start
2963	run_cmd nettest -6 -s -3 ${NSA_DEV} &
2964	sleep 1
2965	run_cmd_nsb nettest -6 -r ${a}
2966	log_test_addr ${a} $? 0 "Global server"
2967
2968	log_start
2969	run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} &
2970	sleep 1
2971	run_cmd_nsb nettest -6 -r ${a}
2972	log_test_addr ${a} $? 0 "VRF server"
2973
2974	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2975	do
2976		log_start
2977		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2978		sleep 1
2979		run_cmd_nsb nettest -6 -r ${a}
2980		log_test_addr ${a} $? 0 "Device server"
2981	done
2982
2983	# verify TCP reset received
2984	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2985	do
2986		log_start
2987		show_hint "Should fail 'Connection refused'"
2988		run_cmd_nsb nettest -6 -r ${a}
2989		log_test_addr ${a} $? 1 "No server"
2990	done
2991
2992	# local address tests
2993	for a in ${NSA_IP6} ${VRF_IP6}
2994	do
2995		log_start
2996		show_hint "Fails 'Connection refused' since client is not in VRF"
2997		run_cmd nettest -6 -s -I ${VRF} &
2998		sleep 1
2999		run_cmd nettest -6 -r ${a}
3000		log_test_addr ${a} $? 1 "Global server, local connection"
3001	done
3002
3003
3004	#
3005	# client
3006	#
3007	for a in ${NSB_IP6} ${NSB_LO_IP6}
3008	do
3009		log_start
3010		run_cmd_nsb nettest -6 -s &
3011		sleep 1
3012		run_cmd nettest -6 -r ${a} -d ${VRF}
3013		log_test_addr ${a} $? 0 "Client, VRF bind"
3014	done
3015
3016	a=${NSB_LINKIP6}
3017	log_start
3018	show_hint "Fails since VRF device does not allow linklocal addresses"
3019	run_cmd_nsb nettest -6 -s &
3020	sleep 1
3021	run_cmd nettest -6 -r ${a} -d ${VRF}
3022	log_test_addr ${a} $? 1 "Client, VRF bind"
3023
3024	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}
3025	do
3026		log_start
3027		run_cmd_nsb nettest -6 -s &
3028		sleep 1
3029		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
3030		log_test_addr ${a} $? 0 "Client, device bind"
3031	done
3032
3033	for a in ${NSB_IP6} ${NSB_LO_IP6}
3034	do
3035		log_start
3036		show_hint "Should fail 'Connection refused'"
3037		run_cmd nettest -6 -r ${a} -d ${VRF}
3038		log_test_addr ${a} $? 1 "No server, VRF client"
3039	done
3040
3041	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}
3042	do
3043		log_start
3044		show_hint "Should fail 'Connection refused'"
3045		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
3046		log_test_addr ${a} $? 1 "No server, device client"
3047	done
3048
3049	for a in ${NSA_IP6} ${VRF_IP6} ::1
3050	do
3051		log_start
3052		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
3053		sleep 1
3054		run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
3055		log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
3056	done
3057
3058	a=${NSA_IP6}
3059	log_start
3060	run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
3061	sleep 1
3062	run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
3063	log_test_addr ${a} $? 0 "VRF server, device client, local connection"
3064
3065	a=${NSA_IP6}
3066	log_start
3067	show_hint "Should fail since unbound client is out of VRF scope"
3068	run_cmd nettest -6 -s -I ${VRF} &
3069	sleep 1
3070	run_cmd nettest -6 -r ${a}
3071	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"
3072
3073	log_start
3074	run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
3075	sleep 1
3076	run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
3077	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"
3078
3079	for a in ${NSA_IP6} ${NSA_LINKIP6}
3080	do
3081		log_start
3082		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
3083		sleep 1
3084		run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
3085		log_test_addr ${a} $? 0 "Device server, device client, local connection"
3086	done
3087}
3088
3089ipv6_tcp()
3090{
3091	log_section "IPv6/TCP"
3092	log_subsection "No VRF"
3093	setup
3094
3095	# tcp_l3mdev_accept should have no affect without VRF;
3096	# run tests with it enabled and disabled to verify
3097	log_subsection "tcp_l3mdev_accept disabled"
3098	set_sysctl net.ipv4.tcp_l3mdev_accept=0
3099	ipv6_tcp_novrf
3100	log_subsection "tcp_l3mdev_accept enabled"
3101	set_sysctl net.ipv4.tcp_l3mdev_accept=1
3102	ipv6_tcp_novrf
3103
3104	log_subsection "With VRF"
3105	setup "yes"
3106	ipv6_tcp_vrf
3107}
3108
3109################################################################################
3110# IPv6 UDP
3111
3112ipv6_udp_novrf()
3113{
3114	local a
3115
3116	#
3117	# server tests
3118	#
3119	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
3120	do
3121		log_start
3122		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3123		sleep 1
3124		run_cmd_nsb nettest -6 -D -r ${a}
3125		log_test_addr ${a} $? 0 "Global server"
3126
3127		log_start
3128		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3129		sleep 1
3130		run_cmd_nsb nettest -6 -D -r ${a}
3131		log_test_addr ${a} $? 0 "Device server"
3132	done
3133
3134	a=${NSA_LO_IP6}
3135	log_start
3136	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3137	sleep 1
3138	run_cmd_nsb nettest -6 -D -r ${a}
3139	log_test_addr ${a} $? 0 "Global server"
3140
3141	# should fail since loopback address is out of scope for a device
3142	# bound server, but it does not - hence this is more documenting
3143	# behavior.
