#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
#
# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
# for various permutations:
#   1. icmp, tcp, udp and netfilter
#   2. client, server, no-server
#   3. global address on interface
#   4. global address on 'lo'
#   5. remote and local traffic
#   6. VRF and non-VRF permutations
#
# Setup:
#                     ns-A     |     ns-B
# No VRF case:
#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
#                                                remote address
# VRF case:
#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
#
# ns-A:
#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
#       lo: 127.0.0.1/8, ::1/128
#           172.16.2.1/32, 2001:db8:2::1/128
#      red: 127.0.0.1/8, ::1/128
#           172.16.3.1/32, 2001:db8:3::1/128
#
# ns-B:
#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
#      lo2: 127.0.0.1/8, ::1/128
#           172.16.2.2/32, 2001:db8:2::2/128
#
# ns-A to ns-C connection - only for VRF and same config
# as ns-A to ns-B
#
# server / client nomenclature relative to ns-A

# Kselftest framework requirement - SKIP code is 4.
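ksft_skip=4

VERBOSE=0

NSA_DEV=eth1
NSA_DEV2=eth2
NSB_DEV=eth1
NSC_DEV=eth2
VRF=red
VRF_TABLE=1101

# IPv4 config
NSA_IP=172.16.1.1
NSB_IP=172.16.1.2
VRF_IP=172.16.3.1
NS_NET=172.16.1.0/24

# IPv6 config
NSA_IP6=2001:db8:1::1
NSB_IP6=2001:db8:1::2
VRF_IP6=2001:db8:3::1
NS_NET6=2001:db8:1::/120

NSA_LO_IP=172.16.2.1
NSB_LO_IP=172.16.2.2
NSA_LO_IP6=2001:db8:2::1
NSB_LO_IP6=2001:db8:2::2

# non-local addresses for freebind tests
NL_IP=172.17.1.1
NL_IP6=2001:db8:4::1

# TCP-MD5 keys used purely as test fixtures. The tests hand them to nettest
# on the command line (-M / -X), so they show up in process listings while a
# test runs; they must never double as a real key.
MD5_PW=abc123
MD5_WRONG_PW=abc1234

MCAST=ff02::1
# set after namespace create
NSA_LINKIP6=
NSB_LINKIP6=

NSA=ns-A
NSB=ns-B
NSC=ns-C

NSA_CMD="ip netns exec ${NSA}"
NSB_CMD="ip netns exec ${NSB}"
NSC_CMD="ip netns exec ${NSC}"

# Prefer a dedicated ping6 binary and fall back to plain ping. 'command -v' is
# a shell builtin, so the lookup does not depend on 'which' being installed.
ping6=$(command -v ping6) || ping6=$(command -v ping)

################################################################################
# utilities

# Record and print the result of one test case.
#   $1 - observed exit status
#   $2 - expected exit status
#   $3 - description printed in the result line
# Globals: increments nsuccess or nfail; reads VERBOSE, PAUSE_ON_FAIL, PAUSE.
# Exits the script when the user answers 'q' at a pause prompt.
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"
	# The prompt answer gets its own local: the callers keep the address
	# under test in a variable named 'a', and bash's dynamic scoping would
	# let a plain 'read a' here overwrite it in the middle of a test loop.
	local answer

	[ "${VERBOSE}" = "1" ] && echo

	if [ "${rc}" -eq "${expected}" ]; then
		nsuccess=$((nsuccess+1))
		printf "TEST: %-70s [ OK ]\n" "${msg}"
	else
		nfail=$((nfail+1))
		printf "TEST: %-70s [FAIL]\n" "${msg}"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue, 'q' to quit"
			read -r answer
			[ "$answer" = "q" ] && exit 1
		fi
	fi

	if [ "${PAUSE}" = "yes" ]; then
		echo
		echo "hit enter to continue, 'q' to quit"
		read -r answer
		[ "$answer" = "q" ] && exit 1
	fi

	kill_procs
}

# Same as log_test, with a readable name for the address appended to the
# description.
#   $1 - address under test
#   $2 - observed exit status
#   $3 - expected exit status
#   $4 - description
log_test_addr()
{
	local addr=$1
	local rc=$2
	local expected=$3
	local msg="$4"
	local astr

	astr=$(addr2str ${addr})
	log_test $rc $expected "$msg - ${astr}"
}

# Print a top-level section banner containing "$*".
log_section()
{
	echo
	echo "###########################################################################"
	echo "$*"
	echo "###########################################################################"
	echo
}

# Print a sub-section banner containing "$*".
log_subsection()
{
	echo
	echo "#################################################################"
	echo "$*"
	echo
}

# Start of a single test case: stop leftover helpers and, in verbose mode,
# print a separator.
log_start()
{
	# make sure we have no test instances running
	kill_procs

	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "#######################################################"
	fi
}

# Print "$*" surrounded by blank lines, in verbose mode only.
log_debug()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "$*"
		echo
	fi
}

# Print a hint about the expected outcome, in verbose mode only.
show_hint()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo "HINT: $*"
		echo
	fi
}

# Stop helper processes left over from a previous test case.
# NOTE: killall selects processes by name and is given no namespace filter
# here, so nettest/ping/ping6 processes started outside this script are
# signalled as well. Run the suite on a machine where that is acceptable.
kill_procs()
{
	killall nettest ping ping6 >/dev/null 2>&1
	sleep 1
}

# Run "$*" as a command, capture stdout and stderr, and print both in verbose
# mode. Returns the command's exit status, which is also left in the global
# 'rc' (kept global on purpose; code outside this section may read it).
do_run_cmd()
{
	local cmd="$*"
	local out

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${cmd}"
	fi

	# Deliberately unquoted so the string splits back into argv. Nothing is
	# re-parsed by the shell (no eval), but an argument containing
	# whitespace or glob characters would not survive the round trip; the
	# call sites pass fixed tokens only.
	out=$($cmd 2>&1)
	rc=$?
	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		echo "$out"
	fi

	return $rc
}

# Run a command inside ns-A.
run_cmd()
{
	do_run_cmd ${NSA_CMD} $*
}

# Run a command inside ns-B.
run_cmd_nsb()
{
	do_run_cmd ${NSB_CMD} $*
}

# Run a command inside ns-C.
run_cmd_nsc()
{
	do_run_cmd ${NSC_CMD} $*
}

# Shared failure path of the setup_cmd* wrappers: report the command, pause
# if requested, then exit the script with the command's status.
#   $1 - exit status of the failed command
#   $2 - the command line, as one string
_setup_cmd_abort()
{
	local rc=$1
	local cmd="$2"
	local answer

	# show user the command if not done so already
	if [ "$VERBOSE" = "0" ]; then
		echo "setup command: $cmd"
	fi
	echo "failed. stopping tests"
	if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
		echo
		echo "hit enter to continue"
		read -r answer
	fi
	exit $rc
}

# Run a setup command in ns-A; any failure stops the whole test run.
setup_cmd()
{
	local cmd="$*"
	local rc

	run_cmd ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		_setup_cmd_abort $rc "$cmd"
	fi
}

# Run a setup command in ns-B; any failure stops the whole test run.
setup_cmd_nsb()
{
	local cmd="$*"
	local rc

	run_cmd_nsb ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		_setup_cmd_abort $rc "$cmd"
	fi
}

# Run a setup command in ns-C; any failure stops the whole test run.
setup_cmd_nsc()
{
	local cmd="$*"
	local rc

	run_cmd_nsc ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		_setup_cmd_abort $rc "$cmd"
	fi
}

# set sysctl values in NS-A
set_sysctl()
{
	echo "SYSCTL: $*"
	echo
	run_cmd sysctl -q -w $*
}

# get sysctl values in NS-A
get_sysctl()
{
	${NSA_CMD} sysctl -n $*
}

################################################################################
# Setup for tests

# Map an address used by the tests to a human-readable label for log output.
# Addresses the script does not know are reported as "unknown".
addr2str()
{
	case "$1" in
	127.0.0.1) echo "loopback";;
	::1) echo "IPv6 loopback";;

	${NSA_IP})	echo "ns-A IP";;
	${NSA_IP6})	echo "ns-A IPv6";;
	${NSA_LO_IP})	echo "ns-A loopback IP";;
	${NSA_LO_IP6})	echo "ns-A loopback IPv6";;
	${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;

	${NSB_IP})	echo "ns-B IP";;
	${NSB_IP6})	echo "ns-B IPv6";;
	${NSB_LO_IP})	echo "ns-B loopback IP";;
	${NSB_LO_IP6})	echo "ns-B loopback IPv6";;
	${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;

	${NL_IP})       echo "nonlocal IP";;
	${NL_IP6})      echo "nonlocal IPv6";;

	${VRF_IP})	echo "VRF IP";;
	${VRF_IP6})	echo "VRF IPv6";;

	${MCAST}%*)	echo "multicast IP";;

	*) echo "unknown";;
	esac
}

# Print the IPv6 link-local address (without prefix length) of a device.
#   $1 - namespace name
#   $2 - device name
# Returns 1 and prints nothing when no fe80 address is found.
get_linklocal()
{
	local ns=$1
	local dev=$2
	local addr

	# In brief (-br) output the addresses start at the third field.
	addr=$(ip -netns ${ns} -6 -br addr show dev ${dev} | \
	awk '{
		for (i = 3; i <= NF; ++i) {
			if ($i ~ /^fe80/)
				print $i
		}
	}'
	)
	# Drop everything from the first '/' on (the prefix length).
	addr=${addr/\/*}

	if [ -z "$addr" ]; then
		return 1
	fi

	printf '%s\n' "$addr"

	return 0
}
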
################################################################################
# create namespaces and vrf

# Create a VRF device inside a namespace and give it loopback-style addresses.
#   $1 - namespace
#   $2 - VRF device name
#   $3 - routing table id for the VRF
#   $4 - IPv4 address to add to the VRF device, or "-" for none
#   $5 - IPv6 address to add to the VRF device, or "-" for none
# Also installs an unreachable default route in the VRF for both families and
# re-creates the "lookup local" rule at preference 32765 in place of the one
# at preference 0.
create_vrf()
{
	local ns=$1 vrf=$2 table=$3
	local addr=$4 addr6=$5
	local fam

	ip -netns ${ns} link add ${vrf} type vrf table ${table}
	ip -netns ${ns} link set ${vrf} up

	# "" selects the IPv4 form of the command, -6 the IPv6 form
	for fam in "" -6; do
		ip -netns ${ns} ${fam} route add vrf ${vrf} unreachable default metric 8192
	done

	ip -netns ${ns} addr add 127.0.0.1/8 dev ${vrf}
	ip -netns ${ns} -6 addr add ::1 dev ${vrf} nodad
	[ "${addr}" = "-" ] || ip -netns ${ns} addr add dev ${vrf} ${addr}
	[ "${addr6}" = "-" ] || ip -netns ${ns} -6 addr add dev ${vrf} ${addr6}

	for fam in "" -6; do
		ip -netns ${ns} ${fam} ru del pref 0
		ip -netns ${ns} ${fam} ru add pref 32765 from all lookup local
	done
}

# Create a namespace, bring up 'lo', and enable forwarding in it.
#   $1 - namespace
#   $2 - IPv4 address to add to lo, or "-" for none
#   $3 - IPv6 address to add to lo, or "-" for none
# An unreachable default route is installed for both address families.
create_ns()
{
	local ns=$1 addr=$2 addr6=$3
	local fam knob

	ip netns add ${ns}

	ip -netns ${ns} link set lo up
	[ "${addr}" = "-" ] || ip -netns ${ns} addr add dev lo ${addr}
	[ "${addr6}" = "-" ] || ip -netns ${ns} -6 addr add dev lo ${addr6}

	for fam in "" -6; do
		ip -netns ${ns} ${fam} ro add unreachable default metric 8192
	done

	for knob in \
		net.ipv4.ip_forward=1 \
		net.ipv6.conf.all.keep_addr_on_down=1 \
		net.ipv6.conf.all.forwarding=1 \
		net.ipv6.conf.default.forwarding=1
	do
		ip netns exec ${ns} sysctl -qw ${knob}
	done
}

# create veth pair to connect namespaces and apply addresses.
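# Arguments:
#   $1 - first namespace        $5 - second namespace
#   $2 - device name in $1      $6 - device name in $5
#   $3 - IPv4 address for $2    $7 - IPv4 address for $6
#   $4 - IPv6 address for $2    $8 - IPv6 address for $6
# Passing "-" as $3 (or $4) skips the IPv4 (or IPv6) addresses on both ends.
connect_ns()
{
	local ns1=$1
	local ns1_dev=$2
	local ns1_addr=$3
	local ns1_addr6=$4
	local ns2=$5
	local ns2_dev=$6
	local ns2_addr=$7
	local ns2_addr6=$8

	# The peer is created as 'tmp' in ns1 and renamed while it is moved
	# into ns2.
	ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp
	ip -netns ${ns1} li set ${ns1_dev} up
	ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev}
	ip -netns ${ns2} li set ${ns2_dev} up

	if [ "${ns1_addr}" != "-" ]; then
		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr}
		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr}
	fi

	if [ "${ns1_addr6}" != "-" ]; then
		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6}
		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6}
	fi
}

# Tear down the test namespaces and kill any process still running in them.
# Globals read: NSA, NSB, NSC, VRF, VRF_TABLE, NSA_DEV.
cleanup()
{
	# explicit cleanups to check those code paths
	#
	# Compare the namespace name exactly (first field of the listing). A
	# substring match would also fire for an unrelated namespace whose
	# name merely contains ${NSA}.
	if ip netns | awk -v ns="${NSA}" '$1 == ns { found = 1 } END { exit !found }'; then
		ip -netns ${NSA} link delete ${VRF}
		ip -netns ${NSA} ro flush table ${VRF_TABLE}

		ip -netns ${NSA} addr flush dev ${NSA_DEV}
		ip -netns ${NSA} -6 addr flush dev ${NSA_DEV}
		ip -netns ${NSA} link set dev ${NSA_DEV} down
		ip -netns ${NSA} link del dev ${NSA_DEV}

		ip netns pids ${NSA} | xargs kill 2>/dev/null
		ip netns del ${NSA}
	fi

	# kill's errors are discarded, including the case where the namespace
	# has no processes and xargs is given no PIDs.
	ip netns pids ${NSB} | xargs kill 2>/dev/null
	ip netns del ${NSB}
	ip netns pids ${NSC} | xargs kill 2>/dev/null
	ip netns del ${NSC} >/dev/null 2>&1
}

# Build the test topology from scratch.
#   $1 - "yes" to put ns-A's device into the VRF and to create ns-C;
#        anything else gives the non-VRF topology
# Sets NSA_LINKIP6 and NSB_LINKIP6. Runs under 'set -e', so the first failing
# configuration step aborts the script.
setup()
{
	local with_vrf=${1}

	# make sure we are starting with a clean slate
	kill_procs
	cleanup 2>/dev/null

	log_debug "Configuring network namespaces"
	set -e

	create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128
	create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128
	connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \
		   ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64

	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})

	# tell ns-A how to get to remote addresses of ns-B
	if [ "${with_vrf}" = "yes" ]; then
		create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6}

		ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
		ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
		ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}

		ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
		ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}

		# some VRF tests use ns-C which has the same config as
		# ns-B but for a device NOT in the VRF
		create_ns ${NSC} "-" "-"
		connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \
			   ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
	else
		ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
		ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
	fi


	# tell ns-B how to get to remote addresses of ns-A
	ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
	ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}

	set +e

	sleep 1
}

# Build a topology that has no configured addresses: three namespaces joined
# by veth pairs, with both ns-A devices enslaved to the VRF.
# Sets NSA_LINKIP6, NSB_LINKIP6 and NSC_LINKIP6. Runs under 'set -e', so the
# first failing configuration step aborts the script.
setup_lla_only()
{
	# make sure we are starting with a clean slate
	kill_procs
	cleanup 2>/dev/null

	log_debug "Configuring network namespaces"
	set -e

	create_ns ${NSA} "-" "-"
	create_ns ${NSB} "-" "-"
	create_ns ${NSC} "-" "-"
	connect_ns ${NSA} ${NSA_DEV} "-" "-" \
		   ${NSB} ${NSB_DEV} "-" "-"
	connect_ns ${NSA} ${NSA_DEV2} "-" "-" \
		   ${NSC} ${NSC_DEV}  "-" "-"

	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
	NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV})

	create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-"
	ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
	ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF}

	set +e

	sleep 1
}
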
545################################################################################ 546# IPv4 547 548ipv4_ping_novrf() 549{ 550 local a 551 552 # 553 # out 554 # 555 for a in ${NSB_IP} ${NSB_LO_IP} 556 do 557 log_start 558 run_cmd ping -c1 -w1 ${a} 559 log_test_addr ${a} $? 0 "ping out" 560 561 log_start 562 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 563 log_test_addr ${a} $? 0 "ping out, device bind" 564 565 log_start 566 run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a} 567 log_test_addr ${a} $? 0 "ping out, address bind" 568 done 569 570 # 571 # in 572 # 573 for a in ${NSA_IP} ${NSA_LO_IP} 574 do 575 log_start 576 run_cmd_nsb ping -c1 -w1 ${a} 577 log_test_addr ${a} $? 0 "ping in" 578 done 579 580 # 581 # local traffic 582 # 583 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 584 do 585 log_start 586 run_cmd ping -c1 -w1 ${a} 587 log_test_addr ${a} $? 0 "ping local" 588 done 589 590 # 591 # local traffic, socket bound to device 592 # 593 # address on device 594 a=${NSA_IP} 595 log_start 596 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 597 log_test_addr ${a} $? 0 "ping local, device bind" 598 599 # loopback addresses not reachable from device bind 600 # fails in a really weird way though because ipv4 special cases 601 # route lookups with oif set. 602 for a in ${NSA_LO_IP} 127.0.0.1 603 do 604 log_start 605 show_hint "Fails since address on loopback device is out of device scope" 606 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 607 log_test_addr ${a} $? 1 "ping local, device bind" 608 done 609 610 # 611 # ip rule blocks reachability to remote address 612 # 613 log_start 614 setup_cmd ip rule add pref 32765 from all lookup local 615 setup_cmd ip rule del pref 0 from all lookup local 616 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 617 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 618 619 a=${NSB_LO_IP} 620 run_cmd ping -c1 -w1 ${a} 621 log_test_addr ${a} $? 
2 "ping out, blocked by rule" 622 623 # NOTE: ipv4 actually allows the lookup to fail and yet still create 624 # a viable rtable if the oif (e.g., bind to device) is set, so this 625 # case succeeds despite the rule 626 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 627 628 a=${NSA_LO_IP} 629 log_start 630 show_hint "Response generates ICMP (or arp request is ignored) due to ip rule" 631 run_cmd_nsb ping -c1 -w1 ${a} 632 log_test_addr ${a} $? 1 "ping in, blocked by rule" 633 634 [ "$VERBOSE" = "1" ] && echo 635 setup_cmd ip rule del pref 32765 from all lookup local 636 setup_cmd ip rule add pref 0 from all lookup local 637 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 638 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 639 640 # 641 # route blocks reachability to remote address 642 # 643 log_start 644 setup_cmd ip route replace unreachable ${NSB_LO_IP} 645 setup_cmd ip route replace unreachable ${NSB_IP} 646 647 a=${NSB_LO_IP} 648 run_cmd ping -c1 -w1 ${a} 649 log_test_addr ${a} $? 2 "ping out, blocked by route" 650 651 # NOTE: ipv4 actually allows the lookup to fail and yet still create 652 # a viable rtable if the oif (e.g., bind to device) is set, so this 653 # case succeeds despite not having a route for the address 654 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 655 656 a=${NSA_LO_IP} 657 log_start 658 show_hint "Response is dropped (or arp request is ignored) due to ip route" 659 run_cmd_nsb ping -c1 -w1 ${a} 660 log_test_addr ${a} $? 1 "ping in, blocked by route" 661 662 # 663 # remove 'remote' routes; fallback to default 664 # 665 log_start 666 setup_cmd ip ro del ${NSB_LO_IP} 667 668 a=${NSB_LO_IP} 669 run_cmd ping -c1 -w1 ${a} 670 log_test_addr ${a} $? 
2 "ping out, unreachable default route" 671 672 # NOTE: ipv4 actually allows the lookup to fail and yet still create 673 # a viable rtable if the oif (e.g., bind to device) is set, so this 674 # case succeeds despite not having a route for the address 675 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 676} 677 678ipv4_ping_vrf() 679{ 680 local a 681 682 # should default on; does not exist on older kernels 683 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 684 685 # 686 # out 687 # 688 for a in ${NSB_IP} ${NSB_LO_IP} 689 do 690 log_start 691 run_cmd ping -c1 -w1 -I ${VRF} ${a} 692 log_test_addr ${a} $? 0 "ping out, VRF bind" 693 694 log_start 695 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 696 log_test_addr ${a} $? 0 "ping out, device bind" 697 698 log_start 699 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a} 700 log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind" 701 702 log_start 703 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a} 704 log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind" 705 done 706 707 # 708 # in 709 # 710 for a in ${NSA_IP} ${VRF_IP} 711 do 712 log_start 713 run_cmd_nsb ping -c1 -w1 ${a} 714 log_test_addr ${a} $? 0 "ping in" 715 done 716 717 # 718 # local traffic, local address 719 # 720 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 721 do 722 log_start 723 show_hint "Source address should be ${a}" 724 run_cmd ping -c1 -w1 -I ${VRF} ${a} 725 log_test_addr ${a} $? 0 "ping local, VRF bind" 726 done 727 728 # 729 # local traffic, socket bound to device 730 # 731 # address on device 732 a=${NSA_IP} 733 log_start 734 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 735 log_test_addr ${a} $? 0 "ping local, device bind" 736 737 # vrf device is out of scope 738 for a in ${VRF_IP} 127.0.0.1 739 do 740 log_start 741 show_hint "Fails since address on vrf device is out of device scope" 742 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 743 log_test_addr ${a} $? 
1 "ping local, device bind" 744 done 745 746 # 747 # ip rule blocks address 748 # 749 log_start 750 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 751 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 752 753 a=${NSB_LO_IP} 754 run_cmd ping -c1 -w1 -I ${VRF} ${a} 755 log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule" 756 757 log_start 758 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 759 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 760 761 a=${NSA_LO_IP} 762 log_start 763 show_hint "Response lost due to ip rule" 764 run_cmd_nsb ping -c1 -w1 ${a} 765 log_test_addr ${a} $? 1 "ping in, blocked by rule" 766 767 [ "$VERBOSE" = "1" ] && echo 768 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 769 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 770 771 # 772 # remove 'remote' routes; fallback to default 773 # 774 log_start 775 setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP} 776 777 a=${NSB_LO_IP} 778 run_cmd ping -c1 -w1 -I ${VRF} ${a} 779 log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route" 780 781 log_start 782 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 783 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 784 785 a=${NSA_LO_IP} 786 log_start 787 show_hint "Response lost by unreachable route" 788 run_cmd_nsb ping -c1 -w1 ${a} 789 log_test_addr ${a} $? 
1 "ping in, unreachable route" 790} 791 792ipv4_ping() 793{ 794 log_section "IPv4 ping" 795 796 log_subsection "No VRF" 797 setup 798 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null 799 ipv4_ping_novrf 800 setup 801 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 802 ipv4_ping_novrf 803 804 log_subsection "With VRF" 805 setup "yes" 806 ipv4_ping_vrf 807} 808 809################################################################################ 810# IPv4 TCP 811 812# 813# MD5 tests without VRF 814# 815ipv4_tcp_md5_novrf() 816{ 817 # 818 # single address 819 # 820 821 # basic use case 822 log_start 823 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 824 sleep 1 825 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 826 log_test $? 0 "MD5: Single address config" 827 828 # client sends MD5, server not configured 829 log_start 830 show_hint "Should timeout due to MD5 mismatch" 831 run_cmd nettest -s & 832 sleep 1 833 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 834 log_test $? 2 "MD5: Server no config, client uses password" 835 836 # wrong password 837 log_start 838 show_hint "Should timeout since client uses wrong password" 839 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 840 sleep 1 841 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 842 log_test $? 2 "MD5: Client uses wrong password" 843 844 # client from different address 845 log_start 846 show_hint "Should timeout due to MD5 mismatch" 847 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} & 848 sleep 1 849 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 850 log_test $? 2 "MD5: Client address does not match address configured with password" 851 852 # 853 # MD5 extension - prefix length 854 # 855 856 # client in prefix 857 log_start 858 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 859 sleep 1 860 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 861 log_test $? 
0 "MD5: Prefix config" 862 863 # client in prefix, wrong password 864 log_start 865 show_hint "Should timeout since client uses wrong password" 866 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 867 sleep 1 868 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 869 log_test $? 2 "MD5: Prefix config, client uses wrong password" 870 871 # client outside of prefix 872 log_start 873 show_hint "Should timeout due to MD5 mismatch" 874 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 875 sleep 1 876 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 877 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 878} 879 880# 881# MD5 tests with VRF 882# 883ipv4_tcp_md5() 884{ 885 # 886 # single address 887 # 888 889 # basic use case 890 log_start 891 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 892 sleep 1 893 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 894 log_test $? 0 "MD5: VRF: Single address config" 895 896 # client sends MD5, server not configured 897 log_start 898 show_hint "Should timeout since server does not have MD5 auth" 899 run_cmd nettest -s -I ${VRF} & 900 sleep 1 901 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 902 log_test $? 2 "MD5: VRF: Server no config, client uses password" 903 904 # wrong password 905 log_start 906 show_hint "Should timeout since client uses wrong password" 907 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 908 sleep 1 909 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 910 log_test $? 2 "MD5: VRF: Client uses wrong password" 911 912 # client from different address 913 log_start 914 show_hint "Should timeout since server config differs from client" 915 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} & 916 sleep 1 917 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 918 log_test $? 
2 "MD5: VRF: Client address does not match address configured with password" 919 920 # 921 # MD5 extension - prefix length 922 # 923 924 # client in prefix 925 log_start 926 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 927 sleep 1 928 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 929 log_test $? 0 "MD5: VRF: Prefix config" 930 931 # client in prefix, wrong password 932 log_start 933 show_hint "Should timeout since client uses wrong password" 934 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 935 sleep 1 936 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 937 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 938 939 # client outside of prefix 940 log_start 941 show_hint "Should timeout since client address is outside of prefix" 942 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 943 sleep 1 944 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 945 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" 946 947 # 948 # duplicate config between default VRF and a VRF 949 # 950 951 log_start 952 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 953 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 954 sleep 1 955 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 956 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 957 958 log_start 959 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 960 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 961 sleep 1 962 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 963 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 964 965 log_start 966 show_hint "Should timeout since client in default VRF uses VRF password" 967 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 968 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 969 sleep 1 970 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 971 log_test $? 
2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 972 973 log_start 974 show_hint "Should timeout since client in VRF uses default VRF password" 975 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 976 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 977 sleep 1 978 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 979 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 980 981 log_start 982 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 983 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 984 sleep 1 985 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 986 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 987 988 log_start 989 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 990 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 991 sleep 1 992 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 993 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 994 995 log_start 996 show_hint "Should timeout since client in default VRF uses VRF password" 997 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 998 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 999 sleep 1 1000 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1001 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 1002 1003 log_start 1004 show_hint "Should timeout since client in VRF uses default VRF password" 1005 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1006 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1007 sleep 1 1008 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1009 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 1010 1011 # 1012 # negative tests 1013 # 1014 log_start 1015 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP} 1016 log_test $? 
1 "MD5: VRF: Device must be a VRF - single address" 1017 1018 log_start 1019 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET} 1020 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 1021 1022 test_ipv4_md5_vrf__vrf_server__no_bind_ifindex 1023 test_ipv4_md5_vrf__global_server__bind_ifindex0 1024} 1025 1026test_ipv4_md5_vrf__vrf_server__no_bind_ifindex() 1027{ 1028 log_start 1029 show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX" 1030 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1031 sleep 1 1032 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1033 log_test $? 0 "MD5: VRF: VRF-bound server, unbound key accepts connection" 1034 1035 log_start 1036 show_hint "Binding both the socket and the key is not required but it works" 1037 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1038 sleep 1 1039 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1040 log_test $? 0 "MD5: VRF: VRF-bound server, bound key accepts connection" 1041} 1042 1043test_ipv4_md5_vrf__global_server__bind_ifindex0() 1044{ 1045 # This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections 1046 local old_tcp_l3mdev_accept 1047 old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept) 1048 set_sysctl net.ipv4.tcp_l3mdev_accept=1 1049 1050 log_start 1051 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1052 sleep 1 1053 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1054 log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection" 1055 1056 log_start 1057 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1058 sleep 1 1059 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1060 log_test $? 
0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection" 1061 log_start 1062 1063 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1064 sleep 1 1065 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1066 log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection" 1067 1068 log_start 1069 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1070 sleep 1 1071 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1072 log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection" 1073 1074 # restore value 1075 set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept" 1076} 1077 1078ipv4_tcp_novrf() 1079{ 1080 local a 1081 1082 # 1083 # server tests 1084 # 1085 for a in ${NSA_IP} ${NSA_LO_IP} 1086 do 1087 log_start 1088 run_cmd nettest -s & 1089 sleep 1 1090 run_cmd_nsb nettest -r ${a} 1091 log_test_addr ${a} $? 0 "Global server" 1092 done 1093 1094 a=${NSA_IP} 1095 log_start 1096 run_cmd nettest -s -I ${NSA_DEV} & 1097 sleep 1 1098 run_cmd_nsb nettest -r ${a} 1099 log_test_addr ${a} $? 0 "Device server" 1100 1101 # verify TCP reset sent and received 1102 for a in ${NSA_IP} ${NSA_LO_IP} 1103 do 1104 log_start 1105 show_hint "Should fail 'Connection refused' since there is no server" 1106 run_cmd_nsb nettest -r ${a} 1107 log_test_addr ${a} $? 1 "No server" 1108 done 1109 1110 # 1111 # client 1112 # 1113 for a in ${NSB_IP} ${NSB_LO_IP} 1114 do 1115 log_start 1116 run_cmd_nsb nettest -s & 1117 sleep 1 1118 run_cmd nettest -r ${a} -0 ${NSA_IP} 1119 log_test_addr ${a} $? 0 "Client" 1120 1121 log_start 1122 run_cmd_nsb nettest -s & 1123 sleep 1 1124 run_cmd nettest -r ${a} -d ${NSA_DEV} 1125 log_test_addr ${a} $? 0 "Client, device bind" 1126 1127 log_start 1128 show_hint "Should fail 'Connection refused'" 1129 run_cmd nettest -r ${a} 1130 log_test_addr ${a} $? 
1 "No server, unbound client" 1131 1132 log_start 1133 show_hint "Should fail 'Connection refused'" 1134 run_cmd nettest -r ${a} -d ${NSA_DEV} 1135 log_test_addr ${a} $? 1 "No server, device client" 1136 done 1137 1138 # 1139 # local address tests 1140 # 1141 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1142 do 1143 log_start 1144 run_cmd nettest -s & 1145 sleep 1 1146 run_cmd nettest -r ${a} -0 ${a} -1 ${a} 1147 log_test_addr ${a} $? 0 "Global server, local connection" 1148 done 1149 1150 a=${NSA_IP} 1151 log_start 1152 run_cmd nettest -s -I ${NSA_DEV} & 1153 sleep 1 1154 run_cmd nettest -r ${a} -0 ${a} 1155 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 1156 1157 for a in ${NSA_LO_IP} 127.0.0.1 1158 do 1159 log_start 1160 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 1161 run_cmd nettest -s -I ${NSA_DEV} & 1162 sleep 1 1163 run_cmd nettest -r ${a} 1164 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 1165 done 1166 1167 a=${NSA_IP} 1168 log_start 1169 run_cmd nettest -s & 1170 sleep 1 1171 run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV} 1172 log_test_addr ${a} $? 0 "Global server, device client, local connection" 1173 1174 for a in ${NSA_LO_IP} 127.0.0.1 1175 do 1176 log_start 1177 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 1178 run_cmd nettest -s & 1179 sleep 1 1180 run_cmd nettest -r ${a} -d ${NSA_DEV} 1181 log_test_addr ${a} $? 1 "Global server, device client, local connection" 1182 done 1183 1184 a=${NSA_IP} 1185 log_start 1186 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1187 sleep 1 1188 run_cmd nettest -d ${NSA_DEV} -r ${a} -0 ${a} 1189 log_test_addr ${a} $? 0 "Device server, device client, local connection" 1190 1191 log_start 1192 show_hint "Should fail 'Connection refused'" 1193 run_cmd nettest -d ${NSA_DEV} -r ${a} 1194 log_test_addr ${a} $? 
1 "No server, device client, local conn"

	# TCP MD5 cases for the non-VRF setup (function defined outside
	# this excerpt)
	ipv4_tcp_md5_novrf
}

#
# IPv4 TCP tests with VRF configured (ipv4_tcp calls this after
# setup "yes").
#
# Runs in two passes keyed on net.ipv4.tcp_l3mdev_accept:
#   0 - a server bound to neither the VRF nor a device ("global") must
#       not accept connections arriving through the VRF (expected rc 1)
#   1 - the same global server is expected to accept them (rc 0)
# VRF-bound and device-bound servers are expected to work in both
# passes.
#
ipv4_tcp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"

	set_sysctl net.ipv4.tcp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server"

		log_start
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		log_start
		run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Device server"

		# verify TCP reset received
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	# local address tests
	# (${VRF_IP} and 127.0.0.1 both timeout)
	a=${NSA_IP}
	log_start
	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
	run_cmd nettest -s &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV}
	log_test_addr ${a} $? 1 "Global server, local connection"

	# run MD5 tests
	ipv4_tcp_md5

	#
	# enable VRF global server
	#
	# from here on an unbound listener is expected to accept
	# connections that arrive through the VRF
	log_subsection "VRF Global server enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? \
0 "Global server" 1266 1267 log_start 1268 show_hint "client socket should be bound to VRF" 1269 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1270 sleep 1 1271 run_cmd_nsb nettest -r ${a} 1272 log_test_addr ${a} $? 0 "VRF server" 1273 1274 # verify TCP reset received 1275 log_start 1276 show_hint "Should fail 'Connection refused'" 1277 run_cmd_nsb nettest -r ${a} 1278 log_test_addr ${a} $? 1 "No server" 1279 done 1280 1281 a=${NSA_IP} 1282 log_start 1283 show_hint "client socket should be bound to device" 1284 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1285 sleep 1 1286 run_cmd_nsb nettest -r ${a} 1287 log_test_addr ${a} $? 0 "Device server" 1288 1289 # local address tests 1290 for a in ${NSA_IP} ${VRF_IP} 1291 do 1292 log_start 1293 show_hint "Should fail 'Connection refused' since client is not bound to VRF" 1294 run_cmd nettest -s -I ${VRF} & 1295 sleep 1 1296 run_cmd nettest -r ${a} 1297 log_test_addr ${a} $? 1 "Global server, local connection" 1298 done 1299 1300 # 1301 # client 1302 # 1303 for a in ${NSB_IP} ${NSB_LO_IP} 1304 do 1305 log_start 1306 run_cmd_nsb nettest -s & 1307 sleep 1 1308 run_cmd nettest -r ${a} -d ${VRF} 1309 log_test_addr ${a} $? 0 "Client, VRF bind" 1310 1311 log_start 1312 run_cmd_nsb nettest -s & 1313 sleep 1 1314 run_cmd nettest -r ${a} -d ${NSA_DEV} 1315 log_test_addr ${a} $? 0 "Client, device bind" 1316 1317 log_start 1318 show_hint "Should fail 'Connection refused'" 1319 run_cmd nettest -r ${a} -d ${VRF} 1320 log_test_addr ${a} $? 1 "No server, VRF client" 1321 1322 log_start 1323 show_hint "Should fail 'Connection refused'" 1324 run_cmd nettest -r ${a} -d ${NSA_DEV} 1325 log_test_addr ${a} $? 1 "No server, device client" 1326 done 1327 1328 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 1329 do 1330 log_start 1331 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1332 sleep 1 1333 run_cmd nettest -r ${a} -d ${VRF} -0 ${a} 1334 log_test_addr ${a} $? 
0 "VRF server, VRF client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${VRF} -3 ${VRF} &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local connection"

	# the client below is bound to neither the VRF nor the device
	log_start
	show_hint "Should fail 'No route to host' since client is out of VRF scope"
	run_cmd nettest -s -I ${VRF} &
	sleep 1
	run_cmd nettest -r ${a}
	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local connection"
}

#
# Entry point for the IPv4 TCP tests: runs the non-VRF set twice, with
# tcp_l3mdev_accept off and then on, and afterwards re-runs setup with
# "yes" (the "With VRF" subsection) for the VRF set.
#
ipv4_tcp()
{
	log_section "IPv4/TCP"
	log_subsection "No VRF"
	setup

	# tcp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "tcp_l3mdev_accept disabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=0
	ipv4_tcp_novrf
	log_subsection "tcp_l3mdev_accept enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1
	ipv4_tcp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_tcp_vrf
}

################################################################################
# IPv4 UDP

#
# IPv4 UDP tests with no VRF configured (every nettest call carries -D).
# Same layout as the TCP set: server in ns-A, client in ns-A, then
# traffic to ns-A's own addresses.
#
ipv4_udp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? \
0 "Global server" 1401 1402 log_start 1403 show_hint "Should fail 'Connection refused' since there is no server" 1404 run_cmd_nsb nettest -D -r ${a} 1405 log_test_addr ${a} $? 1 "No server" 1406 done 1407 1408 a=${NSA_IP} 1409 log_start 1410 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1411 sleep 1 1412 run_cmd_nsb nettest -D -r ${a} 1413 log_test_addr ${a} $? 0 "Device server" 1414 1415 # 1416 # client 1417 # 1418 for a in ${NSB_IP} ${NSB_LO_IP} 1419 do 1420 log_start 1421 run_cmd_nsb nettest -D -s & 1422 sleep 1 1423 run_cmd nettest -D -r ${a} -0 ${NSA_IP} 1424 log_test_addr ${a} $? 0 "Client" 1425 1426 log_start 1427 run_cmd_nsb nettest -D -s & 1428 sleep 1 1429 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP} 1430 log_test_addr ${a} $? 0 "Client, device bind" 1431 1432 log_start 1433 run_cmd_nsb nettest -D -s & 1434 sleep 1 1435 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP} 1436 log_test_addr ${a} $? 0 "Client, device send via cmsg" 1437 1438 log_start 1439 run_cmd_nsb nettest -D -s & 1440 sleep 1 1441 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} 1442 log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF" 1443 1444 log_start 1445 show_hint "Should fail 'Connection refused'" 1446 run_cmd nettest -D -r ${a} 1447 log_test_addr ${a} $? 1 "No server, unbound client" 1448 1449 log_start 1450 show_hint "Should fail 'Connection refused'" 1451 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1452 log_test_addr ${a} $? 1 "No server, device client" 1453 done 1454 1455 # 1456 # local address tests 1457 # 1458 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1459 do 1460 log_start 1461 run_cmd nettest -D -s & 1462 sleep 1 1463 run_cmd nettest -D -r ${a} -0 ${a} -1 ${a} 1464 log_test_addr ${a} $? 0 "Global server, local connection" 1465 done 1466 1467 a=${NSA_IP} 1468 log_start 1469 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1470 sleep 1 1471 run_cmd nettest -D -r ${a} 1472 log_test_addr ${a} $? 
0 "Device server, unbound client, local connection" 1473 1474 for a in ${NSA_LO_IP} 127.0.0.1 1475 do 1476 log_start 1477 show_hint "Should fail 'Connection refused' since address is out of device scope" 1478 run_cmd nettest -s -D -I ${NSA_DEV} & 1479 sleep 1 1480 run_cmd nettest -D -r ${a} 1481 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 1482 done 1483 1484 a=${NSA_IP} 1485 log_start 1486 run_cmd nettest -s -D & 1487 sleep 1 1488 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1489 log_test_addr ${a} $? 0 "Global server, device client, local connection" 1490 1491 log_start 1492 run_cmd nettest -s -D & 1493 sleep 1 1494 run_cmd nettest -D -d ${NSA_DEV} -C -r ${a} 1495 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 1496 1497 log_start 1498 run_cmd nettest -s -D & 1499 sleep 1 1500 run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} 1501 log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection" 1502 1503 # IPv4 with device bind has really weird behavior - it overrides the 1504 # fib lookup, generates an rtable and tries to send the packet. This 1505 # causes failures for local traffic at different places 1506 for a in ${NSA_LO_IP} 127.0.0.1 1507 do 1508 log_start 1509 show_hint "Should fail since addresses on loopback are out of device scope" 1510 run_cmd nettest -D -s & 1511 sleep 1 1512 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1513 log_test_addr ${a} $? 2 "Global server, device client, local connection" 1514 1515 log_start 1516 show_hint "Should fail since addresses on loopback are out of device scope" 1517 run_cmd nettest -D -s & 1518 sleep 1 1519 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C 1520 log_test_addr ${a} $? 
1 "Global server, device send via cmsg, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S
		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -D -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local conn"

	# no server is started here; note the expected code is 2, not the 1
	# used by the other "No server" cases in this function
	log_start
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 2 "No server, device client, local conn"
}

#
# IPv4 UDP tests with VRF configured.
#
# Two passes keyed on net.ipv4.udp_l3mdev_accept: with 0 a global
# (unbound) server is expected not to receive traffic that ingresses
# through the VRF (rc 1); with 1 it is expected to (rc 0). Servers bound
# to the VRF or to the enslaved device are expected to work in both.
#
ipv4_udp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Fails because ingress is in a VRF and global server is disabled"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "Global server"

		log_start
		run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		log_start
		run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server"

		log_start
		show_hint "Should fail 'Connection refused' since global server is out of scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? \
1 "Global server, VRF client, local connection" 1585 done 1586 1587 a=${NSA_IP} 1588 log_start 1589 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1590 sleep 1 1591 run_cmd nettest -D -d ${VRF} -r ${a} 1592 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1593 1594 log_start 1595 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1596 sleep 1 1597 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1598 log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection" 1599 1600 a=${NSA_IP} 1601 log_start 1602 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1603 sleep 1 1604 run_cmd nettest -D -d ${VRF} -r ${a} 1605 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 1606 1607 log_start 1608 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1609 sleep 1 1610 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1611 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 1612 1613 # enable global server 1614 log_subsection "Global server enabled" 1615 set_sysctl net.ipv4.udp_l3mdev_accept=1 1616 1617 # 1618 # server tests 1619 # 1620 for a in ${NSA_IP} ${VRF_IP} 1621 do 1622 log_start 1623 run_cmd nettest -D -s -3 ${NSA_DEV} & 1624 sleep 1 1625 run_cmd_nsb nettest -D -r ${a} 1626 log_test_addr ${a} $? 0 "Global server" 1627 1628 log_start 1629 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} & 1630 sleep 1 1631 run_cmd_nsb nettest -D -r ${a} 1632 log_test_addr ${a} $? 0 "VRF server" 1633 1634 log_start 1635 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1636 sleep 1 1637 run_cmd_nsb nettest -D -r ${a} 1638 log_test_addr ${a} $? 0 "Enslaved device server" 1639 1640 log_start 1641 show_hint "Should fail 'Connection refused'" 1642 run_cmd_nsb nettest -D -r ${a} 1643 log_test_addr ${a} $? 1 "No server" 1644 done 1645 1646 # 1647 # client tests 1648 # 1649 log_start 1650 run_cmd_nsb nettest -D -s & 1651 sleep 1 1652 run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP} 1653 log_test $? 
0 "VRF client" 1654 1655 log_start 1656 run_cmd_nsb nettest -D -s & 1657 sleep 1 1658 run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP} 1659 log_test $? 0 "Enslaved device client" 1660 1661 # negative test - should fail 1662 log_start 1663 show_hint "Should fail 'Connection refused'" 1664 run_cmd nettest -D -d ${VRF} -r ${NSB_IP} 1665 log_test $? 1 "No server, VRF client" 1666 1667 log_start 1668 show_hint "Should fail 'Connection refused'" 1669 run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP} 1670 log_test $? 1 "No server, enslaved device client" 1671 1672 # 1673 # local address tests 1674 # 1675 a=${NSA_IP} 1676 log_start 1677 run_cmd nettest -D -s -3 ${NSA_DEV} & 1678 sleep 1 1679 run_cmd nettest -D -d ${VRF} -r ${a} 1680 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 1681 1682 log_start 1683 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1684 sleep 1 1685 run_cmd nettest -D -d ${VRF} -r ${a} 1686 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1687 1688 log_start 1689 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1690 sleep 1 1691 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1692 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 1693 1694 log_start 1695 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1696 sleep 1 1697 run_cmd nettest -D -d ${VRF} -r ${a} 1698 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 1699 1700 log_start 1701 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1702 sleep 1 1703 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1704 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 1705 1706 for a in ${VRF_IP} 127.0.0.1 1707 do 1708 log_start 1709 run_cmd nettest -D -s -3 ${VRF} & 1710 sleep 1 1711 run_cmd nettest -D -d ${VRF} -r ${a} 1712 log_test_addr ${a} $? 
0 "Global server, VRF client, local conn" 1713 done 1714 1715 for a in ${VRF_IP} 127.0.0.1 1716 do 1717 log_start 1718 run_cmd nettest -s -D -I ${VRF} -3 ${VRF} & 1719 sleep 1 1720 run_cmd nettest -D -d ${VRF} -r ${a} 1721 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1722 done 1723 1724 # negative test - should fail 1725 # verifies ECONNREFUSED 1726 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 1727 do 1728 log_start 1729 show_hint "Should fail 'Connection refused'" 1730 run_cmd nettest -D -d ${VRF} -r ${a} 1731 log_test_addr ${a} $? 1 "No server, VRF client, local conn" 1732 done 1733} 1734 1735ipv4_udp() 1736{ 1737 log_section "IPv4/UDP" 1738 log_subsection "No VRF" 1739 1740 setup 1741 1742 # udp_l3mdev_accept should have no affect without VRF; 1743 # run tests with it enabled and disabled to verify 1744 log_subsection "udp_l3mdev_accept disabled" 1745 set_sysctl net.ipv4.udp_l3mdev_accept=0 1746 ipv4_udp_novrf 1747 log_subsection "udp_l3mdev_accept enabled" 1748 set_sysctl net.ipv4.udp_l3mdev_accept=1 1749 ipv4_udp_novrf 1750 1751 log_subsection "With VRF" 1752 setup "yes" 1753 ipv4_udp_vrf 1754} 1755 1756################################################################################ 1757# IPv4 address bind 1758# 1759# verifies ability or inability to bind to an address / device 1760 1761ipv4_addr_bind_novrf() 1762{ 1763 # 1764 # raw socket 1765 # 1766 for a in ${NSA_IP} ${NSA_LO_IP} 1767 do 1768 log_start 1769 run_cmd nettest -s -R -P icmp -l ${a} -b 1770 log_test_addr ${a} $? 0 "Raw socket bind to local address" 1771 1772 log_start 1773 run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b 1774 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" 1775 done 1776 1777 # 1778 # raw socket with nonlocal bind 1779 # 1780 a=${NL_IP} 1781 log_start 1782 run_cmd nettest -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b 1783 log_test_addr ${a} $? 
0 "Raw socket bind to nonlocal address after device bind" 1784 1785 # 1786 # tcp sockets 1787 # 1788 a=${NSA_IP} 1789 log_start 1790 run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b 1791 log_test_addr ${a} $? 0 "TCP socket bind to local address" 1792 1793 log_start 1794 run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b 1795 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind" 1796 1797 # Sadly, the kernel allows binding a socket to a device and then 1798 # binding to an address not on the device. The only restriction 1799 # is that the address is valid in the L3 domain. So this test 1800 # passes when it really should not 1801 #a=${NSA_LO_IP} 1802 #log_start 1803 #show_hint "Should fail with 'Cannot assign requested address'" 1804 #run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 1805 #log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address" 1806} 1807 1808ipv4_addr_bind_vrf() 1809{ 1810 # 1811 # raw socket 1812 # 1813 for a in ${NSA_IP} ${VRF_IP} 1814 do 1815 log_start 1816 run_cmd nettest -s -R -P icmp -l ${a} -b 1817 log_test_addr ${a} $? 0 "Raw socket bind to local address" 1818 1819 log_start 1820 run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b 1821 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" 1822 log_start 1823 run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b 1824 log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind" 1825 done 1826 1827 a=${NSA_LO_IP} 1828 log_start 1829 show_hint "Address on loopback is out of VRF scope" 1830 run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b 1831 log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind" 1832 1833 # 1834 # raw socket with nonlocal bind 1835 # 1836 a=${NL_IP} 1837 log_start 1838 run_cmd nettest -s -R -P icmp -f -l ${a} -I ${VRF} -b 1839 log_test_addr ${a} $? 
0 "Raw socket bind to nonlocal address after VRF bind" 1840 1841 # 1842 # tcp sockets 1843 # 1844 for a in ${NSA_IP} ${VRF_IP} 1845 do 1846 log_start 1847 run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b 1848 log_test_addr ${a} $? 0 "TCP socket bind to local address" 1849 1850 log_start 1851 run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 1852 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind" 1853 done 1854 1855 a=${NSA_LO_IP} 1856 log_start 1857 show_hint "Address on loopback out of scope for VRF" 1858 run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b 1859 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF" 1860 1861 log_start 1862 show_hint "Address on loopback out of scope for device in VRF" 1863 run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 1864 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind" 1865} 1866 1867ipv4_addr_bind() 1868{ 1869 log_section "IPv4 address binds" 1870 1871 log_subsection "No VRF" 1872 setup 1873 ipv4_addr_bind_novrf 1874 1875 log_subsection "With VRF" 1876 setup "yes" 1877 ipv4_addr_bind_vrf 1878} 1879 1880################################################################################ 1881# IPv4 runtime tests 1882 1883ipv4_rt() 1884{ 1885 local desc="$1" 1886 local varg="$2" 1887 local with_vrf="yes" 1888 local a 1889 1890 # 1891 # server tests 1892 # 1893 for a in ${NSA_IP} ${VRF_IP} 1894 do 1895 log_start 1896 run_cmd nettest ${varg} -s & 1897 sleep 1 1898 run_cmd_nsb nettest ${varg} -r ${a} & 1899 sleep 3 1900 run_cmd ip link del ${VRF} 1901 sleep 1 1902 log_test_addr ${a} 0 0 "${desc}, global server" 1903 1904 setup ${with_vrf} 1905 done 1906 1907 for a in ${NSA_IP} ${VRF_IP} 1908 do 1909 log_start 1910 run_cmd nettest ${varg} -s -I ${VRF} & 1911 sleep 1 1912 run_cmd_nsb nettest ${varg} -r ${a} & 1913 sleep 3 1914 run_cmd ip link del ${VRF} 1915 sleep 1 1916 log_test_addr ${a} 0 0 "${desc}, VRF server" 1917 1918 setup ${with_vrf} 1919 done 1920 1921 a=${NSA_IP} 
1922 log_start 1923 run_cmd nettest ${varg} -s -I ${NSA_DEV} & 1924 sleep 1 1925 run_cmd_nsb nettest ${varg} -r ${a} & 1926 sleep 3 1927 run_cmd ip link del ${VRF} 1928 sleep 1 1929 log_test_addr ${a} 0 0 "${desc}, enslaved device server" 1930 1931 setup ${with_vrf} 1932 1933 # 1934 # client test 1935 # 1936 log_start 1937 run_cmd_nsb nettest ${varg} -s & 1938 sleep 1 1939 run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} & 1940 sleep 3 1941 run_cmd ip link del ${VRF} 1942 sleep 1 1943 log_test_addr ${a} 0 0 "${desc}, VRF client" 1944 1945 setup ${with_vrf} 1946 1947 log_start 1948 run_cmd_nsb nettest ${varg} -s & 1949 sleep 1 1950 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} & 1951 sleep 3 1952 run_cmd ip link del ${VRF} 1953 sleep 1 1954 log_test_addr ${a} 0 0 "${desc}, enslaved device client" 1955 1956 setup ${with_vrf} 1957 1958 # 1959 # local address tests 1960 # 1961 for a in ${NSA_IP} ${VRF_IP} 1962 do 1963 log_start 1964 run_cmd nettest ${varg} -s & 1965 sleep 1 1966 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 1967 sleep 3 1968 run_cmd ip link del ${VRF} 1969 sleep 1 1970 log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local" 1971 1972 setup ${with_vrf} 1973 done 1974 1975 for a in ${NSA_IP} ${VRF_IP} 1976 do 1977 log_start 1978 run_cmd nettest ${varg} -I ${VRF} -s & 1979 sleep 1 1980 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 1981 sleep 3 1982 run_cmd ip link del ${VRF} 1983 sleep 1 1984 log_test_addr ${a} 0 0 "${desc}, VRF server and client, local" 1985 1986 setup ${with_vrf} 1987 done 1988 1989 a=${NSA_IP} 1990 log_start 1991 1992 run_cmd nettest ${varg} -s & 1993 sleep 1 1994 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 1995 sleep 3 1996 run_cmd ip link del ${VRF} 1997 sleep 1 1998 log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local" 1999 2000 setup ${with_vrf} 2001 2002 log_start 2003 run_cmd nettest ${varg} -I ${VRF} -s & 2004 sleep 1 2005 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 2006 sleep 3 2007 
run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local"

	setup ${with_vrf}

	# last case of ipv4_rt: no setup call follows it
	log_start
	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local"
}

#
# Delete the VRF device while a flood ping (ping -f) is running, for the
# cases labelled "ping in" and "ping out". As in ipv4_rt, each result is
# logged with rc and expected both hard-coded to 0, and setup is re-run
# after a case that is followed by another one.
#
ipv4_ping_rt()
{
	local with_vrf="yes"
	local a

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd_nsb ping -f ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

		setup ${with_vrf}
	done

	a=${NSB_IP}
	log_start
	run_cmd ping -f -I ${VRF} ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

#
# Entry point for the IPv4 run time tests. setup "yes" is called before
# each group because the group before it ends by deleting ${VRF}.
#
ipv4_runtime()
{
	log_section "Run time tests - ipv4"

	setup "yes"
	ipv4_ping_rt

	setup "yes"
	# second argument is the extra nettest option string passed through
	# ipv4_rt's ${varg}
	ipv4_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv4_rt "TCP passive socket" "-i"
}

################################################################################
# IPv6

#
# IPv6 ping tests with no VRF configured: out of ns-A, into ns-A, ns-A's
# own addresses, then the same targets with ip rules and routes that
# block them. Link-local and multicast targets carry a %device scope.
#
ipv6_ping_novrf()
{
	local a

	# should not have an impact, but make a known state
	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping out"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a}
		log_test_addr ${a} $? \
0 "ping out, loopback address bind" 2092 done 2093 2094 # 2095 # in 2096 # 2097 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV} 2098 do 2099 log_start 2100 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2101 log_test_addr ${a} $? 0 "ping in" 2102 done 2103 2104 # 2105 # local traffic, local address 2106 # 2107 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2108 do 2109 log_start 2110 run_cmd ${ping6} -c1 -w1 ${a} 2111 log_test_addr ${a} $? 0 "ping local, no bind" 2112 done 2113 2114 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2115 do 2116 log_start 2117 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2118 log_test_addr ${a} $? 0 "ping local, device bind" 2119 done 2120 2121 for a in ${NSA_LO_IP6} ::1 2122 do 2123 log_start 2124 show_hint "Fails since address on loopback is out of device scope" 2125 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2126 log_test_addr ${a} $? 2 "ping local, device bind" 2127 done 2128 2129 # 2130 # ip rule blocks address 2131 # 2132 log_start 2133 setup_cmd ip -6 rule add pref 32765 from all lookup local 2134 setup_cmd ip -6 rule del pref 0 from all lookup local 2135 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2136 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2137 2138 a=${NSB_LO_IP6} 2139 run_cmd ${ping6} -c1 -w1 ${a} 2140 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2141 2142 log_start 2143 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2144 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2145 2146 a=${NSA_LO_IP6} 2147 log_start 2148 show_hint "Response lost due to ip rule" 2149 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2150 log_test_addr ${a} $? 
1 "ping in, blocked by rule" 2151 2152 setup_cmd ip -6 rule add pref 0 from all lookup local 2153 setup_cmd ip -6 rule del pref 32765 from all lookup local 2154 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2155 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2156 2157 # 2158 # route blocks reachability to remote address 2159 # 2160 log_start 2161 setup_cmd ip -6 route del ${NSB_LO_IP6} 2162 setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10 2163 setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10 2164 2165 a=${NSB_LO_IP6} 2166 run_cmd ${ping6} -c1 -w1 ${a} 2167 log_test_addr ${a} $? 2 "ping out, blocked by route" 2168 2169 log_start 2170 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2171 log_test_addr ${a} $? 2 "ping out, device bind, blocked by route" 2172 2173 a=${NSA_LO_IP6} 2174 log_start 2175 show_hint "Response lost due to ip route" 2176 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2177 log_test_addr ${a} $? 1 "ping in, blocked by route" 2178 2179 2180 # 2181 # remove 'remote' routes; fallback to default 2182 # 2183 log_start 2184 setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6} 2185 setup_cmd ip -6 ro del unreachable ${NSB_IP6} 2186 2187 a=${NSB_LO_IP6} 2188 run_cmd ${ping6} -c1 -w1 ${a} 2189 log_test_addr ${a} $? 2 "ping out, unreachable route" 2190 2191 log_start 2192 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2193 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 2194} 2195 2196ipv6_ping_vrf() 2197{ 2198 local a 2199 2200 # should default on; does not exist on older kernels 2201 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 2202 2203 # 2204 # out 2205 # 2206 for a in ${NSB_IP6} ${NSB_LO_IP6} 2207 do 2208 log_start 2209 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2210 log_test_addr ${a} $? 
0 "ping out, VRF bind" 2211 done 2212 2213 for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF} 2214 do 2215 log_start 2216 show_hint "Fails since VRF device does not support linklocal or multicast" 2217 run_cmd ${ping6} -c1 -w1 ${a} 2218 log_test_addr ${a} $? 2 "ping out, VRF bind" 2219 done 2220 2221 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2222 do 2223 log_start 2224 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2225 log_test_addr ${a} $? 0 "ping out, device bind" 2226 done 2227 2228 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2229 do 2230 log_start 2231 run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a} 2232 log_test_addr ${a} $? 0 "ping out, vrf device+address bind" 2233 done 2234 2235 # 2236 # in 2237 # 2238 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV} 2239 do 2240 log_start 2241 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2242 log_test_addr ${a} $? 0 "ping in" 2243 done 2244 2245 a=${NSA_LO_IP6} 2246 log_start 2247 show_hint "Fails since loopback address is out of VRF scope" 2248 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2249 log_test_addr ${a} $? 1 "ping in" 2250 2251 # 2252 # local traffic, local address 2253 # 2254 for a in ${NSA_IP6} ${VRF_IP6} ::1 2255 do 2256 log_start 2257 show_hint "Source address should be ${a}" 2258 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2259 log_test_addr ${a} $? 0 "ping local, VRF bind" 2260 done 2261 2262 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2263 do 2264 log_start 2265 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2266 log_test_addr ${a} $? 
0 "ping local, device bind" 2267 done 2268 2269 # LLA to GUA - remove ipv6 global addresses from ns-B 2270 setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 2271 setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo 2272 setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2273 2274 for a in ${NSA_IP6} ${VRF_IP6} 2275 do 2276 log_start 2277 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 2278 log_test_addr ${a} $? 0 "ping in, LLA to GUA" 2279 done 2280 2281 setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2282 setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} 2283 setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo 2284 2285 # 2286 # ip rule blocks address 2287 # 2288 log_start 2289 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2290 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2291 2292 a=${NSB_LO_IP6} 2293 run_cmd ${ping6} -c1 -w1 ${a} 2294 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2295 2296 log_start 2297 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2298 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2299 2300 a=${NSA_LO_IP6} 2301 log_start 2302 show_hint "Response lost due to ip rule" 2303 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2304 log_test_addr ${a} $? 1 "ping in, blocked by rule" 2305 2306 log_start 2307 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2308 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2309 2310 # 2311 # remove 'remote' routes; fallback to default 2312 # 2313 log_start 2314 setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF} 2315 2316 a=${NSB_LO_IP6} 2317 run_cmd ${ping6} -c1 -w1 ${a} 2318 log_test_addr ${a} $? 2 "ping out, unreachable route" 2319 2320 log_start 2321 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2322 log_test_addr ${a} $? 
2 "ping out, device bind, unreachable route"

	# run directly with "ip -netns" rather than through setup_cmd_nsb as
	# the other ns-B changes in this function are
	ip -netns ${NSB} -6 ro del ${NSA_LO_IP6}
	a=${NSA_LO_IP6}
	log_start
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping in, unreachable route"
}

#
# Entry point for the IPv6 ping tests: the non-VRF set after a plain
# setup, then the VRF set after setup "yes".
#
ipv6_ping()
{
	log_section "IPv6 ping"

	log_subsection "No VRF"
	setup
	ipv6_ping_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_ping_vrf
}

################################################################################
# IPv6 TCP

#
# MD5 tests without VRF
#
# As used below, the server takes the password with -M and the peer
# address or prefix it applies to with -m; the client takes its password
# with -X. Expected rc is 0 when password and address match and 2 where
# the hints say the connection should time out: no password on the
# server, a wrong password, or a client address outside the configured
# address/prefix. A mismatch is therefore expected to show up as a
# timeout, not as a refused connection.
#
ipv6_tcp_md5_novrf()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Client uses wrong password"

	# client from different address
	# (the key is configured for ${NSB_LO_IP6}; the client is not told
	# to use that address)
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? \
2 "MD5: Client address does not match address configured with password" 2386 2387 # 2388 # MD5 extension - prefix length 2389 # 2390 2391 # client in prefix 2392 log_start 2393 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2394 sleep 1 2395 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2396 log_test $? 0 "MD5: Prefix config" 2397 2398 # client in prefix, wrong password 2399 log_start 2400 show_hint "Should timeout since client uses wrong password" 2401 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2402 sleep 1 2403 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2404 log_test $? 2 "MD5: Prefix config, client uses wrong password" 2405 2406 # client outside of prefix 2407 log_start 2408 show_hint "Should timeout due to MD5 mismatch" 2409 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2410 sleep 1 2411 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW} 2412 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 2413} 2414 2415# 2416# MD5 tests with VRF 2417# 2418ipv6_tcp_md5() 2419{ 2420 # 2421 # single address 2422 # 2423 2424 # basic use case 2425 log_start 2426 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2427 sleep 1 2428 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2429 log_test $? 0 "MD5: VRF: Single address config" 2430 2431 # client sends MD5, server not configured 2432 log_start 2433 show_hint "Should timeout since server does not have MD5 auth" 2434 run_cmd nettest -6 -s -I ${VRF} & 2435 sleep 1 2436 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2437 log_test $? 2 "MD5: VRF: Server no config, client uses password" 2438 2439 # wrong password 2440 log_start 2441 show_hint "Should timeout since client uses wrong password" 2442 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2443 sleep 1 2444 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2445 log_test $? 
2 "MD5: VRF: Client uses wrong password" 2446 2447 # client from different address 2448 log_start 2449 show_hint "Should timeout since server config differs from client" 2450 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} & 2451 sleep 1 2452 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2453 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 2454 2455 # 2456 # MD5 extension - prefix length 2457 # 2458 2459 # client in prefix 2460 log_start 2461 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2462 sleep 1 2463 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2464 log_test $? 0 "MD5: VRF: Prefix config" 2465 2466 # client in prefix, wrong password 2467 log_start 2468 show_hint "Should timeout since client uses wrong password" 2469 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2470 sleep 1 2471 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2472 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 2473 2474 # client outside of prefix 2475 log_start 2476 show_hint "Should timeout since client address is outside of prefix" 2477 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2478 sleep 1 2479 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW} 2480 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" 2481 2482 # 2483 # duplicate config between default VRF and a VRF 2484 # 2485 2486 log_start 2487 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2488 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2489 sleep 1 2490 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2491 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 2492 2493 log_start 2494 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2495 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2496 sleep 1 2497 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2498 log_test $? 
0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 2499 2500 log_start 2501 show_hint "Should timeout since client in default VRF uses VRF password" 2502 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2503 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2504 sleep 1 2505 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2506 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 2507 2508 log_start 2509 show_hint "Should timeout since client in VRF uses default VRF password" 2510 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2511 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2512 sleep 1 2513 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2514 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 2515 2516 log_start 2517 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2518 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2519 sleep 1 2520 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2521 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 2522 2523 log_start 2524 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2525 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2526 sleep 1 2527 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2528 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 2529 2530 log_start 2531 show_hint "Should timeout since client in default VRF uses VRF password" 2532 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2533 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2534 sleep 1 2535 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2536 log_test $? 
2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 2537 2538 log_start 2539 show_hint "Should timeout since client in VRF uses default VRF password" 2540 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2541 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2542 sleep 1 2543 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2544 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 2545 2546 # 2547 # negative tests 2548 # 2549 log_start 2550 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6} 2551 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 2552 2553 log_start 2554 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6} 2555 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 2556 2557} 2558 2559ipv6_tcp_novrf() 2560{ 2561 local a 2562 2563 # 2564 # server tests 2565 # 2566 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2567 do 2568 log_start 2569 run_cmd nettest -6 -s & 2570 sleep 1 2571 run_cmd_nsb nettest -6 -r ${a} 2572 log_test_addr ${a} $? 0 "Global server" 2573 done 2574 2575 # verify TCP reset received 2576 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2577 do 2578 log_start 2579 show_hint "Should fail 'Connection refused'" 2580 run_cmd_nsb nettest -6 -r ${a} 2581 log_test_addr ${a} $? 1 "No server" 2582 done 2583 2584 # 2585 # client 2586 # 2587 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2588 do 2589 log_start 2590 run_cmd_nsb nettest -6 -s & 2591 sleep 1 2592 run_cmd nettest -6 -r ${a} 2593 log_test_addr ${a} $? 0 "Client" 2594 done 2595 2596 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2597 do 2598 log_start 2599 run_cmd_nsb nettest -6 -s & 2600 sleep 1 2601 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2602 log_test_addr ${a} $? 
0 "Client, device bind" 2603 done 2604 2605 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2606 do 2607 log_start 2608 show_hint "Should fail 'Connection refused'" 2609 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2610 log_test_addr ${a} $? 1 "No server, device client" 2611 done 2612 2613 # 2614 # local address tests 2615 # 2616 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 2617 do 2618 log_start 2619 run_cmd nettest -6 -s & 2620 sleep 1 2621 run_cmd nettest -6 -r ${a} 2622 log_test_addr ${a} $? 0 "Global server, local connection" 2623 done 2624 2625 a=${NSA_IP6} 2626 log_start 2627 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2628 sleep 1 2629 run_cmd nettest -6 -r ${a} -0 ${a} 2630 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 2631 2632 for a in ${NSA_LO_IP6} ::1 2633 do 2634 log_start 2635 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2636 run_cmd nettest -6 -s -I ${NSA_DEV} & 2637 sleep 1 2638 run_cmd nettest -6 -r ${a} 2639 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 2640 done 2641 2642 a=${NSA_IP6} 2643 log_start 2644 run_cmd nettest -6 -s & 2645 sleep 1 2646 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2647 log_test_addr ${a} $? 0 "Global server, device client, local connection" 2648 2649 for a in ${NSA_LO_IP6} ::1 2650 do 2651 log_start 2652 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2653 run_cmd nettest -6 -s & 2654 sleep 1 2655 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2656 log_test_addr ${a} $? 1 "Global server, device client, local connection" 2657 done 2658 2659 for a in ${NSA_IP6} ${NSA_LINKIP6} 2660 do 2661 log_start 2662 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2663 sleep 1 2664 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2665 log_test_addr ${a} $? 
0 "Device server, device client, local conn" 2666 done 2667 2668 for a in ${NSA_IP6} ${NSA_LINKIP6} 2669 do 2670 log_start 2671 show_hint "Should fail 'Connection refused'" 2672 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2673 log_test_addr ${a} $? 1 "No server, device client, local conn" 2674 done 2675 2676 ipv6_tcp_md5_novrf 2677} 2678 2679ipv6_tcp_vrf() 2680{ 2681 local a 2682 2683 # disable global server 2684 log_subsection "Global server disabled" 2685 2686 set_sysctl net.ipv4.tcp_l3mdev_accept=0 2687 2688 # 2689 # server tests 2690 # 2691 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2692 do 2693 log_start 2694 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2695 run_cmd nettest -6 -s & 2696 sleep 1 2697 run_cmd_nsb nettest -6 -r ${a} 2698 log_test_addr ${a} $? 1 "Global server" 2699 done 2700 2701 for a in ${NSA_IP6} ${VRF_IP6} 2702 do 2703 log_start 2704 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2705 sleep 1 2706 run_cmd_nsb nettest -6 -r ${a} 2707 log_test_addr ${a} $? 0 "VRF server" 2708 done 2709 2710 # link local is always bound to ingress device 2711 a=${NSA_LINKIP6}%${NSB_DEV} 2712 log_start 2713 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2714 sleep 1 2715 run_cmd_nsb nettest -6 -r ${a} 2716 log_test_addr ${a} $? 0 "VRF server" 2717 2718 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2719 do 2720 log_start 2721 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2722 sleep 1 2723 run_cmd_nsb nettest -6 -r ${a} 2724 log_test_addr ${a} $? 0 "Device server" 2725 done 2726 2727 # verify TCP reset received 2728 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2729 do 2730 log_start 2731 show_hint "Should fail 'Connection refused'" 2732 run_cmd_nsb nettest -6 -r ${a} 2733 log_test_addr ${a} $? 
1 "No server" 2734 done 2735 2736 # local address tests 2737 a=${NSA_IP6} 2738 log_start 2739 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2740 run_cmd nettest -6 -s & 2741 sleep 1 2742 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2743 log_test_addr ${a} $? 1 "Global server, local connection" 2744 2745 # run MD5 tests 2746 ipv6_tcp_md5 2747 2748 # 2749 # enable VRF global server 2750 # 2751 log_subsection "VRF Global server enabled" 2752 set_sysctl net.ipv4.tcp_l3mdev_accept=1 2753 2754 for a in ${NSA_IP6} ${VRF_IP6} 2755 do 2756 log_start 2757 run_cmd nettest -6 -s -3 ${VRF} & 2758 sleep 1 2759 run_cmd_nsb nettest -6 -r ${a} 2760 log_test_addr ${a} $? 0 "Global server" 2761 done 2762 2763 for a in ${NSA_IP6} ${VRF_IP6} 2764 do 2765 log_start 2766 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2767 sleep 1 2768 run_cmd_nsb nettest -6 -r ${a} 2769 log_test_addr ${a} $? 0 "VRF server" 2770 done 2771 2772 # For LLA, child socket is bound to device 2773 a=${NSA_LINKIP6}%${NSB_DEV} 2774 log_start 2775 run_cmd nettest -6 -s -3 ${NSA_DEV} & 2776 sleep 1 2777 run_cmd_nsb nettest -6 -r ${a} 2778 log_test_addr ${a} $? 0 "Global server" 2779 2780 log_start 2781 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2782 sleep 1 2783 run_cmd_nsb nettest -6 -r ${a} 2784 log_test_addr ${a} $? 0 "VRF server" 2785 2786 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2787 do 2788 log_start 2789 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2790 sleep 1 2791 run_cmd_nsb nettest -6 -r ${a} 2792 log_test_addr ${a} $? 0 "Device server" 2793 done 2794 2795 # verify TCP reset received 2796 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2797 do 2798 log_start 2799 show_hint "Should fail 'Connection refused'" 2800 run_cmd_nsb nettest -6 -r ${a} 2801 log_test_addr ${a} $? 
1 "No server" 2802 done 2803 2804 # local address tests 2805 for a in ${NSA_IP6} ${VRF_IP6} 2806 do 2807 log_start 2808 show_hint "Fails 'Connection refused' since client is not in VRF" 2809 run_cmd nettest -6 -s -I ${VRF} & 2810 sleep 1 2811 run_cmd nettest -6 -r ${a} 2812 log_test_addr ${a} $? 1 "Global server, local connection" 2813 done 2814 2815 2816 # 2817 # client 2818 # 2819 for a in ${NSB_IP6} ${NSB_LO_IP6} 2820 do 2821 log_start 2822 run_cmd_nsb nettest -6 -s & 2823 sleep 1 2824 run_cmd nettest -6 -r ${a} -d ${VRF} 2825 log_test_addr ${a} $? 0 "Client, VRF bind" 2826 done 2827 2828 a=${NSB_LINKIP6} 2829 log_start 2830 show_hint "Fails since VRF device does not allow linklocal addresses" 2831 run_cmd_nsb nettest -6 -s & 2832 sleep 1 2833 run_cmd nettest -6 -r ${a} -d ${VRF} 2834 log_test_addr ${a} $? 1 "Client, VRF bind" 2835 2836 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 2837 do 2838 log_start 2839 run_cmd_nsb nettest -6 -s & 2840 sleep 1 2841 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2842 log_test_addr ${a} $? 0 "Client, device bind" 2843 done 2844 2845 for a in ${NSB_IP6} ${NSB_LO_IP6} 2846 do 2847 log_start 2848 show_hint "Should fail 'Connection refused'" 2849 run_cmd nettest -6 -r ${a} -d ${VRF} 2850 log_test_addr ${a} $? 1 "No server, VRF client" 2851 done 2852 2853 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 2854 do 2855 log_start 2856 show_hint "Should fail 'Connection refused'" 2857 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2858 log_test_addr ${a} $? 1 "No server, device client" 2859 done 2860 2861 for a in ${NSA_IP6} ${VRF_IP6} ::1 2862 do 2863 log_start 2864 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2865 sleep 1 2866 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 2867 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 2868 done 2869 2870 a=${NSA_IP6} 2871 log_start 2872 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2873 sleep 1 2874 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2875 log_test_addr ${a} $? 
0 "VRF server, device client, local connection"

	a=${NSA_IP6}
	log_start
	show_hint "Should fail since unbound client is out of VRF scope"
	run_cmd nettest -6 -s -I ${VRF} &
	sleep 1
	run_cmd nettest -6 -r ${a}
	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"

	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"

	for a in ${NSA_IP6} ${NSA_LINKIP6}
	do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
		log_test_addr ${a} $? 0 "Device server, device client, local connection"
	done
}

# Run the IPv6 TCP tests: ipv6_tcp_novrf twice after a plain setup, with
# tcp_l3mdev_accept set to 0 and then to 1, followed by ipv6_tcp_vrf after
# setup "yes".  The sysctl is the net.ipv4 one even though the sockets under
# test are IPv6.
ipv6_tcp()
{
	log_section "IPv6/TCP"
	log_subsection "No VRF"
	setup

	# tcp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "tcp_l3mdev_accept disabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=0
	ipv6_tcp_novrf
	log_subsection "tcp_l3mdev_accept enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1
	ipv6_tcp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_tcp_vrf
}

################################################################################
# IPv6 UDP

# IPv6 UDP cases without a VRF (-D on every nettest invocation).
ipv6_udp_novrf()
{
	local a

	#
	# server tests
	#
	# each address is tried against an unbound server and against a
	# server bound to ${NSA_DEV}; -3 names the device the server expects
	# the packet on
	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $?
0 "Device server" 2944 done 2945 2946 a=${NSA_LO_IP6} 2947 log_start 2948 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 2949 sleep 1 2950 run_cmd_nsb nettest -6 -D -r ${a} 2951 log_test_addr ${a} $? 0 "Global server" 2952 2953 # should fail since loopback address is out of scope for a device 2954 # bound server, but it does not - hence this is more documenting 2955 # behavior. 2956 #log_start 2957 #show_hint "Should fail since loopback address is out of scope" 2958 #run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 2959 #sleep 1 2960 #run_cmd_nsb nettest -6 -D -r ${a} 2961 #log_test_addr ${a} $? 1 "Device server" 2962 2963 # negative test - should fail 2964 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2965 do 2966 log_start 2967 show_hint "Should fail 'Connection refused' since there is no server" 2968 run_cmd_nsb nettest -6 -D -r ${a} 2969 log_test_addr ${a} $? 1 "No server" 2970 done 2971 2972 # 2973 # client 2974 # 2975 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2976 do 2977 log_start 2978 run_cmd_nsb nettest -6 -D -s & 2979 sleep 1 2980 run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6} 2981 log_test_addr ${a} $? 0 "Client" 2982 2983 log_start 2984 run_cmd_nsb nettest -6 -D -s & 2985 sleep 1 2986 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6} 2987 log_test_addr ${a} $? 0 "Client, device bind" 2988 2989 log_start 2990 run_cmd_nsb nettest -6 -D -s & 2991 sleep 1 2992 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6} 2993 log_test_addr ${a} $? 0 "Client, device send via cmsg" 2994 2995 log_start 2996 run_cmd_nsb nettest -6 -D -s & 2997 sleep 1 2998 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6} 2999 log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF" 3000 3001 log_start 3002 show_hint "Should fail 'Connection refused'" 3003 run_cmd nettest -6 -D -r ${a} 3004 log_test_addr ${a} $? 
1 "No server, unbound client" 3005 3006 log_start 3007 show_hint "Should fail 'Connection refused'" 3008 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3009 log_test_addr ${a} $? 1 "No server, device client" 3010 done 3011 3012 # 3013 # local address tests 3014 # 3015 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 3016 do 3017 log_start 3018 run_cmd nettest -6 -D -s & 3019 sleep 1 3020 run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a} 3021 log_test_addr ${a} $? 0 "Global server, local connection" 3022 done 3023 3024 a=${NSA_IP6} 3025 log_start 3026 run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 3027 sleep 1 3028 run_cmd nettest -6 -D -r ${a} 3029 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 3030 3031 for a in ${NSA_LO_IP6} ::1 3032 do 3033 log_start 3034 show_hint "Should fail 'Connection refused' since address is out of device scope" 3035 run_cmd nettest -6 -s -D -I ${NSA_DEV} & 3036 sleep 1 3037 run_cmd nettest -6 -D -r ${a} 3038 log_test_addr ${a} $? 1 "Device server, local connection" 3039 done 3040 3041 a=${NSA_IP6} 3042 log_start 3043 run_cmd nettest -6 -s -D & 3044 sleep 1 3045 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3046 log_test_addr ${a} $? 0 "Global server, device client, local connection" 3047 3048 log_start 3049 run_cmd nettest -6 -s -D & 3050 sleep 1 3051 run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a} 3052 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 3053 3054 log_start 3055 run_cmd nettest -6 -s -D & 3056 sleep 1 3057 run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a} 3058 log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection" 3059 3060 for a in ${NSA_LO_IP6} ::1 3061 do 3062 log_start 3063 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3064 run_cmd nettest -6 -D -s & 3065 sleep 1 3066 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3067 log_test_addr ${a} $? 
1 "Global server, device client, local connection" 3068 3069 log_start 3070 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3071 run_cmd nettest -6 -D -s & 3072 sleep 1 3073 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C 3074 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 3075 3076 log_start 3077 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3078 run_cmd nettest -6 -D -s & 3079 sleep 1 3080 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S 3081 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 3082 done 3083 3084 a=${NSA_IP6} 3085 log_start 3086 run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3087 sleep 1 3088 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a} 3089 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3090 3091 log_start 3092 show_hint "Should fail 'Connection refused'" 3093 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3094 log_test_addr ${a} $? 1 "No server, device client, local conn" 3095 3096 # LLA to GUA 3097 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3098 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3099 log_start 3100 run_cmd nettest -6 -s -D & 3101 sleep 1 3102 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3103 log_test $? 0 "UDP in - LLA to GUA" 3104 3105 run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV} 3106 run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad 3107} 3108 3109ipv6_udp_vrf() 3110{ 3111 local a 3112 3113 # disable global server 3114 log_subsection "Global server disabled" 3115 set_sysctl net.ipv4.udp_l3mdev_accept=0 3116 3117 # 3118 # server tests 3119 # 3120 for a in ${NSA_IP6} ${VRF_IP6} 3121 do 3122 log_start 3123 show_hint "Should fail 'Connection refused' since global server is disabled" 3124 run_cmd nettest -6 -D -s & 3125 sleep 1 3126 run_cmd_nsb nettest -6 -D -r ${a} 3127 log_test_addr ${a} $? 
1 "Global server" 3128 done 3129 3130 for a in ${NSA_IP6} ${VRF_IP6} 3131 do 3132 log_start 3133 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3134 sleep 1 3135 run_cmd_nsb nettest -6 -D -r ${a} 3136 log_test_addr ${a} $? 0 "VRF server" 3137 done 3138 3139 for a in ${NSA_IP6} ${VRF_IP6} 3140 do 3141 log_start 3142 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3143 sleep 1 3144 run_cmd_nsb nettest -6 -D -r ${a} 3145 log_test_addr ${a} $? 0 "Enslaved device server" 3146 done 3147 3148 # negative test - should fail 3149 for a in ${NSA_IP6} ${VRF_IP6} 3150 do 3151 log_start 3152 show_hint "Should fail 'Connection refused' since there is no server" 3153 run_cmd_nsb nettest -6 -D -r ${a} 3154 log_test_addr ${a} $? 1 "No server" 3155 done 3156 3157 # 3158 # local address tests 3159 # 3160 for a in ${NSA_IP6} ${VRF_IP6} 3161 do 3162 log_start 3163 show_hint "Should fail 'Connection refused' since global server is disabled" 3164 run_cmd nettest -6 -D -s & 3165 sleep 1 3166 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3167 log_test_addr ${a} $? 1 "Global server, VRF client, local conn" 3168 done 3169 3170 for a in ${NSA_IP6} ${VRF_IP6} 3171 do 3172 log_start 3173 run_cmd nettest -6 -D -I ${VRF} -s & 3174 sleep 1 3175 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3176 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3177 done 3178 3179 a=${NSA_IP6} 3180 log_start 3181 show_hint "Should fail 'Connection refused' since global server is disabled" 3182 run_cmd nettest -6 -D -s & 3183 sleep 1 3184 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3185 log_test_addr ${a} $? 1 "Global server, device client, local conn" 3186 3187 log_start 3188 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3189 sleep 1 3190 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3191 log_test_addr ${a} $? 
0 "VRF server, device client, local conn" 3192 3193 log_start 3194 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3195 sleep 1 3196 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3197 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 3198 3199 log_start 3200 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3201 sleep 1 3202 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3203 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 3204 3205 # disable global server 3206 log_subsection "Global server enabled" 3207 set_sysctl net.ipv4.udp_l3mdev_accept=1 3208 3209 # 3210 # server tests 3211 # 3212 for a in ${NSA_IP6} ${VRF_IP6} 3213 do 3214 log_start 3215 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3216 sleep 1 3217 run_cmd_nsb nettest -6 -D -r ${a} 3218 log_test_addr ${a} $? 0 "Global server" 3219 done 3220 3221 for a in ${NSA_IP6} ${VRF_IP6} 3222 do 3223 log_start 3224 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3225 sleep 1 3226 run_cmd_nsb nettest -6 -D -r ${a} 3227 log_test_addr ${a} $? 0 "VRF server" 3228 done 3229 3230 for a in ${NSA_IP6} ${VRF_IP6} 3231 do 3232 log_start 3233 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3234 sleep 1 3235 run_cmd_nsb nettest -6 -D -r ${a} 3236 log_test_addr ${a} $? 0 "Enslaved device server" 3237 done 3238 3239 # negative test - should fail 3240 for a in ${NSA_IP6} ${VRF_IP6} 3241 do 3242 log_start 3243 run_cmd_nsb nettest -6 -D -r ${a} 3244 log_test_addr ${a} $? 1 "No server" 3245 done 3246 3247 # 3248 # client tests 3249 # 3250 log_start 3251 run_cmd_nsb nettest -6 -D -s & 3252 sleep 1 3253 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3254 log_test $? 0 "VRF client" 3255 3256 # negative test - should fail 3257 log_start 3258 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3259 log_test $? 1 "No server, VRF client" 3260 3261 log_start 3262 run_cmd_nsb nettest -6 -D -s & 3263 sleep 1 3264 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3265 log_test $? 
0 "Enslaved device client" 3266 3267 # negative test - should fail 3268 log_start 3269 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3270 log_test $? 1 "No server, enslaved device client" 3271 3272 # 3273 # local address tests 3274 # 3275 a=${NSA_IP6} 3276 log_start 3277 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3278 sleep 1 3279 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3280 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 3281 3282 #log_start 3283 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3284 sleep 1 3285 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3286 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3287 3288 3289 a=${VRF_IP6} 3290 log_start 3291 run_cmd nettest -6 -D -s -3 ${VRF} & 3292 sleep 1 3293 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3294 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 3295 3296 log_start 3297 run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} & 3298 sleep 1 3299 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3300 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3301 3302 # negative test - should fail 3303 for a in ${NSA_IP6} ${VRF_IP6} 3304 do 3305 log_start 3306 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3307 log_test_addr ${a} $? 1 "No server, VRF client, local conn" 3308 done 3309 3310 # device to global IP 3311 a=${NSA_IP6} 3312 log_start 3313 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3314 sleep 1 3315 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3316 log_test_addr ${a} $? 0 "Global server, device client, local conn" 3317 3318 log_start 3319 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3320 sleep 1 3321 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3322 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 3323 3324 log_start 3325 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3326 sleep 1 3327 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3328 log_test_addr ${a} $? 
0 "Device server, VRF client, local conn" 3329 3330 log_start 3331 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3332 sleep 1 3333 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3334 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3335 3336 log_start 3337 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3338 log_test_addr ${a} $? 1 "No server, device client, local conn" 3339 3340 3341 # link local addresses 3342 log_start 3343 run_cmd nettest -6 -D -s & 3344 sleep 1 3345 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3346 log_test $? 0 "Global server, linklocal IP" 3347 3348 log_start 3349 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3350 log_test $? 1 "No server, linklocal IP" 3351 3352 3353 log_start 3354 run_cmd_nsb nettest -6 -D -s & 3355 sleep 1 3356 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3357 log_test $? 0 "Enslaved device client, linklocal IP" 3358 3359 log_start 3360 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3361 log_test $? 1 "No server, device client, peer linklocal IP" 3362 3363 3364 log_start 3365 run_cmd nettest -6 -D -s & 3366 sleep 1 3367 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3368 log_test $? 0 "Enslaved device client, local conn - linklocal IP" 3369 3370 log_start 3371 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3372 log_test $? 1 "No server, device client, local conn - linklocal IP" 3373 3374 # LLA to GUA 3375 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3376 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3377 log_start 3378 run_cmd nettest -6 -s -D & 3379 sleep 1 3380 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3381 log_test $? 
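0 "UDP in - LLA to GUA"

	# restore the ns-B route and address changed for the LLA to GUA case
	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}

# Run the IPv6 UDP tests: ipv6_udp_novrf twice after a plain setup, with
# udp_l3mdev_accept set to 0 and then to 1, followed by ipv6_udp_vrf after
# setup "yes".
ipv6_udp()
{
	# should not matter, but set to known state
	set_sysctl net.ipv4.udp_early_demux=1

	log_section "IPv6/UDP"
	log_subsection "No VRF"
	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv6_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv6_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_udp_vrf
}

################################################################################
# IPv6 address bind

# Bind-only checks (-b) without a VRF: which local addresses a raw or TCP
# socket may bind to, with and without a prior device bind (-I).  Expected
# status 0 means the bind succeeded, 1 that it was rejected.
ipv6_addr_bind_novrf()
{
	# keep the address variable out of the global scope, as the other
	# test functions in this file do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# raw socket with nonlocal bind
	#
	# NL_IP6 is not configured on any interface; -f is the freebind case
	# the NL_IP/NL_IP6 definitions at the top of the script refer to.
	# NOTE(review): this case passes -P icmp while the other raw-socket
	# cases in this function pass -P ipv6-icmp - confirm that is intended.
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

	#
	# tcp sockets
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# an address that lives on loopback must be refused once the socket
	# is bound to ${NSA_DEV}
	a=${NSA_LO_IP6}
	log_start
	show_hint "Should fail with 'Cannot assign requested address'"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
}

# Bind-only checks (-b) with a VRF: addresses on the enslaved device and on
# the VRF device are accepted after a VRF bind, addresses on loopback are
# rejected as out of scope, and the VRF address is rejected for a TCP socket
# bound to the enslaved device.
ipv6_addr_bind_vrf()
{
	# keep the address variable out of the global scope, as the other
	# test functions in this file do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"

	#
	# raw socket with nonlocal bind
	#
	# NOTE(review): as in ipv6_addr_bind_novrf, this case passes -P icmp
	# rather than -P ipv6-icmp - confirm that is intended.
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	#
	# tcp sockets
	#
	# address on enslaved device is valid for the VRF or device in a VRF
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"

	# the VRF device's own address is not valid for a socket bound to
	# the enslaved device
	a=${VRF_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to VRF address with device bind"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"

}

# Run the IPv6 address bind tests, first without and then with a VRF.
ipv6_addr_bind()
{
	log_section "IPv6 address binds"

	log_subsection "No VRF"
	setup
	ipv6_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_addr_bind_vrf
}

################################################################################
# IPv6 runtime tests

# Runtime tests: delete the VRF device while a server and a client are
# running.
# Arguments: $1 - description prefix used in the test names
#            $2 - extra nettest arguments, appended after -6
# log_test_addr is called with a literal 0 for both the status and the
# expected value, so these entries are always logged as OK; the exit status
# of the background client is not checked.  Presumably the point is that
# the delete completes without a hang or crash - TODO confirm.
ipv6_rt()
{
	local desc="$1"
	local varg="-6 $2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		# the VRF device was just deleted; presumably this rebuilds
		# the topology for the next iteration
		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${NSA_DEV} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, enslaved device server"

		setup ${with_vrf}
	done

	#
	# client test
	#
	log_start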
3592 run_cmd_nsb nettest ${varg} -s & 3593 sleep 1 3594 run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} & 3595 sleep 3 3596 run_cmd ip link del ${VRF} 3597 sleep 1 3598 log_test 0 0 "${desc}, VRF client" 3599 3600 setup ${with_vrf} 3601 3602 log_start 3603 run_cmd_nsb nettest ${varg} -s & 3604 sleep 1 3605 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} & 3606 sleep 3 3607 run_cmd ip link del ${VRF} 3608 sleep 1 3609 log_test 0 0 "${desc}, enslaved device client" 3610 3611 setup ${with_vrf} 3612 3613 3614 # 3615 # local address tests 3616 # 3617 for a in ${NSA_IP6} ${VRF_IP6} 3618 do 3619 log_start 3620 run_cmd nettest ${varg} -s & 3621 sleep 1 3622 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 3623 sleep 3 3624 run_cmd ip link del ${VRF} 3625 sleep 1 3626 log_test_addr ${a} 0 0 "${desc}, global server, VRF client" 3627 3628 setup ${with_vrf} 3629 done 3630 3631 for a in ${NSA_IP6} ${VRF_IP6} 3632 do 3633 log_start 3634 run_cmd nettest ${varg} -I ${VRF} -s & 3635 sleep 1 3636 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 3637 sleep 3 3638 run_cmd ip link del ${VRF} 3639 sleep 1 3640 log_test_addr ${a} 0 0 "${desc}, VRF server and client" 3641 3642 setup ${with_vrf} 3643 done 3644 3645 a=${NSA_IP6} 3646 log_start 3647 run_cmd nettest ${varg} -s & 3648 sleep 1 3649 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 3650 sleep 3 3651 run_cmd ip link del ${VRF} 3652 sleep 1 3653 log_test_addr ${a} 0 0 "${desc}, global server, device client" 3654 3655 setup ${with_vrf} 3656 3657 log_start 3658 run_cmd nettest ${varg} -I ${VRF} -s & 3659 sleep 1 3660 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 3661 sleep 3 3662 run_cmd ip link del ${VRF} 3663 sleep 1 3664 log_test_addr ${a} 0 0 "${desc}, VRF server, device client" 3665 3666 setup ${with_vrf} 3667 3668 log_start 3669 run_cmd nettest ${varg} -I ${NSA_DEV} -s & 3670 sleep 1 3671 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 3672 sleep 3 3673 run_cmd ip link del ${VRF} 3674 sleep 1 3675 log_test_addr ${a} 0 0 "${desc}, 
device server, device client" 3676} 3677 3678ipv6_ping_rt() 3679{ 3680 local with_vrf="yes" 3681 local a 3682 3683 a=${NSA_IP6} 3684 log_start 3685 run_cmd_nsb ${ping6} -f ${a} & 3686 sleep 3 3687 run_cmd ip link del ${VRF} 3688 sleep 1 3689 log_test_addr ${a} 0 0 "Device delete with active traffic - ping in" 3690 3691 setup ${with_vrf} 3692 3693 log_start 3694 run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} & 3695 sleep 1 3696 run_cmd ip link del ${VRF} 3697 sleep 1 3698 log_test_addr ${a} 0 0 "Device delete with active traffic - ping out" 3699} 3700 3701ipv6_runtime() 3702{ 3703 log_section "Run time tests - ipv6" 3704 3705 setup "yes" 3706 ipv6_ping_rt 3707 3708 setup "yes" 3709 ipv6_rt "TCP active socket" "-n -1" 3710 3711 setup "yes" 3712 ipv6_rt "TCP passive socket" "-i" 3713 3714 setup "yes" 3715 ipv6_rt "UDP active socket" "-D -n -1" 3716} 3717 3718################################################################################ 3719# netfilter blocking connections 3720 3721netfilter_tcp_reset() 3722{ 3723 local a 3724 3725 for a in ${NSA_IP} ${VRF_IP} 3726 do 3727 log_start 3728 run_cmd nettest -s & 3729 sleep 1 3730 run_cmd_nsb nettest -r ${a} 3731 log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx" 3732 done 3733} 3734 3735netfilter_icmp() 3736{ 3737 local stype="$1" 3738 local arg 3739 local a 3740 3741 [ "${stype}" = "UDP" ] && arg="-D" 3742 3743 for a in ${NSA_IP} ${VRF_IP} 3744 do 3745 log_start 3746 run_cmd nettest ${arg} -s & 3747 sleep 1 3748 run_cmd_nsb nettest ${arg} -r ${a} 3749 log_test_addr ${a} $? 
1 "Global ${stype} server, Rx reject icmp-port-unreach" 3750 done 3751} 3752 3753ipv4_netfilter() 3754{ 3755 log_section "IPv4 Netfilter" 3756 log_subsection "TCP reset" 3757 3758 setup "yes" 3759 run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset 3760 3761 netfilter_tcp_reset 3762 3763 log_start 3764 log_subsection "ICMP unreachable" 3765 3766 log_start 3767 run_cmd iptables -F 3768 run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable 3769 run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable 3770 3771 netfilter_icmp "TCP" 3772 netfilter_icmp "UDP" 3773 3774 log_start 3775 iptables -F 3776} 3777 3778netfilter_tcp6_reset() 3779{ 3780 local a 3781 3782 for a in ${NSA_IP6} ${VRF_IP6} 3783 do 3784 log_start 3785 run_cmd nettest -6 -s & 3786 sleep 1 3787 run_cmd_nsb nettest -6 -r ${a} 3788 log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx" 3789 done 3790} 3791 3792netfilter_icmp6() 3793{ 3794 local stype="$1" 3795 local arg 3796 local a 3797 3798 [ "${stype}" = "UDP" ] && arg="$arg -D" 3799 3800 for a in ${NSA_IP6} ${VRF_IP6} 3801 do 3802 log_start 3803 run_cmd nettest -6 -s ${arg} & 3804 sleep 1 3805 run_cmd_nsb nettest -6 ${arg} -r ${a} 3806 log_test_addr ${a} $? 
1 "Global ${stype} server, Rx reject icmp-port-unreach" 3807 done 3808} 3809 3810ipv6_netfilter() 3811{ 3812 log_section "IPv6 Netfilter" 3813 log_subsection "TCP reset" 3814 3815 setup "yes" 3816 run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset 3817 3818 netfilter_tcp6_reset 3819 3820 log_subsection "ICMP unreachable" 3821 3822 log_start 3823 run_cmd ip6tables -F 3824 run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable 3825 run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable 3826 3827 netfilter_icmp6 "TCP" 3828 netfilter_icmp6 "UDP" 3829 3830 log_start 3831 ip6tables -F 3832} 3833 3834################################################################################ 3835# specific use cases 3836 3837# VRF only. 3838# ns-A device enslaved to bridge. Verify traffic with and without 3839# br_netfilter module loaded. Repeat with SVI on bridge. 3840use_case_br() 3841{ 3842 setup "yes" 3843 3844 setup_cmd ip link set ${NSA_DEV} down 3845 setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24 3846 setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64 3847 3848 setup_cmd ip link add br0 type bridge 3849 setup_cmd ip addr add dev br0 ${NSA_IP}/24 3850 setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad 3851 3852 setup_cmd ip li set ${NSA_DEV} master br0 3853 setup_cmd ip li set ${NSA_DEV} up 3854 setup_cmd ip li set br0 up 3855 setup_cmd ip li set br0 vrf ${VRF} 3856 3857 rmmod br_netfilter 2>/dev/null 3858 sleep 5 # DAD 3859 3860 run_cmd ip neigh flush all 3861 run_cmd ping -c1 -w1 -I br0 ${NSB_IP} 3862 log_test $? 0 "Bridge into VRF - IPv4 ping out" 3863 3864 run_cmd ip neigh flush all 3865 run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6} 3866 log_test $? 0 "Bridge into VRF - IPv6 ping out" 3867 3868 run_cmd ip neigh flush all 3869 run_cmd_nsb ping -c1 -w1 ${NSA_IP} 3870 log_test $? 
0 "Bridge into VRF - IPv4 ping in" 3871 3872 run_cmd ip neigh flush all 3873 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 3874 log_test $? 0 "Bridge into VRF - IPv6 ping in" 3875 3876 modprobe br_netfilter 3877 if [ $? -eq 0 ]; then 3878 run_cmd ip neigh flush all 3879 run_cmd ping -c1 -w1 -I br0 ${NSB_IP} 3880 log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out" 3881 3882 run_cmd ip neigh flush all 3883 run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6} 3884 log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out" 3885 3886 run_cmd ip neigh flush all 3887 run_cmd_nsb ping -c1 -w1 ${NSA_IP} 3888 log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in" 3889 3890 run_cmd ip neigh flush all 3891 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 3892 log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in" 3893 fi 3894 3895 setup_cmd ip li set br0 nomaster 3896 setup_cmd ip li add br0.100 link br0 type vlan id 100 3897 setup_cmd ip li set br0.100 vrf ${VRF} up 3898 setup_cmd ip addr add dev br0.100 172.16.101.1/24 3899 setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad 3900 3901 setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100 3902 setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24 3903 setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad 3904 setup_cmd_nsb ip li set vlan100 up 3905 sleep 1 3906 3907 rmmod br_netfilter 2>/dev/null 3908 3909 run_cmd ip neigh flush all 3910 run_cmd ping -c1 -w1 -I br0.100 172.16.101.2 3911 log_test $? 0 "Bridge vlan into VRF - IPv4 ping out" 3912 3913 run_cmd ip neigh flush all 3914 run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2 3915 log_test $? 0 "Bridge vlan into VRF - IPv6 ping out" 3916 3917 run_cmd ip neigh flush all 3918 run_cmd_nsb ping -c1 -w1 172.16.101.1 3919 log_test $? 0 "Bridge vlan into VRF - IPv4 ping in" 3920 3921 run_cmd ip neigh flush all 3922 run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1 3923 log_test $? 
0 "Bridge vlan into VRF - IPv6 ping in" 3924 3925 modprobe br_netfilter 3926 if [ $? -eq 0 ]; then 3927 run_cmd ip neigh flush all 3928 run_cmd ping -c1 -w1 -I br0.100 172.16.101.2 3929 log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out" 3930 3931 run_cmd ip neigh flush all 3932 run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2 3933 log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out" 3934 3935 run_cmd ip neigh flush all 3936 run_cmd_nsb ping -c1 -w1 172.16.101.1 3937 log_test $? 0 "Bridge vlan into VRF - IPv4 ping in" 3938 3939 run_cmd ip neigh flush all 3940 run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1 3941 log_test $? 0 "Bridge vlan into VRF - IPv6 ping in" 3942 fi 3943 3944 setup_cmd ip li del br0 2>/dev/null 3945 setup_cmd_nsb ip li del vlan100 2>/dev/null 3946} 3947 3948# VRF only. 3949# ns-A device is connected to both ns-B and ns-C on a single VRF but only has 3950# LLA on the interfaces 3951use_case_ping_lla_multi() 3952{ 3953 setup_lla_only 3954 # only want reply from ns-A 3955 setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1 3956 setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1 3957 3958 log_start 3959 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV} 3960 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B" 3961 3962 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV} 3963 log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C" 3964 3965 # cycle/flap the first ns-A interface 3966 setup_cmd ip link set ${NSA_DEV} down 3967 setup_cmd ip link set ${NSA_DEV} up 3968 sleep 1 3969 3970 log_start 3971 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV} 3972 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B" 3973 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV} 3974 log_test_addr ${MCAST}%${NSC_DEV} $? 
0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C" 3975 3976 # cycle/flap the second ns-A interface 3977 setup_cmd ip link set ${NSA_DEV2} down 3978 setup_cmd ip link set ${NSA_DEV2} up 3979 sleep 1 3980 3981 log_start 3982 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV} 3983 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B" 3984 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV} 3985 log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C" 3986} 3987 3988# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully 3989# established with ns-B. 3990use_case_snat_on_vrf() 3991{ 3992 setup "yes" 3993 3994 local port="12345" 3995 3996 run_cmd iptables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF} 3997 run_cmd ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF} 3998 3999 run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} & 4000 sleep 1 4001 run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port} 4002 log_test $? 0 "IPv4 TCP connection over VRF with SNAT" 4003 4004 run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} & 4005 sleep 1 4006 run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port} 4007 log_test $? 
0 "IPv6 TCP connection over VRF with SNAT" 4008 4009 # Cleanup 4010 run_cmd iptables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF} 4011 run_cmd ip6tables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF} 4012} 4013 4014use_cases() 4015{ 4016 log_section "Use cases" 4017 log_subsection "Device enslaved to bridge" 4018 use_case_br 4019 log_subsection "Ping LLA with multiple interfaces" 4020 use_case_ping_lla_multi 4021 log_subsection "SNAT on VRF" 4022 use_case_snat_on_vrf 4023} 4024 4025################################################################################ 4026# usage 4027 4028usage() 4029{ 4030 cat <<EOF 4031usage: ${0##*/} OPTS 4032 4033 -4 IPv4 tests only 4034 -6 IPv6 tests only 4035 -t <test> Test name/set to run 4036 -p Pause on fail 4037 -P Pause after each test 4038 -v Be verbose 4039EOF 4040} 4041 4042################################################################################ 4043# main 4044 4045TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter" 4046TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter" 4047TESTS_OTHER="use_cases" 4048 4049PAUSE_ON_FAIL=no 4050PAUSE=no 4051 4052while getopts :46t:pPvh o 4053do 4054 case $o in 4055 4) TESTS=ipv4;; 4056 6) TESTS=ipv6;; 4057 t) TESTS=$OPTARG;; 4058 p) PAUSE_ON_FAIL=yes;; 4059 P) PAUSE=yes;; 4060 v) VERBOSE=1;; 4061 h) usage; exit 0;; 4062 *) usage; exit 1;; 4063 esac 4064done 4065 4066# make sure we don't pause twice 4067[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no 4068 4069# 4070# show user test config 4071# 4072if [ -z "$TESTS" ]; then 4073 TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER" 4074elif [ "$TESTS" = "ipv4" ]; then 4075 TESTS="$TESTS_IPV4" 4076elif [ "$TESTS" = "ipv6" ]; then 4077 TESTS="$TESTS_IPV6" 4078fi 4079 4080which nettest >/dev/null 4081if [ $? 
-ne 0 ]; then 4082 echo "'nettest' command not found; skipping tests" 4083 exit $ksft_skip 4084fi 4085 4086declare -i nfail=0 4087declare -i nsuccess=0 4088 4089for t in $TESTS 4090do 4091 case $t in 4092 ipv4_ping|ping) ipv4_ping;; 4093 ipv4_tcp|tcp) ipv4_tcp;; 4094 ipv4_udp|udp) ipv4_udp;; 4095 ipv4_bind|bind) ipv4_addr_bind;; 4096 ipv4_runtime) ipv4_runtime;; 4097 ipv4_netfilter) ipv4_netfilter;; 4098 4099 ipv6_ping|ping6) ipv6_ping;; 4100 ipv6_tcp|tcp6) ipv6_tcp;; 4101 ipv6_udp|udp6) ipv6_udp;; 4102 ipv6_bind|bind6) ipv6_addr_bind;; 4103 ipv6_runtime) ipv6_runtime;; 4104 ipv6_netfilter) ipv6_netfilter;; 4105 4106 use_cases) use_cases;; 4107 4108 # setup namespaces and config, but do not run any tests 4109 setup) setup; exit 0;; 4110 vrf_setup) setup "yes"; exit 0;; 4111 esac 4112done 4113 4114cleanup 2>/dev/null 4115 4116printf "\nTests passed: %3d\n" ${nsuccess} 4117printf "Tests failed: %3d\n" ${nfail} 4118