1#!/bin/bash 2# SPDX-License-Identifier: GPL-2.0 3# 4# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved. 5# 6# IPv4 and IPv6 functional tests focusing on VRF and routing lookups 7# for various permutations: 8# 1. icmp, tcp, udp and netfilter 9# 2. client, server, no-server 10# 3. global address on interface 11# 4. global address on 'lo' 12# 5. remote and local traffic 13# 6. VRF and non-VRF permutations 14# 15# Setup: 16# ns-A | ns-B 17# No VRF case: 18# [ lo ] [ eth1 ]---|---[ eth1 ] [ lo ] 19# remote address 20# VRF case: 21# [ red ]---[ eth1 ]---|---[ eth1 ] [ lo ] 22# 23# ns-A: 24# eth1: 172.16.1.1/24, 2001:db8:1::1/64 25# lo: 127.0.0.1/8, ::1/128 26# 172.16.2.1/32, 2001:db8:2::1/128 27# red: 127.0.0.1/8, ::1/128 28# 172.16.3.1/32, 2001:db8:3::1/128 29# 30# ns-B: 31# eth1: 172.16.1.2/24, 2001:db8:1::2/64 32# lo2: 127.0.0.1/8, ::1/128 33# 172.16.2.2/32, 2001:db8:2::2/128 34# 35# ns-A to ns-C connection - only for VRF and same config 36# as ns-A to ns-B 37# 38# server / client nomenclature relative to ns-A 39 40# Kselftest framework requirement - SKIP code is 4. 41ksft_skip=4 42 43VERBOSE=0 44 45NSA_DEV=eth1 46NSA_DEV2=eth2 47NSB_DEV=eth1 48NSC_DEV=eth2 49VRF=red 50VRF_TABLE=1101 51 52# IPv4 config 53NSA_IP=172.16.1.1 54NSB_IP=172.16.1.2 55VRF_IP=172.16.3.1 56NS_NET=172.16.1.0/24 57 58# IPv6 config 59NSA_IP6=2001:db8:1::1 60NSB_IP6=2001:db8:1::2 61VRF_IP6=2001:db8:3::1 62NS_NET6=2001:db8:1::/120 63 64NSA_LO_IP=172.16.2.1 65NSB_LO_IP=172.16.2.2 66NSA_LO_IP6=2001:db8:2::1 67NSB_LO_IP6=2001:db8:2::2 68 69MD5_PW=abc123 70MD5_WRONG_PW=abc1234 71 72MCAST=ff02::1 73# set after namespace create 74NSA_LINKIP6= 75NSB_LINKIP6= 76 77NSA=ns-A 78NSB=ns-B 79NSC=ns-C 80 81NSA_CMD="ip netns exec ${NSA}" 82NSB_CMD="ip netns exec ${NSB}" 83NSC_CMD="ip netns exec ${NSC}" 84 85which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping) 86 87################################################################################ 88# utilities 89 90log_test() 91{ 92 local rc=$1 93 local expected=$2 94 local msg="$3" 95 96 [ "${VERBOSE}" = "1" ] && echo 97 98 if [ ${rc} -eq ${expected} ]; then 99 nsuccess=$((nsuccess+1)) 100 printf "TEST: %-70s [ OK ]\n" "${msg}" 101 else 102 nfail=$((nfail+1)) 103 printf "TEST: %-70s [FAIL]\n" "${msg}" 104 if [ "${PAUSE_ON_FAIL}" = "yes" ]; then 105 echo 106 echo "hit enter to continue, 'q' to quit" 107 read a 108 [ "$a" = "q" ] && exit 1 109 fi 110 fi 111 112 if [ "${PAUSE}" = "yes" ]; then 113 echo 114 echo "hit enter to continue, 'q' to quit" 115 read a 116 [ "$a" = "q" ] && exit 1 117 fi 118 119 kill_procs 120} 121 122log_test_addr() 123{ 124 local addr=$1 125 local rc=$2 126 local expected=$3 127 local msg="$4" 128 local astr 129 130 astr=$(addr2str ${addr}) 131 log_test $rc $expected "$msg - ${astr}" 132} 133 134log_section() 135{ 136 echo 137 echo "###########################################################################" 138 echo "$*" 139 echo "###########################################################################" 140 echo 141} 142 143log_subsection() 144{ 145 echo 146 echo "#################################################################" 147 echo "$*" 148 echo 149} 150 151log_start() 152{ 153 # make sure we have no test instances running 154 kill_procs 155 156 if [ "${VERBOSE}" = "1" ]; then 157 echo 158 echo "#######################################################" 159 fi 160} 161 162log_debug() 163{ 164 if [ "${VERBOSE}" = "1" ]; then 165 echo 166 echo "$*" 167 echo 168 fi 169} 170 171show_hint() 172{ 173 if [ "${VERBOSE}" = "1" ]; then 174 echo "HINT: $*" 175 echo 176 fi 177} 178 179kill_procs() 180{ 181 killall nettest ping ping6 >/dev/null 2>&1 182 sleep 1 183} 184 185do_run_cmd() 186{ 187 local cmd="$*" 188 local out 189 190 if [ "$VERBOSE" = "1" ]; then 191 echo "COMMAND: ${cmd}" 192 fi 193 194 out=$($cmd 2>&1) 195 rc=$? 196 if [ "$VERBOSE" = "1" -a -n "$out" ]; then 197 echo "$out" 198 fi 199 200 return $rc 201} 202 203run_cmd() 204{ 205 do_run_cmd ${NSA_CMD} $* 206} 207 208run_cmd_nsb() 209{ 210 do_run_cmd ${NSB_CMD} $* 211} 212 213run_cmd_nsc() 214{ 215 do_run_cmd ${NSC_CMD} $* 216} 217 218setup_cmd() 219{ 220 local cmd="$*" 221 local rc 222 223 run_cmd ${cmd} 224 rc=$? 225 if [ $rc -ne 0 ]; then 226 # show user the command if not done so already 227 if [ "$VERBOSE" = "0" ]; then 228 echo "setup command: $cmd" 229 fi 230 echo "failed. stopping tests" 231 if [ "${PAUSE_ON_FAIL}" = "yes" ]; then 232 echo 233 echo "hit enter to continue" 234 read a 235 fi 236 exit $rc 237 fi 238} 239 240setup_cmd_nsb() 241{ 242 local cmd="$*" 243 local rc 244 245 run_cmd_nsb ${cmd} 246 rc=$? 247 if [ $rc -ne 0 ]; then 248 # show user the command if not done so already 249 if [ "$VERBOSE" = "0" ]; then 250 echo "setup command: $cmd" 251 fi 252 echo "failed. stopping tests" 253 if [ "${PAUSE_ON_FAIL}" = "yes" ]; then 254 echo 255 echo "hit enter to continue" 256 read a 257 fi 258 exit $rc 259 fi 260} 261 262setup_cmd_nsc() 263{ 264 local cmd="$*" 265 local rc 266 267 run_cmd_nsc ${cmd} 268 rc=$? 269 if [ $rc -ne 0 ]; then 270 # show user the command if not done so already 271 if [ "$VERBOSE" = "0" ]; then 272 echo "setup command: $cmd" 273 fi 274 echo "failed. stopping tests" 275 if [ "${PAUSE_ON_FAIL}" = "yes" ]; then 276 echo 277 echo "hit enter to continue" 278 read a 279 fi 280 exit $rc 281 fi 282} 283 284# set sysctl values in NS-A 285set_sysctl() 286{ 287 echo "SYSCTL: $*" 288 echo 289 run_cmd sysctl -q -w $* 290} 291 292# get sysctl values in NS-A 293get_sysctl() 294{ 295 ${NSA_CMD} sysctl -n $* 296} 297 298################################################################################ 299# Setup for tests 300 301addr2str() 302{ 303 case "$1" in 304 127.0.0.1) echo "loopback";; 305 ::1) echo "IPv6 loopback";; 306 307 ${NSA_IP}) echo "ns-A IP";; 308 ${NSA_IP6}) echo "ns-A IPv6";; 309 ${NSA_LO_IP}) echo "ns-A loopback IP";; 310 ${NSA_LO_IP6}) echo "ns-A loopback IPv6";; 311 ${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";; 312 313 ${NSB_IP}) echo "ns-B IP";; 314 ${NSB_IP6}) echo "ns-B IPv6";; 315 ${NSB_LO_IP}) echo "ns-B loopback IP";; 316 ${NSB_LO_IP6}) echo "ns-B loopback IPv6";; 317 ${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";; 318 319 ${VRF_IP}) echo "VRF IP";; 320 ${VRF_IP6}) echo "VRF IPv6";; 321 322 ${MCAST}%*) echo "multicast IP";; 323 324 *) echo "unknown";; 325 esac 326} 327 328get_linklocal() 329{ 330 local ns=$1 331 local dev=$2 332 local addr 333 334 addr=$(ip -netns ${ns} -6 -br addr show dev ${dev} | \ 335 awk '{ 336 for (i = 3; i <= NF; ++i) { 337 if ($i ~ /^fe80/) 338 print $i 339 } 340 }' 341 ) 342 addr=${addr/\/*} 343 344 [ -z "$addr" ] && return 1 345 346 echo $addr 347 348 return 0 349} 350 351################################################################################ 352# create namespaces and vrf 353 354create_vrf() 355{ 356 local ns=$1 357 local vrf=$2 358 local table=$3 359 local addr=$4 360 local addr6=$5 361 362 ip -netns ${ns} link add ${vrf} type vrf table ${table} 363 ip -netns ${ns} link set ${vrf} up 364 ip -netns ${ns} route add vrf ${vrf} unreachable default metric 8192 365 ip -netns ${ns} -6 route add vrf ${vrf} unreachable default metric 8192 366 367 ip -netns ${ns} addr add 127.0.0.1/8 dev ${vrf} 368 ip -netns ${ns} -6 addr add ::1 dev ${vrf} nodad 369 if [ "${addr}" != "-" ]; then 370 ip -netns ${ns} addr add dev ${vrf} ${addr} 371 fi 372 if [ "${addr6}" != "-" ]; then 373 ip -netns ${ns} -6 addr add dev ${vrf} ${addr6} 374 fi 375 376 ip -netns ${ns} ru del pref 0 377 ip -netns ${ns} ru add pref 32765 from all lookup local 378 ip -netns ${ns} -6 ru del pref 0 379 ip -netns ${ns} -6 ru add pref 32765 from all lookup local 380} 381 382create_ns() 383{ 384 local ns=$1 385 local addr=$2 386 local addr6=$3 387 388 ip netns add ${ns} 389 390 ip -netns ${ns} link set lo up 391 if [ "${addr}" != "-" ]; then 392 ip -netns ${ns} addr add dev lo ${addr} 393 fi 394 if [ "${addr6}" != "-" ]; then 395 ip -netns ${ns} -6 addr add dev lo ${addr6} 396 fi 397 398 ip -netns ${ns} ro add unreachable default metric 8192 399 ip -netns ${ns} -6 ro add unreachable default metric 8192 400 401 ip netns exec ${ns} sysctl -qw net.ipv4.ip_forward=1 402 ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1 403 ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.forwarding=1 404 ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.forwarding=1 405} 406 407# create veth pair to connect namespaces and apply addresses. 408connect_ns() 409{ 410 local ns1=$1 411 local ns1_dev=$2 412 local ns1_addr=$3 413 local ns1_addr6=$4 414 local ns2=$5 415 local ns2_dev=$6 416 local ns2_addr=$7 417 local ns2_addr6=$8 418 419 ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp 420 ip -netns ${ns1} li set ${ns1_dev} up 421 ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev} 422 ip -netns ${ns2} li set ${ns2_dev} up 423 424 if [ "${ns1_addr}" != "-" ]; then 425 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr} 426 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr} 427 fi 428 429 if [ "${ns1_addr6}" != "-" ]; then 430 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6} 431 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6} 432 fi 433} 434 435cleanup() 436{ 437 # explicit cleanups to check those code paths 438 ip netns | grep -q ${NSA} 439 if [ $? -eq 0 ]; then 440 ip -netns ${NSA} link delete ${VRF} 441 ip -netns ${NSA} ro flush table ${VRF_TABLE} 442 443 ip -netns ${NSA} addr flush dev ${NSA_DEV} 444 ip -netns ${NSA} -6 addr flush dev ${NSA_DEV} 445 ip -netns ${NSA} link set dev ${NSA_DEV} down 446 ip -netns ${NSA} link del dev ${NSA_DEV} 447 448 ip netns pids ${NSA} | xargs kill 2>/dev/null 449 ip netns del ${NSA} 450 fi 451 452 ip netns pids ${NSB} | xargs kill 2>/dev/null 453 ip netns del ${NSB} 454 ip netns pids ${NSC} | xargs kill 2>/dev/null 455 ip netns del ${NSC} >/dev/null 2>&1 456} 457 458setup() 459{ 460 local with_vrf=${1} 461 462 # make sure we are starting with a clean slate 463 kill_procs 464 cleanup 2>/dev/null 465 466 log_debug "Configuring network namespaces" 467 set -e 468 469 create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128 470 create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128 471 connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \ 472 ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 473 474 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 475 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 476 477 # tell ns-A how to get to remote addresses of ns-B 478 if [ "${with_vrf}" = "yes" ]; then 479 create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6} 480 481 ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF} 482 ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 483 ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 484 485 ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 486 ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 487 488 # some VRF tests use ns-C which has the same config as 489 # ns-B but for a device NOT in the VRF 490 create_ns ${NSC} "-" "-" 491 connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \ 492 ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 493 else 494 ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 495 ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 496 fi 497 498 499 # tell ns-B how to get to remote addresses of ns-A 500 ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 501 ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 502 503 set +e 504 505 sleep 1 506} 507 508setup_lla_only() 509{ 510 # make sure we are starting with a clean slate 511 kill_procs 512 cleanup 2>/dev/null 513 514 log_debug "Configuring network namespaces" 515 set -e 516 517 create_ns ${NSA} "-" "-" 518 create_ns ${NSB} "-" "-" 519 create_ns ${NSC} "-" "-" 520 connect_ns ${NSA} ${NSA_DEV} "-" "-" \ 521 ${NSB} ${NSB_DEV} "-" "-" 522 connect_ns ${NSA} ${NSA_DEV2} "-" "-" \ 523 ${NSC} ${NSC_DEV} "-" "-" 524 525 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 526 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 527 NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV}) 528 529 create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-" 530 ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF} 531 ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF} 532 533 set +e 534 535 sleep 1 536} 537 538################################################################################ 539# IPv4 540 541ipv4_ping_novrf() 542{ 543 local a 544 545 # 546 # out 547 # 548 for a in ${NSB_IP} ${NSB_LO_IP} 549 do 550 log_start 551 run_cmd ping -c1 -w1 ${a} 552 log_test_addr ${a} $? 0 "ping out" 553 554 log_start 555 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 556 log_test_addr ${a} $? 0 "ping out, device bind" 557 558 log_start 559 run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a} 560 log_test_addr ${a} $? 0 "ping out, address bind" 561 done 562 563 # 564 # in 565 # 566 for a in ${NSA_IP} ${NSA_LO_IP} 567 do 568 log_start 569 run_cmd_nsb ping -c1 -w1 ${a} 570 log_test_addr ${a} $? 0 "ping in" 571 done 572 573 # 574 # local traffic 575 # 576 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 577 do 578 log_start 579 run_cmd ping -c1 -w1 ${a} 580 log_test_addr ${a} $? 0 "ping local" 581 done 582 583 # 584 # local traffic, socket bound to device 585 # 586 # address on device 587 a=${NSA_IP} 588 log_start 589 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 590 log_test_addr ${a} $? 0 "ping local, device bind" 591 592 # loopback addresses not reachable from device bind 593 # fails in a really weird way though because ipv4 special cases 594 # route lookups with oif set. 595 for a in ${NSA_LO_IP} 127.0.0.1 596 do 597 log_start 598 show_hint "Fails since address on loopback device is out of device scope" 599 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 600 log_test_addr ${a} $? 1 "ping local, device bind" 601 done 602 603 # 604 # ip rule blocks reachability to remote address 605 # 606 log_start 607 setup_cmd ip rule add pref 32765 from all lookup local 608 setup_cmd ip rule del pref 0 from all lookup local 609 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 610 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 611 612 a=${NSB_LO_IP} 613 run_cmd ping -c1 -w1 ${a} 614 log_test_addr ${a} $? 