3144	#log_start
3145	#show_hint "Should fail since loopback address is out of scope"
3146	#run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3147	#sleep 1
3148	#run_cmd_nsb nettest -6 -D -r ${a}
3149	#log_test_addr ${a} $? 1 "Device server"
3150
3151	# negative test - should fail
3152	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
3153	do
3154		log_start
3155		show_hint "Should fail 'Connection refused' since there is no server"
3156		run_cmd_nsb nettest -6 -D -r ${a}
3157		log_test_addr ${a} $? 1 "No server"
3158	done
3159
3160	#
3161	# client
3162	#
3163	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
3164	do
3165		log_start
3166		run_cmd_nsb nettest -6 -D -s &
3167		sleep 1
3168		run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6}
3169		log_test_addr ${a} $? 0 "Client"
3170
3171		log_start
3172		run_cmd_nsb nettest -6 -D -s &
3173		sleep 1
3174		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6}
3175		log_test_addr ${a} $? 0 "Client, device bind"
3176
3177		log_start
3178		run_cmd_nsb nettest -6 -D -s &
3179		sleep 1
3180		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6}
3181		log_test_addr ${a} $? 0 "Client, device send via cmsg"
3182
3183		log_start
3184		run_cmd_nsb nettest -6 -D -s &
3185		sleep 1
3186		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6}
3187		log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF"
3188
3189		log_start
3190		show_hint "Should fail 'Connection refused'"
3191		run_cmd nettest -6 -D -r ${a}
3192		log_test_addr ${a} $? 1 "No server, unbound client"
3193
3194		log_start
3195		show_hint "Should fail 'Connection refused'"
3196		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
3197		log_test_addr ${a} $? 1 "No server, device client"
3198	done
3199
3200	#
3201	# local address tests
3202	#
3203	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
3204	do
3205		log_start
3206		run_cmd nettest -6 -D -s &
3207		sleep 1
3208		run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a}
3209		log_test_addr ${a} $? 0 "Global server, local connection"
3210	done
3211
3212	a=${NSA_IP6}
3213	log_start
3214	run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
3215	sleep 1
3216	run_cmd nettest -6 -D -r ${a}
3217	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
3218
3219	for a in ${NSA_LO_IP6} ::1
3220	do
3221		log_start
3222		show_hint "Should fail 'Connection refused' since address is out of device scope"
3223		run_cmd nettest -6 -s -D -I ${NSA_DEV} &
3224		sleep 1
3225		run_cmd nettest -6 -D -r ${a}
3226		log_test_addr ${a} $? 1 "Device server, local connection"
3227	done
3228
3229	a=${NSA_IP6}
3230	log_start
3231	run_cmd nettest -6 -s -D &
3232	sleep 1
3233	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3234	log_test_addr ${a} $? 0 "Global server, device client, local connection"
3235
3236	log_start
3237	run_cmd nettest -6 -s -D &
3238	sleep 1
3239	run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a}
3240	log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"
3241
3242	log_start
3243	run_cmd nettest -6 -s -D &
3244	sleep 1
3245	run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a}
3246	log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection"
3247
3248	for a in ${NSA_LO_IP6} ::1
3249	do
3250		log_start
3251		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
3252		run_cmd nettest -6 -D -s &
3253		sleep 1
3254		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
3255		log_test_addr ${a} $? 1 "Global server, device client, local connection"
3256
3257		log_start
3258		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
3259		run_cmd nettest -6 -D -s &
3260		sleep 1
3261		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C
3262		log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"
3263
3264		log_start
3265		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
3266		run_cmd nettest -6 -D -s &
3267		sleep 1
3268		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S
3269		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
3270
3271		log_start
3272		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
3273		run_cmd nettest -6 -D -s &
3274		sleep 1
3275		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -U
3276		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"
3277	done
3278
3279	a=${NSA_IP6}
3280	log_start
3281	run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} &
3282	sleep 1
3283	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a}
3284	log_test_addr ${a} $? 0 "Device server, device client, local conn"
3285
3286	log_start
3287	show_hint "Should fail 'Connection refused'"
3288	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3289	log_test_addr ${a} $? 1 "No server, device client, local conn"
3290
3291	# LLA to GUA
3292	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
3293	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
3294	log_start
3295	run_cmd nettest -6 -s -D &
3296	sleep 1
