#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
#
# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
# for various permutations:
#   1. icmp, tcp, udp and netfilter
#   2. client, server, no-server
#   3. global address on interface
#   4. global address on 'lo'
#   5. remote and local traffic
#   6. VRF and non-VRF permutations
#
# Setup:
#                     ns-A     |     ns-B
# No VRF case:
#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
#                                                remote address
# VRF case:
#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
#
# ns-A:
#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
#       lo: 127.0.0.1/8, ::1/128
#           172.16.2.1/32, 2001:db8:2::1/128
#      red: 127.0.0.1/8, ::1/128
#           172.16.3.1/32, 2001:db8:3::1/128
#
# ns-B:
#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
#      lo2: 127.0.0.1/8, ::1/128
#           172.16.2.2/32, 2001:db8:2::2/128
#
# ns-A to ns-C connection - only for VRF and same config
# as ns-A to ns-B
#
# server / client nomenclature relative to ns-A

# Kselftest framework requirement - SKIP code is 4.
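ksft_skip=4

VERBOSE=0

NSA_DEV=eth1
NSA_DEV2=eth2
NSB_DEV=eth1
NSC_DEV=eth2
VRF=red
VRF_TABLE=1101

# IPv4 config
NSA_IP=172.16.1.1
NSB_IP=172.16.1.2
VRF_IP=172.16.3.1
NS_NET=172.16.1.0/24

# IPv6 config
NSA_IP6=2001:db8:1::1
NSB_IP6=2001:db8:1::2
VRF_IP6=2001:db8:3::1
NS_NET6=2001:db8:1::/120

NSA_LO_IP=172.16.2.1
NSB_LO_IP=172.16.2.2
NSA_LO_IP6=2001:db8:2::1
NSB_LO_IP6=2001:db8:2::2

# non-local addresses for freebind tests
NL_IP=172.17.1.1
NL_IP6=2001:db8:4::1

# multicast and broadcast addresses
MCAST_IP=224.0.0.1
BCAST_IP=255.255.255.255

# Keys for the TCP-MD5 tests (passed to nettest via -M / -X further down).
# These are fixed test fixtures, not secrets: they only ever authenticate
# traffic between the throwaway namespaces this script creates.
MD5_PW=abc123
MD5_WRONG_PW=abc1234

MCAST=ff02::1
# set after namespace create
NSA_LINKIP6=
NSB_LINKIP6=

NSA=ns-A
NSB=ns-B
NSC=ns-C

# Command prefixes; expanded unquoted on purpose so they split into words.
NSA_CMD="ip netns exec ${NSA}"
NSB_CMD="ip netns exec ${NSB}"
NSC_CMD="ip netns exec ${NSC}"

# Use a dedicated ping6 binary when there is one, else fall back to ping.
if ! ping6=$(command -v ping6 2>/dev/null); then
	ping6=$(command -v ping)
fi

# Check if FIPS mode is enabled; the MD5 test groups further down are
# skipped when this is 1.
if [ -f /proc/sys/crypto/fips_enabled ]; then
	fips_enabled=$(cat /proc/sys/crypto/fips_enabled)
else
	fips_enabled=0
fi

################################################################################
# utilities

# Record one test result.
#   $1 - actual return code, $2 - expected return code, $3 - description
# Updates the global counters nsuccess / nfail, honours PAUSE and
# PAUSE_ON_FAIL, and finishes by killing leftover test processes.
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"
	# The reply is read into a function-local variable: callers use 'a'
	# as their address variable, and a plain 'read a' here would
	# overwrite it through bash's dynamic scoping whenever a pause is
	# active.
	local answer

	if [ "${VERBOSE}" = "1" ]; then
		echo
	fi

	if [ "${rc}" -eq "${expected}" ]; then
		nsuccess=$((nsuccess+1))
		printf "TEST: %-70s [ OK ]\n" "${msg}"
	else
		nfail=$((nfail+1))
		printf "TEST: %-70s [FAIL]\n" "${msg}"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue, 'q' to quit"
			read -r answer
			[ "$answer" = "q" ] && exit 1
		fi
	fi

	if [ "${PAUSE}" = "yes" ]; then
		echo
		echo "hit enter to continue, 'q' to quit"
		read -r answer
		[ "$answer" = "q" ] && exit 1
	fi

	kill_procs
}

# Same as log_test, with the description suffixed by a readable name for
# the address under test.
#   $1 - address, $2 - actual rc, $3 - expected rc, $4 - description
log_test_addr()
{
	local addr=$1
	local rc=$2
	local expected=$3
	local msg="$4"
	local astr

	astr=$(addr2str "${addr}")
	log_test "$rc" "$expected" "$msg - ${astr}"
}

# Print a banner for a top-level test section.
log_section()
{
	echo
	echo "###########################################################################"
	echo "$*"
	echo "###########################################################################"
	echo
}

# Print a banner for a subsection.
log_subsection()
{
	echo
	echo "#################################################################"
	echo "$*"
	echo
}

# Called before each test case.
log_start()
{
	# make sure we have no test instances running
	kill_procs

	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "#######################################################"
	fi
}

# Print a message only in verbose mode.
log_debug()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "$*"
		echo
	fi
}

# Print a hint about the expected outcome, only in verbose mode.
show_hint()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo "HINT: $*"
		echo
	fi
}

# Stop test helpers left over from the previous case.
# NOTE: killall selects by process name and is not limited to the test
# namespaces, so any other nettest/ping/ping6 process the invoking user
# is allowed to signal is terminated as well. Run the suite on a
# dedicated test machine or VM.
kill_procs()
{
	killall nettest ping ping6 >/dev/null 2>&1
	sleep 1
}

# Run a command, capturing stdout+stderr; echo both the command and its
# output in verbose mode. Returns the command's exit status.
# The command is executed from "$@" so each argument reaches the program
# exactly as the caller passed it (no second round of word splitting or
# glob expansion).
# 'rc' is deliberately not declared local here, as in the original.
do_run_cmd()
{
	local cmd="$*"
	local out

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${cmd}"
	fi

	out=$("$@" 2>&1)
	rc=$?
	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		echo "$out"
	fi

	return $rc
}

# Run a command inside ns-A.
run_cmd()
{
	# shellcheck disable=SC2086 # NSA_CMD is a multi-word prefix
	do_run_cmd ${NSA_CMD} "$@"
}

# Run a command inside ns-B.
run_cmd_nsb()
{
	# shellcheck disable=SC2086 # NSB_CMD is a multi-word prefix
	do_run_cmd ${NSB_CMD} "$@"
}

# Run a command inside ns-C.
run_cmd_nsc()
{
	# shellcheck disable=SC2086 # NSC_CMD is a multi-word prefix
	do_run_cmd ${NSC_CMD} "$@"
}

# Shared failure path of the setup_cmd* wrappers: report the command,
# optionally wait for the operator, then exit with the command's status.
#   $1 - exit status of the failed command, $2 - command text
_setup_cmd_fail()
{
	local rc=$1
	local cmd="$2"
	local answer

	# show user the command if not done so already
	if [ "$VERBOSE" = "0" ]; then
		echo "setup command: $cmd"
	fi
	echo "failed. stopping tests"
	if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
		echo
		echo "hit enter to continue"
		read -r answer
	fi
	exit "$rc"
}

# Run a setup command in ns-A; any failure stops the whole test run.
setup_cmd()
{
	local rc

	run_cmd "$@"
	rc=$?
	if [ $rc -ne 0 ]; then
		_setup_cmd_fail $rc "$*"
	fi
}

# Run a setup command in ns-B; any failure stops the whole test run.
setup_cmd_nsb()
{
	local rc

	run_cmd_nsb "$@"
	rc=$?
	if [ $rc -ne 0 ]; then
		_setup_cmd_fail $rc "$*"
	fi
}

# Run a setup command in ns-C; any failure stops the whole test run.
setup_cmd_nsc()
{
	local rc

	run_cmd_nsc "$@"
	rc=$?
	if [ $rc -ne 0 ]; then
		_setup_cmd_fail $rc "$*"
	fi
}

# set sysctl values in NS-A
# Each key=value is forwarded as one argument, so a value with an embedded
# space (e.g. net.ipv4.ping_group_range='0 2147483647') is not split into
# a truncated assignment plus a stray argument.
set_sysctl()
{
	echo "SYSCTL: $*"
	echo
	run_cmd sysctl -q -w "$@"
}

# get sysctl values in NS-A
get_sysctl()
{
	# shellcheck disable=SC2086 # NSA_CMD is a multi-word prefix
	${NSA_CMD} sysctl -n "$@"
}

################################################################################
# Setup for tests

# Map an address used by the tests to a short human-readable label.
# The link-local variables are empty until setup has run.
addr2str()
{
	case "$1" in
	127.0.0.1) echo "loopback";;
	::1) echo "IPv6 loopback";;

	${BCAST_IP}) echo "broadcast";;
	${MCAST_IP}) echo "multicast";;

	${NSA_IP})	echo "ns-A IP";;
	${NSA_IP6})	echo "ns-A IPv6";;
	${NSA_LO_IP})	echo "ns-A loopback IP";;
	${NSA_LO_IP6})	echo "ns-A loopback IPv6";;
	${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;

	${NSB_IP})	echo "ns-B IP";;
	${NSB_IP6})	echo "ns-B IPv6";;
	${NSB_LO_IP})	echo "ns-B loopback IP";;
	${NSB_LO_IP6})	echo "ns-B loopback IPv6";;
	${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;

	${NL_IP})	echo "nonlocal IP";;
	${NL_IP6})	echo "nonlocal IPv6";;

	${VRF_IP})	echo "VRF IP";;
	${VRF_IP6})	echo "VRF IPv6";;

	${MCAST}%*) echo "multicast IP";;

	*) echo "unknown";;
	esac
}

# Print the fe80:: link-local address of a device, without prefix length.
#   $1 - namespace, $2 - device
# Returns 1 (and prints nothing) when the device has no such address.
get_linklocal()
{
	local ns=$1
	local dev=$2
	local addr

	addr=$(ip -netns "${ns}" -6 -br addr show dev "${dev}" | \
	awk '{
		for (i = 3; i <= NF; ++i) {
			if ($i ~ /^fe80/)
				print $i
		}
	}'
	)
	# drop everything from the first "/" on (the prefix length)
	addr=${addr%%/*}

	if [ -z "$addr" ]; then
		return 1
	fi

	printf '%s\n' "$addr"

	return 0
}

################################################################################
# create namespaces and vrf

# Create a VRF device in a namespace.
#   $1 - namespace, $2 - VRF name, $3 - routing table id,
#   $4 - IPv4 address or "-", $5 - IPv6 address or "-"
create_vrf()
{
	local ns=$1
	local vrf=$2
	local table=$3
	local addr=$4
	local addr6=$5

	ip -netns "${ns}" link add "${vrf}" type vrf table "${table}"
	ip -netns "${ns}" link set "${vrf}" up
	# unreachable default so a lookup that misses in the VRF table fails
	# in that table
	ip -netns "${ns}" route add vrf "${vrf}" unreachable default metric 8192
	ip -netns "${ns}" -6 route add vrf "${vrf}" unreachable default metric 8192

	ip -netns "${ns}" addr add 127.0.0.1/8 dev "${vrf}"
	ip -netns "${ns}" -6 addr add ::1 dev "${vrf}" nodad
	if [ "${addr}" != "-" ]; then
		ip -netns "${ns}" addr add dev "${vrf}" "${addr}"
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns "${ns}" -6 addr add dev "${vrf}" "${addr6}"
	fi

	# replace the pref 0 'local' table rule with one at pref 32765
	# (presumably so the VRF rule is consulted before the local table)
	ip -netns "${ns}" ru del pref 0
	ip -netns "${ns}" ru add pref 32765 from all lookup local
	ip -netns "${ns}" -6 ru del pref 0
	ip -netns "${ns}" -6 ru add pref 32765 from all lookup local
}

# Create a namespace with loopback up, optional addresses on lo, an
# unreachable default route and forwarding enabled. The sysctl writes are
# executed inside the new namespace.
#   $1 - namespace, $2 - IPv4 address or "-", $3 - IPv6 address or "-"
create_ns()
{
	local ns=$1
	local addr=$2
	local addr6=$3

	ip netns add "${ns}"

	ip -netns "${ns}" link set lo up
	if [ "${addr}" != "-" ]; then
		ip -netns "${ns}" addr add dev lo "${addr}"
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns "${ns}" -6 addr add dev lo "${addr6}"
	fi

	ip -netns "${ns}" ro add unreachable default metric 8192
	ip -netns "${ns}" -6 ro add unreachable default metric 8192

	ip netns exec "${ns}" sysctl -qw net.ipv4.ip_forward=1
	ip netns exec "${ns}" sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
	ip netns exec "${ns}" sysctl -qw net.ipv6.conf.all.forwarding=1
	ip netns exec "${ns}" sysctl -qw net.ipv6.conf.default.forwarding=1
}

# create veth pair to connect namespaces and apply addresses.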
429connect_ns() 430{ 431 local ns1=$1 432 local ns1_dev=$2 433 local ns1_addr=$3 434 local ns1_addr6=$4 435 local ns2=$5 436 local ns2_dev=$6 437 local ns2_addr=$7 438 local ns2_addr6=$8 439 440 ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp 441 ip -netns ${ns1} li set ${ns1_dev} up 442 ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev} 443 ip -netns ${ns2} li set ${ns2_dev} up 444 445 if [ "${ns1_addr}" != "-" ]; then 446 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr} 447 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr} 448 fi 449 450 if [ "${ns1_addr6}" != "-" ]; then 451 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6} 452 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6} 453 fi 454} 455 456cleanup() 457{ 458 # explicit cleanups to check those code paths 459 ip netns | grep -q ${NSA} 460 if [ $? -eq 0 ]; then 461 ip -netns ${NSA} link delete ${VRF} 462 ip -netns ${NSA} ro flush table ${VRF_TABLE} 463 464 ip -netns ${NSA} addr flush dev ${NSA_DEV} 465 ip -netns ${NSA} -6 addr flush dev ${NSA_DEV} 466 ip -netns ${NSA} link set dev ${NSA_DEV} down 467 ip -netns ${NSA} link del dev ${NSA_DEV} 468 469 ip netns pids ${NSA} | xargs kill 2>/dev/null 470 ip netns del ${NSA} 471 fi 472 473 ip netns pids ${NSB} | xargs kill 2>/dev/null 474 ip netns del ${NSB} 475 ip netns pids ${NSC} | xargs kill 2>/dev/null 476 ip netns del ${NSC} >/dev/null 2>&1 477} 478 479cleanup_vrf_dup() 480{ 481 ip link del ${NSA_DEV2} >/dev/null 2>&1 482 ip netns pids ${NSC} | xargs kill 2>/dev/null 483 ip netns del ${NSC} >/dev/null 2>&1 484} 485 486setup_vrf_dup() 487{ 488 # some VRF tests use ns-C which has the same config as 489 # ns-B but for a device NOT in the VRF 490 create_ns ${NSC} "-" "-" 491 connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \ 492 ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 493} 494 495setup() 496{ 497 local with_vrf=${1} 498 499 # make sure we are starting with a clean slate 500 kill_procs 501 cleanup 2>/dev/null 502 503 
log_debug "Configuring network namespaces" 504 set -e 505 506 create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128 507 create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128 508 connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \ 509 ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 510 511 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 512 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 513 514 # tell ns-A how to get to remote addresses of ns-B 515 if [ "${with_vrf}" = "yes" ]; then 516 create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6} 517 518 ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF} 519 ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 520 ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 521 522 ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 523 ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 524 else 525 ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 526 ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 527 fi 528 529 530 # tell ns-B how to get to remote addresses of ns-A 531 ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 532 ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 533 534 set +e 535 536 sleep 1 537} 538 539setup_lla_only() 540{ 541 # make sure we are starting with a clean slate 542 kill_procs 543 cleanup 2>/dev/null 544 545 log_debug "Configuring network namespaces" 546 set -e 547 548 create_ns ${NSA} "-" "-" 549 create_ns ${NSB} "-" "-" 550 create_ns ${NSC} "-" "-" 551 connect_ns ${NSA} ${NSA_DEV} "-" "-" \ 552 ${NSB} ${NSB_DEV} "-" "-" 553 connect_ns ${NSA} ${NSA_DEV2} "-" "-" \ 554 ${NSC} ${NSC_DEV} "-" "-" 555 556 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 557 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 558 NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV}) 559 560 create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-" 561 ip -netns ${NSA} link 
set dev ${NSA_DEV} vrf ${VRF} 562 ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF} 563 564 set +e 565 566 sleep 1 567} 568 569################################################################################ 570# IPv4 571 572ipv4_ping_novrf() 573{ 574 local a 575 576 # 577 # out 578 # 579 for a in ${NSB_IP} ${NSB_LO_IP} 580 do 581 log_start 582 run_cmd ping -c1 -w1 ${a} 583 log_test_addr ${a} $? 0 "ping out" 584 585 log_start 586 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 587 log_test_addr ${a} $? 0 "ping out, device bind" 588 589 log_start 590 run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a} 591 log_test_addr ${a} $? 0 "ping out, address bind" 592 done 593 594 # 595 # in 596 # 597 for a in ${NSA_IP} ${NSA_LO_IP} 598 do 599 log_start 600 run_cmd_nsb ping -c1 -w1 ${a} 601 log_test_addr ${a} $? 0 "ping in" 602 done 603 604 # 605 # local traffic 606 # 607 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 608 do 609 log_start 610 run_cmd ping -c1 -w1 ${a} 611 log_test_addr ${a} $? 0 "ping local" 612 done 613 614 # 615 # local traffic, socket bound to device 616 # 617 # address on device 618 a=${NSA_IP} 619 log_start 620 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 621 log_test_addr ${a} $? 0 "ping local, device bind" 622 623 # loopback addresses not reachable from device bind 624 # fails in a really weird way though because ipv4 special cases 625 # route lookups with oif set. 626 for a in ${NSA_LO_IP} 127.0.0.1 627 do 628 log_start 629 show_hint "Fails since address on loopback device is out of device scope" 630 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 631 log_test_addr ${a} $? 
1 "ping local, device bind" 632 done 633 634 # 635 # ip rule blocks reachability to remote address 636 # 637 log_start 638 setup_cmd ip rule add pref 32765 from all lookup local 639 setup_cmd ip rule del pref 0 from all lookup local 640 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 641 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 642 643 a=${NSB_LO_IP} 644 run_cmd ping -c1 -w1 ${a} 645 log_test_addr ${a} $? 2 "ping out, blocked by rule" 646 647 # NOTE: ipv4 actually allows the lookup to fail and yet still create 648 # a viable rtable if the oif (e.g., bind to device) is set, so this 649 # case succeeds despite the rule 650 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 651 652 a=${NSA_LO_IP} 653 log_start 654 show_hint "Response generates ICMP (or arp request is ignored) due to ip rule" 655 run_cmd_nsb ping -c1 -w1 ${a} 656 log_test_addr ${a} $? 1 "ping in, blocked by rule" 657 658 [ "$VERBOSE" = "1" ] && echo 659 setup_cmd ip rule del pref 32765 from all lookup local 660 setup_cmd ip rule add pref 0 from all lookup local 661 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 662 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 663 664 # 665 # route blocks reachability to remote address 666 # 667 log_start 668 setup_cmd ip route replace unreachable ${NSB_LO_IP} 669 setup_cmd ip route replace unreachable ${NSB_IP} 670 671 a=${NSB_LO_IP} 672 run_cmd ping -c1 -w1 ${a} 673 log_test_addr ${a} $? 2 "ping out, blocked by route" 674 675 # NOTE: ipv4 actually allows the lookup to fail and yet still create 676 # a viable rtable if the oif (e.g., bind to device) is set, so this 677 # case succeeds despite not having a route for the address 678 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 679 680 a=${NSA_LO_IP} 681 log_start 682 show_hint "Response is dropped (or arp request is ignored) due to ip route" 683 run_cmd_nsb ping -c1 -w1 ${a} 684 log_test_addr ${a} $? 
1 "ping in, blocked by route" 685 686 # 687 # remove 'remote' routes; fallback to default 688 # 689 log_start 690 setup_cmd ip ro del ${NSB_LO_IP} 691 692 a=${NSB_LO_IP} 693 run_cmd ping -c1 -w1 ${a} 694 log_test_addr ${a} $? 2 "ping out, unreachable default route" 695 696 # NOTE: ipv4 actually allows the lookup to fail and yet still create 697 # a viable rtable if the oif (e.g., bind to device) is set, so this 698 # case succeeds despite not having a route for the address 699 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 700} 701 702ipv4_ping_vrf() 703{ 704 local a 705 706 # should default on; does not exist on older kernels 707 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 708 709 # 710 # out 711 # 712 for a in ${NSB_IP} ${NSB_LO_IP} 713 do 714 log_start 715 run_cmd ping -c1 -w1 -I ${VRF} ${a} 716 log_test_addr ${a} $? 0 "ping out, VRF bind" 717 718 log_start 719 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 720 log_test_addr ${a} $? 0 "ping out, device bind" 721 722 log_start 723 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a} 724 log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind" 725 726 log_start 727 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a} 728 log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind" 729 done 730 731 # 732 # in 733 # 734 for a in ${NSA_IP} ${VRF_IP} 735 do 736 log_start 737 run_cmd_nsb ping -c1 -w1 ${a} 738 log_test_addr ${a} $? 0 "ping in" 739 done 740 741 # 742 # local traffic, local address 743 # 744 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 745 do 746 log_start 747 show_hint "Source address should be ${a}" 748 run_cmd ping -c1 -w1 -I ${VRF} ${a} 749 log_test_addr ${a} $? 0 "ping local, VRF bind" 750 done 751 752 # 753 # local traffic, socket bound to device 754 # 755 # address on device 756 a=${NSA_IP} 757 log_start 758 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 759 log_test_addr ${a} $? 
0 "ping local, device bind" 760 761 # vrf device is out of scope 762 for a in ${VRF_IP} 127.0.0.1 763 do 764 log_start 765 show_hint "Fails since address on vrf device is out of device scope" 766 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 767 log_test_addr ${a} $? 2 "ping local, device bind" 768 done 769 770 # 771 # ip rule blocks address 772 # 773 log_start 774 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 775 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 776 777 a=${NSB_LO_IP} 778 run_cmd ping -c1 -w1 -I ${VRF} ${a} 779 log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule" 780 781 log_start 782 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 783 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 784 785 a=${NSA_LO_IP} 786 log_start 787 show_hint "Response lost due to ip rule" 788 run_cmd_nsb ping -c1 -w1 ${a} 789 log_test_addr ${a} $? 1 "ping in, blocked by rule" 790 791 [ "$VERBOSE" = "1" ] && echo 792 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 793 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 794 795 # 796 # remove 'remote' routes; fallback to default 797 # 798 log_start 799 setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP} 800 801 a=${NSB_LO_IP} 802 run_cmd ping -c1 -w1 -I ${VRF} ${a} 803 log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route" 804 805 log_start 806 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 807 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 808 809 a=${NSA_LO_IP} 810 log_start 811 show_hint "Response lost by unreachable route" 812 run_cmd_nsb ping -c1 -w1 ${a} 813 log_test_addr ${a} $? 
1 "ping in, unreachable route" 814} 815 816ipv4_ping() 817{ 818 log_section "IPv4 ping" 819 820 log_subsection "No VRF" 821 setup 822 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null 823 ipv4_ping_novrf 824 setup 825 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 826 ipv4_ping_novrf 827 setup 828 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 829 ipv4_ping_novrf 830 831 log_subsection "With VRF" 832 setup "yes" 833 ipv4_ping_vrf 834 setup "yes" 835 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 836 ipv4_ping_vrf 837} 838 839################################################################################ 840# IPv4 TCP 841 842# 843# MD5 tests without VRF 844# 845ipv4_tcp_md5_novrf() 846{ 847 # 848 # single address 849 # 850 851 # basic use case 852 log_start 853 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 854 sleep 1 855 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 856 log_test $? 0 "MD5: Single address config" 857 858 # client sends MD5, server not configured 859 log_start 860 show_hint "Should timeout due to MD5 mismatch" 861 run_cmd nettest -s & 862 sleep 1 863 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 864 log_test $? 2 "MD5: Server no config, client uses password" 865 866 # wrong password 867 log_start 868 show_hint "Should timeout since client uses wrong password" 869 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 870 sleep 1 871 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 872 log_test $? 2 "MD5: Client uses wrong password" 873 874 # client from different address 875 log_start 876 show_hint "Should timeout due to MD5 mismatch" 877 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} & 878 sleep 1 879 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 880 log_test $? 
2 "MD5: Client address does not match address configured with password" 881 882 # 883 # MD5 extension - prefix length 884 # 885 886 # client in prefix 887 log_start 888 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 889 sleep 1 890 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 891 log_test $? 0 "MD5: Prefix config" 892 893 # client in prefix, wrong password 894 log_start 895 show_hint "Should timeout since client uses wrong password" 896 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 897 sleep 1 898 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 899 log_test $? 2 "MD5: Prefix config, client uses wrong password" 900 901 # client outside of prefix 902 log_start 903 show_hint "Should timeout due to MD5 mismatch" 904 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 905 sleep 1 906 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 907 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 908} 909 910# 911# MD5 tests with VRF 912# 913ipv4_tcp_md5() 914{ 915 # 916 # single address 917 # 918 919 # basic use case 920 log_start 921 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 922 sleep 1 923 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 924 log_test $? 0 "MD5: VRF: Single address config" 925 926 # client sends MD5, server not configured 927 log_start 928 show_hint "Should timeout since server does not have MD5 auth" 929 run_cmd nettest -s -I ${VRF} & 930 sleep 1 931 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 932 log_test $? 2 "MD5: VRF: Server no config, client uses password" 933 934 # wrong password 935 log_start 936 show_hint "Should timeout since client uses wrong password" 937 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 938 sleep 1 939 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 940 log_test $? 
2 "MD5: VRF: Client uses wrong password" 941 942 # client from different address 943 log_start 944 show_hint "Should timeout since server config differs from client" 945 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} & 946 sleep 1 947 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 948 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 949 950 # 951 # MD5 extension - prefix length 952 # 953 954 # client in prefix 955 log_start 956 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 957 sleep 1 958 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 959 log_test $? 0 "MD5: VRF: Prefix config" 960 961 # client in prefix, wrong password 962 log_start 963 show_hint "Should timeout since client uses wrong password" 964 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 965 sleep 1 966 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 967 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 968 969 # client outside of prefix 970 log_start 971 show_hint "Should timeout since client address is outside of prefix" 972 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 973 sleep 1 974 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 975 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" 976 977 # 978 # duplicate config between default VRF and a VRF 979 # 980 981 log_start 982 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 983 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 984 sleep 1 985 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 986 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 987 988 log_start 989 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 990 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 991 sleep 1 992 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 993 log_test $? 
0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 994 995 log_start 996 show_hint "Should timeout since client in default VRF uses VRF password" 997 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 998 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 999 sleep 1 1000 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1001 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 1002 1003 log_start 1004 show_hint "Should timeout since client in VRF uses default VRF password" 1005 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 1006 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 1007 sleep 1 1008 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1009 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 1010 1011 log_start 1012 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1013 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1014 sleep 1 1015 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1016 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 1017 1018 log_start 1019 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1020 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1021 sleep 1 1022 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1023 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 1024 1025 log_start 1026 show_hint "Should timeout since client in default VRF uses VRF password" 1027 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1028 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1029 sleep 1 1030 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1031 log_test $? 
2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 1032 1033 log_start 1034 show_hint "Should timeout since client in VRF uses default VRF password" 1035 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1036 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1037 sleep 1 1038 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1039 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 1040 1041 # 1042 # negative tests 1043 # 1044 log_start 1045 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP} 1046 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 1047 1048 log_start 1049 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET} 1050 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 1051 1052 test_ipv4_md5_vrf__vrf_server__no_bind_ifindex 1053 test_ipv4_md5_vrf__global_server__bind_ifindex0 1054} 1055 1056test_ipv4_md5_vrf__vrf_server__no_bind_ifindex() 1057{ 1058 log_start 1059 show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX" 1060 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1061 sleep 1 1062 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1063 log_test $? 0 "MD5: VRF: VRF-bound server, unbound key accepts connection" 1064 1065 log_start 1066 show_hint "Binding both the socket and the key is not required but it works" 1067 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1068 sleep 1 1069 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1070 log_test $? 
0 "MD5: VRF: VRF-bound server, bound key accepts connection" 1071} 1072 1073test_ipv4_md5_vrf__global_server__bind_ifindex0() 1074{ 1075 # This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections 1076 local old_tcp_l3mdev_accept 1077 old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept) 1078 set_sysctl net.ipv4.tcp_l3mdev_accept=1 1079 1080 log_start 1081 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1082 sleep 1 1083 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1084 log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection" 1085 1086 log_start 1087 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1088 sleep 1 1089 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1090 log_test $? 0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection" 1091 log_start 1092 1093 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1094 sleep 1 1095 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1096 log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection" 1097 1098 log_start 1099 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1100 sleep 1 1101 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1102 log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection" 1103 1104 # restore value 1105 set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept" 1106} 1107 1108ipv4_tcp_novrf() 1109{ 1110 local a 1111 1112 # 1113 # server tests 1114 # 1115 for a in ${NSA_IP} ${NSA_LO_IP} 1116 do 1117 log_start 1118 run_cmd nettest -s & 1119 sleep 1 1120 run_cmd_nsb nettest -r ${a} 1121 log_test_addr ${a} $? 0 "Global server" 1122 done 1123 1124 a=${NSA_IP} 1125 log_start 1126 run_cmd nettest -s -I ${NSA_DEV} & 1127 sleep 1 1128 run_cmd_nsb nettest -r ${a} 1129 log_test_addr ${a} $? 
0 "Device server" 1130 1131 # verify TCP reset sent and received 1132 for a in ${NSA_IP} ${NSA_LO_IP} 1133 do 1134 log_start 1135 show_hint "Should fail 'Connection refused' since there is no server" 1136 run_cmd_nsb nettest -r ${a} 1137 log_test_addr ${a} $? 1 "No server" 1138 done 1139 1140 # 1141 # client 1142 # 1143 for a in ${NSB_IP} ${NSB_LO_IP} 1144 do 1145 log_start 1146 run_cmd_nsb nettest -s & 1147 sleep 1 1148 run_cmd nettest -r ${a} -0 ${NSA_IP} 1149 log_test_addr ${a} $? 0 "Client" 1150 1151 log_start 1152 run_cmd_nsb nettest -s & 1153 sleep 1 1154 run_cmd nettest -r ${a} -d ${NSA_DEV} 1155 log_test_addr ${a} $? 0 "Client, device bind" 1156 1157 log_start 1158 show_hint "Should fail 'Connection refused'" 1159 run_cmd nettest -r ${a} 1160 log_test_addr ${a} $? 1 "No server, unbound client" 1161 1162 log_start 1163 show_hint "Should fail 'Connection refused'" 1164 run_cmd nettest -r ${a} -d ${NSA_DEV} 1165 log_test_addr ${a} $? 1 "No server, device client" 1166 done 1167 1168 # 1169 # local address tests 1170 # 1171 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1172 do 1173 log_start 1174 run_cmd nettest -s & 1175 sleep 1 1176 run_cmd nettest -r ${a} -0 ${a} -1 ${a} 1177 log_test_addr ${a} $? 0 "Global server, local connection" 1178 done 1179 1180 a=${NSA_IP} 1181 log_start 1182 run_cmd nettest -s -I ${NSA_DEV} & 1183 sleep 1 1184 run_cmd nettest -r ${a} -0 ${a} 1185 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 1186 1187 for a in ${NSA_LO_IP} 127.0.0.1 1188 do 1189 log_start 1190 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 1191 run_cmd nettest -s -I ${NSA_DEV} & 1192 sleep 1 1193 run_cmd nettest -r ${a} 1194 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 1195 done 1196 1197 a=${NSA_IP} 1198 log_start 1199 run_cmd nettest -s & 1200 sleep 1 1201 run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV} 1202 log_test_addr ${a} $? 
0 "Global server, device client, local connection" 1203 1204 for a in ${NSA_LO_IP} 127.0.0.1 1205 do 1206 log_start 1207 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 1208 run_cmd nettest -s & 1209 sleep 1 1210 run_cmd nettest -r ${a} -d ${NSA_DEV} 1211 log_test_addr ${a} $? 1 "Global server, device client, local connection" 1212 done 1213 1214 a=${NSA_IP} 1215 log_start 1216 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1217 sleep 1 1218 run_cmd nettest -d ${NSA_DEV} -r ${a} -0 ${a} 1219 log_test_addr ${a} $? 0 "Device server, device client, local connection" 1220 1221 log_start 1222 show_hint "Should fail 'Connection refused'" 1223 run_cmd nettest -d ${NSA_DEV} -r ${a} 1224 log_test_addr ${a} $? 1 "No server, device client, local conn" 1225 1226 [ "$fips_enabled" = "1" ] || ipv4_tcp_md5_novrf 1227} 1228 1229ipv4_tcp_vrf() 1230{ 1231 local a 1232 1233 # disable global server 1234 log_subsection "Global server disabled" 1235 1236 set_sysctl net.ipv4.tcp_l3mdev_accept=0 1237 1238 # 1239 # server tests 1240 # 1241 for a in ${NSA_IP} ${VRF_IP} 1242 do 1243 log_start 1244 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 1245 run_cmd nettest -s & 1246 sleep 1 1247 run_cmd_nsb nettest -r ${a} 1248 log_test_addr ${a} $? 1 "Global server" 1249 1250 log_start 1251 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1252 sleep 1 1253 run_cmd_nsb nettest -r ${a} 1254 log_test_addr ${a} $? 0 "VRF server" 1255 1256 log_start 1257 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1258 sleep 1 1259 run_cmd_nsb nettest -r ${a} 1260 log_test_addr ${a} $? 0 "Device server" 1261 1262 # verify TCP reset received 1263 log_start 1264 show_hint "Should fail 'Connection refused' since there is no server" 1265 run_cmd_nsb nettest -r ${a} 1266 log_test_addr ${a} $? 
1 "No server" 1267 done 1268 1269 # local address tests 1270 # (${VRF_IP} and 127.0.0.1 both timeout) 1271 a=${NSA_IP} 1272 log_start 1273 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 1274 run_cmd nettest -s & 1275 sleep 1 1276 run_cmd nettest -r ${a} -d ${NSA_DEV} 1277 log_test_addr ${a} $? 1 "Global server, local connection" 1278 1279 # run MD5 tests 1280 if [ "$fips_enabled" = "0" ]; then 1281 setup_vrf_dup 1282 ipv4_tcp_md5 1283 cleanup_vrf_dup 1284 fi 1285 1286 # 1287 # enable VRF global server 1288 # 1289 log_subsection "VRF Global server enabled" 1290 set_sysctl net.ipv4.tcp_l3mdev_accept=1 1291 1292 for a in ${NSA_IP} ${VRF_IP} 1293 do 1294 log_start 1295 show_hint "client socket should be bound to VRF" 1296 run_cmd nettest -s -3 ${VRF} & 1297 sleep 1 1298 run_cmd_nsb nettest -r ${a} 1299 log_test_addr ${a} $? 0 "Global server" 1300 1301 log_start 1302 show_hint "client socket should be bound to VRF" 1303 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1304 sleep 1 1305 run_cmd_nsb nettest -r ${a} 1306 log_test_addr ${a} $? 0 "VRF server" 1307 1308 # verify TCP reset received 1309 log_start 1310 show_hint "Should fail 'Connection refused'" 1311 run_cmd_nsb nettest -r ${a} 1312 log_test_addr ${a} $? 1 "No server" 1313 done 1314 1315 a=${NSA_IP} 1316 log_start 1317 show_hint "client socket should be bound to device" 1318 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1319 sleep 1 1320 run_cmd_nsb nettest -r ${a} 1321 log_test_addr ${a} $? 0 "Device server" 1322 1323 # local address tests 1324 for a in ${NSA_IP} ${VRF_IP} 1325 do 1326 log_start 1327 show_hint "Should fail 'Connection refused' since client is not bound to VRF" 1328 run_cmd nettest -s -I ${VRF} & 1329 sleep 1 1330 run_cmd nettest -r ${a} 1331 log_test_addr ${a} $? 
1 "Global server, local connection" 1332 done 1333 1334 # 1335 # client 1336 # 1337 for a in ${NSB_IP} ${NSB_LO_IP} 1338 do 1339 log_start 1340 run_cmd_nsb nettest -s & 1341 sleep 1 1342 run_cmd nettest -r ${a} -d ${VRF} 1343 log_test_addr ${a} $? 0 "Client, VRF bind" 1344 1345 log_start 1346 run_cmd_nsb nettest -s & 1347 sleep 1 1348 run_cmd nettest -r ${a} -d ${NSA_DEV} 1349 log_test_addr ${a} $? 0 "Client, device bind" 1350 1351 log_start 1352 show_hint "Should fail 'Connection refused'" 1353 run_cmd nettest -r ${a} -d ${VRF} 1354 log_test_addr ${a} $? 1 "No server, VRF client" 1355 1356 log_start 1357 show_hint "Should fail 'Connection refused'" 1358 run_cmd nettest -r ${a} -d ${NSA_DEV} 1359 log_test_addr ${a} $? 1 "No server, device client" 1360 done 1361 1362 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 1363 do 1364 log_start 1365 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1366 sleep 1 1367 run_cmd nettest -r ${a} -d ${VRF} -0 ${a} 1368 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 1369 done 1370 1371 a=${NSA_IP} 1372 log_start 1373 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1374 sleep 1 1375 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a} 1376 log_test_addr ${a} $? 0 "VRF server, device client, local connection" 1377 1378 log_start 1379 show_hint "Should fail 'No route to host' since client is out of VRF scope" 1380 run_cmd nettest -s -I ${VRF} & 1381 sleep 1 1382 run_cmd nettest -r ${a} 1383 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection" 1384 1385 log_start 1386 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1387 sleep 1 1388 run_cmd nettest -r ${a} -d ${VRF} -0 ${a} 1389 log_test_addr ${a} $? 0 "Device server, VRF client, local connection" 1390 1391 log_start 1392 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1393 sleep 1 1394 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a} 1395 log_test_addr ${a} $? 
0 "Device server, device client, local connection"
}

# Entry point for the IPv4 TCP tests: the non-VRF suite is run under
# both tcp_l3mdev_accept values, then the environment is rebuilt with
# setup "yes" and the VRF suite is run.
ipv4_tcp()
{
	local l3mdev_mode

	log_section "IPv4/TCP"
	log_subsection "No VRF"
	setup

	# tcp_l3mdev_accept should have no effect without a VRF, so the
	# same tests are repeated with it off and on to verify that.
	# Each entry is "<sysctl value>|<subsection title>".
	for l3mdev_mode in \
		"0|tcp_l3mdev_accept disabled" \
		"1|tcp_l3mdev_accept enabled"
	do
		log_subsection "${l3mdev_mode#*|}"
		set_sysctl net.ipv4.tcp_l3mdev_accept=${l3mdev_mode%%|*}
		ipv4_tcp_novrf
	done

	log_subsection "With VRF"
	setup "yes"
	ipv4_tcp_vrf
}

################################################################################
# IPv4 UDP

ipv4_udp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -D -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP}
		log_test_addr ${a} $?
0 "Client, device send via cmsg" 1471 1472 log_start 1473 run_cmd_nsb nettest -D -s & 1474 sleep 1 1475 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} 1476 log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF" 1477 1478 log_start 1479 run_cmd_nsb nettest -D -s & 1480 sleep 1 1481 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} -U 1482 log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF, with connect()" 1483 1484 1485 log_start 1486 show_hint "Should fail 'Connection refused'" 1487 run_cmd nettest -D -r ${a} 1488 log_test_addr ${a} $? 1 "No server, unbound client" 1489 1490 log_start 1491 show_hint "Should fail 'Connection refused'" 1492 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1493 log_test_addr ${a} $? 1 "No server, device client" 1494 done 1495 1496 # 1497 # local address tests 1498 # 1499 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1500 do 1501 log_start 1502 run_cmd nettest -D -s & 1503 sleep 1 1504 run_cmd nettest -D -r ${a} -0 ${a} -1 ${a} 1505 log_test_addr ${a} $? 0 "Global server, local connection" 1506 done 1507 1508 a=${NSA_IP} 1509 log_start 1510 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1511 sleep 1 1512 run_cmd nettest -D -r ${a} 1513 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 1514 1515 for a in ${NSA_LO_IP} 127.0.0.1 1516 do 1517 log_start 1518 show_hint "Should fail 'Connection refused' since address is out of device scope" 1519 run_cmd nettest -s -D -I ${NSA_DEV} & 1520 sleep 1 1521 run_cmd nettest -D -r ${a} 1522 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 1523 done 1524 1525 a=${NSA_IP} 1526 log_start 1527 run_cmd nettest -s -D & 1528 sleep 1 1529 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1530 log_test_addr ${a} $? 0 "Global server, device client, local connection" 1531 1532 log_start 1533 run_cmd nettest -s -D & 1534 sleep 1 1535 run_cmd nettest -D -d ${NSA_DEV} -C -r ${a} 1536 log_test_addr ${a} $? 
0 "Global server, device send via cmsg, local connection" 1537 1538 log_start 1539 run_cmd nettest -s -D & 1540 sleep 1 1541 run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} 1542 log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection" 1543 1544 log_start 1545 run_cmd nettest -s -D & 1546 sleep 1 1547 run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} -U 1548 log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection, with connect()" 1549 1550 1551 # IPv4 with device bind has really weird behavior - it overrides the 1552 # fib lookup, generates an rtable and tries to send the packet. This 1553 # causes failures for local traffic at different places 1554 for a in ${NSA_LO_IP} 127.0.0.1 1555 do 1556 log_start 1557 show_hint "Should fail since addresses on loopback are out of device scope" 1558 run_cmd nettest -D -s & 1559 sleep 1 1560 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1561 log_test_addr ${a} $? 2 "Global server, device client, local connection" 1562 1563 log_start 1564 show_hint "Should fail since addresses on loopback are out of device scope" 1565 run_cmd nettest -D -s & 1566 sleep 1 1567 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C 1568 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 1569 1570 log_start 1571 show_hint "Should fail since addresses on loopback are out of device scope" 1572 run_cmd nettest -D -s & 1573 sleep 1 1574 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S 1575 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 1576 1577 log_start 1578 show_hint "Should fail since addresses on loopback are out of device scope" 1579 run_cmd nettest -D -s & 1580 sleep 1 1581 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -U 1582 log_test_addr ${a} $? 
1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()" 1583 1584 1585 done 1586 1587 a=${NSA_IP} 1588 log_start 1589 run_cmd nettest -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1590 sleep 1 1591 run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a} 1592 log_test_addr ${a} $? 0 "Device server, device client, local conn" 1593 1594 log_start 1595 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1596 log_test_addr ${a} $? 2 "No server, device client, local conn" 1597} 1598 1599ipv4_udp_vrf() 1600{ 1601 local a 1602 1603 # disable global server 1604 log_subsection "Global server disabled" 1605 set_sysctl net.ipv4.udp_l3mdev_accept=0 1606 1607 # 1608 # server tests 1609 # 1610 for a in ${NSA_IP} ${VRF_IP} 1611 do 1612 log_start 1613 show_hint "Fails because ingress is in a VRF and global server is disabled" 1614 run_cmd nettest -D -s & 1615 sleep 1 1616 run_cmd_nsb nettest -D -r ${a} 1617 log_test_addr ${a} $? 1 "Global server" 1618 1619 log_start 1620 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} & 1621 sleep 1 1622 run_cmd_nsb nettest -D -r ${a} 1623 log_test_addr ${a} $? 0 "VRF server" 1624 1625 log_start 1626 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1627 sleep 1 1628 run_cmd_nsb nettest -D -r ${a} 1629 log_test_addr ${a} $? 0 "Enslaved device server" 1630 1631 log_start 1632 show_hint "Should fail 'Connection refused' since there is no server" 1633 run_cmd_nsb nettest -D -r ${a} 1634 log_test_addr ${a} $? 1 "No server" 1635 1636 log_start 1637 show_hint "Should fail 'Connection refused' since global server is out of scope" 1638 run_cmd nettest -D -s & 1639 sleep 1 1640 run_cmd nettest -D -d ${VRF} -r ${a} 1641 log_test_addr ${a} $? 1 "Global server, VRF client, local connection" 1642 done 1643 1644 a=${NSA_IP} 1645 log_start 1646 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1647 sleep 1 1648 run_cmd nettest -D -d ${VRF} -r ${a} 1649 log_test_addr ${a} $? 
0 "VRF server, VRF client, local conn" 1650 1651 log_start 1652 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1653 sleep 1 1654 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1655 log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection" 1656 1657 a=${NSA_IP} 1658 log_start 1659 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1660 sleep 1 1661 run_cmd nettest -D -d ${VRF} -r ${a} 1662 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 1663 1664 log_start 1665 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1666 sleep 1 1667 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1668 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 1669 1670 # enable global server 1671 log_subsection "Global server enabled" 1672 set_sysctl net.ipv4.udp_l3mdev_accept=1 1673 1674 # 1675 # server tests 1676 # 1677 for a in ${NSA_IP} ${VRF_IP} 1678 do 1679 log_start 1680 run_cmd nettest -D -s -3 ${NSA_DEV} & 1681 sleep 1 1682 run_cmd_nsb nettest -D -r ${a} 1683 log_test_addr ${a} $? 0 "Global server" 1684 1685 log_start 1686 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} & 1687 sleep 1 1688 run_cmd_nsb nettest -D -r ${a} 1689 log_test_addr ${a} $? 0 "VRF server" 1690 1691 log_start 1692 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1693 sleep 1 1694 run_cmd_nsb nettest -D -r ${a} 1695 log_test_addr ${a} $? 0 "Enslaved device server" 1696 1697 log_start 1698 show_hint "Should fail 'Connection refused'" 1699 run_cmd_nsb nettest -D -r ${a} 1700 log_test_addr ${a} $? 1 "No server" 1701 done 1702 1703 # 1704 # client tests 1705 # 1706 log_start 1707 run_cmd_nsb nettest -D -s & 1708 sleep 1 1709 run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP} 1710 log_test $? 0 "VRF client" 1711 1712 log_start 1713 run_cmd_nsb nettest -D -s & 1714 sleep 1 1715 run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP} 1716 log_test $? 
0 "Enslaved device client" 1717 1718 # negative test - should fail 1719 log_start 1720 show_hint "Should fail 'Connection refused'" 1721 run_cmd nettest -D -d ${VRF} -r ${NSB_IP} 1722 log_test $? 1 "No server, VRF client" 1723 1724 log_start 1725 show_hint "Should fail 'Connection refused'" 1726 run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP} 1727 log_test $? 1 "No server, enslaved device client" 1728 1729 # 1730 # local address tests 1731 # 1732 a=${NSA_IP} 1733 log_start 1734 run_cmd nettest -D -s -3 ${NSA_DEV} & 1735 sleep 1 1736 run_cmd nettest -D -d ${VRF} -r ${a} 1737 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 1738 1739 log_start 1740 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1741 sleep 1 1742 run_cmd nettest -D -d ${VRF} -r ${a} 1743 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1744 1745 log_start 1746 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1747 sleep 1 1748 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1749 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 1750 1751 log_start 1752 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1753 sleep 1 1754 run_cmd nettest -D -d ${VRF} -r ${a} 1755 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 1756 1757 log_start 1758 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1759 sleep 1 1760 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1761 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 1762 1763 for a in ${VRF_IP} 127.0.0.1 1764 do 1765 log_start 1766 run_cmd nettest -D -s -3 ${VRF} & 1767 sleep 1 1768 run_cmd nettest -D -d ${VRF} -r ${a} 1769 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 1770 done 1771 1772 for a in ${VRF_IP} 127.0.0.1 1773 do 1774 log_start 1775 run_cmd nettest -s -D -I ${VRF} -3 ${VRF} & 1776 sleep 1 1777 run_cmd nettest -D -d ${VRF} -r ${a} 1778 log_test_addr ${a} $? 
0 "VRF server, VRF client, local conn" 1779 done 1780 1781 # negative test - should fail 1782 # verifies ECONNREFUSED 1783 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 1784 do 1785 log_start 1786 show_hint "Should fail 'Connection refused'" 1787 run_cmd nettest -D -d ${VRF} -r ${a} 1788 log_test_addr ${a} $? 1 "No server, VRF client, local conn" 1789 done 1790} 1791 1792ipv4_udp() 1793{ 1794 log_section "IPv4/UDP" 1795 log_subsection "No VRF" 1796 1797 setup 1798 1799 # udp_l3mdev_accept should have no affect without VRF; 1800 # run tests with it enabled and disabled to verify 1801 log_subsection "udp_l3mdev_accept disabled" 1802 set_sysctl net.ipv4.udp_l3mdev_accept=0 1803 ipv4_udp_novrf 1804 log_subsection "udp_l3mdev_accept enabled" 1805 set_sysctl net.ipv4.udp_l3mdev_accept=1 1806 ipv4_udp_novrf 1807 1808 log_subsection "With VRF" 1809 setup "yes" 1810 ipv4_udp_vrf 1811} 1812 1813################################################################################ 1814# IPv4 address bind 1815# 1816# verifies ability or inability to bind to an address / device 1817 1818ipv4_addr_bind_novrf() 1819{ 1820 # 1821 # raw socket 1822 # 1823 for a in ${NSA_IP} ${NSA_LO_IP} 1824 do 1825 log_start 1826 run_cmd nettest -s -R -P icmp -l ${a} -b 1827 log_test_addr ${a} $? 0 "Raw socket bind to local address" 1828 1829 log_start 1830 run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b 1831 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" 1832 done 1833 1834 # 1835 # tests for nonlocal bind 1836 # 1837 a=${NL_IP} 1838 log_start 1839 run_cmd nettest -s -R -f -l ${a} -b 1840 log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address" 1841 1842 log_start 1843 run_cmd nettest -s -f -l ${a} -b 1844 log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address" 1845 1846 log_start 1847 run_cmd nettest -s -D -P icmp -f -l ${a} -b 1848 log_test_addr ${a} $? 
0 "ICMP socket bind to nonlocal address" 1849 1850 # 1851 # check that ICMP sockets cannot bind to broadcast and multicast addresses 1852 # 1853 a=${BCAST_IP} 1854 log_start 1855 run_cmd nettest -s -D -P icmp -l ${a} -b 1856 log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address" 1857 1858 a=${MCAST_IP} 1859 log_start 1860 run_cmd nettest -s -D -P icmp -l ${a} -b 1861 log_test_addr ${a} $? 1 "ICMP socket bind to multicast address" 1862 1863 # 1864 # tcp sockets 1865 # 1866 a=${NSA_IP} 1867 log_start 1868 run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b 1869 log_test_addr ${a} $? 0 "TCP socket bind to local address" 1870 1871 log_start 1872 run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b 1873 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind" 1874 1875 # Sadly, the kernel allows binding a socket to a device and then 1876 # binding to an address not on the device. The only restriction 1877 # is that the address is valid in the L3 domain. So this test 1878 # passes when it really should not 1879 #a=${NSA_LO_IP} 1880 #log_start 1881 #show_hint "Should fail with 'Cannot assign requested address'" 1882 #run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 1883 #log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address" 1884} 1885 1886ipv4_addr_bind_vrf() 1887{ 1888 # 1889 # raw socket 1890 # 1891 for a in ${NSA_IP} ${VRF_IP} 1892 do 1893 log_start 1894 show_hint "Socket not bound to VRF, but address is in VRF" 1895 run_cmd nettest -s -R -P icmp -l ${a} -b 1896 log_test_addr ${a} $? 1 "Raw socket bind to local address" 1897 1898 log_start 1899 run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b 1900 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" 1901 log_start 1902 run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b 1903 log_test_addr ${a} $? 
0 "Raw socket bind to local address after VRF bind" 1904 done 1905 1906 a=${NSA_LO_IP} 1907 log_start 1908 show_hint "Address on loopback is out of VRF scope" 1909 run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b 1910 log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind" 1911 1912 # 1913 # tests for nonlocal bind 1914 # 1915 a=${NL_IP} 1916 log_start 1917 run_cmd nettest -s -R -f -l ${a} -I ${VRF} -b 1918 log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind" 1919 1920 log_start 1921 run_cmd nettest -s -f -l ${a} -I ${VRF} -b 1922 log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address after VRF bind" 1923 1924 log_start 1925 run_cmd nettest -s -D -P icmp -f -l ${a} -I ${VRF} -b 1926 log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address after VRF bind" 1927 1928 # 1929 # check that ICMP sockets cannot bind to broadcast and multicast addresses 1930 # 1931 a=${BCAST_IP} 1932 log_start 1933 run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b 1934 log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address after VRF bind" 1935 1936 a=${MCAST_IP} 1937 log_start 1938 run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b 1939 log_test_addr ${a} $? 1 "ICMP socket bind to multicast address after VRF bind" 1940 1941 # 1942 # tcp sockets 1943 # 1944 for a in ${NSA_IP} ${VRF_IP} 1945 do 1946 log_start 1947 run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b 1948 log_test_addr ${a} $? 0 "TCP socket bind to local address" 1949 1950 log_start 1951 run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 1952 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind" 1953 done 1954 1955 a=${NSA_LO_IP} 1956 log_start 1957 show_hint "Address on loopback out of scope for VRF" 1958 run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b 1959 log_test_addr ${a} $? 
1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
}

# Entry point for the IPv4 address-bind tests, run once without and
# once with a VRF.
#
# After each setup, net.ipv4.ping_group_range is widened to
# '0 2147483647'; the bind suites include ICMP socket cases
# (nettest -D -P icmp), which presumably depend on it - confirm against
# nettest. Errors from the sysctl write are discarded (2>/dev/null), so
# a kernel that rejects the write does not stop the run.
ipv4_addr_bind()
{
	local bind_variant

	log_section "IPv4 address binds"

	for bind_variant in novrf vrf
	do
		case "${bind_variant}" in
		novrf)
			log_subsection "No VRF"
			setup
			;;
		vrf)
			log_subsection "With VRF"
			setup "yes"
			;;
		esac

		set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
		# dispatches to ipv4_addr_bind_novrf / ipv4_addr_bind_vrf
		ipv4_addr_bind_${bind_variant}
	done
}

################################################################################
# IPv4 runtime tests

ipv4_rt()
{
	local desc="$1"
	local varg="$2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -s -I ${VRF} &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest ${varg} -s -I ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest ${varg} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device server"

	setup ${with_vrf}

	#
	# client test
	#
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} &
	sleep 3
	run_cmd ip link del
${VRF} 2044 sleep 1 2045 log_test_addr ${a} 0 0 "${desc}, VRF client" 2046 2047 setup ${with_vrf} 2048 2049 log_start 2050 run_cmd_nsb nettest ${varg} -s & 2051 sleep 1 2052 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} & 2053 sleep 3 2054 run_cmd ip link del ${VRF} 2055 sleep 1 2056 log_test_addr ${a} 0 0 "${desc}, enslaved device client" 2057 2058 setup ${with_vrf} 2059 2060 # 2061 # local address tests 2062 # 2063 for a in ${NSA_IP} ${VRF_IP} 2064 do 2065 log_start 2066 run_cmd nettest ${varg} -s & 2067 sleep 1 2068 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 2069 sleep 3 2070 run_cmd ip link del ${VRF} 2071 sleep 1 2072 log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local" 2073 2074 setup ${with_vrf} 2075 done 2076 2077 for a in ${NSA_IP} ${VRF_IP} 2078 do 2079 log_start 2080 run_cmd nettest ${varg} -I ${VRF} -s & 2081 sleep 1 2082 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 2083 sleep 3 2084 run_cmd ip link del ${VRF} 2085 sleep 1 2086 log_test_addr ${a} 0 0 "${desc}, VRF server and client, local" 2087 2088 setup ${with_vrf} 2089 done 2090 2091 a=${NSA_IP} 2092 log_start 2093 2094 run_cmd nettest ${varg} -s & 2095 sleep 1 2096 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 2097 sleep 3 2098 run_cmd ip link del ${VRF} 2099 sleep 1 2100 log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local" 2101 2102 setup ${with_vrf} 2103 2104 log_start 2105 run_cmd nettest ${varg} -I ${VRF} -s & 2106 sleep 1 2107 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 2108 sleep 3 2109 run_cmd ip link del ${VRF} 2110 sleep 1 2111 log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local" 2112 2113 setup ${with_vrf} 2114 2115 log_start 2116 run_cmd nettest ${varg} -I ${NSA_DEV} -s & 2117 sleep 1 2118 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 2119 sleep 3 2120 run_cmd ip link del ${VRF} 2121 sleep 1 2122 log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local" 2123} 2124 2125ipv4_ping_rt() 2126{ 2127 
local with_vrf="yes"
	local a

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd_nsb ping -f ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

		setup ${with_vrf}
	done

	a=${NSB_IP}
	log_start
	run_cmd ping -f -I ${VRF} ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

# Entry point for the IPv4 run-time tests: the ping variant first, then
# ipv4_rt once per TCP mode.
#
# Both ipv4_ping_rt and ipv4_rt delete the VRF device while traffic is
# active, so setup "yes" is repeated in front of every call to rebuild
# the environment.
ipv4_runtime()
{
	local rt_case

	log_section "Run time tests - ipv4"

	setup "yes"
	ipv4_ping_rt

	# Each entry is "<description>|<extra nettest arguments>".
	for rt_case in \
		"TCP active socket|-n -1" \
		"TCP passive socket|-i"
	do
		setup "yes"
		ipv4_rt "${rt_case%%|*}" "${rt_case#*|}"
	done
}

################################################################################
# IPv6

ipv6_ping_novrf()
{
	local a

	# should not have an impact, but make a known state
	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping out"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a}
		log_test_addr ${a} $? 0 "ping out, loopback address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
	do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $?
0 "ping in" 2204 done 2205 2206 # 2207 # local traffic, local address 2208 # 2209 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2210 do 2211 log_start 2212 run_cmd ${ping6} -c1 -w1 ${a} 2213 log_test_addr ${a} $? 0 "ping local, no bind" 2214 done 2215 2216 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2217 do 2218 log_start 2219 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2220 log_test_addr ${a} $? 0 "ping local, device bind" 2221 done 2222 2223 for a in ${NSA_LO_IP6} ::1 2224 do 2225 log_start 2226 show_hint "Fails since address on loopback is out of device scope" 2227 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2228 log_test_addr ${a} $? 2 "ping local, device bind" 2229 done 2230 2231 # 2232 # ip rule blocks address 2233 # 2234 log_start 2235 setup_cmd ip -6 rule add pref 32765 from all lookup local 2236 setup_cmd ip -6 rule del pref 0 from all lookup local 2237 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2238 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2239 2240 a=${NSB_LO_IP6} 2241 run_cmd ${ping6} -c1 -w1 ${a} 2242 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2243 2244 log_start 2245 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2246 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2247 2248 a=${NSA_LO_IP6} 2249 log_start 2250 show_hint "Response lost due to ip rule" 2251 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2252 log_test_addr ${a} $? 
1 "ping in, blocked by rule" 2253 2254 setup_cmd ip -6 rule add pref 0 from all lookup local 2255 setup_cmd ip -6 rule del pref 32765 from all lookup local 2256 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2257 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2258 2259 # 2260 # route blocks reachability to remote address 2261 # 2262 log_start 2263 setup_cmd ip -6 route del ${NSB_LO_IP6} 2264 setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10 2265 setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10 2266 2267 a=${NSB_LO_IP6} 2268 run_cmd ${ping6} -c1 -w1 ${a} 2269 log_test_addr ${a} $? 2 "ping out, blocked by route" 2270 2271 log_start 2272 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2273 log_test_addr ${a} $? 2 "ping out, device bind, blocked by route" 2274 2275 a=${NSA_LO_IP6} 2276 log_start 2277 show_hint "Response lost due to ip route" 2278 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2279 log_test_addr ${a} $? 1 "ping in, blocked by route" 2280 2281 2282 # 2283 # remove 'remote' routes; fallback to default 2284 # 2285 log_start 2286 setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6} 2287 setup_cmd ip -6 ro del unreachable ${NSB_IP6} 2288 2289 a=${NSB_LO_IP6} 2290 run_cmd ${ping6} -c1 -w1 ${a} 2291 log_test_addr ${a} $? 2 "ping out, unreachable route" 2292 2293 log_start 2294 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2295 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 2296} 2297 2298ipv6_ping_vrf() 2299{ 2300 local a 2301 2302 # should default on; does not exist on older kernels 2303 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 2304 2305 # 2306 # out 2307 # 2308 for a in ${NSB_IP6} ${NSB_LO_IP6} 2309 do 2310 log_start 2311 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2312 log_test_addr ${a} $? 
0 "ping out, VRF bind" 2313 done 2314 2315 for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF} 2316 do 2317 log_start 2318 show_hint "Fails since VRF device does not support linklocal or multicast" 2319 run_cmd ${ping6} -c1 -w1 ${a} 2320 log_test_addr ${a} $? 1 "ping out, VRF bind" 2321 done 2322 2323 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2324 do 2325 log_start 2326 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2327 log_test_addr ${a} $? 0 "ping out, device bind" 2328 done 2329 2330 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2331 do 2332 log_start 2333 run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a} 2334 log_test_addr ${a} $? 0 "ping out, vrf device+address bind" 2335 done 2336 2337 # 2338 # in 2339 # 2340 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV} 2341 do 2342 log_start 2343 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2344 log_test_addr ${a} $? 0 "ping in" 2345 done 2346 2347 a=${NSA_LO_IP6} 2348 log_start 2349 show_hint "Fails since loopback address is out of VRF scope" 2350 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2351 log_test_addr ${a} $? 1 "ping in" 2352 2353 # 2354 # local traffic, local address 2355 # 2356 for a in ${NSA_IP6} ${VRF_IP6} ::1 2357 do 2358 log_start 2359 show_hint "Source address should be ${a}" 2360 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2361 log_test_addr ${a} $? 0 "ping local, VRF bind" 2362 done 2363 2364 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2365 do 2366 log_start 2367 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2368 log_test_addr ${a} $? 
0 "ping local, device bind" 2369 done 2370 2371 # LLA to GUA - remove ipv6 global addresses from ns-B 2372 setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 2373 setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo 2374 setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2375 2376 for a in ${NSA_IP6} ${VRF_IP6} 2377 do 2378 log_start 2379 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 2380 log_test_addr ${a} $? 0 "ping in, LLA to GUA" 2381 done 2382 2383 setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2384 setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} 2385 setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo 2386 2387 # 2388 # ip rule blocks address 2389 # 2390 log_start 2391 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2392 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2393 2394 a=${NSB_LO_IP6} 2395 run_cmd ${ping6} -c1 -w1 ${a} 2396 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2397 2398 log_start 2399 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2400 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2401 2402 a=${NSA_LO_IP6} 2403 log_start 2404 show_hint "Response lost due to ip rule" 2405 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2406 log_test_addr ${a} $? 1 "ping in, blocked by rule" 2407 2408 log_start 2409 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2410 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2411 2412 # 2413 # remove 'remote' routes; fallback to default 2414 # 2415 log_start 2416 setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF} 2417 2418 a=${NSB_LO_IP6} 2419 run_cmd ${ping6} -c1 -w1 ${a} 2420 log_test_addr ${a} $? 2 "ping out, unreachable route" 2421 2422 log_start 2423 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2424 log_test_addr ${a} $? 
2 "ping out, device bind, unreachable route" 2425 2426 ip -netns ${NSB} -6 ro del ${NSA_LO_IP6} 2427 a=${NSA_LO_IP6} 2428 log_start 2429 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2430 log_test_addr ${a} $? 2 "ping in, unreachable route" 2431} 2432 2433ipv6_ping() 2434{ 2435 log_section "IPv6 ping" 2436 2437 log_subsection "No VRF" 2438 setup 2439 ipv6_ping_novrf 2440 setup 2441 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 2442 ipv6_ping_novrf 2443 2444 log_subsection "With VRF" 2445 setup "yes" 2446 ipv6_ping_vrf 2447 setup "yes" 2448 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 2449 ipv6_ping_vrf 2450} 2451 2452################################################################################ 2453# IPv6 TCP 2454 2455# 2456# MD5 tests without VRF 2457# 2458ipv6_tcp_md5_novrf() 2459{ 2460 # 2461 # single address 2462 # 2463 2464 # basic use case 2465 log_start 2466 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} & 2467 sleep 1 2468 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2469 log_test $? 0 "MD5: Single address config" 2470 2471 # client sends MD5, server not configured 2472 log_start 2473 show_hint "Should timeout due to MD5 mismatch" 2474 run_cmd nettest -6 -s & 2475 sleep 1 2476 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2477 log_test $? 2 "MD5: Server no config, client uses password" 2478 2479 # wrong password 2480 log_start 2481 show_hint "Should timeout since client uses wrong password" 2482 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} & 2483 sleep 1 2484 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2485 log_test $? 2 "MD5: Client uses wrong password" 2486 2487 # client from different address 2488 log_start 2489 show_hint "Should timeout due to MD5 mismatch" 2490 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} & 2491 sleep 1 2492 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2493 log_test $? 
2 "MD5: Client address does not match address configured with password" 2494 2495 # 2496 # MD5 extension - prefix length 2497 # 2498 2499 # client in prefix 2500 log_start 2501 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2502 sleep 1 2503 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2504 log_test $? 0 "MD5: Prefix config" 2505 2506 # client in prefix, wrong password 2507 log_start 2508 show_hint "Should timeout since client uses wrong password" 2509 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2510 sleep 1 2511 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2512 log_test $? 2 "MD5: Prefix config, client uses wrong password" 2513 2514 # client outside of prefix 2515 log_start 2516 show_hint "Should timeout due to MD5 mismatch" 2517 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2518 sleep 1 2519 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW} 2520 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 2521} 2522 2523# 2524# MD5 tests with VRF 2525# 2526ipv6_tcp_md5() 2527{ 2528 # 2529 # single address 2530 # 2531 2532 # basic use case 2533 log_start 2534 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2535 sleep 1 2536 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2537 log_test $? 0 "MD5: VRF: Single address config" 2538 2539 # client sends MD5, server not configured 2540 log_start 2541 show_hint "Should timeout since server does not have MD5 auth" 2542 run_cmd nettest -6 -s -I ${VRF} & 2543 sleep 1 2544 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2545 log_test $? 2 "MD5: VRF: Server no config, client uses password" 2546 2547 # wrong password 2548 log_start 2549 show_hint "Should timeout since client uses wrong password" 2550 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2551 sleep 1 2552 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2553 log_test $? 
2 "MD5: VRF: Client uses wrong password" 2554 2555 # client from different address 2556 log_start 2557 show_hint "Should timeout since server config differs from client" 2558 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} & 2559 sleep 1 2560 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2561 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 2562 2563 # 2564 # MD5 extension - prefix length 2565 # 2566 2567 # client in prefix 2568 log_start 2569 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2570 sleep 1 2571 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2572 log_test $? 0 "MD5: VRF: Prefix config" 2573 2574 # client in prefix, wrong password 2575 log_start 2576 show_hint "Should timeout since client uses wrong password" 2577 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2578 sleep 1 2579 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2580 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 2581 2582 # client outside of prefix 2583 log_start 2584 show_hint "Should timeout since client address is outside of prefix" 2585 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2586 sleep 1 2587 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW} 2588 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" 2589 2590 # 2591 # duplicate config between default VRF and a VRF 2592 # 2593 2594 log_start 2595 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2596 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2597 sleep 1 2598 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2599 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 2600 2601 log_start 2602 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2603 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2604 sleep 1 2605 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2606 log_test $? 
0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 2607 2608 log_start 2609 show_hint "Should timeout since client in default VRF uses VRF password" 2610 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2611 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2612 sleep 1 2613 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2614 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 2615 2616 log_start 2617 show_hint "Should timeout since client in VRF uses default VRF password" 2618 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2619 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2620 sleep 1 2621 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2622 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 2623 2624 log_start 2625 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2626 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2627 sleep 1 2628 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2629 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 2630 2631 log_start 2632 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2633 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2634 sleep 1 2635 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2636 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 2637 2638 log_start 2639 show_hint "Should timeout since client in default VRF uses VRF password" 2640 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2641 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2642 sleep 1 2643 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2644 log_test $? 
2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 2645 2646 log_start 2647 show_hint "Should timeout since client in VRF uses default VRF password" 2648 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2649 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2650 sleep 1 2651 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2652 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 2653 2654 # 2655 # negative tests 2656 # 2657 log_start 2658 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6} 2659 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 2660 2661 log_start 2662 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6} 2663 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 2664 2665} 2666 2667ipv6_tcp_novrf() 2668{ 2669 local a 2670 2671 # 2672 # server tests 2673 # 2674 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2675 do 2676 log_start 2677 run_cmd nettest -6 -s & 2678 sleep 1 2679 run_cmd_nsb nettest -6 -r ${a} 2680 log_test_addr ${a} $? 0 "Global server" 2681 done 2682 2683 # verify TCP reset received 2684 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2685 do 2686 log_start 2687 show_hint "Should fail 'Connection refused'" 2688 run_cmd_nsb nettest -6 -r ${a} 2689 log_test_addr ${a} $? 1 "No server" 2690 done 2691 2692 # 2693 # client 2694 # 2695 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2696 do 2697 log_start 2698 run_cmd_nsb nettest -6 -s & 2699 sleep 1 2700 run_cmd nettest -6 -r ${a} 2701 log_test_addr ${a} $? 0 "Client" 2702 done 2703 2704 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2705 do 2706 log_start 2707 run_cmd_nsb nettest -6 -s & 2708 sleep 1 2709 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2710 log_test_addr ${a} $? 
0 "Client, device bind" 2711 done 2712 2713 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2714 do 2715 log_start 2716 show_hint "Should fail 'Connection refused'" 2717 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2718 log_test_addr ${a} $? 1 "No server, device client" 2719 done 2720 2721 # 2722 # local address tests 2723 # 2724 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 2725 do 2726 log_start 2727 run_cmd nettest -6 -s & 2728 sleep 1 2729 run_cmd nettest -6 -r ${a} 2730 log_test_addr ${a} $? 0 "Global server, local connection" 2731 done 2732 2733 a=${NSA_IP6} 2734 log_start 2735 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2736 sleep 1 2737 run_cmd nettest -6 -r ${a} -0 ${a} 2738 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 2739 2740 for a in ${NSA_LO_IP6} ::1 2741 do 2742 log_start 2743 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2744 run_cmd nettest -6 -s -I ${NSA_DEV} & 2745 sleep 1 2746 run_cmd nettest -6 -r ${a} 2747 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 2748 done 2749 2750 a=${NSA_IP6} 2751 log_start 2752 run_cmd nettest -6 -s & 2753 sleep 1 2754 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2755 log_test_addr ${a} $? 0 "Global server, device client, local connection" 2756 2757 for a in ${NSA_LO_IP6} ::1 2758 do 2759 log_start 2760 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2761 run_cmd nettest -6 -s & 2762 sleep 1 2763 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2764 log_test_addr ${a} $? 1 "Global server, device client, local connection" 2765 done 2766 2767 for a in ${NSA_IP6} ${NSA_LINKIP6} 2768 do 2769 log_start 2770 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2771 sleep 1 2772 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2773 log_test_addr ${a} $? 
0 "Device server, device client, local conn" 2774 done 2775 2776 for a in ${NSA_IP6} ${NSA_LINKIP6} 2777 do 2778 log_start 2779 show_hint "Should fail 'Connection refused'" 2780 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2781 log_test_addr ${a} $? 1 "No server, device client, local conn" 2782 done 2783 2784 [ "$fips_enabled" = "1" ] || ipv6_tcp_md5_novrf 2785} 2786 2787ipv6_tcp_vrf() 2788{ 2789 local a 2790 2791 # disable global server 2792 log_subsection "Global server disabled" 2793 2794 set_sysctl net.ipv4.tcp_l3mdev_accept=0 2795 2796 # 2797 # server tests 2798 # 2799 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2800 do 2801 log_start 2802 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2803 run_cmd nettest -6 -s & 2804 sleep 1 2805 run_cmd_nsb nettest -6 -r ${a} 2806 log_test_addr ${a} $? 1 "Global server" 2807 done 2808 2809 for a in ${NSA_IP6} ${VRF_IP6} 2810 do 2811 log_start 2812 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2813 sleep 1 2814 run_cmd_nsb nettest -6 -r ${a} 2815 log_test_addr ${a} $? 0 "VRF server" 2816 done 2817 2818 # link local is always bound to ingress device 2819 a=${NSA_LINKIP6}%${NSB_DEV} 2820 log_start 2821 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2822 sleep 1 2823 run_cmd_nsb nettest -6 -r ${a} 2824 log_test_addr ${a} $? 0 "VRF server" 2825 2826 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2827 do 2828 log_start 2829 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2830 sleep 1 2831 run_cmd_nsb nettest -6 -r ${a} 2832 log_test_addr ${a} $? 0 "Device server" 2833 done 2834 2835 # verify TCP reset received 2836 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2837 do 2838 log_start 2839 show_hint "Should fail 'Connection refused'" 2840 run_cmd_nsb nettest -6 -r ${a} 2841 log_test_addr ${a} $? 
1 "No server" 2842 done 2843 2844 # local address tests 2845 a=${NSA_IP6} 2846 log_start 2847 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2848 run_cmd nettest -6 -s & 2849 sleep 1 2850 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2851 log_test_addr ${a} $? 1 "Global server, local connection" 2852 2853 # run MD5 tests 2854 if [ "$fips_enabled" = "0" ]; then 2855 setup_vrf_dup 2856 ipv6_tcp_md5 2857 cleanup_vrf_dup 2858 fi 2859 2860 # 2861 # enable VRF global server 2862 # 2863 log_subsection "VRF Global server enabled" 2864 set_sysctl net.ipv4.tcp_l3mdev_accept=1 2865 2866 for a in ${NSA_IP6} ${VRF_IP6} 2867 do 2868 log_start 2869 run_cmd nettest -6 -s -3 ${VRF} & 2870 sleep 1 2871 run_cmd_nsb nettest -6 -r ${a} 2872 log_test_addr ${a} $? 0 "Global server" 2873 done 2874 2875 for a in ${NSA_IP6} ${VRF_IP6} 2876 do 2877 log_start 2878 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2879 sleep 1 2880 run_cmd_nsb nettest -6 -r ${a} 2881 log_test_addr ${a} $? 0 "VRF server" 2882 done 2883 2884 # For LLA, child socket is bound to device 2885 a=${NSA_LINKIP6}%${NSB_DEV} 2886 log_start 2887 run_cmd nettest -6 -s -3 ${NSA_DEV} & 2888 sleep 1 2889 run_cmd_nsb nettest -6 -r ${a} 2890 log_test_addr ${a} $? 0 "Global server" 2891 2892 log_start 2893 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2894 sleep 1 2895 run_cmd_nsb nettest -6 -r ${a} 2896 log_test_addr ${a} $? 0 "VRF server" 2897 2898 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2899 do 2900 log_start 2901 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2902 sleep 1 2903 run_cmd_nsb nettest -6 -r ${a} 2904 log_test_addr ${a} $? 0 "Device server" 2905 done 2906 2907 # verify TCP reset received 2908 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2909 do 2910 log_start 2911 show_hint "Should fail 'Connection refused'" 2912 run_cmd_nsb nettest -6 -r ${a} 2913 log_test_addr ${a} $? 
1 "No server" 2914 done 2915 2916 # local address tests 2917 for a in ${NSA_IP6} ${VRF_IP6} 2918 do 2919 log_start 2920 show_hint "Fails 'Connection refused' since client is not in VRF" 2921 run_cmd nettest -6 -s -I ${VRF} & 2922 sleep 1 2923 run_cmd nettest -6 -r ${a} 2924 log_test_addr ${a} $? 1 "Global server, local connection" 2925 done 2926 2927 2928 # 2929 # client 2930 # 2931 for a in ${NSB_IP6} ${NSB_LO_IP6} 2932 do 2933 log_start 2934 run_cmd_nsb nettest -6 -s & 2935 sleep 1 2936 run_cmd nettest -6 -r ${a} -d ${VRF} 2937 log_test_addr ${a} $? 0 "Client, VRF bind" 2938 done 2939 2940 a=${NSB_LINKIP6} 2941 log_start 2942 show_hint "Fails since VRF device does not allow linklocal addresses" 2943 run_cmd_nsb nettest -6 -s & 2944 sleep 1 2945 run_cmd nettest -6 -r ${a} -d ${VRF} 2946 log_test_addr ${a} $? 1 "Client, VRF bind" 2947 2948 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 2949 do 2950 log_start 2951 run_cmd_nsb nettest -6 -s & 2952 sleep 1 2953 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2954 log_test_addr ${a} $? 0 "Client, device bind" 2955 done 2956 2957 for a in ${NSB_IP6} ${NSB_LO_IP6} 2958 do 2959 log_start 2960 show_hint "Should fail 'Connection refused'" 2961 run_cmd nettest -6 -r ${a} -d ${VRF} 2962 log_test_addr ${a} $? 1 "No server, VRF client" 2963 done 2964 2965 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 2966 do 2967 log_start 2968 show_hint "Should fail 'Connection refused'" 2969 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2970 log_test_addr ${a} $? 1 "No server, device client" 2971 done 2972 2973 for a in ${NSA_IP6} ${VRF_IP6} ::1 2974 do 2975 log_start 2976 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2977 sleep 1 2978 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 2979 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 2980 done 2981 2982 a=${NSA_IP6} 2983 log_start 2984 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2985 sleep 1 2986 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2987 log_test_addr ${a} $? 
0 "VRF server, device client, local connection" 2988 2989 a=${NSA_IP6} 2990 log_start 2991 show_hint "Should fail since unbound client is out of VRF scope" 2992 run_cmd nettest -6 -s -I ${VRF} & 2993 sleep 1 2994 run_cmd nettest -6 -r ${a} 2995 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection" 2996 2997 log_start 2998 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2999 sleep 1 3000 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 3001 log_test_addr ${a} $? 0 "Device server, VRF client, local connection" 3002 3003 for a in ${NSA_IP6} ${NSA_LINKIP6} 3004 do 3005 log_start 3006 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3007 sleep 1 3008 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 3009 log_test_addr ${a} $? 0 "Device server, device client, local connection" 3010 done 3011} 3012 3013ipv6_tcp() 3014{ 3015 log_section "IPv6/TCP" 3016 log_subsection "No VRF" 3017 setup 3018 3019 # tcp_l3mdev_accept should have no affect without VRF; 3020 # run tests with it enabled and disabled to verify 3021 log_subsection "tcp_l3mdev_accept disabled" 3022 set_sysctl net.ipv4.tcp_l3mdev_accept=0 3023 ipv6_tcp_novrf 3024 log_subsection "tcp_l3mdev_accept enabled" 3025 set_sysctl net.ipv4.tcp_l3mdev_accept=1 3026 ipv6_tcp_novrf 3027 3028 log_subsection "With VRF" 3029 setup "yes" 3030 ipv6_tcp_vrf 3031} 3032 3033################################################################################ 3034# IPv6 UDP 3035 3036ipv6_udp_novrf() 3037{ 3038 local a 3039 3040 # 3041 # server tests 3042 # 3043 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 3044 do 3045 log_start 3046 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3047 sleep 1 3048 run_cmd_nsb nettest -6 -D -r ${a} 3049 log_test_addr ${a} $? 0 "Global server" 3050 3051 log_start 3052 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3053 sleep 1 3054 run_cmd_nsb nettest -6 -D -r ${a} 3055 log_test_addr ${a} $? 
0 "Device server" 3056 done 3057 3058 a=${NSA_LO_IP6} 3059 log_start 3060 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3061 sleep 1 3062 run_cmd_nsb nettest -6 -D -r ${a} 3063 log_test_addr ${a} $? 0 "Global server" 3064 3065 # should fail since loopback address is out of scope for a device 3066 # bound server, but it does not - hence this is more documenting 3067 # behavior. 3068 #log_start 3069 #show_hint "Should fail since loopback address is out of scope" 3070 #run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3071 #sleep 1 3072 #run_cmd_nsb nettest -6 -D -r ${a} 3073 #log_test_addr ${a} $? 1 "Device server" 3074 3075 # negative test - should fail 3076 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 3077 do 3078 log_start 3079 show_hint "Should fail 'Connection refused' since there is no server" 3080 run_cmd_nsb nettest -6 -D -r ${a} 3081 log_test_addr ${a} $? 1 "No server" 3082 done 3083 3084 # 3085 # client 3086 # 3087 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 3088 do 3089 log_start 3090 run_cmd_nsb nettest -6 -D -s & 3091 sleep 1 3092 run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6} 3093 log_test_addr ${a} $? 0 "Client" 3094 3095 log_start 3096 run_cmd_nsb nettest -6 -D -s & 3097 sleep 1 3098 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6} 3099 log_test_addr ${a} $? 0 "Client, device bind" 3100 3101 log_start 3102 run_cmd_nsb nettest -6 -D -s & 3103 sleep 1 3104 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6} 3105 log_test_addr ${a} $? 0 "Client, device send via cmsg" 3106 3107 log_start 3108 run_cmd_nsb nettest -6 -D -s & 3109 sleep 1 3110 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6} 3111 log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF" 3112 3113 log_start 3114 show_hint "Should fail 'Connection refused'" 3115 run_cmd nettest -6 -D -r ${a} 3116 log_test_addr ${a} $? 
1 "No server, unbound client" 3117 3118 log_start 3119 show_hint "Should fail 'Connection refused'" 3120 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3121 log_test_addr ${a} $? 1 "No server, device client" 3122 done 3123 3124 # 3125 # local address tests 3126 # 3127 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 3128 do 3129 log_start 3130 run_cmd nettest -6 -D -s & 3131 sleep 1 3132 run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a} 3133 log_test_addr ${a} $? 0 "Global server, local connection" 3134 done 3135 3136 a=${NSA_IP6} 3137 log_start 3138 run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 3139 sleep 1 3140 run_cmd nettest -6 -D -r ${a} 3141 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 3142 3143 for a in ${NSA_LO_IP6} ::1 3144 do 3145 log_start 3146 show_hint "Should fail 'Connection refused' since address is out of device scope" 3147 run_cmd nettest -6 -s -D -I ${NSA_DEV} & 3148 sleep 1 3149 run_cmd nettest -6 -D -r ${a} 3150 log_test_addr ${a} $? 1 "Device server, local connection" 3151 done 3152 3153 a=${NSA_IP6} 3154 log_start 3155 run_cmd nettest -6 -s -D & 3156 sleep 1 3157 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3158 log_test_addr ${a} $? 0 "Global server, device client, local connection" 3159 3160 log_start 3161 run_cmd nettest -6 -s -D & 3162 sleep 1 3163 run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a} 3164 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 3165 3166 log_start 3167 run_cmd nettest -6 -s -D & 3168 sleep 1 3169 run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a} 3170 log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection" 3171 3172 for a in ${NSA_LO_IP6} ::1 3173 do 3174 log_start 3175 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3176 run_cmd nettest -6 -D -s & 3177 sleep 1 3178 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3179 log_test_addr ${a} $? 
1 "Global server, device client, local connection" 3180 3181 log_start 3182 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3183 run_cmd nettest -6 -D -s & 3184 sleep 1 3185 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C 3186 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 3187 3188 log_start 3189 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3190 run_cmd nettest -6 -D -s & 3191 sleep 1 3192 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S 3193 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 3194 3195 log_start 3196 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3197 run_cmd nettest -6 -D -s & 3198 sleep 1 3199 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -U 3200 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()" 3201 done 3202 3203 a=${NSA_IP6} 3204 log_start 3205 run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3206 sleep 1 3207 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a} 3208 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3209 3210 log_start 3211 show_hint "Should fail 'Connection refused'" 3212 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3213 log_test_addr ${a} $? 1 "No server, device client, local conn" 3214 3215 # LLA to GUA 3216 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3217 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3218 log_start 3219 run_cmd nettest -6 -s -D & 3220 sleep 1 3221 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3222 log_test $? 
0 "UDP in - LLA to GUA" 3223 3224 run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV} 3225 run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad 3226} 3227 3228ipv6_udp_vrf() 3229{ 3230 local a 3231 3232 # disable global server 3233 log_subsection "Global server disabled" 3234 set_sysctl net.ipv4.udp_l3mdev_accept=0 3235 3236 # 3237 # server tests 3238 # 3239 for a in ${NSA_IP6} ${VRF_IP6} 3240 do 3241 log_start 3242 show_hint "Should fail 'Connection refused' since global server is disabled" 3243 run_cmd nettest -6 -D -s & 3244 sleep 1 3245 run_cmd_nsb nettest -6 -D -r ${a} 3246 log_test_addr ${a} $? 1 "Global server" 3247 done 3248 3249 for a in ${NSA_IP6} ${VRF_IP6} 3250 do 3251 log_start 3252 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3253 sleep 1 3254 run_cmd_nsb nettest -6 -D -r ${a} 3255 log_test_addr ${a} $? 0 "VRF server" 3256 done 3257 3258 for a in ${NSA_IP6} ${VRF_IP6} 3259 do 3260 log_start 3261 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3262 sleep 1 3263 run_cmd_nsb nettest -6 -D -r ${a} 3264 log_test_addr ${a} $? 0 "Enslaved device server" 3265 done 3266 3267 # negative test - should fail 3268 for a in ${NSA_IP6} ${VRF_IP6} 3269 do 3270 log_start 3271 show_hint "Should fail 'Connection refused' since there is no server" 3272 run_cmd_nsb nettest -6 -D -r ${a} 3273 log_test_addr ${a} $? 1 "No server" 3274 done 3275 3276 # 3277 # local address tests 3278 # 3279 for a in ${NSA_IP6} ${VRF_IP6} 3280 do 3281 log_start 3282 show_hint "Should fail 'Connection refused' since global server is disabled" 3283 run_cmd nettest -6 -D -s & 3284 sleep 1 3285 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3286 log_test_addr ${a} $? 1 "Global server, VRF client, local conn" 3287 done 3288 3289 for a in ${NSA_IP6} ${VRF_IP6} 3290 do 3291 log_start 3292 run_cmd nettest -6 -D -I ${VRF} -s & 3293 sleep 1 3294 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3295 log_test_addr ${a} $? 
0 "VRF server, VRF client, local conn" 3296 done 3297 3298 a=${NSA_IP6} 3299 log_start 3300 show_hint "Should fail 'Connection refused' since global server is disabled" 3301 run_cmd nettest -6 -D -s & 3302 sleep 1 3303 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3304 log_test_addr ${a} $? 1 "Global server, device client, local conn" 3305 3306 log_start 3307 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3308 sleep 1 3309 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3310 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 3311 3312 log_start 3313 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3314 sleep 1 3315 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3316 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 3317 3318 log_start 3319 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3320 sleep 1 3321 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3322 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 3323 3324 # disable global server 3325 log_subsection "Global server enabled" 3326 set_sysctl net.ipv4.udp_l3mdev_accept=1 3327 3328 # 3329 # server tests 3330 # 3331 for a in ${NSA_IP6} ${VRF_IP6} 3332 do 3333 log_start 3334 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3335 sleep 1 3336 run_cmd_nsb nettest -6 -D -r ${a} 3337 log_test_addr ${a} $? 0 "Global server" 3338 done 3339 3340 for a in ${NSA_IP6} ${VRF_IP6} 3341 do 3342 log_start 3343 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3344 sleep 1 3345 run_cmd_nsb nettest -6 -D -r ${a} 3346 log_test_addr ${a} $? 0 "VRF server" 3347 done 3348 3349 for a in ${NSA_IP6} ${VRF_IP6} 3350 do 3351 log_start 3352 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3353 sleep 1 3354 run_cmd_nsb nettest -6 -D -r ${a} 3355 log_test_addr ${a} $? 0 "Enslaved device server" 3356 done 3357 3358 # negative test - should fail 3359 for a in ${NSA_IP6} ${VRF_IP6} 3360 do 3361 log_start 3362 run_cmd_nsb nettest -6 -D -r ${a} 3363 log_test_addr ${a} $? 
1 "No server" 3364 done 3365 3366 # 3367 # client tests 3368 # 3369 log_start 3370 run_cmd_nsb nettest -6 -D -s & 3371 sleep 1 3372 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3373 log_test $? 0 "VRF client" 3374 3375 # negative test - should fail 3376 log_start 3377 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3378 log_test $? 1 "No server, VRF client" 3379 3380 log_start 3381 run_cmd_nsb nettest -6 -D -s & 3382 sleep 1 3383 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3384 log_test $? 0 "Enslaved device client" 3385 3386 # negative test - should fail 3387 log_start 3388 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3389 log_test $? 1 "No server, enslaved device client" 3390 3391 # 3392 # local address tests 3393 # 3394 a=${NSA_IP6} 3395 log_start 3396 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3397 sleep 1 3398 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3399 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 3400 3401 #log_start 3402 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3403 sleep 1 3404 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3405 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3406 3407 3408 a=${VRF_IP6} 3409 log_start 3410 run_cmd nettest -6 -D -s -3 ${VRF} & 3411 sleep 1 3412 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3413 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 3414 3415 log_start 3416 run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} & 3417 sleep 1 3418 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3419 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3420 3421 # negative test - should fail 3422 for a in ${NSA_IP6} ${VRF_IP6} 3423 do 3424 log_start 3425 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3426 log_test_addr ${a} $? 1 "No server, VRF client, local conn" 3427 done 3428 3429 # device to global IP 3430 a=${NSA_IP6} 3431 log_start 3432 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3433 sleep 1 3434 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3435 log_test_addr ${a} $? 
0 "Global server, device client, local conn" 3436 3437 log_start 3438 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3439 sleep 1 3440 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3441 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 3442 3443 log_start 3444 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3445 sleep 1 3446 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3447 log_test_addr ${a} $? 0 "Device server, VRF client, local conn" 3448 3449 log_start 3450 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3451 sleep 1 3452 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3453 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3454 3455 log_start 3456 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3457 log_test_addr ${a} $? 1 "No server, device client, local conn" 3458 3459 3460 # link local addresses 3461 log_start 3462 run_cmd nettest -6 -D -s & 3463 sleep 1 3464 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3465 log_test $? 0 "Global server, linklocal IP" 3466 3467 log_start 3468 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3469 log_test $? 1 "No server, linklocal IP" 3470 3471 3472 log_start 3473 run_cmd_nsb nettest -6 -D -s & 3474 sleep 1 3475 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3476 log_test $? 0 "Enslaved device client, linklocal IP" 3477 3478 log_start 3479 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3480 log_test $? 1 "No server, device client, peer linklocal IP" 3481 3482 3483 log_start 3484 run_cmd nettest -6 -D -s & 3485 sleep 1 3486 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3487 log_test $? 0 "Enslaved device client, local conn - linklocal IP" 3488 3489 log_start 3490 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3491 log_test $? 
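1 "No server, device client, local conn - linklocal IP"

	# LLA to GUA
	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -D &
	sleep 1
	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
	log_test $? 0 "UDP in - LLA to GUA"

	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}

# IPv6 UDP test driver: runs the no-VRF set twice (udp_l3mdev_accept
# disabled, then enabled) and then the VRF set on a fresh VRF setup.
ipv6_udp()
{
	# should not matter, but set to known state
	set_sysctl net.ipv4.udp_early_demux=1

	log_section "IPv6/UDP"
	log_subsection "No VRF"
	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv6_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv6_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_udp_vrf
}

################################################################################
# IPv6 address bind

# Bind-only tests without a VRF: raw and TCP sockets bound to local,
# loopback and non-local addresses, with and without a device bind.
# The third argument of log_test_addr is the expected exit status.
ipv6_addr_bind_novrf()
{
	#
	# raw socket
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# raw socket with nonlocal bind
	#
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

	#
	# tcp sockets
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. So this test passes
	# when it really should not
	#
	# NOTE(review): the expected status below is 0, i.e. the test pins the
	# permissive behaviour. A device bind therefore should not be relied on
	# as a restriction on which local address a TCP socket may bind to.
	a=${NSA_LO_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
}

# Bind-only tests with a VRF: addresses on the enslaved device and on the
# VRF device are expected to bind (status 0); the address on loopback is
# expected to be rejected (status 1) for both a VRF bind and a device bind.
ipv6_addr_bind_vrf()
{
	#
	# raw socket
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"

	#
	# raw socket with nonlocal bind
	#
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	#
	# tcp sockets
	#
	# address on enslaved device is valid for the VRF or device in a VRF
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not
	a=${VRF_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"

}

# IPv6 address bind driver: no-VRF set, then VRF set on a fresh VRF setup.
ipv6_addr_bind()
{
	log_section "IPv6 address binds"

	log_subsection "No VRF"
	setup
	ipv6_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_addr_bind_vrf
}

################################################################################
# IPv6 runtime tests

# Delete the VRF device while sockets are in use.
#   $1 - description prefix for the test names
#   $2 - extra nettest arguments; "-6" is put in front of them
#
# Each case starts a server and a client in the background, removes ${VRF}
# with "ip link del" while they run, and then records the case with a fixed
# "0 0" status, so it is always logged as OK; no exit status is evaluated
# here. setup is re-run after every case but the last to recreate the VRF.
ipv6_rt()
{
	local desc="$1"
	local varg="-6 $2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${NSA_DEV} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, enslaved device server"

		setup ${with_vrf}
	done

	#
	# client test
	#
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, enslaved device client"

	setup ${with_vrf}


	#
	# local address tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server, VRF client"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server and client"

		setup ${with_vrf}
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, global server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${VRF} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, device server, device client"
}

# Delete the VRF device while a flood ping (-f) is running, once with the
# ping coming in from ns-B and once going out through ${VRF}. Both cases
# are recorded with a fixed "0 0" status.
ipv6_ping_rt()
{
	local with_vrf="yes"
	local a

	a=${NSA_IP6}
	log_start
	run_cmd_nsb ${ping6} -f ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

	setup ${with_vrf}

	log_start
	run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
	sleep 1
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

# IPv6 run-time driver: ping, then TCP active, TCP passive and UDP active
# sockets, each on a fresh VRF setup.
ipv6_runtime()
{
	log_section "Run time tests - ipv6"

	setup "yes"
	ipv6_ping_rt

	setup "yes"
	ipv6_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv6_rt "TCP passive socket" "-i"

	setup "yes"
	ipv6_rt "UDP active socket" "-D -n -1"
}

################################################################################
# netfilter blocking connections

# With the REJECT rule installed by the caller, a TCP client in ns-B is
# expected to fail (status 1) against a global server.
netfilter_tcp_reset()
{
	local a

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

# Same check for the icmp-port-unreachable REJECT rules.
#   $1 - "TCP" or "UDP"; "UDP" adds -D to the nettest arguments
netfilter_icmp()
{
	local stype="$1"
	local arg
	local a

	[ "${stype}" = "UDP" ] && arg="-D"

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${arg} -s &
		sleep 1
		run_cmd_nsb nettest ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}

# IPv4 netfilter driver: installs REJECT rules for port 12345 (presumably
# the port nettest uses when no -p is given; confirm against nettest) and
# checks that connections are refused.
ipv4_netfilter()
{
	log_section "IPv4 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp_reset

	log_start
	log_subsection "ICMP unreachable"

	log_start
	run_cmd iptables -F
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
	run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable

	netfilter_icmp "TCP"
	netfilter_icmp "UDP"

	log_start
	# Flush through run_cmd, the same way the rules above were added and
	# flushed. A bare "iptables -F" acts on the namespace this script was
	# started from and would wipe that host's filter rules instead of the
	# test's. (run_cmd is defined earlier in the file.)
	run_cmd iptables -F
}

# IPv6 counterpart of netfilter_tcp_reset.
netfilter_tcp6_reset()
{
	local a

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

# IPv6 counterpart of netfilter_icmp.
#   $1 - "TCP" or "UDP"; "UDP" adds -D to the nettest arguments
netfilter_icmp6()
{
	local stype="$1"
	local arg
	local a

	[ "${stype}" = "UDP" ] && arg="$arg -D"

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s ${arg} &
		sleep 1
		run_cmd_nsb nettest -6 ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}

# IPv6 netfilter driver; mirrors ipv4_netfilter with ip6tables.
ipv6_netfilter()
{
	log_section "IPv6 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp6_reset

	log_subsection "ICMP unreachable"

	log_start
	run_cmd ip6tables -F
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
	run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable

	netfilter_icmp6 "TCP"
	netfilter_icmp6 "UDP"

	log_start
	# Flush through run_cmd so the cleanup lands where the rules were
	# added; a bare "ip6tables -F" would flush the filter table of the
	# namespace this script was started from.
	run_cmd ip6tables -F
}

################################################################################
# specific use cases

# VRF only.
# ns-A device enslaved to bridge. Verify traffic with and without
# br_netfilter module loaded. Repeat with SVI on bridge.
#
# NOTE(review): rmmod/modprobe act on the running kernel, not on a single
# namespace, so this test changes whether br_netfilter is loaded on the
# machine it runs on, and leaves it loaded when the last modprobe succeeds.
use_case_br()
{
	setup "yes"

	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
	setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64

	setup_cmd ip link add br0 type bridge
	setup_cmd ip addr add dev br0 ${NSA_IP}/24
	setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad

	setup_cmd ip li set ${NSA_DEV} master br0
	setup_cmd ip li set ${NSA_DEV} up
	setup_cmd ip li set br0 up
	setup_cmd ip li set br0 vrf ${VRF}

	rmmod br_netfilter 2>/dev/null
	sleep 5 # DAD

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 ${NSA_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping in"

	# the br_netfilter variants only run when the module can be loaded
	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out"

		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 ${NSA_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in"
	fi

	setup_cmd ip li set br0 nomaster
	setup_cmd ip li add br0.100 link br0 type vlan id 100
	setup_cmd ip li set br0.100 vrf ${VRF} up
	setup_cmd ip addr add dev br0.100 172.16.101.1/24
	setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad

	setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
	setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
	setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
	setup_cmd_nsb ip li set vlan100 up
	sleep 1

	rmmod br_netfilter 2>/dev/null

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 172.16.101.1
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"

	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out"

		# The two "ping in" names carry "with br_netfilter" like the
		# "ping out" ones, so they no longer duplicate the names of
		# the runs without the module.
		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 172.16.101.1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping in"
	fi

	setup_cmd ip li del br0 2>/dev/null
	setup_cmd_nsb ip li del vlan100 2>/dev/null
}

# VRF only.
# ns-A device is connected to both ns-B and ns-C on a single VRF but only has
# LLA on the interfaces
use_case_ping_lla_multi()
{
	setup_lla_only
	# only want reply from ns-A
	setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
	setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B"

	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C"

	# cycle/flap the first ns-A interface
	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip link set ${NSA_DEV} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C"

	# cycle/flap the second ns-A interface
	setup_cmd ip link set ${NSA_DEV2} down
	setup_cmd ip link set ${NSA_DEV2} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C"
}

# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully
# established with ns-B.
use_case_snat_on_vrf()
{
	setup "yes"

	local port="12345"

	run_cmd iptables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}

	run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} &
	sleep 1
	run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port}
	log_test $? 0 "IPv4 TCP connection over VRF with SNAT"

	run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} &
	sleep 1
	run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port}
	log_test $? 0 "IPv6 TCP connection over VRF with SNAT"

	# Cleanup: delete exactly the two rules added above (-D with the same
	# match) rather than flushing the nat table
	run_cmd iptables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
}

# Driver for the use-case tests above.
use_cases()
{
	log_section "Use cases"
	log_subsection "Device enslaved to bridge"
	use_case_br
	log_subsection "Ping LLA with multiple interfaces"
	use_case_ping_lla_multi
	log_subsection "SNAT on VRF"
	use_case_snat_on_vrf
}

################################################################################
# usage

# Print the option summary and the known test names to stdout. The heredoc
# delimiter is unquoted, so ${0##*/} and the TESTS_* lists are expanded.
usage()
{
	cat <<EOF
usage: ${0##*/} OPTS

	-4          IPv4 tests only
	-6          IPv6 tests only
	-t <test>   Test name/set to run
	-p          Pause on fail
	-P          Pause after each test
	-v          Be verbose

Tests:
	$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER
EOF
}

################################################################################
# main

TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter"
TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter"
TESTS_OTHER="use_cases"

PAUSE_ON_FAIL=no
PAUSE=no

while getopts :46t:pPvh o
do
	case $o in
		4) TESTS=ipv4;;
		6) TESTS=ipv6;;
		t) TESTS=$OPTARG;;
		p) PAUSE_ON_FAIL=yes;;
		P) PAUSE=yes;;
		v) VERBOSE=1;;
		h) usage; exit 0;;
		*) usage; exit 1;;
	esac
done

# make sure we don't pause twice
[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no

#
# show user test config
#
if [ -z "$TESTS" ]; then
	TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
elif [ "$TESTS" = "ipv4" ]; then
	TESTS="$TESTS_IPV4"
elif [ "$TESTS" = "ipv6" ]; then
	TESTS="$TESTS_IPV6"
fi

# nettest can be run from PATH or from same directory as this selftest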
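if ! command -v nettest >/dev/null; then
	# Append the working directory instead of putting it first. This
	# script drives ip, iptables, modprobe and similar tools, and a file
	# in $PWD named like one of them must not shadow the system binary.
	# nettest is still found: this branch is only reached when it is
	# nowhere else on PATH.
	PATH=$PATH:$PWD
	if ! command -v nettest >/dev/null; then
		echo "'nettest' command not found; skipping tests"
		exit $ksft_skip
	fi
fi

# pass/fail counters, updated as each test is logged
declare -i nfail=0
declare -i nsuccess=0

# Run every requested test set; short aliases (ping, tcp6, ...) map to the
# same functions as the full names.
for t in $TESTS
do
	case $t in
	ipv4_ping|ping)  ipv4_ping;;
	ipv4_tcp|tcp)    ipv4_tcp;;
	ipv4_udp|udp)    ipv4_udp;;
	ipv4_bind|bind)  ipv4_addr_bind;;
	ipv4_runtime)    ipv4_runtime;;
	ipv4_netfilter)  ipv4_netfilter;;

	ipv6_ping|ping6) ipv6_ping;;
	ipv6_tcp|tcp6)   ipv6_tcp;;
	ipv6_udp|udp6)   ipv6_udp;;
	ipv6_bind|bind6) ipv6_addr_bind;;
	ipv6_runtime)    ipv6_runtime;;
	ipv6_netfilter)  ipv6_netfilter;;

	use_cases)       use_cases;;

	# setup namespaces and config, but do not run any tests
	setup)		 setup; exit 0;;
	vrf_setup)	 setup "yes"; exit 0;;

	# a mistyped -t name used to be dropped silently and end in SKIP
	*)		 echo "unknown test name '$t' ignored" >&2;;
	esac
done

cleanup 2>/dev/null

printf "\nTests passed: %3d\n" ${nsuccess}
printf "Tests failed: %3d\n"   ${nfail}

# exit status: any failure is a FAIL; nothing run at all is a SKIP
if [ $nfail -ne 0 ]; then
	exit 1 # KSFT_FAIL
elif [ $nsuccess -eq 0 ]; then
	exit $ksft_skip
fi

exit 0 # KSFT_PASS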