1#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0
3#
4# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
5#
6# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
7# for various permutations:
8#   1. icmp, tcp, udp and netfilter
9#   2. client, server, no-server
10#   3. global address on interface
11#   4. global address on 'lo'
12#   5. remote and local traffic
13#   6. VRF and non-VRF permutations
14#
15# Setup:
16#                     ns-A     |     ns-B
17# No VRF case:
18#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
19#                                                remote address
20# VRF case:
21#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
22#
23# ns-A:
24#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
25#       lo: 127.0.0.1/8, ::1/128
26#           172.16.2.1/32, 2001:db8:2::1/128
27#      red: 127.0.0.1/8, ::1/128
28#           172.16.3.1/32, 2001:db8:3::1/128
29#
30# ns-B:
31#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
32#      lo2: 127.0.0.1/8, ::1/128
33#           172.16.2.2/32, 2001:db8:2::2/128
34#
35# ns-A to ns-C connection - only for VRF and same config
36# as ns-A to ns-B
37#
38# server / client nomenclature relative to ns-A
39
40VERBOSE=0
41
42NSA_DEV=eth1
43NSA_DEV2=eth2
44NSB_DEV=eth1
45NSC_DEV=eth2
46VRF=red
47VRF_TABLE=1101
48
49# IPv4 config
50NSA_IP=172.16.1.1
51NSB_IP=172.16.1.2
52VRF_IP=172.16.3.1
53NS_NET=172.16.1.0/24
54
55# IPv6 config
56NSA_IP6=2001:db8:1::1
57NSB_IP6=2001:db8:1::2
58VRF_IP6=2001:db8:3::1
59NS_NET6=2001:db8:1::/120
60
61NSA_LO_IP=172.16.2.1
62NSB_LO_IP=172.16.2.2
63NSA_LO_IP6=2001:db8:2::1
64NSB_LO_IP6=2001:db8:2::2
65
66MD5_PW=abc123
67MD5_WRONG_PW=abc1234
68
69MCAST=ff02::1
70# set after namespace create
71NSA_LINKIP6=
72NSB_LINKIP6=
73
74NSA=ns-A
75NSB=ns-B
76NSC=ns-C
77
78NSA_CMD="ip netns exec ${NSA}"
79NSB_CMD="ip netns exec ${NSB}"
80NSC_CMD="ip netns exec ${NSC}"
81
82which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)
83
84################################################################################
85# utilities
86
87log_test()
88{
89	local rc=$1
90	local expected=$2
91	local msg="$3"
92
93	[ "${VERBOSE}" = "1" ] && echo
94
95	if [ ${rc} -eq ${expected} ]; then
96		nsuccess=$((nsuccess+1))
97		printf "TEST: %-70s  [ OK ]\n" "${msg}"
98	else
99		nfail=$((nfail+1))
100		printf "TEST: %-70s  [FAIL]\n" "${msg}"
101		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
102			echo
103			echo "hit enter to continue, 'q' to quit"
104			read a
105			[ "$a" = "q" ] && exit 1
106		fi
107	fi
108
109	if [ "${PAUSE}" = "yes" ]; then
110		echo
111		echo "hit enter to continue, 'q' to quit"
112		read a
113		[ "$a" = "q" ] && exit 1
114	fi
115
116	kill_procs
117}
118
119log_test_addr()
120{
121	local addr=$1
122	local rc=$2
123	local expected=$3
124	local msg="$4"
125	local astr
126
127	astr=$(addr2str ${addr})
128	log_test $rc $expected "$msg - ${astr}"
129}
130
131log_section()
132{
133	echo
134	echo "###########################################################################"
135	echo "$*"
136	echo "###########################################################################"
137	echo
138}
139
140log_subsection()
141{
142	echo
143	echo "#################################################################"
144	echo "$*"
145	echo
146}
147
148log_start()
149{
150	# make sure we have no test instances running
151	kill_procs
152
153	if [ "${VERBOSE}" = "1" ]; then
154		echo
155		echo "#######################################################"
156	fi
157}
158
159log_debug()
160{
161	if [ "${VERBOSE}" = "1" ]; then
162		echo
163		echo "$*"
164		echo
165	fi
166}
167
168show_hint()
169{
170	if [ "${VERBOSE}" = "1" ]; then
171		echo "HINT: $*"
172		echo
173	fi
174}
175
176kill_procs()
177{
178	killall nettest ping ping6 >/dev/null 2>&1
179	sleep 1
180}
181
182do_run_cmd()
183{
184	local cmd="$*"
185	local out
186
187	if [ "$VERBOSE" = "1" ]; then
188		echo "COMMAND: ${cmd}"
189	fi
190
191	out=$($cmd 2>&1)
192	rc=$?
193	if [ "$VERBOSE" = "1" -a -n "$out" ]; then
194		echo "$out"
195	fi
196
197	return $rc
198}
199
200run_cmd()
201{
202	do_run_cmd ${NSA_CMD} $*
203}
204
205run_cmd_nsb()
206{
207	do_run_cmd ${NSB_CMD} $*
208}
209
210run_cmd_nsc()
211{
212	do_run_cmd ${NSC_CMD} $*
213}
214
215setup_cmd()
216{
217	local cmd="$*"
218	local rc
219
220	run_cmd ${cmd}
221	rc=$?
222	if [ $rc -ne 0 ]; then
223		# show user the command if not done so already
224		if [ "$VERBOSE" = "0" ]; then
225			echo "setup command: $cmd"
226		fi
227		echo "failed. stopping tests"
228		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
229			echo
230			echo "hit enter to continue"
231			read a
232		fi
233		exit $rc
234	fi
235}
236
237setup_cmd_nsb()
238{
239	local cmd="$*"
240	local rc
241
242	run_cmd_nsb ${cmd}
243	rc=$?
244	if [ $rc -ne 0 ]; then
245		# show user the command if not done so already
246		if [ "$VERBOSE" = "0" ]; then
247			echo "setup command: $cmd"
248		fi
249		echo "failed. stopping tests"
250		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
251			echo
252			echo "hit enter to continue"
253			read a
254		fi
255		exit $rc
256	fi
257}
258
259setup_cmd_nsc()
260{
261	local cmd="$*"
262	local rc
263
264	run_cmd_nsc ${cmd}
265	rc=$?
266	if [ $rc -ne 0 ]; then
267		# show user the command if not done so already
268		if [ "$VERBOSE" = "0" ]; then
269			echo "setup command: $cmd"
270		fi
271		echo "failed. stopping tests"
272		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
273			echo
274			echo "hit enter to continue"
275			read a
276		fi
277		exit $rc
278	fi
279}
280
281# set sysctl values in NS-A
282set_sysctl()
283{
284	echo "SYSCTL: $*"
285	echo
286	run_cmd sysctl -q -w $*
287}
288
289################################################################################
290# Setup for tests
291
292addr2str()
293{
294	case "$1" in
295	127.0.0.1) echo "loopback";;
296	::1) echo "IPv6 loopback";;
297
298	${NSA_IP})	echo "ns-A IP";;
299	${NSA_IP6})	echo "ns-A IPv6";;
300	${NSA_LO_IP})	echo "ns-A loopback IP";;
301	${NSA_LO_IP6})	echo "ns-A loopback IPv6";;
302	${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;
303
304	${NSB_IP})	echo "ns-B IP";;
305	${NSB_IP6})	echo "ns-B IPv6";;
306	${NSB_LO_IP})	echo "ns-B loopback IP";;
307	${NSB_LO_IP6})	echo "ns-B loopback IPv6";;
308	${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;
309
310	${VRF_IP})	echo "VRF IP";;
311	${VRF_IP6})	echo "VRF IPv6";;
312
313	${MCAST}%*)	echo "multicast IP";;
314
315	*) echo "unknown";;
316	esac
317}
318
319get_linklocal()
320{
321	local ns=$1
322	local dev=$2
323	local addr
324
325	addr=$(ip -netns ${ns} -6 -br addr show dev ${dev} | \
326	awk '{
327		for (i = 3; i <= NF; ++i) {
328			if ($i ~ /^fe80/)
329				print $i
330		}
331	}'
332	)
333	addr=${addr/\/*}
334
335	[ -z "$addr" ] && return 1
336
337	echo $addr
338
339	return 0
340}
341
342################################################################################
343# create namespaces and vrf
344
345create_vrf()
346{
347	local ns=$1
348	local vrf=$2
349	local table=$3
350	local addr=$4
351	local addr6=$5
352
353	ip -netns ${ns} link add ${vrf} type vrf table ${table}
354	ip -netns ${ns} link set ${vrf} up
355	ip -netns ${ns} route add vrf ${vrf} unreachable default metric 8192
356	ip -netns ${ns} -6 route add vrf ${vrf} unreachable default metric 8192
357
358	ip -netns ${ns} addr add 127.0.0.1/8 dev ${vrf}
359	ip -netns ${ns} -6 addr add ::1 dev ${vrf} nodad
360	if [ "${addr}" != "-" ]; then
361		ip -netns ${ns} addr add dev ${vrf} ${addr}
362	fi
363	if [ "${addr6}" != "-" ]; then
364		ip -netns ${ns} -6 addr add dev ${vrf} ${addr6}
365	fi
366
367	ip -netns ${ns} ru del pref 0
368	ip -netns ${ns} ru add pref 32765 from all lookup local
369	ip -netns ${ns} -6 ru del pref 0
370	ip -netns ${ns} -6 ru add pref 32765 from all lookup local
371}
372
373create_ns()
374{
375	local ns=$1
376	local addr=$2
377	local addr6=$3
378
379	ip netns add ${ns}
380
381	ip -netns ${ns} link set lo up
382	if [ "${addr}" != "-" ]; then
383		ip -netns ${ns} addr add dev lo ${addr}
384	fi
385	if [ "${addr6}" != "-" ]; then
386		ip -netns ${ns} -6 addr add dev lo ${addr6}
387	fi
388
389	ip -netns ${ns} ro add unreachable default metric 8192
390	ip -netns ${ns} -6 ro add unreachable default metric 8192
391
392	ip netns exec ${ns} sysctl -qw net.ipv4.ip_forward=1
393	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
394	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.forwarding=1
395	ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.forwarding=1
396}
397
398# create veth pair to connect namespaces and apply addresses.
399connect_ns()
400{
401	local ns1=$1
402	local ns1_dev=$2
403	local ns1_addr=$3
404	local ns1_addr6=$4
405	local ns2=$5
406	local ns2_dev=$6
407	local ns2_addr=$7
408	local ns2_addr6=$8
409
410	ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp
411	ip -netns ${ns1} li set ${ns1_dev} up
412	ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev}
413	ip -netns ${ns2} li set ${ns2_dev} up
414
415	if [ "${ns1_addr}" != "-" ]; then
416		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr}
417		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr}
418	fi
419
420	if [ "${ns1_addr6}" != "-" ]; then
421		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6}
422		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6}
423	fi
424}
425
426cleanup()
427{
428	# explicit cleanups to check those code paths
429	ip netns | grep -q ${NSA}
430	if [ $? -eq 0 ]; then
431		ip -netns ${NSA} link delete ${VRF}
432		ip -netns ${NSA} ro flush table ${VRF_TABLE}
433
434		ip -netns ${NSA} addr flush dev ${NSA_DEV}
435		ip -netns ${NSA} -6 addr flush dev ${NSA_DEV}
436		ip -netns ${NSA} link set dev ${NSA_DEV} down
437		ip -netns ${NSA} link del dev ${NSA_DEV}
438
439		ip netns del ${NSA}
440	fi
441
442	ip netns del ${NSB}
443	ip netns del ${NSC} >/dev/null 2>&1
444}
445
446setup()
447{
448	local with_vrf=${1}
449
450	# make sure we are starting with a clean slate
451	kill_procs
452	cleanup 2>/dev/null
453
454	log_debug "Configuring network namespaces"
455	set -e
456
457	create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128
458	create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128
459	connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \
460		   ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
461
462	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
463	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
464
465	# tell ns-A how to get to remote addresses of ns-B
466	if [ "${with_vrf}" = "yes" ]; then
467		create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6}
468
469		ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
470		ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
471		ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
472
473		ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
474		ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
475
476		# some VRF tests use ns-C which has the same config as
477		# ns-B but for a device NOT in the VRF
478		create_ns ${NSC} "-" "-"
479		connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \
480			   ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
481	else
482		ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
483		ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
484	fi
485
486
487	# tell ns-B how to get to remote addresses of ns-A
488	ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
489	ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
490
491	set +e
492
493	sleep 1
494}
495
496setup_lla_only()
497{
498	# make sure we are starting with a clean slate
499	kill_procs
500	cleanup 2>/dev/null
501
502	log_debug "Configuring network namespaces"
503	set -e
504
505	create_ns ${NSA} "-" "-"
506	create_ns ${NSB} "-" "-"
507	create_ns ${NSC} "-" "-"
508	connect_ns ${NSA} ${NSA_DEV} "-" "-" \
509		   ${NSB} ${NSB_DEV} "-" "-"
510	connect_ns ${NSA} ${NSA_DEV2} "-" "-" \
511		   ${NSC} ${NSC_DEV}  "-" "-"
512
513	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
514	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
515	NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV})
516
517	create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-"
518	ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
519	ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF}
520
521	set +e
522
523	sleep 1
524}
525
526################################################################################
527# IPv4
528
529ipv4_ping_novrf()
530{
531	local a
532
533	#
534	# out
535	#
536	for a in ${NSB_IP} ${NSB_LO_IP}
537	do
538		log_start
539		run_cmd ping -c1 -w1 ${a}
540		log_test_addr ${a} $? 0 "ping out"
541
542		log_start
543		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
544		log_test_addr ${a} $? 0 "ping out, device bind"
545
546		log_start
547		run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a}
548		log_test_addr ${a} $? 0 "ping out, address bind"
549	done
550
551	#
552	# in
553	#
554	for a in ${NSA_IP} ${NSA_LO_IP}
555	do
556		log_start
557		run_cmd_nsb ping -c1 -w1 ${a}
558		log_test_addr ${a} $? 0 "ping in"
559	done
560
561	#
562	# local traffic
563	#
564	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
565	do
566		log_start
567		run_cmd ping -c1 -w1 ${a}
568		log_test_addr ${a} $? 0 "ping local"
569	done
570
571	#
572	# local traffic, socket bound to device
573	#
574	# address on device
575	a=${NSA_IP}
576	log_start
577	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
578	log_test_addr ${a} $? 0 "ping local, device bind"
579
580	# loopback addresses not reachable from device bind
581	# fails in a really weird way though because ipv4 special cases
582	# route lookups with oif set.
