#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
#
# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
# for various permutations:
#   1. icmp, tcp, udp and netfilter
#   2. client, server, no-server
#   3. global address on interface
#   4. global address on 'lo'
#   5. remote and local traffic
#   6. VRF and non-VRF permutations
#
# Setup:
#                     ns-A     |     ns-B
# No VRF case:
#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
#                                                remote address
# VRF case:
#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
#
# ns-A:
#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
#       lo: 127.0.0.1/8, ::1/128
#           172.16.2.1/32, 2001:db8:2::1/128
#      red: 127.0.0.1/8, ::1/128
#           172.16.3.1/32, 2001:db8:3::1/128
#
# ns-B:
#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
#       lo: 127.0.0.1/8, ::1/128
#           172.16.2.2/32, 2001:db8:2::2/128
#
# ns-A to ns-C connection - only for VRF and same config
# as ns-A to ns-B
#
# server / client nomenclature relative to ns-A

# Kselftest framework requirement - SKIP code is 4.
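ksft_skip=4

VERBOSE=0

NSA_DEV=eth1
NSA_DEV2=eth2
NSB_DEV=eth1
NSC_DEV=eth2
VRF=red
VRF_TABLE=1101

# IPv4 config
NSA_IP=172.16.1.1
NSB_IP=172.16.1.2
VRF_IP=172.16.3.1
NS_NET=172.16.1.0/24

# IPv6 config
NSA_IP6=2001:db8:1::1
NSB_IP6=2001:db8:1::2
VRF_IP6=2001:db8:3::1
NS_NET6=2001:db8:1::/120

NSA_LO_IP=172.16.2.1
NSB_LO_IP=172.16.2.2
NSA_LO_IP6=2001:db8:2::1
NSB_LO_IP6=2001:db8:2::2

# Fixture keys for the TCP MD5 signature tests. They are not secrets: the
# tests hand them to nettest as command-line arguments, and the "wrong" key
# differs from the good one only by a trailing character.
MD5_PW=abc123
MD5_WRONG_PW=abc1234

MCAST=ff02::1
# set after namespace create
NSA_LINKIP6=
NSB_LINKIP6=

NSA=ns-A
NSB=ns-B
NSC=ns-C

# Command prefixes; expanded unquoted on purpose so they split into words.
NSA_CMD="ip netns exec ${NSA}"
NSB_CMD="ip netns exec ${NSB}"
NSC_CMD="ip netns exec ${NSC}"

# Prefer a dedicated ping6 binary, fall back to ping. 'command -v' is the
# portable lookup; an explicit if/else avoids the 'a && b || c' pitfall
# where c also runs when b fails.
if command -v ping6 > /dev/null 2>&1; then
	ping6=$(command -v ping6)
else
	ping6=$(command -v ping)
fi

################################################################################
# utilities

# Record one test result and print a TEST line.
#   $1 - actual return code
#   $2 - expected return code
#   $3 - test description
# Updates the global counters nsuccess / nfail, honours PAUSE and
# PAUSE_ON_FAIL, and finishes by killing leftover test processes.
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"
	# The prompt answer needs its own local: bash scoping is dynamic, so a
	# bare 'read a' here would overwrite the caller's loop variable 'a'
	# (the test functions iterate with 'for a in ...' and keep using ${a}
	# after calling log_test_addr).
	local answer

	[ "${VERBOSE}" = "1" ] && echo

	if [ "${rc}" -eq "${expected}" ]; then
		nsuccess=$((nsuccess+1))
		printf "TEST: %-70s [ OK ]\n" "${msg}"
	else
		nfail=$((nfail+1))
		printf "TEST: %-70s [FAIL]\n" "${msg}"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue, 'q' to quit"
			read -r answer
			[ "$answer" = "q" ] && exit 1
		fi
	fi

	if [ "${PAUSE}" = "yes" ]; then
		echo
		echo "hit enter to continue, 'q' to quit"
		read -r answer
		[ "$answer" = "q" ] && exit 1
	fi

	kill_procs
}

# Like log_test, but appends a readable name for the address under test.
#   $1 - address, $2 - actual rc, $3 - expected rc, $4 - description
log_test_addr()
{
	local addr=$1
	local rc=$2
	local expected=$3
	local msg="$4"
	local astr

	astr=$(addr2str "${addr}")
	log_test "$rc" "$expected" "$msg - ${astr}"
}

# Print a top-level section banner.
log_section()
{
	echo
	echo "###########################################################################"
	echo "$*"
	echo "###########################################################################"
	echo
}

# Print a subsection banner.
log_subsection()
{
	echo
	echo "#################################################################"
	echo "$*"
	echo
}

# Start a test case: stop stale test processes and, when verbose, print a
# separator.
log_start()
{
	# make sure we have no test instances running
	kill_procs

	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "#######################################################"
	fi
}

# Print a message only in verbose mode.
log_debug()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "$*"
		echo
	fi
}

# Print a "HINT:" line only in verbose mode.
show_hint()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo "HINT: $*"
		echo
	fi
}

# Stop every nettest / ping / ping6 process, then wait a second.
# NOTE(review): killall selects by process name and is not confined to the
# test namespaces, so unrelated ping or nettest processes on the machine
# that the caller may signal are terminated too; run the suite on a
# dedicated test host or VM.
kill_procs()
{
	killall nettest ping ping6 >/dev/null 2>&1
	sleep 1
}

# Run a command given as words, capturing stdout and stderr.
# Prints the command and its output in verbose mode; returns its status.
# The command string is expanded unquoted on purpose: callers pass
# prefixes such as "ip netns exec ns-A" that must split into words.
# 'rc' is left global as in the original - callers outside this view may
# read it; TODO confirm before making it local.
do_run_cmd()
{
	local cmd="$*"
	local out

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${cmd}"
	fi

	out=$($cmd 2>&1)
	rc=$?
	# two tests joined with && instead of the obsolescent, ambiguous '-a'
	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		echo "$out"
	fi

	return $rc
}

# Run a command inside ns-A.
run_cmd()
{
	do_run_cmd ${NSA_CMD} $*
}

# Run a command inside ns-B.
run_cmd_nsb()
{
	do_run_cmd ${NSB_CMD} $*
}

# Run a command inside ns-C.
run_cmd_nsc()
{
	do_run_cmd ${NSC_CMD} $*
}

# Shared failure path for the setup_cmd* helpers: report the failed
# command, optionally pause, then exit the script with the command status.
#   $1 - command string, $2 - its return code
_setup_cmd_failed()
{
	local cmd="$1"
	local rc=$2
	local answer

	# show user the command if not done so already
	if [ "$VERBOSE" = "0" ]; then
		echo "setup command: $cmd"
	fi
	echo "failed. stopping tests"
	if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
		echo
		echo "hit enter to continue"
		read -r answer
	fi
	exit $rc
}

# Run a setup command in ns-A; any failure stops the whole test run.
setup_cmd()
{
	local cmd="$*"
	local rc

	run_cmd ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		_setup_cmd_failed "$cmd" $rc
	fi
}

# Run a setup command in ns-B; any failure stops the whole test run.
setup_cmd_nsb()
{
	local cmd="$*"
	local rc

	run_cmd_nsb ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		_setup_cmd_failed "$cmd" $rc
	fi
}

# Run a setup command in ns-C; any failure stops the whole test run.
setup_cmd_nsc()
{
	local cmd="$*"
	local rc

	run_cmd_nsc ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		_setup_cmd_failed "$cmd" $rc
	fi
}

# set sysctl values in NS-A
set_sysctl()
{
	echo "SYSCTL: $*"
	echo
	run_cmd sysctl -q -w $*
}

# get sysctl values in NS-A
get_sysctl()
{
	${NSA_CMD} sysctl -n $*
}

################################################################################
# Setup for tests

# Map an address used by the tests to a short description for TEST lines.
# The link-local entries only match once NSA_LINKIP6 / NSB_LINKIP6 have
# been filled in by setup.
addr2str()
{
	case "$1" in
	127.0.0.1) echo "loopback";;
	::1) echo "IPv6 loopback";;

	${NSA_IP}) echo "ns-A IP";;
	${NSA_IP6}) echo "ns-A IPv6";;
	${NSA_LO_IP}) echo "ns-A loopback IP";;
	${NSA_LO_IP6}) echo "ns-A loopback IPv6";;
	${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;

	${NSB_IP}) echo "ns-B IP";;
	${NSB_IP6}) echo "ns-B IPv6";;
	${NSB_LO_IP}) echo "ns-B loopback IP";;
	${NSB_LO_IP6}) echo "ns-B loopback IPv6";;
	${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;

	${VRF_IP}) echo "VRF IP";;
	${VRF_IP6}) echo "VRF IPv6";;

	${MCAST}%*) echo "multicast IP";;

	*) echo "unknown";;
	esac
}

# Print the fe80:: link-local address of a device, without prefix length.
#   $1 - namespace, $2 - device
# Returns 1 and prints nothing when the device has no such address.
get_linklocal()
{
	local ns=$1
	local dev=$2
	local addr

	addr=$(ip -netns ${ns} -6 -br addr show dev ${dev} | \
	awk '{
		for (i = 3; i <= NF; ++i) {
			if ($i ~ /^fe80/)
				print $i
		}
	}'
	)
	# drop everything from the first '/' on (the prefix length)
	addr=${addr/\/*}

	[ -z "$addr" ] && return 1

	echo "$addr"

	return 0
}

################################################################################
# create namespaces and vrf

# Create a VRF device in a namespace.
#   $1 - namespace, $2 - VRF name, $3 - routing table id
#   $4 - IPv4 address or "-" for none, $5 - IPv6 address or "-" for none
create_vrf()
{
	local ns=$1
	local vrf=$2
	local table=$3
	local addr=$4
	local addr6=$5

	ip -netns ${ns} link add ${vrf} type vrf table ${table}
	ip -netns ${ns} link set ${vrf} up
	# high-metric unreachable default: a lookup that misses in the VRF
	# table fails instead of continuing to other tables
	ip -netns ${ns} route add vrf ${vrf} unreachable default metric 8192
	ip -netns ${ns} -6 route add vrf ${vrf} unreachable default metric 8192

	ip -netns ${ns} addr add 127.0.0.1/8 dev ${vrf}
	ip -netns ${ns} -6 addr add ::1 dev ${vrf} nodad
	if [ "${addr}" != "-" ]; then
		ip -netns ${ns} addr add dev ${vrf} ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns ${ns} -6 addr add dev ${vrf} ${addr6}
	fi

	# move the 'local' table rule from pref 0 to 32765 so that it is
	# evaluated after the VRF (l3mdev) rule
	ip -netns ${ns} ru del pref 0
	ip -netns ${ns} ru add pref 32765 from all lookup local
	ip -netns ${ns} -6 ru del pref 0
	ip -netns ${ns} -6 ru add pref 32765 from all lookup local
}

# Create a network namespace with loopback up.
#   $1 - namespace
#   $2 - IPv4 address for lo or "-", $3 - IPv6 address for lo or "-"
# Forwarding is switched on through 'ip netns exec', i.e. with the sysctl
# command running inside the new namespace.
create_ns()
{
	local ns=$1
	local addr=$2
	local addr6=$3

	ip netns add ${ns}

	ip -netns ${ns} link set lo up
	if [ "${addr}" != "-" ]; then
		ip -netns ${ns} addr add dev lo ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns ${ns} -6 addr add dev lo ${addr6}
	fi

	ip -netns ${ns} ro add unreachable default metric 8192
	ip -netns ${ns} -6 ro add unreachable default metric 8192

	ip netns exec ${ns} sysctl -qw net.ipv4.ip_forward=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.forwarding=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.forwarding=1
}

# create veth pair to connect namespaces and apply addresses.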
connect_ns()
{
	# Arguments, one group per end of the link:
	#   $1/$5 - namespace, $2/$6 - device name in that namespace
	#   $3/$7 - IPv4 address/len, $4/$8 - IPv6 address/len
	# "-" as $3 (resp. $4) skips IPv4 (resp. IPv6) addressing on both ends.
	local ns1=$1
	local ns1_dev=$2
	local ns1_addr=$3
	local ns1_addr6=$4
	local ns2=$5
	local ns2_dev=$6
	local ns2_addr=$7
	local ns2_addr6=$8

	# the peer is created as "tmp" in ns1, then moved to ns2 and renamed
	ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp
	ip -netns ${ns1} li set ${ns1_dev} up
	ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev}
	ip -netns ${ns2} li set ${ns2_dev} up

	if [ "${ns1_addr}" != "-" ]; then
		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr}
		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr}
	fi

	if [ "${ns1_addr6}" != "-" ]; then
		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6}
		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6}
	fi
}

# Tear down all three namespaces. ns-A is dismantled step by step to
# exercise those code paths; ns-B and ns-C are simply deleted.
cleanup()
{
	# explicit cleanups to check those code paths
	# NOTE(review): grep does a substring match, so any namespace whose
	# name contains "ns-A" also takes this branch - an anchored match
	# would be stricter.
	ip netns | grep -q ${NSA}
	if [ $? -eq 0 ]; then
		ip -netns ${NSA} link delete ${VRF}
		ip -netns ${NSA} ro flush table ${VRF_TABLE}

		ip -netns ${NSA} addr flush dev ${NSA_DEV}
		ip -netns ${NSA} -6 addr flush dev ${NSA_DEV}
		ip -netns ${NSA} link set dev ${NSA_DEV} down
		ip -netns ${NSA} link del dev ${NSA_DEV}

		# when the namespace has no processes xargs still runs kill
		# without arguments; the resulting error is discarded
		ip netns pids ${NSA} | xargs kill 2>/dev/null
		ip netns del ${NSA}
	fi

	ip netns pids ${NSB} | xargs kill 2>/dev/null
	ip netns del ${NSB}
	ip netns pids ${NSC} | xargs kill 2>/dev/null
	ip netns del ${NSC} >/dev/null 2>&1
}

# Undo setup_vrf_dup: remove the second ns-A link and delete ns-C.
# NOTE(review): 'ip link del' runs without -netns here, i.e. in the
# namespace of the calling shell - confirm that is intended.
cleanup_vrf_dup()
{
	ip link del ${NSA_DEV2} >/dev/null 2>&1
	ip netns pids ${NSC} | xargs kill 2>/dev/null
	ip netns del ${NSC} >/dev/null 2>&1
}

# Add ns-C, reachable from ns-A over NSA_DEV2 and addressed like ns-B.
setup_vrf_dup()
{
	# some VRF tests use ns-C which has the same config as
	# ns-B but for a device NOT in the VRF
	create_ns ${NSC} "-" "-"
	connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \
		   ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
}

# Build the ns-A / ns-B topology from scratch.
#   $1 - "yes" to put NSA_DEV into the VRF; anything else for no VRF
# Runs with 'set -e' while configuring, so the first failing command
# (including a missing link-local address) ends the script.
setup()
{
	local with_vrf=${1}

	# make sure we are starting with a clean slate
	kill_procs
	cleanup 2>/dev/null

	log_debug "Configuring network namespaces"
	set -e

	create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128
	create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128
	connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \
		   ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64

	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})

	# tell ns-A how to get to remote addresses of ns-B
	if [ "${with_vrf}" = "yes" ]; then
		create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6}

		ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
		ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
		ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}

		ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
		ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
	else
		ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
		ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
	fi


	# tell ns-B how to get to remote addresses of ns-A
	ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
	ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}

	set +e

	sleep 1
}

# Build a topology with no configured addresses: ns-A is linked to ns-B
# and ns-C, both ns-A devices are placed in the VRF, and the link-local
# address of each device is recorded.
setup_lla_only()
{
	# make sure we are starting with a clean slate
	kill_procs
	cleanup 2>/dev/null

	log_debug "Configuring network namespaces"
	set -e

	create_ns ${NSA} "-" "-"
	create_ns ${NSB} "-" "-"
	create_ns ${NSC} "-" "-"
	connect_ns ${NSA} ${NSA_DEV} "-" "-" \
		   ${NSB} ${NSB_DEV} "-" "-"
	connect_ns ${NSA} ${NSA_DEV2} "-" "-" \
		   ${NSC} ${NSC_DEV}  "-" "-"

	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
	NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV})

	create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-"
	ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
	ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF}

	set +e

	sleep 1
}

################################################################################
# IPv4

# ICMP reachability without a VRF: outbound, inbound and local pings,
# then the same paths with an ip rule or a route blocking them.
# Expected status follows ping(8): 0 reply received, 1 no reply,
# 2 other error.
ipv4_ping_novrf()
{
	local a

	#
	# out
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping out"

		log_start
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a}
		log_test_addr ${a} $? 0 "ping out, address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd_nsb ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	#
	# local traffic
	#
	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		run_cmd ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping local"
	done

	#
	# local traffic, socket bound to device
	#
	# address on device
	a=${NSA_IP}
	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 0 "ping local, device bind"

	# loopback addresses not reachable from device bind
	# fails in a really weird way though because ipv4 special cases
	# route lookups with oif set.
	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Fails since address on loopback device is out of device scope"
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 1 "ping local, device bind"
	done

	#
	# ip rule blocks reachability to remote address
	#
	# the 'local' rule is first moved from pref 0 to 32765 so that the
	# prohibit rules at pref 50/51 are evaluated ahead of it
	log_start
	setup_cmd ip rule add pref 32765 from all lookup local
	setup_cmd ip rule del pref 0 from all lookup local
	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by rule"

	# NOTE: ipv4 actually allows the lookup to fail and yet still create
	# a viable rtable if the oif (e.g., bind to device) is set, so this
	# case succeeds despite the rule
	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}

	a=${NSA_LO_IP}
	log_start
	show_hint "Response generates ICMP (or arp request is ignored) due to ip rule"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	# restore the original rule set
	[ "$VERBOSE" = "1" ] && echo
	setup_cmd ip rule del pref 32765 from all lookup local
	setup_cmd ip rule add pref 0 from all lookup local
	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit

	#
	# route blocks reachability to remote address
	#
	log_start
	setup_cmd ip route replace unreachable ${NSB_LO_IP}
	setup_cmd ip route replace unreachable ${NSB_IP}

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by route"

	# NOTE: ipv4 actually allows the lookup to fail and yet still create
	# a viable rtable if the oif (e.g., bind to device) is set, so this
	# case succeeds despite not having a route for the address
	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}

	a=${NSA_LO_IP}
	log_start
	show_hint "Response is dropped (or arp request is ignored) due to ip route"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by route"

	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip ro del ${NSB_LO_IP}

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, unreachable default route"

	# NOTE: ipv4 actually allows the lookup to fail and yet still create
	# a viable rtable if the oif (e.g., bind to device) is set, so this
	# case succeeds despite not having a route for the address
	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
}

# ICMP reachability with NSA_DEV enslaved to the VRF: pings bound to the
# VRF or to the device, then the same paths blocked by an ip rule and by
# removing the route to ns-B's loopback address.
ipv4_ping_vrf()
{
	local a

	# should default on; does not exist on older kernels
	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd ping -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping out, VRF bind"

		log_start
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a}
		log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind"

		log_start
		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a}
		log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd_nsb ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	#
	# local traffic, local address
	#
	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
	do
		log_start
		show_hint "Source address should be ${a}"
		run_cmd ping -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping local, VRF bind"
	done

	#
	# local traffic, socket bound to device
	#
	# address on device
	a=${NSA_IP}
	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 0 "ping local, device bind"

	# vrf device is out of scope
	for a in ${VRF_IP} 127.0.0.1
	do
		log_start
		show_hint "Fails since address on vrf device is out of device scope"
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 1 "ping local, device bind"
	done

	#
	# ip rule blocks address
	#
	log_start
	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 -I ${VRF} ${a}
	log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule"

	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"

	a=${NSA_LO_IP}
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	[ "$VERBOSE" = "1" ] && echo
	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit

	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP}

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 -I ${VRF} ${a}
	log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route"

	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"

	a=${NSA_LO_IP}
	log_start
	show_hint "Response lost by unreachable route"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, unreachable route"
}

# Driver for the IPv4 ping tests: the no-VRF cases run twice, with
# raw_l3mdev_accept set to 0 and then to 1, followed by the VRF cases.
# Each pass starts from a freshly built topology.
ipv4_ping()
{
	log_section "IPv4 ping"

	log_subsection "No VRF"
	setup
	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null
	ipv4_ping_novrf
	setup
	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
	ipv4_ping_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_ping_vrf
}

################################################################################
# IPv4 TCP

#
# MD5 tests without VRF
#
# Each case starts a nettest server in ns-A and connects from ns-B.
# Expected status as used below: 0 = connection established, 2 = the
# client timed out (see the hints). The negative cases matter most: a
# missing, wrong or out-of-scope key must never yield a connection.
# The -M/-m (server) and -X (client) options presumably install the
# TCP-MD5 key and the peer address or prefix it applies to - confirm
# against nettest.c.
ipv4_tcp_md5_novrf()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -s &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Prefix config, client uses wrong password"

	# client outside of prefix
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
}

#
# MD5 tests with VRF
#
# Same cases as the no-VRF variant with the server bound to the VRF,
# plus the isolation checks: when the VRF and the default VRF hold
# different keys for the same peer address or prefix, a client is only
# accepted with the key of the domain it arrives in (ns-B arrives in the
# VRF, ns-C in the default VRF). Requires setup_vrf_dup to have created
# ns-C.
ipv4_tcp_md5()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout since server does not have MD5 auth"
	run_cmd nettest -s -I ${VRF} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout since server config differs from client"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"

	# client outside of prefix
	log_start
	show_hint "Should timeout since client address is outside of prefix"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"

	#
	# duplicate config between default VRF and a VRF
	#
	# two servers run side by side: the VRF one holds MD5_PW, the
	# default-VRF one holds MD5_WRONG_PW for the same peer

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"

	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"

	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"

	#
	# negative tests
	#
	# the server runs in the foreground here; it is expected to exit
	# with status 1 by itself
	log_start
	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP}
	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET}
	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"

	test_ipv4_md5_vrf__vrf_server__no_bind_ifindex
	test_ipv4_md5_vrf__global_server__bind_ifindex0
}

# VRF-bound server with the key either left unbound or explicitly bound
# to the interface index; a client arriving in the VRF is accepted in
# both cases.
test_ipv4_md5_vrf__vrf_server__no_bind_ifindex()
{
	log_start
	show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: VRF-bound server, unbound key accepts connection"

	log_start
	show_hint "Binding both the socket and the key is not required but it works"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: VRF-bound server, bound key accepts connection"
}

# Global (non-VRF) server. A key explicitly bound to ifindex 0 must
# reject a connection arriving in the VRF (ns-B) and accept one from the
# default VRF (ns-C); an unbound key accepts both. tcp_l3mdev_accept is
# saved before the tests and restored afterwards.
test_ipv4_md5_vrf__global_server__bind_ifindex0()
{
	# This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections
	local old_tcp_l3mdev_accept
	old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept)
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection"
	log_start

	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection"

	# restore value
	set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept"
}

# TCP connectivity without a VRF: server in ns-A, client in ns-A, and
# local connections, with and without device binding. Expected status 1
# marks an immediate failure (see the hints: 'Connection refused' or
# 'No route to host'). Ends by running the no-VRF MD5 tests.
ipv4_tcp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	# verify TCP reset sent and received
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -0 ${a} -1 ${a}
		log_test_addr ${a} $? 0 "Global server, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"

	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
		run_cmd nettest -s -I ${NSA_DEV} &
		sleep 1
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s &
	sleep 1
	run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "Global server, device client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -d ${NSA_DEV} -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local connection"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "No server, device client, local conn"

	ipv4_tcp_md5_novrf
}

ipv4_tcp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"

	set_sysctl net.ipv4.tcp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server"

		log_start
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		log_start
		run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Device server"

		# verify TCP reset received
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	# local address tests
	# (${VRF_IP} and 127.0.0.1 both timeout)
	a=${NSA_IP}
	log_start
	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
	run_cmd nettest -s &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV}
	log_test_addr ${a} $? 1 "Global server, local connection"

	# run MD5 tests
	setup_vrf_dup
	ipv4_tcp_md5
	cleanup_vrf_dup

	#
	# enable VRF global server
	#
	log_subsection "VRF Global server enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		# verify TCP reset received
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	a=${NSA_IP}
	log_start
	show_hint "client socket should be bound to device"
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	# local address tests
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Should fail 'Connection refused' since client is not bound to VRF"
		run_cmd nettest -s -I ${VRF} &
		sleep 1
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server, local connection"
	done

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${VRF}
		log_test_addr ${a} $? 0 "Client, VRF bind"

		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${VRF}
		log_test_addr ${a} $? 1 "No server, VRF client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
		log_test_addr ${a} $?
0 "VRF server, VRF client, local connection" 1340 done 1341 1342 a=${NSA_IP} 1343 log_start 1344 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1345 sleep 1 1346 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a} 1347 log_test_addr ${a} $? 0 "VRF server, device client, local connection" 1348 1349 log_start 1350 show_hint "Should fail 'No route to host' since client is out of VRF scope" 1351 run_cmd nettest -s -I ${VRF} & 1352 sleep 1 1353 run_cmd nettest -r ${a} 1354 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection" 1355 1356 log_start 1357 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1358 sleep 1 1359 run_cmd nettest -r ${a} -d ${VRF} -0 ${a} 1360 log_test_addr ${a} $? 0 "Device server, VRF client, local connection" 1361 1362 log_start 1363 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1364 sleep 1 1365 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a} 1366 log_test_addr ${a} $? 0 "Device server, device client, local connection" 1367} 1368 1369ipv4_tcp() 1370{ 1371 log_section "IPv4/TCP" 1372 log_subsection "No VRF" 1373 setup 1374 1375 # tcp_l3mdev_accept should have no affect without VRF; 1376 # run tests with it enabled and disabled to verify 1377 log_subsection "tcp_l3mdev_accept disabled" 1378 set_sysctl net.ipv4.tcp_l3mdev_accept=0 1379 ipv4_tcp_novrf 1380 log_subsection "tcp_l3mdev_accept enabled" 1381 set_sysctl net.ipv4.tcp_l3mdev_accept=1 1382 ipv4_tcp_novrf 1383 1384 log_subsection "With VRF" 1385 setup "yes" 1386 ipv4_tcp_vrf 1387} 1388 1389################################################################################ 1390# IPv4 UDP 1391 1392ipv4_udp_novrf() 1393{ 1394 local a 1395 1396 # 1397 # server tests 1398 # 1399 for a in ${NSA_IP} ${NSA_LO_IP} 1400 do 1401 log_start 1402 run_cmd nettest -D -s -3 ${NSA_DEV} & 1403 sleep 1 1404 run_cmd_nsb nettest -D -r ${a} 1405 log_test_addr ${a} $? 
0 "Global server" 1406 1407 log_start 1408 show_hint "Should fail 'Connection refused' since there is no server" 1409 run_cmd_nsb nettest -D -r ${a} 1410 log_test_addr ${a} $? 1 "No server" 1411 done 1412 1413 a=${NSA_IP} 1414 log_start 1415 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1416 sleep 1 1417 run_cmd_nsb nettest -D -r ${a} 1418 log_test_addr ${a} $? 0 "Device server" 1419 1420 # 1421 # client 1422 # 1423 for a in ${NSB_IP} ${NSB_LO_IP} 1424 do 1425 log_start 1426 run_cmd_nsb nettest -D -s & 1427 sleep 1 1428 run_cmd nettest -D -r ${a} -0 ${NSA_IP} 1429 log_test_addr ${a} $? 0 "Client" 1430 1431 log_start 1432 run_cmd_nsb nettest -D -s & 1433 sleep 1 1434 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP} 1435 log_test_addr ${a} $? 0 "Client, device bind" 1436 1437 log_start 1438 run_cmd_nsb nettest -D -s & 1439 sleep 1 1440 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP} 1441 log_test_addr ${a} $? 0 "Client, device send via cmsg" 1442 1443 log_start 1444 run_cmd_nsb nettest -D -s & 1445 sleep 1 1446 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} 1447 log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF" 1448 1449 log_start 1450 show_hint "Should fail 'Connection refused'" 1451 run_cmd nettest -D -r ${a} 1452 log_test_addr ${a} $? 1 "No server, unbound client" 1453 1454 log_start 1455 show_hint "Should fail 'Connection refused'" 1456 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1457 log_test_addr ${a} $? 1 "No server, device client" 1458 done 1459 1460 # 1461 # local address tests 1462 # 1463 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1464 do 1465 log_start 1466 run_cmd nettest -D -s & 1467 sleep 1 1468 run_cmd nettest -D -r ${a} -0 ${a} -1 ${a} 1469 log_test_addr ${a} $? 0 "Global server, local connection" 1470 done 1471 1472 a=${NSA_IP} 1473 log_start 1474 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1475 sleep 1 1476 run_cmd nettest -D -r ${a} 1477 log_test_addr ${a} $? 
0 "Device server, unbound client, local connection" 1478 1479 for a in ${NSA_LO_IP} 127.0.0.1 1480 do 1481 log_start 1482 show_hint "Should fail 'Connection refused' since address is out of device scope" 1483 run_cmd nettest -s -D -I ${NSA_DEV} & 1484 sleep 1 1485 run_cmd nettest -D -r ${a} 1486 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 1487 done 1488 1489 a=${NSA_IP} 1490 log_start 1491 run_cmd nettest -s -D & 1492 sleep 1 1493 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1494 log_test_addr ${a} $? 0 "Global server, device client, local connection" 1495 1496 log_start 1497 run_cmd nettest -s -D & 1498 sleep 1 1499 run_cmd nettest -D -d ${NSA_DEV} -C -r ${a} 1500 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 1501 1502 log_start 1503 run_cmd nettest -s -D & 1504 sleep 1 1505 run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} 1506 log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection" 1507 1508 # IPv4 with device bind has really weird behavior - it overrides the 1509 # fib lookup, generates an rtable and tries to send the packet. This 1510 # causes failures for local traffic at different places 1511 for a in ${NSA_LO_IP} 127.0.0.1 1512 do 1513 log_start 1514 show_hint "Should fail since addresses on loopback are out of device scope" 1515 run_cmd nettest -D -s & 1516 sleep 1 1517 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1518 log_test_addr ${a} $? 2 "Global server, device client, local connection" 1519 1520 log_start 1521 show_hint "Should fail since addresses on loopback are out of device scope" 1522 run_cmd nettest -D -s & 1523 sleep 1 1524 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C 1525 log_test_addr ${a} $? 
1 "Global server, device send via cmsg, local connection" 1526 1527 log_start 1528 show_hint "Should fail since addresses on loopback are out of device scope" 1529 run_cmd nettest -D -s & 1530 sleep 1 1531 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S 1532 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 1533 done 1534 1535 a=${NSA_IP} 1536 log_start 1537 run_cmd nettest -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1538 sleep 1 1539 run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a} 1540 log_test_addr ${a} $? 0 "Device server, device client, local conn" 1541 1542 log_start 1543 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1544 log_test_addr ${a} $? 2 "No server, device client, local conn" 1545} 1546 1547ipv4_udp_vrf() 1548{ 1549 local a 1550 1551 # disable global server 1552 log_subsection "Global server disabled" 1553 set_sysctl net.ipv4.udp_l3mdev_accept=0 1554 1555 # 1556 # server tests 1557 # 1558 for a in ${NSA_IP} ${VRF_IP} 1559 do 1560 log_start 1561 show_hint "Fails because ingress is in a VRF and global server is disabled" 1562 run_cmd nettest -D -s & 1563 sleep 1 1564 run_cmd_nsb nettest -D -r ${a} 1565 log_test_addr ${a} $? 1 "Global server" 1566 1567 log_start 1568 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} & 1569 sleep 1 1570 run_cmd_nsb nettest -D -r ${a} 1571 log_test_addr ${a} $? 0 "VRF server" 1572 1573 log_start 1574 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1575 sleep 1 1576 run_cmd_nsb nettest -D -r ${a} 1577 log_test_addr ${a} $? 0 "Enslaved device server" 1578 1579 log_start 1580 show_hint "Should fail 'Connection refused' since there is no server" 1581 run_cmd_nsb nettest -D -r ${a} 1582 log_test_addr ${a} $? 1 "No server" 1583 1584 log_start 1585 show_hint "Should fail 'Connection refused' since global server is out of scope" 1586 run_cmd nettest -D -s & 1587 sleep 1 1588 run_cmd nettest -D -d ${VRF} -r ${a} 1589 log_test_addr ${a} $? 
1 "Global server, VRF client, local connection" 1590 done 1591 1592 a=${NSA_IP} 1593 log_start 1594 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1595 sleep 1 1596 run_cmd nettest -D -d ${VRF} -r ${a} 1597 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1598 1599 log_start 1600 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1601 sleep 1 1602 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1603 log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection" 1604 1605 a=${NSA_IP} 1606 log_start 1607 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1608 sleep 1 1609 run_cmd nettest -D -d ${VRF} -r ${a} 1610 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 1611 1612 log_start 1613 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1614 sleep 1 1615 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1616 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 1617 1618 # enable global server 1619 log_subsection "Global server enabled" 1620 set_sysctl net.ipv4.udp_l3mdev_accept=1 1621 1622 # 1623 # server tests 1624 # 1625 for a in ${NSA_IP} ${VRF_IP} 1626 do 1627 log_start 1628 run_cmd nettest -D -s -3 ${NSA_DEV} & 1629 sleep 1 1630 run_cmd_nsb nettest -D -r ${a} 1631 log_test_addr ${a} $? 0 "Global server" 1632 1633 log_start 1634 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} & 1635 sleep 1 1636 run_cmd_nsb nettest -D -r ${a} 1637 log_test_addr ${a} $? 0 "VRF server" 1638 1639 log_start 1640 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1641 sleep 1 1642 run_cmd_nsb nettest -D -r ${a} 1643 log_test_addr ${a} $? 0 "Enslaved device server" 1644 1645 log_start 1646 show_hint "Should fail 'Connection refused'" 1647 run_cmd_nsb nettest -D -r ${a} 1648 log_test_addr ${a} $? 1 "No server" 1649 done 1650 1651 # 1652 # client tests 1653 # 1654 log_start 1655 run_cmd_nsb nettest -D -s & 1656 sleep 1 1657 run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP} 1658 log_test $? 
0 "VRF client" 1659 1660 log_start 1661 run_cmd_nsb nettest -D -s & 1662 sleep 1 1663 run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP} 1664 log_test $? 0 "Enslaved device client" 1665 1666 # negative test - should fail 1667 log_start 1668 show_hint "Should fail 'Connection refused'" 1669 run_cmd nettest -D -d ${VRF} -r ${NSB_IP} 1670 log_test $? 1 "No server, VRF client" 1671 1672 log_start 1673 show_hint "Should fail 'Connection refused'" 1674 run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP} 1675 log_test $? 1 "No server, enslaved device client" 1676 1677 # 1678 # local address tests 1679 # 1680 a=${NSA_IP} 1681 log_start 1682 run_cmd nettest -D -s -3 ${NSA_DEV} & 1683 sleep 1 1684 run_cmd nettest -D -d ${VRF} -r ${a} 1685 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 1686 1687 log_start 1688 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1689 sleep 1 1690 run_cmd nettest -D -d ${VRF} -r ${a} 1691 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1692 1693 log_start 1694 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1695 sleep 1 1696 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1697 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 1698 1699 log_start 1700 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1701 sleep 1 1702 run_cmd nettest -D -d ${VRF} -r ${a} 1703 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 1704 1705 log_start 1706 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1707 sleep 1 1708 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1709 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 1710 1711 for a in ${VRF_IP} 127.0.0.1 1712 do 1713 log_start 1714 run_cmd nettest -D -s -3 ${VRF} & 1715 sleep 1 1716 run_cmd nettest -D -d ${VRF} -r ${a} 1717 log_test_addr ${a} $? 
0 "Global server, VRF client, local conn" 1718 done 1719 1720 for a in ${VRF_IP} 127.0.0.1 1721 do 1722 log_start 1723 run_cmd nettest -s -D -I ${VRF} -3 ${VRF} & 1724 sleep 1 1725 run_cmd nettest -D -d ${VRF} -r ${a} 1726 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1727 done 1728 1729 # negative test - should fail 1730 # verifies ECONNREFUSED 1731 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 1732 do 1733 log_start 1734 show_hint "Should fail 'Connection refused'" 1735 run_cmd nettest -D -d ${VRF} -r ${a} 1736 log_test_addr ${a} $? 1 "No server, VRF client, local conn" 1737 done 1738} 1739 1740ipv4_udp() 1741{ 1742 log_section "IPv4/UDP" 1743 log_subsection "No VRF" 1744 1745 setup 1746 1747 # udp_l3mdev_accept should have no affect without VRF; 1748 # run tests with it enabled and disabled to verify 1749 log_subsection "udp_l3mdev_accept disabled" 1750 set_sysctl net.ipv4.udp_l3mdev_accept=0 1751 ipv4_udp_novrf 1752 log_subsection "udp_l3mdev_accept enabled" 1753 set_sysctl net.ipv4.udp_l3mdev_accept=1 1754 ipv4_udp_novrf 1755 1756 log_subsection "With VRF" 1757 setup "yes" 1758 ipv4_udp_vrf 1759} 1760 1761################################################################################ 1762# IPv4 address bind 1763# 1764# verifies ability or inability to bind to an address / device 1765 1766ipv4_addr_bind_novrf() 1767{ 1768 # 1769 # raw socket 1770 # 1771 for a in ${NSA_IP} ${NSA_LO_IP} 1772 do 1773 log_start 1774 run_cmd nettest -s -R -P icmp -l ${a} -b 1775 log_test_addr ${a} $? 0 "Raw socket bind to local address" 1776 1777 log_start 1778 run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b 1779 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" 1780 done 1781 1782 # 1783 # tcp sockets 1784 # 1785 a=${NSA_IP} 1786 log_start 1787 run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b 1788 log_test_addr ${a} $? 
0 "TCP socket bind to local address" 1789 1790 log_start 1791 run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b 1792 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind" 1793 1794 # Sadly, the kernel allows binding a socket to a device and then 1795 # binding to an address not on the device. The only restriction 1796 # is that the address is valid in the L3 domain. So this test 1797 # passes when it really should not 1798 #a=${NSA_LO_IP} 1799 #log_start 1800 #show_hint "Should fail with 'Cannot assign requested address'" 1801 #run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 1802 #log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address" 1803} 1804 1805ipv4_addr_bind_vrf() 1806{ 1807 # 1808 # raw socket 1809 # 1810 for a in ${NSA_IP} ${VRF_IP} 1811 do 1812 log_start 1813 show_hint "Socket not bound to VRF, but address is in VRF" 1814 run_cmd nettest -s -R -P icmp -l ${a} -b 1815 log_test_addr ${a} $? 1 "Raw socket bind to local address" 1816 1817 log_start 1818 run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b 1819 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" 1820 log_start 1821 run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b 1822 log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind" 1823 done 1824 1825 a=${NSA_LO_IP} 1826 log_start 1827 show_hint "Address on loopback is out of VRF scope" 1828 run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b 1829 log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind" 1830 1831 # 1832 # tcp sockets 1833 # 1834 for a in ${NSA_IP} ${VRF_IP} 1835 do 1836 log_start 1837 run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b 1838 log_test_addr ${a} $? 0 "TCP socket bind to local address" 1839 1840 log_start 1841 run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 1842 log_test_addr ${a} $? 
0 "TCP socket bind to local address after device bind" 1843 done 1844 1845 a=${NSA_LO_IP} 1846 log_start 1847 show_hint "Address on loopback out of scope for VRF" 1848 run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b 1849 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF" 1850 1851 log_start 1852 show_hint "Address on loopback out of scope for device in VRF" 1853 run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 1854 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind" 1855} 1856 1857ipv4_addr_bind() 1858{ 1859 log_section "IPv4 address binds" 1860 1861 log_subsection "No VRF" 1862 setup 1863 ipv4_addr_bind_novrf 1864 1865 log_subsection "With VRF" 1866 setup "yes" 1867 ipv4_addr_bind_vrf 1868} 1869 1870################################################################################ 1871# IPv4 runtime tests 1872 1873ipv4_rt() 1874{ 1875 local desc="$1" 1876 local varg="$2" 1877 local with_vrf="yes" 1878 local a 1879 1880 # 1881 # server tests 1882 # 1883 for a in ${NSA_IP} ${VRF_IP} 1884 do 1885 log_start 1886 run_cmd nettest ${varg} -s & 1887 sleep 1 1888 run_cmd_nsb nettest ${varg} -r ${a} & 1889 sleep 3 1890 run_cmd ip link del ${VRF} 1891 sleep 1 1892 log_test_addr ${a} 0 0 "${desc}, global server" 1893 1894 setup ${with_vrf} 1895 done 1896 1897 for a in ${NSA_IP} ${VRF_IP} 1898 do 1899 log_start 1900 run_cmd nettest ${varg} -s -I ${VRF} & 1901 sleep 1 1902 run_cmd_nsb nettest ${varg} -r ${a} & 1903 sleep 3 1904 run_cmd ip link del ${VRF} 1905 sleep 1 1906 log_test_addr ${a} 0 0 "${desc}, VRF server" 1907 1908 setup ${with_vrf} 1909 done 1910 1911 a=${NSA_IP} 1912 log_start 1913 run_cmd nettest ${varg} -s -I ${NSA_DEV} & 1914 sleep 1 1915 run_cmd_nsb nettest ${varg} -r ${a} & 1916 sleep 3 1917 run_cmd ip link del ${VRF} 1918 sleep 1 1919 log_test_addr ${a} 0 0 "${desc}, enslaved device server" 1920 1921 setup ${with_vrf} 1922 1923 # 1924 # client test 1925 # 1926 log_start 1927 run_cmd_nsb nettest ${varg} -s & 1928 
sleep 1 1929 run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} & 1930 sleep 3 1931 run_cmd ip link del ${VRF} 1932 sleep 1 1933 log_test_addr ${a} 0 0 "${desc}, VRF client" 1934 1935 setup ${with_vrf} 1936 1937 log_start 1938 run_cmd_nsb nettest ${varg} -s & 1939 sleep 1 1940 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} & 1941 sleep 3 1942 run_cmd ip link del ${VRF} 1943 sleep 1 1944 log_test_addr ${a} 0 0 "${desc}, enslaved device client" 1945 1946 setup ${with_vrf} 1947 1948 # 1949 # local address tests 1950 # 1951 for a in ${NSA_IP} ${VRF_IP} 1952 do 1953 log_start 1954 run_cmd nettest ${varg} -s & 1955 sleep 1 1956 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 1957 sleep 3 1958 run_cmd ip link del ${VRF} 1959 sleep 1 1960 log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local" 1961 1962 setup ${with_vrf} 1963 done 1964 1965 for a in ${NSA_IP} ${VRF_IP} 1966 do 1967 log_start 1968 run_cmd nettest ${varg} -I ${VRF} -s & 1969 sleep 1 1970 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 1971 sleep 3 1972 run_cmd ip link del ${VRF} 1973 sleep 1 1974 log_test_addr ${a} 0 0 "${desc}, VRF server and client, local" 1975 1976 setup ${with_vrf} 1977 done 1978 1979 a=${NSA_IP} 1980 log_start 1981 run_cmd nettest ${varg} -s & 1982 sleep 1 1983 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 1984 sleep 3 1985 run_cmd ip link del ${VRF} 1986 sleep 1 1987 log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local" 1988 1989 setup ${with_vrf} 1990 1991 log_start 1992 run_cmd nettest ${varg} -I ${VRF} -s & 1993 sleep 1 1994 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 1995 sleep 3 1996 run_cmd ip link del ${VRF} 1997 sleep 1 1998 log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local" 1999 2000 setup ${with_vrf} 2001 2002 log_start 2003 run_cmd nettest ${varg} -I ${NSA_DEV} -s & 2004 sleep 1 2005 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 2006 sleep 3 2007 run_cmd ip link del ${VRF} 2008 sleep 1 2009 log_test_addr ${a} 0 0 
"${desc}, enslaved device server and client, local" 2010} 2011 2012ipv4_ping_rt() 2013{ 2014 local with_vrf="yes" 2015 local a 2016 2017 for a in ${NSA_IP} ${VRF_IP} 2018 do 2019 log_start 2020 run_cmd_nsb ping -f ${a} & 2021 sleep 3 2022 run_cmd ip link del ${VRF} 2023 sleep 1 2024 log_test_addr ${a} 0 0 "Device delete with active traffic - ping in" 2025 2026 setup ${with_vrf} 2027 done 2028 2029 a=${NSB_IP} 2030 log_start 2031 run_cmd ping -f -I ${VRF} ${a} & 2032 sleep 3 2033 run_cmd ip link del ${VRF} 2034 sleep 1 2035 log_test_addr ${a} 0 0 "Device delete with active traffic - ping out" 2036} 2037 2038ipv4_runtime() 2039{ 2040 log_section "Run time tests - ipv4" 2041 2042 setup "yes" 2043 ipv4_ping_rt 2044 2045 setup "yes" 2046 ipv4_rt "TCP active socket" "-n -1" 2047 2048 setup "yes" 2049 ipv4_rt "TCP passive socket" "-i" 2050} 2051 2052################################################################################ 2053# IPv6 2054 2055ipv6_ping_novrf() 2056{ 2057 local a 2058 2059 # should not have an impact, but make a known state 2060 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null 2061 2062 # 2063 # out 2064 # 2065 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2066 do 2067 log_start 2068 run_cmd ${ping6} -c1 -w1 ${a} 2069 log_test_addr ${a} $? 0 "ping out" 2070 done 2071 2072 for a in ${NSB_IP6} ${NSB_LO_IP6} 2073 do 2074 log_start 2075 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2076 log_test_addr ${a} $? 0 "ping out, device bind" 2077 2078 log_start 2079 run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a} 2080 log_test_addr ${a} $? 0 "ping out, loopback address bind" 2081 done 2082 2083 # 2084 # in 2085 # 2086 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV} 2087 do 2088 log_start 2089 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2090 log_test_addr ${a} $? 
0 "ping in" 2091 done 2092 2093 # 2094 # local traffic, local address 2095 # 2096 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2097 do 2098 log_start 2099 run_cmd ${ping6} -c1 -w1 ${a} 2100 log_test_addr ${a} $? 0 "ping local, no bind" 2101 done 2102 2103 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2104 do 2105 log_start 2106 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2107 log_test_addr ${a} $? 0 "ping local, device bind" 2108 done 2109 2110 for a in ${NSA_LO_IP6} ::1 2111 do 2112 log_start 2113 show_hint "Fails since address on loopback is out of device scope" 2114 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2115 log_test_addr ${a} $? 2 "ping local, device bind" 2116 done 2117 2118 # 2119 # ip rule blocks address 2120 # 2121 log_start 2122 setup_cmd ip -6 rule add pref 32765 from all lookup local 2123 setup_cmd ip -6 rule del pref 0 from all lookup local 2124 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2125 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2126 2127 a=${NSB_LO_IP6} 2128 run_cmd ${ping6} -c1 -w1 ${a} 2129 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2130 2131 log_start 2132 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2133 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2134 2135 a=${NSA_LO_IP6} 2136 log_start 2137 show_hint "Response lost due to ip rule" 2138 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2139 log_test_addr ${a} $? 
1 "ping in, blocked by rule" 2140 2141 setup_cmd ip -6 rule add pref 0 from all lookup local 2142 setup_cmd ip -6 rule del pref 32765 from all lookup local 2143 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2144 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2145 2146 # 2147 # route blocks reachability to remote address 2148 # 2149 log_start 2150 setup_cmd ip -6 route del ${NSB_LO_IP6} 2151 setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10 2152 setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10 2153 2154 a=${NSB_LO_IP6} 2155 run_cmd ${ping6} -c1 -w1 ${a} 2156 log_test_addr ${a} $? 2 "ping out, blocked by route" 2157 2158 log_start 2159 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2160 log_test_addr ${a} $? 2 "ping out, device bind, blocked by route" 2161 2162 a=${NSA_LO_IP6} 2163 log_start 2164 show_hint "Response lost due to ip route" 2165 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2166 log_test_addr ${a} $? 1 "ping in, blocked by route" 2167 2168 2169 # 2170 # remove 'remote' routes; fallback to default 2171 # 2172 log_start 2173 setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6} 2174 setup_cmd ip -6 ro del unreachable ${NSB_IP6} 2175 2176 a=${NSB_LO_IP6} 2177 run_cmd ${ping6} -c1 -w1 ${a} 2178 log_test_addr ${a} $? 2 "ping out, unreachable route" 2179 2180 log_start 2181 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2182 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 2183} 2184 2185ipv6_ping_vrf() 2186{ 2187 local a 2188 2189 # should default on; does not exist on older kernels 2190 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 2191 2192 # 2193 # out 2194 # 2195 for a in ${NSB_IP6} ${NSB_LO_IP6} 2196 do 2197 log_start 2198 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2199 log_test_addr ${a} $? 
0 "ping out, VRF bind" 2200 done 2201 2202 for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF} 2203 do 2204 log_start 2205 show_hint "Fails since VRF device does not support linklocal or multicast" 2206 run_cmd ${ping6} -c1 -w1 ${a} 2207 log_test_addr ${a} $? 1 "ping out, VRF bind" 2208 done 2209 2210 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2211 do 2212 log_start 2213 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2214 log_test_addr ${a} $? 0 "ping out, device bind" 2215 done 2216 2217 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2218 do 2219 log_start 2220 run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a} 2221 log_test_addr ${a} $? 0 "ping out, vrf device+address bind" 2222 done 2223 2224 # 2225 # in 2226 # 2227 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV} 2228 do 2229 log_start 2230 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2231 log_test_addr ${a} $? 0 "ping in" 2232 done 2233 2234 a=${NSA_LO_IP6} 2235 log_start 2236 show_hint "Fails since loopback address is out of VRF scope" 2237 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2238 log_test_addr ${a} $? 1 "ping in" 2239 2240 # 2241 # local traffic, local address 2242 # 2243 for a in ${NSA_IP6} ${VRF_IP6} ::1 2244 do 2245 log_start 2246 show_hint "Source address should be ${a}" 2247 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2248 log_test_addr ${a} $? 0 "ping local, VRF bind" 2249 done 2250 2251 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2252 do 2253 log_start 2254 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2255 log_test_addr ${a} $? 
0 "ping local, device bind" 2256 done 2257 2258 # LLA to GUA - remove ipv6 global addresses from ns-B 2259 setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 2260 setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo 2261 setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2262 2263 for a in ${NSA_IP6} ${VRF_IP6} 2264 do 2265 log_start 2266 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 2267 log_test_addr ${a} $? 0 "ping in, LLA to GUA" 2268 done 2269 2270 setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2271 setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} 2272 setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo 2273 2274 # 2275 # ip rule blocks address 2276 # 2277 log_start 2278 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2279 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2280 2281 a=${NSB_LO_IP6} 2282 run_cmd ${ping6} -c1 -w1 ${a} 2283 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2284 2285 log_start 2286 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2287 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2288 2289 a=${NSA_LO_IP6} 2290 log_start 2291 show_hint "Response lost due to ip rule" 2292 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2293 log_test_addr ${a} $? 1 "ping in, blocked by rule" 2294 2295 log_start 2296 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2297 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2298 2299 # 2300 # remove 'remote' routes; fallback to default 2301 # 2302 log_start 2303 setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF} 2304 2305 a=${NSB_LO_IP6} 2306 run_cmd ${ping6} -c1 -w1 ${a} 2307 log_test_addr ${a} $? 2 "ping out, unreachable route" 2308 2309 log_start 2310 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2311 log_test_addr ${a} $? 
2 "ping out, device bind, unreachable route" 2312 2313 ip -netns ${NSB} -6 ro del ${NSA_LO_IP6} 2314 a=${NSA_LO_IP6} 2315 log_start 2316 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2317 log_test_addr ${a} $? 2 "ping in, unreachable route" 2318} 2319 2320ipv6_ping() 2321{ 2322 log_section "IPv6 ping" 2323 2324 log_subsection "No VRF" 2325 setup 2326 ipv6_ping_novrf 2327 2328 log_subsection "With VRF" 2329 setup "yes" 2330 ipv6_ping_vrf 2331} 2332 2333################################################################################ 2334# IPv6 TCP 2335 2336# 2337# MD5 tests without VRF 2338# 2339ipv6_tcp_md5_novrf() 2340{ 2341 # 2342 # single address 2343 # 2344 2345 # basic use case 2346 log_start 2347 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} & 2348 sleep 1 2349 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2350 log_test $? 0 "MD5: Single address config" 2351 2352 # client sends MD5, server not configured 2353 log_start 2354 show_hint "Should timeout due to MD5 mismatch" 2355 run_cmd nettest -6 -s & 2356 sleep 1 2357 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2358 log_test $? 2 "MD5: Server no config, client uses password" 2359 2360 # wrong password 2361 log_start 2362 show_hint "Should timeout since client uses wrong password" 2363 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} & 2364 sleep 1 2365 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2366 log_test $? 2 "MD5: Client uses wrong password" 2367 2368 # client from different address 2369 log_start 2370 show_hint "Should timeout due to MD5 mismatch" 2371 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} & 2372 sleep 1 2373 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2374 log_test $? 
2 "MD5: Client address does not match address configured with password" 2375 2376 # 2377 # MD5 extension - prefix length 2378 # 2379 2380 # client in prefix 2381 log_start 2382 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2383 sleep 1 2384 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2385 log_test $? 0 "MD5: Prefix config" 2386 2387 # client in prefix, wrong password 2388 log_start 2389 show_hint "Should timeout since client uses wrong password" 2390 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2391 sleep 1 2392 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2393 log_test $? 2 "MD5: Prefix config, client uses wrong password" 2394 2395 # client outside of prefix 2396 log_start 2397 show_hint "Should timeout due to MD5 mismatch" 2398 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2399 sleep 1 2400 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW} 2401 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 2402} 2403 2404# 2405# MD5 tests with VRF 2406# 2407ipv6_tcp_md5() 2408{ 2409 # 2410 # single address 2411 # 2412 2413 # basic use case 2414 log_start 2415 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2416 sleep 1 2417 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2418 log_test $? 0 "MD5: VRF: Single address config" 2419 2420 # client sends MD5, server not configured 2421 log_start 2422 show_hint "Should timeout since server does not have MD5 auth" 2423 run_cmd nettest -6 -s -I ${VRF} & 2424 sleep 1 2425 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2426 log_test $? 2 "MD5: VRF: Server no config, client uses password" 2427 2428 # wrong password 2429 log_start 2430 show_hint "Should timeout since client uses wrong password" 2431 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2432 sleep 1 2433 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2434 log_test $? 
2 "MD5: VRF: Client uses wrong password" 2435 2436 # client from different address 2437 log_start 2438 show_hint "Should timeout since server config differs from client" 2439 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} & 2440 sleep 1 2441 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2442 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 2443 2444 # 2445 # MD5 extension - prefix length 2446 # 2447 2448 # client in prefix 2449 log_start 2450 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2451 sleep 1 2452 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2453 log_test $? 0 "MD5: VRF: Prefix config" 2454 2455 # client in prefix, wrong password 2456 log_start 2457 show_hint "Should timeout since client uses wrong password" 2458 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2459 sleep 1 2460 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2461 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 2462 2463 # client outside of prefix 2464 log_start 2465 show_hint "Should timeout since client address is outside of prefix" 2466 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2467 sleep 1 2468 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW} 2469 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" 2470 2471 # 2472 # duplicate config between default VRF and a VRF 2473 # 2474 2475 log_start 2476 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2477 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2478 sleep 1 2479 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2480 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 2481 2482 log_start 2483 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2484 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2485 sleep 1 2486 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2487 log_test $? 
0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 2488 2489 log_start 2490 show_hint "Should timeout since client in default VRF uses VRF password" 2491 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2492 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2493 sleep 1 2494 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2495 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 2496 2497 log_start 2498 show_hint "Should timeout since client in VRF uses default VRF password" 2499 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2500 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2501 sleep 1 2502 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2503 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 2504 2505 log_start 2506 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2507 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2508 sleep 1 2509 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2510 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 2511 2512 log_start 2513 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2514 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2515 sleep 1 2516 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2517 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 2518 2519 log_start 2520 show_hint "Should timeout since client in default VRF uses VRF password" 2521 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2522 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2523 sleep 1 2524 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2525 log_test $? 
2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 2526 2527 log_start 2528 show_hint "Should timeout since client in VRF uses default VRF password" 2529 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2530 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2531 sleep 1 2532 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2533 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 2534 2535 # 2536 # negative tests 2537 # 2538 log_start 2539 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6} 2540 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 2541 2542 log_start 2543 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6} 2544 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 2545 2546} 2547 2548ipv6_tcp_novrf() 2549{ 2550 local a 2551 2552 # 2553 # server tests 2554 # 2555 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2556 do 2557 log_start 2558 run_cmd nettest -6 -s & 2559 sleep 1 2560 run_cmd_nsb nettest -6 -r ${a} 2561 log_test_addr ${a} $? 0 "Global server" 2562 done 2563 2564 # verify TCP reset received 2565 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2566 do 2567 log_start 2568 show_hint "Should fail 'Connection refused'" 2569 run_cmd_nsb nettest -6 -r ${a} 2570 log_test_addr ${a} $? 1 "No server" 2571 done 2572 2573 # 2574 # client 2575 # 2576 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2577 do 2578 log_start 2579 run_cmd_nsb nettest -6 -s & 2580 sleep 1 2581 run_cmd nettest -6 -r ${a} 2582 log_test_addr ${a} $? 0 "Client" 2583 done 2584 2585 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2586 do 2587 log_start 2588 run_cmd_nsb nettest -6 -s & 2589 sleep 1 2590 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2591 log_test_addr ${a} $? 
0 "Client, device bind" 2592 done 2593 2594 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2595 do 2596 log_start 2597 show_hint "Should fail 'Connection refused'" 2598 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2599 log_test_addr ${a} $? 1 "No server, device client" 2600 done 2601 2602 # 2603 # local address tests 2604 # 2605 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 2606 do 2607 log_start 2608 run_cmd nettest -6 -s & 2609 sleep 1 2610 run_cmd nettest -6 -r ${a} 2611 log_test_addr ${a} $? 0 "Global server, local connection" 2612 done 2613 2614 a=${NSA_IP6} 2615 log_start 2616 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2617 sleep 1 2618 run_cmd nettest -6 -r ${a} -0 ${a} 2619 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 2620 2621 for a in ${NSA_LO_IP6} ::1 2622 do 2623 log_start 2624 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2625 run_cmd nettest -6 -s -I ${NSA_DEV} & 2626 sleep 1 2627 run_cmd nettest -6 -r ${a} 2628 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 2629 done 2630 2631 a=${NSA_IP6} 2632 log_start 2633 run_cmd nettest -6 -s & 2634 sleep 1 2635 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2636 log_test_addr ${a} $? 0 "Global server, device client, local connection" 2637 2638 for a in ${NSA_LO_IP6} ::1 2639 do 2640 log_start 2641 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2642 run_cmd nettest -6 -s & 2643 sleep 1 2644 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2645 log_test_addr ${a} $? 1 "Global server, device client, local connection" 2646 done 2647 2648 for a in ${NSA_IP6} ${NSA_LINKIP6} 2649 do 2650 log_start 2651 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2652 sleep 1 2653 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2654 log_test_addr ${a} $? 
0 "Device server, device client, local conn" 2655 done 2656 2657 for a in ${NSA_IP6} ${NSA_LINKIP6} 2658 do 2659 log_start 2660 show_hint "Should fail 'Connection refused'" 2661 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2662 log_test_addr ${a} $? 1 "No server, device client, local conn" 2663 done 2664 2665 ipv6_tcp_md5_novrf 2666} 2667 2668ipv6_tcp_vrf() 2669{ 2670 local a 2671 2672 # disable global server 2673 log_subsection "Global server disabled" 2674 2675 set_sysctl net.ipv4.tcp_l3mdev_accept=0 2676 2677 # 2678 # server tests 2679 # 2680 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2681 do 2682 log_start 2683 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2684 run_cmd nettest -6 -s & 2685 sleep 1 2686 run_cmd_nsb nettest -6 -r ${a} 2687 log_test_addr ${a} $? 1 "Global server" 2688 done 2689 2690 for a in ${NSA_IP6} ${VRF_IP6} 2691 do 2692 log_start 2693 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2694 sleep 1 2695 run_cmd_nsb nettest -6 -r ${a} 2696 log_test_addr ${a} $? 0 "VRF server" 2697 done 2698 2699 # link local is always bound to ingress device 2700 a=${NSA_LINKIP6}%${NSB_DEV} 2701 log_start 2702 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2703 sleep 1 2704 run_cmd_nsb nettest -6 -r ${a} 2705 log_test_addr ${a} $? 0 "VRF server" 2706 2707 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2708 do 2709 log_start 2710 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2711 sleep 1 2712 run_cmd_nsb nettest -6 -r ${a} 2713 log_test_addr ${a} $? 0 "Device server" 2714 done 2715 2716 # verify TCP reset received 2717 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2718 do 2719 log_start 2720 show_hint "Should fail 'Connection refused'" 2721 run_cmd_nsb nettest -6 -r ${a} 2722 log_test_addr ${a} $? 
1 "No server" 2723 done 2724 2725 # local address tests 2726 a=${NSA_IP6} 2727 log_start 2728 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2729 run_cmd nettest -6 -s & 2730 sleep 1 2731 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2732 log_test_addr ${a} $? 1 "Global server, local connection" 2733 2734 # run MD5 tests 2735 setup_vrf_dup 2736 ipv6_tcp_md5 2737 cleanup_vrf_dup 2738 2739 # 2740 # enable VRF global server 2741 # 2742 log_subsection "VRF Global server enabled" 2743 set_sysctl net.ipv4.tcp_l3mdev_accept=1 2744 2745 for a in ${NSA_IP6} ${VRF_IP6} 2746 do 2747 log_start 2748 run_cmd nettest -6 -s -3 ${VRF} & 2749 sleep 1 2750 run_cmd_nsb nettest -6 -r ${a} 2751 log_test_addr ${a} $? 0 "Global server" 2752 done 2753 2754 for a in ${NSA_IP6} ${VRF_IP6} 2755 do 2756 log_start 2757 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2758 sleep 1 2759 run_cmd_nsb nettest -6 -r ${a} 2760 log_test_addr ${a} $? 0 "VRF server" 2761 done 2762 2763 # For LLA, child socket is bound to device 2764 a=${NSA_LINKIP6}%${NSB_DEV} 2765 log_start 2766 run_cmd nettest -6 -s -3 ${NSA_DEV} & 2767 sleep 1 2768 run_cmd_nsb nettest -6 -r ${a} 2769 log_test_addr ${a} $? 0 "Global server" 2770 2771 log_start 2772 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2773 sleep 1 2774 run_cmd_nsb nettest -6 -r ${a} 2775 log_test_addr ${a} $? 0 "VRF server" 2776 2777 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2778 do 2779 log_start 2780 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2781 sleep 1 2782 run_cmd_nsb nettest -6 -r ${a} 2783 log_test_addr ${a} $? 0 "Device server" 2784 done 2785 2786 # verify TCP reset received 2787 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2788 do 2789 log_start 2790 show_hint "Should fail 'Connection refused'" 2791 run_cmd_nsb nettest -6 -r ${a} 2792 log_test_addr ${a} $? 
1 "No server" 2793 done 2794 2795 # local address tests 2796 for a in ${NSA_IP6} ${VRF_IP6} 2797 do 2798 log_start 2799 show_hint "Fails 'Connection refused' since client is not in VRF" 2800 run_cmd nettest -6 -s -I ${VRF} & 2801 sleep 1 2802 run_cmd nettest -6 -r ${a} 2803 log_test_addr ${a} $? 1 "Global server, local connection" 2804 done 2805 2806 2807 # 2808 # client 2809 # 2810 for a in ${NSB_IP6} ${NSB_LO_IP6} 2811 do 2812 log_start 2813 run_cmd_nsb nettest -6 -s & 2814 sleep 1 2815 run_cmd nettest -6 -r ${a} -d ${VRF} 2816 log_test_addr ${a} $? 0 "Client, VRF bind" 2817 done 2818 2819 a=${NSB_LINKIP6} 2820 log_start 2821 show_hint "Fails since VRF device does not allow linklocal addresses" 2822 run_cmd_nsb nettest -6 -s & 2823 sleep 1 2824 run_cmd nettest -6 -r ${a} -d ${VRF} 2825 log_test_addr ${a} $? 1 "Client, VRF bind" 2826 2827 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 2828 do 2829 log_start 2830 run_cmd_nsb nettest -6 -s & 2831 sleep 1 2832 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2833 log_test_addr ${a} $? 0 "Client, device bind" 2834 done 2835 2836 for a in ${NSB_IP6} ${NSB_LO_IP6} 2837 do 2838 log_start 2839 show_hint "Should fail 'Connection refused'" 2840 run_cmd nettest -6 -r ${a} -d ${VRF} 2841 log_test_addr ${a} $? 1 "No server, VRF client" 2842 done 2843 2844 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 2845 do 2846 log_start 2847 show_hint "Should fail 'Connection refused'" 2848 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2849 log_test_addr ${a} $? 1 "No server, device client" 2850 done 2851 2852 for a in ${NSA_IP6} ${VRF_IP6} ::1 2853 do 2854 log_start 2855 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2856 sleep 1 2857 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 2858 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 2859 done 2860 2861 a=${NSA_IP6} 2862 log_start 2863 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2864 sleep 1 2865 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2866 log_test_addr ${a} $? 
0 "VRF server, device client, local connection" 2867 2868 a=${NSA_IP6} 2869 log_start 2870 show_hint "Should fail since unbound client is out of VRF scope" 2871 run_cmd nettest -6 -s -I ${VRF} & 2872 sleep 1 2873 run_cmd nettest -6 -r ${a} 2874 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection" 2875 2876 log_start 2877 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2878 sleep 1 2879 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 2880 log_test_addr ${a} $? 0 "Device server, VRF client, local connection" 2881 2882 for a in ${NSA_IP6} ${NSA_LINKIP6} 2883 do 2884 log_start 2885 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2886 sleep 1 2887 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2888 log_test_addr ${a} $? 0 "Device server, device client, local connection" 2889 done 2890} 2891 # Run the IPv6 TCP tests: the no-VRF set twice (tcp_l3mdev_accept=0, then =1), then the VRF set after setup "yes". 2892ipv6_tcp() 2893{ 2894 log_section "IPv6/TCP" 2895 log_subsection "No VRF" 2896 setup 2897 2898 # tcp_l3mdev_accept should have no effect without VRF; 2899 # run tests with it enabled and disabled to verify 2900 log_subsection "tcp_l3mdev_accept disabled" 2901 set_sysctl net.ipv4.tcp_l3mdev_accept=0 2902 ipv6_tcp_novrf 2903 log_subsection "tcp_l3mdev_accept enabled" 2904 set_sysctl net.ipv4.tcp_l3mdev_accept=1 2905 ipv6_tcp_novrf 2906 2907 log_subsection "With VRF" 2908 setup "yes" 2909 ipv6_tcp_vrf 2910} 2911 2912################################################################################ 2913# IPv6 UDP 2914 2915ipv6_udp_novrf() 2916{ 2917 local a 2918 2919 # 2920 # server tests 2921 # 2922 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2923 do 2924 log_start 2925 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 2926 sleep 1 2927 run_cmd_nsb nettest -6 -D -r ${a} 2928 log_test_addr ${a} $? 0 "Global server" 2929 2930 log_start 2931 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 2932 sleep 1 2933 run_cmd_nsb nettest -6 -D -r ${a} 2934 log_test_addr ${a} $?
0 "Device server" 2935 done 2936 2937 a=${NSA_LO_IP6} 2938 log_start 2939 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 2940 sleep 1 2941 run_cmd_nsb nettest -6 -D -r ${a} 2942 log_test_addr ${a} $? 0 "Global server" 2943 2944 # should fail since loopback address is out of scope for a device 2945 # bound server, but it does not - hence this is more documenting 2946 # behavior. 2947 #log_start 2948 #show_hint "Should fail since loopback address is out of scope" 2949 #run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 2950 #sleep 1 2951 #run_cmd_nsb nettest -6 -D -r ${a} 2952 #log_test_addr ${a} $? 1 "Device server" 2953 2954 # negative test - should fail 2955 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2956 do 2957 log_start 2958 show_hint "Should fail 'Connection refused' since there is no server" 2959 run_cmd_nsb nettest -6 -D -r ${a} 2960 log_test_addr ${a} $? 1 "No server" 2961 done 2962 2963 # 2964 # client 2965 # 2966 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2967 do 2968 log_start 2969 run_cmd_nsb nettest -6 -D -s & 2970 sleep 1 2971 run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6} 2972 log_test_addr ${a} $? 0 "Client" 2973 2974 log_start 2975 run_cmd_nsb nettest -6 -D -s & 2976 sleep 1 2977 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6} 2978 log_test_addr ${a} $? 0 "Client, device bind" 2979 2980 log_start 2981 run_cmd_nsb nettest -6 -D -s & 2982 sleep 1 2983 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6} 2984 log_test_addr ${a} $? 0 "Client, device send via cmsg" 2985 2986 log_start 2987 run_cmd_nsb nettest -6 -D -s & 2988 sleep 1 2989 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6} 2990 log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF" 2991 2992 log_start 2993 show_hint "Should fail 'Connection refused'" 2994 run_cmd nettest -6 -D -r ${a} 2995 log_test_addr ${a} $? 
1 "No server, unbound client" 2996 2997 log_start 2998 show_hint "Should fail 'Connection refused'" 2999 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3000 log_test_addr ${a} $? 1 "No server, device client" 3001 done 3002 3003 # 3004 # local address tests 3005 # 3006 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 3007 do 3008 log_start 3009 run_cmd nettest -6 -D -s & 3010 sleep 1 3011 run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a} 3012 log_test_addr ${a} $? 0 "Global server, local connection" 3013 done 3014 3015 a=${NSA_IP6} 3016 log_start 3017 run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 3018 sleep 1 3019 run_cmd nettest -6 -D -r ${a} 3020 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 3021 3022 for a in ${NSA_LO_IP6} ::1 3023 do 3024 log_start 3025 show_hint "Should fail 'Connection refused' since address is out of device scope" 3026 run_cmd nettest -6 -s -D -I ${NSA_DEV} & 3027 sleep 1 3028 run_cmd nettest -6 -D -r ${a} 3029 log_test_addr ${a} $? 1 "Device server, local connection" 3030 done 3031 3032 a=${NSA_IP6} 3033 log_start 3034 run_cmd nettest -6 -s -D & 3035 sleep 1 3036 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3037 log_test_addr ${a} $? 0 "Global server, device client, local connection" 3038 3039 log_start 3040 run_cmd nettest -6 -s -D & 3041 sleep 1 3042 run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a} 3043 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 3044 3045 log_start 3046 run_cmd nettest -6 -s -D & 3047 sleep 1 3048 run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a} 3049 log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection" 3050 3051 for a in ${NSA_LO_IP6} ::1 3052 do 3053 log_start 3054 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3055 run_cmd nettest -6 -D -s & 3056 sleep 1 3057 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3058 log_test_addr ${a} $? 
1 "Global server, device client, local connection" 3059 3060 log_start 3061 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3062 run_cmd nettest -6 -D -s & 3063 sleep 1 3064 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C 3065 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 3066 3067 log_start 3068 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3069 run_cmd nettest -6 -D -s & 3070 sleep 1 3071 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S 3072 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 3073 done 3074 3075 a=${NSA_IP6} 3076 log_start 3077 run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3078 sleep 1 3079 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a} 3080 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3081 3082 log_start 3083 show_hint "Should fail 'Connection refused'" 3084 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3085 log_test_addr ${a} $? 1 "No server, device client, local conn" 3086 3087 # LLA to GUA 3088 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3089 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3090 log_start 3091 run_cmd nettest -6 -s -D & 3092 sleep 1 3093 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3094 log_test $? 0 "UDP in - LLA to GUA" 3095 3096 run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV} 3097 run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad 3098} 3099 3100ipv6_udp_vrf() 3101{ 3102 local a 3103 3104 # disable global server 3105 log_subsection "Global server disabled" 3106 set_sysctl net.ipv4.udp_l3mdev_accept=0 3107 3108 # 3109 # server tests 3110 # 3111 for a in ${NSA_IP6} ${VRF_IP6} 3112 do 3113 log_start 3114 show_hint "Should fail 'Connection refused' since global server is disabled" 3115 run_cmd nettest -6 -D -s & 3116 sleep 1 3117 run_cmd_nsb nettest -6 -D -r ${a} 3118 log_test_addr ${a} $? 
1 "Global server" 3119 done 3120 3121 for a in ${NSA_IP6} ${VRF_IP6} 3122 do 3123 log_start 3124 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3125 sleep 1 3126 run_cmd_nsb nettest -6 -D -r ${a} 3127 log_test_addr ${a} $? 0 "VRF server" 3128 done 3129 3130 for a in ${NSA_IP6} ${VRF_IP6} 3131 do 3132 log_start 3133 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3134 sleep 1 3135 run_cmd_nsb nettest -6 -D -r ${a} 3136 log_test_addr ${a} $? 0 "Enslaved device server" 3137 done 3138 3139 # negative test - should fail 3140 for a in ${NSA_IP6} ${VRF_IP6} 3141 do 3142 log_start 3143 show_hint "Should fail 'Connection refused' since there is no server" 3144 run_cmd_nsb nettest -6 -D -r ${a} 3145 log_test_addr ${a} $? 1 "No server" 3146 done 3147 3148 # 3149 # local address tests 3150 # 3151 for a in ${NSA_IP6} ${VRF_IP6} 3152 do 3153 log_start 3154 show_hint "Should fail 'Connection refused' since global server is disabled" 3155 run_cmd nettest -6 -D -s & 3156 sleep 1 3157 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3158 log_test_addr ${a} $? 1 "Global server, VRF client, local conn" 3159 done 3160 3161 for a in ${NSA_IP6} ${VRF_IP6} 3162 do 3163 log_start 3164 run_cmd nettest -6 -D -I ${VRF} -s & 3165 sleep 1 3166 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3167 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3168 done 3169 3170 a=${NSA_IP6} 3171 log_start 3172 show_hint "Should fail 'Connection refused' since global server is disabled" 3173 run_cmd nettest -6 -D -s & 3174 sleep 1 3175 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3176 log_test_addr ${a} $? 1 "Global server, device client, local conn" 3177 3178 log_start 3179 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3180 sleep 1 3181 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3182 log_test_addr ${a} $? 
0 "VRF server, device client, local conn" 3183 3184 log_start 3185 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3186 sleep 1 3187 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3188 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 3189 3190 log_start 3191 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3192 sleep 1 3193 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3194 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 3195 3196 # enable global server 3197 log_subsection "Global server enabled" 3198 set_sysctl net.ipv4.udp_l3mdev_accept=1 3199 3200 # 3201 # server tests 3202 # 3203 for a in ${NSA_IP6} ${VRF_IP6} 3204 do 3205 log_start 3206 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3207 sleep 1 3208 run_cmd_nsb nettest -6 -D -r ${a} 3209 log_test_addr ${a} $? 0 "Global server" 3210 done 3211 3212 for a in ${NSA_IP6} ${VRF_IP6} 3213 do 3214 log_start 3215 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3216 sleep 1 3217 run_cmd_nsb nettest -6 -D -r ${a} 3218 log_test_addr ${a} $? 0 "VRF server" 3219 done 3220 3221 for a in ${NSA_IP6} ${VRF_IP6} 3222 do 3223 log_start 3224 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3225 sleep 1 3226 run_cmd_nsb nettest -6 -D -r ${a} 3227 log_test_addr ${a} $? 0 "Enslaved device server" 3228 done 3229 3230 # negative test - should fail 3231 for a in ${NSA_IP6} ${VRF_IP6} 3232 do 3233 log_start 3234 run_cmd_nsb nettest -6 -D -r ${a} 3235 log_test_addr ${a} $? 1 "No server" 3236 done 3237 3238 # 3239 # client tests 3240 # 3241 log_start 3242 run_cmd_nsb nettest -6 -D -s & 3243 sleep 1 3244 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3245 log_test $? 0 "VRF client" 3246 3247 # negative test - should fail 3248 log_start 3249 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3250 log_test $? 1 "No server, VRF client" 3251 3252 log_start 3253 run_cmd_nsb nettest -6 -D -s & 3254 sleep 1 3255 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3256 log_test $?
0 "Enslaved device client" 3257 3258 # negative test - should fail 3259 log_start 3260 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3261 log_test $? 1 "No server, enslaved device client" 3262 3263 # 3264 # local address tests 3265 # 3266 a=${NSA_IP6} 3267 log_start 3268 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3269 sleep 1 3270 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3271 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 3272 3273 #log_start # NOTE(review): log_start is commented out for this test only, unlike the tests around it - confirm this is intentional 3274 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3275 sleep 1 3276 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3277 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3278 3279 3280 a=${VRF_IP6} 3281 log_start 3282 run_cmd nettest -6 -D -s -3 ${VRF} & 3283 sleep 1 3284 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3285 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 3286 3287 log_start 3288 run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} & 3289 sleep 1 3290 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3291 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3292 3293 # negative test - should fail 3294 for a in ${NSA_IP6} ${VRF_IP6} 3295 do 3296 log_start 3297 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3298 log_test_addr ${a} $? 1 "No server, VRF client, local conn" 3299 done 3300 3301 # device to global IP 3302 a=${NSA_IP6} 3303 log_start 3304 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3305 sleep 1 3306 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3307 log_test_addr ${a} $? 0 "Global server, device client, local conn" 3308 3309 log_start 3310 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3311 sleep 1 3312 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3313 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 3314 3315 log_start 3316 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3317 sleep 1 3318 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3319 log_test_addr ${a} $?
0 "Device server, VRF client, local conn" 3320 3321 log_start 3322 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3323 sleep 1 3324 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3325 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3326 3327 log_start 3328 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3329 log_test_addr ${a} $? 1 "No server, device client, local conn" 3330 3331 3332 # link local addresses 3333 log_start 3334 run_cmd nettest -6 -D -s & 3335 sleep 1 3336 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3337 log_test $? 0 "Global server, linklocal IP" 3338 3339 log_start 3340 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3341 log_test $? 1 "No server, linklocal IP" 3342 3343 3344 log_start 3345 run_cmd_nsb nettest -6 -D -s & 3346 sleep 1 3347 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3348 log_test $? 0 "Enslaved device client, linklocal IP" 3349 3350 log_start 3351 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3352 log_test $? 1 "No server, device client, peer linklocal IP" 3353 3354 3355 log_start 3356 run_cmd nettest -6 -D -s & 3357 sleep 1 3358 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3359 log_test $? 0 "Enslaved device client, local conn - linklocal IP" 3360 3361 log_start 3362 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3363 log_test $? 1 "No server, device client, local conn - linklocal IP" 3364 3365 # LLA to GUA 3366 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3367 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3368 log_start 3369 run_cmd nettest -6 -s -D & 3370 sleep 1 3371 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3372 log_test $? 
0 "UDP in - LLA to GUA" 3373 3374 run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV} 3375 run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad 3376} 3377 # Run the IPv6 UDP tests: the no-VRF set twice (udp_l3mdev_accept=0, then =1), then the VRF set after setup "yes". 3378ipv6_udp() 3379{ 3380 # should not matter, but set to known state 3381 set_sysctl net.ipv4.udp_early_demux=1 3382 3383 log_section "IPv6/UDP" 3384 log_subsection "No VRF" 3385 setup 3386 3387 # udp_l3mdev_accept should have no effect without VRF; 3388 # run tests with it enabled and disabled to verify 3389 log_subsection "udp_l3mdev_accept disabled" 3390 set_sysctl net.ipv4.udp_l3mdev_accept=0 3391 ipv6_udp_novrf 3392 log_subsection "udp_l3mdev_accept enabled" 3393 set_sysctl net.ipv4.udp_l3mdev_accept=1 3394 ipv6_udp_novrf 3395 3396 log_subsection "With VRF" 3397 setup "yes" 3398 ipv6_udp_vrf 3399} 3400 3401################################################################################ 3402# IPv6 address bind 3403 3404ipv6_addr_bind_novrf() 3405{ 3406 # 3407 # raw socket 3408 # 3409 for a in ${NSA_IP6} ${NSA_LO_IP6} 3410 do 3411 log_start 3412 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b 3413 log_test_addr ${a} $? 0 "Raw socket bind to local address" 3414 3415 log_start 3416 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b 3417 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" 3418 done 3419 3420 # 3421 # tcp sockets 3422 # 3423 a=${NSA_IP6} 3424 log_start 3425 run_cmd nettest -6 -s -l ${a} -t1 -b 3426 log_test_addr ${a} $? 0 "TCP socket bind to local address" 3427 3428 log_start 3429 run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b 3430 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind" 3431 3432 # Sadly, the kernel allows binding a socket to a device and then 3433 # binding to an address not on the device.
So this test passes 3434 # when it really should not 3435 a=${NSA_LO_IP6} 3436 log_start 3437 show_hint "Tecnically should fail since address is not on device but kernel allows" 3438 run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b 3439 log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address" 3440} 3441 3442ipv6_addr_bind_vrf() 3443{ 3444 # 3445 # raw socket 3446 # 3447 for a in ${NSA_IP6} ${VRF_IP6} 3448 do 3449 log_start 3450 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b 3451 log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind" 3452 3453 log_start 3454 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b 3455 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" 3456 done 3457 3458 a=${NSA_LO_IP6} 3459 log_start 3460 show_hint "Address on loopback is out of VRF scope" 3461 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b 3462 log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind" 3463 3464 # 3465 # tcp sockets 3466 # 3467 # address on enslaved device is valid for the VRF or device in a VRF 3468 for a in ${NSA_IP6} ${VRF_IP6} 3469 do 3470 log_start 3471 run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b 3472 log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind" 3473 done 3474 3475 a=${NSA_IP6} 3476 log_start 3477 run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b 3478 log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind" 3479 3480 # Sadly, the kernel allows binding a socket to a device and then 3481 # binding to an address not on the device. The only restriction 3482 # is that the address is valid in the L3 domain. So this test 3483 # passes when it really should not 3484 a=${VRF_IP6} 3485 log_start 3486 show_hint "Tecnically should fail since address is not on device but kernel allows" 3487 run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b 3488 log_test_addr ${a} $? 
0 "TCP socket bind to VRF address with device bind" 3489 3490 a=${NSA_LO_IP6} 3491 log_start 3492 show_hint "Address on loopback out of scope for VRF" 3493 run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b 3494 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF" 3495 3496 log_start 3497 show_hint "Address on loopback out of scope for device in VRF" 3498 run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b 3499 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind" 3500 3501} 3502 3503ipv6_addr_bind() 3504{ 3505 log_section "IPv6 address binds" 3506 3507 log_subsection "No VRF" 3508 setup 3509 ipv6_addr_bind_novrf 3510 3511 log_subsection "With VRF" 3512 setup "yes" 3513 ipv6_addr_bind_vrf 3514} 3515 3516################################################################################ 3517# IPv6 runtime tests 3518 3519ipv6_rt() 3520{ 3521 local desc="$1" 3522 local varg="-6 $2" 3523 local with_vrf="yes" 3524 local a 3525 3526 # 3527 # server tests 3528 # 3529 for a in ${NSA_IP6} ${VRF_IP6} 3530 do 3531 log_start 3532 run_cmd nettest ${varg} -s & 3533 sleep 1 3534 run_cmd_nsb nettest ${varg} -r ${a} & 3535 sleep 3 3536 run_cmd ip link del ${VRF} 3537 sleep 1 3538 log_test_addr ${a} 0 0 "${desc}, global server" 3539 3540 setup ${with_vrf} 3541 done 3542 3543 for a in ${NSA_IP6} ${VRF_IP6} 3544 do 3545 log_start 3546 run_cmd nettest ${varg} -I ${VRF} -s & 3547 sleep 1 3548 run_cmd_nsb nettest ${varg} -r ${a} & 3549 sleep 3 3550 run_cmd ip link del ${VRF} 3551 sleep 1 3552 log_test_addr ${a} 0 0 "${desc}, VRF server" 3553 3554 setup ${with_vrf} 3555 done 3556 3557 for a in ${NSA_IP6} ${VRF_IP6} 3558 do 3559 log_start 3560 run_cmd nettest ${varg} -I ${NSA_DEV} -s & 3561 sleep 1 3562 run_cmd_nsb nettest ${varg} -r ${a} & 3563 sleep 3 3564 run_cmd ip link del ${VRF} 3565 sleep 1 3566 log_test_addr ${a} 0 0 "${desc}, enslaved device server" 3567 3568 setup ${with_vrf} 3569 done 3570 3571 # 3572 # client test 3573 # 3574 log_start 
3575 run_cmd_nsb nettest ${varg} -s & 3576 sleep 1 3577 run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} & 3578 sleep 3 3579 run_cmd ip link del ${VRF} 3580 sleep 1 3581 log_test 0 0 "${desc}, VRF client" 3582 3583 setup ${with_vrf} 3584 3585 log_start 3586 run_cmd_nsb nettest ${varg} -s & 3587 sleep 1 3588 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} & 3589 sleep 3 3590 run_cmd ip link del ${VRF} 3591 sleep 1 3592 log_test 0 0 "${desc}, enslaved device client" 3593 3594 setup ${with_vrf} 3595 3596 3597 # 3598 # local address tests 3599 # 3600 for a in ${NSA_IP6} ${VRF_IP6} 3601 do 3602 log_start 3603 run_cmd nettest ${varg} -s & 3604 sleep 1 3605 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 3606 sleep 3 3607 run_cmd ip link del ${VRF} 3608 sleep 1 3609 log_test_addr ${a} 0 0 "${desc}, global server, VRF client" 3610 3611 setup ${with_vrf} 3612 done 3613 3614 for a in ${NSA_IP6} ${VRF_IP6} 3615 do 3616 log_start 3617 run_cmd nettest ${varg} -I ${VRF} -s & 3618 sleep 1 3619 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 3620 sleep 3 3621 run_cmd ip link del ${VRF} 3622 sleep 1 3623 log_test_addr ${a} 0 0 "${desc}, VRF server and client" 3624 3625 setup ${with_vrf} 3626 done 3627 3628 a=${NSA_IP6} 3629 log_start 3630 run_cmd nettest ${varg} -s & 3631 sleep 1 3632 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 3633 sleep 3 3634 run_cmd ip link del ${VRF} 3635 sleep 1 3636 log_test_addr ${a} 0 0 "${desc}, global server, device client" 3637 3638 setup ${with_vrf} 3639 3640 log_start 3641 run_cmd nettest ${varg} -I ${VRF} -s & 3642 sleep 1 3643 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 3644 sleep 3 3645 run_cmd ip link del ${VRF} 3646 sleep 1 3647 log_test_addr ${a} 0 0 "${desc}, VRF server, device client" 3648 3649 setup ${with_vrf} 3650 3651 log_start 3652 run_cmd nettest ${varg} -I ${NSA_DEV} -s & 3653 sleep 1 3654 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 3655 sleep 3 3656 run_cmd ip link del ${VRF} 3657 sleep 1 3658 log_test_addr ${a} 0 0 "${desc}, 
device server, device client" 3659} 3660 3661ipv6_ping_rt() 3662{ 3663 local with_vrf="yes" 3664 local a 3665 3666 a=${NSA_IP6} 3667 log_start 3668 run_cmd_nsb ${ping6} -f ${a} & 3669 sleep 3 3670 run_cmd ip link del ${VRF} 3671 sleep 1 3672 log_test_addr ${a} 0 0 "Device delete with active traffic - ping in" 3673 3674 setup ${with_vrf} 3675 3676 log_start 3677 run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} & 3678 sleep 1 3679 run_cmd ip link del ${VRF} 3680 sleep 1 3681 log_test_addr ${a} 0 0 "Device delete with active traffic - ping out" 3682} 3683 3684ipv6_runtime() 3685{ 3686 log_section "Run time tests - ipv6" 3687 3688 setup "yes" 3689 ipv6_ping_rt 3690 3691 setup "yes" 3692 ipv6_rt "TCP active socket" "-n -1" 3693 3694 setup "yes" 3695 ipv6_rt "TCP passive socket" "-i" 3696 3697 setup "yes" 3698 ipv6_rt "UDP active socket" "-D -n -1" 3699} 3700 3701################################################################################ 3702# netfilter blocking connections 3703 3704netfilter_tcp_reset() 3705{ 3706 local a 3707 3708 for a in ${NSA_IP} ${VRF_IP} 3709 do 3710 log_start 3711 run_cmd nettest -s & 3712 sleep 1 3713 run_cmd_nsb nettest -r ${a} 3714 log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx" 3715 done 3716} 3717 3718netfilter_icmp() 3719{ 3720 local stype="$1" 3721 local arg 3722 local a 3723 3724 [ "${stype}" = "UDP" ] && arg="-D" 3725 3726 for a in ${NSA_IP} ${VRF_IP} 3727 do 3728 log_start 3729 run_cmd nettest ${arg} -s & 3730 sleep 1 3731 run_cmd_nsb nettest ${arg} -r ${a} 3732 log_test_addr ${a} $? 
1 "Global ${stype} server, Rx reject icmp-port-unreach" 3733 done 3734} 3735 3736ipv4_netfilter() 3737{ 3738 log_section "IPv4 Netfilter" 3739 log_subsection "TCP reset" 3740 3741 setup "yes" 3742 run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset 3743 3744 netfilter_tcp_reset 3745 3746 log_start 3747 log_subsection "ICMP unreachable" 3748 3749 log_start 3750 run_cmd iptables -F 3751 run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable 3752 run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable 3753 3754 netfilter_icmp "TCP" 3755 netfilter_icmp "UDP" 3756 3757 log_start 3758 iptables -F 3759} 3760 3761netfilter_tcp6_reset() 3762{ 3763 local a 3764 3765 for a in ${NSA_IP6} ${VRF_IP6} 3766 do 3767 log_start 3768 run_cmd nettest -6 -s & 3769 sleep 1 3770 run_cmd_nsb nettest -6 -r ${a} 3771 log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx" 3772 done 3773} 3774 3775netfilter_icmp6() 3776{ 3777 local stype="$1" 3778 local arg 3779 local a 3780 3781 [ "${stype}" = "UDP" ] && arg="$arg -D" 3782 3783 for a in ${NSA_IP6} ${VRF_IP6} 3784 do 3785 log_start 3786 run_cmd nettest -6 -s ${arg} & 3787 sleep 1 3788 run_cmd_nsb nettest -6 ${arg} -r ${a} 3789 log_test_addr ${a} $? 
1 "Global ${stype} server, Rx reject icmp-port-unreach" 3790 done 3791} 3792 3793ipv6_netfilter() 3794{ 3795 log_section "IPv6 Netfilter" 3796 log_subsection "TCP reset" 3797 3798 setup "yes" 3799 run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset 3800 3801 netfilter_tcp6_reset 3802 3803 log_subsection "ICMP unreachable" 3804 3805 log_start 3806 run_cmd ip6tables -F 3807 run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable 3808 run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable 3809 3810 netfilter_icmp6 "TCP" 3811 netfilter_icmp6 "UDP" 3812 3813 log_start 3814 ip6tables -F 3815} 3816 3817################################################################################ 3818# specific use cases 3819 3820# VRF only. 3821# ns-A device enslaved to bridge. Verify traffic with and without 3822# br_netfilter module loaded. Repeat with SVI on bridge. 3823use_case_br() 3824{ 3825 setup "yes" 3826 3827 setup_cmd ip link set ${NSA_DEV} down 3828 setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24 3829 setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64 3830 3831 setup_cmd ip link add br0 type bridge 3832 setup_cmd ip addr add dev br0 ${NSA_IP}/24 3833 setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad 3834 3835 setup_cmd ip li set ${NSA_DEV} master br0 3836 setup_cmd ip li set ${NSA_DEV} up 3837 setup_cmd ip li set br0 up 3838 setup_cmd ip li set br0 vrf ${VRF} 3839 3840 rmmod br_netfilter 2>/dev/null 3841 sleep 5 # DAD 3842 3843 run_cmd ip neigh flush all 3844 run_cmd ping -c1 -w1 -I br0 ${NSB_IP} 3845 log_test $? 0 "Bridge into VRF - IPv4 ping out" 3846 3847 run_cmd ip neigh flush all 3848 run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6} 3849 log_test $? 0 "Bridge into VRF - IPv6 ping out" 3850 3851 run_cmd ip neigh flush all 3852 run_cmd_nsb ping -c1 -w1 ${NSA_IP} 3853 log_test $? 
0 "Bridge into VRF - IPv4 ping in" 3854 3855 run_cmd ip neigh flush all 3856 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 3857 log_test $? 0 "Bridge into VRF - IPv6 ping in" 3858 3859 modprobe br_netfilter 3860 if [ $? -eq 0 ]; then 3861 run_cmd ip neigh flush all 3862 run_cmd ping -c1 -w1 -I br0 ${NSB_IP} 3863 log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out" 3864 3865 run_cmd ip neigh flush all 3866 run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6} 3867 log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out" 3868 3869 run_cmd ip neigh flush all 3870 run_cmd_nsb ping -c1 -w1 ${NSA_IP} 3871 log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in" 3872 3873 run_cmd ip neigh flush all 3874 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 3875 log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in" 3876 fi 3877 3878 setup_cmd ip li set br0 nomaster 3879 setup_cmd ip li add br0.100 link br0 type vlan id 100 3880 setup_cmd ip li set br0.100 vrf ${VRF} up 3881 setup_cmd ip addr add dev br0.100 172.16.101.1/24 3882 setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad 3883 3884 setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100 3885 setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24 3886 setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad 3887 setup_cmd_nsb ip li set vlan100 up 3888 sleep 1 3889 3890 rmmod br_netfilter 2>/dev/null 3891 3892 run_cmd ip neigh flush all 3893 run_cmd ping -c1 -w1 -I br0.100 172.16.101.2 3894 log_test $? 0 "Bridge vlan into VRF - IPv4 ping out" 3895 3896 run_cmd ip neigh flush all 3897 run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2 3898 log_test $? 0 "Bridge vlan into VRF - IPv6 ping out" 3899 3900 run_cmd ip neigh flush all 3901 run_cmd_nsb ping -c1 -w1 172.16.101.1 3902 log_test $? 0 "Bridge vlan into VRF - IPv4 ping in" 3903 3904 run_cmd ip neigh flush all 3905 run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1 3906 log_test $? 
0 "Bridge vlan into VRF - IPv6 ping in" 3907 3908 modprobe br_netfilter 3909 if [ $? -eq 0 ]; then 3910 run_cmd ip neigh flush all 3911 run_cmd ping -c1 -w1 -I br0.100 172.16.101.2 3912 log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out" 3913 3914 run_cmd ip neigh flush all 3915 run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2 3916 log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out" 3917 3918 run_cmd ip neigh flush all 3919 run_cmd_nsb ping -c1 -w1 172.16.101.1 3920 log_test $? 0 "Bridge vlan into VRF - IPv4 ping in" 3921 3922 run_cmd ip neigh flush all 3923 run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1 3924 log_test $? 0 "Bridge vlan into VRF - IPv6 ping in" 3925 fi 3926 3927 setup_cmd ip li del br0 2>/dev/null 3928 setup_cmd_nsb ip li del vlan100 2>/dev/null 3929} 3930 3931# VRF only. 3932# ns-A device is connected to both ns-B and ns-C on a single VRF but only has 3933# LLA on the interfaces 3934use_case_ping_lla_multi() 3935{ 3936 setup_lla_only 3937 # only want reply from ns-A 3938 setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1 3939 setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1 3940 3941 log_start 3942 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV} 3943 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B" 3944 3945 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV} 3946 log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C" 3947 3948 # cycle/flap the first ns-A interface 3949 setup_cmd ip link set ${NSA_DEV} down 3950 setup_cmd ip link set ${NSA_DEV} up 3951 sleep 1 3952 3953 log_start 3954 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV} 3955 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B" 3956 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV} 3957 log_test_addr ${MCAST}%${NSC_DEV} $? 
0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C" 3958 3959 # cycle/flap the second ns-A interface 3960 setup_cmd ip link set ${NSA_DEV2} down 3961 setup_cmd ip link set ${NSA_DEV2} up 3962 sleep 1 3963 3964 log_start 3965 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV} 3966 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B" 3967 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV} 3968 log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C" 3969} 3970 3971# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully 3972# established with ns-B. 3973use_case_snat_on_vrf() 3974{ 3975 setup "yes" 3976 3977 local port="12345" 3978 3979 run_cmd iptables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF} 3980 run_cmd ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF} 3981 3982 run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} & 3983 sleep 1 3984 run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port} 3985 log_test $? 0 "IPv4 TCP connection over VRF with SNAT" 3986 3987 run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} & 3988 sleep 1 3989 run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port} 3990 log_test $? 
0 "IPv6 TCP connection over VRF with SNAT" 3991 3992 # Cleanup 3993 run_cmd iptables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF} 3994 run_cmd ip6tables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF} 3995} 3996 3997use_cases() 3998{ 3999 log_section "Use cases" 4000 log_subsection "Device enslaved to bridge" 4001 use_case_br 4002 log_subsection "Ping LLA with multiple interfaces" 4003 use_case_ping_lla_multi 4004 log_subsection "SNAT on VRF" 4005 use_case_snat_on_vrf 4006} 4007 4008################################################################################ 4009# usage 4010 4011usage() 4012{ 4013 cat <<EOF 4014usage: ${0##*/} OPTS 4015 4016 -4 IPv4 tests only 4017 -6 IPv6 tests only 4018 -t <test> Test name/set to run 4019 -p Pause on fail 4020 -P Pause after each test 4021 -v Be verbose 4022EOF 4023} 4024 4025################################################################################ 4026# main 4027 4028TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter" 4029TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter" 4030TESTS_OTHER="use_cases" 4031 4032PAUSE_ON_FAIL=no 4033PAUSE=no 4034 4035while getopts :46t:pPvh o 4036do 4037 case $o in 4038 4) TESTS=ipv4;; 4039 6) TESTS=ipv6;; 4040 t) TESTS=$OPTARG;; 4041 p) PAUSE_ON_FAIL=yes;; 4042 P) PAUSE=yes;; 4043 v) VERBOSE=1;; 4044 h) usage; exit 0;; 4045 *) usage; exit 1;; 4046 esac 4047done 4048 4049# make sure we don't pause twice 4050[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no 4051 4052# 4053# show user test config 4054# 4055if [ -z "$TESTS" ]; then 4056 TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER" 4057elif [ "$TESTS" = "ipv4" ]; then 4058 TESTS="$TESTS_IPV4" 4059elif [ "$TESTS" = "ipv6" ]; then 4060 TESTS="$TESTS_IPV6" 4061fi 4062 4063which nettest >/dev/null 4064if [ $? 
-ne 0 ]; then 4065 echo "'nettest' command not found; skipping tests" 4066 exit $ksft_skip 4067fi 4068 4069declare -i nfail=0 4070declare -i nsuccess=0 4071 4072for t in $TESTS 4073do 4074 case $t in 4075 ipv4_ping|ping) ipv4_ping;; 4076 ipv4_tcp|tcp) ipv4_tcp;; 4077 ipv4_udp|udp) ipv4_udp;; 4078 ipv4_bind|bind) ipv4_addr_bind;; 4079 ipv4_runtime) ipv4_runtime;; 4080 ipv4_netfilter) ipv4_netfilter;; 4081 4082 ipv6_ping|ping6) ipv6_ping;; 4083 ipv6_tcp|tcp6) ipv6_tcp;; 4084 ipv6_udp|udp6) ipv6_udp;; 4085 ipv6_bind|bind6) ipv6_addr_bind;; 4086 ipv6_runtime) ipv6_runtime;; 4087 ipv6_netfilter) ipv6_netfilter;; 4088 4089 use_cases) use_cases;; 4090 4091 # setup namespaces and config, but do not run any tests 4092 setup) setup; exit 0;; 4093 vrf_setup) setup "yes"; exit 0;; 4094 4095 help) echo "Test names: $TESTS"; exit 0;; 4096 esac 4097done 4098 4099cleanup 2>/dev/null 4100 4101printf "\nTests passed: %3d\n" ${nsuccess} 4102printf "Tests failed: %3d\n" ${nfail} 4103 4104if [ $nfail -ne 0 ]; then 4105 exit 1 # KSFT_FAIL 4106elif [ $nsuccess -eq 0 ]; then 4107 exit $ksft_skip 4108fi 4109 4110exit 0 # KSFT_PASS 4111