1#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0
3#
4# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
5#
6# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
7# for various permutations:
8#   1. icmp, tcp, udp and netfilter
9#   2. client, server, no-server
10#   3. global address on interface
11#   4. global address on 'lo'
12#   5. remote and local traffic
13#   6. VRF and non-VRF permutations
14#
15# Setup:
16#                     ns-A     |     ns-B
17# No VRF case:
18#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
19#                                                remote address
20# VRF case:
21#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
22#
23# ns-A:
24#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
25#       lo: 127.0.0.1/8, ::1/128
26#           172.16.2.1/32, 2001:db8:2::1/128
27#      red: 127.0.0.1/8, ::1/128
28#           172.16.3.1/32, 2001:db8:3::1/128
29#
30# ns-B:
31#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
32#      lo2: 127.0.0.1/8, ::1/128
33#           172.16.2.2/32, 2001:db8:2::2/128
34#
35# ns-A to ns-C connection - only for VRF and same config
36# as ns-A to ns-B
37#
38# server / client nomenclature relative to ns-A
39
40# Kselftest framework requirement - SKIP code is 4.
41ksft_skip=4
42
43VERBOSE=0
44
45NSA_DEV=eth1
46NSA_DEV2=eth2
47NSB_DEV=eth1
48NSC_DEV=eth2
49VRF=red
50VRF_TABLE=1101
51
52# IPv4 config
53NSA_IP=172.16.1.1
54NSB_IP=172.16.1.2
55VRF_IP=172.16.3.1
56NS_NET=172.16.1.0/24
57
58# IPv6 config
59NSA_IP6=2001:db8:1::1
60NSB_IP6=2001:db8:1::2
61VRF_IP6=2001:db8:3::1
62NS_NET6=2001:db8:1::/120
63
64NSA_LO_IP=172.16.2.1
65NSB_LO_IP=172.16.2.2
66NSA_LO_IP6=2001:db8:2::1
67NSB_LO_IP6=2001:db8:2::2
68
69# non-local addresses for freebind tests
70NL_IP=172.17.1.1
71NL_IP6=2001:db8:4::1
72
73# multicast and broadcast addresses
74MCAST_IP=224.0.0.1
75BCAST_IP=255.255.255.255
76
77MD5_PW=abc123
78MD5_WRONG_PW=abc1234
79
80MCAST=ff02::1
81# set after namespace create
82NSA_LINKIP6=
83NSB_LINKIP6=
84
85NSA=ns-A
86NSB=ns-B
87NSC=ns-C
88
89NSA_CMD="ip netns exec ${NSA}"
90NSB_CMD="ip netns exec ${NSB}"
91NSC_CMD="ip netns exec ${NSC}"
92
93which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)
94
95################################################################################
96# utilities
97
98log_test()
99{
100	local rc=$1
101	local expected=$2
102	local msg="$3"
103
104	[ "${VERBOSE}" = "1" ] && echo
105
106	if [ ${rc} -eq ${expected} ]; then
107		nsuccess=$((nsuccess+1))
108		printf "TEST: %-70s  [ OK ]\n" "${msg}"
109	else
110		nfail=$((nfail+1))
111		printf "TEST: %-70s  [FAIL]\n" "${msg}"
112		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
113			echo
114			echo "hit enter to continue, 'q' to quit"
115			read a
116			[ "$a" = "q" ] && exit 1
117		fi
118	fi
119
120	if [ "${PAUSE}" = "yes" ]; then
121		echo
122		echo "hit enter to continue, 'q' to quit"
123		read a
124		[ "$a" = "q" ] && exit 1
125	fi
126
127	kill_procs
128}
129
130log_test_addr()
131{
132	local addr=$1
133	local rc=$2
134	local expected=$3
135	local msg="$4"
136	local astr
137
138	astr=$(addr2str ${addr})
139	log_test $rc $expected "$msg - ${astr}"
140}
141
142log_section()
143{
144	echo
145	echo "###########################################################################"
146	echo "$*"
147	echo "###########################################################################"
148	echo
149}
150
151log_subsection()
152{
153	echo
154	echo "#################################################################"
155	echo "$*"
156	echo
157}
158
159log_start()
160{
161	# make sure we have no test instances running
162	kill_procs
163
164	if [ "${VERBOSE}" = "1" ]; then
165		echo
166		echo "#######################################################"
167	fi
168}
169
170log_debug()
171{
172	if [ "${VERBOSE}" = "1" ]; then
173		echo
174		echo "$*"
175		echo
176	fi
177}
178
179show_hint()
180{
181	if [ "${VERBOSE}" = "1" ]; then
182		echo "HINT: $*"
183		echo
184	fi
185}
186
187kill_procs()
188{
189	killall nettest ping ping6 >/dev/null 2>&1
190	sleep 1
191}
192
193do_run_cmd()
194{
195	local cmd="$*"
196	local out
197
198	if [ "$VERBOSE" = "1" ]; then
199		echo "COMMAND: ${cmd}"
200	fi
201
202	out=$($cmd 2>&1)
203	rc=$?
204	if [ "$VERBOSE" = "1" -a -n "$out" ]; then
205		echo "$out"
206	fi
207
208	return $rc
209}
210
211run_cmd()
212{
213	do_run_cmd ${NSA_CMD} $*
214}
215
216run_cmd_nsb()
217{
218	do_run_cmd ${NSB_CMD} $*
219}
220
221run_cmd_nsc()
222{
223	do_run_cmd ${NSC_CMD} $*
224}
225
226setup_cmd()
227{
228	local cmd="$*"
229	local rc
230
231	run_cmd ${cmd}
232	rc=$?
233	if [ $rc -ne 0 ]; then
234		# show user the command if not done so already
235		if [ "$VERBOSE" = "0" ]; then
236			echo "setup command: $cmd"
237		fi
238		echo "failed. stopping tests"
239		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
240			echo
241			echo "hit enter to continue"
242			read a
243		fi
244		exit $rc
245	fi
246}
247
248setup_cmd_nsb()
249{
250	local cmd="$*"
251	local rc
252
253	run_cmd_nsb ${cmd}
254	rc=$?
255	if [ $rc -ne 0 ]; then
256		# show user the command if not done so already
257		if [ "$VERBOSE" = "0" ]; then
258			echo "setup command: $cmd"
259		fi
260		echo "failed. stopping tests"
261		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
262			echo
263			echo "hit enter to continue"
264			read a
265		fi
266		exit $rc
267	fi
268}
269
270setup_cmd_nsc()
271{
272	local cmd="$*"
273	local rc
274
275	run_cmd_nsc ${cmd}
276	rc=$?
277	if [ $rc -ne 0 ]; then
278		# show user the command if not done so already
279		if [ "$VERBOSE" = "0" ]; then
280			echo "setup command: $cmd"
281		fi
282		echo "failed. stopping tests"
283		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
284			echo
285			echo "hit enter to continue"
286			read a
287		fi
288		exit $rc
289	fi
290}
291
292# set sysctl values in NS-A
293set_sysctl()
294{
295	echo "SYSCTL: $*"
296	echo
297	run_cmd sysctl -q -w $*
298}
299
300# get sysctl values in NS-A
301get_sysctl()
302{
303	${NSA_CMD} sysctl -n $*
304}
305
306################################################################################
307# Setup for tests
308
309addr2str()
310{
311	case "$1" in
312	127.0.0.1) echo "loopback";;
313	::1) echo "IPv6 loopback";;
314
315	${BCAST_IP}) echo "broadcast";;
316	${MCAST_IP}) echo "multicast";;
317
318	${NSA_IP})	echo "ns-A IP";;
319	${NSA_IP6})	echo "ns-A IPv6";;
320	${NSA_LO_IP})	echo "ns-A loopback IP";;
321	${NSA_LO_IP6})	echo "ns-A loopback IPv6";;
322	${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;
323
324	${NSB_IP})	echo "ns-B IP";;
325	${NSB_IP6})	echo "ns-B IPv6";;
326	${NSB_LO_IP})	echo "ns-B loopback IP";;
327	${NSB_LO_IP6})	echo "ns-B loopback IPv6";;
328	${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;
329
330	${NL_IP})       echo "nonlocal IP";;
331	${NL_IP6})      echo "nonlocal IPv6";;
332
333	${VRF_IP})	echo "VRF IP";;
334	${VRF_IP6})	echo "VRF IPv6";;
335
336	${MCAST}%*)	echo "multicast IP";;
337
338	*) echo "unknown";;
339	esac
340}
341
342get_linklocal()
343{
344	local ns=$1
345	local dev=$2
346	local addr
347
348	addr=$(ip -netns ${ns} -6 -br addr show dev ${dev} | \
349	awk '{
350		for (i = 3; i <= NF; ++i) {
351			if ($i ~ /^fe80/)
352				print $i
353		}
354	}'
355	)
356	addr=${addr/\/*}
357
358	[ -z "$addr" ] && return 1
359
360	echo $addr
361
362	return 0
363}
364
365################################################################################
366# create namespaces and vrf
367
368create_vrf()
369{
370	local ns=$1
371	local vrf=$2
372	local table=$3
373	local addr=$4
374	local addr6=$5
375
376	ip -netns ${ns} link add ${vrf} type vrf table ${table}
377	ip -netns ${ns} link set ${vrf} up
378	ip -netns ${ns} route add vrf ${vrf} unreachable default metric 8192
379	ip -netns ${ns} -6 route add vrf ${vrf} unreachable default metric 8192
380
381	ip -netns ${ns} addr add 127.0.0.1/8 dev ${vrf}
382	ip -netns ${ns} -6 addr add ::1 dev ${vrf} nodad
383	if [ "${addr}" != "-" ]; then
384		ip -netns ${ns} addr add dev ${vrf} ${addr}
385	fi
386	if [ "${addr6}" != "-" ]; then
387		ip -netns ${ns} -6 addr add dev ${vrf} ${addr6}
388	fi
389
390	ip -netns ${ns} ru del pref 0
391	ip -netns ${ns} ru add pref 32765 from all lookup local
392	ip -netns ${ns} -6 ru del pref 0
393	ip -netns ${ns} -6 ru add pref 32765 from all lookup local
394}
395
396create_ns()
397{
398	local ns=$1
399	local addr=$2
400	local addr6=$3
401
402	ip netns add ${ns}
403
404	ip -netns ${ns} link set lo up
405	if [ "${addr}" != "-" ]; then
406		ip -netns ${ns} addr add dev lo ${addr}
407	fi
408	if [ "${addr6}" != "-" ]; then
409		ip -netns ${ns} -6 addr add dev lo ${addr6}
410	fi
411
412	ip -netns ${ns} ro add unreachable default metric 8192
413	ip -netns ${ns} -6 ro add unreachable default metric 8192
414
415	ip netns exec ${ns} sysctl -qw net.ipv4.ip_forward=1
416	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
417	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.forwarding=1
418	ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.forwarding=1
419}
420
421# create veth pair to connect namespaces and apply addresses.
422connect_ns()
423{
424	local ns1=$1
425	local ns1_dev=$2
426	local ns1_addr=$3
427	local ns1_addr6=$4
428	local ns2=$5
429	local ns2_dev=$6
430	local ns2_addr=$7
431	local ns2_addr6=$8
432
433	ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp
434	ip -netns ${ns1} li set ${ns1_dev} up
435	ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev}
436	ip -netns ${ns2} li set ${ns2_dev} up
437
438	if [ "${ns1_addr}" != "-" ]; then
439		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr}
440		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr}
441	fi
442
443	if [ "${ns1_addr6}" != "-" ]; then
444		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6}
445		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6}
446	fi
447}
448
449cleanup()
450{
451	# explicit cleanups to check those code paths
452	ip netns | grep -q ${NSA}
453	if [ $? -eq 0 ]; then
454		ip -netns ${NSA} link delete ${VRF}
455		ip -netns ${NSA} ro flush table ${VRF_TABLE}
456
457		ip -netns ${NSA} addr flush dev ${NSA_DEV}
458		ip -netns ${NSA} -6 addr flush dev ${NSA_DEV}
459		ip -netns ${NSA} link set dev ${NSA_DEV} down
460		ip -netns ${NSA} link del dev ${NSA_DEV}
461
462		ip netns pids ${NSA} | xargs kill 2>/dev/null
463		ip netns del ${NSA}
464	fi
465
466	ip netns pids ${NSB} | xargs kill 2>/dev/null
467	ip netns del ${NSB}
468	ip netns pids ${NSC} | xargs kill 2>/dev/null
469	ip netns del ${NSC} >/dev/null 2>&1
470}
471
472cleanup_vrf_dup()
473{
474	ip link del ${NSA_DEV2} >/dev/null 2>&1
475	ip netns pids ${NSC} | xargs kill 2>/dev/null
476	ip netns del ${NSC} >/dev/null 2>&1
477}
478
479setup_vrf_dup()
480{
481	# some VRF tests use ns-C which has the same config as
482	# ns-B but for a device NOT in the VRF
483	create_ns ${NSC} "-" "-"
484	connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \
485		   ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
486}
487
488setup()
489{
490	local with_vrf=${1}
491
492	# make sure we are starting with a clean slate
493	kill_procs
494	cleanup 2>/dev/null
495
496	log_debug "Configuring network namespaces"
497	set -e
498
499	create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128
500	create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128
501	connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \
502		   ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
503
504	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
505	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
506
507	# tell ns-A how to get to remote addresses of ns-B
508	if [ "${with_vrf}" = "yes" ]; then
509		create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6}
510
511		ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
512		ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
513		ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
514
515		ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
516		ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
517	else
518		ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
519		ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
520	fi
521
522
523	# tell ns-B how to get to remote addresses of ns-A
524	ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
525	ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
526
527	set +e
528
529	sleep 1
530}
531
532setup_lla_only()
533{
534	# make sure we are starting with a clean slate
535	kill_procs
536	cleanup 2>/dev/null
537
538	log_debug "Configuring network namespaces"
539	set -e
540
541	create_ns ${NSA} "-" "-"
542	create_ns ${NSB} "-" "-"
543	create_ns ${NSC} "-" "-"
544	connect_ns ${NSA} ${NSA_DEV} "-" "-" \
545		   ${NSB} ${NSB_DEV} "-" "-"
546	connect_ns ${NSA} ${NSA_DEV2} "-" "-" \
547		   ${NSC} ${NSC_DEV}  "-" "-"
548
549	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
550	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
551	NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV})
552
553	create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-"
554	ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
555	ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF}
556
557	set +e
558
559	sleep 1
560}
561
562################################################################################
563# IPv4
564
565ipv4_ping_novrf()
566{
567	local a
568
569	#
570	# out
571	#
572	for a in ${NSB_IP} ${NSB_LO_IP}
573	do
574		log_start
575		run_cmd ping -c1 -w1 ${a}
576		log_test_addr ${a} $? 0 "ping out"
577
578		log_start
579		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
580		log_test_addr ${a} $? 0 "ping out, device bind"
581
582		log_start
583		run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a}
584		log_test_addr ${a} $? 0 "ping out, address bind"
585	done
586
587	#
588	# in
589	#
590	for a in ${NSA_IP} ${NSA_LO_IP}
591	do
592		log_start
593		run_cmd_nsb ping -c1 -w1 ${a}
594		log_test_addr ${a} $? 0 "ping in"
595	done
596
597	#
598	# local traffic
599	#
600	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
601	do
602		log_start
603		run_cmd ping -c1 -w1 ${a}
604		log_test_addr ${a} $? 0 "ping local"
605	done
606
607	#
608	# local traffic, socket bound to device
609	#
610	# address on device
611	a=${NSA_IP}
612	log_start
613	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
614	log_test_addr ${a} $? 0 "ping local, device bind"
615
616	# loopback addresses not reachable from device bind
617	# fails in a really weird way though because ipv4 special cases
618	# route lookups with oif set.