583	for a in ${NSA_LO_IP} 127.0.0.1
584	do
585		log_start
586		show_hint "Fails since address on loopback device is out of device scope"
587		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
588		log_test_addr ${a} $? 1 "ping local, device bind"
589	done
590
591	#
592	# ip rule blocks reachability to remote address
593	#
594	log_start
595	setup_cmd ip rule add pref 32765 from all lookup local
596	setup_cmd ip rule del pref 0 from all lookup local
597	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
598	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit
599
600	a=${NSB_LO_IP}
601	run_cmd ping -c1 -w1 ${a}
602	log_test_addr ${a} $? 2 "ping out, blocked by rule"
603
604	# NOTE: ipv4 actually allows the lookup to fail and yet still create
605	# a viable rtable if the oif (e.g., bind to device) is set, so this
606	# case succeeds despite the rule
607	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
608
609	a=${NSA_LO_IP}
610	log_start
611	show_hint "Response generates ICMP (or arp request is ignored) due to ip rule"
612	run_cmd_nsb ping -c1 -w1 ${a}
613	log_test_addr ${a} $? 1 "ping in, blocked by rule"
614
615	[ "$VERBOSE" = "1" ] && echo
616	setup_cmd ip rule del pref 32765 from all lookup local
617	setup_cmd ip rule add pref 0 from all lookup local
618	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
619	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit
620
621	#
622	# route blocks reachability to remote address
623	#
624	log_start
625	setup_cmd ip route replace unreachable ${NSB_LO_IP}
626	setup_cmd ip route replace unreachable ${NSB_IP}
627
628	a=${NSB_LO_IP}
629	run_cmd ping -c1 -w1 ${a}
630	log_test_addr ${a} $? 2 "ping out, blocked by route"
631
632	# NOTE: ipv4 actually allows the lookup to fail and yet still create
633	# a viable rtable if the oif (e.g., bind to device) is set, so this
634	# case succeeds despite not having a route for the address
635	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
636
637	a=${NSA_LO_IP}
638	log_start
639	show_hint "Response is dropped (or arp request is ignored) due to ip route"
640	run_cmd_nsb ping -c1 -w1 ${a}
641	log_test_addr ${a} $? 1 "ping in, blocked by route"
642
643	#
644	# remove 'remote' routes; fallback to default
645	#
646	log_start
647	setup_cmd ip ro del ${NSB_LO_IP}
648
649	a=${NSB_LO_IP}
650	run_cmd ping -c1 -w1 ${a}
651	log_test_addr ${a} $? 2 "ping out, unreachable default route"
652
653	# NOTE: ipv4 actually allows the lookup to fail and yet still create
654	# a viable rtable if the oif (e.g., bind to device) is set, so this
655	# case succeeds despite not having a route for the address
656	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
657}
658
659ipv4_ping_vrf()
660{
661	local a
662
663	# should default on; does not exist on older kernels
664	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
665
666	#
667	# out
668	#
669	for a in ${NSB_IP} ${NSB_LO_IP}
670	do
671		log_start
672		run_cmd ping -c1 -w1 -I ${VRF} ${a}
673		log_test_addr ${a} $? 0 "ping out, VRF bind"
674
675		log_start
676		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
677		log_test_addr ${a} $? 0 "ping out, device bind"
678
679		log_start
680		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a}
681		log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind"
682
683		log_start
684		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a}
685		log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind"
686	done
687
688	#
689	# in
690	#
691	for a in ${NSA_IP} ${VRF_IP}
692	do
693		log_start
694		run_cmd_nsb ping -c1 -w1 ${a}
695		log_test_addr ${a} $? 0 "ping in"
696	done
697
698	#
699	# local traffic, local address
700	#
701	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
702	do
703		log_start
704		show_hint "Source address should be ${a}"
705		run_cmd ping -c1 -w1 -I ${VRF} ${a}
706		log_test_addr ${a} $? 0 "ping local, VRF bind"
707	done
708
709	#
710	# local traffic, socket bound to device
711	#
712	# address on device
713	a=${NSA_IP}
714	log_start
715	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
716	log_test_addr ${a} $? 0 "ping local, device bind"
717
718	# vrf device is out of scope
719	for a in ${VRF_IP} 127.0.0.1
720	do
721		log_start
722		show_hint "Fails since address on vrf device is out of device scope"
723		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
724		log_test_addr ${a} $? 1 "ping local, device bind"
725	done
726
727	#
728	# ip rule blocks address
729	#
730	log_start
731	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
732	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit
733
734	a=${NSB_LO_IP}
735	run_cmd ping -c1 -w1 -I ${VRF} ${a}
736	log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule"
737
738	log_start
739	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
740	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
741
742	a=${NSA_LO_IP}
743	log_start
744	show_hint "Response lost due to ip rule"
745	run_cmd_nsb ping -c1 -w1 ${a}
746	log_test_addr ${a} $? 1 "ping in, blocked by rule"
747
748	[ "$VERBOSE" = "1" ] && echo
749	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
750	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit
751
752	#
753	# remove 'remote' routes; fallback to default
754	#
755	log_start
756	setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP}
757
758	a=${NSB_LO_IP}
759	run_cmd ping -c1 -w1 -I ${VRF} ${a}
760	log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route"
761
762	log_start
763	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
764	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
765
766	a=${NSA_LO_IP}
767	log_start
768	show_hint "Response lost by unreachable route"
769	run_cmd_nsb ping -c1 -w1 ${a}
770	log_test_addr ${a} $? 1 "ping in, unreachable route"
771}
772
773ipv4_ping()
774{
775	log_section "IPv4 ping"
776
777	log_subsection "No VRF"
778	setup
779	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null
780	ipv4_ping_novrf
781	setup
782	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
783	ipv4_ping_novrf
784
785	log_subsection "With VRF"
786	setup "yes"
787	ipv4_ping_vrf
788}
789
790################################################################################
791# IPv4 TCP
792
793#
794# MD5 tests without VRF
795#
796ipv4_tcp_md5_novrf()
797{
798	#
799	# single address
800	#
801
802	# basic use case
803	log_start
804	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
805	sleep 1
806	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
807	log_test $? 0 "MD5: Single address config"
808
809	# client sends MD5, server not configured
810	log_start
811	show_hint "Should timeout due to MD5 mismatch"
812	run_cmd nettest -s &
813	sleep 1
814	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
815	log_test $? 2 "MD5: Server no config, client uses password"
816
817	# wrong password
818	log_start
819	show_hint "Should timeout since client uses wrong password"
820	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
821	sleep 1
822	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
823	log_test $? 2 "MD5: Client uses wrong password"
824
825	# client from different address
826	log_start
827	show_hint "Should timeout due to MD5 mismatch"
828	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} &
829	sleep 1
830	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
831	log_test $? 2 "MD5: Client address does not match address configured with password"
832
833	#
834	# MD5 extension - prefix length
835	#
836
837	# client in prefix
838	log_start
839	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
840	sleep 1
841	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
842	log_test $? 0 "MD5: Prefix config"
843
844	# client in prefix, wrong password
845	log_start
846	show_hint "Should timeout since client uses wrong password"
847	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
848	sleep 1
849	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
850	log_test $? 2 "MD5: Prefix config, client uses wrong password"
851
852	# client outside of prefix
853	log_start
854	show_hint "Should timeout due to MD5 mismatch"
855	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
856	sleep 1
857	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
858	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
859}
860
861#
862# MD5 tests with VRF
863#
864ipv4_tcp_md5()
865{
866	#
867	# single address
868	#
869
870	# basic use case
871	log_start
872	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
873	sleep 1
874	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
875	log_test $? 0 "MD5: VRF: Single address config"
876
877	# client sends MD5, server not configured
878	log_start
879	show_hint "Should timeout since server does not have MD5 auth"
880	run_cmd nettest -s -I ${VRF} &
881	sleep 1
882	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
883	log_test $? 2 "MD5: VRF: Server no config, client uses password"
884
885	# wrong password
886	log_start
887	show_hint "Should timeout since client uses wrong password"
888	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
889	sleep 1
890	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
891	log_test $? 2 "MD5: VRF: Client uses wrong password"
892
893	# client from different address
894	log_start
895	show_hint "Should timeout since server config differs from client"
896	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} &
897	sleep 1
898	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
899	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"
900
901	#
902	# MD5 extension - prefix length
903	#
904
905	# client in prefix
906	log_start
907	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
908	sleep 1
909	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
910	log_test $? 0 "MD5: VRF: Prefix config"
911
912	# client in prefix, wrong password
913	log_start
914	show_hint "Should timeout since client uses wrong password"
915	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
916	sleep 1
917	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
918	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"
919
920	# client outside of prefix
921	log_start
922	show_hint "Should timeout since client address is outside of prefix"
923	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
924	sleep 1
925	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
926	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"
927
928	#
929	# duplicate config between default VRF and a VRF
930	#
931
932	log_start
933	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
934	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
935	sleep 1
936	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
937	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"
938
939	log_start
940	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
941	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
942	sleep 1
943	run_cmd_nsc nettest  -r ${NSA_IP} -X ${MD5_WRONG_PW}
944	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"
945
946	log_start
947	show_hint "Should timeout since client in default VRF uses VRF password"
948	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
949	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
950	sleep 1
951	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
952	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"
953
954	log_start
955	show_hint "Should timeout since client in VRF uses default VRF password"
956	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
957	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
958	sleep 1
959	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
960	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"
961
962	log_start
963	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
964	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
965	sleep 1
966	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
967	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"
968
969	log_start
970	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
971	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
972	sleep 1
973	run_cmd_nsc nettest  -r ${NSA_IP} -X ${MD5_WRONG_PW}
974	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"
975
976	log_start
977	show_hint "Should timeout since client in default VRF uses VRF password"
978	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
979	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
980	sleep 1
981	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
982	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"
983
984	log_start
985	show_hint "Should timeout since client in VRF uses default VRF password"
986	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
987	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
988	sleep 1
989	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
990	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"
991
992	#
993	# negative tests
994	#
995	log_start
996	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP}
997	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"
998
999	log_start
1000	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET}
1001	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"
1002
1003}
1004
1005ipv4_tcp_novrf()
1006{
1007	local a
1008
1009	#