3297	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
3298	log_test $? 0 "UDP in - LLA to GUA"
3299
3300	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
3301	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
3302}
3303
3304ipv6_udp_vrf()
3305{
3306	local a
3307
3308	# disable global server
3309	log_subsection "Global server disabled"
3310	set_sysctl net.ipv4.udp_l3mdev_accept=0
3311
3312	#
3313	# server tests
3314	#
3315	for a in ${NSA_IP6} ${VRF_IP6}
3316	do
3317		log_start
3318		show_hint "Should fail 'Connection refused' since global server is disabled"
3319		run_cmd nettest -6 -D -s &
3320		sleep 1
3321		run_cmd_nsb nettest -6 -D -r ${a}
3322		log_test_addr ${a} $? 1 "Global server"
3323	done
3324
3325	for a in ${NSA_IP6} ${VRF_IP6}
3326	do
3327		log_start
3328		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3329		sleep 1
3330		run_cmd_nsb nettest -6 -D -r ${a}
3331		log_test_addr ${a} $? 0 "VRF server"
3332	done
3333
3334	for a in ${NSA_IP6} ${VRF_IP6}
3335	do
3336		log_start
3337		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3338		sleep 1
3339		run_cmd_nsb nettest -6 -D -r ${a}
3340		log_test_addr ${a} $? 0 "Enslaved device server"
3341	done
3342
3343	# negative test - should fail
3344	for a in ${NSA_IP6} ${VRF_IP6}
3345	do
3346		log_start
3347		show_hint "Should fail 'Connection refused' since there is no server"
3348		run_cmd_nsb nettest -6 -D -r ${a}
3349		log_test_addr ${a} $? 1 "No server"
3350	done
3351
3352	#
3353	# local address tests
3354	#
3355	for a in ${NSA_IP6} ${VRF_IP6}
3356	do
3357		log_start
3358		show_hint "Should fail 'Connection refused' since global server is disabled"
3359		run_cmd nettest -6 -D -s &
3360		sleep 1
3361		run_cmd nettest -6 -D -d ${VRF} -r ${a}
3362		log_test_addr ${a} $? 1 "Global server, VRF client, local conn"
3363	done
3364
3365	for a in ${NSA_IP6} ${VRF_IP6}
3366	do
3367		log_start
3368		run_cmd nettest -6 -D -I ${VRF} -s &
3369		sleep 1
3370		run_cmd nettest -6 -D -d ${VRF} -r ${a}
3371		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3372	done
3373
3374	a=${NSA_IP6}
3375	log_start
3376	show_hint "Should fail 'Connection refused' since global server is disabled"
3377	run_cmd nettest -6 -D -s &
3378	sleep 1
3379	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3380	log_test_addr ${a} $? 1 "Global server, device client, local conn"
3381
3382	log_start
3383	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3384	sleep 1
3385	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3386	log_test_addr ${a} $? 0 "VRF server, device client, local conn"
3387
3388	log_start
3389	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3390	sleep 1
3391	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3392	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
3393
3394	log_start
3395	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3396	sleep 1
3397	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3398	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
3399
3400	# disable global server
3401	log_subsection "Global server enabled"
3402	set_sysctl net.ipv4.udp_l3mdev_accept=1
3403
3404	#
3405	# server tests
3406	#
3407	for a in ${NSA_IP6} ${VRF_IP6}
3408	do
3409		log_start
3410		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3411		sleep 1
3412		run_cmd_nsb nettest -6 -D -r ${a}
3413		log_test_addr ${a} $? 0 "Global server"
3414	done
3415
3416	for a in ${NSA_IP6} ${VRF_IP6}
3417	do
3418		log_start
3419		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3420		sleep 1
3421		run_cmd_nsb nettest -6 -D -r ${a}
3422		log_test_addr ${a} $? 0 "VRF server"
3423	done
3424
3425	for a in ${NSA_IP6} ${VRF_IP6}
3426	do
3427		log_start
3428		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3429		sleep 1
3430		run_cmd_nsb nettest -6 -D -r ${a}
3431		log_test_addr ${a} $? 0 "Enslaved device server"
3432	done
3433
3434	# negative test - should fail
3435	for a in ${NSA_IP6} ${VRF_IP6}
3436	do
3437		log_start
3438		run_cmd_nsb nettest -6 -D -r ${a}
3439		log_test_addr ${a} $? 1 "No server"
3440	done
3441
3442	#
3443	# client tests
3444	#
3445	log_start
3446	run_cmd_nsb nettest -6 -D -s &
3447	sleep 1
3448	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
3449	log_test $? 0 "VRF client"
3450
3451	# negative test - should fail
3452	log_start
3453	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
3454	log_test $? 1 "No server, VRF client"
3455
3456	log_start
3457	run_cmd_nsb nettest -6 -D -s &
3458	sleep 1
3459	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
3460	log_test $? 0 "Enslaved device client"
3461
3462	# negative test - should fail
3463	log_start
3464	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
3465	log_test $? 1 "No server, enslaved device client"
3466
3467	#
3468	# local address tests
3469	#
3470	a=${NSA_IP6}
3471	log_start
3472	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3473	sleep 1
3474	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3475	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