619	for a in ${NSA_LO_IP} 127.0.0.1
620	do
621		log_start
622		show_hint "Fails since address on loopback device is out of device scope"
623		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
624		log_test_addr ${a} $? 1 "ping local, device bind"
625	done
626
627	#
628	# ip rule blocks reachability to remote address
629	#
630	log_start
631	setup_cmd ip rule add pref 32765 from all lookup local
632	setup_cmd ip rule del pref 0 from all lookup local
633	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
634	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit
635
636	a=${NSB_LO_IP}
637	run_cmd ping -c1 -w1 ${a}
638	log_test_addr ${a} $? 2 "ping out, blocked by rule"
639
640	# NOTE: ipv4 actually allows the lookup to fail and yet still create
641	# a viable rtable if the oif (e.g., bind to device) is set, so this
642	# case succeeds despite the rule
643	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
644
645	a=${NSA_LO_IP}
646	log_start
647	show_hint "Response generates ICMP (or arp request is ignored) due to ip rule"
648	run_cmd_nsb ping -c1 -w1 ${a}
649	log_test_addr ${a} $? 1 "ping in, blocked by rule"
650
651	[ "$VERBOSE" = "1" ] && echo
652	setup_cmd ip rule del pref 32765 from all lookup local
653	setup_cmd ip rule add pref 0 from all lookup local
654	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
655	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit
656
657	#
658	# route blocks reachability to remote address
659	#
660	log_start
661	setup_cmd ip route replace unreachable ${NSB_LO_IP}
662	setup_cmd ip route replace unreachable ${NSB_IP}
663
664	a=${NSB_LO_IP}
665	run_cmd ping -c1 -w1 ${a}
666	log_test_addr ${a} $? 2 "ping out, blocked by route"
667
668	# NOTE: ipv4 actually allows the lookup to fail and yet still create
669	# a viable rtable if the oif (e.g., bind to device) is set, so this
670	# case succeeds despite not having a route for the address
671	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
672
673	a=${NSA_LO_IP}
674	log_start
675	show_hint "Response is dropped (or arp request is ignored) due to ip route"
676	run_cmd_nsb ping -c1 -w1 ${a}
677	log_test_addr ${a} $? 1 "ping in, blocked by route"
678
679	#
680	# remove 'remote' routes; fallback to default
681	#
682	log_start
683	setup_cmd ip ro del ${NSB_LO_IP}
684
685	a=${NSB_LO_IP}
686	run_cmd ping -c1 -w1 ${a}
687	log_test_addr ${a} $? 2 "ping out, unreachable default route"
688
689	# NOTE: ipv4 actually allows the lookup to fail and yet still create
690	# a viable rtable if the oif (e.g., bind to device) is set, so this
691	# case succeeds despite not having a route for the address
692	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
693}
694
695ipv4_ping_vrf()
696{
697	local a
698
699	# should default on; does not exist on older kernels
700	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
701
702	#
703	# out
704	#
705	for a in ${NSB_IP} ${NSB_LO_IP}
706	do
707		log_start
708		run_cmd ping -c1 -w1 -I ${VRF} ${a}
709		log_test_addr ${a} $? 0 "ping out, VRF bind"
710
711		log_start
712		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
713		log_test_addr ${a} $? 0 "ping out, device bind"
714
715		log_start
716		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a}
717		log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind"
718
719		log_start
720		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a}
721		log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind"
722	done
723
724	#
725	# in
726	#
727	for a in ${NSA_IP} ${VRF_IP}
728	do
729		log_start
730		run_cmd_nsb ping -c1 -w1 ${a}
731		log_test_addr ${a} $? 0 "ping in"
732	done
733
734	#
735	# local traffic, local address
736	#
737	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
738	do
739		log_start
740		show_hint "Source address should be ${a}"
741		run_cmd ping -c1 -w1 -I ${VRF} ${a}
742		log_test_addr ${a} $? 0 "ping local, VRF bind"
743	done
744
745	#
746	# local traffic, socket bound to device
747	#
748	# address on device
749	a=${NSA_IP}
750	log_start
751	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
752	log_test_addr ${a} $? 0 "ping local, device bind"
753
754	# vrf device is out of scope
755	for a in ${VRF_IP} 127.0.0.1
756	do
757		log_start
758		show_hint "Fails since address on vrf device is out of device scope"
759		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
760		log_test_addr ${a} $? 2 "ping local, device bind"
761	done
762
763	#
764	# ip rule blocks address
765	#
766	log_start
767	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
768	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit
769
770	a=${NSB_LO_IP}
771	run_cmd ping -c1 -w1 -I ${VRF} ${a}
772	log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule"
773
774	log_start
775	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
776	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
777
778	a=${NSA_LO_IP}
779	log_start
780	show_hint "Response lost due to ip rule"
781	run_cmd_nsb ping -c1 -w1 ${a}
782	log_test_addr ${a} $? 1 "ping in, blocked by rule"
783
784	[ "$VERBOSE" = "1" ] && echo
785	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
786	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit
787
788	#
789	# remove 'remote' routes; fallback to default
790	#
791	log_start
792	setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP}
793
794	a=${NSB_LO_IP}
795	run_cmd ping -c1 -w1 -I ${VRF} ${a}
796	log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route"
797
798	log_start
799	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
800	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
801
802	a=${NSA_LO_IP}
803	log_start
804	show_hint "Response lost by unreachable route"
805	run_cmd_nsb ping -c1 -w1 ${a}
806	log_test_addr ${a} $? 1 "ping in, unreachable route"
807}
808
809ipv4_ping()
810{
811	log_section "IPv4 ping"
812
813	log_subsection "No VRF"
814	setup
815	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null
816	ipv4_ping_novrf
817	setup
818	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
819	ipv4_ping_novrf
820	setup
821	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
822	ipv4_ping_novrf
823
824	log_subsection "With VRF"
825	setup "yes"
826	ipv4_ping_vrf
827	setup "yes"
828	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
829	ipv4_ping_vrf
830}
831
832################################################################################
833# IPv4 TCP
834
835#
836# MD5 tests without VRF
837#
838ipv4_tcp_md5_novrf()
839{
840	#
841	# single address
842	#
843
844	# basic use case
845	log_start
846	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
847	sleep 1
848	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
849	log_test $? 0 "MD5: Single address config"
850
851	# client sends MD5, server not configured
852	log_start
853	show_hint "Should timeout due to MD5 mismatch"
854	run_cmd nettest -s &
855	sleep 1
856	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
857	log_test $? 2 "MD5: Server no config, client uses password"
858
859	# wrong password
860	log_start
861	show_hint "Should timeout since client uses wrong password"
862	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
863	sleep 1
864	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
865	log_test $? 2 "MD5: Client uses wrong password"
866
867	# client from different address
868	log_start
869	show_hint "Should timeout due to MD5 mismatch"
870	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} &
871	sleep 1
872	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
873	log_test $? 2 "MD5: Client address does not match address configured with password"
874
875	#
876	# MD5 extension - prefix length
877	#
878
879	# client in prefix
880	log_start
881	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
882	sleep 1
883	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
884	log_test $? 0 "MD5: Prefix config"
885
886	# client in prefix, wrong password
887	log_start
888	show_hint "Should timeout since client uses wrong password"
889	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
890	sleep 1
891	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
892	log_test $? 2 "MD5: Prefix config, client uses wrong password"
893
894	# client outside of prefix
895	log_start
896	show_hint "Should timeout due to MD5 mismatch"
897	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
898	sleep 1
899	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
900	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
901}
902
903#
904# MD5 tests with VRF
905#
906ipv4_tcp_md5()
907{
908	#
909	# single address
910	#
911
912	# basic use case
913	log_start
914	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
915	sleep 1
916	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
917	log_test $? 0 "MD5: VRF: Single address config"
918
919	# client sends MD5, server not configured
920	log_start
921	show_hint "Should timeout since server does not have MD5 auth"
922	run_cmd nettest -s -I ${VRF} &
923	sleep 1
924	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
925	log_test $? 2 "MD5: VRF: Server no config, client uses password"
926
927	# wrong password
928	log_start
929	show_hint "Should timeout since client uses wrong password"
930	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
931	sleep 1
932	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
933	log_test $? 2 "MD5: VRF: Client uses wrong password"
934
935	# client from different address
936	log_start
937	show_hint "Should timeout since server config differs from client"
938	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} &
939	sleep 1
940	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
941	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"
942
943	#
944	# MD5 extension - prefix length
945	#
946
947	# client in prefix
948	log_start
949	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
950	sleep 1
951	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
952	log_test $? 0 "MD5: VRF: Prefix config"
953
954	# client in prefix, wrong password
955	log_start
956	show_hint "Should timeout since client uses wrong password"
957	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
958	sleep 1
959	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
960	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"
961
962	# client outside of prefix
963	log_start
964	show_hint "Should timeout since client address is outside of prefix"
965	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
966	sleep 1
967	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
968	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"
969
970	#
971	# duplicate config between default VRF and a VRF
972	#
973
974	log_start
975	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
976	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
977	sleep 1
978	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
979	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"
980
981	log_start
982	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
983	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
984	sleep 1
985	run_cmd_nsc nettest  -r ${NSA_IP} -X ${MD5_WRONG_PW}
986	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"
987
988	log_start
989	show_hint "Should timeout since client in default VRF uses VRF password"
990	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
991	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
992	sleep 1
993	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
994	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"
995
996	log_start
997	show_hint "Should timeout since client in VRF uses default VRF password"
998	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
999	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
1000	sleep 1
1001	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
1002	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"
1003
1004	log_start
1005	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
1006	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
1007	sleep 1
1008	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
1009	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"
1010
1011	log_start
1012	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
1013	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
1014	sleep 1
1015	run_cmd_nsc nettest  -r ${NSA_IP} -X ${MD5_WRONG_PW}
1016	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"
1017
1018	log_start
1019	show_hint "Should timeout since client in default VRF uses VRF password"
1020	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
1021	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
1022	sleep 1
1023	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
1024	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"
1025
1026	log_start
1027	show_hint "Should timeout since client in VRF uses default VRF password"
1028	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
1029	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
1030	sleep 1
1031	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
1032	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"
1033
1034	#
1035	# negative tests
1036	#
1037	log_start
1038	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP}
1039	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"
1040
1041	log_start
1042	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET}
1043	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"
1044
1045	test_ipv4_md5_vrf__vrf_server__no_bind_ifindex
1046	test_ipv4_md5_vrf__global_server__bind_ifindex0
1047}
1048
1049test_ipv4_md5_vrf__vrf_server__no_bind_ifindex()
1050{
1051	log_start
1052	show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX"
1053	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
1054	sleep 1
1055	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1056	log_test $? 0 "MD5: VRF: VRF-bound server, unbound key accepts connection"
1057
1058	log_start
1059	show_hint "Binding both the socket and the key is not required but it works"
1060	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
1061	sleep 1
1062	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1063	log_test $? 0 "MD5: VRF: VRF-bound server, bound key accepts connection"
1064}
1065
1066test_ipv4_md5_vrf__global_server__bind_ifindex0()
1067{
1068	# This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections
1069	local old_tcp_l3mdev_accept
1070	old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept)
1071	set_sysctl net.ipv4.tcp_l3mdev_accept=1
1072
1073	log_start
1074	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
1075	sleep 1
1076	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1077	log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection"
1078
1079	log_start
1080	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
1081	sleep 1
1082	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
1083	log_test $? 0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection"
1084	log_start
1085
1086	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
1087	sleep 1
1088	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1089	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection"
1090
1091	log_start
1092	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
1093	sleep 1
1094	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
1095	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection"
1096
1097	# restore value
1098	set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept"
1099}
1100
1101ipv4_tcp_novrf()
1102{
1103	local a
1104
1105	#
1106	# server tests
1107	#
1108	for a in ${NSA_IP} ${NSA_LO_IP}
1109	do
1110		log_start
1111		run_cmd nettest -s &
1112		sleep 1
1113		run_cmd_nsb nettest -r ${a}
1114		log_test_addr ${a} $? 0 "Global server"
1115	done
1116
1117	a=${NSA_IP}
1118	log_start
1119	run_cmd nettest -s -I ${NSA_DEV} &
1120	sleep 1
1121	run_cmd_nsb nettest -r ${a}
1122	log_test_addr ${a} $? 0 "Device server"
1123
1124	# verify TCP reset sent and received
1125	for a in ${NSA_IP} ${NSA_LO_IP}
1126	do
1127		log_start
1128		show_hint "Should fail 'Connection refused' since there is no server"
1129		run_cmd_nsb nettest -r ${a}
1130		log_test_addr ${a} $? 1 "No server"
1131	done
1132
1133	#
1134	# client
1135	#
1136	for a in ${NSB_IP} ${NSB_LO_IP}
1137	do
1138		log_start
1139		run_cmd_nsb nettest -s &
1140		sleep 1
1141		run_cmd nettest -r ${a} -0 ${NSA_IP}
1142		log_test_addr ${a} $? 0 "Client"
1143
1144		log_start
1145		run_cmd_nsb nettest -s &
1146		sleep 1
1147		run_cmd nettest -r ${a} -d ${NSA_DEV}
1148		log_test_addr ${a} $? 0 "Client, device bind"
1149
1150		log_start
1151		show_hint "Should fail 'Connection refused'"
1152		run_cmd nettest -r ${a}
1153		log_test_addr ${a} $? 1 "No server, unbound client"
1154
1155		log_start
1156		show_hint "Should fail 'Connection refused'"
1157		run_cmd nettest -r ${a} -d ${NSA_DEV}
1158		log_test_addr ${a} $? 1 "No server, device client"
1159	done
1160
1161	#
1162	# local address tests
1163	#
1164	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
1165	do
1166		log_start
1167		run_cmd nettest -s &
1168		sleep 1
1169		run_cmd nettest -r ${a} -0 ${a} -1 ${a}
1170		log_test_addr ${a} $? 0 "Global server, local connection"
1171	done
1172
1173	a=${NSA_IP}
1174	log_start
1175	run_cmd nettest -s -I ${NSA_DEV} &
1176	sleep 1
1177	run_cmd nettest -r ${a} -0 ${a}
1178	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
1179
1180	for a in ${NSA_LO_IP} 127.0.0.1
1181	do
1182		log_start
1183		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
1184		run_cmd nettest -s -I ${NSA_DEV} &
1185		sleep 1
1186		run_cmd nettest -r ${a}
1187		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
1188	done
1189
1190	a=${NSA_IP}
1191	log_start
1192	run_cmd nettest -s &
1193	sleep 1
1194	run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV}
1195	log_test_addr ${a} $? 0 "Global server, device client, local connection"
1196
1197	for a in ${NSA_LO_IP} 127.0.0.1
1198	do
1199		log_start
1200		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
1201		run_cmd nettest -s &
1202		sleep 1
1203		run_cmd nettest -r ${a} -d ${NSA_DEV}
1204		log_test_addr ${a} $? 1 "Global server, device client, local connection"
1205	done
1206
1207	a=${NSA_IP}
1208	log_start
1209	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1210	sleep 1
1211	run_cmd nettest  -d ${NSA_DEV} -r ${a} -0 ${a}
1212	log_test_addr ${a} $? 0 "Device server, device client, local connection"
1213
1214	log_start
1215	show_hint "Should fail 'Connection refused'"
1216	run_cmd nettest -d ${NSA_DEV} -r ${a}
1217	log_test_addr ${a} $? 1 "No server, device client, local conn"
1218
1219	ipv4_tcp_md5_novrf
1220}
1221
1222ipv4_tcp_vrf()
1223{
1224	local a
1225
1226	# disable global server
1227	log_subsection "Global server disabled"
1228
1229	set_sysctl net.ipv4.tcp_l3mdev_accept=0
1230
1231	#
1232	# server tests
1233	#
1234	for a in ${NSA_IP} ${VRF_IP}
1235	do
1236		log_start
1237		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
1238		run_cmd nettest -s &
1239		sleep 1
1240		run_cmd_nsb nettest -r ${a}
1241		log_test_addr ${a} $? 1 "Global server"
1242
1243		log_start
1244		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1245		sleep 1
1246		run_cmd_nsb nettest -r ${a}
1247		log_test_addr ${a} $? 0 "VRF server"
1248
1249		log_start
1250		run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1251		sleep 1
1252		run_cmd_nsb nettest -r ${a}
1253		log_test_addr ${a} $? 0 "Device server"
1254
1255		# verify TCP reset received
1256		log_start
1257		show_hint "Should fail 'Connection refused' since there is no server"
1258		run_cmd_nsb nettest -r ${a}
1259		log_test_addr ${a} $? 1 "No server"
1260	done
1261
1262	# local address tests
1263	# (${VRF_IP} and 127.0.0.1 both timeout)
1264	a=${NSA_IP}
1265	log_start
1266	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
1267	run_cmd nettest -s &
1268	sleep 1
1269	run_cmd nettest -r ${a} -d ${NSA_DEV}
1270	log_test_addr ${a} $? 1 "Global server, local connection"
1271
1272	# run MD5 tests
1273	setup_vrf_dup
1274	ipv4_tcp_md5
1275	cleanup_vrf_dup
1276
1277	#
1278	# enable VRF global server
1279	#
1280	log_subsection "VRF Global server enabled"
1281	set_sysctl net.ipv4.tcp_l3mdev_accept=1
1282
1283	for a in ${NSA_IP} ${VRF_IP}
1284	do
1285		log_start
1286		show_hint "client socket should be bound to VRF"
1287		run_cmd nettest -s -3 ${VRF} &
1288		sleep 1
1289		run_cmd_nsb nettest -r ${a}
1290		log_test_addr ${a} $? 0 "Global server"
1291
1292		log_start
1293		show_hint "client socket should be bound to VRF"
1294		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1295		sleep 1
1296		run_cmd_nsb nettest -r ${a}
1297		log_test_addr ${a} $? 0 "VRF server"
1298
1299		# verify TCP reset received
1300		log_start
1301		show_hint "Should fail 'Connection refused'"
1302		run_cmd_nsb nettest -r ${a}
1303		log_test_addr ${a} $? 1 "No server"
1304	done
1305
1306	a=${NSA_IP}
1307	log_start
1308	show_hint "client socket should be bound to device"
1309	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1310	sleep 1
1311	run_cmd_nsb nettest -r ${a}
1312	log_test_addr ${a} $? 0 "Device server"
1313
1314	# local address tests
1315	for a in ${NSA_IP} ${VRF_IP}
1316	do
1317		log_start
1318		show_hint "Should fail 'Connection refused' since client is not bound to VRF"
1319		run_cmd nettest -s -I ${VRF} &
1320		sleep 1
1321		run_cmd nettest -r ${a}
1322		log_test_addr ${a} $? 1 "Global server, local connection"
1323	done
1324
1325	#
1326	# client
1327	#
1328	for a in ${NSB_IP} ${NSB_LO_IP}
1329	do
1330		log_start
1331		run_cmd_nsb nettest -s &
1332		sleep 1
1333		run_cmd nettest -r ${a} -d ${VRF}
1334		log_test_addr ${a} $? 0 "Client, VRF bind"
1335
1336		log_start
1337		run_cmd_nsb nettest -s &
1338		sleep 1
1339		run_cmd nettest -r ${a} -d ${NSA_DEV}
1340		log_test_addr ${a} $? 0 "Client, device bind"
1341
1342		log_start
1343		show_hint "Should fail 'Connection refused'"
1344		run_cmd nettest -r ${a} -d ${VRF}
1345		log_test_addr ${a} $? 1 "No server, VRF client"
1346
1347		log_start
1348		show_hint "Should fail 'Connection refused'"
1349		run_cmd nettest -r ${a} -d ${NSA_DEV}
1350		log_test_addr ${a} $? 1 "No server, device client"
1351	done
1352
1353	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
1354	do
1355		log_start
1356		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1357		sleep 1
1358		run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
1359		log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
1360	done
1361
1362	a=${NSA_IP}
1363	log_start
1364	run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1365	sleep 1
1366	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
1367	log_test_addr ${a} $? 0 "VRF server, device client, local connection"
1368
1369	log_start
1370	show_hint "Should fail 'No route to host' since client is out of VRF scope"
1371	run_cmd nettest -s -I ${VRF} &
1372	sleep 1
1373	run_cmd nettest -r ${a}
1374	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"
1375
1376	log_start
1377	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1378	sleep 1
1379	run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
1380	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"
1381
1382	log_start
1383	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1384	sleep 1
1385	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
1386	log_test_addr ${a} $? 0 "Device server, device client, local connection"
1387}
1388
1389ipv4_tcp()
1390{
1391	log_section "IPv4/TCP"
1392	log_subsection "No VRF"
1393	setup
1394
1395	# tcp_l3mdev_accept should have no affect without VRF;
1396	# run tests with it enabled and disabled to verify
1397	log_subsection "tcp_l3mdev_accept disabled"
1398	set_sysctl net.ipv4.tcp_l3mdev_accept=0
1399	ipv4_tcp_novrf
1400	log_subsection "tcp_l3mdev_accept enabled"
1401	set_sysctl net.ipv4.tcp_l3mdev_accept=1
1402	ipv4_tcp_novrf
1403
1404	log_subsection "With VRF"
1405	setup "yes"
1406	ipv4_tcp_vrf
1407}
1408
1409################################################################################
1410# IPv4 UDP
1411
1412ipv4_udp_novrf()
1413{
1414	local a
1415
1416	#
1417	# server tests
1418	#
1419	for a in ${NSA_IP} ${NSA_LO_IP}
1420	do
1421		log_start
1422		run_cmd nettest -D -s -3 ${NSA_DEV} &
1423		sleep 1
1424		run_cmd_nsb nettest -D -r ${a}
1425		log_test_addr ${a} $? 0 "Global server"
1426
1427		log_start
1428		show_hint "Should fail 'Connection refused' since there is no server"
1429		run_cmd_nsb nettest -D -r ${a}
1430		log_test_addr ${a} $? 1 "No server"
1431	done
1432
1433	a=${NSA_IP}
1434	log_start
1435	run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
1436	sleep 1
1437	run_cmd_nsb nettest -D -r ${a}
1438	log_test_addr ${a} $? 0 "Device server"
1439
1440	#
1441	# client
1442	#
1443	for a in ${NSB_IP} ${NSB_LO_IP}
1444	do
1445		log_start
1446		run_cmd_nsb nettest -D -s &
1447		sleep 1
1448		run_cmd nettest -D -r ${a} -0 ${NSA_IP}
1449		log_test_addr ${a} $? 0 "Client"
1450
1451		log_start
1452		run_cmd_nsb nettest -D -s &
1453		sleep 1
1454		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP}
1455		log_test_addr ${a} $? 0 "Client, device bind"
1456
1457		log_start
1458		run_cmd_nsb nettest -D -s &
1459		sleep 1
1460		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP}
1461		log_test_addr ${a} $? 0 "Client, device send via cmsg"
1462
1463		log_start
1464		run_cmd_nsb nettest -D -s &
1465		sleep 1
1466		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP}
1467		log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF"
1468
1469		log_start
1470		run_cmd_nsb nettest -D -s &
1471		sleep 1
1472		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} -U
1473		log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF, with connect()"
1474
1475
1476		log_start
1477		show_hint "Should fail 'Connection refused'"
1478		run_cmd nettest -D -r ${a}
1479		log_test_addr ${a} $? 1 "No server, unbound client"
1480
1481		log_start
1482		show_hint "Should fail 'Connection refused'"
1483		run_cmd nettest -D -r ${a} -d ${NSA_DEV}
1484		log_test_addr ${a} $? 1 "No server, device client"
1485	done
1486
1487	#
1488	# local address tests
1489	#
1490	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
1491	do
1492		log_start
1493		run_cmd nettest -D -s &
1494		sleep 1
1495		run_cmd nettest -D -r ${a} -0 ${a} -1 ${a}
1496		log_test_addr ${a} $? 0 "Global server, local connection"
1497	done
1498
1499	a=${NSA_IP}
1500	log_start
1501	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1502	sleep 1
1503	run_cmd nettest -D -r ${a}
1504	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
1505
1506	for a in ${NSA_LO_IP} 127.0.0.1
1507	do
1508		log_start
1509		show_hint "Should fail 'Connection refused' since address is out of device scope"
1510		run_cmd nettest -s -D -I ${NSA_DEV} &
1511		sleep 1
1512		run_cmd nettest -D -r ${a}
1513		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
1514	done
1515
1516	a=${NSA_IP}
1517	log_start
1518	run_cmd nettest -s -D &
1519	sleep 1
1520	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1521	log_test_addr ${a} $? 0 "Global server, device client, local connection"
1522
1523	log_start
1524	run_cmd nettest -s -D &
1525	sleep 1
1526	run_cmd nettest -D -d ${NSA_DEV} -C -r ${a}
1527	log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"
1528
1529	log_start
1530	run_cmd nettest -s -D &
1531	sleep 1
1532	run_cmd nettest -D -d ${NSA_DEV} -S -r ${a}
1533	log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection"
1534
1535	log_start
1536	run_cmd nettest -s -D &
1537	sleep 1
1538	run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} -U
1539	log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"
1540
1541
1542	# IPv4 with device bind has really weird behavior - it overrides the
1543	# fib lookup, generates an rtable and tries to send the packet. This
1544	# causes failures for local traffic at different places
1545	for a in ${NSA_LO_IP} 127.0.0.1
1546	do
1547		log_start
1548		show_hint "Should fail since addresses on loopback are out of device scope"
1549		run_cmd nettest -D -s &
1550		sleep 1
1551		run_cmd nettest -D -r ${a} -d ${NSA_DEV}
1552		log_test_addr ${a} $? 2 "Global server, device client, local connection"
1553
1554		log_start
1555		show_hint "Should fail since addresses on loopback are out of device scope"
1556		run_cmd nettest -D -s &
1557		sleep 1
1558		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C
1559		log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"
1560
1561		log_start
1562		show_hint "Should fail since addresses on loopback are out of device scope"
1563		run_cmd nettest -D -s &
1564		sleep 1