1010	# server tests
1011	#
1012	for a in ${NSA_IP} ${NSA_LO_IP}
1013	do
1014		log_start
1015		run_cmd nettest -s &
1016		sleep 1
1017		run_cmd_nsb nettest -r ${a}
1018		log_test_addr ${a} $? 0 "Global server"
1019	done
1020
1021	a=${NSA_IP}
1022	log_start
1023	run_cmd nettest -s -I ${NSA_DEV} &
1024	sleep 1
1025	run_cmd_nsb nettest -r ${a}
1026	log_test_addr ${a} $? 0 "Device server"
1027
1028	# verify TCP reset sent and received
1029	for a in ${NSA_IP} ${NSA_LO_IP}
1030	do
1031		log_start
1032		show_hint "Should fail 'Connection refused' since there is no server"
1033		run_cmd_nsb nettest -r ${a}
1034		log_test_addr ${a} $? 1 "No server"
1035	done
1036
1037	#
1038	# client
1039	#
1040	for a in ${NSB_IP} ${NSB_LO_IP}
1041	do
1042		log_start
1043		run_cmd_nsb nettest -s &
1044		sleep 1
1045		run_cmd nettest -r ${a} -0 ${NSA_IP}
1046		log_test_addr ${a} $? 0 "Client"
1047
1048		log_start
1049		run_cmd_nsb nettest -s &
1050		sleep 1
1051		run_cmd nettest -r ${a} -d ${NSA_DEV}
1052		log_test_addr ${a} $? 0 "Client, device bind"
1053
1054		log_start
1055		show_hint "Should fail 'Connection refused'"
1056		run_cmd nettest -r ${a}
1057		log_test_addr ${a} $? 1 "No server, unbound client"
1058
1059		log_start
1060		show_hint "Should fail 'Connection refused'"
1061		run_cmd nettest -r ${a} -d ${NSA_DEV}
1062		log_test_addr ${a} $? 1 "No server, device client"
1063	done
1064
1065	#
1066	# local address tests
1067	#
1068	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
1069	do
1070		log_start
1071		run_cmd nettest -s &
1072		sleep 1
1073		run_cmd nettest -r ${a} -0 ${a} -1 ${a}
1074		log_test_addr ${a} $? 0 "Global server, local connection"
1075	done
1076
1077	a=${NSA_IP}
1078	log_start
1079	run_cmd nettest -s -I ${NSA_DEV} &
1080	sleep 1
1081	run_cmd nettest -r ${a} -0 ${a}
1082	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
1083
1084	for a in ${NSA_LO_IP} 127.0.0.1
1085	do
1086		log_start
1087		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
1088		run_cmd nettest -s -I ${NSA_DEV} &
1089		sleep 1
1090		run_cmd nettest -r ${a}
1091		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
1092	done
1093
1094	a=${NSA_IP}
1095	log_start
1096	run_cmd nettest -s &
1097	sleep 1
1098	run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV}
1099	log_test_addr ${a} $? 0 "Global server, device client, local connection"
1100
1101	for a in ${NSA_LO_IP} 127.0.0.1
1102	do
1103		log_start
1104		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
1105		run_cmd nettest -s &
1106		sleep 1
1107		run_cmd nettest -r ${a} -d ${NSA_DEV}
1108		log_test_addr ${a} $? 1 "Global server, device client, local connection"
1109	done
1110
1111	a=${NSA_IP}
1112	log_start
1113	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1114	sleep 1
1115	run_cmd nettest  -d ${NSA_DEV} -r ${a} -0 ${a}
1116	log_test_addr ${a} $? 0 "Device server, device client, local connection"
1117
1118	log_start
1119	show_hint "Should fail 'Connection refused'"
1120	run_cmd nettest -d ${NSA_DEV} -r ${a}
1121	log_test_addr ${a} $? 1 "No server, device client, local conn"
1122
1123	ipv4_tcp_md5_novrf
1124}
1125
1126ipv4_tcp_vrf()
1127{
1128	local a
1129
1130	# disable global server
1131	log_subsection "Global server disabled"
1132
1133	set_sysctl net.ipv4.tcp_l3mdev_accept=0
1134
1135	#
1136	# server tests
1137	#
1138	for a in ${NSA_IP} ${VRF_IP}
1139	do
1140		log_start
1141		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
1142		run_cmd nettest -s &
1143		sleep 1
1144		run_cmd_nsb nettest -r ${a}
1145		log_test_addr ${a} $? 1 "Global server"
1146
1147		log_start
1148		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1149		sleep 1
1150		run_cmd_nsb nettest -r ${a}
1151		log_test_addr ${a} $? 0 "VRF server"
1152
1153		log_start
1154		run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1155		sleep 1
1156		run_cmd_nsb nettest -r ${a}
1157		log_test_addr ${a} $? 0 "Device server"
1158
1159		# verify TCP reset received
1160		log_start
1161		show_hint "Should fail 'Connection refused' since there is no server"
1162		run_cmd_nsb nettest -r ${a}
1163		log_test_addr ${a} $? 1 "No server"
1164	done
1165
1166	# local address tests
1167	# (${VRF_IP} and 127.0.0.1 both timeout)
1168	a=${NSA_IP}
1169	log_start
1170	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
1171	run_cmd nettest -s &
1172	sleep 1
1173	run_cmd nettest -r ${a} -d ${NSA_DEV}
1174	log_test_addr ${a} $? 1 "Global server, local connection"
1175
1176	# run MD5 tests
1177	ipv4_tcp_md5
1178
1179	#
1180	# enable VRF global server
1181	#
1182	log_subsection "VRF Global server enabled"
1183	set_sysctl net.ipv4.tcp_l3mdev_accept=1
1184
1185	for a in ${NSA_IP} ${VRF_IP}
1186	do
1187		log_start
1188		show_hint "client socket should be bound to VRF"
1189		run_cmd nettest -s -3 ${VRF} &
1190		sleep 1
1191		run_cmd_nsb nettest -r ${a}
1192		log_test_addr ${a} $? 0 "Global server"
1193
1194		log_start
1195		show_hint "client socket should be bound to VRF"
1196		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1197		sleep 1
1198		run_cmd_nsb nettest -r ${a}
1199		log_test_addr ${a} $? 0 "VRF server"
1200
1201		# verify TCP reset received
1202		log_start
1203		show_hint "Should fail 'Connection refused'"
1204		run_cmd_nsb nettest -r ${a}
1205		log_test_addr ${a} $? 1 "No server"
1206	done
1207
1208	a=${NSA_IP}
1209	log_start
1210	show_hint "client socket should be bound to device"
1211	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1212	sleep 1
1213	run_cmd_nsb nettest -r ${a}
1214	log_test_addr ${a} $? 0 "Device server"
1215
1216	# local address tests
1217	for a in ${NSA_IP} ${VRF_IP}
1218	do
1219		log_start
1220		show_hint "Should fail 'Connection refused' since client is not bound to VRF"
1221		run_cmd nettest -s -I ${VRF} &
1222		sleep 1
1223		run_cmd nettest -r ${a}
1224		log_test_addr ${a} $? 1 "Global server, local connection"
1225	done
1226
1227	#
1228	# client
1229	#
1230	for a in ${NSB_IP} ${NSB_LO_IP}
1231	do
1232		log_start
1233		run_cmd_nsb nettest -s &
1234		sleep 1
1235		run_cmd nettest -r ${a} -d ${VRF}
1236		log_test_addr ${a} $? 0 "Client, VRF bind"
1237
1238		log_start
1239		run_cmd_nsb nettest -s &
1240		sleep 1
1241		run_cmd nettest -r ${a} -d ${NSA_DEV}
1242		log_test_addr ${a} $? 0 "Client, device bind"
1243
1244		log_start
1245		show_hint "Should fail 'Connection refused'"
1246		run_cmd nettest -r ${a} -d ${VRF}
1247		log_test_addr ${a} $? 1 "No server, VRF client"
1248
1249		log_start
1250		show_hint "Should fail 'Connection refused'"
1251		run_cmd nettest -r ${a} -d ${NSA_DEV}
1252		log_test_addr ${a} $? 1 "No server, device client"
1253	done
1254
1255	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
1256	do
1257		log_start
1258		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1259		sleep 1
1260		run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
1261		log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
1262	done
1263
1264	a=${NSA_IP}
1265	log_start
1266	run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1267	sleep 1
1268	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
1269	log_test_addr ${a} $? 0 "VRF server, device client, local connection"
1270
1271	log_start
1272	show_hint "Should fail 'No route to host' since client is out of VRF scope"
1273	run_cmd nettest -s -I ${VRF} &
1274	sleep 1
1275	run_cmd nettest -r ${a}
1276	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"
1277
1278	log_start
1279	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1280	sleep 1
1281	run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
1282	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"
1283
1284	log_start
1285	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1286	sleep 1
1287	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
1288	log_test_addr ${a} $? 0 "Device server, device client, local connection"
1289}
1290
1291ipv4_tcp()
1292{
1293	log_section "IPv4/TCP"
1294	log_subsection "No VRF"
1295	setup
1296
1297	# tcp_l3mdev_accept should have no affect without VRF;
1298	# run tests with it enabled and disabled to verify
1299	log_subsection "tcp_l3mdev_accept disabled"
1300	set_sysctl net.ipv4.tcp_l3mdev_accept=0
1301	ipv4_tcp_novrf
1302	log_subsection "tcp_l3mdev_accept enabled"
1303	set_sysctl net.ipv4.tcp_l3mdev_accept=1
1304	ipv4_tcp_novrf
1305
1306	log_subsection "With VRF"
1307	setup "yes"
1308	ipv4_tcp_vrf
1309}
1310
1311################################################################################
1312# IPv4 UDP
1313
1314ipv4_udp_novrf()
1315{
1316	local a
1317
1318	#
1319	# server tests
1320	#
1321	for a in ${NSA_IP} ${NSA_LO_IP}
1322	do
1323		log_start
1324		run_cmd nettest -D -s -3 ${NSA_DEV} &
1325		sleep 1
1326		run_cmd_nsb nettest -D -r ${a}
1327		log_test_addr ${a} $? 0 "Global server"
1328
1329		log_start
1330		show_hint "Should fail 'Connection refused' since there is no server"
1331		run_cmd_nsb nettest -D -r ${a}
1332		log_test_addr ${a} $? 1 "No server"
1333	done
1334
1335	a=${NSA_IP}
1336	log_start
1337	run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
1338	sleep 1
1339	run_cmd_nsb nettest -D -r ${a}
1340	log_test_addr ${a} $? 0 "Device server"
1341
1342	#
1343	# client
1344	#
1345	for a in ${NSB_IP} ${NSB_LO_IP}
1346	do
1347		log_start
1348		run_cmd_nsb nettest -D -s &
1349		sleep 1
1350		run_cmd nettest -D -r ${a} -0 ${NSA_IP}
1351		log_test_addr ${a} $? 0 "Client"
1352
1353		log_start
1354		run_cmd_nsb nettest -D -s &
1355		sleep 1
1356		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP}
1357		log_test_addr ${a} $? 0 "Client, device bind"
1358
1359		log_start
1360		run_cmd_nsb nettest -D -s &
1361		sleep 1
1362		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP}
1363		log_test_addr ${a} $? 0 "Client, device send via cmsg"
1364
1365		log_start
1366		run_cmd_nsb nettest -D -s &
1367		sleep 1
1368		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP}
1369		log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF"
1370
1371		log_start
1372		show_hint "Should fail 'Connection refused'"
1373		run_cmd nettest -D -r ${a}
1374		log_test_addr ${a} $? 1 "No server, unbound client"
1375
1376		log_start
1377		show_hint "Should fail 'Connection refused'"
1378		run_cmd nettest -D -r ${a} -d ${NSA_DEV}
1379		log_test_addr ${a} $? 1 "No server, device client"
1380	done
1381
1382	#
1383	# local address tests
1384	#
1385	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
1386	do
1387		log_start
1388		run_cmd nettest -D -s &
1389		sleep 1
1390		run_cmd nettest -D -r ${a} -0 ${a} -1 ${a}
1391		log_test_addr ${a} $? 0 "Global server, local connection"
1392	done
1393
1394	a=${NSA_IP}
1395	log_start
1396	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1397	sleep 1
1398	run_cmd nettest -D -r ${a}
1399	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
1400
1401	for a in ${NSA_LO_IP} 127.0.0.1
1402	do
1403		log_start
1404		show_hint "Should fail 'Connection refused' since address is out of device scope"
1405		run_cmd nettest -s -D -I ${NSA_DEV} &
1406		sleep 1
1407		run_cmd nettest -D -r ${a}
1408		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
1409	done
1410
1411	a=${NSA_IP}
1412	log_start
1413	run_cmd nettest -s -D &
1414	sleep 1
1415	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1416	log_test_addr ${a} $? 0 "Global server, device client, local connection"
1417
1418	log_start
1419	run_cmd nettest -s -D &
1420	sleep 1
1421	run_cmd nettest -D -d ${NSA_DEV} -C -r ${a}
1422	log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"
1423
1424	log_start
1425	run_cmd nettest -s -D &
1426	sleep 1
1427	run_cmd nettest -D -d ${NSA_DEV} -S -r ${a}
1428	log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection"
1429
1430	# IPv4 with device bind has really weird behavior - it overrides the
1431	# fib lookup, generates an rtable and tries to send the packet. This
1432	# causes failures for local traffic at different places
1433	for a in ${NSA_LO_IP} 127.0.0.1
1434	do
1435		log_start
1436		show_hint "Should fail since addresses on loopback are out of device scope"
1437		run_cmd nettest -D -s &
1438		sleep 1
1439		run_cmd nettest -D -r ${a} -d ${NSA_DEV}
1440		log_test_addr ${a} $? 2 "Global server, device client, local connection"
1441
1442		log_start
1443		show_hint "Should fail since addresses on loopback are out of device scope"
1444		run_cmd nettest -D -s &
1445		sleep 1
1446		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C
1447		log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"
1448
1449		log_start
1450		show_hint "Should fail since addresses on loopback are out of device scope"
1451		run_cmd nettest -D -s &
1452		sleep 1
1453		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S
1454		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
1455	done
1456
1457	a=${NSA_IP}
1458	log_start
1459	run_cmd nettest -D -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1460	sleep 1
1461	run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a}
1462	log_test_addr ${a} $? 0 "Device server, device client, local conn"
1463
1464	log_start
1465	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1466	log_test_addr ${a} $? 2 "No server, device client, local conn"
1467}
1468
1469ipv4_udp_vrf()
1470{
1471	local a
1472
1473	# disable global server