3476
3477	#log_start
3478	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3479	sleep 1
3480	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3481	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3482
3483
3484	a=${VRF_IP6}
3485	log_start
3486	run_cmd nettest -6 -D -s -3 ${VRF} &
3487	sleep 1
3488	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3489	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
3490
3491	log_start
3492	run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} &
3493	sleep 1
3494	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3495	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3496
3497	# negative test - should fail
3498	for a in ${NSA_IP6} ${VRF_IP6}
3499	do
3500		log_start
3501		run_cmd nettest -6 -D -d ${VRF} -r ${a}
3502		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
3503	done
3504
3505	# device to global IP
3506	a=${NSA_IP6}
3507	log_start
3508	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3509	sleep 1
3510	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3511	log_test_addr ${a} $? 0 "Global server, device client, local conn"
3512
3513	log_start
3514	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3515	sleep 1
3516	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3517	log_test_addr ${a} $? 0 "VRF server, device client, local conn"
3518
3519	log_start
3520	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3521	sleep 1
3522	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3523	log_test_addr ${a} $? 0 "Device server, VRF client, local conn"
3524
3525	log_start
3526	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3527	sleep 1
3528	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3529	log_test_addr ${a} $? 0 "Device server, device client, local conn"
3530
3531	log_start
3532	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3533	log_test_addr ${a} $? 1 "No server, device client, local conn"
3534
3535
3536	# link local addresses
3537	log_start
3538	run_cmd nettest -6 -D -s &
3539	sleep 1
3540	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
3541	log_test $? 0 "Global server, linklocal IP"
3542
3543	log_start
3544	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
3545	log_test $? 1 "No server, linklocal IP"
3546
3547
3548	log_start
3549	run_cmd_nsb nettest -6 -D -s &
3550	sleep 1
3551	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
3552	log_test $? 0 "Enslaved device client, linklocal IP"
3553
3554	log_start
3555	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
3556	log_test $? 1 "No server, device client, peer linklocal IP"
3557
3558
3559	log_start
3560	run_cmd nettest -6 -D -s &
3561	sleep 1
3562	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
3563	log_test $? 0 "Enslaved device client, local conn - linklocal IP"
3564
3565	log_start
3566	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
3567	log_test $? 1 "No server, device client, local conn  - linklocal IP"
3568
3569	# LLA to GUA
3570	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
3571	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
3572	log_start
3573	run_cmd nettest -6 -s -D &
3574	sleep 1
3575	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
3576	log_test $? 0 "UDP in - LLA to GUA"
3577
3578	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
3579	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
3580}
3581
3582ipv6_udp()
3583{
3584        # should not matter, but set to known state
3585        set_sysctl net.ipv4.udp_early_demux=1
3586
3587        log_section "IPv6/UDP"
3588        log_subsection "No VRF"
3589        setup
3590
3591        # udp_l3mdev_accept should have no affect without VRF;
3592        # run tests with it enabled and disabled to verify
3593        log_subsection "udp_l3mdev_accept disabled"
3594        set_sysctl net.ipv4.udp_l3mdev_accept=0
3595        ipv6_udp_novrf
3596        log_subsection "udp_l3mdev_accept enabled"
3597        set_sysctl net.ipv4.udp_l3mdev_accept=1
3598        ipv6_udp_novrf
3599
3600        log_subsection "With VRF"
3601        setup "yes"
3602        ipv6_udp_vrf
3603}
3604
3605################################################################################
3606# IPv6 address bind
3607
3608ipv6_addr_bind_novrf()
3609{
3610	#
3611	# raw socket
3612	#
3613	for a in ${NSA_IP6} ${NSA_LO_IP6}
3614	do
3615		log_start
3616		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
3617		log_test_addr ${a} $? 0 "Raw socket bind to local address"
3618
3619		log_start
3620		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
3621		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
3622	done
3623
3624	#
3625	# raw socket with nonlocal bind
3626	#
3627	a=${NL_IP6}
3628	log_start
3629	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
3630	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"
3631
3632	#
3633	# tcp sockets
3634	#
3635	a=${NSA_IP6}
3636	log_start