2 "ping out, blocked by rule" 615 616 # NOTE: ipv4 actually allows the lookup to fail and yet still create 617 # a viable rtable if the oif (e.g., bind to device) is set, so this 618 # case succeeds despite the rule 619 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 620 621 a=${NSA_LO_IP} 622 log_start 623 show_hint "Response generates ICMP (or arp request is ignored) due to ip rule" 624 run_cmd_nsb ping -c1 -w1 ${a} 625 log_test_addr ${a} $? 1 "ping in, blocked by rule" 626 627 [ "$VERBOSE" = "1" ] && echo 628 setup_cmd ip rule del pref 32765 from all lookup local 629 setup_cmd ip rule add pref 0 from all lookup local 630 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 631 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 632 633 # 634 # route blocks reachability to remote address 635 # 636 log_start 637 setup_cmd ip route replace unreachable ${NSB_LO_IP} 638 setup_cmd ip route replace unreachable ${NSB_IP} 639 640 a=${NSB_LO_IP} 641 run_cmd ping -c1 -w1 ${a} 642 log_test_addr ${a} $? 2 "ping out, blocked by route" 643 644 # NOTE: ipv4 actually allows the lookup to fail and yet still create 645 # a viable rtable if the oif (e.g., bind to device) is set, so this 646 # case succeeds despite not having a route for the address 647 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 648 649 a=${NSA_LO_IP} 650 log_start 651 show_hint "Response is dropped (or arp request is ignored) due to ip route" 652 run_cmd_nsb ping -c1 -w1 ${a} 653 log_test_addr ${a} $? 1 "ping in, blocked by route" 654 655 # 656 # remove 'remote' routes; fallback to default 657 # 658 log_start 659 setup_cmd ip ro del ${NSB_LO_IP} 660 661 a=${NSB_LO_IP} 662 run_cmd ping -c1 -w1 ${a} 663 log_test_addr ${a} $? 2 "ping out, unreachable default route" 664 665 # NOTE: ipv4 actually allows the lookup to fail and yet still create 666 # a viable rtable if the oif (e.g., bind to device) is set, so this 667 # case succeeds despite not having a route for the address 668 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 669} 670 671ipv4_ping_vrf() 672{ 673 local a 674 675 # should default on; does not exist on older kernels 676 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 677 678 # 679 # out 680 # 681 for a in ${NSB_IP} ${NSB_LO_IP} 682 do 683 log_start 684 run_cmd ping -c1 -w1 -I ${VRF} ${a} 685 log_test_addr ${a} $? 0 "ping out, VRF bind" 686 687 log_start 688 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 689 log_test_addr ${a} $? 0 "ping out, device bind" 690 691 log_start 692 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a} 693 log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind" 694 695 log_start 696 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a} 697 log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind" 698 done 699 700 # 701 # in 702 # 703 for a in ${NSA_IP} ${VRF_IP} 704 do 705 log_start 706 run_cmd_nsb ping -c1 -w1 ${a} 707 log_test_addr ${a} $? 0 "ping in" 708 done 709 710 # 711 # local traffic, local address 712 # 713 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 714 do 715 log_start 716 show_hint "Source address should be ${a}" 717 run_cmd ping -c1 -w1 -I ${VRF} ${a} 718 log_test_addr ${a} $? 0 "ping local, VRF bind" 719 done 720 721 # 722 # local traffic, socket bound to device 723 # 724 # address on device 725 a=${NSA_IP} 726 log_start 727 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 728 log_test_addr ${a} $? 0 "ping local, device bind" 729 730 # vrf device is out of scope 731 for a in ${VRF_IP} 127.0.0.1 732 do 733 log_start 734 show_hint "Fails since address on vrf device is out of device scope" 735 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 736 log_test_addr ${a} $? 1 "ping local, device bind" 737 done 738 739 # 740 # ip rule blocks address 741 # 742 log_start 743 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 744 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 745 746 a=${NSB_LO_IP} 747 run_cmd ping -c1 -w1 -I ${VRF} ${a} 748 log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule" 749 750 log_start 751 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 752 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 753 754 a=${NSA_LO_IP} 755 log_start 756 show_hint "Response lost due to ip rule" 757 run_cmd_nsb ping -c1 -w1 ${a} 758 log_test_addr ${a} $? 1 "ping in, blocked by rule" 759 760 [ "$VERBOSE" = "1" ] && echo 761 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 762 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 763 764 # 765 # remove 'remote' routes; fallback to default 766 # 767 log_start 768 setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP} 769 770 a=${NSB_LO_IP} 771 run_cmd ping -c1 -w1 -I ${VRF} ${a} 772 log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route" 773 774 log_start 775 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 776 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 777 778 a=${NSA_LO_IP} 779 log_start 780 show_hint "Response lost by unreachable route" 781 run_cmd_nsb ping -c1 -w1 ${a} 782 log_test_addr ${a} $? 1 "ping in, unreachable route" 783} 784 785ipv4_ping() 786{ 787 log_section "IPv4 ping" 788 789 log_subsection "No VRF" 790 setup 791 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null 792 ipv4_ping_novrf 793 setup 794 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 795 ipv4_ping_novrf 796 797 log_subsection "With VRF" 798 setup "yes" 799 ipv4_ping_vrf 800} 801 802################################################################################ 803# IPv4 TCP 804 805# 806# MD5 tests without VRF 807# 808ipv4_tcp_md5_novrf() 809{ 810 # 811 # single address 812 # 813 814 # basic use case 815 log_start 816 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 817 sleep 1 818 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 819 log_test $? 0 "MD5: Single address config" 820 821 # client sends MD5, server not configured 822 log_start 823 show_hint "Should timeout due to MD5 mismatch" 824 run_cmd nettest -s & 825 sleep 1 826 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 827 log_test $? 2 "MD5: Server no config, client uses password" 828 829 # wrong password 830 log_start 831 show_hint "Should timeout since client uses wrong password" 832 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 833 sleep 1 834 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 835 log_test $? 2 "MD5: Client uses wrong password" 836 837 # client from different address 838 log_start 839 show_hint "Should timeout due to MD5 mismatch" 840 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} & 841 sleep 1 842 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 843 log_test $? 2 "MD5: Client address does not match address configured with password" 844 845 # 846 # MD5 extension - prefix length 847 # 848 849 # client in prefix 850 log_start 851 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 852 sleep 1 853 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 854 log_test $? 0 "MD5: Prefix config" 855 856 # client in prefix, wrong password 857 log_start 858 show_hint "Should timeout since client uses wrong password" 859 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 860 sleep 1 861 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 862 log_test $? 2 "MD5: Prefix config, client uses wrong password" 863 864 # client outside of prefix 865 log_start 866 show_hint "Should timeout due to MD5 mismatch" 867 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 868 sleep 1 869 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 870 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 871} 872 873# 874# MD5 tests with VRF 875# 876ipv4_tcp_md5() 877{ 878 # 879 # single address 880 # 881 882 # basic use case 883 log_start 884 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 885 sleep 1 886 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 887 log_test $? 0 "MD5: VRF: Single address config" 888 889 # client sends MD5, server not configured 890 log_start 891 show_hint "Should timeout since server does not have MD5 auth" 892 run_cmd nettest -s -I ${VRF} & 893 sleep 1 894 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 895 log_test $? 2 "MD5: VRF: Server no config, client uses password" 896 897 # wrong password 898 log_start 899 show_hint "Should timeout since client uses wrong password" 900 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 901 sleep 1 902 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 903 log_test $? 2 "MD5: VRF: Client uses wrong password" 904 905 # client from different address 906 log_start 907 show_hint "Should timeout since server config differs from client" 908 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} & 909 sleep 1 910 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 911 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 912 913 # 914 # MD5 extension - prefix length 915 # 916 917 # client in prefix 918 log_start 919 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 920 sleep 1 921 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 922 log_test $? 0 "MD5: VRF: Prefix config" 923 924 # client in prefix, wrong password 925 log_start 926 show_hint "Should timeout since client uses wrong password" 927 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 928 sleep 1 929 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 930 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 931 932 # client outside of prefix 933 log_start 934 show_hint "Should timeout since client address is outside of prefix" 935 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 936 sleep 1 937 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 938 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" 939 940 # 941 # duplicate config between default VRF and a VRF 942 # 943 944 log_start 945 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 946 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 947 sleep 1 948 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 949 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 950 951 log_start 952 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 953 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 954 sleep 1 955 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 956 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 957 958 log_start 959 show_hint "Should timeout since client in default VRF uses VRF password" 960 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 961 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 962 sleep 1 963 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 964 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 965 966 log_start 967 show_hint "Should timeout since client in VRF uses default VRF password" 968 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 969 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 970 sleep 1 971 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 972 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 973 974 log_start 975 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 976 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 977 sleep 1 978 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 979 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 980 981 log_start 982 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 983 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 984 sleep 1 985 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 986 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 987 988 log_start 989 show_hint "Should timeout since client in default VRF uses VRF password" 990 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 991 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 992 sleep 1 993 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 994 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 995 996 log_start 997 show_hint "Should timeout since client in VRF uses default VRF password" 998 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 999 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1000 sleep 1 1001 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1002 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 1003 1004 # 1005 # negative tests 1006 # 1007 log_start 1008 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP} 1009 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 1010 1011 log_start 1012 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET} 1013 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 1014 1015 test_ipv4_md5_vrf__vrf_server__no_bind_ifindex 1016 test_ipv4_md5_vrf__global_server__bind_ifindex0 1017} 1018 1019test_ipv4_md5_vrf__vrf_server__no_bind_ifindex() 1020{ 1021 log_start 1022 show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX" 1023 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1024 sleep 1 1025 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1026 log_test $? 0 "MD5: VRF: VRF-bound server, unbound key accepts connection" 1027 1028 log_start 1029 show_hint "Binding both the socket and the key is not required but it works" 1030 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1031 sleep 1 1032 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1033 log_test $? 0 "MD5: VRF: VRF-bound server, bound key accepts connection" 1034} 1035 1036test_ipv4_md5_vrf__global_server__bind_ifindex0() 1037{ 1038 # This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections 1039 local old_tcp_l3mdev_accept 1040 old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept) 1041 set_sysctl net.ipv4.tcp_l3mdev_accept=1 1042 1043 log_start 1044 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1045 sleep 1 1046 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1047 log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection" 1048 1049 log_start 1050 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1051 sleep 1 1052 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1053 log_test $? 