#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
#
# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
# for various permutations:
#   1. icmp, tcp, udp and netfilter
#   2. client, server, no-server
#   3. global address on interface
#   4. global address on 'lo'
#   5. remote and local traffic
#   6. VRF and non-VRF permutations
#
# Setup:
#                     ns-A     |     ns-B
# No VRF case:
#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
#                                                remote address
# VRF case:
#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
#
# ns-A:
#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
#       lo: 127.0.0.1/8, ::1/128
#           172.16.2.1/32, 2001:db8:2::1/128
#      red: 127.0.0.1/8, ::1/128
#           172.16.3.1/32, 2001:db8:3::1/128
#
# ns-B:
#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
#      lo2: 127.0.0.1/8, ::1/128
#           172.16.2.2/32, 2001:db8:2::2/128
#
# ns-A to ns-C connection - only for VRF and same config
# as ns-A to ns-B
#
# server / client nomenclature relative to ns-A

# Kselftest framework requirement - SKIP code is 4.
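ksft_skip=4

VERBOSE=0

NSA_DEV=eth1
NSA_DEV2=eth2
NSB_DEV=eth1
NSC_DEV=eth2
VRF=red
VRF_TABLE=1101

# IPv4 config
NSA_IP=172.16.1.1
NSB_IP=172.16.1.2
VRF_IP=172.16.3.1
NS_NET=172.16.1.0/24

# IPv6 config
NSA_IP6=2001:db8:1::1
NSB_IP6=2001:db8:1::2
VRF_IP6=2001:db8:3::1
NS_NET6=2001:db8:1::/120

NSA_LO_IP=172.16.2.1
NSB_LO_IP=172.16.2.2
NSA_LO_IP6=2001:db8:2::1
NSB_LO_IP6=2001:db8:2::2

# non-local addresses for freebind tests
NL_IP=172.17.1.1
NL_IP6=2001:db8:4::1

# multicast and broadcast addresses
MCAST_IP=224.0.0.1
BCAST_IP=255.255.255.255

# passwords handed to nettest (-M on the server, -X on the client) by the
# TCP MD5 tests; MD5_WRONG_PW is the deliberately mismatching one
MD5_PW=abc123
MD5_WRONG_PW=abc1234

MCAST=ff02::1
# set after namespace create
NSA_LINKIP6=
NSB_LINKIP6=

NSA=ns-A
NSB=ns-B
NSC=ns-C

# Command prefixes that run a command inside one namespace. Each holds
# several words and is therefore expanded unquoted where it is used.
NSA_CMD="ip netns exec ${NSA}"
NSB_CMD="ip netns exec ${NSB}"
NSC_CMD="ip netns exec ${NSC}"

# Prefer a dedicated ping6 binary and fall back to ping when there is none.
# 'command -v' is a shell builtin, so the lookup does not depend on which(1)
# being installed.
if command -v ping6 > /dev/null 2>&1; then
	ping6=$(command -v ping6)
else
	ping6=$(command -v ping)
fi

################################################################################
# utilities

# Record the result of one test.
#   $1 - exit status the test produced
#   $2 - exit status the test was expected to produce
#   $3 - description printed on the TEST: line
# Increments nsuccess or nfail (not initialised in this part of the file -
# presumably done before the tests are run), honours PAUSE and PAUSE_ON_FAIL,
# and finally kills any test process that is still running.
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"
	# Answer to the pause prompt. It must be local: the test functions keep
	# the address under test in a local variable named 'a', and a read into a
	# non-local 'a' here would overwrite it in the caller.
	local reply

	[ "${VERBOSE}" = "1" ] && echo

	if [ "${rc}" -eq "${expected}" ]; then
		nsuccess=$((nsuccess+1))
		printf "TEST: %-70s [ OK ]\n" "${msg}"
	else
		nfail=$((nfail+1))
		printf "TEST: %-70s [FAIL]\n" "${msg}"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue, 'q' to quit"
			read -r reply
			[ "$reply" = "q" ] && exit 1
		fi
	fi

	if [ "${PAUSE}" = "yes" ]; then
		echo
		echo "hit enter to continue, 'q' to quit"
		read -r reply
		[ "$reply" = "q" ] && exit 1
	fi

	kill_procs
}

# Like log_test, but appends a readable name for the address to the message.
#   $1 - address under test
#   $2 - exit status the test produced
#   $3 - expected exit status
#   $4 - description
log_test_addr()
{
	local addr=$1
	local rc=$2
	local expected=$3
	local msg="$4"
	local astr

	astr=$(addr2str "${addr}")
	log_test "$rc" "$expected" "$msg - ${astr}"
}

# Print a banner for a top-level group of tests.
log_section()
{
	echo
	echo "###########################################################################"
	echo "$*"
	echo "###########################################################################"
	echo
}

# Print a smaller banner for a sub-group of tests.
log_subsection()
{
	echo
	echo "#################################################################"
	echo "$*"
	echo
}

# Called before each test: stop leftovers and, in verbose mode, print a
# separator line.
log_start()
{
	# make sure we have no test instances running
	kill_procs

	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "#######################################################"
	fi
}

# Print the arguments only when VERBOSE is 1.
log_debug()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "$*"
		echo
	fi
}

# Print a "HINT:" line explaining an expected outcome, only when VERBOSE is 1.
show_hint()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo "HINT: $*"
		echo
	fi
}

# Stop every nettest, ping and ping6 process and give them a second to exit.
# killall selects by process name and is not restricted to the test
# namespaces, so unrelated processes with these names that the caller may
# signal are terminated as well; run the script on a dedicated test system.
kill_procs()
{
	killall nettest ping ping6 >/dev/null 2>&1
	sleep 1
}

# Run a command, echo it and its output when VERBOSE is 1, and return its
# exit status.
# The arguments are joined into one string which is word-split (and
# glob-expanded) again when it is executed, so an argument that contains
# whitespace does not reach the command as a single word.
do_run_cmd()
{
	local cmd="$*"
	local out

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${cmd}"
	fi

	# deliberately unquoted: ${cmd} is the whole command line
	out=$($cmd 2>&1)
	# NOTE(review): rc is not declared local here, so it is also visible to
	# the caller; left that way because the rest of the file is not in view.
	rc=$?
	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		echo "$out"
	fi

	return $rc
}

# Run a command in ns-A.
run_cmd()
{
	do_run_cmd ${NSA_CMD} "$@"
}

# Run a command in ns-B.
run_cmd_nsb()
{
	do_run_cmd ${NSB_CMD} "$@"
}

# Run a command in ns-C.
run_cmd_nsc()
{
	do_run_cmd ${NSC_CMD} "$@"
}

# Shared body of setup_cmd, setup_cmd_nsb and setup_cmd_nsc.
#   $1  - run_cmd variant that selects the namespace
#   $2+ - command to run
# A failing command ends the whole script with the command's exit status.
_setup_cmd_via()
{
	local runner=$1
	shift
	local cmd="$*"
	local rc
	local reply

	${runner} ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		# show user the command if not done so already
		if [ "$VERBOSE" = "0" ]; then
			echo "setup command: $cmd"
		fi
		echo "failed. stopping tests"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue"
			read -r reply
		fi
		exit $rc
	fi
}

# Run a configuration command in ns-A; the script stops if it fails.
setup_cmd()
{
	_setup_cmd_via run_cmd "$@"
}

# Run a configuration command in ns-B; the script stops if it fails.
setup_cmd_nsb()
{
	_setup_cmd_via run_cmd_nsb "$@"
}

# Run a configuration command in ns-C; the script stops if it fails.
setup_cmd_nsc()
{
	_setup_cmd_via run_cmd_nsc "$@"
}

# set sysctl values in NS-A
# The assignment goes through run_cmd, so a value that contains whitespace is
# split into separate words before sysctl sees it (see do_run_cmd).
set_sysctl()
{
	echo "SYSCTL: $*"
	echo
	run_cmd sysctl -q -w "$@"
}

# get sysctl values in NS-A
get_sysctl()
{
	${NSA_CMD} sysctl -n "$@"
}

################################################################################
# Setup for tests

# Map an address used by the tests to the label shown in the test output.
# Addresses that are not known print "unknown". The link-local patterns use
# NSA_LINKIP6 / NSB_LINKIP6, which are empty until setup has filled them in.
addr2str()
{
	case "$1" in
	127.0.0.1) echo "loopback";;
	::1) echo "IPv6 loopback";;

	${BCAST_IP}) echo "broadcast";;
	${MCAST_IP}) echo "multicast";;

	${NSA_IP}) echo "ns-A IP";;
	${NSA_IP6}) echo "ns-A IPv6";;
	${NSA_LO_IP}) echo "ns-A loopback IP";;
	${NSA_LO_IP6}) echo "ns-A loopback IPv6";;
	${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;

	${NSB_IP}) echo "ns-B IP";;
	${NSB_IP6}) echo "ns-B IPv6";;
	${NSB_LO_IP}) echo "ns-B loopback IP";;
	${NSB_LO_IP6}) echo "ns-B loopback IPv6";;
	${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;

	${NL_IP}) echo "nonlocal IP";;
	${NL_IP6}) echo "nonlocal IPv6";;

	${VRF_IP}) echo "VRF IP";;
	${VRF_IP6}) echo "VRF IPv6";;

	${MCAST}%*) echo "multicast IP";;

	*) echo "unknown";;
	esac
}

# Print the IPv6 link-local address (without prefix length) of a device.
#   $1 - namespace
#   $2 - device
# Returns 1 and prints nothing when the device has no fe80 address.
get_linklocal()
{
	local ns=$1
	local dev=$2
	local addr

	addr=$(ip -netns "${ns}" -6 -br addr show dev "${dev}" | \
	awk '{
		for (i = 3; i <= NF; ++i) {
			if ($i ~ /^fe80/)
				print $i
		}
	}'
	)
	# cut at the first '/', which drops the prefix length and anything
	# that follows it
	addr=${addr/\/*}

	[ -z "$addr" ] && return 1

	printf '%s\n' "$addr"

	return 0
}

################################################################################
# create namespaces and vrf

# Create a VRF device in a namespace.
#   $1 - namespace
#   $2 - VRF device name
#   $3 - routing table id of the VRF
#   $4 - IPv4 address for the VRF device, "-" for none
#   $5 - IPv6 address for the VRF device, "-" for none
create_vrf()
{
	local ns=$1
	local vrf=$2
	local table=$3
	local addr=$4
	local addr6=$5

	ip -netns "${ns}" link add "${vrf}" type vrf table "${table}"
	ip -netns "${ns}" link set "${vrf}" up
	# high-metric unreachable default routes in the VRF table
	ip -netns "${ns}" route add vrf "${vrf}" unreachable default metric 8192
	ip -netns "${ns}" -6 route add vrf "${vrf}" unreachable default metric 8192

	ip -netns "${ns}" addr add 127.0.0.1/8 dev "${vrf}"
	ip -netns "${ns}" -6 addr add ::1 dev "${vrf}" nodad
	if [ "${addr}" != "-" ]; then
		ip -netns "${ns}" addr add dev "${vrf}" "${addr}"
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns "${ns}" -6 addr add dev "${vrf}" "${addr6}"
	fi

	# move the 'lookup local' rule from pref 0 to pref 32765, presumably so
	# that the VRF rule is evaluated before the local table
	ip -netns "${ns}" ru del pref 0
	ip -netns "${ns}" ru add pref 32765 from all lookup local
	ip -netns "${ns}" -6 ru del pref 0
	ip -netns "${ns}" -6 ru add pref 32765 from all lookup local
}

# Create a namespace with loopback up and forwarding enabled.
#   $1 - namespace
#   $2 - IPv4 address to add to lo, "-" for none
#   $3 - IPv6 address to add to lo, "-" for none
create_ns()
{
	local ns=$1
	local addr=$2
	local addr6=$3

	ip netns add "${ns}"

	ip -netns "${ns}" link set lo up
	if [ "${addr}" != "-" ]; then
		ip -netns "${ns}" addr add dev lo "${addr}"
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns "${ns}" -6 addr add dev lo "${addr6}"
	fi

	# high-metric unreachable default routes in the main table
	ip -netns "${ns}" ro add unreachable default metric 8192
	ip -netns "${ns}" -6 ro add unreachable default metric 8192

	ip netns exec "${ns}" sysctl -qw net.ipv4.ip_forward=1
	ip netns exec "${ns}" sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
	ip netns exec "${ns}" sysctl -qw net.ipv6.conf.all.forwarding=1
	ip netns exec "${ns}" sysctl -qw net.ipv6.conf.default.forwarding=1
}

# create veth pair to connect namespaces and apply addresses.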
422connect_ns() 423{ 424 local ns1=$1 425 local ns1_dev=$2 426 local ns1_addr=$3 427 local ns1_addr6=$4 428 local ns2=$5 429 local ns2_dev=$6 430 local ns2_addr=$7 431 local ns2_addr6=$8 432 433 ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp 434 ip -netns ${ns1} li set ${ns1_dev} up 435 ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev} 436 ip -netns ${ns2} li set ${ns2_dev} up 437 438 if [ "${ns1_addr}" != "-" ]; then 439 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr} 440 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr} 441 fi 442 443 if [ "${ns1_addr6}" != "-" ]; then 444 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6} 445 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6} 446 fi 447} 448 449cleanup() 450{ 451 # explicit cleanups to check those code paths 452 ip netns | grep -q ${NSA} 453 if [ $? -eq 0 ]; then 454 ip -netns ${NSA} link delete ${VRF} 455 ip -netns ${NSA} ro flush table ${VRF_TABLE} 456 457 ip -netns ${NSA} addr flush dev ${NSA_DEV} 458 ip -netns ${NSA} -6 addr flush dev ${NSA_DEV} 459 ip -netns ${NSA} link set dev ${NSA_DEV} down 460 ip -netns ${NSA} link del dev ${NSA_DEV} 461 462 ip netns pids ${NSA} | xargs kill 2>/dev/null 463 ip netns del ${NSA} 464 fi 465 466 ip netns pids ${NSB} | xargs kill 2>/dev/null 467 ip netns del ${NSB} 468 ip netns pids ${NSC} | xargs kill 2>/dev/null 469 ip netns del ${NSC} >/dev/null 2>&1 470} 471 472cleanup_vrf_dup() 473{ 474 ip link del ${NSA_DEV2} >/dev/null 2>&1 475 ip netns pids ${NSC} | xargs kill 2>/dev/null 476 ip netns del ${NSC} >/dev/null 2>&1 477} 478 479setup_vrf_dup() 480{ 481 # some VRF tests use ns-C which has the same config as 482 # ns-B but for a device NOT in the VRF 483 create_ns ${NSC} "-" "-" 484 connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \ 485 ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 486} 487 488setup() 489{ 490 local with_vrf=${1} 491 492 # make sure we are starting with a clean slate 493 kill_procs 494 cleanup 2>/dev/null 495 496 
log_debug "Configuring network namespaces" 497 set -e 498 499 create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128 500 create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128 501 connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \ 502 ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 503 504 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 505 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 506 507 # tell ns-A how to get to remote addresses of ns-B 508 if [ "${with_vrf}" = "yes" ]; then 509 create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6} 510 511 ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF} 512 ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 513 ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 514 515 ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 516 ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 517 else 518 ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 519 ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 520 fi 521 522 523 # tell ns-B how to get to remote addresses of ns-A 524 ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 525 ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 526 527 set +e 528 529 sleep 1 530} 531 532setup_lla_only() 533{ 534 # make sure we are starting with a clean slate 535 kill_procs 536 cleanup 2>/dev/null 537 538 log_debug "Configuring network namespaces" 539 set -e 540 541 create_ns ${NSA} "-" "-" 542 create_ns ${NSB} "-" "-" 543 create_ns ${NSC} "-" "-" 544 connect_ns ${NSA} ${NSA_DEV} "-" "-" \ 545 ${NSB} ${NSB_DEV} "-" "-" 546 connect_ns ${NSA} ${NSA_DEV2} "-" "-" \ 547 ${NSC} ${NSC_DEV} "-" "-" 548 549 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 550 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 551 NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV}) 552 553 create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-" 554 ip -netns ${NSA} link 
set dev ${NSA_DEV} vrf ${VRF} 555 ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF} 556 557 set +e 558 559 sleep 1 560} 561 562################################################################################ 563# IPv4 564 565ipv4_ping_novrf() 566{ 567 local a 568 569 # 570 # out 571 # 572 for a in ${NSB_IP} ${NSB_LO_IP} 573 do 574 log_start 575 run_cmd ping -c1 -w1 ${a} 576 log_test_addr ${a} $? 0 "ping out" 577 578 log_start 579 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 580 log_test_addr ${a} $? 0 "ping out, device bind" 581 582 log_start 583 run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a} 584 log_test_addr ${a} $? 0 "ping out, address bind" 585 done 586 587 # 588 # in 589 # 590 for a in ${NSA_IP} ${NSA_LO_IP} 591 do 592 log_start 593 run_cmd_nsb ping -c1 -w1 ${a} 594 log_test_addr ${a} $? 0 "ping in" 595 done 596 597 # 598 # local traffic 599 # 600 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 601 do 602 log_start 603 run_cmd ping -c1 -w1 ${a} 604 log_test_addr ${a} $? 0 "ping local" 605 done 606 607 # 608 # local traffic, socket bound to device 609 # 610 # address on device 611 a=${NSA_IP} 612 log_start 613 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 614 log_test_addr ${a} $? 0 "ping local, device bind" 615 616 # loopback addresses not reachable from device bind 617 # fails in a really weird way though because ipv4 special cases 618 # route lookups with oif set. 619 for a in ${NSA_LO_IP} 127.0.0.1 620 do 621 log_start 622 show_hint "Fails since address on loopback device is out of device scope" 623 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 624 log_test_addr ${a} $? 
1 "ping local, device bind" 625 done 626 627 # 628 # ip rule blocks reachability to remote address 629 # 630 log_start 631 setup_cmd ip rule add pref 32765 from all lookup local 632 setup_cmd ip rule del pref 0 from all lookup local 633 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 634 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 635 636 a=${NSB_LO_IP} 637 run_cmd ping -c1 -w1 ${a} 638 log_test_addr ${a} $? 2 "ping out, blocked by rule" 639 640 # NOTE: ipv4 actually allows the lookup to fail and yet still create 641 # a viable rtable if the oif (e.g., bind to device) is set, so this 642 # case succeeds despite the rule 643 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 644 645 a=${NSA_LO_IP} 646 log_start 647 show_hint "Response generates ICMP (or arp request is ignored) due to ip rule" 648 run_cmd_nsb ping -c1 -w1 ${a} 649 log_test_addr ${a} $? 1 "ping in, blocked by rule" 650 651 [ "$VERBOSE" = "1" ] && echo 652 setup_cmd ip rule del pref 32765 from all lookup local 653 setup_cmd ip rule add pref 0 from all lookup local 654 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 655 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 656 657 # 658 # route blocks reachability to remote address 659 # 660 log_start 661 setup_cmd ip route replace unreachable ${NSB_LO_IP} 662 setup_cmd ip route replace unreachable ${NSB_IP} 663 664 a=${NSB_LO_IP} 665 run_cmd ping -c1 -w1 ${a} 666 log_test_addr ${a} $? 2 "ping out, blocked by route" 667 668 # NOTE: ipv4 actually allows the lookup to fail and yet still create 669 # a viable rtable if the oif (e.g., bind to device) is set, so this 670 # case succeeds despite not having a route for the address 671 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 672 673 a=${NSA_LO_IP} 674 log_start 675 show_hint "Response is dropped (or arp request is ignored) due to ip route" 676 run_cmd_nsb ping -c1 -w1 ${a} 677 log_test_addr ${a} $? 
1 "ping in, blocked by route" 678 679 # 680 # remove 'remote' routes; fallback to default 681 # 682 log_start 683 setup_cmd ip ro del ${NSB_LO_IP} 684 685 a=${NSB_LO_IP} 686 run_cmd ping -c1 -w1 ${a} 687 log_test_addr ${a} $? 2 "ping out, unreachable default route" 688 689 # NOTE: ipv4 actually allows the lookup to fail and yet still create 690 # a viable rtable if the oif (e.g., bind to device) is set, so this 691 # case succeeds despite not having a route for the address 692 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 693} 694 695ipv4_ping_vrf() 696{ 697 local a 698 699 # should default on; does not exist on older kernels 700 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 701 702 # 703 # out 704 # 705 for a in ${NSB_IP} ${NSB_LO_IP} 706 do 707 log_start 708 run_cmd ping -c1 -w1 -I ${VRF} ${a} 709 log_test_addr ${a} $? 0 "ping out, VRF bind" 710 711 log_start 712 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 713 log_test_addr ${a} $? 0 "ping out, device bind" 714 715 log_start 716 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a} 717 log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind" 718 719 log_start 720 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a} 721 log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind" 722 done 723 724 # 725 # in 726 # 727 for a in ${NSA_IP} ${VRF_IP} 728 do 729 log_start 730 run_cmd_nsb ping -c1 -w1 ${a} 731 log_test_addr ${a} $? 0 "ping in" 732 done 733 734 # 735 # local traffic, local address 736 # 737 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 738 do 739 log_start 740 show_hint "Source address should be ${a}" 741 run_cmd ping -c1 -w1 -I ${VRF} ${a} 742 log_test_addr ${a} $? 0 "ping local, VRF bind" 743 done 744 745 # 746 # local traffic, socket bound to device 747 # 748 # address on device 749 a=${NSA_IP} 750 log_start 751 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 752 log_test_addr ${a} $? 
0 "ping local, device bind" 753 754 # vrf device is out of scope 755 for a in ${VRF_IP} 127.0.0.1 756 do 757 log_start 758 show_hint "Fails since address on vrf device is out of device scope" 759 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 760 log_test_addr ${a} $? 2 "ping local, device bind" 761 done 762 763 # 764 # ip rule blocks address 765 # 766 log_start 767 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 768 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 769 770 a=${NSB_LO_IP} 771 run_cmd ping -c1 -w1 -I ${VRF} ${a} 772 log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule" 773 774 log_start 775 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 776 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 777 778 a=${NSA_LO_IP} 779 log_start 780 show_hint "Response lost due to ip rule" 781 run_cmd_nsb ping -c1 -w1 ${a} 782 log_test_addr ${a} $? 1 "ping in, blocked by rule" 783 784 [ "$VERBOSE" = "1" ] && echo 785 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 786 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 787 788 # 789 # remove 'remote' routes; fallback to default 790 # 791 log_start 792 setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP} 793 794 a=${NSB_LO_IP} 795 run_cmd ping -c1 -w1 -I ${VRF} ${a} 796 log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route" 797 798 log_start 799 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 800 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 801 802 a=${NSA_LO_IP} 803 log_start 804 show_hint "Response lost by unreachable route" 805 run_cmd_nsb ping -c1 -w1 ${a} 806 log_test_addr ${a} $? 
1 "ping in, unreachable route" 807} 808 809ipv4_ping() 810{ 811 log_section "IPv4 ping" 812 813 log_subsection "No VRF" 814 setup 815 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null 816 ipv4_ping_novrf 817 setup 818 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 819 ipv4_ping_novrf 820 setup 821 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 822 ipv4_ping_novrf 823 824 log_subsection "With VRF" 825 setup "yes" 826 ipv4_ping_vrf 827 setup "yes" 828 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 829 ipv4_ping_vrf 830} 831 832################################################################################ 833# IPv4 TCP 834 835# 836# MD5 tests without VRF 837# 838ipv4_tcp_md5_novrf() 839{ 840 # 841 # single address 842 # 843 844 # basic use case 845 log_start 846 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 847 sleep 1 848 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 849 log_test $? 0 "MD5: Single address config" 850 851 # client sends MD5, server not configured 852 log_start 853 show_hint "Should timeout due to MD5 mismatch" 854 run_cmd nettest -s & 855 sleep 1 856 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 857 log_test $? 2 "MD5: Server no config, client uses password" 858 859 # wrong password 860 log_start 861 show_hint "Should timeout since client uses wrong password" 862 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 863 sleep 1 864 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 865 log_test $? 2 "MD5: Client uses wrong password" 866 867 # client from different address 868 log_start 869 show_hint "Should timeout due to MD5 mismatch" 870 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} & 871 sleep 1 872 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 873 log_test $? 
2 "MD5: Client address does not match address configured with password" 874 875 # 876 # MD5 extension - prefix length 877 # 878 879 # client in prefix 880 log_start 881 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 882 sleep 1 883 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 884 log_test $? 0 "MD5: Prefix config" 885 886 # client in prefix, wrong password 887 log_start 888 show_hint "Should timeout since client uses wrong password" 889 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 890 sleep 1 891 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 892 log_test $? 2 "MD5: Prefix config, client uses wrong password" 893 894 # client outside of prefix 895 log_start 896 show_hint "Should timeout due to MD5 mismatch" 897 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 898 sleep 1 899 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 900 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 901} 902 903# 904# MD5 tests with VRF 905# 906ipv4_tcp_md5() 907{ 908 # 909 # single address 910 # 911 912 # basic use case 913 log_start 914 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 915 sleep 1 916 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 917 log_test $? 0 "MD5: VRF: Single address config" 918 919 # client sends MD5, server not configured 920 log_start 921 show_hint "Should timeout since server does not have MD5 auth" 922 run_cmd nettest -s -I ${VRF} & 923 sleep 1 924 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 925 log_test $? 2 "MD5: VRF: Server no config, client uses password" 926 927 # wrong password 928 log_start 929 show_hint "Should timeout since client uses wrong password" 930 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 931 sleep 1 932 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 933 log_test $? 
2 "MD5: VRF: Client uses wrong password" 934 935 # client from different address 936 log_start 937 show_hint "Should timeout since server config differs from client" 938 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} & 939 sleep 1 940 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 941 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 942 943 # 944 # MD5 extension - prefix length 945 # 946 947 # client in prefix 948 log_start 949 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 950 sleep 1 951 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 952 log_test $? 0 "MD5: VRF: Prefix config" 953 954 # client in prefix, wrong password 955 log_start 956 show_hint "Should timeout since client uses wrong password" 957 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 958 sleep 1 959 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 960 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 961 962 # client outside of prefix 963 log_start 964 show_hint "Should timeout since client address is outside of prefix" 965 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 966 sleep 1 967 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 968 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" 969 970 # 971 # duplicate config between default VRF and a VRF 972 # 973 974 log_start 975 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 976 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 977 sleep 1 978 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 979 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 980 981 log_start 982 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 983 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 984 sleep 1 985 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 986 log_test $? 
0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 987 988 log_start 989 show_hint "Should timeout since client in default VRF uses VRF password" 990 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 991 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 992 sleep 1 993 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 994 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 995 996 log_start 997 show_hint "Should timeout since client in VRF uses default VRF password" 998 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 999 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 1000 sleep 1 1001 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1002 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 1003 1004 log_start 1005 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1006 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1007 sleep 1 1008 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1009 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 1010 1011 log_start 1012 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1013 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1014 sleep 1 1015 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1016 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 1017 1018 log_start 1019 show_hint "Should timeout since client in default VRF uses VRF password" 1020 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1021 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1022 sleep 1 1023 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1024 log_test $? 
2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 1025 1026 log_start 1027 show_hint "Should timeout since client in VRF uses default VRF password" 1028 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1029 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1030 sleep 1 1031 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1032 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 1033 1034 # 1035 # negative tests 1036 # 1037 log_start 1038 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP} 1039 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 1040 1041 log_start 1042 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET} 1043 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 1044 1045 test_ipv4_md5_vrf__vrf_server__no_bind_ifindex 1046 test_ipv4_md5_vrf__global_server__bind_ifindex0 1047} 1048 1049test_ipv4_md5_vrf__vrf_server__no_bind_ifindex() 1050{ 1051 log_start 1052 show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX" 1053 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1054 sleep 1 1055 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1056 log_test $? 0 "MD5: VRF: VRF-bound server, unbound key accepts connection" 1057 1058 log_start 1059 show_hint "Binding both the socket and the key is not required but it works" 1060 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1061 sleep 1 1062 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1063 log_test $? 
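0 "MD5: VRF: VRF-bound server, bound key accepts connection"
}

# TCP-MD5 with a key whose ifindex binding is forced on or off, served by a
# socket that is not bound to the VRF.
#
# tcp_l3mdev_accept=1 lets the unbound ("global") server accept connections
# that arrive through the VRF, so the only thing deciding the outcome is the
# key's ifindex scope. Going by the test labels, ns-B is the VRF peer and
# ns-C the non-VRF peer:
#   --force-bind-key-ifindex : key pinned to ifindex 0, VRF peer rejected
#                              (rc 2), non-VRF peer accepted
#   --no-bind-key-ifindex    : key matches either peer
# The previous sysctl value is read first and written back at the end.
#
# The key is a fixed test value handed to nettest on its command line; that is
# fine for a fixture, but argv is the wrong channel for a real TCP-MD5 secret.
test_ipv4_md5_vrf__global_server__bind_ifindex0()
{
	# This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections
	local old_tcp_l3mdev_accept
	old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept)
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection"

	# restore value
	set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept"
}

# IPv4 TCP connectivity without a VRF: ns-A as server, ns-A as client, and
# connections between local addresses of ns-A, each with and without a device
# bind. Every case starts a server in the background where one is needed,
# sleeps one second so it can start listening, runs the client and compares
# the client's exit status with the expected value through log_test_addr.
# Ends by running the MD5 no-VRF cases (ipv4_tcp_md5_novrf).
ipv4_tcp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	# verify TCP reset sent and received
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -0 ${a} -1 ${a}
		log_test_addr ${a} $? 0 "Global server, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"

	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
		run_cmd nettest -s -I ${NSA_DEV} &
		sleep 1
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s &
	sleep 1
	run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "Global server, device client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -d ${NSA_DEV} -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local connection"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "No server, device client, local conn"

	ipv4_tcp_md5_novrf
}

# IPv4 TCP connectivity with ns-A's interface enslaved to the VRF.
#
# Runs in two phases keyed on net.ipv4.tcp_l3mdev_accept:
#   0 - a server socket not bound to the VRF must refuse VRF traffic; only
#       VRF-bound and device-bound servers accept. The MD5 cases run in this
#       phase, between setup_vrf_dup and cleanup_vrf_dup.
#   1 - the unbound ("global") server also accepts VRF traffic.
# The sysctl is left at 1 when the function returns; it is not restored here.
ipv4_tcp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"

	set_sysctl net.ipv4.tcp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server"

		log_start
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		log_start
		run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Device server"

		# verify TCP reset received
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	# local address tests
	# (${VRF_IP} and 127.0.0.1 both timeout)
	a=${NSA_IP}
	log_start
	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
	run_cmd nettest -s &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV}
	log_test_addr ${a} $? 1 "Global server, local connection"

	# run MD5 tests
	setup_vrf_dup
	ipv4_tcp_md5
	cleanup_vrf_dup

	#
	# enable VRF global server
	#
	log_subsection "VRF Global server enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		# verify TCP reset received
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	a=${NSA_IP}
	log_start
	show_hint "client socket should be bound to device"
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	# local address tests
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Should fail 'Connection refused' since client is not bound to VRF"
		run_cmd nettest -s -I ${VRF} &
		sleep 1
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server, local connection"
	done

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${VRF}
		log_test_addr ${a} $? 0 "Client, VRF bind"

		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${VRF}
		log_test_addr ${a} $? 1 "No server, VRF client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${VRF} -3 ${VRF} &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local connection"

	log_start
	show_hint "Should fail 'No route to host' since client is out of VRF scope"
	run_cmd nettest -s -I ${VRF} &
	sleep 1
	run_cmd nettest -r ${a}
	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local connection"
}

# Entry point for the IPv4 TCP group: the no-VRF cases twice (once per
# tcp_l3mdev_accept value), then the VRF cases on a fresh VRF setup.
ipv4_tcp()
{
	log_section "IPv4/TCP"
	log_subsection "No VRF"
	setup

	# tcp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "tcp_l3mdev_accept disabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=0
	ipv4_tcp_novrf
	log_subsection "tcp_l3mdev_accept enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1
	ipv4_tcp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_tcp_vrf
}

################################################################################
# IPv4 UDP

# IPv4 UDP connectivity without a VRF. Mirrors the TCP no-VRF cases and adds
# the datagram-specific ways of selecting the egress device that the labels
# name: plain device bind, cmsg, IP_UNICAST_IF, and IP_UNICAST_IF combined
# with connect().
ipv4_udp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -D -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client, device send via cmsg"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} -U
		log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF, with connect()"


		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -0 ${a} -1 ${a}
		log_test_addr ${a} $? 0 "Global server, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -r ${a}
	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"

	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'Connection refused' since address is out of device scope"
		run_cmd nettest -s -D -I ${NSA_DEV} &
		sleep 1
		run_cmd nettest -D -r ${a}
		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -C -r ${a}
	log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"

	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -S -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection"

	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} -U
	log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"


	# IPv4 with device bind has really weird behavior - it overrides the
	# fib lookup, generates an rtable and tries to send the packet. This
	# causes failures for local traffic at different places
	# (hence the differing expected codes below: 2 for the plain device
	# bind, 1 for the cmsg and IP_UNICAST_IF variants)
	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 2 "Global server, device client, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C
		log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S
		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -U
		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"


	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -D -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local conn"

	log_start
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 2 "No server, device client, local conn"
}

# IPv4 UDP connectivity with ns-A's interface enslaved to the VRF.
#
# Same two-phase layout as the TCP VRF cases, keyed on
# net.ipv4.udp_l3mdev_accept: with 0 a server socket outside the VRF must not
# receive VRF traffic, with 1 it does. The sysctl is left at 1 on return.
ipv4_udp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Fails because ingress is in a VRF and global server is disabled"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "Global server"

		log_start
		run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		log_start
		run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server"

		log_start
		show_hint "Should fail 'Connection refused' since global server is out of scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "Global server, VRF client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection"

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"

	# enable global server
	log_subsection "Global server enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		log_start
		run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client tests
	#
	log_start
	run_cmd_nsb nettest -D -s &
	sleep 1
	run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP}
	log_test $? 0 "VRF client"

	log_start
	run_cmd_nsb nettest -D -s &
	sleep 1
	run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP}
	log_test $? 0 "Enslaved device client"

	# negative test - should fail
	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -D -d ${VRF} -r ${NSB_IP}
	log_test $? 1 "No server, VRF client"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP}
	log_test $? 1 "No server, enslaved device client"

	#
	# local address tests
	#
	a=${NSA_IP}
	log_start
	run_cmd nettest -D -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"

	for a in ${VRF_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -D -s -3 ${VRF} &
		sleep 1
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
	done

	for a in ${VRF_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -s -D -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
	done

	# negative test - should fail
	# verifies ECONNREFUSED
	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
	done
}

# Entry point for the IPv4 UDP group: the no-VRF cases twice (once per
# udp_l3mdev_accept value), then the VRF cases on a fresh VRF setup.
ipv4_udp()
{
	log_section "IPv4/UDP"
	log_subsection "No VRF"

	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv4_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv4_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_udp_vrf
}

################################################################################
# IPv4 address bind
#
# verifies ability or inability to bind to an address / device

# Bind-only checks without a VRF: raw, TCP and ICMP sockets against local,
# non-local (freebind), broadcast and multicast addresses. nettest is run
# with -b, so each case only reports whether the bind itself succeeded.
ipv4_addr_bind_novrf()
{
	# keep the loop variable out of the global scope, as the other test
	# functions in this file do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# tests for nonlocal bind
	#
	a=${NL_IP}
	log_start
	run_cmd nettest -s -R -f -l ${a} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

	log_start
	run_cmd nettest -s -f -l ${a} -b
	log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address"

	log_start
	run_cmd nettest -s -D -P icmp -f -l ${a} -b
	log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address"

	#
	# check that ICMP sockets cannot bind to broadcast and multicast addresses
	#
	a=${BCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address"

	a=${MCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to multicast address"

	#
	# tcp sockets
	#
	a=${NSA_IP}
	log_start
	run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not
	# (in other words a device bind is not an address-scope check; the
	# case stays disabled because it would assert behavior the kernel
	# does not provide)
	#a=${NSA_LO_IP}
	#log_start
	#show_hint "Should fail with 'Cannot assign requested address'"
	#run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
	#log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
}

# Bind-only checks with the VRF configured. An address that lives in the VRF
# must be refused for a socket that is not bound to the VRF or to the
# enslaved device, and the loopback address (outside the VRF) must be refused
# once the socket is bound to the VRF or to the enslaved device.
ipv4_addr_bind_vrf()
{
	# keep the loop variable out of the global scope, as the other test
	# functions in this file do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Socket not bound to VRF, but address is in VRF"
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 1 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind"

	#
	# tests for nonlocal bind
	#
	a=${NL_IP}
	log_start
	run_cmd nettest -s -R -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	log_start
	run_cmd nettest -s -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address after VRF bind"

	log_start
	run_cmd nettest -s -D -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address after VRF bind"

	#
	# check that ICMP sockets cannot bind to broadcast and multicast addresses
	#
	a=${BCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address after VRF bind"

	a=${MCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to multicast address after VRF bind"

	#
	# tcp sockets
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address"

		log_start
		run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
}

# Entry point for the IPv4 bind group, once without and once with the VRF.
#
# ping_group_range is widened to every GID before each run, presumably so the
# ICMP datagram-socket cases can open their sockets; the write is allowed to
# fail silently (2>/dev/null). Which namespace set_sysctl writes to is decided
# by that helper, which is defined elsewhere in the file - confirm it is
# scoped to the test namespace and not the host.
ipv4_addr_bind()
{
	log_section "IPv4 address binds"

	log_subsection "No VRF"
	setup
	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
	ipv4_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
	ipv4_addr_bind_vrf
}

################################################################################
# IPv4 runtime tests

# Delete the VRF device while sockets are exchanging traffic over it.
#
# Arguments:
#   $1 - description used as the prefix of every test label
#   $2 - extra nettest options; expanded unquoted on purpose so that a value
#        such as "-n -1" is split into separate arguments
#
# Every case is logged with rc 0 against expected 0, so the table always shows
# OK; what the run establishes is presumably that the delete and the following
# setup complete without the kernel hanging or crashing. The VRF is rebuilt
# with setup after each delete, except after the last case.
ipv4_rt()
{
	local desc="$1"
	local varg="$2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -s -I ${VRF} &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest ${varg} -s -I ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest ${varg} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device server"

	setup ${with_vrf}

	#
	# client test
	#
	# NOTE(review): ${a} still holds ${NSA_IP} in the two client cases, so
	# the label shows ns-A's address while the traffic targets ${NSB_IP}.
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device client"

	setup ${with_vrf}

	#
	# local address tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local"

		setup ${with_vrf}
	done

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server and client, local"

		setup ${with_vrf}
	done

	a=${NSA_IP}
	log_start

	run_cmd nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${VRF} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local"
}

# Delete the VRF device while a flood ping (ping -f) is running, first inbound
# from ns-B and then outbound from ns-A bound to the VRF. As with ipv4_rt the
# result is logged as rc 0 against expected 0.
ipv4_ping_rt()
{
	local with_vrf="yes"
	local a

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd_nsb ping -f ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

		setup ${with_vrf}
	done

	a=${NSB_IP}
	log_start
	run_cmd ping -f -I ${VRF} ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

# Entry point for the IPv4 runtime group. Each sub-test starts from a fresh
# VRF setup because the previous one ends with the VRF device deleted.
ipv4_runtime()
{
	log_section "Run time tests - ipv4"

	setup "yes"
	ipv4_ping_rt

	setup "yes"
	ipv4_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv4_rt "TCP passive socket" "-i"
}

################################################################################
# IPv6

# IPv6 ping without a VRF: outbound, inbound and local targets, then the same
# targets with reachability removed by policy rules and by unreachable routes.
#
# The rule section moves the "lookup local" rule from pref 0 to pref 32765 so
# that the prohibit rules at pref 50 and 51 are evaluated first, and puts it
# back afterwards. The route section deletes the route to ${NSB_LO_IP6} and
# does not re-add it; the caller (ipv6_ping) runs setup before every
# invocation.
ipv6_ping_novrf()
{
	local a

	# should not have an impact, but make a known state
	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping out"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a}
		log_test_addr ${a} $? 0 "ping out, loopback address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
	do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	#
	# local traffic, local address
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping local, no bind"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping local, device bind"
	done

	for a in ${NSA_LO_IP6} ::1
	do
		log_start
		show_hint "Fails since address on loopback is out of device scope"
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 2 "ping local, device bind"
	done

	#
	# ip rule blocks address
	#
	log_start
	setup_cmd ip -6 rule add pref 32765 from all lookup local
	setup_cmd ip -6 rule del pref 0 from all lookup local
	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by rule"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	setup_cmd ip -6 rule add pref 0 from all lookup local
	setup_cmd ip -6 rule del pref 32765 from all lookup local
	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit

	#
	# route blocks reachability to remote address
	#
	log_start
	setup_cmd ip -6 route del ${NSB_LO_IP6}
	setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10
	setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by route"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Response lost due to ip route"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by route"


	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6}
	setup_cmd ip -6 ro del unreachable ${NSB_IP6}

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, unreachable route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
}

# IPv6 ping with ns-A's interface enslaved to the VRF: VRF-bound and
# device-bound outbound pings, inbound pings, local targets, a link-local to
# global-address case, and the rule / route blocking cases.
#
# The function changes ns-B's addresses and routes for the LLA-to-GUA case and
# puts them back; the route deletions at the end are not undone here.
ipv6_ping_vrf()
{
	local a

	# should default on; does not exist on older kernels
	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping out, VRF bind"
	done

	for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF}
	do
		log_start
		show_hint "Fails since VRF device does not support linklocal or multicast"
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 1 "ping out, VRF bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
	do
		log_start
		run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a}
		log_test_addr ${a} $? 0 "ping out, vrf device+address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
	do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	a=${NSA_LO_IP6}
	log_start
	show_hint "Fails since loopback address is out of VRF scope"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in"

	#
	# local traffic, local address
	#
	for a in ${NSA_IP6} ${VRF_IP6} ::1
	do
		log_start
		show_hint "Source address should be ${a}"
		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping local, VRF bind"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping local, device bind"
	done

	# LLA to GUA - remove ipv6 global addresses from ns-B
	setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo
	setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}

	# NOTE(review): both iterations ping ${NSA_IP6}; ${a} only changes the
	# label. The route added above covers ${NSA_IP6}/128 only, so this may
	# be deliberate - confirm before changing the target to ${a}.
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
		log_test_addr ${a} $? 0 "ping in, LLA to GUA"
	done

	setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
	setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV}
	setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo

	#
	# ip rule blocks address
	#
	log_start
	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by rule"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	log_start
	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit

	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF}

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, unreachable route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"

	# run directly rather than through setup_cmd_nsb, so the exit status
	# of this delete is not checked
	ip -netns ${NSB} -6 ro del ${NSA_LO_IP6}
	a=${NSA_LO_IP6}
	log_start
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping in, unreachable route"
}

# Entry point for the IPv6 ping group. Each variant runs twice on a fresh
# setup: once with the default ping_group_range and once with the range
# widened to every GID (the write may fail silently, see 2>/dev/null).
ipv6_ping()
{
	log_section "IPv6 ping"

	log_subsection "No VRF"
	setup
	ipv6_ping_novrf
	setup
	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
	ipv6_ping_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_ping_vrf
	setup "yes"
	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
	ipv6_ping_vrf
}

################################################################################
# IPv6 TCP

#
# MD5 tests without VRF
#
ipv6_tcp_md5_novrf()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $?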
2 "MD5: Client address does not match address configured with password" 2485 2486 # 2487 # MD5 extension - prefix length 2488 # 2489 2490 # client in prefix 2491 log_start 2492 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2493 sleep 1 2494 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2495 log_test $? 0 "MD5: Prefix config" 2496 2497 # client in prefix, wrong password 2498 log_start 2499 show_hint "Should timeout since client uses wrong password" 2500 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2501 sleep 1 2502 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2503 log_test $? 2 "MD5: Prefix config, client uses wrong password" 2504 2505 # client outside of prefix 2506 log_start 2507 show_hint "Should timeout due to MD5 mismatch" 2508 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2509 sleep 1 2510 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW} 2511 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 2512} 2513 2514# 2515# MD5 tests with VRF 2516# 2517ipv6_tcp_md5() 2518{ 2519 # 2520 # single address 2521 # 2522 2523 # basic use case 2524 log_start 2525 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2526 sleep 1 2527 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2528 log_test $? 0 "MD5: VRF: Single address config" 2529 2530 # client sends MD5, server not configured 2531 log_start 2532 show_hint "Should timeout since server does not have MD5 auth" 2533 run_cmd nettest -6 -s -I ${VRF} & 2534 sleep 1 2535 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2536 log_test $? 2 "MD5: VRF: Server no config, client uses password" 2537 2538 # wrong password 2539 log_start 2540 show_hint "Should timeout since client uses wrong password" 2541 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2542 sleep 1 2543 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2544 log_test $? 
2 "MD5: VRF: Client uses wrong password" 2545 2546 # client from different address 2547 log_start 2548 show_hint "Should timeout since server config differs from client" 2549 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} & 2550 sleep 1 2551 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2552 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 2553 2554 # 2555 # MD5 extension - prefix length 2556 # 2557 2558 # client in prefix 2559 log_start 2560 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2561 sleep 1 2562 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2563 log_test $? 0 "MD5: VRF: Prefix config" 2564 2565 # client in prefix, wrong password 2566 log_start 2567 show_hint "Should timeout since client uses wrong password" 2568 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2569 sleep 1 2570 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2571 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 2572 2573 # client outside of prefix 2574 log_start 2575 show_hint "Should timeout since client address is outside of prefix" 2576 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2577 sleep 1 2578 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW} 2579 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" 2580 2581 # 2582 # duplicate config between default VRF and a VRF 2583 # 2584 2585 log_start 2586 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2587 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2588 sleep 1 2589 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2590 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 2591 2592 log_start 2593 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2594 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2595 sleep 1 2596 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2597 log_test $? 
0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 2598 2599 log_start 2600 show_hint "Should timeout since client in default VRF uses VRF password" 2601 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2602 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2603 sleep 1 2604 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2605 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 2606 2607 log_start 2608 show_hint "Should timeout since client in VRF uses default VRF password" 2609 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2610 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2611 sleep 1 2612 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2613 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 2614 2615 log_start 2616 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2617 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2618 sleep 1 2619 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2620 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 2621 2622 log_start 2623 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2624 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2625 sleep 1 2626 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2627 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 2628 2629 log_start 2630 show_hint "Should timeout since client in default VRF uses VRF password" 2631 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2632 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2633 sleep 1 2634 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2635 log_test $? 
2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 2636 2637 log_start 2638 show_hint "Should timeout since client in VRF uses default VRF password" 2639 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2640 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2641 sleep 1 2642 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2643 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 2644 2645 # 2646 # negative tests 2647 # 2648 log_start 2649 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6} 2650 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 2651 2652 log_start 2653 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6} 2654 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 2655 2656} 2657 2658ipv6_tcp_novrf() 2659{ 2660 local a 2661 2662 # 2663 # server tests 2664 # 2665 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2666 do 2667 log_start 2668 run_cmd nettest -6 -s & 2669 sleep 1 2670 run_cmd_nsb nettest -6 -r ${a} 2671 log_test_addr ${a} $? 0 "Global server" 2672 done 2673 2674 # verify TCP reset received 2675 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2676 do 2677 log_start 2678 show_hint "Should fail 'Connection refused'" 2679 run_cmd_nsb nettest -6 -r ${a} 2680 log_test_addr ${a} $? 1 "No server" 2681 done 2682 2683 # 2684 # client 2685 # 2686 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2687 do 2688 log_start 2689 run_cmd_nsb nettest -6 -s & 2690 sleep 1 2691 run_cmd nettest -6 -r ${a} 2692 log_test_addr ${a} $? 0 "Client" 2693 done 2694 2695 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2696 do 2697 log_start 2698 run_cmd_nsb nettest -6 -s & 2699 sleep 1 2700 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2701 log_test_addr ${a} $? 
0 "Client, device bind" 2702 done 2703 2704 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2705 do 2706 log_start 2707 show_hint "Should fail 'Connection refused'" 2708 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2709 log_test_addr ${a} $? 1 "No server, device client" 2710 done 2711 2712 # 2713 # local address tests 2714 # 2715 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 2716 do 2717 log_start 2718 run_cmd nettest -6 -s & 2719 sleep 1 2720 run_cmd nettest -6 -r ${a} 2721 log_test_addr ${a} $? 0 "Global server, local connection" 2722 done 2723 2724 a=${NSA_IP6} 2725 log_start 2726 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2727 sleep 1 2728 run_cmd nettest -6 -r ${a} -0 ${a} 2729 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 2730 2731 for a in ${NSA_LO_IP6} ::1 2732 do 2733 log_start 2734 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2735 run_cmd nettest -6 -s -I ${NSA_DEV} & 2736 sleep 1 2737 run_cmd nettest -6 -r ${a} 2738 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 2739 done 2740 2741 a=${NSA_IP6} 2742 log_start 2743 run_cmd nettest -6 -s & 2744 sleep 1 2745 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2746 log_test_addr ${a} $? 0 "Global server, device client, local connection" 2747 2748 for a in ${NSA_LO_IP6} ::1 2749 do 2750 log_start 2751 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2752 run_cmd nettest -6 -s & 2753 sleep 1 2754 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2755 log_test_addr ${a} $? 1 "Global server, device client, local connection" 2756 done 2757 2758 for a in ${NSA_IP6} ${NSA_LINKIP6} 2759 do 2760 log_start 2761 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2762 sleep 1 2763 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2764 log_test_addr ${a} $? 
0 "Device server, device client, local conn" 2765 done 2766 2767 for a in ${NSA_IP6} ${NSA_LINKIP6} 2768 do 2769 log_start 2770 show_hint "Should fail 'Connection refused'" 2771 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2772 log_test_addr ${a} $? 1 "No server, device client, local conn" 2773 done 2774 2775 ipv6_tcp_md5_novrf 2776} 2777 2778ipv6_tcp_vrf() 2779{ 2780 local a 2781 2782 # disable global server 2783 log_subsection "Global server disabled" 2784 2785 set_sysctl net.ipv4.tcp_l3mdev_accept=0 2786 2787 # 2788 # server tests 2789 # 2790 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2791 do 2792 log_start 2793 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2794 run_cmd nettest -6 -s & 2795 sleep 1 2796 run_cmd_nsb nettest -6 -r ${a} 2797 log_test_addr ${a} $? 1 "Global server" 2798 done 2799 2800 for a in ${NSA_IP6} ${VRF_IP6} 2801 do 2802 log_start 2803 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2804 sleep 1 2805 run_cmd_nsb nettest -6 -r ${a} 2806 log_test_addr ${a} $? 0 "VRF server" 2807 done 2808 2809 # link local is always bound to ingress device 2810 a=${NSA_LINKIP6}%${NSB_DEV} 2811 log_start 2812 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2813 sleep 1 2814 run_cmd_nsb nettest -6 -r ${a} 2815 log_test_addr ${a} $? 0 "VRF server" 2816 2817 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2818 do 2819 log_start 2820 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2821 sleep 1 2822 run_cmd_nsb nettest -6 -r ${a} 2823 log_test_addr ${a} $? 0 "Device server" 2824 done 2825 2826 # verify TCP reset received 2827 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2828 do 2829 log_start 2830 show_hint "Should fail 'Connection refused'" 2831 run_cmd_nsb nettest -6 -r ${a} 2832 log_test_addr ${a} $? 
1 "No server" 2833 done 2834 2835 # local address tests 2836 a=${NSA_IP6} 2837 log_start 2838 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2839 run_cmd nettest -6 -s & 2840 sleep 1 2841 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2842 log_test_addr ${a} $? 1 "Global server, local connection" 2843 2844 # run MD5 tests 2845 setup_vrf_dup 2846 ipv6_tcp_md5 2847 cleanup_vrf_dup 2848 2849 # 2850 # enable VRF global server 2851 # 2852 log_subsection "VRF Global server enabled" 2853 set_sysctl net.ipv4.tcp_l3mdev_accept=1 2854 2855 for a in ${NSA_IP6} ${VRF_IP6} 2856 do 2857 log_start 2858 run_cmd nettest -6 -s -3 ${VRF} & 2859 sleep 1 2860 run_cmd_nsb nettest -6 -r ${a} 2861 log_test_addr ${a} $? 0 "Global server" 2862 done 2863 2864 for a in ${NSA_IP6} ${VRF_IP6} 2865 do 2866 log_start 2867 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2868 sleep 1 2869 run_cmd_nsb nettest -6 -r ${a} 2870 log_test_addr ${a} $? 0 "VRF server" 2871 done 2872 2873 # For LLA, child socket is bound to device 2874 a=${NSA_LINKIP6}%${NSB_DEV} 2875 log_start 2876 run_cmd nettest -6 -s -3 ${NSA_DEV} & 2877 sleep 1 2878 run_cmd_nsb nettest -6 -r ${a} 2879 log_test_addr ${a} $? 0 "Global server" 2880 2881 log_start 2882 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2883 sleep 1 2884 run_cmd_nsb nettest -6 -r ${a} 2885 log_test_addr ${a} $? 0 "VRF server" 2886 2887 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2888 do 2889 log_start 2890 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2891 sleep 1 2892 run_cmd_nsb nettest -6 -r ${a} 2893 log_test_addr ${a} $? 0 "Device server" 2894 done 2895 2896 # verify TCP reset received 2897 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2898 do 2899 log_start 2900 show_hint "Should fail 'Connection refused'" 2901 run_cmd_nsb nettest -6 -r ${a} 2902 log_test_addr ${a} $? 
1 "No server" 2903 done 2904 2905 # local address tests 2906 for a in ${NSA_IP6} ${VRF_IP6} 2907 do 2908 log_start 2909 show_hint "Fails 'Connection refused' since client is not in VRF" 2910 run_cmd nettest -6 -s -I ${VRF} & 2911 sleep 1 2912 run_cmd nettest -6 -r ${a} 2913 log_test_addr ${a} $? 1 "Global server, local connection" 2914 done 2915 2916 2917 # 2918 # client 2919 # 2920 for a in ${NSB_IP6} ${NSB_LO_IP6} 2921 do 2922 log_start 2923 run_cmd_nsb nettest -6 -s & 2924 sleep 1 2925 run_cmd nettest -6 -r ${a} -d ${VRF} 2926 log_test_addr ${a} $? 0 "Client, VRF bind" 2927 done 2928 2929 a=${NSB_LINKIP6} 2930 log_start 2931 show_hint "Fails since VRF device does not allow linklocal addresses" 2932 run_cmd_nsb nettest -6 -s & 2933 sleep 1 2934 run_cmd nettest -6 -r ${a} -d ${VRF} 2935 log_test_addr ${a} $? 1 "Client, VRF bind" 2936 2937 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 2938 do 2939 log_start 2940 run_cmd_nsb nettest -6 -s & 2941 sleep 1 2942 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2943 log_test_addr ${a} $? 0 "Client, device bind" 2944 done 2945 2946 for a in ${NSB_IP6} ${NSB_LO_IP6} 2947 do 2948 log_start 2949 show_hint "Should fail 'Connection refused'" 2950 run_cmd nettest -6 -r ${a} -d ${VRF} 2951 log_test_addr ${a} $? 1 "No server, VRF client" 2952 done 2953 2954 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 2955 do 2956 log_start 2957 show_hint "Should fail 'Connection refused'" 2958 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2959 log_test_addr ${a} $? 1 "No server, device client" 2960 done 2961 2962 for a in ${NSA_IP6} ${VRF_IP6} ::1 2963 do 2964 log_start 2965 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2966 sleep 1 2967 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 2968 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 2969 done 2970 2971 a=${NSA_IP6} 2972 log_start 2973 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2974 sleep 1 2975 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2976 log_test_addr ${a} $? 
0 "VRF server, device client, local connection" 2977 2978 a=${NSA_IP6} 2979 log_start 2980 show_hint "Should fail since unbound client is out of VRF scope" 2981 run_cmd nettest -6 -s -I ${VRF} & 2982 sleep 1 2983 run_cmd nettest -6 -r ${a} 2984 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection" 2985 2986 log_start 2987 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2988 sleep 1 2989 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 2990 log_test_addr ${a} $? 0 "Device server, VRF client, local connection" 2991 2992 for a in ${NSA_IP6} ${NSA_LINKIP6} 2993 do 2994 log_start 2995 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2996 sleep 1 2997 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2998 log_test_addr ${a} $? 0 "Device server, device client, local connection" 2999 done 3000} 3001 3002ipv6_tcp() 3003{ 3004 log_section "IPv6/TCP" 3005 log_subsection "No VRF" 3006 setup 3007 3008 # tcp_l3mdev_accept should have no affect without VRF; 3009 # run tests with it enabled and disabled to verify 3010 log_subsection "tcp_l3mdev_accept disabled" 3011 set_sysctl net.ipv4.tcp_l3mdev_accept=0 3012 ipv6_tcp_novrf 3013 log_subsection "tcp_l3mdev_accept enabled" 3014 set_sysctl net.ipv4.tcp_l3mdev_accept=1 3015 ipv6_tcp_novrf 3016 3017 log_subsection "With VRF" 3018 setup "yes" 3019 ipv6_tcp_vrf 3020} 3021 3022################################################################################ 3023# IPv6 UDP 3024 3025ipv6_udp_novrf() 3026{ 3027 local a 3028 3029 # 3030 # server tests 3031 # 3032 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 3033 do 3034 log_start 3035 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3036 sleep 1 3037 run_cmd_nsb nettest -6 -D -r ${a} 3038 log_test_addr ${a} $? 0 "Global server" 3039 3040 log_start 3041 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3042 sleep 1 3043 run_cmd_nsb nettest -6 -D -r ${a} 3044 log_test_addr ${a} $? 
0 "Device server" 3045 done 3046 3047 a=${NSA_LO_IP6} 3048 log_start 3049 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3050 sleep 1 3051 run_cmd_nsb nettest -6 -D -r ${a} 3052 log_test_addr ${a} $? 0 "Global server" 3053 3054 # should fail since loopback address is out of scope for a device 3055 # bound server, but it does not - hence this is more documenting 3056 # behavior. 3057 #log_start 3058 #show_hint "Should fail since loopback address is out of scope" 3059 #run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3060 #sleep 1 3061 #run_cmd_nsb nettest -6 -D -r ${a} 3062 #log_test_addr ${a} $? 1 "Device server" 3063 3064 # negative test - should fail 3065 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 3066 do 3067 log_start 3068 show_hint "Should fail 'Connection refused' since there is no server" 3069 run_cmd_nsb nettest -6 -D -r ${a} 3070 log_test_addr ${a} $? 1 "No server" 3071 done 3072 3073 # 3074 # client 3075 # 3076 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 3077 do 3078 log_start 3079 run_cmd_nsb nettest -6 -D -s & 3080 sleep 1 3081 run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6} 3082 log_test_addr ${a} $? 0 "Client" 3083 3084 log_start 3085 run_cmd_nsb nettest -6 -D -s & 3086 sleep 1 3087 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6} 3088 log_test_addr ${a} $? 0 "Client, device bind" 3089 3090 log_start 3091 run_cmd_nsb nettest -6 -D -s & 3092 sleep 1 3093 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6} 3094 log_test_addr ${a} $? 0 "Client, device send via cmsg" 3095 3096 log_start 3097 run_cmd_nsb nettest -6 -D -s & 3098 sleep 1 3099 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6} 3100 log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF" 3101 3102 log_start 3103 show_hint "Should fail 'Connection refused'" 3104 run_cmd nettest -6 -D -r ${a} 3105 log_test_addr ${a} $? 
1 "No server, unbound client" 3106 3107 log_start 3108 show_hint "Should fail 'Connection refused'" 3109 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3110 log_test_addr ${a} $? 1 "No server, device client" 3111 done 3112 3113 # 3114 # local address tests 3115 # 3116 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 3117 do 3118 log_start 3119 run_cmd nettest -6 -D -s & 3120 sleep 1 3121 run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a} 3122 log_test_addr ${a} $? 0 "Global server, local connection" 3123 done 3124 3125 a=${NSA_IP6} 3126 log_start 3127 run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 3128 sleep 1 3129 run_cmd nettest -6 -D -r ${a} 3130 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 3131 3132 for a in ${NSA_LO_IP6} ::1 3133 do 3134 log_start 3135 show_hint "Should fail 'Connection refused' since address is out of device scope" 3136 run_cmd nettest -6 -s -D -I ${NSA_DEV} & 3137 sleep 1 3138 run_cmd nettest -6 -D -r ${a} 3139 log_test_addr ${a} $? 1 "Device server, local connection" 3140 done 3141 3142 a=${NSA_IP6} 3143 log_start 3144 run_cmd nettest -6 -s -D & 3145 sleep 1 3146 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3147 log_test_addr ${a} $? 0 "Global server, device client, local connection" 3148 3149 log_start 3150 run_cmd nettest -6 -s -D & 3151 sleep 1 3152 run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a} 3153 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 3154 3155 log_start 3156 run_cmd nettest -6 -s -D & 3157 sleep 1 3158 run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a} 3159 log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection" 3160 3161 for a in ${NSA_LO_IP6} ::1 3162 do 3163 log_start 3164 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3165 run_cmd nettest -6 -D -s & 3166 sleep 1 3167 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3168 log_test_addr ${a} $? 
1 "Global server, device client, local connection" 3169 3170 log_start 3171 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3172 run_cmd nettest -6 -D -s & 3173 sleep 1 3174 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C 3175 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 3176 3177 log_start 3178 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3179 run_cmd nettest -6 -D -s & 3180 sleep 1 3181 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S 3182 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 3183 3184 log_start 3185 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3186 run_cmd nettest -6 -D -s & 3187 sleep 1 3188 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -U 3189 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()" 3190 done 3191 3192 a=${NSA_IP6} 3193 log_start 3194 run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3195 sleep 1 3196 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a} 3197 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3198 3199 log_start 3200 show_hint "Should fail 'Connection refused'" 3201 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3202 log_test_addr ${a} $? 1 "No server, device client, local conn" 3203 3204 # LLA to GUA 3205 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3206 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3207 log_start 3208 run_cmd nettest -6 -s -D & 3209 sleep 1 3210 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3211 log_test $? 
0 "UDP in - LLA to GUA" 3212 3213 run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV} 3214 run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad 3215} 3216 3217ipv6_udp_vrf() 3218{ 3219 local a 3220 3221 # disable global server 3222 log_subsection "Global server disabled" 3223 set_sysctl net.ipv4.udp_l3mdev_accept=0 3224 3225 # 3226 # server tests 3227 # 3228 for a in ${NSA_IP6} ${VRF_IP6} 3229 do 3230 log_start 3231 show_hint "Should fail 'Connection refused' since global server is disabled" 3232 run_cmd nettest -6 -D -s & 3233 sleep 1 3234 run_cmd_nsb nettest -6 -D -r ${a} 3235 log_test_addr ${a} $? 1 "Global server" 3236 done 3237 3238 for a in ${NSA_IP6} ${VRF_IP6} 3239 do 3240 log_start 3241 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3242 sleep 1 3243 run_cmd_nsb nettest -6 -D -r ${a} 3244 log_test_addr ${a} $? 0 "VRF server" 3245 done 3246 3247 for a in ${NSA_IP6} ${VRF_IP6} 3248 do 3249 log_start 3250 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3251 sleep 1 3252 run_cmd_nsb nettest -6 -D -r ${a} 3253 log_test_addr ${a} $? 0 "Enslaved device server" 3254 done 3255 3256 # negative test - should fail 3257 for a in ${NSA_IP6} ${VRF_IP6} 3258 do 3259 log_start 3260 show_hint "Should fail 'Connection refused' since there is no server" 3261 run_cmd_nsb nettest -6 -D -r ${a} 3262 log_test_addr ${a} $? 1 "No server" 3263 done 3264 3265 # 3266 # local address tests 3267 # 3268 for a in ${NSA_IP6} ${VRF_IP6} 3269 do 3270 log_start 3271 show_hint "Should fail 'Connection refused' since global server is disabled" 3272 run_cmd nettest -6 -D -s & 3273 sleep 1 3274 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3275 log_test_addr ${a} $? 1 "Global server, VRF client, local conn" 3276 done 3277 3278 for a in ${NSA_IP6} ${VRF_IP6} 3279 do 3280 log_start 3281 run_cmd nettest -6 -D -I ${VRF} -s & 3282 sleep 1 3283 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3284 log_test_addr ${a} $? 
0 "VRF server, VRF client, local conn" 3285 done 3286 3287 a=${NSA_IP6} 3288 log_start 3289 show_hint "Should fail 'Connection refused' since global server is disabled" 3290 run_cmd nettest -6 -D -s & 3291 sleep 1 3292 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3293 log_test_addr ${a} $? 1 "Global server, device client, local conn" 3294 3295 log_start 3296 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3297 sleep 1 3298 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3299 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 3300 3301 log_start 3302 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3303 sleep 1 3304 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3305 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 3306 3307 log_start 3308 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3309 sleep 1 3310 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3311 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 3312 3313 # disable global server 3314 log_subsection "Global server enabled" 3315 set_sysctl net.ipv4.udp_l3mdev_accept=1 3316 3317 # 3318 # server tests 3319 # 3320 for a in ${NSA_IP6} ${VRF_IP6} 3321 do 3322 log_start 3323 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3324 sleep 1 3325 run_cmd_nsb nettest -6 -D -r ${a} 3326 log_test_addr ${a} $? 0 "Global server" 3327 done 3328 3329 for a in ${NSA_IP6} ${VRF_IP6} 3330 do 3331 log_start 3332 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3333 sleep 1 3334 run_cmd_nsb nettest -6 -D -r ${a} 3335 log_test_addr ${a} $? 0 "VRF server" 3336 done 3337 3338 for a in ${NSA_IP6} ${VRF_IP6} 3339 do 3340 log_start 3341 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3342 sleep 1 3343 run_cmd_nsb nettest -6 -D -r ${a} 3344 log_test_addr ${a} $? 0 "Enslaved device server" 3345 done 3346 3347 # negative test - should fail 3348 for a in ${NSA_IP6} ${VRF_IP6} 3349 do 3350 log_start 3351 run_cmd_nsb nettest -6 -D -r ${a} 3352 log_test_addr ${a} $? 
1 "No server" 3353 done 3354 3355 # 3356 # client tests 3357 # 3358 log_start 3359 run_cmd_nsb nettest -6 -D -s & 3360 sleep 1 3361 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3362 log_test $? 0 "VRF client" 3363 3364 # negative test - should fail 3365 log_start 3366 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3367 log_test $? 1 "No server, VRF client" 3368 3369 log_start 3370 run_cmd_nsb nettest -6 -D -s & 3371 sleep 1 3372 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3373 log_test $? 0 "Enslaved device client" 3374 3375 # negative test - should fail 3376 log_start 3377 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3378 log_test $? 1 "No server, enslaved device client" 3379 3380 # 3381 # local address tests 3382 # 3383 a=${NSA_IP6} 3384 log_start 3385 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3386 sleep 1 3387 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3388 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 3389 3390 #log_start 3391 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3392 sleep 1 3393 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3394 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3395 3396 3397 a=${VRF_IP6} 3398 log_start 3399 run_cmd nettest -6 -D -s -3 ${VRF} & 3400 sleep 1 3401 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3402 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 3403 3404 log_start 3405 run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} & 3406 sleep 1 3407 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3408 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3409 3410 # negative test - should fail 3411 for a in ${NSA_IP6} ${VRF_IP6} 3412 do 3413 log_start 3414 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3415 log_test_addr ${a} $? 1 "No server, VRF client, local conn" 3416 done 3417 3418 # device to global IP 3419 a=${NSA_IP6} 3420 log_start 3421 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3422 sleep 1 3423 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3424 log_test_addr ${a} $? 
0 "Global server, device client, local conn" 3425 3426 log_start 3427 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3428 sleep 1 3429 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3430 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 3431 3432 log_start 3433 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3434 sleep 1 3435 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3436 log_test_addr ${a} $? 0 "Device server, VRF client, local conn" 3437 3438 log_start 3439 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3440 sleep 1 3441 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3442 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3443 3444 log_start 3445 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3446 log_test_addr ${a} $? 1 "No server, device client, local conn" 3447 3448 3449 # link local addresses 3450 log_start 3451 run_cmd nettest -6 -D -s & 3452 sleep 1 3453 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3454 log_test $? 0 "Global server, linklocal IP" 3455 3456 log_start 3457 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3458 log_test $? 1 "No server, linklocal IP" 3459 3460 3461 log_start 3462 run_cmd_nsb nettest -6 -D -s & 3463 sleep 1 3464 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3465 log_test $? 0 "Enslaved device client, linklocal IP" 3466 3467 log_start 3468 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3469 log_test $? 1 "No server, device client, peer linklocal IP" 3470 3471 3472 log_start 3473 run_cmd nettest -6 -D -s & 3474 sleep 1 3475 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3476 log_test $? 0 "Enslaved device client, local conn - linklocal IP" 3477 3478 log_start 3479 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3480 log_test $? 
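1 "No server, device client, local conn - linklocal IP"

	# LLA to GUA
	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -D &
	sleep 1
	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
	log_test $? 0 "UDP in - LLA to GUA"

	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}

# Entry point for the IPv6/UDP test set: runs the no-VRF tests with
# udp_l3mdev_accept disabled and then enabled, followed by the VRF tests.
ipv6_udp()
{
	# should not matter, but set to known state
	set_sysctl net.ipv4.udp_early_demux=1

	log_section "IPv6/UDP"
	log_subsection "No VRF"
	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv6_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv6_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_udp_vrf
}

################################################################################
# IPv6 address bind

# Bind-only tests (nettest -b) for raw and TCP sockets without a VRF.
# Every case here expects the bind to succeed (expected rc 0).
ipv6_addr_bind_novrf()
{
	# keep the loop/address variable out of the global scope, as the
	# runtime and netfilter helpers in this file already do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# raw socket with nonlocal bind
	#
	# NOTE(review): the other IPv6 raw socket cases pass '-P ipv6-icmp';
	# confirm that '-P icmp' is intended here. '-f' is presumably the
	# freebind option (NL_IP6 is declared for freebind tests) - confirm.
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

	#
	# tcp sockets
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. So this test passes
	# when it really should not. The expected rc of 0 records current
	# kernel behaviour; a device bind by itself therefore does not
	# limit which local addresses the socket can then bind to.
	a=${NSA_LO_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
}

# Bind-only tests (nettest -b) for raw and TCP sockets with ${NSA_DEV}
# enslaved to the VRF. Addresses on the enslaved device and on the VRF
# device are expected to bind (rc 0); the loopback address is expected to
# be rejected (rc 1) for both the VRF bind and the device bind.
ipv6_addr_bind_vrf()
{
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"

	#
	# raw socket with nonlocal bind
	#
	# NOTE(review): '-P icmp' here vs '-P ipv6-icmp' above - confirm.
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	#
	# tcp sockets
	#
	# address on enslaved device is valid for the VRF or device in a VRF
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not
	a=${VRF_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"

}

# Entry point for the IPv6 address bind test set (no-VRF, then VRF).
ipv6_addr_bind()
{
	log_section "IPv6 address binds"

	log_subsection "No VRF"
	setup
	ipv6_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_addr_bind_vrf
}

################################################################################
# IPv6 runtime tests

# Delete the VRF device while nettest sockets are active on it.
# Arguments:
#   $1 - description used as the prefix of each test name
#   $2 - extra nettest options for the socket type under test
# Every result is logged with rc 0 and expected 0, so the reported status
# does not depend on the nettest exit codes; presumably the point is that
# the delete completes with the sockets open - confirm.
ipv6_rt()
{
	local desc="$1"
	# left unquoted at the call sites on purpose so that the option
	# string is split into separate words
	local varg="-6 $2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		# the VRF was just deleted; rebuild the topology for the next case
		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${NSA_DEV} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, enslaved device server"

		setup ${with_vrf}
	done

	#
	# client test
	#
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, enslaved device client"

	setup ${with_vrf}


	#
	# local address tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server, VRF client"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server and client"

		setup ${with_vrf}
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, global server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${VRF} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, device server, device client"
}

# Delete the VRF device while a flood ping is running, inbound from ns-B
# and then outbound through the VRF. Results are logged as rc 0 / expected 0.
ipv6_ping_rt()
{
	local with_vrf="yes"
	local a

	a=${NSA_IP6}
	log_start
	run_cmd_nsb ${ping6} -f ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

	setup ${with_vrf}

	# NOTE(review): this case pings ${NSB_IP6} but the result is logged
	# against ${a} (still ${NSA_IP6}); confirm which address is intended.
	log_start
	run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
	sleep 1
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

# Entry point for the IPv6 runtime test set. The topology is rebuilt
# before each group because the previous group ends with the VRF deleted.
ipv6_runtime()
{
	log_section "Run time tests - ipv6"

	setup "yes"
	ipv6_ping_rt

	setup "yes"
	ipv6_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv6_rt "TCP passive socket" "-i"

	setup "yes"
	ipv6_rt "UDP active socket" "-D -n -1"
}

################################################################################
# netfilter blocking connections

# IPv4 TCP client from ns-B to a global server; expected to fail (rc 1)
# because the caller installed a REJECT rule with tcp-reset.
netfilter_tcp_reset()
{
	local a

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

# IPv4 client from ns-B to a global server; expected to fail (rc 1)
# because the caller installed REJECT rules with icmp-port-unreachable.
# Arguments:
#   $1 - "TCP" or "UDP"; "UDP" adds -D to both nettest commands
netfilter_icmp()
{
	local stype="$1"
	local arg
	local a

	[ "${stype}" = "UDP" ] && arg="-D"

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${arg} -s &
		sleep 1
		run_cmd_nsb nettest ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}

# Entry point for the IPv4 netfilter test set. The REJECT rules match
# destination port 12345 (presumably nettest's default port - confirm).
ipv4_netfilter()
{
	log_section "IPv4 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp_reset

	log_start
	log_subsection "ICMP unreachable"

	log_start
	run_cmd iptables -F
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
	run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable

	netfilter_icmp "TCP"
	netfilter_icmp "UDP"

	log_start
	# Flush through run_cmd, like every other iptables call in this
	# function, so the rules added above are the ones removed. A bare
	# 'iptables -F' acts on whatever namespace the script was started in
	# and would drop that environment's filter rules instead.
	run_cmd iptables -F
}

# IPv6 TCP client from ns-B to a global server; expected to fail (rc 1)
# because the caller installed a REJECT rule with tcp-reset.
netfilter_tcp6_reset()
{
	local a

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

# IPv6 client from ns-B to a global server; expected to fail (rc 1)
# because the caller installed REJECT rules with icmp6-port-unreachable.
# Arguments:
#   $1 - "TCP" or "UDP"; "UDP" adds -D to both nettest commands
netfilter_icmp6()
{
	local stype="$1"
	local arg
	local a

	[ "${stype}" = "UDP" ] && arg="$arg -D"

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s ${arg} &
		sleep 1
		run_cmd_nsb nettest -6 ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}

# Entry point for the IPv6 netfilter test set; mirrors ipv4_netfilter
# using ip6tables.
ipv6_netfilter()
{
	log_section "IPv6 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp6_reset

	log_subsection "ICMP unreachable"

	log_start
	run_cmd ip6tables -F
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
	run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable

	netfilter_icmp6 "TCP"
	netfilter_icmp6 "UDP"

	log_start
	# Flush through run_cmd for the same reason as in ipv4_netfilter: a
	# bare 'ip6tables -F' would flush the rules of the namespace the
	# script was started in rather than the ones added above.
	run_cmd ip6tables -F
}

################################################################################
# specific use cases

# VRF only.
# ns-A device enslaved to bridge. Verify traffic with and without
# br_netfilter module loaded. Repeat with SVI on bridge.
#
# Note: rmmod/modprobe of br_netfilter are run directly, not through the
# namespace wrappers, and the module is left loaded when modprobe succeeds.
use_case_br()
{
	setup "yes"

	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
	setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64

	setup_cmd ip link add br0 type bridge
	setup_cmd ip addr add dev br0 ${NSA_IP}/24
	setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad

	setup_cmd ip li set ${NSA_DEV} master br0
	setup_cmd ip li set ${NSA_DEV} up
	setup_cmd ip li set br0 up
	setup_cmd ip li set br0 vrf ${VRF}

	# best effort: the module may not be loaded, so errors are discarded
	rmmod br_netfilter 2>/dev/null
	sleep 5 # DAD

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 ${NSA_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping in"

	# repeat with br_netfilter loaded; skipped when the module is unavailable
	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out"

		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 ${NSA_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in"
	fi

	setup_cmd ip li set br0 nomaster
	setup_cmd ip li add br0.100 link br0 type vlan id 100
	setup_cmd ip li set br0.100 vrf ${VRF} up
	setup_cmd ip addr add dev br0.100 172.16.101.1/24
	setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad

	setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
	setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
	setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
	setup_cmd_nsb ip li set vlan100 up
	sleep 1

	rmmod br_netfilter 2>/dev/null

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 172.16.101.1
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"

	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out"

		# the two "ping in" names carry "with br_netfilter" so they do
		# not repeat the names used before the module was loaded
		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 172.16.101.1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping in"
	fi

	setup_cmd ip li del br0 2>/dev/null
	setup_cmd_nsb ip li del vlan100 2>/dev/null
}

# VRF only.
# ns-A device is connected to both ns-B and ns-C on a single VRF but only has
# LLA on the interfaces
use_case_ping_lla_multi()
{
	setup_lla_only
	# only want reply from ns-A
	setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
	setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B"

	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C"

	# cycle/flap the first ns-A interface
	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip link set ${NSA_DEV} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C"

	# cycle/flap the second ns-A interface
	setup_cmd ip link set ${NSA_DEV2} down
	setup_cmd ip link set ${NSA_DEV2} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C"
}

# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully
# established with ns-B.
use_case_snat_on_vrf()
{
	setup "yes"

	local port="12345"

	run_cmd iptables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}

	run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} &
	sleep 1
	run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port}
	log_test $? 0 "IPv4 TCP connection over VRF with SNAT"

	run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} &
	sleep 1
	run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port}
	log_test $? 0 "IPv6 TCP connection over VRF with SNAT"

	# Cleanup: delete exactly the two rules added above (-D with the same
	# match) instead of flushing the whole nat table
	run_cmd iptables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
}

# Entry point for the use-case test set.
use_cases()
{
	log_section "Use cases"
	log_subsection "Device enslaved to bridge"
	use_case_br
	log_subsection "Ping LLA with multiple interfaces"
	use_case_ping_lla_multi
	log_subsection "SNAT on VRF"
	use_case_snat_on_vrf
}

################################################################################
# usage

# Print the option summary and the list of test names to stdout.
usage()
{
	cat <<EOF
usage: ${0##*/} OPTS

	-4          IPv4 tests only
	-6          IPv6 tests only
	-t <test>   Test name/set to run
	-p          Pause on fail
	-P          Pause after each test
	-v          Be verbose

Tests:
	$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER
EOF
}

################################################################################
# main

TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter"
TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter"
TESTS_OTHER="use_cases"

PAUSE_ON_FAIL=no
PAUSE=no

while getopts :46t:pPvh o
do
	case $o in
		4) TESTS=ipv4;;
		6) TESTS=ipv6;;
		t) TESTS=$OPTARG;;
		p) PAUSE_ON_FAIL=yes;;
		P) PAUSE=yes;;
		v) VERBOSE=1;;
		h) usage; exit 0;;
		*) usage; exit 1;;
	esac
done

# make sure we don't pause twice
[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no

#
# show user test config
#
if [ -z "$TESTS" ]; then
	TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
elif [ "$TESTS" = "ipv4" ]; then
	TESTS="$TESTS_IPV4"
elif [ "$TESTS" = "ipv6" ]; then
	TESTS="$TESTS_IPV6"
fi

# command -v is the shell builtin way to probe for a command
if ! command -v nettest >/dev/null; then
	echo "'nettest' command not found; skipping tests"
	exit $ksft_skip
fi

declare -i nfail=0
declare -i nsuccess=0

# $TESTS is deliberately unquoted: it is a space separated list of names
for t in $TESTS
do
	case $t in
	ipv4_ping|ping)  ipv4_ping;;
	ipv4_tcp|tcp)    ipv4_tcp;;
	ipv4_udp|udp)    ipv4_udp;;
	ipv4_bind|bind)  ipv4_addr_bind;;
	ipv4_runtime)    ipv4_runtime;;
	ipv4_netfilter)  ipv4_netfilter;;

	ipv6_ping|ping6) ipv6_ping;;
	ipv6_tcp|tcp6)   ipv6_tcp;;
	ipv6_udp|udp6)   ipv6_udp;;
	ipv6_bind|bind6) ipv6_addr_bind;;
	ipv6_runtime)    ipv6_runtime;;
	ipv6_netfilter)  ipv6_netfilter;;

	use_cases)       use_cases;;

	# setup namespaces and config, but do not run any tests
	setup)		 setup; exit 0;;
	vrf_setup)	 setup "yes"; exit 0;;

	# an unrecognised name runs nothing; say so instead of letting it
	# pass silently (the exit status below is unchanged)
	*)		 echo "Unknown test '$t' - ignored" >&2;;
	esac
done

cleanup 2>/dev/null

printf "\nTests passed: %3d\n" ${nsuccess}
printf "Tests failed: %3d\n" ${nfail}

if [ $nfail -ne 0 ]; then
	exit 1 # KSFT_FAIL
elif [ $nsuccess -eq 0 ]; then
	exit $ksft_skip
fi

exit 0 # KSFT_PASS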