1565		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S
1566		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
1567
1568		log_start
1569		show_hint "Should fail since addresses on loopback are out of device scope"
1570		run_cmd nettest -D -s &
1571		sleep 1
1572		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -U
1573		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"
1574
1575
1576	done
1577
1578	a=${NSA_IP}
1579	log_start
1580	run_cmd nettest -D -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1581	sleep 1
1582	run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a}
1583	log_test_addr ${a} $? 0 "Device server, device client, local conn"
1584
1585	log_start
1586	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1587	log_test_addr ${a} $? 2 "No server, device client, local conn"
1588}
1589
1590ipv4_udp_vrf()
1591{
1592	local a
1593
1594	# disable global server
1595	log_subsection "Global server disabled"
1596	set_sysctl net.ipv4.udp_l3mdev_accept=0
1597
1598	#
1599	# server tests
1600	#
1601	for a in ${NSA_IP} ${VRF_IP}
1602	do
1603		log_start
1604		show_hint "Fails because ingress is in a VRF and global server is disabled"
1605		run_cmd nettest -D -s &
1606		sleep 1
1607		run_cmd_nsb nettest -D -r ${a}
1608		log_test_addr ${a} $? 1 "Global server"
1609
1610		log_start
1611		run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
1612		sleep 1
1613		run_cmd_nsb nettest -D -r ${a}
1614		log_test_addr ${a} $? 0 "VRF server"
1615
1616		log_start
1617		run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
1618		sleep 1
1619		run_cmd_nsb nettest -D -r ${a}
1620		log_test_addr ${a} $? 0 "Enslaved device server"
1621
1622		log_start
1623		show_hint "Should fail 'Connection refused' since there is no server"
1624		run_cmd_nsb nettest -D -r ${a}
1625		log_test_addr ${a} $? 1 "No server"
1626
1627		log_start
1628		show_hint "Should fail 'Connection refused' since global server is out of scope"
1629		run_cmd nettest -D -s &
1630		sleep 1
1631		run_cmd nettest -D -d ${VRF} -r ${a}
1632		log_test_addr ${a} $? 1 "Global server, VRF client, local connection"
1633	done
1634
1635	a=${NSA_IP}
1636	log_start
1637	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1638	sleep 1
1639	run_cmd nettest -D -d ${VRF} -r ${a}
1640	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1641
1642	log_start
1643	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1644	sleep 1
1645	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1646	log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection"
1647
1648	a=${NSA_IP}
1649	log_start
1650	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1651	sleep 1
1652	run_cmd nettest -D -d ${VRF} -r ${a}
1653	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
1654
1655	log_start
1656	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1657	sleep 1
1658	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1659	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
1660
1661	# enable global server
1662	log_subsection "Global server enabled"
1663	set_sysctl net.ipv4.udp_l3mdev_accept=1
1664
1665	#
1666	# server tests
1667	#
1668	for a in ${NSA_IP} ${VRF_IP}
1669	do
1670		log_start
1671		run_cmd nettest -D -s -3 ${NSA_DEV} &
1672		sleep 1
1673		run_cmd_nsb nettest -D -r ${a}
1674		log_test_addr ${a} $? 0 "Global server"
1675
1676		log_start
1677		run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
1678		sleep 1
1679		run_cmd_nsb nettest -D -r ${a}
1680		log_test_addr ${a} $? 0 "VRF server"
1681
1682		log_start
1683		run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
1684		sleep 1
1685		run_cmd_nsb nettest -D -r ${a}
1686		log_test_addr ${a} $? 0 "Enslaved device server"
1687
1688		log_start
1689		show_hint "Should fail 'Connection refused'"
1690		run_cmd_nsb nettest -D -r ${a}
1691		log_test_addr ${a} $? 1 "No server"
1692	done
1693
1694	#
1695	# client tests
1696	#
1697	log_start
1698	run_cmd_nsb nettest -D -s &
1699	sleep 1
1700	run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP}
1701	log_test $? 0 "VRF client"
1702
1703	log_start
1704	run_cmd_nsb nettest -D -s &
1705	sleep 1
1706	run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP}
1707	log_test $? 0 "Enslaved device client"
1708
1709	# negative test - should fail
1710	log_start
1711	show_hint "Should fail 'Connection refused'"
1712	run_cmd nettest -D -d ${VRF} -r ${NSB_IP}
1713	log_test $? 1 "No server, VRF client"
1714
1715	log_start
1716	show_hint "Should fail 'Connection refused'"
1717	run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP}
1718	log_test $? 1 "No server, enslaved device client"
1719
1720	#
1721	# local address tests
1722	#
1723	a=${NSA_IP}
1724	log_start
1725	run_cmd nettest -D -s -3 ${NSA_DEV} &
1726	sleep 1
1727	run_cmd nettest -D -d ${VRF} -r ${a}
1728	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
1729
1730	log_start
1731	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1732	sleep 1
1733	run_cmd nettest -D -d ${VRF} -r ${a}
1734	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1735
1736	log_start
1737	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1738	sleep 1
1739	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1740	log_test_addr ${a} $? 0 "VRF server, device client, local conn"
1741
1742	log_start
1743	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1744	sleep 1
1745	run_cmd nettest -D -d ${VRF} -r ${a}
1746	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
1747
1748	log_start
1749	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1750	sleep 1
1751	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1752	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
1753
1754	for a in ${VRF_IP} 127.0.0.1
1755	do
1756		log_start
1757		run_cmd nettest -D -s -3 ${VRF} &
1758		sleep 1
1759		run_cmd nettest -D -d ${VRF} -r ${a}
1760		log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
1761	done
1762
1763	for a in ${VRF_IP} 127.0.0.1
1764	do
1765		log_start
1766		run_cmd nettest -s -D -I ${VRF} -3 ${VRF} &
1767		sleep 1
1768		run_cmd nettest -D -d ${VRF} -r ${a}
1769		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1770	done
1771
1772	# negative test - should fail
1773	# verifies ECONNREFUSED
1774	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
1775	do
1776		log_start
1777		show_hint "Should fail 'Connection refused'"
1778		run_cmd nettest -D -d ${VRF} -r ${a}
1779		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
1780	done
1781}
1782
1783ipv4_udp()
1784{
1785	log_section "IPv4/UDP"
1786	log_subsection "No VRF"
1787
1788	setup
1789
1790	# udp_l3mdev_accept should have no affect without VRF;
1791	# run tests with it enabled and disabled to verify
1792	log_subsection "udp_l3mdev_accept disabled"
1793	set_sysctl net.ipv4.udp_l3mdev_accept=0
1794	ipv4_udp_novrf
1795	log_subsection "udp_l3mdev_accept enabled"
1796	set_sysctl net.ipv4.udp_l3mdev_accept=1
1797	ipv4_udp_novrf
1798
1799	log_subsection "With VRF"
1800	setup "yes"
1801	ipv4_udp_vrf
1802}
1803
1804################################################################################
1805# IPv4 address bind
1806#
1807# verifies ability or inability to bind to an address / device
1808
1809ipv4_addr_bind_novrf()
1810{
1811	#
1812	# raw socket
1813	#
1814	for a in ${NSA_IP} ${NSA_LO_IP}
1815	do
1816		log_start
1817		run_cmd nettest -s -R -P icmp -l ${a} -b
1818		log_test_addr ${a} $? 0 "Raw socket bind to local address"
1819
1820		log_start
1821		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
1822		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
1823	done
1824
1825	#
1826	# tests for nonlocal bind
1827	#
1828	a=${NL_IP}
1829	log_start
1830	run_cmd nettest -s -R -f -l ${a} -b
1831	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"
1832
1833	log_start
1834	run_cmd nettest -s -f -l ${a} -b
1835	log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address"
1836
1837	log_start
1838	run_cmd nettest -s -D -P icmp -f -l ${a} -b
1839	log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address"
1840
1841	#
1842	# check that ICMP sockets cannot bind to broadcast and multicast addresses
1843	#
1844	a=${BCAST_IP}
1845	log_start
1846	run_cmd nettest -s -D -P icmp -l ${a} -b
1847	log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address"
1848
1849	a=${MCAST_IP}
1850	log_start
1851	run_cmd nettest -s -D -P icmp -l ${a} -b
1852	log_test_addr ${a} $? 1 "ICMP socket bind to multicast address"
1853
1854	#
1855	# tcp sockets
1856	#
1857	a=${NSA_IP}
1858	log_start
1859	run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b
1860	log_test_addr ${a} $? 0 "TCP socket bind to local address"
1861
1862	log_start
1863	run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b
1864	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
1865
1866	# Sadly, the kernel allows binding a socket to a device and then
1867	# binding to an address not on the device. The only restriction
1868	# is that the address is valid in the L3 domain. So this test
1869	# passes when it really should not
1870	#a=${NSA_LO_IP}
1871	#log_start
1872	#show_hint "Should fail with 'Cannot assign requested address'"
1873	#run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
1874	#log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
1875}
1876
1877ipv4_addr_bind_vrf()
1878{
1879	#
1880	# raw socket
1881	#
1882	for a in ${NSA_IP} ${VRF_IP}
1883	do
1884		log_start
1885		show_hint "Socket not bound to VRF, but address is in VRF"
1886		run_cmd nettest -s -R -P icmp -l ${a} -b
1887		log_test_addr ${a} $? 1 "Raw socket bind to local address"
1888
1889		log_start
1890		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
1891		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
1892		log_start
1893		run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
1894		log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind"
1895	done
1896
1897	a=${NSA_LO_IP}
1898	log_start
1899	show_hint "Address on loopback is out of VRF scope"
1900	run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
1901	log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind"
1902
1903	#
1904	# tests for nonlocal bind
1905	#
1906	a=${NL_IP}
1907	log_start
1908	run_cmd nettest -s -R -f -l ${a} -I ${VRF} -b
1909	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"
1910
1911	log_start
1912	run_cmd nettest -s -f -l ${a} -I ${VRF} -b
1913	log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address after VRF bind"
1914
1915	log_start
1916	run_cmd nettest -s -D -P icmp -f -l ${a} -I ${VRF} -b
1917	log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address after VRF bind"
1918
1919	#
1920	# check that ICMP sockets cannot bind to broadcast and multicast addresses
1921	#
1922	a=${BCAST_IP}
1923	log_start
1924	run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
1925	log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address after VRF bind"
1926
1927	a=${MCAST_IP}
1928	log_start
1929	run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
1930	log_test_addr ${a} $? 1 "ICMP socket bind to multicast address after VRF bind"
1931
1932	#
1933	# tcp sockets
1934	#
1935	for a in ${NSA_IP} ${VRF_IP}
1936	do
1937		log_start
1938		run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
1939		log_test_addr ${a} $? 0 "TCP socket bind to local address"
1940
1941		log_start
1942		run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
1943		log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
1944	done
1945
1946	a=${NSA_LO_IP}
1947	log_start
1948	show_hint "Address on loopback out of scope for VRF"
1949	run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
1950	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"
1951
1952	log_start
1953	show_hint "Address on loopback out of scope for device in VRF"
1954	run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
1955	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
1956}
1957
1958ipv4_addr_bind()
1959{
1960	log_section "IPv4 address binds"
1961
1962	log_subsection "No VRF"
1963	setup
1964	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
1965	ipv4_addr_bind_novrf
1966
1967	log_subsection "With VRF"
1968	setup "yes"
1969	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
1970	ipv4_addr_bind_vrf
1971}
1972
1973################################################################################
1974# IPv4 runtime tests
1975
1976ipv4_rt()
1977{
1978	local desc="$1"
1979	local varg="$2"
1980	local with_vrf="yes"
1981	local a
1982
1983	#
1984	# server tests
1985	#
1986	for a in ${NSA_IP} ${VRF_IP}
1987	do
1988		log_start
1989		run_cmd nettest ${varg} -s &
1990		sleep 1
1991		run_cmd_nsb nettest ${varg} -r ${a} &
1992		sleep 3
1993		run_cmd ip link del ${VRF}
1994		sleep 1
1995		log_test_addr ${a} 0 0 "${desc}, global server"
1996
1997		setup ${with_vrf}
1998	done
1999
2000	for a in ${NSA_IP} ${VRF_IP}
2001	do
2002		log_start
2003		run_cmd nettest ${varg} -s -I ${VRF} &
2004		sleep 1
2005		run_cmd_nsb nettest ${varg} -r ${a} &
2006		sleep 3
2007		run_cmd ip link del ${VRF}
2008		sleep 1
2009		log_test_addr ${a} 0 0 "${desc}, VRF server"
2010
2011		setup ${with_vrf}
2012	done
2013
2014	a=${NSA_IP}
2015	log_start
2016	run_cmd nettest ${varg} -s -I ${NSA_DEV} &
2017	sleep 1
2018	run_cmd_nsb nettest ${varg} -r ${a} &
2019	sleep 3
2020	run_cmd ip link del ${VRF}
2021	sleep 1
2022	log_test_addr ${a} 0 0 "${desc}, enslaved device server"
2023
2024	setup ${with_vrf}
2025
2026	#
2027	# client test
2028	#
2029	log_start
2030	run_cmd_nsb nettest ${varg} -s &
2031	sleep 1
2032	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} &
2033	sleep 3
2034	run_cmd ip link del ${VRF}
2035	sleep 1
2036	log_test_addr ${a} 0 0 "${desc}, VRF client"
2037
2038	setup ${with_vrf}
2039
2040	log_start
2041	run_cmd_nsb nettest ${varg} -s &
2042	sleep 1
2043	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} &
2044	sleep 3
2045	run_cmd ip link del ${VRF}
2046	sleep 1
2047	log_test_addr ${a} 0 0 "${desc}, enslaved device client"
2048
2049	setup ${with_vrf}
2050
2051	#
2052	# local address tests
2053	#
2054	for a in ${NSA_IP} ${VRF_IP}
2055	do
2056		log_start
2057		run_cmd nettest ${varg} -s &
2058		sleep 1
2059		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
2060		sleep 3
2061		run_cmd ip link del ${VRF}
2062		sleep 1
2063		log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local"
2064
