1#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0
3#
4# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
5# Copyright (c) 2020 Michael Jeanson <mjeanson@efficios.com>. All rights reserved.
6#
7# Requires CONFIG_NET_VRF, CONFIG_VETH, CONFIG_BRIDGE and CONFIG_NET_NS.
8#
9#
10# Symmetric routing topology
11#
12#                     blue         red
13# +----+              .253 +----+ .253              +----+
14# | h1 |-------------------| r1 |-------------------| h2 |
15# +----+ .1                +----+                .2 +----+
16#         172.16.1/24                  172.16.2/24
17#    2001:db8:16:1/64                  2001:db8:16:2/64
18#
19#
20# Route from h1 to h2 and back goes through r1, incoming vrf blue has a route
21# to the outgoing vrf red for the n2 network and red has a route back to n1.
22# The red VRF interface has a MTU of 1400.
23#
24# The first test sends a ping with a ttl of 1 from h1 to h2 and parses the
25# output of the command to check that a ttl expired error is received.
26#
27# The second test runs traceroute from h1 to h2 and parses the output to check
28# for a hop on r1.
29#
30# The third test sends a ping with a packet size of 1450 from h1 to h2 and
31# parses the output of the command to check that a fragmentation error is
32# received.
33#
34#
35# Asymmetric routing topology
36#
37# This topology represents a customer setup where the issue with icmp errors
# and VRF route leaking was initially reported. The MTU test isn't done here
39# because of the lack of a return route in the red VRF.
40#
41#                     blue         red
42#                     .253 +----+ .253
43#                     +----| r1 |----+
44#                     |    +----+    |
45# +----+              |              |              +----+
46# | h1 |--------------+              +--------------| h2 |
47# +----+ .1           |              |           .2 +----+
48#         172.16.1/24 |    +----+    | 172.16.2/24
49#    2001:db8:16:1/64 +----| r2 |----+ 2001:db8:16:2/64
50#                     .254 +----+ .254
51#
52#
53# Route from h1 to h2 goes through r1, incoming vrf blue has a route to the
54# outgoing vrf red for the n2 network but red doesn't have a route back to n1.
55# Route from h2 to h1 goes through r2.
56#
57# The objective is to check that the incoming vrf routing table is selected
58# to send an ICMP error back to the source when the ttl of a packet reaches 1
59# while it is forwarded between different vrfs.
60
source lib.sh

# Run-time knobs; -v and -p on the command line override the first two.
VERBOSE=0
PAUSE_ON_FAIL=no
DEFAULT_TTYPE=sym

# n1 (h1 side): h1 is .1, r1 is .253, r2 is .254 (r2 only in the asym topology)
H1_N1=172.16.1.0/24
H1_N1_IP=172.16.1.1
R1_N1_IP=172.16.1.253
R2_N1_IP=172.16.1.254

H1_N1_6=2001:db8:16:1::/64
H1_N1_IP6=2001:db8:16:1::1
R1_N1_IP6=2001:db8:16:1::253
R2_N1_IP6=2001:db8:16:1::254

# n2 (h2 side): h2 is .2, r1 is .253, r2 is .254 (r2 only in the asym topology)
H2_N2=172.16.2.0/24
H2_N2_IP=172.16.2.2
R1_N2_IP=172.16.2.253
R2_N2_IP=172.16.2.254

H2_N2_6=2001:db8:16:2::/64
H2_N2_IP6=2001:db8:16:2::2
R1_N2_IP6=2001:db8:16:2::253
R2_N2_IP6=2001:db8:16:2::254
87
88################################################################################
89# helpers
90
# Print a banner around the section title given as arguments.
# Output: a blank line, a rule, the title, a rule, a blank line (stdout).
log_section()
{
	local rule="###########################################################################"

	echo
	echo "$rule"
	echo "$*"
	echo "$rule"
	echo
}
99
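# Record and print the result of one test.
# Arguments: $1 - actual return code, $2 - expected return code, $3 - message
# Globals:   reads PAUSE_ON_FAIL; writes nsuccess, nfail, ret
# Returns:   0 in the OK case; in the FAIL case the status of the pause
#            prompt (0 when PAUSE_ON_FAIL is not "yes").  Exits with 1 when
#            the user answers 'q' at the prompt.
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"
	local answer

	if [ "${rc}" -eq "${expected}" ]; then
		printf "TEST: %-60s  [ OK ]\n" "${msg}"
		nsuccess=$((nsuccess+1))
		return
	fi

	ret=1
	nfail=$((nfail+1))
	printf "TEST: %-60s  [FAIL]\n" "${msg}"
	if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
		echo
		echo "hit enter to continue, 'q' to quit"
		# local, so the prompt answer does not leak into the global scope
		read -r answer
		[ "$answer" = "q" ] && exit 1
	fi
}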
121
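# Run a command (all arguments joined into one string and eval'd), capturing
# stdout+stderr.  In verbose mode the command and its output are echoed.
# Arguments: the command line to run
# Globals:   reads VERBOSE
# Returns:   the command's exit status
# The command string is built only from literals in this script; it must
# never be fed untrusted input, since it goes through eval.
run_cmd()
{
	local cmd="$*"
	local out
	local rc

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: $cmd"
	fi

	# shellcheck disable=SC2086
	out=$(eval $cmd 2>&1)
	rc=$?
	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		# printf rather than echo: captured output may start with -n/-e
		# or contain backslash escapes, which echo would interpret
		printf '%s\n' "$out"
	fi

	[ "$VERBOSE" = "1" ] && echo

	return $rc
}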
143
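# Run a command like run_cmd and test whether its combined output matches
# a grep pattern.
# Arguments: $1 - grep (basic regex) pattern; the rest is the command line
# Globals:   reads VERBOSE
# Returns:   0 when the pattern matches the output, non-zero otherwise
# As with run_cmd, the command string goes through eval and must only be
# built from literals in this script.
run_cmd_grep()
{
	local grep_pattern="$1"
	shift
	local cmd="$*"
	local out
	local rc

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: $cmd"
	fi

	# shellcheck disable=SC2086
	out=$(eval $cmd 2>&1)
	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		printf '%s\n' "$out"
	fi

	# printf rather than echo so output beginning with -n/-e is not eaten
	# as an echo option; "--" keeps a pattern starting with "-" a pattern
	printf '%s\n' "$out" | grep -q -- "$grep_pattern"
	rc=$?

	[ "$VERBOSE" = "1" ] && echo

	return $rc
}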
169
170################################################################################
171# setup and teardown
172
# Tear down every namespace this script may have created.
# Globals: reads h1, h2, r1, r2 (presumably set by setup_ns from lib.sh)
cleanup()
{
	# Unquoted on purpose: a namespace variable that is still unset must
	# disappear from the argument list rather than become an empty word.
	# shellcheck disable=SC2086
	set -- $h1 $h2 $r1 $r2
	cleanup_ns "$@"
}
177
# Move the "local" policy-routing rule from pref 0 to pref 32765 so that VRF
# table lookups precede it, for both IPv4 and IPv6.
# Arguments: $1 - namespace name
setup_vrf()
{
	local ns=$1
	local family

	# '' selects the default (IPv4) family, -6 the IPv6 one
	for family in '' -6; do
		# shellcheck disable=SC2086
		ip -netns "${ns}" $family rule del pref 0
		# shellcheck disable=SC2086
		ip -netns "${ns}" $family rule add pref 32765 from all lookup local
	done
}
187
# Create a VRF device bound to a routing table, with an unreachable default
# route (metric 8192) and the loopback addresses attached to the VRF.
# Arguments: $1 - namespace, $2 - VRF device name, $3 - table id
create_vrf()
{
	local ns=$1
	local vrf=$2
	local table=$3
	local ipns=(ip -netns "${ns}")

	"${ipns[@]}" link add "${vrf}" type vrf table "${table}"
	"${ipns[@]}" link set "${vrf}" up
	"${ipns[@]}" route add vrf "${vrf}" unreachable default metric 8192
	"${ipns[@]}" -6 route add vrf "${vrf}" unreachable default metric 8192

	"${ipns[@]}" addr add 127.0.0.1/8 dev "${vrf}"
	"${ipns[@]}" -6 addr add ::1 dev "${vrf}" nodad
}
202
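# Build the symmetric topology: h1 - r1 - h2, with r1 leaking routes between
# VRFs blue (eth0, towards h1) and red (eth1, towards h2, MTU 1400) in both
# directions.
# Globals: h1, h2, r1 (namespace names, presumably set by setup_ns from lib.sh)
setup_sym()
{
	local ns

	# make sure we are starting with a clean slate
	cleanup

	#
	# create nodes as namespaces
	setup_ns h1 h2 r1
	for ns in $h1 $h2 $r1; do
		# Hosts do not forward; the router forwards both families.
		# A case pattern replaces "echo $ns | grep -q h[12]-", whose
		# unquoted glob could be expanded against files in the cwd.
		case $ns in
		*h[12]-*)
			ip netns exec "$ns" sysctl -q -w net.ipv6.conf.all.forwarding=0
			ip netns exec "$ns" sysctl -q -w net.ipv6.conf.all.keep_addr_on_down=1
			;;
		*)
			ip netns exec "$ns" sysctl -q -w net.ipv4.ip_forward=1
			ip netns exec "$ns" sysctl -q -w net.ipv6.conf.all.forwarding=1
			;;
		esac
	done

	#
	# create interconnects
	#
	ip -netns $h1 link add eth0 type veth peer name r1h1
	ip -netns $h1 link set r1h1 netns $r1 name eth0 up

	ip -netns $h2 link add eth0 type veth peer name r1h2
	ip -netns $h2 link set r1h2 netns $r1 name eth1 up

	#
	# h1
	#
	ip -netns $h1 addr add dev eth0 ${H1_N1_IP}/24
	ip -netns $h1 -6 addr add dev eth0 ${H1_N1_IP6}/64 nodad
	ip -netns $h1 link set eth0 up

	# h1 to h2 via r1
	ip -netns $h1    route add ${H2_N2} via ${R1_N1_IP} dev eth0
	ip -netns $h1 -6 route add ${H2_N2_6} via "${R1_N1_IP6}" dev eth0

	#
	# h2
	#
	ip -netns $h2 addr add dev eth0 ${H2_N2_IP}/24
	ip -netns $h2 -6 addr add dev eth0 ${H2_N2_IP6}/64 nodad
	ip -netns $h2 link set eth0 up

	# h2 to h1 via r1
	ip -netns $h2 route add default via ${R1_N2_IP} dev eth0
	ip -netns $h2 -6 route add default via ${R1_N2_IP6} dev eth0

	#
	# r1
	#
	setup_vrf $r1
	create_vrf $r1 blue 1101
	create_vrf $r1 red 1102
	# the red side carries the smaller MTU exercised by the frag tests
	ip -netns $r1 link set mtu 1400 dev eth1
	ip -netns $r1 link set eth0 vrf blue up
	ip -netns $r1 link set eth1 vrf red up
	ip -netns $r1 addr add dev eth0 ${R1_N1_IP}/24
	ip -netns $r1 -6 addr add dev eth0 ${R1_N1_IP6}/64 nodad
	ip -netns $r1 addr add dev eth1 ${R1_N2_IP}/24
	ip -netns $r1 -6 addr add dev eth1 ${R1_N2_IP6}/64 nodad

	# Route leak from blue to red
	ip -netns $r1 route add vrf blue ${H2_N2} dev red
	ip -netns $r1 -6 route add vrf blue ${H2_N2_6} dev red

	# Route leak from red to blue
	ip -netns $r1 route add vrf red ${H1_N1} dev blue
	ip -netns $r1 -6 route add vrf red ${H1_N1_6} dev blue

	# Wait for ip config to settle
	sleep 2
}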
280
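# Build the asymmetric topology: h1 and h2 bridge two links each, h1 -> h2
# goes via r1 (blue leaks to red, no route back), h2 -> h1 goes via r2.
# Globals: h1, h2, r1, r2 (namespace names, presumably set by setup_ns from
# lib.sh)
setup_asym()
{
	local ns

	# make sure we are starting with a clean slate
	cleanup

	#
	# create nodes as namespaces
	setup_ns h1 h2 r1 r2
	for ns in $h1 $h2 $r1 $r2; do
		# Hosts do not forward; the routers forward both families.
		# A case pattern replaces "echo $ns | grep -q h[12]-", whose
		# unquoted glob could be expanded against files in the cwd.
		case $ns in
		*h[12]-*)
			ip netns exec "$ns" sysctl -q -w net.ipv6.conf.all.forwarding=0
			ip netns exec "$ns" sysctl -q -w net.ipv6.conf.all.keep_addr_on_down=1
			;;
		*)
			ip netns exec "$ns" sysctl -q -w net.ipv4.ip_forward=1
			ip netns exec "$ns" sysctl -q -w net.ipv6.conf.all.forwarding=1
			;;
		esac
	done

	#
	# create interconnects
	#
	ip -netns $h1 link add eth0 type veth peer name r1h1
	ip -netns $h1 link set r1h1 netns $r1 name eth0 up

	ip -netns $h1 link add eth1 type veth peer name r2h1
	ip -netns $h1 link set r2h1 netns $r2 name eth0 up

	ip -netns $h2 link add eth0 type veth peer name r1h2
	ip -netns $h2 link set r1h2 netns $r1 name eth1 up

	ip -netns $h2 link add eth1 type veth peer name r2h2
	ip -netns $h2 link set r2h2 netns $r2 name eth1 up

	#
	# h1
	#
	ip -netns $h1 link add br0 type bridge
	ip -netns $h1 link set br0 up
	ip -netns $h1 addr add dev br0 ${H1_N1_IP}/24
	ip -netns $h1 -6 addr add dev br0 ${H1_N1_IP6}/64 nodad
	ip -netns $h1 link set eth0 master br0 up
	ip -netns $h1 link set eth1 master br0 up

	# h1 to h2 via r1
	ip -netns $h1    route add ${H2_N2} via ${R1_N1_IP} dev br0
	ip -netns $h1 -6 route add ${H2_N2_6} via "${R1_N1_IP6}" dev br0

	#
	# h2
	#
	ip -netns $h2 link add br0 type bridge
	ip -netns $h2 link set br0 up
	ip -netns $h2 addr add dev br0 ${H2_N2_IP}/24
	ip -netns $h2 -6 addr add dev br0 ${H2_N2_IP6}/64 nodad
	ip -netns $h2 link set eth0 master br0 up
	ip -netns $h2 link set eth1 master br0 up

	# h2 to h1 via r2
	ip -netns $h2 route add default via ${R2_N2_IP} dev br0
	ip -netns $h2 -6 route add default via ${R2_N2_IP6} dev br0

	#
	# r1
	#
	setup_vrf $r1
	create_vrf $r1 blue 1101
	create_vrf $r1 red 1102
	ip -netns $r1 link set mtu 1400 dev eth1
	ip -netns $r1 link set eth0 vrf blue up
	ip -netns $r1 link set eth1 vrf red up
	ip -netns $r1 addr add dev eth0 ${R1_N1_IP}/24
	ip -netns $r1 -6 addr add dev eth0 ${R1_N1_IP6}/64 nodad
	ip -netns $r1 addr add dev eth1 ${R1_N2_IP}/24
	ip -netns $r1 -6 addr add dev eth1 ${R1_N2_IP6}/64 nodad

	# Route leak from blue to red
	ip -netns $r1 route add vrf blue ${H2_N2} dev red
	ip -netns $r1 -6 route add vrf blue ${H2_N2_6} dev red

	# No route leak from red to blue: the ICMP error for a packet dropped
	# in red must be routed via the incoming (blue) table to reach h1.

	#
	# r2 (plain router, no VRFs): carries the return path h2 -> h1
	#
	ip -netns $r2 addr add dev eth0 ${R2_N1_IP}/24
	ip -netns $r2 -6 addr add dev eth0 ${R2_N1_IP6}/64 nodad
	ip -netns $r2 addr add dev eth1 ${R2_N2_IP}/24
	ip -netns $r2 -6 addr add dev eth1 ${R2_N2_IP6}/64 nodad

	# Wait for ip config to settle
	sleep 2
}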
375
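# Verify basic IPv4 reachability from h1 to h2 and log the result.
# Globals: reads h1, H2_N2_IP
# Returns: the ping exit status, so "check_connectivity || return" really
#          skips a test when the path is down (previously log_test's status,
#          which is 0 even on failure unless the pause prompt is enabled,
#          was returned instead)
check_connectivity()
{
	local rc

	ip netns exec $h1 ping -c1 -w1 ${H2_N2_IP} >/dev/null 2>&1
	rc=$?
	log_test $rc 0 "Basic IPv4 connectivity"
	return $rc
}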
382
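# Verify basic IPv6 reachability from h1 to h2 and log the result.
# Globals: reads h1, ping6, H2_N2_IP6
# Returns: the ping exit status, so "check_connectivity6 || return" really
#          skips a test when the path is down (previously log_test's status,
#          which is 0 even on failure unless the pause prompt is enabled,
#          was returned instead)
check_connectivity6()
{
	local rc

	ip netns exec $h1 "${ping6}" -c1 -w1 ${H2_N2_IP6} >/dev/null 2>&1
	rc=$?
	log_test $rc 0 "Basic IPv6 connectivity"
	return $rc
}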
389
# Returns 0 when an executable traceroute is available, otherwise prints a
# SKIP line and returns 1.
check_traceroute()
{
	local bin

	bin=$(command -v traceroute)
	if [ -x "$bin" ]; then
		return 0
	fi

	echo "SKIP: Could not run IPV4 test without traceroute"
	return 1
}
397
# Returns 0 when an executable traceroute6 is available, otherwise prints a
# SKIP line and returns 1.
check_traceroute6()
{
	local bin

	bin=$(command -v traceroute6)
	if [ -x "$bin" ]; then
		return 0
	fi

	echo "SKIP: Could not run IPV6 test without traceroute6"
	return 1
}
405
# IPv4 traceroute from h1 to h2 must show r1's n1 address as a hop, i.e. the
# TTL-exceeded error is sent back through the incoming VRF.
# Arguments: $1 - topology type (sym|asym), defaults to DEFAULT_TTYPE
ipv4_traceroute()
{
	local ttype="${1:-$DEFAULT_TTYPE}"
	local title="IPv4 ($ttype route): VRF ICMP error route lookup traceroute"

	log_section "$title"

	check_traceroute || return

	setup_"$ttype"

	check_connectivity || return

	run_cmd_grep "${R1_N1_IP}" ip netns exec $h1 traceroute ${H2_N2_IP}
	log_test $? 0 "Traceroute reports a hop on r1"
}
423
# Asymmetric-topology variant of ipv4_traceroute.
ipv4_traceroute_asym() { ipv4_traceroute asym; }
428
# IPv6 traceroute6 from h1 to h2 must show r1's n1 address as a hop, i.e. the
# hop-limit-exceeded error is sent back through the incoming VRF.
# Arguments: $1 - topology type (sym|asym), defaults to DEFAULT_TTYPE
ipv6_traceroute()
{
	local ttype="${1:-$DEFAULT_TTYPE}"
	local title="IPv6 ($ttype route): VRF ICMP error route lookup traceroute"

	log_section "$title"

	check_traceroute6 || return

	setup_"$ttype"

	check_connectivity6 || return

	run_cmd_grep "${R1_N1_IP6}" ip netns exec $h1 traceroute6 ${H2_N2_IP6}
	log_test $? 0 "Traceroute6 reports a hop on r1"
}
446
# Asymmetric-topology variant of ipv6_traceroute.
ipv6_traceroute_asym() { ipv6_traceroute asym; }
451
# A ping with TTL 1 from h1 must get an ICMP "Time to live exceeded" back
# from r1 through the incoming VRF.
# Arguments: $1 - topology type (sym|asym), defaults to DEFAULT_TTYPE
ipv4_ping_ttl()
{
	local ttype="${1:-$DEFAULT_TTYPE}"
	local title="IPv4 ($ttype route): VRF ICMP ttl error route lookup ping"

	log_section "$title"

	setup_"$ttype"

	check_connectivity || return

	run_cmd_grep "Time to live exceeded" ip netns exec $h1 ping -t1 -c1 -W2 ${H2_N2_IP}
	log_test $? 0 "Ping received ICMP ttl exceeded"
}
467
# Asymmetric-topology variant of ipv4_ping_ttl.
ipv4_ping_ttl_asym() { ipv4_ping_ttl asym; }
472
# A 1450-byte don't-fragment ping from h1 must get an ICMP "Frag needed"
# back, since the red side of r1 has MTU 1400.
# Arguments: $1 - topology type (sym|asym), defaults to DEFAULT_TTYPE
ipv4_ping_frag()
{
	local ttype="${1:-$DEFAULT_TTYPE}"
	local title="IPv4 ($ttype route): VRF ICMP fragmentation error route lookup ping"

	log_section "$title"

	setup_"$ttype"

	check_connectivity || return

	run_cmd_grep "Frag needed" ip netns exec $h1 ping -s 1450 -Mdo -c1 -W2 ${H2_N2_IP}
	log_test $? 0 "Ping received ICMP Frag needed"
}
488
# Asymmetric-topology variant of ipv4_ping_frag.
ipv4_ping_frag_asym() { ipv4_ping_frag asym; }
493
# A ping with hop limit 1 from h1 must get an ICMPv6 "Time exceeded: Hop
# limit" back from r1 through the incoming VRF.
# Arguments: $1 - topology type (sym|asym), defaults to DEFAULT_TTYPE
ipv6_ping_ttl()
{
	local ttype="${1:-$DEFAULT_TTYPE}"
	local title="IPv6 ($ttype route): VRF ICMP ttl error route lookup ping"

	log_section "$title"

	setup_"$ttype"

	check_connectivity6 || return

	run_cmd_grep "Time exceeded: Hop limit" ip netns exec $h1 "${ping6}" -t1 -c1 -W2 ${H2_N2_IP6}
	log_test $? 0 "Ping received ICMP Hop limit"
}
509
# Asymmetric-topology variant of ipv6_ping_ttl.
ipv6_ping_ttl_asym() { ipv6_ping_ttl asym; }
514
# A 1450-byte don't-fragment ping6 from h1 must get an ICMPv6 "Packet too
# big" back, since the red side of r1 has MTU 1400.
# Arguments: $1 - topology type (sym|asym), defaults to DEFAULT_TTYPE
ipv6_ping_frag()
{
	local ttype="${1:-$DEFAULT_TTYPE}"
	local title="IPv6 ($ttype route): VRF ICMP fragmentation error route lookup ping"

	log_section "$title"

	setup_"$ttype"

	check_connectivity6 || return

	run_cmd_grep "Packet too big" ip netns exec $h1 "${ping6}" -s 1450 -Mdo -c1 -W2 ${H2_N2_IP6}
	log_test $? 0 "Ping received ICMP Packet too big"
}
530
# Asymmetric-topology variant of ipv6_ping_frag.
ipv6_ping_frag_asym() { ipv6_ping_frag asym; }
535
# Ping h2 from r1 itself, bound to VRF blue, over the symmetric topology.
ipv4_ping_local()
{
	local title="IPv4 (sym route): VRF ICMP local error route lookup ping"

	log_section "$title"

	setup_sym

	check_connectivity || return

	run_cmd ip netns exec $r1 ip vrf exec blue ping -c1 -w1 ${H2_N2_IP}
	log_test $? 0 "VRF ICMP local IPv4"
}
547
# TCP connection from r1 (bound to VRF blue) to a nettest server on h2, over
# the symmetric topology.
ipv4_tcp_local()
{
	local title="IPv4 (sym route): VRF tcp local connection"

	log_section "$title"

	setup_sym

	check_connectivity || return

	# server in the background on h2; give it a second to start listening
	run_cmd nettest -s -O "$h2" -l ${H2_N2_IP} -I eth0 -3 eth0 &
	sleep 1

	run_cmd nettest -N "$r1" -d blue -r ${H2_N2_IP}
	log_test $? 0 "VRF tcp local connection IPv4"
}
561
# UDP exchange from r1 (bound to VRF blue) to a nettest server on h2, over
# the symmetric topology.
ipv4_udp_local()
{
	local title="IPv4 (sym route): VRF udp local connection"

	log_section "$title"

	setup_sym

	check_connectivity || return

	# server in the background on h2; give it a second to start listening
	run_cmd nettest -s -D -O "$h2" -l ${H2_N2_IP} -I eth0 -3 eth0 &
	sleep 1

	run_cmd nettest -D -N "$r1" -d blue -r ${H2_N2_IP}
	log_test $? 0 "VRF udp local connection IPv4"
}
575
# Ping6 h2 from r1 itself, bound to VRF blue, over the symmetric topology.
ipv6_ping_local()
{
	local title="IPv6 (sym route): VRF ICMP local error route lookup ping"

	log_section "$title"

	setup_sym

	check_connectivity6 || return

	run_cmd ip netns exec $r1 ip vrf exec blue "${ping6}" -c1 -w1 ${H2_N2_IP6}
	log_test $? 0 "VRF ICMP local IPv6"
}
587
# IPv6 TCP connection from r1 (bound to VRF blue) to a nettest server on h2,
# over the symmetric topology.
ipv6_tcp_local()
{
	local title="IPv6 (sym route): VRF tcp local connection"

	log_section "$title"

	setup_sym

	check_connectivity6 || return

	# server in the background on h2; give it a second to start listening
	run_cmd nettest -s -6 -O "$h2" -l ${H2_N2_IP6} -I eth0 -3 eth0 &
	sleep 1

	run_cmd nettest -6 -N "$r1" -d blue -r ${H2_N2_IP6}
	log_test $? 0 "VRF tcp local connection IPv6"
}
601
# IPv6 UDP exchange from r1 (bound to VRF blue) to a nettest server on h2,
# over the symmetric topology.
ipv6_udp_local()
{
	local title="IPv6 (sym route): VRF udp local connection"

	log_section "$title"

	setup_sym

	check_connectivity6 || return

	# server in the background on h2; give it a second to start listening
	run_cmd nettest -s -6 -D -O "$h2" -l ${H2_N2_IP6} -I eth0 -3 eth0 &
	sleep 1

	run_cmd nettest -6 -D -N "$r1" -d blue -r ${H2_N2_IP6}
	log_test $? 0 "VRF udp local connection IPv6"
}
615
616################################################################################
617# usage
618
# Print the command-line help to stdout.  The here-doc body is emitted
# verbatim (its leading whitespace is part of the output).
usage() {
	cat <<EOF
usage: ${0##*/} OPTS

	-4          Run IPv4 tests only
	-6          Run IPv6 tests only
        -t TEST     Run only TEST
	-p          Pause on fail
	-v          verbose mode (show commands and output)
EOF
}
631
632################################################################################
633# main
634
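# Some systems don't have a ping6 binary anymore
if command -v ping6 > /dev/null 2>&1; then
	ping6=$(command -v ping6)
else
	ping6=$(command -v ping)
fi

check_gen_prog "nettest"

# Default test lists.  ipv6_ping_frag/ipv6_ping_frag_asym and
# ipv4_ping_frag_asym are defined but not listed here; they only run when
# named with -t (or via the "ping" alias).  NOTE(review): the asym omissions
# match the header ("MTU test isn't done" on the asym topology); whether
# ipv6_ping_frag is left out on purpose is not stated -- confirm.
TESTS_IPV4="ipv4_ping_ttl ipv4_traceroute ipv4_ping_frag ipv4_ping_local ipv4_tcp_local
ipv4_udp_local ipv4_ping_ttl_asym ipv4_traceroute_asym"
TESTS_IPV6="ipv6_ping_ttl ipv6_traceroute ipv6_ping_local ipv6_tcp_local ipv6_udp_local
ipv6_ping_ttl_asym ipv6_traceroute_asym"

ret=0
nsuccess=0
nfail=0

while getopts :46t:pvh o
do
	case $o in
		4) TESTS=ipv4;;
		6) TESTS=ipv6;;
		t) TESTS=$OPTARG;;
		p) PAUSE_ON_FAIL=yes;;
		v) VERBOSE=1;;
		h) usage; exit 0;;
		*) usage; exit 1;;
	esac
done

#
# show user test config
#
if [ -z "$TESTS" ]; then
	TESTS="$TESTS_IPV4 $TESTS_IPV6"
elif [ "$TESTS" = "ipv4" ]; then
	TESTS="$TESTS_IPV4"
elif [ "$TESTS" = "ipv6" ]; then
	TESTS="$TESTS_IPV6"
fi

# $TESTS is a space-separated list, so word-splitting is intended.  The ";;&"
# terminators fall through to the following patterns, which is what lets the
# "ping" and "traceroute" aliases run every matching test.  The -t value is
# only ever compared here; it is never executed.
for t in $TESTS
do
	case $t in
	ipv4_ping_ttl|ping)              ipv4_ping_ttl;;&
	ipv4_ping_ttl_asym|ping)         ipv4_ping_ttl_asym;;&
	ipv4_traceroute|traceroute)      ipv4_traceroute;;&
	ipv4_traceroute_asym|traceroute) ipv4_traceroute_asym;;&
	ipv4_ping_frag|ping)             ipv4_ping_frag;;&
	ipv4_ping_local|ping)            ipv4_ping_local;;&
	ipv4_tcp_local)                  ipv4_tcp_local;;&
	ipv4_udp_local)                  ipv4_udp_local;;&

	ipv6_ping_ttl|ping)              ipv6_ping_ttl;;&
	ipv6_ping_ttl_asym|ping)         ipv6_ping_ttl_asym;;&
	ipv6_traceroute|traceroute)      ipv6_traceroute;;&
	ipv6_traceroute_asym|traceroute) ipv6_traceroute_asym;;&
	ipv6_ping_frag|ping)             ipv6_ping_frag;;&
	ipv6_ping_local|ping)            ipv6_ping_local;;&
	ipv6_tcp_local)                  ipv6_tcp_local;;&
	ipv6_udp_local)                  ipv6_udp_local;;&

	# setup namespaces and config, but do not run any tests
	setup_sym|setup)                 setup_sym; exit 0;;
	setup_asym)                      setup_asym; exit 0;;

	# "-t help" sets TESTS to "help", so list the real test names rather
	# than "$TESTS" itself
	help)                       echo "Test names: $TESTS_IPV4 $TESTS_IPV6"; exit 0;;
	esac
done

cleanup

printf "\nTests passed: %3d\n" "${nsuccess}"
printf "Tests failed: %3d\n"   "${nfail}"

exit "$ret"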
707exit $ret
708