#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
#
# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
# for various permutations:
#   1. icmp, tcp, udp and netfilter
#   2. client, server, no-server
#   3. global address on interface
#   4. global address on 'lo'
#   5. remote and local traffic
#   6. VRF and non-VRF permutations
#
# Setup:
#                     ns-A     |     ns-B
# No VRF case:
#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
#                                                remote address
# VRF case:
#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
#
# ns-A:
#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
#       lo: 127.0.0.1/8, ::1/128
#           172.16.2.1/32, 2001:db8:2::1/128
#      red: 127.0.0.1/8, ::1/128
#           172.16.3.1/32, 2001:db8:3::1/128
#
# ns-B:
#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
#      lo2: 127.0.0.1/8, ::1/128
#           172.16.2.2/32, 2001:db8:2::2/128
#
# ns-A to ns-C connection - only for VRF and same config
# as ns-A to ns-B
#
# server / client nomenclature relative to ns-A

# Kselftest framework requirement - SKIP code is 4.
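ksft_skip=4

VERBOSE=0

NSA_DEV=eth1
NSA_DEV2=eth2
NSB_DEV=eth1
NSC_DEV=eth2
VRF=red
VRF_TABLE=1101

# IPv4 config
NSA_IP=172.16.1.1
NSB_IP=172.16.1.2
VRF_IP=172.16.3.1
NS_NET=172.16.1.0/24

# IPv6 config
NSA_IP6=2001:db8:1::1
NSB_IP6=2001:db8:1::2
VRF_IP6=2001:db8:3::1
NS_NET6=2001:db8:1::/120

NSA_LO_IP=172.16.2.1
NSB_LO_IP=172.16.2.2
NSA_LO_IP6=2001:db8:2::1
NSB_LO_IP6=2001:db8:2::2

# Throwaway keys for the TCP MD5 test cases. They are passed to nettest as
# command-line arguments, so they are visible in process listings and in the
# VERBOSE "COMMAND:" output; never substitute a real key here.
MD5_PW=abc123
MD5_WRONG_PW=abc1234

MCAST=ff02::1
# set after namespace create
NSA_LINKIP6=
NSB_LINKIP6=

NSA=ns-A
NSB=ns-B
NSC=ns-C

NSA_CMD="ip netns exec ${NSA}"
NSB_CMD="ip netns exec ${NSB}"
NSC_CMD="ip netns exec ${NSC}"

# Prefer a dedicated ping6 binary and fall back to ping when there is none.
# 'command -v' replaces the non-standard 'which', and the explicit if/else
# avoids the 'a && b || c' form where c also runs when b fails.
if command -v ping6 > /dev/null 2>&1; then
	ping6=$(command -v ping6)
else
	ping6=$(command -v ping)
fi

################################################################################
# utilities

# Record the outcome of one test case.
#   $1 - actual exit status
#   $2 - expected exit status
#   $3 - description printed in the result line
# Increments the global nsuccess or nfail counter, pauses when PAUSE_ON_FAIL
# or PAUSE is "yes", then stops any running test processes.
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"
	# The interactive answer must stay local: the test functions keep the
	# address under test in a variable named 'a', and with bash's dynamic
	# scoping a plain 'read a' here overwrote it after every pause.
	local answer

	[ "${VERBOSE}" = "1" ] && echo

	if [ "${rc}" -eq "${expected}" ]; then
		nsuccess=$((nsuccess+1))
		printf "TEST: %-70s  [ OK ]\n" "${msg}"
	else
		nfail=$((nfail+1))
		printf "TEST: %-70s  [FAIL]\n" "${msg}"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue, 'q' to quit"
			read -r answer
			[ "$answer" = "q" ] && exit 1
		fi
	fi

	if [ "${PAUSE}" = "yes" ]; then
		echo
		echo "hit enter to continue, 'q' to quit"
		read -r answer
		[ "$answer" = "q" ] && exit 1
	fi

	kill_procs
}

# Same as log_test, with a readable name for the address appended to the
# description.
#   $1 - address under test
#   $2 - actual exit status
#   $3 - expected exit status
#   $4 - description
log_test_addr()
{
	local addr=$1
	local rc=$2
	local expected=$3
	local msg="$4"
	local astr

	astr=$(addr2str "${addr}")
	log_test "$rc" "$expected" "$msg - ${astr}"
}

# Print a banner for a top-level group of tests.
log_section()
{
	echo
	echo "###########################################################################"
	echo "$*"
	echo "###########################################################################"
	echo
}

# Print a smaller banner for a group of tests inside a section.
log_subsection()
{
	echo
	echo "#################################################################"
	echo "$*"
	echo
}

# Called before each test case.
log_start()
{
	# make sure we have no test instances running
	kill_procs

	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "#######################################################"
	fi
}

# Print a message only in verbose mode.
log_debug()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "$*"
		echo
	fi
}

# Print the expected failure reason for a negative test, verbose mode only.
show_hint()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo "HINT: $*"
		echo
	fi
}

# Stop leftover test processes.
# NOTE(review): killall matches by process name in the caller's PID namespace.
# Network namespaces do not isolate PIDs, so running this as root on a shared
# host also terminates unrelated nettest/ping/ping6 processes. Run the suite on
# a dedicated machine or VM.
kill_procs()
{
	killall nettest ping ping6 >/dev/null 2>&1
	sleep 1
}

# Run a command, capturing stdout and stderr; echo both the command and its
# output when VERBOSE=1. Returns the command's exit status.
# The command line is deliberately re-split on whitespace, so an argument that
# contains spaces or glob characters cannot be passed through this helper.
# NOTE(review): rc is not declared local and so remains visible to callers;
# left unchanged because code outside this view may read it.
do_run_cmd()
{
	local cmd="$*"
	local out

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${cmd}"
	fi

	out=$($cmd 2>&1)
	rc=$?
	# '&&' between two tests replaces the obsolescent and ambiguous '-a'
	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		echo "$out"
	fi

	return $rc
}

# Run a command inside ns-A.
run_cmd()
{
	do_run_cmd ${NSA_CMD} $*
}

# Run a command inside ns-B.
run_cmd_nsb()
{
	do_run_cmd ${NSB_CMD} $*
}

# Run a command inside ns-C.
run_cmd_nsc()
{
	do_run_cmd ${NSC_CMD} $*
}

# Shared body of setup_cmd, setup_cmd_nsb and setup_cmd_nsc.
#   $1   - runner function (run_cmd, run_cmd_nsb or run_cmd_nsc)
#   $2.. - command to run
# A failing setup command stops the whole script with that command's status.
__setup_cmd()
{
	local runner=$1
	shift
	local cmd="$*"
	local rc
	local answer

	${runner} ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		# show user the command if not done so already
		if [ "$VERBOSE" = "0" ]; then
			echo "setup command: $cmd"
		fi
		echo "failed. stopping tests"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue"
			read -r answer
		fi
		exit $rc
	fi
}

# Run a setup command in ns-A; exit the script if it fails.
setup_cmd()
{
	__setup_cmd run_cmd "$@"
}

# Run a setup command in ns-B; exit the script if it fails.
setup_cmd_nsb()
{
	__setup_cmd run_cmd_nsb "$@"
}

# Run a setup command in ns-C; exit the script if it fails.
setup_cmd_nsc()
{
	__setup_cmd run_cmd_nsc "$@"
}

# set sysctl values in NS-A
set_sysctl()
{
	echo "SYSCTL: $*"
	echo
	run_cmd sysctl -q -w $*
}

################################################################################
# Setup for tests

# Map an address used by the tests to a human-readable label.
# Link-local and multicast addresses may carry a '%dev' scope suffix.
addr2str()
{
	case "$1" in
	127.0.0.1) echo "loopback";;
	::1) echo "IPv6 loopback";;

	${NSA_IP})	echo "ns-A IP";;
	${NSA_IP6})	echo "ns-A IPv6";;
	${NSA_LO_IP})	echo "ns-A loopback IP";;
	${NSA_LO_IP6})	echo "ns-A loopback IPv6";;
	${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;

	${NSB_IP})	echo "ns-B IP";;
	${NSB_IP6})	echo "ns-B IPv6";;
	${NSB_LO_IP})	echo "ns-B loopback IP";;
	${NSB_LO_IP6})	echo "ns-B loopback IPv6";;
	${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;

	${VRF_IP})	echo "VRF IP";;
	${VRF_IP6})	echo "VRF IPv6";;

	${MCAST}%*)	echo "multicast IP";;

	*) echo "unknown";;
	esac
}

# Print the IPv6 link-local address (without prefix length) of a device.
#   $1 - namespace
#   $2 - device
# Returns 1 and prints nothing when the device has no fe80 address.
get_linklocal()
{
	local ns=$1
	local dev=$2
	local addr

	addr=$(ip -netns "${ns}" -6 -br addr show dev "${dev}" | \
	awk '{
		for (i = 3; i <= NF; ++i) {
			if ($i ~ /^fe80/)
				print $i
		}
	}'
	)
	# drop everything from the first '/' on (the prefix length)
	addr=${addr/\/*}

	if [ -z "$addr" ]; then
		return 1
	fi

	echo "$addr"

	return 0
}

################################################################################
# create namespaces and vrf

# Create a VRF device in a namespace.
#   $1 - namespace
#   $2 - VRF device name
#   $3 - routing table id
#   $4 - IPv4 address for the VRF device, or "-" for none
#   $5 - IPv6 address for the VRF device, or "-" for none
create_vrf()
{
	local ns=$1
	local vrf=$2
	local table=$3
	local addr=$4
	local addr6=$5

	ip -netns "${ns}" link add "${vrf}" type vrf table "${table}"
	ip -netns "${ns}" link set "${vrf}" up
	# lookups that match nothing else in the VRF table fail as unreachable
	ip -netns "${ns}" route add vrf "${vrf}" unreachable default metric 8192
	ip -netns "${ns}" -6 route add vrf "${vrf}" unreachable default metric 8192

	ip -netns "${ns}" addr add 127.0.0.1/8 dev "${vrf}"
	ip -netns "${ns}" -6 addr add ::1 dev "${vrf}" nodad
	if [ "${addr}" != "-" ]; then
		ip -netns "${ns}" addr add dev "${vrf}" "${addr}"
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns "${ns}" -6 addr add dev "${vrf}" "${addr6}"
	fi

	# Move the 'lookup local' rule from pref 0 to pref 32765, presumably so
	# that the VRF (l3mdev) rule is evaluated before the local table.
	ip -netns "${ns}" ru del pref 0
	ip -netns "${ns}" ru add pref 32765 from all lookup local
	ip -netns "${ns}" -6 ru del pref 0
	ip -netns "${ns}" -6 ru add pref 32765 from all lookup local
}

# Create a namespace with loopback up, unreachable default routes and
# forwarding enabled.
#   $1 - namespace
#   $2 - IPv4 address to add to 'lo', or "-" for none
#   $3 - IPv6 address to add to 'lo', or "-" for none
create_ns()
{
	local ns=$1
	local addr=$2
	local addr6=$3

	ip netns add "${ns}"

	ip -netns "${ns}" link set lo up
	if [ "${addr}" != "-" ]; then
		ip -netns "${ns}" addr add dev lo "${addr}"
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns "${ns}" -6 addr add dev lo "${addr6}"
	fi

	ip -netns "${ns}" ro add unreachable default metric 8192
	ip -netns "${ns}" -6 ro add unreachable default metric 8192

	ip netns exec "${ns}" sysctl -qw net.ipv4.ip_forward=1
	ip netns exec "${ns}" sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
	ip netns exec "${ns}" sysctl -qw net.ipv6.conf.all.forwarding=1
	ip netns exec "${ns}" sysctl -qw net.ipv6.conf.default.forwarding=1
}

# create veth pair to connect namespaces and apply addresses.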
#   $1 - first namespace            $5 - second namespace
#   $2 - device name in $1          $6 - device name in $5
#   $3 - IPv4 address for $2        $7 - IPv4 address for $6
#   $4 - IPv6 address for $2        $8 - IPv6 address for $6
# Passing "-" as $3 (or $4) skips the IPv4 (or IPv6) addresses on both ends.
connect_ns()
{
	local ns1=$1
	local ns1_dev=$2
	local ns1_addr=$3
	local ns1_addr6=$4
	local ns2=$5
	local ns2_dev=$6
	local ns2_addr=$7
	local ns2_addr6=$8

	# the peer is created as 'tmp' in ns1, then moved to ns2 and renamed
	ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp
	ip -netns ${ns1} li set ${ns1_dev} up
	ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev}
	ip -netns ${ns2} li set ${ns2_dev} up

	if [ "${ns1_addr}" != "-" ]; then
		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr}
		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr}
	fi

	if [ "${ns1_addr6}" != "-" ]; then
		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6}
		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6}
	fi
}

# Tear down the VRF, the ns-A device and all three namespaces.
cleanup()
{
	# explicit cleanups to check those code paths
	# NOTE(review): grep -q does a substring match, so any namespace whose
	# name contains "ns-A" also takes this branch.
	ip netns | grep -q ${NSA}
	if [ $? -eq 0 ]; then
		ip -netns ${NSA} link delete ${VRF}
		ip -netns ${NSA} ro flush table ${VRF_TABLE}

		ip -netns ${NSA} addr flush dev ${NSA_DEV}
		ip -netns ${NSA} -6 addr flush dev ${NSA_DEV}
		ip -netns ${NSA} link set dev ${NSA_DEV} down
		ip -netns ${NSA} link del dev ${NSA_DEV}

		ip netns del ${NSA}
	fi

	ip netns del ${NSB}
	# ns-C only exists for some setups, so a failed delete is silenced
	ip netns del ${NSC} >/dev/null 2>&1
}

# Build the ns-A / ns-B topology from the file header.
#   $1 - "yes" to put ns-A's device into the VRF (this also creates ns-C);
#        anything else gives the non-VRF layout
setup()
{
	local with_vrf=${1}

	# make sure we are starting with a clean slate
	kill_procs
	cleanup 2>/dev/null

	log_debug "Configuring network namespaces"
	# any failing configuration command aborts the script from here on
	set -e

	create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128
	create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128
	connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \
		   ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64

	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})

	# tell ns-A how to get to remote addresses of ns-B
	if [ "${with_vrf}" = "yes" ]; then
		create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6}

		ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
		ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
		ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}

		ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
		ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}

		# some VRF tests use ns-C which has the same config as
		# ns-B but for a device NOT in the VRF
		create_ns ${NSC} "-" "-"
		connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \
			   ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
	else
		ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
		ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
	fi


	# tell ns-B how to get to remote addresses of ns-A
	ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
	ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}

	# the test cases rely on non-zero exit codes, so errexit is turned off
	set +e

	sleep 1
}

# Build a topology with no configured addresses (link-local only): ns-A is
# connected to ns-B and ns-C, and both ns-A devices are enslaved to the VRF.
setup_lla_only()
{
	# make sure we are starting with a clean slate
	kill_procs
	cleanup 2>/dev/null

	log_debug "Configuring network namespaces"
	set -e

	create_ns ${NSA} "-" "-"
	create_ns ${NSB} "-" "-"
	create_ns ${NSC} "-" "-"
	connect_ns ${NSA} ${NSA_DEV} "-" "-" \
		   ${NSB} ${NSB_DEV} "-" "-"
	connect_ns ${NSA} ${NSA_DEV2} "-" "-" \
		   ${NSC} ${NSC_DEV}  "-" "-"

	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
	NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV})

	create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-"
	ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
	ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF}

	set +e

	sleep 1
}

################################################################################
# IPv4

# ICMP reachability without a VRF: outbound, inbound and local traffic, then
# the negative cases where an ip rule or an unreachable route must block it.
# Expected statuses as the cases below use them: 0 = reply received,
# 1 = no reply, 2 = ping reported an error (the "blocked" and "unreachable"
# outbound cases).
ipv4_ping_novrf()
{
	local a

	#
	# out
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping out"

		log_start
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a}
		log_test_addr ${a} $? 0 "ping out, address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd_nsb ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	#
	# local traffic
	#
	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		run_cmd ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping local"
	done

	#
	# local traffic, socket bound to device
	#
	# address on device
	a=${NSA_IP}
	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 0 "ping local, device bind"

	# loopback addresses not reachable from device bind
	# fails in a really weird way though because ipv4 special cases
	# route lookups with oif set.
	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Fails since address on loopback device is out of device scope"
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 1 "ping local, device bind"
	done

	#
	# ip rule blocks reachability to remote address
	#
	# The local-table rule is moved from pref 0 to 32765 first, so the
	# prohibit rules at pref 50/51 sort ahead of it.
	log_start
	setup_cmd ip rule add pref 32765 from all lookup local
	setup_cmd ip rule del pref 0 from all lookup local
	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by rule"

	# NOTE: ipv4 actually allows the lookup to fail and yet still create
	# a viable rtable if the oif (e.g., bind to device) is set, so this
	# case succeeds despite the rule
	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}

	a=${NSA_LO_IP}
	log_start
	show_hint "Response generates ICMP (or arp request is ignored) due to ip rule"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	# restore the original rule layout
	[ "$VERBOSE" = "1" ] && echo
	setup_cmd ip rule del pref 32765 from all lookup local
	setup_cmd ip rule add pref 0 from all lookup local
	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit

	#
	# route blocks reachability to remote address
	#
	log_start
	setup_cmd ip route replace unreachable ${NSB_LO_IP}
	setup_cmd ip route replace unreachable ${NSB_IP}

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by route"

	# NOTE: ipv4 actually allows the lookup to fail and yet still create
	# a viable rtable if the oif (e.g., bind to device) is set, so this
	# case succeeds despite not having a route for the address
	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}

	a=${NSA_LO_IP}
	log_start
	show_hint "Response is dropped (or arp request is ignored) due to ip route"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by route"

	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip ro del ${NSB_LO_IP}

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, unreachable default route"

	# NOTE: ipv4 actually allows the lookup to fail and yet still create
	# a viable rtable if the oif (e.g., bind to device) is set, so this
	# case succeeds despite not having a route for the address
	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
}

# ICMP reachability with ns-A's device enslaved to the VRF. Unlike the
# non-VRF variant, a device-bound ping is also expected to fail (status 2)
# when a prohibit rule or the unreachable default route applies.
ipv4_ping_vrf()
{
	local a

	# should default on; does not exist on older kernels
	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd ping -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping out, VRF bind"

		log_start
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a}
		log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind"

		log_start
		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a}
		log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd_nsb ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	#
	# local traffic, local address
	#
	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
	do
		log_start
		show_hint "Source address should be ${a}"
		run_cmd ping -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping local, VRF bind"
	done

	#
	# local traffic, socket bound to device
	#
	# address on device
	a=${NSA_IP}
	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 0 "ping local, device bind"

	# vrf device is out of scope
	for a in ${VRF_IP} 127.0.0.1
	do
		log_start
		show_hint "Fails since address on vrf device is out of device scope"
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 1 "ping local, device bind"
	done

	#
	# ip rule blocks address
	#
	log_start
	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 -I ${VRF} ${a}
	log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule"

	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"

	a=${NSA_LO_IP}
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	[ "$VERBOSE" = "1" ] && echo
	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit

	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP}

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 -I ${VRF} ${a}
	log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route"

	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"

	a=${NSA_LO_IP}
	log_start
	show_hint "Response lost by unreachable route"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, unreachable route"
}

# Entry point for the IPv4 ping tests: the non-VRF cases run twice, with
# raw_l3mdev_accept off and on, followed by the VRF cases.
ipv4_ping()
{
	log_section "IPv4 ping"

	log_subsection "No VRF"
	setup
	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null
	ipv4_ping_novrf
	setup
	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
	ipv4_ping_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_ping_vrf
}

################################################################################
# IPv4 TCP

#
# MD5 tests without VRF
#
# The negative cases carry the security property: a connection must time out
# (expected status 2) when only the client has a key, when the key is wrong,
# or when the client address falls outside the address or prefix the server
# tied its key to.
# NOTE(review): -M / -m look like the server-side key and the peer address or
# prefix it applies to, and -X the client-side key - confirm against nettest.
ipv4_tcp_md5_novrf()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -s &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Prefix config, client uses wrong password"

	# client outside of prefix
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
}

#
# MD5 tests with VRF
#
# Repeats the single-address and prefix cases with the server bound to the
# VRF, then runs two servers with different keys for the same peer, one in the
# VRF and one in the default VRF. ns-B reaches ns-A through the VRF device and
# ns-C through a device outside it, so the cases check that each key is only
# honoured in its own VRF: using the other VRF's key must time out (status 2).
ipv4_tcp_md5()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout since server does not have MD5 auth"
	run_cmd nettest -s -I ${VRF} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout since server config differs from client"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"

	# client outside of prefix
	log_start
	show_hint "Should timeout since client address is outside of prefix"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"

	#
	# duplicate config between default VRF and a VRF
	#

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"

	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"

	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"

	#
	# negative tests
	#
	# binding the MD5 server to a plain device instead of a VRF is expected
	# to fail (status 1)
	log_start
	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP}
	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET}
	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"

}

# TCP connect tests without a VRF: ns-A as server, ns-A as client, and local
# connections inside ns-A. Each server is started in the background and given
# one second to come up. The "No server" cases expect status 1, which the
# hints describe as 'Connection refused'.
ipv4_tcp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	# verify TCP reset sent and received
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -0 ${a} -1 ${a}
		log_test_addr ${a} $? 0 "Global server, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"

	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
		run_cmd nettest -s -I ${NSA_DEV} &
		sleep 1
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s &
	sleep 1
	run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "Global server, device client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -d ${NSA_DEV} -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local connection"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "No server, device client, local conn"

	ipv4_tcp_md5_novrf
}

# TCP connect tests with ns-A's device in the VRF.
# With tcp_l3mdev_accept=0 an unbound ("global") server in ns-A must refuse
# connections that arrive through the VRF (expected status 1); only servers
# bound to the VRF or to the device accept them. With tcp_l3mdev_accept=1 the
# global server is expected to accept as well.
ipv4_tcp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"

	set_sysctl net.ipv4.tcp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server"

		log_start
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		log_start
		run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Device server"

		# verify TCP reset received
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	# local address tests
	# (${VRF_IP} and 127.0.0.1 both timeout)
	a=${NSA_IP}
	log_start
	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
	run_cmd nettest -s &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV}
	log_test_addr ${a} $? 1 "Global server, local connection"

	# run MD5 tests
	ipv4_tcp_md5

	#
	# enable VRF global server
	#
	log_subsection "VRF Global server enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		# verify TCP reset received
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	a=${NSA_IP}
	log_start
	show_hint "client socket should be bound to device"
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	# local address tests
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Should fail 'Connection refused' since client is not bound to VRF"
		run_cmd nettest -s -I ${VRF} &
		sleep 1
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server, local connection"
	done

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${VRF}
		log_test_addr ${a} $? 0 "Client, VRF bind"

		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${VRF}
		log_test_addr ${a} $? 1 "No server, VRF client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${VRF} -3 ${VRF} &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local connection"

	log_start
	show_hint "Should fail 'No route to host' since client is out of VRF scope"
	run_cmd nettest -s -I ${VRF} &
	sleep 1
	run_cmd nettest -r ${a}
	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local connection"
}

# Entry point for the IPv4 TCP tests.
ipv4_tcp()
{
	log_section "IPv4/TCP"
	log_subsection "No VRF"
	setup

	# tcp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "tcp_l3mdev_accept disabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=0
	ipv4_tcp_novrf
	log_subsection "tcp_l3mdev_accept enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1
	ipv4_tcp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_tcp_vrf
}

################################################################################
# IPv4 UDP

ipv4_udp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $?
0 "Global server" 1331 1332 log_start 1333 show_hint "Should fail 'Connection refused' since there is no server" 1334 run_cmd_nsb nettest -D -r ${a} 1335 log_test_addr ${a} $? 1 "No server" 1336 done 1337 1338 a=${NSA_IP} 1339 log_start 1340 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1341 sleep 1 1342 run_cmd_nsb nettest -D -r ${a} 1343 log_test_addr ${a} $? 0 "Device server" 1344 1345 # 1346 # client 1347 # 1348 for a in ${NSB_IP} ${NSB_LO_IP} 1349 do 1350 log_start 1351 run_cmd_nsb nettest -D -s & 1352 sleep 1 1353 run_cmd nettest -D -r ${a} -0 ${NSA_IP} 1354 log_test_addr ${a} $? 0 "Client" 1355 1356 log_start 1357 run_cmd_nsb nettest -D -s & 1358 sleep 1 1359 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP} 1360 log_test_addr ${a} $? 0 "Client, device bind" 1361 1362 log_start 1363 run_cmd_nsb nettest -D -s & 1364 sleep 1 1365 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP} 1366 log_test_addr ${a} $? 0 "Client, device send via cmsg" 1367 1368 log_start 1369 run_cmd_nsb nettest -D -s & 1370 sleep 1 1371 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} 1372 log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF" 1373 1374 log_start 1375 show_hint "Should fail 'Connection refused'" 1376 run_cmd nettest -D -r ${a} 1377 log_test_addr ${a} $? 1 "No server, unbound client" 1378 1379 log_start 1380 show_hint "Should fail 'Connection refused'" 1381 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1382 log_test_addr ${a} $? 1 "No server, device client" 1383 done 1384 1385 # 1386 # local address tests 1387 # 1388 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1389 do 1390 log_start 1391 run_cmd nettest -D -s & 1392 sleep 1 1393 run_cmd nettest -D -r ${a} -0 ${a} -1 ${a} 1394 log_test_addr ${a} $? 0 "Global server, local connection" 1395 done 1396 1397 a=${NSA_IP} 1398 log_start 1399 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1400 sleep 1 1401 run_cmd nettest -D -r ${a} 1402 log_test_addr ${a} $? 
0 "Device server, unbound client, local connection" 1403 1404 for a in ${NSA_LO_IP} 127.0.0.1 1405 do 1406 log_start 1407 show_hint "Should fail 'Connection refused' since address is out of device scope" 1408 run_cmd nettest -s -D -I ${NSA_DEV} & 1409 sleep 1 1410 run_cmd nettest -D -r ${a} 1411 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 1412 done 1413 1414 a=${NSA_IP} 1415 log_start 1416 run_cmd nettest -s -D & 1417 sleep 1 1418 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1419 log_test_addr ${a} $? 0 "Global server, device client, local connection" 1420 1421 log_start 1422 run_cmd nettest -s -D & 1423 sleep 1 1424 run_cmd nettest -D -d ${NSA_DEV} -C -r ${a} 1425 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 1426 1427 log_start 1428 run_cmd nettest -s -D & 1429 sleep 1 1430 run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} 1431 log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection" 1432 1433 # IPv4 with device bind has really weird behavior - it overrides the 1434 # fib lookup, generates an rtable and tries to send the packet. This 1435 # causes failures for local traffic at different places 1436 for a in ${NSA_LO_IP} 127.0.0.1 1437 do 1438 log_start 1439 show_hint "Should fail since addresses on loopback are out of device scope" 1440 run_cmd nettest -D -s & 1441 sleep 1 1442 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1443 log_test_addr ${a} $? 2 "Global server, device client, local connection" 1444 1445 log_start 1446 show_hint "Should fail since addresses on loopback are out of device scope" 1447 run_cmd nettest -D -s & 1448 sleep 1 1449 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C 1450 log_test_addr ${a} $? 
1 "Global server, device send via cmsg, local connection" 1451 1452 log_start 1453 show_hint "Should fail since addresses on loopback are out of device scope" 1454 run_cmd nettest -D -s & 1455 sleep 1 1456 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S 1457 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 1458 done 1459 1460 a=${NSA_IP} 1461 log_start 1462 run_cmd nettest -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1463 sleep 1 1464 run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a} 1465 log_test_addr ${a} $? 0 "Device server, device client, local conn" 1466 1467 log_start 1468 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1469 log_test_addr ${a} $? 2 "No server, device client, local conn" 1470} 1471 1472ipv4_udp_vrf() 1473{ 1474 local a 1475 1476 # disable global server 1477 log_subsection "Global server disabled" 1478 set_sysctl net.ipv4.udp_l3mdev_accept=0 1479 1480 # 1481 # server tests 1482 # 1483 for a in ${NSA_IP} ${VRF_IP} 1484 do 1485 log_start 1486 show_hint "Fails because ingress is in a VRF and global server is disabled" 1487 run_cmd nettest -D -s & 1488 sleep 1 1489 run_cmd_nsb nettest -D -r ${a} 1490 log_test_addr ${a} $? 1 "Global server" 1491 1492 log_start 1493 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} & 1494 sleep 1 1495 run_cmd_nsb nettest -D -r ${a} 1496 log_test_addr ${a} $? 0 "VRF server" 1497 1498 log_start 1499 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1500 sleep 1 1501 run_cmd_nsb nettest -D -r ${a} 1502 log_test_addr ${a} $? 0 "Enslaved device server" 1503 1504 log_start 1505 show_hint "Should fail 'Connection refused' since there is no server" 1506 run_cmd_nsb nettest -D -r ${a} 1507 log_test_addr ${a} $? 1 "No server" 1508 1509 log_start 1510 show_hint "Should fail 'Connection refused' since global server is out of scope" 1511 run_cmd nettest -D -s & 1512 sleep 1 1513 run_cmd nettest -D -d ${VRF} -r ${a} 1514 log_test_addr ${a} $? 
1 "Global server, VRF client, local connection" 1515 done 1516 1517 a=${NSA_IP} 1518 log_start 1519 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1520 sleep 1 1521 run_cmd nettest -D -d ${VRF} -r ${a} 1522 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1523 1524 log_start 1525 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1526 sleep 1 1527 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1528 log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection" 1529 1530 a=${NSA_IP} 1531 log_start 1532 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1533 sleep 1 1534 run_cmd nettest -D -d ${VRF} -r ${a} 1535 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 1536 1537 log_start 1538 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1539 sleep 1 1540 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1541 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 1542 1543 # enable global server 1544 log_subsection "Global server enabled" 1545 set_sysctl net.ipv4.udp_l3mdev_accept=1 1546 1547 # 1548 # server tests 1549 # 1550 for a in ${NSA_IP} ${VRF_IP} 1551 do 1552 log_start 1553 run_cmd nettest -D -s -3 ${NSA_DEV} & 1554 sleep 1 1555 run_cmd_nsb nettest -D -r ${a} 1556 log_test_addr ${a} $? 0 "Global server" 1557 1558 log_start 1559 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} & 1560 sleep 1 1561 run_cmd_nsb nettest -D -r ${a} 1562 log_test_addr ${a} $? 0 "VRF server" 1563 1564 log_start 1565 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1566 sleep 1 1567 run_cmd_nsb nettest -D -r ${a} 1568 log_test_addr ${a} $? 0 "Enslaved device server" 1569 1570 log_start 1571 show_hint "Should fail 'Connection refused'" 1572 run_cmd_nsb nettest -D -r ${a} 1573 log_test_addr ${a} $? 1 "No server" 1574 done 1575 1576 # 1577 # client tests 1578 # 1579 log_start 1580 run_cmd_nsb nettest -D -s & 1581 sleep 1 1582 run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP} 1583 log_test $? 
0 "VRF client" 1584 1585 log_start 1586 run_cmd_nsb nettest -D -s & 1587 sleep 1 1588 run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP} 1589 log_test $? 0 "Enslaved device client" 1590 1591 # negative test - should fail 1592 log_start 1593 show_hint "Should fail 'Connection refused'" 1594 run_cmd nettest -D -d ${VRF} -r ${NSB_IP} 1595 log_test $? 1 "No server, VRF client" 1596 1597 log_start 1598 show_hint "Should fail 'Connection refused'" 1599 run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP} 1600 log_test $? 1 "No server, enslaved device client" 1601 1602 # 1603 # local address tests 1604 # 1605 a=${NSA_IP} 1606 log_start 1607 run_cmd nettest -D -s -3 ${NSA_DEV} & 1608 sleep 1 1609 run_cmd nettest -D -d ${VRF} -r ${a} 1610 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 1611 1612 log_start 1613 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1614 sleep 1 1615 run_cmd nettest -D -d ${VRF} -r ${a} 1616 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1617 1618 log_start 1619 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1620 sleep 1 1621 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1622 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 1623 1624 log_start 1625 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1626 sleep 1 1627 run_cmd nettest -D -d ${VRF} -r ${a} 1628 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 1629 1630 log_start 1631 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1632 sleep 1 1633 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1634 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 1635 1636 for a in ${VRF_IP} 127.0.0.1 1637 do 1638 log_start 1639 run_cmd nettest -D -s -3 ${VRF} & 1640 sleep 1 1641 run_cmd nettest -D -d ${VRF} -r ${a} 1642 log_test_addr ${a} $? 
0 "Global server, VRF client, local conn" 1643 done 1644 1645 for a in ${VRF_IP} 127.0.0.1 1646 do 1647 log_start 1648 run_cmd nettest -s -D -I ${VRF} -3 ${VRF} & 1649 sleep 1 1650 run_cmd nettest -D -d ${VRF} -r ${a} 1651 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1652 done 1653 1654 # negative test - should fail 1655 # verifies ECONNREFUSED 1656 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 1657 do 1658 log_start 1659 show_hint "Should fail 'Connection refused'" 1660 run_cmd nettest -D -d ${VRF} -r ${a} 1661 log_test_addr ${a} $? 1 "No server, VRF client, local conn" 1662 done 1663} 1664 1665ipv4_udp() 1666{ 1667 log_section "IPv4/UDP" 1668 log_subsection "No VRF" 1669 1670 setup 1671 1672 # udp_l3mdev_accept should have no affect without VRF; 1673 # run tests with it enabled and disabled to verify 1674 log_subsection "udp_l3mdev_accept disabled" 1675 set_sysctl net.ipv4.udp_l3mdev_accept=0 1676 ipv4_udp_novrf 1677 log_subsection "udp_l3mdev_accept enabled" 1678 set_sysctl net.ipv4.udp_l3mdev_accept=1 1679 ipv4_udp_novrf 1680 1681 log_subsection "With VRF" 1682 setup "yes" 1683 ipv4_udp_vrf 1684} 1685 1686################################################################################ 1687# IPv4 address bind 1688# 1689# verifies ability or inability to bind to an address / device 1690 1691ipv4_addr_bind_novrf() 1692{ 1693 # 1694 # raw socket 1695 # 1696 for a in ${NSA_IP} ${NSA_LO_IP} 1697 do 1698 log_start 1699 run_cmd nettest -s -R -P icmp -l ${a} -b 1700 log_test_addr ${a} $? 0 "Raw socket bind to local address" 1701 1702 log_start 1703 run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b 1704 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" 1705 done 1706 1707 # 1708 # tcp sockets 1709 # 1710 a=${NSA_IP} 1711 log_start 1712 run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b 1713 log_test_addr ${a} $? 
0 "TCP socket bind to local address" 1714 1715 log_start 1716 run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b 1717 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind" 1718 1719 # Sadly, the kernel allows binding a socket to a device and then 1720 # binding to an address not on the device. The only restriction 1721 # is that the address is valid in the L3 domain. So this test 1722 # passes when it really should not 1723 #a=${NSA_LO_IP} 1724 #log_start 1725 #show_hint "Should fail with 'Cannot assign requested address'" 1726 #run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 1727 #log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address" 1728} 1729 1730ipv4_addr_bind_vrf() 1731{ 1732 # 1733 # raw socket 1734 # 1735 for a in ${NSA_IP} ${VRF_IP} 1736 do 1737 log_start 1738 run_cmd nettest -s -R -P icmp -l ${a} -b 1739 log_test_addr ${a} $? 0 "Raw socket bind to local address" 1740 1741 log_start 1742 run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b 1743 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" 1744 log_start 1745 run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b 1746 log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind" 1747 done 1748 1749 a=${NSA_LO_IP} 1750 log_start 1751 show_hint "Address on loopback is out of VRF scope" 1752 run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b 1753 log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind" 1754 1755 # 1756 # tcp sockets 1757 # 1758 for a in ${NSA_IP} ${VRF_IP} 1759 do 1760 log_start 1761 run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b 1762 log_test_addr ${a} $? 0 "TCP socket bind to local address" 1763 1764 log_start 1765 run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 1766 log_test_addr ${a} $? 
0 "TCP socket bind to local address after device bind" 1767 done 1768 1769 a=${NSA_LO_IP} 1770 log_start 1771 show_hint "Address on loopback out of scope for VRF" 1772 run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b 1773 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF" 1774 1775 log_start 1776 show_hint "Address on loopback out of scope for device in VRF" 1777 run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 1778 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind" 1779} 1780 1781ipv4_addr_bind() 1782{ 1783 log_section "IPv4 address binds" 1784 1785 log_subsection "No VRF" 1786 setup 1787 ipv4_addr_bind_novrf 1788 1789 log_subsection "With VRF" 1790 setup "yes" 1791 ipv4_addr_bind_vrf 1792} 1793 1794################################################################################ 1795# IPv4 runtime tests 1796 1797ipv4_rt() 1798{ 1799 local desc="$1" 1800 local varg="$2" 1801 local with_vrf="yes" 1802 local a 1803 1804 # 1805 # server tests 1806 # 1807 for a in ${NSA_IP} ${VRF_IP} 1808 do 1809 log_start 1810 run_cmd nettest ${varg} -s & 1811 sleep 1 1812 run_cmd_nsb nettest ${varg} -r ${a} & 1813 sleep 3 1814 run_cmd ip link del ${VRF} 1815 sleep 1 1816 log_test_addr ${a} 0 0 "${desc}, global server" 1817 1818 setup ${with_vrf} 1819 done 1820 1821 for a in ${NSA_IP} ${VRF_IP} 1822 do 1823 log_start 1824 run_cmd nettest ${varg} -s -I ${VRF} & 1825 sleep 1 1826 run_cmd_nsb nettest ${varg} -r ${a} & 1827 sleep 3 1828 run_cmd ip link del ${VRF} 1829 sleep 1 1830 log_test_addr ${a} 0 0 "${desc}, VRF server" 1831 1832 setup ${with_vrf} 1833 done 1834 1835 a=${NSA_IP} 1836 log_start 1837 run_cmd nettest ${varg} -s -I ${NSA_DEV} & 1838 sleep 1 1839 run_cmd_nsb nettest ${varg} -r ${a} & 1840 sleep 3 1841 run_cmd ip link del ${VRF} 1842 sleep 1 1843 log_test_addr ${a} 0 0 "${desc}, enslaved device server" 1844 1845 setup ${with_vrf} 1846 1847 # 1848 # client test 1849 # 1850 log_start 1851 run_cmd_nsb nettest ${varg} -s & 1852 
sleep 1 1853 run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} & 1854 sleep 3 1855 run_cmd ip link del ${VRF} 1856 sleep 1 1857 log_test_addr ${a} 0 0 "${desc}, VRF client" 1858 1859 setup ${with_vrf} 1860 1861 log_start 1862 run_cmd_nsb nettest ${varg} -s & 1863 sleep 1 1864 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} & 1865 sleep 3 1866 run_cmd ip link del ${VRF} 1867 sleep 1 1868 log_test_addr ${a} 0 0 "${desc}, enslaved device client" 1869 1870 setup ${with_vrf} 1871 1872 # 1873 # local address tests 1874 # 1875 for a in ${NSA_IP} ${VRF_IP} 1876 do 1877 log_start 1878 run_cmd nettest ${varg} -s & 1879 sleep 1 1880 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 1881 sleep 3 1882 run_cmd ip link del ${VRF} 1883 sleep 1 1884 log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local" 1885 1886 setup ${with_vrf} 1887 done 1888 1889 for a in ${NSA_IP} ${VRF_IP} 1890 do 1891 log_start 1892 run_cmd nettest ${varg} -I ${VRF} -s & 1893 sleep 1 1894 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 1895 sleep 3 1896 run_cmd ip link del ${VRF} 1897 sleep 1 1898 log_test_addr ${a} 0 0 "${desc}, VRF server and client, local" 1899 1900 setup ${with_vrf} 1901 done 1902 1903 a=${NSA_IP} 1904 log_start 1905 run_cmd nettest ${varg} -s & 1906 sleep 1 1907 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 1908 sleep 3 1909 run_cmd ip link del ${VRF} 1910 sleep 1 1911 log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local" 1912 1913 setup ${with_vrf} 1914 1915 log_start 1916 run_cmd nettest ${varg} -I ${VRF} -s & 1917 sleep 1 1918 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 1919 sleep 3 1920 run_cmd ip link del ${VRF} 1921 sleep 1 1922 log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local" 1923 1924 setup ${with_vrf} 1925 1926 log_start 1927 run_cmd nettest ${varg} -I ${NSA_DEV} -s & 1928 sleep 1 1929 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 1930 sleep 3 1931 run_cmd ip link del ${VRF} 1932 sleep 1 1933 log_test_addr ${a} 0 0 
"${desc}, enslaved device server and client, local" 1934} 1935 1936ipv4_ping_rt() 1937{ 1938 local with_vrf="yes" 1939 local a 1940 1941 for a in ${NSA_IP} ${VRF_IP} 1942 do 1943 log_start 1944 run_cmd_nsb ping -f ${a} & 1945 sleep 3 1946 run_cmd ip link del ${VRF} 1947 sleep 1 1948 log_test_addr ${a} 0 0 "Device delete with active traffic - ping in" 1949 1950 setup ${with_vrf} 1951 done 1952 1953 a=${NSB_IP} 1954 log_start 1955 run_cmd ping -f -I ${VRF} ${a} & 1956 sleep 3 1957 run_cmd ip link del ${VRF} 1958 sleep 1 1959 log_test_addr ${a} 0 0 "Device delete with active traffic - ping out" 1960} 1961 1962ipv4_runtime() 1963{ 1964 log_section "Run time tests - ipv4" 1965 1966 setup "yes" 1967 ipv4_ping_rt 1968 1969 setup "yes" 1970 ipv4_rt "TCP active socket" "-n -1" 1971 1972 setup "yes" 1973 ipv4_rt "TCP passive socket" "-i" 1974} 1975 1976################################################################################ 1977# IPv6 1978 1979ipv6_ping_novrf() 1980{ 1981 local a 1982 1983 # should not have an impact, but make a known state 1984 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null 1985 1986 # 1987 # out 1988 # 1989 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 1990 do 1991 log_start 1992 run_cmd ${ping6} -c1 -w1 ${a} 1993 log_test_addr ${a} $? 0 "ping out" 1994 done 1995 1996 for a in ${NSB_IP6} ${NSB_LO_IP6} 1997 do 1998 log_start 1999 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2000 log_test_addr ${a} $? 0 "ping out, device bind" 2001 2002 log_start 2003 run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a} 2004 log_test_addr ${a} $? 0 "ping out, loopback address bind" 2005 done 2006 2007 # 2008 # in 2009 # 2010 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV} 2011 do 2012 log_start 2013 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2014 log_test_addr ${a} $? 
0 "ping in" 2015 done 2016 2017 # 2018 # local traffic, local address 2019 # 2020 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2021 do 2022 log_start 2023 run_cmd ${ping6} -c1 -w1 ${a} 2024 log_test_addr ${a} $? 0 "ping local, no bind" 2025 done 2026 2027 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2028 do 2029 log_start 2030 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2031 log_test_addr ${a} $? 0 "ping local, device bind" 2032 done 2033 2034 for a in ${NSA_LO_IP6} ::1 2035 do 2036 log_start 2037 show_hint "Fails since address on loopback is out of device scope" 2038 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2039 log_test_addr ${a} $? 2 "ping local, device bind" 2040 done 2041 2042 # 2043 # ip rule blocks address 2044 # 2045 log_start 2046 setup_cmd ip -6 rule add pref 32765 from all lookup local 2047 setup_cmd ip -6 rule del pref 0 from all lookup local 2048 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2049 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2050 2051 a=${NSB_LO_IP6} 2052 run_cmd ${ping6} -c1 -w1 ${a} 2053 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2054 2055 log_start 2056 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2057 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2058 2059 a=${NSA_LO_IP6} 2060 log_start 2061 show_hint "Response lost due to ip rule" 2062 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2063 log_test_addr ${a} $? 
1 "ping in, blocked by rule" 2064 2065 setup_cmd ip -6 rule add pref 0 from all lookup local 2066 setup_cmd ip -6 rule del pref 32765 from all lookup local 2067 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2068 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2069 2070 # 2071 # route blocks reachability to remote address 2072 # 2073 log_start 2074 setup_cmd ip -6 route del ${NSB_LO_IP6} 2075 setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10 2076 setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10 2077 2078 a=${NSB_LO_IP6} 2079 run_cmd ${ping6} -c1 -w1 ${a} 2080 log_test_addr ${a} $? 2 "ping out, blocked by route" 2081 2082 log_start 2083 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2084 log_test_addr ${a} $? 2 "ping out, device bind, blocked by route" 2085 2086 a=${NSA_LO_IP6} 2087 log_start 2088 show_hint "Response lost due to ip route" 2089 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2090 log_test_addr ${a} $? 1 "ping in, blocked by route" 2091 2092 2093 # 2094 # remove 'remote' routes; fallback to default 2095 # 2096 log_start 2097 setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6} 2098 setup_cmd ip -6 ro del unreachable ${NSB_IP6} 2099 2100 a=${NSB_LO_IP6} 2101 run_cmd ${ping6} -c1 -w1 ${a} 2102 log_test_addr ${a} $? 2 "ping out, unreachable route" 2103 2104 log_start 2105 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2106 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 2107} 2108 2109ipv6_ping_vrf() 2110{ 2111 local a 2112 2113 # should default on; does not exist on older kernels 2114 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 2115 2116 # 2117 # out 2118 # 2119 for a in ${NSB_IP6} ${NSB_LO_IP6} 2120 do 2121 log_start 2122 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2123 log_test_addr ${a} $? 
0 "ping out, VRF bind" 2124 done 2125 2126 for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF} 2127 do 2128 log_start 2129 show_hint "Fails since VRF device does not support linklocal or multicast" 2130 run_cmd ${ping6} -c1 -w1 ${a} 2131 log_test_addr ${a} $? 2 "ping out, VRF bind" 2132 done 2133 2134 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2135 do 2136 log_start 2137 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2138 log_test_addr ${a} $? 0 "ping out, device bind" 2139 done 2140 2141 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2142 do 2143 log_start 2144 run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a} 2145 log_test_addr ${a} $? 0 "ping out, vrf device+address bind" 2146 done 2147 2148 # 2149 # in 2150 # 2151 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV} 2152 do 2153 log_start 2154 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2155 log_test_addr ${a} $? 0 "ping in" 2156 done 2157 2158 a=${NSA_LO_IP6} 2159 log_start 2160 show_hint "Fails since loopback address is out of VRF scope" 2161 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2162 log_test_addr ${a} $? 1 "ping in" 2163 2164 # 2165 # local traffic, local address 2166 # 2167 for a in ${NSA_IP6} ${VRF_IP6} ::1 2168 do 2169 log_start 2170 show_hint "Source address should be ${a}" 2171 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2172 log_test_addr ${a} $? 0 "ping local, VRF bind" 2173 done 2174 2175 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2176 do 2177 log_start 2178 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2179 log_test_addr ${a} $? 
0 "ping local, device bind" 2180 done 2181 2182 # LLA to GUA - remove ipv6 global addresses from ns-B 2183 setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 2184 setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo 2185 setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2186 2187 for a in ${NSA_IP6} ${VRF_IP6} 2188 do 2189 log_start 2190 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 2191 log_test_addr ${a} $? 0 "ping in, LLA to GUA" 2192 done 2193 2194 setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2195 setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} 2196 setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo 2197 2198 # 2199 # ip rule blocks address 2200 # 2201 log_start 2202 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2203 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2204 2205 a=${NSB_LO_IP6} 2206 run_cmd ${ping6} -c1 -w1 ${a} 2207 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2208 2209 log_start 2210 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2211 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2212 2213 a=${NSA_LO_IP6} 2214 log_start 2215 show_hint "Response lost due to ip rule" 2216 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2217 log_test_addr ${a} $? 1 "ping in, blocked by rule" 2218 2219 log_start 2220 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2221 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2222 2223 # 2224 # remove 'remote' routes; fallback to default 2225 # 2226 log_start 2227 setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF} 2228 2229 a=${NSB_LO_IP6} 2230 run_cmd ${ping6} -c1 -w1 ${a} 2231 log_test_addr ${a} $? 2 "ping out, unreachable route" 2232 2233 log_start 2234 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2235 log_test_addr ${a} $? 
2 "ping out, device bind, unreachable route" 2236 2237 ip -netns ${NSB} -6 ro del ${NSA_LO_IP6} 2238 a=${NSA_LO_IP6} 2239 log_start 2240 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2241 log_test_addr ${a} $? 2 "ping in, unreachable route" 2242} 2243 2244ipv6_ping() 2245{ 2246 log_section "IPv6 ping" 2247 2248 log_subsection "No VRF" 2249 setup 2250 ipv6_ping_novrf 2251 2252 log_subsection "With VRF" 2253 setup "yes" 2254 ipv6_ping_vrf 2255} 2256 2257################################################################################ 2258# IPv6 TCP 2259 2260# 2261# MD5 tests without VRF 2262# 2263ipv6_tcp_md5_novrf() 2264{ 2265 # 2266 # single address 2267 # 2268 2269 # basic use case 2270 log_start 2271 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} & 2272 sleep 1 2273 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2274 log_test $? 0 "MD5: Single address config" 2275 2276 # client sends MD5, server not configured 2277 log_start 2278 show_hint "Should timeout due to MD5 mismatch" 2279 run_cmd nettest -6 -s & 2280 sleep 1 2281 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2282 log_test $? 2 "MD5: Server no config, client uses password" 2283 2284 # wrong password 2285 log_start 2286 show_hint "Should timeout since client uses wrong password" 2287 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} & 2288 sleep 1 2289 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2290 log_test $? 2 "MD5: Client uses wrong password" 2291 2292 # client from different address 2293 log_start 2294 show_hint "Should timeout due to MD5 mismatch" 2295 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} & 2296 sleep 1 2297 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2298 log_test $? 
2 "MD5: Client address does not match address configured with password" 2299 2300 # 2301 # MD5 extension - prefix length 2302 # 2303 2304 # client in prefix 2305 log_start 2306 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2307 sleep 1 2308 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2309 log_test $? 0 "MD5: Prefix config" 2310 2311 # client in prefix, wrong password 2312 log_start 2313 show_hint "Should timeout since client uses wrong password" 2314 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2315 sleep 1 2316 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2317 log_test $? 2 "MD5: Prefix config, client uses wrong password" 2318 2319 # client outside of prefix 2320 log_start 2321 show_hint "Should timeout due to MD5 mismatch" 2322 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2323 sleep 1 2324 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW} 2325 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 2326} 2327 2328# 2329# MD5 tests with VRF 2330# 2331ipv6_tcp_md5() 2332{ 2333 # 2334 # single address 2335 # 2336 2337 # basic use case 2338 log_start 2339 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2340 sleep 1 2341 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2342 log_test $? 0 "MD5: VRF: Single address config" 2343 2344 # client sends MD5, server not configured 2345 log_start 2346 show_hint "Should timeout since server does not have MD5 auth" 2347 run_cmd nettest -6 -s -I ${VRF} & 2348 sleep 1 2349 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2350 log_test $? 2 "MD5: VRF: Server no config, client uses password" 2351 2352 # wrong password 2353 log_start 2354 show_hint "Should timeout since client uses wrong password" 2355 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2356 sleep 1 2357 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2358 log_test $? 
2 "MD5: VRF: Client uses wrong password" 2359 2360 # client from different address 2361 log_start 2362 show_hint "Should timeout since server config differs from client" 2363 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} & 2364 sleep 1 2365 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2366 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 2367 2368 # 2369 # MD5 extension - prefix length 2370 # 2371 2372 # client in prefix 2373 log_start 2374 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2375 sleep 1 2376 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2377 log_test $? 0 "MD5: VRF: Prefix config" 2378 2379 # client in prefix, wrong password 2380 log_start 2381 show_hint "Should timeout since client uses wrong password" 2382 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2383 sleep 1 2384 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2385 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 2386 2387 # client outside of prefix 2388 log_start 2389 show_hint "Should timeout since client address is outside of prefix" 2390 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2391 sleep 1 2392 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW} 2393 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" 2394 2395 # 2396 # duplicate config between default VRF and a VRF 2397 # 2398 2399 log_start 2400 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2401 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2402 sleep 1 2403 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2404 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 2405 2406 log_start 2407 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2408 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2409 sleep 1 2410 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2411 log_test $? 
0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 2412 2413 log_start 2414 show_hint "Should timeout since client in default VRF uses VRF password" 2415 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2416 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2417 sleep 1 2418 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2419 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 2420 2421 log_start 2422 show_hint "Should timeout since client in VRF uses default VRF password" 2423 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2424 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2425 sleep 1 2426 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2427 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 2428 2429 log_start 2430 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2431 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2432 sleep 1 2433 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2434 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 2435 2436 log_start 2437 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2438 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2439 sleep 1 2440 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2441 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 2442 2443 log_start 2444 show_hint "Should timeout since client in default VRF uses VRF password" 2445 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2446 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2447 sleep 1 2448 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2449 log_test $? 
2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 2450 2451 log_start 2452 show_hint "Should timeout since client in VRF uses default VRF password" 2453 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2454 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2455 sleep 1 2456 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2457 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 2458 2459 # 2460 # negative tests 2461 # 2462 log_start 2463 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6} 2464 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 2465 2466 log_start 2467 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6} 2468 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 2469 2470} 2471 2472ipv6_tcp_novrf() 2473{ 2474 local a 2475 2476 # 2477 # server tests 2478 # 2479 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2480 do 2481 log_start 2482 run_cmd nettest -6 -s & 2483 sleep 1 2484 run_cmd_nsb nettest -6 -r ${a} 2485 log_test_addr ${a} $? 0 "Global server" 2486 done 2487 2488 # verify TCP reset received 2489 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2490 do 2491 log_start 2492 show_hint "Should fail 'Connection refused'" 2493 run_cmd_nsb nettest -6 -r ${a} 2494 log_test_addr ${a} $? 1 "No server" 2495 done 2496 2497 # 2498 # client 2499 # 2500 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2501 do 2502 log_start 2503 run_cmd_nsb nettest -6 -s & 2504 sleep 1 2505 run_cmd nettest -6 -r ${a} 2506 log_test_addr ${a} $? 0 "Client" 2507 done 2508 2509 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2510 do 2511 log_start 2512 run_cmd_nsb nettest -6 -s & 2513 sleep 1 2514 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2515 log_test_addr ${a} $? 
0 "Client, device bind" 2516 done 2517 2518 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2519 do 2520 log_start 2521 show_hint "Should fail 'Connection refused'" 2522 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2523 log_test_addr ${a} $? 1 "No server, device client" 2524 done 2525 2526 # 2527 # local address tests 2528 # 2529 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 2530 do 2531 log_start 2532 run_cmd nettest -6 -s & 2533 sleep 1 2534 run_cmd nettest -6 -r ${a} 2535 log_test_addr ${a} $? 0 "Global server, local connection" 2536 done 2537 2538 a=${NSA_IP6} 2539 log_start 2540 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2541 sleep 1 2542 run_cmd nettest -6 -r ${a} -0 ${a} 2543 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 2544 2545 for a in ${NSA_LO_IP6} ::1 2546 do 2547 log_start 2548 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2549 run_cmd nettest -6 -s -I ${NSA_DEV} & 2550 sleep 1 2551 run_cmd nettest -6 -r ${a} 2552 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 2553 done 2554 2555 a=${NSA_IP6} 2556 log_start 2557 run_cmd nettest -6 -s & 2558 sleep 1 2559 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2560 log_test_addr ${a} $? 0 "Global server, device client, local connection" 2561 2562 for a in ${NSA_LO_IP6} ::1 2563 do 2564 log_start 2565 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2566 run_cmd nettest -6 -s & 2567 sleep 1 2568 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2569 log_test_addr ${a} $? 1 "Global server, device client, local connection" 2570 done 2571 2572 for a in ${NSA_IP6} ${NSA_LINKIP6} 2573 do 2574 log_start 2575 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2576 sleep 1 2577 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2578 log_test_addr ${a} $? 
0 "Device server, device client, local conn" 2579 done 2580 2581 for a in ${NSA_IP6} ${NSA_LINKIP6} 2582 do 2583 log_start 2584 show_hint "Should fail 'Connection refused'" 2585 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2586 log_test_addr ${a} $? 1 "No server, device client, local conn" 2587 done 2588 2589 ipv6_tcp_md5_novrf 2590} 2591 2592ipv6_tcp_vrf() 2593{ 2594 local a 2595 2596 # disable global server 2597 log_subsection "Global server disabled" 2598 2599 set_sysctl net.ipv4.tcp_l3mdev_accept=0 2600 2601 # 2602 # server tests 2603 # 2604 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2605 do 2606 log_start 2607 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2608 run_cmd nettest -6 -s & 2609 sleep 1 2610 run_cmd_nsb nettest -6 -r ${a} 2611 log_test_addr ${a} $? 1 "Global server" 2612 done 2613 2614 for a in ${NSA_IP6} ${VRF_IP6} 2615 do 2616 log_start 2617 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2618 sleep 1 2619 run_cmd_nsb nettest -6 -r ${a} 2620 log_test_addr ${a} $? 0 "VRF server" 2621 done 2622 2623 # link local is always bound to ingress device 2624 a=${NSA_LINKIP6}%${NSB_DEV} 2625 log_start 2626 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2627 sleep 1 2628 run_cmd_nsb nettest -6 -r ${a} 2629 log_test_addr ${a} $? 0 "VRF server" 2630 2631 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2632 do 2633 log_start 2634 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2635 sleep 1 2636 run_cmd_nsb nettest -6 -r ${a} 2637 log_test_addr ${a} $? 0 "Device server" 2638 done 2639 2640 # verify TCP reset received 2641 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2642 do 2643 log_start 2644 show_hint "Should fail 'Connection refused'" 2645 run_cmd_nsb nettest -6 -r ${a} 2646 log_test_addr ${a} $? 
1 "No server" 2647 done 2648 2649 # local address tests 2650 a=${NSA_IP6} 2651 log_start 2652 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2653 run_cmd nettest -6 -s & 2654 sleep 1 2655 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2656 log_test_addr ${a} $? 1 "Global server, local connection" 2657 2658 # run MD5 tests 2659 ipv6_tcp_md5 2660 2661 # 2662 # enable VRF global server 2663 # 2664 log_subsection "VRF Global server enabled" 2665 set_sysctl net.ipv4.tcp_l3mdev_accept=1 2666 2667 for a in ${NSA_IP6} ${VRF_IP6} 2668 do 2669 log_start 2670 run_cmd nettest -6 -s -3 ${VRF} & 2671 sleep 1 2672 run_cmd_nsb nettest -6 -r ${a} 2673 log_test_addr ${a} $? 0 "Global server" 2674 done 2675 2676 for a in ${NSA_IP6} ${VRF_IP6} 2677 do 2678 log_start 2679 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2680 sleep 1 2681 run_cmd_nsb nettest -6 -r ${a} 2682 log_test_addr ${a} $? 0 "VRF server" 2683 done 2684 2685 # For LLA, child socket is bound to device 2686 a=${NSA_LINKIP6}%${NSB_DEV} 2687 log_start 2688 run_cmd nettest -6 -s -3 ${NSA_DEV} & 2689 sleep 1 2690 run_cmd_nsb nettest -6 -r ${a} 2691 log_test_addr ${a} $? 0 "Global server" 2692 2693 log_start 2694 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2695 sleep 1 2696 run_cmd_nsb nettest -6 -r ${a} 2697 log_test_addr ${a} $? 0 "VRF server" 2698 2699 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2700 do 2701 log_start 2702 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2703 sleep 1 2704 run_cmd_nsb nettest -6 -r ${a} 2705 log_test_addr ${a} $? 0 "Device server" 2706 done 2707 2708 # verify TCP reset received 2709 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2710 do 2711 log_start 2712 show_hint "Should fail 'Connection refused'" 2713 run_cmd_nsb nettest -6 -r ${a} 2714 log_test_addr ${a} $? 
1 "No server" 2715 done 2716 2717 # local address tests 2718 for a in ${NSA_IP6} ${VRF_IP6} 2719 do 2720 log_start 2721 show_hint "Fails 'Connection refused' since client is not in VRF" 2722 run_cmd nettest -6 -s -I ${VRF} & 2723 sleep 1 2724 run_cmd nettest -6 -r ${a} 2725 log_test_addr ${a} $? 1 "Global server, local connection" 2726 done 2727 2728 2729 # 2730 # client 2731 # 2732 for a in ${NSB_IP6} ${NSB_LO_IP6} 2733 do 2734 log_start 2735 run_cmd_nsb nettest -6 -s & 2736 sleep 1 2737 run_cmd nettest -6 -r ${a} -d ${VRF} 2738 log_test_addr ${a} $? 0 "Client, VRF bind" 2739 done 2740 2741 a=${NSB_LINKIP6} 2742 log_start 2743 show_hint "Fails since VRF device does not allow linklocal addresses" 2744 run_cmd_nsb nettest -6 -s & 2745 sleep 1 2746 run_cmd nettest -6 -r ${a} -d ${VRF} 2747 log_test_addr ${a} $? 1 "Client, VRF bind" 2748 2749 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 2750 do 2751 log_start 2752 run_cmd_nsb nettest -6 -s & 2753 sleep 1 2754 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2755 log_test_addr ${a} $? 0 "Client, device bind" 2756 done 2757 2758 for a in ${NSB_IP6} ${NSB_LO_IP6} 2759 do 2760 log_start 2761 show_hint "Should fail 'Connection refused'" 2762 run_cmd nettest -6 -r ${a} -d ${VRF} 2763 log_test_addr ${a} $? 1 "No server, VRF client" 2764 done 2765 2766 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 2767 do 2768 log_start 2769 show_hint "Should fail 'Connection refused'" 2770 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2771 log_test_addr ${a} $? 1 "No server, device client" 2772 done 2773 2774 for a in ${NSA_IP6} ${VRF_IP6} ::1 2775 do 2776 log_start 2777 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2778 sleep 1 2779 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 2780 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 2781 done 2782 2783 a=${NSA_IP6} 2784 log_start 2785 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2786 sleep 1 2787 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2788 log_test_addr ${a} $? 
0 "VRF server, device client, local connection" 2789 2790 a=${NSA_IP6} 2791 log_start 2792 show_hint "Should fail since unbound client is out of VRF scope" 2793 run_cmd nettest -6 -s -I ${VRF} & 2794 sleep 1 2795 run_cmd nettest -6 -r ${a} 2796 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection" 2797 2798 log_start 2799 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2800 sleep 1 2801 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 2802 log_test_addr ${a} $? 0 "Device server, VRF client, local connection" 2803 2804 for a in ${NSA_IP6} ${NSA_LINKIP6} 2805 do 2806 log_start 2807 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2808 sleep 1 2809 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2810 log_test_addr ${a} $? 0 "Device server, device client, local connection" 2811 done 2812} 2813 2814ipv6_tcp() 2815{ 2816 log_section "IPv6/TCP" 2817 log_subsection "No VRF" 2818 setup 2819 2820 # tcp_l3mdev_accept should have no affect without VRF; 2821 # run tests with it enabled and disabled to verify 2822 log_subsection "tcp_l3mdev_accept disabled" 2823 set_sysctl net.ipv4.tcp_l3mdev_accept=0 2824 ipv6_tcp_novrf 2825 log_subsection "tcp_l3mdev_accept enabled" 2826 set_sysctl net.ipv4.tcp_l3mdev_accept=1 2827 ipv6_tcp_novrf 2828 2829 log_subsection "With VRF" 2830 setup "yes" 2831 ipv6_tcp_vrf 2832} 2833 2834################################################################################ 2835# IPv6 UDP 2836 2837ipv6_udp_novrf() 2838{ 2839 local a 2840 2841 # 2842 # server tests 2843 # 2844 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2845 do 2846 log_start 2847 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 2848 sleep 1 2849 run_cmd_nsb nettest -6 -D -r ${a} 2850 log_test_addr ${a} $? 0 "Global server" 2851 2852 log_start 2853 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 2854 sleep 1 2855 run_cmd_nsb nettest -6 -D -r ${a} 2856 log_test_addr ${a} $? 
0 "Device server" 2857 done 2858 2859 a=${NSA_LO_IP6} 2860 log_start 2861 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 2862 sleep 1 2863 run_cmd_nsb nettest -6 -D -r ${a} 2864 log_test_addr ${a} $? 0 "Global server" 2865 2866 # should fail since loopback address is out of scope for a device 2867 # bound server, but it does not - hence this is more documenting 2868 # behavior. 2869 #log_start 2870 #show_hint "Should fail since loopback address is out of scope" 2871 #run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 2872 #sleep 1 2873 #run_cmd_nsb nettest -6 -D -r ${a} 2874 #log_test_addr ${a} $? 1 "Device server" 2875 2876 # negative test - should fail 2877 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2878 do 2879 log_start 2880 show_hint "Should fail 'Connection refused' since there is no server" 2881 run_cmd_nsb nettest -6 -D -r ${a} 2882 log_test_addr ${a} $? 1 "No server" 2883 done 2884 2885 # 2886 # client 2887 # 2888 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2889 do 2890 log_start 2891 run_cmd_nsb nettest -6 -D -s & 2892 sleep 1 2893 run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6} 2894 log_test_addr ${a} $? 0 "Client" 2895 2896 log_start 2897 run_cmd_nsb nettest -6 -D -s & 2898 sleep 1 2899 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6} 2900 log_test_addr ${a} $? 0 "Client, device bind" 2901 2902 log_start 2903 run_cmd_nsb nettest -6 -D -s & 2904 sleep 1 2905 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6} 2906 log_test_addr ${a} $? 0 "Client, device send via cmsg" 2907 2908 log_start 2909 run_cmd_nsb nettest -6 -D -s & 2910 sleep 1 2911 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6} 2912 log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF" 2913 2914 log_start 2915 show_hint "Should fail 'Connection refused'" 2916 run_cmd nettest -6 -D -r ${a} 2917 log_test_addr ${a} $? 
1 "No server, unbound client" 2918 2919 log_start 2920 show_hint "Should fail 'Connection refused'" 2921 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 2922 log_test_addr ${a} $? 1 "No server, device client" 2923 done 2924 2925 # 2926 # local address tests 2927 # 2928 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 2929 do 2930 log_start 2931 run_cmd nettest -6 -D -s & 2932 sleep 1 2933 run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a} 2934 log_test_addr ${a} $? 0 "Global server, local connection" 2935 done 2936 2937 a=${NSA_IP6} 2938 log_start 2939 run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 2940 sleep 1 2941 run_cmd nettest -6 -D -r ${a} 2942 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 2943 2944 for a in ${NSA_LO_IP6} ::1 2945 do 2946 log_start 2947 show_hint "Should fail 'Connection refused' since address is out of device scope" 2948 run_cmd nettest -6 -s -D -I ${NSA_DEV} & 2949 sleep 1 2950 run_cmd nettest -6 -D -r ${a} 2951 log_test_addr ${a} $? 1 "Device server, local connection" 2952 done 2953 2954 a=${NSA_IP6} 2955 log_start 2956 run_cmd nettest -6 -s -D & 2957 sleep 1 2958 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 2959 log_test_addr ${a} $? 0 "Global server, device client, local connection" 2960 2961 log_start 2962 run_cmd nettest -6 -s -D & 2963 sleep 1 2964 run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a} 2965 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 2966 2967 log_start 2968 run_cmd nettest -6 -s -D & 2969 sleep 1 2970 run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a} 2971 log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection" 2972 2973 for a in ${NSA_LO_IP6} ::1 2974 do 2975 log_start 2976 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 2977 run_cmd nettest -6 -D -s & 2978 sleep 1 2979 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 2980 log_test_addr ${a} $? 
1 "Global server, device client, local connection" 2981 2982 log_start 2983 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 2984 run_cmd nettest -6 -D -s & 2985 sleep 1 2986 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C 2987 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 2988 2989 log_start 2990 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 2991 run_cmd nettest -6 -D -s & 2992 sleep 1 2993 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S 2994 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 2995 done 2996 2997 a=${NSA_IP6} 2998 log_start 2999 run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3000 sleep 1 3001 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a} 3002 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3003 3004 log_start 3005 show_hint "Should fail 'Connection refused'" 3006 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3007 log_test_addr ${a} $? 1 "No server, device client, local conn" 3008 3009 # LLA to GUA 3010 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3011 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3012 log_start 3013 run_cmd nettest -6 -s -D & 3014 sleep 1 3015 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3016 log_test $? 0 "UDP in - LLA to GUA" 3017 3018 run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV} 3019 run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad 3020} 3021 3022ipv6_udp_vrf() 3023{ 3024 local a 3025 3026 # disable global server 3027 log_subsection "Global server disabled" 3028 set_sysctl net.ipv4.udp_l3mdev_accept=0 3029 3030 # 3031 # server tests 3032 # 3033 for a in ${NSA_IP6} ${VRF_IP6} 3034 do 3035 log_start 3036 show_hint "Should fail 'Connection refused' since global server is disabled" 3037 run_cmd nettest -6 -D -s & 3038 sleep 1 3039 run_cmd_nsb nettest -6 -D -r ${a} 3040 log_test_addr ${a} $? 
1 "Global server" 3041 done 3042 3043 for a in ${NSA_IP6} ${VRF_IP6} 3044 do 3045 log_start 3046 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3047 sleep 1 3048 run_cmd_nsb nettest -6 -D -r ${a} 3049 log_test_addr ${a} $? 0 "VRF server" 3050 done 3051 3052 for a in ${NSA_IP6} ${VRF_IP6} 3053 do 3054 log_start 3055 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3056 sleep 1 3057 run_cmd_nsb nettest -6 -D -r ${a} 3058 log_test_addr ${a} $? 0 "Enslaved device server" 3059 done 3060 3061 # negative test - should fail 3062 for a in ${NSA_IP6} ${VRF_IP6} 3063 do 3064 log_start 3065 show_hint "Should fail 'Connection refused' since there is no server" 3066 run_cmd_nsb nettest -6 -D -r ${a} 3067 log_test_addr ${a} $? 1 "No server" 3068 done 3069 3070 # 3071 # local address tests 3072 # 3073 for a in ${NSA_IP6} ${VRF_IP6} 3074 do 3075 log_start 3076 show_hint "Should fail 'Connection refused' since global server is disabled" 3077 run_cmd nettest -6 -D -s & 3078 sleep 1 3079 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3080 log_test_addr ${a} $? 1 "Global server, VRF client, local conn" 3081 done 3082 3083 for a in ${NSA_IP6} ${VRF_IP6} 3084 do 3085 log_start 3086 run_cmd nettest -6 -D -I ${VRF} -s & 3087 sleep 1 3088 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3089 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3090 done 3091 3092 a=${NSA_IP6} 3093 log_start 3094 show_hint "Should fail 'Connection refused' since global server is disabled" 3095 run_cmd nettest -6 -D -s & 3096 sleep 1 3097 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3098 log_test_addr ${a} $? 1 "Global server, device client, local conn" 3099 3100 log_start 3101 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3102 sleep 1 3103 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3104 log_test_addr ${a} $? 
0 "VRF server, device client, local conn" 3105 3106 log_start 3107 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3108 sleep 1 3109 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3110 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 3111 3112 log_start 3113 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3114 sleep 1 3115 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3116 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 3117 3118 # disable global server 3119 log_subsection "Global server enabled" 3120 set_sysctl net.ipv4.udp_l3mdev_accept=1 3121 3122 # 3123 # server tests 3124 # 3125 for a in ${NSA_IP6} ${VRF_IP6} 3126 do 3127 log_start 3128 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3129 sleep 1 3130 run_cmd_nsb nettest -6 -D -r ${a} 3131 log_test_addr ${a} $? 0 "Global server" 3132 done 3133 3134 for a in ${NSA_IP6} ${VRF_IP6} 3135 do 3136 log_start 3137 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3138 sleep 1 3139 run_cmd_nsb nettest -6 -D -r ${a} 3140 log_test_addr ${a} $? 0 "VRF server" 3141 done 3142 3143 for a in ${NSA_IP6} ${VRF_IP6} 3144 do 3145 log_start 3146 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3147 sleep 1 3148 run_cmd_nsb nettest -6 -D -r ${a} 3149 log_test_addr ${a} $? 0 "Enslaved device server" 3150 done 3151 3152 # negative test - should fail 3153 for a in ${NSA_IP6} ${VRF_IP6} 3154 do 3155 log_start 3156 run_cmd_nsb nettest -6 -D -r ${a} 3157 log_test_addr ${a} $? 1 "No server" 3158 done 3159 3160 # 3161 # client tests 3162 # 3163 log_start 3164 run_cmd_nsb nettest -6 -D -s & 3165 sleep 1 3166 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3167 log_test $? 0 "VRF client" 3168 3169 # negative test - should fail 3170 log_start 3171 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3172 log_test $? 1 "No server, VRF client" 3173 3174 log_start 3175 run_cmd_nsb nettest -6 -D -s & 3176 sleep 1 3177 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3178 log_test $? 
0 "Enslaved device client" 3179 3180 # negative test - should fail 3181 log_start 3182 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3183 log_test $? 1 "No server, enslaved device client" 3184 3185 # 3186 # local address tests 3187 # 3188 a=${NSA_IP6} 3189 log_start 3190 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3191 sleep 1 3192 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3193 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 3194 3195 #log_start 3196 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3197 sleep 1 3198 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3199 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3200 3201 3202 a=${VRF_IP6} 3203 log_start 3204 run_cmd nettest -6 -D -s -3 ${VRF} & 3205 sleep 1 3206 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3207 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 3208 3209 log_start 3210 run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} & 3211 sleep 1 3212 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3213 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3214 3215 # negative test - should fail 3216 for a in ${NSA_IP6} ${VRF_IP6} 3217 do 3218 log_start 3219 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3220 log_test_addr ${a} $? 1 "No server, VRF client, local conn" 3221 done 3222 3223 # device to global IP 3224 a=${NSA_IP6} 3225 log_start 3226 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3227 sleep 1 3228 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3229 log_test_addr ${a} $? 0 "Global server, device client, local conn" 3230 3231 log_start 3232 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3233 sleep 1 3234 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3235 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 3236 3237 log_start 3238 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3239 sleep 1 3240 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3241 log_test_addr ${a} $? 
0 "Device server, VRF client, local conn" 3242 3243 log_start 3244 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3245 sleep 1 3246 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3247 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3248 3249 log_start 3250 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3251 log_test_addr ${a} $? 1 "No server, device client, local conn" 3252 3253 3254 # link local addresses 3255 log_start 3256 run_cmd nettest -6 -D -s & 3257 sleep 1 3258 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3259 log_test $? 0 "Global server, linklocal IP" 3260 3261 log_start 3262 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3263 log_test $? 1 "No server, linklocal IP" 3264 3265 3266 log_start 3267 run_cmd_nsb nettest -6 -D -s & 3268 sleep 1 3269 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3270 log_test $? 0 "Enslaved device client, linklocal IP" 3271 3272 log_start 3273 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3274 log_test $? 1 "No server, device client, peer linklocal IP" 3275 3276 3277 log_start 3278 run_cmd nettest -6 -D -s & 3279 sleep 1 3280 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3281 log_test $? 0 "Enslaved device client, local conn - linklocal IP" 3282 3283 log_start 3284 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3285 log_test $? 1 "No server, device client, local conn - linklocal IP" 3286 3287 # LLA to GUA 3288 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3289 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3290 log_start 3291 run_cmd nettest -6 -s -D & 3292 sleep 1 3293 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3294 log_test $? 
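0 "UDP in - LLA to GUA"

	# undo the LLA-to-GUA setup: drop the host route and put the
	# global address back on the ns-B device
	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}

# Entry point for the IPv6/UDP tests.
#
# Runs the non-VRF cases twice, with udp_l3mdev_accept off and then on,
# and afterwards the VRF cases on a fresh 'setup "yes"'.
# setup, set_sysctl and the log_* helpers are defined outside this span.
ipv6_udp()
{
	# should not matter, but set to known state
	set_sysctl net.ipv4.udp_early_demux=1

	log_section "IPv6/UDP"
	log_subsection "No VRF"
	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv6_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv6_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_udp_vrf
}

################################################################################
# IPv6 address bind

# Bind checks without a VRF: raw ipv6-icmp and TCP sockets bound to a
# local address, with and without a device bind. The last case expects
# the bind to fail because the address sits on loopback, outside the
# scope of the device the socket is bound to.
ipv6_addr_bind_novrf()
{
	# keep the loop variable out of the global scope, as the other
	# test functions in this file do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# tcp sockets
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Should fail with 'Cannot assign requested address'"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
}

# Bind checks with a VRF. Addresses on the enslaved device or on the VRF
# device must be bindable after a VRF bind; an address on loopback is
# outside the VRF and the bind is expected to fail (rc 1). These negative
# cases are what show that the VRF scope is enforced at bind time.
ipv6_addr_bind_vrf()
{
	# keep the loop variable out of the global scope, as the other
	# test functions in this file do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"

	#
	# tcp sockets
	#
	# address on enslaved device is valid for the VRF or device in a VRF
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"

	# the VRF device's own address is not valid for a socket bound to
	# the enslaved device
	a=${VRF_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to VRF address with device bind"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $?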
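1 "TCP socket bind to invalid local address for device bind"

}

# Run the IPv6 address-bind tests twice: once on a plain setup and once
# with the VRF configured (setup "yes").
ipv6_addr_bind()
{
	log_section "IPv6 address binds"

	log_subsection "No VRF"
	setup
	ipv6_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_addr_bind_vrf
}

################################################################################
# IPv6 runtime tests

# Delete the VRF device while nettest sockets are active.
#
# Arguments: $1 - description used as the prefix of every test label
#            $2 - extra nettest options, appended after "-6"
#
# Each case starts a server and a client in the background, removes ${VRF}
# and then rebuilds the topology with setup. Every result is logged with
# rc 0 and expected 0, so these cases cannot fail on their own; presumably
# the value is in exercising device removal under live sockets, with any
# kernel fault showing up outside this script - confirm.
ipv6_rt()
{
	local desc="$1"
	# deliberately expanded unquoted below so that it splits into options
	local varg="-6 $2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${NSA_DEV} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, enslaved device server"

		setup ${with_vrf}
	done

	#
	# client test
	#
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, enslaved device client"

	setup ${with_vrf}


	#
	# local address tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server, VRF client"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server and client"

		setup ${with_vrf}
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, global server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${VRF} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, device server, device client"
}

# Delete the VRF device while a flood ping (-f) is running, first with the
# ping coming in from ns-B and then with the ping going out through ${VRF}.
# As in ipv6_rt, both results are logged with rc 0 / expected 0.
ipv6_ping_rt()
{
	local with_vrf="yes"
	local a

	a=${NSA_IP6}
	log_start
	run_cmd_nsb ${ping6} -f ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

	setup ${with_vrf}

	log_start
	run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
	sleep 1
	run_cmd ip link del ${VRF}
	sleep 1
	# NOTE(review): the label is built from ${a} (NSA_IP6) although the ping
	# above targets NSB_IP6 - confirm this is the intended address string.
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

# Run the device-delete tests for ping, TCP (active and passive) and UDP,
# rebuilding the VRF topology before each group.
ipv6_runtime()
{
	log_section "Run time tests - ipv6"

	setup "yes"
	ipv6_ping_rt

	setup "yes"
	ipv6_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv6_rt "TCP passive socket" "-i"

	setup "yes"
	ipv6_rt "UDP active socket" "-D -n -1"
}

################################################################################
# netfilter blocking connections

# With a REJECT rule installed by the caller, a client in ns-B connecting to
# each ns-A address is expected to fail (nettest rc 1).
netfilter_tcp_reset()
{
	local a

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

# Same check as netfilter_tcp_reset for the icmp-port-unreachable rules.
#
# Arguments: $1 - "TCP" or "UDP"; "UDP" adds -D to both nettest commands
netfilter_icmp()
{
	local stype="$1"
	local arg
	local a

	[ "${stype}" = "UDP" ] && arg="-D"

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${arg} -s &
		sleep 1
		run_cmd_nsb nettest ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}

# IPv4 netfilter tests: install REJECT rules for port 12345 (tcp-reset, then
# icmp-port-unreachable for TCP and UDP) and verify that clients are refused.
# The nettest calls pass no port, so 12345 is presumably nettest's default -
# confirm.
ipv4_netfilter()
{
	log_section "IPv4 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp_reset

	log_start
	log_subsection "ICMP unreachable"

	log_start
	run_cmd iptables -F
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
	run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable

	netfilter_icmp "TCP"
	netfilter_icmp "UDP"

	log_start
	# Flush through run_cmd like every other rule change in this function.
	# A bare 'iptables -F' acts on the namespace the script itself runs in
	# (normally the host's filter table) and leaves the test rules in place.
	# run_cmd is defined outside this view - presumably it targets ns-A.
	run_cmd iptables -F
}

# IPv6 counterpart of netfilter_tcp_reset.
netfilter_tcp6_reset()
{
	local a

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

# IPv6 counterpart of netfilter_icmp.
#
# Arguments: $1 - "TCP" or "UDP"; "UDP" adds -D to both nettest commands
netfilter_icmp6()
{
	local stype="$1"
	local arg
	local a

	[ "${stype}" = "UDP" ] && arg="$arg -D"

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s ${arg} &
		sleep 1
		run_cmd_nsb nettest -6 ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}

# IPv6 netfilter tests; same sequence as ipv4_netfilter using ip6tables.
ipv6_netfilter()
{
	log_section "IPv6 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp6_reset

	log_subsection "ICMP unreachable"

	log_start
	run_cmd ip6tables -F
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
	run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable

	netfilter_icmp6 "TCP"
	netfilter_icmp6 "UDP"

	log_start
	# Same reasoning as in ipv4_netfilter: flush where the rules were added,
	# not in the namespace the script was started from.
	run_cmd ip6tables -F
}

################################################################################
# specific use cases

# VRF only.
# ns-A device enslaved to bridge. Verify traffic with and without
# br_netfilter module loaded. Repeat with SVI on bridge.
#
# br_netfilter is loaded and unloaded with modprobe/rmmod, which acts on the
# whole machine rather than on a test namespace, so this case changes how
# bridged traffic is filtered host-wide while it runs.
# NOTE(review): nothing unloads the module again after the last modprobe.
use_case_br()
{
	setup "yes"

	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
	setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64

	setup_cmd ip link add br0 type bridge
	setup_cmd ip addr add dev br0 ${NSA_IP}/24
	setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad

	setup_cmd ip li set ${NSA_DEV} master br0
	setup_cmd ip li set ${NSA_DEV} up
	setup_cmd ip li set br0 up
	setup_cmd ip li set br0 vrf ${VRF}

	# best effort: the module may simply not be loaded
	rmmod br_netfilter 2>/dev/null
	sleep 5 # DAD

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 ${NSA_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping in"

	# repeat only if the module could be loaded
	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out"

		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 ${NSA_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in"
	fi

	# second pass: VLAN 100 interface on top of the bridge, in the VRF
	setup_cmd ip li set br0 nomaster
	setup_cmd ip li add br0.100 link br0 type vlan id 100
	setup_cmd ip li set br0.100 vrf ${VRF} up
	setup_cmd ip addr add dev br0.100 172.16.101.1/24
	setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad

	setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
	setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
	setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
	setup_cmd_nsb ip li set vlan100 up
	sleep 1

	rmmod br_netfilter 2>/dev/null

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 172.16.101.1
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"

	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out"

		# The two "ping in" labels below used to repeat the labels of the
		# run without br_netfilter, which made the results ambiguous.
		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 172.16.101.1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping in"
	fi

	setup_cmd ip li del br0 2>/dev/null
	setup_cmd_nsb ip li del vlan100 2>/dev/null
}

# VRF only.
# ns-A device is connected to both ns-B and ns-C on a single VRF but only has
# LLA on the interfaces
#
# ns-B and ns-C ping the all-nodes multicast address before and after each
# ns-A interface is cycled; every ping is expected to succeed.
use_case_ping_lla_multi()
{
	setup_lla_only
	# only want reply from ns-A
	setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
	setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B"

	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C"

	# cycle/flap the first ns-A interface
	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip link set ${NSA_DEV} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C"

	# cycle/flap the second ns-A interface
	setup_cmd ip link set ${NSA_DEV2} down
	setup_cmd ip link set ${NSA_DEV2} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C"
}

# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully
# established with ns-B.
#
# The SNAT rules are removed again with matching -D commands, so only the
# rules added here are touched.
use_case_snat_on_vrf()
{
	setup "yes"

	local port="12345"

	run_cmd iptables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}

	run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} &
	sleep 1
	run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port}
	log_test $? 0 "IPv4 TCP connection over VRF with SNAT"

	run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} &
	sleep 1
	run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port}
	log_test $? 0 "IPv6 TCP connection over VRF with SNAT"

	# Cleanup
	run_cmd iptables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
}

# Run the three use-case scenarios in order.
use_cases()
{
	log_section "Use cases"
	log_subsection "Device enslaved to bridge"
	use_case_br
	log_subsection "Ping LLA with multiple interfaces"
	use_case_ping_lla_multi
	log_subsection "SNAT on VRF"
	use_case_snat_on_vrf
}

################################################################################
# usage

# Print the command line help to stdout.
usage()
{
	cat <<EOF
usage: ${0##*/} OPTS

	-4          IPv4 tests only
	-6          IPv6 tests only
	-t <test>   Test name/set to run
	-p          Pause on fail
	-P          Pause after each test
	-v          Be verbose
EOF
}

################################################################################
# main

TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_addr_bind ipv4_runtime ipv4_netfilter"
TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_addr_bind ipv6_runtime ipv6_netfilter"
TESTS_OTHER="use_cases"

PAUSE_ON_FAIL=no
PAUSE=no

while getopts :46t:pPvh o
do
	case $o in
		4) TESTS=ipv4;;
		6) TESTS=ipv6;;
		t) TESTS=$OPTARG;;
		p) PAUSE_ON_FAIL=yes;;
		P) PAUSE=yes;;
		v) VERBOSE=1;;
		h) usage; exit 0;;
		*) usage; exit 1;;
	esac
done

# make sure we don't pause twice
[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no

#
# show user test config
#
if [ -z "$TESTS" ]; then
	TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
elif [ "$TESTS" = "ipv4" ]; then
	TESTS="$TESTS_IPV4"
elif [ "$TESTS" = "ipv6" ]; then
	TESTS="$TESTS_IPV6"
fi

if ! command -v nettest >/dev/null 2>&1; then
	echo "'nettest' command not found; skipping tests"
	exit $ksft_skip
fi

declare -i nfail=0
declare -i nsuccess=0

# $TESTS is expanded unquoted on purpose: it is a space-separated list.
for t in $TESTS
do
	case $t in
	ipv4_ping|ping)  ipv4_ping;;
	ipv4_tcp|tcp)    ipv4_tcp;;
	ipv4_udp|udp)    ipv4_udp;;
	# TESTS_IPV4/TESTS_IPV6 list the *_addr_bind names; without them in the
	# patterns the bind tests were silently skipped in a default run.
	ipv4_addr_bind|ipv4_bind|bind)   ipv4_addr_bind;;
	ipv4_runtime)    ipv4_runtime;;
	ipv4_netfilter)  ipv4_netfilter;;

	ipv6_ping|ping6) ipv6_ping;;
	ipv6_tcp|tcp6)   ipv6_tcp;;
	ipv6_udp|udp6)   ipv6_udp;;
	ipv6_addr_bind|ipv6_bind|bind6)  ipv6_addr_bind;;
	ipv6_runtime)    ipv6_runtime;;
	ipv6_netfilter)  ipv6_netfilter;;

	use_cases)       use_cases;;

	# setup namespaces and config, but do not run any tests
	setup)		 setup; exit 0;;
	vrf_setup)	 setup "yes"; exit 0;;

	# list the known test sets; $TESTS holds only what the user passed
	help)            echo "Test names: $TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"; exit 0;;

	# a mistyped name would otherwise look like a run with nothing to report
	*)               echo "Unknown test '$t' - skipped" >&2;;
	esac
done

cleanup 2>/dev/null

printf "\nTests passed: %3d\n" ${nsuccess}
printf "Tests failed: %3d\n" ${nfail}
# NOTE(review): the exit status is that of the printf above, so a non-zero
# nfail is not reported to the caller - consider exiting non-zero on failure.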