3637	run_cmd nettest -6 -s -l ${a} -t1 -b
3638	log_test_addr ${a} $? 0 "TCP socket bind to local address"
3639
3640	log_start
3641	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3642	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
3643
3644	# Sadly, the kernel allows binding a socket to a device and then
3645	# binding to an address not on the device. So this test passes
3646	# when it really should not
3647	a=${NSA_LO_IP6}
3648	log_start
3649	show_hint "Tecnically should fail since address is not on device but kernel allows"
3650	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3651	log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
3652}
3653
3654ipv6_addr_bind_vrf()
3655{
3656	#
3657	# raw socket
3658	#
3659	for a in ${NSA_IP6} ${VRF_IP6}
3660	do
3661		log_start
3662		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
3663		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"
3664
3665		log_start
3666		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
3667		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
3668	done
3669
3670	a=${NSA_LO_IP6}
3671	log_start
3672	show_hint "Address on loopback is out of VRF scope"
3673	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
3674	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"
3675
3676	#
3677	# raw socket with nonlocal bind
3678	#
3679	a=${NL_IP6}
3680	log_start
3681	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${VRF} -b
3682	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"
3683
3684	#
3685	# tcp sockets
3686	#
3687	# address on enslaved device is valid for the VRF or device in a VRF
3688	for a in ${NSA_IP6} ${VRF_IP6}
3689	do
3690		log_start
3691		run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
3692		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
3693	done
3694
3695	a=${NSA_IP6}
3696	log_start
3697	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3698	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"
3699
3700	# Sadly, the kernel allows binding a socket to a device and then
3701	# binding to an address not on the device. The only restriction
3702	# is that the address is valid in the L3 domain. So this test
3703	# passes when it really should not
3704	a=${VRF_IP6}
3705	log_start
3706	show_hint "Tecnically should fail since address is not on device but kernel allows"
3707	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3708	log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind"
3709
3710	a=${NSA_LO_IP6}
3711	log_start
3712	show_hint "Address on loopback out of scope for VRF"
3713	run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
3714	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"
3715
3716	log_start
3717	show_hint "Address on loopback out of scope for device in VRF"
3718	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3719	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
3720
3721}
3722
3723ipv6_addr_bind()
3724{
3725	log_section "IPv6 address binds"
3726
3727	log_subsection "No VRF"
3728	setup
3729	ipv6_addr_bind_novrf
3730
3731	log_subsection "With VRF"
3732	setup "yes"
3733	ipv6_addr_bind_vrf
3734}
3735
3736################################################################################
3737# IPv6 runtime tests
3738
3739ipv6_rt()
3740{
3741	local desc="$1"
3742	local varg="-6 $2"
3743	local with_vrf="yes"
3744	local a
3745
3746	#
3747	# server tests
3748	#
3749	for a in ${NSA_IP6} ${VRF_IP6}
3750	do
3751		log_start
3752		run_cmd nettest ${varg} -s &
3753		sleep 1
3754		run_cmd_nsb nettest ${varg} -r ${a} &
3755		sleep 3
3756		run_cmd ip link del ${VRF}
3757		sleep 1
3758		log_test_addr ${a} 0 0 "${desc}, global server"
3759
3760		setup ${with_vrf}
3761	done
3762
3763	for a in ${NSA_IP6} ${VRF_IP6}
3764	do
3765		log_start
3766		run_cmd nettest ${varg} -I ${VRF} -s &
3767		sleep 1
3768		run_cmd_nsb nettest ${varg} -r ${a} &
3769		sleep 3
3770		run_cmd ip link del ${VRF}
3771		sleep 1
3772		log_test_addr ${a} 0 0 "${desc}, VRF server"
3773
3774		setup ${with_vrf}
3775	done
3776
3777	for a in ${NSA_IP6} ${VRF_IP6}
3778	do
3779		log_start
3780		run_cmd nettest ${varg} -I ${NSA_DEV} -s &
3781		sleep 1
3782		run_cmd_nsb nettest ${varg} -r ${a} &
3783		sleep 3
3784		run_cmd ip link del ${VRF}
3785		sleep 1
3786		log_test_addr ${a} 0 0 "${desc}, enslaved device server"
3787
3788		setup ${with_vrf}
3789	done
3790
3791	#
3792	# client test
3793	#
3794	log_start
3795	run_cmd_nsb nettest ${varg} -s &
3796	sleep 1
3797	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
3798	sleep 3
3799	run_cmd ip link del ${VRF}
3800	sleep 1
3801	log_test  0 0 "${desc}, VRF client"
3802
3803	setup ${with_vrf}
3804
3805	log_start
3806	run_cmd_nsb nettest ${varg} -s &
3807	sleep 1
3808	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
3809	sleep 3
3810	run_cmd ip link del ${VRF}
3811	sleep 1
3812	log_test  0 0 "${desc}, enslaved device client"
3813
3814	setup ${with_vrf}
3815
3816
3817	#
3818	# local address tests
