#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
#
# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
# for various permutations:
#   1. icmp, tcp, udp and netfilter
#   2. client, server, no-server
#   3. global address on interface
#   4. global address on 'lo'
#   5. remote and local traffic
#   6. VRF and non-VRF permutations
#
# Setup:
#                     ns-A     |     ns-B
# No VRF case:
#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
#                                                remote address
# VRF case:
#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
#
# ns-A:
#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
#       lo: 127.0.0.1/8, ::1/128
#           172.16.2.1/32, 2001:db8:2::1/128
#      red: 127.0.0.1/8, ::1/128
#           172.16.3.1/32, 2001:db8:3::1/128
#
# ns-B:
#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
#      lo2: 127.0.0.1/8, ::1/128
#           172.16.2.2/32, 2001:db8:2::2/128
#
# ns-A to ns-C connection - only for VRF and same config
# as ns-A to ns-B
#
# server / client nomenclature relative to ns-A

# Kselftest framework requirement - SKIP code is 4.
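ksft_skip=4

VERBOSE=0

NSA_DEV=eth1
NSA_DEV2=eth2
NSB_DEV=eth1
NSC_DEV=eth2
VRF=red
VRF_TABLE=1101

# IPv4 config
NSA_IP=172.16.1.1
NSB_IP=172.16.1.2
VRF_IP=172.16.3.1
NS_NET=172.16.1.0/24

# IPv6 config
NSA_IP6=2001:db8:1::1
NSB_IP6=2001:db8:1::2
VRF_IP6=2001:db8:3::1
NS_NET6=2001:db8:1::/120

NSA_LO_IP=172.16.2.1
NSB_LO_IP=172.16.2.2
NSA_LO_IP6=2001:db8:2::1
NSB_LO_IP6=2001:db8:2::2

# non-local addresses for freebind tests
NL_IP=172.17.1.1
NL_IP6=2001:db8:4::1

# Keys handed to nettest through -M (server) and -X (client) in the MD5
# tests. They are fixed test fixtures; MD5_WRONG_PW exists only to provoke
# a mismatch.
MD5_PW=abc123
MD5_WRONG_PW=abc1234

MCAST=ff02::1
# set after namespace create
NSA_LINKIP6=
NSB_LINKIP6=

NSA=ns-A
NSB=ns-B
NSC=ns-C

# Command prefixes. They are expanded unquoted on purpose so that the shell
# splits them into "ip", "netns", "exec" and the namespace name.
NSA_CMD="ip netns exec ${NSA}"
NSB_CMD="ip netns exec ${NSB}"
NSC_CMD="ip netns exec ${NSC}"

# Prefer a dedicated ping6 binary and fall back to ping. command -v is a
# shell builtin lookup, so the script does not depend on an external which(1).
ping6=$(command -v ping6) || ping6=$(command -v ping)

################################################################################
# utilities

# Record and print the result of one test.
#   $1 - return code produced by the test command
#   $2 - return code the test expects
#   $3 - description printed on the TEST line
# Increments nsuccess or nfail, honours PAUSE and PAUSE_ON_FAIL, and ends by
# calling kill_procs.
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"
	# Operator input goes into a local. Callers keep their loop address in
	# a variable named "a"; reading into "a" here would overwrite it through
	# dynamic scoping and the next command of the caller would run with an
	# empty address.
	local reply

	[ "${VERBOSE}" = "1" ] && echo

	if [ "${rc}" -eq "${expected}" ]; then
		nsuccess=$((nsuccess+1))
		printf "TEST: %-70s [ OK ]\n" "${msg}"
	else
		nfail=$((nfail+1))
		printf "TEST: %-70s [FAIL]\n" "${msg}"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue, 'q' to quit"
			read -r reply
			[ "$reply" = "q" ] && exit 1
		fi
	fi

	if [ "${PAUSE}" = "yes" ]; then
		echo
		echo "hit enter to continue, 'q' to quit"
		read -r reply
		[ "$reply" = "q" ] && exit 1
	fi

	kill_procs
}

# log_test variant that appends a readable name for the address under test.
#   $1 - address, $2 - return code, $3 - expected return code, $4 - description
log_test_addr()
{
	local addr=$1
	local rc=$2
	local expected=$3
	local msg="$4"
	local astr

	astr=$(addr2str "${addr}")
	log_test "$rc" "$expected" "$msg - ${astr}"
}

# Print a banner for a top-level test section.
log_section()
{
	echo
	echo "###########################################################################"
	echo "$*"
	echo "###########################################################################"
	echo
}

# Print a banner for a subsection.
log_subsection()
{
	echo
	echo "#################################################################"
	echo "$*"
	echo
}

# Start of a single test: stop leftover test processes and, in verbose mode,
# print a separator.
log_start()
{
	# make sure we have no test instances running
	kill_procs

	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "#######################################################"
	fi
}

# Print a message only in verbose mode.
log_debug()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "$*"
		echo
	fi
}

# Print a hint about the expected outcome, only in verbose mode.
show_hint()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo "HINT: $*"
		echo
	fi
}

# Stop test helpers left over from the previous test.
# NOTE: killall selects processes by name across the whole host, not only
# inside the test namespaces, so any other nettest, ping or ping6 process
# this user may signal is terminated as well. Run the suite on a dedicated
# test machine or VM.
kill_procs()
{
	killall nettest ping ping6 >/dev/null 2>&1
	sleep 1
}

# Run a command, capture stdout and stderr, and return its exit status.
# The command and its output are echoed only when VERBOSE=1.
# The argument list is flattened into one string and split again by the
# shell, so arguments containing whitespace or glob characters are not
# preserved. No second parse takes place (there is no eval).
do_run_cmd()
{
	local cmd="$*"
	local out

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${cmd}"
	fi

	out=$($cmd 2>&1)
	# NOTE(review): rc is not declared local, so this assignment lands in
	# the caller's rc (setup_cmd* declare one) or in the global scope.
	# Confirm nothing reads it before making it local.
	rc=$?
	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		echo "$out"
	fi

	return $rc
}

# Run a command inside ns-A.
run_cmd()
{
	do_run_cmd ${NSA_CMD} $*
}

# Run a command inside ns-B.
run_cmd_nsb()
{
	do_run_cmd ${NSB_CMD} $*
}

# Run a command inside ns-C.
run_cmd_nsc()
{
	do_run_cmd ${NSC_CMD} $*
}

# Shared failure path of setup_cmd, setup_cmd_nsb and setup_cmd_nsc.
#   $1 - exit status of the failed command
#   $2 - the command line, for display
# Never returns: exits the script with $1.
_setup_failed()
{
	local rc=$1
	local cmd="$2"
	local reply

	# show user the command if not done so already
	if [ "$VERBOSE" = "0" ]; then
		echo "setup command: $cmd"
	fi
	echo "failed. stopping tests"
	if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
		echo
		echo "hit enter to continue"
		read -r reply
	fi
	exit $rc
}

# Run a setup command in ns-A; a failure stops the whole test run.
setup_cmd()
{
	local cmd="$*"
	local rc

	run_cmd ${cmd}
	rc=$?
	[ $rc -eq 0 ] || _setup_failed $rc "$cmd"
}

# Run a setup command in ns-B; a failure stops the whole test run.
setup_cmd_nsb()
{
	local cmd="$*"
	local rc

	run_cmd_nsb ${cmd}
	rc=$?
	[ $rc -eq 0 ] || _setup_failed $rc "$cmd"
}

# Run a setup command in ns-C; a failure stops the whole test run.
setup_cmd_nsc()
{
	local cmd="$*"
	local rc

	run_cmd_nsc ${cmd}
	rc=$?
	[ $rc -eq 0 ] || _setup_failed $rc "$cmd"
}

# set sysctl values in NS-A
set_sysctl()
{
	echo "SYSCTL: $*"
	echo
	run_cmd sysctl -q -w $*
}

# get sysctl values in NS-A
get_sysctl()
{
	${NSA_CMD} sysctl -n $*
}

################################################################################
# Setup for tests

# Map an address used by the tests to a readable label for the result line.
# The link-local patterns also accept a %<scope> suffix. While NSA_LINKIP6 or
# NSB_LINKIP6 is still empty, its pattern matches an empty argument.
addr2str()
{
	case "$1" in
	127.0.0.1) echo "loopback";;
	::1) echo "IPv6 loopback";;

	${NSA_IP}) echo "ns-A IP";;
	${NSA_IP6}) echo "ns-A IPv6";;
	${NSA_LO_IP}) echo "ns-A loopback IP";;
	${NSA_LO_IP6}) echo "ns-A loopback IPv6";;
	${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;

	${NSB_IP}) echo "ns-B IP";;
	${NSB_IP6}) echo "ns-B IPv6";;
	${NSB_LO_IP}) echo "ns-B loopback IP";;
	${NSB_LO_IP6}) echo "ns-B loopback IPv6";;
	${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;

	${NL_IP}) echo "nonlocal IP";;
	${NL_IP6}) echo "nonlocal IPv6";;

	${VRF_IP}) echo "VRF IP";;
	${VRF_IP6}) echo "VRF IPv6";;

	${MCAST}%*) echo "multicast IP";;

	*) echo "unknown";;
	esac
}

# Print the fe80 link-local address of a device, without the prefix length.
#   $1 - namespace, $2 - device
# Returns 1 and prints nothing when the device has no such address.
get_linklocal()
{
	local ns=$1
	local dev=$2
	local addr

	addr=$(ip -netns "${ns}" -6 -br addr show dev "${dev}" | \
	awk '{
		for (i = 3; i <= NF; ++i) {
			if ($i ~ /^fe80/)
				print $i
		}
	}'
	)
	# drop everything from the first "/" on (the prefix length)
	addr=${addr%%/*}

	[ -z "$addr" ] && return 1

	echo "$addr"

	return 0
}
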
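################################################################################
# create namespaces and vrf

# Create a VRF device inside a namespace and give it loopback-style addresses.
#   $1 - namespace
#   $2 - VRF device name
#   $3 - routing table id bound to the VRF
#   $4 - extra IPv4 address for the VRF device, or "-" for none
#   $5 - extra IPv6 address for the VRF device, or "-" for none
# Expansions are quoted so that a name or address can never be split into
# additional ip(8) arguments.
create_vrf()
{
	local ns=$1
	local vrf=$2
	local table=$3
	local addr=$4
	local addr6=$5

	ip -netns "${ns}" link add "${vrf}" type vrf table "${table}"
	ip -netns "${ns}" link set "${vrf}" up
	# fallback routes: anything without a more specific route in the VRF
	# table is unreachable
	ip -netns "${ns}" route add vrf "${vrf}" unreachable default metric 8192
	ip -netns "${ns}" -6 route add vrf "${vrf}" unreachable default metric 8192

	ip -netns "${ns}" addr add 127.0.0.1/8 dev "${vrf}"
	ip -netns "${ns}" -6 addr add ::1 dev "${vrf}" nodad
	if [ "${addr}" != "-" ]; then
		ip -netns "${ns}" addr add dev "${vrf}" "${addr}"
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns "${ns}" -6 addr add dev "${vrf}" "${addr6}"
	fi

	# Move the "lookup local" rule from pref 0 to pref 32765 for both
	# families; presumably so that the VRF rule is consulted before the
	# local table - confirm against the kernel VRF documentation.
	ip -netns "${ns}" ru del pref 0
	ip -netns "${ns}" ru add pref 32765 from all lookup local
	ip -netns "${ns}" -6 ru del pref 0
	ip -netns "${ns}" -6 ru add pref 32765 from all lookup local
}

# Create a network namespace with lo up, optional addresses on lo,
# unreachable default routes and forwarding enabled.
#   $1 - namespace
#   $2 - IPv4 address for lo, or "-" for none
#   $3 - IPv6 address for lo, or "-" for none
create_ns()
{
	local ns=$1
	local addr=$2
	local addr6=$3
	local knob

	ip netns add "${ns}"

	ip -netns "${ns}" link set lo up
	if [ "${addr}" != "-" ]; then
		ip -netns "${ns}" addr add dev lo "${addr}"
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns "${ns}" -6 addr add dev lo "${addr6}"
	fi

	ip -netns "${ns}" ro add unreachable default metric 8192
	ip -netns "${ns}" -6 ro add unreachable default metric 8192

	# sysctl is run through "ip netns exec", i.e. inside ${ns}
	for knob in net.ipv4.ip_forward \
		    net.ipv6.conf.all.keep_addr_on_down \
		    net.ipv6.conf.all.forwarding \
		    net.ipv6.conf.default.forwarding
	do
		ip netns exec "${ns}" sysctl -qw "${knob}=1"
	done
}

# create veth pair to connect namespaces and apply addresses.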
415connect_ns() 416{ 417 local ns1=$1 418 local ns1_dev=$2 419 local ns1_addr=$3 420 local ns1_addr6=$4 421 local ns2=$5 422 local ns2_dev=$6 423 local ns2_addr=$7 424 local ns2_addr6=$8 425 426 ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp 427 ip -netns ${ns1} li set ${ns1_dev} up 428 ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev} 429 ip -netns ${ns2} li set ${ns2_dev} up 430 431 if [ "${ns1_addr}" != "-" ]; then 432 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr} 433 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr} 434 fi 435 436 if [ "${ns1_addr6}" != "-" ]; then 437 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6} 438 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6} 439 fi 440} 441 442cleanup() 443{ 444 # explicit cleanups to check those code paths 445 ip netns | grep -q ${NSA} 446 if [ $? -eq 0 ]; then 447 ip -netns ${NSA} link delete ${VRF} 448 ip -netns ${NSA} ro flush table ${VRF_TABLE} 449 450 ip -netns ${NSA} addr flush dev ${NSA_DEV} 451 ip -netns ${NSA} -6 addr flush dev ${NSA_DEV} 452 ip -netns ${NSA} link set dev ${NSA_DEV} down 453 ip -netns ${NSA} link del dev ${NSA_DEV} 454 455 ip netns pids ${NSA} | xargs kill 2>/dev/null 456 ip netns del ${NSA} 457 fi 458 459 ip netns pids ${NSB} | xargs kill 2>/dev/null 460 ip netns del ${NSB} 461 ip netns pids ${NSC} | xargs kill 2>/dev/null 462 ip netns del ${NSC} >/dev/null 2>&1 463} 464 465cleanup_vrf_dup() 466{ 467 ip link del ${NSA_DEV2} >/dev/null 2>&1 468 ip netns pids ${NSC} | xargs kill 2>/dev/null 469 ip netns del ${NSC} >/dev/null 2>&1 470} 471 472setup_vrf_dup() 473{ 474 # some VRF tests use ns-C which has the same config as 475 # ns-B but for a device NOT in the VRF 476 create_ns ${NSC} "-" "-" 477 connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \ 478 ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 479} 480 481setup() 482{ 483 local with_vrf=${1} 484 485 # make sure we are starting with a clean slate 486 kill_procs 487 cleanup 2>/dev/null 488 489 
log_debug "Configuring network namespaces" 490 set -e 491 492 create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128 493 create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128 494 connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \ 495 ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 496 497 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 498 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 499 500 # tell ns-A how to get to remote addresses of ns-B 501 if [ "${with_vrf}" = "yes" ]; then 502 create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6} 503 504 ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF} 505 ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 506 ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 507 508 ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 509 ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 510 else 511 ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 512 ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 513 fi 514 515 516 # tell ns-B how to get to remote addresses of ns-A 517 ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 518 ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 519 520 set +e 521 522 sleep 1 523} 524 525setup_lla_only() 526{ 527 # make sure we are starting with a clean slate 528 kill_procs 529 cleanup 2>/dev/null 530 531 log_debug "Configuring network namespaces" 532 set -e 533 534 create_ns ${NSA} "-" "-" 535 create_ns ${NSB} "-" "-" 536 create_ns ${NSC} "-" "-" 537 connect_ns ${NSA} ${NSA_DEV} "-" "-" \ 538 ${NSB} ${NSB_DEV} "-" "-" 539 connect_ns ${NSA} ${NSA_DEV2} "-" "-" \ 540 ${NSC} ${NSC_DEV} "-" "-" 541 542 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 543 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 544 NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV}) 545 546 create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-" 547 ip -netns ${NSA} link 
set dev ${NSA_DEV} vrf ${VRF} 548 ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF} 549 550 set +e 551 552 sleep 1 553} 554 555################################################################################ 556# IPv4 557 558ipv4_ping_novrf() 559{ 560 local a 561 562 # 563 # out 564 # 565 for a in ${NSB_IP} ${NSB_LO_IP} 566 do 567 log_start 568 run_cmd ping -c1 -w1 ${a} 569 log_test_addr ${a} $? 0 "ping out" 570 571 log_start 572 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 573 log_test_addr ${a} $? 0 "ping out, device bind" 574 575 log_start 576 run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a} 577 log_test_addr ${a} $? 0 "ping out, address bind" 578 done 579 580 # 581 # in 582 # 583 for a in ${NSA_IP} ${NSA_LO_IP} 584 do 585 log_start 586 run_cmd_nsb ping -c1 -w1 ${a} 587 log_test_addr ${a} $? 0 "ping in" 588 done 589 590 # 591 # local traffic 592 # 593 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 594 do 595 log_start 596 run_cmd ping -c1 -w1 ${a} 597 log_test_addr ${a} $? 0 "ping local" 598 done 599 600 # 601 # local traffic, socket bound to device 602 # 603 # address on device 604 a=${NSA_IP} 605 log_start 606 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 607 log_test_addr ${a} $? 0 "ping local, device bind" 608 609 # loopback addresses not reachable from device bind 610 # fails in a really weird way though because ipv4 special cases 611 # route lookups with oif set. 612 for a in ${NSA_LO_IP} 127.0.0.1 613 do 614 log_start 615 show_hint "Fails since address on loopback device is out of device scope" 616 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 617 log_test_addr ${a} $? 
1 "ping local, device bind" 618 done 619 620 # 621 # ip rule blocks reachability to remote address 622 # 623 log_start 624 setup_cmd ip rule add pref 32765 from all lookup local 625 setup_cmd ip rule del pref 0 from all lookup local 626 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 627 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 628 629 a=${NSB_LO_IP} 630 run_cmd ping -c1 -w1 ${a} 631 log_test_addr ${a} $? 2 "ping out, blocked by rule" 632 633 # NOTE: ipv4 actually allows the lookup to fail and yet still create 634 # a viable rtable if the oif (e.g., bind to device) is set, so this 635 # case succeeds despite the rule 636 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 637 638 a=${NSA_LO_IP} 639 log_start 640 show_hint "Response generates ICMP (or arp request is ignored) due to ip rule" 641 run_cmd_nsb ping -c1 -w1 ${a} 642 log_test_addr ${a} $? 1 "ping in, blocked by rule" 643 644 [ "$VERBOSE" = "1" ] && echo 645 setup_cmd ip rule del pref 32765 from all lookup local 646 setup_cmd ip rule add pref 0 from all lookup local 647 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 648 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 649 650 # 651 # route blocks reachability to remote address 652 # 653 log_start 654 setup_cmd ip route replace unreachable ${NSB_LO_IP} 655 setup_cmd ip route replace unreachable ${NSB_IP} 656 657 a=${NSB_LO_IP} 658 run_cmd ping -c1 -w1 ${a} 659 log_test_addr ${a} $? 2 "ping out, blocked by route" 660 661 # NOTE: ipv4 actually allows the lookup to fail and yet still create 662 # a viable rtable if the oif (e.g., bind to device) is set, so this 663 # case succeeds despite not having a route for the address 664 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 665 666 a=${NSA_LO_IP} 667 log_start 668 show_hint "Response is dropped (or arp request is ignored) due to ip route" 669 run_cmd_nsb ping -c1 -w1 ${a} 670 log_test_addr ${a} $? 
1 "ping in, blocked by route" 671 672 # 673 # remove 'remote' routes; fallback to default 674 # 675 log_start 676 setup_cmd ip ro del ${NSB_LO_IP} 677 678 a=${NSB_LO_IP} 679 run_cmd ping -c1 -w1 ${a} 680 log_test_addr ${a} $? 2 "ping out, unreachable default route" 681 682 # NOTE: ipv4 actually allows the lookup to fail and yet still create 683 # a viable rtable if the oif (e.g., bind to device) is set, so this 684 # case succeeds despite not having a route for the address 685 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 686} 687 688ipv4_ping_vrf() 689{ 690 local a 691 692 # should default on; does not exist on older kernels 693 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 694 695 # 696 # out 697 # 698 for a in ${NSB_IP} ${NSB_LO_IP} 699 do 700 log_start 701 run_cmd ping -c1 -w1 -I ${VRF} ${a} 702 log_test_addr ${a} $? 0 "ping out, VRF bind" 703 704 log_start 705 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 706 log_test_addr ${a} $? 0 "ping out, device bind" 707 708 log_start 709 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a} 710 log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind" 711 712 log_start 713 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a} 714 log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind" 715 done 716 717 # 718 # in 719 # 720 for a in ${NSA_IP} ${VRF_IP} 721 do 722 log_start 723 run_cmd_nsb ping -c1 -w1 ${a} 724 log_test_addr ${a} $? 0 "ping in" 725 done 726 727 # 728 # local traffic, local address 729 # 730 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 731 do 732 log_start 733 show_hint "Source address should be ${a}" 734 run_cmd ping -c1 -w1 -I ${VRF} ${a} 735 log_test_addr ${a} $? 0 "ping local, VRF bind" 736 done 737 738 # 739 # local traffic, socket bound to device 740 # 741 # address on device 742 a=${NSA_IP} 743 log_start 744 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 745 log_test_addr ${a} $? 
0 "ping local, device bind" 746 747 # vrf device is out of scope 748 for a in ${VRF_IP} 127.0.0.1 749 do 750 log_start 751 show_hint "Fails since address on vrf device is out of device scope" 752 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 753 log_test_addr ${a} $? 1 "ping local, device bind" 754 done 755 756 # 757 # ip rule blocks address 758 # 759 log_start 760 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 761 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 762 763 a=${NSB_LO_IP} 764 run_cmd ping -c1 -w1 -I ${VRF} ${a} 765 log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule" 766 767 log_start 768 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 769 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 770 771 a=${NSA_LO_IP} 772 log_start 773 show_hint "Response lost due to ip rule" 774 run_cmd_nsb ping -c1 -w1 ${a} 775 log_test_addr ${a} $? 1 "ping in, blocked by rule" 776 777 [ "$VERBOSE" = "1" ] && echo 778 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 779 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 780 781 # 782 # remove 'remote' routes; fallback to default 783 # 784 log_start 785 setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP} 786 787 a=${NSB_LO_IP} 788 run_cmd ping -c1 -w1 -I ${VRF} ${a} 789 log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route" 790 791 log_start 792 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 793 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 794 795 a=${NSA_LO_IP} 796 log_start 797 show_hint "Response lost by unreachable route" 798 run_cmd_nsb ping -c1 -w1 ${a} 799 log_test_addr ${a} $? 
1 "ping in, unreachable route" 800} 801 802ipv4_ping() 803{ 804 log_section "IPv4 ping" 805 806 log_subsection "No VRF" 807 setup 808 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null 809 ipv4_ping_novrf 810 setup 811 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 812 ipv4_ping_novrf 813 814 log_subsection "With VRF" 815 setup "yes" 816 ipv4_ping_vrf 817} 818 819################################################################################ 820# IPv4 TCP 821 822# 823# MD5 tests without VRF 824# 825ipv4_tcp_md5_novrf() 826{ 827 # 828 # single address 829 # 830 831 # basic use case 832 log_start 833 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 834 sleep 1 835 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 836 log_test $? 0 "MD5: Single address config" 837 838 # client sends MD5, server not configured 839 log_start 840 show_hint "Should timeout due to MD5 mismatch" 841 run_cmd nettest -s & 842 sleep 1 843 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 844 log_test $? 2 "MD5: Server no config, client uses password" 845 846 # wrong password 847 log_start 848 show_hint "Should timeout since client uses wrong password" 849 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 850 sleep 1 851 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 852 log_test $? 2 "MD5: Client uses wrong password" 853 854 # client from different address 855 log_start 856 show_hint "Should timeout due to MD5 mismatch" 857 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} & 858 sleep 1 859 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 860 log_test $? 2 "MD5: Client address does not match address configured with password" 861 862 # 863 # MD5 extension - prefix length 864 # 865 866 # client in prefix 867 log_start 868 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 869 sleep 1 870 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 871 log_test $? 
0 "MD5: Prefix config" 872 873 # client in prefix, wrong password 874 log_start 875 show_hint "Should timeout since client uses wrong password" 876 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 877 sleep 1 878 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 879 log_test $? 2 "MD5: Prefix config, client uses wrong password" 880 881 # client outside of prefix 882 log_start 883 show_hint "Should timeout due to MD5 mismatch" 884 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 885 sleep 1 886 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 887 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 888} 889 890# 891# MD5 tests with VRF 892# 893ipv4_tcp_md5() 894{ 895 # 896 # single address 897 # 898 899 # basic use case 900 log_start 901 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 902 sleep 1 903 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 904 log_test $? 0 "MD5: VRF: Single address config" 905 906 # client sends MD5, server not configured 907 log_start 908 show_hint "Should timeout since server does not have MD5 auth" 909 run_cmd nettest -s -I ${VRF} & 910 sleep 1 911 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 912 log_test $? 2 "MD5: VRF: Server no config, client uses password" 913 914 # wrong password 915 log_start 916 show_hint "Should timeout since client uses wrong password" 917 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 918 sleep 1 919 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 920 log_test $? 2 "MD5: VRF: Client uses wrong password" 921 922 # client from different address 923 log_start 924 show_hint "Should timeout since server config differs from client" 925 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} & 926 sleep 1 927 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 928 log_test $? 
2 "MD5: VRF: Client address does not match address configured with password" 929 930 # 931 # MD5 extension - prefix length 932 # 933 934 # client in prefix 935 log_start 936 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 937 sleep 1 938 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 939 log_test $? 0 "MD5: VRF: Prefix config" 940 941 # client in prefix, wrong password 942 log_start 943 show_hint "Should timeout since client uses wrong password" 944 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 945 sleep 1 946 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 947 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 948 949 # client outside of prefix 950 log_start 951 show_hint "Should timeout since client address is outside of prefix" 952 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 953 sleep 1 954 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 955 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" 956 957 # 958 # duplicate config between default VRF and a VRF 959 # 960 961 log_start 962 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 963 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 964 sleep 1 965 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 966 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 967 968 log_start 969 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 970 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 971 sleep 1 972 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 973 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 974 975 log_start 976 show_hint "Should timeout since client in default VRF uses VRF password" 977 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 978 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 979 sleep 1 980 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 981 log_test $? 
2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 982 983 log_start 984 show_hint "Should timeout since client in VRF uses default VRF password" 985 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 986 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 987 sleep 1 988 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 989 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 990 991 log_start 992 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 993 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 994 sleep 1 995 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 996 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 997 998 log_start 999 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1000 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1001 sleep 1 1002 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1003 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 1004 1005 log_start 1006 show_hint "Should timeout since client in default VRF uses VRF password" 1007 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1008 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1009 sleep 1 1010 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1011 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 1012 1013 log_start 1014 show_hint "Should timeout since client in VRF uses default VRF password" 1015 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1016 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1017 sleep 1 1018 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1019 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 1020 1021 # 1022 # negative tests 1023 # 1024 log_start 1025 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP} 1026 log_test $? 
1 "MD5: VRF: Device must be a VRF - single address" 1027 1028 log_start 1029 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET} 1030 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 1031 1032 test_ipv4_md5_vrf__vrf_server__no_bind_ifindex 1033 test_ipv4_md5_vrf__global_server__bind_ifindex0 1034} 1035 1036test_ipv4_md5_vrf__vrf_server__no_bind_ifindex() 1037{ 1038 log_start 1039 show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX" 1040 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1041 sleep 1 1042 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1043 log_test $? 0 "MD5: VRF: VRF-bound server, unbound key accepts connection" 1044 1045 log_start 1046 show_hint "Binding both the socket and the key is not required but it works" 1047 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1048 sleep 1 1049 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1050 log_test $? 0 "MD5: VRF: VRF-bound server, bound key accepts connection" 1051} 1052 1053test_ipv4_md5_vrf__global_server__bind_ifindex0() 1054{ 1055 # This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections 1056 local old_tcp_l3mdev_accept 1057 old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept) 1058 set_sysctl net.ipv4.tcp_l3mdev_accept=1 1059 1060 log_start 1061 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1062 sleep 1 1063 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1064 log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection" 1065 1066 log_start 1067 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1068 sleep 1 1069 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1070 log_test $? 
0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection"
	log_start

	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection"

	# restore value
	set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept"
}

# IPv4 TCP connection tests without a VRF; ipv4_tcp calls this after a plain
# "setup", once with tcp_l3mdev_accept=0 and once with it set to 1.
#
# Pattern used by every case: where a server is needed it is started in the
# background, "sleep 1" gives it time to come up, the client runs in the
# foreground and its exit status ($?) is handed to log_test_addr together
# with the expected status (0 = connection made, 1 = refused).
# run_cmd / run_cmd_nsb are defined outside this view; presumably they run
# the command in ns-A and ns-B respectively -- confirm against the helpers.
# Ends by running the MD5 tests for the no-VRF setup.
ipv4_tcp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	# verify TCP reset sent and received
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -0 ${a} -1 ${a}
		log_test_addr ${a} $? 0 "Global server, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"

	# A server bound to the device must not be reachable through addresses
	# that live on loopback: both cases below expect a refusal (status 1).
	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
		run_cmd nettest -s -I ${NSA_DEV} &
		sleep 1
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s &
	sleep 1
	run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "Global server, device client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -d ${NSA_DEV} -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local connection"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "No server, device client, local conn"

	ipv4_tcp_md5_novrf
}

# IPv4 TCP connection tests for the VRF setup; ipv4_tcp calls this after
# setup "yes".
#
# The function is split by the value of net.ipv4.tcp_l3mdev_accept:
#   0 - a server that is bound neither to the VRF nor to the device is
#       expected to refuse connections ("Global server" cases expect 1);
#   1 - the same unbound server is expected to accept them (expect 0).
# The sysctl therefore decides whether one unbound listener is reachable
# from inside the VRF. Where VRFs are used to keep traffic domains apart,
# this is the setting to audit; a listener that must stay inside one VRF
# should be bound to it rather than rely on the sysctl value.
# The MD5 tests run between the two halves, with the sysctl still at 0.
ipv4_tcp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"

	set_sysctl net.ipv4.tcp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server"

		log_start
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		log_start
		run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Device server"

		# verify TCP reset received
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	# local address tests
	# (${VRF_IP} and 127.0.0.1 both timeout)
	a=${NSA_IP}
	log_start
	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
	run_cmd nettest -s &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV}
	log_test_addr ${a} $? 1 "Global server, local connection"

	# run MD5 tests
	# setup_vrf_dup / cleanup_vrf_dup are defined outside this view.
	setup_vrf_dup
	ipv4_tcp_md5
	cleanup_vrf_dup

	#
	# enable VRF global server
	#
	log_subsection "VRF Global server enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		# verify TCP reset received
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	a=${NSA_IP}
	log_start
	show_hint "client socket should be bound to device"
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	# local address tests
	# NOTE(review): the server here is started with -I ${VRF}, yet the
	# result is logged as "Global server" -- confirm which label is meant.
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Should fail 'Connection refused' since client is not bound to VRF"
		run_cmd nettest -s -I ${VRF} &
		sleep 1
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server, local connection"
	done

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${VRF}
		log_test_addr ${a} $? 0 "Client, VRF bind"

		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${VRF}
		log_test_addr ${a} $? 1 "No server, VRF client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${VRF} -3 ${VRF} &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local connection"

	# An unbound client must not reach a VRF-bound server over a local
	# address: expected status is 1.
	log_start
	show_hint "Should fail 'No route to host' since client is out of VRF scope"
	run_cmd nettest -s -I ${VRF} &
	sleep 1
	run_cmd nettest -r ${a}
	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local connection"
}

# Entry point for the IPv4 TCP group: runs the no-VRF tests twice (sysctl
# off, then on) and then the VRF tests. "setup" with no argument and
# setup "yes" are defined outside this view; from the subsection titles
# they build the no-VRF and the VRF topology respectively.
ipv4_tcp()
{
	log_section "IPv4/TCP"
	log_subsection "No VRF"
	setup

	# tcp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "tcp_l3mdev_accept disabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=0
	ipv4_tcp_novrf
	log_subsection "tcp_l3mdev_accept enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1
	ipv4_tcp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_tcp_vrf
}

################################################################################
# IPv4 UDP

# IPv4 UDP tests without a VRF (nettest -D); ipv4_udp calls this after a
# plain "setup", once per value of udp_l3mdev_accept.
# Same server / sleep / client / log_test_addr pattern as the TCP tests.
# Expected statuses used here: 0 success, 1 failure, and 2 for the two
# device-bound local cases explained by the "really weird behavior" comment
# further down.
ipv4_udp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -D -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	#
	# client
	#
	# The four positive cases differ only in how the client selects the
	# egress device: none, device bind, cmsg, and IP_UNICAST_IF (per the
	# test labels).
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client, device send via cmsg"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -0 ${a} -1 ${a}
		log_test_addr ${a} $? 0 "Global server, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -r ${a}
	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"

	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'Connection refused' since address is out of device scope"
		run_cmd nettest -s -D -I ${NSA_DEV} &
		sleep 1
		run_cmd nettest -D -r ${a}
		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -C -r ${a}
	log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"

	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -S -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection"

	# IPv4 with device bind has really weird behavior - it overrides the
	# fib lookup, generates an rtable and tries to send the packet. This
	# causes failures for local traffic at different places
	# (hence the differing expected statuses below: 2 for the plain device
	# bind, 1 for the cmsg and IP_UNICAST_IF variants).
	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 2 "Global server, device client, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C
		log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S
		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -D -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local conn"

	log_start
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 2 "No server, device client, local conn"
}

# IPv4 UDP tests for the VRF setup; ipv4_udp calls this after setup "yes".
#
# First half runs with net.ipv4.udp_l3mdev_accept=0: an unbound ("global")
# server is expected NOT to receive traffic that arrives through the VRF
# (status 1). Second half sets it to 1 and expects the same unbound server
# to succeed (status 0). As with the TCP variant, the sysctl is what lets
# one unbound socket serve traffic from inside a VRF, so it matters wherever
# VRFs are relied on as a separation boundary.
ipv4_udp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Fails because ingress is in a VRF and global server is disabled"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "Global server"

		log_start
		run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		log_start
		run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server"

		log_start
		show_hint "Should fail 'Connection refused' since global server is out of scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "Global server, VRF client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection"

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"

	# enable global server
	log_subsection "Global server enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		log_start
		run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client tests
	#
	log_start
	run_cmd_nsb nettest -D -s &
	sleep 1
	run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP}
	log_test $? 0 "VRF client"

	log_start
	run_cmd_nsb nettest -D -s &
	sleep 1
	run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP}
	log_test $? 0 "Enslaved device client"

	# negative test - should fail
	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -D -d ${VRF} -r ${NSB_IP}
	log_test $? 1 "No server, VRF client"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP}
	log_test $? 1 "No server, enslaved device client"

	#
	# local address tests
	#
	a=${NSA_IP}
	log_start
	run_cmd nettest -D -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"

	for a in ${VRF_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -D -s -3 ${VRF} &
		sleep 1
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
	done

	for a in ${VRF_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -s -D -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
	done

	# negative test - should fail
	# verifies ECONNREFUSED
	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
	done
}

# Entry point for the IPv4 UDP group; same structure as ipv4_tcp, using
# net.ipv4.udp_l3mdev_accept.
ipv4_udp()
{
	log_section "IPv4/UDP"
	log_subsection "No VRF"

	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv4_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv4_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_udp_vrf
}

################################################################################
# IPv4 address bind
#
# verifies ability or inability to bind to an address / device

# Bind-only tests (nettest ... -b) without a VRF: raw ICMP sockets and TCP
# sockets binding to local addresses, with and without a prior device bind,
# plus one raw-socket bind to the non-local address ${NL_IP} using -f.
# Every enabled case expects status 0.
# Note: "a" is not declared local in this function, so the assignments
# below land in the caller's scope.
ipv4_addr_bind_novrf()
{
	#
	# raw socket
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# raw socket with nonlocal bind
	#
	a=${NL_IP}
	log_start
	run_cmd nettest -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after device bind"

	#
	# tcp sockets
	#
	a=${NSA_IP}
	log_start
	run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not
	#
	# NOTE(review): the case stays commented out, so nothing in this file
	# asserts that behaviour either way. Per the comment above, a device
	# bind should not be read as limiting which local addresses a socket
	# can bind to; the limit is the L3 domain.
	#a=${NSA_LO_IP}
	#log_start
	#show_hint "Should fail with 'Cannot assign requested address'"
	#run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
	#log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
}

# Bind-only tests for the VRF setup. The cases check that an address inside
# the VRF can be bound only by a socket that is itself bound to the VRF or
# to the enslaved device (status 0), that an unbound raw socket is refused
# (status 1), and that the loopback address ${NSA_LO_IP} is refused for
# VRF- or device-bound sockets (status 1).
# Note: "a" is not declared local in this function either.
ipv4_addr_bind_vrf()
{
	#
	# raw socket
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Socket not bound to VRF, but address is in VRF"
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 1 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind"

	#
	# raw socket with nonlocal bind
	#
	a=${NL_IP}
	log_start
	run_cmd nettest -s -R -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	#
	# tcp sockets
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address"

		log_start
		run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
}

# Entry point for the IPv4 bind group: no-VRF setup first, then VRF setup.
ipv4_addr_bind()
{
	log_section "IPv4 address binds"

	log_subsection "No VRF"
	setup
	ipv4_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_addr_bind_vrf
}

################################################################################
# IPv4 runtime tests

# Deletes the VRF device while nettest sockets are active.
#
# Arguments:
#   $1 - description used as the prefix of every test label
#   $2 - extra nettest arguments; expanded unquoted, so a value such as
#        "-n -1" is split into separate arguments
#
# Each case starts a server and a client in the background, waits 3 seconds,
# deletes ${VRF}, waits 1 second, and then logs with rc=0 and expected=0.
# log_test therefore always records OK here: the exit status of the nettest
# processes is never examined. Presumably the point is that ns-A gets
# through the delete with sockets in flight (no hang or crash) -- confirm.
# "setup ${with_vrf}" after each case is needed because the case removed
# the VRF device.
ipv4_rt()
{
	local desc="$1"
	local varg="$2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -s -I ${VRF} &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest ${varg} -s -I ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest ${varg} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device server"

	setup ${with_vrf}

	#
	# client test
	#
	# NOTE(review): the clients below connect to ${NSB_IP}, but the label is
	# built from ${a}, which still holds ${NSA_IP} from above.
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device client"

	setup ${with_vrf}

	#
	# local address tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local"

		setup ${with_vrf}
	done

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server and client, local"

		setup ${with_vrf}
	done

	a=${NSA_IP}
	log_start

	run_cmd nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${VRF} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local"
}

# Deletes the VRF device while a flood ping (ping -f) is running, inbound
# from ns-B and then outbound through the VRF. As in ipv4_rt, the result is
# logged with rc=0 / expected=0, so the ping exit status is not checked.
# The last case does not call setup again; the callers visible in this view
# run setup "yes" before the next group.
ipv4_ping_rt()
{
	local with_vrf="yes"
	local a

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd_nsb ping -f ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

		setup ${with_vrf}
	done

	a=${NSB_IP}
	log_start
	run_cmd ping -f -I ${VRF} ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

# Entry point for the IPv4 runtime group. setup "yes" is called before each
# sub-group because the previous one ends with the VRF device deleted.
ipv4_runtime()
{
	log_section "Run time tests - ipv4"

	setup "yes"
	ipv4_ping_rt

	setup "yes"
	ipv4_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv4_rt "TCP passive socket" "-i"
}

################################################################################
# IPv6

# IPv6 ping tests without a VRF: outbound, inbound and local traffic, then
# the same destinations with an "ip -6 rule ... prohibit" and with
# unreachable routes in place. Expected statuses: 0 reply received,
# 1 no reply, 2 ping reported an error.
# The rule and route changes are made through setup_cmd (defined outside
# this view); the rules are removed again inside this function, and the
# unreachable routes are deleted in the last section.
ipv6_ping_novrf()
{
	local a

	# should not have an impact, but make a known state
	# (stderr is discarded here; the matching call in ipv6_ping_vrf notes
	# that the sysctl does not exist on older kernels)
	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping out"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a}
		log_test_addr ${a} $? 0 "ping out, loopback address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
	do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	#
	# local traffic, local address
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping local, no bind"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping local, device bind"
	done

	for a in ${NSA_LO_IP6} ::1
	do
		log_start
		show_hint "Fails since address on loopback is out of device scope"
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 2 "ping local, device bind"
	done

	#
	# ip rule blocks address
	#
	# The "local" table lookup is moved from pref 0 to pref 32765 first,
	# so the prohibit rules at pref 50/51 are evaluated before it.
	log_start
	setup_cmd ip -6 rule add pref 32765 from all lookup local
	setup_cmd ip -6 rule del pref 0 from all lookup local
	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by rule"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	# put the rule set back the way it was
	setup_cmd ip -6 rule add pref 0 from all lookup local
	setup_cmd ip -6 rule del pref 32765 from all lookup local
	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit

	#
	# route blocks reachability to remote address
	#
	log_start
	setup_cmd ip -6 route del ${NSB_LO_IP6}
	setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10
	setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by route"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Response lost due to ip route"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by route"


	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6}
	setup_cmd ip -6 ro del unreachable ${NSB_IP6}

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, unreachable route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
}

# IPv6 ping tests for the VRF setup: outbound with VRF, device and
# VRF+address binds, inbound, local traffic, a link-local-to-global case,
# and the rule / missing-route cases. Expected statuses as in
# ipv6_ping_novrf (0 reply, 1 no reply, 2 error).
ipv6_ping_vrf()
{
	local a

	# should default on; does not exist on older kernels
	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping out, VRF bind"
	done

	for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF}
	do
		log_start
		show_hint "Fails since VRF device does not support linklocal or multicast"
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 1 "ping out, VRF bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
	do
		log_start
		run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a}
		log_test_addr ${a} $? 0 "ping out, vrf device+address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
	do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	# The loopback address of ns-A must not answer traffic that arrives
	# through the VRF: expected status 1.
	a=${NSA_LO_IP6}
	log_start
	show_hint "Fails since loopback address is out of VRF scope"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in"

	#
	# local traffic, local address
	#
	for a in ${NSA_IP6} ${VRF_IP6} ::1
	do
		log_start
		show_hint "Source address should be ${a}"
		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping local, VRF bind"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping local, device bind"
	done

	# LLA to GUA - remove ipv6 global addresses from ns-B
	setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo
	setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}

	# NOTE(review): both iterations ping ${NSA_IP6}; ${a} only changes the
	# label, so ${VRF_IP6} is never the destination here. Only a /128 route
	# for ${NSA_IP6} was added above, which may be why -- confirm whether
	# the second iteration is intended.
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
		log_test_addr ${a} $? 0 "ping in, LLA to GUA"
	done

	# restore the ns-B addresses removed for the LLA to GUA case
	setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
	setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV}
	setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo

	#
	# ip rule blocks address
	#
	log_start
	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by rule"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	log_start
	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit

	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF}

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, unreachable route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"

	# NOTE(review): this is the only configuration change in the function
	# issued directly rather than through setup_cmd / setup_cmd_nsb, so a
	# failure here goes through whatever checking those helpers do
	# (not visible in this view) -- confirm that is intended.
	ip -netns ${NSB} -6 ro del ${NSA_LO_IP6}
	a=${NSA_LO_IP6}
	log_start
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping in, unreachable route"
}

# Entry point for the IPv6 ping group: no-VRF setup first, then VRF setup.
ipv6_ping()
{
	log_section "IPv6 ping"

	log_subsection "No VRF"
	setup
	ipv6_ping_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_ping_vrf
}

################################################################################
# IPv6 TCP

#
# MD5 tests without VRF
#
# Each case starts a server in ns-A that has (or lacks) an MD5 key for a
# peer address or prefix, then connects from ns-B with a client password.
# Expected status 0 means the connection was made; 2 is used for every
# mismatch case, where the hints say the client should time out. In other
# words, a wrong key, a missing key on the server, or a peer outside the
# configured address/prefix must all fail to connect rather than fall back
# to an unauthenticated session.
# ${MD5_PW} / ${MD5_WRONG_PW} are fixed test values set at the top of the
# file.
ipv6_tcp_md5_novrf()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Prefix config, client uses wrong password"

	# client outside of prefix
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
}

#
# MD5 tests with VRF
#
ipv6_tcp_md5()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout since server does not have MD5 auth"
	run_cmd nettest -6 -s -I ${VRF} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout since server config differs from client"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"

	# client outside of prefix
	log_start
	show_hint "Should timeout since client address is outside of prefix"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"

	#
	# duplicate config between default VRF and a VRF
	#

	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $?
0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 2512 2513 log_start 2514 show_hint "Should timeout since client in default VRF uses VRF password" 2515 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2516 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2517 sleep 1 2518 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2519 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 2520 2521 log_start 2522 show_hint "Should timeout since client in VRF uses default VRF password" 2523 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2524 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2525 sleep 1 2526 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2527 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 2528 2529 log_start 2530 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2531 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2532 sleep 1 2533 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2534 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 2535 2536 log_start 2537 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2538 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2539 sleep 1 2540 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2541 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 2542 2543 log_start 2544 show_hint "Should timeout since client in default VRF uses VRF password" 2545 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2546 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2547 sleep 1 2548 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2549 log_test $? 
2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 2550 2551 log_start 2552 show_hint "Should timeout since client in VRF uses default VRF password" 2553 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2554 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2555 sleep 1 2556 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2557 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 2558 2559 # 2560 # negative tests 2561 # 2562 log_start 2563 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6} 2564 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 2565 2566 log_start 2567 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6} 2568 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 2569 2570} 2571 2572ipv6_tcp_novrf() 2573{ 2574 local a 2575 2576 # 2577 # server tests 2578 # 2579 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2580 do 2581 log_start 2582 run_cmd nettest -6 -s & 2583 sleep 1 2584 run_cmd_nsb nettest -6 -r ${a} 2585 log_test_addr ${a} $? 0 "Global server" 2586 done 2587 2588 # verify TCP reset received 2589 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2590 do 2591 log_start 2592 show_hint "Should fail 'Connection refused'" 2593 run_cmd_nsb nettest -6 -r ${a} 2594 log_test_addr ${a} $? 1 "No server" 2595 done 2596 2597 # 2598 # client 2599 # 2600 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2601 do 2602 log_start 2603 run_cmd_nsb nettest -6 -s & 2604 sleep 1 2605 run_cmd nettest -6 -r ${a} 2606 log_test_addr ${a} $? 0 "Client" 2607 done 2608 2609 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2610 do 2611 log_start 2612 run_cmd_nsb nettest -6 -s & 2613 sleep 1 2614 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2615 log_test_addr ${a} $? 
0 "Client, device bind" 2616 done 2617 2618 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2619 do 2620 log_start 2621 show_hint "Should fail 'Connection refused'" 2622 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2623 log_test_addr ${a} $? 1 "No server, device client" 2624 done 2625 2626 # 2627 # local address tests 2628 # 2629 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 2630 do 2631 log_start 2632 run_cmd nettest -6 -s & 2633 sleep 1 2634 run_cmd nettest -6 -r ${a} 2635 log_test_addr ${a} $? 0 "Global server, local connection" 2636 done 2637 2638 a=${NSA_IP6} 2639 log_start 2640 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2641 sleep 1 2642 run_cmd nettest -6 -r ${a} -0 ${a} 2643 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 2644 2645 for a in ${NSA_LO_IP6} ::1 2646 do 2647 log_start 2648 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2649 run_cmd nettest -6 -s -I ${NSA_DEV} & 2650 sleep 1 2651 run_cmd nettest -6 -r ${a} 2652 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 2653 done 2654 2655 a=${NSA_IP6} 2656 log_start 2657 run_cmd nettest -6 -s & 2658 sleep 1 2659 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2660 log_test_addr ${a} $? 0 "Global server, device client, local connection" 2661 2662 for a in ${NSA_LO_IP6} ::1 2663 do 2664 log_start 2665 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2666 run_cmd nettest -6 -s & 2667 sleep 1 2668 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2669 log_test_addr ${a} $? 1 "Global server, device client, local connection" 2670 done 2671 2672 for a in ${NSA_IP6} ${NSA_LINKIP6} 2673 do 2674 log_start 2675 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2676 sleep 1 2677 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2678 log_test_addr ${a} $? 
0 "Device server, device client, local conn"	# tail of the log_test_addr call begun on the previous line
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
		log_test_addr ${a} $? 1 "No server, device client, local conn"
	done

	ipv6_tcp_md5_novrf
}

# IPv6 TCP cases with ns-A's device enslaved to the VRF.
#
# First half: net.ipv4.tcp_l3mdev_accept=0. A server started without -I
# (the "global" server) is expected to refuse connections that arrive
# through the VRF; only servers bound to the VRF or to the enslaved device
# accept them. The MD5 cases run in this half, between setup_vrf_dup and
# cleanup_vrf_dup.
#
# Second half: net.ipv4.tcp_l3mdev_accept=1. The unbound server is now
# expected to accept connections arriving through the VRF as well. The
# knob sits under net.ipv4 but is the one toggled for these IPv6 cases.
#
# Reading for operators: with the sysctl at 1 a listener that is not bound
# to a device is reachable from VRF traffic, so a service that depends on
# VRF separation has to bind to the VRF or device (or the sysctl has to
# stay at 0).
ipv6_tcp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"

	set_sysctl net.ipv4.tcp_l3mdev_accept=0

	# --- server tests ---
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	# link local is always bound to ingress device
	a=${NSA_LINKIP6}%${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${a}
	log_test_addr ${a} $? 0 "VRF server"

	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Device server"
	done

	# verify TCP reset received
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	# local address tests
	a=${NSA_IP6}
	log_start
	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
	run_cmd nettest -6 -s &
	sleep 1
	run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
	log_test_addr ${a} $? 1 "Global server, local connection"

	# run MD5 tests
	setup_vrf_dup
	ipv6_tcp_md5
	cleanup_vrf_dup

	# --- enable VRF global server ---
	log_subsection "VRF Global server enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -s -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	# For LLA, child socket is bound to device
	a=${NSA_LINKIP6}%${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${a}
	log_test_addr ${a} $? 0 "Global server"

	log_start
	run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${a}
	log_test_addr ${a} $? 0 "VRF server"

	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Device server"
	done

	# verify TCP reset received
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	# local address tests
	# NOTE(review): the label says "Global server" but the server is
	# started with -I ${VRF}; the hint (client is not in VRF) matches the
	# command, so the label looks stale - confirm.
	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		show_hint "Fails 'Connection refused' since client is not in VRF"
		run_cmd nettest -6 -s -I ${VRF} &
		sleep 1
		run_cmd nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Global server, local connection"
	done


	# --- client ---
	for a in ${NSB_IP6} ${NSB_LO_IP6}; do
		log_start
		run_cmd_nsb nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${VRF}
		log_test_addr ${a} $? 0 "Client, VRF bind"
	done

	a=${NSB_LINKIP6}
	log_start
	show_hint "Fails since VRF device does not allow linklocal addresses"
	run_cmd_nsb nettest -6 -s &
	sleep 1
	run_cmd nettest -6 -r ${a} -d ${VRF}
	log_test_addr ${a} $? 1 "Client, VRF bind"

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}; do
		log_start
		run_cmd_nsb nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -r ${a} -d ${VRF}
		log_test_addr ${a} $? 1 "No server, VRF client"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	for a in ${NSA_IP6} ${VRF_IP6} ::1; do
		log_start
		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
	sleep 1
	run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
	# argument list continues on the next line
	log_test_addr ${a} $? \
0 "VRF server, device client, local connection"	# tail of the log_test_addr call begun on the previous line

	# an unbound client stays outside the VRF and must not reach the
	# VRF-bound server
	a=${NSA_IP6}
	log_start
	show_hint "Should fail since unbound client is out of VRF scope"
	run_cmd nettest -6 -s -I ${VRF} &
	sleep 1
	run_cmd nettest -6 -r ${a}
	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"

	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"

	for a in ${NSA_IP6} ${NSA_LINKIP6}; do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
		log_test_addr ${a} $? 0 "Device server, device client, local connection"
	done
}

# Driver for the IPv6 TCP cases. The non-VRF set runs twice, with
# net.ipv4.tcp_l3mdev_accept at 0 and at 1, to check that the sysctl makes
# no difference when no VRF is configured; the VRF set follows after
# setup "yes".
ipv6_tcp()
{
	log_section "IPv6/TCP"
	log_subsection "No VRF"
	setup

	# tcp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "tcp_l3mdev_accept disabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=0
	ipv6_tcp_novrf
	log_subsection "tcp_l3mdev_accept enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1
	ipv6_tcp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_tcp_vrf
}

################################################################################
# IPv6 UDP

# IPv6 UDP cases (-D) on the topology without a VRF: ns-A as server, ns-A
# as client, and traffic that stays inside ns-A.
ipv6_udp_novrf()
{
	local a

	# --- server tests ---
	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		# argument list continues on the next line
		log_test_addr ${a} $? \
0 "Device server" 2959 done 2960 2961 a=${NSA_LO_IP6} 2962 log_start 2963 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 2964 sleep 1 2965 run_cmd_nsb nettest -6 -D -r ${a} 2966 log_test_addr ${a} $? 0 "Global server" 2967 2968 # should fail since loopback address is out of scope for a device 2969 # bound server, but it does not - hence this is more documenting 2970 # behavior. 2971 #log_start 2972 #show_hint "Should fail since loopback address is out of scope" 2973 #run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 2974 #sleep 1 2975 #run_cmd_nsb nettest -6 -D -r ${a} 2976 #log_test_addr ${a} $? 1 "Device server" 2977 2978 # negative test - should fail 2979 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2980 do 2981 log_start 2982 show_hint "Should fail 'Connection refused' since there is no server" 2983 run_cmd_nsb nettest -6 -D -r ${a} 2984 log_test_addr ${a} $? 1 "No server" 2985 done 2986 2987 # 2988 # client 2989 # 2990 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2991 do 2992 log_start 2993 run_cmd_nsb nettest -6 -D -s & 2994 sleep 1 2995 run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6} 2996 log_test_addr ${a} $? 0 "Client" 2997 2998 log_start 2999 run_cmd_nsb nettest -6 -D -s & 3000 sleep 1 3001 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6} 3002 log_test_addr ${a} $? 0 "Client, device bind" 3003 3004 log_start 3005 run_cmd_nsb nettest -6 -D -s & 3006 sleep 1 3007 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6} 3008 log_test_addr ${a} $? 0 "Client, device send via cmsg" 3009 3010 log_start 3011 run_cmd_nsb nettest -6 -D -s & 3012 sleep 1 3013 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6} 3014 log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF" 3015 3016 log_start 3017 show_hint "Should fail 'Connection refused'" 3018 run_cmd nettest -6 -D -r ${a} 3019 log_test_addr ${a} $? 
1 "No server, unbound client" 3020 3021 log_start 3022 show_hint "Should fail 'Connection refused'" 3023 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3024 log_test_addr ${a} $? 1 "No server, device client" 3025 done 3026 3027 # 3028 # local address tests 3029 # 3030 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 3031 do 3032 log_start 3033 run_cmd nettest -6 -D -s & 3034 sleep 1 3035 run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a} 3036 log_test_addr ${a} $? 0 "Global server, local connection" 3037 done 3038 3039 a=${NSA_IP6} 3040 log_start 3041 run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 3042 sleep 1 3043 run_cmd nettest -6 -D -r ${a} 3044 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 3045 3046 for a in ${NSA_LO_IP6} ::1 3047 do 3048 log_start 3049 show_hint "Should fail 'Connection refused' since address is out of device scope" 3050 run_cmd nettest -6 -s -D -I ${NSA_DEV} & 3051 sleep 1 3052 run_cmd nettest -6 -D -r ${a} 3053 log_test_addr ${a} $? 1 "Device server, local connection" 3054 done 3055 3056 a=${NSA_IP6} 3057 log_start 3058 run_cmd nettest -6 -s -D & 3059 sleep 1 3060 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3061 log_test_addr ${a} $? 0 "Global server, device client, local connection" 3062 3063 log_start 3064 run_cmd nettest -6 -s -D & 3065 sleep 1 3066 run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a} 3067 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 3068 3069 log_start 3070 run_cmd nettest -6 -s -D & 3071 sleep 1 3072 run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a} 3073 log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection" 3074 3075 for a in ${NSA_LO_IP6} ::1 3076 do 3077 log_start 3078 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3079 run_cmd nettest -6 -D -s & 3080 sleep 1 3081 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3082 log_test_addr ${a} $? 
1 "Global server, device client, local connection" 3083 3084 log_start 3085 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3086 run_cmd nettest -6 -D -s & 3087 sleep 1 3088 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C 3089 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 3090 3091 log_start 3092 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3093 run_cmd nettest -6 -D -s & 3094 sleep 1 3095 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S 3096 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 3097 done 3098 3099 a=${NSA_IP6} 3100 log_start 3101 run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3102 sleep 1 3103 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a} 3104 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3105 3106 log_start 3107 show_hint "Should fail 'Connection refused'" 3108 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3109 log_test_addr ${a} $? 1 "No server, device client, local conn" 3110 3111 # LLA to GUA 3112 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3113 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3114 log_start 3115 run_cmd nettest -6 -s -D & 3116 sleep 1 3117 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3118 log_test $? 0 "UDP in - LLA to GUA" 3119 3120 run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV} 3121 run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad 3122} 3123 3124ipv6_udp_vrf() 3125{ 3126 local a 3127 3128 # disable global server 3129 log_subsection "Global server disabled" 3130 set_sysctl net.ipv4.udp_l3mdev_accept=0 3131 3132 # 3133 # server tests 3134 # 3135 for a in ${NSA_IP6} ${VRF_IP6} 3136 do 3137 log_start 3138 show_hint "Should fail 'Connection refused' since global server is disabled" 3139 run_cmd nettest -6 -D -s & 3140 sleep 1 3141 run_cmd_nsb nettest -6 -D -r ${a} 3142 log_test_addr ${a} $? 
1 "Global server" 3143 done 3144 3145 for a in ${NSA_IP6} ${VRF_IP6} 3146 do 3147 log_start 3148 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3149 sleep 1 3150 run_cmd_nsb nettest -6 -D -r ${a} 3151 log_test_addr ${a} $? 0 "VRF server" 3152 done 3153 3154 for a in ${NSA_IP6} ${VRF_IP6} 3155 do 3156 log_start 3157 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3158 sleep 1 3159 run_cmd_nsb nettest -6 -D -r ${a} 3160 log_test_addr ${a} $? 0 "Enslaved device server" 3161 done 3162 3163 # negative test - should fail 3164 for a in ${NSA_IP6} ${VRF_IP6} 3165 do 3166 log_start 3167 show_hint "Should fail 'Connection refused' since there is no server" 3168 run_cmd_nsb nettest -6 -D -r ${a} 3169 log_test_addr ${a} $? 1 "No server" 3170 done 3171 3172 # 3173 # local address tests 3174 # 3175 for a in ${NSA_IP6} ${VRF_IP6} 3176 do 3177 log_start 3178 show_hint "Should fail 'Connection refused' since global server is disabled" 3179 run_cmd nettest -6 -D -s & 3180 sleep 1 3181 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3182 log_test_addr ${a} $? 1 "Global server, VRF client, local conn" 3183 done 3184 3185 for a in ${NSA_IP6} ${VRF_IP6} 3186 do 3187 log_start 3188 run_cmd nettest -6 -D -I ${VRF} -s & 3189 sleep 1 3190 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3191 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3192 done 3193 3194 a=${NSA_IP6} 3195 log_start 3196 show_hint "Should fail 'Connection refused' since global server is disabled" 3197 run_cmd nettest -6 -D -s & 3198 sleep 1 3199 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3200 log_test_addr ${a} $? 1 "Global server, device client, local conn" 3201 3202 log_start 3203 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3204 sleep 1 3205 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3206 log_test_addr ${a} $? 
0 "VRF server, device client, local conn" 3207 3208 log_start 3209 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3210 sleep 1 3211 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3212 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 3213 3214 log_start 3215 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3216 sleep 1 3217 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3218 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 3219 3220 # disable global server 3221 log_subsection "Global server enabled" 3222 set_sysctl net.ipv4.udp_l3mdev_accept=1 3223 3224 # 3225 # server tests 3226 # 3227 for a in ${NSA_IP6} ${VRF_IP6} 3228 do 3229 log_start 3230 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3231 sleep 1 3232 run_cmd_nsb nettest -6 -D -r ${a} 3233 log_test_addr ${a} $? 0 "Global server" 3234 done 3235 3236 for a in ${NSA_IP6} ${VRF_IP6} 3237 do 3238 log_start 3239 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3240 sleep 1 3241 run_cmd_nsb nettest -6 -D -r ${a} 3242 log_test_addr ${a} $? 0 "VRF server" 3243 done 3244 3245 for a in ${NSA_IP6} ${VRF_IP6} 3246 do 3247 log_start 3248 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3249 sleep 1 3250 run_cmd_nsb nettest -6 -D -r ${a} 3251 log_test_addr ${a} $? 0 "Enslaved device server" 3252 done 3253 3254 # negative test - should fail 3255 for a in ${NSA_IP6} ${VRF_IP6} 3256 do 3257 log_start 3258 run_cmd_nsb nettest -6 -D -r ${a} 3259 log_test_addr ${a} $? 1 "No server" 3260 done 3261 3262 # 3263 # client tests 3264 # 3265 log_start 3266 run_cmd_nsb nettest -6 -D -s & 3267 sleep 1 3268 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3269 log_test $? 0 "VRF client" 3270 3271 # negative test - should fail 3272 log_start 3273 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3274 log_test $? 1 "No server, VRF client" 3275 3276 log_start 3277 run_cmd_nsb nettest -6 -D -s & 3278 sleep 1 3279 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3280 log_test $? 
0 "Enslaved device client" 3281 3282 # negative test - should fail 3283 log_start 3284 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3285 log_test $? 1 "No server, enslaved device client" 3286 3287 # 3288 # local address tests 3289 # 3290 a=${NSA_IP6} 3291 log_start 3292 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3293 sleep 1 3294 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3295 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 3296 3297 #log_start 3298 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3299 sleep 1 3300 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3301 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3302 3303 3304 a=${VRF_IP6} 3305 log_start 3306 run_cmd nettest -6 -D -s -3 ${VRF} & 3307 sleep 1 3308 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3309 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 3310 3311 log_start 3312 run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} & 3313 sleep 1 3314 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3315 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3316 3317 # negative test - should fail 3318 for a in ${NSA_IP6} ${VRF_IP6} 3319 do 3320 log_start 3321 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3322 log_test_addr ${a} $? 1 "No server, VRF client, local conn" 3323 done 3324 3325 # device to global IP 3326 a=${NSA_IP6} 3327 log_start 3328 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3329 sleep 1 3330 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3331 log_test_addr ${a} $? 0 "Global server, device client, local conn" 3332 3333 log_start 3334 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3335 sleep 1 3336 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3337 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 3338 3339 log_start 3340 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3341 sleep 1 3342 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3343 log_test_addr ${a} $? 
0 "Device server, VRF client, local conn" 3344 3345 log_start 3346 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3347 sleep 1 3348 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3349 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3350 3351 log_start 3352 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3353 log_test_addr ${a} $? 1 "No server, device client, local conn" 3354 3355 3356 # link local addresses 3357 log_start 3358 run_cmd nettest -6 -D -s & 3359 sleep 1 3360 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3361 log_test $? 0 "Global server, linklocal IP" 3362 3363 log_start 3364 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3365 log_test $? 1 "No server, linklocal IP" 3366 3367 3368 log_start 3369 run_cmd_nsb nettest -6 -D -s & 3370 sleep 1 3371 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3372 log_test $? 0 "Enslaved device client, linklocal IP" 3373 3374 log_start 3375 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3376 log_test $? 1 "No server, device client, peer linklocal IP" 3377 3378 3379 log_start 3380 run_cmd nettest -6 -D -s & 3381 sleep 1 3382 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3383 log_test $? 0 "Enslaved device client, local conn - linklocal IP" 3384 3385 log_start 3386 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3387 log_test $? 1 "No server, device client, local conn - linklocal IP" 3388 3389 # LLA to GUA 3390 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3391 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3392 log_start 3393 run_cmd nettest -6 -s -D & 3394 sleep 1 3395 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3396 log_test $? 
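0 "UDP in - LLA to GUA"	# tail of the log_test call begun on the previous line

	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}

# Driver for the IPv6 UDP cases. The non-VRF set runs twice, with
# net.ipv4.udp_l3mdev_accept at 0 and at 1, to check that the sysctl makes
# no difference when no VRF is configured; the VRF set follows after
# setup "yes".
ipv6_udp()
{
	# should not matter, but set to known state
	set_sysctl net.ipv4.udp_early_demux=1

	log_section "IPv6/UDP"
	log_subsection "No VRF"
	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv6_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv6_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_udp_vrf
}

################################################################################
# IPv6 address bind

# bind() cases without a VRF: raw and TCP sockets bound to local and
# non-local addresses, with and without a prior device bind (-I).
# Expected rc 0 means the bind is accepted.
ipv6_addr_bind_novrf()
{
	# keep the loop variable out of the global scope, as the other test
	# functions in this file do
	local a

	# --- raw socket ---
	for a in ${NSA_IP6} ${NSA_LO_IP6}; do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	# --- raw socket with nonlocal bind ---
	# NL_IP6 is one of the "non-local addresses for freebind tests" from
	# the top of the file; -f presumably turns freebind on.
	# NOTE(review): this case passes -P icmp while the raw cases above
	# pass -P ipv6-icmp - confirm that is intended for a -6 socket.
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

	# --- tcp sockets ---
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	# argument list continues on the next line
	log_test_addr ${a} $? \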
0 "TCP socket bind to local address after device bind" 3463 3464 # Sadly, the kernel allows binding a socket to a device and then 3465 # binding to an address not on the device. So this test passes 3466 # when it really should not 3467 a=${NSA_LO_IP6} 3468 log_start 3469 show_hint "Tecnically should fail since address is not on device but kernel allows" 3470 run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b 3471 log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address" 3472} 3473 3474ipv6_addr_bind_vrf() 3475{ 3476 # 3477 # raw socket 3478 # 3479 for a in ${NSA_IP6} ${VRF_IP6} 3480 do 3481 log_start 3482 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b 3483 log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind" 3484 3485 log_start 3486 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b 3487 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" 3488 done 3489 3490 a=${NSA_LO_IP6} 3491 log_start 3492 show_hint "Address on loopback is out of VRF scope" 3493 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b 3494 log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind" 3495 3496 # 3497 # raw socket with nonlocal bind 3498 # 3499 a=${NL_IP6} 3500 log_start 3501 run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${VRF} -b 3502 log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind" 3503 3504 # 3505 # tcp sockets 3506 # 3507 # address on enslaved device is valid for the VRF or device in a VRF 3508 for a in ${NSA_IP6} ${VRF_IP6} 3509 do 3510 log_start 3511 run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b 3512 log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind" 3513 done 3514 3515 a=${NSA_IP6} 3516 log_start 3517 run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b 3518 log_test_addr ${a} $? 
0 "TCP socket bind to local address with device bind" 3519 3520 # Sadly, the kernel allows binding a socket to a device and then 3521 # binding to an address not on the device. The only restriction 3522 # is that the address is valid in the L3 domain. So this test 3523 # passes when it really should not 3524 a=${VRF_IP6} 3525 log_start 3526 show_hint "Tecnically should fail since address is not on device but kernel allows" 3527 run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b 3528 log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind" 3529 3530 a=${NSA_LO_IP6} 3531 log_start 3532 show_hint "Address on loopback out of scope for VRF" 3533 run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b 3534 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF" 3535 3536 log_start 3537 show_hint "Address on loopback out of scope for device in VRF" 3538 run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b 3539 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind" 3540 3541} 3542 3543ipv6_addr_bind() 3544{ 3545 log_section "IPv6 address binds" 3546 3547 log_subsection "No VRF" 3548 setup 3549 ipv6_addr_bind_novrf 3550 3551 log_subsection "With VRF" 3552 setup "yes" 3553 ipv6_addr_bind_vrf 3554} 3555 3556################################################################################ 3557# IPv6 runtime tests 3558 3559ipv6_rt() 3560{ 3561 local desc="$1" 3562 local varg="-6 $2" 3563 local with_vrf="yes" 3564 local a 3565 3566 # 3567 # server tests 3568 # 3569 for a in ${NSA_IP6} ${VRF_IP6} 3570 do 3571 log_start 3572 run_cmd nettest ${varg} -s & 3573 sleep 1 3574 run_cmd_nsb nettest ${varg} -r ${a} & 3575 sleep 3 3576 run_cmd ip link del ${VRF} 3577 sleep 1 3578 log_test_addr ${a} 0 0 "${desc}, global server" 3579 3580 setup ${with_vrf} 3581 done 3582 3583 for a in ${NSA_IP6} ${VRF_IP6} 3584 do 3585 log_start 3586 run_cmd nettest ${varg} -I ${VRF} -s & 3587 sleep 1 3588 run_cmd_nsb nettest ${varg} -r ${a} & 3589 sleep 3 
3590 run_cmd ip link del ${VRF} 3591 sleep 1 3592 log_test_addr ${a} 0 0 "${desc}, VRF server" 3593 3594 setup ${with_vrf} 3595 done 3596 3597 for a in ${NSA_IP6} ${VRF_IP6} 3598 do 3599 log_start 3600 run_cmd nettest ${varg} -I ${NSA_DEV} -s & 3601 sleep 1 3602 run_cmd_nsb nettest ${varg} -r ${a} & 3603 sleep 3 3604 run_cmd ip link del ${VRF} 3605 sleep 1 3606 log_test_addr ${a} 0 0 "${desc}, enslaved device server" 3607 3608 setup ${with_vrf} 3609 done 3610 3611 # 3612 # client test 3613 # 3614 log_start 3615 run_cmd_nsb nettest ${varg} -s & 3616 sleep 1 3617 run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} & 3618 sleep 3 3619 run_cmd ip link del ${VRF} 3620 sleep 1 3621 log_test 0 0 "${desc}, VRF client" 3622 3623 setup ${with_vrf} 3624 3625 log_start 3626 run_cmd_nsb nettest ${varg} -s & 3627 sleep 1 3628 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} & 3629 sleep 3 3630 run_cmd ip link del ${VRF} 3631 sleep 1 3632 log_test 0 0 "${desc}, enslaved device client" 3633 3634 setup ${with_vrf} 3635 3636 3637 # 3638 # local address tests 3639 # 3640 for a in ${NSA_IP6} ${VRF_IP6} 3641 do 3642 log_start 3643 run_cmd nettest ${varg} -s & 3644 sleep 1 3645 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 3646 sleep 3 3647 run_cmd ip link del ${VRF} 3648 sleep 1 3649 log_test_addr ${a} 0 0 "${desc}, global server, VRF client" 3650 3651 setup ${with_vrf} 3652 done 3653 3654 for a in ${NSA_IP6} ${VRF_IP6} 3655 do 3656 log_start 3657 run_cmd nettest ${varg} -I ${VRF} -s & 3658 sleep 1 3659 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 3660 sleep 3 3661 run_cmd ip link del ${VRF} 3662 sleep 1 3663 log_test_addr ${a} 0 0 "${desc}, VRF server and client" 3664 3665 setup ${with_vrf} 3666 done 3667 3668 a=${NSA_IP6} 3669 log_start 3670 run_cmd nettest ${varg} -s & 3671 sleep 1 3672 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 3673 sleep 3 3674 run_cmd ip link del ${VRF} 3675 sleep 1 3676 log_test_addr ${a} 0 0 "${desc}, global server, device client" 3677 3678 setup ${with_vrf} 
3679 3680 log_start 3681 run_cmd nettest ${varg} -I ${VRF} -s & 3682 sleep 1 3683 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 3684 sleep 3 3685 run_cmd ip link del ${VRF} 3686 sleep 1 3687 log_test_addr ${a} 0 0 "${desc}, VRF server, device client" 3688 3689 setup ${with_vrf} 3690 3691 log_start 3692 run_cmd nettest ${varg} -I ${NSA_DEV} -s & 3693 sleep 1 3694 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 3695 sleep 3 3696 run_cmd ip link del ${VRF} 3697 sleep 1 3698 log_test_addr ${a} 0 0 "${desc}, device server, device client" 3699} 3700 3701ipv6_ping_rt() 3702{ 3703 local with_vrf="yes" 3704 local a 3705 3706 a=${NSA_IP6} 3707 log_start 3708 run_cmd_nsb ${ping6} -f ${a} & 3709 sleep 3 3710 run_cmd ip link del ${VRF} 3711 sleep 1 3712 log_test_addr ${a} 0 0 "Device delete with active traffic - ping in" 3713 3714 setup ${with_vrf} 3715 3716 log_start 3717 run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} & 3718 sleep 1 3719 run_cmd ip link del ${VRF} 3720 sleep 1 3721 log_test_addr ${a} 0 0 "Device delete with active traffic - ping out" 3722} 3723 3724ipv6_runtime() 3725{ 3726 log_section "Run time tests - ipv6" 3727 3728 setup "yes" 3729 ipv6_ping_rt 3730 3731 setup "yes" 3732 ipv6_rt "TCP active socket" "-n -1" 3733 3734 setup "yes" 3735 ipv6_rt "TCP passive socket" "-i" 3736 3737 setup "yes" 3738 ipv6_rt "UDP active socket" "-D -n -1" 3739} 3740 3741################################################################################ 3742# netfilter blocking connections 3743 3744netfilter_tcp_reset() 3745{ 3746 local a 3747 3748 for a in ${NSA_IP} ${VRF_IP} 3749 do 3750 log_start 3751 run_cmd nettest -s & 3752 sleep 1 3753 run_cmd_nsb nettest -r ${a} 3754 log_test_addr ${a} $? 
1 "Global server, reject with TCP-reset on Rx" 3755 done 3756} 3757 3758netfilter_icmp() 3759{ 3760 local stype="$1" 3761 local arg 3762 local a 3763 3764 [ "${stype}" = "UDP" ] && arg="-D" 3765 3766 for a in ${NSA_IP} ${VRF_IP} 3767 do 3768 log_start 3769 run_cmd nettest ${arg} -s & 3770 sleep 1 3771 run_cmd_nsb nettest ${arg} -r ${a} 3772 log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach" 3773 done 3774} 3775 3776ipv4_netfilter() 3777{ 3778 log_section "IPv4 Netfilter" 3779 log_subsection "TCP reset" 3780 3781 setup "yes" 3782 run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset 3783 3784 netfilter_tcp_reset 3785 3786 log_start 3787 log_subsection "ICMP unreachable" 3788 3789 log_start 3790 run_cmd iptables -F 3791 run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable 3792 run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable 3793 3794 netfilter_icmp "TCP" 3795 netfilter_icmp "UDP" 3796 3797 log_start 3798 iptables -F 3799} 3800 3801netfilter_tcp6_reset() 3802{ 3803 local a 3804 3805 for a in ${NSA_IP6} ${VRF_IP6} 3806 do 3807 log_start 3808 run_cmd nettest -6 -s & 3809 sleep 1 3810 run_cmd_nsb nettest -6 -r ${a} 3811 log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx" 3812 done 3813} 3814 3815netfilter_icmp6() 3816{ 3817 local stype="$1" 3818 local arg 3819 local a 3820 3821 [ "${stype}" = "UDP" ] && arg="$arg -D" 3822 3823 for a in ${NSA_IP6} ${VRF_IP6} 3824 do 3825 log_start 3826 run_cmd nettest -6 -s ${arg} & 3827 sleep 1 3828 run_cmd_nsb nettest -6 ${arg} -r ${a} 3829 log_test_addr ${a} $? 
1 "Global ${stype} server, Rx reject icmp-port-unreach" 3830 done 3831} 3832 3833ipv6_netfilter() 3834{ 3835 log_section "IPv6 Netfilter" 3836 log_subsection "TCP reset" 3837 3838 setup "yes" 3839 run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset 3840 3841 netfilter_tcp6_reset 3842 3843 log_subsection "ICMP unreachable" 3844 3845 log_start 3846 run_cmd ip6tables -F 3847 run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable 3848 run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable 3849 3850 netfilter_icmp6 "TCP" 3851 netfilter_icmp6 "UDP" 3852 3853 log_start 3854 ip6tables -F 3855} 3856 3857################################################################################ 3858# specific use cases 3859 3860# VRF only. 3861# ns-A device enslaved to bridge. Verify traffic with and without 3862# br_netfilter module loaded. Repeat with SVI on bridge. 3863use_case_br() 3864{ 3865 setup "yes" 3866 3867 setup_cmd ip link set ${NSA_DEV} down 3868 setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24 3869 setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64 3870 3871 setup_cmd ip link add br0 type bridge 3872 setup_cmd ip addr add dev br0 ${NSA_IP}/24 3873 setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad 3874 3875 setup_cmd ip li set ${NSA_DEV} master br0 3876 setup_cmd ip li set ${NSA_DEV} up 3877 setup_cmd ip li set br0 up 3878 setup_cmd ip li set br0 vrf ${VRF} 3879 3880 rmmod br_netfilter 2>/dev/null 3881 sleep 5 # DAD 3882 3883 run_cmd ip neigh flush all 3884 run_cmd ping -c1 -w1 -I br0 ${NSB_IP} 3885 log_test $? 0 "Bridge into VRF - IPv4 ping out" 3886 3887 run_cmd ip neigh flush all 3888 run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6} 3889 log_test $? 0 "Bridge into VRF - IPv6 ping out" 3890 3891 run_cmd ip neigh flush all 3892 run_cmd_nsb ping -c1 -w1 ${NSA_IP} 3893 log_test $? 
0 "Bridge into VRF - IPv4 ping in" 3894 3895 run_cmd ip neigh flush all 3896 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 3897 log_test $? 0 "Bridge into VRF - IPv6 ping in" 3898 3899 modprobe br_netfilter 3900 if [ $? -eq 0 ]; then 3901 run_cmd ip neigh flush all 3902 run_cmd ping -c1 -w1 -I br0 ${NSB_IP} 3903 log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out" 3904 3905 run_cmd ip neigh flush all 3906 run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6} 3907 log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out" 3908 3909 run_cmd ip neigh flush all 3910 run_cmd_nsb ping -c1 -w1 ${NSA_IP} 3911 log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in" 3912 3913 run_cmd ip neigh flush all 3914 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 3915 log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in" 3916 fi 3917 3918 setup_cmd ip li set br0 nomaster 3919 setup_cmd ip li add br0.100 link br0 type vlan id 100 3920 setup_cmd ip li set br0.100 vrf ${VRF} up 3921 setup_cmd ip addr add dev br0.100 172.16.101.1/24 3922 setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad 3923 3924 setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100 3925 setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24 3926 setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad 3927 setup_cmd_nsb ip li set vlan100 up 3928 sleep 1 3929 3930 rmmod br_netfilter 2>/dev/null 3931 3932 run_cmd ip neigh flush all 3933 run_cmd ping -c1 -w1 -I br0.100 172.16.101.2 3934 log_test $? 0 "Bridge vlan into VRF - IPv4 ping out" 3935 3936 run_cmd ip neigh flush all 3937 run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2 3938 log_test $? 0 "Bridge vlan into VRF - IPv6 ping out" 3939 3940 run_cmd ip neigh flush all 3941 run_cmd_nsb ping -c1 -w1 172.16.101.1 3942 log_test $? 0 "Bridge vlan into VRF - IPv4 ping in" 3943 3944 run_cmd ip neigh flush all 3945 run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1 3946 log_test $? 
0 "Bridge vlan into VRF - IPv6 ping in" 3947 3948 modprobe br_netfilter 3949 if [ $? -eq 0 ]; then 3950 run_cmd ip neigh flush all 3951 run_cmd ping -c1 -w1 -I br0.100 172.16.101.2 3952 log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out" 3953 3954 run_cmd ip neigh flush all 3955 run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2 3956 log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out" 3957 3958 run_cmd ip neigh flush all 3959 run_cmd_nsb ping -c1 -w1 172.16.101.1 3960 log_test $? 0 "Bridge vlan into VRF - IPv4 ping in" 3961 3962 run_cmd ip neigh flush all 3963 run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1 3964 log_test $? 0 "Bridge vlan into VRF - IPv6 ping in" 3965 fi 3966 3967 setup_cmd ip li del br0 2>/dev/null 3968 setup_cmd_nsb ip li del vlan100 2>/dev/null 3969} 3970 3971# VRF only. 3972# ns-A device is connected to both ns-B and ns-C on a single VRF but only has 3973# LLA on the interfaces 3974use_case_ping_lla_multi() 3975{ 3976 setup_lla_only 3977 # only want reply from ns-A 3978 setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1 3979 setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1 3980 3981 log_start 3982 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV} 3983 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B" 3984 3985 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV} 3986 log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C" 3987 3988 # cycle/flap the first ns-A interface 3989 setup_cmd ip link set ${NSA_DEV} down 3990 setup_cmd ip link set ${NSA_DEV} up 3991 sleep 1 3992 3993 log_start 3994 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV} 3995 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B" 3996 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV} 3997 log_test_addr ${MCAST}%${NSC_DEV} $? 
0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C" 3998 3999 # cycle/flap the second ns-A interface 4000 setup_cmd ip link set ${NSA_DEV2} down 4001 setup_cmd ip link set ${NSA_DEV2} up 4002 sleep 1 4003 4004 log_start 4005 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV} 4006 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B" 4007 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV} 4008 log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C" 4009} 4010 4011# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully 4012# established with ns-B. 4013use_case_snat_on_vrf() 4014{ 4015 setup "yes" 4016 4017 local port="12345" 4018 4019 run_cmd iptables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF} 4020 run_cmd ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF} 4021 4022 run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} & 4023 sleep 1 4024 run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port} 4025 log_test $? 0 "IPv4 TCP connection over VRF with SNAT" 4026 4027 run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} & 4028 sleep 1 4029 run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port} 4030 log_test $? 
0 "IPv6 TCP connection over VRF with SNAT" 4031 4032 # Cleanup 4033 run_cmd iptables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF} 4034 run_cmd ip6tables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF} 4035} 4036 4037use_cases() 4038{ 4039 log_section "Use cases" 4040 log_subsection "Device enslaved to bridge" 4041 use_case_br 4042 log_subsection "Ping LLA with multiple interfaces" 4043 use_case_ping_lla_multi 4044 log_subsection "SNAT on VRF" 4045 use_case_snat_on_vrf 4046} 4047 4048################################################################################ 4049# usage 4050 4051usage() 4052{ 4053 cat <<EOF 4054usage: ${0##*/} OPTS 4055 4056 -4 IPv4 tests only 4057 -6 IPv6 tests only 4058 -t <test> Test name/set to run 4059 -p Pause on fail 4060 -P Pause after each test 4061 -v Be verbose 4062 4063Tests: 4064 $TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER 4065EOF 4066} 4067 4068################################################################################ 4069# main 4070 4071TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter" 4072TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter" 4073TESTS_OTHER="use_cases" 4074 4075PAUSE_ON_FAIL=no 4076PAUSE=no 4077 4078while getopts :46t:pPvh o 4079do 4080 case $o in 4081 4) TESTS=ipv4;; 4082 6) TESTS=ipv6;; 4083 t) TESTS=$OPTARG;; 4084 p) PAUSE_ON_FAIL=yes;; 4085 P) PAUSE=yes;; 4086 v) VERBOSE=1;; 4087 h) usage; exit 0;; 4088 *) usage; exit 1;; 4089 esac 4090done 4091 4092# make sure we don't pause twice 4093[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no 4094 4095# 4096# show user test config 4097# 4098if [ -z "$TESTS" ]; then 4099 TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER" 4100elif [ "$TESTS" = "ipv4" ]; then 4101 TESTS="$TESTS_IPV4" 4102elif [ "$TESTS" = "ipv6" ]; then 4103 TESTS="$TESTS_IPV6" 4104fi 4105 4106which nettest >/dev/null 4107if [ $? 
-ne 0 ]; then 4108 echo "'nettest' command not found; skipping tests" 4109 exit $ksft_skip 4110fi 4111 4112declare -i nfail=0 4113declare -i nsuccess=0 4114 4115for t in $TESTS 4116do 4117 case $t in 4118 ipv4_ping|ping) ipv4_ping;; 4119 ipv4_tcp|tcp) ipv4_tcp;; 4120 ipv4_udp|udp) ipv4_udp;; 4121 ipv4_bind|bind) ipv4_addr_bind;; 4122 ipv4_runtime) ipv4_runtime;; 4123 ipv4_netfilter) ipv4_netfilter;; 4124 4125 ipv6_ping|ping6) ipv6_ping;; 4126 ipv6_tcp|tcp6) ipv6_tcp;; 4127 ipv6_udp|udp6) ipv6_udp;; 4128 ipv6_bind|bind6) ipv6_addr_bind;; 4129 ipv6_runtime) ipv6_runtime;; 4130 ipv6_netfilter) ipv6_netfilter;; 4131 4132 use_cases) use_cases;; 4133 4134 # setup namespaces and config, but do not run any tests 4135 setup) setup; exit 0;; 4136 vrf_setup) setup "yes"; exit 0;; 4137 esac 4138done 4139 4140cleanup 2>/dev/null 4141 4142printf "\nTests passed: %3d\n" ${nsuccess} 4143printf "Tests failed: %3d\n" ${nfail} 4144 4145if [ $nfail -ne 0 ]; then 4146 exit 1 # KSFT_FAIL 4147elif [ $nsuccess -eq 0 ]; then 4148 exit $ksft_skip 4149fi 4150 4151exit 0 # KSFT_PASS 4152