2065		setup ${with_vrf}
2066	done
2067
2068	for a in ${NSA_IP} ${VRF_IP}
2069	do
2070		log_start
2071		run_cmd nettest ${varg} -I ${VRF} -s &
2072		sleep 1
2073		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
2074		sleep 3
2075		run_cmd ip link del ${VRF}
2076		sleep 1
2077		log_test_addr ${a} 0 0 "${desc}, VRF server and client, local"
2078
2079		setup ${with_vrf}
2080	done
2081
2082	a=${NSA_IP}
2083	log_start
2084
2085	run_cmd nettest ${varg} -s &
2086	sleep 1
2087	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
2088	sleep 3
2089	run_cmd ip link del ${VRF}
2090	sleep 1
2091	log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local"
2092
2093	setup ${with_vrf}
2094
2095	log_start
2096	run_cmd nettest ${varg} -I ${VRF} -s &
2097	sleep 1
2098	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
2099	sleep 3
2100	run_cmd ip link del ${VRF}
2101	sleep 1
2102	log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local"
2103
2104	setup ${with_vrf}
2105
2106	log_start
2107	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
2108	sleep 1
2109	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
2110	sleep 3
2111	run_cmd ip link del ${VRF}
2112	sleep 1
2113	log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local"
2114}
2115
2116ipv4_ping_rt()
2117{
2118	local with_vrf="yes"
2119	local a
2120
2121	for a in ${NSA_IP} ${VRF_IP}
2122	do
2123		log_start
2124		run_cmd_nsb ping -f ${a} &
2125		sleep 3
2126		run_cmd ip link del ${VRF}
2127		sleep 1
2128		log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"
2129
2130		setup ${with_vrf}
2131	done
2132
2133	a=${NSB_IP}
2134	log_start
2135	run_cmd ping -f -I ${VRF} ${a} &
2136	sleep 3
2137	run_cmd ip link del ${VRF}
2138	sleep 1
2139	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
2140}
2141
2142ipv4_runtime()
2143{
2144	log_section "Run time tests - ipv4"
2145
2146	setup "yes"
2147	ipv4_ping_rt
2148
2149	setup "yes"
2150	ipv4_rt "TCP active socket"  "-n -1"
2151
2152	setup "yes"
2153	ipv4_rt "TCP passive socket" "-i"
2154}
2155
2156################################################################################
2157# IPv6
2158
2159ipv6_ping_novrf()
2160{
2161	local a
2162
2163	# should not have an impact, but make a known state
2164	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null
2165
2166	#
2167	# out
2168	#
2169	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2170	do
2171		log_start
2172		run_cmd ${ping6} -c1 -w1 ${a}
2173		log_test_addr ${a} $? 0 "ping out"
2174	done
2175
2176	for a in ${NSB_IP6} ${NSB_LO_IP6}
2177	do
2178		log_start
2179		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2180		log_test_addr ${a} $? 0 "ping out, device bind"
2181
2182		log_start
2183		run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a}
2184		log_test_addr ${a} $? 0 "ping out, loopback address bind"
2185	done
2186
2187	#
2188	# in
2189	#
2190	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
2191	do
2192		log_start
2193		run_cmd_nsb ${ping6} -c1 -w1 ${a}
2194		log_test_addr ${a} $? 0 "ping in"
2195	done
2196
2197	#
2198	# local traffic, local address
2199	#
2200	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2201	do
2202		log_start
2203		run_cmd ${ping6} -c1 -w1 ${a}
2204		log_test_addr ${a} $? 0 "ping local, no bind"
2205	done
2206
2207	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2208	do
2209		log_start
2210		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2211		log_test_addr ${a} $? 0 "ping local, device bind"
2212	done
2213
2214	for a in ${NSA_LO_IP6} ::1
2215	do
2216		log_start
2217		show_hint "Fails since address on loopback is out of device scope"
2218		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2219		log_test_addr ${a} $? 2 "ping local, device bind"
2220	done
2221
2222	#
2223	# ip rule blocks address
2224	#
2225	log_start
2226	setup_cmd ip -6 rule add pref 32765 from all lookup local
2227	setup_cmd ip -6 rule del pref 0 from all lookup local
2228	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
2229	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit
2230
2231	a=${NSB_LO_IP6}
2232	run_cmd ${ping6} -c1 -w1 ${a}
2233	log_test_addr ${a} $? 2 "ping out, blocked by rule"
2234
2235	log_start
2236	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2237	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
2238
2239	a=${NSA_LO_IP6}
2240	log_start
2241	show_hint "Response lost due to ip rule"
2242	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2243	log_test_addr ${a} $? 1 "ping in, blocked by rule"
2244
2245	setup_cmd ip -6 rule add pref 0 from all lookup local
2246	setup_cmd ip -6 rule del pref 32765 from all lookup local
2247	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
2248	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit
2249
2250	#
2251	# route blocks reachability to remote address
2252	#
2253	log_start
2254	setup_cmd ip -6 route del ${NSB_LO_IP6}
2255	setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10
2256	setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10
2257
2258	a=${NSB_LO_IP6}
2259	run_cmd ${ping6} -c1 -w1 ${a}
2260	log_test_addr ${a} $? 2 "ping out, blocked by route"
2261
2262	log_start
2263	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2264	log_test_addr ${a} $? 2 "ping out, device bind, blocked by route"
2265
2266	a=${NSA_LO_IP6}
2267	log_start
2268	show_hint "Response lost due to ip route"
2269	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2270	log_test_addr ${a} $? 1 "ping in, blocked by route"
2271
2272
2273	#
2274	# remove 'remote' routes; fallback to default
2275	#
2276	log_start
2277	setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6}
2278	setup_cmd ip -6 ro del unreachable ${NSB_IP6}
2279
2280	a=${NSB_LO_IP6}
2281	run_cmd ${ping6} -c1 -w1 ${a}
2282	log_test_addr ${a} $? 2 "ping out, unreachable route"
2283
2284	log_start
2285	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2286	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
2287}
2288
2289ipv6_ping_vrf()
2290{
2291	local a
2292
2293	# should default on; does not exist on older kernels
2294	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
2295
2296	#
2297	# out
2298	#
2299	for a in ${NSB_IP6} ${NSB_LO_IP6}
2300	do
2301		log_start
2302		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
2303		log_test_addr ${a} $? 0 "ping out, VRF bind"
2304	done
2305
2306	for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF}
2307	do
2308		log_start
2309		show_hint "Fails since VRF device does not support linklocal or multicast"
2310		run_cmd ${ping6} -c1 -w1 ${a}
2311		log_test_addr ${a} $? 1 "ping out, VRF bind"
2312	done
2313
2314	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2315	do
2316		log_start
2317		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2318		log_test_addr ${a} $? 0 "ping out, device bind"
2319	done
2320
2321	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2322	do
2323		log_start
2324		run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a}
2325		log_test_addr ${a} $? 0 "ping out, vrf device+address bind"
2326	done
2327
2328	#
2329	# in
2330	#
2331	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
2332	do
2333		log_start
2334		run_cmd_nsb ${ping6} -c1 -w1 ${a}
2335		log_test_addr ${a} $? 0 "ping in"
2336	done
2337
2338	a=${NSA_LO_IP6}
2339	log_start
2340	show_hint "Fails since loopback address is out of VRF scope"
2341	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2342	log_test_addr ${a} $? 1 "ping in"
2343
2344	#
2345	# local traffic, local address
2346	#
2347	for a in ${NSA_IP6} ${VRF_IP6} ::1
2348	do
2349		log_start
2350		show_hint "Source address should be ${a}"
2351		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
2352		log_test_addr ${a} $? 0 "ping local, VRF bind"
2353	done
2354
2355	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2356	do
2357		log_start
2358		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2359		log_test_addr ${a} $? 0 "ping local, device bind"
2360	done
2361
2362	# LLA to GUA - remove ipv6 global addresses from ns-B
2363	setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
2364	setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo
2365	setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
2366
2367	for a in ${NSA_IP6} ${VRF_IP6}
2368	do
2369		log_start
2370		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
2371		log_test_addr ${a} $? 0 "ping in, LLA to GUA"
2372	done
2373
2374	setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
2375	setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV}
2376	setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo
2377
2378	#
2379	# ip rule blocks address
2380	#
2381	log_start
2382	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
2383	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit
2384
2385	a=${NSB_LO_IP6}
2386	run_cmd ${ping6} -c1 -w1 ${a}
2387	log_test_addr ${a} $? 2 "ping out, blocked by rule"
2388
2389	log_start
2390	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2391	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
2392
2393	a=${NSA_LO_IP6}
2394	log_start
2395	show_hint "Response lost due to ip rule"
2396	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2397	log_test_addr ${a} $? 1 "ping in, blocked by rule"
2398
2399	log_start
2400	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
2401	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit
2402
2403	#
2404	# remove 'remote' routes; fallback to default
2405	#
2406	log_start
2407	setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF}
2408
2409	a=${NSB_LO_IP6}
2410	run_cmd ${ping6} -c1 -w1 ${a}
2411	log_test_addr ${a} $? 2 "ping out, unreachable route"
2412
2413	log_start
2414	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2415	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
2416
2417	ip -netns ${NSB} -6 ro del ${NSA_LO_IP6}
2418	a=${NSA_LO_IP6}
2419	log_start
2420	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2421	log_test_addr ${a} $? 2 "ping in, unreachable route"
2422}
2423
2424ipv6_ping()
2425{
2426	log_section "IPv6 ping"
2427
2428	log_subsection "No VRF"
2429	setup
2430	ipv6_ping_novrf
2431	setup
2432	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
2433	ipv6_ping_novrf
2434
2435	log_subsection "With VRF"
2436	setup "yes"
2437	ipv6_ping_vrf
2438	setup "yes"
2439	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
2440	ipv6_ping_vrf
2441}
2442
2443################################################################################
2444# IPv6 TCP
2445
2446#
2447# MD5 tests without VRF
2448#
2449ipv6_tcp_md5_novrf()
2450{
2451	#
2452	# single address
2453	#
2454
2455	# basic use case
2456	log_start
2457	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
2458	sleep 1
2459	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2460	log_test $? 0 "MD5: Single address config"
2461
2462	# client sends MD5, server not configured
2463	log_start
2464	show_hint "Should timeout due to MD5 mismatch"
2465	run_cmd nettest -6 -s &
2466	sleep 1
2467	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2468	log_test $? 2 "MD5: Server no config, client uses password"
2469
2470	# wrong password
2471	log_start
2472	show_hint "Should timeout since client uses wrong password"
2473	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
2474	sleep 1
2475	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2476	log_test $? 2 "MD5: Client uses wrong password"
2477
2478	# client from different address
2479	log_start
2480	show_hint "Should timeout due to MD5 mismatch"
2481	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} &
2482	sleep 1
2483	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2484	log_test $? 2 "MD5: Client address does not match address configured with password"
2485
2486	#
2487	# MD5 extension - prefix length
2488	#
2489
2490	# client in prefix
2491	log_start
2492	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2493	sleep 1
2494	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2495	log_test $? 0 "MD5: Prefix config"
2496
2497	# client in prefix, wrong password
2498	log_start
2499	show_hint "Should timeout since client uses wrong password"
2500	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2501	sleep 1
2502	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2503	log_test $? 2 "MD5: Prefix config, client uses wrong password"
2504
2505	# client outside of prefix
2506	log_start
2507	show_hint "Should timeout due to MD5 mismatch"
2508	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2509	sleep 1
2510	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
2511	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
2512}
2513
2514#
2515# MD5 tests with VRF
2516#
2517ipv6_tcp_md5()
2518{
2519	#
2520	# single address
2521	#
2522
2523	# basic use case
2524	log_start
2525	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2526	sleep 1
2527	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2528	log_test $? 0 "MD5: VRF: Single address config"
2529
2530	# client sends MD5, server not configured
2531	log_start
2532	show_hint "Should timeout since server does not have MD5 auth"
2533	run_cmd nettest -6 -s -I ${VRF} &
2534	sleep 1
2535	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2536	log_test $? 2 "MD5: VRF: Server no config, client uses password"
2537
2538	# wrong password
2539	log_start
2540	show_hint "Should timeout since client uses wrong password"
2541	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2542	sleep 1
2543	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2544	log_test $? 2 "MD5: VRF: Client uses wrong password"
2545
2546	# client from different address
2547	log_start
2548	show_hint "Should timeout since server config differs from client"
2549	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} &
2550	sleep 1
2551	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2552	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"
2553
2554	#
2555	# MD5 extension - prefix length
2556	#
2557
2558	# client in prefix
2559	log_start
2560	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2561	sleep 1
2562	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2563	log_test $? 0 "MD5: VRF: Prefix config"
2564
2565	# client in prefix, wrong password
2566	log_start
2567	show_hint "Should timeout since client uses wrong password"