1474	log_subsection "Global server disabled"
1475	set_sysctl net.ipv4.udp_l3mdev_accept=0
1476
1477	#
1478	# server tests
1479	#
1480	for a in ${NSA_IP} ${VRF_IP}
1481	do
1482		log_start
1483		show_hint "Fails because ingress is in a VRF and global server is disabled"
1484		run_cmd nettest -D -s &
1485		sleep 1
1486		run_cmd_nsb nettest -D -r ${a}
1487		log_test_addr ${a} $? 1 "Global server"
1488
1489		log_start
1490		run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
1491		sleep 1
1492		run_cmd_nsb nettest -D -r ${a}
1493		log_test_addr ${a} $? 0 "VRF server"
1494
1495		log_start
1496		run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
1497		sleep 1
1498		run_cmd_nsb nettest -D -r ${a}
1499		log_test_addr ${a} $? 0 "Enslaved device server"
1500
1501		log_start
1502		show_hint "Should fail 'Connection refused' since there is no server"
1503		run_cmd_nsb nettest -D -r ${a}
1504		log_test_addr ${a} $? 1 "No server"
1505
1506		log_start
1507		show_hint "Should fail 'Connection refused' since global server is out of scope"
1508		run_cmd nettest -D -s &
1509		sleep 1
1510		run_cmd nettest -D -d ${VRF} -r ${a}
1511		log_test_addr ${a} $? 1 "Global server, VRF client, local connection"
1512	done
1513
1514	a=${NSA_IP}
1515	log_start
1516	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1517	sleep 1
1518	run_cmd nettest -D -d ${VRF} -r ${a}
1519	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1520
1521	log_start
1522	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1523	sleep 1
1524	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1525	log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection"
1526
1527	a=${NSA_IP}
1528	log_start
1529	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1530	sleep 1
1531	run_cmd nettest -D -d ${VRF} -r ${a}
1532	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
1533
1534	log_start
1535	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1536	sleep 1
1537	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1538	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
1539
1540	# enable global server
1541	log_subsection "Global server enabled"
1542	set_sysctl net.ipv4.udp_l3mdev_accept=1
1543
1544	#
1545	# server tests
1546	#
1547	for a in ${NSA_IP} ${VRF_IP}
1548	do
1549		log_start
1550		run_cmd nettest -D -s -3 ${NSA_DEV} &
1551		sleep 1
1552		run_cmd_nsb nettest -D -r ${a}
1553		log_test_addr ${a} $? 0 "Global server"
1554
1555		log_start
1556		run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
1557		sleep 1
1558		run_cmd_nsb nettest -D -r ${a}
1559		log_test_addr ${a} $? 0 "VRF server"
1560
1561		log_start
1562		run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
1563		sleep 1
1564		run_cmd_nsb nettest -D -r ${a}
1565		log_test_addr ${a} $? 0 "Enslaved device server"
1566
1567		log_start
1568		show_hint "Should fail 'Connection refused'"
1569		run_cmd_nsb nettest -D -r ${a}
1570		log_test_addr ${a} $? 1 "No server"
1571	done
1572
1573	#
1574	# client tests
1575	#
1576	log_start
1577	run_cmd_nsb nettest -D -s &
1578	sleep 1
1579	run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP}
1580	log_test $? 0 "VRF client"
1581
1582	log_start
1583	run_cmd_nsb nettest -D -s &
1584	sleep 1
1585	run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP}
1586	log_test $? 0 "Enslaved device client"
1587
1588	# negative test - should fail
1589	log_start
1590	show_hint "Should fail 'Connection refused'"
1591	run_cmd nettest -D -d ${VRF} -r ${NSB_IP}
1592	log_test $? 1 "No server, VRF client"
1593
1594	log_start
1595	show_hint "Should fail 'Connection refused'"
1596	run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP}
1597	log_test $? 1 "No server, enslaved device client"
1598
1599	#
1600	# local address tests
1601	#
1602	a=${NSA_IP}
1603	log_start
1604	run_cmd nettest -D -s -3 ${NSA_DEV} &
1605	sleep 1
1606	run_cmd nettest -D -d ${VRF} -r ${a}
1607	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
1608
1609	log_start
1610	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1611	sleep 1
1612	run_cmd nettest -D -d ${VRF} -r ${a}
1613	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1614
1615	log_start
1616	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1617	sleep 1
1618	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1619	log_test_addr ${a} $? 0 "VRF server, device client, local conn"
1620
1621	log_start
1622	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1623	sleep 1
1624	run_cmd nettest -D -d ${VRF} -r ${a}
1625	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
1626
1627	log_start
1628	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1629	sleep 1
1630	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1631	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
1632
1633	for a in ${VRF_IP} 127.0.0.1
1634	do
1635		log_start
1636		run_cmd nettest -D -s -3 ${VRF} &
1637		sleep 1
1638		run_cmd nettest -D -d ${VRF} -r ${a}
1639		log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
1640	done
1641
1642	for a in ${VRF_IP} 127.0.0.1
1643	do
1644		log_start
1645		run_cmd nettest -s -D -I ${VRF} -3 ${VRF} &
1646		sleep 1
1647		run_cmd nettest -D -d ${VRF} -r ${a}
1648		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1649	done
1650
1651	# negative test - should fail
1652	# verifies ECONNREFUSED
1653	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
1654	do
1655		log_start
1656		show_hint "Should fail 'Connection refused'"
1657		run_cmd nettest -D -d ${VRF} -r ${a}
1658		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
1659	done
1660}
1661
1662ipv4_udp()
1663{
1664	log_section "IPv4/UDP"
1665	log_subsection "No VRF"
1666
1667	setup
1668
1669	# udp_l3mdev_accept should have no affect without VRF;
1670	# run tests with it enabled and disabled to verify
1671	log_subsection "udp_l3mdev_accept disabled"
1672	set_sysctl net.ipv4.udp_l3mdev_accept=0
1673	ipv4_udp_novrf
1674	log_subsection "udp_l3mdev_accept enabled"
1675	set_sysctl net.ipv4.udp_l3mdev_accept=1
1676	ipv4_udp_novrf
1677
1678	log_subsection "With VRF"
1679	setup "yes"
1680	ipv4_udp_vrf
1681}
1682
1683################################################################################
1684# IPv4 address bind
1685#
1686# verifies ability or inability to bind to an address / device
1687
1688ipv4_addr_bind_novrf()
1689{
1690	#
1691	# raw socket
1692	#
1693	for a in ${NSA_IP} ${NSA_LO_IP}
1694	do
1695		log_start
1696		run_cmd nettest -s -R -P icmp -l ${a} -b
1697		log_test_addr ${a} $? 0 "Raw socket bind to local address"
1698
1699		log_start
1700		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
1701		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
1702	done
1703
1704	#
1705	# tcp sockets
1706	#
1707	a=${NSA_IP}
1708	log_start
1709	run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b
1710	log_test_addr ${a} $? 0 "TCP socket bind to local address"
1711
1712	log_start
1713	run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b
1714	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
1715
1716	# Sadly, the kernel allows binding a socket to a device and then
1717	# binding to an address not on the device. The only restriction
1718	# is that the address is valid in the L3 domain. So this test
1719	# passes when it really should not
1720	#a=${NSA_LO_IP}
1721	#log_start
1722	#show_hint "Should fail with 'Cannot assign requested address'"
1723	#run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
1724	#log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
1725}
1726
1727ipv4_addr_bind_vrf()
1728{
1729	#
1730	# raw socket
1731	#
1732	for a in ${NSA_IP} ${VRF_IP}
1733	do
1734		log_start
1735		run_cmd nettest -s -R -P icmp -l ${a} -b
1736		log_test_addr ${a} $? 0 "Raw socket bind to local address"
1737
1738		log_start
1739		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
1740		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
1741		log_start
1742		run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
1743		log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind"
1744	done
1745
1746	a=${NSA_LO_IP}
1747	log_start
1748	show_hint "Address on loopback is out of VRF scope"
1749	run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
1750	log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind"
1751
1752	#
1753	# tcp sockets
1754	#
1755	for a in ${NSA_IP} ${VRF_IP}
1756	do
1757		log_start
1758		run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
1759		log_test_addr ${a} $? 0 "TCP socket bind to local address"
1760
1761		log_start
1762		run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
1763		log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
1764	done
1765
1766	a=${NSA_LO_IP}
1767	log_start
1768	show_hint "Address on loopback out of scope for VRF"
1769	run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
1770	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"
1771
1772	log_start
1773	show_hint "Address on loopback out of scope for device in VRF"
1774	run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
1775	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
1776}
1777
1778ipv4_addr_bind()
1779{
1780	log_section "IPv4 address binds"
1781
1782	log_subsection "No VRF"
1783	setup
1784	ipv4_addr_bind_novrf
1785
1786	log_subsection "With VRF"
1787	setup "yes"
1788	ipv4_addr_bind_vrf
1789}
1790
1791################################################################################
1792# IPv4 runtime tests
1793
1794ipv4_rt()
1795{
1796	local desc="$1"
1797	local varg="$2"
1798	local with_vrf="yes"
1799	local a
1800
1801	#
1802	# server tests
1803	#
1804	for a in ${NSA_IP} ${VRF_IP}
1805	do
1806		log_start
1807		run_cmd nettest ${varg} -s &
1808		sleep 1
1809		run_cmd_nsb nettest ${varg} -r ${a} &
1810		sleep 3
1811		run_cmd ip link del ${VRF}
1812		sleep 1
1813		log_test_addr ${a} 0 0 "${desc}, global server"
1814
1815		setup ${with_vrf}
1816	done
1817
1818	for a in ${NSA_IP} ${VRF_IP}
1819	do
1820		log_start
1821		run_cmd nettest ${varg} -s -I ${VRF} &
1822		sleep 1
1823		run_cmd_nsb nettest ${varg} -r ${a} &
1824		sleep 3
1825		run_cmd ip link del ${VRF}
1826		sleep 1
1827		log_test_addr ${a} 0 0 "${desc}, VRF server"
1828
1829		setup ${with_vrf}
1830	done
1831
1832	a=${NSA_IP}
1833	log_start
1834	run_cmd nettest ${varg} -s -I ${NSA_DEV} &
1835	sleep 1
1836	run_cmd_nsb nettest ${varg} -r ${a} &
1837	sleep 3
1838	run_cmd ip link del ${VRF}
1839	sleep 1
1840	log_test_addr ${a} 0 0 "${desc}, enslaved device server"
1841
1842	setup ${with_vrf}
1843
1844	#
1845	# client test
1846	#
1847	log_start
1848	run_cmd_nsb nettest ${varg} -s &
1849	sleep 1
1850	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} &
1851	sleep 3
1852	run_cmd ip link del ${VRF}
1853	sleep 1
1854	log_test_addr ${a} 0 0 "${desc}, VRF client"
1855
1856	setup ${with_vrf}
1857
1858	log_start
1859	run_cmd_nsb nettest ${varg} -s &
1860	sleep 1
1861	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} &
1862	sleep 3
1863	run_cmd ip link del ${VRF}
1864	sleep 1
1865	log_test_addr ${a} 0 0 "${desc}, enslaved device client"
1866
1867	setup ${with_vrf}
1868
1869	#
1870	# local address tests
1871	#
1872	for a in ${NSA_IP} ${VRF_IP}
1873	do
1874		log_start
1875		run_cmd nettest ${varg} -s &
1876		sleep 1
1877		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
1878		sleep 3
1879		run_cmd ip link del ${VRF}
1880		sleep 1
1881		log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local"
1882
1883		setup ${with_vrf}
1884	done
1885
1886	for a in ${NSA_IP} ${VRF_IP}
1887	do
1888		log_start
1889		run_cmd nettest ${varg} -I ${VRF} -s &
1890		sleep 1
1891		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
1892		sleep 3
1893		run_cmd ip link del ${VRF}
1894		sleep 1
1895		log_test_addr ${a} 0 0 "${desc}, VRF server and client, local"
1896
1897		setup ${with_vrf}
1898	done
1899
1900	a=${NSA_IP}
1901	log_start
1902	run_cmd nettest ${varg} -s &
1903	sleep 1
1904	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
1905	sleep 3
1906	run_cmd ip link del ${VRF}
1907	sleep 1
1908	log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local"
1909
1910	setup ${with_vrf}
1911
1912	log_start
1913	run_cmd nettest ${varg} -I ${VRF} -s &
1914	sleep 1
1915	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
1916	sleep 3
1917	run_cmd ip link del ${VRF}
1918	sleep 1
1919	log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local"
1920
1921	setup ${with_vrf}
1922
1923	log_start
1924	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
1925	sleep 1
1926	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
1927	sleep 3
1928	run_cmd ip link del ${VRF}
1929	sleep 1
1930	log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local"
1931}
1932
1933ipv4_ping_rt()
1934{
1935	local with_vrf="yes"
1936	local a
1937
1938	for a in ${NSA_IP} ${VRF_IP}
1939	do
1940		log_start
1941		run_cmd_nsb ping -f ${a} &
1942		sleep 3
1943		run_cmd ip link del ${VRF}
1944		sleep 1
1945		log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"
1946
1947		setup ${with_vrf}
1948	done
1949
1950	a=${NSB_IP}
1951	log_start
1952	run_cmd ping -f -I ${VRF} ${a} &
1953	sleep 3
1954	run_cmd ip link del ${VRF}
1955	sleep 1
1956	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
1957}
1958
1959ipv4_runtime()
1960{
1961	log_section "Run time tests - ipv4"
1962
1963	setup "yes"