3819	#
3820	for a in ${NSA_IP6} ${VRF_IP6}
3821	do
3822		log_start
3823		run_cmd nettest ${varg} -s &
3824		sleep 1
3825		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
3826		sleep 3
3827		run_cmd ip link del ${VRF}
3828		sleep 1
3829		log_test_addr ${a} 0 0 "${desc}, global server, VRF client"
3830
3831		setup ${with_vrf}
3832	done
3833
3834	for a in ${NSA_IP6} ${VRF_IP6}
3835	do
3836		log_start
3837		run_cmd nettest ${varg} -I ${VRF} -s &
3838		sleep 1
3839		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
3840		sleep 3
3841		run_cmd ip link del ${VRF}
3842		sleep 1
3843		log_test_addr ${a} 0 0 "${desc}, VRF server and client"
3844
3845		setup ${with_vrf}
3846	done
3847
3848	a=${NSA_IP6}
3849	log_start
3850	run_cmd nettest ${varg} -s &
3851	sleep 1
3852	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3853	sleep 3
3854	run_cmd ip link del ${VRF}
3855	sleep 1
3856	log_test_addr ${a} 0 0 "${desc}, global server, device client"
3857
3858	setup ${with_vrf}
3859
3860	log_start
3861	run_cmd nettest ${varg} -I ${VRF} -s &
3862	sleep 1
3863	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3864	sleep 3
3865	run_cmd ip link del ${VRF}
3866	sleep 1
3867	log_test_addr ${a} 0 0 "${desc}, VRF server, device client"
3868
3869	setup ${with_vrf}
3870
3871	log_start
3872	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
3873	sleep 1
3874	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3875	sleep 3
3876	run_cmd ip link del ${VRF}
3877	sleep 1
3878	log_test_addr ${a} 0 0 "${desc}, device server, device client"
3879}
3880
3881ipv6_ping_rt()
3882{
3883	local with_vrf="yes"
3884	local a
3885
3886	a=${NSA_IP6}
3887	log_start
3888	run_cmd_nsb ${ping6} -f ${a} &
3889	sleep 3
3890	run_cmd ip link del ${VRF}
3891	sleep 1
3892	log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"
3893
3894	setup ${with_vrf}
3895
3896	log_start
3897	run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
3898	sleep 1
3899	run_cmd ip link del ${VRF}
3900	sleep 1
3901	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
3902}
3903
3904ipv6_runtime()
3905{
3906	log_section "Run time tests - ipv6"
3907
3908	setup "yes"
3909	ipv6_ping_rt
3910
3911	setup "yes"
3912	ipv6_rt "TCP active socket"  "-n -1"
3913
3914	setup "yes"
3915	ipv6_rt "TCP passive socket" "-i"
3916
3917	setup "yes"
3918	ipv6_rt "UDP active socket"  "-D -n -1"
3919}
3920
3921################################################################################
3922# netfilter blocking connections
3923
3924netfilter_tcp_reset()
3925{
3926	local a
3927
3928	for a in ${NSA_IP} ${VRF_IP}
3929	do
3930		log_start
3931		run_cmd nettest -s &
3932		sleep 1
3933		run_cmd_nsb nettest -r ${a}
3934		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
3935	done
3936}
3937
3938netfilter_icmp()
3939{
3940	local stype="$1"
3941	local arg
3942	local a
3943
3944	[ "${stype}" = "UDP" ] && arg="-D"
3945
3946	for a in ${NSA_IP} ${VRF_IP}
3947	do
3948		log_start
3949		run_cmd nettest ${arg} -s &
3950		sleep 1
3951		run_cmd_nsb nettest ${arg} -r ${a}
3952		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
3953	done
3954}
3955
3956ipv4_netfilter()
3957{
3958	log_section "IPv4 Netfilter"
3959	log_subsection "TCP reset"
3960
3961	setup "yes"
3962	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset
3963
3964	netfilter_tcp_reset
3965
3966	log_start
3967	log_subsection "ICMP unreachable"
3968
3969	log_start
3970	run_cmd iptables -F
3971	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
3972	run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
3973
3974	netfilter_icmp "TCP"
3975	netfilter_icmp "UDP"
3976
3977	log_start
3978	iptables -F
3979}
3980
3981netfilter_tcp6_reset()
3982{
3983	local a
3984
3985	for a in ${NSA_IP6} ${VRF_IP6}
3986	do
3987		log_start
3988		run_cmd nettest -6 -s &
3989		sleep 1
3990		run_cmd_nsb nettest -6 -r ${a}
3991		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
3992	done
3993}
3994
3995netfilter_icmp6()
3996{
3997	local stype="$1"
3998	local arg
3999	local a
4000
4001	[ "${stype}" = "UDP" ] && arg="$arg -D"
4002
4003	for a in ${NSA_IP6} ${VRF_IP6}
4004	do
4005		log_start
4006		run_cmd nettest -6 -s ${arg} &
4007		sleep 1
4008		run_cmd_nsb nettest -6 ${arg} -r ${a}
4009		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
4010	done
4011}
4012
4013ipv6_netfilter()
4014{
4015	log_section "IPv6 Netfilter"
4016	log_subsection "TCP reset"
4017
4018	setup "yes"
4019	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset
4020
4021	netfilter_tcp6_reset
4022
4023	log_subsection "ICMP unreachable"
4024
4025	log_start
4026	run_cmd ip6tables -F
4027	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
4028	run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
4029
4030	netfilter_icmp6 "TCP"
4031	netfilter_icmp6 "UDP"
4032
4033	log_start
4034	ip6tables -F
4035}
4036
4037################################################################################
4038# specific use cases
4039
4040# VRF only.
