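#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
#
# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
# for various permutations:
#   1. icmp, tcp, udp and netfilter
#   2. client, server, no-server
#   3. global address on interface
#   4. global address on 'lo'
#   5. remote and local traffic
#   6. VRF and non-VRF permutations
#
# Setup:
#                     ns-A     |     ns-B
# No VRF case:
#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
#                                                remote address
# VRF case:
#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
#
# ns-A:
#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
#       lo: 127.0.0.1/8, ::1/128
#           172.16.2.1/32, 2001:db8:2::1/128
#      red: 127.0.0.1/8, ::1/128
#           172.16.3.1/32, 2001:db8:3::1/128
#
# ns-B:
#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
#      lo2: 127.0.0.1/8, ::1/128
#           172.16.2.2/32, 2001:db8:2::2/128
#
# ns-A to ns-C connection - only for VRF and same config
# as ns-A to ns-B
#
# server / client nomenclature relative to ns-A

# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4

VERBOSE=0

NSA_DEV=eth1
NSA_DEV2=eth2
NSB_DEV=eth1
NSC_DEV=eth2
VRF=red
VRF_TABLE=1101

# IPv4 config
NSA_IP=172.16.1.1
NSB_IP=172.16.1.2
VRF_IP=172.16.3.1
NS_NET=172.16.1.0/24

# IPv6 config
NSA_IP6=2001:db8:1::1
NSB_IP6=2001:db8:1::2
VRF_IP6=2001:db8:3::1
NS_NET6=2001:db8:1::/120

NSA_LO_IP=172.16.2.1
NSB_LO_IP=172.16.2.2
NSA_LO_IP6=2001:db8:2::1
NSB_LO_IP6=2001:db8:2::2

# non-local addresses for freebind tests
NL_IP=172.17.1.1
NL_IP6=2001:db8:4::1

# multicast and broadcast addresses
MCAST_IP=224.0.0.1
BCAST_IP=255.255.255.255

# Fixed key strings handed to nettest (-M on the server, -X on the client)
# by the TCP-MD5 cases. They are test fixtures that end up on the command
# line and in verbose output, not secrets.
MD5_PW=abc123
MD5_WRONG_PW=abc1234

MCAST=ff02::1
# set after namespace create
NSA_LINKIP6=
NSB_LINKIP6=

NSA=ns-A
NSB=ns-B
NSC=ns-C

# Command prefixes; they are expanded unquoted so that they split back into
# "ip netns exec <ns>".
NSA_CMD="ip netns exec ${NSA}"
NSB_CMD="ip netns exec ${NSB}"
NSC_CMD="ip netns exec ${NSC}"

# Prefer a dedicated ping6 binary and fall back to ping. 'command -v' is a
# shell builtin, so the lookup does not depend on 'which' being installed.
if command -v ping6 > /dev/null 2>&1; then
	ping6=$(command -v ping6)
else
	ping6=$(command -v ping)
fi

################################################################################
# utilities

# Wait for the operator to hit enter; an answer of 'q' ends the run with
# status 1. The reply is kept in a local so that a caller's own variables
# (the test functions keep the address under test in 'a') are not overwritten.
_pause_or_quit()
{
	local reply

	echo
	echo "hit enter to continue, 'q' to quit"
	read -r reply
	if [ "$reply" = "q" ]; then
		exit 1
	fi
}

# Report a failed setup command and exit with its status.
#   $1 - the command line that failed
#   $2 - its exit status
_setup_abort()
{
	local cmd="$1"
	local rc=$2
	local reply

	# show user the command if not done so already
	if [ "$VERBOSE" = "0" ]; then
		echo "setup command: $cmd"
	fi
	echo "failed. stopping tests"
	if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
		echo
		echo "hit enter to continue"
		read -r reply
	fi
	exit "$rc"
}

# Record one test result.
#   $1 - exit status the command returned
#   $2 - exit status the test expects
#   $3 - description printed on the result line
# Updates the global counters nsuccess / nfail, honours PAUSE_ON_FAIL and
# PAUSE, and ends by calling kill_procs.
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"

	[ "${VERBOSE}" = "1" ] && echo

	if [ "${rc}" -eq "${expected}" ]; then
		nsuccess=$((nsuccess+1))
		printf "TEST: %-70s [ OK ]\n" "${msg}"
	else
		nfail=$((nfail+1))
		printf "TEST: %-70s [FAIL]\n" "${msg}"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			_pause_or_quit
		fi
	fi

	if [ "${PAUSE}" = "yes" ]; then
		_pause_or_quit
	fi

	kill_procs
}

# Like log_test, with the description suffixed by the symbolic name of the
# address under test.
#   $1 - address, $2 - actual status, $3 - expected status, $4 - description
log_test_addr()
{
	local addr=$1
	local rc=$2
	local expected=$3
	local msg="$4"
	local astr

	astr=$(addr2str "${addr}")
	log_test "${rc}" "${expected}" "$msg - ${astr}"
}

# Print a banner for a top-level group of tests.
log_section()
{
	echo
	echo "###########################################################################"
	echo "$*"
	echo "###########################################################################"
	echo
}

# Print a banner for a sub-group of tests.
log_subsection()
{
	echo
	echo "#################################################################"
	echo "$*"
	echo
}

# Start of a single test case: stop leftover helpers, then print a separator
# when verbose.
log_start()
{
	# make sure we have no test instances running
	kill_procs

	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "#######################################################"
	fi
}

# Print a message only when VERBOSE=1.
log_debug()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "$*"
		echo
	fi
}

# Print a "HINT:" line only when VERBOSE=1.
show_hint()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo "HINT: $*"
		echo
	fi
}

# Stop helper processes left over from the previous test case.
# killall selects by process name and is not limited to the test namespaces:
# every nettest, ping and ping6 process the caller is allowed to signal is
# terminated, including ones unrelated to this suite. Run the suite on a
# dedicated test machine or VM.
kill_procs()
{
	killall nettest ping ping6 >/dev/null 2>&1
	sleep 1
}

# Run a command, capture stdout+stderr, echo both when VERBOSE=1 and return
# the command's exit status.
# $cmd is expanded unquoted on purpose: callers pass a flattened "$*", and
# word splitting is what turns it back into an argument list. Arguments that
# contain whitespace or glob characters are therefore re-split and expanded,
# so only fixed strings from this script should be passed in.
# 'rc' is left non-local as in the original; whether other parts of the file
# read it after the call cannot be seen from here.
do_run_cmd()
{
	local cmd="$*"
	local out

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${cmd}"
	fi

	# shellcheck disable=SC2086 # splitting is intended, see above
	out=$($cmd 2>&1)
	rc=$?
	# two tests joined with && instead of the ambiguous 'test -a'
	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		echo "$out"
	fi

	return $rc
}

# Run a command inside ns-A.
run_cmd()
{
	do_run_cmd ${NSA_CMD} $*
}

# Run a command inside ns-B.
run_cmd_nsb()
{
	do_run_cmd ${NSB_CMD} $*
}

# Run a command inside ns-C.
run_cmd_nsc()
{
	do_run_cmd ${NSC_CMD} $*
}

# Run a configuration command in ns-A; a failure stops the whole run.
setup_cmd()
{
	local cmd="$*"
	local rc

	run_cmd ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		_setup_abort "$cmd" $rc
	fi
}

# Run a configuration command in ns-B; a failure stops the whole run.
setup_cmd_nsb()
{
	local cmd="$*"
	local rc

	run_cmd_nsb ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		_setup_abort "$cmd" $rc
	fi
}

# Run a configuration command in ns-C; a failure stops the whole run.
setup_cmd_nsc()
{
	local cmd="$*"
	local rc

	run_cmd_nsc ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		_setup_abort "$cmd" $rc
	fi
}

# set sysctl values in NS-A
# The arguments go through run_cmd unquoted, so a value containing a space is
# split into separate words before sysctl sees it.
set_sysctl()
{
	echo "SYSCTL: $*"
	echo
	run_cmd sysctl -q -w $*
}

# get sysctl values in NS-A
get_sysctl()
{
	${NSA_CMD} sysctl -n $*
}

################################################################################
# Setup for tests

# Map an address used by the tests to a short label for the result line.
# Link-local entries also match the "<addr>%<dev>" form. While NSA_LINKIP6 /
# NSB_LINKIP6 are still empty, an empty argument matches the ns-A LLA arm.
addr2str()
{
	case "$1" in
	127.0.0.1) echo "loopback";;
	::1) echo "IPv6 loopback";;

	${BCAST_IP}) echo "broadcast";;
	${MCAST_IP}) echo "multicast";;

	${NSA_IP})	echo "ns-A IP";;
	${NSA_IP6})	echo "ns-A IPv6";;
	${NSA_LO_IP})	echo "ns-A loopback IP";;
	${NSA_LO_IP6})	echo "ns-A loopback IPv6";;
	${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;

	${NSB_IP})	echo "ns-B IP";;
	${NSB_IP6})	echo "ns-B IPv6";;
	${NSB_LO_IP})	echo "ns-B loopback IP";;
	${NSB_LO_IP6})	echo "ns-B loopback IPv6";;
	${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;

	${NL_IP})       echo "nonlocal IP";;
	${NL_IP6})      echo "nonlocal IPv6";;

	${VRF_IP})	echo "VRF IP";;
	${VRF_IP6})	echo "VRF IPv6";;

	${MCAST}%*)	echo "multicast IP";;

	*) echo "unknown";;
	esac
}

# Print the fe80 address of a device, without the prefix length.
#   $1 - namespace, $2 - device
# Returns 1 and prints nothing when the device has no such address.
get_linklocal()
{
	local ns=$1
	local dev=$2
	local addr

	# brief output: addresses start at field 3
	addr=$(ip -netns "${ns}" -6 -br addr show dev "${dev}" | \
	awk '{
		for (i = 3; i <= NF; ++i) {
			if ($i ~ /^fe80/)
				print $i
		}
	}'
	)
	# drop everything from the first '/' on
	addr=${addr/\/*}

	[ -z "$addr" ] && return 1

	echo $addr

	return 0
}

################################################################################
# create namespaces and vrf

# Create and bring up a VRF device in a namespace.
#   $1 - namespace, $2 - VRF name, $3 - routing table id
#   $4 - IPv4 address for the VRF device, "-" for none
#   $5 - IPv6 address for the VRF device, "-" for none
create_vrf()
{
	local ns=$1
	local vrf=$2
	local table=$3
	local addr=$4
	local addr6=$5

	ip -netns "${ns}" link add "${vrf}" type vrf table "${table}"
	ip -netns "${ns}" link set "${vrf}" up
	# lookups in the VRF table that match nothing end in 'unreachable'
	ip -netns "${ns}" route add vrf "${vrf}" unreachable default metric 8192
	ip -netns "${ns}" -6 route add vrf "${vrf}" unreachable default metric 8192

	ip -netns "${ns}" addr add 127.0.0.1/8 dev "${vrf}"
	ip -netns "${ns}" -6 addr add ::1 dev "${vrf}" nodad
	if [ "${addr}" != "-" ]; then
		ip -netns "${ns}" addr add dev "${vrf}" "${addr}"
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns "${ns}" -6 addr add dev "${vrf}" "${addr6}"
	fi

	# move the 'local' table rule from pref 0 to pref 32765, v4 and v6
	# NOTE(review): presumably so the VRF rule is consulted ahead of the
	# local table - confirm against the VRF documentation
	ip -netns "${ns}" ru del pref 0
	ip -netns "${ns}" ru add pref 32765 from all lookup local
	ip -netns "${ns}" -6 ru del pref 0
	ip -netns "${ns}" -6 ru add pref 32765 from all lookup local
}

# Create a namespace with 'lo' up, optional loopback addresses and
# forwarding enabled.
#   $1 - namespace
#   $2 - IPv4 address for lo, "-" for none
#   $3 - IPv6 address for lo, "-" for none
create_ns()
{
	local ns=$1
	local addr=$2
	local addr6=$3

	ip netns add "${ns}"

	ip -netns "${ns}" link set lo up
	if [ "${addr}" != "-" ]; then
		ip -netns "${ns}" addr add dev lo "${addr}"
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns "${ns}" -6 addr add dev lo "${addr6}"
	fi

	ip -netns "${ns}" ro add unreachable default metric 8192
	ip -netns "${ns}" -6 ro add unreachable default metric 8192

	# the sysctls are written through 'ip netns exec', i.e. inside ${ns}
	ip netns exec "${ns}" sysctl -qw net.ipv4.ip_forward=1
	ip netns exec "${ns}" sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
	ip netns exec "${ns}" sysctl -qw net.ipv6.conf.all.forwarding=1
	ip netns exec "${ns}" sysctl -qw net.ipv6.conf.default.forwarding=1
}

# create veth pair to connect namespaces and apply addresses.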
422connect_ns() 423{ 424 local ns1=$1 425 local ns1_dev=$2 426 local ns1_addr=$3 427 local ns1_addr6=$4 428 local ns2=$5 429 local ns2_dev=$6 430 local ns2_addr=$7 431 local ns2_addr6=$8 432 433 ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp 434 ip -netns ${ns1} li set ${ns1_dev} up 435 ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev} 436 ip -netns ${ns2} li set ${ns2_dev} up 437 438 if [ "${ns1_addr}" != "-" ]; then 439 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr} 440 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr} 441 fi 442 443 if [ "${ns1_addr6}" != "-" ]; then 444 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6} 445 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6} 446 fi 447} 448 449cleanup() 450{ 451 # explicit cleanups to check those code paths 452 ip netns | grep -q ${NSA} 453 if [ $? -eq 0 ]; then 454 ip -netns ${NSA} link delete ${VRF} 455 ip -netns ${NSA} ro flush table ${VRF_TABLE} 456 457 ip -netns ${NSA} addr flush dev ${NSA_DEV} 458 ip -netns ${NSA} -6 addr flush dev ${NSA_DEV} 459 ip -netns ${NSA} link set dev ${NSA_DEV} down 460 ip -netns ${NSA} link del dev ${NSA_DEV} 461 462 ip netns pids ${NSA} | xargs kill 2>/dev/null 463 ip netns del ${NSA} 464 fi 465 466 ip netns pids ${NSB} | xargs kill 2>/dev/null 467 ip netns del ${NSB} 468 ip netns pids ${NSC} | xargs kill 2>/dev/null 469 ip netns del ${NSC} >/dev/null 2>&1 470} 471 472cleanup_vrf_dup() 473{ 474 ip link del ${NSA_DEV2} >/dev/null 2>&1 475 ip netns pids ${NSC} | xargs kill 2>/dev/null 476 ip netns del ${NSC} >/dev/null 2>&1 477} 478 479setup_vrf_dup() 480{ 481 # some VRF tests use ns-C which has the same config as 482 # ns-B but for a device NOT in the VRF 483 create_ns ${NSC} "-" "-" 484 connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \ 485 ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 486} 487 488setup() 489{ 490 local with_vrf=${1} 491 492 # make sure we are starting with a clean slate 493 kill_procs 494 cleanup 2>/dev/null 495 496 
log_debug "Configuring network namespaces" 497 set -e 498 499 create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128 500 create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128 501 connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \ 502 ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 503 504 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 505 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 506 507 # tell ns-A how to get to remote addresses of ns-B 508 if [ "${with_vrf}" = "yes" ]; then 509 create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6} 510 511 ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF} 512 ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 513 ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 514 515 ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 516 ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 517 else 518 ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 519 ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 520 fi 521 522 523 # tell ns-B how to get to remote addresses of ns-A 524 ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 525 ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 526 527 set +e 528 529 sleep 1 530} 531 532setup_lla_only() 533{ 534 # make sure we are starting with a clean slate 535 kill_procs 536 cleanup 2>/dev/null 537 538 log_debug "Configuring network namespaces" 539 set -e 540 541 create_ns ${NSA} "-" "-" 542 create_ns ${NSB} "-" "-" 543 create_ns ${NSC} "-" "-" 544 connect_ns ${NSA} ${NSA_DEV} "-" "-" \ 545 ${NSB} ${NSB_DEV} "-" "-" 546 connect_ns ${NSA} ${NSA_DEV2} "-" "-" \ 547 ${NSC} ${NSC_DEV} "-" "-" 548 549 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 550 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 551 NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV}) 552 553 create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-" 554 ip -netns ${NSA} link 
set dev ${NSA_DEV} vrf ${VRF} 555 ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF} 556 557 set +e 558 559 sleep 1 560} 561 562################################################################################ 563# IPv4 564 565ipv4_ping_novrf() 566{ 567 local a 568 569 # 570 # out 571 # 572 for a in ${NSB_IP} ${NSB_LO_IP} 573 do 574 log_start 575 run_cmd ping -c1 -w1 ${a} 576 log_test_addr ${a} $? 0 "ping out" 577 578 log_start 579 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 580 log_test_addr ${a} $? 0 "ping out, device bind" 581 582 log_start 583 run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a} 584 log_test_addr ${a} $? 0 "ping out, address bind" 585 done 586 587 # 588 # out, but don't use gateway if peer is not on link 589 # 590 a=${NSB_IP} 591 log_start 592 run_cmd ping -c 1 -w 1 -r ${a} 593 log_test_addr ${a} $? 0 "ping out (don't route), peer on link" 594 595 a=${NSB_LO_IP} 596 log_start 597 show_hint "Fails since peer is not on link" 598 run_cmd ping -c 1 -w 1 -r ${a} 599 log_test_addr ${a} $? 1 "ping out (don't route), peer not on link" 600 601 # 602 # in 603 # 604 for a in ${NSA_IP} ${NSA_LO_IP} 605 do 606 log_start 607 run_cmd_nsb ping -c1 -w1 ${a} 608 log_test_addr ${a} $? 0 "ping in" 609 done 610 611 # 612 # local traffic 613 # 614 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 615 do 616 log_start 617 run_cmd ping -c1 -w1 ${a} 618 log_test_addr ${a} $? 0 "ping local" 619 done 620 621 # 622 # local traffic, socket bound to device 623 # 624 # address on device 625 a=${NSA_IP} 626 log_start 627 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 628 log_test_addr ${a} $? 0 "ping local, device bind" 629 630 # loopback addresses not reachable from device bind 631 # fails in a really weird way though because ipv4 special cases 632 # route lookups with oif set. 633 for a in ${NSA_LO_IP} 127.0.0.1 634 do 635 log_start 636 show_hint "Fails since address on loopback device is out of device scope" 637 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 638 log_test_addr ${a} $? 
1 "ping local, device bind" 639 done 640 641 # 642 # ip rule blocks reachability to remote address 643 # 644 log_start 645 setup_cmd ip rule add pref 32765 from all lookup local 646 setup_cmd ip rule del pref 0 from all lookup local 647 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 648 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 649 650 a=${NSB_LO_IP} 651 run_cmd ping -c1 -w1 ${a} 652 log_test_addr ${a} $? 2 "ping out, blocked by rule" 653 654 # NOTE: ipv4 actually allows the lookup to fail and yet still create 655 # a viable rtable if the oif (e.g., bind to device) is set, so this 656 # case succeeds despite the rule 657 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 658 659 a=${NSA_LO_IP} 660 log_start 661 show_hint "Response generates ICMP (or arp request is ignored) due to ip rule" 662 run_cmd_nsb ping -c1 -w1 ${a} 663 log_test_addr ${a} $? 1 "ping in, blocked by rule" 664 665 [ "$VERBOSE" = "1" ] && echo 666 setup_cmd ip rule del pref 32765 from all lookup local 667 setup_cmd ip rule add pref 0 from all lookup local 668 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 669 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 670 671 # 672 # route blocks reachability to remote address 673 # 674 log_start 675 setup_cmd ip route replace unreachable ${NSB_LO_IP} 676 setup_cmd ip route replace unreachable ${NSB_IP} 677 678 a=${NSB_LO_IP} 679 run_cmd ping -c1 -w1 ${a} 680 log_test_addr ${a} $? 2 "ping out, blocked by route" 681 682 # NOTE: ipv4 actually allows the lookup to fail and yet still create 683 # a viable rtable if the oif (e.g., bind to device) is set, so this 684 # case succeeds despite not having a route for the address 685 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 686 687 a=${NSA_LO_IP} 688 log_start 689 show_hint "Response is dropped (or arp request is ignored) due to ip route" 690 run_cmd_nsb ping -c1 -w1 ${a} 691 log_test_addr ${a} $? 
1 "ping in, blocked by route" 692 693 # 694 # remove 'remote' routes; fallback to default 695 # 696 log_start 697 setup_cmd ip ro del ${NSB_LO_IP} 698 699 a=${NSB_LO_IP} 700 run_cmd ping -c1 -w1 ${a} 701 log_test_addr ${a} $? 2 "ping out, unreachable default route" 702 703 # NOTE: ipv4 actually allows the lookup to fail and yet still create 704 # a viable rtable if the oif (e.g., bind to device) is set, so this 705 # case succeeds despite not having a route for the address 706 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 707} 708 709ipv4_ping_vrf() 710{ 711 local a 712 713 # should default on; does not exist on older kernels 714 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 715 716 # 717 # out 718 # 719 for a in ${NSB_IP} ${NSB_LO_IP} 720 do 721 log_start 722 run_cmd ping -c1 -w1 -I ${VRF} ${a} 723 log_test_addr ${a} $? 0 "ping out, VRF bind" 724 725 log_start 726 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 727 log_test_addr ${a} $? 0 "ping out, device bind" 728 729 log_start 730 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a} 731 log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind" 732 733 log_start 734 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a} 735 log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind" 736 done 737 738 # 739 # in 740 # 741 for a in ${NSA_IP} ${VRF_IP} 742 do 743 log_start 744 run_cmd_nsb ping -c1 -w1 ${a} 745 log_test_addr ${a} $? 0 "ping in" 746 done 747 748 # 749 # local traffic, local address 750 # 751 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 752 do 753 log_start 754 show_hint "Source address should be ${a}" 755 run_cmd ping -c1 -w1 -I ${VRF} ${a} 756 log_test_addr ${a} $? 0 "ping local, VRF bind" 757 done 758 759 # 760 # local traffic, socket bound to device 761 # 762 # address on device 763 a=${NSA_IP} 764 log_start 765 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 766 log_test_addr ${a} $? 
0 "ping local, device bind" 767 768 # vrf device is out of scope 769 for a in ${VRF_IP} 127.0.0.1 770 do 771 log_start 772 show_hint "Fails since address on vrf device is out of device scope" 773 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 774 log_test_addr ${a} $? 2 "ping local, device bind" 775 done 776 777 # 778 # ip rule blocks address 779 # 780 log_start 781 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 782 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 783 784 a=${NSB_LO_IP} 785 run_cmd ping -c1 -w1 -I ${VRF} ${a} 786 log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule" 787 788 log_start 789 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 790 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 791 792 a=${NSA_LO_IP} 793 log_start 794 show_hint "Response lost due to ip rule" 795 run_cmd_nsb ping -c1 -w1 ${a} 796 log_test_addr ${a} $? 1 "ping in, blocked by rule" 797 798 [ "$VERBOSE" = "1" ] && echo 799 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 800 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 801 802 # 803 # remove 'remote' routes; fallback to default 804 # 805 log_start 806 setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP} 807 808 a=${NSB_LO_IP} 809 run_cmd ping -c1 -w1 -I ${VRF} ${a} 810 log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route" 811 812 log_start 813 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 814 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 815 816 a=${NSA_LO_IP} 817 log_start 818 show_hint "Response lost by unreachable route" 819 run_cmd_nsb ping -c1 -w1 ${a} 820 log_test_addr ${a} $? 
1 "ping in, unreachable route" 821} 822 823ipv4_ping() 824{ 825 log_section "IPv4 ping" 826 827 log_subsection "No VRF" 828 setup 829 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null 830 ipv4_ping_novrf 831 setup 832 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 833 ipv4_ping_novrf 834 setup 835 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 836 ipv4_ping_novrf 837 838 log_subsection "With VRF" 839 setup "yes" 840 ipv4_ping_vrf 841 setup "yes" 842 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 843 ipv4_ping_vrf 844} 845 846################################################################################ 847# IPv4 TCP 848 849# 850# MD5 tests without VRF 851# 852ipv4_tcp_md5_novrf() 853{ 854 # 855 # single address 856 # 857 858 # basic use case 859 log_start 860 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 861 sleep 1 862 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 863 log_test $? 0 "MD5: Single address config" 864 865 # client sends MD5, server not configured 866 log_start 867 show_hint "Should timeout due to MD5 mismatch" 868 run_cmd nettest -s & 869 sleep 1 870 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 871 log_test $? 2 "MD5: Server no config, client uses password" 872 873 # wrong password 874 log_start 875 show_hint "Should timeout since client uses wrong password" 876 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 877 sleep 1 878 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 879 log_test $? 2 "MD5: Client uses wrong password" 880 881 # client from different address 882 log_start 883 show_hint "Should timeout due to MD5 mismatch" 884 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} & 885 sleep 1 886 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 887 log_test $? 
2 "MD5: Client address does not match address configured with password" 888 889 # 890 # MD5 extension - prefix length 891 # 892 893 # client in prefix 894 log_start 895 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 896 sleep 1 897 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 898 log_test $? 0 "MD5: Prefix config" 899 900 # client in prefix, wrong password 901 log_start 902 show_hint "Should timeout since client uses wrong password" 903 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 904 sleep 1 905 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 906 log_test $? 2 "MD5: Prefix config, client uses wrong password" 907 908 # client outside of prefix 909 log_start 910 show_hint "Should timeout due to MD5 mismatch" 911 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 912 sleep 1 913 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 914 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 915} 916 917# 918# MD5 tests with VRF 919# 920ipv4_tcp_md5() 921{ 922 # 923 # single address 924 # 925 926 # basic use case 927 log_start 928 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 929 sleep 1 930 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 931 log_test $? 0 "MD5: VRF: Single address config" 932 933 # client sends MD5, server not configured 934 log_start 935 show_hint "Should timeout since server does not have MD5 auth" 936 run_cmd nettest -s -I ${VRF} & 937 sleep 1 938 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 939 log_test $? 2 "MD5: VRF: Server no config, client uses password" 940 941 # wrong password 942 log_start 943 show_hint "Should timeout since client uses wrong password" 944 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 945 sleep 1 946 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 947 log_test $? 
2 "MD5: VRF: Client uses wrong password" 948 949 # client from different address 950 log_start 951 show_hint "Should timeout since server config differs from client" 952 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} & 953 sleep 1 954 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 955 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 956 957 # 958 # MD5 extension - prefix length 959 # 960 961 # client in prefix 962 log_start 963 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 964 sleep 1 965 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 966 log_test $? 0 "MD5: VRF: Prefix config" 967 968 # client in prefix, wrong password 969 log_start 970 show_hint "Should timeout since client uses wrong password" 971 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 972 sleep 1 973 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 974 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 975 976 # client outside of prefix 977 log_start 978 show_hint "Should timeout since client address is outside of prefix" 979 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 980 sleep 1 981 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 982 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" 983 984 # 985 # duplicate config between default VRF and a VRF 986 # 987 988 log_start 989 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 990 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 991 sleep 1 992 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 993 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 994 995 log_start 996 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 997 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 998 sleep 1 999 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1000 log_test $? 
0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 1001 1002 log_start 1003 show_hint "Should timeout since client in default VRF uses VRF password" 1004 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 1005 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 1006 sleep 1 1007 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1008 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 1009 1010 log_start 1011 show_hint "Should timeout since client in VRF uses default VRF password" 1012 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 1013 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 1014 sleep 1 1015 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1016 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 1017 1018 log_start 1019 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1020 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1021 sleep 1 1022 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1023 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 1024 1025 log_start 1026 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1027 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1028 sleep 1 1029 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1030 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 1031 1032 log_start 1033 show_hint "Should timeout since client in default VRF uses VRF password" 1034 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1035 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1036 sleep 1 1037 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1038 log_test $? 
2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 1039 1040 log_start 1041 show_hint "Should timeout since client in VRF uses default VRF password" 1042 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1043 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1044 sleep 1 1045 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1046 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 1047 1048 # 1049 # negative tests 1050 # 1051 log_start 1052 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP} 1053 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 1054 1055 log_start 1056 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET} 1057 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 1058 1059 test_ipv4_md5_vrf__vrf_server__no_bind_ifindex 1060 test_ipv4_md5_vrf__global_server__bind_ifindex0 1061} 1062 1063test_ipv4_md5_vrf__vrf_server__no_bind_ifindex() 1064{ 1065 log_start 1066 show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX" 1067 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1068 sleep 1 1069 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1070 log_test $? 0 "MD5: VRF: VRF-bound server, unbound key accepts connection" 1071 1072 log_start 1073 show_hint "Binding both the socket and the key is not required but it works" 1074 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1075 sleep 1 1076 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1077 log_test $? 
0 "MD5: VRF: VRF-bound server, bound key accepts connection" 1078} 1079 1080test_ipv4_md5_vrf__global_server__bind_ifindex0() 1081{ 1082 # This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections 1083 local old_tcp_l3mdev_accept 1084 old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept) 1085 set_sysctl net.ipv4.tcp_l3mdev_accept=1 1086 1087 log_start 1088 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1089 sleep 1 1090 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1091 log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection" 1092 1093 log_start 1094 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1095 sleep 1 1096 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1097 log_test $? 0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection" 1098 log_start 1099 1100 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1101 sleep 1 1102 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1103 log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection" 1104 1105 log_start 1106 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1107 sleep 1 1108 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1109 log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection" 1110 1111 # restore value 1112 set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept" 1113} 1114 1115ipv4_tcp_dontroute() 1116{ 1117 local syncookies=$1 1118 local nsa_syncookies 1119 local nsb_syncookies 1120 local a 1121 1122 # 1123 # Link local connection tests (SO_DONTROUTE). 1124 # Connections should succeed only when the remote IP address is 1125 # on link (doesn't need to be routed through a gateway). 
1126 # 1127 1128 nsa_syncookies=$(ip netns exec "${NSA}" sysctl -n net.ipv4.tcp_syncookies) 1129 nsb_syncookies=$(ip netns exec "${NSB}" sysctl -n net.ipv4.tcp_syncookies) 1130 ip netns exec "${NSA}" sysctl -wq net.ipv4.tcp_syncookies=${syncookies} 1131 ip netns exec "${NSB}" sysctl -wq net.ipv4.tcp_syncookies=${syncookies} 1132 1133 # Test with eth1 address (on link). 1134 1135 a=${NSB_IP} 1136 log_start 1137 do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute 1138 log_test_addr ${a} $? 0 "SO_DONTROUTE client, syncookies=${syncookies}" 1139 1140 a=${NSB_IP} 1141 log_start 1142 do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -r ${a} --server-dontroute 1143 log_test_addr ${a} $? 0 "SO_DONTROUTE server, syncookies=${syncookies}" 1144 1145 # Test with loopback address (routed). 1146 # 1147 # The client would use the eth1 address as source IP by default. 1148 # Therefore, we need to use the -c option here, to force the use of the 1149 # routed (loopback) address as source IP (so that the server will try 1150 # to respond to a routed address and not a link local one). 1151 1152 a=${NSB_LO_IP} 1153 log_start 1154 show_hint "Should fail 'Network is unreachable' since server is not on link" 1155 do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -c "${NSA_LO_IP}" -r ${a} --client-dontroute 1156 log_test_addr ${a} $? 1 "SO_DONTROUTE client, syncookies=${syncookies}" 1157 1158 a=${NSB_LO_IP} 1159 log_start 1160 show_hint "Should timeout since server cannot respond (client is not on link)" 1161 do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -c "${NSA_LO_IP}" -r ${a} --server-dontroute 1162 log_test_addr ${a} $? 
2 "SO_DONTROUTE server, syncookies=${syncookies}" 1163 1164 ip netns exec "${NSB}" sysctl -wq net.ipv4.tcp_syncookies=${nsb_syncookies} 1165 ip netns exec "${NSA}" sysctl -wq net.ipv4.tcp_syncookies=${nsa_syncookies} 1166} 1167 1168ipv4_tcp_novrf() 1169{ 1170 local a 1171 1172 # 1173 # server tests 1174 # 1175 for a in ${NSA_IP} ${NSA_LO_IP} 1176 do 1177 log_start 1178 run_cmd nettest -s & 1179 sleep 1 1180 run_cmd_nsb nettest -r ${a} 1181 log_test_addr ${a} $? 0 "Global server" 1182 done 1183 1184 a=${NSA_IP} 1185 log_start 1186 run_cmd nettest -s -I ${NSA_DEV} & 1187 sleep 1 1188 run_cmd_nsb nettest -r ${a} 1189 log_test_addr ${a} $? 0 "Device server" 1190 1191 # verify TCP reset sent and received 1192 for a in ${NSA_IP} ${NSA_LO_IP} 1193 do 1194 log_start 1195 show_hint "Should fail 'Connection refused' since there is no server" 1196 run_cmd_nsb nettest -r ${a} 1197 log_test_addr ${a} $? 1 "No server" 1198 done 1199 1200 # 1201 # client 1202 # 1203 for a in ${NSB_IP} ${NSB_LO_IP} 1204 do 1205 log_start 1206 run_cmd_nsb nettest -s & 1207 sleep 1 1208 run_cmd nettest -r ${a} -0 ${NSA_IP} 1209 log_test_addr ${a} $? 0 "Client" 1210 1211 log_start 1212 run_cmd_nsb nettest -s & 1213 sleep 1 1214 run_cmd nettest -r ${a} -d ${NSA_DEV} 1215 log_test_addr ${a} $? 0 "Client, device bind" 1216 1217 log_start 1218 show_hint "Should fail 'Connection refused'" 1219 run_cmd nettest -r ${a} 1220 log_test_addr ${a} $? 1 "No server, unbound client" 1221 1222 log_start 1223 show_hint "Should fail 'Connection refused'" 1224 run_cmd nettest -r ${a} -d ${NSA_DEV} 1225 log_test_addr ${a} $? 1 "No server, device client" 1226 done 1227 1228 # 1229 # local address tests 1230 # 1231 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1232 do 1233 log_start 1234 run_cmd nettest -s & 1235 sleep 1 1236 run_cmd nettest -r ${a} -0 ${a} -1 ${a} 1237 log_test_addr ${a} $? 
0 "Global server, local connection" 1238 done 1239 1240 a=${NSA_IP} 1241 log_start 1242 run_cmd nettest -s -I ${NSA_DEV} & 1243 sleep 1 1244 run_cmd nettest -r ${a} -0 ${a} 1245 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 1246 1247 for a in ${NSA_LO_IP} 127.0.0.1 1248 do 1249 log_start 1250 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 1251 run_cmd nettest -s -I ${NSA_DEV} & 1252 sleep 1 1253 run_cmd nettest -r ${a} 1254 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 1255 done 1256 1257 a=${NSA_IP} 1258 log_start 1259 run_cmd nettest -s & 1260 sleep 1 1261 run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV} 1262 log_test_addr ${a} $? 0 "Global server, device client, local connection" 1263 1264 for a in ${NSA_LO_IP} 127.0.0.1 1265 do 1266 log_start 1267 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 1268 run_cmd nettest -s & 1269 sleep 1 1270 run_cmd nettest -r ${a} -d ${NSA_DEV} 1271 log_test_addr ${a} $? 1 "Global server, device client, local connection" 1272 done 1273 1274 a=${NSA_IP} 1275 log_start 1276 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1277 sleep 1 1278 run_cmd nettest -d ${NSA_DEV} -r ${a} -0 ${a} 1279 log_test_addr ${a} $? 0 "Device server, device client, local connection" 1280 1281 log_start 1282 show_hint "Should fail 'Connection refused'" 1283 run_cmd nettest -d ${NSA_DEV} -r ${a} 1284 log_test_addr ${a} $? 
1 "No server, device client, local conn" 1285 1286 ipv4_tcp_md5_novrf 1287 1288 ipv4_tcp_dontroute 0 1289 ipv4_tcp_dontroute 2 1290} 1291 1292ipv4_tcp_vrf() 1293{ 1294 local a 1295 1296 # disable global server 1297 log_subsection "Global server disabled" 1298 1299 set_sysctl net.ipv4.tcp_l3mdev_accept=0 1300 1301 # 1302 # server tests 1303 # 1304 for a in ${NSA_IP} ${VRF_IP} 1305 do 1306 log_start 1307 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 1308 run_cmd nettest -s & 1309 sleep 1 1310 run_cmd_nsb nettest -r ${a} 1311 log_test_addr ${a} $? 1 "Global server" 1312 1313 log_start 1314 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1315 sleep 1 1316 run_cmd_nsb nettest -r ${a} 1317 log_test_addr ${a} $? 0 "VRF server" 1318 1319 log_start 1320 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1321 sleep 1 1322 run_cmd_nsb nettest -r ${a} 1323 log_test_addr ${a} $? 0 "Device server" 1324 1325 # verify TCP reset received 1326 log_start 1327 show_hint "Should fail 'Connection refused' since there is no server" 1328 run_cmd_nsb nettest -r ${a} 1329 log_test_addr ${a} $? 1 "No server" 1330 done 1331 1332 # local address tests 1333 # (${VRF_IP} and 127.0.0.1 both timeout) 1334 a=${NSA_IP} 1335 log_start 1336 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 1337 run_cmd nettest -s & 1338 sleep 1 1339 run_cmd nettest -r ${a} -d ${NSA_DEV} 1340 log_test_addr ${a} $? 1 "Global server, local connection" 1341 1342 # run MD5 tests 1343 setup_vrf_dup 1344 ipv4_tcp_md5 1345 cleanup_vrf_dup 1346 1347 # 1348 # enable VRF global server 1349 # 1350 log_subsection "VRF Global server enabled" 1351 set_sysctl net.ipv4.tcp_l3mdev_accept=1 1352 1353 for a in ${NSA_IP} ${VRF_IP} 1354 do 1355 log_start 1356 show_hint "client socket should be bound to VRF" 1357 run_cmd nettest -s -3 ${VRF} & 1358 sleep 1 1359 run_cmd_nsb nettest -r ${a} 1360 log_test_addr ${a} $? 
0 "Global server" 1361 1362 log_start 1363 show_hint "client socket should be bound to VRF" 1364 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1365 sleep 1 1366 run_cmd_nsb nettest -r ${a} 1367 log_test_addr ${a} $? 0 "VRF server" 1368 1369 # verify TCP reset received 1370 log_start 1371 show_hint "Should fail 'Connection refused'" 1372 run_cmd_nsb nettest -r ${a} 1373 log_test_addr ${a} $? 1 "No server" 1374 done 1375 1376 a=${NSA_IP} 1377 log_start 1378 show_hint "client socket should be bound to device" 1379 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1380 sleep 1 1381 run_cmd_nsb nettest -r ${a} 1382 log_test_addr ${a} $? 0 "Device server" 1383 1384 # local address tests 1385 for a in ${NSA_IP} ${VRF_IP} 1386 do 1387 log_start 1388 show_hint "Should fail 'Connection refused' since client is not bound to VRF" 1389 run_cmd nettest -s -I ${VRF} & 1390 sleep 1 1391 run_cmd nettest -r ${a} 1392 log_test_addr ${a} $? 1 "Global server, local connection" 1393 done 1394 1395 # 1396 # client 1397 # 1398 for a in ${NSB_IP} ${NSB_LO_IP} 1399 do 1400 log_start 1401 run_cmd_nsb nettest -s & 1402 sleep 1 1403 run_cmd nettest -r ${a} -d ${VRF} 1404 log_test_addr ${a} $? 0 "Client, VRF bind" 1405 1406 log_start 1407 run_cmd_nsb nettest -s & 1408 sleep 1 1409 run_cmd nettest -r ${a} -d ${NSA_DEV} 1410 log_test_addr ${a} $? 0 "Client, device bind" 1411 1412 log_start 1413 show_hint "Should fail 'Connection refused'" 1414 run_cmd nettest -r ${a} -d ${VRF} 1415 log_test_addr ${a} $? 1 "No server, VRF client" 1416 1417 log_start 1418 show_hint "Should fail 'Connection refused'" 1419 run_cmd nettest -r ${a} -d ${NSA_DEV} 1420 log_test_addr ${a} $? 1 "No server, device client" 1421 done 1422 1423 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 1424 do 1425 log_start 1426 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1427 sleep 1 1428 run_cmd nettest -r ${a} -d ${VRF} -0 ${a} 1429 log_test_addr ${a} $? 
0 "VRF server, VRF client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${VRF} -3 ${VRF} &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local connection"

	log_start
	show_hint "Should fail 'No route to host' since client is out of VRF scope"
	run_cmd nettest -s -I ${VRF} &
	sleep 1
	run_cmd nettest -r ${a}
	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local connection"
}

# Entry point for the IPv4 TCP tests.
# Runs the non-VRF cases twice, first with tcp_l3mdev_accept=0 and then
# with tcp_l3mdev_accept=1, and afterwards the VRF cases on a topology
# rebuilt by 'setup "yes"'.
ipv4_tcp()
{
	local accept_val

	log_section "IPv4/TCP"
	log_subsection "No VRF"
	setup

	# tcp_l3mdev_accept should have no effect without VRF;
	# run the same tests with it disabled and then enabled to verify
	for accept_val in 0 1
	do
		if [ "${accept_val}" = "0" ]; then
			log_subsection "tcp_l3mdev_accept disabled"
		else
			log_subsection "tcp_l3mdev_accept enabled"
		fi
		set_sysctl net.ipv4.tcp_l3mdev_accept=${accept_val}
		ipv4_tcp_novrf
	done

	log_subsection "With VRF"
	setup "yes"
	ipv4_tcp_vrf
}

################################################################################
# IPv4 UDP

ipv4_udp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $?
0 "Global server" 1496 1497 log_start 1498 show_hint "Should fail 'Connection refused' since there is no server" 1499 run_cmd_nsb nettest -D -r ${a} 1500 log_test_addr ${a} $? 1 "No server" 1501 done 1502 1503 a=${NSA_IP} 1504 log_start 1505 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1506 sleep 1 1507 run_cmd_nsb nettest -D -r ${a} 1508 log_test_addr ${a} $? 0 "Device server" 1509 1510 # 1511 # client 1512 # 1513 for a in ${NSB_IP} ${NSB_LO_IP} 1514 do 1515 log_start 1516 run_cmd_nsb nettest -D -s & 1517 sleep 1 1518 run_cmd nettest -D -r ${a} -0 ${NSA_IP} 1519 log_test_addr ${a} $? 0 "Client" 1520 1521 log_start 1522 run_cmd_nsb nettest -D -s & 1523 sleep 1 1524 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP} 1525 log_test_addr ${a} $? 0 "Client, device bind" 1526 1527 log_start 1528 run_cmd_nsb nettest -D -s & 1529 sleep 1 1530 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP} 1531 log_test_addr ${a} $? 0 "Client, device send via cmsg" 1532 1533 log_start 1534 run_cmd_nsb nettest -D -s & 1535 sleep 1 1536 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} 1537 log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF" 1538 1539 log_start 1540 run_cmd_nsb nettest -D -s & 1541 sleep 1 1542 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} -U 1543 log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF, with connect()" 1544 1545 1546 log_start 1547 show_hint "Should fail 'Connection refused'" 1548 run_cmd nettest -D -r ${a} 1549 log_test_addr ${a} $? 1 "No server, unbound client" 1550 1551 log_start 1552 show_hint "Should fail 'Connection refused'" 1553 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1554 log_test_addr ${a} $? 1 "No server, device client" 1555 done 1556 1557 # 1558 # local address tests 1559 # 1560 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1561 do 1562 log_start 1563 run_cmd nettest -D -s & 1564 sleep 1 1565 run_cmd nettest -D -r ${a} -0 ${a} -1 ${a} 1566 log_test_addr ${a} $? 
0 "Global server, local connection" 1567 done 1568 1569 a=${NSA_IP} 1570 log_start 1571 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1572 sleep 1 1573 run_cmd nettest -D -r ${a} 1574 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 1575 1576 for a in ${NSA_LO_IP} 127.0.0.1 1577 do 1578 log_start 1579 show_hint "Should fail 'Connection refused' since address is out of device scope" 1580 run_cmd nettest -s -D -I ${NSA_DEV} & 1581 sleep 1 1582 run_cmd nettest -D -r ${a} 1583 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 1584 done 1585 1586 a=${NSA_IP} 1587 log_start 1588 run_cmd nettest -s -D & 1589 sleep 1 1590 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1591 log_test_addr ${a} $? 0 "Global server, device client, local connection" 1592 1593 log_start 1594 run_cmd nettest -s -D & 1595 sleep 1 1596 run_cmd nettest -D -d ${NSA_DEV} -C -r ${a} 1597 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 1598 1599 log_start 1600 run_cmd nettest -s -D & 1601 sleep 1 1602 run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} 1603 log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection" 1604 1605 log_start 1606 run_cmd nettest -s -D & 1607 sleep 1 1608 run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} -U 1609 log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection, with connect()" 1610 1611 1612 # IPv4 with device bind has really weird behavior - it overrides the 1613 # fib lookup, generates an rtable and tries to send the packet. This 1614 # causes failures for local traffic at different places 1615 for a in ${NSA_LO_IP} 127.0.0.1 1616 do 1617 log_start 1618 show_hint "Should fail since addresses on loopback are out of device scope" 1619 run_cmd nettest -D -s & 1620 sleep 1 1621 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1622 log_test_addr ${a} $? 
2 "Global server, device client, local connection" 1623 1624 log_start 1625 show_hint "Should fail since addresses on loopback are out of device scope" 1626 run_cmd nettest -D -s & 1627 sleep 1 1628 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C 1629 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 1630 1631 log_start 1632 show_hint "Should fail since addresses on loopback are out of device scope" 1633 run_cmd nettest -D -s & 1634 sleep 1 1635 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S 1636 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 1637 1638 log_start 1639 show_hint "Should fail since addresses on loopback are out of device scope" 1640 run_cmd nettest -D -s & 1641 sleep 1 1642 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -U 1643 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()" 1644 1645 1646 done 1647 1648 a=${NSA_IP} 1649 log_start 1650 run_cmd nettest -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1651 sleep 1 1652 run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a} 1653 log_test_addr ${a} $? 0 "Device server, device client, local conn" 1654 1655 log_start 1656 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1657 log_test_addr ${a} $? 2 "No server, device client, local conn" 1658 1659 # 1660 # Link local connection tests (SO_DONTROUTE). 1661 # Connections should succeed only when the remote IP address is 1662 # on link (doesn't need to be routed through a gateway). 1663 # 1664 1665 a=${NSB_IP} 1666 log_start 1667 do_run_cmd nettest -B -D -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute 1668 log_test_addr ${a} $? 0 "SO_DONTROUTE client" 1669 1670 a=${NSB_LO_IP} 1671 log_start 1672 show_hint "Should fail 'Network is unreachable' since server is not on link" 1673 do_run_cmd nettest -B -D -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute 1674 log_test_addr ${a} $? 
1 "SO_DONTROUTE client" 1675} 1676 1677ipv4_udp_vrf() 1678{ 1679 local a 1680 1681 # disable global server 1682 log_subsection "Global server disabled" 1683 set_sysctl net.ipv4.udp_l3mdev_accept=0 1684 1685 # 1686 # server tests 1687 # 1688 for a in ${NSA_IP} ${VRF_IP} 1689 do 1690 log_start 1691 show_hint "Fails because ingress is in a VRF and global server is disabled" 1692 run_cmd nettest -D -s & 1693 sleep 1 1694 run_cmd_nsb nettest -D -r ${a} 1695 log_test_addr ${a} $? 1 "Global server" 1696 1697 log_start 1698 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} & 1699 sleep 1 1700 run_cmd_nsb nettest -D -r ${a} 1701 log_test_addr ${a} $? 0 "VRF server" 1702 1703 log_start 1704 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1705 sleep 1 1706 run_cmd_nsb nettest -D -r ${a} 1707 log_test_addr ${a} $? 0 "Enslaved device server" 1708 1709 log_start 1710 show_hint "Should fail 'Connection refused' since there is no server" 1711 run_cmd_nsb nettest -D -r ${a} 1712 log_test_addr ${a} $? 1 "No server" 1713 1714 log_start 1715 show_hint "Should fail 'Connection refused' since global server is out of scope" 1716 run_cmd nettest -D -s & 1717 sleep 1 1718 run_cmd nettest -D -d ${VRF} -r ${a} 1719 log_test_addr ${a} $? 1 "Global server, VRF client, local connection" 1720 done 1721 1722 a=${NSA_IP} 1723 log_start 1724 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1725 sleep 1 1726 run_cmd nettest -D -d ${VRF} -r ${a} 1727 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1728 1729 log_start 1730 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1731 sleep 1 1732 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1733 log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection" 1734 1735 a=${NSA_IP} 1736 log_start 1737 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1738 sleep 1 1739 run_cmd nettest -D -d ${VRF} -r ${a} 1740 log_test_addr ${a} $? 
0 "Enslaved device server, VRF client, local conn" 1741 1742 log_start 1743 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1744 sleep 1 1745 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1746 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 1747 1748 # enable global server 1749 log_subsection "Global server enabled" 1750 set_sysctl net.ipv4.udp_l3mdev_accept=1 1751 1752 # 1753 # server tests 1754 # 1755 for a in ${NSA_IP} ${VRF_IP} 1756 do 1757 log_start 1758 run_cmd nettest -D -s -3 ${NSA_DEV} & 1759 sleep 1 1760 run_cmd_nsb nettest -D -r ${a} 1761 log_test_addr ${a} $? 0 "Global server" 1762 1763 log_start 1764 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} & 1765 sleep 1 1766 run_cmd_nsb nettest -D -r ${a} 1767 log_test_addr ${a} $? 0 "VRF server" 1768 1769 log_start 1770 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1771 sleep 1 1772 run_cmd_nsb nettest -D -r ${a} 1773 log_test_addr ${a} $? 0 "Enslaved device server" 1774 1775 log_start 1776 show_hint "Should fail 'Connection refused'" 1777 run_cmd_nsb nettest -D -r ${a} 1778 log_test_addr ${a} $? 1 "No server" 1779 done 1780 1781 # 1782 # client tests 1783 # 1784 log_start 1785 run_cmd_nsb nettest -D -s & 1786 sleep 1 1787 run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP} 1788 log_test $? 0 "VRF client" 1789 1790 log_start 1791 run_cmd_nsb nettest -D -s & 1792 sleep 1 1793 run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP} 1794 log_test $? 0 "Enslaved device client" 1795 1796 # negative test - should fail 1797 log_start 1798 show_hint "Should fail 'Connection refused'" 1799 run_cmd nettest -D -d ${VRF} -r ${NSB_IP} 1800 log_test $? 1 "No server, VRF client" 1801 1802 log_start 1803 show_hint "Should fail 'Connection refused'" 1804 run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP} 1805 log_test $? 
1 "No server, enslaved device client" 1806 1807 # 1808 # local address tests 1809 # 1810 a=${NSA_IP} 1811 log_start 1812 run_cmd nettest -D -s -3 ${NSA_DEV} & 1813 sleep 1 1814 run_cmd nettest -D -d ${VRF} -r ${a} 1815 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 1816 1817 log_start 1818 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1819 sleep 1 1820 run_cmd nettest -D -d ${VRF} -r ${a} 1821 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1822 1823 log_start 1824 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1825 sleep 1 1826 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1827 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 1828 1829 log_start 1830 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1831 sleep 1 1832 run_cmd nettest -D -d ${VRF} -r ${a} 1833 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 1834 1835 log_start 1836 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1837 sleep 1 1838 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1839 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 1840 1841 for a in ${VRF_IP} 127.0.0.1 1842 do 1843 log_start 1844 run_cmd nettest -D -s -3 ${VRF} & 1845 sleep 1 1846 run_cmd nettest -D -d ${VRF} -r ${a} 1847 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 1848 done 1849 1850 for a in ${VRF_IP} 127.0.0.1 1851 do 1852 log_start 1853 run_cmd nettest -s -D -I ${VRF} -3 ${VRF} & 1854 sleep 1 1855 run_cmd nettest -D -d ${VRF} -r ${a} 1856 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1857 done 1858 1859 # negative test - should fail 1860 # verifies ECONNREFUSED 1861 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 1862 do 1863 log_start 1864 show_hint "Should fail 'Connection refused'" 1865 run_cmd nettest -D -d ${VRF} -r ${a} 1866 log_test_addr ${a} $? 
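1 "No server, VRF client, local conn"
	done
}

# Entry point for the IPv4 UDP tests.
# Runs the non-VRF cases with udp_l3mdev_accept=0 and then =1, and
# afterwards the VRF cases on a topology rebuilt by 'setup "yes"'.
ipv4_udp()
{
	log_section "IPv4/UDP"
	log_subsection "No VRF"

	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv4_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv4_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_udp_vrf
}

################################################################################
# IPv4 address bind
#
# verifies ability or inability to bind to an address / device

# Bind checks without a VRF. Every nettest call carries -b; the logged
# expectation is the bind result only (0 = bind allowed, 1 = bind refused):
#   - raw sockets to local addresses, with and without a device bind
#   - raw, TCP and ICMP sockets to NL_IP with -f (NL_IP is the address the
#     file header reserves for the freebind tests)
#   - ICMP sockets to the broadcast and multicast addresses must fail
#   - TCP binds to NSA_IP, with and without a device bind
ipv4_addr_bind_novrf()
{
	# keep the scratch address out of the global scope, as the other test
	# functions in this file do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# tests for nonlocal bind
	#
	a=${NL_IP}
	log_start
	run_cmd nettest -s -R -f -l ${a} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

	log_start
	run_cmd nettest -s -f -l ${a} -b
	log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address"

	log_start
	run_cmd nettest -s -D -P icmp -f -l ${a} -b
	log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address"

	#
	# check that ICMP sockets cannot bind to broadcast and multicast addresses
	#
	a=${BCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address"

	a=${MCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to multicast address"

	#
	# tcp sockets
	#
	a=${NSA_IP}
	log_start
	run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not.
	# In other words a device bind narrows the L3 domain, not the set of
	# addresses a later bind() may pick; the case stays disabled so the
	# suite does not report that behavior as a failure.
	#a=${NSA_LO_IP}
	#log_start
	#show_hint "Should fail with 'Cannot assign requested address'"
	#run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
	#log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
}

# Bind checks with the VRF configured. Same result convention as the
# non-VRF variant (0 = bind allowed, 1 = bind refused):
#   - a raw socket that is not bound to the VRF cannot bind an address that
#     lives in the VRF; after a device or VRF bind it can
#   - the loopback address NSA_LO_IP is out of scope once the socket is
#     bound to the VRF or to the device in the VRF
#   - NL_IP with -f is still accepted after a VRF bind
#   - ICMP sockets still cannot bind broadcast or multicast addresses
ipv4_addr_bind_vrf()
{
	# keep the scratch address out of the global scope, as the other test
	# functions in this file do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Socket not bound to VRF, but address is in VRF"
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 1 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind"

	#
	# tests for nonlocal bind
	#
	a=${NL_IP}
	log_start
	run_cmd nettest -s -R -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	log_start
	run_cmd nettest -s -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address after VRF bind"

	log_start
	run_cmd nettest -s -D -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address after VRF bind"

	#
	# check that ICMP sockets cannot bind to broadcast and multicast addresses
	#
	a=${BCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address after VRF bind"

	a=${MCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to multicast address after VRF bind"

	#
	# tcp sockets
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address"

		log_start
		run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $?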
1 "TCP socket bind to invalid local address for device bind"
}

# Entry point for the IPv4 address bind tests: the non-VRF cases on a plain
# topology, then the VRF cases after 'setup "yes"'.
#
# Before each group the ping_group_range sysctl is widened to every group
# ID, presumably so the ICMP socket cases in the callees are allowed to
# create their sockets. stderr of that write is discarded, so a failed
# write is silent and would show up only as failing ICMP bind cases.
# NOTE(review): set_sysctl is defined outside this section; confirm it
# writes inside the test namespace and not on the host.
ipv4_addr_bind()
{
	local ping_groups='0 2147483647'

	log_section "IPv4 address binds"

	log_subsection "No VRF"
	setup
	set_sysctl net.ipv4.ping_group_range="${ping_groups}" 2>/dev/null
	ipv4_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	set_sysctl net.ipv4.ping_group_range="${ping_groups}" 2>/dev/null
	ipv4_addr_bind_vrf
}

################################################################################
# IPv4 runtime tests

# Delete the VRF device while sockets are in use.
# Each case starts a server and a client in the background, waits, removes
# the VRF with 'ip link del', and then logs a result whose status and
# expected value are both the literal 0, so the logged line is always OK.
# What is exercised is the device removal itself; a regression would
# presumably surface as a kernel warning or a hang rather than as [FAIL].
# After every case but the last the topology is rebuilt with setup.
#
# Arguments: $1 - label prefixed to every logged message
#            $2 - extra nettest options, word-split on purpose
#                 (callers pass "-n -1" and "-i")
#
# NOTE(review): the two client cases log ${a}, which still holds NSA_IP
# from the preceding case, although the client connects to NSB_IP.
ipv4_rt()
{
	local desc="$1"
	local varg="$2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in "${NSA_IP}" "${VRF_IP}"
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r "${a}" &
		sleep 3
		run_cmd ip link del "${VRF}"
		sleep 1
		log_test_addr "${a}" 0 0 "${desc}, global server"

		setup "${with_vrf}"
	done

	for a in "${NSA_IP}" "${VRF_IP}"
	do
		log_start
		run_cmd nettest ${varg} -s -I "${VRF}" &
		sleep 1
		run_cmd_nsb nettest ${varg} -r "${a}" &
		sleep 3
		run_cmd ip link del "${VRF}"
		sleep 1
		log_test_addr "${a}" 0 0 "${desc}, VRF server"

		setup "${with_vrf}"
	done

	a="${NSA_IP}"
	log_start
	run_cmd nettest ${varg} -s -I "${NSA_DEV}" &
	sleep 1
	run_cmd_nsb nettest ${varg} -r "${a}" &
	sleep 3
	run_cmd ip link del "${VRF}"
	sleep 1
	log_test_addr "${a}" 0 0 "${desc}, enslaved device server"

	setup "${with_vrf}"

	#
	# client test
	#
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d "${VRF}" -r "${NSB_IP}" &
	sleep 3
	run_cmd ip link del "${VRF}"
	sleep 1
	log_test_addr "${a}" 0 0 "${desc}, VRF client"

	setup "${with_vrf}"

	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d "${NSA_DEV}" -r "${NSB_IP}" &
	sleep 3
	run_cmd ip link del "${VRF}"
	sleep 1
	log_test_addr "${a}" 0 0 "${desc}, enslaved device client"

	setup "${with_vrf}"

	#
	# local address tests
	#
	for a in "${NSA_IP}" "${VRF_IP}"
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd nettest ${varg} -d "${VRF}" -r "${a}" &
		sleep 3
		run_cmd ip link del "${VRF}"
		sleep 1
		log_test_addr "${a}" 0 0 "${desc}, global server, VRF client, local"

		setup "${with_vrf}"
	done

	for a in "${NSA_IP}" "${VRF_IP}"
	do
		log_start
		run_cmd nettest ${varg} -I "${VRF}" -s &
		sleep 1
		run_cmd nettest ${varg} -d "${VRF}" -r "${a}" &
		sleep 3
		run_cmd ip link del "${VRF}"
		sleep 1
		log_test_addr "${a}" 0 0 "${desc}, VRF server and client, local"

		setup "${with_vrf}"
	done

	a="${NSA_IP}"
	log_start
	run_cmd nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d "${NSA_DEV}" -r "${a}" &
	sleep 3
	run_cmd ip link del "${VRF}"
	sleep 1
	log_test_addr "${a}" 0 0 "${desc}, global server, enslaved device client, local"

	setup "${with_vrf}"

	log_start
	run_cmd nettest ${varg} -I "${VRF}" -s &
	sleep 1
	run_cmd nettest ${varg} -d "${NSA_DEV}" -r "${a}" &
	sleep 3
	run_cmd ip link del "${VRF}"
	sleep 1
	log_test_addr "${a}" 0 0 "${desc}, VRF server, enslaved device client, local"

	setup "${with_vrf}"

	# last case: no setup afterwards, the caller rebuilds the topology
	log_start
	run_cmd nettest ${varg} -I "${NSA_DEV}" -s &
	sleep 1
	run_cmd nettest ${varg} -d "${NSA_DEV}" -r "${a}" &
	sleep 3
	run_cmd ip link del "${VRF}"
	sleep 1
	log_test_addr "${a}" 0 0 "${desc}, enslaved device server and client, local"
}

# Delete the VRF device while a flood ping ('ping -f') is running, first
# with ns-B pinging in, then with ns-A pinging out through the VRF.
# As in ipv4_rt the logged result is always OK (status 0, expected 0).
# The background ping is not stopped here; log_test_addr ends in log_test,
# which calls kill_procs.
ipv4_ping_rt()
{
	local with_vrf="yes"
	local a

	for a in "${NSA_IP}" "${VRF_IP}"
	do
		log_start
		run_cmd_nsb ping -f "${a}" &
		sleep 3
		run_cmd ip link del "${VRF}"
		sleep 1
		log_test_addr "${a}" 0 0 "Device delete with active traffic - ping in"

		setup "${with_vrf}"
	done

	a="${NSB_IP}"
	log_start
	run_cmd ping -f -I "${VRF}" "${a}" &
	sleep 3
	run_cmd ip link del "${VRF}"
	sleep 1
	log_test_addr "${a}" 0 0 "Device delete with active traffic - ping out"
}

# Entry point for the IPv4 run time tests. The topology is rebuilt with
# 'setup "yes"' before each group because every group ends with the VRF
# device deleted.
ipv4_runtime()
{
	log_section "Run time tests - ipv4"

	setup "yes"
	ipv4_ping_rt

	setup "yes"
	ipv4_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv4_rt "TCP passive socket" "-i"
}

################################################################################
# IPv6

ipv6_ping_novrf()
{
	local a

	# should not have an impact, but make a known state
	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping out"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a}
		log_test_addr ${a} $? 0 "ping out, loopback address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
	do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	#
	# local traffic, local address
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $?
0 "ping local, no bind" 2292 done 2293 2294 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2295 do 2296 log_start 2297 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2298 log_test_addr ${a} $? 0 "ping local, device bind" 2299 done 2300 2301 for a in ${NSA_LO_IP6} ::1 2302 do 2303 log_start 2304 show_hint "Fails since address on loopback is out of device scope" 2305 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2306 log_test_addr ${a} $? 2 "ping local, device bind" 2307 done 2308 2309 # 2310 # ip rule blocks address 2311 # 2312 log_start 2313 setup_cmd ip -6 rule add pref 32765 from all lookup local 2314 setup_cmd ip -6 rule del pref 0 from all lookup local 2315 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2316 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2317 2318 a=${NSB_LO_IP6} 2319 run_cmd ${ping6} -c1 -w1 ${a} 2320 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2321 2322 log_start 2323 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2324 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2325 2326 a=${NSA_LO_IP6} 2327 log_start 2328 show_hint "Response lost due to ip rule" 2329 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2330 log_test_addr ${a} $? 1 "ping in, blocked by rule" 2331 2332 setup_cmd ip -6 rule add pref 0 from all lookup local 2333 setup_cmd ip -6 rule del pref 32765 from all lookup local 2334 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2335 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2336 2337 # 2338 # route blocks reachability to remote address 2339 # 2340 log_start 2341 setup_cmd ip -6 route del ${NSB_LO_IP6} 2342 setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10 2343 setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10 2344 2345 a=${NSB_LO_IP6} 2346 run_cmd ${ping6} -c1 -w1 ${a} 2347 log_test_addr ${a} $? 2 "ping out, blocked by route" 2348 2349 log_start 2350 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2351 log_test_addr ${a} $? 
2 "ping out, device bind, blocked by route" 2352 2353 a=${NSA_LO_IP6} 2354 log_start 2355 show_hint "Response lost due to ip route" 2356 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2357 log_test_addr ${a} $? 1 "ping in, blocked by route" 2358 2359 2360 # 2361 # remove 'remote' routes; fallback to default 2362 # 2363 log_start 2364 setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6} 2365 setup_cmd ip -6 ro del unreachable ${NSB_IP6} 2366 2367 a=${NSB_LO_IP6} 2368 run_cmd ${ping6} -c1 -w1 ${a} 2369 log_test_addr ${a} $? 2 "ping out, unreachable route" 2370 2371 log_start 2372 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2373 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 2374} 2375 2376ipv6_ping_vrf() 2377{ 2378 local a 2379 2380 # should default on; does not exist on older kernels 2381 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 2382 2383 # 2384 # out 2385 # 2386 for a in ${NSB_IP6} ${NSB_LO_IP6} 2387 do 2388 log_start 2389 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2390 log_test_addr ${a} $? 0 "ping out, VRF bind" 2391 done 2392 2393 for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF} 2394 do 2395 log_start 2396 show_hint "Fails since VRF device does not support linklocal or multicast" 2397 run_cmd ${ping6} -c1 -w1 ${a} 2398 log_test_addr ${a} $? 1 "ping out, VRF bind" 2399 done 2400 2401 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2402 do 2403 log_start 2404 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2405 log_test_addr ${a} $? 0 "ping out, device bind" 2406 done 2407 2408 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2409 do 2410 log_start 2411 run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a} 2412 log_test_addr ${a} $? 0 "ping out, vrf device+address bind" 2413 done 2414 2415 # 2416 # in 2417 # 2418 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV} 2419 do 2420 log_start 2421 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2422 log_test_addr ${a} $? 
0 "ping in" 2423 done 2424 2425 a=${NSA_LO_IP6} 2426 log_start 2427 show_hint "Fails since loopback address is out of VRF scope" 2428 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2429 log_test_addr ${a} $? 1 "ping in" 2430 2431 # 2432 # local traffic, local address 2433 # 2434 for a in ${NSA_IP6} ${VRF_IP6} ::1 2435 do 2436 log_start 2437 show_hint "Source address should be ${a}" 2438 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2439 log_test_addr ${a} $? 0 "ping local, VRF bind" 2440 done 2441 2442 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2443 do 2444 log_start 2445 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2446 log_test_addr ${a} $? 0 "ping local, device bind" 2447 done 2448 2449 # LLA to GUA - remove ipv6 global addresses from ns-B 2450 setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 2451 setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo 2452 setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2453 2454 for a in ${NSA_IP6} ${VRF_IP6} 2455 do 2456 log_start 2457 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 2458 log_test_addr ${a} $? 0 "ping in, LLA to GUA" 2459 done 2460 2461 setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2462 setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} 2463 setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo 2464 2465 # 2466 # ip rule blocks address 2467 # 2468 log_start 2469 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2470 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2471 2472 a=${NSB_LO_IP6} 2473 run_cmd ${ping6} -c1 -w1 ${a} 2474 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2475 2476 log_start 2477 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2478 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2479 2480 a=${NSA_LO_IP6} 2481 log_start 2482 show_hint "Response lost due to ip rule" 2483 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2484 log_test_addr ${a} $? 
1 "ping in, blocked by rule" 2485 2486 log_start 2487 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2488 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2489 2490 # 2491 # remove 'remote' routes; fallback to default 2492 # 2493 log_start 2494 setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF} 2495 2496 a=${NSB_LO_IP6} 2497 run_cmd ${ping6} -c1 -w1 ${a} 2498 log_test_addr ${a} $? 2 "ping out, unreachable route" 2499 2500 log_start 2501 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2502 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 2503 2504 ip -netns ${NSB} -6 ro del ${NSA_LO_IP6} 2505 a=${NSA_LO_IP6} 2506 log_start 2507 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2508 log_test_addr ${a} $? 2 "ping in, unreachable route" 2509} 2510 2511ipv6_ping() 2512{ 2513 log_section "IPv6 ping" 2514 2515 log_subsection "No VRF" 2516 setup 2517 ipv6_ping_novrf 2518 setup 2519 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 2520 ipv6_ping_novrf 2521 2522 log_subsection "With VRF" 2523 setup "yes" 2524 ipv6_ping_vrf 2525 setup "yes" 2526 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 2527 ipv6_ping_vrf 2528} 2529 2530################################################################################ 2531# IPv6 TCP 2532 2533# 2534# MD5 tests without VRF 2535# 2536ipv6_tcp_md5_novrf() 2537{ 2538 # 2539 # single address 2540 # 2541 2542 # basic use case 2543 log_start 2544 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} & 2545 sleep 1 2546 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2547 log_test $? 0 "MD5: Single address config" 2548 2549 # client sends MD5, server not configured 2550 log_start 2551 show_hint "Should timeout due to MD5 mismatch" 2552 run_cmd nettest -6 -s & 2553 sleep 1 2554 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2555 log_test $? 
2 "MD5: Server no config, client uses password" 2556 2557 # wrong password 2558 log_start 2559 show_hint "Should timeout since client uses wrong password" 2560 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} & 2561 sleep 1 2562 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2563 log_test $? 2 "MD5: Client uses wrong password" 2564 2565 # client from different address 2566 log_start 2567 show_hint "Should timeout due to MD5 mismatch" 2568 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} & 2569 sleep 1 2570 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2571 log_test $? 2 "MD5: Client address does not match address configured with password" 2572 2573 # 2574 # MD5 extension - prefix length 2575 # 2576 2577 # client in prefix 2578 log_start 2579 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2580 sleep 1 2581 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2582 log_test $? 0 "MD5: Prefix config" 2583 2584 # client in prefix, wrong password 2585 log_start 2586 show_hint "Should timeout since client uses wrong password" 2587 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2588 sleep 1 2589 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2590 log_test $? 2 "MD5: Prefix config, client uses wrong password" 2591 2592 # client outside of prefix 2593 log_start 2594 show_hint "Should timeout due to MD5 mismatch" 2595 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2596 sleep 1 2597 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW} 2598 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 2599} 2600 2601# 2602# MD5 tests with VRF 2603# 2604ipv6_tcp_md5() 2605{ 2606 # 2607 # single address 2608 # 2609 2610 # basic use case 2611 log_start 2612 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2613 sleep 1 2614 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2615 log_test $? 
0 "MD5: VRF: Single address config" 2616 2617 # client sends MD5, server not configured 2618 log_start 2619 show_hint "Should timeout since server does not have MD5 auth" 2620 run_cmd nettest -6 -s -I ${VRF} & 2621 sleep 1 2622 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2623 log_test $? 2 "MD5: VRF: Server no config, client uses password" 2624 2625 # wrong password 2626 log_start 2627 show_hint "Should timeout since client uses wrong password" 2628 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2629 sleep 1 2630 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2631 log_test $? 2 "MD5: VRF: Client uses wrong password" 2632 2633 # client from different address 2634 log_start 2635 show_hint "Should timeout since server config differs from client" 2636 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} & 2637 sleep 1 2638 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2639 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 2640 2641 # 2642 # MD5 extension - prefix length 2643 # 2644 2645 # client in prefix 2646 log_start 2647 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2648 sleep 1 2649 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2650 log_test $? 0 "MD5: VRF: Prefix config" 2651 2652 # client in prefix, wrong password 2653 log_start 2654 show_hint "Should timeout since client uses wrong password" 2655 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2656 sleep 1 2657 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2658 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 2659 2660 # client outside of prefix 2661 log_start 2662 show_hint "Should timeout since client address is outside of prefix" 2663 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2664 sleep 1 2665 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW} 2666 log_test $? 
2 "MD5: VRF: Prefix config, client address not in configured prefix" 2667 2668 # 2669 # duplicate config between default VRF and a VRF 2670 # 2671 2672 log_start 2673 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2674 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2675 sleep 1 2676 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2677 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 2678 2679 log_start 2680 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2681 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2682 sleep 1 2683 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2684 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 2685 2686 log_start 2687 show_hint "Should timeout since client in default VRF uses VRF password" 2688 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2689 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2690 sleep 1 2691 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2692 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 2693 2694 log_start 2695 show_hint "Should timeout since client in VRF uses default VRF password" 2696 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2697 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2698 sleep 1 2699 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2700 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 2701 2702 log_start 2703 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2704 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2705 sleep 1 2706 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2707 log_test $? 
0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 2708 2709 log_start 2710 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2711 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2712 sleep 1 2713 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2714 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 2715 2716 log_start 2717 show_hint "Should timeout since client in default VRF uses VRF password" 2718 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2719 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2720 sleep 1 2721 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2722 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 2723 2724 log_start 2725 show_hint "Should timeout since client in VRF uses default VRF password" 2726 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2727 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2728 sleep 1 2729 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2730 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 2731 2732 # 2733 # negative tests 2734 # 2735 log_start 2736 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6} 2737 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 2738 2739 log_start 2740 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6} 2741 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 2742 2743} 2744 2745ipv6_tcp_novrf() 2746{ 2747 local a 2748 2749 # 2750 # server tests 2751 # 2752 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2753 do 2754 log_start 2755 run_cmd nettest -6 -s & 2756 sleep 1 2757 run_cmd_nsb nettest -6 -r ${a} 2758 log_test_addr ${a} $? 
0 "Global server" 2759 done 2760 2761 # verify TCP reset received 2762 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2763 do 2764 log_start 2765 show_hint "Should fail 'Connection refused'" 2766 run_cmd_nsb nettest -6 -r ${a} 2767 log_test_addr ${a} $? 1 "No server" 2768 done 2769 2770 # 2771 # client 2772 # 2773 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2774 do 2775 log_start 2776 run_cmd_nsb nettest -6 -s & 2777 sleep 1 2778 run_cmd nettest -6 -r ${a} 2779 log_test_addr ${a} $? 0 "Client" 2780 done 2781 2782 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2783 do 2784 log_start 2785 run_cmd_nsb nettest -6 -s & 2786 sleep 1 2787 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2788 log_test_addr ${a} $? 0 "Client, device bind" 2789 done 2790 2791 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2792 do 2793 log_start 2794 show_hint "Should fail 'Connection refused'" 2795 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2796 log_test_addr ${a} $? 1 "No server, device client" 2797 done 2798 2799 # 2800 # local address tests 2801 # 2802 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 2803 do 2804 log_start 2805 run_cmd nettest -6 -s & 2806 sleep 1 2807 run_cmd nettest -6 -r ${a} 2808 log_test_addr ${a} $? 0 "Global server, local connection" 2809 done 2810 2811 a=${NSA_IP6} 2812 log_start 2813 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2814 sleep 1 2815 run_cmd nettest -6 -r ${a} -0 ${a} 2816 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 2817 2818 for a in ${NSA_LO_IP6} ::1 2819 do 2820 log_start 2821 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2822 run_cmd nettest -6 -s -I ${NSA_DEV} & 2823 sleep 1 2824 run_cmd nettest -6 -r ${a} 2825 log_test_addr ${a} $? 
1 "Device server, unbound client, local connection" 2826 done 2827 2828 a=${NSA_IP6} 2829 log_start 2830 run_cmd nettest -6 -s & 2831 sleep 1 2832 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2833 log_test_addr ${a} $? 0 "Global server, device client, local connection" 2834 2835 for a in ${NSA_LO_IP6} ::1 2836 do 2837 log_start 2838 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2839 run_cmd nettest -6 -s & 2840 sleep 1 2841 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2842 log_test_addr ${a} $? 1 "Global server, device client, local connection" 2843 done 2844 2845 for a in ${NSA_IP6} ${NSA_LINKIP6} 2846 do 2847 log_start 2848 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2849 sleep 1 2850 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2851 log_test_addr ${a} $? 0 "Device server, device client, local conn" 2852 done 2853 2854 for a in ${NSA_IP6} ${NSA_LINKIP6} 2855 do 2856 log_start 2857 show_hint "Should fail 'Connection refused'" 2858 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2859 log_test_addr ${a} $? 1 "No server, device client, local conn" 2860 done 2861 2862 ipv6_tcp_md5_novrf 2863} 2864 2865ipv6_tcp_vrf() 2866{ 2867 local a 2868 2869 # disable global server 2870 log_subsection "Global server disabled" 2871 2872 set_sysctl net.ipv4.tcp_l3mdev_accept=0 2873 2874 # 2875 # server tests 2876 # 2877 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2878 do 2879 log_start 2880 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2881 run_cmd nettest -6 -s & 2882 sleep 1 2883 run_cmd_nsb nettest -6 -r ${a} 2884 log_test_addr ${a} $? 1 "Global server" 2885 done 2886 2887 for a in ${NSA_IP6} ${VRF_IP6} 2888 do 2889 log_start 2890 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2891 sleep 1 2892 run_cmd_nsb nettest -6 -r ${a} 2893 log_test_addr ${a} $? 
0 "VRF server" 2894 done 2895 2896 # link local is always bound to ingress device 2897 a=${NSA_LINKIP6}%${NSB_DEV} 2898 log_start 2899 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2900 sleep 1 2901 run_cmd_nsb nettest -6 -r ${a} 2902 log_test_addr ${a} $? 0 "VRF server" 2903 2904 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2905 do 2906 log_start 2907 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2908 sleep 1 2909 run_cmd_nsb nettest -6 -r ${a} 2910 log_test_addr ${a} $? 0 "Device server" 2911 done 2912 2913 # verify TCP reset received 2914 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2915 do 2916 log_start 2917 show_hint "Should fail 'Connection refused'" 2918 run_cmd_nsb nettest -6 -r ${a} 2919 log_test_addr ${a} $? 1 "No server" 2920 done 2921 2922 # local address tests 2923 a=${NSA_IP6} 2924 log_start 2925 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2926 run_cmd nettest -6 -s & 2927 sleep 1 2928 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2929 log_test_addr ${a} $? 1 "Global server, local connection" 2930 2931 # run MD5 tests 2932 setup_vrf_dup 2933 ipv6_tcp_md5 2934 cleanup_vrf_dup 2935 2936 # 2937 # enable VRF global server 2938 # 2939 log_subsection "VRF Global server enabled" 2940 set_sysctl net.ipv4.tcp_l3mdev_accept=1 2941 2942 for a in ${NSA_IP6} ${VRF_IP6} 2943 do 2944 log_start 2945 run_cmd nettest -6 -s -3 ${VRF} & 2946 sleep 1 2947 run_cmd_nsb nettest -6 -r ${a} 2948 log_test_addr ${a} $? 0 "Global server" 2949 done 2950 2951 for a in ${NSA_IP6} ${VRF_IP6} 2952 do 2953 log_start 2954 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2955 sleep 1 2956 run_cmd_nsb nettest -6 -r ${a} 2957 log_test_addr ${a} $? 0 "VRF server" 2958 done 2959 2960 # For LLA, child socket is bound to device 2961 a=${NSA_LINKIP6}%${NSB_DEV} 2962 log_start 2963 run_cmd nettest -6 -s -3 ${NSA_DEV} & 2964 sleep 1 2965 run_cmd_nsb nettest -6 -r ${a} 2966 log_test_addr ${a} $? 
0 "Global server" 2967 2968 log_start 2969 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2970 sleep 1 2971 run_cmd_nsb nettest -6 -r ${a} 2972 log_test_addr ${a} $? 0 "VRF server" 2973 2974 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2975 do 2976 log_start 2977 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2978 sleep 1 2979 run_cmd_nsb nettest -6 -r ${a} 2980 log_test_addr ${a} $? 0 "Device server" 2981 done 2982 2983 # verify TCP reset received 2984 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2985 do 2986 log_start 2987 show_hint "Should fail 'Connection refused'" 2988 run_cmd_nsb nettest -6 -r ${a} 2989 log_test_addr ${a} $? 1 "No server" 2990 done 2991 2992 # local address tests 2993 for a in ${NSA_IP6} ${VRF_IP6} 2994 do 2995 log_start 2996 show_hint "Fails 'Connection refused' since client is not in VRF" 2997 run_cmd nettest -6 -s -I ${VRF} & 2998 sleep 1 2999 run_cmd nettest -6 -r ${a} 3000 log_test_addr ${a} $? 1 "Global server, local connection" 3001 done 3002 3003 3004 # 3005 # client 3006 # 3007 for a in ${NSB_IP6} ${NSB_LO_IP6} 3008 do 3009 log_start 3010 run_cmd_nsb nettest -6 -s & 3011 sleep 1 3012 run_cmd nettest -6 -r ${a} -d ${VRF} 3013 log_test_addr ${a} $? 0 "Client, VRF bind" 3014 done 3015 3016 a=${NSB_LINKIP6} 3017 log_start 3018 show_hint "Fails since VRF device does not allow linklocal addresses" 3019 run_cmd_nsb nettest -6 -s & 3020 sleep 1 3021 run_cmd nettest -6 -r ${a} -d ${VRF} 3022 log_test_addr ${a} $? 1 "Client, VRF bind" 3023 3024 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 3025 do 3026 log_start 3027 run_cmd_nsb nettest -6 -s & 3028 sleep 1 3029 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 3030 log_test_addr ${a} $? 0 "Client, device bind" 3031 done 3032 3033 for a in ${NSB_IP6} ${NSB_LO_IP6} 3034 do 3035 log_start 3036 show_hint "Should fail 'Connection refused'" 3037 run_cmd nettest -6 -r ${a} -d ${VRF} 3038 log_test_addr ${a} $? 
1 "No server, VRF client" 3039 done 3040 3041 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 3042 do 3043 log_start 3044 show_hint "Should fail 'Connection refused'" 3045 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 3046 log_test_addr ${a} $? 1 "No server, device client" 3047 done 3048 3049 for a in ${NSA_IP6} ${VRF_IP6} ::1 3050 do 3051 log_start 3052 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 3053 sleep 1 3054 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 3055 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 3056 done 3057 3058 a=${NSA_IP6} 3059 log_start 3060 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 3061 sleep 1 3062 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 3063 log_test_addr ${a} $? 0 "VRF server, device client, local connection" 3064 3065 a=${NSA_IP6} 3066 log_start 3067 show_hint "Should fail since unbound client is out of VRF scope" 3068 run_cmd nettest -6 -s -I ${VRF} & 3069 sleep 1 3070 run_cmd nettest -6 -r ${a} 3071 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection" 3072 3073 log_start 3074 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3075 sleep 1 3076 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 3077 log_test_addr ${a} $? 0 "Device server, VRF client, local connection" 3078 3079 for a in ${NSA_IP6} ${NSA_LINKIP6} 3080 do 3081 log_start 3082 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3083 sleep 1 3084 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 3085 log_test_addr ${a} $? 
0 "Device server, device client, local connection" 3086 done 3087} 3088 3089ipv6_tcp() 3090{ 3091 log_section "IPv6/TCP" 3092 log_subsection "No VRF" 3093 setup 3094 3095 # tcp_l3mdev_accept should have no affect without VRF; 3096 # run tests with it enabled and disabled to verify 3097 log_subsection "tcp_l3mdev_accept disabled" 3098 set_sysctl net.ipv4.tcp_l3mdev_accept=0 3099 ipv6_tcp_novrf 3100 log_subsection "tcp_l3mdev_accept enabled" 3101 set_sysctl net.ipv4.tcp_l3mdev_accept=1 3102 ipv6_tcp_novrf 3103 3104 log_subsection "With VRF" 3105 setup "yes" 3106 ipv6_tcp_vrf 3107} 3108 3109################################################################################ 3110# IPv6 UDP 3111 3112ipv6_udp_novrf() 3113{ 3114 local a 3115 3116 # 3117 # server tests 3118 # 3119 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 3120 do 3121 log_start 3122 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3123 sleep 1 3124 run_cmd_nsb nettest -6 -D -r ${a} 3125 log_test_addr ${a} $? 0 "Global server" 3126 3127 log_start 3128 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3129 sleep 1 3130 run_cmd_nsb nettest -6 -D -r ${a} 3131 log_test_addr ${a} $? 0 "Device server" 3132 done 3133 3134 a=${NSA_LO_IP6} 3135 log_start 3136 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3137 sleep 1 3138 run_cmd_nsb nettest -6 -D -r ${a} 3139 log_test_addr ${a} $? 0 "Global server" 3140 3141 # should fail since loopback address is out of scope for a device 3142 # bound server, but it does not - hence this is more documenting 3143 # behavior. 3144 #log_start 3145 #show_hint "Should fail since loopback address is out of scope" 3146 #run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3147 #sleep 1 3148 #run_cmd_nsb nettest -6 -D -r ${a} 3149 #log_test_addr ${a} $? 
1 "Device server" 3150 3151 # negative test - should fail 3152 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 3153 do 3154 log_start 3155 show_hint "Should fail 'Connection refused' since there is no server" 3156 run_cmd_nsb nettest -6 -D -r ${a} 3157 log_test_addr ${a} $? 1 "No server" 3158 done 3159 3160 # 3161 # client 3162 # 3163 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 3164 do 3165 log_start 3166 run_cmd_nsb nettest -6 -D -s & 3167 sleep 1 3168 run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6} 3169 log_test_addr ${a} $? 0 "Client" 3170 3171 log_start 3172 run_cmd_nsb nettest -6 -D -s & 3173 sleep 1 3174 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6} 3175 log_test_addr ${a} $? 0 "Client, device bind" 3176 3177 log_start 3178 run_cmd_nsb nettest -6 -D -s & 3179 sleep 1 3180 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6} 3181 log_test_addr ${a} $? 0 "Client, device send via cmsg" 3182 3183 log_start 3184 run_cmd_nsb nettest -6 -D -s & 3185 sleep 1 3186 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6} 3187 log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF" 3188 3189 log_start 3190 show_hint "Should fail 'Connection refused'" 3191 run_cmd nettest -6 -D -r ${a} 3192 log_test_addr ${a} $? 1 "No server, unbound client" 3193 3194 log_start 3195 show_hint "Should fail 'Connection refused'" 3196 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3197 log_test_addr ${a} $? 1 "No server, device client" 3198 done 3199 3200 # 3201 # local address tests 3202 # 3203 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 3204 do 3205 log_start 3206 run_cmd nettest -6 -D -s & 3207 sleep 1 3208 run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a} 3209 log_test_addr ${a} $? 0 "Global server, local connection" 3210 done 3211 3212 a=${NSA_IP6} 3213 log_start 3214 run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 3215 sleep 1 3216 run_cmd nettest -6 -D -r ${a} 3217 log_test_addr ${a} $? 
0 "Device server, unbound client, local connection" 3218 3219 for a in ${NSA_LO_IP6} ::1 3220 do 3221 log_start 3222 show_hint "Should fail 'Connection refused' since address is out of device scope" 3223 run_cmd nettest -6 -s -D -I ${NSA_DEV} & 3224 sleep 1 3225 run_cmd nettest -6 -D -r ${a} 3226 log_test_addr ${a} $? 1 "Device server, local connection" 3227 done 3228 3229 a=${NSA_IP6} 3230 log_start 3231 run_cmd nettest -6 -s -D & 3232 sleep 1 3233 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3234 log_test_addr ${a} $? 0 "Global server, device client, local connection" 3235 3236 log_start 3237 run_cmd nettest -6 -s -D & 3238 sleep 1 3239 run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a} 3240 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 3241 3242 log_start 3243 run_cmd nettest -6 -s -D & 3244 sleep 1 3245 run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a} 3246 log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection" 3247 3248 for a in ${NSA_LO_IP6} ::1 3249 do 3250 log_start 3251 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3252 run_cmd nettest -6 -D -s & 3253 sleep 1 3254 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3255 log_test_addr ${a} $? 1 "Global server, device client, local connection" 3256 3257 log_start 3258 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3259 run_cmd nettest -6 -D -s & 3260 sleep 1 3261 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C 3262 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 3263 3264 log_start 3265 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3266 run_cmd nettest -6 -D -s & 3267 sleep 1 3268 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S 3269 log_test_addr ${a} $? 
1 "Global server, device client via IP_UNICAST_IF, local connection" 3270 3271 log_start 3272 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3273 run_cmd nettest -6 -D -s & 3274 sleep 1 3275 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -U 3276 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()" 3277 done 3278 3279 a=${NSA_IP6} 3280 log_start 3281 run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3282 sleep 1 3283 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a} 3284 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3285 3286 log_start 3287 show_hint "Should fail 'Connection refused'" 3288 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3289 log_test_addr ${a} $? 1 "No server, device client, local conn" 3290 3291 # LLA to GUA 3292 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3293 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3294 log_start 3295 run_cmd nettest -6 -s -D & 3296 sleep 1 3297 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3298 log_test $? 0 "UDP in - LLA to GUA" 3299 3300 run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV} 3301 run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad 3302} 3303 3304ipv6_udp_vrf() 3305{ 3306 local a 3307 3308 # disable global server 3309 log_subsection "Global server disabled" 3310 set_sysctl net.ipv4.udp_l3mdev_accept=0 3311 3312 # 3313 # server tests 3314 # 3315 for a in ${NSA_IP6} ${VRF_IP6} 3316 do 3317 log_start 3318 show_hint "Should fail 'Connection refused' since global server is disabled" 3319 run_cmd nettest -6 -D -s & 3320 sleep 1 3321 run_cmd_nsb nettest -6 -D -r ${a} 3322 log_test_addr ${a} $? 1 "Global server" 3323 done 3324 3325 for a in ${NSA_IP6} ${VRF_IP6} 3326 do 3327 log_start 3328 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3329 sleep 1 3330 run_cmd_nsb nettest -6 -D -r ${a} 3331 log_test_addr ${a} $? 
0 "VRF server" 3332 done 3333 3334 for a in ${NSA_IP6} ${VRF_IP6} 3335 do 3336 log_start 3337 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3338 sleep 1 3339 run_cmd_nsb nettest -6 -D -r ${a} 3340 log_test_addr ${a} $? 0 "Enslaved device server" 3341 done 3342 3343 # negative test - should fail 3344 for a in ${NSA_IP6} ${VRF_IP6} 3345 do 3346 log_start 3347 show_hint "Should fail 'Connection refused' since there is no server" 3348 run_cmd_nsb nettest -6 -D -r ${a} 3349 log_test_addr ${a} $? 1 "No server" 3350 done 3351 3352 # 3353 # local address tests 3354 # 3355 for a in ${NSA_IP6} ${VRF_IP6} 3356 do 3357 log_start 3358 show_hint "Should fail 'Connection refused' since global server is disabled" 3359 run_cmd nettest -6 -D -s & 3360 sleep 1 3361 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3362 log_test_addr ${a} $? 1 "Global server, VRF client, local conn" 3363 done 3364 3365 for a in ${NSA_IP6} ${VRF_IP6} 3366 do 3367 log_start 3368 run_cmd nettest -6 -D -I ${VRF} -s & 3369 sleep 1 3370 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3371 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3372 done 3373 3374 a=${NSA_IP6} 3375 log_start 3376 show_hint "Should fail 'Connection refused' since global server is disabled" 3377 run_cmd nettest -6 -D -s & 3378 sleep 1 3379 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3380 log_test_addr ${a} $? 1 "Global server, device client, local conn" 3381 3382 log_start 3383 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3384 sleep 1 3385 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3386 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 3387 3388 log_start 3389 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3390 sleep 1 3391 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3392 log_test_addr ${a} $? 
0 "Enslaved device server, VRF client, local conn" 3393 3394 log_start 3395 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3396 sleep 1 3397 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3398 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 3399 3400 # disable global server 3401 log_subsection "Global server enabled" 3402 set_sysctl net.ipv4.udp_l3mdev_accept=1 3403 3404 # 3405 # server tests 3406 # 3407 for a in ${NSA_IP6} ${VRF_IP6} 3408 do 3409 log_start 3410 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3411 sleep 1 3412 run_cmd_nsb nettest -6 -D -r ${a} 3413 log_test_addr ${a} $? 0 "Global server" 3414 done 3415 3416 for a in ${NSA_IP6} ${VRF_IP6} 3417 do 3418 log_start 3419 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3420 sleep 1 3421 run_cmd_nsb nettest -6 -D -r ${a} 3422 log_test_addr ${a} $? 0 "VRF server" 3423 done 3424 3425 for a in ${NSA_IP6} ${VRF_IP6} 3426 do 3427 log_start 3428 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3429 sleep 1 3430 run_cmd_nsb nettest -6 -D -r ${a} 3431 log_test_addr ${a} $? 0 "Enslaved device server" 3432 done 3433 3434 # negative test - should fail 3435 for a in ${NSA_IP6} ${VRF_IP6} 3436 do 3437 log_start 3438 run_cmd_nsb nettest -6 -D -r ${a} 3439 log_test_addr ${a} $? 1 "No server" 3440 done 3441 3442 # 3443 # client tests 3444 # 3445 log_start 3446 run_cmd_nsb nettest -6 -D -s & 3447 sleep 1 3448 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3449 log_test $? 0 "VRF client" 3450 3451 # negative test - should fail 3452 log_start 3453 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3454 log_test $? 1 "No server, VRF client" 3455 3456 log_start 3457 run_cmd_nsb nettest -6 -D -s & 3458 sleep 1 3459 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3460 log_test $? 0 "Enslaved device client" 3461 3462 # negative test - should fail 3463 log_start 3464 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3465 log_test $? 
1 "No server, enslaved device client" 3466 3467 # 3468 # local address tests 3469 # 3470 a=${NSA_IP6} 3471 log_start 3472 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3473 sleep 1 3474 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3475 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 3476 3477 #log_start 3478 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3479 sleep 1 3480 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3481 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3482 3483 3484 a=${VRF_IP6} 3485 log_start 3486 run_cmd nettest -6 -D -s -3 ${VRF} & 3487 sleep 1 3488 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3489 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 3490 3491 log_start 3492 run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} & 3493 sleep 1 3494 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3495 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3496 3497 # negative test - should fail 3498 for a in ${NSA_IP6} ${VRF_IP6} 3499 do 3500 log_start 3501 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3502 log_test_addr ${a} $? 1 "No server, VRF client, local conn" 3503 done 3504 3505 # device to global IP 3506 a=${NSA_IP6} 3507 log_start 3508 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3509 sleep 1 3510 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3511 log_test_addr ${a} $? 0 "Global server, device client, local conn" 3512 3513 log_start 3514 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3515 sleep 1 3516 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3517 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 3518 3519 log_start 3520 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3521 sleep 1 3522 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3523 log_test_addr ${a} $? 0 "Device server, VRF client, local conn" 3524 3525 log_start 3526 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3527 sleep 1 3528 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3529 log_test_addr ${a} $? 
0 "Device server, device client, local conn" 3530 3531 log_start 3532 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3533 log_test_addr ${a} $? 1 "No server, device client, local conn" 3534 3535 3536 # link local addresses 3537 log_start 3538 run_cmd nettest -6 -D -s & 3539 sleep 1 3540 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3541 log_test $? 0 "Global server, linklocal IP" 3542 3543 log_start 3544 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3545 log_test $? 1 "No server, linklocal IP" 3546 3547 3548 log_start 3549 run_cmd_nsb nettest -6 -D -s & 3550 sleep 1 3551 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3552 log_test $? 0 "Enslaved device client, linklocal IP" 3553 3554 log_start 3555 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3556 log_test $? 1 "No server, device client, peer linklocal IP" 3557 3558 3559 log_start 3560 run_cmd nettest -6 -D -s & 3561 sleep 1 3562 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3563 log_test $? 0 "Enslaved device client, local conn - linklocal IP" 3564 3565 log_start 3566 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3567 log_test $? 1 "No server, device client, local conn - linklocal IP" 3568 3569 # LLA to GUA 3570 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3571 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3572 log_start 3573 run_cmd nettest -6 -s -D & 3574 sleep 1 3575 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3576 log_test $? 
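0 "UDP in - LLA to GUA" 3577 3578 run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV} 3579 run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad 3580} 3581

# Run the IPv6 UDP test sets: the no-VRF set twice (udp_l3mdev_accept off,
# then on) and the VRF set once.
ipv6_udp()
{
	# should not matter, but set to known state
	set_sysctl net.ipv4.udp_early_demux=1

	log_section "IPv6/UDP"
	log_subsection "No VRF"
	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv6_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv6_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_udp_vrf
}

################################################################################
# IPv6 address bind

# Bind-only checks (nettest -b) for raw and TCP sockets without a VRF.
# Each case passes the nettest exit status and the expected status to
# log_test_addr.
ipv6_addr_bind_novrf()
{
	# keep the loop variable out of the global scope, as ipv6_rt and the
	# netfilter helpers in this file already do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# raw socket with nonlocal bind
	#
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

	#
	# tcp sockets
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. So this test passes
	# when it really should not.
	# Practical consequence: a device bind does not by itself restrict
	# which local address the socket can then bind to.
	a=${NSA_LO_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
}

# Bind-only checks (nettest -b) for raw and TCP sockets with the VRF
# configured. The cases expecting status 1 use the loopback address, which the
# hints below describe as out of scope for the VRF.
ipv6_addr_bind_vrf()
{
	# keep the loop variable out of the global scope, as ipv6_rt and the
	# netfilter helpers in this file already do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"

	#
	# raw socket with nonlocal bind
	#
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	#
	# tcp sockets
	#
	# address on enslaved device is valid for the VRF or device in a VRF
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not
	a=${VRF_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"

}

# Run the address-bind checks without and then with the VRF configured.
ipv6_addr_bind()
{
	log_section "IPv6 address binds"

	log_subsection "No VRF"
	setup
	ipv6_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_addr_bind_vrf
}

################################################################################
# IPv6 runtime tests

# Delete the VRF device while a nettest server/client pair is running.
# $1 - description used as the prefix of each test name
# $2 - extra nettest arguments (appended to -6)
#
# Every case is logged with rc 0 and expected 0, so the exit status of the
# nettest processes is not what is being checked; presumably the point is that
# the delete completes and the script keeps running. After each delete the
# topology is rebuilt with setup.
ipv6_rt()
{
	local desc="$1"
	local varg="-6 $2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${NSA_DEV} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, enslaved device server"

		setup ${with_vrf}
	done

	#
	# client test
	#
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, enslaved device client"

	setup ${with_vrf}


	#
	# local address tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server, VRF client"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server and client"

		setup ${with_vrf}
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, global server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${VRF} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, device server, device client"
}

# Delete the VRF device while a flood ping (-f) is running, once with the ping
# coming in from ns-B and once going out through the VRF. Like ipv6_rt, the
# result is logged as 0/0 regardless of the ping exit status.
ipv6_ping_rt()
{
	local with_vrf="yes"
	local a

	a=${NSA_IP6}
	log_start
	run_cmd_nsb ${ping6} -f ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

	setup ${with_vrf}

	log_start
	run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
	sleep 1
	run_cmd ip link del ${VRF}
	sleep 1
	# NOTE(review): the ping target here is NSB_IP6 but the test is labelled
	# with ${a} (NSA_IP6) - confirm which address the label should carry
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

# Run the device-delete-under-traffic tests for ping and for the three nettest
# socket variants, rebuilding the VRF topology before each set.
ipv6_runtime()
{
	log_section "Run time tests - ipv6"

	setup "yes"
	ipv6_ping_rt

	setup "yes"
	ipv6_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv6_rt "TCP passive socket" "-i"

	setup "yes"
	ipv6_rt "UDP active socket" "-D -n -1"
}

################################################################################
# netfilter blocking connections

# With a REJECT/tcp-reset rule installed by the caller, a TCP client in ns-B
# must fail (expected status 1) for both the device and the VRF address.
netfilter_tcp_reset()
{
	local a

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

# With REJECT/icmp-port-unreachable rules installed by the caller, a client in
# ns-B must fail (expected status 1).
# $1 - "TCP" or "UDP"; "UDP" adds -D to the nettest arguments
netfilter_icmp()
{
	local stype="$1"
	local arg
	local a

	[ "${stype}" = "UDP" ] && arg="-D"

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${arg} -s &
		sleep 1
		run_cmd_nsb nettest ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}

# Install REJECT rules for port 12345 in the INPUT chain and check that
# connections are refused, first with tcp-reset and then with
# icmp-port-unreachable for TCP and UDP.
ipv4_netfilter()
{
	log_section "IPv4 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp_reset

	log_start
	log_subsection "ICMP unreachable"

	log_start
	run_cmd iptables -F
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
	run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable

	netfilter_icmp "TCP"
	netfilter_icmp "UDP"

	log_start
	# Flush through run_cmd, the same way the rules were added. A bare
	# "iptables -F" acts on whatever namespace invoked the script; if
	# run_cmd executes inside ns-A (it is defined outside this view -
	# confirm), that would leave the test rules in place and clear the
	# invoking host's filter table instead.
	run_cmd iptables -F
}

# IPv6 counterpart of netfilter_tcp_reset.
netfilter_tcp6_reset()
{
	local a

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

# IPv6 counterpart of netfilter_icmp.
# $1 - "TCP" or "UDP"; "UDP" adds -D to the nettest arguments
netfilter_icmp6()
{
	local stype="$1"
	local arg
	local a

	[ "${stype}" = "UDP" ] && arg="$arg -D"

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s ${arg} &
		sleep 1
		run_cmd_nsb nettest -6 ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}

# IPv6 counterpart of ipv4_netfilter, using ip6tables and
# icmp6-port-unreachable.
ipv6_netfilter()
{
	log_section "IPv6 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp6_reset

	log_subsection "ICMP unreachable"

	log_start
	run_cmd ip6tables -F
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
	run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable

	netfilter_icmp6 "TCP"
	netfilter_icmp6 "UDP"

	log_start
	# Flush through run_cmd so the cleanup acts on the ruleset the rules
	# were added to, not on the namespace that invoked the script (see
	# ipv4_netfilter; run_cmd is defined outside this view - confirm).
	run_cmd ip6tables -F
}

################################################################################
# specific use cases

# VRF only.
# ns-A device enslaved to bridge. Verify traffic with and without
# br_netfilter module loaded. Repeat with SVI on bridge.
#
# Note: rmmod/modprobe of br_netfilter is not run through run_cmd or
# setup_cmd, so it changes module state for the whole host. If modprobe
# succeeds the module is left loaded when this function returns, whatever its
# state was before the test.
use_case_br()
{
	setup "yes"

	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
	setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64

	setup_cmd ip link add br0 type bridge
	setup_cmd ip addr add dev br0 ${NSA_IP}/24
	setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad

	setup_cmd ip li set ${NSA_DEV} master br0
	setup_cmd ip li set ${NSA_DEV} up
	setup_cmd ip li set br0 up
	setup_cmd ip li set br0 vrf ${VRF}

	# best effort: the module may not be loaded, so the error is discarded
	rmmod br_netfilter 2>/dev/null
	sleep 5 # DAD

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 ${NSA_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping in"

	# the br_netfilter variants only run when the module can be loaded
	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out"

		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 ${NSA_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in"
	fi

	setup_cmd ip li set br0 nomaster
	setup_cmd ip li add br0.100 link br0 type vlan id 100
	setup_cmd ip li set br0.100 vrf ${VRF} up
	setup_cmd ip addr add dev br0.100 172.16.101.1/24
	setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad

	setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
	setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
	setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
	setup_cmd_nsb ip li set vlan100 up
	sleep 1

	rmmod br_netfilter 2>/dev/null

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 172.16.101.1
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"

	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out"

		# the two "ping in" cases carry the br_netfilter tag as well, so
		# their results are not reported under the same name as the runs
		# without the module
		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 172.16.101.1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping in"
	fi

	setup_cmd ip li del br0 2>/dev/null
	setup_cmd_nsb ip li del vlan100 2>/dev/null
}

# VRF only.
# ns-A device is connected to both ns-B and ns-C on a single VRF but only has
# LLA on the interfaces
use_case_ping_lla_multi()
{
	setup_lla_only
	# only want reply from ns-A
	setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
	setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B"

	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C"

	# cycle/flap the first ns-A interface
	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip link set ${NSA_DEV} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C"

	# cycle/flap the second ns-A interface
	setup_cmd ip link set ${NSA_DEV2} down
	setup_cmd ip link set ${NSA_DEV2} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C"
}

# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully
# established with ns-B.
# The SNAT rules are removed again with -D at the end; that cleanup is only
# reached if the function runs to completion.
use_case_snat_on_vrf()
{
	setup "yes"

	local port="12345"

	run_cmd iptables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}

	run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} &
	sleep 1
	run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port}
	log_test $? 0 "IPv4 TCP connection over VRF with SNAT"

	run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} &
	sleep 1
	run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port}
	log_test $? 0 "IPv6 TCP connection over VRF with SNAT"

	# Cleanup
	run_cmd iptables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
}

# Run the three use-case scenarios in order.
use_cases()
{
	log_section "Use cases"
	log_subsection "Device enslaved to bridge"
	use_case_br
	log_subsection "Ping LLA with multiple interfaces"
	use_case_ping_lla_multi
	log_subsection "SNAT on VRF"
	use_case_snat_on_vrf
}

################################################################################
# usage

# Print the option summary and the known test names to stdout.
usage()
{
	cat <<EOF
usage: ${0##*/} OPTS

	-4          IPv4 tests only
	-6          IPv6 tests only
	-t <test>   Test name/set to run
	-p          Pause on fail
	-P          Pause after each test
	-v          Be verbose

Tests:
	$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER
EOF
}

################################################################################
# main

TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter"
TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter"
TESTS_OTHER="use_cases"

PAUSE_ON_FAIL=no
PAUSE=no

while getopts :46t:pPvh o
do
	case $o in
		4) TESTS=ipv4;;
		6) TESTS=ipv6;;
		t) TESTS=$OPTARG;;
		p) PAUSE_ON_FAIL=yes;;
		P) PAUSE=yes;;
		v) VERBOSE=1;;
		h) usage; exit 0;;
		*) usage; exit 1;;
	esac
done

# make sure we don't pause twice
[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no

#
# expand the selection: no -t/-4/-6 means every test set, "ipv4"/"ipv6"
# mean the matching set, anything else is taken as a list of test names
#
if [ -z "$TESTS" ]; then
	TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
elif [ "$TESTS" = "ipv4" ]; then
	TESTS="$TESTS_IPV4"
elif [ "$TESTS" = "ipv6" ]; then
	TESTS="$TESTS_IPV6"
fi

# nettest can be run from PATH or from the current directory.
# The current directory is appended, not prepended: this script drives ip,
# iptables, sysctl and modprobe, and a file of the same name sitting in the
# working directory must not take precedence over the system binary.
if ! command -v nettest >/dev/null; then
	PATH=$PATH:$PWD
	if ! command -v nettest >/dev/null; then
		echo "'nettest' command not found; skipping tests"
		exit $ksft_skip
	fi
fi

declare -i nfail=0
declare -i nsuccess=0

# names that match no pattern below are skipped without a message
for t in $TESTS
do
	case $t in
	ipv4_ping|ping)  ipv4_ping;;
	ipv4_tcp|tcp)    ipv4_tcp;;
	ipv4_udp|udp)    ipv4_udp;;
	ipv4_bind|bind)  ipv4_addr_bind;;
	ipv4_runtime)    ipv4_runtime;;
	ipv4_netfilter)  ipv4_netfilter;;

	ipv6_ping|ping6) ipv6_ping;;
	ipv6_tcp|tcp6)   ipv6_tcp;;
	ipv6_udp|udp6)   ipv6_udp;;
	ipv6_bind|bind6) ipv6_addr_bind;;
	ipv6_runtime)    ipv6_runtime;;
	ipv6_netfilter)  ipv6_netfilter;;

	use_cases)       use_cases;;

	# setup namespaces and config, but do not run any tests
	setup)		 setup; exit 0;;
	vrf_setup)	 setup "yes"; exit 0;;
	esac
done

cleanup 2>/dev/null

printf "\nTests passed: %3d\n" ${nsuccess}
printf "Tests failed: %3d\n"   ${nfail}

# any failure fails the run; a run in which nothing passed is reported as
# skipped rather than passed
if [ $nfail -ne 0 ]; then
	exit 1 # KSFT_FAIL
elif [ $nsuccess -eq 0 ]; then
	exit $ksft_skip
fi

exit 0 # KSFT_PASS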