1964	ipv4_ping_rt
1965
1966	setup "yes"
1967	ipv4_rt "TCP active socket"  "-n -1"
1968
1969	setup "yes"
1970	ipv4_rt "TCP passive socket" "-i"
1971}
1972
1973################################################################################
1974# IPv6
1975
1976ipv6_ping_novrf()
1977{
1978	local a
1979
1980	# should not have an impact, but make a known state
1981	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null
1982
1983	#
1984	# out
1985	#
1986	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
1987	do
1988		log_start
1989		run_cmd ${ping6} -c1 -w1 ${a}
1990		log_test_addr ${a} $? 0 "ping out"
1991	done
1992
1993	for a in ${NSB_IP6} ${NSB_LO_IP6}
1994	do
1995		log_start
1996		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
1997		log_test_addr ${a} $? 0 "ping out, device bind"
1998
1999		log_start
2000		run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a}
2001		log_test_addr ${a} $? 0 "ping out, loopback address bind"
2002	done
2003
2004	#
2005	# in
2006	#
2007	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
2008	do
2009		log_start
2010		run_cmd_nsb ${ping6} -c1 -w1 ${a}
2011		log_test_addr ${a} $? 0 "ping in"
2012	done
2013
2014	#
2015	# local traffic, local address
2016	#
2017	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2018	do
2019		log_start
2020		run_cmd ${ping6} -c1 -w1 ${a}
2021		log_test_addr ${a} $? 0 "ping local, no bind"
2022	done
2023
2024	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2025	do
2026		log_start
2027		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2028		log_test_addr ${a} $? 0 "ping local, device bind"
2029	done
2030
2031	for a in ${NSA_LO_IP6} ::1
2032	do
2033		log_start
2034		show_hint "Fails since address on loopback is out of device scope"
2035		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2036		log_test_addr ${a} $? 2 "ping local, device bind"
2037	done
2038
2039	#
2040	# ip rule blocks address
2041	#
2042	log_start
2043	setup_cmd ip -6 rule add pref 32765 from all lookup local
2044	setup_cmd ip -6 rule del pref 0 from all lookup local
2045	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
2046	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit
2047
2048	a=${NSB_LO_IP6}
2049	run_cmd ${ping6} -c1 -w1 ${a}
2050	log_test_addr ${a} $? 2 "ping out, blocked by rule"
2051
2052	log_start
2053	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2054	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
2055
2056	a=${NSA_LO_IP6}
2057	log_start
2058	show_hint "Response lost due to ip rule"
2059	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2060	log_test_addr ${a} $? 1 "ping in, blocked by rule"
2061
2062	setup_cmd ip -6 rule add pref 0 from all lookup local
2063	setup_cmd ip -6 rule del pref 32765 from all lookup local
2064	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
2065	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit
2066
2067	#
2068	# route blocks reachability to remote address
2069	#
2070	log_start
2071	setup_cmd ip -6 route del ${NSB_LO_IP6}
2072	setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10
2073	setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10
2074
2075	a=${NSB_LO_IP6}
2076	run_cmd ${ping6} -c1 -w1 ${a}
2077	log_test_addr ${a} $? 2 "ping out, blocked by route"
2078
2079	log_start
2080	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2081	log_test_addr ${a} $? 2 "ping out, device bind, blocked by route"
2082
2083	a=${NSA_LO_IP6}
2084	log_start
2085	show_hint "Response lost due to ip route"
2086	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2087	log_test_addr ${a} $? 1 "ping in, blocked by route"
2088
2089
2090	#
2091	# remove 'remote' routes; fallback to default
2092	#
2093	log_start
2094	setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6}
2095	setup_cmd ip -6 ro del unreachable ${NSB_IP6}
2096
2097	a=${NSB_LO_IP6}
2098	run_cmd ${ping6} -c1 -w1 ${a}
2099	log_test_addr ${a} $? 2 "ping out, unreachable route"
2100
2101	log_start
2102	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2103	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
2104}
2105
2106ipv6_ping_vrf()
2107{
2108	local a
2109
2110	# should default on; does not exist on older kernels
2111	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
2112
2113	#
2114	# out
2115	#
2116	for a in ${NSB_IP6} ${NSB_LO_IP6}
2117	do
2118		log_start
2119		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
2120		log_test_addr ${a} $? 0 "ping out, VRF bind"
2121	done
2122
2123	for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF}
2124	do
2125		log_start
2126		show_hint "Fails since VRF device does not support linklocal or multicast"
2127		run_cmd ${ping6} -c1 -w1 ${a}
2128		log_test_addr ${a} $? 2 "ping out, VRF bind"
2129	done
2130
2131	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2132	do
2133		log_start
2134		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2135		log_test_addr ${a} $? 0 "ping out, device bind"
2136	done
2137
2138	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2139	do
2140		log_start
2141		run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a}
2142		log_test_addr ${a} $? 0 "ping out, vrf device+address bind"
2143	done
2144
2145	#
2146	# in
2147	#
2148	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
2149	do
2150		log_start
2151		run_cmd_nsb ${ping6} -c1 -w1 ${a}
2152		log_test_addr ${a} $? 0 "ping in"
2153	done
2154
2155	a=${NSA_LO_IP6}
2156	log_start
2157	show_hint "Fails since loopback address is out of VRF scope"
2158	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2159	log_test_addr ${a} $? 1 "ping in"
2160
2161	#
2162	# local traffic, local address
2163	#
2164	for a in ${NSA_IP6} ${VRF_IP6} ::1
2165	do
2166		log_start
2167		show_hint "Source address should be ${a}"
2168		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
2169		log_test_addr ${a} $? 0 "ping local, VRF bind"
2170	done
2171
2172	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2173	do
2174		log_start
2175		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2176		log_test_addr ${a} $? 0 "ping local, device bind"
2177	done
2178
2179	# LLA to GUA - remove ipv6 global addresses from ns-B
2180	setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
2181	setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo
2182	setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
2183
2184	for a in ${NSA_IP6} ${VRF_IP6}
2185	do
2186		log_start
2187		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
2188		log_test_addr ${a} $? 0 "ping in, LLA to GUA"
2189	done
2190
2191	setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
2192	setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV}
2193	setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo
2194
2195	#
2196	# ip rule blocks address
2197	#
2198	log_start
2199	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
2200	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit
2201
2202	a=${NSB_LO_IP6}
2203	run_cmd ${ping6} -c1 -w1 ${a}
2204	log_test_addr ${a} $? 2 "ping out, blocked by rule"
2205
2206	log_start
2207	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2208	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
2209
2210	a=${NSA_LO_IP6}
2211	log_start
2212	show_hint "Response lost due to ip rule"
2213	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2214	log_test_addr ${a} $? 1 "ping in, blocked by rule"
2215
2216	log_start
2217	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
2218	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit
2219
2220	#
2221	# remove 'remote' routes; fallback to default
2222	#
2223	log_start
2224	setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF}
2225
2226	a=${NSB_LO_IP6}
2227	run_cmd ${ping6} -c1 -w1 ${a}
2228	log_test_addr ${a} $? 2 "ping out, unreachable route"
2229
2230	log_start
2231	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2232	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
2233
2234	ip -netns ${NSB} -6 ro del ${NSA_LO_IP6}
2235	a=${NSA_LO_IP6}
2236	log_start
2237	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2238	log_test_addr ${a} $? 2 "ping in, unreachable route"
2239}
2240
2241ipv6_ping()
2242{
2243	log_section "IPv6 ping"
2244
2245	log_subsection "No VRF"
2246	setup
2247	ipv6_ping_novrf
2248
2249	log_subsection "With VRF"
2250	setup "yes"
2251	ipv6_ping_vrf
2252}
2253
2254################################################################################
2255# IPv6 TCP
2256
2257#
2258# MD5 tests without VRF
2259#
2260ipv6_tcp_md5_novrf()
2261{
2262	#
2263	# single address
2264	#
2265
2266	# basic use case
2267	log_start
2268	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
2269	sleep 1
2270	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2271	log_test $? 0 "MD5: Single address config"
2272
2273	# client sends MD5, server not configured
2274	log_start
2275	show_hint "Should timeout due to MD5 mismatch"
2276	run_cmd nettest -6 -s &
2277	sleep 1
2278	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2279	log_test $? 2 "MD5: Server no config, client uses password"
2280
2281	# wrong password
2282	log_start
2283	show_hint "Should timeout since client uses wrong password"
2284	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
2285	sleep 1
2286	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2287	log_test $? 2 "MD5: Client uses wrong password"
2288
2289	# client from different address
2290	log_start
2291	show_hint "Should timeout due to MD5 mismatch"
2292	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} &
2293	sleep 1
2294	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2295	log_test $? 2 "MD5: Client address does not match address configured with password"
2296
2297	#
2298	# MD5 extension - prefix length
2299	#
2300
2301	# client in prefix
2302	log_start
2303	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2304	sleep 1
2305	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2306	log_test $? 0 "MD5: Prefix config"
2307
2308	# client in prefix, wrong password
2309	log_start
2310	show_hint "Should timeout since client uses wrong password"
2311	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2312	sleep 1
2313	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2314	log_test $? 2 "MD5: Prefix config, client uses wrong password"
2315
2316	# client outside of prefix
2317	log_start
2318	show_hint "Should timeout due to MD5 mismatch"
2319	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2320	sleep 1
2321	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
2322	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
2323}
2324
2325#
2326# MD5 tests with VRF
2327#
2328ipv6_tcp_md5()
2329{
2330	#
2331	# single address
2332	#
2333
2334	# basic use case
2335	log_start
2336	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2337	sleep 1
2338	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2339	log_test $? 0 "MD5: VRF: Single address config"
2340
2341	# client sends MD5, server not configured
2342	log_start
2343	show_hint "Should timeout since server does not have MD5 auth"
2344	run_cmd nettest -6 -s -I ${VRF} &
2345	sleep 1
2346	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2347	log_test $? 2 "MD5: VRF: Server no config, client uses password"
2348
2349	# wrong password
2350	log_start
2351	show_hint "Should timeout since client uses wrong password"
2352	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2353	sleep 1
2354	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2355	log_test $? 2 "MD5: VRF: Client uses wrong password"
2356
2357	# client from different address
2358	log_start
2359	show_hint "Should timeout since server config differs from client"
2360	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} &
2361	sleep 1
2362	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2363	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"
2364
2365	#
2366	# MD5 extension - prefix length
2367	#
2368
2369	# client in prefix
2370	log_start
2371	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2372	sleep 1
2373	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2374	log_test $? 0 "MD5: VRF: Prefix config"
2375
2376	# client in prefix, wrong password
2377	log_start
2378	show_hint "Should timeout since client uses wrong password"
2379	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2380	sleep 1
2381	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2382	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"
2383
2384	# client outside of prefix
2385	log_start
2386	show_hint "Should timeout since client address is outside of prefix"
2387	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2388	sleep 1
2389	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
2390	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"
2391
2392	#
2393	# duplicate config between default VRF and a VRF
2394	#
2395
2396	log_start
2397	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2398	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2399	sleep 1
2400	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2401	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"
2402
2403	log_start
2404	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2405	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2406	sleep 1