4041# ns-A device enslaved to bridge. Verify traffic with and without
4042# br_netfilter module loaded. Repeat with SVI on bridge.
4043use_case_br()
4044{
4045	setup "yes"
4046
4047	setup_cmd ip link set ${NSA_DEV} down
4048	setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
4049	setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64
4050
4051	setup_cmd ip link add br0 type bridge
4052	setup_cmd ip addr add dev br0 ${NSA_IP}/24
4053	setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad
4054
4055	setup_cmd ip li set ${NSA_DEV} master br0
4056	setup_cmd ip li set ${NSA_DEV} up
4057	setup_cmd ip li set br0 up
4058	setup_cmd ip li set br0 vrf ${VRF}
4059
4060	rmmod br_netfilter 2>/dev/null
4061	sleep 5 # DAD
4062
4063	run_cmd ip neigh flush all
4064	run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
4065	log_test $? 0 "Bridge into VRF - IPv4 ping out"
4066
4067	run_cmd ip neigh flush all
4068	run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
4069	log_test $? 0 "Bridge into VRF - IPv6 ping out"
4070
4071	run_cmd ip neigh flush all
4072	run_cmd_nsb ping -c1 -w1 ${NSA_IP}
4073	log_test $? 0 "Bridge into VRF - IPv4 ping in"
4074
4075	run_cmd ip neigh flush all
4076	run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
4077	log_test $? 0 "Bridge into VRF - IPv6 ping in"
4078
4079	modprobe br_netfilter
4080	if [ $? -eq 0 ]; then
4081		run_cmd ip neigh flush all
4082		run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
4083		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out"
4084
4085		run_cmd ip neigh flush all
4086		run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
4087		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out"
4088
4089		run_cmd ip neigh flush all
4090		run_cmd_nsb ping -c1 -w1 ${NSA_IP}
4091		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in"
4092
4093		run_cmd ip neigh flush all
4094		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
4095		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in"
4096	fi
4097
4098	setup_cmd ip li set br0 nomaster
4099	setup_cmd ip li add br0.100 link br0 type vlan id 100
4100	setup_cmd ip li set br0.100 vrf ${VRF} up
4101	setup_cmd ip    addr add dev br0.100 172.16.101.1/24
4102	setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad
4103
4104	setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
4105	setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
4106	setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
4107	setup_cmd_nsb ip li set vlan100 up
4108	sleep 1
4109
4110	rmmod br_netfilter 2>/dev/null
4111
4112	run_cmd ip neigh flush all
4113	run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
4114	log_test $? 0 "Bridge vlan into VRF - IPv4 ping out"
4115
4116	run_cmd ip neigh flush all
4117	run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
4118	log_test $? 0 "Bridge vlan into VRF - IPv6 ping out"
4119
4120	run_cmd ip neigh flush all
4121	run_cmd_nsb ping -c1 -w1 172.16.101.1
4122	log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"
4123
4124	run_cmd ip neigh flush all
4125	run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
4126	log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"
4127
4128	modprobe br_netfilter
4129	if [ $? -eq 0 ]; then
4130		run_cmd ip neigh flush all
4131		run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
4132		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out"
4133
4134		run_cmd ip neigh flush all
4135		run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
4136		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out"
4137
4138		run_cmd ip neigh flush all
4139		run_cmd_nsb ping -c1 -w1 172.16.101.1
4140		log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"
4141
4142		run_cmd ip neigh flush all
4143		run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
4144		log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"
4145	fi
4146
4147	setup_cmd ip li del br0 2>/dev/null
4148	setup_cmd_nsb ip li del vlan100 2>/dev/null
4149}
4150
4151# VRF only.
4152# ns-A device is connected to both ns-B and ns-C on a single VRF but only has
4153# LLA on the interfaces
4154use_case_ping_lla_multi()
4155{
4156	setup_lla_only
4157	# only want reply from ns-A
4158	setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
4159	setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
4160
4161	log_start
4162	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
4163	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B"
4164
4165	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
4166	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C"
4167
4168	# cycle/flap the first ns-A interface
4169	setup_cmd ip link set ${NSA_DEV} down
4170	setup_cmd ip link set ${NSA_DEV} up
4171	sleep 1
4172
4173	log_start
4174	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
4175	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B"
4176	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
4177	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C"
4178
4179	# cycle/flap the second ns-A interface
4180	setup_cmd ip link set ${NSA_DEV2} down
4181	setup_cmd ip link set ${NSA_DEV2} up
4182	sleep 1
4183
4184	log_start
4185	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
4186	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B"
4187	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
4188	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C"
4189}
4190
4191# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully
4192# established with ns-B.
