#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
#
# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
# for various permutations:
#   1. icmp, tcp, udp and netfilter
#   2. client, server, no-server
#   3. global address on interface
#   4. global address on 'lo'
#   5. remote and local traffic
#   6. VRF and non-VRF permutations
#
# Setup:
#                     ns-A     |     ns-B
# No VRF case:
#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
#                                                remote address
# VRF case:
#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
#
# ns-A:
#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
#       lo: 127.0.0.1/8, ::1/128
#           172.16.2.1/32, 2001:db8:2::1/128
#      red: 127.0.0.1/8, ::1/128
#           172.16.3.1/32, 2001:db8:3::1/128
#
# ns-B:
#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
#      lo2: 127.0.0.1/8, ::1/128
#           172.16.2.2/32, 2001:db8:2::2/128
#
# ns-A to ns-C connection - only for VRF and same config
# as ns-A to ns-B
#
# server / client nomenclature relative to ns-A

# Kselftest framework requirement - SKIP code is 4.
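ksft_skip=4

VERBOSE=0

NSA_DEV=eth1
NSA_DEV2=eth2
NSB_DEV=eth1
NSC_DEV=eth2
VRF=red
VRF_TABLE=1101

# IPv4 config
NSA_IP=172.16.1.1
NSB_IP=172.16.1.2
VRF_IP=172.16.3.1
NS_NET=172.16.1.0/24

# IPv6 config
NSA_IP6=2001:db8:1::1
NSB_IP6=2001:db8:1::2
VRF_IP6=2001:db8:3::1
NS_NET6=2001:db8:1::/120

NSA_LO_IP=172.16.2.1
NSB_LO_IP=172.16.2.2
NSA_LO_IP6=2001:db8:2::1
NSB_LO_IP6=2001:db8:2::2

# non-local addresses for freebind tests
NL_IP=172.17.1.1
NL_IP6=2001:db8:4::1

# multicast and broadcast addresses
MCAST_IP=224.0.0.1
BCAST_IP=255.255.255.255

# Fixture keys for the TCP MD5 tests, handed to nettest with -M (server)
# and -X (client); MD5_WRONG_PW is the deliberately mismatching key used by
# the negative cases. Both end up on nettest command lines and in the
# VERBOSE "COMMAND:" output, so they must stay throwaway values.
MD5_PW=abc123
MD5_WRONG_PW=abc1234

MCAST=ff02::1
# set after namespace create
NSA_LINKIP6=
NSB_LINKIP6=

NSA=ns-A
NSB=ns-B
NSC=ns-C

NSA_CMD="ip netns exec ${NSA}"
NSB_CMD="ip netns exec ${NSB}"
NSC_CMD="ip netns exec ${NSC}"

# Use ping6 when it is installed, otherwise fall back to ping.
# 'command -v' is a shell builtin, so this no longer depends on 'which'
# being present on the test system.
if command -v ping6 > /dev/null 2>&1; then
	ping6=$(command -v ping6)
else
	ping6=$(command -v ping)
fi

################################################################################
# utilities

# Prompt the operator and exit the script with status 1 on 'q'.
# The answer is read into a local variable: bash uses dynamic scoping, so
# reading into a bare 'a' would overwrite the address variable 'a' that the
# test functions keep in their own scope while they call log_test.
__pause_or_quit()
{
	local answer

	echo
	echo "hit enter to continue, 'q' to quit"
	read -r answer
	[ "$answer" = "q" ] && exit 1

	# do not leak the status of the failed comparison to the caller
	return 0
}

# Record the result of one test.
# Arguments: $1 - return code that was observed
#            $2 - return code that was expected
#            $3 - description printed in the result line
# Globals:   nsuccess / nfail are incremented; VERBOSE, PAUSE and
#            PAUSE_ON_FAIL are read.
# Always ends by calling kill_procs.
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"

	[ "${VERBOSE}" = "1" ] && echo

	if [ ${rc} -eq ${expected} ]; then
		nsuccess=$((nsuccess+1))
		printf "TEST: %-70s  [ OK ]\n" "${msg}"
	else
		nfail=$((nfail+1))
		printf "TEST: %-70s  [FAIL]\n" "${msg}"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			__pause_or_quit
		fi
	fi

	if [ "${PAUSE}" = "yes" ]; then
		__pause_or_quit
	fi

	kill_procs
}

# Same as log_test, with a readable name for the address appended to the
# description.
# Arguments: $1 - address under test (translated by addr2str)
#            $2 - observed return code
#            $3 - expected return code
#            $4 - description
log_test_addr()
{
	local addr=$1
	local rc=$2
	local expected=$3
	local msg="$4"
	local astr

	astr=$(addr2str "${addr}")
	log_test $rc $expected "$msg - ${astr}"
}

# Print a section banner around the given text.
log_section()
{
	echo
	echo "###########################################################################"
	echo "$*"
	echo "###########################################################################"
	echo
}

# Print a subsection banner above the given text.
log_subsection()
{
	echo
	echo "#################################################################"
	echo "$*"
	echo
}

# Start of a single test: stop leftover test processes and, in verbose
# mode, print a separator.
log_start()
{
	# make sure we have no test instances running
	kill_procs

	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "#######################################################"
	fi
}

# Print the arguments, surrounded by blank lines, in verbose mode only.
log_debug()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "$*"
		echo
	fi
}

# Print a "HINT:" line in verbose mode only.
show_hint()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo "HINT: $*"
		echo
	fi
}

# Stop every nettest, ping and ping6 process, then wait one second.
# killall matches by process name and is not limited to the test
# namespaces, so unrelated ping processes on the host are signalled too.
kill_procs()
{
	killall nettest ping ping6 >/dev/null 2>&1
	sleep 1
}

# Run a command, capture stdout and stderr, and return its exit status.
# In verbose mode the command line and any output are printed.
# The arguments are joined into one string and expanded unquoted, so they
# are word-split (and glob-expanded) again; an argument that contains
# whitespace reaches the command as several words. Nothing is passed
# through eval, so shell metacharacters in the arguments are not
# interpreted.
# NOTE(review): set_sysctl is called later in this file with a value that
# contains a space (ping_group_range) - confirm the re-splitting is
# what that caller wants.
do_run_cmd()
{
	local cmd="$*"
	local out

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${cmd}"
	fi

	out=$($cmd 2>&1)
	# rc is left undeclared, as before, so it is written into whichever
	# scope up the call chain declares it (or the global one).
	# NOTE(review): confirm no caller relies on that before making it local.
	rc=$?
	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		echo "$out"
	fi

	return $rc
}

# Run a command inside ns-A.
run_cmd()
{
	do_run_cmd ${NSA_CMD} $*
}

# Run a command inside ns-B.
run_cmd_nsb()
{
	do_run_cmd ${NSB_CMD} $*
}

# Run a command inside ns-C.
run_cmd_nsc()
{
	do_run_cmd ${NSC_CMD} $*
}

# Report a failed setup command and exit the script with its status.
# Arguments: $1 - the command line that failed
#            $2 - its exit status
# The pause answer is read into a local variable so that a caller's
# variable of the same name is left alone.
__setup_cmd_failed()
{
	local cmd="$1"
	local rc=$2
	local answer

	# show user the command if not done so already
	if [ "$VERBOSE" = "0" ]; then
		echo "setup command: $cmd"
	fi
	echo "failed. stopping tests"
	if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
		echo
		echo "hit enter to continue"
		read -r answer
	fi
	exit $rc
}

# Run a setup command in ns-A; on failure, report it and exit the script.
setup_cmd()
{
	local cmd="$*"
	local rc

	run_cmd ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		__setup_cmd_failed "$cmd" $rc
	fi
}

# Run a setup command in ns-B; on failure, report it and exit the script.
setup_cmd_nsb()
{
	local cmd="$*"
	local rc

	run_cmd_nsb ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		__setup_cmd_failed "$cmd" $rc
	fi
}

# Run a setup command in ns-C; on failure, report it and exit the script.
setup_cmd_nsc()
{
	local cmd="$*"
	local rc

	run_cmd_nsc ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		__setup_cmd_failed "$cmd" $rc
	fi
}

# set sysctl values in NS-A
# Prints the request, then returns the status of 'sysctl -q -w'.
set_sysctl()
{
	echo "SYSCTL: $*"
	echo
	run_cmd sysctl -q -w $*
}

# get sysctl values in NS-A
# Writes the output of 'sysctl -n' to stdout.
get_sysctl()
{
	${NSA_CMD} sysctl -n $*
}

################################################################################
# Setup for tests

# Translate a test address into the label used in result lines.
# Arguments: $1 - address, optionally with a %<dev> suffix for link-local
#                 and multicast addresses
# Outputs:   the label, or "unknown" when no pattern matches
addr2str()
{
	case "$1" in
	127.0.0.1) echo "loopback";;
	::1) echo "IPv6 loopback";;

	${BCAST_IP}) echo "broadcast";;
	${MCAST_IP}) echo "multicast";;

	${NSA_IP})	echo "ns-A IP";;
	${NSA_IP6})	echo "ns-A IPv6";;
	${NSA_LO_IP})	echo "ns-A loopback IP";;
	${NSA_LO_IP6})	echo "ns-A loopback IPv6";;
	${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;

	${NSB_IP})	echo "ns-B IP";;
	${NSB_IP6})	echo "ns-B IPv6";;
	${NSB_LO_IP})	echo "ns-B loopback IP";;
	${NSB_LO_IP6})	echo "ns-B loopback IPv6";;
	${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;

	${NL_IP})       echo "nonlocal IP";;
	${NL_IP6})      echo "nonlocal IPv6";;

	${VRF_IP})	echo "VRF IP";;
	${VRF_IP6})	echo "VRF IPv6";;

	${MCAST}%*)	echo "multicast IP";;

	*) echo "unknown";;
	esac
}

# Print the fe80 address of a device in a namespace, without the prefix
# length.
# Arguments: $1 - namespace, $2 - device
# Returns:   1 when no fe80 address is found, else 0
get_linklocal()
{
	local ns=$1
	local dev=$2
	local addr

	addr=$(ip -netns ${ns} -6 -br addr show dev ${dev} | \
	awk '{
		for (i = 3; i <= NF; ++i) {
			if ($i ~ /^fe80/)
				print $i
		}
	}'
	)
	# drop everything from the first '/' on
	addr=${addr/\/*}

	[ -z "$addr" ] && return 1

	echo $addr

	return 0
}

################################################################################
# create namespaces and vrf

# Create a VRF device in a namespace and move the local rule behind it.
# Arguments: $1 - namespace
#            $2 - VRF device name
#            $3 - routing table id
#            $4 - IPv4 address for the VRF device, or "-" for none
#            $5 - IPv6 address for the VRF device, or "-" for none
create_vrf()
{
	local ns=$1
	local vrf=$2
	local table=$3
	local addr=$4
	local addr6=$5

	ip -netns ${ns} link add ${vrf} type vrf table ${table}
	ip -netns ${ns} link set ${vrf} up
	ip -netns ${ns} route add vrf ${vrf} unreachable default metric 8192
	ip -netns ${ns} -6 route add vrf ${vrf} unreachable default metric 8192

	ip -netns ${ns} addr add 127.0.0.1/8 dev ${vrf}
	ip -netns ${ns} -6 addr add ::1 dev ${vrf} nodad
	if [ "${addr}" != "-" ]; then
		ip -netns ${ns} addr add dev ${vrf} ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns ${ns} -6 addr add dev ${vrf} ${addr6}
	fi

	# replace the pref 0 'local' rule with one at pref 32765
	ip -netns ${ns} ru del pref 0
	ip -netns ${ns} ru add pref 32765 from all lookup local
	ip -netns ${ns} -6 ru del pref 0
	ip -netns ${ns} -6 ru add pref 32765 from all lookup local
}

# Create a namespace with 'lo' up, unreachable default routes and
# forwarding enabled.
# Arguments: $1 - namespace
#            $2 - IPv4 address to add on lo, or "-" for none
#            $3 - IPv6 address to add on lo, or "-" for none
create_ns()
{
	local ns=$1
	local addr=$2
	local addr6=$3

	ip netns add ${ns}

	ip -netns ${ns} link set lo up
	if [ "${addr}" != "-" ]; then
		ip -netns ${ns} addr add dev lo ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns ${ns} -6 addr add dev lo ${addr6}
	fi

	ip -netns ${ns} ro add unreachable default metric 8192
	ip -netns ${ns} -6 ro add unreachable default metric 8192

	ip netns exec ${ns} sysctl -qw net.ipv4.ip_forward=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.forwarding=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.forwarding=1
}

# create veth pair to connect namespaces and apply addresses.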
422connect_ns() 423{ 424 local ns1=$1 425 local ns1_dev=$2 426 local ns1_addr=$3 427 local ns1_addr6=$4 428 local ns2=$5 429 local ns2_dev=$6 430 local ns2_addr=$7 431 local ns2_addr6=$8 432 433 ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp 434 ip -netns ${ns1} li set ${ns1_dev} up 435 ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev} 436 ip -netns ${ns2} li set ${ns2_dev} up 437 438 if [ "${ns1_addr}" != "-" ]; then 439 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr} 440 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr} 441 fi 442 443 if [ "${ns1_addr6}" != "-" ]; then 444 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6} 445 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6} 446 fi 447} 448 449cleanup() 450{ 451 # explicit cleanups to check those code paths 452 ip netns | grep -q ${NSA} 453 if [ $? -eq 0 ]; then 454 ip -netns ${NSA} link delete ${VRF} 455 ip -netns ${NSA} ro flush table ${VRF_TABLE} 456 457 ip -netns ${NSA} addr flush dev ${NSA_DEV} 458 ip -netns ${NSA} -6 addr flush dev ${NSA_DEV} 459 ip -netns ${NSA} link set dev ${NSA_DEV} down 460 ip -netns ${NSA} link del dev ${NSA_DEV} 461 462 ip netns pids ${NSA} | xargs kill 2>/dev/null 463 ip netns del ${NSA} 464 fi 465 466 ip netns pids ${NSB} | xargs kill 2>/dev/null 467 ip netns del ${NSB} 468 ip netns pids ${NSC} | xargs kill 2>/dev/null 469 ip netns del ${NSC} >/dev/null 2>&1 470} 471 472cleanup_vrf_dup() 473{ 474 ip link del ${NSA_DEV2} >/dev/null 2>&1 475 ip netns pids ${NSC} | xargs kill 2>/dev/null 476 ip netns del ${NSC} >/dev/null 2>&1 477} 478 479setup_vrf_dup() 480{ 481 # some VRF tests use ns-C which has the same config as 482 # ns-B but for a device NOT in the VRF 483 create_ns ${NSC} "-" "-" 484 connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \ 485 ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 486} 487 488setup() 489{ 490 local with_vrf=${1} 491 492 # make sure we are starting with a clean slate 493 kill_procs 494 cleanup 2>/dev/null 495 496 
log_debug "Configuring network namespaces" 497 set -e 498 499 create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128 500 create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128 501 connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \ 502 ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 503 504 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 505 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 506 507 # tell ns-A how to get to remote addresses of ns-B 508 if [ "${with_vrf}" = "yes" ]; then 509 create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6} 510 511 ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF} 512 ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 513 ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 514 515 ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 516 ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 517 else 518 ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 519 ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 520 fi 521 522 523 # tell ns-B how to get to remote addresses of ns-A 524 ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 525 ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 526 527 set +e 528 529 sleep 1 530} 531 532setup_lla_only() 533{ 534 # make sure we are starting with a clean slate 535 kill_procs 536 cleanup 2>/dev/null 537 538 log_debug "Configuring network namespaces" 539 set -e 540 541 create_ns ${NSA} "-" "-" 542 create_ns ${NSB} "-" "-" 543 create_ns ${NSC} "-" "-" 544 connect_ns ${NSA} ${NSA_DEV} "-" "-" \ 545 ${NSB} ${NSB_DEV} "-" "-" 546 connect_ns ${NSA} ${NSA_DEV2} "-" "-" \ 547 ${NSC} ${NSC_DEV} "-" "-" 548 549 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 550 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 551 NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV}) 552 553 create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-" 554 ip -netns ${NSA} link 
set dev ${NSA_DEV} vrf ${VRF} 555 ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF} 556 557 set +e 558 559 sleep 1 560} 561 562################################################################################ 563# IPv4 564 565ipv4_ping_novrf() 566{ 567 local a 568 569 # 570 # out 571 # 572 for a in ${NSB_IP} ${NSB_LO_IP} 573 do 574 log_start 575 run_cmd ping -c1 -w1 ${a} 576 log_test_addr ${a} $? 0 "ping out" 577 578 log_start 579 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 580 log_test_addr ${a} $? 0 "ping out, device bind" 581 582 log_start 583 run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a} 584 log_test_addr ${a} $? 0 "ping out, address bind" 585 done 586 587 # 588 # in 589 # 590 for a in ${NSA_IP} ${NSA_LO_IP} 591 do 592 log_start 593 run_cmd_nsb ping -c1 -w1 ${a} 594 log_test_addr ${a} $? 0 "ping in" 595 done 596 597 # 598 # local traffic 599 # 600 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 601 do 602 log_start 603 run_cmd ping -c1 -w1 ${a} 604 log_test_addr ${a} $? 0 "ping local" 605 done 606 607 # 608 # local traffic, socket bound to device 609 # 610 # address on device 611 a=${NSA_IP} 612 log_start 613 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 614 log_test_addr ${a} $? 0 "ping local, device bind" 615 616 # loopback addresses not reachable from device bind 617 # fails in a really weird way though because ipv4 special cases 618 # route lookups with oif set. 619 for a in ${NSA_LO_IP} 127.0.0.1 620 do 621 log_start 622 show_hint "Fails since address on loopback device is out of device scope" 623 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 624 log_test_addr ${a} $? 
1 "ping local, device bind" 625 done 626 627 # 628 # ip rule blocks reachability to remote address 629 # 630 log_start 631 setup_cmd ip rule add pref 32765 from all lookup local 632 setup_cmd ip rule del pref 0 from all lookup local 633 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 634 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 635 636 a=${NSB_LO_IP} 637 run_cmd ping -c1 -w1 ${a} 638 log_test_addr ${a} $? 2 "ping out, blocked by rule" 639 640 # NOTE: ipv4 actually allows the lookup to fail and yet still create 641 # a viable rtable if the oif (e.g., bind to device) is set, so this 642 # case succeeds despite the rule 643 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 644 645 a=${NSA_LO_IP} 646 log_start 647 show_hint "Response generates ICMP (or arp request is ignored) due to ip rule" 648 run_cmd_nsb ping -c1 -w1 ${a} 649 log_test_addr ${a} $? 1 "ping in, blocked by rule" 650 651 [ "$VERBOSE" = "1" ] && echo 652 setup_cmd ip rule del pref 32765 from all lookup local 653 setup_cmd ip rule add pref 0 from all lookup local 654 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 655 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 656 657 # 658 # route blocks reachability to remote address 659 # 660 log_start 661 setup_cmd ip route replace unreachable ${NSB_LO_IP} 662 setup_cmd ip route replace unreachable ${NSB_IP} 663 664 a=${NSB_LO_IP} 665 run_cmd ping -c1 -w1 ${a} 666 log_test_addr ${a} $? 2 "ping out, blocked by route" 667 668 # NOTE: ipv4 actually allows the lookup to fail and yet still create 669 # a viable rtable if the oif (e.g., bind to device) is set, so this 670 # case succeeds despite not having a route for the address 671 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 672 673 a=${NSA_LO_IP} 674 log_start 675 show_hint "Response is dropped (or arp request is ignored) due to ip route" 676 run_cmd_nsb ping -c1 -w1 ${a} 677 log_test_addr ${a} $? 
1 "ping in, blocked by route" 678 679 # 680 # remove 'remote' routes; fallback to default 681 # 682 log_start 683 setup_cmd ip ro del ${NSB_LO_IP} 684 685 a=${NSB_LO_IP} 686 run_cmd ping -c1 -w1 ${a} 687 log_test_addr ${a} $? 2 "ping out, unreachable default route" 688 689 # NOTE: ipv4 actually allows the lookup to fail and yet still create 690 # a viable rtable if the oif (e.g., bind to device) is set, so this 691 # case succeeds despite not having a route for the address 692 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 693} 694 695ipv4_ping_vrf() 696{ 697 local a 698 699 # should default on; does not exist on older kernels 700 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 701 702 # 703 # out 704 # 705 for a in ${NSB_IP} ${NSB_LO_IP} 706 do 707 log_start 708 run_cmd ping -c1 -w1 -I ${VRF} ${a} 709 log_test_addr ${a} $? 0 "ping out, VRF bind" 710 711 log_start 712 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 713 log_test_addr ${a} $? 0 "ping out, device bind" 714 715 log_start 716 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a} 717 log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind" 718 719 log_start 720 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a} 721 log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind" 722 done 723 724 # 725 # in 726 # 727 for a in ${NSA_IP} ${VRF_IP} 728 do 729 log_start 730 run_cmd_nsb ping -c1 -w1 ${a} 731 log_test_addr ${a} $? 0 "ping in" 732 done 733 734 # 735 # local traffic, local address 736 # 737 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 738 do 739 log_start 740 show_hint "Source address should be ${a}" 741 run_cmd ping -c1 -w1 -I ${VRF} ${a} 742 log_test_addr ${a} $? 0 "ping local, VRF bind" 743 done 744 745 # 746 # local traffic, socket bound to device 747 # 748 # address on device 749 a=${NSA_IP} 750 log_start 751 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 752 log_test_addr ${a} $? 
0 "ping local, device bind" 753 754 # vrf device is out of scope 755 for a in ${VRF_IP} 127.0.0.1 756 do 757 log_start 758 show_hint "Fails since address on vrf device is out of device scope" 759 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 760 log_test_addr ${a} $? 2 "ping local, device bind" 761 done 762 763 # 764 # ip rule blocks address 765 # 766 log_start 767 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 768 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 769 770 a=${NSB_LO_IP} 771 run_cmd ping -c1 -w1 -I ${VRF} ${a} 772 log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule" 773 774 log_start 775 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 776 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 777 778 a=${NSA_LO_IP} 779 log_start 780 show_hint "Response lost due to ip rule" 781 run_cmd_nsb ping -c1 -w1 ${a} 782 log_test_addr ${a} $? 1 "ping in, blocked by rule" 783 784 [ "$VERBOSE" = "1" ] && echo 785 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 786 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 787 788 # 789 # remove 'remote' routes; fallback to default 790 # 791 log_start 792 setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP} 793 794 a=${NSB_LO_IP} 795 run_cmd ping -c1 -w1 -I ${VRF} ${a} 796 log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route" 797 798 log_start 799 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 800 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 801 802 a=${NSA_LO_IP} 803 log_start 804 show_hint "Response lost by unreachable route" 805 run_cmd_nsb ping -c1 -w1 ${a} 806 log_test_addr ${a} $? 
1 "ping in, unreachable route" 807} 808 809ipv4_ping() 810{ 811 log_section "IPv4 ping" 812 813 log_subsection "No VRF" 814 setup 815 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null 816 ipv4_ping_novrf 817 setup 818 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 819 ipv4_ping_novrf 820 setup 821 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 822 ipv4_ping_novrf 823 824 log_subsection "With VRF" 825 setup "yes" 826 ipv4_ping_vrf 827 setup "yes" 828 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 829 ipv4_ping_vrf 830} 831 832################################################################################ 833# IPv4 TCP 834 835# 836# MD5 tests without VRF 837# 838ipv4_tcp_md5_novrf() 839{ 840 # 841 # single address 842 # 843 844 # basic use case 845 log_start 846 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 847 sleep 1 848 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 849 log_test $? 0 "MD5: Single address config" 850 851 # client sends MD5, server not configured 852 log_start 853 show_hint "Should timeout due to MD5 mismatch" 854 run_cmd nettest -s & 855 sleep 1 856 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 857 log_test $? 2 "MD5: Server no config, client uses password" 858 859 # wrong password 860 log_start 861 show_hint "Should timeout since client uses wrong password" 862 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 863 sleep 1 864 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 865 log_test $? 2 "MD5: Client uses wrong password" 866 867 # client from different address 868 log_start 869 show_hint "Should timeout due to MD5 mismatch" 870 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} & 871 sleep 1 872 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 873 log_test $? 
2 "MD5: Client address does not match address configured with password" 874 875 # 876 # MD5 extension - prefix length 877 # 878 879 # client in prefix 880 log_start 881 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 882 sleep 1 883 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 884 log_test $? 0 "MD5: Prefix config" 885 886 # client in prefix, wrong password 887 log_start 888 show_hint "Should timeout since client uses wrong password" 889 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 890 sleep 1 891 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 892 log_test $? 2 "MD5: Prefix config, client uses wrong password" 893 894 # client outside of prefix 895 log_start 896 show_hint "Should timeout due to MD5 mismatch" 897 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 898 sleep 1 899 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 900 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 901} 902 903# 904# MD5 tests with VRF 905# 906ipv4_tcp_md5() 907{ 908 # 909 # single address 910 # 911 912 # basic use case 913 log_start 914 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 915 sleep 1 916 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 917 log_test $? 0 "MD5: VRF: Single address config" 918 919 # client sends MD5, server not configured 920 log_start 921 show_hint "Should timeout since server does not have MD5 auth" 922 run_cmd nettest -s -I ${VRF} & 923 sleep 1 924 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 925 log_test $? 2 "MD5: VRF: Server no config, client uses password" 926 927 # wrong password 928 log_start 929 show_hint "Should timeout since client uses wrong password" 930 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 931 sleep 1 932 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 933 log_test $? 
2 "MD5: VRF: Client uses wrong password" 934 935 # client from different address 936 log_start 937 show_hint "Should timeout since server config differs from client" 938 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} & 939 sleep 1 940 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 941 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 942 943 # 944 # MD5 extension - prefix length 945 # 946 947 # client in prefix 948 log_start 949 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 950 sleep 1 951 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 952 log_test $? 0 "MD5: VRF: Prefix config" 953 954 # client in prefix, wrong password 955 log_start 956 show_hint "Should timeout since client uses wrong password" 957 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 958 sleep 1 959 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 960 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 961 962 # client outside of prefix 963 log_start 964 show_hint "Should timeout since client address is outside of prefix" 965 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 966 sleep 1 967 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 968 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" 969 970 # 971 # duplicate config between default VRF and a VRF 972 # 973 974 log_start 975 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 976 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 977 sleep 1 978 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 979 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 980 981 log_start 982 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 983 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 984 sleep 1 985 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 986 log_test $? 
0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 987 988 log_start 989 show_hint "Should timeout since client in default VRF uses VRF password" 990 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 991 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 992 sleep 1 993 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 994 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 995 996 log_start 997 show_hint "Should timeout since client in VRF uses default VRF password" 998 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 999 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 1000 sleep 1 1001 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1002 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 1003 1004 log_start 1005 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1006 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1007 sleep 1 1008 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1009 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 1010 1011 log_start 1012 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1013 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1014 sleep 1 1015 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1016 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 1017 1018 log_start 1019 show_hint "Should timeout since client in default VRF uses VRF password" 1020 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1021 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1022 sleep 1 1023 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1024 log_test $? 
2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 1025 1026 log_start 1027 show_hint "Should timeout since client in VRF uses default VRF password" 1028 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1029 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1030 sleep 1 1031 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1032 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 1033 1034 # 1035 # negative tests 1036 # 1037 log_start 1038 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP} 1039 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 1040 1041 log_start 1042 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET} 1043 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 1044 1045 test_ipv4_md5_vrf__vrf_server__no_bind_ifindex 1046 test_ipv4_md5_vrf__global_server__bind_ifindex0 1047} 1048 1049test_ipv4_md5_vrf__vrf_server__no_bind_ifindex() 1050{ 1051 log_start 1052 show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX" 1053 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1054 sleep 1 1055 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1056 log_test $? 0 "MD5: VRF: VRF-bound server, unbound key accepts connection" 1057 1058 log_start 1059 show_hint "Binding both the socket and the key is not required but it works" 1060 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1061 sleep 1 1062 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1063 log_test $? 
0 "MD5: VRF: VRF-bound server, bound key accepts connection" 1064} 1065 1066test_ipv4_md5_vrf__global_server__bind_ifindex0() 1067{ 1068 # This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections 1069 local old_tcp_l3mdev_accept 1070 old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept) 1071 set_sysctl net.ipv4.tcp_l3mdev_accept=1 1072 1073 log_start 1074 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1075 sleep 1 1076 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1077 log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection" 1078 1079 log_start 1080 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1081 sleep 1 1082 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1083 log_test $? 0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection" 1084 log_start 1085 1086 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1087 sleep 1 1088 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1089 log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection" 1090 1091 log_start 1092 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1093 sleep 1 1094 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1095 log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection" 1096 1097 # restore value 1098 set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept" 1099} 1100 1101ipv4_tcp_novrf() 1102{ 1103 local a 1104 1105 # 1106 # server tests 1107 # 1108 for a in ${NSA_IP} ${NSA_LO_IP} 1109 do 1110 log_start 1111 run_cmd nettest -s & 1112 sleep 1 1113 run_cmd_nsb nettest -r ${a} 1114 log_test_addr ${a} $? 0 "Global server" 1115 done 1116 1117 a=${NSA_IP} 1118 log_start 1119 run_cmd nettest -s -I ${NSA_DEV} & 1120 sleep 1 1121 run_cmd_nsb nettest -r ${a} 1122 log_test_addr ${a} $? 
0 "Device server" 1123 1124 # verify TCP reset sent and received 1125 for a in ${NSA_IP} ${NSA_LO_IP} 1126 do 1127 log_start 1128 show_hint "Should fail 'Connection refused' since there is no server" 1129 run_cmd_nsb nettest -r ${a} 1130 log_test_addr ${a} $? 1 "No server" 1131 done 1132 1133 # 1134 # client 1135 # 1136 for a in ${NSB_IP} ${NSB_LO_IP} 1137 do 1138 log_start 1139 run_cmd_nsb nettest -s & 1140 sleep 1 1141 run_cmd nettest -r ${a} -0 ${NSA_IP} 1142 log_test_addr ${a} $? 0 "Client" 1143 1144 log_start 1145 run_cmd_nsb nettest -s & 1146 sleep 1 1147 run_cmd nettest -r ${a} -d ${NSA_DEV} 1148 log_test_addr ${a} $? 0 "Client, device bind" 1149 1150 log_start 1151 show_hint "Should fail 'Connection refused'" 1152 run_cmd nettest -r ${a} 1153 log_test_addr ${a} $? 1 "No server, unbound client" 1154 1155 log_start 1156 show_hint "Should fail 'Connection refused'" 1157 run_cmd nettest -r ${a} -d ${NSA_DEV} 1158 log_test_addr ${a} $? 1 "No server, device client" 1159 done 1160 1161 # 1162 # local address tests 1163 # 1164 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1165 do 1166 log_start 1167 run_cmd nettest -s & 1168 sleep 1 1169 run_cmd nettest -r ${a} -0 ${a} -1 ${a} 1170 log_test_addr ${a} $? 0 "Global server, local connection" 1171 done 1172 1173 a=${NSA_IP} 1174 log_start 1175 run_cmd nettest -s -I ${NSA_DEV} & 1176 sleep 1 1177 run_cmd nettest -r ${a} -0 ${a} 1178 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 1179 1180 for a in ${NSA_LO_IP} 127.0.0.1 1181 do 1182 log_start 1183 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 1184 run_cmd nettest -s -I ${NSA_DEV} & 1185 sleep 1 1186 run_cmd nettest -r ${a} 1187 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 1188 done 1189 1190 a=${NSA_IP} 1191 log_start 1192 run_cmd nettest -s & 1193 sleep 1 1194 run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV} 1195 log_test_addr ${a} $? 
0 "Global server, device client, local connection" 1196 1197 for a in ${NSA_LO_IP} 127.0.0.1 1198 do 1199 log_start 1200 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 1201 run_cmd nettest -s & 1202 sleep 1 1203 run_cmd nettest -r ${a} -d ${NSA_DEV} 1204 log_test_addr ${a} $? 1 "Global server, device client, local connection" 1205 done 1206 1207 a=${NSA_IP} 1208 log_start 1209 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1210 sleep 1 1211 run_cmd nettest -d ${NSA_DEV} -r ${a} -0 ${a} 1212 log_test_addr ${a} $? 0 "Device server, device client, local connection" 1213 1214 log_start 1215 show_hint "Should fail 'Connection refused'" 1216 run_cmd nettest -d ${NSA_DEV} -r ${a} 1217 log_test_addr ${a} $? 1 "No server, device client, local conn" 1218 1219 ipv4_tcp_md5_novrf 1220} 1221 1222ipv4_tcp_vrf() 1223{ 1224 local a 1225 1226 # disable global server 1227 log_subsection "Global server disabled" 1228 1229 set_sysctl net.ipv4.tcp_l3mdev_accept=0 1230 1231 # 1232 # server tests 1233 # 1234 for a in ${NSA_IP} ${VRF_IP} 1235 do 1236 log_start 1237 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 1238 run_cmd nettest -s & 1239 sleep 1 1240 run_cmd_nsb nettest -r ${a} 1241 log_test_addr ${a} $? 1 "Global server" 1242 1243 log_start 1244 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1245 sleep 1 1246 run_cmd_nsb nettest -r ${a} 1247 log_test_addr ${a} $? 0 "VRF server" 1248 1249 log_start 1250 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1251 sleep 1 1252 run_cmd_nsb nettest -r ${a} 1253 log_test_addr ${a} $? 0 "Device server" 1254 1255 # verify TCP reset received 1256 log_start 1257 show_hint "Should fail 'Connection refused' since there is no server" 1258 run_cmd_nsb nettest -r ${a} 1259 log_test_addr ${a} $? 
1 "No server" 1260 done 1261 1262 # local address tests 1263 # (${VRF_IP} and 127.0.0.1 both timeout) 1264 a=${NSA_IP} 1265 log_start 1266 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 1267 run_cmd nettest -s & 1268 sleep 1 1269 run_cmd nettest -r ${a} -d ${NSA_DEV} 1270 log_test_addr ${a} $? 1 "Global server, local connection" 1271 1272 # run MD5 tests 1273 setup_vrf_dup 1274 ipv4_tcp_md5 1275 cleanup_vrf_dup 1276 1277 # 1278 # enable VRF global server 1279 # 1280 log_subsection "VRF Global server enabled" 1281 set_sysctl net.ipv4.tcp_l3mdev_accept=1 1282 1283 for a in ${NSA_IP} ${VRF_IP} 1284 do 1285 log_start 1286 show_hint "client socket should be bound to VRF" 1287 run_cmd nettest -s -3 ${VRF} & 1288 sleep 1 1289 run_cmd_nsb nettest -r ${a} 1290 log_test_addr ${a} $? 0 "Global server" 1291 1292 log_start 1293 show_hint "client socket should be bound to VRF" 1294 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1295 sleep 1 1296 run_cmd_nsb nettest -r ${a} 1297 log_test_addr ${a} $? 0 "VRF server" 1298 1299 # verify TCP reset received 1300 log_start 1301 show_hint "Should fail 'Connection refused'" 1302 run_cmd_nsb nettest -r ${a} 1303 log_test_addr ${a} $? 1 "No server" 1304 done 1305 1306 a=${NSA_IP} 1307 log_start 1308 show_hint "client socket should be bound to device" 1309 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1310 sleep 1 1311 run_cmd_nsb nettest -r ${a} 1312 log_test_addr ${a} $? 0 "Device server" 1313 1314 # local address tests 1315 for a in ${NSA_IP} ${VRF_IP} 1316 do 1317 log_start 1318 show_hint "Should fail 'Connection refused' since client is not bound to VRF" 1319 run_cmd nettest -s -I ${VRF} & 1320 sleep 1 1321 run_cmd nettest -r ${a} 1322 log_test_addr ${a} $? 1 "Global server, local connection" 1323 done 1324 1325 # 1326 # client 1327 # 1328 for a in ${NSB_IP} ${NSB_LO_IP} 1329 do 1330 log_start 1331 run_cmd_nsb nettest -s & 1332 sleep 1 1333 run_cmd nettest -r ${a} -d ${VRF} 1334 log_test_addr ${a} $? 
0 "Client, VRF bind" 1335 1336 log_start 1337 run_cmd_nsb nettest -s & 1338 sleep 1 1339 run_cmd nettest -r ${a} -d ${NSA_DEV} 1340 log_test_addr ${a} $? 0 "Client, device bind" 1341 1342 log_start 1343 show_hint "Should fail 'Connection refused'" 1344 run_cmd nettest -r ${a} -d ${VRF} 1345 log_test_addr ${a} $? 1 "No server, VRF client" 1346 1347 log_start 1348 show_hint "Should fail 'Connection refused'" 1349 run_cmd nettest -r ${a} -d ${NSA_DEV} 1350 log_test_addr ${a} $? 1 "No server, device client" 1351 done 1352 1353 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 1354 do 1355 log_start 1356 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1357 sleep 1 1358 run_cmd nettest -r ${a} -d ${VRF} -0 ${a} 1359 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 1360 done 1361 1362 a=${NSA_IP} 1363 log_start 1364 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1365 sleep 1 1366 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a} 1367 log_test_addr ${a} $? 0 "VRF server, device client, local connection" 1368 1369 log_start 1370 show_hint "Should fail 'No route to host' since client is out of VRF scope" 1371 run_cmd nettest -s -I ${VRF} & 1372 sleep 1 1373 run_cmd nettest -r ${a} 1374 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection" 1375 1376 log_start 1377 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1378 sleep 1 1379 run_cmd nettest -r ${a} -d ${VRF} -0 ${a} 1380 log_test_addr ${a} $? 0 "Device server, VRF client, local connection" 1381 1382 log_start 1383 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1384 sleep 1 1385 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a} 1386 log_test_addr ${a} $? 
0 "Device server, device client, local connection"
}

# Entry point for the IPv4 TCP tests. After a plain setup it runs
# ipv4_tcp_novrf twice (tcp_l3mdev_accept=0, then =1), then calls
# setup "yes" and runs ipv4_tcp_vrf.
ipv4_tcp()
{
	log_section "IPv4/TCP"
	log_subsection "No VRF"
	setup

	# tcp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "tcp_l3mdev_accept disabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=0
	ipv4_tcp_novrf
	log_subsection "tcp_l3mdev_accept enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1
	ipv4_tcp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_tcp_vrf
}

################################################################################
# IPv4 UDP

# IPv4 UDP matrix without a VRF (every nettest call passes -D): server,
# client and local-address cases for unbound and device-bound sockets,
# including device selection via cmsg (-C) and IP_UNICAST_IF (-S) as named
# in the test descriptions. The third argument to log_test_addr is the
# nettest exit status the case expects.
ipv4_udp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		# server in the background, fixed sleep (no readiness check),
		# then the client; log_test_addr consumes the client's $?
		log_start
		run_cmd nettest -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -D -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP}
		log_test_addr ${a} $?
0 "Client, device send via cmsg" 1462 1463 log_start 1464 run_cmd_nsb nettest -D -s & 1465 sleep 1 1466 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} 1467 log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF" 1468 1469 log_start 1470 show_hint "Should fail 'Connection refused'" 1471 run_cmd nettest -D -r ${a} 1472 log_test_addr ${a} $? 1 "No server, unbound client" 1473 1474 log_start 1475 show_hint "Should fail 'Connection refused'" 1476 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1477 log_test_addr ${a} $? 1 "No server, device client" 1478 done 1479 1480 # 1481 # local address tests 1482 # 1483 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1484 do 1485 log_start 1486 run_cmd nettest -D -s & 1487 sleep 1 1488 run_cmd nettest -D -r ${a} -0 ${a} -1 ${a} 1489 log_test_addr ${a} $? 0 "Global server, local connection" 1490 done 1491 1492 a=${NSA_IP} 1493 log_start 1494 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1495 sleep 1 1496 run_cmd nettest -D -r ${a} 1497 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 1498 1499 for a in ${NSA_LO_IP} 127.0.0.1 1500 do 1501 log_start 1502 show_hint "Should fail 'Connection refused' since address is out of device scope" 1503 run_cmd nettest -s -D -I ${NSA_DEV} & 1504 sleep 1 1505 run_cmd nettest -D -r ${a} 1506 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 1507 done 1508 1509 a=${NSA_IP} 1510 log_start 1511 run_cmd nettest -s -D & 1512 sleep 1 1513 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1514 log_test_addr ${a} $? 0 "Global server, device client, local connection" 1515 1516 log_start 1517 run_cmd nettest -s -D & 1518 sleep 1 1519 run_cmd nettest -D -d ${NSA_DEV} -C -r ${a} 1520 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 1521 1522 log_start 1523 run_cmd nettest -s -D & 1524 sleep 1 1525 run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} 1526 log_test_addr ${a} $? 
0 "Global server, device client via IP_UNICAST_IF, local connection" 1527 1528 # IPv4 with device bind has really weird behavior - it overrides the 1529 # fib lookup, generates an rtable and tries to send the packet. This 1530 # causes failures for local traffic at different places 1531 for a in ${NSA_LO_IP} 127.0.0.1 1532 do 1533 log_start 1534 show_hint "Should fail since addresses on loopback are out of device scope" 1535 run_cmd nettest -D -s & 1536 sleep 1 1537 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1538 log_test_addr ${a} $? 2 "Global server, device client, local connection" 1539 1540 log_start 1541 show_hint "Should fail since addresses on loopback are out of device scope" 1542 run_cmd nettest -D -s & 1543 sleep 1 1544 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C 1545 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 1546 1547 log_start 1548 show_hint "Should fail since addresses on loopback are out of device scope" 1549 run_cmd nettest -D -s & 1550 sleep 1 1551 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S 1552 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 1553 done 1554 1555 a=${NSA_IP} 1556 log_start 1557 run_cmd nettest -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1558 sleep 1 1559 run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a} 1560 log_test_addr ${a} $? 0 "Device server, device client, local conn" 1561 1562 log_start 1563 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1564 log_test_addr ${a} $? 2 "No server, device client, local conn" 1565} 1566 1567ipv4_udp_vrf() 1568{ 1569 local a 1570 1571 # disable global server 1572 log_subsection "Global server disabled" 1573 set_sysctl net.ipv4.udp_l3mdev_accept=0 1574 1575 # 1576 # server tests 1577 # 1578 for a in ${NSA_IP} ${VRF_IP} 1579 do 1580 log_start 1581 show_hint "Fails because ingress is in a VRF and global server is disabled" 1582 run_cmd nettest -D -s & 1583 sleep 1 1584 run_cmd_nsb nettest -D -r ${a} 1585 log_test_addr ${a} $? 
1 "Global server" 1586 1587 log_start 1588 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} & 1589 sleep 1 1590 run_cmd_nsb nettest -D -r ${a} 1591 log_test_addr ${a} $? 0 "VRF server" 1592 1593 log_start 1594 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1595 sleep 1 1596 run_cmd_nsb nettest -D -r ${a} 1597 log_test_addr ${a} $? 0 "Enslaved device server" 1598 1599 log_start 1600 show_hint "Should fail 'Connection refused' since there is no server" 1601 run_cmd_nsb nettest -D -r ${a} 1602 log_test_addr ${a} $? 1 "No server" 1603 1604 log_start 1605 show_hint "Should fail 'Connection refused' since global server is out of scope" 1606 run_cmd nettest -D -s & 1607 sleep 1 1608 run_cmd nettest -D -d ${VRF} -r ${a} 1609 log_test_addr ${a} $? 1 "Global server, VRF client, local connection" 1610 done 1611 1612 a=${NSA_IP} 1613 log_start 1614 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1615 sleep 1 1616 run_cmd nettest -D -d ${VRF} -r ${a} 1617 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1618 1619 log_start 1620 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1621 sleep 1 1622 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1623 log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection" 1624 1625 a=${NSA_IP} 1626 log_start 1627 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1628 sleep 1 1629 run_cmd nettest -D -d ${VRF} -r ${a} 1630 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 1631 1632 log_start 1633 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1634 sleep 1 1635 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1636 log_test_addr ${a} $? 
0 "Enslaved device server, device client, local conn" 1637 1638 # enable global server 1639 log_subsection "Global server enabled" 1640 set_sysctl net.ipv4.udp_l3mdev_accept=1 1641 1642 # 1643 # server tests 1644 # 1645 for a in ${NSA_IP} ${VRF_IP} 1646 do 1647 log_start 1648 run_cmd nettest -D -s -3 ${NSA_DEV} & 1649 sleep 1 1650 run_cmd_nsb nettest -D -r ${a} 1651 log_test_addr ${a} $? 0 "Global server" 1652 1653 log_start 1654 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} & 1655 sleep 1 1656 run_cmd_nsb nettest -D -r ${a} 1657 log_test_addr ${a} $? 0 "VRF server" 1658 1659 log_start 1660 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1661 sleep 1 1662 run_cmd_nsb nettest -D -r ${a} 1663 log_test_addr ${a} $? 0 "Enslaved device server" 1664 1665 log_start 1666 show_hint "Should fail 'Connection refused'" 1667 run_cmd_nsb nettest -D -r ${a} 1668 log_test_addr ${a} $? 1 "No server" 1669 done 1670 1671 # 1672 # client tests 1673 # 1674 log_start 1675 run_cmd_nsb nettest -D -s & 1676 sleep 1 1677 run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP} 1678 log_test $? 0 "VRF client" 1679 1680 log_start 1681 run_cmd_nsb nettest -D -s & 1682 sleep 1 1683 run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP} 1684 log_test $? 0 "Enslaved device client" 1685 1686 # negative test - should fail 1687 log_start 1688 show_hint "Should fail 'Connection refused'" 1689 run_cmd nettest -D -d ${VRF} -r ${NSB_IP} 1690 log_test $? 1 "No server, VRF client" 1691 1692 log_start 1693 show_hint "Should fail 'Connection refused'" 1694 run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP} 1695 log_test $? 1 "No server, enslaved device client" 1696 1697 # 1698 # local address tests 1699 # 1700 a=${NSA_IP} 1701 log_start 1702 run_cmd nettest -D -s -3 ${NSA_DEV} & 1703 sleep 1 1704 run_cmd nettest -D -d ${VRF} -r ${a} 1705 log_test_addr ${a} $? 
0 "Global server, VRF client, local conn" 1706 1707 log_start 1708 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1709 sleep 1 1710 run_cmd nettest -D -d ${VRF} -r ${a} 1711 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1712 1713 log_start 1714 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1715 sleep 1 1716 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1717 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 1718 1719 log_start 1720 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1721 sleep 1 1722 run_cmd nettest -D -d ${VRF} -r ${a} 1723 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 1724 1725 log_start 1726 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1727 sleep 1 1728 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1729 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 1730 1731 for a in ${VRF_IP} 127.0.0.1 1732 do 1733 log_start 1734 run_cmd nettest -D -s -3 ${VRF} & 1735 sleep 1 1736 run_cmd nettest -D -d ${VRF} -r ${a} 1737 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 1738 done 1739 1740 for a in ${VRF_IP} 127.0.0.1 1741 do 1742 log_start 1743 run_cmd nettest -s -D -I ${VRF} -3 ${VRF} & 1744 sleep 1 1745 run_cmd nettest -D -d ${VRF} -r ${a} 1746 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1747 done 1748 1749 # negative test - should fail 1750 # verifies ECONNREFUSED 1751 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 1752 do 1753 log_start 1754 show_hint "Should fail 'Connection refused'" 1755 run_cmd nettest -D -d ${VRF} -r ${a} 1756 log_test_addr ${a} $? 
1 "No server, VRF client, local conn"
	done
}

# Entry point for the IPv4 UDP tests. After a plain setup it runs
# ipv4_udp_novrf twice (udp_l3mdev_accept=0, then =1), then calls
# setup "yes" and runs ipv4_udp_vrf.
ipv4_udp()
{
	log_section "IPv4/UDP"
	log_subsection "No VRF"

	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv4_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv4_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_udp_vrf
}

################################################################################
# IPv4 address bind
#
# verifies ability or inability to bind to an address / device

# Bind checks without a VRF (every nettest call passes -b): raw, TCP and
# ICMP sockets against local, nonlocal, broadcast and multicast addresses.
# The third argument to log_test_addr is the expected nettest exit status;
# 1 marks a bind that must be refused.
# NOTE(review): 'a' is not declared local here (nor in ipv4_addr_bind_vrf),
# unlike the other test functions in this file, so it is assigned in the
# caller's scope.
ipv4_addr_bind_novrf()
{
	#
	# raw socket
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# tests for nonlocal bind
	#
	# NL_IP is listed at the top of the file under "non-local addresses for
	# freebind tests"; all three binds below (each passing -f) are expected
	# to succeed.
	a=${NL_IP}
	log_start
	run_cmd nettest -s -R -f -l ${a} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

	log_start
	run_cmd nettest -s -f -l ${a} -b
	log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address"

	log_start
	run_cmd nettest -s -D -P icmp -f -l ${a} -b
	log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address"

	#
	# check that ICMP sockets cannot bind to broadcast and multicast addresses
	#
	a=${BCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address"

	a=${MCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to multicast address"

	#
	# tcp sockets
	#
	a=${NSA_IP}
	log_start
	run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not
	#a=${NSA_LO_IP}
	#log_start
	#show_hint "Should fail with 'Cannot assign requested address'"
	#run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
	#log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
	#
	# NOTE(review): per the comment above, a device bind is not an
	# address-scope check. Code that relies on device binding for isolation
	# should not assume the bound address lives on that device; the VRF
	# variant of this test does assert the rejection (see the "invalid local
	# address" cases in ipv4_addr_bind_vrf).
}

# Bind checks with the VRF configured. In addition to the cases in
# ipv4_addr_bind_novrf, these assert the scope rules named in the hints:
# a raw socket not bound to the VRF cannot bind an address that is in the
# VRF, and an address on loopback is out of scope for sockets bound to the
# VRF or to a device in it (expected status 1).
ipv4_addr_bind_vrf()
{
	#
	# raw socket
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Socket not bound to VRF, but address is in VRF"
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 1 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind"

	#
	# tests for nonlocal bind
	#
	a=${NL_IP}
	log_start
	run_cmd nettest -s -R -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	log_start
	run_cmd nettest -s -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address after VRF bind"

	log_start
	run_cmd nettest -s -D -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address after VRF bind"

	#
	# check that ICMP sockets cannot bind to broadcast and multicast addresses
	#
	a=${BCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address after VRF bind"

	a=${MCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to multicast address after VRF bind"

	#
	# tcp sockets
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address"

		log_start
		run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
}

# Entry point for the IPv4 bind tests: plain setup + ipv4_addr_bind_novrf,
# then setup "yes" + ipv4_addr_bind_vrf.
# ping_group_range is set to '0 2147483647' after each setup, presumably so
# the "-D -P icmp" cases can create ICMP sockets - TODO confirm.
# NOTE(review): stderr of set_sysctl is discarded, so a failed write is
# silent and would surface only as failing ICMP cases.
ipv4_addr_bind()
{
	log_section "IPv4 address binds"

	log_subsection "No VRF"
	setup
	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
	ipv4_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
	ipv4_addr_bind_vrf
}

################################################################################
# IPv4 runtime tests

# Device-delete-under-traffic cases for nettest.
# Arguments: $1 - description prefix used in the test names
#            $2 - extra nettest arguments (expanded unquoted, so it may
#                 carry several words)
# Each case starts a server and a client in the background, deletes the VRF
# device while they run, records the result and re-runs setup.
# log_test_addr is called with rc 0 and expected 0, so every case is
# recorded as OK unconditionally.
# NOTE(review): presumably the real signal is that the kernel survives the
# delete - confirm; a hang or crash is the only way these cases fail.
ipv4_rt()
{
	local desc="$1"
	local varg="$2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -s -I ${VRF} &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest ${varg} -s -I ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest ${varg} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device server"

	setup ${with_vrf}

	#
	# client test
	#
	# 'a' still holds NSA_IP from above; the client targets NSB_IP, so the
	# address shown in the test name is not the one connected to.
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r
${NSB_IP} & 2021 sleep 3 2022 run_cmd ip link del ${VRF} 2023 sleep 1 2024 log_test_addr ${a} 0 0 "${desc}, enslaved device client" 2025 2026 setup ${with_vrf} 2027 2028 # 2029 # local address tests 2030 # 2031 for a in ${NSA_IP} ${VRF_IP} 2032 do 2033 log_start 2034 run_cmd nettest ${varg} -s & 2035 sleep 1 2036 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 2037 sleep 3 2038 run_cmd ip link del ${VRF} 2039 sleep 1 2040 log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local" 2041 2042 setup ${with_vrf} 2043 done 2044 2045 for a in ${NSA_IP} ${VRF_IP} 2046 do 2047 log_start 2048 run_cmd nettest ${varg} -I ${VRF} -s & 2049 sleep 1 2050 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 2051 sleep 3 2052 run_cmd ip link del ${VRF} 2053 sleep 1 2054 log_test_addr ${a} 0 0 "${desc}, VRF server and client, local" 2055 2056 setup ${with_vrf} 2057 done 2058 2059 a=${NSA_IP} 2060 log_start 2061 2062 run_cmd nettest ${varg} -s & 2063 sleep 1 2064 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 2065 sleep 3 2066 run_cmd ip link del ${VRF} 2067 sleep 1 2068 log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local" 2069 2070 setup ${with_vrf} 2071 2072 log_start 2073 run_cmd nettest ${varg} -I ${VRF} -s & 2074 sleep 1 2075 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 2076 sleep 3 2077 run_cmd ip link del ${VRF} 2078 sleep 1 2079 log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local" 2080 2081 setup ${with_vrf} 2082 2083 log_start 2084 run_cmd nettest ${varg} -I ${NSA_DEV} -s & 2085 sleep 1 2086 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 2087 sleep 3 2088 run_cmd ip link del ${VRF} 2089 sleep 1 2090 log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local" 2091} 2092 2093ipv4_ping_rt() 2094{ 2095 local with_vrf="yes" 2096 local a 2097 2098 for a in ${NSA_IP} ${VRF_IP} 2099 do 2100 log_start 2101 run_cmd_nsb ping -f ${a} & 2102 sleep 3 2103 run_cmd ip link del ${VRF} 2104 sleep 1 2105 log_test_addr ${a} 0 0 
"Device delete with active traffic - ping in"

		setup ${with_vrf}
	done

	# flood ping out through the VRF in the background, then delete the
	# VRF device while it runs; rc and expected are both passed as 0
	a=${NSB_IP}
	log_start
	run_cmd ping -f -I ${VRF} ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

# Entry point for the IPv4 run-time tests: ipv4_ping_rt, then ipv4_rt for
# "TCP active socket" (nettest args "-n -1") and "TCP passive socket"
# ("-i"). setup "yes" is re-run before each call because the last case of
# each function deletes the VRF device without restoring it.
ipv4_runtime()
{
	log_section "Run time tests - ipv4"

	setup "yes"
	ipv4_ping_rt

	setup "yes"
	ipv4_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv4_rt "TCP passive socket" "-i"
}

################################################################################
# IPv6

# IPv6 ping matrix without a VRF: out, in and local cases, followed by
# cases where an ip rule or a route blocks the address. The third argument
# to log_test_addr is the ping exit status the case expects.
ipv6_ping_novrf()
{
	local a

	# should not have an impact, but make a known state
	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null

	#
	# out
	#
	# link-local and multicast targets carry a %device suffix
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping out"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a}
		log_test_addr ${a} $? 0 "ping out, loopback address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
	do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	#
	# local traffic, local address
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $?
0 "ping local, no bind" 2182 done 2183 2184 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2185 do 2186 log_start 2187 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2188 log_test_addr ${a} $? 0 "ping local, device bind" 2189 done 2190 2191 for a in ${NSA_LO_IP6} ::1 2192 do 2193 log_start 2194 show_hint "Fails since address on loopback is out of device scope" 2195 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2196 log_test_addr ${a} $? 2 "ping local, device bind" 2197 done 2198 2199 # 2200 # ip rule blocks address 2201 # 2202 log_start 2203 setup_cmd ip -6 rule add pref 32765 from all lookup local 2204 setup_cmd ip -6 rule del pref 0 from all lookup local 2205 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2206 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2207 2208 a=${NSB_LO_IP6} 2209 run_cmd ${ping6} -c1 -w1 ${a} 2210 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2211 2212 log_start 2213 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2214 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2215 2216 a=${NSA_LO_IP6} 2217 log_start 2218 show_hint "Response lost due to ip rule" 2219 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2220 log_test_addr ${a} $? 1 "ping in, blocked by rule" 2221 2222 setup_cmd ip -6 rule add pref 0 from all lookup local 2223 setup_cmd ip -6 rule del pref 32765 from all lookup local 2224 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2225 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2226 2227 # 2228 # route blocks reachability to remote address 2229 # 2230 log_start 2231 setup_cmd ip -6 route del ${NSB_LO_IP6} 2232 setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10 2233 setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10 2234 2235 a=${NSB_LO_IP6} 2236 run_cmd ${ping6} -c1 -w1 ${a} 2237 log_test_addr ${a} $? 2 "ping out, blocked by route" 2238 2239 log_start 2240 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2241 log_test_addr ${a} $? 
2 "ping out, device bind, blocked by route" 2242 2243 a=${NSA_LO_IP6} 2244 log_start 2245 show_hint "Response lost due to ip route" 2246 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2247 log_test_addr ${a} $? 1 "ping in, blocked by route" 2248 2249 2250 # 2251 # remove 'remote' routes; fallback to default 2252 # 2253 log_start 2254 setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6} 2255 setup_cmd ip -6 ro del unreachable ${NSB_IP6} 2256 2257 a=${NSB_LO_IP6} 2258 run_cmd ${ping6} -c1 -w1 ${a} 2259 log_test_addr ${a} $? 2 "ping out, unreachable route" 2260 2261 log_start 2262 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2263 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 2264} 2265 2266ipv6_ping_vrf() 2267{ 2268 local a 2269 2270 # should default on; does not exist on older kernels 2271 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 2272 2273 # 2274 # out 2275 # 2276 for a in ${NSB_IP6} ${NSB_LO_IP6} 2277 do 2278 log_start 2279 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2280 log_test_addr ${a} $? 0 "ping out, VRF bind" 2281 done 2282 2283 for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF} 2284 do 2285 log_start 2286 show_hint "Fails since VRF device does not support linklocal or multicast" 2287 run_cmd ${ping6} -c1 -w1 ${a} 2288 log_test_addr ${a} $? 1 "ping out, VRF bind" 2289 done 2290 2291 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2292 do 2293 log_start 2294 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2295 log_test_addr ${a} $? 0 "ping out, device bind" 2296 done 2297 2298 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2299 do 2300 log_start 2301 run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a} 2302 log_test_addr ${a} $? 0 "ping out, vrf device+address bind" 2303 done 2304 2305 # 2306 # in 2307 # 2308 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV} 2309 do 2310 log_start 2311 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2312 log_test_addr ${a} $? 
0 "ping in" 2313 done 2314 2315 a=${NSA_LO_IP6} 2316 log_start 2317 show_hint "Fails since loopback address is out of VRF scope" 2318 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2319 log_test_addr ${a} $? 1 "ping in" 2320 2321 # 2322 # local traffic, local address 2323 # 2324 for a in ${NSA_IP6} ${VRF_IP6} ::1 2325 do 2326 log_start 2327 show_hint "Source address should be ${a}" 2328 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2329 log_test_addr ${a} $? 0 "ping local, VRF bind" 2330 done 2331 2332 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2333 do 2334 log_start 2335 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2336 log_test_addr ${a} $? 0 "ping local, device bind" 2337 done 2338 2339 # LLA to GUA - remove ipv6 global addresses from ns-B 2340 setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 2341 setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo 2342 setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2343 2344 for a in ${NSA_IP6} ${VRF_IP6} 2345 do 2346 log_start 2347 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 2348 log_test_addr ${a} $? 0 "ping in, LLA to GUA" 2349 done 2350 2351 setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2352 setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} 2353 setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo 2354 2355 # 2356 # ip rule blocks address 2357 # 2358 log_start 2359 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2360 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2361 2362 a=${NSB_LO_IP6} 2363 run_cmd ${ping6} -c1 -w1 ${a} 2364 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2365 2366 log_start 2367 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2368 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2369 2370 a=${NSA_LO_IP6} 2371 log_start 2372 show_hint "Response lost due to ip rule" 2373 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2374 log_test_addr ${a} $? 
1 "ping in, blocked by rule" 2375 2376 log_start 2377 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2378 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2379 2380 # 2381 # remove 'remote' routes; fallback to default 2382 # 2383 log_start 2384 setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF} 2385 2386 a=${NSB_LO_IP6} 2387 run_cmd ${ping6} -c1 -w1 ${a} 2388 log_test_addr ${a} $? 2 "ping out, unreachable route" 2389 2390 log_start 2391 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2392 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 2393 2394 ip -netns ${NSB} -6 ro del ${NSA_LO_IP6} 2395 a=${NSA_LO_IP6} 2396 log_start 2397 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2398 log_test_addr ${a} $? 2 "ping in, unreachable route" 2399} 2400 2401ipv6_ping() 2402{ 2403 log_section "IPv6 ping" 2404 2405 log_subsection "No VRF" 2406 setup 2407 ipv6_ping_novrf 2408 setup 2409 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 2410 ipv6_ping_novrf 2411 2412 log_subsection "With VRF" 2413 setup "yes" 2414 ipv6_ping_vrf 2415 setup "yes" 2416 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 2417 ipv6_ping_vrf 2418} 2419 2420################################################################################ 2421# IPv6 TCP 2422 2423# 2424# MD5 tests without VRF 2425# 2426ipv6_tcp_md5_novrf() 2427{ 2428 # 2429 # single address 2430 # 2431 2432 # basic use case 2433 log_start 2434 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} & 2435 sleep 1 2436 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2437 log_test $? 0 "MD5: Single address config" 2438 2439 # client sends MD5, server not configured 2440 log_start 2441 show_hint "Should timeout due to MD5 mismatch" 2442 run_cmd nettest -6 -s & 2443 sleep 1 2444 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2445 log_test $? 
2 "MD5: Server no config, client uses password" 2446 2447 # wrong password 2448 log_start 2449 show_hint "Should timeout since client uses wrong password" 2450 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} & 2451 sleep 1 2452 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2453 log_test $? 2 "MD5: Client uses wrong password" 2454 2455 # client from different address 2456 log_start 2457 show_hint "Should timeout due to MD5 mismatch" 2458 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} & 2459 sleep 1 2460 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2461 log_test $? 2 "MD5: Client address does not match address configured with password" 2462 2463 # 2464 # MD5 extension - prefix length 2465 # 2466 2467 # client in prefix 2468 log_start 2469 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2470 sleep 1 2471 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2472 log_test $? 0 "MD5: Prefix config" 2473 2474 # client in prefix, wrong password 2475 log_start 2476 show_hint "Should timeout since client uses wrong password" 2477 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2478 sleep 1 2479 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2480 log_test $? 2 "MD5: Prefix config, client uses wrong password" 2481 2482 # client outside of prefix 2483 log_start 2484 show_hint "Should timeout due to MD5 mismatch" 2485 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2486 sleep 1 2487 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW} 2488 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 2489} 2490 2491# 2492# MD5 tests with VRF 2493# 2494ipv6_tcp_md5() 2495{ 2496 # 2497 # single address 2498 # 2499 2500 # basic use case 2501 log_start 2502 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2503 sleep 1 2504 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2505 log_test $? 
0 "MD5: VRF: Single address config" 2506 2507 # client sends MD5, server not configured 2508 log_start 2509 show_hint "Should timeout since server does not have MD5 auth" 2510 run_cmd nettest -6 -s -I ${VRF} & 2511 sleep 1 2512 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2513 log_test $? 2 "MD5: VRF: Server no config, client uses password" 2514 2515 # wrong password 2516 log_start 2517 show_hint "Should timeout since client uses wrong password" 2518 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2519 sleep 1 2520 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2521 log_test $? 2 "MD5: VRF: Client uses wrong password" 2522 2523 # client from different address 2524 log_start 2525 show_hint "Should timeout since server config differs from client" 2526 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} & 2527 sleep 1 2528 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2529 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 2530 2531 # 2532 # MD5 extension - prefix length 2533 # 2534 2535 # client in prefix 2536 log_start 2537 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2538 sleep 1 2539 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2540 log_test $? 0 "MD5: VRF: Prefix config" 2541 2542 # client in prefix, wrong password 2543 log_start 2544 show_hint "Should timeout since client uses wrong password" 2545 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2546 sleep 1 2547 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2548 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 2549 2550 # client outside of prefix 2551 log_start 2552 show_hint "Should timeout since client address is outside of prefix" 2553 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2554 sleep 1 2555 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW} 2556 log_test $? 
2 "MD5: VRF: Prefix config, client address not in configured prefix" 2557 2558 # 2559 # duplicate config between default VRF and a VRF 2560 # 2561 2562 log_start 2563 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2564 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2565 sleep 1 2566 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2567 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 2568 2569 log_start 2570 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2571 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2572 sleep 1 2573 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2574 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 2575 2576 log_start 2577 show_hint "Should timeout since client in default VRF uses VRF password" 2578 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2579 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2580 sleep 1 2581 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2582 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 2583 2584 log_start 2585 show_hint "Should timeout since client in VRF uses default VRF password" 2586 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2587 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2588 sleep 1 2589 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2590 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 2591 2592 log_start 2593 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2594 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2595 sleep 1 2596 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2597 log_test $? 
0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 2598 2599 log_start 2600 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2601 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2602 sleep 1 2603 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2604 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 2605 2606 log_start 2607 show_hint "Should timeout since client in default VRF uses VRF password" 2608 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2609 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2610 sleep 1 2611 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2612 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 2613 2614 log_start 2615 show_hint "Should timeout since client in VRF uses default VRF password" 2616 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2617 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2618 sleep 1 2619 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2620 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 2621 2622 # 2623 # negative tests 2624 # 2625 log_start 2626 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6} 2627 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 2628 2629 log_start 2630 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6} 2631 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 2632 2633} 2634 2635ipv6_tcp_novrf() 2636{ 2637 local a 2638 2639 # 2640 # server tests 2641 # 2642 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2643 do 2644 log_start 2645 run_cmd nettest -6 -s & 2646 sleep 1 2647 run_cmd_nsb nettest -6 -r ${a} 2648 log_test_addr ${a} $? 
0 "Global server" 2649 done 2650 2651 # verify TCP reset received 2652 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2653 do 2654 log_start 2655 show_hint "Should fail 'Connection refused'" 2656 run_cmd_nsb nettest -6 -r ${a} 2657 log_test_addr ${a} $? 1 "No server" 2658 done 2659 2660 # 2661 # client 2662 # 2663 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2664 do 2665 log_start 2666 run_cmd_nsb nettest -6 -s & 2667 sleep 1 2668 run_cmd nettest -6 -r ${a} 2669 log_test_addr ${a} $? 0 "Client" 2670 done 2671 2672 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2673 do 2674 log_start 2675 run_cmd_nsb nettest -6 -s & 2676 sleep 1 2677 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2678 log_test_addr ${a} $? 0 "Client, device bind" 2679 done 2680 2681 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2682 do 2683 log_start 2684 show_hint "Should fail 'Connection refused'" 2685 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2686 log_test_addr ${a} $? 1 "No server, device client" 2687 done 2688 2689 # 2690 # local address tests 2691 # 2692 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 2693 do 2694 log_start 2695 run_cmd nettest -6 -s & 2696 sleep 1 2697 run_cmd nettest -6 -r ${a} 2698 log_test_addr ${a} $? 0 "Global server, local connection" 2699 done 2700 2701 a=${NSA_IP6} 2702 log_start 2703 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2704 sleep 1 2705 run_cmd nettest -6 -r ${a} -0 ${a} 2706 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 2707 2708 for a in ${NSA_LO_IP6} ::1 2709 do 2710 log_start 2711 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2712 run_cmd nettest -6 -s -I ${NSA_DEV} & 2713 sleep 1 2714 run_cmd nettest -6 -r ${a} 2715 log_test_addr ${a} $? 
1 "Device server, unbound client, local connection"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s &
	sleep 1
	run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	# same scope check from the client side: a device-bound client must
	# not reach addresses that live on the loopback device
	for a in ${NSA_LO_IP6} ::1
	do
		log_start
		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "Global server, device client, local connection"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}
	do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
		log_test_addr ${a} $? 0 "Device server, device client, local conn"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
		log_test_addr ${a} $? 1 "No server, device client, local conn"
	done

	ipv6_tcp_md5_novrf
}

#
# IPv6 TCP tests with ${NSA_DEV} enslaved to VRF ${VRF}, run in two
# phases around net.ipv4.tcp_l3mdev_accept:
#   =0  a "global" server (one started without -I) is expected to refuse
#       connections that arrive through the VRF; only servers bound to
#       the VRF or to the enslaved device accept them.
#   =1  the same unbound server is expected to accept them.
# Reviewer note: the =1 phase is the one that relaxes separation between
# L3 domains, since a single unbound listener then serves VRF traffic
# too; services that rely on VRF isolation should bind to the VRF
# explicitly and leave the sysctl at 0.
# The MD5 tests run between the two phases.
#
ipv6_tcp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"

	set_sysctl net.ipv4.tcp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $?
0 "VRF server" 2784 done 2785 2786 # link local is always bound to ingress device 2787 a=${NSA_LINKIP6}%${NSB_DEV} 2788 log_start 2789 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2790 sleep 1 2791 run_cmd_nsb nettest -6 -r ${a} 2792 log_test_addr ${a} $? 0 "VRF server" 2793 2794 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2795 do 2796 log_start 2797 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2798 sleep 1 2799 run_cmd_nsb nettest -6 -r ${a} 2800 log_test_addr ${a} $? 0 "Device server" 2801 done 2802 2803 # verify TCP reset received 2804 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2805 do 2806 log_start 2807 show_hint "Should fail 'Connection refused'" 2808 run_cmd_nsb nettest -6 -r ${a} 2809 log_test_addr ${a} $? 1 "No server" 2810 done 2811 2812 # local address tests 2813 a=${NSA_IP6} 2814 log_start 2815 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2816 run_cmd nettest -6 -s & 2817 sleep 1 2818 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2819 log_test_addr ${a} $? 1 "Global server, local connection" 2820 2821 # run MD5 tests 2822 setup_vrf_dup 2823 ipv6_tcp_md5 2824 cleanup_vrf_dup 2825 2826 # 2827 # enable VRF global server 2828 # 2829 log_subsection "VRF Global server enabled" 2830 set_sysctl net.ipv4.tcp_l3mdev_accept=1 2831 2832 for a in ${NSA_IP6} ${VRF_IP6} 2833 do 2834 log_start 2835 run_cmd nettest -6 -s -3 ${VRF} & 2836 sleep 1 2837 run_cmd_nsb nettest -6 -r ${a} 2838 log_test_addr ${a} $? 0 "Global server" 2839 done 2840 2841 for a in ${NSA_IP6} ${VRF_IP6} 2842 do 2843 log_start 2844 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2845 sleep 1 2846 run_cmd_nsb nettest -6 -r ${a} 2847 log_test_addr ${a} $? 0 "VRF server" 2848 done 2849 2850 # For LLA, child socket is bound to device 2851 a=${NSA_LINKIP6}%${NSB_DEV} 2852 log_start 2853 run_cmd nettest -6 -s -3 ${NSA_DEV} & 2854 sleep 1 2855 run_cmd_nsb nettest -6 -r ${a} 2856 log_test_addr ${a} $? 
0 "Global server" 2857 2858 log_start 2859 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2860 sleep 1 2861 run_cmd_nsb nettest -6 -r ${a} 2862 log_test_addr ${a} $? 0 "VRF server" 2863 2864 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2865 do 2866 log_start 2867 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2868 sleep 1 2869 run_cmd_nsb nettest -6 -r ${a} 2870 log_test_addr ${a} $? 0 "Device server" 2871 done 2872 2873 # verify TCP reset received 2874 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2875 do 2876 log_start 2877 show_hint "Should fail 'Connection refused'" 2878 run_cmd_nsb nettest -6 -r ${a} 2879 log_test_addr ${a} $? 1 "No server" 2880 done 2881 2882 # local address tests 2883 for a in ${NSA_IP6} ${VRF_IP6} 2884 do 2885 log_start 2886 show_hint "Fails 'Connection refused' since client is not in VRF" 2887 run_cmd nettest -6 -s -I ${VRF} & 2888 sleep 1 2889 run_cmd nettest -6 -r ${a} 2890 log_test_addr ${a} $? 1 "Global server, local connection" 2891 done 2892 2893 2894 # 2895 # client 2896 # 2897 for a in ${NSB_IP6} ${NSB_LO_IP6} 2898 do 2899 log_start 2900 run_cmd_nsb nettest -6 -s & 2901 sleep 1 2902 run_cmd nettest -6 -r ${a} -d ${VRF} 2903 log_test_addr ${a} $? 0 "Client, VRF bind" 2904 done 2905 2906 a=${NSB_LINKIP6} 2907 log_start 2908 show_hint "Fails since VRF device does not allow linklocal addresses" 2909 run_cmd_nsb nettest -6 -s & 2910 sleep 1 2911 run_cmd nettest -6 -r ${a} -d ${VRF} 2912 log_test_addr ${a} $? 1 "Client, VRF bind" 2913 2914 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 2915 do 2916 log_start 2917 run_cmd_nsb nettest -6 -s & 2918 sleep 1 2919 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2920 log_test_addr ${a} $? 0 "Client, device bind" 2921 done 2922 2923 for a in ${NSB_IP6} ${NSB_LO_IP6} 2924 do 2925 log_start 2926 show_hint "Should fail 'Connection refused'" 2927 run_cmd nettest -6 -r ${a} -d ${VRF} 2928 log_test_addr ${a} $? 
1 "No server, VRF client" 2929 done 2930 2931 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 2932 do 2933 log_start 2934 show_hint "Should fail 'Connection refused'" 2935 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2936 log_test_addr ${a} $? 1 "No server, device client" 2937 done 2938 2939 for a in ${NSA_IP6} ${VRF_IP6} ::1 2940 do 2941 log_start 2942 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2943 sleep 1 2944 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 2945 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 2946 done 2947 2948 a=${NSA_IP6} 2949 log_start 2950 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2951 sleep 1 2952 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2953 log_test_addr ${a} $? 0 "VRF server, device client, local connection" 2954 2955 a=${NSA_IP6} 2956 log_start 2957 show_hint "Should fail since unbound client is out of VRF scope" 2958 run_cmd nettest -6 -s -I ${VRF} & 2959 sleep 1 2960 run_cmd nettest -6 -r ${a} 2961 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection" 2962 2963 log_start 2964 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2965 sleep 1 2966 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 2967 log_test_addr ${a} $? 0 "Device server, VRF client, local connection" 2968 2969 for a in ${NSA_IP6} ${NSA_LINKIP6} 2970 do 2971 log_start 2972 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2973 sleep 1 2974 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2975 log_test_addr ${a} $? 
0 "Device server, device client, local connection"
	done
}

#
# Entry point for the IPv6 TCP tests: the non-VRF suite is run once with
# tcp_l3mdev_accept off and once with it on, then the environment is
# rebuilt with a VRF (setup "yes") for the VRF suite.
#
ipv6_tcp()
{
	log_section "IPv6/TCP"
	log_subsection "No VRF"
	setup

	# tcp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "tcp_l3mdev_accept disabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=0
	ipv6_tcp_novrf
	log_subsection "tcp_l3mdev_accept enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1
	ipv6_tcp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_tcp_vrf
}

################################################################################
# IPv6 UDP

#
# IPv6 UDP tests without a VRF (-D selects datagram sockets): server in
# ns-A reached from ns-B, client in ns-A reaching ns-B with the device
# chosen by bind, by cmsg (-C) or by the IPV6_UNICAST_IF socket option
# (-S), and connections between local addresses. Ends with a case where
# ns-B has no global address left on its interface ("LLA to GUA").
#
ipv6_udp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Device server"
	done

	a=${NSA_LO_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -6 -D -r ${a}
	log_test_addr ${a} $? 0 "Global server"

	# should fail since loopback address is out of scope for a device
	# bound server, but it does not - hence this is more documenting
	# behavior.
	#log_start
	#show_hint "Should fail since loopback address is out of scope"
	#run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	#sleep 1
	#run_cmd_nsb nettest -6 -D -r ${a}
	#log_test_addr ${a} $?
1 "Device server" 3040 3041 # negative test - should fail 3042 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 3043 do 3044 log_start 3045 show_hint "Should fail 'Connection refused' since there is no server" 3046 run_cmd_nsb nettest -6 -D -r ${a} 3047 log_test_addr ${a} $? 1 "No server" 3048 done 3049 3050 # 3051 # client 3052 # 3053 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 3054 do 3055 log_start 3056 run_cmd_nsb nettest -6 -D -s & 3057 sleep 1 3058 run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6} 3059 log_test_addr ${a} $? 0 "Client" 3060 3061 log_start 3062 run_cmd_nsb nettest -6 -D -s & 3063 sleep 1 3064 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6} 3065 log_test_addr ${a} $? 0 "Client, device bind" 3066 3067 log_start 3068 run_cmd_nsb nettest -6 -D -s & 3069 sleep 1 3070 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6} 3071 log_test_addr ${a} $? 0 "Client, device send via cmsg" 3072 3073 log_start 3074 run_cmd_nsb nettest -6 -D -s & 3075 sleep 1 3076 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6} 3077 log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF" 3078 3079 log_start 3080 show_hint "Should fail 'Connection refused'" 3081 run_cmd nettest -6 -D -r ${a} 3082 log_test_addr ${a} $? 1 "No server, unbound client" 3083 3084 log_start 3085 show_hint "Should fail 'Connection refused'" 3086 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3087 log_test_addr ${a} $? 1 "No server, device client" 3088 done 3089 3090 # 3091 # local address tests 3092 # 3093 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 3094 do 3095 log_start 3096 run_cmd nettest -6 -D -s & 3097 sleep 1 3098 run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a} 3099 log_test_addr ${a} $? 0 "Global server, local connection" 3100 done 3101 3102 a=${NSA_IP6} 3103 log_start 3104 run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 3105 sleep 1 3106 run_cmd nettest -6 -D -r ${a} 3107 log_test_addr ${a} $? 
0 "Device server, unbound client, local connection" 3108 3109 for a in ${NSA_LO_IP6} ::1 3110 do 3111 log_start 3112 show_hint "Should fail 'Connection refused' since address is out of device scope" 3113 run_cmd nettest -6 -s -D -I ${NSA_DEV} & 3114 sleep 1 3115 run_cmd nettest -6 -D -r ${a} 3116 log_test_addr ${a} $? 1 "Device server, local connection" 3117 done 3118 3119 a=${NSA_IP6} 3120 log_start 3121 run_cmd nettest -6 -s -D & 3122 sleep 1 3123 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3124 log_test_addr ${a} $? 0 "Global server, device client, local connection" 3125 3126 log_start 3127 run_cmd nettest -6 -s -D & 3128 sleep 1 3129 run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a} 3130 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 3131 3132 log_start 3133 run_cmd nettest -6 -s -D & 3134 sleep 1 3135 run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a} 3136 log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection" 3137 3138 for a in ${NSA_LO_IP6} ::1 3139 do 3140 log_start 3141 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3142 run_cmd nettest -6 -D -s & 3143 sleep 1 3144 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3145 log_test_addr ${a} $? 1 "Global server, device client, local connection" 3146 3147 log_start 3148 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3149 run_cmd nettest -6 -D -s & 3150 sleep 1 3151 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C 3152 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 3153 3154 log_start 3155 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3156 run_cmd nettest -6 -D -s & 3157 sleep 1 3158 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S 3159 log_test_addr ${a} $? 
1 "Global server, device client via IP_UNICAST_IF, local connection" 3160 done 3161 3162 a=${NSA_IP6} 3163 log_start 3164 run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3165 sleep 1 3166 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a} 3167 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3168 3169 log_start 3170 show_hint "Should fail 'Connection refused'" 3171 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3172 log_test_addr ${a} $? 1 "No server, device client, local conn" 3173 3174 # LLA to GUA 3175 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3176 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3177 log_start 3178 run_cmd nettest -6 -s -D & 3179 sleep 1 3180 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3181 log_test $? 0 "UDP in - LLA to GUA" 3182 3183 run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV} 3184 run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad 3185} 3186 3187ipv6_udp_vrf() 3188{ 3189 local a 3190 3191 # disable global server 3192 log_subsection "Global server disabled" 3193 set_sysctl net.ipv4.udp_l3mdev_accept=0 3194 3195 # 3196 # server tests 3197 # 3198 for a in ${NSA_IP6} ${VRF_IP6} 3199 do 3200 log_start 3201 show_hint "Should fail 'Connection refused' since global server is disabled" 3202 run_cmd nettest -6 -D -s & 3203 sleep 1 3204 run_cmd_nsb nettest -6 -D -r ${a} 3205 log_test_addr ${a} $? 1 "Global server" 3206 done 3207 3208 for a in ${NSA_IP6} ${VRF_IP6} 3209 do 3210 log_start 3211 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3212 sleep 1 3213 run_cmd_nsb nettest -6 -D -r ${a} 3214 log_test_addr ${a} $? 0 "VRF server" 3215 done 3216 3217 for a in ${NSA_IP6} ${VRF_IP6} 3218 do 3219 log_start 3220 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3221 sleep 1 3222 run_cmd_nsb nettest -6 -D -r ${a} 3223 log_test_addr ${a} $? 
0 "Enslaved device server" 3224 done 3225 3226 # negative test - should fail 3227 for a in ${NSA_IP6} ${VRF_IP6} 3228 do 3229 log_start 3230 show_hint "Should fail 'Connection refused' since there is no server" 3231 run_cmd_nsb nettest -6 -D -r ${a} 3232 log_test_addr ${a} $? 1 "No server" 3233 done 3234 3235 # 3236 # local address tests 3237 # 3238 for a in ${NSA_IP6} ${VRF_IP6} 3239 do 3240 log_start 3241 show_hint "Should fail 'Connection refused' since global server is disabled" 3242 run_cmd nettest -6 -D -s & 3243 sleep 1 3244 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3245 log_test_addr ${a} $? 1 "Global server, VRF client, local conn" 3246 done 3247 3248 for a in ${NSA_IP6} ${VRF_IP6} 3249 do 3250 log_start 3251 run_cmd nettest -6 -D -I ${VRF} -s & 3252 sleep 1 3253 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3254 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3255 done 3256 3257 a=${NSA_IP6} 3258 log_start 3259 show_hint "Should fail 'Connection refused' since global server is disabled" 3260 run_cmd nettest -6 -D -s & 3261 sleep 1 3262 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3263 log_test_addr ${a} $? 1 "Global server, device client, local conn" 3264 3265 log_start 3266 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3267 sleep 1 3268 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3269 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 3270 3271 log_start 3272 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3273 sleep 1 3274 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3275 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 3276 3277 log_start 3278 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3279 sleep 1 3280 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3281 log_test_addr ${a} $? 
0 "Enslaved device server, device client, local conn" 3282 3283 # disable global server 3284 log_subsection "Global server enabled" 3285 set_sysctl net.ipv4.udp_l3mdev_accept=1 3286 3287 # 3288 # server tests 3289 # 3290 for a in ${NSA_IP6} ${VRF_IP6} 3291 do 3292 log_start 3293 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3294 sleep 1 3295 run_cmd_nsb nettest -6 -D -r ${a} 3296 log_test_addr ${a} $? 0 "Global server" 3297 done 3298 3299 for a in ${NSA_IP6} ${VRF_IP6} 3300 do 3301 log_start 3302 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3303 sleep 1 3304 run_cmd_nsb nettest -6 -D -r ${a} 3305 log_test_addr ${a} $? 0 "VRF server" 3306 done 3307 3308 for a in ${NSA_IP6} ${VRF_IP6} 3309 do 3310 log_start 3311 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3312 sleep 1 3313 run_cmd_nsb nettest -6 -D -r ${a} 3314 log_test_addr ${a} $? 0 "Enslaved device server" 3315 done 3316 3317 # negative test - should fail 3318 for a in ${NSA_IP6} ${VRF_IP6} 3319 do 3320 log_start 3321 run_cmd_nsb nettest -6 -D -r ${a} 3322 log_test_addr ${a} $? 1 "No server" 3323 done 3324 3325 # 3326 # client tests 3327 # 3328 log_start 3329 run_cmd_nsb nettest -6 -D -s & 3330 sleep 1 3331 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3332 log_test $? 0 "VRF client" 3333 3334 # negative test - should fail 3335 log_start 3336 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3337 log_test $? 1 "No server, VRF client" 3338 3339 log_start 3340 run_cmd_nsb nettest -6 -D -s & 3341 sleep 1 3342 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3343 log_test $? 0 "Enslaved device client" 3344 3345 # negative test - should fail 3346 log_start 3347 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3348 log_test $? 1 "No server, enslaved device client" 3349 3350 # 3351 # local address tests 3352 # 3353 a=${NSA_IP6} 3354 log_start 3355 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3356 sleep 1 3357 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3358 log_test_addr ${a} $? 
0 "Global server, VRF client, local conn" 3359 3360 #log_start 3361 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3362 sleep 1 3363 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3364 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3365 3366 3367 a=${VRF_IP6} 3368 log_start 3369 run_cmd nettest -6 -D -s -3 ${VRF} & 3370 sleep 1 3371 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3372 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 3373 3374 log_start 3375 run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} & 3376 sleep 1 3377 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3378 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3379 3380 # negative test - should fail 3381 for a in ${NSA_IP6} ${VRF_IP6} 3382 do 3383 log_start 3384 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3385 log_test_addr ${a} $? 1 "No server, VRF client, local conn" 3386 done 3387 3388 # device to global IP 3389 a=${NSA_IP6} 3390 log_start 3391 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3392 sleep 1 3393 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3394 log_test_addr ${a} $? 0 "Global server, device client, local conn" 3395 3396 log_start 3397 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3398 sleep 1 3399 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3400 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 3401 3402 log_start 3403 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3404 sleep 1 3405 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3406 log_test_addr ${a} $? 0 "Device server, VRF client, local conn" 3407 3408 log_start 3409 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3410 sleep 1 3411 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3412 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3413 3414 log_start 3415 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3416 log_test_addr ${a} $? 
1 "No server, device client, local conn" 3417 3418 3419 # link local addresses 3420 log_start 3421 run_cmd nettest -6 -D -s & 3422 sleep 1 3423 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3424 log_test $? 0 "Global server, linklocal IP" 3425 3426 log_start 3427 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3428 log_test $? 1 "No server, linklocal IP" 3429 3430 3431 log_start 3432 run_cmd_nsb nettest -6 -D -s & 3433 sleep 1 3434 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3435 log_test $? 0 "Enslaved device client, linklocal IP" 3436 3437 log_start 3438 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3439 log_test $? 1 "No server, device client, peer linklocal IP" 3440 3441 3442 log_start 3443 run_cmd nettest -6 -D -s & 3444 sleep 1 3445 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3446 log_test $? 0 "Enslaved device client, local conn - linklocal IP" 3447 3448 log_start 3449 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3450 log_test $? 1 "No server, device client, local conn - linklocal IP" 3451 3452 # LLA to GUA 3453 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3454 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3455 log_start 3456 run_cmd nettest -6 -s -D & 3457 sleep 1 3458 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3459 log_test $? 
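0 "UDP in - LLA to GUA"

	# Tail of ipv6_udp_vrf (the function starts above this excerpt): undo the
	# LLA-to-GUA setup by dropping the host route and restoring the global
	# address on the ns-B device.
	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}

# Run the IPv6 UDP test sets: the no-VRF set twice (udp_l3mdev_accept off,
# then on) and the VRF set once.
# Helpers used here (set_sysctl, setup, log_section, log_subsection,
# ipv6_udp_novrf, ipv6_udp_vrf) are defined outside this excerpt.
ipv6_udp()
{
	# should not matter, but set to known state
	set_sysctl net.ipv4.udp_early_demux=1

	log_section "IPv6/UDP"
	log_subsection "No VRF"
	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv6_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv6_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_udp_vrf
}

################################################################################
# IPv6 address bind

# Bind tests without a VRF: raw and TCP sockets bound to local, loopback and
# non-local addresses, with and without a device bind (-I).
# Every case reports through log_test_addr <addr> <rc> <expected> <name>;
# an expected value of 0 means the nettest command must exit 0.
# Note: 'a' is not declared local here, so it is written in the caller's scope.
ipv6_addr_bind_novrf()
{
	#
	# raw socket
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# raw socket with nonlocal bind
	#
	# NOTE(review): this case passes "-P icmp" while the raw cases above
	# pass "-P ipv6-icmp"; confirm that is intended for an IPv6 socket.
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

	#
	# tcp sockets
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. So this test passes
	# when it really should not.
	# In other words the expected value of 0 pins current kernel behaviour:
	# a device bind alone does not limit which local address can be bound.
	a=${NSA_LO_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
}

# Bind tests with the VRF configured: addresses on the enslaved device and on
# the VRF device must be bindable after a VRF or device bind, while the
# loopback address (outside the VRF) must be refused (expected rc 1).
# Note: 'a' is not declared local here, so it is written in the caller's scope.
ipv6_addr_bind_vrf()
{
	#
	# raw socket
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"

	#
	# raw socket with nonlocal bind
	#
	# NOTE(review): "-P icmp" here versus "-P ipv6-icmp" above; confirm.
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	#
	# tcp sockets
	#
	# address on enslaved device is valid for the VRF or device in a VRF
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not
	a=${VRF_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind"

	# The loopback address is outside the L3 domain, so both binds below
	# are negative tests (expected rc 1).
	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"

}

# Run the IPv6 bind tests, first without and then with the VRF.
ipv6_addr_bind()
{
	log_section "IPv6 address binds"

	log_subsection "No VRF"
	setup
	ipv6_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_addr_bind_vrf
}

################################################################################
# IPv6 runtime tests

# Delete the VRF device while nettest traffic is active, for server, client
# and local-connection layouts.
# Arguments: $1 - description used as the prefix of every test name
#            $2 - extra nettest arguments, appended after "-6"
# Each case records log_test(_addr) with rc 0 and expected 0, so it counts as
# a pass whenever the script reaches that line; the commands' own exit codes
# are not checked. After each case the topology is rebuilt with setup, except
# after the last one.
ipv6_rt()
{
	local desc="$1"
	# expanded unquoted below on purpose: it holds several arguments
	local varg="-6 $2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${NSA_DEV} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, enslaved device server"

		setup ${with_vrf}
	done

	#
	# client test
	#
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, enslaved device client"

	setup ${with_vrf}


	#
	# local address tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server, VRF client"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server and client"

		setup ${with_vrf}
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, global server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${VRF} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, device server, device client"
}

# Delete the VRF device while a flood ping is running, once with the ping
# coming in from ns-B and once going out through the VRF.
# As in ipv6_rt the recorded result is a fixed 0/0.
ipv6_ping_rt()
{
	local with_vrf="yes"
	local a

	a=${NSA_IP6}
	log_start
	run_cmd_nsb ${ping6} -f ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

	setup ${with_vrf}

	# NOTE(review): the ping target is ${NSB_IP6} but the test is labelled
	# with ${a} (still ${NSA_IP6}); only the printed address is affected.
	log_start
	run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
	sleep 1
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

# Run all IPv6 runtime (device delete under traffic) tests; the topology is
# rebuilt with the VRF before each set.
ipv6_runtime()
{
	log_section "Run time tests - ipv6"

	setup "yes"
	ipv6_ping_rt

	setup "yes"
	ipv6_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv6_rt "TCP passive socket" "-i"

	setup "yes"
	ipv6_rt "UDP active socket" "-D -n -1"
}

################################################################################
# netfilter blocking connections

# With the TCP-reset REJECT rule installed by the caller, a client in ns-B
# must fail to connect to either ns-A address (expected rc 1).
netfilter_tcp_reset()
{
	local a

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

# With the icmp-port-unreachable REJECT rules installed by the caller, a
# client in ns-B must fail (expected rc 1).
# Arguments: $1 - "TCP" or "UDP"; "UDP" adds -D to the nettest commands
netfilter_icmp()
{
	local stype="$1"
	local arg
	local a

	[ "${stype}" = "UDP" ] && arg="-D"

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${arg} -s &
		sleep 1
		run_cmd_nsb nettest ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}

# IPv4 netfilter tests: install REJECT rules for port 12345 (presumably the
# nettest default port - confirm) and check that connections are refused.
ipv4_netfilter()
{
	log_section "IPv4 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp_reset

	log_start
	log_subsection "ICMP unreachable"

	log_start
	run_cmd iptables -F
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
	run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable

	netfilter_icmp "TCP"
	netfilter_icmp "UDP"

	log_start
	# Flush through run_cmd, the same way the rules were added. A bare
	# "iptables -F" acts on the namespace the script was started from and
	# would empty that namespace's filter table instead of the test one.
	# (run_cmd is defined outside this excerpt; presumably it executes in
	# ns-A - confirm.)
	run_cmd iptables -F
}

# IPv6 counterpart of netfilter_tcp_reset.
netfilter_tcp6_reset()
{
	local a

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

# IPv6 counterpart of netfilter_icmp.
# Arguments: $1 - "TCP" or "UDP"; "UDP" adds -D to the nettest commands
netfilter_icmp6()
{
	local stype="$1"
	local arg
	local a

	[ "${stype}" = "UDP" ] && arg="$arg -D"

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s ${arg} &
		sleep 1
		run_cmd_nsb nettest -6 ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}

# IPv6 netfilter tests: same structure as ipv4_netfilter, using ip6tables.
ipv6_netfilter()
{
	log_section "IPv6 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp6_reset

	log_subsection "ICMP unreachable"

	log_start
	run_cmd ip6tables -F
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
	run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable

	netfilter_icmp6 "TCP"
	netfilter_icmp6 "UDP"

	log_start
	# Flush through run_cmd, the same way the rules were added. A bare
	# "ip6tables -F" acts on the namespace the script was started from and
	# would empty that namespace's filter table instead of the test one.
	# (run_cmd is defined outside this excerpt; presumably it executes in
	# ns-A - confirm.)
	run_cmd ip6tables -F
}

################################################################################
# specific use cases

# VRF only.
# ns-A device enslaved to bridge. Verify traffic with and without
# br_netfilter module loaded. Repeat with SVI on bridge.
#
# NOTE(review): rmmod/modprobe below are run directly, not through a
# namespace helper, and module state belongs to the running kernel: the
# function unloads br_netfilter if it was loaded and leaves it loaded when
# the final modprobe succeeds. Run this only on a machine where that is
# acceptable.
use_case_br()
{
	setup "yes"

	# move the ns-A addresses from the device to a new bridge br0
	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
	setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64

	setup_cmd ip link add br0 type bridge
	setup_cmd ip addr add dev br0 ${NSA_IP}/24
	setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad

	setup_cmd ip li set ${NSA_DEV} master br0
	setup_cmd ip li set ${NSA_DEV} up
	setup_cmd ip li set br0 up
	setup_cmd ip li set br0 vrf ${VRF}

	# failure is ignored: the module may simply not be loaded
	rmmod br_netfilter 2>/dev/null
	sleep 5 # DAD

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 ${NSA_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping in"

	# repeat with br_netfilter loaded; skipped when the module cannot load
	modprobe br_netfilter
	if [ $? -eq 0 ]; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out"

		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 ${NSA_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in"
	fi

	# SVI case: take br0 out of the VRF and put a vlan 100 interface on
	# top of it into the VRF, with a matching vlan interface in ns-B
	setup_cmd ip li set br0 nomaster
	setup_cmd ip li add br0.100 link br0 type vlan id 100
	setup_cmd ip li set br0.100 vrf ${VRF} up
	setup_cmd ip addr add dev br0.100 172.16.101.1/24
	setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad

	setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
	setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
	setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
	setup_cmd_nsb ip li set vlan100 up
	sleep 1

	rmmod br_netfilter 2>/dev/null

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 172.16.101.1
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"

	modprobe br_netfilter
	if [ $? -eq 0 ]; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out"

		# NOTE(review): the two "ping in" names below repeat the names
		# used without br_netfilter above, so the results cannot be told
		# apart in the output.
		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 172.16.101.1
		log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
		log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"
	fi

	setup_cmd ip li del br0 2>/dev/null
	setup_cmd_nsb ip li del vlan100 2>/dev/null
}

# VRF only.
# ns-A device is connected to both ns-B and ns-C on a single VRF but only has
# LLA on the interfaces
use_case_ping_lla_multi()
{
	setup_lla_only
	# only want reply from ns-A
	setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
	setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B"

	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C"

	# cycle/flap the first ns-A interface
	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip link set ${NSA_DEV} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C"

	# cycle/flap the second ns-A interface
	setup_cmd ip link set ${NSA_DEV2} down
	setup_cmd ip link set ${NSA_DEV2} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C"
}

# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully
# established with ns-B.
use_case_snat_on_vrf()
{
	setup "yes"

	local port="12345"

	run_cmd iptables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}

	run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} &
	sleep 1
	run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port}
	log_test $? 0 "IPv4 TCP connection over VRF with SNAT"

	run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} &
	sleep 1
	run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port}
	log_test $? 0 "IPv6 TCP connection over VRF with SNAT"

	# Cleanup: delete exactly the two rules added above (-D with the same
	# match), rather than flushing the whole nat table
	run_cmd iptables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
}

# Run the three use-case scenarios in order.
use_cases()
{
	log_section "Use cases"
	log_subsection "Device enslaved to bridge"
	use_case_br
	log_subsection "Ping LLA with multiple interfaces"
	use_case_ping_lla_multi
	log_subsection "SNAT on VRF"
	use_case_snat_on_vrf
}

################################################################################
# usage

# Print the option summary and the list of test sets to stdout.
usage()
{
	cat <<EOF
usage: ${0##*/} OPTS

	-4          IPv4 tests only
	-6          IPv6 tests only
	-t <test>   Test name/set to run
	-p          Pause on fail
	-P          Pause after each test
	-v          Be verbose

Tests:
	$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER
EOF
}

################################################################################
# main

TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter"
TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter"
TESTS_OTHER="use_cases"

PAUSE_ON_FAIL=no
PAUSE=no

while getopts :46t:pPvh o
do
	case $o in
		4) TESTS=ipv4;;
		6) TESTS=ipv6;;
		t) TESTS=$OPTARG;;
		p) PAUSE_ON_FAIL=yes;;
		P) PAUSE=yes;;
		v) VERBOSE=1;;
		h) usage; exit 0;;
		*) usage; exit 1;;
	esac
done

# make sure we don't pause twice
[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no

#
# expand the selection: no -t/-4/-6 means every test set, and the
# "ipv4"/"ipv6" shorthands expand to their lists
#
if [ -z "$TESTS" ]; then
	TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
elif [ "$TESTS" = "ipv4" ]; then
	TESTS="$TESTS_IPV4"
elif [ "$TESTS" = "ipv6" ]; then
	TESTS="$TESTS_IPV6"
fi

# nettest drives almost every test; without it report SKIP to kselftest
if ! command -v nettest >/dev/null; then
	echo "'nettest' command not found; skipping tests"
	exit $ksft_skip
fi

declare -i nfail=0
declare -i nsuccess=0

# $TESTS is split on whitespace on purpose: -t may carry several names
for t in $TESTS
do
	case $t in
	ipv4_ping|ping)  ipv4_ping;;
	ipv4_tcp|tcp)    ipv4_tcp;;
	ipv4_udp|udp)    ipv4_udp;;
	ipv4_bind|bind)  ipv4_addr_bind;;
	ipv4_runtime)    ipv4_runtime;;
	ipv4_netfilter)  ipv4_netfilter;;

	ipv6_ping|ping6) ipv6_ping;;
	ipv6_tcp|tcp6)   ipv6_tcp;;
	ipv6_udp|udp6)   ipv6_udp;;
	ipv6_bind|bind6) ipv6_addr_bind;;
	ipv6_runtime)    ipv6_runtime;;
	ipv6_netfilter)  ipv6_netfilter;;

	use_cases)       use_cases;;

	# setup namespaces and config, but do not run any tests
	setup)		 setup; exit 0;;
	vrf_setup)	 setup "yes"; exit 0;;

	# a mistyped name used to be dropped silently, which ends in the
	# SKIP exit code below; say so instead (exit status is unchanged)
	*)		 echo "unknown test '$t' ignored" >&2;;
	esac
done

cleanup 2>/dev/null

printf "\nTests passed: %3d\n" ${nsuccess}
printf "Tests failed: %3d\n" ${nfail}

# any failure is FAIL; nothing run at all is reported as SKIP
if [ $nfail -ne 0 ]; then
	exit 1 # KSFT_FAIL
elif [ $nsuccess -eq 0 ]; then
	exit $ksft_skip
fi

exit 0 # KSFT_PASS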