2407	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2408	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"
2409
2410	log_start
2411	show_hint "Should timeout since client in default VRF uses VRF password"
2412	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2413	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2414	sleep 1
2415	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2416	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"
2417
2418	log_start
2419	show_hint "Should timeout since client in VRF uses default VRF password"
2420	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2421	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2422	sleep 1
2423	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2424	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"
2425
2426	log_start
2427	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2428	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2429	sleep 1
2430	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2431	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"
2432
2433	log_start
2434	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2435	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2436	sleep 1
2437	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2438	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"
2439
2440	log_start
2441	show_hint "Should timeout since client in default VRF uses VRF password"
2442	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2443	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2444	sleep 1
2445	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2446	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"
2447
2448	log_start
2449	show_hint "Should timeout since client in VRF uses default VRF password"
2450	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2451	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2452	sleep 1
2453	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2454	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"
2455
2456	#
2457	# negative tests
2458	#
2459	log_start
2460	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6}
2461	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"
2462
2463	log_start
2464	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6}
2465	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"
2466
2467}
2468
2469ipv6_tcp_novrf()
2470{
2471	local a
2472
2473	#
2474	# server tests
2475	#
2476	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2477	do
2478		log_start
2479		run_cmd nettest -6 -s &
2480		sleep 1
2481		run_cmd_nsb nettest -6 -r ${a}
2482		log_test_addr ${a} $? 0 "Global server"
2483	done
2484
2485	# verify TCP reset received
2486	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2487	do
2488		log_start
2489		show_hint "Should fail 'Connection refused'"
2490		run_cmd_nsb nettest -6 -r ${a}
2491		log_test_addr ${a} $? 1 "No server"
2492	done
2493
2494	#
2495	# client
2496	#
2497	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2498	do
2499		log_start
2500		run_cmd_nsb nettest -6 -s &
2501		sleep 1
2502		run_cmd nettest -6 -r ${a}
2503		log_test_addr ${a} $? 0 "Client"
2504	done
2505
2506	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2507	do
2508		log_start
2509		run_cmd_nsb nettest -6 -s &
2510		sleep 1
2511		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2512		log_test_addr ${a} $? 0 "Client, device bind"
2513	done
2514
2515	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2516	do
2517		log_start
2518		show_hint "Should fail 'Connection refused'"
2519		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2520		log_test_addr ${a} $? 1 "No server, device client"
2521	done
2522
2523	#
2524	# local address tests
2525	#
2526	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
2527	do
2528		log_start
2529		run_cmd nettest -6 -s &
2530		sleep 1
2531		run_cmd nettest -6 -r ${a}
2532		log_test_addr ${a} $? 0 "Global server, local connection"
2533	done
2534
2535	a=${NSA_IP6}
2536	log_start
2537	run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2538	sleep 1
2539	run_cmd nettest -6 -r ${a} -0 ${a}
2540	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
2541
2542	for a in ${NSA_LO_IP6} ::1
2543	do
2544		log_start
2545		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
2546		run_cmd nettest -6 -s -I ${NSA_DEV} &
2547		sleep 1
2548		run_cmd nettest -6 -r ${a}
2549		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
2550	done
2551
2552	a=${NSA_IP6}
2553	log_start
2554	run_cmd nettest -6 -s &
2555	sleep 1
2556	run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
2557	log_test_addr ${a} $? 0 "Global server, device client, local connection"
2558
2559	for a in ${NSA_LO_IP6} ::1
2560	do
2561		log_start
2562		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
2563		run_cmd nettest -6 -s &
2564		sleep 1
2565		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2566		log_test_addr ${a} $? 1 "Global server, device client, local connection"
2567	done
2568
2569	for a in ${NSA_IP6} ${NSA_LINKIP6}
2570	do
2571		log_start
2572		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2573		sleep 1
2574		run_cmd nettest -6  -d ${NSA_DEV} -r ${a}
2575		log_test_addr ${a} $? 0 "Device server, device client, local conn"
2576	done
2577
2578	for a in ${NSA_IP6} ${NSA_LINKIP6}
2579	do
2580		log_start
2581		show_hint "Should fail 'Connection refused'"
2582		run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
2583		log_test_addr ${a} $? 1 "No server, device client, local conn"
2584	done
2585
2586	ipv6_tcp_md5_novrf
2587}
2588
2589ipv6_tcp_vrf()
2590{
2591	local a
2592
2593	# disable global server
2594	log_subsection "Global server disabled"
2595
2596	set_sysctl net.ipv4.tcp_l3mdev_accept=0
2597
2598	#
2599	# server tests
2600	#
2601	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2602	do
2603		log_start
2604		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
2605		run_cmd nettest -6 -s &
2606		sleep 1
2607		run_cmd_nsb nettest -6 -r ${a}
2608		log_test_addr ${a} $? 1 "Global server"
2609	done
2610
2611	for a in ${NSA_IP6} ${VRF_IP6}
2612	do
2613		log_start
2614		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
2615		sleep 1
2616		run_cmd_nsb nettest -6 -r ${a}
2617		log_test_addr ${a} $? 0 "VRF server"
2618	done
2619
2620	# link local is always bound to ingress device
2621	a=${NSA_LINKIP6}%${NSB_DEV}
2622	log_start
2623	run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} &
2624	sleep 1
2625	run_cmd_nsb nettest -6 -r ${a}
2626	log_test_addr ${a} $? 0 "VRF server"
2627
2628	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2629	do
2630		log_start
2631		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2632		sleep 1
2633		run_cmd_nsb nettest -6 -r ${a}
2634		log_test_addr ${a} $? 0 "Device server"
2635	done
2636
2637	# verify TCP reset received
2638	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2639	do
2640		log_start
2641		show_hint "Should fail 'Connection refused'"
2642		run_cmd_nsb nettest -6 -r ${a}
2643		log_test_addr ${a} $? 1 "No server"
2644	done
2645
2646	# local address tests
2647	a=${NSA_IP6}
2648	log_start
2649	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
2650	run_cmd nettest -6 -s &
2651	sleep 1
2652	run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2653	log_test_addr ${a} $? 1 "Global server, local connection"
2654
2655	# run MD5 tests
2656	ipv6_tcp_md5
2657
2658	#
2659	# enable VRF global server
2660	#
2661	log_subsection "VRF Global server enabled"
2662	set_sysctl net.ipv4.tcp_l3mdev_accept=1
2663
2664	for a in ${NSA_IP6} ${VRF_IP6}
2665	do
2666		log_start
2667		run_cmd nettest -6 -s -3 ${VRF} &
2668		sleep 1
2669		run_cmd_nsb nettest -6 -r ${a}
2670		log_test_addr ${a} $? 0 "Global server"
2671	done
2672
2673	for a in ${NSA_IP6} ${VRF_IP6}
2674	do
2675		log_start
2676		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
2677		sleep 1
2678		run_cmd_nsb nettest -6 -r ${a}
2679		log_test_addr ${a} $? 0 "VRF server"
2680	done
2681
2682	# For LLA, child socket is bound to device
2683	a=${NSA_LINKIP6}%${NSB_DEV}
2684	log_start
2685	run_cmd nettest -6 -s -3 ${NSA_DEV} &
2686	sleep 1
2687	run_cmd_nsb nettest -6 -r ${a}
2688	log_test_addr ${a} $? 0 "Global server"
2689
2690	log_start
2691	run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} &
2692	sleep 1
2693	run_cmd_nsb nettest -6 -r ${a}
2694	log_test_addr ${a} $? 0 "VRF server"
2695
2696	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2697	do
2698		log_start
2699		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2700		sleep 1
2701		run_cmd_nsb nettest -6 -r ${a}
2702		log_test_addr ${a} $? 0 "Device server"
2703	done
2704
2705	# verify TCP reset received
2706	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2707	do
2708		log_start
2709		show_hint "Should fail 'Connection refused'"
2710		run_cmd_nsb nettest -6 -r ${a}
2711		log_test_addr ${a} $? 1 "No server"
2712	done
2713
2714	# local address tests
2715	for a in ${NSA_IP6} ${VRF_IP6}
2716	do
2717		log_start
2718		show_hint "Fails 'Connection refused' since client is not in VRF"
2719		run_cmd nettest -6 -s -I ${VRF} &
2720		sleep 1
2721		run_cmd nettest -6 -r ${a}
2722		log_test_addr ${a} $? 1 "Global server, local connection"
2723	done
2724
2725
2726	#
2727	# client
2728	#
2729	for a in ${NSB_IP6} ${NSB_LO_IP6}
2730	do
2731		log_start
2732		run_cmd_nsb nettest -6 -s &
2733		sleep 1
2734		run_cmd nettest -6 -r ${a} -d ${VRF}
2735		log_test_addr ${a} $? 0 "Client, VRF bind"
2736	done
2737
2738	a=${NSB_LINKIP6}
2739	log_start
2740	show_hint "Fails since VRF device does not allow linklocal addresses"
2741	run_cmd_nsb nettest -6 -s &
2742	sleep 1
2743	run_cmd nettest -6 -r ${a} -d ${VRF}
2744	log_test_addr ${a} $? 1 "Client, VRF bind"
2745
2746	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}
2747	do
2748		log_start
2749		run_cmd_nsb nettest -6 -s &
2750		sleep 1
2751		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2752		log_test_addr ${a} $? 0 "Client, device bind"
2753	done
2754
2755	for a in ${NSB_IP6} ${NSB_LO_IP6}
2756	do
2757		log_start
2758		show_hint "Should fail 'Connection refused'"
2759		run_cmd nettest -6 -r ${a} -d ${VRF}
2760		log_test_addr ${a} $? 1 "No server, VRF client"
2761	done
2762
2763	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}
2764	do
2765		log_start
2766		show_hint "Should fail 'Connection refused'"
2767		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2768		log_test_addr ${a} $? 1 "No server, device client"
2769	done
2770
2771	for a in ${NSA_IP6} ${VRF_IP6} ::1
2772	do
2773		log_start
2774		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
2775		sleep 1
2776		run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
2777		log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
2778	done
2779
2780	a=${NSA_IP6}
2781	log_start
2782	run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
2783	sleep 1
2784	run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
2785	log_test_addr ${a} $? 0 "VRF server, device client, local connection"
2786
2787	a=${NSA_IP6}
2788	log_start
2789	show_hint "Should fail since unbound client is out of VRF scope"
2790	run_cmd nettest -6 -s -I ${VRF} &
2791	sleep 1
2792	run_cmd nettest -6 -r ${a}
2793	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"
2794
2795	log_start
2796	run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2797	sleep 1
2798	run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
2799	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"
2800
2801	for a in ${NSA_IP6} ${NSA_LINKIP6}
2802	do
2803		log_start
2804		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2805		sleep 1
2806		run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
2807		log_test_addr ${a} $? 0 "Device server, device client, local connection"
2808	done
2809}
2810
2811ipv6_tcp()
2812{
2813	log_section "IPv6/TCP"
2814	log_subsection "No VRF"
2815	setup
2816
2817	# tcp_l3mdev_accept should have no affect without VRF;
2818	# run tests with it enabled and disabled to verify
2819	log_subsection "tcp_l3mdev_accept disabled"
2820	set_sysctl net.ipv4.tcp_l3mdev_accept=0
2821	ipv6_tcp_novrf
2822	log_subsection "tcp_l3mdev_accept enabled"
2823	set_sysctl net.ipv4.tcp_l3mdev_accept=1
2824	ipv6_tcp_novrf
2825
2826	log_subsection "With VRF"
2827	setup "yes"
2828	ipv6_tcp_vrf
2829}
2830
2831################################################################################
2832# IPv6 UDP
2833
2834ipv6_udp_novrf()
2835{
2836	local a
2837
2838	#
2839	# server tests
2840	#
2841	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2842	do
2843		log_start
2844		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
2845		sleep 1
2846		run_cmd_nsb nettest -6 -D -r ${a}
2847		log_test_addr ${a} $? 0 "Global server"
2848
2849		log_start
2850		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
2851		sleep 1
2852		run_cmd_nsb nettest -6 -D -r ${a}
2853		log_test_addr ${a} $? 0 "Device server"
2854	done
2855
2856	a=${NSA_LO_IP6}
2857	log_start
2858	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
2859	sleep 1
2860	run_cmd_nsb nettest -6 -D -r ${a}
2861	log_test_addr ${a} $? 0 "Global server"
2862
2863	# should fail since loopback address is out of scope for a device
2864	# bound server, but it does not - hence this is more documenting
2865	# behavior.
