xref: /openbmc/linux/tools/testing/selftests/net/fcnal-test.sh (revision 19dc81b4017baffd6e919fd71cfc8dcbd5442e15)
1#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0
3#
4# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
5#
6# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
7# for various permutations:
8#   1. icmp, tcp, udp and netfilter
9#   2. client, server, no-server
10#   3. global address on interface
11#   4. global address on 'lo'
12#   5. remote and local traffic
13#   6. VRF and non-VRF permutations
14#
15# Setup:
16#                     ns-A     |     ns-B
17# No VRF case:
18#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
19#                                                remote address
20# VRF case:
21#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
22#
23# ns-A:
24#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
25#       lo: 127.0.0.1/8, ::1/128
26#           172.16.2.1/32, 2001:db8:2::1/128
27#      red: 127.0.0.1/8, ::1/128
28#           172.16.3.1/32, 2001:db8:3::1/128
29#
30# ns-B:
31#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
32#      lo2: 127.0.0.1/8, ::1/128
33#           172.16.2.2/32, 2001:db8:2::2/128
34#
35# ns-A to ns-C connection - only for VRF and same config
36# as ns-A to ns-B
37#
38# server / client nomenclature relative to ns-A
39
40# Kselftest framework requirement - SKIP code is 4.
41ksft_skip=4
42
43VERBOSE=0
44
45NSA_DEV=eth1
46NSA_DEV2=eth2
47NSB_DEV=eth1
48NSC_DEV=eth2
49VRF=red
50VRF_TABLE=1101
51
52# IPv4 config
53NSA_IP=172.16.1.1
54NSB_IP=172.16.1.2
55VRF_IP=172.16.3.1
56NS_NET=172.16.1.0/24
57
58# IPv6 config
59NSA_IP6=2001:db8:1::1
60NSB_IP6=2001:db8:1::2
61VRF_IP6=2001:db8:3::1
62NS_NET6=2001:db8:1::/120
63
64NSA_LO_IP=172.16.2.1
65NSB_LO_IP=172.16.2.2
66NSA_LO_IP6=2001:db8:2::1
67NSB_LO_IP6=2001:db8:2::2
68
69# non-local addresses for freebind tests
70NL_IP=172.17.1.1
71NL_IP6=2001:db8:4::1
72
73MD5_PW=abc123
74MD5_WRONG_PW=abc1234
75
76MCAST=ff02::1
77# set after namespace create
78NSA_LINKIP6=
79NSB_LINKIP6=
80
81NSA=ns-A
82NSB=ns-B
83NSC=ns-C
84
85NSA_CMD="ip netns exec ${NSA}"
86NSB_CMD="ip netns exec ${NSB}"
87NSC_CMD="ip netns exec ${NSC}"
88
89which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)
90
91################################################################################
92# utilities
93
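# Record the outcome of one test case, then stop the test's processes.
#
# Arguments: $1 - exit status the test command returned
#            $2 - exit status the test case expects
#            $3 - description printed on the result line
# Globals:   nsuccess, nfail (incremented)
#            VERBOSE, PAUSE, PAUSE_ON_FAIL (read)
# Outputs:   one "TEST: ... [ OK ]" or "TEST: ... [FAIL]" line on stdout
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"
	# The prompt answer must be local. Bash scoping is dynamic, so a bare
	# "read a" writes into the caller's "a", which the test functions use
	# for the address under test; after a pause the next command in the
	# caller would run with the typed answer (usually empty) as address.
	local a

	[ "${VERBOSE}" = "1" ] && echo

	if [ "${rc}" -eq "${expected}" ]; then
		nsuccess=$((nsuccess+1))
		printf "TEST: %-70s  [ OK ]\n" "${msg}"
	else
		nfail=$((nfail+1))
		printf "TEST: %-70s  [FAIL]\n" "${msg}"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue, 'q' to quit"
			read -r a
			[ "$a" = "q" ] && exit 1
		fi
	fi

	if [ "${PAUSE}" = "yes" ]; then
		echo
		echo "hit enter to continue, 'q' to quit"
		read -r a
		[ "$a" = "q" ] && exit 1
	fi

	# leave no server or client behind for the next test case
	kill_procs
}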
125
# Log a test result with the tested address appended as a readable label.
#
# Arguments: $1 - address the test used (translated by addr2str)
#            $2 - exit status the test command returned
#            $3 - exit status the test case expects
#            $4 - description; " - <label>" is appended to it
log_test_addr()
{
	local target=$1 actual=$2 want=$3
	local text="$4"

	log_test $actual $want "${text} - $(addr2str ${target})"
}
137
# Print a section banner: blank line, rule, the arguments joined by spaces,
# rule, blank line.
log_section()
{
	local rule="###########################################################################"

	printf '\n%s\n' "${rule}"
	echo "$*"
	printf '%s\n\n' "${rule}"
}
146
# Print a subsection banner: blank line, rule, the arguments joined by
# spaces, blank line.
log_subsection()
{
	local rule="#################################################################"

	printf '\n%s\n' "${rule}"
	echo "$*"
	printf '\n'
}
154
# Start a test case: stop any leftover test processes and, when VERBOSE=1,
# print a separator.
log_start()
{
	# make sure we have no test instances running
	kill_procs

	[ "${VERBOSE}" = "1" ] || return 0

	printf '\n'
	echo "#######################################################"
}
165
# Print the arguments between two blank lines, but only when VERBOSE=1.
log_debug()
{
	[ "${VERBOSE}" = "1" ] || return 0

	printf '\n'
	echo "$*"
	printf '\n'
}
174
# Print "HINT: <arguments>" followed by a blank line, but only when
# VERBOSE=1. The tests use it to say what outcome a case should produce.
show_hint()
{
	[ "${VERBOSE}" = "1" ] || return 0

	printf 'HINT: %s\n\n' "$*"
}
182
# Stop every nettest, ping and ping6 process, then wait one second.
#
# killall selects by process name and is not run through "ip netns exec",
# so it is not limited to the processes this script started: any matching
# process the caller may signal is terminated. Run the tests on a machine
# where that is acceptable.
kill_procs()
{
	killall nettest ping ping6 &>/dev/null
	sleep 1
}
188
# Run a command, capturing stdout and stderr together.
#
# Arguments: the command and its arguments
# Globals:   VERBOSE (read); rc (written - it is not declared local here)
# Outputs:   when VERBOSE=1, a "COMMAND:" line and any captured output
# Returns:   the exit status of the command
#
# The arguments are joined into one string and expanded unquoted, so they
# are word-split and glob-expanded a second time. Arguments that contain
# whitespace or glob characters do not reach the command intact.
do_run_cmd()
{
	local cmd="$*"
	local out

	[ "$VERBOSE" = "1" ] && echo "COMMAND: ${cmd}"

	out=$($cmd 2>&1)
	rc=$?

	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		echo "$out"
	fi

	return $rc
}
206
# Run a command inside ns-A (prefix NSA_CMD) through do_run_cmd.
# Both expansions are unquoted, so the arguments are word-split again.
run_cmd()
{
	do_run_cmd ${NSA_CMD} $@
}
211
# Run a command inside ns-B (prefix NSB_CMD) through do_run_cmd.
# Both expansions are unquoted, so the arguments are word-split again.
run_cmd_nsb()
{
	do_run_cmd ${NSB_CMD} $@
}
216
# Run a command inside ns-C (prefix NSC_CMD) through do_run_cmd.
# Both expansions are unquoted, so the arguments are word-split again.
run_cmd_nsc()
{
	do_run_cmd ${NSC_CMD} $@
}
221
# Run a setup command in ns-A and stop the whole test run if it fails.
#
# Arguments: the command and its arguments (re-split by run_cmd)
# Globals:   VERBOSE, PAUSE_ON_FAIL (read)
# Returns:   0 on success; on failure the script exits with the command's
#            status
setup_cmd()
{
	local cmd="$*"
	local rc

	run_cmd ${cmd}
	rc=$?
	[ $rc -eq 0 ] && return 0

	# show user the command if not done so already
	[ "$VERBOSE" = "0" ] && echo "setup command: $cmd"

	echo "failed. stopping tests"
	if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
		echo
		echo "hit enter to continue"
		read a
	fi
	exit $rc
}
243
# Run a setup command in ns-B and stop the whole test run if it fails.
#
# Arguments: the command and its arguments (re-split by run_cmd_nsb)
# Globals:   VERBOSE, PAUSE_ON_FAIL (read)
# Returns:   0 on success; on failure the script exits with the command's
#            status
setup_cmd_nsb()
{
	local cmd="$*"
	local rc

	run_cmd_nsb ${cmd}
	rc=$?
	[ $rc -eq 0 ] && return 0

	# show user the command if not done so already
	[ "$VERBOSE" = "0" ] && echo "setup command: $cmd"

	echo "failed. stopping tests"
	if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
		echo
		echo "hit enter to continue"
		read a
	fi
	exit $rc
}
265
# Run a setup command in ns-C and stop the whole test run if it fails.
#
# Arguments: the command and its arguments (re-split by run_cmd_nsc)
# Globals:   VERBOSE, PAUSE_ON_FAIL (read)
# Returns:   0 on success; on failure the script exits with the command's
#            status
setup_cmd_nsc()
{
	local cmd="$*"
	local rc

	run_cmd_nsc ${cmd}
	rc=$?
	[ $rc -eq 0 ] && return 0

	# show user the command if not done so already
	[ "$VERBOSE" = "0" ] && echo "setup command: $cmd"

	echo "failed. stopping tests"
	if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
		echo
		echo "hit enter to continue"
		read a
	fi
	exit $rc
}
287
# Set sysctl values in ns-A.
#
# Arguments: one or more name=value pairs
# Outputs:   "SYSCTL: <pairs>" and a blank line on stdout
# Returns:   the status of "sysctl -q -w" as reported by run_cmd
set_sysctl()
{
	printf 'SYSCTL: %s\n\n' "$*"
	run_cmd sysctl -q -w $@
}
295
# Print sysctl values read in ns-A ("sysctl -n", so values only).
#
# Arguments: one or more sysctl names
get_sysctl()
{
	${NSA_CMD} sysctl -n $@
}
301
302################################################################################
303# Setup for tests
304
# Translate a test address into the label used on result lines.
#
# Arguments: $1 - address, optionally with a "%<dev>" suffix for the
#                 link-local and multicast cases
# Outputs:   the label on stdout; "unknown" when nothing matches
#
# The first matching pattern wins, so the order below matters. The
# variables are expanded unquoted and therefore act as patterns.
addr2str()
{
	local label

	case "$1" in
	127.0.0.1)	label="loopback";;
	::1)		label="IPv6 loopback";;

	${NSA_IP})	label="ns-A IP";;
	${NSA_IP6})	label="ns-A IPv6";;
	${NSA_LO_IP})	label="ns-A loopback IP";;
	${NSA_LO_IP6})	label="ns-A loopback IPv6";;
	${NSA_LINKIP6}|${NSA_LINKIP6}%*)	label="ns-A IPv6 LLA";;

	${NSB_IP})	label="ns-B IP";;
	${NSB_IP6})	label="ns-B IPv6";;
	${NSB_LO_IP})	label="ns-B loopback IP";;
	${NSB_LO_IP6})	label="ns-B loopback IPv6";;
	${NSB_LINKIP6}|${NSB_LINKIP6}%*)	label="ns-B IPv6 LLA";;

	${NL_IP})	label="nonlocal IP";;
	${NL_IP6})	label="nonlocal IPv6";;

	${VRF_IP})	label="VRF IP";;
	${VRF_IP6})	label="VRF IPv6";;

	# the multicast address only matches with a device suffix
	${MCAST}%*)	label="multicast IP";;

	*)		label="unknown";;
	esac

	echo "${label}"
}
334
# Print the IPv6 link-local address of a device in a namespace.
#
# Arguments: $1 - namespace name
#            $2 - device name
# Outputs:   the address without its prefix length on stdout
# Returns:   0 when an fe80 address was found, 1 otherwise
get_linklocal()
{
	local ns=$1
	local dev=$2
	local addr

	# brief output is "<dev> <state> <addr/len> ..."; addresses start at
	# field 3
	addr=$(ip -netns ${ns} -6 -br addr show dev ${dev} |
		awk '{ for (i = 3; i <= NF; ++i) if ($i ~ /^fe80/) print $i }')

	# cut at the first "/"; this also drops any further addresses
	addr=${addr%%/*}

	if [ -z "$addr" ]; then
		return 1
	fi

	echo $addr
	return 0
}
357
358################################################################################
359# create namespaces and vrf
360
# Create a VRF device in a namespace and give it addresses.
#
# Arguments: $1 - namespace
#            $2 - VRF device name
#            $3 - routing table id for the VRF
#            $4 - IPv4 address for the VRF device, or "-" for none
#            $5 - IPv6 address for the VRF device, or "-" for none
#
# The VRF table gets an unreachable default route for both families, and
# the "local" table rule is moved from pref 0 to pref 32765 (presumably so
# that the VRF lookup is consulted before the local table - TODO confirm).
create_vrf()
{
	local ns=$1 vrf=$2 table=$3
	local addr=$4 addr6=$5
	local ipns="ip -netns ${ns}"

	${ipns} link add ${vrf} type vrf table ${table}
	${ipns} link set ${vrf} up
	${ipns} route add vrf ${vrf} unreachable default metric 8192
	${ipns} -6 route add vrf ${vrf} unreachable default metric 8192

	${ipns} addr add 127.0.0.1/8 dev ${vrf}
	${ipns} -6 addr add ::1 dev ${vrf} nodad
	if [ "${addr}" != "-" ]; then
		${ipns} addr add dev ${vrf} ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		${ipns} -6 addr add dev ${vrf} ${addr6}
	fi

	${ipns} ru del pref 0
	${ipns} ru add pref 32765 from all lookup local
	${ipns} -6 ru del pref 0
	${ipns} -6 ru add pref 32765 from all lookup local
}
388
# Create a network namespace with loopback up and forwarding enabled.
#
# Arguments: $1 - namespace name
#            $2 - IPv4 address to add to lo, or "-" for none
#            $3 - IPv6 address to add to lo, or "-" for none
#
# The sysctls are written through "ip netns exec", i.e. inside the new
# namespace.
create_ns()
{
	local ns=$1 addr=$2 addr6=$3
	local knob

	ip netns add ${ns}

	ip -netns ${ns} link set lo up
	if [ "${addr}" != "-" ]; then
		ip -netns ${ns} addr add dev lo ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns ${ns} -6 addr add dev lo ${addr6}
	fi

	# unmatched destinations fail fast instead of leaving the namespace
	ip -netns ${ns} ro add unreachable default metric 8192
	ip -netns ${ns} -6 ro add unreachable default metric 8192

	for knob in \
		net.ipv4.ip_forward=1 \
		net.ipv6.conf.all.keep_addr_on_down=1 \
		net.ipv6.conf.all.forwarding=1 \
		net.ipv6.conf.default.forwarding=1
	do
		ip netns exec ${ns} sysctl -qw ${knob}
	done
}
413
# Create a veth pair that connects two namespaces and apply addresses.
#
# Arguments: $1 - first namespace        $5 - second namespace
#            $2 - device name in $1      $6 - device name in $5
#            $3 - IPv4 addr/len for $2   $7 - IPv4 addr/len for $6
#            $4 - IPv6 addr/len for $2   $8 - IPv6 addr/len for $6
#
# Only $3 and $4 are compared with "-": when the first side has an address
# of a family, the second side's address of that family is added as well.
# The peer is created under the fixed name "tmp" in the first namespace
# and renamed as it is moved.
connect_ns()
{
	local ns1=$1 ns1_dev=$2 ns1_addr=$3 ns1_addr6=$4
	local ns2=$5 ns2_dev=$6 ns2_addr=$7 ns2_addr6=$8

	ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp
	ip -netns ${ns1} li set ${ns1_dev} up
	ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev}
	ip -netns ${ns2} li set ${ns2_dev} up

	if [ "${ns1_addr}" != "-" ]; then
		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr}
		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr}
	fi

	if [ "${ns1_addr6}" != "-" ]; then
		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6}
		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6}
	fi
}
441
# Tear down the test namespaces and the processes still running in them.
#
# ns-A is dismantled step by step when it exists; ns-B and ns-C are simply
# deleted. Every pid that "ip netns pids" reports for a namespace is sent
# the default kill signal first.
cleanup()
{
	# explicit cleanups to check those code paths
	if ip netns | grep -q ${NSA}; then
		ip -netns ${NSA} link delete ${VRF}
		ip -netns ${NSA} ro flush table ${VRF_TABLE}

		ip -netns ${NSA} addr flush dev ${NSA_DEV}
		ip -netns ${NSA} -6 addr flush dev ${NSA_DEV}
		ip -netns ${NSA} link set dev ${NSA_DEV} down
		ip -netns ${NSA} link del dev ${NSA_DEV}

		ip netns pids ${NSA} | xargs kill 2>/dev/null
		ip netns del ${NSA}
	fi

	ip netns pids ${NSB} | xargs kill 2>/dev/null
	ip netns del ${NSB}
	ip netns pids ${NSC} | xargs kill 2>/dev/null
	ip netns del ${NSC} &>/dev/null
}
464
# Remove what setup_vrf_dup created: the NSA_DEV2 link and ns-C.
#
# NOTE(review): the "ip link del" has no -netns, so it acts on a device
# named ${NSA_DEV2} in the namespace the script itself runs in - confirm
# that this is intended before running on a host that has such a device.
cleanup_vrf_dup()
{
	ip link del ${NSA_DEV2} &>/dev/null
	ip netns pids ${NSC} | xargs kill 2>/dev/null
	ip netns del ${NSC} &>/dev/null
}
471
# Add ns-C, connected to ns-A through NSA_DEV2.
#
# ns-C gets the same addresses as ns-B, and NSA_DEV2 the same addresses as
# NSA_DEV. Some VRF tests use ns-C as a peer on a device that is NOT in
# the VRF.
setup_vrf_dup()
{
	create_ns ${NSC} "-" "-"
	connect_ns \
		${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \
		${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
}
480
# Rebuild the ns-A / ns-B topology from scratch.
#
# Arguments: $1 - "yes" to create the VRF and enslave NSA_DEV to it; any
#                 other value (or none) builds the topology without a VRF
# Globals:   NSA_LINKIP6, NSB_LINKIP6 (written)
setup()
{
	local with_vrf=${1}

	# make sure we are starting with a clean slate
	kill_procs
	cleanup 2>/dev/null

	log_debug "Configuring network namespaces"
	# errexit covers only the build below: a failing command stops the
	# script rather than letting tests run against a half-built topology
	set -e

	create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128
	create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128
	connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \
		   ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64

	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})

	# tell ns-A how to get to remote addresses of ns-B
	if [ "${with_vrf}" = "yes" ]; then
		create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6}

		ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
		ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
		ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}

		# ns-B also needs a route back to the VRF device addresses
		ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
		ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
	else
		# NOTE(review): the IPv6 route here has no -6; presumably ip
		# takes the family from the address - confirm
		ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
		ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
	fi


	# tell ns-B how to get to remote addresses of ns-A
	ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
	ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}

	# errexit is switched off unconditionally; the tests rely on reading
	# non-zero exit codes
	set +e

	sleep 1
}
524
# Rebuild the topology with no configured addresses on the veth devices
# (every address argument is "-"): ns-A is connected to ns-B through
# NSA_DEV and to ns-C through NSA_DEV2, and both ns-A devices are enslaved
# to the VRF.
#
# Globals:   NSA_LINKIP6, NSB_LINKIP6, NSC_LINKIP6 (written)
setup_lla_only()
{
	# make sure we are starting with a clean slate
	kill_procs
	cleanup 2>/dev/null

	log_debug "Configuring network namespaces"
	# errexit covers only the build below: a failing command stops the
	# script rather than letting tests run against a half-built topology
	set -e

	create_ns ${NSA} "-" "-"
	create_ns ${NSB} "-" "-"
	create_ns ${NSC} "-" "-"
	connect_ns ${NSA} ${NSA_DEV} "-" "-" \
		   ${NSB} ${NSB_DEV} "-" "-"
	connect_ns ${NSA} ${NSA_DEV2} "-" "-" \
		   ${NSC} ${NSC_DEV}  "-" "-"

	# link-local addresses are read back from the devices
	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
	NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV})

	create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-"
	ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
	ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF}

	# errexit is switched off unconditionally; the tests rely on reading
	# non-zero exit codes
	set +e

	sleep 1
}
554
555################################################################################
556# IPv4
557
# IPv4 ping tests without a VRF.
#
# Every case sends a single echo request with a one second deadline
# (ping -c1 -w1) and hands ping's exit status to log_test_addr together
# with the status the case expects: 0 for a reply, 1 or 2 for the cases
# that must fail. The later cases add rules and routes in ns-A, so the
# function leaves ns-A modified; ipv4_ping calls setup before each run.
ipv4_ping_novrf()
{
	local a

	#
	# out
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping out"

		log_start
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a}
		log_test_addr ${a} $? 0 "ping out, address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd_nsb ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	#
	# local traffic
	#
	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		run_cmd ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping local"
	done

	#
	# local traffic, socket bound to device
	#
	# address on device
	a=${NSA_IP}
	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 0 "ping local, device bind"

	# loopback addresses not reachable from device bind
	# fails in a really weird way though because ipv4 special cases
	# route lookups with oif set.
	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Fails since address on loopback device is out of device scope"
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 1 "ping local, device bind"
	done

	#
	# ip rule blocks reachability to remote address
	#
	log_start
	# move the local table rule from pref 0 to 32765 so that the prohibit
	# rules at pref 50 and 51 are evaluated first
	setup_cmd ip rule add pref 32765 from all lookup local
	setup_cmd ip rule del pref 0 from all lookup local
	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit

	# expected status 2: ping reports an error, not a missing reply
	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by rule"

	# NOTE: ipv4 actually allows the lookup to fail and yet still create
	# a viable rtable if the oif (e.g., bind to device) is set, so this
	# case succeeds despite the rule
	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}

	# expected status 1: the request from ns-B gets no reply
	a=${NSA_LO_IP}
	log_start
	show_hint "Response generates ICMP (or arp request is ignored) due to ip rule"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	# undo the rule changes made for this section
	[ "$VERBOSE" = "1" ] && echo
	setup_cmd ip rule del pref 32765 from all lookup local
	setup_cmd ip rule add pref 0 from all lookup local
	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit

	#
	# route blocks reachability to remote address
	#
	log_start
	setup_cmd ip route replace unreachable ${NSB_LO_IP}
	setup_cmd ip route replace unreachable ${NSB_IP}

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by route"

	# NOTE: ipv4 actually allows the lookup to fail and yet still create
	# a viable rtable if the oif (e.g., bind to device) is set, so this
	# case succeeds despite not having a route for the address
	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}

	a=${NSA_LO_IP}
	log_start
	show_hint "Response is dropped (or arp request is ignored) due to ip route"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by route"

	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip ro del ${NSB_LO_IP}

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, unreachable default route"

	# NOTE: ipv4 actually allows the lookup to fail and yet still create
	# a viable rtable if the oif (e.g., bind to device) is set, so this
	# case succeeds despite not having a route for the address
	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
}
687
# IPv4 ping tests with NSA_DEV enslaved to the VRF.
#
# Every case sends a single echo request with a one second deadline
# (ping -c1 -w1) and hands ping's exit status to log_test_addr together
# with the status the case expects: 0 for a reply, 1 or 2 for the cases
# that must fail. The last section deletes a VRF route and does not
# restore it.
ipv4_ping_vrf()
{
	local a

	# should default on; does not exist on older kernels
	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd ping -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping out, VRF bind"

		log_start
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		# "ip vrf exec" runs ping in the VRF; -I then selects the source
		# address
		log_start
		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a}
		log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind"

		log_start
		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a}
		log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd_nsb ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	#
	# local traffic, local address
	#
	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
	do
		log_start
		show_hint "Source address should be ${a}"
		run_cmd ping -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping local, VRF bind"
	done

	#
	# local traffic, socket bound to device
	#
	# address on device
	a=${NSA_IP}
	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 0 "ping local, device bind"

	# vrf device is out of scope
	for a in ${VRF_IP} 127.0.0.1
	do
		log_start
		show_hint "Fails since address on vrf device is out of device scope"
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 1 "ping local, device bind"
	done

	#
	# ip rule blocks address
	#
	log_start
	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit

	# unlike the non-VRF run, the device-bound ping is expected to be
	# blocked here as well (status 2 for both binds)
	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 -I ${VRF} ${a}
	log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule"

	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"

	a=${NSA_LO_IP}
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	# undo the rule changes made for this section
	[ "$VERBOSE" = "1" ] && echo
	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit

	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP}

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 -I ${VRF} ${a}
	log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route"

	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"

	a=${NSA_LO_IP}
	log_start
	show_hint "Response lost by unreachable route"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, unreachable route"
}
801
# Run the IPv4 ping tests: the non-VRF set twice, once with
# net.ipv4.raw_l3mdev_accept=0 and once with =1, then the VRF set.
# The topology is rebuilt with setup before every run. Errors from the
# sysctl write are discarded (2>/dev/null).
ipv4_ping()
{
	local l3mdev_accept

	log_section "IPv4 ping"

	log_subsection "No VRF"
	for l3mdev_accept in 0 1; do
		setup
		set_sysctl net.ipv4.raw_l3mdev_accept=${l3mdev_accept} 2>/dev/null
		ipv4_ping_novrf
	done

	log_subsection "With VRF"
	setup "yes"
	ipv4_ping_vrf
}
818
819################################################################################
820# IPv4 TCP
821
#
# MD5 tests without VRF
#
# Each case starts a nettest server in ns-A in the background, waits one
# second, connects from ns-B and passes the client's exit status to
# log_test. The server is given its key with -M and the peer address or
# prefix the key applies to with -m; the client is given its key with -X.
# Status 0 means the connection was accepted. Status 2 is expected where
# the hint says the connection should time out: client key with no server
# key, wrong key, or a client address outside the configured address or
# prefix.
ipv4_tcp_md5_novrf()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -s &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Client uses wrong password"

	# client from different address
	# (the key is configured for NSB_LO_IP, the client connects from ns-B
	# without choosing that address)
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Prefix config, client uses wrong password"

	# client outside of prefix
	# (-c makes the client use NSB_LO_IP, which is not inside NS_NET)
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
}
889
#
# MD5 tests with VRF
#
# Same pattern as the non-VRF MD5 tests, with the server bound to the VRF
# (-I ${VRF}): a background nettest server in ns-A, a one second wait, a
# client in ns-B or ns-C, and the client's exit status passed to log_test.
# Status 0 means the connection was accepted, status 2 that it timed out.
#
# The "duplicate config" cases run two servers at once, one in the VRF
# with MD5_PW and one outside it with MD5_WRONG_PW, for the same peer
# address or prefix. They check that each client is matched against the
# key of the L3 domain it arrives in: ns-B clients come in through the VRF
# and ns-C clients (run_cmd_nsc) do not. Here MD5_WRONG_PW is simply the
# second, valid key.
# NOTE(review): the ns-C cases assume the caller has created ns-C - TODO
# confirm against the caller.
ipv4_tcp_md5()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout since server does not have MD5 auth"
	run_cmd nettest -s -I ${VRF} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout since server config differs from client"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"

	# client outside of prefix
	log_start
	show_hint "Should timeout since client address is outside of prefix"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"

	#
	# duplicate config between default VRF and a VRF
	#

	# VRF client with the VRF key: accepted
	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"

	# default-VRF client with the default-VRF key: accepted
	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsc nettest  -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"

	# a key must not be accepted in the other L3 domain
	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"

	# the same four cases with a prefix instead of a single address
	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsc nettest  -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"

	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"

	#
	# negative tests
	#
	# the server runs in the foreground here; binding the key to a
	# non-VRF device must make nettest itself fail with status 1
	log_start
	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP}
	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET}
	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"

	test_ipv4_md5_vrf__vrf_server__no_bind_ifindex
	test_ipv4_md5_vrf__global_server__bind_ifindex0
}
1035
# MD5 with a VRF-bound server socket, with and without the key itself
# being bound to an interface index. Both variants are expected to accept
# a client from ns-B that uses the right key (status 0).
test_ipv4_md5_vrf__vrf_server__no_bind_ifindex()
{
	# key without an ifindex binding
	log_start
	show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: VRF-bound server, unbound key accepts connection"

	# key with an ifindex binding
	log_start
	show_hint "Binding both the socket and the key is not required but it works"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: VRF-bound server, bound key accepts connection"
}
1052
# MD5 with a server that is not bound to the VRF, checking how the key's
# ifindex binding scopes it. A key bound to ifindex 0 must reject a client
# arriving through the VRF (ns-B, status 2) and accept one arriving
# outside it (ns-C, status 0); a key with no ifindex binding accepts both.
# net.ipv4.tcp_l3mdev_accept is set to 1 for the duration and restored at
# the end.
test_ipv4_md5_vrf__global_server__bind_ifindex0()
{
	# This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections
	local old_tcp_l3mdev_accept
	old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept)
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection"
	log_start

	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection"

	# restore value
	set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept"
}
1087
# IPv4 TCP tests without a VRF.
#
# Server cases start nettest -s in the background, wait one second and
# connect with nettest -r; the client's exit status goes to log_test_addr.
# Status 0 means the connection worked; status 1 is expected where the
# hint says the connection is refused or has no route. -I binds the
# server to a device and -d binds the client to a device. The function
# ends by running the non-VRF MD5 tests.
ipv4_tcp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	# verify TCP reset sent and received
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client
	#
	# here the server runs in ns-B and ns-A is the client
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	#
	# local address tests
	#
	# server and client both run in ns-A
	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -0 ${a} -1 ${a}
		log_test_addr ${a} $? 0 "Global server, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"

	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
		run_cmd nettest -s -I ${NSA_DEV} &
		sleep 1
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s &
	sleep 1
	run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "Global server, device client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest  -d ${NSA_DEV} -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local connection"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "No server, device client, local conn"

	ipv4_tcp_md5_novrf
}
1208
# IPv4 TCP connection matrix with ns-A's interface enslaved to the VRF.
# Runs in two phases keyed on net.ipv4.tcp_l3mdev_accept:
#   0 - a server that is not bound to the VRF or to the enslaved device
#       is expected to refuse connections arriving through the VRF;
#   1 - the same unbound ("global") server is expected to accept them.
# The sysctl is left at 1 when the function returns.
ipv4_tcp_vrf()
{
	local a

	# phase 1: unbound servers must stay isolated from VRF traffic
	log_subsection "Global server disabled"

	set_sysctl net.ipv4.tcp_l3mdev_accept=0

	# ns-A listens, ns-B connects
	for a in $NSA_IP $VRF_IP; do
		log_start
		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r "$a"
		log_test_addr "$a" $? 1 "Global server"

		log_start
		run_cmd nettest -s -I "$VRF" -3 "$VRF" &
		sleep 1
		run_cmd_nsb nettest -r "$a"
		log_test_addr "$a" $? 0 "VRF server"

		log_start
		run_cmd nettest -s -I "$NSA_DEV" -3 "$NSA_DEV" &
		sleep 1
		run_cmd_nsb nettest -r "$a"
		log_test_addr "$a" $? 0 "Device server"

		# no listener: the client has to see a TCP reset
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r "$a"
		log_test_addr "$a" $? 1 "No server"
	done

	# Local connection, NSA_IP only: per the original author VRF_IP and
	# 127.0.0.1 both time out here, so they are not exercised.
	a=$NSA_IP
	log_start
	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
	run_cmd nettest -s &
	sleep 1
	run_cmd nettest -r "$a" -d "$NSA_DEV"
	log_test_addr "$a" $? 1 "Global server, local connection"

	# MD5 cases run between setup_vrf_dup and cleanup_vrf_dup
	setup_vrf_dup
	ipv4_tcp_md5
	cleanup_vrf_dup

	# phase 2: unbound servers may accept connections from the VRF
	log_subsection "VRF Global server enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	for a in $NSA_IP $VRF_IP; do
		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -3 "$VRF" &
		sleep 1
		run_cmd_nsb nettest -r "$a"
		log_test_addr "$a" $? 0 "Global server"

		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -I "$VRF" -3 "$VRF" &
		sleep 1
		run_cmd_nsb nettest -r "$a"
		log_test_addr "$a" $? 0 "VRF server"

		# no listener: the client has to see a TCP reset
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -r "$a"
		log_test_addr "$a" $? 1 "No server"
	done

	a=$NSA_IP
	log_start
	show_hint "client socket should be bound to device"
	run_cmd nettest -s -I "$NSA_DEV" -3 "$NSA_DEV" &
	sleep 1
	run_cmd_nsb nettest -r "$a"
	log_test_addr "$a" $? 0 "Device server"

	# Local connections from a client that is not bound to the VRF.
	# NOTE(review): the server below is started with -I VRF although the
	# label says "Global server" - confirm which one is intended.
	for a in $NSA_IP $VRF_IP; do
		log_start
		show_hint "Should fail 'Connection refused' since client is not bound to VRF"
		run_cmd nettest -s -I "$VRF" &
		sleep 1
		run_cmd nettest -r "$a"
		log_test_addr "$a" $? 1 "Global server, local connection"
	done

	# ns-B listens, ns-A connects
	for a in $NSB_IP $NSB_LO_IP; do
		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r "$a" -d "$VRF"
		log_test_addr "$a" $? 0 "Client, VRF bind"

		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r "$a" -d "$NSA_DEV"
		log_test_addr "$a" $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r "$a" -d "$VRF"
		log_test_addr "$a" $? 1 "No server, VRF client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r "$a" -d "$NSA_DEV"
		log_test_addr "$a" $? 1 "No server, device client"
	done

	# server and client both inside ns-A
	for a in $NSA_IP $VRF_IP 127.0.0.1; do
		log_start
		run_cmd nettest -s -I "$VRF" -3 "$VRF" &
		sleep 1
		run_cmd nettest -r "$a" -d "$VRF" -0 "$a"
		log_test_addr "$a" $? 0 "VRF server, VRF client, local connection"
	done

	a=$NSA_IP
	log_start
	run_cmd nettest -s -I "$VRF" -3 "$VRF" &
	sleep 1
	run_cmd nettest -r "$a" -d "$NSA_DEV" -0 "$a"
	log_test_addr "$a" $? 0 "VRF server, device client, local connection"

	# an unbound client must not reach into the VRF
	log_start
	show_hint "Should fail 'No route to host' since client is out of VRF scope"
	run_cmd nettest -s -I "$VRF" &
	sleep 1
	run_cmd nettest -r "$a"
	log_test_addr "$a" $? 1 "VRF server, unbound client, local connection"

	log_start
	run_cmd nettest -s -I "$NSA_DEV" -3 "$NSA_DEV" &
	sleep 1
	run_cmd nettest -r "$a" -d "$VRF" -0 "$a"
	log_test_addr "$a" $? 0 "Device server, VRF client, local connection"

	log_start
	run_cmd nettest -s -I "$NSA_DEV" -3 "$NSA_DEV" &
	sleep 1
	run_cmd nettest -r "$a" -d "$NSA_DEV" -0 "$a"
	log_test_addr "$a" $? 0 "Device server, device client, local connection"
}
1375
# Entry point for the IPv4 TCP tests: runs the non-VRF matrix twice
# (tcp_l3mdev_accept off, then on) and then the VRF matrix.
ipv4_tcp()
{
	log_section "IPv4/TCP"
	log_subsection "No VRF"
	setup

	# Without a VRF the tcp_l3mdev_accept setting should have no effect,
	# so the same matrix has to pass with it disabled and enabled.
	log_subsection "tcp_l3mdev_accept disabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=0
	ipv4_tcp_novrf

	log_subsection "tcp_l3mdev_accept enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1
	ipv4_tcp_novrf

	# rebuild the topology with the VRF before the VRF matrix
	log_subsection "With VRF"
	setup "yes"
	ipv4_tcp_vrf
}
1395
1396################################################################################
1397# IPv4 UDP
1398
# IPv4 UDP matrix for the topology without a VRF (every nettest call
# carries -D). Covers ns-A as server, ns-A as client - including the
# cmsg and IP_UNICAST_IF ways of selecting the device named in the test
# labels - and traffic that stays inside ns-A. The number after $? is
# presumably the expected exit status; several device-bound local cases
# expect 2 rather than 1.
ipv4_udp_novrf()
{
	local a

	# ns-A listens, ns-B sends
	for a in $NSA_IP $NSA_LO_IP; do
		log_start
		run_cmd nettest -D -s -3 "$NSA_DEV" &
		sleep 1
		run_cmd_nsb nettest -D -r "$a"
		log_test_addr "$a" $? 0 "Global server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r "$a"
		log_test_addr "$a" $? 1 "No server"
	done

	a=$NSA_IP
	log_start
	run_cmd nettest -D -I "$NSA_DEV" -s -3 "$NSA_DEV" &
	sleep 1
	run_cmd_nsb nettest -D -r "$a"
	log_test_addr "$a" $? 0 "Device server"

	# ns-B listens, ns-A sends
	for a in $NSB_IP $NSB_LO_IP; do
		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r "$a" -0 "$NSA_IP"
		log_test_addr "$a" $? 0 "Client"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r "$a" -d "$NSA_DEV" -0 "$NSA_IP"
		log_test_addr "$a" $? 0 "Client, device bind"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r "$a" -d "$NSA_DEV" -C -0 "$NSA_IP"
		log_test_addr "$a" $? 0 "Client, device send via cmsg"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r "$a" -d "$NSA_DEV" -S -0 "$NSA_IP"
		log_test_addr "$a" $? 0 "Client, device bind via IP_UNICAST_IF"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -r "$a"
		log_test_addr "$a" $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -r "$a" -d "$NSA_DEV"
		log_test_addr "$a" $? 1 "No server, device client"
	done

	# server and client both inside ns-A
	for a in $NSA_IP $NSA_LO_IP 127.0.0.1; do
		log_start
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r "$a" -0 "$a" -1 "$a"
		log_test_addr "$a" $? 0 "Global server, local connection"
	done

	a=$NSA_IP
	log_start
	run_cmd nettest -s -D -I "$NSA_DEV" -3 "$NSA_DEV" &
	sleep 1
	run_cmd nettest -D -r "$a"
	log_test_addr "$a" $? 0 "Device server, unbound client, local connection"

	# a device-bound server must not be reachable via loopback addresses
	for a in $NSA_LO_IP 127.0.0.1; do
		log_start
		show_hint "Should fail 'Connection refused' since address is out of device scope"
		run_cmd nettest -s -D -I "$NSA_DEV" &
		sleep 1
		run_cmd nettest -D -r "$a"
		log_test_addr "$a" $? 1 "Device server, unbound client, local connection"
	done

	a=$NSA_IP
	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d "$NSA_DEV" -r "$a"
	log_test_addr "$a" $? 0 "Global server, device client, local connection"

	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d "$NSA_DEV" -C -r "$a"
	log_test_addr "$a" $? 0 "Global server, device send via cmsg, local connection"

	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d "$NSA_DEV" -S -r "$a"
	log_test_addr "$a" $? 0 "Global server, device client via IP_UNICAST_IF, local connection"

	# Per the original author: with IPv4 a device bind overrides the fib
	# lookup, an rtable is generated and the send is attempted anyway, so
	# local traffic fails at different places depending on how the device
	# was selected - hence the differing expected codes (2, 1, 1) below.
	for a in $NSA_LO_IP 127.0.0.1; do
		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r "$a" -d "$NSA_DEV"
		log_test_addr "$a" $? 2 "Global server, device client, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r "$a" -d "$NSA_DEV" -C
		log_test_addr "$a" $? 1 "Global server, device send via cmsg, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r "$a" -d "$NSA_DEV" -S
		log_test_addr "$a" $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
	done

	a=$NSA_IP
	log_start
	run_cmd nettest -D -s -I "$NSA_DEV" -3 "$NSA_DEV" &
	sleep 1
	run_cmd nettest -D -d "$NSA_DEV" -r "$a" -0 "$a"
	log_test_addr "$a" $? 0 "Device server, device client, local conn"

	# no server and no hint: this case expects status 2
	log_start
	run_cmd nettest -D -d "$NSA_DEV" -r "$a"
	log_test_addr "$a" $? 2 "No server, device client, local conn"
}
1553
# IPv4 UDP matrix with ns-A's interface enslaved to the VRF.
# Runs in two phases keyed on net.ipv4.udp_l3mdev_accept:
#   0 - a server that is not bound to the VRF or to the enslaved device
#       is expected not to receive traffic that ingresses through the VRF;
#   1 - the same unbound ("global") server is expected to receive it.
# The sysctl is left at 1 when the function returns.
ipv4_udp_vrf()
{
	local a

	# phase 1: unbound servers must stay isolated from VRF traffic
	log_subsection "Global server disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0

	# ns-A listens
	for a in $NSA_IP $VRF_IP; do
		log_start
		show_hint "Fails because ingress is in a VRF and global server is disabled"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd_nsb nettest -D -r "$a"
		log_test_addr "$a" $? 1 "Global server"

		log_start
		run_cmd nettest -D -I "$VRF" -s -3 "$NSA_DEV" &
		sleep 1
		run_cmd_nsb nettest -D -r "$a"
		log_test_addr "$a" $? 0 "VRF server"

		log_start
		run_cmd nettest -D -I "$NSA_DEV" -s -3 "$NSA_DEV" &
		sleep 1
		run_cmd_nsb nettest -D -r "$a"
		log_test_addr "$a" $? 0 "Enslaved device server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r "$a"
		log_test_addr "$a" $? 1 "No server"

		log_start
		show_hint "Should fail 'Connection refused' since global server is out of scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -d "$VRF" -r "$a"
		log_test_addr "$a" $? 1 "Global server, VRF client, local connection"
	done

	# bound servers, local connections inside ns-A
	a=$NSA_IP
	log_start
	run_cmd nettest -s -D -I "$VRF" -3 "$NSA_DEV" &
	sleep 1
	run_cmd nettest -D -d "$VRF" -r "$a"
	log_test_addr "$a" $? 0 "VRF server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I "$VRF" -3 "$NSA_DEV" &
	sleep 1
	run_cmd nettest -D -d "$NSA_DEV" -r "$a"
	log_test_addr "$a" $? 0 "VRF server, enslaved device client, local connection"

	a=$NSA_IP
	log_start
	run_cmd nettest -s -D -I "$NSA_DEV" -3 "$NSA_DEV" &
	sleep 1
	run_cmd nettest -D -d "$VRF" -r "$a"
	log_test_addr "$a" $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I "$NSA_DEV" -3 "$NSA_DEV" &
	sleep 1
	run_cmd nettest -D -d "$NSA_DEV" -r "$a"
	log_test_addr "$a" $? 0 "Enslaved device server, device client, local conn"

	# phase 2: unbound servers may receive traffic from the VRF
	log_subsection "Global server enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1

	# ns-A listens
	for a in $NSA_IP $VRF_IP; do
		log_start
		run_cmd nettest -D -s -3 "$NSA_DEV" &
		sleep 1
		run_cmd_nsb nettest -D -r "$a"
		log_test_addr "$a" $? 0 "Global server"

		log_start
		run_cmd nettest -D -I "$VRF" -s -3 "$NSA_DEV" &
		sleep 1
		run_cmd_nsb nettest -D -r "$a"
		log_test_addr "$a" $? 0 "VRF server"

		log_start
		run_cmd nettest -D -I "$NSA_DEV" -s -3 "$NSA_DEV" &
		sleep 1
		run_cmd_nsb nettest -D -r "$a"
		log_test_addr "$a" $? 0 "Enslaved device server"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -D -r "$a"
		log_test_addr "$a" $? 1 "No server"
	done

	# ns-B listens, ns-A sends (reported with log_test, no address)
	log_start
	run_cmd_nsb nettest -D -s &
	sleep 1
	run_cmd nettest -d "$VRF" -D -r "$NSB_IP" -1 "$NSA_IP"
	log_test $? 0 "VRF client"

	log_start
	run_cmd_nsb nettest -D -s &
	sleep 1
	run_cmd nettest -d "$NSA_DEV" -D -r "$NSB_IP" -1 "$NSA_IP"
	log_test $? 0 "Enslaved device client"

	# negative cases: nothing is listening in ns-B
	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -D -d "$VRF" -r "$NSB_IP"
	log_test $? 1 "No server, VRF client"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -D -d "$NSA_DEV" -r "$NSB_IP"
	log_test $? 1 "No server, enslaved device client"

	# server and client both inside ns-A
	a=$NSA_IP
	log_start
	run_cmd nettest -D -s -3 "$NSA_DEV" &
	sleep 1
	run_cmd nettest -D -d "$VRF" -r "$a"
	log_test_addr "$a" $? 0 "Global server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I "$VRF" -3 "$NSA_DEV" &
	sleep 1
	run_cmd nettest -D -d "$VRF" -r "$a"
	log_test_addr "$a" $? 0 "VRF server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I "$VRF" -3 "$NSA_DEV" &
	sleep 1
	run_cmd nettest -D -d "$NSA_DEV" -r "$a"
	log_test_addr "$a" $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -s -D -I "$NSA_DEV" -3 "$NSA_DEV" &
	sleep 1
	run_cmd nettest -D -d "$VRF" -r "$a"
	log_test_addr "$a" $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I "$NSA_DEV" -3 "$NSA_DEV" &
	sleep 1
	run_cmd nettest -D -d "$NSA_DEV" -r "$a"
	log_test_addr "$a" $? 0 "Enslaved device server, device client, local conn"

	for a in $VRF_IP 127.0.0.1; do
		log_start
		run_cmd nettest -D -s -3 "$VRF" &
		sleep 1
		run_cmd nettest -D -d "$VRF" -r "$a"
		log_test_addr "$a" $? 0 "Global server, VRF client, local conn"
	done

	for a in $VRF_IP 127.0.0.1; do
		log_start
		run_cmd nettest -s -D -I "$VRF" -3 "$VRF" &
		sleep 1
		run_cmd nettest -D -d "$VRF" -r "$a"
		log_test_addr "$a" $? 0 "VRF server, VRF client, local conn"
	done

	# negative case: no server, the client has to get ECONNREFUSED
	for a in $NSA_IP $VRF_IP 127.0.0.1; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -d "$VRF" -r "$a"
		log_test_addr "$a" $? 1 "No server, VRF client, local conn"
	done
}
1746
# Entry point for the IPv4 UDP tests: runs the non-VRF matrix twice
# (udp_l3mdev_accept off, then on) and then the VRF matrix.
ipv4_udp()
{
	log_section "IPv4/UDP"
	log_subsection "No VRF"

	setup

	# Without a VRF the udp_l3mdev_accept setting should have no effect,
	# so the same matrix has to pass with it disabled and enabled.
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv4_udp_novrf

	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv4_udp_novrf

	# rebuild the topology with the VRF before the VRF matrix
	log_subsection "With VRF"
	setup "yes"
	ipv4_udp_vrf
}
1767
1768################################################################################
1769# IPv4 address bind
1770#
1771# verifies ability or inability to bind to an address / device
1772
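# Address-bind checks without a VRF: raw (ICMP) and TCP sockets binding
# to local addresses, with and without a prior device bind, plus a raw
# socket binding to the non-local address NL_IP.
# Every nettest call carries -b; going by the test labels only the bind
# itself is exercised, so no peer is started.
ipv4_addr_bind_novrf()
{
	# keep the loop variable out of the global scope, as the other test
	# functions in this file do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# raw socket with nonlocal bind
	#
	a=${NL_IP}
	log_start
	run_cmd nettest -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after device bind"

	#
	# tcp sockets
	#
	a=${NSA_IP}
	log_start
	run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Known gap, recorded by the original author: the kernel allows a
	# socket to be bound to a device and then to an address that is not
	# on that device; the only restriction is that the address is valid
	# in the L3 domain. The case below therefore passes when it really
	# should not, and is kept disabled. A device bind alone does not
	# restrict which local addresses a socket can claim.
	#a=${NSA_LO_IP}
	#log_start
	#show_hint "Should fail with 'Cannot assign requested address'"
	#run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
	#log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
}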
1819
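# Address-bind checks with the VRF in place: binds to addresses inside
# the VRF are expected to succeed only once the socket is bound to the
# VRF or to the enslaved device, and the loopback address NSA_LO_IP is
# expected to be rejected as out of scope.
# Every nettest call carries -b; going by the test labels only the bind
# itself is exercised, so no peer is started.
ipv4_addr_bind_vrf()
{
	# keep the loop variable out of the global scope, as the other test
	# functions in this file do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		# unbound socket: the address lives in the VRF, bind must fail
		log_start
		show_hint "Socket not bound to VRF, but address is in VRF"
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 1 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind"

	#
	# raw socket with nonlocal bind
	#
	a=${NL_IP}
	log_start
	run_cmd nettest -s -R -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	#
	# tcp sockets
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address"

		log_start
		run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
	done

	# loopback address must be rejected for both VRF and device binds
	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
}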
1879
# Entry point for the IPv4 address-bind tests: non-VRF cases first,
# then the same kind of checks with the VRF configured.
ipv4_addr_bind()
{
	log_section "IPv4 address binds"

	# plain topology
	log_subsection "No VRF"
	setup
	ipv4_addr_bind_novrf

	# topology rebuilt with the VRF
	log_subsection "With VRF"
	setup "yes"
	ipv4_addr_bind_vrf
}
1892
1893################################################################################
1894# IPv4 runtime tests
1895
# Runtime test: delete the VRF device while sockets have traffic in
# flight, for server, client and local permutations.
# Arguments: $1 - description prefix used in the test labels
#            $2 - extra nettest arguments; may hold several words
# Every case follows the same sequence: start the server, start the
# client in the background, wait, delete the VRF, then log. Both status
# values handed to log_test_addr are the literal 0, so a case is logged
# as passed whenever the script gets that far; presumably the point is
# that the delete neither hangs nor crashes the kernel. The topology is
# rebuilt with setup after each case except the last one.
ipv4_rt()
{
	local desc="$1"
	local varg="$2"
	local with_vrf="yes"
	local a

	# ${varg} is deliberately left unquoted below so that a value such
	# as "-n -1" is split into separate nettest arguments.

	# ns-A listens, ns-B connects
	for a in $NSA_IP $VRF_IP; do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r "$a" &
		sleep 3
		run_cmd ip link del "$VRF"
		sleep 1
		log_test_addr "$a" 0 0 "${desc}, global server"

		setup "$with_vrf"
	done

	for a in $NSA_IP $VRF_IP; do
		log_start
		run_cmd nettest ${varg} -s -I "$VRF" &
		sleep 1
		run_cmd_nsb nettest ${varg} -r "$a" &
		sleep 3
		run_cmd ip link del "$VRF"
		sleep 1
		log_test_addr "$a" 0 0 "${desc}, VRF server"

		setup "$with_vrf"
	done

	a=$NSA_IP
	log_start
	run_cmd nettest ${varg} -s -I "$NSA_DEV" &
	sleep 1
	run_cmd_nsb nettest ${varg} -r "$a" &
	sleep 3
	run_cmd ip link del "$VRF"
	sleep 1
	log_test_addr "$a" 0 0 "${desc}, enslaved device server"

	setup "$with_vrf"

	# ns-B listens, ns-A connects.
	# NOTE(review): these two cases connect to NSB_IP but still log $a,
	# which holds NSA_IP at this point - confirm the logged address.
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d "$VRF" -r "$NSB_IP" &
	sleep 3
	run_cmd ip link del "$VRF"
	sleep 1
	log_test_addr "$a" 0 0 "${desc}, VRF client"

	setup "$with_vrf"

	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d "$NSA_DEV" -r "$NSB_IP" &
	sleep 3
	run_cmd ip link del "$VRF"
	sleep 1
	log_test_addr "$a" 0 0 "${desc}, enslaved device client"

	setup "$with_vrf"

	# server and client both inside ns-A
	for a in $NSA_IP $VRF_IP; do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd nettest ${varg} -d "$VRF" -r "$a" &
		sleep 3
		run_cmd ip link del "$VRF"
		sleep 1
		log_test_addr "$a" 0 0 "${desc}, global server, VRF client, local"

		setup "$with_vrf"
	done

	for a in $NSA_IP $VRF_IP; do
		log_start
		run_cmd nettest ${varg} -I "$VRF" -s &
		sleep 1
		run_cmd nettest ${varg} -d "$VRF" -r "$a" &
		sleep 3
		run_cmd ip link del "$VRF"
		sleep 1
		log_test_addr "$a" 0 0 "${desc}, VRF server and client, local"

		setup "$with_vrf"
	done

	a=$NSA_IP
	log_start

	run_cmd nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d "$NSA_DEV" -r "$a" &
	sleep 3
	run_cmd ip link del "$VRF"
	sleep 1
	log_test_addr "$a" 0 0 "${desc}, global server, enslaved device client, local"

	setup "$with_vrf"

	log_start
	run_cmd nettest ${varg} -I "$VRF" -s &
	sleep 1
	run_cmd nettest ${varg} -d "$NSA_DEV" -r "$a" &
	sleep 3
	run_cmd ip link del "$VRF"
	sleep 1
	log_test_addr "$a" 0 0 "${desc}, VRF server, enslaved device client, local"

	setup "$with_vrf"

	# last case: the caller is expected to run setup again if needed
	log_start
	run_cmd nettest ${varg} -I "$NSA_DEV" -s &
	sleep 1
	run_cmd nettest ${varg} -d "$NSA_DEV" -r "$a" &
	sleep 3
	run_cmd ip link del "$VRF"
	sleep 1
	log_test_addr "$a" 0 0 "${desc}, enslaved device server and client, local"
}
2035
# Runtime test: delete the VRF device while a flood ping (ping -f) is
# running, first inbound from ns-B and then outbound through the VRF.
# As in ipv4_rt, log_test_addr is given 0 for both status values, so the
# case is logged as passed once the delete has been issued.
ipv4_ping_rt()
{
	local with_vrf="yes"
	local a

	# inbound: ns-B floods an address in ns-A
	for a in $NSA_IP $VRF_IP; do
		log_start
		run_cmd_nsb ping -f "$a" &
		sleep 3
		run_cmd ip link del "$VRF"
		sleep 1
		log_test_addr "$a" 0 0 "Device delete with active traffic - ping in"

		setup "$with_vrf"
	done

	# outbound: ns-A floods ns-B through the VRF; no setup afterwards
	a=$NSB_IP
	log_start
	run_cmd ping -f -I "$VRF" "$a" &
	sleep 3
	run_cmd ip link del "$VRF"
	sleep 1
	log_test_addr "$a" 0 0 "Device delete with active traffic - ping out"
}
2061
# Entry point for the IPv4 runtime tests. Each group starts from a
# fresh VRF topology because the previous group ends with the VRF
# device deleted.
ipv4_runtime()
{
	log_section "Run time tests - ipv4"

	# flood ping while the VRF is removed
	setup "yes"
	ipv4_ping_rt

	# second argument is forwarded to nettest as extra options
	setup "yes"
	ipv4_rt "TCP active socket"  "-n -1"

	setup "yes"
	ipv4_rt "TCP passive socket" "-i"
}
2075
2076################################################################################
2077# IPv6
2078
# IPv6 ping matrix for the topology without a VRF: outbound, inbound
# and local pings, followed by cases where an ip rule or an unreachable
# route is installed and the ping is expected to fail.
# ${ping6} is left unquoted throughout; it is defined elsewhere in this
# file and may expand to more than one word.
ipv6_ping_novrf()
{
	local a

	# not expected to matter without a VRF; set it so the state is
	# known. Errors from the sysctl are discarded.
	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null

	# outbound from ns-A
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}; do
		log_start
		run_cmd ${ping6} -c1 -w1 "$a"
		log_test_addr "$a" $? 0 "ping out"
	done

	for a in $NSB_IP6 $NSB_LO_IP6; do
		log_start
		run_cmd ${ping6} -c1 -w1 -I "$NSA_DEV" "$a"
		log_test_addr "$a" $? 0 "ping out, device bind"

		log_start
		run_cmd ${ping6} -c1 -w1 -I "$NSA_LO_IP6" "$a"
		log_test_addr "$a" $? 0 "ping out, loopback address bind"
	done

	# inbound from ns-B
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}; do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 "$a"
		log_test_addr "$a" $? 0 "ping in"
	done

	# local traffic to local addresses
	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}; do
		log_start
		run_cmd ${ping6} -c1 -w1 "$a"
		log_test_addr "$a" $? 0 "ping local, no bind"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}; do
		log_start
		run_cmd ${ping6} -c1 -w1 -I "$NSA_DEV" "$a"
		log_test_addr "$a" $? 0 "ping local, device bind"
	done

	# loopback addresses must not be reachable through a device bind
	for a in $NSA_LO_IP6 ::1; do
		log_start
		show_hint "Fails since address on loopback is out of device scope"
		run_cmd ${ping6} -c1 -w1 -I "$NSA_DEV" "$a"
		log_test_addr "$a" $? 2 "ping local, device bind"
	done

	# ip rule blocks the address: the local-table rule is moved from
	# pref 0 to pref 32765 and two prohibit rules are added ahead of it
	log_start
	setup_cmd ip -6 rule add pref 32765 from all lookup local
	setup_cmd ip -6 rule del pref 0 from all lookup local
	setup_cmd ip -6 rule add pref 50 to "$NSB_LO_IP6" prohibit
	setup_cmd ip -6 rule add pref 51 from "$NSB_IP6" prohibit

	a=$NSB_LO_IP6
	run_cmd ${ping6} -c1 -w1 "$a"
	log_test_addr "$a" $? 2 "ping out, blocked by rule"

	log_start
	run_cmd ${ping6} -c1 -w1 -I "$NSA_DEV" "$a"
	log_test_addr "$a" $? 2 "ping out, device bind, blocked by rule"

	a=$NSA_LO_IP6
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb ${ping6} -c1 -w1 "$a"
	log_test_addr "$a" $? 1 "ping in, blocked by rule"

	# put the rule table back the way it was
	setup_cmd ip -6 rule add pref 0 from all lookup local
	setup_cmd ip -6 rule del pref 32765 from all lookup local
	setup_cmd ip -6 rule del pref 50 to "$NSB_LO_IP6" prohibit
	setup_cmd ip -6 rule del pref 51 from "$NSB_IP6" prohibit

	# unreachable routes block the remote addresses
	log_start
	setup_cmd ip -6 route del "$NSB_LO_IP6"
	setup_cmd ip -6 route add unreachable "$NSB_LO_IP6" metric 10
	setup_cmd ip -6 route add unreachable "$NSB_IP6" metric 10

	a=$NSB_LO_IP6
	run_cmd ${ping6} -c1 -w1 "$a"
	log_test_addr "$a" $? 2 "ping out, blocked by route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I "$NSA_DEV" "$a"
	log_test_addr "$a" $? 2 "ping out, device bind, blocked by route"

	a=$NSA_LO_IP6
	log_start
	show_hint "Response lost due to ip route"
	run_cmd_nsb ${ping6} -c1 -w1 "$a"
	log_test_addr "$a" $? 1 "ping in, blocked by route"


	# drop the 'remote' routes again so lookups fall back to the default;
	# the route to NSB_LO_IP6 deleted above is not re-added
	log_start
	setup_cmd ip -6 ro del unreachable "$NSB_LO_IP6"
	setup_cmd ip -6 ro del unreachable "$NSB_IP6"

	a=$NSB_LO_IP6
	run_cmd ${ping6} -c1 -w1 "$a"
	log_test_addr "$a" $? 2 "ping out, unreachable route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I "$NSA_DEV" "$a"
	log_test_addr "$a" $? 2 "ping out, device bind, unreachable route"
}
2208
# IPv6 ping matrix with ns-A's interface enslaved to the VRF: outbound,
# inbound and local pings, an LLA-to-GUA case with ns-B's global
# addresses temporarily removed, and cases blocked by ip rules or by
# missing routes.
# ${ping6}, ${NSB} and the link-local address variables are left
# unquoted; they are set elsewhere in this file.
ipv6_ping_vrf()
{
	local a

	# expected to default to on; older kernels do not have the sysctl,
	# so errors are discarded
	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null

	# outbound from ns-A
	for a in $NSB_IP6 $NSB_LO_IP6; do
		log_start
		run_cmd ${ping6} -c1 -w1 -I "$VRF" "$a"
		log_test_addr "$a" $? 0 "ping out, VRF bind"
	done

	for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF}; do
		log_start
		show_hint "Fails since VRF device does not support linklocal or multicast"
		run_cmd ${ping6} -c1 -w1 "$a"
		log_test_addr "$a" $? 1 "ping out, VRF bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}; do
		log_start
		run_cmd ${ping6} -c1 -w1 -I "$NSA_DEV" "$a"
		log_test_addr "$a" $? 0 "ping out, device bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}; do
		log_start
		run_cmd ip vrf exec "$VRF" ${ping6} -c1 -w1 -I "$VRF_IP6" "$a"
		log_test_addr "$a" $? 0 "ping out, vrf device+address bind"
	done

	# inbound from ns-B
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}; do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 "$a"
		log_test_addr "$a" $? 0 "ping in"
	done

	# ns-A's loopback address is outside the VRF and must not answer
	a=$NSA_LO_IP6
	log_start
	show_hint "Fails since loopback address is out of VRF scope"
	run_cmd_nsb ${ping6} -c1 -w1 "$a"
	log_test_addr "$a" $? 1 "ping in"

	# local traffic to local addresses
	for a in $NSA_IP6 $VRF_IP6 ::1; do
		log_start
		show_hint "Source address should be ${a}"
		run_cmd ${ping6} -c1 -w1 -I "$VRF" "$a"
		log_test_addr "$a" $? 0 "ping local, VRF bind"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}; do
		log_start
		run_cmd ${ping6} -c1 -w1 -I "$NSA_DEV" "$a"
		log_test_addr "$a" $? 0 "ping local, device bind"
	done

	# LLA to GUA: strip the global IPv6 addresses from ns-B and route
	# NSA_IP6 via ns-A's link-local address
	setup_cmd_nsb ip -6 addr del "${NSB_IP6}/64" dev "$NSB_DEV"
	setup_cmd_nsb ip -6 addr del "${NSB_LO_IP6}/128" dev lo
	setup_cmd_nsb ip -6 ro add "${NSA_IP6}/128" via ${NSA_LINKIP6} dev "$NSB_DEV"

	# NOTE(review): both iterations ping NSA_IP6 while the result is
	# logged against $a, so VRF_IP6 itself is never pinged - confirm
	# whether that is intended (only NSA_IP6 has a route added above).
	for a in $NSA_IP6 $VRF_IP6; do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 "$NSA_IP6"
		log_test_addr "$a" $? 0 "ping in, LLA to GUA"
	done

	# restore ns-B's addresses and drop the temporary route
	setup_cmd_nsb ip -6 ro del "${NSA_IP6}/128" via ${NSA_LINKIP6} dev "$NSB_DEV"
	setup_cmd_nsb ip -6 addr add "${NSB_IP6}/64" dev "$NSB_DEV"
	setup_cmd_nsb ip -6 addr add "${NSB_LO_IP6}/128" dev lo

	# ip rule blocks the address
	log_start
	setup_cmd ip -6 rule add pref 50 to "$NSB_LO_IP6" prohibit
	setup_cmd ip -6 rule add pref 51 from "$NSB_IP6" prohibit

	a=$NSB_LO_IP6
	run_cmd ${ping6} -c1 -w1 "$a"
	log_test_addr "$a" $? 2 "ping out, blocked by rule"

	log_start
	run_cmd ${ping6} -c1 -w1 -I "$NSA_DEV" "$a"
	log_test_addr "$a" $? 2 "ping out, device bind, blocked by rule"

	a=$NSA_LO_IP6
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb ${ping6} -c1 -w1 "$a"
	log_test_addr "$a" $? 1 "ping in, blocked by rule"

	# remove the prohibit rules again
	log_start
	setup_cmd ip -6 rule del pref 50 to "$NSB_LO_IP6" prohibit
	setup_cmd ip -6 rule del pref 51 from "$NSB_IP6" prohibit

	# drop the 'remote' route inside the VRF so lookups fall back to
	# the default
	log_start
	setup_cmd ip -6 ro del "$NSB_LO_IP6" vrf "$VRF"

	a=$NSB_LO_IP6
	run_cmd ${ping6} -c1 -w1 "$a"
	log_test_addr "$a" $? 2 "ping out, unreachable route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I "$NSA_DEV" "$a"
	log_test_addr "$a" $? 2 "ping out, device bind, unreachable route"

	# this route delete in ns-B is issued directly rather than through
	# setup_cmd_nsb
	ip -netns ${NSB} -6 ro del "$NSA_LO_IP6"
	a=$NSA_LO_IP6
	log_start
	run_cmd_nsb ${ping6} -c1 -w1 "$a"
	log_test_addr "$a" $? 2 "ping in, unreachable route"
}
2343
ipv6_ping()
{
	# Entry point for the IPv6 ping tests. The topology is rebuilt by
	# setup before each suite, so the VRF run does not inherit state
	# (rules, deleted routes) left behind by the non-VRF run.
	log_section "IPv6 ping"

	# setup is called without an argument for the "No VRF" suite
	log_subsection "No VRF"
	setup
	ipv6_ping_novrf

	# setup "yes" is used for the "With VRF" suite
	log_subsection "With VRF"
	setup "yes"
	ipv6_ping_vrf
}
2356
2357################################################################################
2358# IPv6 TCP
2359
2360#
2361# MD5 tests without VRF
2362#
ipv6_tcp_md5_novrf()
{
	# TCP MD5 signature tests over IPv6 without a VRF.
	#
	# Pattern of every case: start a nettest server through run_cmd in
	# the background, give it one second to start listening, connect
	# with a client through run_cmd_nsb, then hand the client's exit
	# status to log_test together with the expected status.
	#   -M <pw>    server side MD5 password
	#   -m <addr>  peer address or prefix the server password applies to
	#   -X <pw>    client side MD5 password
	#   -c <addr>  client source address
	# Expected status 0 means the connection is established; 2 is used
	# for the cases whose hint says the client should time out, i.e. the
	# signature did not validate and the segments were dropped.
	# MD5_PW and MD5_WRONG_PW are fixed test fixtures, not real secrets.

	#
	# password tied to a single peer address
	#

	# matching password, matching peer address
	log_start
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: Single address config"

	# client signs its segments, server has no key configured
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Server no config, client uses password"

	# key configured for the peer, client signs with another password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Client uses wrong password"

	# right password, but the key is configured for a different peer
	# address than the one the client connects from
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Client address does not match address configured with password"

	#
	# MD5 extension: password tied to a prefix (NS_NET6)
	#

	# client address inside the prefix, matching password
	log_start
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: Prefix config"

	# client address inside the prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Prefix config, client uses wrong password"

	# matching password, but the client's source address (-c) lies
	# outside the configured prefix
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
}
2427
2428#
2429# MD5 tests with VRF
2430#
ipv6_tcp_md5()
{
	# TCP MD5 signature tests over IPv6 with the server bound to the VRF
	# (-I ${VRF}).
	#
	# Same pattern as the non-VRF MD5 tests: background server through
	# run_cmd, one second of settle time, client through run_cmd_nsb or
	# run_cmd_nsc, client exit status compared by log_test.
	#   -M <pw> / -m <addr|prefix>  server password and the peer it covers
	#   -X <pw>                     client password
	# Expected status: 0 = connected, 2 = timed out (signature rejected),
	# 1 = the server itself refuses the configuration.
	#
	# The "duplicate config" cases are the isolation check: the same peer
	# address carries MD5_PW on the VRF-bound server and MD5_WRONG_PW on
	# the unbound one, and each password must only be honoured for
	# connections arriving in its own L3 domain. Per the test labels the
	# ns-B client reaches ns-A through the VRF and the ns-C client through
	# the default VRF.

	#
	# password tied to a single peer address
	#

	# matching password, matching peer address
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config"

	# client signs its segments, server has no key configured
	log_start
	show_hint "Should timeout since server does not have MD5 auth"
	run_cmd nettest -6 -s -I ${VRF} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Server no config, client uses password"

	# key configured for the peer, client signs with another password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Client uses wrong password"

	# right password, key configured for a different peer address
	log_start
	show_hint "Should timeout since server config differs from client"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"

	#
	# MD5 extension: password tied to a prefix (NS_NET6)
	#

	# client address inside the prefix, matching password
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config"

	# client address inside the prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"

	# matching password, client source address (-c) outside the prefix
	log_start
	show_hint "Should timeout since client address is outside of prefix"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"

	#
	# same peer address configured in the default VRF and in the VRF,
	# with a different password in each
	#

	# VRF connection with the VRF password
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"

	# default-VRF connection with the default-VRF password
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"

	# default-VRF connection must not be accepted with the VRF password
	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"

	# VRF connection must not be accepted with the default-VRF password
	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"

	#
	# same four cases with the passwords tied to a prefix
	#

	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"

	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"

	#
	# negative tests: a VRF-scoped MD5 key needs a VRF device. The server
	# runs in the foreground here because it is expected to exit with
	# status 1 when -I names the plain interface NSA_DEV.
	#
	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6}
	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"

	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6}
	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"

}
2571
ipv6_tcp_novrf()
{
	# IPv6 TCP connectivity tests without a VRF.
	#
	# A case that needs a server starts nettest -s in the background,
	# waits one second, runs the client in the foreground and passes the
	# client's exit status to log_test_addr. Expected status 0 means
	# the connection worked, 1 means it failed (the hints name
	# 'Connection refused').
	#   -I <dev>   bind the server to a device
	#   -d <dev>   bind the client to a device
	#   -3 <dev>   device the server expects the connection on
	#   -0 <addr>  local address the client expects to be using
	local a

	#
	# ns-B connects to a server in ns-A that is not bound to a device
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	# no listener: the connection attempt must be reset, not hang
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# ns-A acts as the client, the server runs in ns-B
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}; do
		log_start
		run_cmd_nsb nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Client"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}; do
		log_start
		run_cmd_nsb nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	#
	# client and server both in ns-A, connecting to a local address
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1; do
		log_start
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Global server, local connection"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"

	# a device-bound server must not be reachable through addresses that
	# live on the loopback device
	for a in ${NSA_LO_IP6} ::1; do
		log_start
		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -s -I ${NSA_DEV} &
		sleep 1
		run_cmd nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s &
	sleep 1
	run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	# a device-bound client must not reach addresses on the loopback
	# device either
	for a in ${NSA_LO_IP6} ::1; do
		log_start
		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "Global server, device client, local connection"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}; do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
		log_test_addr ${a} $? 0 "Device server, device client, local conn"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
		log_test_addr ${a} $? 1 "No server, device client, local conn"
	done

	# TCP MD5 signature cases for the non-VRF topology
	ipv6_tcp_md5_novrf
}
2691
ipv6_tcp_vrf()
{
	# IPv6 TCP connectivity tests with ns-A's device enslaved to the VRF.
	#
	# The first half runs with tcp_l3mdev_accept=0, where a server that
	# is not bound to the VRF must refuse connections arriving through
	# it; the second half sets it to 1, where such a "global" server is
	# expected to accept them. Note the knob lives under net.ipv4 even
	# though these are IPv6 tests.
	#
	# Server cases: background nettest -s, one second of settle time,
	# foreground client, client exit status checked by log_test_addr
	# (0 = connected, 1 = failed).
	#   -I <dev>   bind the server to a device or VRF
	#   -d <dev>   bind the client to a device or VRF
	#   -3 <dev>   device the server expects the connection on
	#   -0 <addr>  local address the client expects to be using
	local a

	log_subsection "Global server disabled"

	set_sysctl net.ipv4.tcp_l3mdev_accept=0

	#
	# ns-B connects to a server in ns-A
	#

	# isolation check: unbound server, traffic arrives via the VRF
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	# a link-local destination stays tied to the ingress device, so the
	# server expects NSA_DEV rather than the VRF here
	a=${NSA_LINKIP6}%${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${a}
	log_test_addr ${a} $? 0 "VRF server"

	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Device server"
	done

	# no listener: the connection attempt must be reset
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	# local connection to an unbound server from a device-bound client
	a=${NSA_IP6}
	log_start
	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
	run_cmd nettest -6 -s &
	sleep 1
	run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
	log_test_addr ${a} $? 1 "Global server, local connection"

	# TCP MD5 signature cases; they run between setup_vrf_dup and
	# cleanup_vrf_dup
	setup_vrf_dup
	ipv6_tcp_md5
	cleanup_vrf_dup

	#
	# allow unbound servers to accept connections arriving in the VRF
	#
	log_subsection "VRF Global server enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -s -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	# for a link-local address the accepted (child) socket is bound to
	# the ingress device
	a=${NSA_LINKIP6}%${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${a}
	log_test_addr ${a} $? 0 "Global server"

	log_start
	run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${a}
	log_test_addr ${a} $? 0 "VRF server"

	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Device server"
	done

	# no listener: the connection attempt must be reset
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	# local connection from a client that is not bound to the VRF
	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		show_hint "Fails 'Connection refused' since client is not in VRF"
		run_cmd nettest -6 -s -I ${VRF} &
		sleep 1
		run_cmd nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Global server, local connection"
	done


	#
	# ns-A acts as the client, the server runs in ns-B
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6}; do
		log_start
		run_cmd_nsb nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${VRF}
		log_test_addr ${a} $? 0 "Client, VRF bind"
	done

	a=${NSB_LINKIP6}
	log_start
	show_hint "Fails since VRF device does not allow linklocal addresses"
	run_cmd_nsb nettest -6 -s &
	sleep 1
	run_cmd nettest -6 -r ${a} -d ${VRF}
	log_test_addr ${a} $? 1 "Client, VRF bind"

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}; do
		log_start
		run_cmd_nsb nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -r ${a} -d ${VRF}
		log_test_addr ${a} $? 1 "No server, VRF client"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	#
	# client and server both in ns-A
	#
	for a in ${NSA_IP6} ${VRF_IP6} ::1; do
		log_start
		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
	sleep 1
	run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local connection"

	# isolation check: a client outside the VRF must not reach the
	# VRF-bound server
	a=${NSA_IP6}
	log_start
	show_hint "Should fail since unbound client is out of VRF scope"
	run_cmd nettest -6 -s -I ${VRF} &
	sleep 1
	run_cmd nettest -6 -r ${a}
	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"

	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"

	for a in ${NSA_IP6} ${NSA_LINKIP6}; do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
		log_test_addr ${a} $? 0 "Device server, device client, local connection"
	done
}
2915
ipv6_tcp()
{
	# Entry point for the IPv6 TCP tests: the non-VRF suite is run twice,
	# once per tcp_l3mdev_accept setting, followed by the VRF suite on a
	# rebuilt topology.
	log_section "IPv6/TCP"
	log_subsection "No VRF"
	setup

	# Without a VRF the tcp_l3mdev_accept setting should have no effect
	# on the results; running the same suite with it off and then on
	# verifies that.
	log_subsection "tcp_l3mdev_accept disabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=0
	ipv6_tcp_novrf
	log_subsection "tcp_l3mdev_accept enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1
	ipv6_tcp_novrf

	# ipv6_tcp_vrf sets tcp_l3mdev_accept itself for each of its halves
	log_subsection "With VRF"
	setup "yes"
	ipv6_tcp_vrf
}
2935
2936################################################################################
2937# IPv6 UDP
2938
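ipv6_udp_novrf()
{
	# IPv6 UDP tests without a VRF.
	#
	# A case that needs a server starts nettest -D -s in the background,
	# waits one second, runs the client in the foreground and passes the
	# client's exit status to log_test_addr / log_test. Expected status
	# 0 means the exchange worked, 1 means it failed (the hints name
	# 'Connection refused' or 'No route to host').
	#   -D         datagram (UDP) mode
	#   -I <dev>   bind the server to a device
	#   -d <dev>   client side device
	#   -C         client selects the device via cmsg
	#   -S         client selects the device via IPV6_UNICAST_IF
	#   -3 <dev>   device the server expects the traffic on
	#   -0 / -1    local / remote address the client expects
	local a

	#
	# ns-B sends to a server in ns-A
	#
	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Device server"
	done

	a=${NSA_LO_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -6 -D -r ${a}
	log_test_addr ${a} $? 0 "Global server"

	# Disabled case, kept to document behavior: a server bound to
	# NSA_DEV should not receive traffic sent to the loopback address
	# since that address is out of the device's scope, but the exchange
	# currently succeeds, so the expectation below would not hold.
	#log_start
	#show_hint "Should fail since loopback address is out of scope"
	#run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	#sleep 1
	#run_cmd_nsb nettest -6 -D -r ${a}
	#log_test_addr ${a} $? 1 "Device server"

	# negative test - no listener, the client must see a failure
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# ns-A acts as the client, the server runs in ns-B; every way of
	# selecting the egress device is exercised per address
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
	do
		log_start
		run_cmd_nsb nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6}
		log_test_addr ${a} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		run_cmd_nsb nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6}
		log_test_addr ${a} $? 0 "Client, device send via cmsg"

		log_start
		run_cmd_nsb nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6}
		log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	#
	# client and server both in ns-A, sending to a local address
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
	do
		log_start
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a}
		log_test_addr ${a} $? 0 "Global server, local connection"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -r ${a}
	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"

	# a device-bound server must not be reachable through addresses that
	# live on the loopback device
	for a in ${NSA_LO_IP6} ::1
	do
		log_start
		show_hint "Should fail 'Connection refused' since address is out of device scope"
		run_cmd nettest -6 -s -D -I ${NSA_DEV} &
		sleep 1
		run_cmd nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "Device server, local connection"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -D &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	log_start
	run_cmd nettest -6 -s -D &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a}
	log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"

	log_start
	run_cmd nettest -6 -s -D &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection"

	# a client pinned to NSA_DEV, by any of the three mechanisms, must
	# not reach addresses on the loopback device
	for a in ${NSA_LO_IP6} ::1
	do
		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "Global server, device client, local connection"

		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C
		log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"

		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S
		# label names the IPv6 option, matching the positive -S cases
		# above (it previously read IP_UNICAST_IF)
		log_test_addr ${a} $? 1 "Global server, device client via IPV6_UNICAST_IF, local connection"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local conn"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "No server, device client, local conn"

	# LLA to GUA: drop ns-B's global address so it has to source from
	# its link-local address, and give it a host route to ns-A
	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -D &
	sleep 1
	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
	log_test $? 0 "UDP in - LLA to GUA"

	# restore ns-B's addressing for the tests that follow
	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}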
3123
ipv6_udp_vrf()
{
	# IPv6 UDP tests with ns-A's device enslaved to the VRF.
	#
	# The first half runs with udp_l3mdev_accept=0, where a server that
	# is not bound to the VRF must not receive traffic arriving through
	# it; the second half sets it to 1, where such a "global" server is
	# expected to receive it. Note the knob lives under net.ipv4 even
	# though these are IPv6 tests.
	#
	# Server cases: background nettest -D -s, one second of settle time,
	# foreground client, client exit status checked by log_test_addr or
	# log_test (0 = exchange worked, 1 = failed).
	#   -D         datagram (UDP) mode
	#   -I <dev>   bind the server to a device or VRF
	#   -d <dev>   client side device or VRF
	#   -3 <dev>   device the server expects the traffic on
	local a

	log_subsection "Global server disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0

	#
	# ns-B sends to a server in ns-A
	#

	# isolation check: unbound server, traffic arrives via the VRF
	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		show_hint "Should fail 'Connection refused' since global server is disabled"
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"
	done

	# negative test - no listener, the client must see a failure
	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client and server both in ns-A
	#
	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		show_hint "Should fail 'Connection refused' since global server is disabled"
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "Global server, VRF client, local conn"
	done

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -D -I ${VRF} -s &
		sleep 1
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
	done

	a=${NSA_IP6}
	log_start
	show_hint "Should fail 'Connection refused' since global server is disabled"
	run_cmd nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "Global server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"

	# from here on unbound servers may receive traffic arriving in the
	# VRF
	log_subsection "Global server enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1

	#
	# ns-B sends to a server in ns-A
	#
	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"
	done

	# negative test - no listener, the client must see a failure
	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# ns-A acts as the client, the server runs in ns-B
	#
	log_start
	run_cmd_nsb nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
	log_test $? 0 "VRF client"

	# negative test - should fail
	log_start
	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
	log_test $? 1 "No server, VRF client"

	log_start
	run_cmd_nsb nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
	log_test $? 0 "Enslaved device client"

	# negative test - should fail
	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
	log_test $? 1 "No server, enslaved device client"

	#
	# client and server both in ns-A
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

	# NOTE(review): this is the only case in the function whose
	# log_start is commented out. If log_start is what clears the
	# previous case's background server, the global server started
	# above may still be running here, and a pass would not prove the
	# VRF server handled the datagram - confirm against log_start and
	# re-enable if so.
	#log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"


	a=${VRF_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${VRF} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"

	# negative test - should fail
	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
	done

	# device-bound client to the global address
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "No server, device client, local conn"


	# link-local addresses; each positive case is followed by its
	# no-server counterpart
	log_start
	run_cmd nettest -6 -D -s &
	sleep 1
	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
	log_test $? 0 "Global server, linklocal IP"

	log_start
	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
	log_test $? 1 "No server, linklocal IP"


	log_start
	run_cmd_nsb nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
	log_test $? 0 "Enslaved device client, linklocal IP"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
	log_test $? 1 "No server, device client, peer linklocal IP"


	log_start
	run_cmd nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
	log_test $? 0 "Enslaved device client, local conn - linklocal IP"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
	log_test $? 1 "No server, device client, local conn  - linklocal IP"

	# LLA to GUA: drop ns-B's global address so it has to source from
	# its link-local address, and give it a host route to ns-A
	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -D &
	sleep 1
	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
	log_test $? 0 "UDP in - LLA to GUA"

	# restore ns-B's addressing for the tests that follow
	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}
3401
# Run the IPv6 UDP tests: first without a VRF, once for each value of
# udp_l3mdev_accept, then once more with the VRF configured.
ipv6_udp()
{
	local l3mdev_accept
	local l3mdev_state

	# should not matter for these tests, but start from a known state
	set_sysctl net.ipv4.udp_early_demux=1

	log_section "IPv6/UDP"
	log_subsection "No VRF"
	setup

	# udp_l3mdev_accept should have no effect without a VRF; run the
	# non-VRF tests with it disabled and then enabled to verify that
	for l3mdev_accept in 0 1; do
		case "${l3mdev_accept}" in
		0) l3mdev_state="disabled" ;;
		*) l3mdev_state="enabled" ;;
		esac

		log_subsection "udp_l3mdev_accept ${l3mdev_state}"
		set_sysctl net.ipv4.udp_l3mdev_accept=${l3mdev_accept}
		ipv6_udp_novrf
	done

	log_subsection "With VRF"
	setup "yes"
	ipv6_udp_vrf
}
3424
3425################################################################################
3426# IPv6 address bind
3427
# IPv6 bind tests without a VRF: raw and TCP sockets bound to local
# addresses, with and without a prior device bind, plus one raw-socket bind
# to a non-local address. Every case here is expected to succeed (rc 0).
# The nettest exit status is handed to log_test_addr through $?, so nothing
# may be inserted between a run_cmd line and the log_test_addr that follows.
ipv6_addr_bind_novrf()
{
	#
	# raw socket
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# raw socket with nonlocal bind
	#
	# NOTE(review): this case passes "-P icmp" while the raw-socket cases
	# above pass "-P ipv6-icmp"; looks like a carry-over from the IPv4
	# variant - confirm which protocol is intended.
	# presumably -f asks nettest for a free (non-local) bind; verify
	# against nettest's option list
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

	#
	# tcp sockets
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. So this test passes
	# when it really should not.
	# Consequence for service hardening: a device bind alone does not
	# limit which local address the socket can then be bound to.
	a=${NSA_LO_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
}
3473
# IPv6 bind tests with the VRF configured: raw and TCP sockets bound to
# addresses inside the VRF (expected rc 0) and to the loopback address,
# which is outside the VRF (expected rc 1).
# The nettest exit status is handed to log_test_addr through $?, so nothing
# may be inserted between a run_cmd line and the log_test_addr that follows.
ipv6_addr_bind_vrf()
{
	#
	# raw socket
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	# negative case: the bind must be refused (expected rc 1)
	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"

	#
	# raw socket with nonlocal bind
	#
	# NOTE(review): this case passes "-P icmp" while the raw-socket cases
	# above pass "-P ipv6-icmp"; looks like a carry-over from the IPv4
	# variant - confirm which protocol is intended.
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	#
	# tcp sockets
	#
	# address on enslaved device is valid for the VRF or device in a VRF
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not.
	# Consequence for service hardening: the isolation boundary being
	# enforced is the L3 domain (the VRF), not the individual device.
	a=${VRF_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind"

	# negative cases: the loopback address is outside the VRF, so both
	# the VRF bind and the enslaved-device bind must be refused (rc 1)
	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"

}
3542
# Entry point for the IPv6 address-bind tests. The configuration is rebuilt
# by setup before each half: first without, then with the VRF.
ipv6_addr_bind()
{
	log_section "IPv6 address binds"

	# pass 1: no VRF device
	log_subsection "No VRF"
	setup
	ipv6_addr_bind_novrf

	# pass 2: same tests' VRF counterparts
	log_subsection "With VRF"
	setup "yes"
	ipv6_addr_bind_vrf
}
3555
3556################################################################################
3557# IPv6 runtime tests
3558
# Helper for ipv6_rt: start a nettest server and a nettest client in the
# background, then delete the VRF device while both are still running.
#   $1 - nettest options shared by server and client
#   $2 - function that launches the server (run_cmd or run_cmd_nsb)
#   $3 - extra server options, may be empty
#   $4 - function that launches the client (run_cmd or run_cmd_nsb)
#   $5 - client options
_ipv6_rt_del_vrf()
{
	local common="$1"
	local srv_run="$2"
	local srv_opts="$3"
	local cli_run="$4"
	local cli_opts="$5"

	log_start
	${srv_run} nettest ${common} ${srv_opts} -s &
	sleep 1
	${cli_run} nettest ${common} ${cli_opts} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
}

# Runtime tests: delete the VRF device while sockets are in use.
#   $1 - description prefix for the logged test names
#   $2 - nettest options selecting the socket type ("-6" is prepended)
# Every result is logged with a fixed rc of 0 against an expected 0, so
# these cases never fail on a nettest exit status; presumably the point is
# that the kernel survives the delete - confirm with the test author.
# The configuration is rebuilt with setup after each case except the last.
ipv6_rt()
{
	local desc="$1"
	local varg="-6 $2"
	local with_vrf="yes"
	local a

	#
	# server tests: server in ns-A, client in ns-B
	#
	for a in ${NSA_IP6} ${VRF_IP6}; do
		_ipv6_rt_del_vrf "${varg}" run_cmd "" run_cmd_nsb "-r ${a}"
		log_test_addr ${a} 0 0 "${desc}, global server"
		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}; do
		_ipv6_rt_del_vrf "${varg}" run_cmd "-I ${VRF}" run_cmd_nsb "-r ${a}"
		log_test_addr ${a} 0 0 "${desc}, VRF server"
		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}; do
		_ipv6_rt_del_vrf "${varg}" run_cmd "-I ${NSA_DEV}" run_cmd_nsb "-r ${a}"
		log_test_addr ${a} 0 0 "${desc}, enslaved device server"
		setup ${with_vrf}
	done

	#
	# client tests: server in ns-B, client in ns-A
	#
	_ipv6_rt_del_vrf "${varg}" run_cmd_nsb "" run_cmd "-d ${VRF} -r ${NSB_IP6}"
	log_test  0 0 "${desc}, VRF client"
	setup ${with_vrf}

	_ipv6_rt_del_vrf "${varg}" run_cmd_nsb "" run_cmd "-d ${NSA_DEV} -r ${NSB_IP6}"
	log_test  0 0 "${desc}, enslaved device client"
	setup ${with_vrf}

	#
	# local address tests: server and client both in ns-A
	#
	for a in ${NSA_IP6} ${VRF_IP6}; do
		_ipv6_rt_del_vrf "${varg}" run_cmd "" run_cmd "-d ${VRF} -r ${a}"
		log_test_addr ${a} 0 0 "${desc}, global server, VRF client"
		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}; do
		_ipv6_rt_del_vrf "${varg}" run_cmd "-I ${VRF}" run_cmd "-d ${VRF} -r ${a}"
		log_test_addr ${a} 0 0 "${desc}, VRF server and client"
		setup ${with_vrf}
	done

	a=${NSA_IP6}
	_ipv6_rt_del_vrf "${varg}" run_cmd "" run_cmd "-d ${NSA_DEV} -r ${a}"
	log_test_addr ${a} 0 0 "${desc}, global server, device client"
	setup ${with_vrf}

	_ipv6_rt_del_vrf "${varg}" run_cmd "-I ${VRF}" run_cmd "-d ${NSA_DEV} -r ${a}"
	log_test_addr ${a} 0 0 "${desc}, VRF server, device client"
	setup ${with_vrf}

	# last case: no setup afterwards, the caller rebuilds the config
	_ipv6_rt_del_vrf "${varg}" run_cmd "-I ${NSA_DEV}" run_cmd "-d ${NSA_DEV} -r ${a}"
	log_test_addr ${a} 0 0 "${desc}, device server, device client"
}
3700
# Runtime ping tests: delete the VRF device while a flood ping is running,
# first inbound (ns-B to ns-A), then outbound (ns-A to ns-B through the VRF).
# Both results are logged with a fixed rc of 0 against an expected 0.
ipv6_ping_rt()
{
	local with_vrf="yes"
	local a=${NSA_IP6}

	# inbound flood ping from ns-B; the VRF is removed three seconds in
	log_start
	run_cmd_nsb ${ping6} -f ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

	# rebuild the configuration before the outbound case
	setup ${with_vrf}

	# outbound flood ping bound to the VRF; note the result is still
	# logged under ${a} (the ns-A address) although the target is ns-B
	log_start
	run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
	sleep 1
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}
3723
# Entry point for the IPv6 runtime tests. The VRF configuration is rebuilt
# before every group because each group ends with the VRF deleted.
ipv6_runtime()
{
	log_section "Run time tests - ipv6"

	setup "yes"
	ipv6_ping_rt

	# pairs of: description, nettest options handed to ipv6_rt
	set -- \
		"TCP active socket"  "-n -1" \
		"TCP passive socket" "-i" \
		"UDP active socket"  "-D -n -1"

	while [ $# -ge 2 ]; do
		setup "yes"
		ipv6_rt "$1" "$2"
		shift 2
	done
}
3740
3741################################################################################
3742# netfilter blocking connections
3743
# With a REJECT rule already installed by the caller, start a TCP server in
# ns-A and connect from ns-B to each ns-A address; the client is expected
# to fail (rc 1).
netfilter_tcp_reset()
{
	local addr
	local client_rc

	for addr in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd nettest -s &
		sleep 1

		# keep the client's exit status before anything else runs
		run_cmd_nsb nettest -r ${addr}
		client_rc=$?
		log_test_addr ${addr} ${client_rc} 1 "Global server, reject with TCP-reset on Rx"
	done
}
3757
# With REJECT rules already installed by the caller, start a server in ns-A
# and connect from ns-B to each ns-A address; the client is expected to
# fail (rc 1).
#   $1 - "TCP" or "UDP"; "UDP" adds -D to both nettest commands
netfilter_icmp()
{
	local stype="$1"
	local arg
	local addr
	local client_rc

	if [ "${stype}" = "UDP" ]; then
		arg="-D"
	fi

	for addr in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd nettest ${arg} -s &
		sleep 1

		# keep the client's exit status before anything else runs
		run_cmd_nsb nettest ${arg} -r ${addr}
		client_rc=$?
		log_test_addr ${addr} ${client_rc} 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}
3775
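# IPv4 netfilter tests: install REJECT rules for port 12345 (presumably the
# port nettest uses by default - confirm) and verify that clients in ns-B
# are refused, first with a TCP reset, then with ICMP port-unreachable.
#
# Every rule change goes through run_cmd, including the final flush. The
# original ended with a bare "iptables -F", which acts on whatever network
# namespace the script itself runs in rather than on the one the rules were
# installed through run_cmd; on a host with its own filter rules that flush
# would remove them.
ipv4_netfilter()
{
	log_section "IPv4 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp_reset

	log_start
	log_subsection "ICMP unreachable"

	# replace the tcp-reset rule with ICMP rejects for TCP and UDP
	log_start
	run_cmd iptables -F
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
	run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable

	netfilter_icmp "TCP"
	netfilter_icmp "UDP"

	# remove the test rules the same way they were added
	log_start
	run_cmd iptables -F
}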
3800
# IPv6 counterpart of netfilter_tcp_reset: with a REJECT rule already
# installed by the caller, connect from ns-B to each ns-A address and
# expect the client to fail (rc 1).
netfilter_tcp6_reset()
{
	local addr
	local client_rc

	for addr in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -s &
		sleep 1

		# keep the client's exit status before anything else runs
		run_cmd_nsb nettest -6 -r ${addr}
		client_rc=$?
		log_test_addr ${addr} ${client_rc} 1 "Global server, reject with TCP-reset on Rx"
	done
}
3814
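# IPv6 counterpart of netfilter_icmp: with REJECT rules already installed
# by the caller, connect from ns-B to each ns-A address and expect the
# client to fail (rc 1).
#   $1 - "TCP" or "UDP"; "UDP" adds -D to both nettest commands
netfilter_icmp6()
{
	local stype="$1"
	local arg=""
	local a

	# set the option directly, as netfilter_icmp does; the original
	# appended to a local that had never been assigned
	[ "${stype}" = "UDP" ] && arg="-D"

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s ${arg} &
		sleep 1
		# $? below is the client's exit status; keep these two lines adjacent
		run_cmd_nsb nettest -6 ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}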
3832
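# IPv6 netfilter tests: install REJECT rules for port 12345 (presumably the
# port nettest uses by default - confirm) and verify that clients in ns-B
# are refused, first with a TCP reset, then with ICMPv6 port-unreachable.
#
# Every rule change goes through run_cmd, including the final flush. The
# original ended with a bare "ip6tables -F", which acts on whatever network
# namespace the script itself runs in rather than on the one the rules were
# installed through run_cmd; on a host with its own filter rules that flush
# would remove them.
ipv6_netfilter()
{
	log_section "IPv6 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp6_reset

	log_subsection "ICMP unreachable"

	# replace the tcp-reset rule with ICMPv6 rejects for TCP and UDP
	log_start
	run_cmd ip6tables -F
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
	run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable

	netfilter_icmp6 "TCP"
	netfilter_icmp6 "UDP"

	# remove the test rules the same way they were added
	log_start
	run_cmd ip6tables -F
}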
3856
3857################################################################################
3858# specific use cases
3859
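# Helper for use_case_br: ping out of ns-A through a bridge device and back
# in from ns-B, for IPv4 and IPv6, logging each result (expected rc 0).
# The neighbour table is flushed before every ping.
#   $1 - description prefix for the logged test names
#   $2 - device in ns-A to ping out of
#   $3 - IPv4 address to ping from ns-A
#   $4 - IPv6 address to ping from ns-A
#   $5 - IPv4 address to ping from ns-B
#   $6 - IPv6 address to ping from ns-B
_use_case_br_pings()
{
	local label="$1"
	local br_dev="$2"
	local peer4="$3"
	local peer6="$4"
	local self4="$5"
	local self6="$6"

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I ${br_dev} ${peer4}
	log_test $? 0 "${label} - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I ${br_dev} ${peer6}
	log_test $? 0 "${label} - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 ${self4}
	log_test $? 0 "${label} - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 ${self6}
	log_test $? 0 "${label} - IPv6 ping in"
}

# VRF only.
# ns-A device enslaved to bridge. Verify traffic with and without
# br_netfilter module loaded. Repeat with a VLAN device (br0.100) on the
# bridge placed in the VRF.
#
# rmmod/modprobe are called directly, so the br_netfilter module is removed
# from and loaded into the running kernel itself; the function does not
# restore the module state it found. Run this on a machine where that is
# acceptable.
#
# Fixes over the original: the last two "ping in" results of the final
# br_netfilter pass were logged under the same names as the pass without
# the module, which made the two sets indistinguishable in the results.
use_case_br()
{
	setup "yes"

	# move the ns-A addresses from the port device onto a new bridge
	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
	setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64

	setup_cmd ip link add br0 type bridge
	setup_cmd ip addr add dev br0 ${NSA_IP}/24
	setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad

	setup_cmd ip li set ${NSA_DEV} master br0
	setup_cmd ip li set ${NSA_DEV} up
	setup_cmd ip li set br0 up
	setup_cmd ip li set br0 vrf ${VRF}

	# best effort: the module may not be loaded
	rmmod br_netfilter 2>/dev/null
	sleep 5 # DAD

	_use_case_br_pings "Bridge into VRF" br0 \
		${NSB_IP} ${NSB_IP6} ${NSA_IP} ${NSA_IP6}

	# repeat with br_netfilter only if the module can be loaded
	if modprobe br_netfilter; then
		_use_case_br_pings "Bridge into VRF with br_netfilter" br0 \
			${NSB_IP} ${NSB_IP6} ${NSA_IP} ${NSA_IP6}
	fi

	# take the bridge out of the VRF and put a VLAN device on top of it
	# into the VRF instead, with a matching VLAN device in ns-B
	setup_cmd ip li set br0 nomaster
	setup_cmd ip li add br0.100 link br0 type vlan id 100
	setup_cmd ip li set br0.100 vrf ${VRF} up
	setup_cmd ip    addr add dev br0.100 172.16.101.1/24
	setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad

	setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
	setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
	setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
	setup_cmd_nsb ip li set vlan100 up
	sleep 1

	# best effort: the module may not be loaded
	rmmod br_netfilter 2>/dev/null

	_use_case_br_pings "Bridge vlan into VRF" br0.100 \
		172.16.101.2 2001:db8:101::2 172.16.101.1 2001:db8:101::1

	if modprobe br_netfilter; then
		_use_case_br_pings "Bridge vlan into VRF with br_netfilter" br0.100 \
			172.16.101.2 2001:db8:101::2 172.16.101.1 2001:db8:101::1
	fi

	setup_cmd ip li del br0 2>/dev/null
	setup_cmd_nsb ip li del vlan100 2>/dev/null
}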
3970
# VRF only.
# ns-A device is connected to both ns-B and ns-C on a single VRF but only has
# LLA on the interfaces. ns-B and ns-C ping the multicast address before and
# after each ns-A interface is taken down and brought back up; every ping is
# expected to succeed (rc 0).
use_case_ping_lla_multi()
{
	local flap_dev

	setup_lla_only
	# only want reply from ns-A
	setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
	setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1

	# baseline before any interface is cycled
	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B"

	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C"

	# cycle/flap each ns-A interface in turn and repeat both pings
	for flap_dev in ${NSA_DEV} ${NSA_DEV2}; do
		setup_cmd ip link set ${flap_dev} down
		setup_cmd ip link set ${flap_dev} up
		sleep 1

		log_start
		run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
		log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${flap_dev}, ping out ns-B"
		run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
		log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${flap_dev}, ping out ns-C"
	done
}
4010
# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully
# established with ns-B.
# The SNAT rules are added and later deleted through run_cmd with the same
# rule specification; if the function stops between the two steps the rules
# stay in place until the configuration is rebuilt.
use_case_snat_on_vrf()
{
	setup "yes"

	local port="12345"
	# rule specification shared by the add (-A) and delete (-D) steps
	local snat_rule="POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT"

	run_cmd iptables -t nat -A ${snat_rule} --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -A ${snat_rule} --to-source ${NSA_LO_IP6} -o ${VRF}

	# IPv4: server in ns-B, client in ns-A going out through the VRF
	run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} &
	sleep 1
	run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port}
	log_test $? 0 "IPv4 TCP connection over VRF with SNAT"

	# IPv6: same pair of commands with -6
	run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} &
	sleep 1
	run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port}
	log_test $? 0 "IPv6 TCP connection over VRF with SNAT"

	# Cleanup
	run_cmd iptables -t nat -D ${snat_rule} --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -D ${snat_rule} --to-source ${NSA_LO_IP6} -o ${VRF}
}
4036
# Entry point for the "use cases" test set: runs each use-case function
# under its own log subsection, in a fixed order.
use_cases()
{
	log_section "Use cases"

	# pairs of: subsection title, function to run
	set -- \
		"Device enslaved to bridge"         use_case_br \
		"Ping LLA with multiple interfaces" use_case_ping_lla_multi \
		"SNAT on VRF"                       use_case_snat_on_vrf

	while [ $# -ge 2 ]; do
		log_subsection "$1"
		"$2"
		shift 2
	done
}
4047
4048################################################################################
4049# usage
4050
4051usage()
4052{
4053	cat <<EOF
4054usage: ${0##*/} OPTS
4055
4056	-4          IPv4 tests only
4057	-6          IPv6 tests only
4058	-t <test>   Test name/set to run
4059	-p          Pause on fail
4060	-P          Pause after each test
4061	-v          Be verbose
4062
4063Tests:
4064	$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER
4065EOF
4066}
4067
4068################################################################################
4069# main
4070
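# Test sets selectable with -4, -6 or -t; with no selection all are run.
TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter"
TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter"
TESTS_OTHER="use_cases"

PAUSE_ON_FAIL=no
PAUSE=no

while getopts :46t:pPvh o
do
	case $o in
		4) TESTS=ipv4;;
		6) TESTS=ipv6;;
		t) TESTS=$OPTARG;;
		p) PAUSE_ON_FAIL=yes;;
		P) PAUSE=yes;;
		v) VERBOSE=1;;
		h) usage; exit 0;;
		*) usage; exit 1;;
	esac
done

# make sure we don't pause twice
[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no

#
# show user test config
#
if [ -z "$TESTS" ]; then
	TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
elif [ "$TESTS" = "ipv4" ]; then
	TESTS="$TESTS_IPV4"
elif [ "$TESTS" = "ipv6" ]; then
	TESTS="$TESTS_IPV6"
fi

# the tests cannot run without the nettest helper; report SKIP, not FAIL
# (command -v is the shell builtin; 'which' is an external tool that may
# be missing or print its own diagnostics)
if ! command -v nettest >/dev/null; then
	echo "'nettest' command not found; skipping tests"
	exit "$ksft_skip"
fi

declare -i nfail=0
declare -i nsuccess=0

# $TESTS is deliberately unquoted: it is a space-separated list of names
for t in $TESTS
do
	case $t in
	ipv4_ping|ping)  ipv4_ping;;
	ipv4_tcp|tcp)    ipv4_tcp;;
	ipv4_udp|udp)    ipv4_udp;;
	ipv4_bind|bind)  ipv4_addr_bind;;
	ipv4_runtime)    ipv4_runtime;;
	ipv4_netfilter)  ipv4_netfilter;;

	ipv6_ping|ping6) ipv6_ping;;
	ipv6_tcp|tcp6)   ipv6_tcp;;
	ipv6_udp|udp6)   ipv6_udp;;
	ipv6_bind|bind6) ipv6_addr_bind;;
	ipv6_runtime)    ipv6_runtime;;
	ipv6_netfilter)  ipv6_netfilter;;

	use_cases)       use_cases;;

	# setup namespaces and config, but do not run any tests
	setup)		 setup; exit 0;;
	vrf_setup)	 setup "yes"; exit 0;;

	# a mistyped name would otherwise be dropped without a trace and
	# the run could end as SKIP with nothing having been tested
	*)		 printf 'WARNING: unknown test "%s" ignored\n' "$t" >&2;;
	esac
done

cleanup 2>/dev/null

printf "\nTests passed: %3d\n" "${nsuccess}"
printf "Tests failed: %3d\n"   "${nfail}"

if [ "$nfail" -ne 0 ]; then
	exit 1 # KSFT_FAIL
elif [ "$nsuccess" -eq 0 ]; then
	# nothing passed and nothing failed: no test actually ran
	exit "$ksft_skip"
fi

exit 0 # KSFT_PASS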
4152