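#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
#
# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
# for various permutations:
#   1. icmp, tcp, udp and netfilter
#   2. client, server, no-server
#   3. global address on interface
#   4. global address on 'lo'
#   5. remote and local traffic
#   6. VRF and non-VRF permutations
#
# Setup:
#                     ns-A     |     ns-B
# No VRF case:
#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
#                                                remote address
# VRF case:
#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
#
# ns-A:
#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
#       lo: 127.0.0.1/8, ::1/128
#           172.16.2.1/32, 2001:db8:2::1/128
#      red: 127.0.0.1/8, ::1/128
#           172.16.3.1/32, 2001:db8:3::1/128
#
# ns-B:
#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
#      lo2: 127.0.0.1/8, ::1/128
#           172.16.2.2/32, 2001:db8:2::2/128
#
# ns-A to ns-C connection - only for VRF and same config
# as ns-A to ns-B
#
# server / client nomenclature relative to ns-A
#
# NOTE(review): everything below drives `ip netns`, `sysctl -w` and
# `killall`, so the script is expected to run with elevated privileges on a
# disposable test machine - confirm against the selftest runner.

source lib.sh

# NOTE(review): the current directory is searched *before* the system PATH,
# presumably so the locally built nettest helper is found. Start the script
# only from a trusted build tree: an executable named ip, ping, sysctl or
# killall in $PWD would shadow the system tool for every command below.
PATH=$PWD:$PWD/tools/testing/selftests/net:$PATH

VERBOSE=0

NSA_DEV=eth1
NSA_DEV2=eth2
NSB_DEV=eth1
NSC_DEV=eth2
VRF=red
VRF_TABLE=1101

# IPv4 config
NSA_IP=172.16.1.1
NSB_IP=172.16.1.2
VRF_IP=172.16.3.1
NS_NET=172.16.1.0/24

# IPv6 config
NSA_IP6=2001:db8:1::1
NSB_IP6=2001:db8:1::2
VRF_IP6=2001:db8:3::1
NS_NET6=2001:db8:1::/120

NSA_LO_IP=172.16.2.1
NSB_LO_IP=172.16.2.2
NSA_LO_IP6=2001:db8:2::1
NSB_LO_IP6=2001:db8:2::2

# non-local addresses for freebind tests
NL_IP=172.17.1.1
NL_IP6=2001:db8:4::1

# multicast and broadcast addresses
MCAST_IP=224.0.0.1
BCAST_IP=255.255.255.255

# TCP-MD5 keys handed to the nettest server/client pairs. Fixed test
# fixtures; MD5_WRONG_PW only exists to exercise the key-mismatch paths.
MD5_PW=abc123
MD5_WRONG_PW=abc1234

MCAST=ff02::1
# set after namespace create
NSA_LINKIP6=
NSB_LINKIP6=

# Prefer a dedicated ping6 binary and fall back to ping. `command -v` is a
# shell builtin, so the lookup does not depend on which(1) being installed,
# and the explicit `||` avoids the `a && b || c` pitfall.
ping6=$(command -v ping6 2>/dev/null) || ping6=$(command -v ping)

# Check if FIPS mode is enabled
# (not consumed in this part of the file; presumably gates tests that rely
# on MD5 - TODO confirm against the callers)
if [ -f /proc/sys/crypto/fips_enabled ]; then
	fips_enabled=$(cat /proc/sys/crypto/fips_enabled)
else
	fips_enabled=0
fi

################################################################################
# utilities

# Record one test result.
#   $1 - actual return code
#   $2 - expected return code
#   $3 - test description
# Updates the global counters nsuccess / nfail, optionally pauses when
# PAUSE_ON_FAIL or PAUSE is "yes", and always ends by calling kill_procs.
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"
	local ans

	[ "${VERBOSE}" = "1" ] && echo

	# quoted so that an empty value is reported as a failure by test(1)
	# instead of changing the shape of the expression
	if [ "${rc}" -eq "${expected}" ]; then
		nsuccess=$((nsuccess+1))
		printf "TEST: %-70s [ OK ]\n" "${msg}"
	else
		nfail=$((nfail+1))
		printf "TEST: %-70s [FAIL]\n" "${msg}"
		echo " expected rc $expected; actual rc $rc"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue, 'q' to quit"
			read -r ans
			[ "$ans" = "q" ] && exit 1
		fi
	fi

	if [ "${PAUSE}" = "yes" ]; then
		echo
		echo "hit enter to continue, 'q' to quit"
		read -r ans
		[ "$ans" = "q" ] && exit 1
	fi

	kill_procs
}

# Like log_test, but appends a human readable name for the address.
#   $1 - address under test, $2 - actual rc, $3 - expected rc, $4 - description
log_test_addr()
{
	local addr=$1
	local rc=$2
	local expected=$3
	local msg="$4"
	local astr

	astr=$(addr2str "${addr}")
	# quoted so an empty rc/expected cannot shift the argument positions
	log_test "$rc" "$expected" "$msg - ${astr}"
}

# Print a banner that starts a top-level group of tests.
log_section()
{
	echo
	echo "###########################################################################"
	echo "$*"
	echo "###########################################################################"
	echo
}

# Print a smaller banner for a sub-group of tests.
log_subsection()
{
	echo
	echo "#################################################################"
	echo "$*"
	echo
}

# Called before each test case: reap leftover helpers, print a separator
# in verbose mode.
log_start()
{
	# make sure we have no test instances running
	kill_procs

	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "#######################################################"
	fi
}

# Print a message only in verbose mode.
log_debug()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "$*"
		echo
	fi
}

# Print an explanatory hint (e.g. why a failure is expected) in verbose mode.
show_hint()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo "HINT: $*"
		echo
	fi
}

# Stop any nettest / ping / ping6 helper left over from a previous test.
# NOTE(review): killall selects by process name, not by network namespace,
# so unrelated ping or nettest processes the caller may signal are stopped
# as well - another reason to run this only on a dedicated test host.
kill_procs()
{
	killall nettest ping ping6 >/dev/null 2>&1
	sleep 1
}

# Widen net.ipv4.ping_group_range to every GID so that ping can use ICMP
# datagram sockets. The sysctl is issued through NSA_CMD, i.e. inside ns-A.
set_ping_group()
{
	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${NSA_CMD} sysctl -q -w net.ipv4.ping_group_range='0 2147483647'"
	fi

	${NSA_CMD} sysctl -q -w net.ipv4.ping_group_range='0 2147483647'
}

# Run a command, capturing stdout+stderr; echo both the command line and
# its output in verbose mode. Returns the command's exit status.
# The command is executed by word-splitting "$*", so arguments must not
# contain whitespace or glob characters.
do_run_cmd()
{
	local cmd="$*"
	local out

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${cmd}"
	fi

	out=$($cmd 2>&1)
	# rc is deliberately not declared local here: callers that declare
	# their own local rc receive the value, and code outside this view
	# may read the global - not verified, so the behaviour is kept.
	rc=$?
	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		echo "$out"
	fi

	return $rc
}

# Run a command inside ns-A.
run_cmd()
{
	do_run_cmd ${NSA_CMD} $*
}

# Run a command inside ns-B.
run_cmd_nsb()
{
	do_run_cmd ${NSB_CMD} $*
}

# Run a command inside ns-C.
run_cmd_nsc()
{
	do_run_cmd ${NSC_CMD} $*
}

# Shared body of setup_cmd / setup_cmd_nsb / setup_cmd_nsc.
#   $1   - runner function (run_cmd, run_cmd_nsb or run_cmd_nsc)
#   $2.. - command line to execute
# A failing setup command is fatal: the command is shown (unless verbose
# mode already printed it) and the script exits with the command's status.
_setup_cmd_via()
{
	local runner=$1
	shift
	local cmd="$*"
	local rc
	local reply

	"${runner}" ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		# show user the command if not done so already
		if [ "$VERBOSE" = "0" ]; then
			echo "setup command: $cmd"
		fi
		echo "failed. stopping tests"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue"
			read -r reply
		fi
		exit $rc
	fi
}

# Run a mandatory setup command in ns-A; exits the script on failure.
setup_cmd()
{
	_setup_cmd_via run_cmd "$@"
}

# Run a mandatory setup command in ns-B; exits the script on failure.
setup_cmd_nsb()
{
	_setup_cmd_via run_cmd_nsb "$@"
}

# Run a mandatory setup command in ns-C; exits the script on failure.
setup_cmd_nsc()
{
	_setup_cmd_via run_cmd_nsc "$@"
}

# set sysctl values in NS-A
set_sysctl()
{
	echo "SYSCTL: $*"
	echo
	run_cmd sysctl -q -w $*
}

# get sysctl values in NS-A
get_sysctl()
{
	${NSA_CMD} sysctl -n $*
}

################################################################################
# Setup for tests

# Map an address used by the tests to the label printed in test results.
# Unrecognised addresses yield "unknown". The link-local entries only
# match once NSA_LINKIP6 / NSB_LINKIP6 have been filled in by setup.
addr2str()
{
	case "$1" in
	127.0.0.1) echo "loopback";;
	::1) echo "IPv6 loopback";;

	${BCAST_IP}) echo "broadcast";;
	${MCAST_IP}) echo "multicast";;

	${NSA_IP})	echo "ns-A IP";;
	${NSA_IP6})	echo "ns-A IPv6";;
	${NSA_LO_IP})	echo "ns-A loopback IP";;
	${NSA_LO_IP6})	echo "ns-A loopback IPv6";;
	${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;

	${NSB_IP})	echo "ns-B IP";;
	${NSB_IP6})	echo "ns-B IPv6";;
	${NSB_LO_IP})	echo "ns-B loopback IP";;
	${NSB_LO_IP6})	echo "ns-B loopback IPv6";;
	${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;

	${NL_IP})       echo "nonlocal IP";;
	${NL_IP6})      echo "nonlocal IPv6";;

	${VRF_IP})	echo "VRF IP";;
	${VRF_IP6})	echo "VRF IPv6";;

	${MCAST}%*) echo "multicast IP";;

	*) echo "unknown";;
	esac
}

# Print the fe80:: link-local address of a device, without prefix length.
#   $1 - namespace, $2 - device
# Returns 1 (and prints nothing) when no link-local address is found.
get_linklocal()
{
	local ns=$1
	local dev=$2
	local addr

	addr=$(ip -netns ${ns} -6 -br addr show dev ${dev} | \
	awk '{
		for (i = 3; i <= NF; ++i) {
			if ($i ~ /^fe80/)
				print $i
		}
	}'
	)
	# drop everything from the first "/" on, i.e. the prefix length and
	# any further addresses awk printed after it
	addr=${addr/\/*}

	[ -z "$addr" ] && return 1

	echo $addr

	return 0
}

################################################################################
# create namespaces and vrf

# Create and bring up a VRF device in a namespace.
#   $1 - namespace, $2 - VRF name, $3 - routing table id
#   $4 - IPv4 address for the VRF device, or "-" for none
#   $5 - IPv6 address for the VRF device, or "-" for none
create_vrf()
{
	local ns=$1
	local vrf=$2
	local table=$3
	local addr=$4
	local addr6=$5

	ip -netns ${ns} link add ${vrf} type vrf table ${table}
	ip -netns ${ns} link set ${vrf} up
	# high-metric unreachable defaults: lookups that miss in the VRF
	# table stop there with an error
	ip -netns ${ns} route add vrf ${vrf} unreachable default metric 8192
	ip -netns ${ns} -6 route add vrf ${vrf} unreachable default metric 8192

	ip -netns ${ns} addr add 127.0.0.1/8 dev ${vrf}
	ip -netns ${ns} -6 addr add ::1 dev ${vrf} nodad
	if [ "${addr}" != "-" ]; then
		ip -netns ${ns} addr add dev ${vrf} ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns ${ns} -6 addr add dev ${vrf} ${addr6}
	fi

	# move the "lookup local" rule from pref 0 to pref 32765 for both
	# families - presumably so the VRF rule is consulted before the local
	# table (TODO confirm against the VRF documentation)
	ip -netns ${ns} ru del pref 0
	ip -netns ${ns} ru add pref 32765 from all lookup local
	ip -netns ${ns} -6 ru del pref 0
	ip -netns ${ns} -6 ru add pref 32765 from all lookup local
}

# Configure an existing namespace: optional loopback addresses, unreachable
# default routes, and forwarding enabled for IPv4 and IPv6.
#   $1 - namespace
#   $2 - IPv4 address for lo, or "-" for none
#   $3 - IPv6 address for lo, or "-" for none
create_ns()
{
	local ns=$1
	local addr=$2
	local addr6=$3

	if [ "${addr}" != "-" ]; then
		ip -netns ${ns} addr add dev lo ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns ${ns} -6 addr add dev lo ${addr6}
	fi

	ip -netns ${ns} ro add unreachable default metric 8192
	ip -netns ${ns} -6 ro add unreachable default metric 8192

	# these sysctls are written via `ip netns exec`, i.e. inside the
	# test namespace
	ip netns exec ${ns} sysctl -qw net.ipv4.ip_forward=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.forwarding=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.forwarding=1
}

# create veth pair to connect namespaces and apply addresses.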
430connect_ns() 431{ 432 local ns1=$1 433 local ns1_dev=$2 434 local ns1_addr=$3 435 local ns1_addr6=$4 436 local ns2=$5 437 local ns2_dev=$6 438 local ns2_addr=$7 439 local ns2_addr6=$8 440 441 ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp 442 ip -netns ${ns1} li set ${ns1_dev} up 443 ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev} 444 ip -netns ${ns2} li set ${ns2_dev} up 445 446 if [ "${ns1_addr}" != "-" ]; then 447 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr} 448 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr} 449 fi 450 451 if [ "${ns1_addr6}" != "-" ]; then 452 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6} 453 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6} 454 fi 455} 456 457cleanup() 458{ 459 # explicit cleanups to check those code paths 460 ip netns | grep -q ${NSA} 461 if [ $? -eq 0 ]; then 462 ip -netns ${NSA} link delete ${VRF} 463 ip -netns ${NSA} ro flush table ${VRF_TABLE} 464 465 ip -netns ${NSA} addr flush dev ${NSA_DEV} 466 ip -netns ${NSA} -6 addr flush dev ${NSA_DEV} 467 ip -netns ${NSA} link set dev ${NSA_DEV} down 468 ip -netns ${NSA} link del dev ${NSA_DEV} 469 470 ip netns pids ${NSA} | xargs kill 2>/dev/null 471 cleanup_ns ${NSA} 472 fi 473 474 ip netns pids ${NSB} | xargs kill 2>/dev/null 475 ip netns pids ${NSC} | xargs kill 2>/dev/null 476 cleanup_ns ${NSB} ${NSC} 477} 478 479cleanup_vrf_dup() 480{ 481 ip link del ${NSA_DEV2} >/dev/null 2>&1 482 ip netns pids ${NSC} | xargs kill 2>/dev/null 483 ip netns del ${NSC} >/dev/null 2>&1 484} 485 486setup_vrf_dup() 487{ 488 # some VRF tests use ns-C which has the same config as 489 # ns-B but for a device NOT in the VRF 490 setup_ns NSC 491 NSC_CMD="ip netns exec ${NSC}" 492 create_ns ${NSC} "-" "-" 493 connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \ 494 ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 495} 496 497setup() 498{ 499 local with_vrf=${1} 500 501 # make sure we are starting with a clean slate 502 kill_procs 503 cleanup 
2>/dev/null 504 505 log_debug "Configuring network namespaces" 506 set -e 507 508 setup_ns NSA NSB 509 NSA_CMD="ip netns exec ${NSA}" 510 NSB_CMD="ip netns exec ${NSB}" 511 512 create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128 513 create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128 514 connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \ 515 ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 516 517 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 518 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 519 520 # tell ns-A how to get to remote addresses of ns-B 521 if [ "${with_vrf}" = "yes" ]; then 522 create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6} 523 524 ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF} 525 ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 526 ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 527 528 ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 529 ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 530 else 531 ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 532 ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 533 fi 534 535 536 # tell ns-B how to get to remote addresses of ns-A 537 ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 538 ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 539 540 set +e 541 542 sleep 1 543} 544 545setup_lla_only() 546{ 547 # make sure we are starting with a clean slate 548 kill_procs 549 cleanup 2>/dev/null 550 551 log_debug "Configuring network namespaces" 552 set -e 553 554 setup_ns NSA NSB NSC 555 NSA_CMD="ip netns exec ${NSA}" 556 NSB_CMD="ip netns exec ${NSB}" 557 NSC_CMD="ip netns exec ${NSC}" 558 create_ns ${NSA} "-" "-" 559 create_ns ${NSB} "-" "-" 560 create_ns ${NSC} "-" "-" 561 connect_ns ${NSA} ${NSA_DEV} "-" "-" \ 562 ${NSB} ${NSB_DEV} "-" "-" 563 connect_ns ${NSA} ${NSA_DEV2} "-" "-" \ 564 ${NSC} ${NSC_DEV} 
"-" "-" 565 566 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 567 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 568 NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV}) 569 570 create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-" 571 ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF} 572 ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF} 573 574 set +e 575 576 sleep 1 577} 578 579################################################################################ 580# IPv4 581 582ipv4_ping_novrf() 583{ 584 local a 585 586 # 587 # out 588 # 589 for a in ${NSB_IP} ${NSB_LO_IP} 590 do 591 log_start 592 run_cmd ping -c1 -w1 ${a} 593 log_test_addr ${a} $? 0 "ping out" 594 595 log_start 596 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 597 log_test_addr ${a} $? 0 "ping out, device bind" 598 599 log_start 600 run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a} 601 log_test_addr ${a} $? 0 "ping out, address bind" 602 done 603 604 # 605 # out, but don't use gateway if peer is not on link 606 # 607 a=${NSB_IP} 608 log_start 609 run_cmd ping -c 1 -w 1 -r ${a} 610 log_test_addr ${a} $? 0 "ping out (don't route), peer on link" 611 612 a=${NSB_LO_IP} 613 log_start 614 show_hint "Fails since peer is not on link" 615 run_cmd ping -c 1 -w 1 -r ${a} 616 log_test_addr ${a} $? 1 "ping out (don't route), peer not on link" 617 618 # 619 # in 620 # 621 for a in ${NSA_IP} ${NSA_LO_IP} 622 do 623 log_start 624 run_cmd_nsb ping -c1 -w1 ${a} 625 log_test_addr ${a} $? 0 "ping in" 626 done 627 628 # 629 # local traffic 630 # 631 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 632 do 633 log_start 634 run_cmd ping -c1 -w1 ${a} 635 log_test_addr ${a} $? 0 "ping local" 636 done 637 638 # 639 # local traffic, socket bound to device 640 # 641 # address on device 642 a=${NSA_IP} 643 log_start 644 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 645 log_test_addr ${a} $? 
0 "ping local, device bind" 646 647 # loopback addresses not reachable from device bind 648 # fails in a really weird way though because ipv4 special cases 649 # route lookups with oif set. 650 for a in ${NSA_LO_IP} 127.0.0.1 651 do 652 log_start 653 show_hint "Fails since address on loopback device is out of device scope" 654 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 655 log_test_addr ${a} $? 1 "ping local, device bind" 656 done 657 658 # 659 # ip rule blocks reachability to remote address 660 # 661 log_start 662 setup_cmd ip rule add pref 32765 from all lookup local 663 setup_cmd ip rule del pref 0 from all lookup local 664 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 665 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 666 667 a=${NSB_LO_IP} 668 run_cmd ping -c1 -w1 ${a} 669 log_test_addr ${a} $? 2 "ping out, blocked by rule" 670 671 # NOTE: ipv4 actually allows the lookup to fail and yet still create 672 # a viable rtable if the oif (e.g., bind to device) is set, so this 673 # case succeeds despite the rule 674 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 675 676 a=${NSA_LO_IP} 677 log_start 678 show_hint "Response generates ICMP (or arp request is ignored) due to ip rule" 679 run_cmd_nsb ping -c1 -w1 ${a} 680 log_test_addr ${a} $? 1 "ping in, blocked by rule" 681 682 [ "$VERBOSE" = "1" ] && echo 683 setup_cmd ip rule del pref 32765 from all lookup local 684 setup_cmd ip rule add pref 0 from all lookup local 685 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 686 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 687 688 # 689 # route blocks reachability to remote address 690 # 691 log_start 692 setup_cmd ip route replace unreachable ${NSB_LO_IP} 693 setup_cmd ip route replace unreachable ${NSB_IP} 694 695 a=${NSB_LO_IP} 696 run_cmd ping -c1 -w1 ${a} 697 log_test_addr ${a} $? 
2 "ping out, blocked by route" 698 699 # NOTE: ipv4 actually allows the lookup to fail and yet still create 700 # a viable rtable if the oif (e.g., bind to device) is set, so this 701 # case succeeds despite not having a route for the address 702 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 703 704 a=${NSA_LO_IP} 705 log_start 706 show_hint "Response is dropped (or arp request is ignored) due to ip route" 707 run_cmd_nsb ping -c1 -w1 ${a} 708 log_test_addr ${a} $? 1 "ping in, blocked by route" 709 710 # 711 # remove 'remote' routes; fallback to default 712 # 713 log_start 714 setup_cmd ip ro del ${NSB_LO_IP} 715 716 a=${NSB_LO_IP} 717 run_cmd ping -c1 -w1 ${a} 718 log_test_addr ${a} $? 2 "ping out, unreachable default route" 719 720 # NOTE: ipv4 actually allows the lookup to fail and yet still create 721 # a viable rtable if the oif (e.g., bind to device) is set, so this 722 # case succeeds despite not having a route for the address 723 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 724} 725 726ipv4_ping_vrf() 727{ 728 local a 729 730 # should default on; does not exist on older kernels 731 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 732 733 # 734 # out 735 # 736 for a in ${NSB_IP} ${NSB_LO_IP} 737 do 738 log_start 739 run_cmd ping -c1 -w1 -I ${VRF} ${a} 740 log_test_addr ${a} $? 0 "ping out, VRF bind" 741 742 log_start 743 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 744 log_test_addr ${a} $? 0 "ping out, device bind" 745 746 log_start 747 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a} 748 log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind" 749 750 log_start 751 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a} 752 log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind" 753 done 754 755 # 756 # in 757 # 758 for a in ${NSA_IP} ${VRF_IP} 759 do 760 log_start 761 run_cmd_nsb ping -c1 -w1 ${a} 762 log_test_addr ${a} $? 
0 "ping in" 763 done 764 765 # 766 # local traffic, local address 767 # 768 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 769 do 770 log_start 771 show_hint "Source address should be ${a}" 772 run_cmd ping -c1 -w1 -I ${VRF} ${a} 773 log_test_addr ${a} $? 0 "ping local, VRF bind" 774 done 775 776 # 777 # local traffic, socket bound to device 778 # 779 # address on device 780 a=${NSA_IP} 781 log_start 782 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 783 log_test_addr ${a} $? 0 "ping local, device bind" 784 785 # vrf device is out of scope 786 for a in ${VRF_IP} 127.0.0.1 787 do 788 log_start 789 show_hint "Fails since address on vrf device is out of device scope" 790 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 791 log_test_addr ${a} $? 2 "ping local, device bind" 792 done 793 794 # 795 # ip rule blocks address 796 # 797 log_start 798 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 799 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 800 801 a=${NSB_LO_IP} 802 run_cmd ping -c1 -w1 -I ${VRF} ${a} 803 log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule" 804 805 log_start 806 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 807 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 808 809 a=${NSA_LO_IP} 810 log_start 811 show_hint "Response lost due to ip rule" 812 run_cmd_nsb ping -c1 -w1 ${a} 813 log_test_addr ${a} $? 1 "ping in, blocked by rule" 814 815 [ "$VERBOSE" = "1" ] && echo 816 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 817 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 818 819 # 820 # remove 'remote' routes; fallback to default 821 # 822 log_start 823 setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP} 824 825 a=${NSB_LO_IP} 826 run_cmd ping -c1 -w1 -I ${VRF} ${a} 827 log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route" 828 829 log_start 830 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 831 log_test_addr ${a} $? 
2 "ping out, device bind, unreachable route" 832 833 a=${NSA_LO_IP} 834 log_start 835 show_hint "Response lost by unreachable route" 836 run_cmd_nsb ping -c1 -w1 ${a} 837 log_test_addr ${a} $? 1 "ping in, unreachable route" 838} 839 840ipv4_ping() 841{ 842 log_section "IPv4 ping" 843 844 log_subsection "No VRF" 845 setup 846 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null 847 ipv4_ping_novrf 848 setup 849 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 850 ipv4_ping_novrf 851 setup 852 set_ping_group 853 ipv4_ping_novrf 854 855 log_subsection "With VRF" 856 setup "yes" 857 ipv4_ping_vrf 858 setup "yes" 859 set_ping_group 860 ipv4_ping_vrf 861} 862 863################################################################################ 864# IPv4 TCP 865 866# 867# MD5 tests without VRF 868# 869ipv4_tcp_md5_novrf() 870{ 871 # 872 # single address 873 # 874 875 # basic use case 876 log_start 877 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 878 sleep 1 879 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 880 log_test $? 0 "MD5: Single address config" 881 882 # client sends MD5, server not configured 883 log_start 884 show_hint "Should timeout due to MD5 mismatch" 885 run_cmd nettest -s & 886 sleep 1 887 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 888 log_test $? 2 "MD5: Server no config, client uses password" 889 890 # wrong password 891 log_start 892 show_hint "Should timeout since client uses wrong password" 893 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 894 sleep 1 895 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 896 log_test $? 2 "MD5: Client uses wrong password" 897 898 # client from different address 899 log_start 900 show_hint "Should timeout due to MD5 mismatch" 901 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} & 902 sleep 1 903 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 904 log_test $? 
2 "MD5: Client address does not match address configured with password" 905 906 # 907 # MD5 extension - prefix length 908 # 909 910 # client in prefix 911 log_start 912 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 913 sleep 1 914 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 915 log_test $? 0 "MD5: Prefix config" 916 917 # client in prefix, wrong password 918 log_start 919 show_hint "Should timeout since client uses wrong password" 920 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 921 sleep 1 922 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 923 log_test $? 2 "MD5: Prefix config, client uses wrong password" 924 925 # client outside of prefix 926 log_start 927 show_hint "Should timeout due to MD5 mismatch" 928 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 929 sleep 1 930 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 931 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 932} 933 934# 935# MD5 tests with VRF 936# 937ipv4_tcp_md5() 938{ 939 # 940 # single address 941 # 942 943 # basic use case 944 log_start 945 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 946 sleep 1 947 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 948 log_test $? 0 "MD5: VRF: Single address config" 949 950 # client sends MD5, server not configured 951 log_start 952 show_hint "Should timeout since server does not have MD5 auth" 953 run_cmd nettest -s -I ${VRF} & 954 sleep 1 955 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 956 log_test $? 2 "MD5: VRF: Server no config, client uses password" 957 958 # wrong password 959 log_start 960 show_hint "Should timeout since client uses wrong password" 961 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 962 sleep 1 963 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 964 log_test $? 
2 "MD5: VRF: Client uses wrong password" 965 966 # client from different address 967 log_start 968 show_hint "Should timeout since server config differs from client" 969 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} & 970 sleep 1 971 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 972 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 973 974 # 975 # MD5 extension - prefix length 976 # 977 978 # client in prefix 979 log_start 980 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 981 sleep 1 982 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 983 log_test $? 0 "MD5: VRF: Prefix config" 984 985 # client in prefix, wrong password 986 log_start 987 show_hint "Should timeout since client uses wrong password" 988 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 989 sleep 1 990 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 991 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 992 993 # client outside of prefix 994 log_start 995 show_hint "Should timeout since client address is outside of prefix" 996 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 997 sleep 1 998 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 999 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" 1000 1001 # 1002 # duplicate config between default VRF and a VRF 1003 # 1004 1005 log_start 1006 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 1007 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 1008 sleep 1 1009 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1010 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 1011 1012 log_start 1013 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 1014 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 1015 sleep 1 1016 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1017 log_test $? 
0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 1018 1019 log_start 1020 show_hint "Should timeout since client in default VRF uses VRF password" 1021 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 1022 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 1023 sleep 1 1024 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1025 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 1026 1027 log_start 1028 show_hint "Should timeout since client in VRF uses default VRF password" 1029 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 1030 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 1031 sleep 1 1032 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1033 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 1034 1035 log_start 1036 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1037 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1038 sleep 1 1039 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1040 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 1041 1042 log_start 1043 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1044 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1045 sleep 1 1046 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1047 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 1048 1049 log_start 1050 show_hint "Should timeout since client in default VRF uses VRF password" 1051 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1052 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1053 sleep 1 1054 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1055 log_test $? 
2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 1056 1057 log_start 1058 show_hint "Should timeout since client in VRF uses default VRF password" 1059 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1060 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1061 sleep 1 1062 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1063 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 1064 1065 # 1066 # negative tests 1067 # 1068 log_start 1069 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP} 1070 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 1071 1072 log_start 1073 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET} 1074 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 1075 1076 test_ipv4_md5_vrf__vrf_server__no_bind_ifindex 1077 test_ipv4_md5_vrf__global_server__bind_ifindex0 1078} 1079 1080test_ipv4_md5_vrf__vrf_server__no_bind_ifindex() 1081{ 1082 log_start 1083 show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX" 1084 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1085 sleep 1 1086 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1087 log_test $? 0 "MD5: VRF: VRF-bound server, unbound key accepts connection" 1088 1089 log_start 1090 show_hint "Binding both the socket and the key is not required but it works" 1091 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1092 sleep 1 1093 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1094 log_test $? 
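0 "MD5: VRF: VRF-bound server, bound key accepts connection"
}

# TCP-MD5 with a global (unbound) server in the VRF setup, comparing keys
# installed with --force-bind-key-ifindex against --no-bind-key-ifindex.
# Clients connect from ns-B (run_cmd_nsb, the VRF side) and from ns-C
# (run_cmd_nsc, the non-VRF side per the test names).
# Saves tcp_l3mdev_accept, forces it to 1 for the duration and restores it.
# NOTE(review): MD5_PW is a fixed test fixture passed on the nettest command
# line; acceptable inside throwaway namespaces, not a pattern for real keys.
test_ipv4_md5_vrf__global_server__bind_ifindex0()
{
	# This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections
	local old_tcp_l3mdev_accept
	old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept)
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection"

	# restore value
	set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept"
}

# SO_DONTROUTE tests for TCP between ns-A and ns-B.
# Arguments: $1 - value written to net.ipv4.tcp_syncookies in both
#                 namespaces while the tests run
# The previous tcp_syncookies value of each namespace is saved on entry
# and written back before returning.
ipv4_tcp_dontroute()
{
	local syncookies=$1
	local nsa_syncookies
	local nsb_syncookies
	local a

	#
	# Link local connection tests (SO_DONTROUTE).
	# Connections should succeed only when the remote IP address is
	# on link (doesn't need to be routed through a gateway).
	#

	nsa_syncookies=$(ip netns exec "${NSA}" sysctl -n net.ipv4.tcp_syncookies)
	nsb_syncookies=$(ip netns exec "${NSB}" sysctl -n net.ipv4.tcp_syncookies)
	ip netns exec "${NSA}" sysctl -wq net.ipv4.tcp_syncookies=${syncookies}
	ip netns exec "${NSB}" sysctl -wq net.ipv4.tcp_syncookies=${syncookies}

	# Test with eth1 address (on link).

	a=${NSB_IP}
	log_start
	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute
	log_test_addr ${a} $? 0 "SO_DONTROUTE client, syncookies=${syncookies}"

	a=${NSB_IP}
	log_start
	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -r ${a} --server-dontroute
	log_test_addr ${a} $? 0 "SO_DONTROUTE server, syncookies=${syncookies}"

	# Test with loopback address (routed).
	#
	# The client would use the eth1 address as source IP by default.
	# Therefore, we need to use the -c option here, to force the use of the
	# routed (loopback) address as source IP (so that the server will try
	# to respond to a routed address and not a link local one).

	a=${NSB_LO_IP}
	log_start
	show_hint "Should fail 'Network is unreachable' since server is not on link"
	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -c "${NSA_LO_IP}" -r ${a} --client-dontroute
	log_test_addr ${a} $? 1 "SO_DONTROUTE client, syncookies=${syncookies}"

	a=${NSB_LO_IP}
	log_start
	show_hint "Should timeout since server cannot respond (client is not on link)"
	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -c "${NSA_LO_IP}" -r ${a} --server-dontroute
	log_test_addr ${a} $? 2 "SO_DONTROUTE server, syncookies=${syncookies}"

	ip netns exec "${NSB}" sysctl -wq net.ipv4.tcp_syncookies=${nsb_syncookies}
	ip netns exec "${NSA}" sysctl -wq net.ipv4.tcp_syncookies=${nsa_syncookies}
}

# IPv4 TCP tests without a VRF: server in ns-A, client in ns-A, and
# connections to ns-A's own addresses, each with and without device binds.
# Also runs the TCP-MD5 tests (unless FIPS mode is reported) and the
# SO_DONTROUTE tests with tcp_syncookies set to 0 and to 2.
ipv4_tcp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	# verify TCP reset sent and received
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -0 ${a} -1 ${a}
		log_test_addr ${a} $? 0 "Global server, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"

	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
		run_cmd nettest -s -I ${NSA_DEV} &
		sleep 1
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s &
	sleep 1
	run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "Global server, device client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -d ${NSA_DEV} -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local connection"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "No server, device client, local conn"

	# MD5 tests are skipped when /proc/sys/crypto/fips_enabled reads 1
	# (presumably because TCP-MD5 is not usable in FIPS mode - confirm).
	[ "$fips_enabled" = "1" ] || ipv4_tcp_md5_novrf

	# run the SO_DONTROUTE tests with tcp_syncookies=0 and tcp_syncookies=2
	ipv4_tcp_dontroute 0
	ipv4_tcp_dontroute 2
}

# IPv4 TCP tests with ns-A's device in a VRF. Runs the server, client and
# local-address cases first with net.ipv4.tcp_l3mdev_accept=0 ("global
# server disabled"), then the TCP-MD5 tests (skipped unless fips_enabled
# is 0), then again with tcp_l3mdev_accept=1.
# The sysctl is left at 1 on return.
ipv4_tcp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"

	set_sysctl net.ipv4.tcp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server"

		log_start
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		log_start
		run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Device server"

		# verify TCP reset received
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	# local address tests
	# (${VRF_IP} and 127.0.0.1 both timeout)
	a=${NSA_IP}
	log_start
	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
	run_cmd nettest -s &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV}
	log_test_addr ${a} $? 1 "Global server, local connection"

	# run MD5 tests
	if [ "$fips_enabled" = "0" ]; then
		setup_vrf_dup
		ipv4_tcp_md5
		cleanup_vrf_dup
	fi

	#
	# enable VRF global server
	#
	log_subsection "VRF Global server enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		# verify TCP reset received
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	a=${NSA_IP}
	log_start
	show_hint "client socket should be bound to device"
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	# local address tests
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Should fail 'Connection refused' since client is not bound to VRF"
		run_cmd nettest -s -I ${VRF} &
		sleep 1
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server, local connection"
	done

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${VRF}
		log_test_addr ${a} $? 0 "Client, VRF bind"

		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${VRF}
		log_test_addr ${a} $? 1 "No server, VRF client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${VRF} -3 ${VRF} &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local connection"

	log_start
	show_hint "Should fail 'No route to host' since client is out of VRF scope"
	run_cmd nettest -s -I ${VRF} &
	sleep 1
	run_cmd nettest -r ${a}
	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local connection"
}

# Entry point for the IPv4 TCP tests: runs the no-VRF tests twice (with
# tcp_l3mdev_accept 0 and 1), then rebuilds the setup with a VRF and runs
# the VRF tests.
ipv4_tcp()
{
	log_section "IPv4/TCP"
	log_subsection "No VRF"
	setup

	# tcp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "tcp_l3mdev_accept disabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=0
	ipv4_tcp_novrf
	log_subsection "tcp_l3mdev_accept enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1
	ipv4_tcp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_tcp_vrf
}

################################################################################
# IPv4 UDP

# IPv4 UDP tests (nettest -D) without a VRF: server in ns-A, client in
# ns-A with the different device-selection options, connections to ns-A's
# own addresses, and the SO_DONTROUTE client cases.
ipv4_udp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -D -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client, device send via cmsg"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} -U
		log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF, with connect()"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -0 ${a} -1 ${a}
		log_test_addr ${a} $? 0 "Global server, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -r ${a}
	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"

	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'Connection refused' since address is out of device scope"
		run_cmd nettest -s -D -I ${NSA_DEV} &
		sleep 1
		run_cmd nettest -D -r ${a}
		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -C -r ${a}
	log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"

	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -S -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection"

	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} -U
	log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"

	# IPv4 with device bind has really weird behavior - it overrides the
	# fib lookup, generates an rtable and tries to send the packet. This
	# causes failures for local traffic at different places
	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 2 "Global server, device client, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C
		log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S
		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -U
		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -D -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local conn"

	log_start
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 2 "No server, device client, local conn"

	#
	# Link local connection tests (SO_DONTROUTE).
	# Connections should succeed only when the remote IP address is
	# on link (doesn't need to be routed through a gateway).
	#

	a=${NSB_IP}
	log_start
	do_run_cmd nettest -B -D -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute
	log_test_addr ${a} $? 0 "SO_DONTROUTE client"

	a=${NSB_LO_IP}
	log_start
	show_hint "Should fail 'Network is unreachable' since server is not on link"
	do_run_cmd nettest -B -D -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute
	log_test_addr ${a} $? 1 "SO_DONTROUTE client"
}

# IPv4 UDP tests with ns-A's device in a VRF. Runs the server and local
# cases with net.ipv4.udp_l3mdev_accept=0, then the server, client and
# local cases with udp_l3mdev_accept=1. The sysctl is left at 1 on return.
ipv4_udp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Fails because ingress is in a VRF and global server is disabled"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "Global server"

		log_start
		run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		log_start
		run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server"

		log_start
		show_hint "Should fail 'Connection refused' since global server is out of scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "Global server, VRF client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection"

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"

	# enable global server
	log_subsection "Global server enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		log_start
		run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client tests
	#
	log_start
	run_cmd_nsb nettest -D -s &
	sleep 1
	run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP}
	log_test $? 0 "VRF client"

	log_start
	run_cmd_nsb nettest -D -s &
	sleep 1
	run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP}
	log_test $? 0 "Enslaved device client"

	# negative test - should fail
	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -D -d ${VRF} -r ${NSB_IP}
	log_test $? 1 "No server, VRF client"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP}
	log_test $? 1 "No server, enslaved device client"

	#
	# local address tests
	#
	a=${NSA_IP}
	log_start
	run_cmd nettest -D -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"

	for a in ${VRF_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -D -s -3 ${VRF} &
		sleep 1
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
	done

	for a in ${VRF_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -s -D -I ${VRF} -3 ${VRF} &
		sleep 1
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
	done

	# negative test - should fail
	# verifies ECONNREFUSED
	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
	done
}

# Entry point for the IPv4 UDP tests: runs the no-VRF tests twice (with
# udp_l3mdev_accept 0 and 1), then rebuilds the setup with a VRF and runs
# the VRF tests.
ipv4_udp()
{
	log_section "IPv4/UDP"
	log_subsection "No VRF"

	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv4_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv4_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_udp_vrf
}

################################################################################
# IPv4 address bind
#
# verifies ability or inability to bind to an address / device

# Bind tests without a VRF: raw, TCP and ICMP sockets binding to local,
# nonlocal (nettest -f), broadcast and multicast addresses in ns-A.
ipv4_addr_bind_novrf()
{
	# keep the address variable out of the global scope, like the
	# other test functions do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# tests for nonlocal bind
	#
	a=${NL_IP}
	log_start
	run_cmd nettest -s -R -f -l ${a} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

	log_start
	run_cmd nettest -s -f -l ${a} -b
	log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address"

	log_start
	run_cmd nettest -s -D -P icmp -f -l ${a} -b
	log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address"

	#
	# check that ICMP sockets cannot bind to broadcast and multicast addresses
	#
	a=${BCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address"

	a=${MCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to multicast address"

	#
	# tcp sockets
	#
	a=${NSA_IP}
	log_start
	run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not
	#a=${NSA_LO_IP}
	#log_start
	#show_hint "Should fail with 'Cannot assign requested address'"
	#run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
	#log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
}

# Bind tests with ns-A's device in a VRF: the same socket types as the
# no-VRF variant, bound after a device or VRF bind, plus the cases where
# an address on loopback is out of scope for the VRF.
ipv4_addr_bind_vrf()
{
	# keep the address variable out of the global scope, like the
	# other test functions do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Socket not bound to VRF, but address is in VRF"
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 1 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind"

	#
	# tests for nonlocal bind
	#
	a=${NL_IP}
	log_start
	run_cmd nettest -s -R -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	log_start
	run_cmd nettest -s -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address after VRF bind"

	log_start
	run_cmd nettest -s -D -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address after VRF bind"

	#
	# check that ICMP sockets cannot bind to broadcast and multicast addresses
	#
	a=${BCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address after VRF bind"

	a=${MCAST_IP}
	log_start
	run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "ICMP socket bind to multicast address after VRF bind"

	#
	# tcp sockets
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address"

		log_start
		run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
}

# Entry point for the IPv4 bind tests: no-VRF setup first, then the VRF
# setup; set_ping_group is called after each setup, before the tests run.
ipv4_addr_bind()
{
	log_section "IPv4 address binds"

	log_subsection "No VRF"
	setup
	set_ping_group
	ipv4_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	set_ping_group
	ipv4_addr_bind_vrf
}

################################################################################
# IPv4 runtime tests

# Deletes the VRF device while nettest server/client pairs are running.
# Arguments: $1 - description used as the prefix of each test name
#            $2 - extra nettest arguments; expanded unquoted on purpose so
#                 that a value such as "-n -1" splits into separate words
# Every case calls log_test_addr with rc 0 and expected 0, so it is always
# recorded as OK; presumably the point is that the delete itself does not
# hang or crash the kernel. The setup is rebuilt with the VRF after each
# case except the last one.
ipv4_rt()
{
	local desc="$1"
	local varg="$2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -s -I ${VRF} &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest ${varg} -s -I ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest ${varg} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device server"

	setup ${with_vrf}

	#
	# client test
	#
	# NOTE(review): the two client cases connect to ${NSB_IP} but are
	# logged under ${a}, which still holds ${NSA_IP} here.
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device client"

	setup ${with_vrf}

	#
	# local address tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local"

		setup ${with_vrf}
	done

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server and client, local"

		setup ${with_vrf}
	done

	a=${NSA_IP}
	log_start

	run_cmd nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${VRF} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local"
}

# Deletes the VRF device while a flood ping (ping -f) is running, first
# inbound from ns-B and then outbound from the VRF. As in ipv4_rt, the
# result is logged with rc 0 / expected 0.
ipv4_ping_rt()
{
	local with_vrf="yes"
	local a

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd_nsb ping -f ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

		setup ${with_vrf}
	done

	a=${NSB_IP}
	log_start
	run_cmd ping -f -I ${VRF} ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

# Entry point for the IPv4 runtime tests; rebuilds the VRF setup before
# each group because every group ends with the VRF device deleted.
ipv4_runtime()
{
	log_section "Run time tests - ipv4"

	setup "yes"
	ipv4_ping_rt

	setup "yes"
	ipv4_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv4_rt "TCP passive socket" "-i"
}

################################################################################
# IPv6

# IPv6 ping tests without a VRF: outbound, inbound and local traffic,
# then the same destinations blocked by ip rules and by unreachable
# routes. The rules added for the "blocked by rule" cases are removed
# again; the route changes are only partially undone (the unreachable
# routes are deleted, the original ${NSB_LO_IP6} route is not re-added).
ipv6_ping_novrf()
{
	local a

	# should not have an impact, but make a known state
	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping out"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a}
		log_test_addr ${a} $? 0 "ping out, loopback address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
	do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	#
	# local traffic, local address
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping local, no bind"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping local, device bind"
	done

	for a in ${NSA_LO_IP6} ::1
	do
		log_start
		show_hint "Fails since address on loopback is out of device scope"
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 2 "ping local, device bind"
	done

	#
	# ip rule blocks address
	#
	log_start
	setup_cmd ip -6 rule add pref 32765 from all lookup local
	setup_cmd ip -6 rule del pref 0 from all lookup local
	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by rule"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	# undo the rule changes made above
	setup_cmd ip -6 rule add pref 0 from all lookup local
	setup_cmd ip -6 rule del pref 32765 from all lookup local
	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit

	#
	# route blocks reachability to remote address
	#
	log_start
	setup_cmd ip -6 route del ${NSB_LO_IP6}
	setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10
	setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by route"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Response lost due to ip route"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by route"

	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6}
	setup_cmd ip -6 ro del unreachable ${NSB_IP6}

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, unreachable route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
}

ipv6_ping_vrf()
{
	local a

	# should default on; does not exist on older kernels
	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping out, VRF bind"
	done

	for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF}
	do
		log_start
		show_hint "Fails since VRF device does not support linklocal or multicast"
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 1 "ping out, VRF bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
	do
		log_start
		run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a}
		log_test_addr ${a} $? 0 "ping out, vrf device+address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
	do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	a=${NSA_LO_IP6}
	log_start
	show_hint "Fails since loopback address is out of VRF scope"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in"

	#
	# local traffic, local address
	#
	for a in ${NSA_IP6} ${VRF_IP6} ::1
	do
		log_start
		show_hint "Source address should be ${a}"
		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping local, VRF bind"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $?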
0 "ping local, device bind" 2466 done 2467 2468 # LLA to GUA - remove ipv6 global addresses from ns-B 2469 setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 2470 setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo 2471 setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2472 2473 for a in ${NSA_IP6} ${VRF_IP6} 2474 do 2475 log_start 2476 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 2477 log_test_addr ${a} $? 0 "ping in, LLA to GUA" 2478 done 2479 2480 setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2481 setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} 2482 setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo 2483 2484 # 2485 # ip rule blocks address 2486 # 2487 log_start 2488 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2489 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2490 2491 a=${NSB_LO_IP6} 2492 run_cmd ${ping6} -c1 -w1 ${a} 2493 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2494 2495 log_start 2496 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2497 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2498 2499 a=${NSA_LO_IP6} 2500 log_start 2501 show_hint "Response lost due to ip rule" 2502 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2503 log_test_addr ${a} $? 1 "ping in, blocked by rule" 2504 2505 log_start 2506 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2507 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2508 2509 # 2510 # remove 'remote' routes; fallback to default 2511 # 2512 log_start 2513 setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF} 2514 2515 a=${NSB_LO_IP6} 2516 run_cmd ${ping6} -c1 -w1 ${a} 2517 log_test_addr ${a} $? 2 "ping out, unreachable route" 2518 2519 log_start 2520 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2521 log_test_addr ${a} $? 
2 "ping out, device bind, unreachable route" 2522 2523 ip -netns ${NSB} -6 ro del ${NSA_LO_IP6} 2524 a=${NSA_LO_IP6} 2525 log_start 2526 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2527 log_test_addr ${a} $? 2 "ping in, unreachable route" 2528} 2529 2530ipv6_ping() 2531{ 2532 log_section "IPv6 ping" 2533 2534 log_subsection "No VRF" 2535 setup 2536 ipv6_ping_novrf 2537 setup 2538 set_ping_group 2539 ipv6_ping_novrf 2540 2541 log_subsection "With VRF" 2542 setup "yes" 2543 ipv6_ping_vrf 2544 setup "yes" 2545 set_ping_group 2546 ipv6_ping_vrf 2547} 2548 2549################################################################################ 2550# IPv6 TCP 2551 2552# 2553# MD5 tests without VRF 2554# 2555ipv6_tcp_md5_novrf() 2556{ 2557 # 2558 # single address 2559 # 2560 2561 # basic use case 2562 log_start 2563 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} & 2564 sleep 1 2565 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2566 log_test $? 0 "MD5: Single address config" 2567 2568 # client sends MD5, server not configured 2569 log_start 2570 show_hint "Should timeout due to MD5 mismatch" 2571 run_cmd nettest -6 -s & 2572 sleep 1 2573 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2574 log_test $? 2 "MD5: Server no config, client uses password" 2575 2576 # wrong password 2577 log_start 2578 show_hint "Should timeout since client uses wrong password" 2579 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} & 2580 sleep 1 2581 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2582 log_test $? 2 "MD5: Client uses wrong password" 2583 2584 # client from different address 2585 log_start 2586 show_hint "Should timeout due to MD5 mismatch" 2587 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} & 2588 sleep 1 2589 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2590 log_test $? 
2 "MD5: Client address does not match address configured with password" 2591 2592 # 2593 # MD5 extension - prefix length 2594 # 2595 2596 # client in prefix 2597 log_start 2598 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2599 sleep 1 2600 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2601 log_test $? 0 "MD5: Prefix config" 2602 2603 # client in prefix, wrong password 2604 log_start 2605 show_hint "Should timeout since client uses wrong password" 2606 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2607 sleep 1 2608 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2609 log_test $? 2 "MD5: Prefix config, client uses wrong password" 2610 2611 # client outside of prefix 2612 log_start 2613 show_hint "Should timeout due to MD5 mismatch" 2614 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2615 sleep 1 2616 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW} 2617 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 2618} 2619 2620# 2621# MD5 tests with VRF 2622# 2623ipv6_tcp_md5() 2624{ 2625 # 2626 # single address 2627 # 2628 2629 # basic use case 2630 log_start 2631 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2632 sleep 1 2633 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2634 log_test $? 0 "MD5: VRF: Single address config" 2635 2636 # client sends MD5, server not configured 2637 log_start 2638 show_hint "Should timeout since server does not have MD5 auth" 2639 run_cmd nettest -6 -s -I ${VRF} & 2640 sleep 1 2641 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2642 log_test $? 2 "MD5: VRF: Server no config, client uses password" 2643 2644 # wrong password 2645 log_start 2646 show_hint "Should timeout since client uses wrong password" 2647 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2648 sleep 1 2649 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2650 log_test $? 
2 "MD5: VRF: Client uses wrong password" 2651 2652 # client from different address 2653 log_start 2654 show_hint "Should timeout since server config differs from client" 2655 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} & 2656 sleep 1 2657 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2658 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 2659 2660 # 2661 # MD5 extension - prefix length 2662 # 2663 2664 # client in prefix 2665 log_start 2666 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2667 sleep 1 2668 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2669 log_test $? 0 "MD5: VRF: Prefix config" 2670 2671 # client in prefix, wrong password 2672 log_start 2673 show_hint "Should timeout since client uses wrong password" 2674 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2675 sleep 1 2676 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2677 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 2678 2679 # client outside of prefix 2680 log_start 2681 show_hint "Should timeout since client address is outside of prefix" 2682 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2683 sleep 1 2684 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW} 2685 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" 2686 2687 # 2688 # duplicate config between default VRF and a VRF 2689 # 2690 2691 log_start 2692 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2693 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2694 sleep 1 2695 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2696 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 2697 2698 log_start 2699 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2700 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2701 sleep 1 2702 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2703 log_test $? 
0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 2704 2705 log_start 2706 show_hint "Should timeout since client in default VRF uses VRF password" 2707 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2708 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2709 sleep 1 2710 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2711 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 2712 2713 log_start 2714 show_hint "Should timeout since client in VRF uses default VRF password" 2715 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2716 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2717 sleep 1 2718 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2719 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 2720 2721 log_start 2722 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2723 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2724 sleep 1 2725 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2726 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 2727 2728 log_start 2729 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2730 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2731 sleep 1 2732 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2733 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 2734 2735 log_start 2736 show_hint "Should timeout since client in default VRF uses VRF password" 2737 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2738 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2739 sleep 1 2740 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2741 log_test $? 
2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 2742 2743 log_start 2744 show_hint "Should timeout since client in VRF uses default VRF password" 2745 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2746 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2747 sleep 1 2748 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2749 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 2750 2751 # 2752 # negative tests 2753 # 2754 log_start 2755 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6} 2756 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 2757 2758 log_start 2759 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6} 2760 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 2761 2762} 2763 2764ipv6_tcp_novrf() 2765{ 2766 local a 2767 2768 # 2769 # server tests 2770 # 2771 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2772 do 2773 log_start 2774 run_cmd nettest -6 -s & 2775 sleep 1 2776 run_cmd_nsb nettest -6 -r ${a} 2777 log_test_addr ${a} $? 0 "Global server" 2778 done 2779 2780 # verify TCP reset received 2781 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2782 do 2783 log_start 2784 show_hint "Should fail 'Connection refused'" 2785 run_cmd_nsb nettest -6 -r ${a} 2786 log_test_addr ${a} $? 1 "No server" 2787 done 2788 2789 # 2790 # client 2791 # 2792 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2793 do 2794 log_start 2795 run_cmd_nsb nettest -6 -s & 2796 sleep 1 2797 run_cmd nettest -6 -r ${a} 2798 log_test_addr ${a} $? 0 "Client" 2799 done 2800 2801 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2802 do 2803 log_start 2804 run_cmd_nsb nettest -6 -s & 2805 sleep 1 2806 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2807 log_test_addr ${a} $? 
0 "Client, device bind" 2808 done 2809 2810 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2811 do 2812 log_start 2813 show_hint "Should fail 'Connection refused'" 2814 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2815 log_test_addr ${a} $? 1 "No server, device client" 2816 done 2817 2818 # 2819 # local address tests 2820 # 2821 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 2822 do 2823 log_start 2824 run_cmd nettest -6 -s & 2825 sleep 1 2826 run_cmd nettest -6 -r ${a} 2827 log_test_addr ${a} $? 0 "Global server, local connection" 2828 done 2829 2830 a=${NSA_IP6} 2831 log_start 2832 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2833 sleep 1 2834 run_cmd nettest -6 -r ${a} -0 ${a} 2835 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 2836 2837 for a in ${NSA_LO_IP6} ::1 2838 do 2839 log_start 2840 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2841 run_cmd nettest -6 -s -I ${NSA_DEV} & 2842 sleep 1 2843 run_cmd nettest -6 -r ${a} 2844 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 2845 done 2846 2847 a=${NSA_IP6} 2848 log_start 2849 run_cmd nettest -6 -s & 2850 sleep 1 2851 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2852 log_test_addr ${a} $? 0 "Global server, device client, local connection" 2853 2854 for a in ${NSA_LO_IP6} ::1 2855 do 2856 log_start 2857 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2858 run_cmd nettest -6 -s & 2859 sleep 1 2860 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2861 log_test_addr ${a} $? 1 "Global server, device client, local connection" 2862 done 2863 2864 for a in ${NSA_IP6} ${NSA_LINKIP6} 2865 do 2866 log_start 2867 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2868 sleep 1 2869 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2870 log_test_addr ${a} $? 
0 "Device server, device client, local conn" 2871 done 2872 2873 for a in ${NSA_IP6} ${NSA_LINKIP6} 2874 do 2875 log_start 2876 show_hint "Should fail 'Connection refused'" 2877 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2878 log_test_addr ${a} $? 1 "No server, device client, local conn" 2879 done 2880 2881 [ "$fips_enabled" = "1" ] || ipv6_tcp_md5_novrf 2882} 2883 2884ipv6_tcp_vrf() 2885{ 2886 local a 2887 2888 # disable global server 2889 log_subsection "Global server disabled" 2890 2891 set_sysctl net.ipv4.tcp_l3mdev_accept=0 2892 2893 # 2894 # server tests 2895 # 2896 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2897 do 2898 log_start 2899 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2900 run_cmd nettest -6 -s & 2901 sleep 1 2902 run_cmd_nsb nettest -6 -r ${a} 2903 log_test_addr ${a} $? 1 "Global server" 2904 done 2905 2906 for a in ${NSA_IP6} ${VRF_IP6} 2907 do 2908 log_start 2909 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2910 sleep 1 2911 run_cmd_nsb nettest -6 -r ${a} 2912 log_test_addr ${a} $? 0 "VRF server" 2913 done 2914 2915 # link local is always bound to ingress device 2916 a=${NSA_LINKIP6}%${NSB_DEV} 2917 log_start 2918 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2919 sleep 1 2920 run_cmd_nsb nettest -6 -r ${a} 2921 log_test_addr ${a} $? 0 "VRF server" 2922 2923 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2924 do 2925 log_start 2926 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2927 sleep 1 2928 run_cmd_nsb nettest -6 -r ${a} 2929 log_test_addr ${a} $? 0 "Device server" 2930 done 2931 2932 # verify TCP reset received 2933 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2934 do 2935 log_start 2936 show_hint "Should fail 'Connection refused'" 2937 run_cmd_nsb nettest -6 -r ${a} 2938 log_test_addr ${a} $? 
1 "No server" 2939 done 2940 2941 # local address tests 2942 a=${NSA_IP6} 2943 log_start 2944 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2945 run_cmd nettest -6 -s & 2946 sleep 1 2947 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2948 log_test_addr ${a} $? 1 "Global server, local connection" 2949 2950 # run MD5 tests 2951 if [ "$fips_enabled" = "0" ]; then 2952 setup_vrf_dup 2953 ipv6_tcp_md5 2954 cleanup_vrf_dup 2955 fi 2956 2957 # 2958 # enable VRF global server 2959 # 2960 log_subsection "VRF Global server enabled" 2961 set_sysctl net.ipv4.tcp_l3mdev_accept=1 2962 2963 for a in ${NSA_IP6} ${VRF_IP6} 2964 do 2965 log_start 2966 run_cmd nettest -6 -s -3 ${VRF} & 2967 sleep 1 2968 run_cmd_nsb nettest -6 -r ${a} 2969 log_test_addr ${a} $? 0 "Global server" 2970 done 2971 2972 for a in ${NSA_IP6} ${VRF_IP6} 2973 do 2974 log_start 2975 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2976 sleep 1 2977 run_cmd_nsb nettest -6 -r ${a} 2978 log_test_addr ${a} $? 0 "VRF server" 2979 done 2980 2981 # For LLA, child socket is bound to device 2982 a=${NSA_LINKIP6}%${NSB_DEV} 2983 log_start 2984 run_cmd nettest -6 -s -3 ${NSA_DEV} & 2985 sleep 1 2986 run_cmd_nsb nettest -6 -r ${a} 2987 log_test_addr ${a} $? 0 "Global server" 2988 2989 log_start 2990 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2991 sleep 1 2992 run_cmd_nsb nettest -6 -r ${a} 2993 log_test_addr ${a} $? 0 "VRF server" 2994 2995 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2996 do 2997 log_start 2998 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2999 sleep 1 3000 run_cmd_nsb nettest -6 -r ${a} 3001 log_test_addr ${a} $? 0 "Device server" 3002 done 3003 3004 # verify TCP reset received 3005 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 3006 do 3007 log_start 3008 show_hint "Should fail 'Connection refused'" 3009 run_cmd_nsb nettest -6 -r ${a} 3010 log_test_addr ${a} $? 
1 "No server" 3011 done 3012 3013 # local address tests 3014 for a in ${NSA_IP6} ${VRF_IP6} 3015 do 3016 log_start 3017 show_hint "Fails 'Connection refused' since client is not in VRF" 3018 run_cmd nettest -6 -s -I ${VRF} & 3019 sleep 1 3020 run_cmd nettest -6 -r ${a} 3021 log_test_addr ${a} $? 1 "Global server, local connection" 3022 done 3023 3024 3025 # 3026 # client 3027 # 3028 for a in ${NSB_IP6} ${NSB_LO_IP6} 3029 do 3030 log_start 3031 run_cmd_nsb nettest -6 -s & 3032 sleep 1 3033 run_cmd nettest -6 -r ${a} -d ${VRF} 3034 log_test_addr ${a} $? 0 "Client, VRF bind" 3035 done 3036 3037 a=${NSB_LINKIP6} 3038 log_start 3039 show_hint "Fails since VRF device does not allow linklocal addresses" 3040 run_cmd_nsb nettest -6 -s & 3041 sleep 1 3042 run_cmd nettest -6 -r ${a} -d ${VRF} 3043 log_test_addr ${a} $? 1 "Client, VRF bind" 3044 3045 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 3046 do 3047 log_start 3048 run_cmd_nsb nettest -6 -s & 3049 sleep 1 3050 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 3051 log_test_addr ${a} $? 0 "Client, device bind" 3052 done 3053 3054 for a in ${NSB_IP6} ${NSB_LO_IP6} 3055 do 3056 log_start 3057 show_hint "Should fail 'Connection refused'" 3058 run_cmd nettest -6 -r ${a} -d ${VRF} 3059 log_test_addr ${a} $? 1 "No server, VRF client" 3060 done 3061 3062 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 3063 do 3064 log_start 3065 show_hint "Should fail 'Connection refused'" 3066 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 3067 log_test_addr ${a} $? 1 "No server, device client" 3068 done 3069 3070 for a in ${NSA_IP6} ${VRF_IP6} ::1 3071 do 3072 log_start 3073 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 3074 sleep 1 3075 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 3076 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 3077 done 3078 3079 a=${NSA_IP6} 3080 log_start 3081 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 3082 sleep 1 3083 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 3084 log_test_addr ${a} $? 
0 "VRF server, device client, local connection" 3085 3086 a=${NSA_IP6} 3087 log_start 3088 show_hint "Should fail since unbound client is out of VRF scope" 3089 run_cmd nettest -6 -s -I ${VRF} & 3090 sleep 1 3091 run_cmd nettest -6 -r ${a} 3092 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection" 3093 3094 log_start 3095 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3096 sleep 1 3097 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 3098 log_test_addr ${a} $? 0 "Device server, VRF client, local connection" 3099 3100 for a in ${NSA_IP6} ${NSA_LINKIP6} 3101 do 3102 log_start 3103 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3104 sleep 1 3105 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 3106 log_test_addr ${a} $? 0 "Device server, device client, local connection" 3107 done 3108} 3109 3110ipv6_tcp() 3111{ 3112 log_section "IPv6/TCP" 3113 log_subsection "No VRF" 3114 setup 3115 3116 # tcp_l3mdev_accept should have no affect without VRF; 3117 # run tests with it enabled and disabled to verify 3118 log_subsection "tcp_l3mdev_accept disabled" 3119 set_sysctl net.ipv4.tcp_l3mdev_accept=0 3120 ipv6_tcp_novrf 3121 log_subsection "tcp_l3mdev_accept enabled" 3122 set_sysctl net.ipv4.tcp_l3mdev_accept=1 3123 ipv6_tcp_novrf 3124 3125 log_subsection "With VRF" 3126 setup "yes" 3127 ipv6_tcp_vrf 3128} 3129 3130################################################################################ 3131# IPv6 UDP 3132 3133ipv6_udp_novrf() 3134{ 3135 local a 3136 3137 # 3138 # server tests 3139 # 3140 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 3141 do 3142 log_start 3143 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3144 sleep 1 3145 run_cmd_nsb nettest -6 -D -r ${a} 3146 log_test_addr ${a} $? 0 "Global server" 3147 3148 log_start 3149 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3150 sleep 1 3151 run_cmd_nsb nettest -6 -D -r ${a} 3152 log_test_addr ${a} $? 
0 "Device server" 3153 done 3154 3155 a=${NSA_LO_IP6} 3156 log_start 3157 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3158 sleep 1 3159 run_cmd_nsb nettest -6 -D -r ${a} 3160 log_test_addr ${a} $? 0 "Global server" 3161 3162 # should fail since loopback address is out of scope for a device 3163 # bound server, but it does not - hence this is more documenting 3164 # behavior. 3165 #log_start 3166 #show_hint "Should fail since loopback address is out of scope" 3167 #run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3168 #sleep 1 3169 #run_cmd_nsb nettest -6 -D -r ${a} 3170 #log_test_addr ${a} $? 1 "Device server" 3171 3172 # negative test - should fail 3173 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 3174 do 3175 log_start 3176 show_hint "Should fail 'Connection refused' since there is no server" 3177 run_cmd_nsb nettest -6 -D -r ${a} 3178 log_test_addr ${a} $? 1 "No server" 3179 done 3180 3181 # 3182 # client 3183 # 3184 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 3185 do 3186 log_start 3187 run_cmd_nsb nettest -6 -D -s & 3188 sleep 1 3189 run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6} 3190 log_test_addr ${a} $? 0 "Client" 3191 3192 log_start 3193 run_cmd_nsb nettest -6 -D -s & 3194 sleep 1 3195 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6} 3196 log_test_addr ${a} $? 0 "Client, device bind" 3197 3198 log_start 3199 run_cmd_nsb nettest -6 -D -s & 3200 sleep 1 3201 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6} 3202 log_test_addr ${a} $? 0 "Client, device send via cmsg" 3203 3204 log_start 3205 run_cmd_nsb nettest -6 -D -s & 3206 sleep 1 3207 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6} 3208 log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF" 3209 3210 log_start 3211 show_hint "Should fail 'Connection refused'" 3212 run_cmd nettest -6 -D -r ${a} 3213 log_test_addr ${a} $? 
1 "No server, unbound client" 3214 3215 log_start 3216 show_hint "Should fail 'Connection refused'" 3217 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3218 log_test_addr ${a} $? 1 "No server, device client" 3219 done 3220 3221 # 3222 # local address tests 3223 # 3224 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 3225 do 3226 log_start 3227 run_cmd nettest -6 -D -s & 3228 sleep 1 3229 run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a} 3230 log_test_addr ${a} $? 0 "Global server, local connection" 3231 done 3232 3233 a=${NSA_IP6} 3234 log_start 3235 run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 3236 sleep 1 3237 run_cmd nettest -6 -D -r ${a} 3238 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 3239 3240 for a in ${NSA_LO_IP6} ::1 3241 do 3242 log_start 3243 show_hint "Should fail 'Connection refused' since address is out of device scope" 3244 run_cmd nettest -6 -s -D -I ${NSA_DEV} & 3245 sleep 1 3246 run_cmd nettest -6 -D -r ${a} 3247 log_test_addr ${a} $? 1 "Device server, local connection" 3248 done 3249 3250 a=${NSA_IP6} 3251 log_start 3252 run_cmd nettest -6 -s -D & 3253 sleep 1 3254 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3255 log_test_addr ${a} $? 0 "Global server, device client, local connection" 3256 3257 log_start 3258 run_cmd nettest -6 -s -D & 3259 sleep 1 3260 run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a} 3261 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 3262 3263 log_start 3264 run_cmd nettest -6 -s -D & 3265 sleep 1 3266 run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a} 3267 log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection" 3268 3269 for a in ${NSA_LO_IP6} ::1 3270 do 3271 log_start 3272 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3273 run_cmd nettest -6 -D -s & 3274 sleep 1 3275 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3276 log_test_addr ${a} $? 
1 "Global server, device client, local connection" 3277 3278 log_start 3279 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3280 run_cmd nettest -6 -D -s & 3281 sleep 1 3282 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C 3283 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 3284 3285 log_start 3286 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3287 run_cmd nettest -6 -D -s & 3288 sleep 1 3289 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S 3290 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 3291 3292 log_start 3293 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3294 run_cmd nettest -6 -D -s & 3295 sleep 1 3296 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -U 3297 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()" 3298 done 3299 3300 a=${NSA_IP6} 3301 log_start 3302 run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3303 sleep 1 3304 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a} 3305 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3306 3307 log_start 3308 show_hint "Should fail 'Connection refused'" 3309 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3310 log_test_addr ${a} $? 1 "No server, device client, local conn" 3311 3312 # LLA to GUA 3313 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3314 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3315 log_start 3316 run_cmd nettest -6 -s -D & 3317 sleep 1 3318 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3319 log_test $? 
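0 "UDP in - LLA to GUA"

    run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
    run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}

# IPv6 UDP tests with the VRF configured (called after 'setup "yes"').
# The server, client and local-connection permutations run twice: first with
# net.ipv4.udp_l3mdev_accept=0 ("Global server disabled"), then with it set
# to 1 ("Global server enabled"). The expected return codes encode the
# isolation property under test: with the sysctl at 0 a server that is not
# bound to the VRF or an enslaved device must not be reachable (rc 1); with
# it at 1 the same server is expected to answer (rc 0).
ipv6_udp_vrf()
{
    local a

    # disable global server
    log_subsection "Global server disabled"
    set_sysctl net.ipv4.udp_l3mdev_accept=0

    #
    # server tests
    #
    for a in ${NSA_IP6} ${VRF_IP6}
    do
        log_start
        show_hint "Should fail 'Connection refused' since global server is disabled"
        run_cmd nettest -6 -D -s &
        sleep 1
        run_cmd_nsb nettest -6 -D -r ${a}
        log_test_addr ${a} $? 1 "Global server"
    done

    for a in ${NSA_IP6} ${VRF_IP6}
    do
        log_start
        run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
        sleep 1
        run_cmd_nsb nettest -6 -D -r ${a}
        log_test_addr ${a} $? 0 "VRF server"
    done

    for a in ${NSA_IP6} ${VRF_IP6}
    do
        log_start
        run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
        sleep 1
        run_cmd_nsb nettest -6 -D -r ${a}
        log_test_addr ${a} $? 0 "Enslaved device server"
    done

    # negative test - should fail
    for a in ${NSA_IP6} ${VRF_IP6}
    do
        log_start
        show_hint "Should fail 'Connection refused' since there is no server"
        run_cmd_nsb nettest -6 -D -r ${a}
        log_test_addr ${a} $? 1 "No server"
    done

    #
    # local address tests
    #
    for a in ${NSA_IP6} ${VRF_IP6}
    do
        log_start
        show_hint "Should fail 'Connection refused' since global server is disabled"
        run_cmd nettest -6 -D -s &
        sleep 1
        run_cmd nettest -6 -D -d ${VRF} -r ${a}
        log_test_addr ${a} $? 1 "Global server, VRF client, local conn"
    done

    for a in ${NSA_IP6} ${VRF_IP6}
    do
        log_start
        run_cmd nettest -6 -D -I ${VRF} -s &
        sleep 1
        run_cmd nettest -6 -D -d ${VRF} -r ${a}
        log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
    done

    a=${NSA_IP6}
    log_start
    show_hint "Should fail 'Connection refused' since global server is disabled"
    run_cmd nettest -6 -D -s &
    sleep 1
    run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
    log_test_addr ${a} $? 1 "Global server, device client, local conn"

    log_start
    run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
    sleep 1
    run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
    log_test_addr ${a} $? 0 "VRF server, device client, local conn"

    log_start
    run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
    sleep 1
    run_cmd nettest -6 -D -d ${VRF} -r ${a}
    log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"

    log_start
    run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
    sleep 1
    run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
    log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"

    # enable global server
    log_subsection "Global server enabled"
    set_sysctl net.ipv4.udp_l3mdev_accept=1

    #
    # server tests
    #
    for a in ${NSA_IP6} ${VRF_IP6}
    do
        log_start
        run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
        sleep 1
        run_cmd_nsb nettest -6 -D -r ${a}
        log_test_addr ${a} $? 0 "Global server"
    done

    for a in ${NSA_IP6} ${VRF_IP6}
    do
        log_start
        run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
        sleep 1
        run_cmd_nsb nettest -6 -D -r ${a}
        log_test_addr ${a} $? 0 "VRF server"
    done

    for a in ${NSA_IP6} ${VRF_IP6}
    do
        log_start
        run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
        sleep 1
        run_cmd_nsb nettest -6 -D -r ${a}
        log_test_addr ${a} $? 0 "Enslaved device server"
    done

    # negative test - should fail
    for a in ${NSA_IP6} ${VRF_IP6}
    do
        log_start
        run_cmd_nsb nettest -6 -D -r ${a}
        log_test_addr ${a} $? 1 "No server"
    done

    #
    # client tests
    #
    log_start
    run_cmd_nsb nettest -6 -D -s &
    sleep 1
    run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
    log_test $? 0 "VRF client"

    # negative test - should fail
    log_start
    run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
    log_test $? 1 "No server, VRF client"

    log_start
    run_cmd_nsb nettest -6 -D -s &
    sleep 1
    run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
    log_test $? 0 "Enslaved device client"

    # negative test - should fail
    log_start
    run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
    log_test $? 1 "No server, enslaved device client"

    #
    # local address tests
    #
    a=${NSA_IP6}
    log_start
    run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
    sleep 1
    run_cmd nettest -6 -D -d ${VRF} -r ${a}
    log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

    # NOTE(review): log_start is commented out for this case only; the
    # preceding log_test already ran kill_procs, so only the verbose banner
    # is missing. Confirm whether that is intentional.
    #log_start
    run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
    sleep 1
    run_cmd nettest -6 -D -d ${VRF} -r ${a}
    log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"


    a=${VRF_IP6}
    log_start
    run_cmd nettest -6 -D -s -3 ${VRF} &
    sleep 1
    run_cmd nettest -6 -D -d ${VRF} -r ${a}
    log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

    log_start
    run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} &
    sleep 1
    run_cmd nettest -6 -D -d ${VRF} -r ${a}
    log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"

    # negative test - should fail
    for a in ${NSA_IP6} ${VRF_IP6}
    do
        log_start
        run_cmd nettest -6 -D -d ${VRF} -r ${a}
        log_test_addr ${a} $? 1 "No server, VRF client, local conn"
    done

    # device to global IP
    a=${NSA_IP6}
    log_start
    run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
    sleep 1
    run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
    log_test_addr ${a} $? 0 "Global server, device client, local conn"

    log_start
    run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
    sleep 1
    run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
    log_test_addr ${a} $? 0 "VRF server, device client, local conn"

    log_start
    run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
    sleep 1
    run_cmd nettest -6 -D -d ${VRF} -r ${a}
    log_test_addr ${a} $? 0 "Device server, VRF client, local conn"

    log_start
    run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
    sleep 1
    run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
    log_test_addr ${a} $? 0 "Device server, device client, local conn"

    log_start
    run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
    log_test_addr ${a} $? 1 "No server, device client, local conn"


    # link local addresses
    log_start
    run_cmd nettest -6 -D -s &
    sleep 1
    run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
    log_test $? 0 "Global server, linklocal IP"

    log_start
    run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
    log_test $? 1 "No server, linklocal IP"


    log_start
    run_cmd_nsb nettest -6 -D -s &
    sleep 1
    run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
    log_test $? 0 "Enslaved device client, linklocal IP"

    log_start
    run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
    log_test $? 1 "No server, device client, peer linklocal IP"


    log_start
    run_cmd nettest -6 -D -s &
    sleep 1
    run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
    log_test $? 0 "Enslaved device client, local conn - linklocal IP"

    log_start
    run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
    log_test $? 1 "No server, device client, local conn - linklocal IP"

    # LLA to GUA
    # ns-B temporarily loses its global address and gets a host route to
    # ns-A instead; both changes are reverted after the test.
    run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
    run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
    log_start
    run_cmd nettest -6 -s -D &
    sleep 1
    run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
    log_test $? 0 "UDP in - LLA to GUA"

    run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
    run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}

# Entry point for the IPv6/UDP test set: runs the non-VRF tests with
# udp_l3mdev_accept both disabled and enabled, then the VRF tests.
ipv6_udp()
{
    # should not matter, but set to known state
    set_sysctl net.ipv4.udp_early_demux=1

    log_section "IPv6/UDP"
    log_subsection "No VRF"
    setup

    # udp_l3mdev_accept should have no effect without VRF;
    # run tests with it enabled and disabled to verify
    log_subsection "udp_l3mdev_accept disabled"
    set_sysctl net.ipv4.udp_l3mdev_accept=0
    ipv6_udp_novrf
    log_subsection "udp_l3mdev_accept enabled"
    set_sysctl net.ipv4.udp_l3mdev_accept=1
    ipv6_udp_novrf

    log_subsection "With VRF"
    setup "yes"
    ipv6_udp_vrf
}

################################################################################
# IPv6 address bind

# Bind-only tests (nettest -b) without a VRF: raw and TCP sockets bound to
# local addresses, with and without a prior device bind, plus a raw socket
# bound to a non-local address.
ipv6_addr_bind_novrf()
{
    #
    # raw socket
    #
    for a in ${NSA_IP6} ${NSA_LO_IP6}
    do
        log_start
        run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
        log_test_addr ${a} $? 0 "Raw socket bind to local address"

        log_start
        run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
        log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
    done

    #
    # raw socket with nonlocal bind
    #
    a=${NL_IP6}
    log_start
    run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
    log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

    #
    # tcp sockets
    #
    a=${NSA_IP6}
    log_start
    run_cmd nettest -6 -s -l ${a} -t1 -b
    log_test_addr ${a} $? 0 "TCP socket bind to local address"

    log_start
    run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
    log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

    # Sadly, the kernel allows binding a socket to a device and then
    # binding to an address not on the device. So this test passes
    # when it really should not
    a=${NSA_LO_IP6}
    log_start
    show_hint "Tecnically should fail since address is not on device but kernel allows"
    run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
    log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
}

# Bind-only tests with the VRF configured. Addresses on the enslaved device
# and on the VRF device are expected to bind (rc 0); the address on loopback
# is outside the VRF and is expected to be rejected (rc 1).
ipv6_addr_bind_vrf()
{
    #
    # raw socket
    #
    for a in ${NSA_IP6} ${VRF_IP6}
    do
        log_start
        run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
        log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"

        log_start
        run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
        log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
    done

    a=${NSA_LO_IP6}
    log_start
    show_hint "Address on loopback is out of VRF scope"
    run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
    log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"

    #
    # raw socket with nonlocal bind
    #
    a=${NL_IP6}
    log_start
    run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${VRF} -b
    log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

    #
    # tcp sockets
    #
    # address on enslaved device is valid for the VRF or device in a VRF
    for a in ${NSA_IP6} ${VRF_IP6}
    do
        log_start
        run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
        log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
    done

    a=${NSA_IP6}
    log_start
    run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
    log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"

    # Sadly, the kernel allows binding a socket to a device and then
    # binding to an address not on the device. The only restriction
    # is that the address is valid in the L3 domain. So this test
    # passes when it really should not
    a=${VRF_IP6}
    log_start
    show_hint "Tecnically should fail since address is not on device but kernel allows"
    run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
    log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind"

    a=${NSA_LO_IP6}
    log_start
    show_hint "Address on loopback out of scope for VRF"
    run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
    log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

    log_start
    show_hint "Address on loopback out of scope for device in VRF"
    run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
    log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"

}

# Entry point for the IPv6 bind test set: non-VRF then VRF configuration.
ipv6_addr_bind()
{
    log_section "IPv6 address binds"

    log_subsection "No VRF"
    setup
    ipv6_addr_bind_novrf

    log_subsection "With VRF"
    setup "yes"
    ipv6_addr_bind_vrf
}

################################################################################
# IPv6 runtime tests

# Delete the VRF device while nettest traffic is in flight.
# Arguments: $1 - description used in the test names
#            $2 - extra nettest arguments (appended to "-6")
# Every log_test/log_test_addr call passes a literal rc of 0 against an
# expected 0, so a case is recorded as OK as soon as the script gets past the
# device delete; the nettest exit codes are not examined. The configuration
# is rebuilt with 'setup yes' after each case except the last.
ipv6_rt()
{
    local desc="$1"
    local varg="-6 $2"
    local with_vrf="yes"
    local a

    #
    # server tests
    #
    for a in ${NSA_IP6} ${VRF_IP6}
    do
        log_start
        run_cmd nettest ${varg} -s &
        sleep 1
        run_cmd_nsb nettest ${varg} -r ${a} &
        sleep 3
        run_cmd ip link del ${VRF}
        sleep 1
        log_test_addr ${a} 0 0 "${desc}, global server"

        setup ${with_vrf}
    done

    for a in ${NSA_IP6} ${VRF_IP6}
    do
        log_start
        run_cmd nettest ${varg} -I ${VRF} -s &
        sleep 1
        run_cmd_nsb nettest ${varg} -r ${a} &
        sleep 3
        run_cmd ip link del ${VRF}
        sleep 1
        log_test_addr ${a} 0 0 "${desc}, VRF server"

        setup ${with_vrf}
    done

    for a in ${NSA_IP6} ${VRF_IP6}
    do
        log_start
        run_cmd nettest ${varg} -I ${NSA_DEV} -s &
        sleep 1
        run_cmd_nsb nettest ${varg} -r ${a} &
        sleep 3
        run_cmd ip link del ${VRF}
        sleep 1
        log_test_addr ${a} 0 0 "${desc}, enslaved device server"

        setup ${with_vrf}
    done

    #
    # client test
    #
    log_start
    run_cmd_nsb nettest ${varg} -s &
    sleep 1
    run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
    sleep 3
    run_cmd ip link del ${VRF}
    sleep 1
    log_test 0 0 "${desc}, VRF client"

    setup ${with_vrf}

    log_start
    run_cmd_nsb nettest ${varg} -s &
    sleep 1
    run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
    sleep 3
    run_cmd ip link del ${VRF}
    sleep 1
    log_test 0 0 "${desc}, enslaved device client"

    setup ${with_vrf}


    #
    # local address tests
    #
    for a in ${NSA_IP6} ${VRF_IP6}
    do
        log_start
        run_cmd nettest ${varg} -s &
        sleep 1
        run_cmd nettest ${varg} -d ${VRF} -r ${a} &
        sleep 3
        run_cmd ip link del ${VRF}
        sleep 1
        log_test_addr ${a} 0 0 "${desc}, global server, VRF client"

        setup ${with_vrf}
    done

    for a in ${NSA_IP6} ${VRF_IP6}
    do
        log_start
        run_cmd nettest ${varg} -I ${VRF} -s &
        sleep 1
        run_cmd nettest ${varg} -d ${VRF} -r ${a} &
        sleep 3
        run_cmd ip link del ${VRF}
        sleep 1
        log_test_addr ${a} 0 0 "${desc}, VRF server and client"

        setup ${with_vrf}
    done

    a=${NSA_IP6}
    log_start
    run_cmd nettest ${varg} -s &
    sleep 1
    run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
    sleep 3
    run_cmd ip link del ${VRF}
    sleep 1
    log_test_addr ${a} 0 0 "${desc}, global server, device client"

    setup ${with_vrf}

    log_start
    run_cmd nettest ${varg} -I ${VRF} -s &
    sleep 1
    run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
    sleep 3
    run_cmd ip link del ${VRF}
    sleep 1
    log_test_addr ${a} 0 0 "${desc}, VRF server, device client"

    setup ${with_vrf}

    log_start
    run_cmd nettest ${varg} -I ${NSA_DEV} -s &
    sleep 1
    run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
    sleep 3
    run_cmd ip link del ${VRF}
    sleep 1
    log_test_addr ${a} 0 0 "${desc}, device server, device client"
}

# Delete the VRF device while a flood ping (-f) is running, inbound from ns-B
# and then outbound through the VRF. As in ipv6_rt, the recorded rc is a
# literal 0.
ipv6_ping_rt()
{
    local with_vrf="yes"
    local a

    a=${NSA_IP6}
    log_start
    run_cmd_nsb ${ping6} -f ${a} &
    sleep 3
    run_cmd ip link del ${VRF}
    sleep 1
    log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

    setup ${with_vrf}

    # NOTE(review): the ping target here is NSB_IP6 but the test name is
    # still labelled with ${a} (NSA_IP6) - confirm which address is intended.
    log_start
    run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
    sleep 1
    run_cmd ip link del ${VRF}
    sleep 1
    log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

# Entry point for the IPv6 runtime test set; the VRF configuration is rebuilt
# before each group because every group ends with the VRF device deleted.
ipv6_runtime()
{
    log_section "Run time tests - ipv6"

    setup "yes"
    ipv6_ping_rt

    setup "yes"
    ipv6_rt "TCP active socket" "-n -1"

    setup "yes"
    ipv6_rt "TCP passive socket" "-i"

    setup "yes"
    ipv6_rt "UDP active socket" "-D -n -1"
}

################################################################################
# netfilter blocking connections

# IPv4 TCP connects from ns-B to a global server in ns-A; expected to fail
# (rc 1) because the caller installed a REJECT rule beforehand.
netfilter_tcp_reset()
{
    local a

    for a in ${NSA_IP} ${VRF_IP}
    do
        log_start
        run_cmd nettest -s &
        sleep 1
        run_cmd_nsb nettest -r ${a}
        log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
    done
}

# Same as netfilter_tcp_reset for the icmp-port-unreachable REJECT rules.
# Arguments: $1 - "TCP" or "UDP"; "UDP" adds -D to the nettest commands
netfilter_icmp()
{
    local stype="$1"
    local arg
    local a

    [ "${stype}" = "UDP" ] && arg="-D"

    for a in ${NSA_IP} ${VRF_IP}
    do
        log_start
        run_cmd nettest ${arg} -s &
        sleep 1
        run_cmd_nsb nettest ${arg} -r ${a}
        log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreachable"
    done
}

# Entry point for the IPv4 netfilter test set: installs REJECT rules for
# port 12345 on the INPUT chain through run_cmd and checks that connections
# are refused.
ipv4_netfilter()
{
    log_section "IPv4 Netfilter"
    log_subsection "TCP reset"

    setup "yes"
    run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

    netfilter_tcp_reset

    log_start
    log_subsection "ICMP unreachable"

    log_start
    run_cmd iptables -F
    run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
    run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable

    netfilter_icmp "TCP"
    netfilter_icmp "UDP"

    log_start
    # Flush through run_cmd so the rules are removed where they were added.
    # A bare 'iptables -F' runs in the namespace of the invoking shell
    # (presumably the host's - run_cmd is defined outside this view, confirm),
    # which would clear that filter table and leave the test rules in place.
    run_cmd iptables -F
}

# IPv6 counterpart of netfilter_tcp_reset.
netfilter_tcp6_reset()
{
    local a

    for a in ${NSA_IP6} ${VRF_IP6}
    do
        log_start
        run_cmd nettest -6 -s &
        sleep 1
        run_cmd_nsb nettest -6 -r ${a}
        log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
    done
}

# IPv6 counterpart of netfilter_icmp.
# Arguments: $1 - "TCP" or "UDP"; "UDP" adds -D to the nettest commands
netfilter_icmp6()
{
    local stype="$1"
    local arg
    local a

    [ "${stype}" = "UDP" ] && arg="$arg -D"

    for a in ${NSA_IP6} ${VRF_IP6}
    do
        log_start
        run_cmd nettest -6 -s ${arg} &
        sleep 1
        run_cmd_nsb nettest -6 ${arg} -r ${a}
        log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
    done
}

# Entry point for the IPv6 netfilter test set; mirrors ipv4_netfilter using
# ip6tables.
ipv6_netfilter()
{
    log_section "IPv6 Netfilter"
    log_subsection "TCP reset"

    setup "yes"
    run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

    netfilter_tcp6_reset

    log_subsection "ICMP unreachable"

    log_start
    run_cmd ip6tables -F
    run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
    run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable

    netfilter_icmp6 "TCP"
    netfilter_icmp6 "UDP"

    log_start
    # Flush through run_cmd for the same reason as in ipv4_netfilter: the
    # rules were added through run_cmd, and a bare flush would act on the
    # invoking shell's namespace instead.
    run_cmd ip6tables -F
}

################################################################################
# specific use cases

# VRF only.
# ns-A device enslaved to bridge. Verify traffic with and without
# br_netfilter module loaded. Repeat with SVI on bridge.
#
# rmmod/modprobe are invoked directly rather than through a namespace
# wrapper: module load state is host-wide, so this test changes it for the
# whole machine and leaves br_netfilter loaded when the final modprobe
# succeeds.
use_case_br()
{
    setup "yes"

    setup_cmd ip link set ${NSA_DEV} down
    setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
    setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64

    setup_cmd ip link add br0 type bridge
    setup_cmd ip addr add dev br0 ${NSA_IP}/24
    setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad

    setup_cmd ip li set ${NSA_DEV} master br0
    setup_cmd ip li set ${NSA_DEV} up
    setup_cmd ip li set br0 up
    setup_cmd ip li set br0 vrf ${VRF}

    rmmod br_netfilter 2>/dev/null
    sleep 5 # DAD

    run_cmd ip neigh flush all
    run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
    log_test $? 0 "Bridge into VRF - IPv4 ping out"

    run_cmd ip neigh flush all
    run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
    log_test $? 0 "Bridge into VRF - IPv6 ping out"

    run_cmd ip neigh flush all
    run_cmd_nsb ping -c1 -w1 ${NSA_IP}
    log_test $? 0 "Bridge into VRF - IPv4 ping in"

    run_cmd ip neigh flush all
    run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
    log_test $? 0 "Bridge into VRF - IPv6 ping in"

    # the br_netfilter variants are skipped when the module cannot be loaded
    if modprobe br_netfilter; then
        run_cmd ip neigh flush all
        run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
        log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out"

        run_cmd ip neigh flush all
        run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
        log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out"

        run_cmd ip neigh flush all
        run_cmd_nsb ping -c1 -w1 ${NSA_IP}
        log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in"

        run_cmd ip neigh flush all
        run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
        log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in"
    fi

    setup_cmd ip li set br0 nomaster
    setup_cmd ip li add br0.100 link br0 type vlan id 100
    setup_cmd ip li set br0.100 vrf ${VRF} up
    setup_cmd ip addr add dev br0.100 172.16.101.1/24
    setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad

    setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
    setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
    setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
    setup_cmd_nsb ip li set vlan100 up
    sleep 1

    rmmod br_netfilter 2>/dev/null

    run_cmd ip neigh flush all
    run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
    log_test $? 0 "Bridge vlan into VRF - IPv4 ping out"

    run_cmd ip neigh flush all
    run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
    log_test $? 0 "Bridge vlan into VRF - IPv6 ping out"

    run_cmd ip neigh flush all
    run_cmd_nsb ping -c1 -w1 172.16.101.1
    log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"

    run_cmd ip neigh flush all
    run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
    log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"

    if modprobe br_netfilter; then
        run_cmd ip neigh flush all
        run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
        log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out"

        run_cmd ip neigh flush all
        run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
        log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out"

        # the "ping in" names carry "with br_netfilter" too, so these results
        # are distinguishable from the module-unloaded runs above
        run_cmd ip neigh flush all
        run_cmd_nsb ping -c1 -w1 172.16.101.1
        log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping in"

        run_cmd ip neigh flush all
        run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
        log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping in"
    fi

    setup_cmd ip li del br0 2>/dev/null
    setup_cmd_nsb ip li del vlan100 2>/dev/null
}

# VRF only.
# ns-A device is connected to both ns-B and ns-C on a single VRF but only has
# LLA on the interfaces
use_case_ping_lla_multi()
{
    setup_lla_only
    # only want reply from ns-A
    setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
    setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1

    log_start
    run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
    log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B"

    run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
    log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C"

    # cycle/flap the first ns-A interface
    setup_cmd ip link set ${NSA_DEV} down
    setup_cmd ip link set ${NSA_DEV} up
    sleep 1

    log_start
    run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
    log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B"
    run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
    log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C"

    # cycle/flap the second ns-A interface
    setup_cmd ip link set ${NSA_DEV2} down
    setup_cmd ip link set ${NSA_DEV2} up
    sleep 1

    log_start
    run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
    log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B"
    run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
    log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C"
}

# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully
# established with ns-B.
use_case_snat_on_vrf()
{
    setup "yes"

    local port="12345"

    run_cmd iptables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
    run_cmd ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}

    run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} &
    sleep 1
    run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port}
    log_test $? 0 "IPv4 TCP connection over VRF with SNAT"

    run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} &
    sleep 1
    run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port}
    log_test $? 0 "IPv6 TCP connection over VRF with SNAT"

    # Cleanup
    run_cmd iptables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
    run_cmd ip6tables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
}

# Entry point for the "use_cases" test set.
use_cases()
{
    log_section "Use cases"
    log_subsection "Device enslaved to bridge"
    use_case_br
    log_subsection "Ping LLA with multiple interfaces"
    use_case_ping_lla_multi
    log_subsection "SNAT on VRF"
    use_case_snat_on_vrf
}

################################################################################
# usage

# Print the option summary and the list of test set names to stdout.
usage()
{
    cat <<EOF
usage: ${0##*/} OPTS

    -4          IPv4 tests only
    -6          IPv6 tests only
    -t <test>   Test name/set to run
    -p          Pause on fail
    -P          Pause after each test
    -v          Be verbose

Tests:
    $TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER
EOF
}

################################################################################
# main

TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter"
TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter"
TESTS_OTHER="use_cases"

PAUSE_ON_FAIL=no
PAUSE=no

while getopts :46t:pPvh o
do
    case $o in
        4) TESTS=ipv4;;
        6) TESTS=ipv6;;
        t) TESTS=$OPTARG;;
        p) PAUSE_ON_FAIL=yes;;
        P) PAUSE=yes;;
        v) VERBOSE=1;;
        h) usage; exit 0;;
        *) usage; exit 1;;
    esac
done

# make sure we don't pause twice
[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no

#
# show user test config
#
if [ -z "$TESTS" ]; then
    TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
elif [ "$TESTS" = "ipv4" ]; then
    TESTS="$TESTS_IPV4"
elif [ "$TESTS" = "ipv6" ]; then
    TESTS="$TESTS_IPV6"
fi

check_gen_prog "nettest"

declare -i nfail=0
declare -i nsuccess=0

# $TESTS is left unquoted on purpose: it is a space-separated list of names
for t in $TESTS
do
    case $t in
        ipv4_ping|ping)  ipv4_ping;;
        ipv4_tcp|tcp)    ipv4_tcp;;
        ipv4_udp|udp)    ipv4_udp;;
        ipv4_bind|bind)  ipv4_addr_bind;;
        ipv4_runtime)    ipv4_runtime;;
        ipv4_netfilter)  ipv4_netfilter;;

        ipv6_ping|ping6) ipv6_ping;;
        ipv6_tcp|tcp6)   ipv6_tcp;;
        ipv6_udp|udp6)   ipv6_udp;;
        ipv6_bind|bind6) ipv6_addr_bind;;
        ipv6_runtime)    ipv6_runtime;;
        ipv6_netfilter)  ipv6_netfilter;;

        use_cases)       use_cases;;

        # setup namespaces and config, but do not run any tests
        setup)           setup; exit 0;;
        vrf_setup)       setup "yes"; exit 0;;

        # a mistyped name would otherwise be dropped silently and the run
        # reported as a skip; exit status is unchanged by this warning
        *)               echo "WARNING: unknown test '$t' ignored" >&2;;
    esac
done

cleanup 2>/dev/null

printf "\nTests passed: %3d\n" ${nsuccess}
printf "Tests failed: %3d\n"   ${nfail}

if [ $nfail -ne 0 ]; then
    exit 1 # KSFT_FAIL
elif [ $nsuccess -eq 0 ]; then
    exit $ksft_skip
fi

exit 0 # KSFT_PASS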