0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection" 1054 log_start 1055 1056 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1057 sleep 1 1058 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1059 log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection" 1060 1061 log_start 1062 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1063 sleep 1 1064 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1065 log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection" 1066 1067 # restore value 1068 set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept" 1069} 1070 1071ipv4_tcp_novrf() 1072{ 1073 local a 1074 1075 # 1076 # server tests 1077 # 1078 for a in ${NSA_IP} ${NSA_LO_IP} 1079 do 1080 log_start 1081 run_cmd nettest -s & 1082 sleep 1 1083 run_cmd_nsb nettest -r ${a} 1084 log_test_addr ${a} $? 0 "Global server" 1085 done 1086 1087 a=${NSA_IP} 1088 log_start 1089 run_cmd nettest -s -I ${NSA_DEV} & 1090 sleep 1 1091 run_cmd_nsb nettest -r ${a} 1092 log_test_addr ${a} $? 0 "Device server" 1093 1094 # verify TCP reset sent and received 1095 for a in ${NSA_IP} ${NSA_LO_IP} 1096 do 1097 log_start 1098 show_hint "Should fail 'Connection refused' since there is no server" 1099 run_cmd_nsb nettest -r ${a} 1100 log_test_addr ${a} $? 1 "No server" 1101 done 1102 1103 # 1104 # client 1105 # 1106 for a in ${NSB_IP} ${NSB_LO_IP} 1107 do 1108 log_start 1109 run_cmd_nsb nettest -s & 1110 sleep 1 1111 run_cmd nettest -r ${a} -0 ${NSA_IP} 1112 log_test_addr ${a} $? 0 "Client" 1113 1114 log_start 1115 run_cmd_nsb nettest -s & 1116 sleep 1 1117 run_cmd nettest -r ${a} -d ${NSA_DEV} 1118 log_test_addr ${a} $? 0 "Client, device bind" 1119 1120 log_start 1121 show_hint "Should fail 'Connection refused'" 1122 run_cmd nettest -r ${a} 1123 log_test_addr ${a} $? 1 "No server, unbound client" 1124 1125 log_start 1126 show_hint "Should fail 'Connection refused'" 1127 run_cmd nettest -r ${a} -d ${NSA_DEV} 1128 log_test_addr ${a} $? 1 "No server, device client" 1129 done 1130 1131 # 1132 # local address tests 1133 # 1134 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1135 do 1136 log_start 1137 run_cmd nettest -s & 1138 sleep 1 1139 run_cmd nettest -r ${a} -0 ${a} -1 ${a} 1140 log_test_addr ${a} $? 0 "Global server, local connection" 1141 done 1142 1143 a=${NSA_IP} 1144 log_start 1145 run_cmd nettest -s -I ${NSA_DEV} & 1146 sleep 1 1147 run_cmd nettest -r ${a} -0 ${a} 1148 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 1149 1150 for a in ${NSA_LO_IP} 127.0.0.1 1151 do 1152 log_start 1153 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 1154 run_cmd nettest -s -I ${NSA_DEV} & 1155 sleep 1 1156 run_cmd nettest -r ${a} 1157 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 1158 done 1159 1160 a=${NSA_IP} 1161 log_start 1162 run_cmd nettest -s & 1163 sleep 1 1164 run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV} 1165 log_test_addr ${a} $? 0 "Global server, device client, local connection" 1166 1167 for a in ${NSA_LO_IP} 127.0.0.1 1168 do 1169 log_start 1170 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 1171 run_cmd nettest -s & 1172 sleep 1 1173 run_cmd nettest -r ${a} -d ${NSA_DEV} 1174 log_test_addr ${a} $? 1 "Global server, device client, local connection" 1175 done 1176 1177 a=${NSA_IP} 1178 log_start 1179 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1180 sleep 1 1181 run_cmd nettest -d ${NSA_DEV} -r ${a} -0 ${a} 1182 log_test_addr ${a} $? 0 "Device server, device client, local connection" 1183 1184 log_start 1185 show_hint "Should fail 'Connection refused'" 1186 run_cmd nettest -d ${NSA_DEV} -r ${a} 1187 log_test_addr ${a} $? 1 "No server, device client, local conn" 1188 1189 ipv4_tcp_md5_novrf 1190} 1191 1192ipv4_tcp_vrf() 1193{ 1194 local a 1195 1196 # disable global server 1197 log_subsection "Global server disabled" 1198 1199 set_sysctl net.ipv4.tcp_l3mdev_accept=0 1200 1201 # 1202 # server tests 1203 # 1204 for a in ${NSA_IP} ${VRF_IP} 1205 do 1206 log_start 1207 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 1208 run_cmd nettest -s & 1209 sleep 1 1210 run_cmd_nsb nettest -r ${a} 1211 log_test_addr ${a} $? 1 "Global server" 1212 1213 log_start 1214 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1215 sleep 1 1216 run_cmd_nsb nettest -r ${a} 1217 log_test_addr ${a} $? 0 "VRF server" 1218 1219 log_start 1220 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1221 sleep 1 1222 run_cmd_nsb nettest -r ${a} 1223 log_test_addr ${a} $? 0 "Device server" 1224 1225 # verify TCP reset received 1226 log_start 1227 show_hint "Should fail 'Connection refused' since there is no server" 1228 run_cmd_nsb nettest -r ${a} 1229 log_test_addr ${a} $? 1 "No server" 1230 done 1231 1232 # local address tests 1233 # (${VRF_IP} and 127.0.0.1 both timeout) 1234 a=${NSA_IP} 1235 log_start 1236 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 1237 run_cmd nettest -s & 1238 sleep 1 1239 run_cmd nettest -r ${a} -d ${NSA_DEV} 1240 log_test_addr ${a} $? 1 "Global server, local connection" 1241 1242 # run MD5 tests 1243 ipv4_tcp_md5 1244 1245 # 1246 # enable VRF global server 1247 # 1248 log_subsection "VRF Global server enabled" 1249 set_sysctl net.ipv4.tcp_l3mdev_accept=1 1250 1251 for a in ${NSA_IP} ${VRF_IP} 1252 do 1253 log_start 1254 show_hint "client socket should be bound to VRF" 1255 run_cmd nettest -s -3 ${VRF} & 1256 sleep 1 1257 run_cmd_nsb nettest -r ${a} 1258 log_test_addr ${a} $? 0 "Global server" 1259 1260 log_start 1261 show_hint "client socket should be bound to VRF" 1262 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1263 sleep 1 1264 run_cmd_nsb nettest -r ${a} 1265 log_test_addr ${a} $? 0 "VRF server" 1266 1267 # verify TCP reset received 1268 log_start 1269 show_hint "Should fail 'Connection refused'" 1270 run_cmd_nsb nettest -r ${a} 1271 log_test_addr ${a} $? 1 "No server" 1272 done 1273 1274 a=${NSA_IP} 1275 log_start 1276 show_hint "client socket should be bound to device" 1277 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1278 sleep 1 1279 run_cmd_nsb nettest -r ${a} 1280 log_test_addr ${a} $? 0 "Device server" 1281 1282 # local address tests 1283 for a in ${NSA_IP} ${VRF_IP} 1284 do 1285 log_start 1286 show_hint "Should fail 'Connection refused' since client is not bound to VRF" 1287 run_cmd nettest -s -I ${VRF} & 1288 sleep 1 1289 run_cmd nettest -r ${a} 1290 log_test_addr ${a} $? 1 "Global server, local connection" 1291 done 1292 1293 # 1294 # client 1295 # 1296 for a in ${NSB_IP} ${NSB_LO_IP} 1297 do 1298 log_start 1299 run_cmd_nsb nettest -s & 1300 sleep 1 1301 run_cmd nettest -r ${a} -d ${VRF} 1302 log_test_addr ${a} $? 0 "Client, VRF bind" 1303 1304 log_start 1305 run_cmd_nsb nettest -s & 1306 sleep 1 1307 run_cmd nettest -r ${a} -d ${NSA_DEV} 1308 log_test_addr ${a} $? 0 "Client, device bind" 1309 1310 log_start 1311 show_hint "Should fail 'Connection refused'" 1312 run_cmd nettest -r ${a} -d ${VRF} 1313 log_test_addr ${a} $? 1 "No server, VRF client" 1314 1315 log_start 1316 show_hint "Should fail 'Connection refused'" 1317 run_cmd nettest -r ${a} -d ${NSA_DEV} 1318 log_test_addr ${a} $? 1 "No server, device client" 1319 done 1320 1321 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 1322 do 1323 log_start 1324 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1325 sleep 1 1326 run_cmd nettest -r ${a} -d ${VRF} -0 ${a} 1327 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 1328 done 1329 1330 a=${NSA_IP} 1331 log_start 1332 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1333 sleep 1 1334 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a} 1335 log_test_addr ${a} $? 0 "VRF server, device client, local connection" 1336 1337 log_start 1338 show_hint "Should fail 'No route to host' since client is out of VRF scope" 1339 run_cmd nettest -s -I ${VRF} & 1340 sleep 1 1341 run_cmd nettest -r ${a} 1342 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection" 1343 1344 log_start 1345 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1346 sleep 1 1347 run_cmd nettest -r ${a} -d ${VRF} -0 ${a} 1348 log_test_addr ${a} $? 0 "Device server, VRF client, local connection" 1349 1350 log_start 1351 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1352 sleep 1 1353 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a} 1354 log_test_addr ${a} $? 0 "Device server, device client, local connection" 1355} 1356 1357ipv4_tcp() 1358{ 1359 log_section "IPv4/TCP" 1360 log_subsection "No VRF" 1361 setup 1362 1363 # tcp_l3mdev_accept should have no affect without VRF; 1364 # run tests with it enabled and disabled to verify 1365 log_subsection "tcp_l3mdev_accept disabled" 1366 set_sysctl net.ipv4.tcp_l3mdev_accept=0 1367 ipv4_tcp_novrf 1368 log_subsection "tcp_l3mdev_accept enabled" 1369 set_sysctl net.ipv4.tcp_l3mdev_accept=1 1370 ipv4_tcp_novrf 1371 1372 log_subsection "With VRF" 1373 setup "yes" 1374 ipv4_tcp_vrf 1375} 1376 1377################################################################################ 1378# IPv4 UDP 1379 1380ipv4_udp_novrf() 1381{ 1382 local a 1383 1384 # 1385 # server tests 1386 # 1387 for a in ${NSA_IP} ${NSA_LO_IP} 1388 do 1389 log_start 1390 run_cmd nettest -D -s -3 ${NSA_DEV} & 1391 sleep 1 1392 run_cmd_nsb nettest -D -r ${a} 1393 log_test_addr ${a} $? 0 "Global server" 1394 1395 log_start 1396 show_hint "Should fail 'Connection refused' since there is no server" 1397 run_cmd_nsb nettest -D -r ${a} 1398 log_test_addr ${a} $? 1 "No server" 1399 done 1400 1401 a=${NSA_IP} 1402 log_start 1403 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1404 sleep 1 1405 run_cmd_nsb nettest -D -r ${a} 1406 log_test_addr ${a} $? 0 "Device server" 1407 1408 # 1409 # client 1410 # 1411 for a in ${NSB_IP} ${NSB_LO_IP} 1412 do 1413 log_start 1414 run_cmd_nsb nettest -D -s & 1415 sleep 1 1416 run_cmd nettest -D -r ${a} -0 ${NSA_IP} 1417 log_test_addr ${a} $? 0 "Client" 1418 1419 log_start 1420 run_cmd_nsb nettest -D -s & 1421 sleep 1 1422 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP} 1423 log_test_addr ${a} $? 0 "Client, device bind" 1424 1425 log_start 1426 run_cmd_nsb nettest -D -s & 1427 sleep 1 1428 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP} 1429 log_test_addr ${a} $? 0 "Client, device send via cmsg" 1430 1431 log_start 1432 run_cmd_nsb nettest -D -s & 1433 sleep 1 1434 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} 1435 log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF" 1436 1437 log_start 1438 show_hint "Should fail 'Connection refused'" 1439 run_cmd nettest -D -r ${a} 1440 log_test_addr ${a} $? 1 "No server, unbound client" 1441 1442 log_start 1443 show_hint "Should fail 'Connection refused'" 1444 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1445 log_test_addr ${a} $? 1 "No server, device client" 1446 done 1447 1448 # 1449 # local address tests 1450 # 1451 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1452 do 1453 log_start 1454 run_cmd nettest -D -s & 1455 sleep 1 1456 run_cmd nettest -D -r ${a} -0 ${a} -1 ${a} 1457 log_test_addr ${a} $? 0 "Global server, local connection" 1458 done 1459 1460 a=${NSA_IP} 1461 log_start 1462 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1463 sleep 1 1464 run_cmd nettest -D -r ${a} 1465 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 1466 1467 for a in ${NSA_LO_IP} 127.0.0.1 1468 do 1469 log_start 1470 show_hint "Should fail 'Connection refused' since address is out of device scope" 1471 run_cmd nettest -s -D -I ${NSA_DEV} & 1472 sleep 1 1473 run_cmd nettest -D -r ${a} 1474 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 1475 done 1476 1477 a=${NSA_IP} 1478 log_start 1479 run_cmd nettest -s -D & 1480 sleep 1 1481 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1482 log_test_addr ${a} $? 0 "Global server, device client, local connection" 1483 1484 log_start 1485 run_cmd nettest -s -D & 1486 sleep 1 1487 run_cmd nettest -D -d ${NSA_DEV} -C -r ${a} 1488 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 1489 1490 log_start 1491 run_cmd nettest -s -D & 1492 sleep 1 1493 run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} 1494 log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection" 1495 1496 # IPv4 with device bind has really weird behavior - it overrides the 1497 # fib lookup, generates an rtable and tries to send the packet. This 1498 # causes failures for local traffic at different places 1499 for a in ${NSA_LO_IP} 127.0.0.1 1500 do 1501 log_start 1502 show_hint "Should fail since addresses on loopback are out of device scope" 1503 run_cmd nettest -D -s & 1504 sleep 1 1505 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1506 log_test_addr ${a} $? 2 "Global server, device client, local connection" 1507 1508 log_start 1509 show_hint "Should fail since addresses on loopback are out of device scope" 1510 run_cmd nettest -D -s & 1511 sleep 1 1512 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C 1513 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 1514 1515 log_start 1516 show_hint "Should fail since addresses on loopback are out of device scope" 1517 run_cmd nettest -D -s & 1518 sleep 1 1519 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S 1520 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 1521 done 1522 1523 a=${NSA_IP} 1524 log_start 1525 run_cmd nettest -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1526 sleep 1 1527 run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a} 1528 log_test_addr ${a} $? 0 "Device server, device client, local conn" 1529 1530 log_start 1531 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1532 log_test_addr ${a} $? 2 "No server, device client, local conn" 1533} 1534 1535ipv4_udp_vrf() 1536{ 1537 local a 1538 1539 # disable global server 1540 log_subsection "Global server disabled" 1541 set_sysctl net.ipv4.udp_l3mdev_accept=0 1542 1543 # 1544 # server tests 1545 # 1546 for a in ${NSA_IP} ${VRF_IP} 1547 do 1548 log_start 1549 show_hint "Fails because ingress is in a VRF and global server is disabled" 1550 run_cmd nettest -D -s & 1551 sleep 1 1552 run_cmd_nsb nettest -D -r ${a} 1553 log_test_addr ${a} $? 1 "Global server" 1554 1555 log_start 1556 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} & 1557 sleep 1 1558 run_cmd_nsb nettest -D -r ${a} 1559 log_test_addr ${a} $? 0 "VRF server" 1560 1561 log_start 1562 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1563 sleep 1 1564 run_cmd_nsb nettest -D -r ${a} 1565 log_test_addr ${a} $? 