2568	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2569	sleep 1
2570	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2571	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"
2572
2573	# client outside of prefix
2574	log_start
2575	show_hint "Should timeout since client address is outside of prefix"
2576	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2577	sleep 1
2578	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
2579	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"
2580
2581	#
2582	# duplicate config between default VRF and a VRF
2583	#
2584
2585	log_start
2586	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2587	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2588	sleep 1
2589	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2590	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"
2591
2592	log_start
2593	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2594	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2595	sleep 1
2596	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2597	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"
2598
2599	log_start
2600	show_hint "Should timeout since client in default VRF uses VRF password"
2601	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2602	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2603	sleep 1
2604	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2605	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"
2606
2607	log_start
2608	show_hint "Should timeout since client in VRF uses default VRF password"
2609	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2610	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2611	sleep 1
2612	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2613	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"
2614
2615	log_start
2616	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2617	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2618	sleep 1
2619	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2620	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"
2621
2622	log_start
2623	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2624	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2625	sleep 1
2626	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2627	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"
2628
2629	log_start
2630	show_hint "Should timeout since client in default VRF uses VRF password"
2631	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2632	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2633	sleep 1
2634	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2635	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"
2636
2637	log_start
2638	show_hint "Should timeout since client in VRF uses default VRF password"
2639	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2640	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2641	sleep 1
2642	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2643	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"
2644
2645	#
2646	# negative tests
2647	#
2648	log_start
2649	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6}
2650	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"
2651
2652	log_start
2653	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6}
2654	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"
2655
2656}
2657
2658ipv6_tcp_novrf()
2659{
2660	local a
2661
2662	#
2663	# server tests
2664	#
2665	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2666	do
2667		log_start
2668		run_cmd nettest -6 -s &
2669		sleep 1
2670		run_cmd_nsb nettest -6 -r ${a}
2671		log_test_addr ${a} $? 0 "Global server"
2672	done
2673
2674	# verify TCP reset received
2675	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2676	do
2677		log_start
2678		show_hint "Should fail 'Connection refused'"
2679		run_cmd_nsb nettest -6 -r ${a}
2680		log_test_addr ${a} $? 1 "No server"
2681	done
2682
2683	#
2684	# client
2685	#
2686	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2687	do
2688		log_start
2689		run_cmd_nsb nettest -6 -s &
2690		sleep 1
2691		run_cmd nettest -6 -r ${a}
2692		log_test_addr ${a} $? 0 "Client"
2693	done
2694
2695	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2696	do
2697		log_start
2698		run_cmd_nsb nettest -6 -s &
2699		sleep 1
2700		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2701		log_test_addr ${a} $? 0 "Client, device bind"
2702	done
2703
2704	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2705	do
2706		log_start
2707		show_hint "Should fail 'Connection refused'"
2708		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2709		log_test_addr ${a} $? 1 "No server, device client"
2710	done
2711
2712	#
2713	# local address tests
2714	#
2715	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
2716	do
2717		log_start
2718		run_cmd nettest -6 -s &
2719		sleep 1
2720		run_cmd nettest -6 -r ${a}
2721		log_test_addr ${a} $? 0 "Global server, local connection"
2722	done
2723
2724	a=${NSA_IP6}
2725	log_start
2726	run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2727	sleep 1
2728	run_cmd nettest -6 -r ${a} -0 ${a}
2729	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
2730
2731	for a in ${NSA_LO_IP6} ::1
2732	do
2733		log_start
2734		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
2735		run_cmd nettest -6 -s -I ${NSA_DEV} &
2736		sleep 1
2737		run_cmd nettest -6 -r ${a}
2738		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
2739	done
2740
2741	a=${NSA_IP6}
2742	log_start
2743	run_cmd nettest -6 -s &
2744	sleep 1
2745	run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
2746	log_test_addr ${a} $? 0 "Global server, device client, local connection"
2747
2748	for a in ${NSA_LO_IP6} ::1
2749	do
2750		log_start
2751		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
2752		run_cmd nettest -6 -s &
2753		sleep 1
2754		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2755		log_test_addr ${a} $? 1 "Global server, device client, local connection"
2756	done
2757
2758	for a in ${NSA_IP6} ${NSA_LINKIP6}
2759	do
2760		log_start
2761		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2762		sleep 1
2763		run_cmd nettest -6  -d ${NSA_DEV} -r ${a}
2764		log_test_addr ${a} $? 0 "Device server, device client, local conn"
2765	done
2766
2767	for a in ${NSA_IP6} ${NSA_LINKIP6}
2768	do
2769		log_start
2770		show_hint "Should fail 'Connection refused'"
2771		run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
2772		log_test_addr ${a} $? 1 "No server, device client, local conn"
2773	done
2774
2775	ipv6_tcp_md5_novrf
2776}
2777
2778ipv6_tcp_vrf()
2779{
2780	local a
2781
2782	# disable global server
2783	log_subsection "Global server disabled"
2784
2785	set_sysctl net.ipv4.tcp_l3mdev_accept=0
2786
2787	#
2788	# server tests
2789	#
2790	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2791	do
2792		log_start
2793		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
2794		run_cmd nettest -6 -s &
2795		sleep 1
2796		run_cmd_nsb nettest -6 -r ${a}
2797		log_test_addr ${a} $? 1 "Global server"
2798	done
2799
2800	for a in ${NSA_IP6} ${VRF_IP6}
2801	do
2802		log_start
2803		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
2804		sleep 1
2805		run_cmd_nsb nettest -6 -r ${a}
2806		log_test_addr ${a} $? 0 "VRF server"
2807	done
2808
2809	# link local is always bound to ingress device
2810	a=${NSA_LINKIP6}%${NSB_DEV}
2811	log_start
2812	run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} &
2813	sleep 1
2814	run_cmd_nsb nettest -6 -r ${a}
2815	log_test_addr ${a} $? 0 "VRF server"
2816
2817	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2818	do
2819		log_start
2820		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2821		sleep 1
2822		run_cmd_nsb nettest -6 -r ${a}
2823		log_test_addr ${a} $? 0 "Device server"
2824	done
2825
2826	# verify TCP reset received
2827	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2828	do
2829		log_start
2830		show_hint "Should fail 'Connection refused'"
2831		run_cmd_nsb nettest -6 -r ${a}
2832		log_test_addr ${a} $? 1 "No server"
2833	done
2834
2835	# local address tests
2836	a=${NSA_IP6}
2837	log_start
2838	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
2839	run_cmd nettest -6 -s &
2840	sleep 1
2841	run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2842	log_test_addr ${a} $? 1 "Global server, local connection"
2843
2844	# run MD5 tests
2845	setup_vrf_dup
2846	ipv6_tcp_md5
2847	cleanup_vrf_dup
2848
2849	#
2850	# enable VRF global server
2851	#
2852	log_subsection "VRF Global server enabled"
2853	set_sysctl net.ipv4.tcp_l3mdev_accept=1
2854
2855	for a in ${NSA_IP6} ${VRF_IP6}
2856	do
2857		log_start
2858		run_cmd nettest -6 -s -3 ${VRF} &
2859		sleep 1
2860		run_cmd_nsb nettest -6 -r ${a}
2861		log_test_addr ${a} $? 0 "Global server"
2862	done
2863
2864	for a in ${NSA_IP6} ${VRF_IP6}
2865	do
2866		log_start
2867		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
2868		sleep 1
2869		run_cmd_nsb nettest -6 -r ${a}
2870		log_test_addr ${a} $? 0 "VRF server"
2871	done
2872
2873	# For LLA, child socket is bound to device
2874	a=${NSA_LINKIP6}%${NSB_DEV}
2875	log_start
2876	run_cmd nettest -6 -s -3 ${NSA_DEV} &
2877	sleep 1
2878	run_cmd_nsb nettest -6 -r ${a}
2879	log_test_addr ${a} $? 0 "Global server"
2880
2881	log_start
2882	run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} &
2883	sleep 1
2884	run_cmd_nsb nettest -6 -r ${a}
2885	log_test_addr ${a} $? 0 "VRF server"
2886
2887	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2888	do
2889		log_start
2890		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2891		sleep 1
2892		run_cmd_nsb nettest -6 -r ${a}
2893		log_test_addr ${a} $? 0 "Device server"
2894	done
2895
2896	# verify TCP reset received
2897	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2898	do
2899		log_start
2900		show_hint "Should fail 'Connection refused'"
2901		run_cmd_nsb nettest -6 -r ${a}
2902		log_test_addr ${a} $? 1 "No server"
2903	done
2904
2905	# local address tests
2906	for a in ${NSA_IP6} ${VRF_IP6}
2907	do
2908		log_start
2909		show_hint "Fails 'Connection refused' since client is not in VRF"
2910		run_cmd nettest -6 -s -I ${VRF} &
2911		sleep 1
2912		run_cmd nettest -6 -r ${a}
2913		log_test_addr ${a} $? 1 "Global server, local connection"
2914	done
2915
2916
2917	#
2918	# client
2919	#
2920	for a in ${NSB_IP6} ${NSB_LO_IP6}
2921	do
2922		log_start
2923		run_cmd_nsb nettest -6 -s &
2924		sleep 1
2925		run_cmd nettest -6 -r ${a} -d ${VRF}
2926		log_test_addr ${a} $? 0 "Client, VRF bind"
2927	done
2928
2929	a=${NSB_LINKIP6}
2930	log_start
2931	show_hint "Fails since VRF device does not allow linklocal addresses"
2932	run_cmd_nsb nettest -6 -s &
2933	sleep 1
2934	run_cmd nettest -6 -r ${a} -d ${VRF}
2935	log_test_addr ${a} $? 1 "Client, VRF bind"
2936
2937	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}
2938	do
2939		log_start
2940		run_cmd_nsb nettest -6 -s &
2941		sleep 1
2942		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2943		log_test_addr ${a} $? 0 "Client, device bind"
2944	done
2945
2946	for a in ${NSB_IP6} ${NSB_LO_IP6}
2947	do
2948		log_start
2949		show_hint "Should fail 'Connection refused'"
2950		run_cmd nettest -6 -r ${a} -d ${VRF}
2951		log_test_addr ${a} $? 1 "No server, VRF client"
2952	done
2953
2954	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}
2955	do
2956		log_start
2957		show_hint "Should fail 'Connection refused'"
2958		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2959		log_test_addr ${a} $? 1 "No server, device client"
2960	done
2961
2962	for a in ${NSA_IP6} ${VRF_IP6} ::1
2963	do
2964		log_start
2965		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
2966		sleep 1
2967		run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
2968		log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
2969	done
2970
2971	a=${NSA_IP6}
2972	log_start
2973	run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
2974	sleep 1
2975	run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
2976	log_test_addr ${a} $? 0 "VRF server, device client, local connection"
2977
2978	a=${NSA_IP6}
2979	log_start
2980	show_hint "Should fail since unbound client is out of VRF scope"
2981	run_cmd nettest -6 -s -I ${VRF} &
2982	sleep 1
2983	run_cmd nettest -6 -r ${a}
2984	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"
2985
2986	log_start
2987	run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2988	sleep 1
2989	run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
2990	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"
2991
2992	for a in ${NSA_IP6} ${NSA_LINKIP6}
2993	do
2994		log_start
2995		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2996		sleep 1
2997		run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
2998		log_test_addr ${a} $? 0 "Device server, device client, local connection"
2999	done
3000}
3001
3002ipv6_tcp()
3003{
3004	log_section "IPv6/TCP"
3005	log_subsection "No VRF"
3006	setup
3007
3008	# tcp_l3mdev_accept should have no affect without VRF;
3009	# run tests with it enabled and disabled to verify
3010	log_subsection "tcp_l3mdev_accept disabled"
3011	set_sysctl net.ipv4.tcp_l3mdev_accept=0
3012	ipv6_tcp_novrf
3013	log_subsection "tcp_l3mdev_accept enabled"
3014	set_sysctl net.ipv4.tcp_l3mdev_accept=1
3015	ipv6_tcp_novrf
3016
3017	log_subsection "With VRF"
3018	setup "yes"
3019	ipv6_tcp_vrf
3020}
3021
3022################################################################################
3023# IPv6 UDP
3024
3025ipv6_udp_novrf()
3026{
3027	local a
3028
3029	#
3030	# server tests
3031	#
3032	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
3033	do
3034		log_start
3035		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3036		sleep 1
3037		run_cmd_nsb nettest -6 -D -r ${a}
3038		log_test_addr ${a} $? 0 "Global server"
3039
3040		log_start
3041		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3042		sleep 1
3043		run_cmd_nsb nettest -6 -D -r ${a}
3044		log_test_addr ${a} $? 0 "Device server"
3045	done
3046
3047	a=${NSA_LO_IP6}
3048	log_start
3049	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3050	sleep 1
3051	run_cmd_nsb nettest -6 -D -r ${a}
3052	log_test_addr ${a} $? 0 "Global server"
3053
3054	# should fail since loopback address is out of scope for a device
3055	# bound server, but it does not - hence this is more documenting
3056	# behavior.
