#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
#
# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
# for various permutations:
#   1. icmp, tcp, udp and netfilter
#   2. client, server, no-server
#   3. global address on interface
#   4. global address on 'lo'
#   5. remote and local traffic
#   6. VRF and non-VRF permutations
#
# Setup:
#                     ns-A     |     ns-B
# No VRF case:
#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
#                                                remote address
# VRF case:
#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
#
# ns-A:
#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
#       lo: 127.0.0.1/8, ::1/128
#           172.16.2.1/32, 2001:db8:2::1/128
#      red: 127.0.0.1/8, ::1/128
#           172.16.3.1/32, 2001:db8:3::1/128
#
# ns-B:
#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
#      lo2: 127.0.0.1/8, ::1/128
#           172.16.2.2/32, 2001:db8:2::2/128
#
# ns-A to ns-C connection - only for VRF and same config
# as ns-A to ns-B
#
# server / client nomenclature relative to ns-A

# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4

# 1 makes the helpers below echo each command and its captured output
VERBOSE=0

# device names, VRF name and the routing table id handed to create_vrf
NSA_DEV=eth1
NSA_DEV2=eth2
NSB_DEV=eth1
NSC_DEV=eth2
VRF=red
VRF_TABLE=1101

# IPv4 config
NSA_IP=172.16.1.1
NSB_IP=172.16.1.2
VRF_IP=172.16.3.1
NS_NET=172.16.1.0/24

# IPv6 config
NSA_IP6=2001:db8:1::1
NSB_IP6=2001:db8:1::2
VRF_IP6=2001:db8:3::1
NS_NET6=2001:db8:1::/120

NSA_LO_IP=172.16.2.1
NSB_LO_IP=172.16.2.2
NSA_LO_IP6=2001:db8:2::1
NSB_LO_IP6=2001:db8:2::2

# non-local addresses for freebind tests
NL_IP=172.17.1.1
NL_IP6=2001:db8:4::1

# multicast and broadcast addresses
MCAST_IP=224.0.0.1
BCAST_IP=255.255.255.255

# Fixed keys for the TCP MD5 signature tests; the test functions hand them
# to nettest as -M / -X arguments. MD5_WRONG_PW is a second key that differs
# from MD5_PW. Both are test fixtures that appear on the command line, not
# secrets.
MD5_PW=abc123
MD5_WRONG_PW=abc1234

MCAST=ff02::1
# set after namespace create
NSA_LINKIP6=
NSB_LINKIP6=

NSA=ns-A
NSB=ns-B
NSC=ns-C

# command prefixes that run a command inside the respective namespace
NSA_CMD="ip netns exec ${NSA}"
NSB_CMD="ip netns exec ${NSB}"
NSC_CMD="ip netns exec ${NSC}"

# use a ping6 binary when one is installed, otherwise fall back to ping
which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)

################################################################################
# utilities

# Record the outcome of one test case.
#   $1 - exit status the test produced
#   $2 - exit status the test was expected to produce
#   $3 - description printed in the result line
# Bumps the nsuccess / nfail counters (not initialised in this part of the
# file), optionally waits for the operator when PAUSE_ON_FAIL or PAUSE is
# "yes", and finally stops any test processes that are still running.
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"

	[ "${VERBOSE}" = "1" ] && echo

	if [ ${rc} -eq ${expected} ]; then
		nsuccess=$((nsuccess+1))
		printf "TEST: %-70s [ OK ]\n" "${msg}"
	else
		nfail=$((nfail+1))
		printf "TEST: %-70s [FAIL]\n" "${msg}"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue, 'q' to quit"
			read a
			[ "$a" = "q" ] && exit 1
		fi
	fi

	if [ "${PAUSE}" = "yes" ]; then
		echo
		echo "hit enter to continue, 'q' to quit"
		read a
		[ "$a" = "q" ] && exit 1
	fi

	kill_procs
}

# Same as log_test, but appends a human-readable label for the address
# under test (see addr2str) to the description.
#   $1 - address, $2 - actual status, $3 - expected status, $4 - description
log_test_addr()
{
	local addr=$1
	local rc=$2
	local expected=$3
	local msg="$4"
	local astr

	astr=$(addr2str ${addr})
	log_test $rc $expected "$msg - ${astr}"
}

# Print a banner for a top-level group of tests.
log_section()
{
	echo
	echo "###########################################################################"
	echo "$*"
	echo "###########################################################################"
	echo
}

# Print a smaller banner for a group of tests inside a section.
log_subsection()
{
	echo
	echo "#################################################################"
	echo "$*"
	echo
}

# Called at the start of each test case.
log_start()
{
	# make sure we have no test instances running
	kill_procs

	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "#######################################################"
	fi
}

# Print a message only in verbose mode.
log_debug()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "$*"
		echo
	fi
}

# Print a "HINT:" line only in verbose mode; used to say what outcome the
# next command is expected to have.
show_hint()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo "HINT: $*"
		echo
	fi
}

# Stop leftover test processes; called from log_start and log_test.
# NOTE(review): killall selects by process name and is not limited to the
# test namespaces, so on a shared host it also signals unrelated
# nettest/ping/ping6 processes the caller is allowed to kill. cleanup() in
# this file uses the namespace-scoped 'ip netns pids' instead.
kill_procs()
{
	killall nettest ping ping6 >/dev/null 2>&1
	sleep 1
}

# Run the command given as arguments and return its exit status.
# The arguments are joined into one string and split again by the shell
# when executed, so an argument that itself contains whitespace or glob
# characters is not passed on as a single word.
# stdout and stderr are captured together and printed only when VERBOSE=1.
# rc is not declared local here, so the assignment lands in the caller's
# rc (or the global one).
do_run_cmd()
{
	local cmd="$*"
	local out

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${cmd}"
	fi

	out=$($cmd 2>&1)
	rc=$?
	if [ "$VERBOSE" = "1" -a -n "$out" ]; then
		echo "$out"
	fi

	return $rc
}

# Run a command inside ns-A.
run_cmd()
{
	do_run_cmd ${NSA_CMD} $*
}

# Run a command inside ns-B.
run_cmd_nsb()
{
	do_run_cmd ${NSB_CMD} $*
}

# Run a command inside ns-C.
run_cmd_nsc()
{
	do_run_cmd ${NSC_CMD} $*
}

# Run a setup command in ns-A; any failure ends the whole test run with
# the command's exit status.
setup_cmd()
{
	local cmd="$*"
	local rc

	run_cmd ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		# show user the command if not done so already
		if [ "$VERBOSE" = "0" ]; then
			echo "setup command: $cmd"
		fi
		echo "failed. stopping tests"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue"
			read a
		fi
		exit $rc
	fi
}

# Run a setup command in ns-B; any failure ends the whole test run with
# the command's exit status.
setup_cmd_nsb()
{
	local cmd="$*"
	local rc

	run_cmd_nsb ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		# show user the command if not done so already
		if [ "$VERBOSE" = "0" ]; then
			echo "setup command: $cmd"
		fi
		echo "failed. stopping tests"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue"
			read a
		fi
		exit $rc
	fi
}

# Run a setup command in ns-C; any failure ends the whole test run with
# the command's exit status.
setup_cmd_nsc()
{
	local cmd="$*"
	local rc

	run_cmd_nsc ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		# show user the command if not done so already
		if [ "$VERBOSE" = "0" ]; then
			echo "setup command: $cmd"
		fi
		echo "failed. stopping tests"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue"
			read a
		fi
		exit $rc
	fi
}

# set sysctl values in NS-A
# NOTE(review): $* is unquoted here and split again in do_run_cmd, so a
# value that contains a space (this file later passes
# net.ipv4.ping_group_range='0 2147483647') reaches sysctl as two separate
# words - confirm the setting is actually applied.
set_sysctl()
{
	echo "SYSCTL: $*"
	echo
	run_cmd sysctl -q -w $*
}

# get sysctl values in NS-A
get_sysctl()
{
	${NSA_CMD} sysctl -n $*
}

################################################################################
# Setup for tests

# Map an address to the label used in test result lines; anything that is
# not one of the configured addresses is reported as "unknown".
# The link-local patterns also accept an "%<scope>" suffix.
addr2str()
{
	case "$1" in
	127.0.0.1) echo "loopback";;
	::1) echo "IPv6 loopback";;

	${BCAST_IP}) echo "broadcast";;
	${MCAST_IP}) echo "multicast";;

	${NSA_IP})	echo "ns-A IP";;
	${NSA_IP6})	echo "ns-A IPv6";;
	${NSA_LO_IP})	echo "ns-A loopback IP";;
	${NSA_LO_IP6})	echo "ns-A loopback IPv6";;
	${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;

	${NSB_IP})	echo "ns-B IP";;
	${NSB_IP6})	echo "ns-B IPv6";;
	${NSB_LO_IP})	echo "ns-B loopback IP";;
	${NSB_LO_IP6})	echo "ns-B loopback IPv6";;
	${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;

	${NL_IP})       echo "nonlocal IP";;
	${NL_IP6})      echo "nonlocal IPv6";;

	${VRF_IP})	echo "VRF IP";;
	${VRF_IP6})	echo "VRF IPv6";;

	${MCAST}%*)	echo "multicast IP";;

	*) echo "unknown";;
	esac
}

# Print the fe80 (link-local) IPv6 address of a device in a namespace.
#   $1 - namespace, $2 - device
# Returns 1 and prints nothing when the device has no such address.
get_linklocal()
{
	local ns=$1
	local dev=$2
	local addr

	# brief output: addresses start at the third field
	addr=$(ip -netns ${ns} -6 -br addr show dev ${dev} | \
	awk '{
		for (i = 3; i <= NF; ++i) {
			if ($i ~ /^fe80/)
				print $i
		}
	}'
	)
	# drop the "/<prefix length>" suffix
	addr=${addr/\/*}

	[ -z "$addr" ] && return 1

	echo $addr

	return 0
}

################################################################################
# create namespaces and vrf

# Create a VRF device in a namespace and give it loopback-style addresses.
#   $1 - namespace, $2 - VRF device name, $3 - routing table id
#   $4 - extra IPv4 address or "-" for none
#   $5 - extra IPv6 address or "-" for none
create_vrf()
{
	local ns=$1
	local vrf=$2
	local table=$3
	local addr=$4
	local addr6=$5

	ip -netns ${ns} link add ${vrf} type vrf table ${table}
	ip -netns ${ns} link set ${vrf} up
	# high-metric unreachable defaults in the VRF table; presumably so a
	# lookup without a more specific route fails inside the VRF instead of
	# continuing into another table - TODO confirm
	ip -netns ${ns} route add vrf ${vrf} unreachable default metric 8192
	ip -netns ${ns} -6 route add vrf ${vrf} unreachable default metric 8192

	ip -netns ${ns} addr add 127.0.0.1/8 dev ${vrf}
	ip -netns ${ns} -6 addr add ::1 dev ${vrf} nodad
	if [ "${addr}" != "-" ]; then
		ip -netns ${ns} addr add dev ${vrf} ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns ${ns} -6 addr add dev ${vrf} ${addr6}
	fi

	# move the "lookup local" rule from pref 0 to pref 32765 for both
	# families; presumably so the VRF rule is consulted before the local
	# table - TODO confirm
	ip -netns ${ns} ru del pref 0
	ip -netns ${ns} ru add pref 32765 from all lookup local
	ip -netns ${ns} -6 ru del pref 0
	ip -netns ${ns} -6 ru add pref 32765 from all lookup local
}

# Create a network namespace with loopback up and forwarding enabled.
#   $1 - namespace name
#   $2 - IPv4 address to add to lo, or "-" for none
#   $3 - IPv6 address to add to lo, or "-" for none
create_ns()
{
	local ns=$1
	local addr=$2
	local addr6=$3

	ip netns add ${ns}

	ip -netns ${ns} link set lo up
	if [ "${addr}" != "-" ]; then
		ip -netns ${ns} addr add dev lo ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns ${ns} -6 addr add dev lo ${addr6}
	fi

	ip -netns ${ns} ro add unreachable default metric 8192
	ip -netns ${ns} -6 ro add unreachable default metric 8192

	# sysctl is run through "ip netns exec", i.e. from inside the new
	# namespace
	ip netns exec ${ns} sysctl -qw net.ipv4.ip_forward=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.forwarding=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.forwarding=1
}

# create veth pair to connect namespaces and apply addresses.
422connect_ns() 423{ 424 local ns1=$1 425 local ns1_dev=$2 426 local ns1_addr=$3 427 local ns1_addr6=$4 428 local ns2=$5 429 local ns2_dev=$6 430 local ns2_addr=$7 431 local ns2_addr6=$8 432 433 ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp 434 ip -netns ${ns1} li set ${ns1_dev} up 435 ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev} 436 ip -netns ${ns2} li set ${ns2_dev} up 437 438 if [ "${ns1_addr}" != "-" ]; then 439 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr} 440 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr} 441 fi 442 443 if [ "${ns1_addr6}" != "-" ]; then 444 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6} 445 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6} 446 fi 447} 448 449cleanup() 450{ 451 # explicit cleanups to check those code paths 452 ip netns | grep -q ${NSA} 453 if [ $? -eq 0 ]; then 454 ip -netns ${NSA} link delete ${VRF} 455 ip -netns ${NSA} ro flush table ${VRF_TABLE} 456 457 ip -netns ${NSA} addr flush dev ${NSA_DEV} 458 ip -netns ${NSA} -6 addr flush dev ${NSA_DEV} 459 ip -netns ${NSA} link set dev ${NSA_DEV} down 460 ip -netns ${NSA} link del dev ${NSA_DEV} 461 462 ip netns pids ${NSA} | xargs kill 2>/dev/null 463 ip netns del ${NSA} 464 fi 465 466 ip netns pids ${NSB} | xargs kill 2>/dev/null 467 ip netns del ${NSB} 468 ip netns pids ${NSC} | xargs kill 2>/dev/null 469 ip netns del ${NSC} >/dev/null 2>&1 470} 471 472cleanup_vrf_dup() 473{ 474 ip link del ${NSA_DEV2} >/dev/null 2>&1 475 ip netns pids ${NSC} | xargs kill 2>/dev/null 476 ip netns del ${NSC} >/dev/null 2>&1 477} 478 479setup_vrf_dup() 480{ 481 # some VRF tests use ns-C which has the same config as 482 # ns-B but for a device NOT in the VRF 483 create_ns ${NSC} "-" "-" 484 connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \ 485 ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 486} 487 488setup() 489{ 490 local with_vrf=${1} 491 492 # make sure we are starting with a clean slate 493 kill_procs 494 cleanup 2>/dev/null 495 496 
log_debug "Configuring network namespaces" 497 set -e 498 499 create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128 500 create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128 501 connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \ 502 ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 503 504 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 505 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 506 507 # tell ns-A how to get to remote addresses of ns-B 508 if [ "${with_vrf}" = "yes" ]; then 509 create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6} 510 511 ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF} 512 ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 513 ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 514 515 ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 516 ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 517 else 518 ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 519 ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 520 fi 521 522 523 # tell ns-B how to get to remote addresses of ns-A 524 ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 525 ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 526 527 set +e 528 529 sleep 1 530} 531 532setup_lla_only() 533{ 534 # make sure we are starting with a clean slate 535 kill_procs 536 cleanup 2>/dev/null 537 538 log_debug "Configuring network namespaces" 539 set -e 540 541 create_ns ${NSA} "-" "-" 542 create_ns ${NSB} "-" "-" 543 create_ns ${NSC} "-" "-" 544 connect_ns ${NSA} ${NSA_DEV} "-" "-" \ 545 ${NSB} ${NSB_DEV} "-" "-" 546 connect_ns ${NSA} ${NSA_DEV2} "-" "-" \ 547 ${NSC} ${NSC_DEV} "-" "-" 548 549 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 550 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 551 NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV}) 552 553 create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-" 554 ip -netns ${NSA} link 
set dev ${NSA_DEV} vrf ${VRF} 555 ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF} 556 557 set +e 558 559 sleep 1 560} 561 562################################################################################ 563# IPv4 564 565ipv4_ping_novrf() 566{ 567 local a 568 569 # 570 # out 571 # 572 for a in ${NSB_IP} ${NSB_LO_IP} 573 do 574 log_start 575 run_cmd ping -c1 -w1 ${a} 576 log_test_addr ${a} $? 0 "ping out" 577 578 log_start 579 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 580 log_test_addr ${a} $? 0 "ping out, device bind" 581 582 log_start 583 run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a} 584 log_test_addr ${a} $? 0 "ping out, address bind" 585 done 586 587 # 588 # in 589 # 590 for a in ${NSA_IP} ${NSA_LO_IP} 591 do 592 log_start 593 run_cmd_nsb ping -c1 -w1 ${a} 594 log_test_addr ${a} $? 0 "ping in" 595 done 596 597 # 598 # local traffic 599 # 600 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 601 do 602 log_start 603 run_cmd ping -c1 -w1 ${a} 604 log_test_addr ${a} $? 0 "ping local" 605 done 606 607 # 608 # local traffic, socket bound to device 609 # 610 # address on device 611 a=${NSA_IP} 612 log_start 613 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 614 log_test_addr ${a} $? 0 "ping local, device bind" 615 616 # loopback addresses not reachable from device bind 617 # fails in a really weird way though because ipv4 special cases 618 # route lookups with oif set. 619 for a in ${NSA_LO_IP} 127.0.0.1 620 do 621 log_start 622 show_hint "Fails since address on loopback device is out of device scope" 623 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 624 log_test_addr ${a} $? 
1 "ping local, device bind" 625 done 626 627 # 628 # ip rule blocks reachability to remote address 629 # 630 log_start 631 setup_cmd ip rule add pref 32765 from all lookup local 632 setup_cmd ip rule del pref 0 from all lookup local 633 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 634 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 635 636 a=${NSB_LO_IP} 637 run_cmd ping -c1 -w1 ${a} 638 log_test_addr ${a} $? 2 "ping out, blocked by rule" 639 640 # NOTE: ipv4 actually allows the lookup to fail and yet still create 641 # a viable rtable if the oif (e.g., bind to device) is set, so this 642 # case succeeds despite the rule 643 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 644 645 a=${NSA_LO_IP} 646 log_start 647 show_hint "Response generates ICMP (or arp request is ignored) due to ip rule" 648 run_cmd_nsb ping -c1 -w1 ${a} 649 log_test_addr ${a} $? 1 "ping in, blocked by rule" 650 651 [ "$VERBOSE" = "1" ] && echo 652 setup_cmd ip rule del pref 32765 from all lookup local 653 setup_cmd ip rule add pref 0 from all lookup local 654 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 655 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 656 657 # 658 # route blocks reachability to remote address 659 # 660 log_start 661 setup_cmd ip route replace unreachable ${NSB_LO_IP} 662 setup_cmd ip route replace unreachable ${NSB_IP} 663 664 a=${NSB_LO_IP} 665 run_cmd ping -c1 -w1 ${a} 666 log_test_addr ${a} $? 2 "ping out, blocked by route" 667 668 # NOTE: ipv4 actually allows the lookup to fail and yet still create 669 # a viable rtable if the oif (e.g., bind to device) is set, so this 670 # case succeeds despite not having a route for the address 671 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 672 673 a=${NSA_LO_IP} 674 log_start 675 show_hint "Response is dropped (or arp request is ignored) due to ip route" 676 run_cmd_nsb ping -c1 -w1 ${a} 677 log_test_addr ${a} $? 
1 "ping in, blocked by route" 678 679 # 680 # remove 'remote' routes; fallback to default 681 # 682 log_start 683 setup_cmd ip ro del ${NSB_LO_IP} 684 685 a=${NSB_LO_IP} 686 run_cmd ping -c1 -w1 ${a} 687 log_test_addr ${a} $? 2 "ping out, unreachable default route" 688 689 # NOTE: ipv4 actually allows the lookup to fail and yet still create 690 # a viable rtable if the oif (e.g., bind to device) is set, so this 691 # case succeeds despite not having a route for the address 692 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 693} 694 695ipv4_ping_vrf() 696{ 697 local a 698 699 # should default on; does not exist on older kernels 700 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 701 702 # 703 # out 704 # 705 for a in ${NSB_IP} ${NSB_LO_IP} 706 do 707 log_start 708 run_cmd ping -c1 -w1 -I ${VRF} ${a} 709 log_test_addr ${a} $? 0 "ping out, VRF bind" 710 711 log_start 712 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 713 log_test_addr ${a} $? 0 "ping out, device bind" 714 715 log_start 716 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a} 717 log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind" 718 719 log_start 720 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a} 721 log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind" 722 done 723 724 # 725 # in 726 # 727 for a in ${NSA_IP} ${VRF_IP} 728 do 729 log_start 730 run_cmd_nsb ping -c1 -w1 ${a} 731 log_test_addr ${a} $? 0 "ping in" 732 done 733 734 # 735 # local traffic, local address 736 # 737 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 738 do 739 log_start 740 show_hint "Source address should be ${a}" 741 run_cmd ping -c1 -w1 -I ${VRF} ${a} 742 log_test_addr ${a} $? 0 "ping local, VRF bind" 743 done 744 745 # 746 # local traffic, socket bound to device 747 # 748 # address on device 749 a=${NSA_IP} 750 log_start 751 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 752 log_test_addr ${a} $? 
0 "ping local, device bind" 753 754 # vrf device is out of scope 755 for a in ${VRF_IP} 127.0.0.1 756 do 757 log_start 758 show_hint "Fails since address on vrf device is out of device scope" 759 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 760 log_test_addr ${a} $? 2 "ping local, device bind" 761 done 762 763 # 764 # ip rule blocks address 765 # 766 log_start 767 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 768 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 769 770 a=${NSB_LO_IP} 771 run_cmd ping -c1 -w1 -I ${VRF} ${a} 772 log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule" 773 774 log_start 775 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 776 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 777 778 a=${NSA_LO_IP} 779 log_start 780 show_hint "Response lost due to ip rule" 781 run_cmd_nsb ping -c1 -w1 ${a} 782 log_test_addr ${a} $? 1 "ping in, blocked by rule" 783 784 [ "$VERBOSE" = "1" ] && echo 785 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 786 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 787 788 # 789 # remove 'remote' routes; fallback to default 790 # 791 log_start 792 setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP} 793 794 a=${NSB_LO_IP} 795 run_cmd ping -c1 -w1 -I ${VRF} ${a} 796 log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route" 797 798 log_start 799 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 800 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 801 802 a=${NSA_LO_IP} 803 log_start 804 show_hint "Response lost by unreachable route" 805 run_cmd_nsb ping -c1 -w1 ${a} 806 log_test_addr ${a} $? 
1 "ping in, unreachable route" 807} 808 809ipv4_ping() 810{ 811 log_section "IPv4 ping" 812 813 log_subsection "No VRF" 814 setup 815 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null 816 ipv4_ping_novrf 817 setup 818 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 819 ipv4_ping_novrf 820 setup 821 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 822 ipv4_ping_novrf 823 824 log_subsection "With VRF" 825 setup "yes" 826 ipv4_ping_vrf 827 setup "yes" 828 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 829 ipv4_ping_vrf 830} 831 832################################################################################ 833# IPv4 TCP 834 835# 836# MD5 tests without VRF 837# 838ipv4_tcp_md5_novrf() 839{ 840 # 841 # single address 842 # 843 844 # basic use case 845 log_start 846 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 847 sleep 1 848 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 849 log_test $? 0 "MD5: Single address config" 850 851 # client sends MD5, server not configured 852 log_start 853 show_hint "Should timeout due to MD5 mismatch" 854 run_cmd nettest -s & 855 sleep 1 856 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 857 log_test $? 2 "MD5: Server no config, client uses password" 858 859 # wrong password 860 log_start 861 show_hint "Should timeout since client uses wrong password" 862 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 863 sleep 1 864 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 865 log_test $? 2 "MD5: Client uses wrong password" 866 867 # client from different address 868 log_start 869 show_hint "Should timeout due to MD5 mismatch" 870 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} & 871 sleep 1 872 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 873 log_test $? 
2 "MD5: Client address does not match address configured with password" 874 875 # 876 # MD5 extension - prefix length 877 # 878 879 # client in prefix 880 log_start 881 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 882 sleep 1 883 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 884 log_test $? 0 "MD5: Prefix config" 885 886 # client in prefix, wrong password 887 log_start 888 show_hint "Should timeout since client uses wrong password" 889 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 890 sleep 1 891 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 892 log_test $? 2 "MD5: Prefix config, client uses wrong password" 893 894 # client outside of prefix 895 log_start 896 show_hint "Should timeout due to MD5 mismatch" 897 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 898 sleep 1 899 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 900 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 901} 902 903# 904# MD5 tests with VRF 905# 906ipv4_tcp_md5() 907{ 908 # 909 # single address 910 # 911 912 # basic use case 913 log_start 914 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 915 sleep 1 916 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 917 log_test $? 0 "MD5: VRF: Single address config" 918 919 # client sends MD5, server not configured 920 log_start 921 show_hint "Should timeout since server does not have MD5 auth" 922 run_cmd nettest -s -I ${VRF} & 923 sleep 1 924 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 925 log_test $? 2 "MD5: VRF: Server no config, client uses password" 926 927 # wrong password 928 log_start 929 show_hint "Should timeout since client uses wrong password" 930 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 931 sleep 1 932 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 933 log_test $? 
2 "MD5: VRF: Client uses wrong password" 934 935 # client from different address 936 log_start 937 show_hint "Should timeout since server config differs from client" 938 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} & 939 sleep 1 940 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 941 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 942 943 # 944 # MD5 extension - prefix length 945 # 946 947 # client in prefix 948 log_start 949 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 950 sleep 1 951 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 952 log_test $? 0 "MD5: VRF: Prefix config" 953 954 # client in prefix, wrong password 955 log_start 956 show_hint "Should timeout since client uses wrong password" 957 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 958 sleep 1 959 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 960 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 961 962 # client outside of prefix 963 log_start 964 show_hint "Should timeout since client address is outside of prefix" 965 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 966 sleep 1 967 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 968 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" 969 970 # 971 # duplicate config between default VRF and a VRF 972 # 973 974 log_start 975 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 976 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 977 sleep 1 978 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 979 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 980 981 log_start 982 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 983 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 984 sleep 1 985 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 986 log_test $? 
0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 987 988 log_start 989 show_hint "Should timeout since client in default VRF uses VRF password" 990 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 991 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 992 sleep 1 993 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 994 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 995 996 log_start 997 show_hint "Should timeout since client in VRF uses default VRF password" 998 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 999 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 1000 sleep 1 1001 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1002 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 1003 1004 log_start 1005 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1006 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1007 sleep 1 1008 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1009 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 1010 1011 log_start 1012 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1013 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1014 sleep 1 1015 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1016 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 1017 1018 log_start 1019 show_hint "Should timeout since client in default VRF uses VRF password" 1020 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1021 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1022 sleep 1 1023 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1024 log_test $? 
2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 1025 1026 log_start 1027 show_hint "Should timeout since client in VRF uses default VRF password" 1028 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1029 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1030 sleep 1 1031 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1032 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 1033 1034 # 1035 # negative tests 1036 # 1037 log_start 1038 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP} 1039 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 1040 1041 log_start 1042 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET} 1043 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 1044 1045 test_ipv4_md5_vrf__vrf_server__no_bind_ifindex 1046 test_ipv4_md5_vrf__global_server__bind_ifindex0 1047} 1048 1049test_ipv4_md5_vrf__vrf_server__no_bind_ifindex() 1050{ 1051 log_start 1052 show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX" 1053 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1054 sleep 1 1055 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1056 log_test $? 0 "MD5: VRF: VRF-bound server, unbound key accepts connection" 1057 1058 log_start 1059 show_hint "Binding both the socket and the key is not required but it works" 1060 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1061 sleep 1 1062 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1063 log_test $? 
0 "MD5: VRF: VRF-bound server, bound key accepts connection" 1064} 1065 1066test_ipv4_md5_vrf__global_server__bind_ifindex0() 1067{ 1068 # This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections 1069 local old_tcp_l3mdev_accept 1070 old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept) 1071 set_sysctl net.ipv4.tcp_l3mdev_accept=1 1072 1073 log_start 1074 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1075 sleep 1 1076 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1077 log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection" 1078 1079 log_start 1080 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1081 sleep 1 1082 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1083 log_test $? 0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection" 1084 log_start 1085 1086 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1087 sleep 1 1088 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1089 log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection" 1090 1091 log_start 1092 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1093 sleep 1 1094 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1095 log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection" 1096 1097 # restore value 1098 set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept" 1099} 1100 1101ipv4_tcp_novrf() 1102{ 1103 local a 1104 1105 # 1106 # server tests 1107 # 1108 for a in ${NSA_IP} ${NSA_LO_IP} 1109 do 1110 log_start 1111 run_cmd nettest -s & 1112 sleep 1 1113 run_cmd_nsb nettest -r ${a} 1114 log_test_addr ${a} $? 0 "Global server" 1115 done 1116 1117 a=${NSA_IP} 1118 log_start 1119 run_cmd nettest -s -I ${NSA_DEV} & 1120 sleep 1 1121 run_cmd_nsb nettest -r ${a} 1122 log_test_addr ${a} $? 
0 "Device server" 1123 1124 # verify TCP reset sent and received 1125 for a in ${NSA_IP} ${NSA_LO_IP} 1126 do 1127 log_start 1128 show_hint "Should fail 'Connection refused' since there is no server" 1129 run_cmd_nsb nettest -r ${a} 1130 log_test_addr ${a} $? 1 "No server" 1131 done 1132 1133 # 1134 # client 1135 # 1136 for a in ${NSB_IP} ${NSB_LO_IP} 1137 do 1138 log_start 1139 run_cmd_nsb nettest -s & 1140 sleep 1 1141 run_cmd nettest -r ${a} -0 ${NSA_IP} 1142 log_test_addr ${a} $? 0 "Client" 1143 1144 log_start 1145 run_cmd_nsb nettest -s & 1146 sleep 1 1147 run_cmd nettest -r ${a} -d ${NSA_DEV} 1148 log_test_addr ${a} $? 0 "Client, device bind" 1149 1150 log_start 1151 show_hint "Should fail 'Connection refused'" 1152 run_cmd nettest -r ${a} 1153 log_test_addr ${a} $? 1 "No server, unbound client" 1154 1155 log_start 1156 show_hint "Should fail 'Connection refused'" 1157 run_cmd nettest -r ${a} -d ${NSA_DEV} 1158 log_test_addr ${a} $? 1 "No server, device client" 1159 done 1160 1161 # 1162 # local address tests 1163 # 1164 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1165 do 1166 log_start 1167 run_cmd nettest -s & 1168 sleep 1 1169 run_cmd nettest -r ${a} -0 ${a} -1 ${a} 1170 log_test_addr ${a} $? 0 "Global server, local connection" 1171 done 1172 1173 a=${NSA_IP} 1174 log_start 1175 run_cmd nettest -s -I ${NSA_DEV} & 1176 sleep 1 1177 run_cmd nettest -r ${a} -0 ${a} 1178 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 1179 1180 for a in ${NSA_LO_IP} 127.0.0.1 1181 do 1182 log_start 1183 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 1184 run_cmd nettest -s -I ${NSA_DEV} & 1185 sleep 1 1186 run_cmd nettest -r ${a} 1187 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 1188 done 1189 1190 a=${NSA_IP} 1191 log_start 1192 run_cmd nettest -s & 1193 sleep 1 1194 run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV} 1195 log_test_addr ${a} $? 
# IPv4 TCP reachability checks for the VRF topology (the caller, ipv4_tcp,
# runs `setup "yes"` first).
#
# Every case follows the same pattern: optionally start a nettest server in
# the background, sleep one second so it can start listening, run the
# client, and hand the client's exit status to log_test_addr with the
# expected status (0 = connection succeeds, 1 = connection must fail).
# log_test_addr ends up in log_test, which calls kill_procs, so the
# background server does not survive into the next case.
#
# The permutations are run in two halves:
#   1. net.ipv4.tcp_l3mdev_accept=0 - a server that is not bound to the VRF
#      must NOT be reachable through the VRF (expected status 1).
#   2. net.ipv4.tcp_l3mdev_accept=1 - the same unbound server accepts
#      connections arriving through the VRF (expected status 0).
# In other words this sysctl decides whether an unbound listener is exposed
# to every L3 domain; with it off, only VRF- or device-bound listeners are
# reachable from inside the VRF.
#
# The VRF MD5 suite (ipv4_tcp_md5) runs between the two halves, wrapped in
# setup_vrf_dup / cleanup_vrf_dup.
#
# Globals read: NSA_IP, VRF_IP, NSB_IP, NSB_LO_IP, NSA_DEV, VRF.
# Side effects: leaves net.ipv4.tcp_l3mdev_accept set to 1 on return; the
# previous value is not restored here.
#
# NOTE(review): `sleep 1` is the only synchronisation with the background
# servers. A negative case (expected 1) cannot tell "refused because of VRF
# scoping" from "refused because the server was not up yet".
ipv4_tcp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"

	set_sysctl net.ipv4.tcp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		# unbound server, client arrives through the VRF: must be refused
		log_start
		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server"

		# server bound to the VRF device
		# (-3 presumably names the device the accepted socket is expected
		# to be bound to - confirm against nettest usage)
		log_start
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		# server bound to the enslaved interface
		log_start
		run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Device server"

		# verify TCP reset received
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	# local address tests
	# (${VRF_IP} and 127.0.0.1 both timeout)
	a=${NSA_IP}
	log_start
	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
	run_cmd nettest -s &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV}
	log_test_addr ${a} $? 1 "Global server, local connection"

	# run MD5 tests
	setup_vrf_dup
	ipv4_tcp_md5
	cleanup_vrf_dup

	#
	# enable VRF global server
	#
	log_subsection "VRF Global server enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	for a in ${NSA_IP} ${VRF_IP}
	do
		# same unbound server as in the first half, now expected to accept
		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		# verify TCP reset received
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	a=${NSA_IP}
	log_start
	show_hint "client socket should be bound to device"
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	# local address tests
	# NOTE(review): the server below is started with -I ${VRF}, although the
	# description passed to log_test_addr says "Global server" - confirm
	# which one is intended.
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Should fail 'Connection refused' since client is not bound to VRF"
		run_cmd nettest -s -I ${VRF} &
		sleep 1
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server, local connection"
	done

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		# ns-A is the client here; the server runs in ns-B
		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${VRF}
		log_test_addr ${a} $? 0 "Client, VRF bind"

		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${VRF}
		log_test_addr ${a} $? 1 "No server, VRF client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	# server and client both in ns-A, both inside the VRF
	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${VRF} -3 ${VRF} &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local connection"

	# an unbound client must not reach a VRF-bound server
	log_start
	show_hint "Should fail 'No route to host' since client is out of VRF scope"
	run_cmd nettest -s -I ${VRF} &
	sleep 1
	run_cmd nettest -r ${a}
	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local connection"
}
0 "Client, device send via cmsg" 1462 1463 log_start 1464 run_cmd_nsb nettest -D -s & 1465 sleep 1 1466 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} 1467 log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF" 1468 1469 log_start 1470 show_hint "Should fail 'Connection refused'" 1471 run_cmd nettest -D -r ${a} 1472 log_test_addr ${a} $? 1 "No server, unbound client" 1473 1474 log_start 1475 show_hint "Should fail 'Connection refused'" 1476 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1477 log_test_addr ${a} $? 1 "No server, device client" 1478 done 1479 1480 # 1481 # local address tests 1482 # 1483 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1484 do 1485 log_start 1486 run_cmd nettest -D -s & 1487 sleep 1 1488 run_cmd nettest -D -r ${a} -0 ${a} -1 ${a} 1489 log_test_addr ${a} $? 0 "Global server, local connection" 1490 done 1491 1492 a=${NSA_IP} 1493 log_start 1494 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1495 sleep 1 1496 run_cmd nettest -D -r ${a} 1497 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 1498 1499 for a in ${NSA_LO_IP} 127.0.0.1 1500 do 1501 log_start 1502 show_hint "Should fail 'Connection refused' since address is out of device scope" 1503 run_cmd nettest -s -D -I ${NSA_DEV} & 1504 sleep 1 1505 run_cmd nettest -D -r ${a} 1506 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 1507 done 1508 1509 a=${NSA_IP} 1510 log_start 1511 run_cmd nettest -s -D & 1512 sleep 1 1513 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1514 log_test_addr ${a} $? 0 "Global server, device client, local connection" 1515 1516 log_start 1517 run_cmd nettest -s -D & 1518 sleep 1 1519 run_cmd nettest -D -d ${NSA_DEV} -C -r ${a} 1520 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 1521 1522 log_start 1523 run_cmd nettest -s -D & 1524 sleep 1 1525 run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} 1526 log_test_addr ${a} $? 
# IPv4 UDP reachability checks for the VRF topology (the caller, ipv4_udp,
# runs `setup "yes"` first). All nettest invocations carry -D, presumably
# the datagram/UDP switch - confirm against nettest usage.
#
# Every case follows the same pattern: optionally start a nettest server in
# the background, sleep one second, run the client, and pass the client's
# exit status to log_test / log_test_addr with the expected status
# (0 = exchange succeeds, 1 = it must fail).
#
# The permutations are run in two halves:
#   1. net.ipv4.udp_l3mdev_accept=0 - a server socket that is not bound to
#      the VRF must not receive traffic that ingresses through the VRF.
#   2. net.ipv4.udp_l3mdev_accept=1 - the same unbound server does receive
#      it.
# As with the TCP variant of this sysctl, the setting decides whether an
# unbound UDP service is exposed to every L3 domain.
#
# Globals read: NSA_IP, VRF_IP, NSB_IP, NSA_DEV, VRF.
# Side effects: leaves net.ipv4.udp_l3mdev_accept set to 1 on return; the
# previous value is not restored here.
#
# NOTE(review): `sleep 1` is the only synchronisation with the background
# servers, so a negative case can also "pass" when the server simply was
# not up yet.
ipv4_udp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		# unbound server, traffic ingresses through the VRF: must fail
		log_start
		show_hint "Fails because ingress is in a VRF and global server is disabled"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "Global server"

		log_start
		run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		log_start
		run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server"

		# local VRF-bound client must not reach the unbound server either
		log_start
		show_hint "Should fail 'Connection refused' since global server is out of scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "Global server, VRF client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection"

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"

	# enable global server
	log_subsection "Global server enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		# unbound server is now expected to receive VRF traffic
		log_start
		run_cmd nettest -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		log_start
		run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client tests
	#
	# ns-A is the client here; the server runs in ns-B
	log_start
	run_cmd_nsb nettest -D -s &
	sleep 1
	run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP}
	log_test $? 0 "VRF client"

	log_start
	run_cmd_nsb nettest -D -s &
	sleep 1
	run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP}
	log_test $? 0 "Enslaved device client"

	# negative test - should fail
	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -D -d ${VRF} -r ${NSB_IP}
	log_test $? 1 "No server, VRF client"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP}
	log_test $? 1 "No server, enslaved device client"

	#
	# local address tests
	#
	a=${NSA_IP}
	log_start
	run_cmd nettest -D -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"

	for a in ${VRF_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -D -s -3 ${VRF} &
		sleep 1
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
	done

	for a in ${VRF_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -s -D -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
	done

	# negative test - should fail
	# verifies ECONNREFUSED
	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
	done
}
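# Verifies which bind() calls succeed or fail when the interface is enslaved
# to a VRF (the caller, ipv4_addr_bind, runs `setup "yes"` first).
#
# Each case runs nettest with -b and passes its exit status to
# log_test_addr together with the expected status: 0 when the bind must
# succeed, 1 when it must be refused. No traffic is exchanged and no
# background server is started.
#
# What the expectations encode:
#   - an address that lives in the VRF cannot be bound by a socket that is
#     not itself bound to the VRF or to the enslaved device;
#   - an address on loopback is outside the VRF and must be refused after a
#     VRF or device bind;
#   - ICMP sockets must not bind to broadcast or multicast addresses;
#   - a non-local address is accepted when -f is given (presumably the
#     freebind switch - confirm against nettest usage).
#
# Globals read: NSA_IP, VRF_IP, NSA_LO_IP, NL_IP, BCAST_IP, MCAST_IP,
#               NSA_DEV, VRF.
ipv4_addr_bind_vrf()
{
	# Keep the loop variable out of the global namespace, as the other
	# test functions in this file do; without this the function
	# overwrites any global `a`.
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Socket not bound to VRF, but address is in VRF"
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 1 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind"

	#
	# raw socket with nonlocal bind
	#
	a=${NL_IP}
	log_start
	run_cmd nettest -s -R -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	#
	# check that ICMP sockets cannot bind to broadcast and multicast addresses
	#
	a=${BCAST_IP}
	log_start
	run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address after VRF bind"

	# -f is passed here as well, and the bind is still expected to fail
	a=${MCAST_IP}
	log_start
	run_cmd nettest -s -R -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to multicast address after VRF bind"

	#
	# tcp sockets
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address"

		log_start
		run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
}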
# Runtime robustness check: delete the VRF device while flood pings
# (ping -f) are in flight, once for inbound and once for outbound traffic.
#
# Sequence per case: start the flood ping in the background, let it run for
# three seconds, delete ${VRF} with `ip link del`, wait one more second,
# then record the result.
#
# NOTE(review): log_test_addr is always called with the literal pair 0 0
# (status, expected), so each case is logged as OK whenever the script gets
# that far. Presumably the real pass criterion is that the kernel survives
# the delete without an oops or hang - check the kernel log; TODO confirm.
#
# Globals read: NSA_IP, VRF_IP, NSB_IP, VRF.
# Side effects: ${VRF} is deleted; after the final ("ping out") case it is
# not re-created here.
ipv4_ping_rt()
{
	local with_vrf="yes"
	local a

	# ping in: ns-B floods an ns-A address while the VRF is removed
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd_nsb ping -f ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

		# the VRF was deleted above; rebuild the topology for the next pass
		setup ${with_vrf}
	done

	# ping out: ns-A floods ns-B through the VRF while the VRF is removed
	a=${NSB_IP}
	log_start
	run_cmd ping -f -I ${VRF} ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}
0 "ping local, device bind" 2171 done 2172 2173 for a in ${NSA_LO_IP6} ::1 2174 do 2175 log_start 2176 show_hint "Fails since address on loopback is out of device scope" 2177 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2178 log_test_addr ${a} $? 2 "ping local, device bind" 2179 done 2180 2181 # 2182 # ip rule blocks address 2183 # 2184 log_start 2185 setup_cmd ip -6 rule add pref 32765 from all lookup local 2186 setup_cmd ip -6 rule del pref 0 from all lookup local 2187 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2188 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2189 2190 a=${NSB_LO_IP6} 2191 run_cmd ${ping6} -c1 -w1 ${a} 2192 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2193 2194 log_start 2195 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2196 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2197 2198 a=${NSA_LO_IP6} 2199 log_start 2200 show_hint "Response lost due to ip rule" 2201 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2202 log_test_addr ${a} $? 1 "ping in, blocked by rule" 2203 2204 setup_cmd ip -6 rule add pref 0 from all lookup local 2205 setup_cmd ip -6 rule del pref 32765 from all lookup local 2206 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2207 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2208 2209 # 2210 # route blocks reachability to remote address 2211 # 2212 log_start 2213 setup_cmd ip -6 route del ${NSB_LO_IP6} 2214 setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10 2215 setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10 2216 2217 a=${NSB_LO_IP6} 2218 run_cmd ${ping6} -c1 -w1 ${a} 2219 log_test_addr ${a} $? 2 "ping out, blocked by route" 2220 2221 log_start 2222 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2223 log_test_addr ${a} $? 2 "ping out, device bind, blocked by route" 2224 2225 a=${NSA_LO_IP6} 2226 log_start 2227 show_hint "Response lost due to ip route" 2228 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2229 log_test_addr ${a} $? 
1 "ping in, blocked by route" 2230 2231 2232 # 2233 # remove 'remote' routes; fallback to default 2234 # 2235 log_start 2236 setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6} 2237 setup_cmd ip -6 ro del unreachable ${NSB_IP6} 2238 2239 a=${NSB_LO_IP6} 2240 run_cmd ${ping6} -c1 -w1 ${a} 2241 log_test_addr ${a} $? 2 "ping out, unreachable route" 2242 2243 log_start 2244 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2245 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 2246} 2247 2248ipv6_ping_vrf() 2249{ 2250 local a 2251 2252 # should default on; does not exist on older kernels 2253 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 2254 2255 # 2256 # out 2257 # 2258 for a in ${NSB_IP6} ${NSB_LO_IP6} 2259 do 2260 log_start 2261 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2262 log_test_addr ${a} $? 0 "ping out, VRF bind" 2263 done 2264 2265 for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF} 2266 do 2267 log_start 2268 show_hint "Fails since VRF device does not support linklocal or multicast" 2269 run_cmd ${ping6} -c1 -w1 ${a} 2270 log_test_addr ${a} $? 1 "ping out, VRF bind" 2271 done 2272 2273 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2274 do 2275 log_start 2276 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2277 log_test_addr ${a} $? 0 "ping out, device bind" 2278 done 2279 2280 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2281 do 2282 log_start 2283 run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a} 2284 log_test_addr ${a} $? 0 "ping out, vrf device+address bind" 2285 done 2286 2287 # 2288 # in 2289 # 2290 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV} 2291 do 2292 log_start 2293 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2294 log_test_addr ${a} $? 0 "ping in" 2295 done 2296 2297 a=${NSA_LO_IP6} 2298 log_start 2299 show_hint "Fails since loopback address is out of VRF scope" 2300 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2301 log_test_addr ${a} $? 
1 "ping in" 2302 2303 # 2304 # local traffic, local address 2305 # 2306 for a in ${NSA_IP6} ${VRF_IP6} ::1 2307 do 2308 log_start 2309 show_hint "Source address should be ${a}" 2310 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2311 log_test_addr ${a} $? 0 "ping local, VRF bind" 2312 done 2313 2314 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2315 do 2316 log_start 2317 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2318 log_test_addr ${a} $? 0 "ping local, device bind" 2319 done 2320 2321 # LLA to GUA - remove ipv6 global addresses from ns-B 2322 setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 2323 setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo 2324 setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2325 2326 for a in ${NSA_IP6} ${VRF_IP6} 2327 do 2328 log_start 2329 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 2330 log_test_addr ${a} $? 0 "ping in, LLA to GUA" 2331 done 2332 2333 setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2334 setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} 2335 setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo 2336 2337 # 2338 # ip rule blocks address 2339 # 2340 log_start 2341 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2342 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2343 2344 a=${NSB_LO_IP6} 2345 run_cmd ${ping6} -c1 -w1 ${a} 2346 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2347 2348 log_start 2349 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2350 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2351 2352 a=${NSA_LO_IP6} 2353 log_start 2354 show_hint "Response lost due to ip rule" 2355 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2356 log_test_addr ${a} $? 
1 "ping in, blocked by rule" 2357 2358 log_start 2359 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2360 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2361 2362 # 2363 # remove 'remote' routes; fallback to default 2364 # 2365 log_start 2366 setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF} 2367 2368 a=${NSB_LO_IP6} 2369 run_cmd ${ping6} -c1 -w1 ${a} 2370 log_test_addr ${a} $? 2 "ping out, unreachable route" 2371 2372 log_start 2373 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2374 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 2375 2376 ip -netns ${NSB} -6 ro del ${NSA_LO_IP6} 2377 a=${NSA_LO_IP6} 2378 log_start 2379 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2380 log_test_addr ${a} $? 2 "ping in, unreachable route" 2381} 2382 2383ipv6_ping() 2384{ 2385 log_section "IPv6 ping" 2386 2387 log_subsection "No VRF" 2388 setup 2389 ipv6_ping_novrf 2390 setup 2391 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 2392 ipv6_ping_novrf 2393 2394 log_subsection "With VRF" 2395 setup "yes" 2396 ipv6_ping_vrf 2397 setup "yes" 2398 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 2399 ipv6_ping_vrf 2400} 2401 2402################################################################################ 2403# IPv6 TCP 2404 2405# 2406# MD5 tests without VRF 2407# 2408ipv6_tcp_md5_novrf() 2409{ 2410 # 2411 # single address 2412 # 2413 2414 # basic use case 2415 log_start 2416 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} & 2417 sleep 1 2418 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2419 log_test $? 0 "MD5: Single address config" 2420 2421 # client sends MD5, server not configured 2422 log_start 2423 show_hint "Should timeout due to MD5 mismatch" 2424 run_cmd nettest -6 -s & 2425 sleep 1 2426 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2427 log_test $? 
2 "MD5: Server no config, client uses password" 2428 2429 # wrong password 2430 log_start 2431 show_hint "Should timeout since client uses wrong password" 2432 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} & 2433 sleep 1 2434 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2435 log_test $? 2 "MD5: Client uses wrong password" 2436 2437 # client from different address 2438 log_start 2439 show_hint "Should timeout due to MD5 mismatch" 2440 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} & 2441 sleep 1 2442 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2443 log_test $? 2 "MD5: Client address does not match address configured with password" 2444 2445 # 2446 # MD5 extension - prefix length 2447 # 2448 2449 # client in prefix 2450 log_start 2451 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2452 sleep 1 2453 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2454 log_test $? 0 "MD5: Prefix config" 2455 2456 # client in prefix, wrong password 2457 log_start 2458 show_hint "Should timeout since client uses wrong password" 2459 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2460 sleep 1 2461 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2462 log_test $? 2 "MD5: Prefix config, client uses wrong password" 2463 2464 # client outside of prefix 2465 log_start 2466 show_hint "Should timeout due to MD5 mismatch" 2467 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2468 sleep 1 2469 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW} 2470 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 2471} 2472 2473# 2474# MD5 tests with VRF 2475# 2476ipv6_tcp_md5() 2477{ 2478 # 2479 # single address 2480 # 2481 2482 # basic use case 2483 log_start 2484 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2485 sleep 1 2486 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2487 log_test $? 
0 "MD5: VRF: Single address config" 2488 2489 # client sends MD5, server not configured 2490 log_start 2491 show_hint "Should timeout since server does not have MD5 auth" 2492 run_cmd nettest -6 -s -I ${VRF} & 2493 sleep 1 2494 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2495 log_test $? 2 "MD5: VRF: Server no config, client uses password" 2496 2497 # wrong password 2498 log_start 2499 show_hint "Should timeout since client uses wrong password" 2500 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2501 sleep 1 2502 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2503 log_test $? 2 "MD5: VRF: Client uses wrong password" 2504 2505 # client from different address 2506 log_start 2507 show_hint "Should timeout since server config differs from client" 2508 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} & 2509 sleep 1 2510 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2511 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 2512 2513 # 2514 # MD5 extension - prefix length 2515 # 2516 2517 # client in prefix 2518 log_start 2519 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2520 sleep 1 2521 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2522 log_test $? 0 "MD5: VRF: Prefix config" 2523 2524 # client in prefix, wrong password 2525 log_start 2526 show_hint "Should timeout since client uses wrong password" 2527 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2528 sleep 1 2529 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2530 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 2531 2532 # client outside of prefix 2533 log_start 2534 show_hint "Should timeout since client address is outside of prefix" 2535 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2536 sleep 1 2537 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW} 2538 log_test $? 
2 "MD5: VRF: Prefix config, client address not in configured prefix" 2539 2540 # 2541 # duplicate config between default VRF and a VRF 2542 # 2543 2544 log_start 2545 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2546 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2547 sleep 1 2548 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2549 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 2550 2551 log_start 2552 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2553 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2554 sleep 1 2555 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2556 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 2557 2558 log_start 2559 show_hint "Should timeout since client in default VRF uses VRF password" 2560 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2561 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2562 sleep 1 2563 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2564 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 2565 2566 log_start 2567 show_hint "Should timeout since client in VRF uses default VRF password" 2568 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2569 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2570 sleep 1 2571 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2572 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 2573 2574 log_start 2575 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2576 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2577 sleep 1 2578 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2579 log_test $? 
0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 2580 2581 log_start 2582 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2583 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2584 sleep 1 2585 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2586 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 2587 2588 log_start 2589 show_hint "Should timeout since client in default VRF uses VRF password" 2590 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2591 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2592 sleep 1 2593 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2594 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 2595 2596 log_start 2597 show_hint "Should timeout since client in VRF uses default VRF password" 2598 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2599 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2600 sleep 1 2601 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2602 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 2603 2604 # 2605 # negative tests 2606 # 2607 log_start 2608 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6} 2609 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 2610 2611 log_start 2612 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6} 2613 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 2614 2615} 2616 2617ipv6_tcp_novrf() 2618{ 2619 local a 2620 2621 # 2622 # server tests 2623 # 2624 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2625 do 2626 log_start 2627 run_cmd nettest -6 -s & 2628 sleep 1 2629 run_cmd_nsb nettest -6 -r ${a} 2630 log_test_addr ${a} $? 
0 "Global server" 2631 done 2632 2633 # verify TCP reset received 2634 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2635 do 2636 log_start 2637 show_hint "Should fail 'Connection refused'" 2638 run_cmd_nsb nettest -6 -r ${a} 2639 log_test_addr ${a} $? 1 "No server" 2640 done 2641 2642 # 2643 # client 2644 # 2645 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2646 do 2647 log_start 2648 run_cmd_nsb nettest -6 -s & 2649 sleep 1 2650 run_cmd nettest -6 -r ${a} 2651 log_test_addr ${a} $? 0 "Client" 2652 done 2653 2654 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2655 do 2656 log_start 2657 run_cmd_nsb nettest -6 -s & 2658 sleep 1 2659 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2660 log_test_addr ${a} $? 0 "Client, device bind" 2661 done 2662 2663 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2664 do 2665 log_start 2666 show_hint "Should fail 'Connection refused'" 2667 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2668 log_test_addr ${a} $? 1 "No server, device client" 2669 done 2670 2671 # 2672 # local address tests 2673 # 2674 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 2675 do 2676 log_start 2677 run_cmd nettest -6 -s & 2678 sleep 1 2679 run_cmd nettest -6 -r ${a} 2680 log_test_addr ${a} $? 0 "Global server, local connection" 2681 done 2682 2683 a=${NSA_IP6} 2684 log_start 2685 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2686 sleep 1 2687 run_cmd nettest -6 -r ${a} -0 ${a} 2688 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 2689 2690 for a in ${NSA_LO_IP6} ::1 2691 do 2692 log_start 2693 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2694 run_cmd nettest -6 -s -I ${NSA_DEV} & 2695 sleep 1 2696 run_cmd nettest -6 -r ${a} 2697 log_test_addr ${a} $? 
1 "Device server, unbound client, local connection" 2698 done 2699 2700 a=${NSA_IP6} 2701 log_start 2702 run_cmd nettest -6 -s & 2703 sleep 1 2704 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2705 log_test_addr ${a} $? 0 "Global server, device client, local connection" 2706 2707 for a in ${NSA_LO_IP6} ::1 2708 do 2709 log_start 2710 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2711 run_cmd nettest -6 -s & 2712 sleep 1 2713 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2714 log_test_addr ${a} $? 1 "Global server, device client, local connection" 2715 done 2716 2717 for a in ${NSA_IP6} ${NSA_LINKIP6} 2718 do 2719 log_start 2720 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2721 sleep 1 2722 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2723 log_test_addr ${a} $? 0 "Device server, device client, local conn" 2724 done 2725 2726 for a in ${NSA_IP6} ${NSA_LINKIP6} 2727 do 2728 log_start 2729 show_hint "Should fail 'Connection refused'" 2730 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2731 log_test_addr ${a} $? 1 "No server, device client, local conn" 2732 done 2733 2734 ipv6_tcp_md5_novrf 2735} 2736 2737ipv6_tcp_vrf() 2738{ 2739 local a 2740 2741 # disable global server 2742 log_subsection "Global server disabled" 2743 2744 set_sysctl net.ipv4.tcp_l3mdev_accept=0 2745 2746 # 2747 # server tests 2748 # 2749 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2750 do 2751 log_start 2752 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2753 run_cmd nettest -6 -s & 2754 sleep 1 2755 run_cmd_nsb nettest -6 -r ${a} 2756 log_test_addr ${a} $? 1 "Global server" 2757 done 2758 2759 for a in ${NSA_IP6} ${VRF_IP6} 2760 do 2761 log_start 2762 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2763 sleep 1 2764 run_cmd_nsb nettest -6 -r ${a} 2765 log_test_addr ${a} $? 
0 "VRF server" 2766 done 2767 2768 # link local is always bound to ingress device 2769 a=${NSA_LINKIP6}%${NSB_DEV} 2770 log_start 2771 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2772 sleep 1 2773 run_cmd_nsb nettest -6 -r ${a} 2774 log_test_addr ${a} $? 0 "VRF server" 2775 2776 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2777 do 2778 log_start 2779 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2780 sleep 1 2781 run_cmd_nsb nettest -6 -r ${a} 2782 log_test_addr ${a} $? 0 "Device server" 2783 done 2784 2785 # verify TCP reset received 2786 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2787 do 2788 log_start 2789 show_hint "Should fail 'Connection refused'" 2790 run_cmd_nsb nettest -6 -r ${a} 2791 log_test_addr ${a} $? 1 "No server" 2792 done 2793 2794 # local address tests 2795 a=${NSA_IP6} 2796 log_start 2797 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2798 run_cmd nettest -6 -s & 2799 sleep 1 2800 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2801 log_test_addr ${a} $? 1 "Global server, local connection" 2802 2803 # run MD5 tests 2804 setup_vrf_dup 2805 ipv6_tcp_md5 2806 cleanup_vrf_dup 2807 2808 # 2809 # enable VRF global server 2810 # 2811 log_subsection "VRF Global server enabled" 2812 set_sysctl net.ipv4.tcp_l3mdev_accept=1 2813 2814 for a in ${NSA_IP6} ${VRF_IP6} 2815 do 2816 log_start 2817 run_cmd nettest -6 -s -3 ${VRF} & 2818 sleep 1 2819 run_cmd_nsb nettest -6 -r ${a} 2820 log_test_addr ${a} $? 0 "Global server" 2821 done 2822 2823 for a in ${NSA_IP6} ${VRF_IP6} 2824 do 2825 log_start 2826 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2827 sleep 1 2828 run_cmd_nsb nettest -6 -r ${a} 2829 log_test_addr ${a} $? 0 "VRF server" 2830 done 2831 2832 # For LLA, child socket is bound to device 2833 a=${NSA_LINKIP6}%${NSB_DEV} 2834 log_start 2835 run_cmd nettest -6 -s -3 ${NSA_DEV} & 2836 sleep 1 2837 run_cmd_nsb nettest -6 -r ${a} 2838 log_test_addr ${a} $? 
0 "Global server" 2839 2840 log_start 2841 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2842 sleep 1 2843 run_cmd_nsb nettest -6 -r ${a} 2844 log_test_addr ${a} $? 0 "VRF server" 2845 2846 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2847 do 2848 log_start 2849 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2850 sleep 1 2851 run_cmd_nsb nettest -6 -r ${a} 2852 log_test_addr ${a} $? 0 "Device server" 2853 done 2854 2855 # verify TCP reset received 2856 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2857 do 2858 log_start 2859 show_hint "Should fail 'Connection refused'" 2860 run_cmd_nsb nettest -6 -r ${a} 2861 log_test_addr ${a} $? 1 "No server" 2862 done 2863 2864 # local address tests 2865 for a in ${NSA_IP6} ${VRF_IP6} 2866 do 2867 log_start 2868 show_hint "Fails 'Connection refused' since client is not in VRF" 2869 run_cmd nettest -6 -s -I ${VRF} & 2870 sleep 1 2871 run_cmd nettest -6 -r ${a} 2872 log_test_addr ${a} $? 1 "Global server, local connection" 2873 done 2874 2875 2876 # 2877 # client 2878 # 2879 for a in ${NSB_IP6} ${NSB_LO_IP6} 2880 do 2881 log_start 2882 run_cmd_nsb nettest -6 -s & 2883 sleep 1 2884 run_cmd nettest -6 -r ${a} -d ${VRF} 2885 log_test_addr ${a} $? 0 "Client, VRF bind" 2886 done 2887 2888 a=${NSB_LINKIP6} 2889 log_start 2890 show_hint "Fails since VRF device does not allow linklocal addresses" 2891 run_cmd_nsb nettest -6 -s & 2892 sleep 1 2893 run_cmd nettest -6 -r ${a} -d ${VRF} 2894 log_test_addr ${a} $? 1 "Client, VRF bind" 2895 2896 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 2897 do 2898 log_start 2899 run_cmd_nsb nettest -6 -s & 2900 sleep 1 2901 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2902 log_test_addr ${a} $? 0 "Client, device bind" 2903 done 2904 2905 for a in ${NSB_IP6} ${NSB_LO_IP6} 2906 do 2907 log_start 2908 show_hint "Should fail 'Connection refused'" 2909 run_cmd nettest -6 -r ${a} -d ${VRF} 2910 log_test_addr ${a} $? 
1 "No server, VRF client" 2911 done 2912 2913 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 2914 do 2915 log_start 2916 show_hint "Should fail 'Connection refused'" 2917 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2918 log_test_addr ${a} $? 1 "No server, device client" 2919 done 2920 2921 for a in ${NSA_IP6} ${VRF_IP6} ::1 2922 do 2923 log_start 2924 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2925 sleep 1 2926 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 2927 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 2928 done 2929 2930 a=${NSA_IP6} 2931 log_start 2932 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2933 sleep 1 2934 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2935 log_test_addr ${a} $? 0 "VRF server, device client, local connection" 2936 2937 a=${NSA_IP6} 2938 log_start 2939 show_hint "Should fail since unbound client is out of VRF scope" 2940 run_cmd nettest -6 -s -I ${VRF} & 2941 sleep 1 2942 run_cmd nettest -6 -r ${a} 2943 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection" 2944 2945 log_start 2946 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2947 sleep 1 2948 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 2949 log_test_addr ${a} $? 0 "Device server, VRF client, local connection" 2950 2951 for a in ${NSA_IP6} ${NSA_LINKIP6} 2952 do 2953 log_start 2954 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2955 sleep 1 2956 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2957 log_test_addr ${a} $? 
0 "Device server, device client, local connection" 2958 done 2959} 2960 2961ipv6_tcp() 2962{ 2963 log_section "IPv6/TCP" 2964 log_subsection "No VRF" 2965 setup 2966 2967 # tcp_l3mdev_accept should have no affect without VRF; 2968 # run tests with it enabled and disabled to verify 2969 log_subsection "tcp_l3mdev_accept disabled" 2970 set_sysctl net.ipv4.tcp_l3mdev_accept=0 2971 ipv6_tcp_novrf 2972 log_subsection "tcp_l3mdev_accept enabled" 2973 set_sysctl net.ipv4.tcp_l3mdev_accept=1 2974 ipv6_tcp_novrf 2975 2976 log_subsection "With VRF" 2977 setup "yes" 2978 ipv6_tcp_vrf 2979} 2980 2981################################################################################ 2982# IPv6 UDP 2983 2984ipv6_udp_novrf() 2985{ 2986 local a 2987 2988 # 2989 # server tests 2990 # 2991 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2992 do 2993 log_start 2994 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 2995 sleep 1 2996 run_cmd_nsb nettest -6 -D -r ${a} 2997 log_test_addr ${a} $? 0 "Global server" 2998 2999 log_start 3000 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3001 sleep 1 3002 run_cmd_nsb nettest -6 -D -r ${a} 3003 log_test_addr ${a} $? 0 "Device server" 3004 done 3005 3006 a=${NSA_LO_IP6} 3007 log_start 3008 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3009 sleep 1 3010 run_cmd_nsb nettest -6 -D -r ${a} 3011 log_test_addr ${a} $? 0 "Global server" 3012 3013 # should fail since loopback address is out of scope for a device 3014 # bound server, but it does not - hence this is more documenting 3015 # behavior. 3016 #log_start 3017 #show_hint "Should fail since loopback address is out of scope" 3018 #run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3019 #sleep 1 3020 #run_cmd_nsb nettest -6 -D -r ${a} 3021 #log_test_addr ${a} $? 
1 "Device server" 3022 3023 # negative test - should fail 3024 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 3025 do 3026 log_start 3027 show_hint "Should fail 'Connection refused' since there is no server" 3028 run_cmd_nsb nettest -6 -D -r ${a} 3029 log_test_addr ${a} $? 1 "No server" 3030 done 3031 3032 # 3033 # client 3034 # 3035 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 3036 do 3037 log_start 3038 run_cmd_nsb nettest -6 -D -s & 3039 sleep 1 3040 run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6} 3041 log_test_addr ${a} $? 0 "Client" 3042 3043 log_start 3044 run_cmd_nsb nettest -6 -D -s & 3045 sleep 1 3046 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6} 3047 log_test_addr ${a} $? 0 "Client, device bind" 3048 3049 log_start 3050 run_cmd_nsb nettest -6 -D -s & 3051 sleep 1 3052 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6} 3053 log_test_addr ${a} $? 0 "Client, device send via cmsg" 3054 3055 log_start 3056 run_cmd_nsb nettest -6 -D -s & 3057 sleep 1 3058 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6} 3059 log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF" 3060 3061 log_start 3062 show_hint "Should fail 'Connection refused'" 3063 run_cmd nettest -6 -D -r ${a} 3064 log_test_addr ${a} $? 1 "No server, unbound client" 3065 3066 log_start 3067 show_hint "Should fail 'Connection refused'" 3068 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3069 log_test_addr ${a} $? 1 "No server, device client" 3070 done 3071 3072 # 3073 # local address tests 3074 # 3075 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 3076 do 3077 log_start 3078 run_cmd nettest -6 -D -s & 3079 sleep 1 3080 run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a} 3081 log_test_addr ${a} $? 0 "Global server, local connection" 3082 done 3083 3084 a=${NSA_IP6} 3085 log_start 3086 run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 3087 sleep 1 3088 run_cmd nettest -6 -D -r ${a} 3089 log_test_addr ${a} $? 
0 "Device server, unbound client, local connection" 3090 3091 for a in ${NSA_LO_IP6} ::1 3092 do 3093 log_start 3094 show_hint "Should fail 'Connection refused' since address is out of device scope" 3095 run_cmd nettest -6 -s -D -I ${NSA_DEV} & 3096 sleep 1 3097 run_cmd nettest -6 -D -r ${a} 3098 log_test_addr ${a} $? 1 "Device server, local connection" 3099 done 3100 3101 a=${NSA_IP6} 3102 log_start 3103 run_cmd nettest -6 -s -D & 3104 sleep 1 3105 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3106 log_test_addr ${a} $? 0 "Global server, device client, local connection" 3107 3108 log_start 3109 run_cmd nettest -6 -s -D & 3110 sleep 1 3111 run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a} 3112 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 3113 3114 log_start 3115 run_cmd nettest -6 -s -D & 3116 sleep 1 3117 run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a} 3118 log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection" 3119 3120 for a in ${NSA_LO_IP6} ::1 3121 do 3122 log_start 3123 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3124 run_cmd nettest -6 -D -s & 3125 sleep 1 3126 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3127 log_test_addr ${a} $? 1 "Global server, device client, local connection" 3128 3129 log_start 3130 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3131 run_cmd nettest -6 -D -s & 3132 sleep 1 3133 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C 3134 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 3135 3136 log_start 3137 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3138 run_cmd nettest -6 -D -s & 3139 sleep 1 3140 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S 3141 log_test_addr ${a} $? 
1 "Global server, device client via IP_UNICAST_IF, local connection" 3142 done 3143 3144 a=${NSA_IP6} 3145 log_start 3146 run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3147 sleep 1 3148 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a} 3149 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3150 3151 log_start 3152 show_hint "Should fail 'Connection refused'" 3153 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3154 log_test_addr ${a} $? 1 "No server, device client, local conn" 3155 3156 # LLA to GUA 3157 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3158 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3159 log_start 3160 run_cmd nettest -6 -s -D & 3161 sleep 1 3162 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3163 log_test $? 0 "UDP in - LLA to GUA" 3164 3165 run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV} 3166 run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad 3167} 3168 3169ipv6_udp_vrf() 3170{ 3171 local a 3172 3173 # disable global server 3174 log_subsection "Global server disabled" 3175 set_sysctl net.ipv4.udp_l3mdev_accept=0 3176 3177 # 3178 # server tests 3179 # 3180 for a in ${NSA_IP6} ${VRF_IP6} 3181 do 3182 log_start 3183 show_hint "Should fail 'Connection refused' since global server is disabled" 3184 run_cmd nettest -6 -D -s & 3185 sleep 1 3186 run_cmd_nsb nettest -6 -D -r ${a} 3187 log_test_addr ${a} $? 1 "Global server" 3188 done 3189 3190 for a in ${NSA_IP6} ${VRF_IP6} 3191 do 3192 log_start 3193 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3194 sleep 1 3195 run_cmd_nsb nettest -6 -D -r ${a} 3196 log_test_addr ${a} $? 0 "VRF server" 3197 done 3198 3199 for a in ${NSA_IP6} ${VRF_IP6} 3200 do 3201 log_start 3202 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3203 sleep 1 3204 run_cmd_nsb nettest -6 -D -r ${a} 3205 log_test_addr ${a} $? 
0 "Enslaved device server" 3206 done 3207 3208 # negative test - should fail 3209 for a in ${NSA_IP6} ${VRF_IP6} 3210 do 3211 log_start 3212 show_hint "Should fail 'Connection refused' since there is no server" 3213 run_cmd_nsb nettest -6 -D -r ${a} 3214 log_test_addr ${a} $? 1 "No server" 3215 done 3216 3217 # 3218 # local address tests 3219 # 3220 for a in ${NSA_IP6} ${VRF_IP6} 3221 do 3222 log_start 3223 show_hint "Should fail 'Connection refused' since global server is disabled" 3224 run_cmd nettest -6 -D -s & 3225 sleep 1 3226 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3227 log_test_addr ${a} $? 1 "Global server, VRF client, local conn" 3228 done 3229 3230 for a in ${NSA_IP6} ${VRF_IP6} 3231 do 3232 log_start 3233 run_cmd nettest -6 -D -I ${VRF} -s & 3234 sleep 1 3235 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3236 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3237 done 3238 3239 a=${NSA_IP6} 3240 log_start 3241 show_hint "Should fail 'Connection refused' since global server is disabled" 3242 run_cmd nettest -6 -D -s & 3243 sleep 1 3244 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3245 log_test_addr ${a} $? 1 "Global server, device client, local conn" 3246 3247 log_start 3248 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3249 sleep 1 3250 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3251 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 3252 3253 log_start 3254 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3255 sleep 1 3256 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3257 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 3258 3259 log_start 3260 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3261 sleep 1 3262 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3263 log_test_addr ${a} $? 
0 "Enslaved device server, device client, local conn" 3264 3265 # disable global server 3266 log_subsection "Global server enabled" 3267 set_sysctl net.ipv4.udp_l3mdev_accept=1 3268 3269 # 3270 # server tests 3271 # 3272 for a in ${NSA_IP6} ${VRF_IP6} 3273 do 3274 log_start 3275 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3276 sleep 1 3277 run_cmd_nsb nettest -6 -D -r ${a} 3278 log_test_addr ${a} $? 0 "Global server" 3279 done 3280 3281 for a in ${NSA_IP6} ${VRF_IP6} 3282 do 3283 log_start 3284 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3285 sleep 1 3286 run_cmd_nsb nettest -6 -D -r ${a} 3287 log_test_addr ${a} $? 0 "VRF server" 3288 done 3289 3290 for a in ${NSA_IP6} ${VRF_IP6} 3291 do 3292 log_start 3293 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3294 sleep 1 3295 run_cmd_nsb nettest -6 -D -r ${a} 3296 log_test_addr ${a} $? 0 "Enslaved device server" 3297 done 3298 3299 # negative test - should fail 3300 for a in ${NSA_IP6} ${VRF_IP6} 3301 do 3302 log_start 3303 run_cmd_nsb nettest -6 -D -r ${a} 3304 log_test_addr ${a} $? 1 "No server" 3305 done 3306 3307 # 3308 # client tests 3309 # 3310 log_start 3311 run_cmd_nsb nettest -6 -D -s & 3312 sleep 1 3313 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3314 log_test $? 0 "VRF client" 3315 3316 # negative test - should fail 3317 log_start 3318 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3319 log_test $? 1 "No server, VRF client" 3320 3321 log_start 3322 run_cmd_nsb nettest -6 -D -s & 3323 sleep 1 3324 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3325 log_test $? 0 "Enslaved device client" 3326 3327 # negative test - should fail 3328 log_start 3329 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3330 log_test $? 1 "No server, enslaved device client" 3331 3332 # 3333 # local address tests 3334 # 3335 a=${NSA_IP6} 3336 log_start 3337 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3338 sleep 1 3339 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3340 log_test_addr ${a} $? 
0 "Global server, VRF client, local conn" 3341 3342 #log_start 3343 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3344 sleep 1 3345 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3346 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3347 3348 3349 a=${VRF_IP6} 3350 log_start 3351 run_cmd nettest -6 -D -s -3 ${VRF} & 3352 sleep 1 3353 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3354 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 3355 3356 log_start 3357 run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} & 3358 sleep 1 3359 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3360 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3361 3362 # negative test - should fail 3363 for a in ${NSA_IP6} ${VRF_IP6} 3364 do 3365 log_start 3366 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3367 log_test_addr ${a} $? 1 "No server, VRF client, local conn" 3368 done 3369 3370 # device to global IP 3371 a=${NSA_IP6} 3372 log_start 3373 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3374 sleep 1 3375 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3376 log_test_addr ${a} $? 0 "Global server, device client, local conn" 3377 3378 log_start 3379 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3380 sleep 1 3381 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3382 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 3383 3384 log_start 3385 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3386 sleep 1 3387 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3388 log_test_addr ${a} $? 0 "Device server, VRF client, local conn" 3389 3390 log_start 3391 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3392 sleep 1 3393 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3394 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3395 3396 log_start 3397 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3398 log_test_addr ${a} $? 
1 "No server, device client, local conn" 3399 3400 3401 # link local addresses 3402 log_start 3403 run_cmd nettest -6 -D -s & 3404 sleep 1 3405 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3406 log_test $? 0 "Global server, linklocal IP" 3407 3408 log_start 3409 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3410 log_test $? 1 "No server, linklocal IP" 3411 3412 3413 log_start 3414 run_cmd_nsb nettest -6 -D -s & 3415 sleep 1 3416 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3417 log_test $? 0 "Enslaved device client, linklocal IP" 3418 3419 log_start 3420 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3421 log_test $? 1 "No server, device client, peer linklocal IP" 3422 3423 3424 log_start 3425 run_cmd nettest -6 -D -s & 3426 sleep 1 3427 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3428 log_test $? 0 "Enslaved device client, local conn - linklocal IP" 3429 3430 log_start 3431 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3432 log_test $? 1 "No server, device client, local conn - linklocal IP" 3433 3434 # LLA to GUA 3435 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3436 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3437 log_start 3438 run_cmd nettest -6 -s -D & 3439 sleep 1 3440 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3441 log_test $? 
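0 "UDP in - LLA to GUA"

	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}

# Run the IPv6 UDP test sets: the no-VRF set twice (udp_l3mdev_accept
# disabled, then enabled) and the VRF set once.
ipv6_udp()
{
	# should not matter, but set to known state
	set_sysctl net.ipv4.udp_early_demux=1

	log_section "IPv6/UDP"
	log_subsection "No VRF"
	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv6_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv6_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_udp_vrf
}

################################################################################
# IPv6 address bind

# Bind tests without a VRF: raw and TCP sockets bound to local addresses,
# with and without a prior device bind, plus a raw nonlocal bind.
# Every case here expects nettest to succeed (expected rc 0).
ipv6_addr_bind_novrf()
{
	#
	# raw socket
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# raw socket with nonlocal bind
	#
	# NOTE(review): this case passes -P icmp while the other IPv6 raw
	# socket cases pass ipv6-icmp; confirm that is intended.
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

	#
	# tcp sockets
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. So this test passes
	# when it really should not.
	# The expected rc of 0 below records that current behaviour: a
	# device bind alone does not limit which local address can be bound.
	a=${NSA_LO_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
}

# Bind tests with the VRF configured: addresses on the enslaved device and
# on the VRF device are expected to bind (rc 0); the address on loopback is
# expected to be rejected (rc 1) once the socket is bound to the VRF or to a
# device in it.
ipv6_addr_bind_vrf()
{
	#
	# raw socket
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"

	#
	# raw socket with nonlocal bind
	#
	# NOTE(review): this case passes -P icmp while the other IPv6 raw
	# socket cases pass ipv6-icmp; confirm that is intended.
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	#
	# tcp sockets
	#
	# address on enslaved device is valid for the VRF or device in a VRF
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not
	a=${VRF_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind"

	# The loopback address is outside the VRF's L3 domain, so both binds
	# below are expected to fail (rc 1).
	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"

}

# Run the IPv6 bind tests, first without and then with the VRF configured.
ipv6_addr_bind()
{
	log_section "IPv6 address binds"

	log_subsection "No VRF"
	setup
	ipv6_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_addr_bind_vrf
}

################################################################################
# IPv6 runtime tests

# Delete the VRF device while nettest sockets are active.
# Arguments: $1 - description used as the prefix of each test name
#            $2 - extra nettest arguments, appended after -6
# Each case starts server and client in the background, deletes ${VRF},
# and logs rc 0 against expected 0, so the result line is always a pass;
# presumably the point is that the delete completes with traffic in flight.
# The configuration is rebuilt with setup after every delete.
ipv6_rt()
{
	local desc="$1"
	local varg="-6 $2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${NSA_DEV} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, enslaved device server"

		setup ${with_vrf}
	done

	#
	# client test
	#
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, enslaved device client"

	setup ${with_vrf}


	#
	# local address tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server, VRF client"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server and client"

		setup ${with_vrf}
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, global server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${VRF} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, device server, device client"
}

# Delete the VRF device while a flood ping is running, once with the ping
# coming in from ns-B and once going out through the VRF.
# As in ipv6_rt, the logged result is always rc 0 against expected 0.
ipv6_ping_rt()
{
	local with_vrf="yes"
	local a

	a=${NSA_IP6}
	log_start
	run_cmd_nsb ${ping6} -f ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

	setup ${with_vrf}

	# NOTE(review): the result line below is still labelled with ${a}
	# (NSA_IP6) although this ping targets NSB_IP6.
	log_start
	run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
	sleep 1
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

# Run the IPv6 runtime (device delete under traffic) tests for ping, TCP
# active, TCP passive and UDP sockets; the VRF setup is rebuilt before each.
ipv6_runtime()
{
	log_section "Run time tests - ipv6"

	setup "yes"
	ipv6_ping_rt

	setup "yes"
	ipv6_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv6_rt "TCP passive socket" "-i"

	setup "yes"
	ipv6_rt "UDP active socket" "-D -n -1"
}

################################################################################
# netfilter blocking connections

# IPv4 TCP client from ns-B against a server started with run_cmd; the
# connection is expected to fail (rc 1) because the caller has installed a
# REJECT --reject-with tcp-reset rule.
netfilter_tcp_reset()
{
	local a

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

# IPv4 client from ns-B, expected to fail (rc 1) because the caller has
# installed REJECT --reject-with icmp-port-unreachable rules.
# Arguments: $1 - "TCP" or "UDP"; "UDP" adds -D to the nettest arguments
netfilter_icmp()
{
	local stype="$1"
	local arg
	local a

	[ "${stype}" = "UDP" ] && arg="-D"

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${arg} -s &
		sleep 1
		run_cmd_nsb nettest ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}

# IPv4 netfilter tests: install REJECT rules for port 12345 through run_cmd
# and verify that connections are refused.
ipv4_netfilter()
{
	log_section "IPv4 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp_reset

	log_start
	log_subsection "ICMP unreachable"

	log_start
	run_cmd iptables -F
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
	run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable

	netfilter_icmp "TCP"
	netfilter_icmp "UDP"

	log_start
	# Flush through run_cmd, like every other iptables call in this
	# function: the rules were added with run_cmd, and a bare
	# "iptables -F" acts on the namespace the script itself runs in,
	# flushing that filter table instead of the test's.
	run_cmd iptables -F
}

# IPv6 counterpart of netfilter_tcp_reset: the client in ns-B is expected
# to fail (rc 1) against the tcp-reset REJECT rule installed by the caller.
netfilter_tcp6_reset()
{
	local a

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

# IPv6 counterpart of netfilter_icmp.
# Arguments: $1 - "TCP" or "UDP"; "UDP" adds -D to the nettest arguments
netfilter_icmp6()
{
	local stype="$1"
	local arg
	local a

	[ "${stype}" = "UDP" ] && arg="$arg -D"

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s ${arg} &
		sleep 1
		run_cmd_nsb nettest -6 ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}

# IPv6 netfilter tests: install REJECT rules for port 12345 through run_cmd
# and verify that connections are refused.
ipv6_netfilter()
{
	log_section "IPv6 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp6_reset

	log_subsection "ICMP unreachable"

	log_start
	run_cmd ip6tables -F
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
	run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable

	netfilter_icmp6 "TCP"
	netfilter_icmp6 "UDP"

	log_start
	# Flush through run_cmd, like every other ip6tables call in this
	# function: a bare "ip6tables -F" acts on the namespace the script
	# itself runs in, flushing that filter table instead of the test's.
	run_cmd ip6tables -F
}

################################################################################
# specific use cases

# VRF only.
# ns-A device enslaved to bridge. Verify traffic with and without
# br_netfilter module loaded. Repeat with SVI on bridge.
#
# rmmod/modprobe below are run directly rather than through run_cmd or
# setup_cmd. Kernel modules are not per-namespace, so this changes
# br_netfilter for the whole machine: it is unloaded if it was loaded
# before the test, and it is left loaded when the function returns.
use_case_br()
{
	setup "yes"

	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
	setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64

	setup_cmd ip link add br0 type bridge
	setup_cmd ip addr add dev br0 ${NSA_IP}/24
	setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad

	setup_cmd ip li set ${NSA_DEV} master br0
	setup_cmd ip li set ${NSA_DEV} up
	setup_cmd ip li set br0 up
	setup_cmd ip li set br0 vrf ${VRF}

	rmmod br_netfilter 2>/dev/null
	sleep 5 # DAD

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 ${NSA_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping in"

	# repeat with br_netfilter loaded; skipped when the module cannot
	# be loaded
	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out"

		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 ${NSA_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in"
	fi

	# SVI: move the VRF membership from br0 to a vlan device on top of it
	setup_cmd ip li set br0 nomaster
	setup_cmd ip li add br0.100 link br0 type vlan id 100
	setup_cmd ip li set br0.100 vrf ${VRF} up
	setup_cmd ip addr add dev br0.100 172.16.101.1/24
	setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad

	setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
	setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
	setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
	setup_cmd_nsb ip li set vlan100 up
	sleep 1

	rmmod br_netfilter 2>/dev/null

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 172.16.101.1
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"

	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out"

		# The two "ping in" results carry the "with br_netfilter" tag
		# so they are not confused with the identically named results
		# of the run without the module above.
		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 172.16.101.1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping in"
	fi

	setup_cmd ip li del br0 2>/dev/null
	setup_cmd_nsb ip li del vlan100 2>/dev/null
}

# VRF only.
# ns-A device is connected to both ns-B and ns-C on a single VRF but only has
# LLA on the interfaces
#
# Pings the multicast address from ns-B and ns-C before and after each of
# the two ns-A interfaces is set down and up again.
use_case_ping_lla_multi()
{
	setup_lla_only
	# only want reply from ns-A
	setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
	setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B"

	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C"

	# cycle/flap the first ns-A interface
	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip link set ${NSA_DEV} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C"

	# cycle/flap the second ns-A interface
	setup_cmd ip link set ${NSA_DEV2} down
	setup_cmd ip link set ${NSA_DEV2} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C"
}

# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully
# established with ns-B.
#
# The SNAT rules are added and removed with the same rule specification,
# both through run_cmd, so nothing is left behind in the nat table.
use_case_snat_on_vrf()
{
	setup "yes"

	local port="12345"

	run_cmd iptables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}

	run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} &
	sleep 1
	run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port}
	log_test $? 0 "IPv4 TCP connection over VRF with SNAT"

	run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} &
	sleep 1
	run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port}
	log_test $? 0 "IPv6 TCP connection over VRF with SNAT"

	# Cleanup
	run_cmd iptables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
}

# Run the three use-case tests in order.
use_cases()
{
	log_section "Use cases"
	log_subsection "Device enslaved to bridge"
	use_case_br
	log_subsection "Ping LLA with multiple interfaces"
	use_case_ping_lla_multi
	log_subsection "SNAT on VRF"
	use_case_snat_on_vrf
}

################################################################################
# usage

# Print the option summary and the list of test names to stdout.
usage()
{
	cat <<EOF
usage: ${0##*/} OPTS

	-4          IPv4 tests only
	-6          IPv6 tests only
	-t <test>   Test name/set to run
	-p          Pause on fail
	-P          Pause after each test
	-v          Be verbose

Tests:
	$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER
EOF
}

################################################################################
# main

TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter"
TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter"
TESTS_OTHER="use_cases"

PAUSE_ON_FAIL=no
PAUSE=no

while getopts :46t:pPvh o
do
	case $o in
		4) TESTS=ipv4;;
		6) TESTS=ipv6;;
		t) TESTS=$OPTARG;;
		p) PAUSE_ON_FAIL=yes;;
		P) PAUSE=yes;;
		v) VERBOSE=1;;
		h) usage; exit 0;;
		*) usage; exit 1;;
	esac
done

# make sure we don't pause twice
[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no

#
# expand the default / -4 / -6 selection into the list of test names
#
if [ -z "$TESTS" ]; then
	TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
elif [ "$TESTS" = "ipv4" ]; then
	TESTS="$TESTS_IPV4"
elif [ "$TESTS" = "ipv6" ]; then
	TESTS="$TESTS_IPV6"
fi

if ! which nettest >/dev/null; then
	echo "'nettest' command not found; skipping tests"
	exit $ksft_skip
fi

declare -i nfail=0
declare -i nsuccess=0

# $TESTS is deliberately unquoted: it is a space-separated list of names
for t in $TESTS
do
	case $t in
	ipv4_ping|ping)  ipv4_ping;;
	ipv4_tcp|tcp)    ipv4_tcp;;
	ipv4_udp|udp)    ipv4_udp;;
	ipv4_bind|bind)  ipv4_addr_bind;;
	ipv4_runtime)    ipv4_runtime;;
	ipv4_netfilter)  ipv4_netfilter;;

	ipv6_ping|ping6) ipv6_ping;;
	ipv6_tcp|tcp6)   ipv6_tcp;;
	ipv6_udp|udp6)   ipv6_udp;;
	ipv6_bind|bind6) ipv6_addr_bind;;
	ipv6_runtime)    ipv6_runtime;;
	ipv6_netfilter)  ipv6_netfilter;;

	use_cases)       use_cases;;

	# setup namespaces and config, but do not run any tests
	setup)		 setup; exit 0;;
	vrf_setup)	 setup "yes"; exit 0;;

	# a mistyped -t name would otherwise be dropped without a trace
	# and the run reported as skipped
	*)		 echo "unknown test '$t' - ignored" >&2;;
	esac
done

cleanup 2>/dev/null

printf "\nTests passed: %3d\n" ${nsuccess}
printf "Tests failed: %3d\n" ${nfail}

if [ $nfail -ne 0 ]; then
	exit 1 # KSFT_FAIL
elif [ $nsuccess -eq 0 ]; then
	exit $ksft_skip
fi

exit 0 # KSFT_PASS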