0 "Enslaved device server" 1566 1567 log_start 1568 show_hint "Should fail 'Connection refused' since there is no server" 1569 run_cmd_nsb nettest -D -r ${a} 1570 log_test_addr ${a} $? 1 "No server" 1571 1572 log_start 1573 show_hint "Should fail 'Connection refused' since global server is out of scope" 1574 run_cmd nettest -D -s & 1575 sleep 1 1576 run_cmd nettest -D -d ${VRF} -r ${a} 1577 log_test_addr ${a} $? 1 "Global server, VRF client, local connection" 1578 done 1579 1580 a=${NSA_IP} 1581 log_start 1582 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1583 sleep 1 1584 run_cmd nettest -D -d ${VRF} -r ${a} 1585 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1586 1587 log_start 1588 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1589 sleep 1 1590 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1591 log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection" 1592 1593 a=${NSA_IP} 1594 log_start 1595 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1596 sleep 1 1597 run_cmd nettest -D -d ${VRF} -r ${a} 1598 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 1599 1600 log_start 1601 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1602 sleep 1 1603 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1604 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 1605 1606 # enable global server 1607 log_subsection "Global server enabled" 1608 set_sysctl net.ipv4.udp_l3mdev_accept=1 1609 1610 # 1611 # server tests 1612 # 1613 for a in ${NSA_IP} ${VRF_IP} 1614 do 1615 log_start 1616 run_cmd nettest -D -s -3 ${NSA_DEV} & 1617 sleep 1 1618 run_cmd_nsb nettest -D -r ${a} 1619 log_test_addr ${a} $? 0 "Global server" 1620 1621 log_start 1622 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} & 1623 sleep 1 1624 run_cmd_nsb nettest -D -r ${a} 1625 log_test_addr ${a} $? 0 "VRF server" 1626 1627 log_start 1628 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1629 sleep 1 1630 run_cmd_nsb nettest -D -r ${a} 1631 log_test_addr ${a} $? 0 "Enslaved device server" 1632 1633 log_start 1634 show_hint "Should fail 'Connection refused'" 1635 run_cmd_nsb nettest -D -r ${a} 1636 log_test_addr ${a} $? 1 "No server" 1637 done 1638 1639 # 1640 # client tests 1641 # 1642 log_start 1643 run_cmd_nsb nettest -D -s & 1644 sleep 1 1645 run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP} 1646 log_test $? 0 "VRF client" 1647 1648 log_start 1649 run_cmd_nsb nettest -D -s & 1650 sleep 1 1651 run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP} 1652 log_test $? 0 "Enslaved device client" 1653 1654 # negative test - should fail 1655 log_start 1656 show_hint "Should fail 'Connection refused'" 1657 run_cmd nettest -D -d ${VRF} -r ${NSB_IP} 1658 log_test $? 1 "No server, VRF client" 1659 1660 log_start 1661 show_hint "Should fail 'Connection refused'" 1662 run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP} 1663 log_test $? 1 "No server, enslaved device client" 1664 1665 # 1666 # local address tests 1667 # 1668 a=${NSA_IP} 1669 log_start 1670 run_cmd nettest -D -s -3 ${NSA_DEV} & 1671 sleep 1 1672 run_cmd nettest -D -d ${VRF} -r ${a} 1673 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 1674 1675 log_start 1676 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1677 sleep 1 1678 run_cmd nettest -D -d ${VRF} -r ${a} 1679 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1680 1681 log_start 1682 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1683 sleep 1 1684 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1685 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 1686 1687 log_start 1688 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1689 sleep 1 1690 run_cmd nettest -D -d ${VRF} -r ${a} 1691 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 1692 1693 log_start 1694 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1695 sleep 1 1696 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1697 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 1698 1699 for a in ${VRF_IP} 127.0.0.1 1700 do 1701 log_start 1702 run_cmd nettest -D -s -3 ${VRF} & 1703 sleep 1 1704 run_cmd nettest -D -d ${VRF} -r ${a} 1705 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 1706 done 1707 1708 for a in ${VRF_IP} 127.0.0.1 1709 do 1710 log_start 1711 run_cmd nettest -s -D -I ${VRF} -3 ${VRF} & 1712 sleep 1 1713 run_cmd nettest -D -d ${VRF} -r ${a} 1714 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1715 done 1716 1717 # negative test - should fail 1718 # verifies ECONNREFUSED 1719 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 1720 do 1721 log_start 1722 show_hint "Should fail 'Connection refused'" 1723 run_cmd nettest -D -d ${VRF} -r ${a} 1724 log_test_addr ${a} $? 1 "No server, VRF client, local conn" 1725 done 1726} 1727 1728ipv4_udp() 1729{ 1730 log_section "IPv4/UDP" 1731 log_subsection "No VRF" 1732 1733 setup 1734 1735 # udp_l3mdev_accept should have no affect without VRF; 1736 # run tests with it enabled and disabled to verify 1737 log_subsection "udp_l3mdev_accept disabled" 1738 set_sysctl net.ipv4.udp_l3mdev_accept=0 1739 ipv4_udp_novrf 1740 log_subsection "udp_l3mdev_accept enabled" 1741 set_sysctl net.ipv4.udp_l3mdev_accept=1 1742 ipv4_udp_novrf 1743 1744 log_subsection "With VRF" 1745 setup "yes" 1746 ipv4_udp_vrf 1747} 1748 1749################################################################################ 1750# IPv4 address bind 1751# 1752# verifies ability or inability to bind to an address / device 1753 1754ipv4_addr_bind_novrf() 1755{ 1756 # 1757 # raw socket 1758 # 1759 for a in ${NSA_IP} ${NSA_LO_IP} 1760 do 1761 log_start 1762 run_cmd nettest -s -R -P icmp -l ${a} -b 1763 log_test_addr ${a} $? 0 "Raw socket bind to local address" 1764 1765 log_start 1766 run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b 1767 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" 1768 done 1769 1770 # 1771 # tcp sockets 1772 # 1773 a=${NSA_IP} 1774 log_start 1775 run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b 1776 log_test_addr ${a} $? 0 "TCP socket bind to local address" 1777 1778 log_start 1779 run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b 1780 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind" 1781 1782 # Sadly, the kernel allows binding a socket to a device and then 1783 # binding to an address not on the device. The only restriction 1784 # is that the address is valid in the L3 domain. So this test 1785 # passes when it really should not 1786 #a=${NSA_LO_IP} 1787 #log_start 1788 #show_hint "Should fail with 'Cannot assign requested address'" 1789 #run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 1790 #log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address" 1791} 1792 1793ipv4_addr_bind_vrf() 1794{ 1795 # 1796 # raw socket 1797 # 1798 for a in ${NSA_IP} ${VRF_IP} 1799 do 1800 log_start 1801 run_cmd nettest -s -R -P icmp -l ${a} -b 1802 log_test_addr ${a} $? 0 "Raw socket bind to local address" 1803 1804 log_start 1805 run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b 1806 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" 1807 log_start 1808 run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b 1809 log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind" 1810 done 1811 1812 a=${NSA_LO_IP} 1813 log_start 1814 show_hint "Address on loopback is out of VRF scope" 1815 run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b 1816 log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind" 1817 1818 # 1819 # tcp sockets 1820 # 1821 for a in ${NSA_IP} ${VRF_IP} 1822 do 1823 log_start 1824 run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b 1825 log_test_addr ${a} $? 0 "TCP socket bind to local address" 1826 1827 log_start 1828 run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 1829 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind" 1830 done 1831 1832 a=${NSA_LO_IP} 1833 log_start 1834 show_hint "Address on loopback out of scope for VRF" 1835 run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b 1836 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF" 1837 1838 log_start 1839 show_hint "Address on loopback out of scope for device in VRF" 1840 run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 1841 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind" 1842} 1843 1844ipv4_addr_bind() 1845{ 1846 log_section "IPv4 address binds" 1847 1848 log_subsection "No VRF" 1849 setup 1850 ipv4_addr_bind_novrf 1851 1852 log_subsection "With VRF" 1853 setup "yes" 1854 ipv4_addr_bind_vrf 1855} 1856 1857################################################################################ 1858# IPv4 runtime tests 1859 1860ipv4_rt() 1861{ 1862 local desc="$1" 1863 local varg="$2" 1864 local with_vrf="yes" 1865 local a 1866 1867 # 1868 # server tests 1869 # 1870 for a in ${NSA_IP} ${VRF_IP} 1871 do 1872 log_start 1873 run_cmd nettest ${varg} -s & 1874 sleep 1 1875 run_cmd_nsb nettest ${varg} -r ${a} & 1876 sleep 3 1877 run_cmd ip link del ${VRF} 1878 sleep 1 1879 log_test_addr ${a} 0 0 "${desc}, global server" 1880 1881 setup ${with_vrf} 1882 done 1883 1884 for a in ${NSA_IP} ${VRF_IP} 1885 do 1886 log_start 1887 run_cmd nettest ${varg} -s -I ${VRF} & 1888 sleep 1 1889 run_cmd_nsb nettest ${varg} -r ${a} & 1890 sleep 3 1891 run_cmd ip link del ${VRF} 1892 sleep 1 1893 log_test_addr ${a} 0 0 "${desc}, VRF server" 1894 1895 setup ${with_vrf} 1896 done 1897 1898 a=${NSA_IP} 1899 log_start 1900 run_cmd nettest ${varg} -s -I ${NSA_DEV} & 1901 sleep 1 1902 run_cmd_nsb nettest ${varg} -r ${a} & 1903 sleep 3 1904 run_cmd ip link del ${VRF} 1905 sleep 1 1906 log_test_addr ${a} 0 0 "${desc}, enslaved device server" 1907 1908 setup ${with_vrf} 1909 1910 # 1911 # client test 1912 # 1913 log_start 1914 run_cmd_nsb nettest ${varg} -s & 1915 sleep 1 1916 run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} & 1917 sleep 3 1918 run_cmd ip link del ${VRF} 1919 sleep 1 1920 log_test_addr ${a} 0 0 "${desc}, VRF client" 1921 1922 setup ${with_vrf} 1923 1924 log_start 1925 run_cmd_nsb nettest ${varg} -s & 1926 sleep 1 1927 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} & 1928 sleep 3 1929 run_cmd ip link del ${VRF} 1930 sleep 1 1931 log_test_addr ${a} 0 0 "${desc}, enslaved device client" 1932 1933 setup ${with_vrf} 1934 1935 # 1936 # local address tests 1937 # 1938 for a in ${NSA_IP} ${VRF_IP} 1939 do 1940 log_start 1941 run_cmd nettest ${varg} -s & 1942 sleep 1 1943 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 1944 sleep 3 1945 run_cmd ip link del ${VRF} 1946 sleep 1 1947 log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local" 1948 1949 setup ${with_vrf} 1950 done 1951 1952 for a in ${NSA_IP} ${VRF_IP} 1953 do 1954 log_start 1955 run_cmd nettest ${varg} -I ${VRF} -s & 1956 sleep 1 1957 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 1958 sleep 3 1959 run_cmd ip link del ${VRF} 1960 sleep 1 1961 log_test_addr ${a} 0 0 "${desc}, VRF server and client, local" 1962 1963 setup ${with_vrf} 1964 done 1965 1966 a=${NSA_IP} 1967 log_start 1968 run_cmd nettest ${varg} -s & 1969 sleep 1 1970 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 1971 sleep 3 1972 run_cmd ip link del ${VRF} 1973 sleep 1 1974 log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local" 1975 1976 setup ${with_vrf} 1977 1978 log_start 1979 run_cmd nettest ${varg} -I ${VRF} -s & 1980 sleep 1 1981 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 1982 sleep 3 1983 run_cmd ip link del ${VRF} 1984 sleep 1 1985 log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local" 1986 1987 setup ${with_vrf} 1988 1989 log_start 1990 run_cmd nettest ${varg} -I ${NSA_DEV} -s & 1991 sleep 1 1992 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 1993 sleep 3 1994 run_cmd ip link del ${VRF} 1995 sleep 1 1996 log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local" 1997} 1998 1999ipv4_ping_rt() 2000{ 2001 local with_vrf="yes" 2002 local a 2003 2004 for a in ${NSA_IP} ${VRF_IP} 2005 do 2006 log_start 2007 run_cmd_nsb ping -f ${a} & 2008 sleep 3 2009 run_cmd ip link del ${VRF} 2010 sleep 1 2011 log_test_addr ${a} 0 0 "Device delete with active traffic - ping in" 2012 2013 setup ${with_vrf} 2014 done 2015 2016 a=${NSB_IP} 2017 log_start 2018 run_cmd ping -f -I ${VRF} ${a} & 2019 sleep 3 2020 run_cmd ip link del ${VRF} 2021 sleep 1 2022 log_test_addr ${a} 0 0 "Device delete with active traffic - ping out" 2023} 2024 2025ipv4_runtime() 2026{ 2027 log_section "Run time tests - ipv4" 2028 2029 setup "yes" 2030 ipv4_ping_rt 2031 2032 setup "yes" 2033 ipv4_rt "TCP active socket" "-n -1" 2034 2035 setup "yes" 2036 ipv4_rt "TCP passive socket" "-i" 2037} 2038 2039################################################################################ 2040# IPv6 2041 2042ipv6_ping_novrf() 2043{ 2044 local a 2045 2046 # should not have an impact, but make a known state 2047 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null 2048 2049 # 2050 # out 2051 # 2052 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2053 do 2054 log_start 2055 run_cmd ${ping6} -c1 -w1 ${a} 2056 log_test_addr ${a} $? 0 "ping out" 2057 done 2058 2059 for a in ${NSB_IP6} ${NSB_LO_IP6} 2060 do 2061 log_start 2062 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2063 log_test_addr ${a} $? 0 "ping out, device bind" 2064 2065 log_start 2066 run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a} 2067 log_test_addr ${a} $? 0 "ping out, loopback address bind" 2068 done 2069 2070 # 2071 # in 2072 # 2073 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV} 2074 do 2075 log_start 2076 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2077 log_test_addr ${a} $? 0 "ping in" 2078 done 2079 2080 # 2081 # local traffic, local address 2082 # 2083 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2084 do 2085 log_start 2086 run_cmd ${ping6} -c1 -w1 ${a} 2087 log_test_addr ${a} $? 0 "ping local, no bind" 2088 done 2089 2090 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2091 do 2092 log_start 2093 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2094 log_test_addr ${a} $? 0 "ping local, device bind" 2095 done 2096 2097 for a in ${NSA_LO_IP6} ::1 2098 do 2099 log_start 2100 show_hint "Fails since address on loopback is out of device scope" 2101 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2102 log_test_addr ${a} $? 