3057	#log_start
3058	#show_hint "Should fail since loopback address is out of scope"
3059	#run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3060	#sleep 1
3061	#run_cmd_nsb nettest -6 -D -r ${a}
3062	#log_test_addr ${a} $? 1 "Device server"
3063
3064	# negative test - should fail
3065	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
3066	do
3067		log_start
3068		show_hint "Should fail 'Connection refused' since there is no server"
3069		run_cmd_nsb nettest -6 -D -r ${a}
3070		log_test_addr ${a} $? 1 "No server"
3071	done
3072
3073	#
3074	# client
3075	#
3076	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
3077	do
3078		log_start
3079		run_cmd_nsb nettest -6 -D -s &
3080		sleep 1
3081		run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6}
3082		log_test_addr ${a} $? 0 "Client"
3083
3084		log_start
3085		run_cmd_nsb nettest -6 -D -s &
3086		sleep 1
3087		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6}
3088		log_test_addr ${a} $? 0 "Client, device bind"
3089
3090		log_start
3091		run_cmd_nsb nettest -6 -D -s &
3092		sleep 1
3093		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6}
3094		log_test_addr ${a} $? 0 "Client, device send via cmsg"
3095
3096		log_start
3097		run_cmd_nsb nettest -6 -D -s &
3098		sleep 1
3099		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6}
3100		log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF"
3101
3102		log_start
3103		show_hint "Should fail 'Connection refused'"
3104		run_cmd nettest -6 -D -r ${a}
3105		log_test_addr ${a} $? 1 "No server, unbound client"
3106
3107		log_start
3108		show_hint "Should fail 'Connection refused'"
3109		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
3110		log_test_addr ${a} $? 1 "No server, device client"
3111	done
3112
3113	#
3114	# local address tests
3115	#
3116	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
3117	do
3118		log_start
3119		run_cmd nettest -6 -D -s &
3120		sleep 1
3121		run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a}
3122		log_test_addr ${a} $? 0 "Global server, local connection"
3123	done
3124
3125	a=${NSA_IP6}
3126	log_start
3127	run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
3128	sleep 1
3129	run_cmd nettest -6 -D -r ${a}
3130	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
3131
3132	for a in ${NSA_LO_IP6} ::1
3133	do
3134		log_start
3135		show_hint "Should fail 'Connection refused' since address is out of device scope"
3136		run_cmd nettest -6 -s -D -I ${NSA_DEV} &
3137		sleep 1
3138		run_cmd nettest -6 -D -r ${a}
3139		log_test_addr ${a} $? 1 "Device server, local connection"
3140	done
3141
3142	a=${NSA_IP6}
3143	log_start
3144	run_cmd nettest -6 -s -D &
3145	sleep 1
3146	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3147	log_test_addr ${a} $? 0 "Global server, device client, local connection"
3148
3149	log_start
3150	run_cmd nettest -6 -s -D &
3151	sleep 1
3152	run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a}
3153	log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"
3154
3155	log_start
3156	run_cmd nettest -6 -s -D &
3157	sleep 1
3158	run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a}
3159	log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection"
3160
3161	for a in ${NSA_LO_IP6} ::1
3162	do
3163		log_start
3164		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
3165		run_cmd nettest -6 -D -s &
3166		sleep 1
3167		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
3168		log_test_addr ${a} $? 1 "Global server, device client, local connection"
3169
3170		log_start
3171		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
3172		run_cmd nettest -6 -D -s &
3173		sleep 1
3174		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C
3175		log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"
3176
3177		log_start
3178		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
3179		run_cmd nettest -6 -D -s &
3180		sleep 1
3181		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S
3182		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
3183
3184		log_start
3185		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
3186		run_cmd nettest -6 -D -s &
3187		sleep 1
3188		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -U
3189		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"
3190	done
3191
3192	a=${NSA_IP6}
3193	log_start
3194	run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} &
3195	sleep 1
3196	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a}
3197	log_test_addr ${a} $? 0 "Device server, device client, local conn"
3198
3199	log_start
3200	show_hint "Should fail 'Connection refused'"
3201	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3202	log_test_addr ${a} $? 1 "No server, device client, local conn"
3203
3204	# LLA to GUA
3205	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
3206	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
3207	log_start
3208	run_cmd nettest -6 -s -D &
3209	sleep 1
3210	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
3211	log_test $? 0 "UDP in - LLA to GUA"
3212
3213	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
3214	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
3215}
3216
3217ipv6_udp_vrf()
3218{
3219	local a
3220
3221	# disable global server
3222	log_subsection "Global server disabled"
3223	set_sysctl net.ipv4.udp_l3mdev_accept=0
3224
3225	#
3226	# server tests
3227	#
3228	for a in ${NSA_IP6} ${VRF_IP6}
3229	do
3230		log_start
3231		show_hint "Should fail 'Connection refused' since global server is disabled"
3232		run_cmd nettest -6 -D -s &
3233		sleep 1
3234		run_cmd_nsb nettest -6 -D -r ${a}
3235		log_test_addr ${a} $? 1 "Global server"
3236	done
3237
3238	for a in ${NSA_IP6} ${VRF_IP6}
3239	do
3240		log_start
3241		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3242		sleep 1
3243		run_cmd_nsb nettest -6 -D -r ${a}
3244		log_test_addr ${a} $? 0 "VRF server"
3245	done
3246
3247	for a in ${NSA_IP6} ${VRF_IP6}
3248	do
3249		log_start
3250		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3251		sleep 1
3252		run_cmd_nsb nettest -6 -D -r ${a}
3253		log_test_addr ${a} $? 0 "Enslaved device server"
3254	done
3255
3256	# negative test - should fail
3257	for a in ${NSA_IP6} ${VRF_IP6}
3258	do
3259		log_start
3260		show_hint "Should fail 'Connection refused' since there is no server"
3261		run_cmd_nsb nettest -6 -D -r ${a}
3262		log_test_addr ${a} $? 1 "No server"
3263	done
3264
3265	#
3266	# local address tests
3267	#
3268	for a in ${NSA_IP6} ${VRF_IP6}
3269	do
3270		log_start
3271		show_hint "Should fail 'Connection refused' since global server is disabled"
3272		run_cmd nettest -6 -D -s &
3273		sleep 1
3274		run_cmd nettest -6 -D -d ${VRF} -r ${a}
3275		log_test_addr ${a} $? 1 "Global server, VRF client, local conn"
3276	done
3277
3278	for a in ${NSA_IP6} ${VRF_IP6}
3279	do
3280		log_start
3281		run_cmd nettest -6 -D -I ${VRF} -s &
3282		sleep 1
3283		run_cmd nettest -6 -D -d ${VRF} -r ${a}
3284		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3285	done
3286
3287	a=${NSA_IP6}
3288	log_start
3289	show_hint "Should fail 'Connection refused' since global server is disabled"
3290	run_cmd nettest -6 -D -s &
3291	sleep 1
3292	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3293	log_test_addr ${a} $? 1 "Global server, device client, local conn"
3294
3295	log_start
3296	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3297	sleep 1
3298	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3299	log_test_addr ${a} $? 0 "VRF server, device client, local conn"
3300
3301	log_start
3302	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3303	sleep 1
3304	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3305	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
3306
3307	log_start
3308	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3309	sleep 1
3310	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3311	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
3312
3313	# disable global server
3314	log_subsection "Global server enabled"
3315	set_sysctl net.ipv4.udp_l3mdev_accept=1
3316
3317	#
3318	# server tests
3319	#
3320	for a in ${NSA_IP6} ${VRF_IP6}
3321	do
3322		log_start
3323		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3324		sleep 1
3325		run_cmd_nsb nettest -6 -D -r ${a}
3326		log_test_addr ${a} $? 0 "Global server"
3327	done
3328
3329	for a in ${NSA_IP6} ${VRF_IP6}
3330	do
3331		log_start
3332		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3333		sleep 1
3334		run_cmd_nsb nettest -6 -D -r ${a}
3335		log_test_addr ${a} $? 0 "VRF server"
3336	done
3337
3338	for a in ${NSA_IP6} ${VRF_IP6}
3339	do
3340		log_start
3341		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3342		sleep 1
3343		run_cmd_nsb nettest -6 -D -r ${a}
3344		log_test_addr ${a} $? 0 "Enslaved device server"
3345	done
3346
3347	# negative test - should fail
3348	for a in ${NSA_IP6} ${VRF_IP6}
3349	do
3350		log_start
3351		run_cmd_nsb nettest -6 -D -r ${a}
3352		log_test_addr ${a} $? 1 "No server"
3353	done
3354
3355	#
3356	# client tests
3357	#
3358	log_start
3359	run_cmd_nsb nettest -6 -D -s &
3360	sleep 1
3361	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
3362	log_test $? 0 "VRF client"
3363
3364	# negative test - should fail
3365	log_start
3366	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
3367	log_test $? 1 "No server, VRF client"
3368
3369	log_start
3370	run_cmd_nsb nettest -6 -D -s &
3371	sleep 1
3372	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
3373	log_test $? 0 "Enslaved device client"
3374
3375	# negative test - should fail
3376	log_start
3377	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
3378	log_test $? 1 "No server, enslaved device client"
3379
3380	#
3381	# local address tests
3382	#
3383	a=${NSA_IP6}
3384	log_start
3385	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3386	sleep 1
3387	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3388	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
3389
3390	#log_start
3391	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3392	sleep 1
3393	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3394	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3395
3396
3397	a=${VRF_IP6}
3398	log_start
3399	run_cmd nettest -6 -D -s -3 ${VRF} &
3400	sleep 1
3401	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3402	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
3403
3404	log_start
3405	run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} &
3406	sleep 1
3407	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3408	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3409
3410	# negative test - should fail
3411	for a in ${NSA_IP6} ${VRF_IP6}
3412	do
3413		log_start
3414		run_cmd nettest -6 -D -d ${VRF} -r ${a}
3415		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
3416	done
3417
3418	# device to global IP
3419	a=${NSA_IP6}
3420	log_start
3421	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3422	sleep 1
3423	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3424	log_test_addr ${a} $? 0 "Global server, device client, local conn"
3425
3426	log_start
3427	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3428	sleep 1
3429	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3430	log_test_addr ${a} $? 0 "VRF server, device client, local conn"
3431
3432	log_start
3433	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3434	sleep 1
3435	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3436	log_test_addr ${a} $? 0 "Device server, VRF client, local conn"
3437
3438	log_start
3439	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3440	sleep 1
3441	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3442	log_test_addr ${a} $? 0 "Device server, device client, local conn"
3443
3444	log_start
3445	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3446	log_test_addr ${a} $? 1 "No server, device client, local conn"
3447
3448
3449	# link local addresses
3450	log_start
3451	run_cmd nettest -6 -D -s &
3452	sleep 1
3453	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
3454	log_test $? 0 "Global server, linklocal IP"
3455
3456	log_start
3457	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
3458	log_test $? 1 "No server, linklocal IP"
3459
3460
3461	log_start
3462	run_cmd_nsb nettest -6 -D -s &
3463	sleep 1
3464	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
3465	log_test $? 0 "Enslaved device client, linklocal IP"
3466
3467	log_start
3468	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
3469	log_test $? 1 "No server, device client, peer linklocal IP"
3470
3471
3472	log_start
3473	run_cmd nettest -6 -D -s &
3474	sleep 1
3475	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
3476	log_test $? 0 "Enslaved device client, local conn - linklocal IP"
3477
3478	log_start
3479	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
3480	log_test $? 1 "No server, device client, local conn  - linklocal IP"
3481
3482	# LLA to GUA
3483	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
3484	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
3485	log_start
3486	run_cmd nettest -6 -s -D &
3487	sleep 1
3488	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
3489	log_test $? 0 "UDP in - LLA to GUA"
3490
3491	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
3492	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
3493}
3494
3495ipv6_udp()
3496{
3497        # should not matter, but set to known state
3498        set_sysctl net.ipv4.udp_early_demux=1
3499
3500        log_section "IPv6/UDP"
3501        log_subsection "No VRF"
3502        setup
3503
3504        # udp_l3mdev_accept should have no affect without VRF;
3505        # run tests with it enabled and disabled to verify
3506        log_subsection "udp_l3mdev_accept disabled"
3507        set_sysctl net.ipv4.udp_l3mdev_accept=0
3508        ipv6_udp_novrf
3509        log_subsection "udp_l3mdev_accept enabled"
3510        set_sysctl net.ipv4.udp_l3mdev_accept=1
3511        ipv6_udp_novrf
3512
3513        log_subsection "With VRF"
3514        setup "yes"
3515        ipv6_udp_vrf
3516}
3517
3518################################################################################
3519# IPv6 address bind
3520
3521ipv6_addr_bind_novrf()
3522{
3523	#
3524	# raw socket
3525	#
3526	for a in ${NSA_IP6} ${NSA_LO_IP6}
3527	do
3528		log_start
3529		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
3530		log_test_addr ${a} $? 0 "Raw socket bind to local address"
3531
3532		log_start
3533		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
3534		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
3535	done
3536
3537	#
3538	# raw socket with nonlocal bind
3539	#
3540	a=${NL_IP6}
3541	log_start
3542	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
3543	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"
3544
3545	#
3546	# tcp sockets
3547	#
3548	a=${NSA_IP6}
3549	log_start
3550	run_cmd nettest -6 -s -l ${a} -t1 -b
3551	log_test_addr ${a} $? 0 "TCP socket bind to local address"
3552
3553	log_start
3554	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3555	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
3556
3557	# Sadly, the kernel allows binding a socket to a device and then
3558	# binding to an address not on the device. So this test passes
3559	# when it really should not
3560	a=${NSA_LO_IP6}
3561	log_start
3562	show_hint "Tecnically should fail since address is not on device but kernel allows"
3563	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3564	log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
3565}
3566
3567ipv6_addr_bind_vrf()
3568{
3569	#
3570	# raw socket
3571	#
3572	for a in ${NSA_IP6} ${VRF_IP6}
3573	do
3574		log_start
3575		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
3576		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"
3577
3578		log_start
3579		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
3580		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
3581	done
3582
3583	a=${NSA_LO_IP6}
3584	log_start
3585	show_hint "Address on loopback is out of VRF scope"
3586	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
3587	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"
3588
3589	#
3590	# raw socket with nonlocal bind
3591	#
3592	a=${NL_IP6}
3593	log_start
3594	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${VRF} -b
3595	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"
3596
3597	#
3598	# tcp sockets
3599	#
3600	# address on enslaved device is valid for the VRF or device in a VRF
3601	for a in ${NSA_IP6} ${VRF_IP6}
3602	do
3603		log_start
3604		run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
3605		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
3606	done
3607
3608	a=${NSA_IP6}
3609	log_start
3610	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3611	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"
3612
3613	# Sadly, the kernel allows binding a socket to a device and then
3614	# binding to an address not on the device. The only restriction