2866	#log_start
2867	#show_hint "Should fail since loopback address is out of scope"
2868	#run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
2869	#sleep 1
2870	#run_cmd_nsb nettest -6 -D -r ${a}
2871	#log_test_addr ${a} $? 1 "Device server"
2872
2873	# negative test - should fail
2874	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2875	do
2876		log_start
2877		show_hint "Should fail 'Connection refused' since there is no server"
2878		run_cmd_nsb nettest -6 -D -r ${a}
2879		log_test_addr ${a} $? 1 "No server"
2880	done
2881
2882	#
2883	# client
2884	#
2885	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2886	do
2887		log_start
2888		run_cmd_nsb nettest -6 -D -s &
2889		sleep 1
2890		run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6}
2891		log_test_addr ${a} $? 0 "Client"
2892
2893		log_start
2894		run_cmd_nsb nettest -6 -D -s &
2895		sleep 1
2896		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6}
2897		log_test_addr ${a} $? 0 "Client, device bind"
2898
2899		log_start
2900		run_cmd_nsb nettest -6 -D -s &
2901		sleep 1
2902		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6}
2903		log_test_addr ${a} $? 0 "Client, device send via cmsg"
2904
2905		log_start
2906		run_cmd_nsb nettest -6 -D -s &
2907		sleep 1
2908		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6}
2909		log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF"
2910
2911		log_start
2912		show_hint "Should fail 'Connection refused'"
2913		run_cmd nettest -6 -D -r ${a}
2914		log_test_addr ${a} $? 1 "No server, unbound client"
2915
2916		log_start
2917		show_hint "Should fail 'Connection refused'"
2918		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
2919		log_test_addr ${a} $? 1 "No server, device client"
2920	done
2921
2922	#
2923	# local address tests
2924	#
2925	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
2926	do
2927		log_start
2928		run_cmd nettest -6 -D -s &
2929		sleep 1
2930		run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a}
2931		log_test_addr ${a} $? 0 "Global server, local connection"
2932	done
2933
2934	a=${NSA_IP6}
2935	log_start
2936	run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
2937	sleep 1
2938	run_cmd nettest -6 -D -r ${a}
2939	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
2940
2941	for a in ${NSA_LO_IP6} ::1
2942	do
2943		log_start
2944		show_hint "Should fail 'Connection refused' since address is out of device scope"
2945		run_cmd nettest -6 -s -D -I ${NSA_DEV} &
2946		sleep 1
2947		run_cmd nettest -6 -D -r ${a}
2948		log_test_addr ${a} $? 1 "Device server, local connection"
2949	done
2950
2951	a=${NSA_IP6}
2952	log_start
2953	run_cmd nettest -6 -s -D &
2954	sleep 1
2955	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
2956	log_test_addr ${a} $? 0 "Global server, device client, local connection"
2957
2958	log_start
2959	run_cmd nettest -6 -s -D &
2960	sleep 1
2961	run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a}
2962	log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"
2963
2964	log_start
2965	run_cmd nettest -6 -s -D &
2966	sleep 1
2967	run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a}
2968	log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection"
2969
2970	for a in ${NSA_LO_IP6} ::1
2971	do
2972		log_start
2973		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
2974		run_cmd nettest -6 -D -s &
2975		sleep 1
2976		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
2977		log_test_addr ${a} $? 1 "Global server, device client, local connection"
2978
2979		log_start
2980		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
2981		run_cmd nettest -6 -D -s &
2982		sleep 1
2983		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C
2984		log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"
2985
2986		log_start
2987		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
2988		run_cmd nettest -6 -D -s &
2989		sleep 1
2990		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S
2991		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
2992	done
2993
2994	a=${NSA_IP6}
2995	log_start
2996	run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2997	sleep 1
2998	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a}
2999	log_test_addr ${a} $? 0 "Device server, device client, local conn"
3000
3001	log_start
3002	show_hint "Should fail 'Connection refused'"
3003	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3004	log_test_addr ${a} $? 1 "No server, device client, local conn"
3005
3006	# LLA to GUA
3007	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
3008	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
3009	log_start
3010	run_cmd nettest -6 -s -D &
3011	sleep 1
3012	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
3013	log_test $? 0 "UDP in - LLA to GUA"
3014
3015	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
3016	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
3017}
3018
3019ipv6_udp_vrf()
3020{
3021	local a
3022
3023	# disable global server
3024	log_subsection "Global server disabled"
3025	set_sysctl net.ipv4.udp_l3mdev_accept=0
3026
3027	#
3028	# server tests
3029	#
3030	for a in ${NSA_IP6} ${VRF_IP6}
3031	do
3032		log_start
3033		show_hint "Should fail 'Connection refused' since global server is disabled"
3034		run_cmd nettest -6 -D -s &
3035		sleep 1
3036		run_cmd_nsb nettest -6 -D -r ${a}
3037		log_test_addr ${a} $? 1 "Global server"
3038	done
3039
3040	for a in ${NSA_IP6} ${VRF_IP6}
3041	do
3042		log_start
3043		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3044		sleep 1
3045		run_cmd_nsb nettest -6 -D -r ${a}
3046		log_test_addr ${a} $? 0 "VRF server"
3047	done
3048
3049	for a in ${NSA_IP6} ${VRF_IP6}
3050	do
3051		log_start
3052		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3053		sleep 1
3054		run_cmd_nsb nettest -6 -D -r ${a}
3055		log_test_addr ${a} $? 0 "Enslaved device server"
3056	done
3057
3058	# negative test - should fail
3059	for a in ${NSA_IP6} ${VRF_IP6}
3060	do
3061		log_start
3062		show_hint "Should fail 'Connection refused' since there is no server"
3063		run_cmd_nsb nettest -6 -D -r ${a}
3064		log_test_addr ${a} $? 1 "No server"
3065	done
3066
3067	#
3068	# local address tests
3069	#
3070	for a in ${NSA_IP6} ${VRF_IP6}
3071	do
3072		log_start
3073		show_hint "Should fail 'Connection refused' since global server is disabled"
3074		run_cmd nettest -6 -D -s &
3075		sleep 1
3076		run_cmd nettest -6 -D -d ${VRF} -r ${a}
3077		log_test_addr ${a} $? 1 "Global server, VRF client, local conn"
3078	done
3079
3080	for a in ${NSA_IP6} ${VRF_IP6}
3081	do
3082		log_start
3083		run_cmd nettest -6 -D -I ${VRF} -s &
3084		sleep 1
3085		run_cmd nettest -6 -D -d ${VRF} -r ${a}
3086		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3087	done
3088
3089	a=${NSA_IP6}
3090	log_start
3091	show_hint "Should fail 'Connection refused' since global server is disabled"
3092	run_cmd nettest -6 -D -s &
3093	sleep 1
3094	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3095	log_test_addr ${a} $? 1 "Global server, device client, local conn"
3096
3097	log_start
3098	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3099	sleep 1
3100	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3101	log_test_addr ${a} $? 0 "VRF server, device client, local conn"
3102
3103	log_start
3104	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3105	sleep 1
3106	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3107	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
3108
3109	log_start
3110	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3111	sleep 1
3112	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3113	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
3114
3115	# disable global server
3116	log_subsection "Global server enabled"
3117	set_sysctl net.ipv4.udp_l3mdev_accept=1
3118
3119	#
3120	# server tests
3121	#
3122	for a in ${NSA_IP6} ${VRF_IP6}
3123	do
3124		log_start
3125		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3126		sleep 1
3127		run_cmd_nsb nettest -6 -D -r ${a}
3128		log_test_addr ${a} $? 0 "Global server"
3129	done
3130
3131	for a in ${NSA_IP6} ${VRF_IP6}
3132	do
3133		log_start
3134		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3135		sleep 1
3136		run_cmd_nsb nettest -6 -D -r ${a}
3137		log_test_addr ${a} $? 0 "VRF server"
3138	done
3139
3140	for a in ${NSA_IP6} ${VRF_IP6}
3141	do
3142		log_start
3143		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3144		sleep 1
3145		run_cmd_nsb nettest -6 -D -r ${a}
3146		log_test_addr ${a} $? 0 "Enslaved device server"
3147	done
3148
3149	# negative test - should fail
3150	for a in ${NSA_IP6} ${VRF_IP6}
3151	do
3152		log_start
3153		run_cmd_nsb nettest -6 -D -r ${a}
3154		log_test_addr ${a} $? 1 "No server"
3155	done
3156
3157	#
3158	# client tests
3159	#
3160	log_start
3161	run_cmd_nsb nettest -6 -D -s &
3162	sleep 1
3163	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
3164	log_test $? 0 "VRF client"
3165
3166	# negative test - should fail
3167	log_start
3168	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
3169	log_test $? 1 "No server, VRF client"
3170
3171	log_start
3172	run_cmd_nsb nettest -6 -D -s &
3173	sleep 1
3174	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
3175	log_test $? 0 "Enslaved device client"
3176
3177	# negative test - should fail
3178	log_start
3179	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
3180	log_test $? 1 "No server, enslaved device client"
3181
3182	#
3183	# local address tests
3184	#
3185	a=${NSA_IP6}
3186	log_start
3187	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3188	sleep 1
3189	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3190	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
3191
3192	#log_start
3193	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3194	sleep 1
3195	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3196	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3197
3198
3199	a=${VRF_IP6}
3200	log_start
3201	run_cmd nettest -6 -D -s -3 ${VRF} &
3202	sleep 1
3203	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3204	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
3205
3206	log_start
3207	run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} &
3208	sleep 1
3209	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3210	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3211
3212	# negative test - should fail
3213	for a in ${NSA_IP6} ${VRF_IP6}
3214	do
3215		log_start
3216		run_cmd nettest -6 -D -d ${VRF} -r ${a}
3217		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
3218	done
3219
3220	# device to global IP
3221	a=${NSA_IP6}
3222	log_start
3223	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3224	sleep 1
3225	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3226	log_test_addr ${a} $? 0 "Global server, device client, local conn"
3227
3228	log_start
3229	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3230	sleep 1
3231	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3232	log_test_addr ${a} $? 0 "VRF server, device client, local conn"
3233
3234	log_start
3235	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3236	sleep 1
3237	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3238	log_test_addr ${a} $? 0 "Device server, VRF client, local conn"
3239
3240	log_start
3241	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3242	sleep 1
3243	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3244	log_test_addr ${a} $? 0 "Device server, device client, local conn"
3245
3246	log_start
3247	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3248	log_test_addr ${a} $? 1 "No server, device client, local conn"
3249
3250
3251	# link local addresses
3252	log_start
3253	run_cmd nettest -6 -D -s &
3254	sleep 1
3255	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
3256	log_test $? 0 "Global server, linklocal IP"
3257
3258	log_start
3259	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
3260	log_test $? 1 "No server, linklocal IP"
3261
3262
3263	log_start
3264	run_cmd_nsb nettest -6 -D -s &
3265	sleep 1
3266	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
3267	log_test $? 0 "Enslaved device client, linklocal IP"
3268
3269	log_start
3270	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
3271	log_test $? 1 "No server, device client, peer linklocal IP"
3272
3273
3274	log_start
3275	run_cmd nettest -6 -D -s &
3276	sleep 1
3277	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
3278	log_test $? 0 "Enslaved device client, local conn - linklocal IP"
3279
3280	log_start
3281	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
3282	log_test $? 1 "No server, device client, local conn  - linklocal IP"
3283
3284	# LLA to GUA
3285	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
3286	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
3287	log_start
3288	run_cmd nettest -6 -s -D &
3289	sleep 1
3290	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
3291	log_test $? 0 "UDP in - LLA to GUA"
3292
3293	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
3294	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
3295}
3296
3297ipv6_udp()
3298{
3299        # should not matter, but set to known state
3300        set_sysctl net.ipv4.udp_early_demux=1
3301
3302        log_section "IPv6/UDP"
3303        log_subsection "No VRF"
3304        setup
3305
3306        # udp_l3mdev_accept should have no affect without VRF;
3307        # run tests with it enabled and disabled to verify
3308        log_subsection "udp_l3mdev_accept disabled"
3309        set_sysctl net.ipv4.udp_l3mdev_accept=0
3310        ipv6_udp_novrf
3311        log_subsection "udp_l3mdev_accept enabled"
3312        set_sysctl net.ipv4.udp_l3mdev_accept=1
3313        ipv6_udp_novrf
3314
3315        log_subsection "With VRF"
3316        setup "yes"
3317        ipv6_udp_vrf
3318}
3319
3320################################################################################
3321# IPv6 address bind
3322
3323ipv6_addr_bind_novrf()
3324{
3325	#
3326	# raw socket
3327	#
3328	for a in ${NSA_IP6} ${NSA_LO_IP6}
3329	do
3330		log_start
3331		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
3332		log_test_addr ${a} $? 0 "Raw socket bind to local address"
3333
3334		log_start
3335		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
3336		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
3337	done
3338
3339	#
3340	# tcp sockets
3341	#
3342	a=${NSA_IP6}
3343	log_start
3344	run_cmd nettest -6 -s -l ${a} -t1 -b
3345	log_test_addr ${a} $? 0 "TCP socket bind to local address"
3346
3347	log_start
3348	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3349	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
3350
3351	a=${NSA_LO_IP6}
3352	log_start
3353	show_hint "Should fail with 'Cannot assign requested address'"
3354	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3355	log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
3356}
3357
3358ipv6_addr_bind_vrf()
3359{
3360	#
3361	# raw socket
3362	#
3363	for a in ${NSA_IP6} ${VRF_IP6}
3364	do
3365		log_start
3366		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
3367		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"
3368
3369		log_start
3370		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
3371		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
3372	done
3373
3374	a=${NSA_LO_IP6}
3375	log_start
3376	show_hint "Address on loopback is out of VRF scope"
3377	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
3378	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"
3379
3380	#
3381	# tcp sockets
3382	#
3383	# address on enslaved device is valid for the VRF or device in a VRF
3384	for a in ${NSA_IP6} ${VRF_IP6}
3385	do
3386		log_start
3387		run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
3388		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
3389	done
3390
3391	a=${NSA_IP6}
3392	log_start