2 "ping local, device bind" 2103 done 2104 2105 # 2106 # ip rule blocks address 2107 # 2108 log_start 2109 setup_cmd ip -6 rule add pref 32765 from all lookup local 2110 setup_cmd ip -6 rule del pref 0 from all lookup local 2111 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2112 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2113 2114 a=${NSB_LO_IP6} 2115 run_cmd ${ping6} -c1 -w1 ${a} 2116 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2117 2118 log_start 2119 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2120 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2121 2122 a=${NSA_LO_IP6} 2123 log_start 2124 show_hint "Response lost due to ip rule" 2125 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2126 log_test_addr ${a} $? 1 "ping in, blocked by rule" 2127 2128 setup_cmd ip -6 rule add pref 0 from all lookup local 2129 setup_cmd ip -6 rule del pref 32765 from all lookup local 2130 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2131 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2132 2133 # 2134 # route blocks reachability to remote address 2135 # 2136 log_start 2137 setup_cmd ip -6 route del ${NSB_LO_IP6} 2138 setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10 2139 setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10 2140 2141 a=${NSB_LO_IP6} 2142 run_cmd ${ping6} -c1 -w1 ${a} 2143 log_test_addr ${a} $? 2 "ping out, blocked by route" 2144 2145 log_start 2146 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2147 log_test_addr ${a} $? 2 "ping out, device bind, blocked by route" 2148 2149 a=${NSA_LO_IP6} 2150 log_start 2151 show_hint "Response lost due to ip route" 2152 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2153 log_test_addr ${a} $? 1 "ping in, blocked by route" 2154 2155 2156 # 2157 # remove 'remote' routes; fallback to default 2158 # 2159 log_start 2160 setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6} 2161 setup_cmd ip -6 ro del unreachable ${NSB_IP6} 2162 2163 a=${NSB_LO_IP6} 2164 run_cmd ${ping6} -c1 -w1 ${a} 2165 log_test_addr ${a} $? 2 "ping out, unreachable route" 2166 2167 log_start 2168 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2169 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 2170} 2171 2172ipv6_ping_vrf() 2173{ 2174 local a 2175 2176 # should default on; does not exist on older kernels 2177 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 2178 2179 # 2180 # out 2181 # 2182 for a in ${NSB_IP6} ${NSB_LO_IP6} 2183 do 2184 log_start 2185 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2186 log_test_addr ${a} $? 0 "ping out, VRF bind" 2187 done 2188 2189 for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF} 2190 do 2191 log_start 2192 show_hint "Fails since VRF device does not support linklocal or multicast" 2193 run_cmd ${ping6} -c1 -w1 ${a} 2194 log_test_addr ${a} $? 2 "ping out, VRF bind" 2195 done 2196 2197 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2198 do 2199 log_start 2200 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2201 log_test_addr ${a} $? 0 "ping out, device bind" 2202 done 2203 2204 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2205 do 2206 log_start 2207 run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a} 2208 log_test_addr ${a} $? 0 "ping out, vrf device+address bind" 2209 done 2210 2211 # 2212 # in 2213 # 2214 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV} 2215 do 2216 log_start 2217 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2218 log_test_addr ${a} $? 0 "ping in" 2219 done 2220 2221 a=${NSA_LO_IP6} 2222 log_start 2223 show_hint "Fails since loopback address is out of VRF scope" 2224 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2225 log_test_addr ${a} $? 1 "ping in" 2226 2227 # 2228 # local traffic, local address 2229 # 2230 for a in ${NSA_IP6} ${VRF_IP6} ::1 2231 do 2232 log_start 2233 show_hint "Source address should be ${a}" 2234 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2235 log_test_addr ${a} $? 0 "ping local, VRF bind" 2236 done 2237 2238 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2239 do 2240 log_start 2241 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2242 log_test_addr ${a} $? 0 "ping local, device bind" 2243 done 2244 2245 # LLA to GUA - remove ipv6 global addresses from ns-B 2246 setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 2247 setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo 2248 setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2249 2250 for a in ${NSA_IP6} ${VRF_IP6} 2251 do 2252 log_start 2253 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 2254 log_test_addr ${a} $? 0 "ping in, LLA to GUA" 2255 done 2256 2257 setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2258 setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} 2259 setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo 2260 2261 # 2262 # ip rule blocks address 2263 # 2264 log_start 2265 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2266 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2267 2268 a=${NSB_LO_IP6} 2269 run_cmd ${ping6} -c1 -w1 ${a} 2270 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2271 2272 log_start 2273 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2274 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2275 2276 a=${NSA_LO_IP6} 2277 log_start 2278 show_hint "Response lost due to ip rule" 2279 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2280 log_test_addr ${a} $? 1 "ping in, blocked by rule" 2281 2282 log_start 2283 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2284 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2285 2286 # 2287 # remove 'remote' routes; fallback to default 2288 # 2289 log_start 2290 setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF} 2291 2292 a=${NSB_LO_IP6} 2293 run_cmd ${ping6} -c1 -w1 ${a} 2294 log_test_addr ${a} $? 2 "ping out, unreachable route" 2295 2296 log_start 2297 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2298 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 2299 2300 ip -netns ${NSB} -6 ro del ${NSA_LO_IP6} 2301 a=${NSA_LO_IP6} 2302 log_start 2303 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2304 log_test_addr ${a} $? 2 "ping in, unreachable route" 2305} 2306 2307ipv6_ping() 2308{ 2309 log_section "IPv6 ping" 2310 2311 log_subsection "No VRF" 2312 setup 2313 ipv6_ping_novrf 2314 2315 log_subsection "With VRF" 2316 setup "yes" 2317 ipv6_ping_vrf 2318} 2319 2320################################################################################ 2321# IPv6 TCP 2322 2323# 2324# MD5 tests without VRF 2325# 2326ipv6_tcp_md5_novrf() 2327{ 2328 # 2329 # single address 2330 # 2331 2332 # basic use case 2333 log_start 2334 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} & 2335 sleep 1 2336 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2337 log_test $? 0 "MD5: Single address config" 2338 2339 # client sends MD5, server not configured 2340 log_start 2341 show_hint "Should timeout due to MD5 mismatch" 2342 run_cmd nettest -6 -s & 2343 sleep 1 2344 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2345 log_test $? 2 "MD5: Server no config, client uses password" 2346 2347 # wrong password 2348 log_start 2349 show_hint "Should timeout since client uses wrong password" 2350 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} & 2351 sleep 1 2352 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2353 log_test $? 2 "MD5: Client uses wrong password" 2354 2355 # client from different address 2356 log_start 2357 show_hint "Should timeout due to MD5 mismatch" 2358 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} & 2359 sleep 1 2360 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2361 log_test $? 2 "MD5: Client address does not match address configured with password" 2362 2363 # 2364 # MD5 extension - prefix length 2365 # 2366 2367 # client in prefix 2368 log_start 2369 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2370 sleep 1 2371 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2372 log_test $? 0 "MD5: Prefix config" 2373 2374 # client in prefix, wrong password 2375 log_start 2376 show_hint "Should timeout since client uses wrong password" 2377 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2378 sleep 1 2379 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2380 log_test $? 2 "MD5: Prefix config, client uses wrong password" 2381 2382 # client outside of prefix 2383 log_start 2384 show_hint "Should timeout due to MD5 mismatch" 2385 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2386 sleep 1 2387 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW} 2388 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 2389} 2390 2391# 2392# MD5 tests with VRF 2393# 2394ipv6_tcp_md5() 2395{ 2396 # 2397 # single address 2398 # 2399 2400 # basic use case 2401 log_start 2402 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2403 sleep 1 2404 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2405 log_test $? 0 "MD5: VRF: Single address config" 2406 2407 # client sends MD5, server not configured 2408 log_start 2409 show_hint "Should timeout since server does not have MD5 auth" 2410 run_cmd nettest -6 -s -I ${VRF} & 2411 sleep 1 2412 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2413 log_test $? 2 "MD5: VRF: Server no config, client uses password" 2414 2415 # wrong password 2416 log_start 2417 show_hint "Should timeout since client uses wrong password" 2418 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2419 sleep 1 2420 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2421 log_test $? 2 "MD5: VRF: Client uses wrong password" 2422 2423 # client from different address 2424 log_start 2425 show_hint "Should timeout since server config differs from client" 2426 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} & 2427 sleep 1 2428 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2429 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 2430 2431 # 2432 # MD5 extension - prefix length 2433 # 2434 2435 # client in prefix 2436 log_start 2437 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2438 sleep 1 2439 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2440 log_test $? 0 "MD5: VRF: Prefix config" 2441 2442 # client in prefix, wrong password 2443 log_start 2444 show_hint "Should timeout since client uses wrong password" 2445 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2446 sleep 1 2447 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2448 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 2449 2450 # client outside of prefix 2451 log_start 2452 show_hint "Should timeout since client address is outside of prefix" 2453 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2454 sleep 1 2455 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW} 2456 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" 2457 2458 # 2459 # duplicate config between default VRF and a VRF 2460 # 2461 2462 log_start 2463 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2464 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2465 sleep 1 2466 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2467 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 2468 2469 log_start 2470 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2471 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2472 sleep 1 2473 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2474 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 2475 2476 log_start 2477 show_hint "Should timeout since client in default VRF uses VRF password" 2478 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2479 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2480 sleep 1 2481 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2482 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 2483 2484 log_start 2485 show_hint "Should timeout since client in VRF uses default VRF password" 2486 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2487 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2488 sleep 1 2489 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2490 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 2491 2492 log_start 2493 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2494 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2495 sleep 1 2496 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2497 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 2498 2499 log_start 2500 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2501 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2502 sleep 1 2503 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2504 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 2505 2506 log_start 2507 show_hint "Should timeout since client in default VRF uses VRF password" 2508 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2509 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2510 sleep 1 2511 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2512 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 2513 2514 log_start 2515 show_hint "Should timeout since client in VRF uses default VRF password" 2516 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2517 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2518 sleep 1 2519 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2520 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 2521 2522 # 2523 # negative tests 2524 # 2525 log_start 2526 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6} 2527 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 2528 2529 log_start 2530 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6} 2531 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 2532 2533} 2534 2535ipv6_tcp_novrf() 2536{ 2537 local a 2538 2539 # 2540 # server tests 2541 # 2542 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2543 do 2544 log_start 2545 run_cmd nettest -6 -s & 2546 sleep 1 2547 run_cmd_nsb nettest -6 -r ${a} 2548 log_test_addr ${a} $? 0 "Global server" 2549 done 2550 2551 # verify TCP reset received 2552 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2553 do 2554 log_start 2555 show_hint "Should fail 'Connection refused'" 2556 run_cmd_nsb nettest -6 -r ${a} 2557 log_test_addr ${a} $? 