3615	# is that the address is valid in the L3 domain. So this test
3616	# passes when it really should not
3617	a=${VRF_IP6}
3618	log_start
3619	show_hint "Tecnically should fail since address is not on device but kernel allows"
3620	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3621	log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind"
3622
3623	a=${NSA_LO_IP6}
3624	log_start
3625	show_hint "Address on loopback out of scope for VRF"
3626	run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
3627	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"
3628
3629	log_start
3630	show_hint "Address on loopback out of scope for device in VRF"
3631	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3632	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
3633
3634}
3635
3636ipv6_addr_bind()
3637{
3638	log_section "IPv6 address binds"
3639
3640	log_subsection "No VRF"
3641	setup
3642	ipv6_addr_bind_novrf
3643
3644	log_subsection "With VRF"
3645	setup "yes"
3646	ipv6_addr_bind_vrf
3647}
3648
3649################################################################################
3650# IPv6 runtime tests
3651
3652ipv6_rt()
3653{
3654	local desc="$1"
3655	local varg="-6 $2"
3656	local with_vrf="yes"
3657	local a
3658
3659	#
3660	# server tests
3661	#
3662	for a in ${NSA_IP6} ${VRF_IP6}
3663	do
3664		log_start
3665		run_cmd nettest ${varg} -s &
3666		sleep 1
3667		run_cmd_nsb nettest ${varg} -r ${a} &
3668		sleep 3
3669		run_cmd ip link del ${VRF}
3670		sleep 1
3671		log_test_addr ${a} 0 0 "${desc}, global server"
3672
3673		setup ${with_vrf}
3674	done
3675
3676	for a in ${NSA_IP6} ${VRF_IP6}
3677	do
3678		log_start
3679		run_cmd nettest ${varg} -I ${VRF} -s &
3680		sleep 1
3681		run_cmd_nsb nettest ${varg} -r ${a} &
3682		sleep 3
3683		run_cmd ip link del ${VRF}
3684		sleep 1
3685		log_test_addr ${a} 0 0 "${desc}, VRF server"
3686
3687		setup ${with_vrf}
3688	done
3689
3690	for a in ${NSA_IP6} ${VRF_IP6}
3691	do
3692		log_start
3693		run_cmd nettest ${varg} -I ${NSA_DEV} -s &
3694		sleep 1
3695		run_cmd_nsb nettest ${varg} -r ${a} &
3696		sleep 3
3697		run_cmd ip link del ${VRF}
3698		sleep 1
3699		log_test_addr ${a} 0 0 "${desc}, enslaved device server"
3700
3701		setup ${with_vrf}
3702	done
3703
3704	#
3705	# client test
3706	#
3707	log_start
3708	run_cmd_nsb nettest ${varg} -s &
3709	sleep 1
3710	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
3711	sleep 3
3712	run_cmd ip link del ${VRF}
3713	sleep 1
3714	log_test  0 0 "${desc}, VRF client"
3715
3716	setup ${with_vrf}
3717
3718	log_start
3719	run_cmd_nsb nettest ${varg} -s &
3720	sleep 1
3721	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
3722	sleep 3
3723	run_cmd ip link del ${VRF}
3724	sleep 1
3725	log_test  0 0 "${desc}, enslaved device client"
3726
3727	setup ${with_vrf}
3728
3729
3730	#
3731	# local address tests
3732	#
3733	for a in ${NSA_IP6} ${VRF_IP6}
3734	do
3735		log_start
3736		run_cmd nettest ${varg} -s &
3737		sleep 1
3738		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
3739		sleep 3
3740		run_cmd ip link del ${VRF}
3741		sleep 1
3742		log_test_addr ${a} 0 0 "${desc}, global server, VRF client"
3743
3744		setup ${with_vrf}
3745	done
3746
3747	for a in ${NSA_IP6} ${VRF_IP6}
3748	do
3749		log_start
3750		run_cmd nettest ${varg} -I ${VRF} -s &
3751		sleep 1
3752		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
3753		sleep 3
3754		run_cmd ip link del ${VRF}
3755		sleep 1
3756		log_test_addr ${a} 0 0 "${desc}, VRF server and client"
3757
3758		setup ${with_vrf}
3759	done
3760
3761	a=${NSA_IP6}
3762	log_start
3763	run_cmd nettest ${varg} -s &
3764	sleep 1
3765	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3766	sleep 3
3767	run_cmd ip link del ${VRF}
3768	sleep 1
3769	log_test_addr ${a} 0 0 "${desc}, global server, device client"
3770
3771	setup ${with_vrf}
3772
3773	log_start
3774	run_cmd nettest ${varg} -I ${VRF} -s &
3775	sleep 1
3776	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3777	sleep 3
3778	run_cmd ip link del ${VRF}
3779	sleep 1
3780	log_test_addr ${a} 0 0 "${desc}, VRF server, device client"
3781
3782	setup ${with_vrf}
3783
3784	log_start
3785	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
3786	sleep 1
3787	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3788	sleep 3
3789	run_cmd ip link del ${VRF}
3790	sleep 1
3791	log_test_addr ${a} 0 0 "${desc}, device server, device client"
3792}
3793
3794ipv6_ping_rt()
3795{
3796	local with_vrf="yes"
3797	local a
3798
3799	a=${NSA_IP6}
3800	log_start
3801	run_cmd_nsb ${ping6} -f ${a} &
3802	sleep 3
3803	run_cmd ip link del ${VRF}
3804	sleep 1
3805	log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"
3806
3807	setup ${with_vrf}
3808
3809	log_start
3810	run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
3811	sleep 1
3812	run_cmd ip link del ${VRF}
3813	sleep 1
3814	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
3815}
3816
3817ipv6_runtime()
3818{
3819	log_section "Run time tests - ipv6"
3820
3821	setup "yes"
3822	ipv6_ping_rt
3823
3824	setup "yes"
3825	ipv6_rt "TCP active socket"  "-n -1"
3826
3827	setup "yes"
3828	ipv6_rt "TCP passive socket" "-i"
3829
3830	setup "yes"
3831	ipv6_rt "UDP active socket"  "-D -n -1"
3832}
3833
3834################################################################################
3835# netfilter blocking connections
3836
3837netfilter_tcp_reset()
3838{
3839	local a
3840
3841	for a in ${NSA_IP} ${VRF_IP}
3842	do
3843		log_start
3844		run_cmd nettest -s &
3845		sleep 1
3846		run_cmd_nsb nettest -r ${a}
3847		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
3848	done
3849}
3850
3851netfilter_icmp()
3852{
3853	local stype="$1"
3854	local arg
3855	local a
3856
3857	[ "${stype}" = "UDP" ] && arg="-D"
3858
3859	for a in ${NSA_IP} ${VRF_IP}
3860	do
3861		log_start
3862		run_cmd nettest ${arg} -s &
3863		sleep 1
3864		run_cmd_nsb nettest ${arg} -r ${a}
3865		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
3866	done
3867}
3868
3869ipv4_netfilter()
3870{
3871	log_section "IPv4 Netfilter"
3872	log_subsection "TCP reset"
3873
3874	setup "yes"
3875	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset
3876
3877	netfilter_tcp_reset
3878
3879	log_start
3880	log_subsection "ICMP unreachable"
3881
3882	log_start
3883	run_cmd iptables -F
3884	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
3885	run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
3886
3887	netfilter_icmp "TCP"
3888	netfilter_icmp "UDP"
3889
3890	log_start
3891	iptables -F
3892}
3893
3894netfilter_tcp6_reset()
3895{
3896	local a
3897
3898	for a in ${NSA_IP6} ${VRF_IP6}
3899	do
3900		log_start
3901		run_cmd nettest -6 -s &
3902		sleep 1
3903		run_cmd_nsb nettest -6 -r ${a}
3904		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
3905	done
3906}
3907
3908netfilter_icmp6()
3909{
3910	local stype="$1"
3911	local arg
3912	local a
3913
3914	[ "${stype}" = "UDP" ] && arg="$arg -D"
3915
3916	for a in ${NSA_IP6} ${VRF_IP6}
3917	do
3918		log_start
3919		run_cmd nettest -6 -s ${arg} &
3920		sleep 1
3921		run_cmd_nsb nettest -6 ${arg} -r ${a}
3922		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
3923	done
3924}
3925
3926ipv6_netfilter()
3927{
3928	log_section "IPv6 Netfilter"
3929	log_subsection "TCP reset"
3930
3931	setup "yes"
3932	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset
3933
3934	netfilter_tcp6_reset
3935
3936	log_subsection "ICMP unreachable"
3937
3938	log_start
3939	run_cmd ip6tables -F
3940	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
3941	run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
3942
3943	netfilter_icmp6 "TCP"
3944	netfilter_icmp6 "UDP"
3945
3946	log_start
3947	ip6tables -F
3948}
3949
3950################################################################################
3951# specific use cases
3952
3953# VRF only.
3954# ns-A device enslaved to bridge. Verify traffic with and without
3955# br_netfilter module loaded. Repeat with SVI on bridge.
3956use_case_br()
3957{
3958	setup "yes"
3959
3960	setup_cmd ip link set ${NSA_DEV} down
3961	setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
3962	setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64
3963
3964	setup_cmd ip link add br0 type bridge
3965	setup_cmd ip addr add dev br0 ${NSA_IP}/24
3966	setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad
3967
3968	setup_cmd ip li set ${NSA_DEV} master br0
3969	setup_cmd ip li set ${NSA_DEV} up
3970	setup_cmd ip li set br0 up
3971	setup_cmd ip li set br0 vrf ${VRF}
3972
3973	rmmod br_netfilter 2>/dev/null
3974	sleep 5 # DAD
3975
3976	run_cmd ip neigh flush all
3977	run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
3978	log_test $? 0 "Bridge into VRF - IPv4 ping out"
3979
3980	run_cmd ip neigh flush all
3981	run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
3982	log_test $? 0 "Bridge into VRF - IPv6 ping out"
3983
3984	run_cmd ip neigh flush all
3985	run_cmd_nsb ping -c1 -w1 ${NSA_IP}
3986	log_test $? 0 "Bridge into VRF - IPv4 ping in"
3987
3988	run_cmd ip neigh flush all
3989	run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
3990	log_test $? 0 "Bridge into VRF - IPv6 ping in"
3991
3992	modprobe br_netfilter
3993	if [ $? -eq 0 ]; then
3994		run_cmd ip neigh flush all
3995		run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
3996		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out"
3997
3998		run_cmd ip neigh flush all
3999		run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
4000		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out"
4001
4002		run_cmd ip neigh flush all
4003		run_cmd_nsb ping -c1 -w1 ${NSA_IP}
4004		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in"
4005
4006		run_cmd ip neigh flush all
4007		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
4008		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in"
4009	fi
4010
4011	setup_cmd ip li set br0 nomaster
4012	setup_cmd ip li add br0.100 link br0 type vlan id 100
4013	setup_cmd ip li set br0.100 vrf ${VRF} up
4014	setup_cmd ip    addr add dev br0.100 172.16.101.1/24
4015	setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad
4016
4017	setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
4018	setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
4019	setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
4020	setup_cmd_nsb ip li set vlan100 up
4021	sleep 1
4022
4023	rmmod br_netfilter 2>/dev/null
4024
4025	run_cmd ip neigh flush all
4026	run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
4027	log_test $? 0 "Bridge vlan into VRF - IPv4 ping out"
4028
4029	run_cmd ip neigh flush all
4030	run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
4031	log_test $? 0 "Bridge vlan into VRF - IPv6 ping out"
4032
4033	run_cmd ip neigh flush all
4034	run_cmd_nsb ping -c1 -w1 172.16.101.1
4035	log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"
4036
4037	run_cmd ip neigh flush all
4038	run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
4039	log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"
4040
4041	modprobe br_netfilter
4042	if [ $? -eq 0 ]; then
4043		run_cmd ip neigh flush all
4044		run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
4045		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out"
4046
4047		run_cmd ip neigh flush all
4048		run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
4049		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out"
4050
4051		run_cmd ip neigh flush all
4052		run_cmd_nsb ping -c1 -w1 172.16.101.1
4053		log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"
4054
4055		run_cmd ip neigh flush all
4056		run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
4057		log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"
4058	fi
4059
4060	setup_cmd ip li del br0 2>/dev/null
4061	setup_cmd_nsb ip li del vlan100 2>/dev/null
4062}
4063
4064# VRF only.
4065# ns-A device is connected to both ns-B and ns-C on a single VRF but only has
4066# LLA on the interfaces
4067use_case_ping_lla_multi()
4068{
4069	setup_lla_only
4070	# only want reply from ns-A
4071	setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
4072	setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
4073
4074	log_start
4075	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
4076	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B"
4077
4078	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
4079	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C"
4080
4081	# cycle/flap the first ns-A interface
4082	setup_cmd ip link set ${NSA_DEV} down
4083	setup_cmd ip link set ${NSA_DEV} up
4084	sleep 1
4085
4086	log_start
4087	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
4088	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B"
4089	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
4090	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C"
4091
4092	# cycle/flap the second ns-A interface
4093	setup_cmd ip link set ${NSA_DEV2} down
4094	setup_cmd ip link set ${NSA_DEV2} up
4095	sleep 1
4096
4097	log_start
4098	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
4099	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B"
4100	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
4101	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C"
4102}
4103
4104# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully
4105# established with ns-B.
4106use_case_snat_on_vrf()
4107{
4108	setup "yes"
4109
4110	local port="12345"
4111
4112	run_cmd iptables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
4113	run_cmd ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
4114
4115	run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} &
4116	sleep 1
4117	run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port}
4118	log_test $? 0 "IPv4 TCP connection over VRF with SNAT"
4119
4120	run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} &
4121	sleep 1
4122	run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port}
4123	log_test $? 0 "IPv6 TCP connection over VRF with SNAT"
4124
4125	# Cleanup
4126	run_cmd iptables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
4127	run_cmd ip6tables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
4128}
4129
4130use_cases()
4131{
4132	log_section "Use cases"
4133	log_subsection "Device enslaved to bridge"
4134	use_case_br
4135	log_subsection "Ping LLA with multiple interfaces"
4136	use_case_ping_lla_multi
4137	log_subsection "SNAT on VRF"
4138	use_case_snat_on_vrf
4139}
4140
4141################################################################################
4142# usage
4143
4144usage()
4145{
4146	cat <<EOF
4147usage: ${0##*/} OPTS
4148
4149	-4          IPv4 tests only
4150	-6          IPv6 tests only
4151	-t <test>   Test name/set to run
4152	-p          Pause on fail
4153	-P          Pause after each test
4154	-v          Be verbose
4155
4156Tests:
4157	$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER
4158EOF
4159}
4160
4161################################################################################
4162# main
4163
4164TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter"
4165TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter"
4166TESTS_OTHER="use_cases"
4167
4168PAUSE_ON_FAIL=no
4169PAUSE=no
4170
4171while getopts :46t:pPvh o
4172do
4173	case $o in
4174		4) TESTS=ipv4;;
4175		6) TESTS=ipv6;;
4176		t) TESTS=$OPTARG;;
4177		p) PAUSE_ON_FAIL=yes;;
4178		P) PAUSE=yes;;
4179		v) VERBOSE=1;;
4180		h) usage; exit 0;;
4181		*) usage; exit 1;;
4182	esac
4183done
4184
4185# make sure we don't pause twice
4186[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no
4187
4188#
4189# show user test config
4190#
4191if [ -z "$TESTS" ]; then
4192	TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
4193elif [ "$TESTS" = "ipv4" ]; then
4194	TESTS="$TESTS_IPV4"
4195elif [ "$TESTS" = "ipv6" ]; then
4196	TESTS="$TESTS_IPV6"
4197fi
4198
4199which nettest >/dev/null
4200if [ $? -ne 0 ]; then
4201	echo "'nettest' command not found; skipping tests"
4202	exit $ksft_skip
4203fi
4204
4205declare -i nfail=0
4206declare -i nsuccess=0
4207
4208for t in $TESTS
4209do
4210	case $t in
4211	ipv4_ping|ping)  ipv4_ping;;
4212	ipv4_tcp|tcp)    ipv4_tcp;;
4213	ipv4_udp|udp)    ipv4_udp;;
4214	ipv4_bind|bind)  ipv4_addr_bind;;
4215	ipv4_runtime)    ipv4_runtime;;
4216	ipv4_netfilter)  ipv4_netfilter;;
4217
4218	ipv6_ping|ping6) ipv6_ping;;
4219	ipv6_tcp|tcp6)   ipv6_tcp;;
4220	ipv6_udp|udp6)   ipv6_udp;;
4221	ipv6_bind|bind6) ipv6_addr_bind;;
4222	ipv6_runtime)    ipv6_runtime;;
4223	ipv6_netfilter)  ipv6_netfilter;;
4224
4225	use_cases)       use_cases;;
4226
4227	# setup namespaces and config, but do not run any tests
4228	setup)		 setup; exit 0;;
4229	vrf_setup)	 setup "yes"; exit 0;;
4230	esac
4231done
4232
4233cleanup 2>/dev/null
4234
4235printf "\nTests passed: %3d\n" ${nsuccess}
4236printf "Tests failed: %3d\n"   ${nfail}
4237
4238if [ $nfail -ne 0 ]; then
4239	exit 1 # KSFT_FAIL
4240elif [ $nsuccess -eq 0 ]; then
4241	exit $ksft_skip
4242fi
4243
4244exit 0 # KSFT_PASS
4245