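#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
#
# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
# for various permutations:
#   1. icmp, tcp, udp and netfilter
#   2. client, server, no-server
#   3. global address on interface
#   4. global address on 'lo'
#   5. remote and local traffic
#   6. VRF and non-VRF permutations
#
# Setup:
#                     ns-A     |     ns-B
# No VRF case:
#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
#                                                remote address
# VRF case:
#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
#
# ns-A:
#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
#       lo: 127.0.0.1/8, ::1/128
#           172.16.2.1/32, 2001:db8:2::1/128
#      red: 127.0.0.1/8, ::1/128
#           172.16.3.1/32, 2001:db8:3::1/128
#
# ns-B:
#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
#      lo2: 127.0.0.1/8, ::1/128
#           172.16.2.2/32, 2001:db8:2::2/128
#
# ns-A to ns-C connection - only for VRF and same config
# as ns-A to ns-B
#
# server / client nomenclature relative to ns-A

# lib.sh is named without a path, so bash looks it up through PATH and then
# in the current directory. Run this script from the selftests tree only.
source lib.sh

# NOTE(review): the current directory is put ahead of the system PATH,
# presumably so that helpers such as nettest are found. Every later command
# (ip, sysctl, ping, killall, ...) is resolved through the same PATH, and the
# namespace setup below needs elevated privileges, so a file with one of
# those names in $PWD would be executed instead of the system binary.
# Start the tests from a trusted directory.
PATH=$PWD:$PWD/tools/testing/selftests/net:$PATH

VERBOSE=0

NSA_DEV=eth1
NSA_DEV2=eth2
NSB_DEV=eth1
NSC_DEV=eth2
VRF=red
VRF_TABLE=1101

# IPv4 config
NSA_IP=172.16.1.1
NSB_IP=172.16.1.2
VRF_IP=172.16.3.1
NS_NET=172.16.1.0/24

# IPv6 config
NSA_IP6=2001:db8:1::1
NSB_IP6=2001:db8:1::2
VRF_IP6=2001:db8:3::1
NS_NET6=2001:db8:1::/120

NSA_LO_IP=172.16.2.1
NSB_LO_IP=172.16.2.2
NSA_LO_IP6=2001:db8:2::1
NSB_LO_IP6=2001:db8:2::2

# non-local addresses for freebind tests
NL_IP=172.17.1.1
NL_IP6=2001:db8:4::1

# multicast and broadcast addresses
MCAST_IP=224.0.0.1
BCAST_IP=255.255.255.255

# TCP MD5 test keys. These are fixtures, not secrets: the tests hand them to
# nettest as command-line arguments and do_run_cmd echoes the full command
# line when VERBOSE=1.
MD5_PW=abc123
MD5_WRONG_PW=abc1234

MCAST=ff02::1
# set after namespace create
NSA_LINKIP6=
NSB_LINKIP6=

# Prefer a dedicated ping6 binary and fall back to ping when there is none.
# 'command -v' is the shell builtin lookup, so no external 'which' is needed.
if command -v ping6 > /dev/null 2>&1; then
	ping6=$(command -v ping6)
else
	ping6=$(command -v ping)
fi

# Check if FIPS mode is enabled
# NOTE(review): presumably consulted by the TCP MD5 tests, which depend on
# MD5 being available - confirm against the users of fips_enabled.
if [ -f /proc/sys/crypto/fips_enabled ]; then
	fips_enabled=$(cat /proc/sys/crypto/fips_enabled)
else
	fips_enabled=0
fi

################################################################################
# utilities

# Record the result of one test case.
#   $1 - actual return code
#   $2 - expected return code
#   $3 - test description
# Updates the global counters nsuccess / nfail, honours PAUSE_ON_FAIL and
# PAUSE (interactive stop, 'q' exits with status 1) and finally kills any
# test processes that are still running.
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"
	local ans

	[ "${VERBOSE}" = "1" ] && echo

	# quoted so that an empty rc is reported as a failure by the else
	# branch instead of producing a malformed test expression
	if [ "${rc}" -eq "${expected}" ]; then
		nsuccess=$((nsuccess+1))
		printf "TEST: %-70s [ OK ]\n" "${msg}"
	else
		nfail=$((nfail+1))
		printf "TEST: %-70s [FAIL]\n" "${msg}"
		echo " expected rc $expected; actual rc $rc"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue, 'q' to quit"
			read -r ans
			[ "$ans" = "q" ] && exit 1
		fi
	fi

	if [ "${PAUSE}" = "yes" ]; then
		echo
		echo "hit enter to continue, 'q' to quit"
		read -r ans
		[ "$ans" = "q" ] && exit 1
	fi

	kill_procs
}

# Same as log_test, with the description suffixed by a readable name for
# the address under test.
#   $1 - address, $2 - actual rc, $3 - expected rc, $4 - description
log_test_addr()
{
	local addr=$1
	local rc=$2
	local expected=$3
	local msg="$4"
	local astr

	astr=$(addr2str "${addr}")
	log_test "$rc" "$expected" "$msg - ${astr}"
}

# Print a banner for a group of tests.
log_section()
{
	echo
	echo "###########################################################################"
	echo "$*"
	echo "###########################################################################"
	echo
}

# Print a smaller banner for a sub-group of tests.
log_subsection()
{
	echo
	echo "#################################################################"
	echo "$*"
	echo
}

# Called before each test case: clears leftover processes and, in verbose
# mode, prints a separator.
log_start()
{
	# make sure we have no test instances running
	kill_procs

	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "#######################################################"
	fi
}

# Print a message in verbose mode only.
log_debug()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "$*"
		echo
	fi
}

# Print an explanation of the expected outcome in verbose mode only.
show_hint()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo "HINT: $*"
		echo
	fi
}

# Stop every nettest, ping and ping6 process and wait (via slowwait from
# lib.sh) until pgrep no longer finds one.
# NOTE(review): killall and pgrep match by process name and are not limited
# to the test namespaces, so unrelated ping or nettest processes that the
# caller is allowed to signal are terminated too. Avoid running this on a
# machine where such processes matter.
kill_procs()
{
	killall nettest ping ping6 >/dev/null 2>&1
	slowwait 2 sh -c 'test -z "$(pgrep '"'^(nettest|ping|ping6)$'"')"'
}

# Allow every group id in ns-A to open ICMP "ping" sockets. The sysctl is
# written through NSA_CMD, i.e. inside the ns-A namespace.
set_ping_group()
{
	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${NSA_CMD} sysctl -q -w net.ipv4.ping_group_range='0 2147483647'"
	fi

	${NSA_CMD} sysctl -q -w net.ipv4.ping_group_range='0 2147483647'
}

# Run a command, capture stdout and stderr, and return its exit status.
# The output is shown only when VERBOSE=1.
# The arguments are joined into one string and split again on whitespace
# before execution, so quoting applied by the caller is lost and an argument
# containing spaces or glob characters is re-split or expanded. Pass fixed
# test values only, never externally supplied text.
# rc is deliberately not local: it is assigned in the caller's scope.
do_run_cmd()
{
	local cmd="$*"
	local out

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${cmd}"
	fi

	out=$($cmd 2>&1)
	rc=$?
	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		echo "$out"
	fi

	return $rc
}

# Run a command in ns-A.
run_cmd()
{
	do_run_cmd ${NSA_CMD} $*
}

# Run a command in ns-B.
run_cmd_nsb()
{
	do_run_cmd ${NSB_CMD} $*
}

# Run a command in ns-C.
run_cmd_nsc()
{
	do_run_cmd ${NSC_CMD} $*
}

# Run a setup command in ns-A and stop the whole test run, with the
# command's exit status, if it fails.
setup_cmd()
{
	local cmd="$*"
	local rc

	run_cmd ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		# show user the command if not done so already
		if [ "$VERBOSE" = "0" ]; then
			echo "setup command: $cmd"
		fi
		echo "failed. stopping tests"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue"
			read -r a
		fi
		exit $rc
	fi
}

# Run a setup command in ns-B and stop the whole test run, with the
# command's exit status, if it fails.
setup_cmd_nsb()
{
	local cmd="$*"
	local rc

	run_cmd_nsb ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		# show user the command if not done so already
		if [ "$VERBOSE" = "0" ]; then
			echo "setup command: $cmd"
		fi
		echo "failed. stopping tests"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue"
			read -r a
		fi
		exit $rc
	fi
}

# Run a setup command in ns-C and stop the whole test run, with the
# command's exit status, if it fails.
setup_cmd_nsc()
{
	local cmd="$*"
	local rc

	run_cmd_nsc ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		# show user the command if not done so already
		if [ "$VERBOSE" = "0" ]; then
			echo "setup command: $cmd"
		fi
		echo "failed. stopping tests"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue"
			read -r a
		fi
		exit $rc
	fi
}

# set sysctl values in NS-A
set_sysctl()
{
	echo "SYSCTL: $*"
	echo
	run_cmd sysctl -q -w $*
}

# get sysctl values in NS-A
get_sysctl()
{
	${NSA_CMD} sysctl -n $*
}

################################################################################
# Setup for tests

# Map a test address to the label used in test descriptions. Addresses that
# are not one of the configured test addresses are reported as "unknown".
# The link-local entries also match the "<address>%<device>" form.
addr2str()
{
	case "$1" in
	127.0.0.1) echo "loopback";;
	::1) echo "IPv6 loopback";;

	${BCAST_IP}) echo "broadcast";;
	${MCAST_IP}) echo "multicast";;

	${NSA_IP}) echo "ns-A IP";;
	${NSA_IP6}) echo "ns-A IPv6";;
	${NSA_LO_IP}) echo "ns-A loopback IP";;
	${NSA_LO_IP6}) echo "ns-A loopback IPv6";;
	${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;

	${NSB_IP}) echo "ns-B IP";;
	${NSB_IP6}) echo "ns-B IPv6";;
	${NSB_LO_IP}) echo "ns-B loopback IP";;
	${NSB_LO_IP6}) echo "ns-B loopback IPv6";;
	${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;

	${NL_IP}) echo "nonlocal IP";;
	${NL_IP6}) echo "nonlocal IPv6";;

	${VRF_IP}) echo "VRF IP";;
	${VRF_IP6}) echo "VRF IPv6";;

	${MCAST}%*) echo "multicast IP";;

	*) echo "unknown";;
	esac
}

# Print the fe80 link-local address of a device, without the prefix length.
#   $1 - namespace, $2 - device
# Returns 1 when the device has no such address.
get_linklocal()
{
	local ns=$1
	local dev=$2
	local addr

	addr=$(ip -netns ${ns} -6 -br addr show dev ${dev} | \
	awk '{
		for (i = 3; i <= NF; ++i) {
			if ($i ~ /^fe80/)
				print $i
		}
	}'
	)
	# drop everything from the first '/' (the prefix length)
	addr=${addr/\/*}

	[ -z "$addr" ] && return 1

	echo $addr

	return 0
}

################################################################################
# create namespaces and vrf

# Create a VRF device in a namespace.
#   $1 - namespace, $2 - VRF name, $3 - routing table id
#   $4 - IPv4 address for the VRF device, "-" for none
#   $5 - IPv6 address for the VRF device, "-" for none
# The VRF table gets an unreachable default route with a high metric, and
# the "local" rule is moved from preference 0 to 32765 for both families.
create_vrf()
{
	local ns=$1
	local vrf=$2
	local table=$3
	local addr=$4
	local addr6=$5

	ip -netns ${ns} link add ${vrf} type vrf table ${table}
	ip -netns ${ns} link set ${vrf} up
	ip -netns ${ns} route add vrf ${vrf} unreachable default metric 8192
	ip -netns ${ns} -6 route add vrf ${vrf} unreachable default metric 8192

	ip -netns ${ns} addr add 127.0.0.1/8 dev ${vrf}
	ip -netns ${ns} -6 addr add ::1 dev ${vrf} nodad
	if [ "${addr}" != "-" ]; then
		ip -netns ${ns} addr add dev ${vrf} ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns ${ns} -6 addr add dev ${vrf} ${addr6}
	fi

	ip -netns ${ns} ru del pref 0
	ip -netns ${ns} ru add pref 32765 from all lookup local
	ip -netns ${ns} -6 ru del pref 0
	ip -netns ${ns} -6 ru add pref 32765 from all lookup local
}

# Configure an existing namespace for the tests.
#   $1 - namespace
#   $2 - IPv4 address for lo, "-" for none
#   $3 - IPv6 address for lo, "-" for none
# Adds unreachable default routes, enables IPv4 and IPv6 forwarding, keeps
# IPv6 addresses when a link goes down and disables duplicate address
# detection. All sysctls are written inside the namespace.
create_ns()
{
	local ns=$1
	local addr=$2
	local addr6=$3

	if [ "${addr}" != "-" ]; then
		ip -netns ${ns} addr add dev lo ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns ${ns} -6 addr add dev lo ${addr6}
	fi

	ip -netns ${ns} ro add unreachable default metric 8192
	ip -netns ${ns} -6 ro add unreachable default metric 8192

	ip netns exec ${ns} sysctl -qw net.ipv4.ip_forward=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.forwarding=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.forwarding=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.accept_dad=0
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.accept_dad=0
}

# create veth pair to connect namespaces and apply addresses.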
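# Connect two namespaces with a veth pair and assign addresses.
#   $1 - first namespace    $2 - its device  $3 - IPv4 addr  $4 - IPv6 addr
#   $5 - second namespace   $6 - its device  $7 - IPv4 addr  $8 - IPv6 addr
# An address argument of "-" for the first namespace skips that family on
# both ends. The peer is created under the temporary name "tmp" and renamed
# when it is moved into the second namespace.
connect_ns()
{
	local ns1=$1
	local ns1_dev=$2
	local ns1_addr=$3
	local ns1_addr6=$4
	local ns2=$5
	local ns2_dev=$6
	local ns2_addr=$7
	local ns2_addr6=$8

	ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp
	ip -netns ${ns1} li set ${ns1_dev} up
	ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev}
	ip -netns ${ns2} li set ${ns2_dev} up

	if [ "${ns1_addr}" != "-" ]; then
		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr}
		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr}
	fi

	if [ "${ns1_addr6}" != "-" ]; then
		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6}
		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6}
	fi
}

# Tear down the test topology: remove the VRF and the ns-A device, kill the
# processes still running in the namespaces and delete the namespaces
# (cleanup_ns comes from lib.sh).
cleanup()
{
	# explicit cleanups to check those code paths
	# Skip the ns-A teardown when NSA has not been set yet; an empty
	# pattern must not be handed to grep. The name is matched as a
	# substring of the 'ip netns' listing.
	if [ -n "${NSA}" ] && ip netns | grep -q -- "${NSA}"; then
		ip -netns ${NSA} link delete ${VRF}
		ip -netns ${NSA} ro flush table ${VRF_TABLE}

		ip -netns ${NSA} addr flush dev ${NSA_DEV}
		ip -netns ${NSA} -6 addr flush dev ${NSA_DEV}
		ip -netns ${NSA} link set dev ${NSA_DEV} down
		ip -netns ${NSA} link del dev ${NSA_DEV}

		ip netns pids ${NSA} | xargs kill 2>/dev/null
		cleanup_ns ${NSA}
	fi

	ip netns pids ${NSB} | xargs kill 2>/dev/null
	ip netns pids ${NSC} | xargs kill 2>/dev/null
	cleanup_ns ${NSB} ${NSC}
}

# Remove the ns-C side of the duplicate-address setup; errors are ignored.
cleanup_vrf_dup()
{
	ip link del ${NSA_DEV2} >/dev/null 2>&1
	ip netns pids ${NSC} | xargs kill 2>/dev/null
	ip netns del ${NSC} >/dev/null 2>&1
}

# Add ns-C, connected to ns-A through NSA_DEV2, using the same addresses as
# the ns-A / ns-B link.
setup_vrf_dup()
{
	# some VRF tests use ns-C which has the same config as
	# ns-B but for a device NOT in the VRF
	setup_ns NSC
	NSC_CMD="ip netns exec ${NSC}"
	create_ns ${NSC} "-" "-"
	connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \
		   ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
}

# Build the ns-A / ns-B topology from scratch.
#   $1 - "yes" to put NSA_DEV into the VRF; anything else for no VRF
# Runs with 'set -e' while configuring, so any failing command ends the
# script; 'set +e' is restored before returning.
setup()
{
	local with_vrf=${1}

	# make sure we are starting with a clean slate
	kill_procs
	cleanup 2>/dev/null

	log_debug "Configuring network namespaces"
	set -e

	setup_ns NSA NSB
	NSA_CMD="ip netns exec ${NSA}"
	NSB_CMD="ip netns exec ${NSB}"

	create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128
	create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128
	connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \
		   ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64

	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})

	# tell ns-A how to get to remote addresses of ns-B
	if [ "${with_vrf}" = "yes" ]; then
		create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6}

		ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
		ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
		ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}

		ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
		ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
	else
		ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
		ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
	fi


	# tell ns-B how to get to remote addresses of ns-A
	ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
	ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}

	set +e

	sleep 1
}

# Build a topology with ns-A, ns-B and ns-C where no global addresses are
# assigned (every address argument is "-"), and both ns-A devices are in
# the VRF. Records the link-local address of each peer.
setup_lla_only()
{
	# make sure we are starting with a clean slate
	kill_procs
	cleanup 2>/dev/null

	log_debug "Configuring network namespaces"
	set -e

	setup_ns NSA NSB NSC
	NSA_CMD="ip netns exec ${NSA}"
	NSB_CMD="ip netns exec ${NSB}"
	NSC_CMD="ip netns exec ${NSC}"
	create_ns ${NSA} "-" "-"
	create_ns ${NSB} "-" "-"
	create_ns ${NSC} "-" "-"
	connect_ns ${NSA} ${NSA_DEV} "-" "-" \
		   ${NSB} ${NSB_DEV} "-" "-"
	connect_ns ${NSA} ${NSA_DEV2} "-" "-" \
		   ${NSC} ${NSC_DEV}  "-" "-"

	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
	NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV})

	create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-"
	ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
	ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF}

	set +e

	sleep 1
}

################################################################################
# IPv4

# ICMP reachability without a VRF: outbound, inbound and local pings, then
# the same destinations with a prohibit rule, an unreachable route and with
# the specific route removed. The expected ping exit status is the third
# argument of each log_test_addr call.
ipv4_ping_novrf()
{
	local a

	#
	# out
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping out"

		log_start
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a}
		log_test_addr ${a} $? 0 "ping out, address bind"
	done

	#
	# out, but don't use gateway if peer is not on link
	#
	a=${NSB_IP}
	log_start
	run_cmd ping -c 1 -w 1 -r ${a}
	log_test_addr ${a} $? 0 "ping out (don't route), peer on link"

	a=${NSB_LO_IP}
	log_start
	show_hint "Fails since peer is not on link"
	run_cmd ping -c 1 -w 1 -r ${a}
	log_test_addr ${a} $? 1 "ping out (don't route), peer not on link"

	#
	# in
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd_nsb ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	#
	# local traffic
	#
	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		run_cmd ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping local"
	done

	#
	# local traffic, socket bound to device
	#
	# address on device
	a=${NSA_IP}
	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 0 "ping local, device bind"

	# loopback addresses not reachable from device bind
	# fails in a really weird way though because ipv4 special cases
	# route lookups with oif set.
	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Fails since address on loopback device is out of device scope"
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 1 "ping local, device bind"
	done

	#
	# ip rule blocks reachability to remote address
	#
	log_start
	setup_cmd ip rule add pref 32765 from all lookup local
	setup_cmd ip rule del pref 0 from all lookup local
	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by rule"

	# NOTE: ipv4 actually allows the lookup to fail and yet still create
	# a viable rtable if the oif (e.g., bind to device) is set, so this
	# case succeeds despite the rule
	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}

	a=${NSA_LO_IP}
	log_start
	show_hint "Response generates ICMP (or arp request is ignored) due to ip rule"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	# put the rules back the way they were before this group of tests
	[ "$VERBOSE" = "1" ] && echo
	setup_cmd ip rule del pref 32765 from all lookup local
	setup_cmd ip rule add pref 0 from all lookup local
	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit

	#
	# route blocks reachability to remote address
	#
	log_start
	setup_cmd ip route replace unreachable ${NSB_LO_IP}
	setup_cmd ip route replace unreachable ${NSB_IP}

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by route"

	# NOTE: ipv4 actually allows the lookup to fail and yet still create
	# a viable rtable if the oif (e.g., bind to device) is set, so this
	# case succeeds despite not having a route for the address
	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}

	a=${NSA_LO_IP}
	log_start
	show_hint "Response is dropped (or arp request is ignored) due to ip route"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by route"

	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip ro del ${NSB_LO_IP}

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, unreachable default route"

	# NOTE: ipv4 actually allows the lookup to fail and yet still create
	# a viable rtable if the oif (e.g., bind to device) is set, so this
	# case succeeds despite not having a route for the address
	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
}

# ICMP reachability with NSA_DEV enslaved to the VRF: pings bound to the VRF
# device, to the enslaved device and run under 'ip vrf exec', followed by
# the prohibit-rule and missing-route cases.
ipv4_ping_vrf()
{
	local a

	# should default on; does not exist on older kernels
	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd ping -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping out, VRF bind"

		log_start
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a}
		log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind"

		log_start
		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a}
		log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd_nsb ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	#
	# local traffic, local address
	#
	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
	do
		log_start
		show_hint "Source address should be ${a}"
		run_cmd ping -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping local, VRF bind"
	done

	#
	# local traffic, socket bound to device
	#
	# address on device
	a=${NSA_IP}
	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 0 "ping local, device bind"

	# vrf device is out of scope
	for a in ${VRF_IP} 127.0.0.1
	do
		log_start
		show_hint "Fails since address on vrf device is out of device scope"
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 2 "ping local, device bind"
	done

	#
	# ip rule blocks address
	#
	log_start
	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 -I ${VRF} ${a}
	log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule"

	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"

	a=${NSA_LO_IP}
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	[ "$VERBOSE" = "1" ] && echo
	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit

	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP}

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 -I ${VRF} ${a}
	log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route"

	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"

	a=${NSA_LO_IP}
	log_start
	show_hint "Response lost by unreachable route"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, unreachable route"
}

# Driver for the IPv4 ping tests. The topology is rebuilt before every run:
# without a VRF for raw_l3mdev_accept=0, raw_l3mdev_accept=1 and with the
# ping group range opened, then with a VRF with and without the ping group
# range opened.
ipv4_ping()
{
	log_section "IPv4 ping"

	log_subsection "No VRF"
	setup
	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null
	ipv4_ping_novrf
	setup
	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
	ipv4_ping_novrf
	setup
	set_ping_group
	ipv4_ping_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_ping_vrf
	setup "yes"
	set_ping_group
	ipv4_ping_vrf
}

################################################################################
# IPv4 TCP

#
# MD5 tests without VRF
#
# The server in ns-A is started with a key (-M) for a peer address or prefix
# (-m); the client in ns-B supplies its key with -X. A connection must only
# succeed when the key and the client address both match the server
# configuration. Per the hints, an expected rc of 2 is a client timeout.
ipv4_tcp_md5_novrf()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -s &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Prefix config, client uses wrong password"

	# client outside of prefix
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
}

#
# MD5 tests with VRF
#
# Repeats the key and address checks with the server bound to the VRF, then
# runs two servers at once - one in the VRF using MD5_PW and one in the
# default VRF using MD5_WRONG_PW - to check that a key configured for one
# L3 domain is not accepted for a connection arriving in the other.
# ns-B is the peer on the VRF link and ns-C the peer on the non-VRF link.
# NOTE(review): the run_cmd_nsc cases assume the caller has created ns-C
# (see setup_vrf_dup) - confirm against the caller.
ipv4_tcp_md5()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout since server does not have MD5 auth"
	run_cmd nettest -s -I ${VRF} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout since server config differs from client"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"

	# client outside of prefix
	log_start
	show_hint "Should timeout since client address is outside of prefix"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"

	#
	# duplicate config between default VRF and a VRF
	#

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"

	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"

	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"

	#
	# negative tests
	#
	# binding the key to a device that is not a VRF must be refused
	log_start
	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP}
	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET}
	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"

	test_ipv4_md5_vrf__vrf_server__no_bind_ifindex
	test_ipv4_md5_vrf__global_server__bind_ifindex0
}

# Server socket bound to the VRF: the connection from ns-B must be accepted
# both when the key is left unbound (--no-bind-key-ifindex) and when it is
# explicitly bound (--force-bind-key-ifindex).
test_ipv4_md5_vrf__vrf_server__no_bind_ifindex()
{
	log_start
	show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: VRF-bound server, unbound key accepts connection"

	log_start
	show_hint "Binding both the socket and the key is not required but it works"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: VRF-bound server, bound key accepts connection"
}

# Global (not VRF-bound) server: a key bound to ifindex 0 must reject the
# connection arriving through the VRF and accept the non-VRF one, while an
# unbound key accepts both. tcp_l3mdev_accept is set to 1 for the duration
# and restored to its previous value at the end.
test_ipv4_md5_vrf__global_server__bind_ifindex0()
{
	# This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections
	local old_tcp_l3mdev_accept
	old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept)
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection"

	# restore value
	set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept"
}

# SO_DONTROUTE tests for client and server sockets.
#   $1 - value written to net.ipv4.tcp_syncookies in ns-A and ns-B while
#        the tests run; the previous values are restored afterwards
ipv4_tcp_dontroute()
{
	local syncookies=$1
	local nsa_syncookies
	local nsb_syncookies
	local a

	#
	# Link local connection tests (SO_DONTROUTE).
	# Connections should succeed only when the remote IP address is
	# on link (doesn't need to be routed through a gateway).
	#

	nsa_syncookies=$(ip netns exec "${NSA}" sysctl -n net.ipv4.tcp_syncookies)
	nsb_syncookies=$(ip netns exec "${NSB}" sysctl -n net.ipv4.tcp_syncookies)
	ip netns exec "${NSA}" sysctl -wq net.ipv4.tcp_syncookies=${syncookies}
	ip netns exec "${NSB}" sysctl -wq net.ipv4.tcp_syncookies=${syncookies}

	# Test with eth1 address (on link).

	a=${NSB_IP}
	log_start
	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute
	log_test_addr ${a} $? 0 "SO_DONTROUTE client, syncookies=${syncookies}"

	a=${NSB_IP}
	log_start
	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -r ${a} --server-dontroute
	log_test_addr ${a} $? 0 "SO_DONTROUTE server, syncookies=${syncookies}"

	# Test with loopback address (routed).
	#
	# The client would use the eth1 address as source IP by default.
	# Therefore, we need to use the -c option here, to force the use of the
	# routed (loopback) address as source IP (so that the server will try
	# to respond to a routed address and not a link local one).

	a=${NSB_LO_IP}
	log_start
	show_hint "Should fail 'Network is unreachable' since server is not on link"
	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -c "${NSA_LO_IP}" -r ${a} --client-dontroute
	log_test_addr ${a} $? 1 "SO_DONTROUTE client, syncookies=${syncookies}"

	a=${NSB_LO_IP}
	log_start
	show_hint "Should timeout since server cannot respond (client is not on link)"
	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -c "${NSA_LO_IP}" -r ${a} --server-dontroute
	log_test_addr ${a} $? 2 "SO_DONTROUTE server, syncookies=${syncookies}"

	ip netns exec "${NSB}" sysctl -wq net.ipv4.tcp_syncookies=${nsb_syncookies}
	ip netns exec "${NSA}" sysctl -wq net.ipv4.tcp_syncookies=${nsa_syncookies}
}

ipv4_tcp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -s &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	# verify TCP reset sent and received
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd_nsb nettest -s &
		wait_local_port_listen ${NSB} 12345 tcp
		run_cmd nettest -r ${a} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -s &
		wait_local_port_listen ${NSB} 12345 tcp
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a}
		log_test_addr ${a} $?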
1 "No server, unbound client" 1240 1241 log_start 1242 show_hint "Should fail 'Connection refused'" 1243 run_cmd nettest -r ${a} -d ${NSA_DEV} 1244 log_test_addr ${a} $? 1 "No server, device client" 1245 done 1246 1247 # 1248 # local address tests 1249 # 1250 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1251 do 1252 log_start 1253 run_cmd nettest -s & 1254 wait_local_port_listen ${NSA} 12345 tcp 1255 run_cmd nettest -r ${a} -0 ${a} -1 ${a} 1256 log_test_addr ${a} $? 0 "Global server, local connection" 1257 done 1258 1259 a=${NSA_IP} 1260 log_start 1261 run_cmd nettest -s -I ${NSA_DEV} & 1262 wait_local_port_listen ${NSA} 12345 tcp 1263 run_cmd nettest -r ${a} -0 ${a} 1264 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 1265 1266 for a in ${NSA_LO_IP} 127.0.0.1 1267 do 1268 log_start 1269 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 1270 run_cmd nettest -s -I ${NSA_DEV} & 1271 wait_local_port_listen ${NSA} 12345 tcp 1272 run_cmd nettest -r ${a} 1273 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 1274 done 1275 1276 a=${NSA_IP} 1277 log_start 1278 run_cmd nettest -s & 1279 wait_local_port_listen ${NSA} 12345 tcp 1280 run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV} 1281 log_test_addr ${a} $? 0 "Global server, device client, local connection" 1282 1283 for a in ${NSA_LO_IP} 127.0.0.1 1284 do 1285 log_start 1286 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 1287 run_cmd nettest -s & 1288 wait_local_port_listen ${NSA} 12345 tcp 1289 run_cmd nettest -r ${a} -d ${NSA_DEV} 1290 log_test_addr ${a} $? 1 "Global server, device client, local connection" 1291 done 1292 1293 a=${NSA_IP} 1294 log_start 1295 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1296 wait_local_port_listen ${NSA} 12345 tcp 1297 run_cmd nettest -d ${NSA_DEV} -r ${a} -0 ${a} 1298 log_test_addr ${a} $? 
0 "Device server, device client, local connection" 1299 1300 log_start 1301 show_hint "Should fail 'Connection refused'" 1302 run_cmd nettest -d ${NSA_DEV} -r ${a} 1303 log_test_addr ${a} $? 1 "No server, device client, local conn" 1304 1305 [ "$fips_enabled" = "1" ] || ipv4_tcp_md5_novrf 1306 1307 ipv4_tcp_dontroute 0 1308 ipv4_tcp_dontroute 2 1309} 1310 1311ipv4_tcp_vrf() 1312{ 1313 local a 1314 1315 # disable global server 1316 log_subsection "Global server disabled" 1317 1318 set_sysctl net.ipv4.tcp_l3mdev_accept=0 1319 1320 # 1321 # server tests 1322 # 1323 for a in ${NSA_IP} ${VRF_IP} 1324 do 1325 log_start 1326 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 1327 run_cmd nettest -s & 1328 wait_local_port_listen ${NSA} 12345 tcp 1329 run_cmd_nsb nettest -r ${a} 1330 log_test_addr ${a} $? 1 "Global server" 1331 1332 log_start 1333 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1334 wait_local_port_listen ${NSA} 12345 tcp 1335 run_cmd_nsb nettest -r ${a} 1336 log_test_addr ${a} $? 0 "VRF server" 1337 1338 log_start 1339 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1340 wait_local_port_listen ${NSA} 12345 tcp 1341 run_cmd_nsb nettest -r ${a} 1342 log_test_addr ${a} $? 0 "Device server" 1343 1344 # verify TCP reset received 1345 log_start 1346 show_hint "Should fail 'Connection refused' since there is no server" 1347 run_cmd_nsb nettest -r ${a} 1348 log_test_addr ${a} $? 1 "No server" 1349 done 1350 1351 # local address tests 1352 # (${VRF_IP} and 127.0.0.1 both timeout) 1353 a=${NSA_IP} 1354 log_start 1355 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 1356 run_cmd nettest -s & 1357 wait_local_port_listen ${NSA} 12345 tcp 1358 run_cmd nettest -r ${a} -d ${NSA_DEV} 1359 log_test_addr ${a} $? 
1 "Global server, local connection" 1360 1361 # run MD5 tests 1362 if [ "$fips_enabled" = "0" ]; then 1363 setup_vrf_dup 1364 ipv4_tcp_md5 1365 cleanup_vrf_dup 1366 fi 1367 1368 # 1369 # enable VRF global server 1370 # 1371 log_subsection "VRF Global server enabled" 1372 set_sysctl net.ipv4.tcp_l3mdev_accept=1 1373 1374 for a in ${NSA_IP} ${VRF_IP} 1375 do 1376 log_start 1377 show_hint "client socket should be bound to VRF" 1378 run_cmd nettest -s -3 ${VRF} & 1379 wait_local_port_listen ${NSA} 12345 tcp 1380 run_cmd_nsb nettest -r ${a} 1381 log_test_addr ${a} $? 0 "Global server" 1382 1383 log_start 1384 show_hint "client socket should be bound to VRF" 1385 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1386 wait_local_port_listen ${NSA} 12345 tcp 1387 run_cmd_nsb nettest -r ${a} 1388 log_test_addr ${a} $? 0 "VRF server" 1389 1390 # verify TCP reset received 1391 log_start 1392 show_hint "Should fail 'Connection refused'" 1393 run_cmd_nsb nettest -r ${a} 1394 log_test_addr ${a} $? 1 "No server" 1395 done 1396 1397 a=${NSA_IP} 1398 log_start 1399 show_hint "client socket should be bound to device" 1400 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1401 wait_local_port_listen ${NSA} 12345 tcp 1402 run_cmd_nsb nettest -r ${a} 1403 log_test_addr ${a} $? 0 "Device server" 1404 1405 # local address tests 1406 for a in ${NSA_IP} ${VRF_IP} 1407 do 1408 log_start 1409 show_hint "Should fail 'Connection refused' since client is not bound to VRF" 1410 run_cmd nettest -s -I ${VRF} & 1411 wait_local_port_listen ${NSA} 12345 tcp 1412 run_cmd nettest -r ${a} 1413 log_test_addr ${a} $? 1 "Global server, local connection" 1414 done 1415 1416 # 1417 # client 1418 # 1419 for a in ${NSB_IP} ${NSB_LO_IP} 1420 do 1421 log_start 1422 run_cmd_nsb nettest -s & 1423 wait_local_port_listen ${NSB} 12345 tcp 1424 run_cmd nettest -r ${a} -d ${VRF} 1425 log_test_addr ${a} $? 
0 "Client, VRF bind" 1426 1427 log_start 1428 run_cmd_nsb nettest -s & 1429 wait_local_port_listen ${NSB} 12345 tcp 1430 run_cmd nettest -r ${a} -d ${NSA_DEV} 1431 log_test_addr ${a} $? 0 "Client, device bind" 1432 1433 log_start 1434 show_hint "Should fail 'Connection refused'" 1435 run_cmd nettest -r ${a} -d ${VRF} 1436 log_test_addr ${a} $? 1 "No server, VRF client" 1437 1438 log_start 1439 show_hint "Should fail 'Connection refused'" 1440 run_cmd nettest -r ${a} -d ${NSA_DEV} 1441 log_test_addr ${a} $? 1 "No server, device client" 1442 done 1443 1444 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 1445 do 1446 log_start 1447 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1448 wait_local_port_listen ${NSA} 12345 tcp 1449 run_cmd nettest -r ${a} -d ${VRF} -0 ${a} 1450 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 1451 done 1452 1453 a=${NSA_IP} 1454 log_start 1455 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1456 wait_local_port_listen ${NSA} 12345 tcp 1457 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a} 1458 log_test_addr ${a} $? 0 "VRF server, device client, local connection" 1459 1460 log_start 1461 show_hint "Should fail 'No route to host' since client is out of VRF scope" 1462 run_cmd nettest -s -I ${VRF} & 1463 wait_local_port_listen ${NSA} 12345 tcp 1464 run_cmd nettest -r ${a} 1465 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection" 1466 1467 log_start 1468 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1469 wait_local_port_listen ${NSA} 12345 tcp 1470 run_cmd nettest -r ${a} -d ${VRF} -0 ${a} 1471 log_test_addr ${a} $? 0 "Device server, VRF client, local connection" 1472 1473 log_start 1474 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1475 wait_local_port_listen ${NSA} 12345 tcp 1476 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a} 1477 log_test_addr ${a} $? 
0 "Device server, device client, local connection" 1478} 1479 1480ipv4_tcp() 1481{ 1482 log_section "IPv4/TCP" 1483 log_subsection "No VRF" 1484 setup 1485 1486 # tcp_l3mdev_accept should have no affect without VRF; 1487 # run tests with it enabled and disabled to verify 1488 log_subsection "tcp_l3mdev_accept disabled" 1489 set_sysctl net.ipv4.tcp_l3mdev_accept=0 1490 ipv4_tcp_novrf 1491 log_subsection "tcp_l3mdev_accept enabled" 1492 set_sysctl net.ipv4.tcp_l3mdev_accept=1 1493 ipv4_tcp_novrf 1494 1495 log_subsection "With VRF" 1496 setup "yes" 1497 ipv4_tcp_vrf 1498} 1499 1500################################################################################ 1501# IPv4 UDP 1502 1503ipv4_udp_novrf() 1504{ 1505 local a 1506 1507 # 1508 # server tests 1509 # 1510 for a in ${NSA_IP} ${NSA_LO_IP} 1511 do 1512 log_start 1513 run_cmd nettest -D -s -3 ${NSA_DEV} & 1514 wait_local_port_listen ${NSA} 12345 udp 1515 run_cmd_nsb nettest -D -r ${a} 1516 log_test_addr ${a} $? 0 "Global server" 1517 1518 log_start 1519 show_hint "Should fail 'Connection refused' since there is no server" 1520 run_cmd_nsb nettest -D -r ${a} 1521 log_test_addr ${a} $? 1 "No server" 1522 done 1523 1524 a=${NSA_IP} 1525 log_start 1526 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1527 wait_local_port_listen ${NSA} 12345 udp 1528 run_cmd_nsb nettest -D -r ${a} 1529 log_test_addr ${a} $? 0 "Device server" 1530 1531 # 1532 # client 1533 # 1534 for a in ${NSB_IP} ${NSB_LO_IP} 1535 do 1536 log_start 1537 run_cmd_nsb nettest -D -s & 1538 wait_local_port_listen ${NSB} 12345 udp 1539 run_cmd nettest -D -r ${a} -0 ${NSA_IP} 1540 log_test_addr ${a} $? 0 "Client" 1541 1542 log_start 1543 run_cmd_nsb nettest -D -s & 1544 wait_local_port_listen ${NSB} 12345 udp 1545 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP} 1546 log_test_addr ${a} $? 
0 "Client, device bind" 1547 1548 log_start 1549 run_cmd_nsb nettest -D -s & 1550 wait_local_port_listen ${NSB} 12345 udp 1551 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP} 1552 log_test_addr ${a} $? 0 "Client, device send via cmsg" 1553 1554 log_start 1555 run_cmd_nsb nettest -D -s & 1556 wait_local_port_listen ${NSB} 12345 udp 1557 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} 1558 log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF" 1559 1560 log_start 1561 run_cmd_nsb nettest -D -s & 1562 wait_local_port_listen ${NSB} 12345 udp 1563 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} -U 1564 log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF, with connect()" 1565 1566 1567 log_start 1568 show_hint "Should fail 'Connection refused'" 1569 run_cmd nettest -D -r ${a} 1570 log_test_addr ${a} $? 1 "No server, unbound client" 1571 1572 log_start 1573 show_hint "Should fail 'Connection refused'" 1574 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1575 log_test_addr ${a} $? 1 "No server, device client" 1576 done 1577 1578 # 1579 # local address tests 1580 # 1581 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1582 do 1583 log_start 1584 run_cmd nettest -D -s & 1585 wait_local_port_listen ${NSA} 12345 udp 1586 run_cmd nettest -D -r ${a} -0 ${a} -1 ${a} 1587 log_test_addr ${a} $? 0 "Global server, local connection" 1588 done 1589 1590 a=${NSA_IP} 1591 log_start 1592 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1593 wait_local_port_listen ${NSA} 12345 udp 1594 run_cmd nettest -D -r ${a} 1595 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 1596 1597 for a in ${NSA_LO_IP} 127.0.0.1 1598 do 1599 log_start 1600 show_hint "Should fail 'Connection refused' since address is out of device scope" 1601 run_cmd nettest -s -D -I ${NSA_DEV} & 1602 wait_local_port_listen ${NSA} 12345 udp 1603 run_cmd nettest -D -r ${a} 1604 log_test_addr ${a} $? 
1 "Device server, unbound client, local connection" 1605 done 1606 1607 a=${NSA_IP} 1608 log_start 1609 run_cmd nettest -s -D & 1610 wait_local_port_listen ${NSA} 12345 udp 1611 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1612 log_test_addr ${a} $? 0 "Global server, device client, local connection" 1613 1614 log_start 1615 run_cmd nettest -s -D & 1616 wait_local_port_listen ${NSA} 12345 udp 1617 run_cmd nettest -D -d ${NSA_DEV} -C -r ${a} 1618 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 1619 1620 log_start 1621 run_cmd nettest -s -D & 1622 wait_local_port_listen ${NSA} 12345 udp 1623 run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} 1624 log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection" 1625 1626 log_start 1627 run_cmd nettest -s -D & 1628 wait_local_port_listen ${NSA} 12345 udp 1629 run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} -U 1630 log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection, with connect()" 1631 1632 1633 # IPv4 with device bind has really weird behavior - it overrides the 1634 # fib lookup, generates an rtable and tries to send the packet. This 1635 # causes failures for local traffic at different places 1636 for a in ${NSA_LO_IP} 127.0.0.1 1637 do 1638 log_start 1639 show_hint "Should fail since addresses on loopback are out of device scope" 1640 run_cmd nettest -D -s & 1641 wait_local_port_listen ${NSA} 12345 udp 1642 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1643 log_test_addr ${a} $? 2 "Global server, device client, local connection" 1644 1645 log_start 1646 show_hint "Should fail since addresses on loopback are out of device scope" 1647 run_cmd nettest -D -s & 1648 wait_local_port_listen ${NSA} 12345 udp 1649 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C 1650 log_test_addr ${a} $? 
1 "Global server, device send via cmsg, local connection" 1651 1652 log_start 1653 show_hint "Should fail since addresses on loopback are out of device scope" 1654 run_cmd nettest -D -s & 1655 wait_local_port_listen ${NSA} 12345 udp 1656 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S 1657 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 1658 1659 log_start 1660 show_hint "Should fail since addresses on loopback are out of device scope" 1661 run_cmd nettest -D -s & 1662 wait_local_port_listen ${NSA} 12345 udp 1663 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -U 1664 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()" 1665 1666 1667 done 1668 1669 a=${NSA_IP} 1670 log_start 1671 run_cmd nettest -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1672 wait_local_port_listen ${NSA} 12345 udp 1673 run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a} 1674 log_test_addr ${a} $? 0 "Device server, device client, local conn" 1675 1676 log_start 1677 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1678 log_test_addr ${a} $? 2 "No server, device client, local conn" 1679 1680 # 1681 # Link local connection tests (SO_DONTROUTE). 1682 # Connections should succeed only when the remote IP address is 1683 # on link (doesn't need to be routed through a gateway). 1684 # 1685 1686 a=${NSB_IP} 1687 log_start 1688 do_run_cmd nettest -B -D -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute 1689 log_test_addr ${a} $? 0 "SO_DONTROUTE client" 1690 1691 a=${NSB_LO_IP} 1692 log_start 1693 show_hint "Should fail 'Network is unreachable' since server is not on link" 1694 do_run_cmd nettest -B -D -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute 1695 log_test_addr ${a} $? 
1 "SO_DONTROUTE client" 1696} 1697 1698ipv4_udp_vrf() 1699{ 1700 local a 1701 1702 # disable global server 1703 log_subsection "Global server disabled" 1704 set_sysctl net.ipv4.udp_l3mdev_accept=0 1705 1706 # 1707 # server tests 1708 # 1709 for a in ${NSA_IP} ${VRF_IP} 1710 do 1711 log_start 1712 show_hint "Fails because ingress is in a VRF and global server is disabled" 1713 run_cmd nettest -D -s & 1714 wait_local_port_listen ${NSA} 12345 udp 1715 run_cmd_nsb nettest -D -r ${a} 1716 log_test_addr ${a} $? 1 "Global server" 1717 1718 log_start 1719 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} & 1720 wait_local_port_listen ${NSA} 12345 udp 1721 run_cmd_nsb nettest -D -r ${a} 1722 log_test_addr ${a} $? 0 "VRF server" 1723 1724 log_start 1725 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1726 wait_local_port_listen ${NSA} 12345 udp 1727 run_cmd_nsb nettest -D -r ${a} 1728 log_test_addr ${a} $? 0 "Enslaved device server" 1729 1730 log_start 1731 show_hint "Should fail 'Connection refused' since there is no server" 1732 run_cmd_nsb nettest -D -r ${a} 1733 log_test_addr ${a} $? 1 "No server" 1734 1735 log_start 1736 show_hint "Should fail 'Connection refused' since global server is out of scope" 1737 run_cmd nettest -D -s & 1738 wait_local_port_listen ${NSA} 12345 udp 1739 run_cmd nettest -D -d ${VRF} -r ${a} 1740 log_test_addr ${a} $? 1 "Global server, VRF client, local connection" 1741 done 1742 1743 a=${NSA_IP} 1744 log_start 1745 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1746 wait_local_port_listen ${NSA} 12345 udp 1747 run_cmd nettest -D -d ${VRF} -r ${a} 1748 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1749 1750 log_start 1751 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1752 wait_local_port_listen ${NSA} 12345 udp 1753 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1754 log_test_addr ${a} $? 
0 "VRF server, enslaved device client, local connection" 1755 1756 a=${NSA_IP} 1757 log_start 1758 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1759 wait_local_port_listen ${NSA} 12345 udp 1760 run_cmd nettest -D -d ${VRF} -r ${a} 1761 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 1762 1763 log_start 1764 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1765 wait_local_port_listen ${NSA} 12345 udp 1766 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1767 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 1768 1769 # enable global server 1770 log_subsection "Global server enabled" 1771 set_sysctl net.ipv4.udp_l3mdev_accept=1 1772 1773 # 1774 # server tests 1775 # 1776 for a in ${NSA_IP} ${VRF_IP} 1777 do 1778 log_start 1779 run_cmd nettest -D -s -3 ${NSA_DEV} & 1780 wait_local_port_listen ${NSA} 12345 udp 1781 run_cmd_nsb nettest -D -r ${a} 1782 log_test_addr ${a} $? 0 "Global server" 1783 1784 log_start 1785 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} & 1786 wait_local_port_listen ${NSA} 12345 udp 1787 run_cmd_nsb nettest -D -r ${a} 1788 log_test_addr ${a} $? 0 "VRF server" 1789 1790 log_start 1791 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1792 wait_local_port_listen ${NSA} 12345 udp 1793 run_cmd_nsb nettest -D -r ${a} 1794 log_test_addr ${a} $? 0 "Enslaved device server" 1795 1796 log_start 1797 show_hint "Should fail 'Connection refused'" 1798 run_cmd_nsb nettest -D -r ${a} 1799 log_test_addr ${a} $? 1 "No server" 1800 done 1801 1802 # 1803 # client tests 1804 # 1805 log_start 1806 run_cmd_nsb nettest -D -s & 1807 wait_local_port_listen ${NSB} 12345 udp 1808 run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP} 1809 log_test $? 0 "VRF client" 1810 1811 log_start 1812 run_cmd_nsb nettest -D -s & 1813 wait_local_port_listen ${NSB} 12345 udp 1814 run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP} 1815 log_test $? 
0 "Enslaved device client" 1816 1817 # negative test - should fail 1818 log_start 1819 show_hint "Should fail 'Connection refused'" 1820 run_cmd nettest -D -d ${VRF} -r ${NSB_IP} 1821 log_test $? 1 "No server, VRF client" 1822 1823 log_start 1824 show_hint "Should fail 'Connection refused'" 1825 run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP} 1826 log_test $? 1 "No server, enslaved device client" 1827 1828 # 1829 # local address tests 1830 # 1831 a=${NSA_IP} 1832 log_start 1833 run_cmd nettest -D -s -3 ${NSA_DEV} & 1834 wait_local_port_listen ${NSA} 12345 udp 1835 run_cmd nettest -D -d ${VRF} -r ${a} 1836 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 1837 1838 log_start 1839 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1840 wait_local_port_listen ${NSA} 12345 udp 1841 run_cmd nettest -D -d ${VRF} -r ${a} 1842 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1843 1844 log_start 1845 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1846 wait_local_port_listen ${NSA} 12345 udp 1847 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1848 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 1849 1850 log_start 1851 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1852 wait_local_port_listen ${NSA} 12345 udp 1853 run_cmd nettest -D -d ${VRF} -r ${a} 1854 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 1855 1856 log_start 1857 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1858 wait_local_port_listen ${NSA} 12345 udp 1859 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1860 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 1861 1862 for a in ${VRF_IP} 127.0.0.1 1863 do 1864 log_start 1865 run_cmd nettest -D -s -3 ${VRF} & 1866 wait_local_port_listen ${NSA} 12345 udp 1867 run_cmd nettest -D -d ${VRF} -r ${a} 1868 log_test_addr ${a} $? 
0 "Global server, VRF client, local conn" 1869 done 1870 1871 for a in ${VRF_IP} 127.0.0.1 1872 do 1873 log_start 1874 run_cmd nettest -s -D -I ${VRF} -3 ${VRF} & 1875 wait_local_port_listen ${NSA} 12345 udp 1876 run_cmd nettest -D -d ${VRF} -r ${a} 1877 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1878 done 1879 1880 # negative test - should fail 1881 # verifies ECONNREFUSED 1882 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 1883 do 1884 log_start 1885 show_hint "Should fail 'Connection refused'" 1886 run_cmd nettest -D -d ${VRF} -r ${a} 1887 log_test_addr ${a} $? 1 "No server, VRF client, local conn" 1888 done 1889} 1890 1891ipv4_udp() 1892{ 1893 log_section "IPv4/UDP" 1894 log_subsection "No VRF" 1895 1896 setup 1897 1898 # udp_l3mdev_accept should have no affect without VRF; 1899 # run tests with it enabled and disabled to verify 1900 log_subsection "udp_l3mdev_accept disabled" 1901 set_sysctl net.ipv4.udp_l3mdev_accept=0 1902 ipv4_udp_novrf 1903 log_subsection "udp_l3mdev_accept enabled" 1904 set_sysctl net.ipv4.udp_l3mdev_accept=1 1905 ipv4_udp_novrf 1906 1907 log_subsection "With VRF" 1908 setup "yes" 1909 ipv4_udp_vrf 1910} 1911 1912################################################################################ 1913# IPv4 address bind 1914# 1915# verifies ability or inability to bind to an address / device 1916 1917ipv4_addr_bind_novrf() 1918{ 1919 # 1920 # raw socket 1921 # 1922 for a in ${NSA_IP} ${NSA_LO_IP} 1923 do 1924 log_start 1925 run_cmd nettest -s -R -P icmp -l ${a} -b 1926 log_test_addr ${a} $? 0 "Raw socket bind to local address" 1927 1928 log_start 1929 run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b 1930 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" 1931 done 1932 1933 # 1934 # tests for nonlocal bind 1935 # 1936 a=${NL_IP} 1937 log_start 1938 run_cmd nettest -s -R -f -l ${a} -b 1939 log_test_addr ${a} $? 
0 "Raw socket bind to nonlocal address" 1940 1941 log_start 1942 run_cmd nettest -s -f -l ${a} -b 1943 log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address" 1944 1945 log_start 1946 run_cmd nettest -s -D -P icmp -f -l ${a} -b 1947 log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address" 1948 1949 # 1950 # check that ICMP sockets cannot bind to broadcast and multicast addresses 1951 # 1952 a=${BCAST_IP} 1953 log_start 1954 run_cmd nettest -s -D -P icmp -l ${a} -b 1955 log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address" 1956 1957 a=${MCAST_IP} 1958 log_start 1959 run_cmd nettest -s -D -P icmp -l ${a} -b 1960 log_test_addr ${a} $? 1 "ICMP socket bind to multicast address" 1961 1962 # 1963 # tcp sockets 1964 # 1965 a=${NSA_IP} 1966 log_start 1967 run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b 1968 log_test_addr ${a} $? 0 "TCP socket bind to local address" 1969 1970 log_start 1971 run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b 1972 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind" 1973 1974 # Sadly, the kernel allows binding a socket to a device and then 1975 # binding to an address not on the device. The only restriction 1976 # is that the address is valid in the L3 domain. So this test 1977 # passes when it really should not 1978 #a=${NSA_LO_IP} 1979 #log_start 1980 #show_hint "Should fail with 'Cannot assign requested address'" 1981 #run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 1982 #log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address" 1983} 1984 1985ipv4_addr_bind_vrf() 1986{ 1987 # 1988 # raw socket 1989 # 1990 for a in ${NSA_IP} ${VRF_IP} 1991 do 1992 log_start 1993 show_hint "Socket not bound to VRF, but address is in VRF" 1994 run_cmd nettest -s -R -P icmp -l ${a} -b 1995 log_test_addr ${a} $? 1 "Raw socket bind to local address" 1996 1997 log_start 1998 run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b 1999 log_test_addr ${a} $? 
0 "Raw socket bind to local address after device bind" 2000 log_start 2001 run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b 2002 log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind" 2003 done 2004 2005 a=${NSA_LO_IP} 2006 log_start 2007 show_hint "Address on loopback is out of VRF scope" 2008 run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b 2009 log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind" 2010 2011 # 2012 # tests for nonlocal bind 2013 # 2014 a=${NL_IP} 2015 log_start 2016 run_cmd nettest -s -R -f -l ${a} -I ${VRF} -b 2017 log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind" 2018 2019 log_start 2020 run_cmd nettest -s -f -l ${a} -I ${VRF} -b 2021 log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address after VRF bind" 2022 2023 log_start 2024 run_cmd nettest -s -D -P icmp -f -l ${a} -I ${VRF} -b 2025 log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address after VRF bind" 2026 2027 # 2028 # check that ICMP sockets cannot bind to broadcast and multicast addresses 2029 # 2030 a=${BCAST_IP} 2031 log_start 2032 run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b 2033 log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address after VRF bind" 2034 2035 a=${MCAST_IP} 2036 log_start 2037 run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b 2038 log_test_addr ${a} $? 1 "ICMP socket bind to multicast address after VRF bind" 2039 2040 # 2041 # tcp sockets 2042 # 2043 for a in ${NSA_IP} ${VRF_IP} 2044 do 2045 log_start 2046 run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b 2047 log_test_addr ${a} $? 0 "TCP socket bind to local address" 2048 2049 log_start 2050 run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 2051 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind" 2052 done 2053 2054 a=${NSA_LO_IP} 2055 log_start 2056 show_hint "Address on loopback out of scope for VRF" 2057 run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b 2058 log_test_addr ${a} $? 
1 "TCP socket bind to invalid local address for VRF" 2059 2060 log_start 2061 show_hint "Address on loopback out of scope for device in VRF" 2062 run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 2063 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind" 2064}

# Run the IPv4 address-bind tests twice: once after a plain 'setup' (no VRF)
# and once after 'setup "yes"' (with VRF). set_ping_group is called after
# each setup, before the test body.
ipv4_addr_bind()
{
	log_section "IPv4 address binds"

	log_subsection "No VRF"
	setup
	set_ping_group
	ipv4_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	set_ping_group
	ipv4_addr_bind_vrf
}

################################################################################
# IPv4 runtime tests

# Delete the VRF device while nettest TCP traffic is running.
#   $1 - description prefix used in the test names
#   $2 - extra nettest options; expanded unquoted on purpose so that a value
#        such as "-n -1" is split into separate arguments
#
# Every case reports through 'log_test_addr <addr> 0 0': rc and expected rc
# are both hard-coded to 0, so no case can fail on a command's exit status.
# NOTE(review): the only failure signal is therefore outside this script
# (presumably a crash or warning in the kernel log when the device goes away
# under active sockets) - collect dmesg when running this section.
#
# 'setup ${with_vrf}' is re-run after each case, presumably to rebuild the
# topology after ${VRF} was deleted.
ipv4_rt()
{
	local desc="$1"
	local varg="$2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -s &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd_nsb nettest ${varg} -r ${a} &
		# client and server are both in the background; remove the
		# device while they are still running
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -s -I ${VRF} &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest ${varg} -s -I ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest ${varg} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device server"

	setup ${with_vrf}

	#
	# client test
	#
	# NOTE(review): ${a} still holds ${NSA_IP} in the two client cases
	# although the client connects to ${NSB_IP}; only the address shown
	# in the test name is affected.
	log_start
	run_cmd_nsb nettest ${varg} -s &
	wait_local_port_listen ${NSB} 12345 tcp
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	wait_local_port_listen ${NSB} 12345 tcp
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device client"

	setup ${with_vrf}

	#
	# local address tests
	#
	# server and client both run through run_cmd here
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -s &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local"

		setup ${with_vrf}
	done

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server and client, local"

		setup ${with_vrf}
	done

	a=${NSA_IP}
	log_start

	run_cmd nettest ${varg} -s &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${VRF} -s &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local"

	setup ${with_vrf}

	# last case: no setup afterwards, the caller runs setup before the
	# next test function
	log_start
	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local"
}

# Delete ${VRF} while a flood ping (ping -f) is running: first started with
# run_cmd_nsb towards each ns-A address, then started with run_cmd through
# the VRF towards ${NSB_IP}. As in ipv4_rt, results are logged with rc 0 and
# expected rc 0.
ipv4_ping_rt()
{
	local with_vrf="yes"
	local a

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd_nsb ping -f ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

		setup ${with_vrf}
	done

	a=${NSB_IP}
	log_start
	run_cmd ping -f -I ${VRF} ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

# Driver for the IPv4 runtime tests. Each test function deletes ${VRF}, so
# 'setup "yes"' is run before every one of them.
ipv4_runtime()
{
	log_section "Run time tests - ipv4"

	setup "yes"
	ipv4_ping_rt

	setup "yes"
	ipv4_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv4_rt "TCP passive socket" "-i"
}

2264################################################################################ 2265# IPv6 2266 2267ipv6_ping_novrf() 2268{ 2269 local a 2270 2271 # should not have an impact, but make a known state 2272 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null 2273 2274 # 2275 # out 2276 # 2277 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2278 do 2279 log_start 2280 run_cmd ${ping6} -c1 -w1 ${a} 2281 log_test_addr ${a} $? 0 "ping out" 2282 done 2283 2284 for a in ${NSB_IP6} ${NSB_LO_IP6} 2285 do 2286 log_start 2287 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2288 log_test_addr ${a} $? 0 "ping out, device bind" 2289 2290 log_start 2291 run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a} 2292 log_test_addr ${a} $? 0 "ping out, loopback address bind" 2293 done 2294 2295 # 2296 # in 2297 # 2298 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV} 2299 do 2300 log_start 2301 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2302 log_test_addr ${a} $?
0 "ping in" 2303 done 2304 2305 # 2306 # local traffic, local address 2307 # 2308 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2309 do 2310 log_start 2311 run_cmd ${ping6} -c1 -w1 ${a} 2312 log_test_addr ${a} $? 0 "ping local, no bind" 2313 done 2314 2315 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2316 do 2317 log_start 2318 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2319 log_test_addr ${a} $? 0 "ping local, device bind" 2320 done 2321 2322 for a in ${NSA_LO_IP6} ::1 2323 do 2324 log_start 2325 show_hint "Fails since address on loopback is out of device scope" 2326 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2327 log_test_addr ${a} $? 2 "ping local, device bind" 2328 done 2329 2330 # 2331 # ip rule blocks address 2332 # 2333 log_start 2334 setup_cmd ip -6 rule add pref 32765 from all lookup local 2335 setup_cmd ip -6 rule del pref 0 from all lookup local 2336 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2337 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2338 2339 a=${NSB_LO_IP6} 2340 run_cmd ${ping6} -c1 -w1 ${a} 2341 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2342 2343 log_start 2344 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2345 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2346 2347 a=${NSA_LO_IP6} 2348 log_start 2349 show_hint "Response lost due to ip rule" 2350 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2351 log_test_addr ${a} $? 
1 "ping in, blocked by rule" 2352 2353 setup_cmd ip -6 rule add pref 0 from all lookup local 2354 setup_cmd ip -6 rule del pref 32765 from all lookup local 2355 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2356 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2357 2358 # 2359 # route blocks reachability to remote address 2360 # 2361 log_start 2362 setup_cmd ip -6 route del ${NSB_LO_IP6} 2363 setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10 2364 setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10 2365 2366 a=${NSB_LO_IP6} 2367 run_cmd ${ping6} -c1 -w1 ${a} 2368 log_test_addr ${a} $? 2 "ping out, blocked by route" 2369 2370 log_start 2371 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2372 log_test_addr ${a} $? 2 "ping out, device bind, blocked by route" 2373 2374 a=${NSA_LO_IP6} 2375 log_start 2376 show_hint "Response lost due to ip route" 2377 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2378 log_test_addr ${a} $? 1 "ping in, blocked by route" 2379 2380 2381 # 2382 # remove 'remote' routes; fallback to default 2383 # 2384 log_start 2385 setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6} 2386 setup_cmd ip -6 ro del unreachable ${NSB_IP6} 2387 2388 a=${NSB_LO_IP6} 2389 run_cmd ${ping6} -c1 -w1 ${a} 2390 log_test_addr ${a} $? 2 "ping out, unreachable route" 2391 2392 log_start 2393 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2394 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 2395} 2396 2397ipv6_ping_vrf() 2398{ 2399 local a 2400 2401 # should default on; does not exist on older kernels 2402 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 2403 2404 # 2405 # out 2406 # 2407 for a in ${NSB_IP6} ${NSB_LO_IP6} 2408 do 2409 log_start 2410 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2411 log_test_addr ${a} $? 
0 "ping out, VRF bind" 2412 done 2413 2414 for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF} 2415 do 2416 log_start 2417 show_hint "Fails since VRF device does not support linklocal or multicast" 2418 run_cmd ${ping6} -c1 -w1 ${a} 2419 log_test_addr ${a} $? 1 "ping out, VRF bind" 2420 done 2421 2422 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2423 do 2424 log_start 2425 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2426 log_test_addr ${a} $? 0 "ping out, device bind" 2427 done 2428 2429 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2430 do 2431 log_start 2432 run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a} 2433 log_test_addr ${a} $? 0 "ping out, vrf device+address bind" 2434 done 2435 2436 # 2437 # in 2438 # 2439 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV} 2440 do 2441 log_start 2442 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2443 log_test_addr ${a} $? 0 "ping in" 2444 done 2445 2446 a=${NSA_LO_IP6} 2447 log_start 2448 show_hint "Fails since loopback address is out of VRF scope" 2449 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2450 log_test_addr ${a} $? 1 "ping in" 2451 2452 # 2453 # local traffic, local address 2454 # 2455 for a in ${NSA_IP6} ${VRF_IP6} ::1 2456 do 2457 log_start 2458 show_hint "Source address should be ${a}" 2459 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2460 log_test_addr ${a} $? 0 "ping local, VRF bind" 2461 done 2462 2463 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2464 do 2465 log_start 2466 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2467 log_test_addr ${a} $? 
0 "ping local, device bind" 2468 done 2469 2470 # LLA to GUA - remove ipv6 global addresses from ns-B 2471 setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 2472 setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo 2473 setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2474 2475 for a in ${NSA_IP6} ${VRF_IP6} 2476 do 2477 log_start 2478 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 2479 log_test_addr ${a} $? 0 "ping in, LLA to GUA" 2480 done 2481 2482 setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2483 setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} 2484 setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo 2485 2486 # 2487 # ip rule blocks address 2488 # 2489 log_start 2490 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2491 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2492 2493 a=${NSB_LO_IP6} 2494 run_cmd ${ping6} -c1 -w1 ${a} 2495 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2496 2497 log_start 2498 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2499 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2500 2501 a=${NSA_LO_IP6} 2502 log_start 2503 show_hint "Response lost due to ip rule" 2504 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2505 log_test_addr ${a} $? 1 "ping in, blocked by rule" 2506 2507 log_start 2508 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2509 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2510 2511 # 2512 # remove 'remote' routes; fallback to default 2513 # 2514 log_start 2515 setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF} 2516 2517 a=${NSB_LO_IP6} 2518 run_cmd ${ping6} -c1 -w1 ${a} 2519 log_test_addr ${a} $? 2 "ping out, unreachable route" 2520 2521 log_start 2522 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2523 log_test_addr ${a} $? 
2 "ping out, device bind, unreachable route" 2524 2525 ip -netns ${NSB} -6 ro del ${NSA_LO_IP6} 2526 a=${NSA_LO_IP6} 2527 log_start 2528 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2529 log_test_addr ${a} $? 2 "ping in, unreachable route" 2530}

# Driver for the IPv6 ping tests. Each variant (no VRF, with VRF) is run twice
# on a fresh setup: once as is and once after set_ping_group.
ipv6_ping()
{
	log_section "IPv6 ping"

	log_subsection "No VRF"
	setup
	ipv6_ping_novrf
	setup
	set_ping_group
	ipv6_ping_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_ping_vrf
	setup "yes"
	set_ping_group
	ipv6_ping_vrf
}

################################################################################
# IPv6 TCP

#
# MD5 tests without VRF
#
# TCP MD5 signature checks driven through nettest: -M sets the server-side
# password, -m the peer address or prefix that password applies to, and -X the
# password the client signs with. A connection is expected to succeed (rc 0)
# only when the client's password matches and its source address is covered by
# the configured address or prefix. Every mismatch is expected to end with
# rc 2, which the hints describe as a timeout.
#
# The passwords are passed as command-line arguments. That is acceptable for
# the fixed test values MD5_PW / MD5_WRONG_PW, but it makes them visible in
# the process list while the test runs.
#
# ipv6_tcp_novrf calls this only when fips_enabled is not "1".
ipv6_tcp_md5_novrf()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Client uses wrong password"

	# client from different address
	# (the key is configured for ${NSB_LO_IP6}; the client is given no -c
	# source address in this case)
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Prefix config, client uses wrong password"

	# client outside of prefix
	# (-c makes the client use ${NSB_LO_IP6} as its source address)
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
}

#
# MD5 tests with VRF
#
# Same matrix as ipv6_tcp_md5_novrf with the server bound to ${VRF} (-I),
# followed by cases where a server in the default VRF and a server in ${VRF}
# hold different passwords for the same peer address or prefix. Those cases
# check that a key is honoured only in the L3 domain it was configured for:
# the client started with run_cmd_nsb ("conn in VRF") must sign with MD5_PW,
# the client started with run_cmd_nsc ("conn in default VRF") must sign with
# MD5_WRONG_PW, and swapping the two passwords is expected to time out (rc 2).
#
# ipv6_tcp_vrf runs this between setup_vrf_dup and cleanup_vrf_dup, and only
# when fips_enabled is "0".
ipv6_tcp_md5()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout since server does not have MD5 auth"
	run_cmd nettest -6 -s -I ${VRF} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout since server config differs from client"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"

	# client outside of prefix
	log_start
	show_hint "Should timeout since client address is outside of prefix"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"

	#
	# duplicate config between default VRF and a VRF
	#
	# Two servers are started per case: one bound to ${VRF} with MD5_PW
	# and one unbound with MD5_WRONG_PW.
	# NOTE(review): wait_local_port_listen is called once for two
	# background servers; whether that guarantees both are listening is
	# not visible here - confirm against lib.sh.

	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"

	# cross-domain password use must not authenticate
	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"

	# same four cases with a prefix instead of a single address
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"

	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"

	#
	# negative tests
	#
	# The server runs in the foreground here: it is expected to exit with
	# rc 1 when the MD5 key is combined with -I on ${NSA_DEV}, which is not
	# a VRF device.
	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6}
	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"

	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6}
	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"

}

2766ipv6_tcp_novrf() 2767{ 2768 local a 2769 2770 # 2771 # server tests 2772 # 2773 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2774 do 2775 log_start 2776 run_cmd nettest -6 -s & 2777 wait_local_port_listen ${NSA} 12345 tcp 2778 run_cmd_nsb nettest -6 -r ${a} 2779 log_test_addr ${a} $?
0 "Global server" 2780 done 2781 2782 # verify TCP reset received 2783 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2784 do 2785 log_start 2786 show_hint "Should fail 'Connection refused'" 2787 run_cmd_nsb nettest -6 -r ${a} 2788 log_test_addr ${a} $? 1 "No server" 2789 done 2790 2791 # 2792 # client 2793 # 2794 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2795 do 2796 log_start 2797 run_cmd_nsb nettest -6 -s & 2798 wait_local_port_listen ${NSB} 12345 tcp 2799 run_cmd nettest -6 -r ${a} 2800 log_test_addr ${a} $? 0 "Client" 2801 done 2802 2803 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2804 do 2805 log_start 2806 run_cmd_nsb nettest -6 -s & 2807 wait_local_port_listen ${NSB} 12345 tcp 2808 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2809 log_test_addr ${a} $? 0 "Client, device bind" 2810 done 2811 2812 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2813 do 2814 log_start 2815 show_hint "Should fail 'Connection refused'" 2816 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2817 log_test_addr ${a} $? 1 "No server, device client" 2818 done 2819 2820 # 2821 # local address tests 2822 # 2823 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 2824 do 2825 log_start 2826 run_cmd nettest -6 -s & 2827 wait_local_port_listen ${NSA} 12345 tcp 2828 run_cmd nettest -6 -r ${a} 2829 log_test_addr ${a} $? 0 "Global server, local connection" 2830 done 2831 2832 a=${NSA_IP6} 2833 log_start 2834 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2835 wait_local_port_listen ${NSA} 12345 tcp 2836 run_cmd nettest -6 -r ${a} -0 ${a} 2837 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 2838 2839 for a in ${NSA_LO_IP6} ::1 2840 do 2841 log_start 2842 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2843 run_cmd nettest -6 -s -I ${NSA_DEV} & 2844 wait_local_port_listen ${NSA} 12345 tcp 2845 run_cmd nettest -6 -r ${a} 2846 log_test_addr ${a} $? 
1 "Device server, unbound client, local connection" 2847 done 2848 2849 a=${NSA_IP6} 2850 log_start 2851 run_cmd nettest -6 -s & 2852 wait_local_port_listen ${NSA} 12345 tcp 2853 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2854 log_test_addr ${a} $? 0 "Global server, device client, local connection" 2855 2856 for a in ${NSA_LO_IP6} ::1 2857 do 2858 log_start 2859 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2860 run_cmd nettest -6 -s & 2861 wait_local_port_listen ${NSA} 12345 tcp 2862 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2863 log_test_addr ${a} $? 1 "Global server, device client, local connection" 2864 done 2865 2866 for a in ${NSA_IP6} ${NSA_LINKIP6} 2867 do 2868 log_start 2869 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2870 wait_local_port_listen ${NSA} 12345 tcp 2871 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2872 log_test_addr ${a} $? 0 "Device server, device client, local conn" 2873 done 2874 2875 for a in ${NSA_IP6} ${NSA_LINKIP6} 2876 do 2877 log_start 2878 show_hint "Should fail 'Connection refused'" 2879 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2880 log_test_addr ${a} $? 1 "No server, device client, local conn" 2881 done 2882 2883 [ "$fips_enabled" = "1" ] || ipv6_tcp_md5_novrf 2884} 2885 2886ipv6_tcp_vrf() 2887{ 2888 local a 2889 2890 # disable global server 2891 log_subsection "Global server disabled" 2892 2893 set_sysctl net.ipv4.tcp_l3mdev_accept=0 2894 2895 # 2896 # server tests 2897 # 2898 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2899 do 2900 log_start 2901 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2902 run_cmd nettest -6 -s & 2903 wait_local_port_listen ${NSA} 12345 tcp 2904 run_cmd_nsb nettest -6 -r ${a} 2905 log_test_addr ${a} $? 
1 "Global server" 2906 done 2907 2908 for a in ${NSA_IP6} ${VRF_IP6} 2909 do 2910 log_start 2911 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2912 wait_local_port_listen ${NSA} 12345 tcp 2913 run_cmd_nsb nettest -6 -r ${a} 2914 log_test_addr ${a} $? 0 "VRF server" 2915 done 2916 2917 # link local is always bound to ingress device 2918 a=${NSA_LINKIP6}%${NSB_DEV} 2919 log_start 2920 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2921 wait_local_port_listen ${NSA} 12345 tcp 2922 run_cmd_nsb nettest -6 -r ${a} 2923 log_test_addr ${a} $? 0 "VRF server" 2924 2925 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2926 do 2927 log_start 2928 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2929 wait_local_port_listen ${NSA} 12345 tcp 2930 run_cmd_nsb nettest -6 -r ${a} 2931 log_test_addr ${a} $? 0 "Device server" 2932 done 2933 2934 # verify TCP reset received 2935 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2936 do 2937 log_start 2938 show_hint "Should fail 'Connection refused'" 2939 run_cmd_nsb nettest -6 -r ${a} 2940 log_test_addr ${a} $? 1 "No server" 2941 done 2942 2943 # local address tests 2944 a=${NSA_IP6} 2945 log_start 2946 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2947 run_cmd nettest -6 -s & 2948 wait_local_port_listen ${NSA} 12345 tcp 2949 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2950 log_test_addr ${a} $? 1 "Global server, local connection" 2951 2952 # run MD5 tests 2953 if [ "$fips_enabled" = "0" ]; then 2954 setup_vrf_dup 2955 ipv6_tcp_md5 2956 cleanup_vrf_dup 2957 fi 2958 2959 # 2960 # enable VRF global server 2961 # 2962 log_subsection "VRF Global server enabled" 2963 set_sysctl net.ipv4.tcp_l3mdev_accept=1 2964 2965 for a in ${NSA_IP6} ${VRF_IP6} 2966 do 2967 log_start 2968 run_cmd nettest -6 -s -3 ${VRF} & 2969 wait_local_port_listen ${NSA} 12345 tcp 2970 run_cmd_nsb nettest -6 -r ${a} 2971 log_test_addr ${a} $? 
0 "Global server" 2972 done 2973 2974 for a in ${NSA_IP6} ${VRF_IP6} 2975 do 2976 log_start 2977 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2978 wait_local_port_listen ${NSA} 12345 tcp 2979 run_cmd_nsb nettest -6 -r ${a} 2980 log_test_addr ${a} $? 0 "VRF server" 2981 done 2982 2983 # For LLA, child socket is bound to device 2984 a=${NSA_LINKIP6}%${NSB_DEV} 2985 log_start 2986 run_cmd nettest -6 -s -3 ${NSA_DEV} & 2987 wait_local_port_listen ${NSA} 12345 tcp 2988 run_cmd_nsb nettest -6 -r ${a} 2989 log_test_addr ${a} $? 0 "Global server" 2990 2991 log_start 2992 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2993 wait_local_port_listen ${NSA} 12345 tcp 2994 run_cmd_nsb nettest -6 -r ${a} 2995 log_test_addr ${a} $? 0 "VRF server" 2996 2997 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2998 do 2999 log_start 3000 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3001 wait_local_port_listen ${NSA} 12345 tcp 3002 run_cmd_nsb nettest -6 -r ${a} 3003 log_test_addr ${a} $? 0 "Device server" 3004 done 3005 3006 # verify TCP reset received 3007 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 3008 do 3009 log_start 3010 show_hint "Should fail 'Connection refused'" 3011 run_cmd_nsb nettest -6 -r ${a} 3012 log_test_addr ${a} $? 1 "No server" 3013 done 3014 3015 # local address tests 3016 for a in ${NSA_IP6} ${VRF_IP6} 3017 do 3018 log_start 3019 show_hint "Fails 'Connection refused' since client is not in VRF" 3020 run_cmd nettest -6 -s -I ${VRF} & 3021 wait_local_port_listen ${NSA} 12345 tcp 3022 run_cmd nettest -6 -r ${a} 3023 log_test_addr ${a} $? 1 "Global server, local connection" 3024 done 3025 3026 3027 # 3028 # client 3029 # 3030 for a in ${NSB_IP6} ${NSB_LO_IP6} 3031 do 3032 log_start 3033 run_cmd_nsb nettest -6 -s & 3034 wait_local_port_listen ${NSB} 12345 tcp 3035 run_cmd nettest -6 -r ${a} -d ${VRF} 3036 log_test_addr ${a} $? 
0 "Client, VRF bind" 3037 done 3038 3039 a=${NSB_LINKIP6} 3040 log_start 3041 show_hint "Fails since VRF device does not allow linklocal addresses" 3042 run_cmd_nsb nettest -6 -s & 3043 wait_local_port_listen ${NSB} 12345 tcp 3044 run_cmd nettest -6 -r ${a} -d ${VRF} 3045 log_test_addr ${a} $? 1 "Client, VRF bind" 3046 3047 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 3048 do 3049 log_start 3050 run_cmd_nsb nettest -6 -s & 3051 wait_local_port_listen ${NSB} 12345 tcp 3052 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 3053 log_test_addr ${a} $? 0 "Client, device bind" 3054 done 3055 3056 for a in ${NSB_IP6} ${NSB_LO_IP6} 3057 do 3058 log_start 3059 show_hint "Should fail 'Connection refused'" 3060 run_cmd nettest -6 -r ${a} -d ${VRF} 3061 log_test_addr ${a} $? 1 "No server, VRF client" 3062 done 3063 3064 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 3065 do 3066 log_start 3067 show_hint "Should fail 'Connection refused'" 3068 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 3069 log_test_addr ${a} $? 1 "No server, device client" 3070 done 3071 3072 for a in ${NSA_IP6} ${VRF_IP6} ::1 3073 do 3074 log_start 3075 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 3076 wait_local_port_listen ${NSA} 12345 tcp 3077 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 3078 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 3079 done 3080 3081 a=${NSA_IP6} 3082 log_start 3083 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 3084 wait_local_port_listen ${NSA} 12345 tcp 3085 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 3086 log_test_addr ${a} $? 0 "VRF server, device client, local connection" 3087 3088 a=${NSA_IP6} 3089 log_start 3090 show_hint "Should fail since unbound client is out of VRF scope" 3091 run_cmd nettest -6 -s -I ${VRF} & 3092 wait_local_port_listen ${NSA} 12345 tcp 3093 run_cmd nettest -6 -r ${a} 3094 log_test_addr ${a} $? 
1 "VRF server, unbound client, local connection" 3095 3096 log_start 3097 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3098 wait_local_port_listen ${NSA} 12345 tcp 3099 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 3100 log_test_addr ${a} $? 0 "Device server, VRF client, local connection" 3101 3102 for a in ${NSA_IP6} ${NSA_LINKIP6} 3103 do 3104 log_start 3105 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3106 wait_local_port_listen ${NSA} 12345 tcp 3107 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 3108 log_test_addr ${a} $? 0 "Device server, device client, local connection" 3109 done 3110} 3111 3112ipv6_tcp() 3113{ 3114 log_section "IPv6/TCP" 3115 log_subsection "No VRF" 3116 setup 3117 3118 # tcp_l3mdev_accept should have no affect without VRF; 3119 # run tests with it enabled and disabled to verify 3120 log_subsection "tcp_l3mdev_accept disabled" 3121 set_sysctl net.ipv4.tcp_l3mdev_accept=0 3122 ipv6_tcp_novrf 3123 log_subsection "tcp_l3mdev_accept enabled" 3124 set_sysctl net.ipv4.tcp_l3mdev_accept=1 3125 ipv6_tcp_novrf 3126 3127 log_subsection "With VRF" 3128 setup "yes" 3129 ipv6_tcp_vrf 3130} 3131 3132################################################################################ 3133# IPv6 UDP 3134 3135ipv6_udp_novrf() 3136{ 3137 local a 3138 3139 # 3140 # server tests 3141 # 3142 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 3143 do 3144 log_start 3145 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3146 wait_local_port_listen ${NSA} 12345 udp 3147 run_cmd_nsb nettest -6 -D -r ${a} 3148 log_test_addr ${a} $? 0 "Global server" 3149 3150 log_start 3151 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3152 wait_local_port_listen ${NSA} 12345 udp 3153 run_cmd_nsb nettest -6 -D -r ${a} 3154 log_test_addr ${a} $? 0 "Device server" 3155 done 3156 3157 a=${NSA_LO_IP6} 3158 log_start 3159 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3160 wait_local_port_listen ${NSA} 12345 udp 3161 run_cmd_nsb nettest -6 -D -r ${a} 3162 log_test_addr ${a} $? 
0 "Global server" 3163 3164 # should fail since loopback address is out of scope for a device 3165 # bound server, but it does not - hence this is more documenting 3166 # behavior. 3167 #log_start 3168 #show_hint "Should fail since loopback address is out of scope" 3169 #run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3170 wait_local_port_listen ${NSA} 12345 udp 3171 #run_cmd_nsb nettest -6 -D -r ${a} 3172 #log_test_addr ${a} $? 1 "Device server" 3173 3174 # negative test - should fail 3175 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 3176 do 3177 log_start 3178 show_hint "Should fail 'Connection refused' since there is no server" 3179 run_cmd_nsb nettest -6 -D -r ${a} 3180 log_test_addr ${a} $? 1 "No server" 3181 done 3182 3183 # 3184 # client 3185 # 3186 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 3187 do 3188 log_start 3189 run_cmd_nsb nettest -6 -D -s & 3190 wait_local_port_listen ${NSB} 12345 udp 3191 run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6} 3192 log_test_addr ${a} $? 0 "Client" 3193 3194 log_start 3195 run_cmd_nsb nettest -6 -D -s & 3196 wait_local_port_listen ${NSB} 12345 udp 3197 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6} 3198 log_test_addr ${a} $? 0 "Client, device bind" 3199 3200 log_start 3201 run_cmd_nsb nettest -6 -D -s & 3202 wait_local_port_listen ${NSB} 12345 udp 3203 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6} 3204 log_test_addr ${a} $? 0 "Client, device send via cmsg" 3205 3206 log_start 3207 run_cmd_nsb nettest -6 -D -s & 3208 wait_local_port_listen ${NSB} 12345 udp 3209 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6} 3210 log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF" 3211 3212 log_start 3213 show_hint "Should fail 'Connection refused'" 3214 run_cmd nettest -6 -D -r ${a} 3215 log_test_addr ${a} $? 
1 "No server, unbound client" 3216 3217 log_start 3218 show_hint "Should fail 'Connection refused'" 3219 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3220 log_test_addr ${a} $? 1 "No server, device client" 3221 done 3222 3223 # 3224 # local address tests 3225 # 3226 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 3227 do 3228 log_start 3229 run_cmd nettest -6 -D -s & 3230 wait_local_port_listen ${NSA} 12345 udp 3231 run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a} 3232 log_test_addr ${a} $? 0 "Global server, local connection" 3233 done 3234 3235 a=${NSA_IP6} 3236 log_start 3237 run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 3238 wait_local_port_listen ${NSA} 12345 udp 3239 run_cmd nettest -6 -D -r ${a} 3240 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 3241 3242 for a in ${NSA_LO_IP6} ::1 3243 do 3244 log_start 3245 show_hint "Should fail 'Connection refused' since address is out of device scope" 3246 run_cmd nettest -6 -s -D -I ${NSA_DEV} & 3247 wait_local_port_listen ${NSA} 12345 udp 3248 run_cmd nettest -6 -D -r ${a} 3249 log_test_addr ${a} $? 1 "Device server, local connection" 3250 done 3251 3252 a=${NSA_IP6} 3253 log_start 3254 run_cmd nettest -6 -s -D & 3255 wait_local_port_listen ${NSA} 12345 udp 3256 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3257 log_test_addr ${a} $? 0 "Global server, device client, local connection" 3258 3259 log_start 3260 run_cmd nettest -6 -s -D & 3261 wait_local_port_listen ${NSA} 12345 udp 3262 run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a} 3263 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 3264 3265 log_start 3266 run_cmd nettest -6 -s -D & 3267 wait_local_port_listen ${NSA} 12345 udp 3268 run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a} 3269 log_test_addr ${a} $? 
0 "Global server, device client via IPV6_UNICAST_IF, local connection" 3270 3271 for a in ${NSA_LO_IP6} ::1 3272 do 3273 log_start 3274 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3275 run_cmd nettest -6 -D -s & 3276 wait_local_port_listen ${NSA} 12345 udp 3277 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3278 log_test_addr ${a} $? 1 "Global server, device client, local connection" 3279 3280 log_start 3281 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3282 run_cmd nettest -6 -D -s & 3283 wait_local_port_listen ${NSA} 12345 udp 3284 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C 3285 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 3286 3287 log_start 3288 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3289 run_cmd nettest -6 -D -s & 3290 wait_local_port_listen ${NSA} 12345 udp 3291 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S 3292 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 3293 3294 log_start 3295 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3296 run_cmd nettest -6 -D -s & 3297 wait_local_port_listen ${NSA} 12345 udp 3298 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -U 3299 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()" 3300 done 3301 3302 a=${NSA_IP6} 3303 log_start 3304 run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3305 wait_local_port_listen ${NSA} 12345 udp 3306 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a} 3307 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3308 3309 log_start 3310 show_hint "Should fail 'Connection refused'" 3311 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3312 log_test_addr ${a} $? 
1 "No server, device client, local conn"

	# LLA to GUA
	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -D &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
	log_test $? 0 "UDP in - LLA to GUA"

	# restore the ns-B address removed above
	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}

# IPv6 UDP cases with the ns-A device enslaved to ${VRF}.
# Covers server and local-connection cases with udp_l3mdev_accept=0, then
# server, client, local-connection and link-local cases with it set to 1.
# Each case logs the nettest client's exit status against the expected
# value (0 = connection works, 1 = connection must fail).
ipv6_udp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		show_hint "Should fail 'Connection refused' since global server is disabled"
		run_cmd nettest -6 -D -s &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"
	done

	# negative test - should fail
	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		show_hint "Should fail 'Connection refused' since global server is disabled"
		run_cmd nettest -6 -D -s &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "Global server, VRF client, local conn"
	done

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -D -I ${VRF} -s &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
	done

	a=${NSA_IP6}
	log_start
	show_hint "Should fail 'Connection refused' since global server is disabled"
	run_cmd nettest -6 -D -s &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "Global server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"

	# enable global server: with udp_l3mdev_accept=1 an unbound ("global")
	# server is expected to accept traffic arriving through the VRF
	log_subsection "Global server enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"
	done

	# negative test - should fail
	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client tests
	#
	log_start
	run_cmd_nsb nettest -6 -D -s &
	wait_local_port_listen ${NSB} 12345 udp
	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
	log_test $? 0 "VRF client"

	# negative test - should fail
	log_start
	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
	log_test $? 1 "No server, VRF client"

	log_start
	run_cmd_nsb nettest -6 -D -s &
	wait_local_port_listen ${NSB} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
	log_test $? 0 "Enslaved device client"

	# negative test - should fail
	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
	log_test $? 1 "No server, enslaved device client"

	#
	# local address tests
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

	# NOTE(review): log_start is commented out for this case only; every
	# sibling case calls it - confirm whether that is intentional.
	#log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"


	a=${VRF_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${VRF} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"

	# negative test - should fail
	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
	done

	# device to global IP
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "No server, device client, local conn"


	# link local addresses
	log_start
	run_cmd nettest -6 -D -s &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
	log_test $? 0 "Global server, linklocal IP"

	log_start
	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
	log_test $? 1 "No server, linklocal IP"


	log_start
	run_cmd_nsb nettest -6 -D -s &
	wait_local_port_listen ${NSB} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
	log_test $? 0 "Enslaved device client, linklocal IP"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
	log_test $? 1 "No server, device client, peer linklocal IP"


	log_start
	run_cmd nettest -6 -D -s &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
	log_test $? 0 "Enslaved device client, local conn - linklocal IP"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
	log_test $? 1 "No server, device client, local conn - linklocal IP"

	# LLA to GUA: drop ns-B's global address so it reaches ns-A's global
	# address through a host route only
	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -D &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
	log_test $? 0 "UDP in - LLA to GUA"

	# restore the ns-B address removed above
	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}

# Entry point for the IPv6/UDP group: the no-VRF cases under both
# udp_l3mdev_accept settings, then the VRF cases on a fresh VRF setup.
ipv6_udp()
{
	# should not matter, but set to known state
	set_sysctl net.ipv4.udp_early_demux=1

	log_section "IPv6/UDP"
	log_subsection "No VRF"
	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv6_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv6_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_udp_vrf
}

################################################################################
# IPv6 address bind

# bind() checks without a VRF: raw and TCP sockets bound to local, nonlocal
# and out-of-device-scope addresses. Note that `a` is not declared local in
# this function, so the assignments land in the caller's scope.
ipv6_addr_bind_novrf()
{
	#
	# raw socket
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6}; do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# raw socket with nonlocal bind
	#
	# NOTE(review): this case passes "-P icmp" while the raw-socket cases
	# above pass "-P ipv6-icmp" - confirm that is intended for IPv6.
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

	#
	# tcp sockets
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? \
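0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. So this test passes
	# when it really should not
	# NOTE(review): the practical consequence is that a device bind by
	# itself does not limit which local addresses a socket may bind to.
	a=${NSA_LO_IP6}
	log_start
	show_hint "Technically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
}

# bind() checks with the ns-A device enslaved to ${VRF}: raw and TCP sockets
# bound to addresses on the device, on the VRF, on loopback (out of scope,
# expected to fail) and to a nonlocal address. `a` is not declared local in
# this function, so the assignments land in the caller's scope.
ipv6_addr_bind_vrf()
{
	#
	# raw socket
	#
	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"

	#
	# raw socket with nonlocal bind
	#
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	#
	# tcp sockets
	#
	# address on enslaved device is valid for the VRF or device in a VRF
	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not
	a=${VRF_IP6}
	log_start
	show_hint "Technically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"

}

# Entry point for the IPv6 address-bind group: no-VRF cases, then VRF cases,
# each on a fresh setup.
ipv6_addr_bind()
{
	log_section "IPv6 address binds"

	log_subsection "No VRF"
	setup
	ipv6_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_addr_bind_vrf
}

################################################################################
# IPv6 runtime tests

# Delete the VRF device while a nettest client/server pair is running.
#   $1 - description used as the test-name prefix
#   $2 - extra nettest arguments ("-6" is prepended)
# Every case is logged with rc 0 / expected 0, so a case cannot fail through
# its exit status. NOTE(review): presumably the pass criterion is that the
# delete under traffic neither hangs nor crashes the kernel - confirm.
ipv6_rt()
{
	local desc="$1"
	local varg="-6 $2"
	local with_vrf="yes"
	local proto="tcp"
	local a

	# -D selects UDP in nettest (the callers pass it for the "UDP active
	# socket" run), so wait on the matching listen table instead of always
	# polling TCP, as the UDP tests elsewhere in this file do.
	case " $2 " in
	*" -D "*) proto="udp";;
	esac

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest ${varg} -s &
		wait_local_port_listen ${NSA} 12345 ${proto}
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		# the VRF was just deleted; rebuild it for the next case
		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		wait_local_port_listen ${NSA} 12345 ${proto}
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest ${varg} -I ${NSA_DEV} -s &
		wait_local_port_listen ${NSA} 12345 ${proto}
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, enslaved device server"

		setup ${with_vrf}
	done

	#
	# client test
	#
	log_start
	run_cmd_nsb nettest ${varg} -s &
	wait_local_port_listen ${NSB} 12345 ${proto}
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	wait_local_port_listen ${NSB} 12345 ${proto}
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, enslaved device client"

	setup ${with_vrf}


	#
	# local address tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest ${varg} -s &
		wait_local_port_listen ${NSA} 12345 ${proto}
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server, VRF client"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		wait_local_port_listen ${NSA} 12345 ${proto}
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server and client"

		setup ${with_vrf}
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest ${varg} -s &
	wait_local_port_listen ${NSA} 12345 ${proto}
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, global server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${VRF} -s &
	wait_local_port_listen ${NSA} 12345 ${proto}
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
	wait_local_port_listen ${NSA} 12345 ${proto}
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, device server, device client"
}

# Delete the VRF device while a flood ping (-f) is running, once with the
# ping coming in from ns-B and once going out through the VRF. As in
# ipv6_rt, the result is logged with rc 0 / expected 0.
ipv6_ping_rt()
{
	local with_vrf="yes"
	local a

	a=${NSA_IP6}
	log_start
	run_cmd_nsb ${ping6} -f ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

	setup ${with_vrf}

	# `a` still holds ${NSA_IP6} here, so the label below is tagged with
	# the ns-A address although the ping target is ${NSB_IP6}
	log_start
	run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
	sleep 1
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

# Entry point for the IPv6 runtime group; each sub-test starts from a fresh
# VRF setup because the previous one deleted the VRF device.
ipv6_runtime()
{
	log_section "Run time tests - ipv6"

	setup "yes"
	ipv6_ping_rt

	setup "yes"
	ipv6_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv6_rt "TCP passive socket" "-i"

	setup "yes"
	ipv6_rt "UDP active socket" "-D -n -1"
}

################################################################################
# netfilter blocking connections

# With a REJECT --reject-with tcp-reset rule installed by the caller, a TCP
# connection from ns-B to each ns-A address must fail (expected rc 1).
netfilter_tcp_reset()
{
	local a

	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd nettest -s &
		wait_local_port_listen ${NSA} 12345 tcp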
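run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

# With REJECT --reject-with icmp-port-unreachable rules installed by the
# caller, a connection from ns-B to each ns-A address must fail.
#   $1 - "TCP" or "UDP"; "UDP" adds -D to the nettest command lines
netfilter_icmp()
{
	local stype="$1"
	local arg
	local proto="tcp"
	local a

	# For UDP the server shows up in the UDP listen table, so wait on that
	# one rather than on TCP (which would only ever time out).
	if [ "${stype}" = "UDP" ]; then
		arg="-D"
		proto="udp"
	fi

	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd nettest ${arg} -s &
		wait_local_port_listen ${NSA} 12345 ${proto}
		run_cmd_nsb nettest ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}

# Entry point for the IPv4 netfilter group: REJECT rules on port 12345 in the
# INPUT chain, first answering with a TCP reset, then with ICMP port
# unreachable for both TCP and UDP.
ipv4_netfilter()
{
	log_section "IPv4 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp_reset

	log_start
	log_subsection "ICMP unreachable"

	log_start
	run_cmd iptables -F
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
	run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable

	netfilter_icmp "TCP"
	netfilter_icmp "UDP"

	log_start
	# Flush through run_cmd like every other iptables call in this
	# function. A bare "iptables -F" acts on the namespace the script was
	# started from and would wipe that namespace's filter rules, which
	# this test never installed.
	# NOTE(review): run_cmd is defined outside this excerpt; presumably it
	# executes the command inside ns-A - confirm.
	run_cmd iptables -F
}

# IPv6 counterpart of netfilter_tcp_reset.
netfilter_tcp6_reset()
{
	local a

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -s &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

# IPv6 counterpart of netfilter_icmp.
#   $1 - "TCP" or "UDP"; "UDP" adds -D to the nettest command lines
netfilter_icmp6()
{
	local stype="$1"
	local arg
	local proto="tcp"
	local a

	# wait on the UDP listen table for the UDP server (see netfilter_icmp)
	if [ "${stype}" = "UDP" ]; then
		arg="-D"
		proto="udp"
	fi

	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd nettest -6 -s ${arg} &
		wait_local_port_listen ${NSA} 12345 ${proto}
		run_cmd_nsb nettest -6 ${arg} -r ${a}
		log_test_addr ${a} $? \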
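1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}

# Entry point for the IPv6 netfilter group: REJECT rules on port 12345 in the
# INPUT chain, first answering with a TCP reset, then with ICMPv6 port
# unreachable for both TCP and UDP.
ipv6_netfilter()
{
	log_section "IPv6 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp6_reset

	log_subsection "ICMP unreachable"

	log_start
	run_cmd ip6tables -F
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
	run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable

	netfilter_icmp6 "TCP"
	netfilter_icmp6 "UDP"

	log_start
	# Flush through run_cmd like every other ip6tables call in this
	# function. A bare "ip6tables -F" acts on the namespace the script was
	# started from and would wipe that namespace's filter rules, which
	# this test never installed.
	# NOTE(review): run_cmd is defined outside this excerpt; presumably it
	# executes the command inside ns-A - confirm.
	run_cmd ip6tables -F
}

################################################################################
# specific use cases

# VRF only.
# ns-A device enslaved to bridge. Verify traffic with and without
# br_netfilter module loaded. Repeat with SVI on bridge.
#
# rmmod/modprobe are run directly, and module load state is kernel-wide
# rather than per network namespace: this function unloads br_netfilter (if
# it can) and leaves it loaded on return when modprobe succeeds, regardless
# of the state it found. Keep that in mind on a machine whose own bridge
# filtering depends on the module.
use_case_br()
{
	setup "yes"

	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
	setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64

	setup_cmd ip link add br0 type bridge
	setup_cmd ip addr add dev br0 ${NSA_IP}/24
	setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad

	setup_cmd ip li set ${NSA_DEV} master br0
	setup_cmd ip li set ${NSA_DEV} up
	setup_cmd ip li set br0 up
	setup_cmd ip li set br0 vrf ${VRF}

	rmmod br_netfilter 2>/dev/null
	sleep 5 # DAD

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 ${NSA_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping in"

	# repeat with br_netfilter loaded; skipped when the module is unavailable
	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out"

		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 ${NSA_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in"
	fi

	# SVI: move the VRF membership from br0 to a VLAN device on top of it
	setup_cmd ip li set br0 nomaster
	setup_cmd ip li add br0.100 link br0 type vlan id 100
	setup_cmd ip li set br0.100 vrf ${VRF} up
	setup_cmd ip addr add dev br0.100 172.16.101.1/24
	setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad

	setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
	setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
	setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
	setup_cmd_nsb ip li set vlan100 up
	sleep 1

	rmmod br_netfilter 2>/dev/null

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 172.16.101.1
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"

	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out"

		# the two "ping in" names below carry "with br_netfilter" so
		# they no longer duplicate the names logged without the module
		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 172.16.101.1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping in"
	fi

	setup_cmd ip li del br0 2>/dev/null
	setup_cmd_nsb ip li del vlan100 2>/dev/null
}

# VRF only.
# ns-A device is connected to both ns-B and ns-C on a single VRF but only has
# LLA on the interfaces
use_case_ping_lla_multi()
{
	setup_lla_only
	# only want reply from ns-A
	setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
	setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B"

	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C"

	# cycle/flap the first ns-A interface
	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip link set ${NSA_DEV} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? \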
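0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C"

	# cycle/flap the second ns-A interface
	setup_cmd ip link set ${NSA_DEV2} down
	setup_cmd ip link set ${NSA_DEV2} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C"
}

# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully
# established with ns-B.
# The two POSTROUTING rules are removed again with matching -D commands at
# the end, so nothing is left behind in the nat table.
use_case_snat_on_vrf()
{
	setup "yes"

	local port="12345"

	run_cmd iptables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}

	run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} &
	wait_local_port_listen ${NSB} ${port} tcp
	run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port}
	log_test $? 0 "IPv4 TCP connection over VRF with SNAT"

	run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} &
	wait_local_port_listen ${NSB} ${port} tcp
	run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port}
	log_test $? 0 "IPv6 TCP connection over VRF with SNAT"

	# Cleanup
	run_cmd iptables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
}

# Entry point for the "use_cases" test set.
use_cases()
{
	log_section "Use cases"
	log_subsection "Device enslaved to bridge"
	use_case_br
	log_subsection "Ping LLA with multiple interfaces"
	use_case_ping_lla_multi
	log_subsection "SNAT on VRF"
	use_case_snat_on_vrf
}

################################################################################
# usage

# Print the option summary and the known test names to stdout.
usage()
{
	cat <<EOF
usage: ${0##*/} OPTS

	-4          IPv4 tests only
	-6          IPv6 tests only
	-t <test>   Test name/set to run
	-p          Pause on fail
	-P          Pause after each test
	-v          Be verbose

Tests:
	$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER
EOF
}

################################################################################
# main

TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter"
TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter"
TESTS_OTHER="use_cases"
# note: each TEST_ group needs a dedicated runner, e.g. fcnal-ipv4.sh

PAUSE_ON_FAIL=no
PAUSE=no

while getopts :46t:pPvh o; do
	case $o in
	4) TESTS=ipv4;;
	6) TESTS=ipv6;;
	t) TESTS=$OPTARG;;
	p) PAUSE_ON_FAIL=yes;;
	P) PAUSE=yes;;
	v) VERBOSE=1;;
	h) usage; exit 0;;
	*) usage; exit 1;;
	esac
done

# make sure we don't pause twice
[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no

#
# show user test config
#
if [ -z "$TESTS" ]; then
	TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
elif [ "$TESTS" = "ipv4" ]; then
	TESTS="$TESTS_IPV4"
elif [ "$TESTS" = "ipv6" ]; then
	TESTS="$TESTS_IPV6"
elif [ "$TESTS" = "other" ]; then
	TESTS="$TESTS_OTHER"
fi

check_gen_prog "nettest"

declare -i nfail=0
declare -i nsuccess=0

# $TESTS is left unquoted on purpose: it is a space-separated list
for t in $TESTS; do
	case $t in
	ipv4_ping|ping)		ipv4_ping;;
	ipv4_tcp|tcp)		ipv4_tcp;;
	ipv4_udp|udp)		ipv4_udp;;
	ipv4_bind|bind)		ipv4_addr_bind;;
	ipv4_runtime)		ipv4_runtime;;
	ipv4_netfilter)		ipv4_netfilter;;

	ipv6_ping|ping6)	ipv6_ping;;
	ipv6_tcp|tcp6)		ipv6_tcp;;
	ipv6_udp|udp6)		ipv6_udp;;
	ipv6_bind|bind6)	ipv6_addr_bind;;
	ipv6_runtime)		ipv6_runtime;;
	ipv6_netfilter)		ipv6_netfilter;;

	use_cases)		use_cases;;

	# setup namespaces and config, but do not run any tests
	setup)			setup; exit 0;;
	vrf_setup)		setup "yes"; exit 0;;

	# a mistyped name used to be skipped silently; say so on stderr
	*)			echo "Unknown test: ${t}" >&2;;
	esac
done

cleanup 2>/dev/null

printf "\nTests passed: %3d\n" ${nsuccess}
printf "Tests failed: %3d\n" ${nfail}

# exit status follows the kselftest convention: fail if anything failed,
# skip if nothing ran successfully, pass otherwise
if [ $nfail -ne 0 ]; then
	exit 1 # KSFT_FAIL
elif [ $nsuccess -eq 0 ]; then
	exit $ksft_skip
fi

exit 0 # KSFT_PASS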