1 "No server" 2558 done 2559 2560 # 2561 # client 2562 # 2563 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2564 do 2565 log_start 2566 run_cmd_nsb nettest -6 -s & 2567 sleep 1 2568 run_cmd nettest -6 -r ${a} 2569 log_test_addr ${a} $? 0 "Client" 2570 done 2571 2572 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2573 do 2574 log_start 2575 run_cmd_nsb nettest -6 -s & 2576 sleep 1 2577 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2578 log_test_addr ${a} $? 0 "Client, device bind" 2579 done 2580 2581 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2582 do 2583 log_start 2584 show_hint "Should fail 'Connection refused'" 2585 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2586 log_test_addr ${a} $? 1 "No server, device client" 2587 done 2588 2589 # 2590 # local address tests 2591 # 2592 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 2593 do 2594 log_start 2595 run_cmd nettest -6 -s & 2596 sleep 1 2597 run_cmd nettest -6 -r ${a} 2598 log_test_addr ${a} $? 0 "Global server, local connection" 2599 done 2600 2601 a=${NSA_IP6} 2602 log_start 2603 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2604 sleep 1 2605 run_cmd nettest -6 -r ${a} -0 ${a} 2606 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 2607 2608 for a in ${NSA_LO_IP6} ::1 2609 do 2610 log_start 2611 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2612 run_cmd nettest -6 -s -I ${NSA_DEV} & 2613 sleep 1 2614 run_cmd nettest -6 -r ${a} 2615 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 2616 done 2617 2618 a=${NSA_IP6} 2619 log_start 2620 run_cmd nettest -6 -s & 2621 sleep 1 2622 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2623 log_test_addr ${a} $? 0 "Global server, device client, local connection" 2624 2625 for a in ${NSA_LO_IP6} ::1 2626 do 2627 log_start 2628 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2629 run_cmd nettest -6 -s & 2630 sleep 1 2631 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2632 log_test_addr ${a} $? 1 "Global server, device client, local connection" 2633 done 2634 2635 for a in ${NSA_IP6} ${NSA_LINKIP6} 2636 do 2637 log_start 2638 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2639 sleep 1 2640 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2641 log_test_addr ${a} $? 0 "Device server, device client, local conn" 2642 done 2643 2644 for a in ${NSA_IP6} ${NSA_LINKIP6} 2645 do 2646 log_start 2647 show_hint "Should fail 'Connection refused'" 2648 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2649 log_test_addr ${a} $? 1 "No server, device client, local conn" 2650 done 2651 2652 ipv6_tcp_md5_novrf 2653} 2654 2655ipv6_tcp_vrf() 2656{ 2657 local a 2658 2659 # disable global server 2660 log_subsection "Global server disabled" 2661 2662 set_sysctl net.ipv4.tcp_l3mdev_accept=0 2663 2664 # 2665 # server tests 2666 # 2667 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2668 do 2669 log_start 2670 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2671 run_cmd nettest -6 -s & 2672 sleep 1 2673 run_cmd_nsb nettest -6 -r ${a} 2674 log_test_addr ${a} $? 1 "Global server" 2675 done 2676 2677 for a in ${NSA_IP6} ${VRF_IP6} 2678 do 2679 log_start 2680 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2681 sleep 1 2682 run_cmd_nsb nettest -6 -r ${a} 2683 log_test_addr ${a} $? 0 "VRF server" 2684 done 2685 2686 # link local is always bound to ingress device 2687 a=${NSA_LINKIP6}%${NSB_DEV} 2688 log_start 2689 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2690 sleep 1 2691 run_cmd_nsb nettest -6 -r ${a} 2692 log_test_addr ${a} $? 0 "VRF server" 2693 2694 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2695 do 2696 log_start 2697 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2698 sleep 1 2699 run_cmd_nsb nettest -6 -r ${a} 2700 log_test_addr ${a} $? 0 "Device server" 2701 done 2702 2703 # verify TCP reset received 2704 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2705 do 2706 log_start 2707 show_hint "Should fail 'Connection refused'" 2708 run_cmd_nsb nettest -6 -r ${a} 2709 log_test_addr ${a} $? 1 "No server" 2710 done 2711 2712 # local address tests 2713 a=${NSA_IP6} 2714 log_start 2715 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2716 run_cmd nettest -6 -s & 2717 sleep 1 2718 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2719 log_test_addr ${a} $? 1 "Global server, local connection" 2720 2721 # run MD5 tests 2722 ipv6_tcp_md5 2723 2724 # 2725 # enable VRF global server 2726 # 2727 log_subsection "VRF Global server enabled" 2728 set_sysctl net.ipv4.tcp_l3mdev_accept=1 2729 2730 for a in ${NSA_IP6} ${VRF_IP6} 2731 do 2732 log_start 2733 run_cmd nettest -6 -s -3 ${VRF} & 2734 sleep 1 2735 run_cmd_nsb nettest -6 -r ${a} 2736 log_test_addr ${a} $? 0 "Global server" 2737 done 2738 2739 for a in ${NSA_IP6} ${VRF_IP6} 2740 do 2741 log_start 2742 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2743 sleep 1 2744 run_cmd_nsb nettest -6 -r ${a} 2745 log_test_addr ${a} $? 0 "VRF server" 2746 done 2747 2748 # For LLA, child socket is bound to device 2749 a=${NSA_LINKIP6}%${NSB_DEV} 2750 log_start 2751 run_cmd nettest -6 -s -3 ${NSA_DEV} & 2752 sleep 1 2753 run_cmd_nsb nettest -6 -r ${a} 2754 log_test_addr ${a} $? 0 "Global server" 2755 2756 log_start 2757 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2758 sleep 1 2759 run_cmd_nsb nettest -6 -r ${a} 2760 log_test_addr ${a} $? 0 "VRF server" 2761 2762 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2763 do 2764 log_start 2765 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2766 sleep 1 2767 run_cmd_nsb nettest -6 -r ${a} 2768 log_test_addr ${a} $? 0 "Device server" 2769 done 2770 2771 # verify TCP reset received 2772 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2773 do 2774 log_start 2775 show_hint "Should fail 'Connection refused'" 2776 run_cmd_nsb nettest -6 -r ${a} 2777 log_test_addr ${a} $? 1 "No server" 2778 done 2779 2780 # local address tests 2781 for a in ${NSA_IP6} ${VRF_IP6} 2782 do 2783 log_start 2784 show_hint "Fails 'Connection refused' since client is not in VRF" 2785 run_cmd nettest -6 -s -I ${VRF} & 2786 sleep 1 2787 run_cmd nettest -6 -r ${a} 2788 log_test_addr ${a} $? 1 "Global server, local connection" 2789 done 2790 2791 2792 # 2793 # client 2794 # 2795 for a in ${NSB_IP6} ${NSB_LO_IP6} 2796 do 2797 log_start 2798 run_cmd_nsb nettest -6 -s & 2799 sleep 1 2800 run_cmd nettest -6 -r ${a} -d ${VRF} 2801 log_test_addr ${a} $? 0 "Client, VRF bind" 2802 done 2803 2804 a=${NSB_LINKIP6} 2805 log_start 2806 show_hint "Fails since VRF device does not allow linklocal addresses" 2807 run_cmd_nsb nettest -6 -s & 2808 sleep 1 2809 run_cmd nettest -6 -r ${a} -d ${VRF} 2810 log_test_addr ${a} $? 1 "Client, VRF bind" 2811 2812 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 2813 do 2814 log_start 2815 run_cmd_nsb nettest -6 -s & 2816 sleep 1 2817 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2818 log_test_addr ${a} $? 0 "Client, device bind" 2819 done 2820 2821 for a in ${NSB_IP6} ${NSB_LO_IP6} 2822 do 2823 log_start 2824 show_hint "Should fail 'Connection refused'" 2825 run_cmd nettest -6 -r ${a} -d ${VRF} 2826 log_test_addr ${a} $? 1 "No server, VRF client" 2827 done 2828 2829 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 2830 do 2831 log_start 2832 show_hint "Should fail 'Connection refused'" 2833 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2834 log_test_addr ${a} $? 1 "No server, device client" 2835 done 2836 2837 for a in ${NSA_IP6} ${VRF_IP6} ::1 2838 do 2839 log_start 2840 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2841 sleep 1 2842 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 2843 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 2844 done 2845 2846 a=${NSA_IP6} 2847 log_start 2848 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2849 sleep 1 2850 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2851 log_test_addr ${a} $? 0 "VRF server, device client, local connection" 2852 2853 a=${NSA_IP6} 2854 log_start 2855 show_hint "Should fail since unbound client is out of VRF scope" 2856 run_cmd nettest -6 -s -I ${VRF} & 2857 sleep 1 2858 run_cmd nettest -6 -r ${a} 2859 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection" 2860 2861 log_start 2862 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2863 sleep 1 2864 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 2865 log_test_addr ${a} $? 0 "Device server, VRF client, local connection" 2866 2867 for a in ${NSA_IP6} ${NSA_LINKIP6} 2868 do 2869 log_start 2870 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2871 sleep 1 2872 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2873 log_test_addr ${a} $? 0 "Device server, device client, local connection" 2874 done 2875} 2876 2877ipv6_tcp() 2878{ 2879 log_section "IPv6/TCP" 2880 log_subsection "No VRF" 2881 setup 2882 2883 # tcp_l3mdev_accept should have no affect without VRF; 2884 # run tests with it enabled and disabled to verify 2885 log_subsection "tcp_l3mdev_accept disabled" 2886 set_sysctl net.ipv4.tcp_l3mdev_accept=0 2887 ipv6_tcp_novrf 2888 log_subsection "tcp_l3mdev_accept enabled" 2889 set_sysctl net.ipv4.tcp_l3mdev_accept=1 2890 ipv6_tcp_novrf 2891 2892 log_subsection "With VRF" 2893 setup "yes" 2894 ipv6_tcp_vrf 2895} 2896 2897################################################################################ 2898# IPv6 UDP 2899 2900ipv6_udp_novrf() 2901{ 2902 local a 2903 2904 # 2905 # server tests 2906 # 2907 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2908 do 2909 log_start 2910 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 2911 sleep 1 2912 run_cmd_nsb nettest -6 -D -r ${a} 2913 log_test_addr ${a} $? 0 "Global server" 2914 2915 log_start 2916 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 2917 sleep 1 2918 run_cmd_nsb nettest -6 -D -r ${a} 2919 log_test_addr ${a} $? 0 "Device server" 2920 done 2921 2922 a=${NSA_LO_IP6} 2923 log_start 2924 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 2925 sleep 1 2926 run_cmd_nsb nettest -6 -D -r ${a} 2927 log_test_addr ${a} $? 0 "Global server" 2928 2929 # should fail since loopback address is out of scope for a device 2930 # bound server, but it does not - hence this is more documenting 2931 # behavior. 2932 #log_start 2933 #show_hint "Should fail since loopback address is out of scope" 2934 #run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 2935 #sleep 1 2936 #run_cmd_nsb nettest -6 -D -r ${a} 2937 #log_test_addr ${a} $? 1 "Device server" 2938 2939 # negative test - should fail 2940 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2941 do 2942 log_start 2943 show_hint "Should fail 'Connection refused' since there is no server" 2944 run_cmd_nsb nettest -6 -D -r ${a} 2945 log_test_addr ${a} $? 1 "No server" 2946 done 2947 2948 # 2949 # client 2950 # 2951 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2952 do 2953 log_start 2954 run_cmd_nsb nettest -6 -D -s & 2955 sleep 1 2956 run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6} 2957 log_test_addr ${a} $? 0 "Client" 2958 2959 log_start 2960 run_cmd_nsb nettest -6 -D -s & 2961 sleep 1 2962 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6} 2963 log_test_addr ${a} $? 0 "Client, device bind" 2964 2965 log_start 2966 run_cmd_nsb nettest -6 -D -s & 2967 sleep 1 2968 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6} 2969 log_test_addr ${a} $? 0 "Client, device send via cmsg" 2970 2971 log_start 2972 run_cmd_nsb nettest -6 -D -s & 2973 sleep 1 2974 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6} 2975 log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF" 2976 2977 log_start 2978 show_hint "Should fail 'Connection refused'" 2979 run_cmd nettest -6 -D -r ${a} 2980 log_test_addr ${a} $? 1 "No server, unbound client" 2981 2982 log_start 2983 show_hint "Should fail 'Connection refused'" 2984 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 2985 log_test_addr ${a} $? 1 "No server, device client" 2986 done 2987 2988 # 2989 # local address tests 2990 # 2991 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 2992 do 2993 log_start 2994 run_cmd nettest -6 -D -s & 2995 sleep 1 2996 run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a} 2997 log_test_addr ${a} $? 0 "Global server, local connection" 2998 done 2999 3000 a=${NSA_IP6} 3001 log_start 3002 run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 3003 sleep 1 3004 run_cmd nettest -6 -D -r ${a} 3005 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 3006 3007 for a in ${NSA_LO_IP6} ::1 3008 do 3009 log_start 3010 show_hint "Should fail 'Connection refused' since address is out of device scope" 3011 run_cmd nettest -6 -s -D -I ${NSA_DEV} & 3012 sleep 1 3013 run_cmd nettest -6 -D -r ${a} 3014 log_test_addr ${a} $? 1 "Device server, local connection" 3015 done 3016 3017 a=${NSA_IP6} 3018 log_start 3019 run_cmd nettest -6 -s -D & 3020 sleep 1 3021 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3022 log_test_addr ${a} $? 0 "Global server, device client, local connection" 3023 3024 log_start 3025 run_cmd nettest -6 -s -D & 3026 sleep 1 3027 run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a} 3028 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 3029 3030 log_start 3031 run_cmd nettest -6 -s -D & 3032 sleep 1 3033 run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a} 3034 log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection" 3035 3036 for a in ${NSA_LO_IP6} ::1 3037 do 3038 log_start 3039 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3040 run_cmd nettest -6 -D -s & 3041 sleep 1 3042 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3043 log_test_addr ${a} $? 1 "Global server, device client, local connection" 3044 3045 log_start 3046 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3047 run_cmd nettest -6 -D -s & 3048 sleep 1 3049 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C 3050 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 3051 3052 log_start 3053 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3054 run_cmd nettest -6 -D -s & 3055 sleep 1 3056 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S 3057 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 3058 done 3059 3060 a=${NSA_IP6} 3061 log_start 3062 run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3063 sleep 1 3064 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a} 3065 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3066 3067 log_start 3068 show_hint "Should fail 'Connection refused'" 3069 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3070 log_test_addr ${a} $? 