3393	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3394	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"
3395
3396	a=${VRF_IP6}
3397	log_start
3398	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3399	log_test_addr ${a} $? 1 "TCP socket bind to VRF address with device bind"
3400
3401	a=${NSA_LO_IP6}
3402	log_start
3403	show_hint "Address on loopback out of scope for VRF"
3404	run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
3405	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"
3406
3407	log_start
3408	show_hint "Address on loopback out of scope for device in VRF"
3409	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3410	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
3411
3412}
3413
3414ipv6_addr_bind()
3415{
3416	log_section "IPv6 address binds"
3417
3418	log_subsection "No VRF"
3419	setup
3420	ipv6_addr_bind_novrf
3421
3422	log_subsection "With VRF"
3423	setup "yes"
3424	ipv6_addr_bind_vrf
3425}
3426
3427################################################################################
3428# IPv6 runtime tests
3429
3430ipv6_rt()
3431{
3432	local desc="$1"
3433	local varg="-6 $2"
3434	local with_vrf="yes"
3435	local a
3436
3437	#
3438	# server tests
3439	#
3440	for a in ${NSA_IP6} ${VRF_IP6}
3441	do
3442		log_start
3443		run_cmd nettest ${varg} -s &
3444		sleep 1
3445		run_cmd_nsb nettest ${varg} -r ${a} &
3446		sleep 3
3447		run_cmd ip link del ${VRF}
3448		sleep 1
3449		log_test_addr ${a} 0 0 "${desc}, global server"
3450
3451		setup ${with_vrf}
3452	done
3453
3454	for a in ${NSA_IP6} ${VRF_IP6}
3455	do
3456		log_start
3457		run_cmd nettest ${varg} -I ${VRF} -s &
3458		sleep 1
3459		run_cmd_nsb nettest ${varg} -r ${a} &
3460		sleep 3
3461		run_cmd ip link del ${VRF}
3462		sleep 1
3463		log_test_addr ${a} 0 0 "${desc}, VRF server"
3464
3465		setup ${with_vrf}
3466	done
3467
3468	for a in ${NSA_IP6} ${VRF_IP6}
3469	do
3470		log_start
3471		run_cmd nettest ${varg} -I ${NSA_DEV} -s &
3472		sleep 1
3473		run_cmd_nsb nettest ${varg} -r ${a} &
3474		sleep 3
3475		run_cmd ip link del ${VRF}
3476		sleep 1
3477		log_test_addr ${a} 0 0 "${desc}, enslaved device server"
3478
3479		setup ${with_vrf}
3480	done
3481
3482	#
3483	# client test
3484	#
3485	log_start
3486	run_cmd_nsb nettest ${varg} -s &
3487	sleep 1
3488	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
3489	sleep 3
3490	run_cmd ip link del ${VRF}
3491	sleep 1
3492	log_test  0 0 "${desc}, VRF client"
3493
3494	setup ${with_vrf}
3495
3496	log_start
3497	run_cmd_nsb nettest ${varg} -s &
3498	sleep 1
3499	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
3500	sleep 3
3501	run_cmd ip link del ${VRF}
3502	sleep 1
3503	log_test  0 0 "${desc}, enslaved device client"
3504
3505	setup ${with_vrf}
3506
3507
3508	#
3509	# local address tests
3510	#
3511	for a in ${NSA_IP6} ${VRF_IP6}
3512	do
3513		log_start
3514		run_cmd nettest ${varg} -s &
3515		sleep 1
3516		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
3517		sleep 3
3518		run_cmd ip link del ${VRF}
3519		sleep 1
3520		log_test_addr ${a} 0 0 "${desc}, global server, VRF client"
3521
3522		setup ${with_vrf}
3523	done
3524
3525	for a in ${NSA_IP6} ${VRF_IP6}
3526	do
3527		log_start
3528		run_cmd nettest ${varg} -I ${VRF} -s &
3529		sleep 1
3530		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
3531		sleep 3
3532		run_cmd ip link del ${VRF}
3533		sleep 1
3534		log_test_addr ${a} 0 0 "${desc}, VRF server and client"
3535
3536		setup ${with_vrf}
3537	done
3538
3539	a=${NSA_IP6}
3540	log_start
3541	run_cmd nettest ${varg} -s &
3542	sleep 1
3543	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3544	sleep 3
3545	run_cmd ip link del ${VRF}
3546	sleep 1
3547	log_test_addr ${a} 0 0 "${desc}, global server, device client"
3548
3549	setup ${with_vrf}
3550
3551	log_start
3552	run_cmd nettest ${varg} -I ${VRF} -s &
3553	sleep 1
3554	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3555	sleep 3
3556	run_cmd ip link del ${VRF}
3557	sleep 1
3558	log_test_addr ${a} 0 0 "${desc}, VRF server, device client"
3559
3560	setup ${with_vrf}
3561
3562	log_start
3563	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
3564	sleep 1
3565	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3566	sleep 3
3567	run_cmd ip link del ${VRF}
3568	sleep 1
3569	log_test_addr ${a} 0 0 "${desc}, device server, device client"
3570}
3571
3572ipv6_ping_rt()
3573{
3574	local with_vrf="yes"
3575	local a
3576
3577	a=${NSA_IP6}
3578	log_start
3579	run_cmd_nsb ${ping6} -f ${a} &
3580	sleep 3
3581	run_cmd ip link del ${VRF}
3582	sleep 1
3583	log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"
3584
3585	setup ${with_vrf}
3586
3587	log_start
3588	run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
3589	sleep 1
3590	run_cmd ip link del ${VRF}
3591	sleep 1
3592	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
3593}
3594
3595ipv6_runtime()
3596{
3597	log_section "Run time tests - ipv6"
3598
3599	setup "yes"
3600	ipv6_ping_rt
3601
3602	setup "yes"
3603	ipv6_rt "TCP active socket"  "-n -1"
3604
3605	setup "yes"
3606	ipv6_rt "TCP passive socket" "-i"
3607
3608	setup "yes"
3609	ipv6_rt "UDP active socket"  "-D -n -1"
3610}
3611
3612################################################################################
3613# netfilter blocking connections
3614
3615netfilter_tcp_reset()
3616{
3617	local a
3618
3619	for a in ${NSA_IP} ${VRF_IP}
3620	do
3621		log_start
3622		run_cmd nettest -s &
3623		sleep 1
3624		run_cmd_nsb nettest -r ${a}
3625		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
3626	done
3627}
3628
3629netfilter_icmp()
3630{
3631	local stype="$1"
3632	local arg
3633	local a
3634
3635	[ "${stype}" = "UDP" ] && arg="-D"
3636
3637	for a in ${NSA_IP} ${VRF_IP}
3638	do
3639		log_start
3640		run_cmd nettest ${arg} -s &
3641		sleep 1
3642		run_cmd_nsb nettest ${arg} -r ${a}
3643		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
3644	done
3645}
3646
3647ipv4_netfilter()
3648{
3649	log_section "IPv4 Netfilter"
3650	log_subsection "TCP reset"
3651
3652	setup "yes"
3653	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset
3654
3655	netfilter_tcp_reset
3656
3657	log_start
3658	log_subsection "ICMP unreachable"
3659
3660	log_start
3661	run_cmd iptables -F
3662	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
3663	run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
3664
3665	netfilter_icmp "TCP"
3666	netfilter_icmp "UDP"
3667
3668	log_start
3669	iptables -F
3670}
3671
3672netfilter_tcp6_reset()
3673{
3674	local a
3675
3676	for a in ${NSA_IP6} ${VRF_IP6}
3677	do
3678		log_start
3679		run_cmd nettest -6 -s &
3680		sleep 1
3681		run_cmd_nsb nettest -6 -r ${a}
3682		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
3683	done
3684}
3685
3686netfilter_icmp6()
3687{
3688	local stype="$1"
3689	local arg
3690	local a
3691
3692	[ "${stype}" = "UDP" ] && arg="$arg -D"
3693
3694	for a in ${NSA_IP6} ${VRF_IP6}
3695	do
3696		log_start
3697		run_cmd nettest -6 -s ${arg} &
3698		sleep 1
3699		run_cmd_nsb nettest -6 ${arg} -r ${a}
3700		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
3701	done
3702}
3703
3704ipv6_netfilter()
3705{
3706	log_section "IPv6 Netfilter"
3707	log_subsection "TCP reset"
3708
3709	setup "yes"
3710	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset
3711
3712	netfilter_tcp6_reset
3713
3714	log_subsection "ICMP unreachable"
3715
3716	log_start
3717	run_cmd ip6tables -F
3718	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
3719	run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
3720
3721	netfilter_icmp6 "TCP"
3722	netfilter_icmp6 "UDP"
3723
3724	log_start
3725	ip6tables -F
3726}
3727
3728################################################################################
3729# specific use cases
3730
3731# VRF only.
3732# ns-A device enslaved to bridge. Verify traffic with and without
3733# br_netfilter module loaded. Repeat with SVI on bridge.
3734use_case_br()
3735{
3736	setup "yes"
3737
3738	setup_cmd ip link set ${NSA_DEV} down
3739	setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
3740	setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64
3741
3742	setup_cmd ip link add br0 type bridge
3743	setup_cmd ip addr add dev br0 ${NSA_IP}/24
3744	setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad
3745
3746	setup_cmd ip li set ${NSA_DEV} master br0
3747	setup_cmd ip li set ${NSA_DEV} up
3748	setup_cmd ip li set br0 up
3749	setup_cmd ip li set br0 vrf ${VRF}
3750
3751	rmmod br_netfilter 2>/dev/null
3752	sleep 5 # DAD
3753
3754	run_cmd ip neigh flush all
3755	run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
3756	log_test $? 0 "Bridge into VRF - IPv4 ping out"
3757
3758	run_cmd ip neigh flush all
3759	run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
3760	log_test $? 0 "Bridge into VRF - IPv6 ping out"
3761
3762	run_cmd ip neigh flush all
3763	run_cmd_nsb ping -c1 -w1 ${NSA_IP}
3764	log_test $? 0 "Bridge into VRF - IPv4 ping in"
3765
3766	run_cmd ip neigh flush all
3767	run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
3768	log_test $? 0 "Bridge into VRF - IPv6 ping in"
3769
3770	modprobe br_netfilter
3771	if [ $? -eq 0 ]; then
3772		run_cmd ip neigh flush all
3773		run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
3774		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out"
3775
3776		run_cmd ip neigh flush all
3777		run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
3778		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out"
3779
3780		run_cmd ip neigh flush all
3781		run_cmd_nsb ping -c1 -w1 ${NSA_IP}
3782		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in"
3783
3784		run_cmd ip neigh flush all
3785		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
3786		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in"
3787	fi
3788
3789	setup_cmd ip li set br0 nomaster
3790	setup_cmd ip li add br0.100 link br0 type vlan id 100
3791	setup_cmd ip li set br0.100 vrf ${VRF} up
3792	setup_cmd ip    addr add dev br0.100 172.16.101.1/24
3793	setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad
3794
3795	setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
3796	setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
3797	setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
3798	setup_cmd_nsb ip li set vlan100 up
3799	sleep 1
3800
3801	rmmod br_netfilter 2>/dev/null
3802
3803	run_cmd ip neigh flush all
3804	run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
3805	log_test $? 0 "Bridge vlan into VRF - IPv4 ping out"
3806
3807	run_cmd ip neigh flush all
3808	run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
3809	log_test $? 0 "Bridge vlan into VRF - IPv6 ping out"
3810
3811	run_cmd ip neigh flush all
3812	run_cmd_nsb ping -c1 -w1 172.16.101.1
3813	log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"
3814
3815	run_cmd ip neigh flush all
3816	run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
3817	log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"
3818
3819	modprobe br_netfilter
3820	if [ $? -eq 0 ]; then
3821		run_cmd ip neigh flush all
3822		run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
3823		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out"
3824
3825		run_cmd ip neigh flush all
3826		run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
3827		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out"
3828
3829		run_cmd ip neigh flush all
3830		run_cmd_nsb ping -c1 -w1 172.16.101.1
3831		log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"
3832
3833		run_cmd ip neigh flush all
3834		run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
3835		log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"
3836	fi
3837
3838	setup_cmd ip li del br0 2>/dev/null
3839	setup_cmd_nsb ip li del vlan100 2>/dev/null
3840}
3841
3842# VRF only.
3843# ns-A device is connected to both ns-B and ns-C on a single VRF but only has
3844# LLA on the interfaces
3845use_case_ping_lla_multi()
3846{
3847	setup_lla_only
3848	# only want reply from ns-A
3849	setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
3850	setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
3851
3852	log_start
3853	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
3854	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B"
3855
3856	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
3857	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C"
3858
3859	# cycle/flap the first ns-A interface
3860	setup_cmd ip link set ${NSA_DEV} down
3861	setup_cmd ip link set ${NSA_DEV} up
3862	sleep 1
3863
3864	log_start
3865	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
3866	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B"
3867	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
3868	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C"
3869
3870	# cycle/flap the second ns-A interface
3871	setup_cmd ip link set ${NSA_DEV2} down
3872	setup_cmd ip link set ${NSA_DEV2} up
3873	sleep 1
3874
3875	log_start
3876	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
3877	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B"
3878	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
3879	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C"
3880}
3881
3882use_cases()
3883{
3884	log_section "Use cases"
3885	log_subsection "Device enslaved to bridge"
3886	use_case_br
3887	log_subsection "Ping LLA with multiple interfaces"
3888	use_case_ping_lla_multi
3889}
3890
3891################################################################################
3892# usage
3893
3894usage()
3895{
3896	cat <<EOF
3897usage: ${0##*/} OPTS
3898
3899	-4          IPv4 tests only
3900	-6          IPv6 tests only
3901	-t <test>   Test name/set to run
3902	-p          Pause on fail
3903	-P          Pause after each test
3904	-v          Be verbose
3905EOF
3906}
3907
3908################################################################################
3909# main
3910
3911TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_addr_bind ipv4_runtime ipv4_netfilter"
3912TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_addr_bind ipv6_runtime ipv6_netfilter"
3913TESTS_OTHER="use_cases"
3914
3915PAUSE_ON_FAIL=no
3916PAUSE=no
3917
3918while getopts :46t:pPvh o
3919do
3920	case $o in
3921		4) TESTS=ipv4;;
3922		6) TESTS=ipv6;;
3923		t) TESTS=$OPTARG;;
3924		p) PAUSE_ON_FAIL=yes;;
3925		P) PAUSE=yes;;
3926		v) VERBOSE=1;;
3927		h) usage; exit 0;;
3928		*) usage; exit 1;;
3929	esac
3930done
3931
3932# make sure we don't pause twice
3933[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no
3934
3935#
3936# show user test config
3937#
3938if [ -z "$TESTS" ]; then
3939	TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
3940elif [ "$TESTS" = "ipv4" ]; then
3941	TESTS="$TESTS_IPV4"
3942elif [ "$TESTS" = "ipv6" ]; then
3943	TESTS="$TESTS_IPV6"
3944fi
3945
3946which nettest >/dev/null
3947if [ $? -ne 0 ]; then
3948	echo "'nettest' command not found; skipping tests"
3949	exit 0
3950fi
3951
3952declare -i nfail=0
3953declare -i nsuccess=0
3954
3955for t in $TESTS
3956do
3957	case $t in
3958	ipv4_ping|ping)  ipv4_ping;;
3959	ipv4_tcp|tcp)    ipv4_tcp;;
3960	ipv4_udp|udp)    ipv4_udp;;
3961	ipv4_bind|bind)  ipv4_addr_bind;;
3962	ipv4_runtime)    ipv4_runtime;;
3963	ipv4_netfilter)  ipv4_netfilter;;
3964
3965	ipv6_ping|ping6) ipv6_ping;;
3966	ipv6_tcp|tcp6)   ipv6_tcp;;
3967	ipv6_udp|udp6)   ipv6_udp;;
3968	ipv6_bind|bind6) ipv6_addr_bind;;
3969	ipv6_runtime)    ipv6_runtime;;
3970	ipv6_netfilter)  ipv6_netfilter;;
3971
3972	use_cases)       use_cases;;
3973
3974	# setup namespaces and config, but do not run any tests
3975	setup)		 setup; exit 0;;
3976	vrf_setup)	 setup "yes"; exit 0;;
3977
3978	help)            echo "Test names: $TESTS"; exit 0;;
3979	esac
3980done
3981
3982cleanup 2>/dev/null
3983
3984printf "\nTests passed: %3d\n" ${nsuccess}
3985printf "Tests failed: %3d\n"   ${nfail}
3986