xref: /linux/tools/testing/selftests/net/fcnal-test.sh (revision 07fdad3a93756b872da7b53647715c48d0f4a2d0)
1#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0
3#
4# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
5#
6# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
7# for various permutations:
8#   1. icmp, tcp, udp and netfilter
9#   2. client, server, no-server
10#   3. global address on interface
11#   4. global address on 'lo'
12#   5. remote and local traffic
13#   6. VRF and non-VRF permutations
14#
15# Setup:
16#                     ns-A     |     ns-B
17# No VRF case:
18#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
19#                                                remote address
20# VRF case:
21#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
22#
23# ns-A:
24#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
25#       lo: 127.0.0.1/8, ::1/128
26#           172.16.2.1/32, 2001:db8:2::1/128
27#      red: 127.0.0.1/8, ::1/128
28#           172.16.3.1/32, 2001:db8:3::1/128
29#
30# ns-B:
31#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
32#      lo2: 127.0.0.1/8, ::1/128
33#           172.16.2.2/32, 2001:db8:2::2/128
34#
35# ns-A to ns-C connection - only for VRF and same config
36# as ns-A to ns-B
37#
38# server / client nomenclature relative to ns-A
39
40source lib.sh
41
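# Resolve helper binaries from the current directory and the in-tree
# selftest directory before the system PATH.
# NOTE(review): the $PWD-derived entries win over system binaries, and the
# helpers below call ip, sysctl, ping, killall and nettest by bare name, so
# run this suite only from a working directory whose contents are trusted.
PATH=$PWD:$PWD/tools/testing/selftests/net:$PATH

VERBOSE=0

NSA_DEV=eth1
NSA_DEV2=eth2
NSB_DEV=eth1
NSC_DEV=eth2
VRF=red
VRF_TABLE=1101

# IPv4 config
NSA_IP=172.16.1.1
NSB_IP=172.16.1.2
VRF_IP=172.16.3.1
NS_NET=172.16.1.0/24

# IPv6 config
NSA_IP6=2001:db8:1::1
NSB_IP6=2001:db8:1::2
VRF_IP6=2001:db8:3::1
NS_NET6=2001:db8:1::/120

NSA_LO_IP=172.16.2.1
NSB_LO_IP=172.16.2.2
NSA_LO_IP6=2001:db8:2::1
NSB_LO_IP6=2001:db8:2::2

# non-local addresses for freebind tests
NL_IP=172.17.1.1
NL_IP6=2001:db8:4::1

# multicast and broadcast addresses
MCAST_IP=224.0.0.1
BCAST_IP=255.255.255.255

# TCP MD5 test keys. They are fixed fixtures handed to nettest on its command
# line by the MD5 tests, so treat them as public test values, never as secrets.
MD5_PW=abc123
MD5_WRONG_PW=abc1234

MCAST=ff02::1
# set after namespace create
NSA_LINKIP6=
NSB_LINKIP6=

# Prefer a dedicated ping6 binary and fall back to ping. 'command -v' is a
# shell builtin, so the lookup does not depend on which(1) being installed.
if command -v ping6 > /dev/null 2>&1; then
	ping6=$(command -v ping6)
else
	ping6=$(command -v ping)
fi

# Check if FIPS mode is enabled
if [ -f /proc/sys/crypto/fips_enabled ]; then
	fips_enabled=$(cat /proc/sys/crypto/fips_enabled)
else
	fips_enabled=0
fi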
94
95################################################################################
96# utilities
97
# Record one test result and print a fixed-width TEST line.
# Arguments: $1 - actual return code
#            $2 - expected return code
#            $3 - test description
# Globals:   nsuccess / nfail are incremented; VERBOSE, PAUSE_ON_FAIL and
#            PAUSE are read.
# When a pause is requested the function reads one line from stdin and exits
# the script with status 1 if that line is 'q'. It always finishes by calling
# kill_procs so no helper process survives into the next case.
log_test()
{
	local rc=$1 expected=$2
	local msg="$3"
	local ans

	if [ "${VERBOSE}" = "1" ]; then
		echo
	fi

	# A failed or malformed comparison counts as a failure.
	if ! [ ${rc} -eq ${expected} ]; then
		nfail=$((nfail + 1))
		printf "TEST: %-70s  [FAIL]\n" "${msg}"
		echo "    expected rc $expected; actual rc $rc"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue, 'q' to quit"
			read ans
			if [ "$ans" = "q" ]; then
				exit 1
			fi
		fi
	else
		nsuccess=$((nsuccess + 1))
		printf "TEST: %-70s  [ OK ]\n" "${msg}"
	fi

	if [ "${PAUSE}" = "yes" ]; then
		echo
		echo "hit enter to continue, 'q' to quit"
		read ans
		if [ "$ans" = "q" ]; then
			exit 1
		fi
	fi

	kill_procs
}
131
# Log a result like log_test, appending a readable label for the address.
# Arguments: $1 - address under test (translated by addr2str)
#            $2 - actual return code
#            $3 - expected return code
#            $4 - test description
log_test_addr()
{
	local addr=$1 rc=$2 expected=$3
	local msg="$4"

	log_test $rc $expected "$msg - $(addr2str ${addr})"
}
143
# Print a section banner: blank line, rule, the arguments joined by spaces,
# rule, blank line.
log_section()
{
	local rule="###########################################################################"

	printf '\n%s\n' "${rule}"
	echo "$*"
	printf '%s\n\n' "${rule}"
}
152
# Print a subsection banner: blank line, rule, the arguments joined by
# spaces, blank line.
log_subsection()
{
	printf '\n%s\n' "#################################################################"
	echo "$*"
	echo
}
160
# Begin a test case: stop leftover helper processes, then print a separator
# when VERBOSE is 1.
log_start()
{
	# make sure we have no test instances running
	kill_procs

	[ "${VERBOSE}" = "1" ] || return 0

	echo
	echo "#######################################################"
}
171
# Print the arguments framed by blank lines, only when VERBOSE is 1.
log_debug()
{
	[ "${VERBOSE}" = "1" ] || return 0

	echo
	echo "$*"
	echo
}
180
# Print a "HINT:" line explaining an expected failure, only when VERBOSE is 1.
show_hint()
{
	[ "${VERBOSE}" = "1" ] || return 0

	echo "HINT: $*"
	echo
}
188
# Stop nettest/ping/ping6 processes left over from an earlier case, then let
# slowwait poll until pgrep no longer reports any of them.
# NOTE(review): killall and pgrep select by process name only; nothing in
# these two commands limits them to the test namespaces, so unrelated ping or
# nettest processes visible to this shell are presumably signalled as well.
# The '2' handed to slowwait looks like a timeout - confirm in lib.sh.
kill_procs()
{
	local idle_check="test -z \"\$(pgrep '^(nettest|ping|ping6)\$')\""

	killall nettest ping ping6 &>/dev/null
	slowwait 2 sh -c "${idle_check}"
}
194
# Set net.ipv4.ping_group_range to '0 2147483647' through NSA_CMD, echoing the
# command first when VERBOSE is 1.
# The value holds a space, so the command is issued directly here instead of
# going through the word-splitting run_cmd helper.
# NOTE(review): this range admits every group id to unprivileged ICMP
# sockets wherever NSA_CMD executes; keep it confined to the test namespace.
set_ping_group()
{
	[ "$VERBOSE" = "1" ] &&
		echo "COMMAND: ${NSA_CMD} sysctl -q -w net.ipv4.ping_group_range='0 2147483647'"

	${NSA_CMD} sysctl -q -w net.ipv4.ping_group_range='0 2147483647'
}
203
# Run a command, capturing stdout and stderr together.
# Arguments: the command and its arguments; they are joined into one string
#            and re-split by the shell, so an argument containing whitespace
#            or glob characters is NOT preserved as a single word.
# Globals:   VERBOSE (read); rc (written - it is not declared local here, so
#            it lands in the caller's 'rc' if the caller declared one, else
#            in the global).
# Outputs:   with VERBOSE=1, the command line and any captured output.
# Returns:   the exit status of the command.
do_run_cmd()
{
	local cmd="$*"
	local out

	[ "$VERBOSE" = "1" ] && echo "COMMAND: ${cmd}"

	out=$($cmd 2>&1)
	rc=$?
	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		echo "$out"
	fi

	return $rc
}
221
# Run a command through do_run_cmd, prefixed with NSA_CMD (set in setup to
# "ip netns exec <ns-A>"). Arguments are word-split again on the way through.
# Returns: the status reported by do_run_cmd.
run_cmd()
{
	do_run_cmd ${NSA_CMD} $*
	return $?
}
226
# Run a command through do_run_cmd, prefixed with NSB_CMD (set in setup to
# "ip netns exec <ns-B>"). Arguments are word-split again on the way through.
# Returns: the status reported by do_run_cmd.
run_cmd_nsb()
{
	do_run_cmd ${NSB_CMD} $*
	return $?
}
231
# Run a command through do_run_cmd, prefixed with NSC_CMD (set to
# "ip netns exec <ns-C>" by the setup helpers that create ns-C).
# Arguments are word-split again on the way through.
# Returns: the status reported by do_run_cmd.
run_cmd_nsc()
{
	do_run_cmd ${NSC_CMD} $*
	return $?
}
236
# Run a setup command in ns-A (via run_cmd) and abort the whole script if it
# fails, exiting with the command's status.
# The local is deliberately named 'rc': do_run_cmd assigns 'rc' without
# declaring it, and this declaration keeps that write inside this function.
setup_cmd()
{
	local cmd="$*"
	local rc

	run_cmd ${cmd}
	rc=$?
	[ $rc -eq 0 ] && return 0

	# show user the command if not done so already
	[ "$VERBOSE" = "0" ] && echo "setup command: $cmd"
	echo "failed. stopping tests"
	if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
		echo
		echo "hit enter to continue"
		read a
	fi
	exit $rc
}
258
# Run a setup command in ns-B (via run_cmd_nsb) and abort the whole script if
# it fails, exiting with the command's status.
# The local is deliberately named 'rc': do_run_cmd assigns 'rc' without
# declaring it, and this declaration keeps that write inside this function.
setup_cmd_nsb()
{
	local cmd="$*"
	local rc

	run_cmd_nsb ${cmd}
	rc=$?
	[ $rc -eq 0 ] && return 0

	# show user the command if not done so already
	[ "$VERBOSE" = "0" ] && echo "setup command: $cmd"
	echo "failed. stopping tests"
	if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
		echo
		echo "hit enter to continue"
		read a
	fi
	exit $rc
}
280
# Run a setup command in ns-C (via run_cmd_nsc) and abort the whole script if
# it fails, exiting with the command's status.
# The local is deliberately named 'rc': do_run_cmd assigns 'rc' without
# declaring it, and this declaration keeps that write inside this function.
setup_cmd_nsc()
{
	local cmd="$*"
	local rc

	run_cmd_nsc ${cmd}
	rc=$?
	[ $rc -eq 0 ] && return 0

	# show user the command if not done so already
	[ "$VERBOSE" = "0" ] && echo "setup command: $cmd"
	echo "failed. stopping tests"
	if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
		echo
		echo "hit enter to continue"
		read a
	fi
	exit $rc
}
302
# Set sysctl values in ns-A.
# Arguments: one or more key=value settings, passed unquoted to
#            'sysctl -q -w' via run_cmd (so a value with spaces is split).
# Outputs:   a "SYSCTL:" line and a blank line on stdout, always.
# Returns:   the status of run_cmd.
set_sysctl()
{
	printf '%s\n\n' "SYSCTL: $*"
	run_cmd sysctl -q -w $*
}
310
# Get sysctl values in ns-A.
# Arguments: one or more sysctl keys, passed unquoted to 'sysctl -n'.
# Outputs:   whatever the command prefixed with NSA_CMD prints.
# Returns:   the status of that command.
get_sysctl()
{
	${NSA_CMD} sysctl -n $*
	return $?
}
316
317################################################################################
318# Setup for tests
319
# Translate a test address into the label used in test descriptions.
# Arguments: $1 - address, optionally carrying a %<device> scope suffix for
#            the link-local and IPv6 multicast patterns.
# Outputs:   the label on stdout; "unknown" when nothing matches.
# The patterns come from unquoted variables and the first match wins, so the
# order of the arms below is significant.
addr2str()
{
	local label

	case "$1" in
	127.0.0.1) label="loopback";;
	::1) label="IPv6 loopback";;

	${BCAST_IP}) label="broadcast";;
	${MCAST_IP}) label="multicast";;

	${NSA_IP}) label="ns-A IP";;
	${NSA_IP6}) label="ns-A IPv6";;
	${NSA_LO_IP}) label="ns-A loopback IP";;
	${NSA_LO_IP6}) label="ns-A loopback IPv6";;
	${NSA_LINKIP6}|${NSA_LINKIP6}%*) label="ns-A IPv6 LLA";;

	${NSB_IP}) label="ns-B IP";;
	${NSB_IP6}) label="ns-B IPv6";;
	${NSB_LO_IP}) label="ns-B loopback IP";;
	${NSB_LO_IP6}) label="ns-B loopback IPv6";;
	${NSB_LINKIP6}|${NSB_LINKIP6}%*) label="ns-B IPv6 LLA";;

	${NL_IP}) label="nonlocal IP";;
	${NL_IP6}) label="nonlocal IPv6";;

	${VRF_IP}) label="VRF IP";;
	${VRF_IP6}) label="VRF IPv6";;

	${MCAST}%*) label="multicast IP";;

	*) label="unknown";;
	esac

	echo "${label}"
}
352
# Print the IPv6 link-local address of a device inside a namespace.
# Arguments: $1 - namespace name, $2 - device name
# Outputs:   the fe80 address without its prefix length; everything from the
#            first '/' onwards is dropped, so only the first address found
#            survives.
# Returns:   0 when an address was found, 1 otherwise.
get_linklocal()
{
	local ns=$1 dev=$2
	local addr

	# 'ip -br' lists the addresses from the third column onwards
	addr=$(ip -netns ${ns} -6 -br addr show dev ${dev} |
		awk '{ for (i = 3; i <= NF; ++i) if ($i ~ /^fe80/) print $i }')
	addr=${addr%%/*}

	if [ -z "$addr" ]; then
		return 1
	fi

	echo $addr
	return 0
}
375
376################################################################################
377# create namespaces and vrf
378
# Create a VRF device inside a namespace and prepare its routing table.
# Arguments: $1 - namespace, $2 - VRF device name, $3 - routing table id,
#            $4 - IPv4 address for the VRF device or "-" for none,
#            $5 - IPv6 address for the VRF device or "-" for none
# The VRF gets an unreachable default route (metric 8192) and loopback
# addresses for both families, and the 'local' table rule is moved from
# pref 0 to pref 32765 for IPv4 and IPv6.
create_vrf()
{
	local ns=$1 vrf=$2 table=$3 addr=$4 addr6=$5
	local fam

	ip -netns ${ns} link add ${vrf} type vrf table ${table}
	ip -netns ${ns} link set ${vrf} up
	for fam in "" "-6"; do
		ip -netns ${ns} ${fam} route add vrf ${vrf} unreachable default metric 8192
	done

	ip -netns ${ns} addr add 127.0.0.1/8 dev ${vrf}
	ip -netns ${ns} -6 addr add ::1 dev ${vrf} nodad
	if [ "${addr}" != "-" ]; then
		ip -netns ${ns} addr add dev ${vrf} ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns ${ns} -6 addr add dev ${vrf} ${addr6}
	fi

	# demote the local table lookup, IPv4 first and then IPv6
	for fam in "" "-6"; do
		ip -netns ${ns} ${fam} ru del pref 0
		ip -netns ${ns} ${fam} ru add pref 32765 from all lookup local
	done
}
406
407create_ns()
408{
409	local ns=$1
410	local addr=$2
411	local addr6=$3
412
413	if [ "${addr}" != "-" ]; then
414		ip -netns ${ns} addr add dev lo ${addr}
415	fi
416	if [ "${addr6}" != "-" ]; then
417		ip -netns ${ns} -6 addr add dev lo ${addr6}
418	fi
419
420	ip -netns ${ns} ro add unreachable default metric 8192
421	ip -netns ${ns} -6 ro add unreachable default metric 8192
422
423	ip netns exec ${ns} sysctl -qw net.ipv4.ip_forward=1
424	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
425	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.forwarding=1
426	ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.forwarding=1
427	ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.accept_dad=0
428	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.accept_dad=0
429}
430
# Create a veth pair to connect two namespaces and apply addresses.
# Arguments: $1..$4 - first namespace, its device, IPv4 address, IPv6 address
#            $5..$8 - second namespace, its device, IPv4 address, IPv6 address
# An address argument of "-" on the FIRST namespace skips that family on both
# ends. The peer is created under the fixed temporary name 'tmp' in the first
# namespace before it is moved and renamed, so that name has to be free there.
connect_ns()
{
	local ns1=$1 ns1_dev=$2 ns1_addr=$3 ns1_addr6=$4
	local ns2=$5 ns2_dev=$6 ns2_addr=$7 ns2_addr6=$8
	local peer=tmp

	ip -netns ${ns1} li add ${ns1_dev} type veth peer name ${peer}
	ip -netns ${ns1} li set ${ns1_dev} up
	ip -netns ${ns1} li set ${peer} netns ${ns2} name ${ns2_dev}
	ip -netns ${ns2} li set ${ns2_dev} up

	if [ "${ns1_addr}" != "-" ]; then
		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr}
		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr}
	fi

	if [ "${ns1_addr6}" != "-" ]; then
		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6}
		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6}
	fi
}
458
# Tear down the test namespaces.
# ns-A is dismantled step by step (VRF, table, addresses, link) to exercise
# those teardown paths before the namespace itself is removed.
# NOTE(review): the grep pattern is the unquoted NSA value, so it is matched
# as a regular expression anywhere in the 'ip netns' listing; and every PID
# that 'ip netns pids' reports for a namespace is sent the default kill signal.
cleanup()
{
	local nsa_found

	# explicit cleanups to check those code paths
	ip netns | grep -q ${NSA}
	nsa_found=$?
	if [ ${nsa_found} -eq 0 ]; then
		ip -netns ${NSA} link delete ${VRF}
		ip -netns ${NSA} ro flush table ${VRF_TABLE}

		ip -netns ${NSA} addr flush dev ${NSA_DEV}
		ip -netns ${NSA} -6 addr flush dev ${NSA_DEV}
		ip -netns ${NSA} link set dev ${NSA_DEV} down
		ip -netns ${NSA} link del dev ${NSA_DEV}

		ip netns pids ${NSA} | xargs kill 2>/dev/null
		cleanup_ns ${NSA}
	fi

	ip netns pids ${NSB} | xargs kill 2>/dev/null
	ip netns pids ${NSC} | xargs kill 2>/dev/null
	cleanup_ns ${NSB} ${NSC}
}
480
# Undo setup_vrf_dup: delete the NSA_DEV2 link, kill whatever still runs in
# ns-C and delete that namespace. All diagnostics are discarded, so the
# function stays quiet when the pieces are already gone.
# NOTE(review): the link delete carries no -netns option, so it acts on the
# namespace this script itself runs in - confirm that is intended.
cleanup_vrf_dup()
{
	ip link del ${NSA_DEV2} &>/dev/null
	ip netns pids ${NSC} | xargs kill 2>/dev/null
	ip netns del ${NSC} &>/dev/null
}
487
# Create ns-C and connect it to ns-A over NSA_DEV2.
# Some VRF tests use ns-C, which gets the same addresses as ns-B but sits
# behind a device that is NOT in the VRF.
# Globals: NSC_CMD is (re)assigned; NSC is presumably set by setup_ns.
setup_vrf_dup()
{
	setup_ns NSC
	NSC_CMD="ip netns exec ${NSC}"

	create_ns ${NSC} - -
	connect_ns \
		${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \
		${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
}
498
# Build the ns-A / ns-B topology from scratch.
# Arguments: $1 - "yes" to enslave NSA_DEV to the VRF; anything else (or
#            nothing) gives the non-VRF layout.
# Globals:   NSA_CMD, NSB_CMD, NSA_LINKIP6 and NSB_LINKIP6 are assigned.
# 'set -e' is active only while the topology is being configured, so any
# failing step there stops the script; it is switched off again before return.
setup()
{
	local with_vrf=$1

	# make sure we are starting with a clean slate
	kill_procs
	cleanup 2>/dev/null

	log_debug "Configuring network namespaces"
	set -e

	setup_ns NSA NSB
	NSA_CMD="ip netns exec ${NSA}"
	NSB_CMD="ip netns exec ${NSB}"

	create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128
	create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128
	connect_ns \
		${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \
		${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64

	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})

	# tell ns-A how to get to remote addresses of ns-B
	if [ "${with_vrf}" != "yes" ]; then
		ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
		ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
	else
		create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6}

		ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
		ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
		ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}

		# ns-B also needs a route back to the VRF addresses
		ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
		ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
	fi

	# tell ns-B how to get to remote addresses of ns-A
	ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
	ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}

	set +e

	sleep 1
}
546
# Build a topology that carries link-local addresses only: ns-A is connected
# to ns-B (NSA_DEV) and to ns-C (NSA_DEV2), no global addresses are assigned,
# and both ns-A devices are enslaved to the VRF.
# Globals: NSA_CMD, NSB_CMD, NSC_CMD and the three *_LINKIP6 values are
#          assigned.
# 'set -e' is active only while the topology is being configured.
setup_lla_only()
{
	local ns

	# make sure we are starting with a clean slate
	kill_procs
	cleanup 2>/dev/null

	log_debug "Configuring network namespaces"
	set -e

	setup_ns NSA NSB NSC
	NSA_CMD="ip netns exec ${NSA}"
	NSB_CMD="ip netns exec ${NSB}"
	NSC_CMD="ip netns exec ${NSC}"
	for ns in "${NSA}" "${NSB}" "${NSC}"; do
		create_ns ${ns} - -
	done
	connect_ns ${NSA} ${NSA_DEV} - - ${NSB} ${NSB_DEV} - -
	connect_ns ${NSA} ${NSA_DEV2} - - ${NSC} ${NSC_DEV} - -

	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
	NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV})

	create_vrf ${NSA} ${VRF} ${VRF_TABLE} - -
	ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
	ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF}

	set +e

	sleep 1
}
580
581################################################################################
582# IPv4
583
# ICMP echo checks with no VRF in ns-A: outbound to ns-B, inbound from ns-B,
# local addresses, device-bound sockets, and reachability once ip rules or
# routes are changed to block or remove the path.
# Every case hands the ping exit status to log_test_addr together with the
# value expected for that case (0, 1 or 2 as written below).
# The rule and route changes are applied with setup_cmd, which exits the
# script on failure; the routes altered in the last two sections are not put
# back here - the caller (ipv4_ping) runs setup again before each pass.
ipv4_ping_novrf()
{
	local a

	#
	# out
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping out"

		log_start
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a}
		log_test_addr ${a} $? 0 "ping out, address bind"
	done

	#
	# out, but don't use gateway if peer is not on link
	#
	a=${NSB_IP}
	log_start
	run_cmd ping -c 1 -w 1 -r ${a}
	log_test_addr ${a} $? 0 "ping out (don't route), peer on link"

	a=${NSB_LO_IP}
	log_start
	show_hint "Fails since peer is not on link"
	run_cmd ping -c 1 -w 1 -r ${a}
	log_test_addr ${a} $? 1 "ping out (don't route), peer not on link"

	#
	# in
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd_nsb ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	#
	# local traffic
	#
	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		run_cmd ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping local"
	done

	#
	# local traffic, socket bound to device
	#
	# address on device
	a=${NSA_IP}
	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 0 "ping local, device bind"

	# loopback addresses not reachable from device bind
	# fails in a really weird way though because ipv4 special cases
	# route lookups with oif set.
	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Fails since address on loopback device is out of device scope"
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 1 "ping local, device bind"
	done

	#
	# ip rule blocks reachability to remote address
	#
	# The local-table rule is first moved from pref 0 to pref 32765 so that
	# the prohibit rules at pref 50/51 are evaluated ahead of it.
	log_start
	setup_cmd ip rule add pref 32765 from all lookup local
	setup_cmd ip rule del pref 0 from all lookup local
	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by rule"

	# NOTE: ipv4 actually allows the lookup to fail and yet still create
	# a viable rtable if the oif (e.g., bind to device) is set, so this
	# case succeeds despite the rule
	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}

	a=${NSA_LO_IP}
	log_start
	show_hint "Response generates ICMP (or arp request is ignored) due to ip rule"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	# put the rule set back the way it was before this section
	[ "$VERBOSE" = "1" ] && echo
	setup_cmd ip rule del pref 32765 from all lookup local
	setup_cmd ip rule add pref 0 from all lookup local
	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit

	#
	# route blocks reachability to remote address
	#
	log_start
	setup_cmd ip route replace unreachable ${NSB_LO_IP}
	setup_cmd ip route replace unreachable ${NSB_IP}

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by route"

	# NOTE: ipv4 actually allows the lookup to fail and yet still create
	# a viable rtable if the oif (e.g., bind to device) is set, so this
	# case succeeds despite not having a route for the address
	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}

	a=${NSA_LO_IP}
	log_start
	show_hint "Response is dropped (or arp request is ignored) due to ip route"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by route"

	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip ro del ${NSB_LO_IP}

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, unreachable default route"

	# NOTE: ipv4 actually allows the lookup to fail and yet still create
	# a viable rtable if the oif (e.g., bind to device) is set, so this
	# case succeeds despite not having a route for the address
	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
}
727
# ICMP echo checks with NSA_DEV enslaved to the VRF: outbound with VRF,
# device and address binds, inbound from ns-B, local addresses, and
# reachability once prohibit rules are added or the remote route is removed.
# Every case hands the ping exit status to log_test_addr together with the
# value expected for that case (0, 1 or 2 as written below).
# The remote route deleted in the last section is not restored here; the
# caller (ipv4_ping) runs setup again before the next pass.
ipv4_ping_vrf()
{
	local a

	# should default on; does not exist on older kernels
	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd ping -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping out, VRF bind"

		log_start
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a}
		log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind"

		log_start
		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a}
		log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd_nsb ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	#
	# local traffic, local address
	#
	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
	do
		log_start
		show_hint "Source address should be ${a}"
		run_cmd ping -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping local, VRF bind"
	done

	#
	# local traffic, socket bound to device
	#
	# address on device
	a=${NSA_IP}
	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 0 "ping local, device bind"

	# vrf device is out of scope
	for a in ${VRF_IP} 127.0.0.1
	do
		log_start
		show_hint "Fails since address on vrf device is out of device scope"
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 2 "ping local, device bind"
	done

	#
	# ip rule blocks address
	#
	# Unlike the non-VRF variant no local-table rule is moved here;
	# create_vrf already placed it at pref 32765 when the VRF was created.
	log_start
	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 -I ${VRF} ${a}
	log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule"

	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"

	a=${NSA_LO_IP}
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	# remove the two prohibit rules again
	[ "$VERBOSE" = "1" ] && echo
	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit

	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP}

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 -I ${VRF} ${a}
	log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route"

	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"

	a=${NSA_LO_IP}
	log_start
	show_hint "Response lost by unreachable route"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, unreachable route"
}
841
# Driver for the IPv4 ping tests.
# The non-VRF cases run three times on a freshly built topology: with
# raw_l3mdev_accept set to 0, then to 1, then with the ping group range
# opened by set_ping_group. The VRF cases run twice: plain, and again after
# set_ping_group. Errors from setting raw_l3mdev_accept are discarded.
ipv4_ping()
{
	local l3mdev

	log_section "IPv4 ping"

	log_subsection "No VRF"
	for l3mdev in 0 1; do
		setup
		set_sysctl net.ipv4.raw_l3mdev_accept=${l3mdev} 2>/dev/null
		ipv4_ping_novrf
	done
	setup
	set_ping_group
	ipv4_ping_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_ping_vrf
	setup "yes"
	set_ping_group
	ipv4_ping_vrf
}
864
865################################################################################
866# IPv4 TCP
867
#
# MD5 tests without VRF
#
# Each case starts a nettest server in ns-A in the background, waits for TCP
# port 12345 to be listening there, then connects from ns-B and passes the
# client's exit status to log_test.
# The server is given a key with -M and the peer address or prefix the key
# applies to with -m; the client presents its key with -X.
# Besides the two matching-key cases, the negative cases check that the
# connection does NOT succeed (expected rc 2, described by the hints as a
# timeout) when the server has no key, the client key is wrong, or the client
# address is not the one / not inside the prefix the key was configured for.
# The keys travel on the command line and are fixed test fixtures.
ipv4_tcp_md5_novrf()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -s &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Prefix config, client uses wrong password"

	# client outside of prefix
	# (-c makes the client use the ns-B loopback address as its source)
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
}
935
#
# MD5 tests with VRF
#
# Same structure as the non-VRF MD5 tests, with the server socket bound to
# the VRF via -I: a background nettest server in ns-A, a wait for TCP port
# 12345, a client from ns-B (reaches ns-A through the VRF device) or ns-C
# (reaches ns-A through the device outside the VRF), and the client's exit
# status passed to log_test.
# The "duplicate config" cases run two servers at once - one bound to the
# VRF with MD5_PW and one unbound with MD5_WRONG_PW - and check that a key is
# only accepted in the L3 domain it was configured for: the key of the other
# domain must not authenticate the connection (expected rc 2).
# The negative cases at the end expect the server itself to fail (rc 1) when
# -I names a plain device instead of a VRF together with an MD5 key.
ipv4_tcp_md5()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout since server does not have MD5 auth"
	run_cmd nettest -s -I ${VRF} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout since server config differs from client"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"

	# client outside of prefix
	log_start
	show_hint "Should timeout since client address is outside of prefix"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"

	#
	# duplicate config between default VRF and a VRF
	#

	# VRF server holds MD5_PW, default-VRF server holds MD5_WRONG_PW;
	# ns-B connects through the VRF, ns-C through the default VRF.
	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsc nettest  -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"

	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"

	# the same four combinations with the keys configured per prefix
	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsc nettest  -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"

	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"

	#
	# negative tests
	#
	# these run the server in the foreground: its own exit status is the
	# value under test
	log_start
	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP}
	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET}
	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"

	test_ipv4_md5_vrf__vrf_server__no_bind_ifindex
	test_ipv4_md5_vrf__global_server__bind_ifindex0
}
1081
# MD5 with a VRF-bound server socket, once with the key left unbound
# (--no-bind-key-ifindex) and once with the key bound as well
# (--force-bind-key-ifindex). In both cases the client in ns-B presenting the
# matching key is expected to connect (rc 0).
test_ipv4_md5_vrf__vrf_server__no_bind_ifindex()
{
	local key_flag hint desc

	for key_flag in --no-bind-key-ifindex --force-bind-key-ifindex; do
		if [ "${key_flag}" = "--no-bind-key-ifindex" ]; then
			hint="Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX"
			desc="MD5: VRF: VRF-bound server, unbound key accepts connection"
		else
			hint="Binding both the socket and the key is not required but it works"
			desc="MD5: VRF: VRF-bound server, bound key accepts connection"
		fi

		log_start
		show_hint "${hint}"
		run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} ${key_flag} &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
		log_test $? 0 "${desc}"
	done
}
1098
# MD5 with a server socket that is NOT bound to the VRF, comparing a key
# forced to bind to an ifindex (--force-bind-key-ifindex; the test names call
# this "ifindex=0") with a key left unbound (--no-bind-key-ifindex).
# Expected outcome per the log_test calls: the bound key rejects the client
# arriving through the VRF (ns-B, rc 2) and accepts the non-VRF client
# (ns-C, rc 0); the unbound key accepts both.
# tcp_l3mdev_accept is saved, forced to 1 for the duration and written back
# at the end.
# NOTE(review): if get_sysctl fails, the saved value is empty and the restore
# writes an empty setting - confirm whether that case needs handling.
test_ipv4_md5_vrf__global_server__bind_ifindex0()
{
	# This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections
	local old_tcp_l3mdev_accept
	old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept)
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection"
	log_start

	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection"

	# restore value
	set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept"
}
1133
# Link-local connection tests (SO_DONTROUTE) over TCP.
# Arguments: $1 - value written to net.ipv4.tcp_syncookies in both
#                 namespaces while the tests run (callers in this file
#                 pass 0 and 2).
# A connection is expected to succeed only when the remote address is on
# link, i.e. does not have to be routed through a gateway. The previous
# syncookies setting of each namespace is restored before returning.
ipv4_tcp_dontroute() {
	local syncookies=$1
	local saved_nsa
	local saved_nsb
	local a

	# Remember the current settings, then apply the requested one.
	saved_nsa=$(ip netns exec "$NSA" sysctl -n net.ipv4.tcp_syncookies)
	saved_nsb=$(ip netns exec "$NSB" sysctl -n net.ipv4.tcp_syncookies)
	ip netns exec "$NSA" sysctl -wq net.ipv4.tcp_syncookies=$syncookies
	ip netns exec "$NSB" sysctl -wq net.ipv4.tcp_syncookies=$syncookies

	# On-link peer (eth1 address): both directions must work.
	a=$NSB_IP

	log_start
	do_run_cmd nettest -B -N "$NSA" -O "$NSB" -r $a --client-dontroute
	log_test_addr $a $? 0 "SO_DONTROUTE client, syncookies=${syncookies}"

	log_start
	do_run_cmd nettest -B -N "$NSA" -O "$NSB" -r $a --server-dontroute
	log_test_addr $a $? 0 "SO_DONTROUTE server, syncookies=${syncookies}"

	# Routed peer (loopback address).
	#
	# By default the client would pick the eth1 address as its source, so
	# -c forces the routed (loopback) address instead; the server then has
	# to answer a routed address rather than a link local one.
	a=$NSB_LO_IP

	log_start
	show_hint "Should fail 'Network is unreachable' since server is not on link"
	do_run_cmd nettest -B -N "$NSA" -O "$NSB" -c "$NSA_LO_IP" -r $a --client-dontroute
	log_test_addr $a $? 1 "SO_DONTROUTE client, syncookies=${syncookies}"

	log_start
	show_hint "Should timeout since server cannot respond (client is not on link)"
	do_run_cmd nettest -B -N "$NSA" -O "$NSB" -c "$NSA_LO_IP" -r $a --server-dontroute
	log_test_addr $a $? 2 "SO_DONTROUTE server, syncookies=${syncookies}"

	# Restore what was found on entry.
	ip netns exec "$NSB" sysctl -wq net.ipv4.tcp_syncookies=$saved_nsb
	ip netns exec "$NSA" sysctl -wq net.ipv4.tcp_syncookies=$saved_nsa
}
1186
# IPv4 TCP permutations without a VRF: server in ns-A, client in ns-A,
# and connections between local addresses, each with unbound and
# device-bound sockets. Negative cases pin the expected nettest exit code
# (1) so that a connection which should be refused or unroutable is
# reported as a failure if it succeeds. Ends with the MD5 tests (skipped
# when fips_enabled is "1") and the SO_DONTROUTE tests.
ipv4_tcp_novrf() {
	local a

	#
	# server side
	#
	for a in $NSA_IP $NSA_LO_IP; do
		log_start
		run_cmd nettest -s &
		wait_local_port_listen $NSA 12345 tcp
		run_cmd_nsb nettest -r $a
		log_test_addr $a $? 0 "Global server"
	done

	a=$NSA_IP
	log_start
	run_cmd nettest -s -I $NSA_DEV &
	wait_local_port_listen $NSA 12345 tcp
	run_cmd_nsb nettest -r $a
	log_test_addr $a $? 0 "Device server"

	# no listener: the TCP reset must be sent and received
	for a in $NSA_IP $NSA_LO_IP; do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r $a
		log_test_addr $a $? 1 "No server"
	done

	#
	# client side
	#
	for a in $NSB_IP $NSB_LO_IP; do
		log_start
		run_cmd_nsb nettest -s &
		wait_local_port_listen $NSB 12345 tcp
		run_cmd nettest -r $a -0 $NSA_IP
		log_test_addr $a $? 0 "Client"

		log_start
		run_cmd_nsb nettest -s &
		wait_local_port_listen $NSB 12345 tcp
		run_cmd nettest -r $a -d $NSA_DEV
		log_test_addr $a $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r $a
		log_test_addr $a $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r $a -d $NSA_DEV
		log_test_addr $a $? 1 "No server, device client"
	done

	#
	# connections between local addresses
	#
	for a in $NSA_IP $NSA_LO_IP 127.0.0.1; do
		log_start
		run_cmd nettest -s &
		wait_local_port_listen $NSA 12345 tcp
		run_cmd nettest -r $a -0 $a -1 $a
		log_test_addr $a $? 0 "Global server, local connection"
	done

	a=$NSA_IP
	log_start
	run_cmd nettest -s -I $NSA_DEV &
	wait_local_port_listen $NSA 12345 tcp
	run_cmd nettest -r $a -0 $a
	log_test_addr $a $? 0 "Device server, unbound client, local connection"

	# loopback addresses are outside the scope of a device-bound server
	for a in $NSA_LO_IP 127.0.0.1; do
		log_start
		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
		run_cmd nettest -s -I $NSA_DEV &
		wait_local_port_listen $NSA 12345 tcp
		run_cmd nettest -r $a
		log_test_addr $a $? 1 "Device server, unbound client, local connection"
	done

	a=$NSA_IP
	log_start
	run_cmd nettest -s &
	wait_local_port_listen $NSA 12345 tcp
	run_cmd nettest -r $a -0 $a -d $NSA_DEV
	log_test_addr $a $? 0 "Global server, device client, local connection"

	# ... and outside the scope of a device-bound client as well
	for a in $NSA_LO_IP 127.0.0.1; do
		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -s &
		wait_local_port_listen $NSA 12345 tcp
		run_cmd nettest -r $a -d $NSA_DEV
		log_test_addr $a $? 1 "Global server, device client, local connection"
	done

	a=$NSA_IP
	log_start
	run_cmd nettest -s -I $NSA_DEV -3 $NSA_DEV &
	wait_local_port_listen $NSA 12345 tcp
	run_cmd nettest -d $NSA_DEV -r $a -0 $a
	log_test_addr $a $? 0 "Device server, device client, local connection"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -d $NSA_DEV -r $a
	log_test_addr $a $? 1 "No server, device client, local conn"

	# The MD5 tests are skipped when fips_enabled is "1".
	if [ "$fips_enabled" != "1" ]; then
		ipv4_tcp_md5_novrf
	fi

	ipv4_tcp_dontroute 0
	ipv4_tcp_dontroute 2
}
1310
# IPv4 TCP permutations with the VRF configured.
# First pass runs with net.ipv4.tcp_l3mdev_accept=0: an unbound ("global")
# listener must NOT accept a connection that arrives through the VRF
# (expected rc 1), while VRF-bound and device-bound listeners do.
# Second pass sets tcp_l3mdev_accept=1 and checks that the global listener
# now accepts, with the accepted socket bound to the VRF (-3 ${VRF}).
# The sysctl is left at 1 on return; it is not restored here.
ipv4_tcp_vrf() {
	local a

	log_subsection "Global server disabled"

	# global server off
	set_sysctl net.ipv4.tcp_l3mdev_accept=0

	#
	# server side
	#
	for a in $NSA_IP $VRF_IP; do
		log_start
		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
		run_cmd nettest -s &
		wait_local_port_listen $NSA 12345 tcp
		run_cmd_nsb nettest -r $a
		log_test_addr $a $? 1 "Global server"

		log_start
		run_cmd nettest -s -I $VRF -3 $VRF &
		wait_local_port_listen $NSA 12345 tcp
		run_cmd_nsb nettest -r $a
		log_test_addr $a $? 0 "VRF server"

		log_start
		run_cmd nettest -s -I $NSA_DEV -3 $NSA_DEV &
		wait_local_port_listen $NSA 12345 tcp
		run_cmd_nsb nettest -r $a
		log_test_addr $a $? 0 "Device server"

		# no listener: the TCP reset must be received
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r $a
		log_test_addr $a $? 1 "No server"
	done

	# connections between local addresses
	# (${VRF_IP} and 127.0.0.1 both timeout)
	a=$NSA_IP
	log_start
	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
	run_cmd nettest -s &
	wait_local_port_listen $NSA 12345 tcp
	run_cmd nettest -r $a -d $NSA_DEV
	log_test_addr $a $? 1 "Global server, local connection"

	# MD5 tests run only when fips_enabled is "0"
	if [ "$fips_enabled" = "0" ]; then
		setup_vrf_dup
		ipv4_tcp_md5
		cleanup_vrf_dup
	fi

	#
	# global server on
	#
	log_subsection "VRF Global server enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	for a in $NSA_IP $VRF_IP; do
		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -3 $VRF &
		wait_local_port_listen $NSA 12345 tcp
		run_cmd_nsb nettest -r $a
		log_test_addr $a $? 0 "Global server"

		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -I $VRF -3 $VRF &
		wait_local_port_listen $NSA 12345 tcp
		run_cmd_nsb nettest -r $a
		log_test_addr $a $? 0 "VRF server"

		# no listener: the TCP reset must be received
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -r $a
		log_test_addr $a $? 1 "No server"
	done

	a=$NSA_IP
	log_start
	show_hint "client socket should be bound to device"
	run_cmd nettest -s -I $NSA_DEV -3 $NSA_DEV &
	wait_local_port_listen $NSA 12345 tcp
	run_cmd_nsb nettest -r $a
	log_test_addr $a $? 0 "Device server"

	# connections between local addresses
	for a in $NSA_IP $VRF_IP; do
		log_start
		show_hint "Should fail 'Connection refused' since client is not bound to VRF"
		run_cmd nettest -s -I $VRF &
		wait_local_port_listen $NSA 12345 tcp
		run_cmd nettest -r $a
		log_test_addr $a $? 1 "Global server, local connection"
	done

	#
	# client side
	#
	for a in $NSB_IP $NSB_LO_IP; do
		log_start
		run_cmd_nsb nettest -s &
		wait_local_port_listen $NSB 12345 tcp
		run_cmd nettest -r $a -d $VRF
		log_test_addr $a $? 0 "Client, VRF bind"

		log_start
		run_cmd_nsb nettest -s &
		wait_local_port_listen $NSB 12345 tcp
		run_cmd nettest -r $a -d $NSA_DEV
		log_test_addr $a $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r $a -d $VRF
		log_test_addr $a $? 1 "No server, VRF client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r $a -d $NSA_DEV
		log_test_addr $a $? 1 "No server, device client"
	done

	for a in $NSA_IP $VRF_IP 127.0.0.1; do
		log_start
		run_cmd nettest -s -I $VRF -3 $VRF &
		wait_local_port_listen $NSA 12345 tcp
		run_cmd nettest -r $a -d $VRF -0 $a
		log_test_addr $a $? 0 "VRF server, VRF client, local connection"
	done

	a=$NSA_IP
	log_start
	run_cmd nettest -s -I $VRF -3 $VRF &
	wait_local_port_listen $NSA 12345 tcp
	run_cmd nettest -r $a -d $NSA_DEV -0 $a
	log_test_addr $a $? 0 "VRF server, device client, local connection"

	# an unbound client is outside the VRF and must not reach the server
	log_start
	show_hint "Should fail 'No route to host' since client is out of VRF scope"
	run_cmd nettest -s -I $VRF &
	wait_local_port_listen $NSA 12345 tcp
	run_cmd nettest -r $a
	log_test_addr $a $? 1 "VRF server, unbound client, local connection"

	log_start
	run_cmd nettest -s -I $NSA_DEV -3 $NSA_DEV &
	wait_local_port_listen $NSA 12345 tcp
	run_cmd nettest -r $a -d $VRF -0 $a
	log_test_addr $a $? 0 "Device server, VRF client, local connection"

	log_start
	run_cmd nettest -s -I $NSA_DEV -3 $NSA_DEV &
	wait_local_port_listen $NSA 12345 tcp
	run_cmd nettest -r $a -d $NSA_DEV -0 $a
	log_test_addr $a $? 0 "Device server, device client, local connection"
}
1479
# Entry point for the IPv4/TCP section: runs the non-VRF tests twice
# (tcp_l3mdev_accept off, then on), then rebuilds the topology with the
# VRF and runs the VRF tests.
ipv4_tcp() {
	log_section "IPv4/TCP"

	log_subsection "No VRF"
	setup

	# Without a VRF, tcp_l3mdev_accept should have no effect; run the
	# same tests with it off and on to verify that.
	log_subsection "tcp_l3mdev_accept disabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=0
	ipv4_tcp_novrf

	log_subsection "tcp_l3mdev_accept enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1
	ipv4_tcp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_tcp_vrf
}
1499
################################################################################
# IPv4 UDP
1502
# IPv4 UDP permutations without a VRF: server in ns-A, client in ns-A
# (plain, device bind, cmsg, IP_UNICAST_IF, with and without connect()),
# connections between local addresses, and SO_DONTROUTE. Negative cases
# pin the expected nettest exit code (1 or 2) so that traffic which should
# be out of device scope is reported if it gets through.
ipv4_udp_novrf() {
	local a

	#
	# server side
	#
	for a in $NSA_IP $NSA_LO_IP; do
		log_start
		run_cmd nettest -D -s -3 $NSA_DEV &
		wait_local_port_listen $NSA 12345 udp
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 0 "Global server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 1 "No server"
	done

	a=$NSA_IP
	log_start
	run_cmd nettest -D -I $NSA_DEV -s -3 $NSA_DEV &
	wait_local_port_listen $NSA 12345 udp
	run_cmd_nsb nettest -D -r $a
	log_test_addr $a $? 0 "Device server"

	#
	# client side
	#
	for a in $NSB_IP $NSB_LO_IP; do
		log_start
		run_cmd_nsb nettest -D -s &
		wait_local_port_listen $NSB 12345 udp
		run_cmd nettest -D -r $a -0 $NSA_IP
		log_test_addr $a $? 0 "Client"

		log_start
		run_cmd_nsb nettest -D -s &
		wait_local_port_listen $NSB 12345 udp
		run_cmd nettest -D -r $a -d $NSA_DEV -0 $NSA_IP
		log_test_addr $a $? 0 "Client, device bind"

		log_start
		run_cmd_nsb nettest -D -s &
		wait_local_port_listen $NSB 12345 udp
		run_cmd nettest -D -r $a -d $NSA_DEV -C -0 $NSA_IP
		log_test_addr $a $? 0 "Client, device send via cmsg"

		log_start
		run_cmd_nsb nettest -D -s &
		wait_local_port_listen $NSB 12345 udp
		run_cmd nettest -D -r $a -d $NSA_DEV -S -0 $NSA_IP
		log_test_addr $a $? 0 "Client, device bind via IP_UNICAST_IF"

		log_start
		run_cmd_nsb nettest -D -s &
		wait_local_port_listen $NSB 12345 udp
		run_cmd nettest -D -r $a -d $NSA_DEV -S -0 $NSA_IP -U
		log_test_addr $a $? 0 "Client, device bind via IP_UNICAST_IF, with connect()"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -r $a
		log_test_addr $a $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -r $a -d $NSA_DEV
		log_test_addr $a $? 1 "No server, device client"
	done

	#
	# connections between local addresses
	#
	for a in $NSA_IP $NSA_LO_IP 127.0.0.1; do
		log_start
		run_cmd nettest -D -s &
		wait_local_port_listen $NSA 12345 udp
		run_cmd nettest -D -r $a -0 $a -1 $a
		log_test_addr $a $? 0 "Global server, local connection"
	done

	a=$NSA_IP
	log_start
	run_cmd nettest -s -D -I $NSA_DEV -3 $NSA_DEV &
	wait_local_port_listen $NSA 12345 udp
	run_cmd nettest -D -r $a
	log_test_addr $a $? 0 "Device server, unbound client, local connection"

	for a in $NSA_LO_IP 127.0.0.1; do
		log_start
		show_hint "Should fail 'Connection refused' since address is out of device scope"
		run_cmd nettest -s -D -I $NSA_DEV &
		wait_local_port_listen $NSA 12345 udp
		run_cmd nettest -D -r $a
		log_test_addr $a $? 1 "Device server, unbound client, local connection"
	done

	a=$NSA_IP
	log_start
	run_cmd nettest -s -D &
	wait_local_port_listen $NSA 12345 udp
	run_cmd nettest -D -d $NSA_DEV -r $a
	log_test_addr $a $? 0 "Global server, device client, local connection"

	log_start
	run_cmd nettest -s -D &
	wait_local_port_listen $NSA 12345 udp
	run_cmd nettest -D -d $NSA_DEV -C -r $a
	log_test_addr $a $? 0 "Global server, device send via cmsg, local connection"

	log_start
	run_cmd nettest -s -D &
	wait_local_port_listen $NSA 12345 udp
	run_cmd nettest -D -d $NSA_DEV -S -r $a
	log_test_addr $a $? 0 "Global server, device client via IP_UNICAST_IF, local connection"

	log_start
	run_cmd nettest -s -D &
	wait_local_port_listen $NSA 12345 udp
	run_cmd nettest -D -d $NSA_DEV -S -r $a -U
	log_test_addr $a $? 0 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"

	# IPv4 with a device bind behaves oddly: it overrides the fib lookup,
	# generates an rtable and tries to send the packet. Local traffic then
	# fails at different places, hence the differing expected codes below.
	for a in $NSA_LO_IP 127.0.0.1; do
		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		wait_local_port_listen $NSA 12345 udp
		run_cmd nettest -D -r $a -d $NSA_DEV
		log_test_addr $a $? 2 "Global server, device client, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		wait_local_port_listen $NSA 12345 udp
		run_cmd nettest -D -r $a -d $NSA_DEV -C
		log_test_addr $a $? 1 "Global server, device send via cmsg, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		wait_local_port_listen $NSA 12345 udp
		run_cmd nettest -D -r $a -d $NSA_DEV -S
		log_test_addr $a $? 1 "Global server, device client via IP_UNICAST_IF, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		wait_local_port_listen $NSA 12345 udp
		run_cmd nettest -D -r $a -d $NSA_DEV -S -U
		log_test_addr $a $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"
	done

	a=$NSA_IP
	log_start
	run_cmd nettest -D -s -I $NSA_DEV -3 $NSA_DEV &
	wait_local_port_listen $NSA 12345 udp
	run_cmd nettest -D -d $NSA_DEV -r $a -0 $a
	log_test_addr $a $? 0 "Device server, device client, local conn"

	log_start
	run_cmd nettest -D -d $NSA_DEV -r $a
	log_test_addr $a $? 2 "No server, device client, local conn"

	#
	# Link local connection tests (SO_DONTROUTE): the connection should
	# succeed only when the remote address is on link, i.e. does not need
	# to be routed through a gateway.
	#
	a=$NSB_IP
	log_start
	do_run_cmd nettest -B -D -N "$NSA" -O "$NSB" -r $a --client-dontroute
	log_test_addr $a $? 0 "SO_DONTROUTE client"

	a=$NSB_LO_IP
	log_start
	show_hint "Should fail 'Network is unreachable' since server is not on link"
	do_run_cmd nettest -B -D -N "$NSA" -O "$NSB" -r $a --client-dontroute
	log_test_addr $a $? 1 "SO_DONTROUTE client"
}
1697
# IPv4 UDP permutations with the VRF configured.
# First pass runs with net.ipv4.udp_l3mdev_accept=0: an unbound ("global")
# server must not receive traffic that ingresses through the VRF, nor
# serve a VRF-bound local client (expected rc 1). Second pass sets
# udp_l3mdev_accept=1 and checks that the global server is reachable.
# The sysctl is left at 1 on return; it is not restored here.
ipv4_udp_vrf() {
	local a

	log_subsection "Global server disabled"

	# global server off
	set_sysctl net.ipv4.udp_l3mdev_accept=0

	#
	# server side
	#
	for a in $NSA_IP $VRF_IP; do
		log_start
		show_hint "Fails because ingress is in a VRF and global server is disabled"
		run_cmd nettest -D -s &
		wait_local_port_listen $NSA 12345 udp
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 1 "Global server"

		log_start
		run_cmd nettest -D -I $VRF -s -3 $NSA_DEV &
		wait_local_port_listen $NSA 12345 udp
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 0 "VRF server"

		log_start
		run_cmd nettest -D -I $NSA_DEV -s -3 $NSA_DEV &
		wait_local_port_listen $NSA 12345 udp
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 0 "Enslaved device server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 1 "No server"

		log_start
		show_hint "Should fail 'Connection refused' since global server is out of scope"
		run_cmd nettest -D -s &
		wait_local_port_listen $NSA 12345 udp
		run_cmd nettest -D -d $VRF -r $a
		log_test_addr $a $? 1 "Global server, VRF client, local connection"
	done

	a=$NSA_IP
	log_start
	run_cmd nettest -s -D -I $VRF -3 $NSA_DEV &
	wait_local_port_listen $NSA 12345 udp
	run_cmd nettest -D -d $VRF -r $a
	log_test_addr $a $? 0 "VRF server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I $VRF -3 $NSA_DEV &
	wait_local_port_listen $NSA 12345 udp
	run_cmd nettest -D -d $NSA_DEV -r $a
	log_test_addr $a $? 0 "VRF server, enslaved device client, local connection"

	log_start
	run_cmd nettest -s -D -I $NSA_DEV -3 $NSA_DEV &
	wait_local_port_listen $NSA 12345 udp
	run_cmd nettest -D -d $VRF -r $a
	log_test_addr $a $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I $NSA_DEV -3 $NSA_DEV &
	wait_local_port_listen $NSA 12345 udp
	run_cmd nettest -D -d $NSA_DEV -r $a
	log_test_addr $a $? 0 "Enslaved device server, device client, local conn"

	# global server on
	log_subsection "Global server enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1

	#
	# server side
	#
	for a in $NSA_IP $VRF_IP; do
		log_start
		run_cmd nettest -D -s -3 $NSA_DEV &
		wait_local_port_listen $NSA 12345 udp
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 0 "Global server"

		log_start
		run_cmd nettest -D -I $VRF -s -3 $NSA_DEV &
		wait_local_port_listen $NSA 12345 udp
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 0 "VRF server"

		log_start
		run_cmd nettest -D -I $NSA_DEV -s -3 $NSA_DEV &
		wait_local_port_listen $NSA 12345 udp
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 0 "Enslaved device server"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -D -r $a
		log_test_addr $a $? 1 "No server"
	done

	#
	# client side
	#
	log_start
	run_cmd_nsb nettest -D -s &
	wait_local_port_listen $NSB 12345 udp
	run_cmd nettest -d $VRF -D -r $NSB_IP -1 $NSA_IP
	log_test $? 0 "VRF client"

	log_start
	run_cmd_nsb nettest -D -s &
	wait_local_port_listen $NSB 12345 udp
	run_cmd nettest -d $NSA_DEV -D -r $NSB_IP -1 $NSA_IP
	log_test $? 0 "Enslaved device client"

	# negative tests: nothing is listening
	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -D -d $VRF -r $NSB_IP
	log_test $? 1 "No server, VRF client"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -D -d $NSA_DEV -r $NSB_IP
	log_test $? 1 "No server, enslaved device client"

	#
	# connections between local addresses
	#
	a=$NSA_IP
	log_start
	run_cmd nettest -D -s -3 $NSA_DEV &
	wait_local_port_listen $NSA 12345 udp
	run_cmd nettest -D -d $VRF -r $a
	log_test_addr $a $? 0 "Global server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I $VRF -3 $NSA_DEV &
	wait_local_port_listen $NSA 12345 udp
	run_cmd nettest -D -d $VRF -r $a
	log_test_addr $a $? 0 "VRF server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I $VRF -3 $NSA_DEV &
	wait_local_port_listen $NSA 12345 udp
	run_cmd nettest -D -d $NSA_DEV -r $a
	log_test_addr $a $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -s -D -I $NSA_DEV -3 $NSA_DEV &
	wait_local_port_listen $NSA 12345 udp
	run_cmd nettest -D -d $VRF -r $a
	log_test_addr $a $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I $NSA_DEV -3 $NSA_DEV &
	wait_local_port_listen $NSA 12345 udp
	run_cmd nettest -D -d $NSA_DEV -r $a
	log_test_addr $a $? 0 "Enslaved device server, device client, local conn"

	for a in $VRF_IP 127.0.0.1; do
		log_start
		run_cmd nettest -D -s -3 $VRF &
		wait_local_port_listen $NSA 12345 udp
		run_cmd nettest -D -d $VRF -r $a
		log_test_addr $a $? 0 "Global server, VRF client, local conn"
	done

	for a in $VRF_IP 127.0.0.1; do
		log_start
		run_cmd nettest -s -D -I $VRF -3 $VRF &
		wait_local_port_listen $NSA 12345 udp
		run_cmd nettest -D -d $VRF -r $a
		log_test_addr $a $? 0 "VRF server, VRF client, local conn"
	done

	# negative test: no listener, verifies ECONNREFUSED
	for a in $NSA_IP $VRF_IP 127.0.0.1; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -d $VRF -r $a
		log_test_addr $a $? 1 "No server, VRF client, local conn"
	done
}
1890
# Entry point for the IPv4/UDP section: runs the non-VRF tests twice
# (udp_l3mdev_accept off, then on), then rebuilds the topology with the
# VRF and runs the VRF tests.
ipv4_udp() {
	log_section "IPv4/UDP"

	log_subsection "No VRF"
	setup

	# Without a VRF, udp_l3mdev_accept should have no effect; run the
	# same tests with it off and on to verify that.
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv4_udp_novrf

	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv4_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_udp_vrf
}
1911
################################################################################
# IPv4 address bind
#
# verifies ability or inability to bind to an address / device
1916
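# Address bind checks without a VRF: raw, TCP and ICMP sockets binding to
# local, nonlocal, broadcast and multicast addresses. Each case runs
# nettest with -b and compares its exit code with the expected one, so a
# bind that should be rejected (broadcast/multicast on an ICMP socket) is
# reported if the kernel allows it.
# Globals: NSA_IP, NSA_LO_IP, NSB_IP, NSA_DEV, NL_IP, BCAST_IP, MCAST_IP (read)
ipv4_addr_bind_novrf()
{
	# Keep the loop variable out of the global scope, as the other test
	# functions in this file do.
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# tests for nonlocal bind
	# (NL_IP is not configured on any interface; -f presumably enables
	# freebind in nettest -- confirm against nettest usage)
	#
	a=${NL_IP}
	log_start
	run_cmd nettest -s -R -f -l ${a} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

	log_start
	run_cmd nettest -s -f -l ${a} -b
	log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address"

	log_start
	run_cmd nettest -s -D -P icmp -f -l ${a} -b
	log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address"

	#
	# check that ICMP sockets cannot bind to broadcast and multicast addresses
	#
	a=${BCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address"

	a=${MCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to multicast address"

	#
	# tcp sockets
	#
	a=${NSA_IP}
	log_start
	run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not.
	# Consequence for readers: a device bind alone does not limit which
	# local addresses the socket can bind to, which is why the check
	# below stays disabled.
	#a=${NSA_LO_IP}
	#log_start
	#show_hint "Should fail with 'Cannot assign requested address'"
	#run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
	#log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
}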
1984
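# Address bind checks with the VRF configured: raw, TCP and ICMP sockets
# binding to local, nonlocal, broadcast and multicast addresses. Each case
# runs nettest with -b and compares its exit code with the expected one.
# The negative cases cover L3-domain scoping: an address inside the VRF
# must not be bindable from a socket outside it, and a loopback address
# must not be bindable from a socket bound to the VRF or to a device
# in the VRF.
# Globals: NSA_IP, VRF_IP, NSA_LO_IP, NSA_DEV, VRF, NL_IP, BCAST_IP,
#          MCAST_IP (read)
ipv4_addr_bind_vrf()
{
	# Keep the loop variable out of the global scope, as the other test
	# functions in this file do.
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Socket not bound to VRF, but address is in VRF"
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 1 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind"

	#
	# tests for nonlocal bind
	# (NL_IP is not configured on any interface; -f presumably enables
	# freebind in nettest -- confirm against nettest usage)
	#
	a=${NL_IP}
	log_start
	run_cmd nettest -s -R -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	log_start
	run_cmd nettest -s -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address after VRF bind"

	log_start
	run_cmd nettest -s -D -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address after VRF bind"

	#
	# check that ICMP sockets cannot bind to broadcast and multicast addresses
	#
	a=${BCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address after VRF bind"

	a=${MCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to multicast address after VRF bind"

	#
	# tcp sockets
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address"

		log_start
		run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
}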
2065
# Entry point for the IPv4 address bind section: builds the topology
# without and then with the VRF, calling set_ping_group after each setup
# before the bind tests run.
ipv4_addr_bind() {
	log_section "IPv4 address binds"

	# plain topology
	log_subsection "No VRF"
	setup
	set_ping_group
	ipv4_addr_bind_novrf

	# topology rebuilt with the VRF
	log_subsection "With VRF"
	setup "yes"
	set_ping_group
	ipv4_addr_bind_vrf
}
2080
################################################################################
# IPv4 runtime tests
2083
# Delete the VRF device while TCP sockets are in use, once per
# server/client/local permutation.
#   $1 - description prefix used in every logged test name
#   $2 - extra nettest arguments; expanded unquoted on purpose so that a
#        value such as "-n -1" splits into separate words
# Every result is logged with a hard-coded "0 0", so no entry here can be
# reported as failed; presumably a regression shows up as a kernel splat or
# a hang instead - NOTE(review): confirm that is the intent.
# The backgrounded nettest processes are neither waited for nor killed in
# this function; presumably setup() reaps them - verify against setup/cleanup.
ipv4_rt() {
	local desc=$1
	local varg=$2
	local with_vrf=yes
	local a

	# --- server in ns-A, client in ns-B ---
	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd nettest ${varg} -s &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		# the VRF is gone; rebuild the topology for the next case
		setup ${with_vrf}
	done

	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd nettest ${varg} -s -I ${VRF} &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest ${varg} -s -I ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest ${varg} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device server"

	setup ${with_vrf}

	# --- server in ns-B, client in ns-A ---
	# NOTE(review): ${a} still holds ${NSA_IP} from above, so the two client
	# entries are labelled with that address although they connect to
	# ${NSB_IP}.
	log_start
	run_cmd_nsb nettest ${varg} -s &
	wait_local_port_listen ${NSB} 12345 tcp
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	wait_local_port_listen ${NSB} 12345 tcp
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device client"

	setup ${with_vrf}

	# --- server and client both in ns-A ---
	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd nettest ${varg} -s &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local"

		setup ${with_vrf}
	done

	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server and client, local"

		setup ${with_vrf}
	done

	a=${NSA_IP}
	log_start

	run_cmd nettest ${varg} -s &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${VRF} -s &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local"

	setup ${with_vrf}

	# last case: no setup afterwards, the caller rebuilds the topology
	log_start
	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local"
}
2223
# Delete the VRF device while a flood ping (ping -f) is running, inbound from
# ns-B and then outbound through the VRF.
# Results are logged with a hard-coded "0 0", so these entries always pass;
# presumably a regression shows up as a kernel splat or a hang - NOTE(review):
# confirm. The backgrounded ping is not stopped here; presumably the next
# setup()/cleanup does that - verify.
ipv4_ping_rt() {
	local with_vrf=yes
	local a

	# inbound: ns-B floods an ns-A address
	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd_nsb ping -f ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

		# rebuild the topology that the delete tore down
		setup ${with_vrf}
	done

	# outbound: ns-A floods ns-B through the VRF device
	a=${NSB_IP}
	log_start
	run_cmd ping -f -I ${VRF} ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}
2249
# Entry point for the IPv4 run-time (device delete under traffic) tests.
# Each group starts from a fresh setup "yes" because the previous group ends
# with the VRF device deleted.
ipv4_runtime() {
	log_section "Run time tests - ipv4"

	# ICMP
	setup "yes"
	ipv4_ping_rt

	# TCP; the second argument is handed to nettest as extra options
	setup "yes"
	ipv4_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv4_rt "TCP passive socket" "-i"
}
2263
2264################################################################################
2265# IPv6
2266
# IPv6 ping checks on the topology without a VRF: outbound, inbound and
# local traffic, then reachability blocked by ip rules and by unreachable
# routes. The third argument of log_test_addr is the exit status the ping is
# expected to return. ${ping6}, ${MCAST} and the *_LINKIP6 addresses are set
# elsewhere in the file.
ipv6_ping_novrf() {
	local a

	# expected to be a no-op here; pin the sysctl so the state is known
	# (stderr is discarded)
	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null

	# --- outbound from ns-A ---
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}; do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping out"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6}; do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a}
		log_test_addr ${a} $? 0 "ping out, loopback address bind"
	done

	# --- inbound from ns-B ---
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}; do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	# --- ns-A pinging its own addresses ---
	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}; do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping local, no bind"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}; do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping local, device bind"
	done

	for a in ${NSA_LO_IP6} ::1; do
		log_start
		show_hint "Fails since address on loopback is out of device scope"
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 2 "ping local, device bind"
	done

	# --- policy rules deny the address ---
	# The local-table rule is moved from pref 0 to pref 32765 so that the
	# prohibit rules at pref 50/51 are consulted before it; the original
	# order is restored after the three checks.
	log_start
	setup_cmd ip -6 rule add pref 32765 from all lookup local
	setup_cmd ip -6 rule del pref 0 from all lookup local
	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by rule"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	setup_cmd ip -6 rule add pref 0 from all lookup local
	setup_cmd ip -6 rule del pref 32765 from all lookup local
	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit

	# --- unreachable routes deny the remote addresses ---
	log_start
	setup_cmd ip -6 route del ${NSB_LO_IP6}
	setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10
	setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by route"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Response lost due to ip route"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by route"


	# --- drop the unreachable routes again; lookups fall back to default ---
	log_start
	setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6}
	setup_cmd ip -6 ro del unreachable ${NSB_IP6}

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, unreachable route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
}
2396
# IPv6 ping checks with the VRF configured: outbound through the VRF and the
# enslaved device, inbound, local traffic, link-local source to global
# destination, then reachability blocked by ip rules and by removed routes.
# The third argument of log_test_addr is the exit status the ping is expected
# to return.
ipv6_ping_vrf() {
	local a

	# expected to default to on; the sysctl is missing on older kernels,
	# so stderr is discarded
	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null

	# --- outbound from ns-A ---
	for a in ${NSB_IP6} ${NSB_LO_IP6}; do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping out, VRF bind"
	done

	for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF}; do
		log_start
		show_hint "Fails since VRF device does not support linklocal or multicast"
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 1 "ping out, VRF bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}; do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}; do
		log_start
		run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a}
		log_test_addr ${a} $? 0 "ping out, vrf device+address bind"
	done

	# --- inbound from ns-B ---
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}; do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	a=${NSA_LO_IP6}
	log_start
	show_hint "Fails since loopback address is out of VRF scope"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in"

	# --- ns-A pinging its own addresses ---
	for a in ${NSA_IP6} ${VRF_IP6} ::1; do
		log_start
		show_hint "Source address should be ${a}"
		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping local, VRF bind"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}; do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping local, device bind"
	done

	# --- link-local source to global destination ---
	# ns-B temporarily loses its global IPv6 addresses and gets a host
	# route to ${NSA_IP6} via ns-A's link-local address.
	setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo
	setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}

	# NOTE(review): the ping target is ${NSA_IP6} on both iterations while
	# the result is logged under ${a}; the ${VRF_IP6} entry therefore does
	# not ping ${VRF_IP6}. Confirm whether that is intended.
	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
		log_test_addr ${a} $? 0 "ping in, LLA to GUA"
	done

	# put ns-B's route and addresses back
	setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
	setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV}
	setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo

	# --- policy rules deny the address ---
	log_start
	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by rule"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	# no test follows this log_start; it only precedes the rule removal
	log_start
	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit

	# --- drop the 'remote' routes; lookups fall back to default ---
	log_start
	setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF}

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, unreachable route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"

	# called directly rather than through setup_cmd_nsb, so a failure of
	# this delete is not checked here
	ip -netns ${NSB} -6 ro del ${NSA_LO_IP6}
	a=${NSA_LO_IP6}
	log_start
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping in, unreachable route"
}
2531
# Entry point for the IPv6 ping tests. Each variant (no VRF, VRF) runs twice
# on a fresh setup: first as-is, then again after set_ping_group (defined
# elsewhere in the file).
ipv6_ping() {
	log_section "IPv6 ping"

	# plain topology
	log_subsection "No VRF"
	setup
	ipv6_ping_novrf
	setup
	set_ping_group
	ipv6_ping_novrf

	# topology with the VRF configured
	log_subsection "With VRF"
	setup "yes"
	ipv6_ping_vrf
	setup "yes"
	set_ping_group
	ipv6_ping_vrf
}
2550
2551################################################################################
2552# IPv6 TCP
2553
2554#
2555# MD5 tests without VRF
2556#
# TCP MD5 authentication over IPv6 without a VRF.
# The server installs a key (-M) for a peer address or prefix (-m); the
# client presents its key with -X. A connection is expected to succeed
# (status 0) only when both the key and the client's source address match
# the server's configuration; every mismatch is expected to time out
# (status 2).
# ${MD5_PW} and ${MD5_WRONG_PW} are test fixtures defined elsewhere in the
# file and are passed on the nettest command line.
ipv6_tcp_md5_novrf() {
	# --- key bound to a single peer address ---

	# matching key and address
	log_start
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: Single address config"

	# signed client against a server with no key configured
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Server no config, client uses password"

	# client key differs from the server key
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Client uses wrong password"

	# right key, but the server keyed a different peer address
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Client address does not match address configured with password"

	# --- key bound to a prefix (MD5 prefix-length extension) ---

	# client address inside the prefix
	log_start
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: Prefix config"

	# inside the prefix, wrong key
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Prefix config, client uses wrong password"

	# right key, client source address (-c) outside the prefix
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
}
2621
2622#
2623# MD5 tests with VRF
2624#
# TCP MD5 authentication over IPv6 with the server bound to the VRF.
# Besides the single-address and prefix cases, the "duplicate config" cases
# run two servers at once - one in the VRF keyed with ${MD5_PW}, one in the
# default VRF keyed with ${MD5_WRONG_PW} - for the same peer address or
# prefix. They check that a key only authenticates connections arriving in
# the L3 domain it was configured for: ns-B reaches the VRF server, ns-C the
# default-VRF one, and presenting the other domain's key is expected to time
# out (status 2).
# ${MD5_PW} and ${MD5_WRONG_PW} are test fixtures defined elsewhere in the
# file and are passed on the nettest command line.
ipv6_tcp_md5() {
	# --- key bound to a single peer address ---

	# matching key and address
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config"

	# signed client against a server with no key configured
	log_start
	show_hint "Should timeout since server does not have MD5 auth"
	run_cmd nettest -6 -s -I ${VRF} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Server no config, client uses password"

	# client key differs from the server key
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Client uses wrong password"

	# right key, but the server keyed a different peer address
	log_start
	show_hint "Should timeout since server config differs from client"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"

	# --- key bound to a prefix (MD5 prefix-length extension) ---

	# client address inside the prefix
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config"

	# inside the prefix, wrong key
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"

	# right key, client source address (-c) outside the prefix
	log_start
	show_hint "Should timeout since client address is outside of prefix"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"

	# --- same peer address keyed in both the VRF and the default VRF ---

	# ns-B client with the VRF key
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"

	# ns-C client with the default-VRF key
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"

	# ns-C client presenting the VRF key
	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"

	# ns-B client presenting the default-VRF key
	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"

	# --- same prefix keyed in both the VRF and the default VRF ---

	# ns-B client with the VRF key
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"

	# ns-C client with the default-VRF key
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"

	# ns-C client presenting the VRF key
	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"

	# ns-B client presenting the default-VRF key
	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"

	# --- negative: a VRF-scoped key on a non-VRF device must be refused ---
	# these servers run in the foreground; status 1 is the expected failure
	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6}
	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"

	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6}
	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"

}
2765
# IPv6 TCP connectivity without a VRF: ns-A as server, ns-A as client, and
# connections from ns-A to its own addresses, each with and without device
# binding. Expected status 0 is a completed connection; status 1 cases carry
# a hint naming the expected failure. Ends with the MD5 tests unless FIPS
# mode is flagged.
ipv6_tcp_novrf() {
	local a

	# --- ns-A is the server ---
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		run_cmd nettest -6 -s &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	# nothing listening: the client should see a TCP reset
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	# --- ns-A is the client ---
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}; do
		log_start
		run_cmd_nsb nettest -6 -s &
		wait_local_port_listen ${NSB} 12345 tcp
		run_cmd nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Client"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}; do
		log_start
		run_cmd_nsb nettest -6 -s &
		wait_local_port_listen ${NSB} 12345 tcp
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	# --- server and client both in ns-A ---
	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1; do
		log_start
		run_cmd nettest -6 -s &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Global server, local connection"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd nettest -6 -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"

	for a in ${NSA_LO_IP6} ::1; do
		log_start
		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -s -I ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	for a in ${NSA_LO_IP6} ::1; do
		log_start
		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -s &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "Global server, device client, local connection"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}; do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
		log_test_addr ${a} $? 0 "Device server, device client, local conn"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
		log_test_addr ${a} $? 1 "No server, device client, local conn"
	done

	# MD5 tests are skipped only when fips_enabled is exactly "1".
	# NOTE(review): ipv6_tcp_vrf gates its MD5 tests on the value being
	# exactly "0", so the two gates differ if the variable is unset or holds
	# anything else; fips_enabled is assigned outside this part of the file.
	if [ "$fips_enabled" != "1" ]; then
		ipv6_tcp_md5_novrf
	fi
}
2885
# IPv6 TCP connectivity with the VRF configured.
# Phase 1 runs with net.ipv4.tcp_l3mdev_accept=0: an unbound ("global")
# server must not accept connections that arrive through the VRF, while
# servers bound to the VRF or to the enslaved device must.
# The MD5 tests run between the phases on the duplicate-VRF topology.
# Phase 2 sets tcp_l3mdev_accept=1 and repeats the server checks, then covers
# ns-A as client and local connections.
# Expected status 0 is a completed connection; status 1 cases carry a hint
# naming the expected failure.
ipv6_tcp_vrf() {
	local a

	# --- phase 1: global server must not serve the VRF ---
	log_subsection "Global server disabled"

	set_sysctl net.ipv4.tcp_l3mdev_accept=0

	# ns-A is the server
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
		run_cmd nettest -6 -s &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	# a link-local destination always stays bound to the ingress device,
	# hence -3 names ${NSA_DEV} rather than the VRF
	a=${NSA_LINKIP6}%${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${a}
	log_test_addr ${a} $? 0 "VRF server"

	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Device server"
	done

	# nothing listening: the client should see a TCP reset
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	# server and client both in ns-A
	a=${NSA_IP6}
	log_start
	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
	run_cmd nettest -6 -s &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
	log_test_addr ${a} $? 1 "Global server, local connection"

	# MD5 tests on the duplicate-VRF topology; run only when fips_enabled
	# is exactly "0" (the variable is assigned outside this part of the file)
	if [ "$fips_enabled" = "0" ]; then
		setup_vrf_dup
		ipv6_tcp_md5
		cleanup_vrf_dup
	fi

	# --- phase 2: global server may serve the VRF ---
	log_subsection "VRF Global server enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -s -3 ${VRF} &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	# with a link-local address the child socket is bound to the device
	a=${NSA_LINKIP6}%${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${a}
	log_test_addr ${a} $? 0 "Global server"

	log_start
	run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${a}
	log_test_addr ${a} $? 0 "VRF server"

	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Device server"
	done

	# nothing listening: the client should see a TCP reset
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	# server and client both in ns-A; the client is outside the VRF
	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		show_hint "Fails 'Connection refused' since client is not in VRF"
		run_cmd nettest -6 -s -I ${VRF} &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Global server, local connection"
	done


	# --- ns-A is the client ---
	for a in ${NSB_IP6} ${NSB_LO_IP6}; do
		log_start
		run_cmd_nsb nettest -6 -s &
		wait_local_port_listen ${NSB} 12345 tcp
		run_cmd nettest -6 -r ${a} -d ${VRF}
		log_test_addr ${a} $? 0 "Client, VRF bind"
	done

	a=${NSB_LINKIP6}
	log_start
	show_hint "Fails since VRF device does not allow linklocal addresses"
	run_cmd_nsb nettest -6 -s &
	wait_local_port_listen ${NSB} 12345 tcp
	run_cmd nettest -6 -r ${a} -d ${VRF}
	log_test_addr ${a} $? 1 "Client, VRF bind"

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}; do
		log_start
		run_cmd_nsb nettest -6 -s &
		wait_local_port_listen ${NSB} 12345 tcp
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -r ${a} -d ${VRF}
		log_test_addr ${a} $? 1 "No server, VRF client"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}; do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	# --- local connections with VRF/device-bound endpoints ---
	for a in ${NSA_IP6} ${VRF_IP6} ::1; do
		log_start
		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local connection"

	a=${NSA_IP6}
	log_start
	show_hint "Should fail since unbound client is out of VRF scope"
	run_cmd nettest -6 -s -I ${VRF} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd nettest -6 -r ${a}
	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"

	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"

	for a in ${NSA_IP6} ${NSA_LINKIP6}; do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
		log_test_addr ${a} $? 0 "Device server, device client, local connection"
	done
}
3111
# Entry point for the IPv6 TCP tests: the no-VRF suite runs once with
# tcp_l3mdev_accept off and once with it on, then the VRF suite runs on a
# fresh setup "yes".
ipv6_tcp() {
	log_section "IPv6/TCP"
	log_subsection "No VRF"
	setup

	# tcp_l3mdev_accept should have no effect without a VRF; both values
	# are exercised to verify that
	log_subsection "tcp_l3mdev_accept disabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=0
	ipv6_tcp_novrf
	log_subsection "tcp_l3mdev_accept enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1
	ipv6_tcp_novrf

	# the VRF suite sets the sysctl itself
	log_subsection "With VRF"
	setup "yes"
	ipv6_tcp_vrf
}
3131
3132################################################################################
3133# IPv6 UDP
3134
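# IPv6 UDP permutations without a VRF: ns-A as server, ns-A as client, and
# connections that stay local to ns-A. Each case passes the exit status of the
# last nettest run plus the expected status to log_test_addr / log_test; the
# cases expected to fail carry a show_hint naming the expected error.
ipv6_udp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Device server"
	done

	a=${NSA_LO_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd_nsb nettest -6 -D -r ${a}
	log_test_addr ${a} $? 0 "Global server"

	# should fail since loopback address is out of scope for a device
	# bound server, but it does not - hence this is more documenting
	# behavior.
	# The whole case stays disabled, including its port wait: with the
	# server start commented out there is no listener for the wait to find.
	#log_start
	#show_hint "Should fail since loopback address is out of scope"
	#run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	#wait_local_port_listen ${NSA} 12345 udp
	#run_cmd_nsb nettest -6 -D -r ${a}
	#log_test_addr ${a} $? 1 "Device server"

	# negative test - should fail
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
	do
		log_start
		run_cmd_nsb nettest -6 -D -s &
		wait_local_port_listen ${NSB} 12345 udp
		run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6}
		log_test_addr ${a} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -6 -D -s &
		wait_local_port_listen ${NSB} 12345 udp
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		run_cmd_nsb nettest -6 -D -s &
		wait_local_port_listen ${NSB} 12345 udp
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6}
		log_test_addr ${a} $? 0 "Client, device send via cmsg"

		log_start
		run_cmd_nsb nettest -6 -D -s &
		wait_local_port_listen ${NSB} 12345 udp
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6}
		log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
	do
		log_start
		run_cmd nettest -6 -D -s &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a}
		log_test_addr ${a} $? 0 "Global server, local connection"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -r ${a}
	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"

	for a in ${NSA_LO_IP6} ::1
	do
		log_start
		show_hint "Should fail 'Connection refused' since address is out of device scope"
		run_cmd nettest -6 -s -D -I ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "Device server, local connection"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -D &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	log_start
	run_cmd nettest -6 -s -D &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a}
	log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"

	log_start
	run_cmd nettest -6 -s -D &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection"

	# NOTE(review): the two -S cases in this loop are labelled
	# "IP_UNICAST_IF" while the -S cases above say "IPV6_UNICAST_IF";
	# the labels are left as they are - confirm which name is intended.
	for a in ${NSA_LO_IP6} ::1
	do
		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -D -s &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "Global server, device client, local connection"

		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -D -s &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C
		log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"

		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -D -s &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S
		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"

		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -D -s &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -U
		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local conn"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "No server, device client, local conn"

	# LLA to GUA
	# ns-B temporarily loses its global address and gets a /128 route to
	# ns-A; both changes are undone after the test.
	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -D &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
	log_test $? 0 "UDP in - LLA to GUA"

	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}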
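# IPv6 UDP permutations with ns-A's device in a VRF. The first half runs with
# net.ipv4.udp_l3mdev_accept=0 (a server not bound to the VRF or device is
# expected to be unreachable), the second half with it set to 1. Each case
# passes the exit status of the last nettest run plus the expected status to
# log_test_addr / log_test.
ipv6_udp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server is disabled"
		run_cmd nettest -6 -D -s &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"
	done

	# negative test - should fail
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server is disabled"
		run_cmd nettest -6 -D -s &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "Global server, VRF client, local conn"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${VRF} -s &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
	done

	a=${NSA_IP6}
	log_start
	show_hint "Should fail 'Connection refused' since global server is disabled"
	run_cmd nettest -6 -D -s &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "Global server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"

	# enable global server
	log_subsection "Global server enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"
	done

	# negative test - should fail
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client tests
	#
	log_start
	run_cmd_nsb nettest -6 -D -s &
	wait_local_port_listen ${NSB} 12345 udp
	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
	log_test $? 0 "VRF client"

	# negative test - should fail
	log_start
	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
	log_test $? 1 "No server, VRF client"

	log_start
	run_cmd_nsb nettest -6 -D -s &
	wait_local_port_listen ${NSB} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
	log_test $? 0 "Enslaved device client"

	# negative test - should fail
	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
	log_test $? 1 "No server, enslaved device client"

	#
	# local address tests
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

	# log_start was commented out for this one case only; it is called
	# here so the case starts the same way as every other case in this
	# function.
	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"


	a=${VRF_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${VRF} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"

	# negative test - should fail
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
	done

	# device to global IP
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "No server, device client, local conn"


	# link local addresses
	log_start
	run_cmd nettest -6 -D -s &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
	log_test $? 0 "Global server, linklocal IP"

	log_start
	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
	log_test $? 1 "No server, linklocal IP"


	log_start
	run_cmd_nsb nettest -6 -D -s &
	wait_local_port_listen ${NSB} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
	log_test $? 0 "Enslaved device client, linklocal IP"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
	log_test $? 1 "No server, device client, peer linklocal IP"


	log_start
	run_cmd nettest -6 -D -s &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
	log_test $? 0 "Enslaved device client, local conn - linklocal IP"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
	log_test $? 1 "No server, device client, local conn  - linklocal IP"

	# LLA to GUA
	# ns-B temporarily loses its global address and gets a /128 route to
	# ns-A; both changes are undone after the test.
	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -D &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
	log_test $? 0 "UDP in - LLA to GUA"

	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}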
ipv6_udp()
{
	# Driver for the IPv6 UDP permutations: the non-VRF tests run once per
	# udp_l3mdev_accept setting, then the VRF tests run after setup "yes".
	local l3mdev_val
	local l3mdev_word

	# should not matter, but set to known state
	set_sysctl net.ipv4.udp_early_demux=1

	log_section "IPv6/UDP"
	log_subsection "No VRF"
	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it disabled (0) and then enabled (1) to verify
	for l3mdev_val in 0 1
	do
		if [ "${l3mdev_val}" = "0" ]; then
			l3mdev_word="disabled"
		else
			l3mdev_word="enabled"
		fi

		log_subsection "udp_l3mdev_accept ${l3mdev_word}"
		set_sysctl net.ipv4.udp_l3mdev_accept=${l3mdev_val}
		ipv6_udp_novrf
	done

	log_subsection "With VRF"
	setup "yes"
	ipv6_udp_vrf
}
################################################################################
# IPv6 address bind
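# bind() permutations for IPv6 raw and TCP sockets without a VRF. All cases
# here expect nettest to exit 0, including the last one, which records that the
# kernel accepts an address that is not on the bound device.
ipv6_addr_bind_novrf()
{
	# keep the loop variable out of the global scope, as the other test
	# functions in this file do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# raw socket with nonlocal bind
	#
	# NOTE(review): the raw-socket cases above pass "-P ipv6-icmp", this
	# one passes "-P icmp" - confirm that is intended for an IPv6 socket.
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

	#
	# tcp sockets
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. So this test passes
	# when it really should not. Services that rely on a device bind to
	# limit which local addresses they answer on should not assume the
	# address bind is checked against the device.
	a=${NSA_LO_IP6}
	log_start
	show_hint "Technically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
}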
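# bind() permutations for IPv6 raw and TCP sockets with ns-A's device in a
# VRF. Addresses on the enslaved device and on the VRF are expected to bind
# (exit 0); the address on loopback is expected to be rejected (exit 1) for
# both a VRF bind and a device bind.
ipv6_addr_bind_vrf()
{
	# keep the loop variable out of the global scope, as the other test
	# functions in this file do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"

	#
	# raw socket with nonlocal bind
	#
	# NOTE(review): the raw-socket cases above pass "-P ipv6-icmp", this
	# one passes "-P icmp" - confirm that is intended for an IPv6 socket.
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	#
	# tcp sockets
	#
	# address on enslaved device is valid for the VRF or device in a VRF
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not
	a=${VRF_IP6}
	log_start
	show_hint "Technically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind"

	# The L3-domain restriction is what the next two cases check: the
	# loopback address is outside the VRF, so both binds must fail.
	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"

}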
# Driver for the IPv6 address bind tests: runs the non-VRF cases after a plain
# setup, then the VRF cases after setup "yes".
ipv6_addr_bind()
{
	log_section "IPv6 address binds"

	log_subsection "No VRF"
	setup
	ipv6_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_addr_bind_vrf
}
################################################################################
# IPv6 runtime tests
# Run-time tests: delete the VRF device while a nettest session is active.
# Arguments:
#   $1 - description prefix used in the logged test names
#   $2 - extra nettest options; expanded unquoted below so that a value such
#        as "-n -1" is split into separate words
# Every case logs a literal "0 0" as actual/expected status, so the logged
# result does not depend on nettest's exit status - presumably the point is
# that the delete itself does not take the kernel down (confirm with the
# test's author). Server and client both run in the background and are not
# waited for here.
ipv6_rt()
{
	local desc="$1"
	local varg="-6 $2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		# presumably rebuilds the topology after the VRF delete above -
		# confirm against setup()
		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${NSA_DEV} -s &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, enslaved device server"

		setup ${with_vrf}
	done

	#
	# client test
	#
	log_start
	run_cmd_nsb nettest ${varg} -s &
	wait_local_port_listen ${NSB} 12345 tcp
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test  0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	wait_local_port_listen ${NSB} 12345 tcp
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test  0 0 "${desc}, enslaved device client"

	setup ${with_vrf}


	#
	# local address tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server, VRF client"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server and client"

		setup ${with_vrf}
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest ${varg} -s &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, global server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${VRF} -s &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF server, device client"

	setup ${with_vrf}

	# last case: no setup follows the delete inside this function
	log_start
	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, device server, device client"
}
# Run-time test: delete the VRF device while a flood ping (-f) is running in
# the background, once with ns-B pinging ns-A and once with ns-A pinging out
# through the VRF. Both cases log a literal "0 0", so the logged result does
# not depend on ping's exit status, and the background ping is not stopped or
# waited for in this function.
ipv6_ping_rt()
{
	local with_vrf="yes"
	local a

	a=${NSA_IP6}
	log_start
	run_cmd_nsb ${ping6} -f ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

	# presumably rebuilds the topology after the VRF delete above -
	# confirm against setup()
	setup ${with_vrf}

	log_start
	run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
	sleep 1
	run_cmd ip link del ${VRF}
	sleep 1
	# NOTE(review): the ping target here is ${NSB_IP6}, but the address
	# passed to log_test_addr is still ${a} (${NSA_IP6}) - confirm intended.
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}
ipv6_runtime()
{
	# Driver for the IPv6 run-time tests. Each group starts from a fresh
	# setup "yes" because the groups delete the VRF device as they run.
	local rt_case

	log_section "Run time tests - ipv6"

	setup "yes"
	ipv6_ping_rt

	# "<description>:<nettest options>" pairs handed to ipv6_rt
	for rt_case in \
		"TCP active socket:-n -1" \
		"TCP passive socket:-i" \
		"UDP active socket:-D -n -1"
	do
		setup "yes"
		ipv6_rt "${rt_case%%:*}" "${rt_case#*:}"
	done
}
################################################################################
# netfilter blocking connections
netfilter_tcp_reset()
{
	# Connect from ns-B to each ns-A address while a server is listening;
	# every attempt is expected to fail (status 1), as the test name says,
	# because of the tcp-reset REJECT rule the caller installs.
	local a
	local -a rx_addrs=( ${NSA_IP} ${VRF_IP} )

	for a in "${rx_addrs[@]}"; do
		log_start
		run_cmd nettest -s &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}
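# Connect from ns-B to each ns-A address while a server is listening and an
# icmp-port-unreachable REJECT rule is installed; every attempt is expected to
# fail (status 1).
# Arguments:
#   $1 - "TCP" or "UDP"; "UDP" adds -D to both nettest invocations
netfilter_icmp()
{
	local stype="$1"
	local arg
	local proto="tcp"
	local a

	# The listen wait has to look at the protocol the server actually
	# uses, otherwise the UDP case waits on a TCP port nobody opens.
	if [ "${stype}" = "UDP" ]; then
		arg="-D"
		proto="udp"
	fi

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${arg} -s &
		wait_local_port_listen ${NSA} 12345 ${proto}
		run_cmd_nsb nettest ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}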
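# IPv4 netfilter tests: install REJECT rules for port 12345 (first tcp-reset,
# then icmp-port-unreachable for TCP and UDP), run the matching connection
# tests, and flush the rules again at the end.
ipv4_netfilter()
{
	log_section "IPv4 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp_reset

	log_start
	log_subsection "ICMP unreachable"

	log_start
	run_cmd iptables -F
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
	run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable

	netfilter_icmp "TCP"
	netfilter_icmp "UDP"

	log_start
	# Flush through run_cmd like every other iptables call in this
	# function, so the cleanup acts on the rule set the REJECT rules were
	# added to. A bare "iptables -F" runs wherever the script itself runs
	# and flushes that filter table instead - presumably the host's, if
	# run_cmd executes inside ns-A (confirm against run_cmd).
	run_cmd iptables -F
}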
netfilter_tcp6_reset()
{
	# Connect from ns-B to each ns-A IPv6 address while a server is
	# listening; every attempt is expected to fail (status 1), as the test
	# name says, because of the tcp-reset REJECT rule the caller installs.
	local a
	local -a rx_addrs=( ${NSA_IP6} ${VRF_IP6} )

	for a in "${rx_addrs[@]}"; do
		log_start
		run_cmd nettest -6 -s &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}
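# Connect from ns-B to each ns-A IPv6 address while a server is listening and
# an icmp6-port-unreachable REJECT rule is installed; every attempt is expected
# to fail (status 1).
# Arguments:
#   $1 - "TCP" or "UDP"; "UDP" adds -D to both nettest invocations
netfilter_icmp6()
{
	local stype="$1"
	local arg
	local proto="tcp"
	local a

	# The listen wait has to look at the protocol the server actually
	# uses, otherwise the UDP case waits on a TCP port nobody opens.
	if [ "${stype}" = "UDP" ]; then
		arg="-D"
		proto="udp"
	fi

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s ${arg} &
		wait_local_port_listen ${NSA} 12345 ${proto}
		run_cmd_nsb nettest -6 ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}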
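# IPv6 netfilter tests: install REJECT rules for port 12345 (first tcp-reset,
# then icmp6-port-unreachable for TCP and UDP), run the matching connection
# tests, and flush the rules again at the end.
ipv6_netfilter()
{
	log_section "IPv6 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp6_reset

	log_subsection "ICMP unreachable"

	log_start
	run_cmd ip6tables -F
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
	run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable

	netfilter_icmp6 "TCP"
	netfilter_icmp6 "UDP"

	log_start
	# Flush through run_cmd like every other ip6tables call in this
	# function, so the cleanup acts on the rule set the REJECT rules were
	# added to. A bare "ip6tables -F" runs wherever the script itself runs
	# and flushes that filter table instead - presumably the host's, if
	# run_cmd executes inside ns-A (confirm against run_cmd).
	run_cmd ip6tables -F
}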
################################################################################
# specific use cases

# VRF only.
# ns-A device enslaved to bridge. Verify traffic with and without
# br_netfilter module loaded. Repeat with SVI on bridge.
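use_case_br()
{
	# Moves ns-A's addresses from ${NSA_DEV} onto bridge br0, puts br0 in
	# the VRF and pings in both directions; then repeats over a VLAN 100
	# device on top of br0. Each ping set runs once after "rmmod
	# br_netfilter" and once more if "modprobe br_netfilter" succeeds.
	#
	# rmmod/modprobe are called directly, not through the command
	# wrappers, and module load state is kernel-wide: when the last
	# modprobe succeeds this function returns with br_netfilter loaded.
	setup "yes"

	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
	setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64

	setup_cmd ip link add br0 type bridge
	setup_cmd ip addr add dev br0 ${NSA_IP}/24
	setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad

	setup_cmd ip li set ${NSA_DEV} master br0
	setup_cmd ip li set ${NSA_DEV} up
	setup_cmd ip li set br0 up
	setup_cmd ip li set br0 vrf ${VRF}

	# best effort: the module may simply not be loaded
	rmmod br_netfilter 2>/dev/null
	sleep 5 # DAD

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 ${NSA_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping in"

	# the br_netfilter variants are skipped when the module cannot be loaded
	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out"

		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 ${NSA_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in"
	fi

	setup_cmd ip li set br0 nomaster
	setup_cmd ip li add br0.100 link br0 type vlan id 100
	setup_cmd ip li set br0.100 vrf ${VRF} up
	setup_cmd ip    addr add dev br0.100 172.16.101.1/24
	setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad

	setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
	setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
	setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
	setup_cmd_nsb ip li set vlan100 up
	sleep 1

	rmmod br_netfilter 2>/dev/null

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 172.16.101.1
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"

	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out"

		# The two "ping in" names below used to repeat the names of
		# the cases run without the module, so the two results could
		# not be told apart in the log.
		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 172.16.101.1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping in"
	fi

	setup_cmd ip li del br0 2>/dev/null
	setup_cmd_nsb ip li del vlan100 2>/dev/null
}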
# VRF only.
# ns-A device is connected to both ns-B and ns-C on a single VRF but only has
# LLA on the interfaces
use_case_ping_lla_multi()
{
	# Pings ${MCAST} from ns-B and ns-C before and after flapping each of
	# ns-A's two interfaces; every ping is expected to succeed.
	local mcast_b="${MCAST}%${NSB_DEV}"
	local mcast_c="${MCAST}%${NSC_DEV}"
	local flap_dev

	setup_lla_only
	# only want reply from ns-A
	setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
	setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1

	log_start
	run_cmd_nsb ping -c1 -w1 ${mcast_b}
	log_test_addr ${mcast_b} $? 0 "Pre cycle, ping out ns-B"

	run_cmd_nsc ping -c1 -w1 ${mcast_c}
	log_test_addr ${mcast_c} $? 0 "Pre cycle, ping out ns-C"

	# cycle/flap the first, then the second ns-A interface
	for flap_dev in ${NSA_DEV} ${NSA_DEV2}
	do
		setup_cmd ip link set ${flap_dev} down
		setup_cmd ip link set ${flap_dev} up
		sleep 1

		log_start
		run_cmd_nsb ping -c1 -w1 ${mcast_b}
		log_test_addr ${mcast_b} $? 0 "Post cycle ${NSA} ${flap_dev}, ping out ns-B"
		run_cmd_nsc ping -c1 -w1 ${mcast_c}
		log_test_addr ${mcast_c} $? 0 "Post cycle ${NSA} ${flap_dev}, ping out ns-C"
	done
}
4213
4214# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully
4215# established with ns-B.
use_case_snat_on_vrf()
{
	local snat_port="12345"
	# Chain and match shared by the -A and -D forms of the rule, so the
	# cleanup deletes exactly what was installed.
	local snat_match="POSTROUTING -p tcp -m tcp --dport ${snat_port} -j SNAT"

	setup "yes"

	# Rewrite the source of TCP traffic to ${snat_port} leaving via the
	# VRF device to the ns-A loopback address, for both families.
	run_cmd iptables -t nat -A ${snat_match} --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -A ${snat_match} --to-source ${NSA_LO_IP6} -o ${VRF}

	# IPv4: server in ns-B runs in the background; connect only once the
	# port is reported as listening.
	run_cmd_nsb nettest -s -l ${NSB_IP} -p ${snat_port} &
	wait_local_port_listen ${NSB} ${snat_port} tcp
	run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${snat_port}
	log_test $? 0 "IPv4 TCP connection over VRF with SNAT"

	# IPv6: same sequence against the ns-B IPv6 address.
	run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${snat_port} &
	wait_local_port_listen ${NSB} ${snat_port} tcp
	run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${snat_port}
	log_test $? 0 "IPv6 TCP connection over VRF with SNAT"

	# Cleanup: drop both NAT rules again
	run_cmd iptables -t nat -D ${snat_match} --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -D ${snat_match} --to-source ${NSA_LO_IP6} -o ${VRF}
}
4239
use_cases()
{
	# (subsection title, test function) pairs, run in this order
	local -a uc_steps=(
		"Device enslaved to bridge"		use_case_br
		"Ping LLA with multiple interfaces"	use_case_ping_lla_multi
		"SNAT on VRF"				use_case_snat_on_vrf
	)
	local -i uc_idx

	log_section "Use cases"
	for ((uc_idx = 0; uc_idx < ${#uc_steps[@]}; uc_idx += 2))
	do
		log_subsection "${uc_steps[uc_idx]}"
		${uc_steps[uc_idx + 1]}
	done
}
4250
4251################################################################################
4252# usage
4253
4254usage()
4255{
4256	cat <<EOF
4257usage: ${0##*/} OPTS
4258
4259	-4          IPv4 tests only
4260	-6          IPv6 tests only
4261	-t <test>   Test name/set to run
4262	-p          Pause on fail
4263	-P          Pause after each test
4264	-v          Be verbose
4265
4266Tests:
4267	$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER
4268EOF
4269}
4270
4271################################################################################
4272# main
4273
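TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter"
TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter"
TESTS_OTHER="use_cases"
# note: each TEST_ group needs a dedicated runner, e.g. fcnal-ipv4.sh

PAUSE_ON_FAIL=no
PAUSE=no

# The leading ':' puts getopts in silent mode: an unknown option or a missing
# argument lands in the '*' arm below instead of producing a bash diagnostic.
while getopts :46t:pPvh o
do
	case $o in
		4) TESTS=ipv4;;
		6) TESTS=ipv6;;
		t) TESTS=$OPTARG;;
		p) PAUSE_ON_FAIL=yes;;
		P) PAUSE=yes;;
		v) VERBOSE=1;;
		h) usage; exit 0;;
		*) usage; exit 1;;
	esac
done

# make sure we don't pause twice
[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no

#
# expand the requested group (or the default, everything) into test names
#
if [ -z "$TESTS" ]; then
	TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
elif [ "$TESTS" = "ipv4" ]; then
	TESTS="$TESTS_IPV4"
elif [ "$TESTS" = "ipv6" ]; then
	TESTS="$TESTS_IPV6"
elif [ "$TESTS" = "other" ]; then
	TESTS="$TESTS_OTHER"
fi

check_gen_prog "nettest"

declare -i nfail=0
declare -i nsuccess=0

for t in $TESTS
do
	case $t in
	ipv4_ping|ping)  ipv4_ping;;
	ipv4_tcp|tcp)    ipv4_tcp;;
	ipv4_udp|udp)    ipv4_udp;;
	ipv4_bind|bind)  ipv4_addr_bind;;
	ipv4_runtime)    ipv4_runtime;;
	ipv4_netfilter)  ipv4_netfilter;;

	ipv6_ping|ping6) ipv6_ping;;
	ipv6_tcp|tcp6)   ipv6_tcp;;
	ipv6_udp|udp6)   ipv6_udp;;
	ipv6_bind|bind6) ipv6_addr_bind;;
	ipv6_runtime)    ipv6_runtime;;
	ipv6_netfilter)  ipv6_netfilter;;

	use_cases)       use_cases;;

	# setup namespaces and config, but do not run any tests
	setup)		 setup; exit 0;;
	vrf_setup)	 setup "yes"; exit 0;;

	# Without this arm a mistyped -t name is dropped silently and the run
	# ends as SKIP with no hint why. Only warn; exit codes are unchanged.
	*)		 echo "WARNING: unknown test '$t' ignored" >&2;;
	esac
done

cleanup 2>/dev/null

printf "\nTests passed: %3d\n" ${nsuccess}
printf "Tests failed: %3d\n"   ${nfail}

if [ $nfail -ne 0 ]; then
	exit 1 # KSFT_FAIL
elif [ $nsuccess -eq 0 ]; then
	# ksft_skip is expected to come from lib.sh; fall back to kselftest's
	# SKIP code (4) so an unset value cannot turn "nothing ran" into exit 0.
	exit ${ksft_skip:-4}
fi

exit 0 # KSFT_PASS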
4354