1 "No server, device client, local conn" 3071 3072 # LLA to GUA 3073 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3074 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3075 log_start 3076 run_cmd nettest -6 -s -D & 3077 sleep 1 3078 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3079 log_test $? 0 "UDP in - LLA to GUA" 3080 3081 run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV} 3082 run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad 3083} 3084 3085ipv6_udp_vrf() 3086{ 3087 local a 3088 3089 # disable global server 3090 log_subsection "Global server disabled" 3091 set_sysctl net.ipv4.udp_l3mdev_accept=0 3092 3093 # 3094 # server tests 3095 # 3096 for a in ${NSA_IP6} ${VRF_IP6} 3097 do 3098 log_start 3099 show_hint "Should fail 'Connection refused' since global server is disabled" 3100 run_cmd nettest -6 -D -s & 3101 sleep 1 3102 run_cmd_nsb nettest -6 -D -r ${a} 3103 log_test_addr ${a} $? 1 "Global server" 3104 done 3105 3106 for a in ${NSA_IP6} ${VRF_IP6} 3107 do 3108 log_start 3109 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3110 sleep 1 3111 run_cmd_nsb nettest -6 -D -r ${a} 3112 log_test_addr ${a} $? 0 "VRF server" 3113 done 3114 3115 for a in ${NSA_IP6} ${VRF_IP6} 3116 do 3117 log_start 3118 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3119 sleep 1 3120 run_cmd_nsb nettest -6 -D -r ${a} 3121 log_test_addr ${a} $? 0 "Enslaved device server" 3122 done 3123 3124 # negative test - should fail 3125 for a in ${NSA_IP6} ${VRF_IP6} 3126 do 3127 log_start 3128 show_hint "Should fail 'Connection refused' since there is no server" 3129 run_cmd_nsb nettest -6 -D -r ${a} 3130 log_test_addr ${a} $? 1 "No server" 3131 done 3132 3133 # 3134 # local address tests 3135 # 3136 for a in ${NSA_IP6} ${VRF_IP6} 3137 do 3138 log_start 3139 show_hint "Should fail 'Connection refused' since global server is disabled" 3140 run_cmd nettest -6 -D -s & 3141 sleep 1 3142 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3143 log_test_addr ${a} $? 1 "Global server, VRF client, local conn" 3144 done 3145 3146 for a in ${NSA_IP6} ${VRF_IP6} 3147 do 3148 log_start 3149 run_cmd nettest -6 -D -I ${VRF} -s & 3150 sleep 1 3151 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3152 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3153 done 3154 3155 a=${NSA_IP6} 3156 log_start 3157 show_hint "Should fail 'Connection refused' since global server is disabled" 3158 run_cmd nettest -6 -D -s & 3159 sleep 1 3160 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3161 log_test_addr ${a} $? 1 "Global server, device client, local conn" 3162 3163 log_start 3164 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3165 sleep 1 3166 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3167 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 3168 3169 log_start 3170 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3171 sleep 1 3172 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3173 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 3174 3175 log_start 3176 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3177 sleep 1 3178 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3179 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 3180 3181 # disable global server 3182 log_subsection "Global server enabled" 3183 set_sysctl net.ipv4.udp_l3mdev_accept=1 3184 3185 # 3186 # server tests 3187 # 3188 for a in ${NSA_IP6} ${VRF_IP6} 3189 do 3190 log_start 3191 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3192 sleep 1 3193 run_cmd_nsb nettest -6 -D -r ${a} 3194 log_test_addr ${a} $? 0 "Global server" 3195 done 3196 3197 for a in ${NSA_IP6} ${VRF_IP6} 3198 do 3199 log_start 3200 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3201 sleep 1 3202 run_cmd_nsb nettest -6 -D -r ${a} 3203 log_test_addr ${a} $? 0 "VRF server" 3204 done 3205 3206 for a in ${NSA_IP6} ${VRF_IP6} 3207 do 3208 log_start 3209 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3210 sleep 1 3211 run_cmd_nsb nettest -6 -D -r ${a} 3212 log_test_addr ${a} $? 0 "Enslaved device server" 3213 done 3214 3215 # negative test - should fail 3216 for a in ${NSA_IP6} ${VRF_IP6} 3217 do 3218 log_start 3219 run_cmd_nsb nettest -6 -D -r ${a} 3220 log_test_addr ${a} $? 1 "No server" 3221 done 3222 3223 # 3224 # client tests 3225 # 3226 log_start 3227 run_cmd_nsb nettest -6 -D -s & 3228 sleep 1 3229 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3230 log_test $? 0 "VRF client" 3231 3232 # negative test - should fail 3233 log_start 3234 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3235 log_test $? 1 "No server, VRF client" 3236 3237 log_start 3238 run_cmd_nsb nettest -6 -D -s & 3239 sleep 1 3240 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3241 log_test $? 0 "Enslaved device client" 3242 3243 # negative test - should fail 3244 log_start 3245 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3246 log_test $? 1 "No server, enslaved device client" 3247 3248 # 3249 # local address tests 3250 # 3251 a=${NSA_IP6} 3252 log_start 3253 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3254 sleep 1 3255 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3256 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 3257 3258 #log_start 3259 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3260 sleep 1 3261 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3262 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3263 3264 3265 a=${VRF_IP6} 3266 log_start 3267 run_cmd nettest -6 -D -s -3 ${VRF} & 3268 sleep 1 3269 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3270 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 3271 3272 log_start 3273 run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} & 3274 sleep 1 3275 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3276 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3277 3278 # negative test - should fail 3279 for a in ${NSA_IP6} ${VRF_IP6} 3280 do 3281 log_start 3282 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3283 log_test_addr ${a} $? 1 "No server, VRF client, local conn" 3284 done 3285 3286 # device to global IP 3287 a=${NSA_IP6} 3288 log_start 3289 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3290 sleep 1 3291 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3292 log_test_addr ${a} $? 0 "Global server, device client, local conn" 3293 3294 log_start 3295 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3296 sleep 1 3297 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3298 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 3299 3300 log_start 3301 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3302 sleep 1 3303 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3304 log_test_addr ${a} $? 0 "Device server, VRF client, local conn" 3305 3306 log_start 3307 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3308 sleep 1 3309 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3310 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3311 3312 log_start 3313 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3314 log_test_addr ${a} $? 1 "No server, device client, local conn" 3315 3316 3317 # link local addresses 3318 log_start 3319 run_cmd nettest -6 -D -s & 3320 sleep 1 3321 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3322 log_test $? 0 "Global server, linklocal IP" 3323 3324 log_start 3325 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3326 log_test $? 1 "No server, linklocal IP" 3327 3328 3329 log_start 3330 run_cmd_nsb nettest -6 -D -s & 3331 sleep 1 3332 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3333 log_test $? 0 "Enslaved device client, linklocal IP" 3334 3335 log_start 3336 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3337 log_test $? 1 "No server, device client, peer linklocal IP" 3338 3339 3340 log_start 3341 run_cmd nettest -6 -D -s & 3342 sleep 1 3343 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3344 log_test $? 0 "Enslaved device client, local conn - linklocal IP" 3345 3346 log_start 3347 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3348 log_test $? 1 "No server, device client, local conn - linklocal IP" 3349 3350 # LLA to GUA 3351 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3352 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3353 log_start 3354 run_cmd nettest -6 -s -D & 3355 sleep 1 3356 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3357 log_test $? 0 "UDP in - LLA to GUA" 3358 3359 run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV} 3360 run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad 3361} 3362 3363ipv6_udp() 3364{ 3365 # should not matter, but set to known state 3366 set_sysctl net.ipv4.udp_early_demux=1 3367 3368 log_section "IPv6/UDP" 3369 log_subsection "No VRF" 3370 setup 3371 3372 # udp_l3mdev_accept should have no affect without VRF; 3373 # run tests with it enabled and disabled to verify 3374 log_subsection "udp_l3mdev_accept disabled" 3375 set_sysctl net.ipv4.udp_l3mdev_accept=0 3376 ipv6_udp_novrf 3377 log_subsection "udp_l3mdev_accept enabled" 3378 set_sysctl net.ipv4.udp_l3mdev_accept=1 3379 ipv6_udp_novrf 3380 3381 log_subsection "With VRF" 3382 setup "yes" 3383 ipv6_udp_vrf 3384} 3385 3386################################################################################ 3387# IPv6 address bind 3388 3389ipv6_addr_bind_novrf() 3390{ 3391 # 3392 # raw socket 3393 # 3394 for a in ${NSA_IP6} ${NSA_LO_IP6} 3395 do 3396 log_start 3397 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b 3398 log_test_addr ${a} $? 0 "Raw socket bind to local address" 3399 3400 log_start 3401 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b 3402 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" 3403 done 3404 3405 # 3406 # tcp sockets 3407 # 3408 a=${NSA_IP6} 3409 log_start 3410 run_cmd nettest -6 -s -l ${a} -t1 -b 3411 log_test_addr ${a} $? 0 "TCP socket bind to local address" 3412 3413 log_start 3414 run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b 3415 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind" 3416 3417 a=${NSA_LO_IP6} 3418 log_start 3419 show_hint "Should fail with 'Cannot assign requested address'" 3420 run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b 3421 log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address" 3422} 3423 3424ipv6_addr_bind_vrf() 3425{ 3426 # 3427 # raw socket 3428 # 3429 for a in ${NSA_IP6} ${VRF_IP6} 3430 do 3431 log_start 3432 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b 3433 log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind" 3434 3435 log_start 3436 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b 3437 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" 3438 done 3439 3440 a=${NSA_LO_IP6} 3441 log_start 3442 show_hint "Address on loopback is out of VRF scope" 3443 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b 3444 log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind" 3445 3446 # 3447 # tcp sockets 3448 # 3449 # address on enslaved device is valid for the VRF or device in a VRF 3450 for a in ${NSA_IP6} ${VRF_IP6} 3451 do 3452 log_start 3453 run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b 3454 log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind" 3455 done 3456 3457 a=${NSA_IP6} 3458 log_start 3459 run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b 3460 log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind" 3461 3462 a=${VRF_IP6} 3463 log_start 3464 run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b 3465 log_test_addr ${a} $? 1 "TCP socket bind to VRF address with device bind" 3466 3467 a=${NSA_LO_IP6} 3468 log_start 3469 show_hint "Address on loopback out of scope for VRF" 3470 run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b 3471 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF" 3472 3473 log_start 3474 show_hint "Address on loopback out of scope for device in VRF" 3475 run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b 3476 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind" 3477 3478} 3479 3480ipv6_addr_bind() 3481{ 3482 log_section "IPv6 address binds" 3483 3484 log_subsection "No VRF" 3485 setup 3486 ipv6_addr_bind_novrf 3487 3488 log_subsection "With VRF" 3489 setup "yes" 3490 ipv6_addr_bind_vrf 3491} 3492 3493################################################################################ 3494# IPv6 runtime tests 3495 3496ipv6_rt() 3497{ 3498 local desc="$1" 3499 local varg="-6 $2" 3500 local with_vrf="yes" 3501 local a 3502 3503 # 3504 # server tests 3505 # 3506 for a in ${NSA_IP6} ${VRF_IP6} 3507 do 3508 log_start 3509 run_cmd nettest ${varg} -s & 3510 sleep 1 3511 run_cmd_nsb nettest ${varg} -r ${a} & 3512 sleep 3 3513 run_cmd ip link del ${VRF} 3514 sleep 1 3515 log_test_addr ${a} 0 0 "${desc}, global server" 3516 3517 setup ${with_vrf} 3518 done 3519 3520 for a in ${NSA_IP6} ${VRF_IP6} 3521 do 3522 log_start 3523 run_cmd nettest ${varg} -I ${VRF} -s & 3524 sleep 1 3525 run_cmd_nsb nettest ${varg} -r ${a} & 3526 sleep 3 3527 run_cmd ip link del ${VRF} 3528 sleep 1 3529 log_test_addr ${a} 0 0 "${desc}, VRF server" 3530 3531 setup ${with_vrf} 3532 done 3533 3534 for a in ${NSA_IP6} ${VRF_IP6} 3535 do 3536 log_start 3537 run_cmd nettest ${varg} -I ${NSA_DEV} -s & 3538 sleep 1 3539 run_cmd_nsb nettest ${varg} -r ${a} & 3540 sleep 3 3541 run_cmd ip link del ${VRF} 3542 sleep 1 3543 log_test_addr ${a} 0 0 "${desc}, enslaved device server" 3544 3545 setup ${with_vrf} 3546 done 3547 3548 # 3549 # client test 3550 # 3551 log_start 3552 run_cmd_nsb nettest ${varg} -s & 3553 sleep 1 3554 run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} & 3555 sleep 3 3556 run_cmd ip link del ${VRF} 3557 sleep 1 3558 log_test 0 0 "${desc}, VRF client" 3559 3560 setup ${with_vrf} 3561 3562 