4193use_case_snat_on_vrf()
4194{
4195	setup "yes"
4196
4197	local port="12345"
4198
4199	run_cmd iptables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
4200	run_cmd ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
4201
4202	run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} &
4203	sleep 1
4204	run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port}
4205	log_test $? 0 "IPv4 TCP connection over VRF with SNAT"
4206
4207	run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} &
4208	sleep 1
4209	run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port}
4210	log_test $? 0 "IPv6 TCP connection over VRF with SNAT"
4211
4212	# Cleanup
4213	run_cmd iptables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
4214	run_cmd ip6tables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
4215}
4216
4217use_cases()
4218{
4219	log_section "Use cases"
4220	log_subsection "Device enslaved to bridge"
4221	use_case_br
4222	log_subsection "Ping LLA with multiple interfaces"
4223	use_case_ping_lla_multi
4224	log_subsection "SNAT on VRF"
4225	use_case_snat_on_vrf
4226}
4227
4228################################################################################
4229# usage
4230
4231usage()
4232{
4233	cat <<EOF
4234usage: ${0##*/} OPTS
4235
4236	-4          IPv4 tests only
4237	-6          IPv6 tests only
4238	-t <test>   Test name/set to run
4239	-p          Pause on fail
4240	-P          Pause after each test
4241	-v          Be verbose
4242
4243Tests:
4244	$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER
4245EOF
4246}
4247
4248################################################################################
4249# main
4250
4251TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter"
4252TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter"
4253TESTS_OTHER="use_cases"
4254
4255PAUSE_ON_FAIL=no
4256PAUSE=no
4257
4258while getopts :46t:pPvh o
4259do
4260	case $o in
4261		4) TESTS=ipv4;;
4262		6) TESTS=ipv6;;
4263		t) TESTS=$OPTARG;;
4264		p) PAUSE_ON_FAIL=yes;;
4265		P) PAUSE=yes;;
4266		v) VERBOSE=1;;
4267		h) usage; exit 0;;
4268		*) usage; exit 1;;
4269	esac
4270done
4271
4272# make sure we don't pause twice
4273[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no
4274
4275#
4276# show user test config
4277#
4278if [ -z "$TESTS" ]; then
4279	TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
4280elif [ "$TESTS" = "ipv4" ]; then
4281	TESTS="$TESTS_IPV4"
4282elif [ "$TESTS" = "ipv6" ]; then
4283	TESTS="$TESTS_IPV6"
4284fi
4285
4286# nettest can be run from PATH or from same directory as this selftest
4287if ! which nettest >/dev/null; then
4288	PATH=$PWD:$PATH
4289	if ! which nettest >/dev/null; then
4290		echo "'nettest' command not found; skipping tests"
4291		exit $ksft_skip
4292	fi
4293fi
4294
4295declare -i nfail=0
4296declare -i nsuccess=0
4297
4298for t in $TESTS
4299do
4300	case $t in
4301	ipv4_ping|ping)  ipv4_ping;;
4302	ipv4_tcp|tcp)    ipv4_tcp;;
4303	ipv4_udp|udp)    ipv4_udp;;
4304	ipv4_bind|bind)  ipv4_addr_bind;;
4305	ipv4_runtime)    ipv4_runtime;;
4306	ipv4_netfilter)  ipv4_netfilter;;
4307
4308	ipv6_ping|ping6) ipv6_ping;;
4309	ipv6_tcp|tcp6)   ipv6_tcp;;
4310	ipv6_udp|udp6)   ipv6_udp;;
4311	ipv6_bind|bind6) ipv6_addr_bind;;
4312	ipv6_runtime)    ipv6_runtime;;
4313	ipv6_netfilter)  ipv6_netfilter;;
4314
4315	use_cases)       use_cases;;
4316
4317	# setup namespaces and config, but do not run any tests
4318	setup)		 setup; exit 0;;
4319	vrf_setup)	 setup "yes"; exit 0;;
4320	esac
4321done
4322
4323cleanup 2>/dev/null
4324
4325printf "\nTests passed: %3d\n" ${nsuccess}
4326printf "Tests failed: %3d\n"   ${nfail}
4327
4328if [ $nfail -ne 0 ]; then
4329	exit 1 # KSFT_FAIL
4330elif [ $nsuccess -eq 0 ]; then
4331	exit $ksft_skip
4332fi
4333
4334exit 0 # KSFT_PASS
4335