log_start 3563 run_cmd_nsb nettest ${varg} -s & 3564 sleep 1 3565 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} & 3566 sleep 3 3567 run_cmd ip link del ${VRF} 3568 sleep 1 3569 log_test 0 0 "${desc}, enslaved device client" 3570 3571 setup ${with_vrf} 3572 3573 3574 # 3575 # local address tests 3576 # 3577 for a in ${NSA_IP6} ${VRF_IP6} 3578 do 3579 log_start 3580 run_cmd nettest ${varg} -s & 3581 sleep 1 3582 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 3583 sleep 3 3584 run_cmd ip link del ${VRF} 3585 sleep 1 3586 log_test_addr ${a} 0 0 "${desc}, global server, VRF client" 3587 3588 setup ${with_vrf} 3589 done 3590 3591 for a in ${NSA_IP6} ${VRF_IP6} 3592 do 3593 log_start 3594 run_cmd nettest ${varg} -I ${VRF} -s & 3595 sleep 1 3596 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 3597 sleep 3 3598 run_cmd ip link del ${VRF} 3599 sleep 1 3600 log_test_addr ${a} 0 0 "${desc}, VRF server and client" 3601 3602 setup ${with_vrf} 3603 done 3604 3605 a=${NSA_IP6} 3606 log_start 3607 run_cmd nettest ${varg} -s & 3608 sleep 1 3609 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 3610 sleep 3 3611 run_cmd ip link del ${VRF} 3612 sleep 1 3613 log_test_addr ${a} 0 0 "${desc}, global server, device client" 3614 3615 setup ${with_vrf} 3616 3617 log_start 3618 run_cmd nettest ${varg} -I ${VRF} -s & 3619 sleep 1 3620 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 3621 sleep 3 3622 run_cmd ip link del ${VRF} 3623 sleep 1 3624 log_test_addr ${a} 0 0 "${desc}, VRF server, device client" 3625 3626 setup ${with_vrf} 3627 3628 log_start 3629 run_cmd nettest ${varg} -I ${NSA_DEV} -s & 3630 sleep 1 3631 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 3632 sleep 3 3633 run_cmd ip link del ${VRF} 3634 sleep 1 3635 log_test_addr ${a} 0 0 "${desc}, device server, device client" 3636} 3637 3638ipv6_ping_rt() 3639{ 3640 local with_vrf="yes" 3641 local a 3642 3643 a=${NSA_IP6} 3644 log_start 3645 run_cmd_nsb ${ping6} -f ${a} & 3646 sleep 3 3647 run_cmd ip link del ${VRF} 3648 sleep 1 3649 log_test_addr ${a} 0 0 "Device delete with active traffic - ping in" 3650 3651 setup ${with_vrf} 3652 3653 log_start 3654 run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} & 3655 sleep 1 3656 run_cmd ip link del ${VRF} 3657 sleep 1 3658 log_test_addr ${a} 0 0 "Device delete with active traffic - ping out" 3659} 3660 3661ipv6_runtime() 3662{ 3663 log_section "Run time tests - ipv6" 3664 3665 setup "yes" 3666 ipv6_ping_rt 3667 3668 setup "yes" 3669 ipv6_rt "TCP active socket" "-n -1" 3670 3671 setup "yes" 3672 ipv6_rt "TCP passive socket" "-i" 3673 3674 setup "yes" 3675 ipv6_rt "UDP active socket" "-D -n -1" 3676} 3677 3678################################################################################ 3679# netfilter blocking connections 3680 3681netfilter_tcp_reset() 3682{ 3683 local a 3684 3685 for a in ${NSA_IP} ${VRF_IP} 3686 do 3687 log_start 3688 run_cmd nettest -s & 3689 sleep 1 3690 run_cmd_nsb nettest -r ${a} 3691 log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx" 3692 done 3693} 3694 3695netfilter_icmp() 3696{ 3697 local stype="$1" 3698 local arg 3699 local a 3700 3701 [ "${stype}" = "UDP" ] && arg="-D" 3702 3703 for a in ${NSA_IP} ${VRF_IP} 3704 do 3705 log_start 3706 run_cmd nettest ${arg} -s & 3707 sleep 1 3708 run_cmd_nsb nettest ${arg} -r ${a} 3709 log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach" 3710 done 3711} 3712 3713ipv4_netfilter() 3714{ 3715 log_section "IPv4 Netfilter" 3716 log_subsection "TCP reset" 3717 3718 setup "yes" 3719 run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset 3720 3721 netfilter_tcp_reset 3722 3723 log_start 3724 log_subsection "ICMP unreachable" 3725 3726 log_start 3727 run_cmd iptables -F 3728 run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable 3729 run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable 3730 3731 netfilter_icmp "TCP" 3732 netfilter_icmp "UDP" 3733 3734 log_start 3735 iptables -F 3736} 3737 3738netfilter_tcp6_reset() 3739{ 3740 local a 3741 3742 for a in ${NSA_IP6} ${VRF_IP6} 3743 do 3744 log_start 3745 run_cmd nettest -6 -s & 3746 sleep 1 3747 run_cmd_nsb nettest -6 -r ${a} 3748 log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx" 3749 done 3750} 3751 3752netfilter_icmp6() 3753{ 3754 local stype="$1" 3755 local arg 3756 local a 3757 3758 [ "${stype}" = "UDP" ] && arg="$arg -D" 3759 3760 for a in ${NSA_IP6} ${VRF_IP6} 3761 do 3762 log_start 3763 run_cmd nettest -6 -s ${arg} & 3764 sleep 1 3765 run_cmd_nsb nettest -6 ${arg} -r ${a} 3766 log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach" 3767 done 3768} 3769 3770ipv6_netfilter() 3771{ 3772 log_section "IPv6 Netfilter" 3773 log_subsection "TCP reset" 3774 3775 setup "yes" 3776 run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset 3777 3778 netfilter_tcp6_reset 3779 3780 log_subsection "ICMP unreachable" 3781 3782 log_start 3783 run_cmd ip6tables -F 3784 run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable 3785 run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable 3786 3787 netfilter_icmp6 "TCP" 3788 netfilter_icmp6 "UDP" 3789 3790 log_start 3791 ip6tables -F 3792} 3793 3794################################################################################ 3795# specific use cases 3796 3797# VRF only. 3798# ns-A device enslaved to bridge. Verify traffic with and without 3799# br_netfilter module loaded. Repeat with SVI on bridge. 3800use_case_br() 3801{ 3802 setup "yes" 3803 3804 setup_cmd ip link set ${NSA_DEV} down 3805 setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24 3806 setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64 3807 3808 setup_cmd ip link add br0 type bridge 3809 setup_cmd ip addr add dev br0 ${NSA_IP}/24 3810 setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad 3811 3812 setup_cmd ip li set ${NSA_DEV} master br0 3813 setup_cmd ip li set ${NSA_DEV} up 3814 setup_cmd ip li set br0 up 3815 setup_cmd ip li set br0 vrf ${VRF} 3816 3817 rmmod br_netfilter 2>/dev/null 3818 sleep 5 # DAD 3819 3820 run_cmd ip neigh flush all 3821 run_cmd ping -c1 -w1 -I br0 ${NSB_IP} 3822 log_test $? 0 "Bridge into VRF - IPv4 ping out" 3823 3824 run_cmd ip neigh flush all 3825 run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6} 3826 log_test $? 0 "Bridge into VRF - IPv6 ping out" 3827 3828 run_cmd ip neigh flush all 3829 run_cmd_nsb ping -c1 -w1 ${NSA_IP} 3830 log_test $? 0 "Bridge into VRF - IPv4 ping in" 3831 3832 run_cmd ip neigh flush all 3833 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 3834 log_test $? 0 "Bridge into VRF - IPv6 ping in" 3835 3836 modprobe br_netfilter 3837 if [ $? -eq 0 ]; then 3838 run_cmd ip neigh flush all 3839 run_cmd ping -c1 -w1 -I br0 ${NSB_IP} 3840 log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out" 3841 3842 run_cmd ip neigh flush all 3843 run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6} 3844 log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out" 3845 3846 run_cmd ip neigh flush all 3847 run_cmd_nsb ping -c1 -w1 ${NSA_IP} 3848 log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in" 3849 3850 run_cmd ip neigh flush all 3851 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 3852 log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in" 3853 fi 3854 3855 setup_cmd ip li set br0 nomaster 3856 setup_cmd ip li add br0.100 link br0 type vlan id 100 3857 setup_cmd ip li set br0.100 vrf ${VRF} up 3858 setup_cmd ip addr add dev br0.100 172.16.101.1/24 3859 setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad 3860 3861 setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100 3862 setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24 3863 setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad 3864 setup_cmd_nsb ip li set vlan100 up 3865 sleep 1 3866 3867 rmmod br_netfilter 2>/dev/null 3868 3869 run_cmd ip neigh flush all 3870 run_cmd ping -c1 -w1 -I br0.100 172.16.101.2 3871 log_test $? 0 "Bridge vlan into VRF - IPv4 ping out" 3872 3873 run_cmd ip neigh flush all 3874 run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2 3875 log_test $? 0 "Bridge vlan into VRF - IPv6 ping out" 3876 3877 run_cmd ip neigh flush all 3878 run_cmd_nsb ping -c1 -w1 172.16.101.1 3879 log_test $? 0 "Bridge vlan into VRF - IPv4 ping in" 3880 3881 run_cmd ip neigh flush all 3882 run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1 3883 log_test $? 0 "Bridge vlan into VRF - IPv6 ping in" 3884 3885 modprobe br_netfilter 3886 if [ $? -eq 0 ]; then 3887 run_cmd ip neigh flush all 3888 run_cmd ping -c1 -w1 -I br0.100 172.16.101.2 3889 log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out" 3890 3891 run_cmd ip neigh flush all 3892 run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2 3893 log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out" 3894 3895 run_cmd ip neigh flush all 3896 run_cmd_nsb ping -c1 -w1 172.16.101.1 3897 log_test $? 0 "Bridge vlan into VRF - IPv4 ping in" 3898 3899 run_cmd ip neigh flush all 3900 run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1 3901 log_test $? 0 "Bridge vlan into VRF - IPv6 ping in" 3902 fi 3903 3904 setup_cmd ip li del br0 2>/dev/null 3905 setup_cmd_nsb ip li del vlan100 2>/dev/null 3906} 3907 3908# VRF only. 3909# ns-A device is connected to both ns-B and ns-C on a single VRF but only has 3910# LLA on the interfaces 3911use_case_ping_lla_multi() 3912{ 3913 setup_lla_only 3914 # only want reply from ns-A 3915 setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1 3916 setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1 3917 3918 log_start 3919 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV} 3920 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B" 3921 3922 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV} 3923 log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C" 3924 3925 # cycle/flap the first ns-A interface 3926 setup_cmd ip link set ${NSA_DEV} down 3927 setup_cmd ip link set ${NSA_DEV} up 3928 sleep 1 3929 3930 log_start 3931 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV} 3932 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B" 3933 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV} 3934 log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C" 3935 3936 # cycle/flap the second ns-A interface 3937 setup_cmd ip link set ${NSA_DEV2} down 3938 setup_cmd ip link set ${NSA_DEV2} up 3939 sleep 1 3940 3941 log_start 3942 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV} 3943 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B" 3944 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV} 3945 log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C" 3946} 3947 3948# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully 3949# established with ns-B. 3950use_case_snat_on_vrf() 3951{ 3952 setup "yes" 3953 3954 local port="12345" 3955 3956 run_cmd iptables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF} 3957 run_cmd ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF} 3958 3959 run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} & 3960 sleep 1 3961 run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port} 3962 log_test $? 0 "IPv4 TCP connection over VRF with SNAT" 3963 3964 run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} & 3965 sleep 1 3966 run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port} 3967 log_test $? 0 "IPv6 TCP connection over VRF with SNAT" 3968 3969 # Cleanup 3970 run_cmd iptables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF} 3971 run_cmd ip6tables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF} 3972} 3973 3974use_cases() 3975{ 3976 log_section "Use cases" 3977 log_subsection "Device enslaved to bridge" 3978 use_case_br 3979 log_subsection "Ping LLA with multiple interfaces" 3980 use_case_ping_lla_multi 3981 log_subsection "SNAT on VRF" 3982 use_case_snat_on_vrf 3983} 3984 3985################################################################################ 3986# usage 3987 3988usage() 3989{ 3990 cat <<EOF 3991usage: ${0##*/} OPTS 3992 3993 -4 IPv4 tests only 3994 -6 IPv6 tests only 3995 -t <test> Test name/set to run 3996 -p Pause on fail 3997 -P Pause after each test 3998 -v Be verbose 3999EOF 4000} 4001 4002################################################################################ 4003# main 4004 4005TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_addr_bind ipv4_runtime ipv4_netfilter" 4006TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_addr_bind ipv6_runtime ipv6_netfilter" 4007TESTS_OTHER="use_cases" 4008 4009PAUSE_ON_FAIL=no 4010PAUSE=no 4011 4012while getopts :46t:pPvh o 4013do 4014 case $o in 4015 4) TESTS=ipv4;; 4016 6) TESTS=ipv6;; 4017 t) TESTS=$OPTARG;; 4018 p) PAUSE_ON_FAIL=yes;; 4019 P) PAUSE=yes;; 4020 v) VERBOSE=1;; 4021 h) usage; exit 0;; 4022 *) usage; exit 1;; 4023 esac 4024done 4025 4026# make sure we don't pause twice 4027[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no 4028 4029# 4030# show user test config 4031# 4032if [ -z "$TESTS" ]; then 4033 TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER" 4034elif [ "$TESTS" = "ipv4" ]; then 4035 TESTS="$TESTS_IPV4" 4036elif [ "$TESTS" = "ipv6" ]; then 4037 TESTS="$TESTS_IPV6" 4038fi 4039 4040which nettest >/dev/null 4041if [ $? -ne 0 ]; then 4042 echo "'nettest' command not found; skipping tests" 4043 exit $ksft_skip 4044fi 4045 4046declare -i nfail=0 4047declare -i nsuccess=0 4048 4049for t in $TESTS 4050do 4051 case $t in 4052 ipv4_ping|ping) ipv4_ping;; 4053 ipv4_tcp|tcp) ipv4_tcp;; 4054 ipv4_udp|udp) ipv4_udp;; 4055 ipv4_bind|bind) ipv4_addr_bind;; 4056 ipv4_runtime) ipv4_runtime;; 4057 ipv4_netfilter) ipv4_netfilter;; 4058 4059 ipv6_ping|ping6) ipv6_ping;; 4060 ipv6_tcp|tcp6) ipv6_tcp;; 4061 ipv6_udp|udp6) ipv6_udp;; 4062 ipv6_bind|bind6) ipv6_addr_bind;; 4063 ipv6_runtime) ipv6_runtime;; 4064 ipv6_netfilter) ipv6_netfilter;; 4065 4066 use_cases) use_cases;; 4067 4068 # setup namespaces and config, but do not run any tests 4069 setup) setup; exit 0;; 4070 vrf_setup) setup "yes"; exit 0;; 4071 4072 help) echo "Test names: $TESTS"; exit 0;; 4073 esac 4074done 4075 4076cleanup 2>/dev/null 4077 4078printf "\nTests passed: %3d\n" ${nsuccess} 4079printf "Tests failed: %3d\n" ${nfail} 4080