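#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
#
# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
# for various permutations:
#   1. icmp, tcp, udp and netfilter
#   2. client, server, no-server
#   3. global address on interface
#   4. global address on 'lo'
#   5. remote and local traffic
#   6. VRF and non-VRF permutations
#
# Setup:
#                     ns-A     |     ns-B
# No VRF case:
#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
#                                                remote address
# VRF case:
#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
#
# ns-A:
#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
#       lo: 127.0.0.1/8, ::1/128
#           172.16.2.1/32, 2001:db8:2::1/128
#      red: 127.0.0.1/8, ::1/128
#           172.16.3.1/32, 2001:db8:3::1/128
#
# ns-B:
#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
#      lo2: 127.0.0.1/8, ::1/128
#           172.16.2.2/32, 2001:db8:2::2/128
#
# ns-A to ns-C connection - only for VRF and same config
# as ns-A to ns-B
#
# server / client nomenclature relative to ns-A

source lib.sh

# NOTE(review): $PWD is placed ahead of the inherited PATH, so every bare
# command used below (ip, sysctl, killall, pgrep, ping, nettest, ...) is
# looked up in the current directory first. The script manipulates network
# namespaces and sysctls, which presumably means it runs with elevated
# privileges; start it only from a directory whose contents you control.
PATH=$PWD:$PWD/tools/testing/selftests/net:$PATH

VERBOSE=0

NSA_DEV=eth1
NSA_DEV2=eth2
NSB_DEV=eth1
NSC_DEV=eth2
VRF=red
VRF_TABLE=1101

# IPv4 config
NSA_IP=172.16.1.1
NSB_IP=172.16.1.2
VRF_IP=172.16.3.1
NS_NET=172.16.1.0/24

# IPv6 config
NSA_IP6=2001:db8:1::1
NSB_IP6=2001:db8:1::2
VRF_IP6=2001:db8:3::1
NS_NET6=2001:db8:1::/120

NSA_LO_IP=172.16.2.1
NSB_LO_IP=172.16.2.2
NSA_LO_IP6=2001:db8:2::1
NSB_LO_IP6=2001:db8:2::2

# non-local addresses for freebind tests
NL_IP=172.17.1.1
NL_IP6=2001:db8:4::1

# multicast and broadcast addresses
MCAST_IP=224.0.0.1
BCAST_IP=255.255.255.255

# Fixed TCP-MD5 keys for the MD5 test cases. These are test fixtures only;
# MD5_WRONG_PW deliberately differs from MD5_PW so that key-mismatch cases
# can be driven. Do not reuse either value outside the test namespaces.
MD5_PW=abc123
MD5_WRONG_PW=abc1234

MCAST=ff02::1
# set after namespace create
NSA_LINKIP6=
NSB_LINKIP6=

# Prefer a dedicated ping6 binary; fall back to ping when there is none.
if command -v ping6 >/dev/null 2>&1; then
	ping6=$(command -v ping6)
else
	ping6=$(command -v ping)
fi

# Check if FIPS mode is enabled
# NOTE(review): fips_enabled is not read in this part of the file;
# presumably the MD5 test dispatch consults it - confirm.
if [ -f /proc/sys/crypto/fips_enabled ]; then
	fips_enabled=$(cat /proc/sys/crypto/fips_enabled)
else
	fips_enabled=0
fi

################################################################################
# utilities

# Record one test result.
#   $1 - actual return code
#   $2 - expected return code
#   $3 - test description
# Bumps the global nsuccess or nfail counter, honours PAUSE_ON_FAIL / PAUSE
# ("yes" waits for enter, 'q' exits with status 1) and finally stops any
# leftover test processes via kill_procs.
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"
	local ans

	[ "${VERBOSE}" = "1" ] && echo

	if [ "${rc}" -eq "${expected}" ]; then
		nsuccess=$((nsuccess+1))
		printf "TEST: %-70s  [ OK ]\n" "${msg}"
	else
		nfail=$((nfail+1))
		printf "TEST: %-70s  [FAIL]\n" "${msg}"
		echo "    expected rc $expected; actual rc $rc"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue, 'q' to quit"
			# -r: take the typed line literally
			read -r ans
			[ "$ans" = "q" ] && exit 1
		fi
	fi

	if [ "${PAUSE}" = "yes" ]; then
		echo
		echo "hit enter to continue, 'q' to quit"
		read -r ans
		[ "$ans" = "q" ] && exit 1
	fi

	kill_procs
}

# Like log_test, but appends a readable name for the address to the message.
#   $1 - address, $2 - actual rc, $3 - expected rc, $4 - description
log_test_addr()
{
	local addr=$1
	local rc=$2
	local expected=$3
	local msg="$4"
	local astr

	astr=$(addr2str "${addr}")
	log_test "$rc" "$expected" "$msg - ${astr}"
}

# Print a section banner with the given title.
log_section()
{
	echo
	echo "###########################################################################"
	echo "$*"
	echo "###########################################################################"
	echo
}

# Print a subsection banner with the given title.
log_subsection()
{
	echo
	echo "#################################################################"
	echo "$*"
	echo
}

# Called before each test case; prints a separator in verbose mode.
log_start()
{
	# make sure we have no test instances running
	kill_procs

	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "#######################################################"
	fi
}

# Print the arguments only in verbose mode.
log_debug()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "$*"
		echo
	fi
}

# Print a "HINT:" line explaining an expected outcome, verbose mode only.
show_hint()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo "HINT: $*"
		echo
	fi
}

# Stop leftover nettest/ping/ping6 processes and wait for them to go away.
# NOTE(review): killall and pgrep match on process name and are not run
# inside a namespace here; network namespaces do not scope the process
# table, so unrelated ping or nettest processes on the host are terminated
# as well. Run the suite on a dedicated test machine or VM.
# slowwait is not defined in this file; presumably provided by lib.sh.
kill_procs()
{
	killall nettest ping ping6 >/dev/null 2>&1
	slowwait 2 sh -c 'test -z "$(pgrep '"'^(nettest|ping|ping6)$'"')"'
}

# Allow every group id to open ICMP "ping" sockets. The sysctl is written
# through NSA_CMD, i.e. inside ns-A, not on the host.
set_ping_group()
{
	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${NSA_CMD} sysctl -q -w net.ipv4.ping_group_range='0 2147483647'"
	fi

	${NSA_CMD} sysctl -q -w net.ipv4.ping_group_range='0 2147483647'
}

# Run a command, capturing stdout and stderr; echo the command and its
# output only in verbose mode. Returns the command's exit status.
#
# The command string is expanded unquoted on purpose: callers hand over a
# flat argument list that is re-split on whitespace. It is word-split and
# glob-expanded but never re-parsed by the shell, so quoting inside an
# argument is not honoured. Pass only literal, trusted arguments.
#
# NOTE(review): rc is not declared local, so it is written to the caller's
# (or the global) rc - left as is in case later code reads it; confirm.
do_run_cmd()
{
	local cmd="$*"
	local out

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${cmd}"
	fi

	out=$($cmd 2>&1)
	rc=$?
	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		echo "$out"
	fi

	return $rc
}

# Run a command inside ns-A.
run_cmd()
{
	do_run_cmd ${NSA_CMD} $*
}

# Run a command inside ns-B.
run_cmd_nsb()
{
	do_run_cmd ${NSB_CMD} $*
}

# Run a command inside ns-C.
run_cmd_nsc()
{
	do_run_cmd ${NSC_CMD} $*
}

# Shared body of setup_cmd, setup_cmd_nsb and setup_cmd_nsc.
#   $1    - runner function (run_cmd, run_cmd_nsb or run_cmd_nsc)
#   $2... - command to run through it
# A failing setup command is fatal: the command is shown (unless verbose
# mode already printed it), PAUSE_ON_FAIL=yes waits for enter, and the
# script exits with the command's status.
__setup_cmd_via()
{
	local runner=$1
	shift
	local cmd="$*"
	local rc
	local ans

	${runner} ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		# show user the command if not done so already
		if [ "$VERBOSE" = "0" ]; then
			echo "setup command: $cmd"
		fi
		echo "failed. stopping tests"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue"
			read -r ans
		fi
		exit $rc
	fi
}

# Run a setup command in ns-A; abort the test run if it fails.
setup_cmd()
{
	__setup_cmd_via run_cmd "$@"
}

# Run a setup command in ns-B; abort the test run if it fails.
setup_cmd_nsb()
{
	__setup_cmd_via run_cmd_nsb "$@"
}

# Run a setup command in ns-C; abort the test run if it fails.
setup_cmd_nsc()
{
	__setup_cmd_via run_cmd_nsc "$@"
}

# set sysctl values in NS-A
set_sysctl()
{
	echo "SYSCTL: $*"
	echo
	run_cmd sysctl -q -w $*
}

# get sysctl values in NS-A
get_sysctl()
{
	${NSA_CMD} sysctl -n $*
}

################################################################################
# Setup for tests

# Map a test address to a human-readable label for the test log.
# Link-local and multicast entries also match a "%<zone>" suffix.
# Anything not listed yields "unknown".
addr2str()
{
	case "$1" in
	127.0.0.1) echo "loopback";;
	::1) echo "IPv6 loopback";;

	${BCAST_IP}) echo "broadcast";;
	${MCAST_IP}) echo "multicast";;

	${NSA_IP})	echo "ns-A IP";;
	${NSA_IP6})	echo "ns-A IPv6";;
	${NSA_LO_IP})	echo "ns-A loopback IP";;
	${NSA_LO_IP6})	echo "ns-A loopback IPv6";;
	${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;

	${NSB_IP})	echo "ns-B IP";;
	${NSB_IP6})	echo "ns-B IPv6";;
	${NSB_LO_IP})	echo "ns-B loopback IP";;
	${NSB_LO_IP6})	echo "ns-B loopback IPv6";;
	${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;

	${NL_IP})       echo "nonlocal IP";;
	${NL_IP6})      echo "nonlocal IPv6";;

	${VRF_IP})	echo "VRF IP";;
	${VRF_IP6})	echo "VRF IPv6";;

	${MCAST}%*)	echo "multicast IP";;

	*) echo "unknown";;
	esac
}

# Print the fe80 link-local address of a device, without prefix length.
#   $1 - namespace, $2 - device
# Returns 1 and prints nothing when no such address is configured.
get_linklocal()
{
	local ns=$1
	local dev=$2
	local addr

	addr=$(ip -netns ${ns} -6 -br addr show dev ${dev} | \
	awk '{
		for (i = 3; i <= NF; ++i) {
			if ($i ~ /^fe80/)
				print $i
		}
	}'
	)
	# drop everything from the first '/' on (the prefix length)
	addr=${addr/\/*}

	[ -z "$addr" ] && return 1

	echo "$addr"

	return 0
}

################################################################################
# create namespaces and vrf

# Create and bring up a VRF device inside a namespace.
#   $1 - namespace        $2 - VRF device name   $3 - routing table id
#   $4 - IPv4 address for the VRF device, "-" for none
#   $5 - IPv6 address for the VRF device, "-" for none
# Installs unreachable default routes (metric 8192) in the VRF for both
# families and puts 127.0.0.1/8 and ::1 on the VRF device. The local-table
# rule is then moved from pref 0 to pref 32765 for IPv4 and IPv6 -
# presumably so the VRF (l3mdev) rule is consulted first; confirm against
# the VRF documentation.
create_vrf()
{
	local ns=$1
	local vrf=$2
	local table=$3
	local addr=$4
	local addr6=$5

	ip -netns ${ns} link add ${vrf} type vrf table ${table}
	ip -netns ${ns} link set ${vrf} up
	ip -netns ${ns} route add vrf ${vrf} unreachable default metric 8192
	ip -netns ${ns} -6 route add vrf ${vrf} unreachable default metric 8192

	ip -netns ${ns} addr add 127.0.0.1/8 dev ${vrf}
	ip -netns ${ns} -6 addr add ::1 dev ${vrf} nodad
	if [ "${addr}" != "-" ]; then
		ip -netns ${ns} addr add dev ${vrf} ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns ${ns} -6 addr add dev ${vrf} ${addr6}
	fi

	ip -netns ${ns} ru del pref 0
	ip -netns ${ns} ru add pref 32765 from all lookup local
	ip -netns ${ns} -6 ru del pref 0
	ip -netns ${ns} -6 ru add pref 32765 from all lookup local
}

# Configure an existing namespace for the tests.
#   $1 - namespace
#   $2 - IPv4 address to add to lo, "-" for none
#   $3 - IPv6 address to add to lo, "-" for none
# Adds unreachable default routes (metric 8192), enables IPv4 and IPv6
# forwarding, keeps IPv6 addresses on link down and disables DAD. Every
# command targets ${ns} (ip -netns / ip netns exec), so the forwarding and
# DAD settings are changed in that namespace rather than on the host.
create_ns()
{
	local ns=$1
	local addr=$2
	local addr6=$3

	if [ "${addr}" != "-" ]; then
		ip -netns ${ns} addr add dev lo ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns ${ns} -6 addr add dev lo ${addr6}
	fi

	ip -netns ${ns} ro add unreachable default metric 8192
	ip -netns ${ns} -6 ro add unreachable default metric 8192

	ip netns exec ${ns} sysctl -qw net.ipv4.ip_forward=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.forwarding=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.forwarding=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.accept_dad=0
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.accept_dad=0
}

# create veth pair to connect namespaces and apply addresses.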
432connect_ns() 433{ 434 local ns1=$1 435 local ns1_dev=$2 436 local ns1_addr=$3 437 local ns1_addr6=$4 438 local ns2=$5 439 local ns2_dev=$6 440 local ns2_addr=$7 441 local ns2_addr6=$8 442 443 ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp 444 ip -netns ${ns1} li set ${ns1_dev} up 445 ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev} 446 ip -netns ${ns2} li set ${ns2_dev} up 447 448 if [ "${ns1_addr}" != "-" ]; then 449 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr} 450 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr} 451 fi 452 453 if [ "${ns1_addr6}" != "-" ]; then 454 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6} 455 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6} 456 fi 457} 458 459cleanup() 460{ 461 # explicit cleanups to check those code paths 462 ip netns | grep -q ${NSA} 463 if [ $? -eq 0 ]; then 464 ip -netns ${NSA} link delete ${VRF} 465 ip -netns ${NSA} ro flush table ${VRF_TABLE} 466 467 ip -netns ${NSA} addr flush dev ${NSA_DEV} 468 ip -netns ${NSA} -6 addr flush dev ${NSA_DEV} 469 ip -netns ${NSA} link set dev ${NSA_DEV} down 470 ip -netns ${NSA} link del dev ${NSA_DEV} 471 472 ip netns pids ${NSA} | xargs kill 2>/dev/null 473 cleanup_ns ${NSA} 474 fi 475 476 ip netns pids ${NSB} | xargs kill 2>/dev/null 477 ip netns pids ${NSC} | xargs kill 2>/dev/null 478 cleanup_ns ${NSB} ${NSC} 479} 480 481cleanup_vrf_dup() 482{ 483 ip link del ${NSA_DEV2} >/dev/null 2>&1 484 ip netns pids ${NSC} | xargs kill 2>/dev/null 485 ip netns del ${NSC} >/dev/null 2>&1 486} 487 488setup_vrf_dup() 489{ 490 # some VRF tests use ns-C which has the same config as 491 # ns-B but for a device NOT in the VRF 492 setup_ns NSC 493 NSC_CMD="ip netns exec ${NSC}" 494 create_ns ${NSC} "-" "-" 495 connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \ 496 ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 497} 498 499setup() 500{ 501 local with_vrf=${1} 502 503 # make sure we are starting with a clean slate 504 kill_procs 505 cleanup 
2>/dev/null 506 507 log_debug "Configuring network namespaces" 508 set -e 509 510 setup_ns NSA NSB 511 NSA_CMD="ip netns exec ${NSA}" 512 NSB_CMD="ip netns exec ${NSB}" 513 514 create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128 515 create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128 516 connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \ 517 ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 518 519 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 520 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 521 522 # tell ns-A how to get to remote addresses of ns-B 523 if [ "${with_vrf}" = "yes" ]; then 524 create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6} 525 526 ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF} 527 ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 528 ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 529 530 ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 531 ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 532 else 533 ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 534 ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 535 fi 536 537 538 # tell ns-B how to get to remote addresses of ns-A 539 ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 540 ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 541 542 set +e 543 544 sleep 1 545} 546 547setup_lla_only() 548{ 549 # make sure we are starting with a clean slate 550 kill_procs 551 cleanup 2>/dev/null 552 553 log_debug "Configuring network namespaces" 554 set -e 555 556 setup_ns NSA NSB NSC 557 NSA_CMD="ip netns exec ${NSA}" 558 NSB_CMD="ip netns exec ${NSB}" 559 NSC_CMD="ip netns exec ${NSC}" 560 create_ns ${NSA} "-" "-" 561 create_ns ${NSB} "-" "-" 562 create_ns ${NSC} "-" "-" 563 connect_ns ${NSA} ${NSA_DEV} "-" "-" \ 564 ${NSB} ${NSB_DEV} "-" "-" 565 connect_ns ${NSA} ${NSA_DEV2} "-" "-" \ 566 ${NSC} ${NSC_DEV} 
"-" "-" 567 568 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 569 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 570 NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV}) 571 572 create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-" 573 ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF} 574 ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF} 575 576 set +e 577 578 sleep 1 579} 580 581################################################################################ 582# IPv4 583 584ipv4_ping_novrf() 585{ 586 local a 587 588 # 589 # out 590 # 591 for a in ${NSB_IP} ${NSB_LO_IP} 592 do 593 log_start 594 run_cmd ping -c1 -w1 ${a} 595 log_test_addr ${a} $? 0 "ping out" 596 597 log_start 598 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 599 log_test_addr ${a} $? 0 "ping out, device bind" 600 601 log_start 602 run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a} 603 log_test_addr ${a} $? 0 "ping out, address bind" 604 done 605 606 # 607 # out, but don't use gateway if peer is not on link 608 # 609 a=${NSB_IP} 610 log_start 611 run_cmd ping -c 1 -w 1 -r ${a} 612 log_test_addr ${a} $? 0 "ping out (don't route), peer on link" 613 614 a=${NSB_LO_IP} 615 log_start 616 show_hint "Fails since peer is not on link" 617 run_cmd ping -c 1 -w 1 -r ${a} 618 log_test_addr ${a} $? 1 "ping out (don't route), peer not on link" 619 620 # 621 # in 622 # 623 for a in ${NSA_IP} ${NSA_LO_IP} 624 do 625 log_start 626 run_cmd_nsb ping -c1 -w1 ${a} 627 log_test_addr ${a} $? 0 "ping in" 628 done 629 630 # 631 # local traffic 632 # 633 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 634 do 635 log_start 636 run_cmd ping -c1 -w1 ${a} 637 log_test_addr ${a} $? 0 "ping local" 638 done 639 640 # 641 # local traffic, socket bound to device 642 # 643 # address on device 644 a=${NSA_IP} 645 log_start 646 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 647 log_test_addr ${a} $? 
0 "ping local, device bind" 648 649 # loopback addresses not reachable from device bind 650 # fails in a really weird way though because ipv4 special cases 651 # route lookups with oif set. 652 for a in ${NSA_LO_IP} 127.0.0.1 653 do 654 log_start 655 show_hint "Fails since address on loopback device is out of device scope" 656 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 657 log_test_addr ${a} $? 1 "ping local, device bind" 658 done 659 660 # 661 # ip rule blocks reachability to remote address 662 # 663 log_start 664 setup_cmd ip rule add pref 32765 from all lookup local 665 setup_cmd ip rule del pref 0 from all lookup local 666 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 667 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 668 669 a=${NSB_LO_IP} 670 run_cmd ping -c1 -w1 ${a} 671 log_test_addr ${a} $? 2 "ping out, blocked by rule" 672 673 # NOTE: ipv4 actually allows the lookup to fail and yet still create 674 # a viable rtable if the oif (e.g., bind to device) is set, so this 675 # case succeeds despite the rule 676 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 677 678 a=${NSA_LO_IP} 679 log_start 680 show_hint "Response generates ICMP (or arp request is ignored) due to ip rule" 681 run_cmd_nsb ping -c1 -w1 ${a} 682 log_test_addr ${a} $? 1 "ping in, blocked by rule" 683 684 [ "$VERBOSE" = "1" ] && echo 685 setup_cmd ip rule del pref 32765 from all lookup local 686 setup_cmd ip rule add pref 0 from all lookup local 687 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 688 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 689 690 # 691 # route blocks reachability to remote address 692 # 693 log_start 694 setup_cmd ip route replace unreachable ${NSB_LO_IP} 695 setup_cmd ip route replace unreachable ${NSB_IP} 696 697 a=${NSB_LO_IP} 698 run_cmd ping -c1 -w1 ${a} 699 log_test_addr ${a} $? 
2 "ping out, blocked by route" 700 701 # NOTE: ipv4 actually allows the lookup to fail and yet still create 702 # a viable rtable if the oif (e.g., bind to device) is set, so this 703 # case succeeds despite not having a route for the address 704 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 705 706 a=${NSA_LO_IP} 707 log_start 708 show_hint "Response is dropped (or arp request is ignored) due to ip route" 709 run_cmd_nsb ping -c1 -w1 ${a} 710 log_test_addr ${a} $? 1 "ping in, blocked by route" 711 712 # 713 # remove 'remote' routes; fallback to default 714 # 715 log_start 716 setup_cmd ip ro del ${NSB_LO_IP} 717 718 a=${NSB_LO_IP} 719 run_cmd ping -c1 -w1 ${a} 720 log_test_addr ${a} $? 2 "ping out, unreachable default route" 721 722 # NOTE: ipv4 actually allows the lookup to fail and yet still create 723 # a viable rtable if the oif (e.g., bind to device) is set, so this 724 # case succeeds despite not having a route for the address 725 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 726} 727 728ipv4_ping_vrf() 729{ 730 local a 731 732 # should default on; does not exist on older kernels 733 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 734 735 # 736 # out 737 # 738 for a in ${NSB_IP} ${NSB_LO_IP} 739 do 740 log_start 741 run_cmd ping -c1 -w1 -I ${VRF} ${a} 742 log_test_addr ${a} $? 0 "ping out, VRF bind" 743 744 log_start 745 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 746 log_test_addr ${a} $? 0 "ping out, device bind" 747 748 log_start 749 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a} 750 log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind" 751 752 log_start 753 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a} 754 log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind" 755 done 756 757 # 758 # in 759 # 760 for a in ${NSA_IP} ${VRF_IP} 761 do 762 log_start 763 run_cmd_nsb ping -c1 -w1 ${a} 764 log_test_addr ${a} $? 
0 "ping in" 765 done 766 767 # 768 # local traffic, local address 769 # 770 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 771 do 772 log_start 773 show_hint "Source address should be ${a}" 774 run_cmd ping -c1 -w1 -I ${VRF} ${a} 775 log_test_addr ${a} $? 0 "ping local, VRF bind" 776 done 777 778 # 779 # local traffic, socket bound to device 780 # 781 # address on device 782 a=${NSA_IP} 783 log_start 784 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 785 log_test_addr ${a} $? 0 "ping local, device bind" 786 787 # vrf device is out of scope 788 for a in ${VRF_IP} 127.0.0.1 789 do 790 log_start 791 show_hint "Fails since address on vrf device is out of device scope" 792 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 793 log_test_addr ${a} $? 2 "ping local, device bind" 794 done 795 796 # 797 # ip rule blocks address 798 # 799 log_start 800 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 801 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 802 803 a=${NSB_LO_IP} 804 run_cmd ping -c1 -w1 -I ${VRF} ${a} 805 log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule" 806 807 log_start 808 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 809 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 810 811 a=${NSA_LO_IP} 812 log_start 813 show_hint "Response lost due to ip rule" 814 run_cmd_nsb ping -c1 -w1 ${a} 815 log_test_addr ${a} $? 1 "ping in, blocked by rule" 816 817 [ "$VERBOSE" = "1" ] && echo 818 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 819 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 820 821 # 822 # remove 'remote' routes; fallback to default 823 # 824 log_start 825 setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP} 826 827 a=${NSB_LO_IP} 828 run_cmd ping -c1 -w1 -I ${VRF} ${a} 829 log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route" 830 831 log_start 832 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 833 log_test_addr ${a} $? 
2 "ping out, device bind, unreachable route" 834 835 a=${NSA_LO_IP} 836 log_start 837 show_hint "Response lost by unreachable route" 838 run_cmd_nsb ping -c1 -w1 ${a} 839 log_test_addr ${a} $? 1 "ping in, unreachable route" 840} 841 842ipv4_ping() 843{ 844 log_section "IPv4 ping" 845 846 log_subsection "No VRF" 847 setup 848 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null 849 ipv4_ping_novrf 850 setup 851 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 852 ipv4_ping_novrf 853 setup 854 set_ping_group 855 ipv4_ping_novrf 856 857 log_subsection "With VRF" 858 setup "yes" 859 ipv4_ping_vrf 860 setup "yes" 861 set_ping_group 862 ipv4_ping_vrf 863} 864 865################################################################################ 866# IPv4 TCP 867 868# 869# MD5 tests without VRF 870# 871ipv4_tcp_md5_novrf() 872{ 873 # 874 # single address 875 # 876 877 # basic use case 878 log_start 879 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 880 wait_local_port_listen ${NSA} 12345 tcp 881 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 882 log_test $? 0 "MD5: Single address config" 883 884 # client sends MD5, server not configured 885 log_start 886 show_hint "Should timeout due to MD5 mismatch" 887 run_cmd nettest -s & 888 wait_local_port_listen ${NSA} 12345 tcp 889 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 890 log_test $? 2 "MD5: Server no config, client uses password" 891 892 # wrong password 893 log_start 894 show_hint "Should timeout since client uses wrong password" 895 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 896 wait_local_port_listen ${NSA} 12345 tcp 897 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 898 log_test $? 2 "MD5: Client uses wrong password" 899 900 # client from different address 901 log_start 902 show_hint "Should timeout due to MD5 mismatch" 903 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} & 904 wait_local_port_listen ${NSA} 12345 tcp 905 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 906 log_test $? 
2 "MD5: Client address does not match address configured with password" 907 908 # 909 # MD5 extension - prefix length 910 # 911 912 # client in prefix 913 log_start 914 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 915 wait_local_port_listen ${NSA} 12345 tcp 916 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 917 log_test $? 0 "MD5: Prefix config" 918 919 # client in prefix, wrong password 920 log_start 921 show_hint "Should timeout since client uses wrong password" 922 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 923 wait_local_port_listen ${NSA} 12345 tcp 924 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 925 log_test $? 2 "MD5: Prefix config, client uses wrong password" 926 927 # client outside of prefix 928 log_start 929 show_hint "Should timeout due to MD5 mismatch" 930 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 931 wait_local_port_listen ${NSA} 12345 tcp 932 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 933 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 934} 935 936# 937# MD5 tests with VRF 938# 939ipv4_tcp_md5() 940{ 941 # 942 # single address 943 # 944 945 # basic use case 946 log_start 947 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 948 wait_local_port_listen ${NSA} 12345 tcp 949 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 950 log_test $? 0 "MD5: VRF: Single address config" 951 952 # client sends MD5, server not configured 953 log_start 954 show_hint "Should timeout since server does not have MD5 auth" 955 run_cmd nettest -s -I ${VRF} & 956 wait_local_port_listen ${NSA} 12345 tcp 957 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 958 log_test $? 2 "MD5: VRF: Server no config, client uses password" 959 960 # wrong password 961 log_start 962 show_hint "Should timeout since client uses wrong password" 963 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 964 wait_local_port_listen ${NSA} 12345 tcp 965 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 966 log_test $? 
2 "MD5: VRF: Client uses wrong password" 967 968 # client from different address 969 log_start 970 show_hint "Should timeout since server config differs from client" 971 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} & 972 wait_local_port_listen ${NSA} 12345 tcp 973 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 974 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 975 976 # 977 # MD5 extension - prefix length 978 # 979 980 # client in prefix 981 log_start 982 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 983 wait_local_port_listen ${NSA} 12345 tcp 984 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 985 log_test $? 0 "MD5: VRF: Prefix config" 986 987 # client in prefix, wrong password 988 log_start 989 show_hint "Should timeout since client uses wrong password" 990 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 991 wait_local_port_listen ${NSA} 12345 tcp 992 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 993 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 994 995 # client outside of prefix 996 log_start 997 show_hint "Should timeout since client address is outside of prefix" 998 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 999 wait_local_port_listen ${NSA} 12345 tcp 1000 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 1001 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" 1002 1003 # 1004 # duplicate config between default VRF and a VRF 1005 # 1006 1007 log_start 1008 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 1009 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 1010 wait_local_port_listen ${NSA} 12345 tcp 1011 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1012 log_test $? 
0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 1013 1014 log_start 1015 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 1016 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 1017 wait_local_port_listen ${NSA} 12345 tcp 1018 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1019 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 1020 1021 log_start 1022 show_hint "Should timeout since client in default VRF uses VRF password" 1023 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 1024 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 1025 wait_local_port_listen ${NSA} 12345 tcp 1026 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1027 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 1028 1029 log_start 1030 show_hint "Should timeout since client in VRF uses default VRF password" 1031 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 1032 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 1033 wait_local_port_listen ${NSA} 12345 tcp 1034 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1035 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 1036 1037 log_start 1038 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1039 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1040 wait_local_port_listen ${NSA} 12345 tcp 1041 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1042 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 1043 1044 log_start 1045 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1046 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1047 wait_local_port_listen ${NSA} 12345 tcp 1048 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1049 log_test $? 
0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 1050 1051 log_start 1052 show_hint "Should timeout since client in default VRF uses VRF password" 1053 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1054 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1055 wait_local_port_listen ${NSA} 12345 tcp 1056 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1057 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 1058 1059 log_start 1060 show_hint "Should timeout since client in VRF uses default VRF password" 1061 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1062 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1063 wait_local_port_listen ${NSA} 12345 tcp 1064 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1065 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 1066 1067 # 1068 # negative tests 1069 # 1070 log_start 1071 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP} 1072 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 1073 1074 log_start 1075 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET} 1076 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 1077 1078 test_ipv4_md5_vrf__vrf_server__no_bind_ifindex 1079 test_ipv4_md5_vrf__global_server__bind_ifindex0 1080} 1081 1082test_ipv4_md5_vrf__vrf_server__no_bind_ifindex() 1083{ 1084 log_start 1085 show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX" 1086 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1087 wait_local_port_listen ${NSA} 12345 tcp 1088 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1089 log_test $? 
0 "MD5: VRF: VRF-bound server, unbound key accepts connection" 1090 1091 log_start 1092 show_hint "Binding both the socket and the key is not required but it works" 1093 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1094 wait_local_port_listen ${NSA} 12345 tcp 1095 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1096 log_test $? 0 "MD5: VRF: VRF-bound server, bound key accepts connection" 1097} 1098 1099test_ipv4_md5_vrf__global_server__bind_ifindex0() 1100{ 1101 # This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections 1102 local old_tcp_l3mdev_accept 1103 old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept) 1104 set_sysctl net.ipv4.tcp_l3mdev_accept=1 1105 1106 log_start 1107 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1108 wait_local_port_listen ${NSA} 12345 tcp 1109 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1110 log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection" 1111 1112 log_start 1113 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1114 wait_local_port_listen ${NSA} 12345 tcp 1115 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1116 log_test $? 0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection" 1117 log_start 1118 1119 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1120 wait_local_port_listen ${NSA} 12345 tcp 1121 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1122 log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection" 1123 1124 log_start 1125 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1126 wait_local_port_listen ${NSA} 12345 tcp 1127 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1128 log_test $? 
0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection" 1129 1130 # restore value 1131 set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept" 1132} 1133 1134ipv4_tcp_dontroute() 1135{ 1136 local syncookies=$1 1137 local nsa_syncookies 1138 local nsb_syncookies 1139 local a 1140 1141 # 1142 # Link local connection tests (SO_DONTROUTE). 1143 # Connections should succeed only when the remote IP address is 1144 # on link (doesn't need to be routed through a gateway). 1145 # 1146 1147 nsa_syncookies=$(ip netns exec "${NSA}" sysctl -n net.ipv4.tcp_syncookies) 1148 nsb_syncookies=$(ip netns exec "${NSB}" sysctl -n net.ipv4.tcp_syncookies) 1149 ip netns exec "${NSA}" sysctl -wq net.ipv4.tcp_syncookies=${syncookies} 1150 ip netns exec "${NSB}" sysctl -wq net.ipv4.tcp_syncookies=${syncookies} 1151 1152 # Test with eth1 address (on link). 1153 1154 a=${NSB_IP} 1155 log_start 1156 do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute 1157 log_test_addr ${a} $? 0 "SO_DONTROUTE client, syncookies=${syncookies}" 1158 1159 a=${NSB_IP} 1160 log_start 1161 do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -r ${a} --server-dontroute 1162 log_test_addr ${a} $? 0 "SO_DONTROUTE server, syncookies=${syncookies}" 1163 1164 # Test with loopback address (routed). 1165 # 1166 # The client would use the eth1 address as source IP by default. 1167 # Therefore, we need to use the -c option here, to force the use of the 1168 # routed (loopback) address as source IP (so that the server will try 1169 # to respond to a routed address and not a link local one). 1170 1171 a=${NSB_LO_IP} 1172 log_start 1173 show_hint "Should fail 'Network is unreachable' since server is not on link" 1174 do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -c "${NSA_LO_IP}" -r ${a} --client-dontroute 1175 log_test_addr ${a} $? 
1 "SO_DONTROUTE client, syncookies=${syncookies}" 1176 1177 a=${NSB_LO_IP} 1178 log_start 1179 show_hint "Should timeout since server cannot respond (client is not on link)" 1180 do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -c "${NSA_LO_IP}" -r ${a} --server-dontroute 1181 log_test_addr ${a} $? 2 "SO_DONTROUTE server, syncookies=${syncookies}" 1182 1183 ip netns exec "${NSB}" sysctl -wq net.ipv4.tcp_syncookies=${nsb_syncookies} 1184 ip netns exec "${NSA}" sysctl -wq net.ipv4.tcp_syncookies=${nsa_syncookies} 1185} 1186 1187ipv4_tcp_novrf() 1188{ 1189 local a 1190 1191 # 1192 # server tests 1193 # 1194 for a in ${NSA_IP} ${NSA_LO_IP} 1195 do 1196 log_start 1197 run_cmd nettest -s & 1198 wait_local_port_listen ${NSA} 12345 tcp 1199 run_cmd_nsb nettest -r ${a} 1200 log_test_addr ${a} $? 0 "Global server" 1201 done 1202 1203 a=${NSA_IP} 1204 log_start 1205 run_cmd nettest -s -I ${NSA_DEV} & 1206 wait_local_port_listen ${NSA} 12345 tcp 1207 run_cmd_nsb nettest -r ${a} 1208 log_test_addr ${a} $? 0 "Device server" 1209 1210 # verify TCP reset sent and received 1211 for a in ${NSA_IP} ${NSA_LO_IP} 1212 do 1213 log_start 1214 show_hint "Should fail 'Connection refused' since there is no server" 1215 run_cmd_nsb nettest -r ${a} 1216 log_test_addr ${a} $? 1 "No server" 1217 done 1218 1219 # 1220 # client 1221 # 1222 for a in ${NSB_IP} ${NSB_LO_IP} 1223 do 1224 log_start 1225 run_cmd_nsb nettest -s & 1226 wait_local_port_listen ${NSB} 12345 tcp 1227 run_cmd nettest -r ${a} -0 ${NSA_IP} 1228 log_test_addr ${a} $? 0 "Client" 1229 1230 log_start 1231 run_cmd_nsb nettest -s & 1232 wait_local_port_listen ${NSB} 12345 tcp 1233 run_cmd nettest -r ${a} -d ${NSA_DEV} 1234 log_test_addr ${a} $? 0 "Client, device bind" 1235 1236 log_start 1237 show_hint "Should fail 'Connection refused'" 1238 run_cmd nettest -r ${a} 1239 log_test_addr ${a} $? 
1 "No server, unbound client" 1240 1241 log_start 1242 show_hint "Should fail 'Connection refused'" 1243 run_cmd nettest -r ${a} -d ${NSA_DEV} 1244 log_test_addr ${a} $? 1 "No server, device client" 1245 done 1246 1247 # 1248 # local address tests 1249 # 1250 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1251 do 1252 log_start 1253 run_cmd nettest -s & 1254 wait_local_port_listen ${NSA} 12345 tcp 1255 run_cmd nettest -r ${a} -0 ${a} -1 ${a} 1256 log_test_addr ${a} $? 0 "Global server, local connection" 1257 done 1258 1259 a=${NSA_IP} 1260 log_start 1261 run_cmd nettest -s -I ${NSA_DEV} & 1262 wait_local_port_listen ${NSA} 12345 tcp 1263 run_cmd nettest -r ${a} -0 ${a} 1264 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 1265 1266 for a in ${NSA_LO_IP} 127.0.0.1 1267 do 1268 log_start 1269 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 1270 run_cmd nettest -s -I ${NSA_DEV} & 1271 wait_local_port_listen ${NSA} 12345 tcp 1272 run_cmd nettest -r ${a} 1273 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 1274 done 1275 1276 a=${NSA_IP} 1277 log_start 1278 run_cmd nettest -s & 1279 wait_local_port_listen ${NSA} 12345 tcp 1280 run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV} 1281 log_test_addr ${a} $? 0 "Global server, device client, local connection" 1282 1283 for a in ${NSA_LO_IP} 127.0.0.1 1284 do 1285 log_start 1286 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 1287 run_cmd nettest -s & 1288 wait_local_port_listen ${NSA} 12345 tcp 1289 run_cmd nettest -r ${a} -d ${NSA_DEV} 1290 log_test_addr ${a} $? 1 "Global server, device client, local connection" 1291 done 1292 1293 a=${NSA_IP} 1294 log_start 1295 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1296 wait_local_port_listen ${NSA} 12345 tcp 1297 run_cmd nettest -d ${NSA_DEV} -r ${a} -0 ${a} 1298 log_test_addr ${a} $? 
0 "Device server, device client, local connection" 1299 1300 log_start 1301 show_hint "Should fail 'Connection refused'" 1302 run_cmd nettest -d ${NSA_DEV} -r ${a} 1303 log_test_addr ${a} $? 1 "No server, device client, local conn" 1304 1305 [ "$fips_enabled" = "1" ] || ipv4_tcp_md5_novrf 1306 1307 ipv4_tcp_dontroute 0 1308 ipv4_tcp_dontroute 2 1309} 1310 1311ipv4_tcp_vrf() 1312{ 1313 local a 1314 1315 # disable global server 1316 log_subsection "Global server disabled" 1317 1318 set_sysctl net.ipv4.tcp_l3mdev_accept=0 1319 1320 # 1321 # server tests 1322 # 1323 for a in ${NSA_IP} ${VRF_IP} 1324 do 1325 log_start 1326 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 1327 run_cmd nettest -s & 1328 wait_local_port_listen ${NSA} 12345 tcp 1329 run_cmd_nsb nettest -r ${a} 1330 log_test_addr ${a} $? 1 "Global server" 1331 1332 log_start 1333 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1334 wait_local_port_listen ${NSA} 12345 tcp 1335 run_cmd_nsb nettest -r ${a} 1336 log_test_addr ${a} $? 0 "VRF server" 1337 1338 log_start 1339 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1340 wait_local_port_listen ${NSA} 12345 tcp 1341 run_cmd_nsb nettest -r ${a} 1342 log_test_addr ${a} $? 0 "Device server" 1343 1344 # verify TCP reset received 1345 log_start 1346 show_hint "Should fail 'Connection refused' since there is no server" 1347 run_cmd_nsb nettest -r ${a} 1348 log_test_addr ${a} $? 1 "No server" 1349 done 1350 1351 # local address tests 1352 # (${VRF_IP} and 127.0.0.1 both timeout) 1353 a=${NSA_IP} 1354 log_start 1355 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 1356 run_cmd nettest -s & 1357 wait_local_port_listen ${NSA} 12345 tcp 1358 run_cmd nettest -r ${a} -d ${NSA_DEV} 1359 log_test_addr ${a} $? 
1 "Global server, local connection" 1360 1361 # run MD5 tests 1362 if [ "$fips_enabled" = "0" ]; then 1363 setup_vrf_dup 1364 ipv4_tcp_md5 1365 cleanup_vrf_dup 1366 fi 1367 1368 # 1369 # enable VRF global server 1370 # 1371 log_subsection "VRF Global server enabled" 1372 set_sysctl net.ipv4.tcp_l3mdev_accept=1 1373 1374 for a in ${NSA_IP} ${VRF_IP} 1375 do 1376 log_start 1377 show_hint "client socket should be bound to VRF" 1378 run_cmd nettest -s -3 ${VRF} & 1379 wait_local_port_listen ${NSA} 12345 tcp 1380 run_cmd_nsb nettest -r ${a} 1381 log_test_addr ${a} $? 0 "Global server" 1382 1383 log_start 1384 show_hint "client socket should be bound to VRF" 1385 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1386 wait_local_port_listen ${NSA} 12345 tcp 1387 run_cmd_nsb nettest -r ${a} 1388 log_test_addr ${a} $? 0 "VRF server" 1389 1390 # verify TCP reset received 1391 log_start 1392 show_hint "Should fail 'Connection refused'" 1393 run_cmd_nsb nettest -r ${a} 1394 log_test_addr ${a} $? 1 "No server" 1395 done 1396 1397 a=${NSA_IP} 1398 log_start 1399 show_hint "client socket should be bound to device" 1400 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1401 wait_local_port_listen ${NSA} 12345 tcp 1402 run_cmd_nsb nettest -r ${a} 1403 log_test_addr ${a} $? 0 "Device server" 1404 1405 # local address tests 1406 for a in ${NSA_IP} ${VRF_IP} 1407 do 1408 log_start 1409 show_hint "Should fail 'Connection refused' since client is not bound to VRF" 1410 run_cmd nettest -s -I ${VRF} & 1411 wait_local_port_listen ${NSA} 12345 tcp 1412 run_cmd nettest -r ${a} 1413 log_test_addr ${a} $? 1 "Global server, local connection" 1414 done 1415 1416 # 1417 # client 1418 # 1419 for a in ${NSB_IP} ${NSB_LO_IP} 1420 do 1421 log_start 1422 run_cmd_nsb nettest -s & 1423 wait_local_port_listen ${NSB} 12345 tcp 1424 run_cmd nettest -r ${a} -d ${VRF} 1425 log_test_addr ${a} $? 
0 "Client, VRF bind" 1426 1427 log_start 1428 run_cmd_nsb nettest -s & 1429 wait_local_port_listen ${NSB} 12345 tcp 1430 run_cmd nettest -r ${a} -d ${NSA_DEV} 1431 log_test_addr ${a} $? 0 "Client, device bind" 1432 1433 log_start 1434 show_hint "Should fail 'Connection refused'" 1435 run_cmd nettest -r ${a} -d ${VRF} 1436 log_test_addr ${a} $? 1 "No server, VRF client" 1437 1438 log_start 1439 show_hint "Should fail 'Connection refused'" 1440 run_cmd nettest -r ${a} -d ${NSA_DEV} 1441 log_test_addr ${a} $? 1 "No server, device client" 1442 done 1443 1444 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 1445 do 1446 log_start 1447 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1448 wait_local_port_listen ${NSA} 12345 tcp 1449 run_cmd nettest -r ${a} -d ${VRF} -0 ${a} 1450 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 1451 done 1452 1453 a=${NSA_IP} 1454 log_start 1455 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1456 wait_local_port_listen ${NSA} 12345 tcp 1457 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a} 1458 log_test_addr ${a} $? 0 "VRF server, device client, local connection" 1459 1460 log_start 1461 show_hint "Should fail 'No route to host' since client is out of VRF scope" 1462 run_cmd nettest -s -I ${VRF} & 1463 wait_local_port_listen ${NSA} 12345 tcp 1464 run_cmd nettest -r ${a} 1465 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection" 1466 1467 log_start 1468 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1469 wait_local_port_listen ${NSA} 12345 tcp 1470 run_cmd nettest -r ${a} -d ${VRF} -0 ${a} 1471 log_test_addr ${a} $? 0 "Device server, VRF client, local connection" 1472 1473 log_start 1474 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1475 wait_local_port_listen ${NSA} 12345 tcp 1476 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a} 1477 log_test_addr ${a} $? 
0 "Device server, device client, local connection" 1478} 1479 1480ipv4_tcp() 1481{ 1482 log_section "IPv4/TCP" 1483 log_subsection "No VRF" 1484 setup 1485 1486 # tcp_l3mdev_accept should have no affect without VRF; 1487 # run tests with it enabled and disabled to verify 1488 log_subsection "tcp_l3mdev_accept disabled" 1489 set_sysctl net.ipv4.tcp_l3mdev_accept=0 1490 ipv4_tcp_novrf 1491 log_subsection "tcp_l3mdev_accept enabled" 1492 set_sysctl net.ipv4.tcp_l3mdev_accept=1 1493 ipv4_tcp_novrf 1494 1495 log_subsection "With VRF" 1496 setup "yes" 1497 ipv4_tcp_vrf 1498} 1499 1500################################################################################ 1501# IPv4 UDP 1502 1503ipv4_udp_novrf() 1504{ 1505 local a 1506 1507 # 1508 # server tests 1509 # 1510 for a in ${NSA_IP} ${NSA_LO_IP} 1511 do 1512 log_start 1513 run_cmd nettest -D -s -3 ${NSA_DEV} & 1514 wait_local_port_listen ${NSA} 12345 udp 1515 run_cmd_nsb nettest -D -r ${a} 1516 log_test_addr ${a} $? 0 "Global server" 1517 1518 log_start 1519 show_hint "Should fail 'Connection refused' since there is no server" 1520 run_cmd_nsb nettest -D -r ${a} 1521 log_test_addr ${a} $? 1 "No server" 1522 done 1523 1524 a=${NSA_IP} 1525 log_start 1526 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1527 wait_local_port_listen ${NSA} 12345 udp 1528 run_cmd_nsb nettest -D -r ${a} 1529 log_test_addr ${a} $? 0 "Device server" 1530 1531 # 1532 # client 1533 # 1534 for a in ${NSB_IP} ${NSB_LO_IP} 1535 do 1536 log_start 1537 run_cmd_nsb nettest -D -s & 1538 wait_local_port_listen ${NSB} 12345 udp 1539 run_cmd nettest -D -r ${a} -0 ${NSA_IP} 1540 log_test_addr ${a} $? 0 "Client" 1541 1542 log_start 1543 run_cmd_nsb nettest -D -s & 1544 wait_local_port_listen ${NSB} 12345 udp 1545 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP} 1546 log_test_addr ${a} $? 
0 "Client, device bind" 1547 1548 log_start 1549 run_cmd_nsb nettest -D -s & 1550 wait_local_port_listen ${NSB} 12345 udp 1551 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP} 1552 log_test_addr ${a} $? 0 "Client, device send via cmsg" 1553 1554 log_start 1555 run_cmd_nsb nettest -D -s & 1556 wait_local_port_listen ${NSB} 12345 udp 1557 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} 1558 log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF" 1559 1560 log_start 1561 run_cmd_nsb nettest -D -s & 1562 wait_local_port_listen ${NSB} 12345 udp 1563 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} -U 1564 log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF, with connect()" 1565 1566 1567 log_start 1568 show_hint "Should fail 'Connection refused'" 1569 run_cmd nettest -D -r ${a} 1570 log_test_addr ${a} $? 1 "No server, unbound client" 1571 1572 log_start 1573 show_hint "Should fail 'Connection refused'" 1574 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1575 log_test_addr ${a} $? 1 "No server, device client" 1576 done 1577 1578 # 1579 # local address tests 1580 # 1581 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1582 do 1583 log_start 1584 run_cmd nettest -D -s & 1585 wait_local_port_listen ${NSA} 12345 udp 1586 run_cmd nettest -D -r ${a} -0 ${a} -1 ${a} 1587 log_test_addr ${a} $? 0 "Global server, local connection" 1588 done 1589 1590 a=${NSA_IP} 1591 log_start 1592 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1593 wait_local_port_listen ${NSA} 12345 udp 1594 run_cmd nettest -D -r ${a} 1595 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 1596 1597 for a in ${NSA_LO_IP} 127.0.0.1 1598 do 1599 log_start 1600 show_hint "Should fail 'Connection refused' since address is out of device scope" 1601 run_cmd nettest -s -D -I ${NSA_DEV} & 1602 wait_local_port_listen ${NSA} 12345 udp 1603 run_cmd nettest -D -r ${a} 1604 log_test_addr ${a} $? 
1 "Device server, unbound client, local connection" 1605 done 1606 1607 a=${NSA_IP} 1608 log_start 1609 run_cmd nettest -s -D & 1610 wait_local_port_listen ${NSA} 12345 udp 1611 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1612 log_test_addr ${a} $? 0 "Global server, device client, local connection" 1613 1614 log_start 1615 run_cmd nettest -s -D & 1616 wait_local_port_listen ${NSA} 12345 udp 1617 run_cmd nettest -D -d ${NSA_DEV} -C -r ${a} 1618 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 1619 1620 log_start 1621 run_cmd nettest -s -D & 1622 wait_local_port_listen ${NSA} 12345 udp 1623 run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} 1624 log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection" 1625 1626 log_start 1627 run_cmd nettest -s -D & 1628 wait_local_port_listen ${NSA} 12345 udp 1629 run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} -U 1630 log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection, with connect()" 1631 1632 1633 # IPv4 with device bind has really weird behavior - it overrides the 1634 # fib lookup, generates an rtable and tries to send the packet. This 1635 # causes failures for local traffic at different places 1636 for a in ${NSA_LO_IP} 127.0.0.1 1637 do 1638 log_start 1639 show_hint "Should fail since addresses on loopback are out of device scope" 1640 run_cmd nettest -D -s & 1641 wait_local_port_listen ${NSA} 12345 udp 1642 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1643 log_test_addr ${a} $? 2 "Global server, device client, local connection" 1644 1645 log_start 1646 show_hint "Should fail since addresses on loopback are out of device scope" 1647 run_cmd nettest -D -s & 1648 wait_local_port_listen ${NSA} 12345 udp 1649 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C 1650 log_test_addr ${a} $? 
1 "Global server, device send via cmsg, local connection" 1651 1652 log_start 1653 show_hint "Should fail since addresses on loopback are out of device scope" 1654 run_cmd nettest -D -s & 1655 wait_local_port_listen ${NSA} 12345 udp 1656 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S 1657 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 1658 1659 log_start 1660 show_hint "Should fail since addresses on loopback are out of device scope" 1661 run_cmd nettest -D -s & 1662 wait_local_port_listen ${NSA} 12345 udp 1663 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -U 1664 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()" 1665 1666 1667 done 1668 1669 a=${NSA_IP} 1670 log_start 1671 run_cmd nettest -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1672 wait_local_port_listen ${NSA} 12345 udp 1673 run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a} 1674 log_test_addr ${a} $? 0 "Device server, device client, local conn" 1675 1676 log_start 1677 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1678 log_test_addr ${a} $? 2 "No server, device client, local conn" 1679 1680 # 1681 # Link local connection tests (SO_DONTROUTE). 1682 # Connections should succeed only when the remote IP address is 1683 # on link (doesn't need to be routed through a gateway). 1684 # 1685 1686 a=${NSB_IP} 1687 log_start 1688 do_run_cmd nettest -B -D -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute 1689 log_test_addr ${a} $? 0 "SO_DONTROUTE client" 1690 1691 a=${NSB_LO_IP} 1692 log_start 1693 show_hint "Should fail 'Network is unreachable' since server is not on link" 1694 do_run_cmd nettest -B -D -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute 1695 log_test_addr ${a} $? 
1 "SO_DONTROUTE client" 1696} 1697 1698ipv4_udp_vrf() 1699{ 1700 local a 1701 1702 # disable global server 1703 log_subsection "Global server disabled" 1704 set_sysctl net.ipv4.udp_l3mdev_accept=0 1705 1706 # 1707 # server tests 1708 # 1709 for a in ${NSA_IP} ${VRF_IP} 1710 do 1711 log_start 1712 show_hint "Fails because ingress is in a VRF and global server is disabled" 1713 run_cmd nettest -D -s & 1714 wait_local_port_listen ${NSA} 12345 udp 1715 run_cmd_nsb nettest -D -r ${a} 1716 log_test_addr ${a} $? 1 "Global server" 1717 1718 log_start 1719 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} & 1720 wait_local_port_listen ${NSA} 12345 udp 1721 run_cmd_nsb nettest -D -r ${a} 1722 log_test_addr ${a} $? 0 "VRF server" 1723 1724 log_start 1725 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1726 wait_local_port_listen ${NSA} 12345 udp 1727 run_cmd_nsb nettest -D -r ${a} 1728 log_test_addr ${a} $? 0 "Enslaved device server" 1729 1730 log_start 1731 show_hint "Should fail 'Connection refused' since there is no server" 1732 run_cmd_nsb nettest -D -r ${a} 1733 log_test_addr ${a} $? 1 "No server" 1734 1735 log_start 1736 show_hint "Should fail 'Connection refused' since global server is out of scope" 1737 run_cmd nettest -D -s & 1738 wait_local_port_listen ${NSA} 12345 udp 1739 run_cmd nettest -D -d ${VRF} -r ${a} 1740 log_test_addr ${a} $? 1 "Global server, VRF client, local connection" 1741 done 1742 1743 a=${NSA_IP} 1744 log_start 1745 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1746 wait_local_port_listen ${NSA} 12345 udp 1747 run_cmd nettest -D -d ${VRF} -r ${a} 1748 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1749 1750 log_start 1751 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1752 wait_local_port_listen ${NSA} 12345 udp 1753 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1754 log_test_addr ${a} $? 
0 "VRF server, enslaved device client, local connection" 1755 1756 a=${NSA_IP} 1757 log_start 1758 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1759 wait_local_port_listen ${NSA} 12345 udp 1760 run_cmd nettest -D -d ${VRF} -r ${a} 1761 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 1762 1763 log_start 1764 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1765 wait_local_port_listen ${NSA} 12345 udp 1766 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1767 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 1768 1769 # enable global server 1770 log_subsection "Global server enabled" 1771 set_sysctl net.ipv4.udp_l3mdev_accept=1 1772 1773 # 1774 # server tests 1775 # 1776 for a in ${NSA_IP} ${VRF_IP} 1777 do 1778 log_start 1779 run_cmd nettest -D -s -3 ${NSA_DEV} & 1780 wait_local_port_listen ${NSA} 12345 udp 1781 run_cmd_nsb nettest -D -r ${a} 1782 log_test_addr ${a} $? 0 "Global server" 1783 1784 log_start 1785 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} & 1786 wait_local_port_listen ${NSA} 12345 udp 1787 run_cmd_nsb nettest -D -r ${a} 1788 log_test_addr ${a} $? 0 "VRF server" 1789 1790 log_start 1791 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1792 wait_local_port_listen ${NSA} 12345 udp 1793 run_cmd_nsb nettest -D -r ${a} 1794 log_test_addr ${a} $? 0 "Enslaved device server" 1795 1796 log_start 1797 show_hint "Should fail 'Connection refused'" 1798 run_cmd_nsb nettest -D -r ${a} 1799 log_test_addr ${a} $? 1 "No server" 1800 done 1801 1802 # 1803 # client tests 1804 # 1805 log_start 1806 run_cmd_nsb nettest -D -s & 1807 wait_local_port_listen ${NSB} 12345 udp 1808 run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP} 1809 log_test $? 0 "VRF client" 1810 1811 log_start 1812 run_cmd_nsb nettest -D -s & 1813 wait_local_port_listen ${NSB} 12345 udp 1814 run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP} 1815 log_test $? 
0 "Enslaved device client" 1816 1817 # negative test - should fail 1818 log_start 1819 show_hint "Should fail 'Connection refused'" 1820 run_cmd nettest -D -d ${VRF} -r ${NSB_IP} 1821 log_test $? 1 "No server, VRF client" 1822 1823 log_start 1824 show_hint "Should fail 'Connection refused'" 1825 run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP} 1826 log_test $? 1 "No server, enslaved device client" 1827 1828 # 1829 # local address tests 1830 # 1831 a=${NSA_IP} 1832 log_start 1833 run_cmd nettest -D -s -3 ${NSA_DEV} & 1834 wait_local_port_listen ${NSA} 12345 udp 1835 run_cmd nettest -D -d ${VRF} -r ${a} 1836 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 1837 1838 log_start 1839 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1840 wait_local_port_listen ${NSA} 12345 udp 1841 run_cmd nettest -D -d ${VRF} -r ${a} 1842 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1843 1844 log_start 1845 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1846 wait_local_port_listen ${NSA} 12345 udp 1847 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1848 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 1849 1850 log_start 1851 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1852 wait_local_port_listen ${NSA} 12345 udp 1853 run_cmd nettest -D -d ${VRF} -r ${a} 1854 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 1855 1856 log_start 1857 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1858 wait_local_port_listen ${NSA} 12345 udp 1859 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1860 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 1861 1862 for a in ${VRF_IP} 127.0.0.1 1863 do 1864 log_start 1865 run_cmd nettest -D -s -3 ${VRF} & 1866 wait_local_port_listen ${NSA} 12345 udp 1867 run_cmd nettest -D -d ${VRF} -r ${a} 1868 log_test_addr ${a} $? 
0 "Global server, VRF client, local conn" 1869 done 1870 1871 for a in ${VRF_IP} 127.0.0.1 1872 do 1873 log_start 1874 run_cmd nettest -s -D -I ${VRF} -3 ${VRF} & 1875 wait_local_port_listen ${NSA} 12345 udp 1876 run_cmd nettest -D -d ${VRF} -r ${a} 1877 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1878 done 1879 1880 # negative test - should fail 1881 # verifies ECONNREFUSED 1882 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 1883 do 1884 log_start 1885 show_hint "Should fail 'Connection refused'" 1886 run_cmd nettest -D -d ${VRF} -r ${a} 1887 log_test_addr ${a} $? 1 "No server, VRF client, local conn" 1888 done 1889} 1890 1891ipv4_udp() 1892{ 1893 log_section "IPv4/UDP" 1894 log_subsection "No VRF" 1895 1896 setup 1897 1898 # udp_l3mdev_accept should have no affect without VRF; 1899 # run tests with it enabled and disabled to verify 1900 log_subsection "udp_l3mdev_accept disabled" 1901 set_sysctl net.ipv4.udp_l3mdev_accept=0 1902 ipv4_udp_novrf 1903 log_subsection "udp_l3mdev_accept enabled" 1904 set_sysctl net.ipv4.udp_l3mdev_accept=1 1905 ipv4_udp_novrf 1906 1907 log_subsection "With VRF" 1908 setup "yes" 1909 ipv4_udp_vrf 1910} 1911 1912################################################################################ 1913# IPv4 address bind 1914# 1915# verifies ability or inability to bind to an address / device 1916 1917ipv4_addr_bind_novrf() 1918{ 1919 # 1920 # raw socket 1921 # 1922 for a in ${NSA_IP} ${NSA_LO_IP} 1923 do 1924 log_start 1925 run_cmd nettest -s -R -P icmp -l ${a} -b 1926 log_test_addr ${a} $? 0 "Raw socket bind to local address" 1927 1928 log_start 1929 run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b 1930 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" 1931 done 1932 1933 # 1934 # tests for nonlocal bind 1935 # 1936 a=${NL_IP} 1937 log_start 1938 run_cmd nettest -s -R -f -l ${a} -b 1939 log_test_addr ${a} $? 
0 "Raw socket bind to nonlocal address" 1940 1941 log_start 1942 run_cmd nettest -s -f -l ${a} -b 1943 log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address" 1944 1945 log_start 1946 run_cmd nettest -s -D -P icmp -f -l ${a} -b 1947 log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address" 1948 1949 # 1950 # check that ICMP sockets cannot bind to broadcast and multicast addresses 1951 # 1952 a=${BCAST_IP} 1953 log_start 1954 run_cmd nettest -s -D -P icmp -l ${a} -b 1955 log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address" 1956 1957 a=${MCAST_IP} 1958 log_start 1959 run_cmd nettest -s -D -P icmp -l ${a} -b 1960 log_test_addr ${a} $? 1 "ICMP socket bind to multicast address" 1961 1962 # 1963 # tcp sockets 1964 # 1965 a=${NSA_IP} 1966 log_start 1967 run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b 1968 log_test_addr ${a} $? 0 "TCP socket bind to local address" 1969 1970 log_start 1971 run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b 1972 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind" 1973 1974 # Sadly, the kernel allows binding a socket to a device and then 1975 # binding to an address not on the device. The only restriction 1976 # is that the address is valid in the L3 domain. So this test 1977 # passes when it really should not 1978 #a=${NSA_LO_IP} 1979 #log_start 1980 #show_hint "Should fail with 'Cannot assign requested address'" 1981 #run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 1982 #log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address" 1983} 1984 1985ipv4_addr_bind_vrf() 1986{ 1987 # 1988 # raw socket 1989 # 1990 for a in ${NSA_IP} ${VRF_IP} 1991 do 1992 log_start 1993 show_hint "Socket not bound to VRF, but address is in VRF" 1994 run_cmd nettest -s -R -P icmp -l ${a} -b 1995 log_test_addr ${a} $? 1 "Raw socket bind to local address" 1996 1997 log_start 1998 run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b 1999 log_test_addr ${a} $? 
0 "Raw socket bind to local address after device bind" 2000 log_start 2001 run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b 2002 log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind" 2003 done 2004 2005 a=${NSA_LO_IP} 2006 log_start 2007 show_hint "Address on loopback is out of VRF scope" 2008 run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b 2009 log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind" 2010 2011 # 2012 # tests for nonlocal bind 2013 # 2014 a=${NL_IP} 2015 log_start 2016 run_cmd nettest -s -R -f -l ${a} -I ${VRF} -b 2017 log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind" 2018 2019 log_start 2020 run_cmd nettest -s -f -l ${a} -I ${VRF} -b 2021 log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address after VRF bind" 2022 2023 log_start 2024 run_cmd nettest -s -D -P icmp -f -l ${a} -I ${VRF} -b 2025 log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address after VRF bind" 2026 2027 # 2028 # check that ICMP sockets cannot bind to broadcast and multicast addresses 2029 # 2030 a=${BCAST_IP} 2031 log_start 2032 run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b 2033 log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address after VRF bind" 2034 2035 a=${MCAST_IP} 2036 log_start 2037 run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b 2038 log_test_addr ${a} $? 1 "ICMP socket bind to multicast address after VRF bind" 2039 2040 # 2041 # tcp sockets 2042 # 2043 for a in ${NSA_IP} ${VRF_IP} 2044 do 2045 log_start 2046 run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b 2047 log_test_addr ${a} $? 0 "TCP socket bind to local address" 2048 2049 log_start 2050 run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 2051 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind" 2052 done 2053 2054 a=${NSA_LO_IP} 2055 log_start 2056 show_hint "Address on loopback out of scope for VRF" 2057 run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b 2058 log_test_addr ${a} $? 
1 "TCP socket bind to invalid local address for VRF" 2059 2060 log_start 2061 show_hint "Address on loopback out of scope for device in VRF" 2062 run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 2063 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind" 2064} 2065 2066ipv4_addr_bind() 2067{ 2068 log_section "IPv4 address binds" 2069 2070 log_subsection "No VRF" 2071 setup 2072 set_ping_group 2073 ipv4_addr_bind_novrf 2074 2075 log_subsection "With VRF" 2076 setup "yes" 2077 set_ping_group 2078 ipv4_addr_bind_vrf 2079} 2080 2081################################################################################ 2082# IPv4 runtime tests 2083 2084ipv4_rt() 2085{ 2086 local desc="$1" 2087 local varg="$2" 2088 local with_vrf="yes" 2089 local a 2090 2091 # 2092 # server tests 2093 # 2094 for a in ${NSA_IP} ${VRF_IP} 2095 do 2096 log_start 2097 run_cmd nettest ${varg} -s & 2098 wait_local_port_listen ${NSA} 12345 tcp 2099 run_cmd_nsb nettest ${varg} -r ${a} & 2100 sleep 3 2101 run_cmd ip link del ${VRF} 2102 sleep 1 2103 log_test_addr ${a} 0 0 "${desc}, global server" 2104 2105 setup ${with_vrf} 2106 done 2107 2108 for a in ${NSA_IP} ${VRF_IP} 2109 do 2110 log_start 2111 run_cmd nettest ${varg} -s -I ${VRF} & 2112 wait_local_port_listen ${NSA} 12345 tcp 2113 run_cmd_nsb nettest ${varg} -r ${a} & 2114 sleep 3 2115 run_cmd ip link del ${VRF} 2116 sleep 1 2117 log_test_addr ${a} 0 0 "${desc}, VRF server" 2118 2119 setup ${with_vrf} 2120 done 2121 2122 a=${NSA_IP} 2123 log_start 2124 run_cmd nettest ${varg} -s -I ${NSA_DEV} & 2125 wait_local_port_listen ${NSA} 12345 tcp 2126 run_cmd_nsb nettest ${varg} -r ${a} & 2127 sleep 3 2128 run_cmd ip link del ${VRF} 2129 sleep 1 2130 log_test_addr ${a} 0 0 "${desc}, enslaved device server" 2131 2132 setup ${with_vrf} 2133 2134 # 2135 # client test 2136 # 2137 log_start 2138 run_cmd_nsb nettest ${varg} -s & 2139 wait_local_port_listen ${NSB} 12345 tcp 2140 run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} & 2141 
sleep 3 2142 run_cmd ip link del ${VRF} 2143 sleep 1 2144 log_test_addr ${a} 0 0 "${desc}, VRF client" 2145 2146 setup ${with_vrf} 2147 2148 log_start 2149 run_cmd_nsb nettest ${varg} -s & 2150 wait_local_port_listen ${NSB} 12345 tcp 2151 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} & 2152 sleep 3 2153 run_cmd ip link del ${VRF} 2154 sleep 1 2155 log_test_addr ${a} 0 0 "${desc}, enslaved device client" 2156 2157 setup ${with_vrf} 2158 2159 # 2160 # local address tests 2161 # 2162 for a in ${NSA_IP} ${VRF_IP} 2163 do 2164 log_start 2165 run_cmd nettest ${varg} -s & 2166 wait_local_port_listen ${NSA} 12345 tcp 2167 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 2168 sleep 3 2169 run_cmd ip link del ${VRF} 2170 sleep 1 2171 log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local" 2172 2173 setup ${with_vrf} 2174 done 2175 2176 for a in ${NSA_IP} ${VRF_IP} 2177 do 2178 log_start 2179 run_cmd nettest ${varg} -I ${VRF} -s & 2180 wait_local_port_listen ${NSA} 12345 tcp 2181 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 2182 sleep 3 2183 run_cmd ip link del ${VRF} 2184 sleep 1 2185 log_test_addr ${a} 0 0 "${desc}, VRF server and client, local" 2186 2187 setup ${with_vrf} 2188 done 2189 2190 a=${NSA_IP} 2191 log_start 2192 2193 run_cmd nettest ${varg} -s & 2194 wait_local_port_listen ${NSA} 12345 tcp 2195 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 2196 sleep 3 2197 run_cmd ip link del ${VRF} 2198 sleep 1 2199 log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local" 2200 2201 setup ${with_vrf} 2202 2203 log_start 2204 run_cmd nettest ${varg} -I ${VRF} -s & 2205 wait_local_port_listen ${NSA} 12345 tcp 2206 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 2207 sleep 3 2208 run_cmd ip link del ${VRF} 2209 sleep 1 2210 log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local" 2211 2212 setup ${with_vrf} 2213 2214 log_start 2215 run_cmd nettest ${varg} -I ${NSA_DEV} -s & 2216 wait_local_port_listen ${NSA} 12345 tcp 2217 
run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local"
}

# Delete the VRF device while a flood ping is running, first for traffic
# coming in from ns-B and then for traffic going out through the VRF.
# log_test_addr is called with rc 0 and expected 0, so the recorded result
# does not depend on ping's exit status: the case counts as passed once the
# script gets past the device delete.
ipv4_ping_rt()
{
	local with_vrf="yes"
	local a

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd_nsb ping -f ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

		# the VRF was just deleted; rebuild the topology for the next pass
		setup ${with_vrf}
	done

	a=${NSB_IP}
	log_start
	run_cmd ping -f -I ${VRF} ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

# Entry point for the IPv4 run-time tests. Every sub-test ends by deleting
# ${VRF}, so setup "yes" is run again before each one.
ipv4_runtime()
{
	log_section "Run time tests - ipv4"

	setup "yes"
	ipv4_ping_rt

	# "-n -1" is passed as one string; ipv4_rt expands ${varg} unquoted,
	# so it reaches nettest as two separate arguments.
	setup "yes"
	ipv4_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv4_rt "TCP passive socket" "-i"
}

################################################################################
# IPv6

# IPv6 ping cases without a VRF: outbound, inbound and local traffic, then
# the same destinations blocked by ip rules and unreachable routes.
ipv6_ping_novrf()
{
	local a

	# should not have an impact, but make a known state
	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping out"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a}
		log_test_addr ${a} $? 0 "ping out, loopback address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
	do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $?
0 "ping in" 2303 done 2304 2305 # 2306 # local traffic, local address 2307 # 2308 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2309 do 2310 log_start 2311 run_cmd ${ping6} -c1 -w1 ${a} 2312 log_test_addr ${a} $? 0 "ping local, no bind" 2313 done 2314 2315 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2316 do 2317 log_start 2318 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2319 log_test_addr ${a} $? 0 "ping local, device bind" 2320 done 2321 2322 for a in ${NSA_LO_IP6} ::1 2323 do 2324 log_start 2325 show_hint "Fails since address on loopback is out of device scope" 2326 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2327 log_test_addr ${a} $? 2 "ping local, device bind" 2328 done 2329 2330 for a in ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${NSA_IP6} 2331 do 2332 log_start 2333 run_cmd ${ping6} -c1 -w1 -I ::1 ${a} 2334 log_test_addr ${a} $? 0 "ping local, from localhost" 2335 done 2336 2337 # 2338 # ip rule blocks address 2339 # 2340 log_start 2341 setup_cmd ip -6 rule add pref 32765 from all lookup local 2342 setup_cmd ip -6 rule del pref 0 from all lookup local 2343 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2344 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2345 2346 a=${NSB_LO_IP6} 2347 run_cmd ${ping6} -c1 -w1 ${a} 2348 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2349 2350 log_start 2351 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2352 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2353 2354 a=${NSA_LO_IP6} 2355 log_start 2356 show_hint "Response lost due to ip rule" 2357 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2358 log_test_addr ${a} $? 
1 "ping in, blocked by rule" 2359 2360 setup_cmd ip -6 rule add pref 0 from all lookup local 2361 setup_cmd ip -6 rule del pref 32765 from all lookup local 2362 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2363 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2364 2365 # 2366 # route blocks reachability to remote address 2367 # 2368 log_start 2369 setup_cmd ip -6 route del ${NSB_LO_IP6} 2370 setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10 2371 setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10 2372 2373 a=${NSB_LO_IP6} 2374 run_cmd ${ping6} -c1 -w1 ${a} 2375 log_test_addr ${a} $? 2 "ping out, blocked by route" 2376 2377 log_start 2378 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2379 log_test_addr ${a} $? 2 "ping out, device bind, blocked by route" 2380 2381 a=${NSA_LO_IP6} 2382 log_start 2383 show_hint "Response lost due to ip route" 2384 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2385 log_test_addr ${a} $? 1 "ping in, blocked by route" 2386 2387 2388 # 2389 # remove 'remote' routes; fallback to default 2390 # 2391 log_start 2392 setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6} 2393 setup_cmd ip -6 ro del unreachable ${NSB_IP6} 2394 2395 a=${NSB_LO_IP6} 2396 run_cmd ${ping6} -c1 -w1 ${a} 2397 log_test_addr ${a} $? 2 "ping out, unreachable route" 2398 2399 log_start 2400 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2401 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 2402} 2403 2404ipv6_ping_vrf() 2405{ 2406 local a 2407 2408 # should default on; does not exist on older kernels 2409 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 2410 2411 # 2412 # out 2413 # 2414 for a in ${NSB_IP6} ${NSB_LO_IP6} 2415 do 2416 log_start 2417 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2418 log_test_addr ${a} $? 
0 "ping out, VRF bind" 2419 done 2420 2421 for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF} 2422 do 2423 log_start 2424 show_hint "Fails since VRF device does not support linklocal or multicast" 2425 run_cmd ${ping6} -c1 -w1 ${a} 2426 log_test_addr ${a} $? 1 "ping out, VRF bind" 2427 done 2428 2429 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2430 do 2431 log_start 2432 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2433 log_test_addr ${a} $? 0 "ping out, device bind" 2434 done 2435 2436 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2437 do 2438 log_start 2439 run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a} 2440 log_test_addr ${a} $? 0 "ping out, vrf device+address bind" 2441 done 2442 2443 # 2444 # in 2445 # 2446 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV} 2447 do 2448 log_start 2449 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2450 log_test_addr ${a} $? 0 "ping in" 2451 done 2452 2453 a=${NSA_LO_IP6} 2454 log_start 2455 show_hint "Fails since loopback address is out of VRF scope" 2456 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2457 log_test_addr ${a} $? 1 "ping in" 2458 2459 # 2460 # local traffic, local address 2461 # 2462 for a in ${NSA_IP6} ${VRF_IP6} ::1 2463 do 2464 log_start 2465 show_hint "Source address should be ${a}" 2466 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2467 log_test_addr ${a} $? 0 "ping local, VRF bind" 2468 done 2469 2470 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2471 do 2472 log_start 2473 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2474 log_test_addr ${a} $? 
0 "ping local, device bind" 2475 done 2476 2477 # LLA to GUA - remove ipv6 global addresses from ns-B 2478 setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 2479 setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo 2480 setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2481 2482 for a in ${NSA_IP6} ${VRF_IP6} 2483 do 2484 log_start 2485 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 2486 log_test_addr ${a} $? 0 "ping in, LLA to GUA" 2487 done 2488 2489 setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2490 setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} 2491 setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo 2492 2493 # 2494 # ip rule blocks address 2495 # 2496 log_start 2497 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2498 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2499 2500 a=${NSB_LO_IP6} 2501 run_cmd ${ping6} -c1 -w1 ${a} 2502 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2503 2504 log_start 2505 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2506 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2507 2508 a=${NSA_LO_IP6} 2509 log_start 2510 show_hint "Response lost due to ip rule" 2511 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2512 log_test_addr ${a} $? 1 "ping in, blocked by rule" 2513 2514 log_start 2515 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2516 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2517 2518 # 2519 # remove 'remote' routes; fallback to default 2520 # 2521 log_start 2522 setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF} 2523 2524 a=${NSB_LO_IP6} 2525 run_cmd ${ping6} -c1 -w1 ${a} 2526 log_test_addr ${a} $? 2 "ping out, unreachable route" 2527 2528 log_start 2529 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2530 log_test_addr ${a} $? 
2 "ping out, device bind, unreachable route" 2531 2532 ip -netns ${NSB} -6 ro del ${NSA_LO_IP6} 2533 a=${NSA_LO_IP6} 2534 log_start 2535 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2536 log_test_addr ${a} $? 2 "ping in, unreachable route" 2537} 2538 2539ipv6_ping() 2540{ 2541 log_section "IPv6 ping" 2542 2543 log_subsection "No VRF" 2544 setup 2545 ipv6_ping_novrf 2546 setup 2547 set_ping_group 2548 ipv6_ping_novrf 2549 2550 log_subsection "With VRF" 2551 setup "yes" 2552 ipv6_ping_vrf 2553 setup "yes" 2554 set_ping_group 2555 ipv6_ping_vrf 2556} 2557 2558################################################################################ 2559# IPv6 TCP 2560 2561# 2562# MD5 tests without VRF 2563# 2564ipv6_tcp_md5_novrf() 2565{ 2566 # 2567 # single address 2568 # 2569 2570 # basic use case 2571 log_start 2572 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} & 2573 wait_local_port_listen ${NSA} 12345 tcp 2574 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2575 log_test $? 0 "MD5: Single address config" 2576 2577 # client sends MD5, server not configured 2578 log_start 2579 show_hint "Should timeout due to MD5 mismatch" 2580 run_cmd nettest -6 -s & 2581 wait_local_port_listen ${NSA} 12345 tcp 2582 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2583 log_test $? 2 "MD5: Server no config, client uses password" 2584 2585 # wrong password 2586 log_start 2587 show_hint "Should timeout since client uses wrong password" 2588 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} & 2589 wait_local_port_listen ${NSA} 12345 tcp 2590 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2591 log_test $? 2 "MD5: Client uses wrong password" 2592 2593 # client from different address 2594 log_start 2595 show_hint "Should timeout due to MD5 mismatch" 2596 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} & 2597 wait_local_port_listen ${NSA} 12345 tcp 2598 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2599 log_test $? 
2 "MD5: Client address does not match address configured with password" 2600 2601 # 2602 # MD5 extension - prefix length 2603 # 2604 2605 # client in prefix 2606 log_start 2607 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2608 wait_local_port_listen ${NSA} 12345 tcp 2609 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2610 log_test $? 0 "MD5: Prefix config" 2611 2612 # client in prefix, wrong password 2613 log_start 2614 show_hint "Should timeout since client uses wrong password" 2615 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2616 wait_local_port_listen ${NSA} 12345 tcp 2617 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2618 log_test $? 2 "MD5: Prefix config, client uses wrong password" 2619 2620 # client outside of prefix 2621 log_start 2622 show_hint "Should timeout due to MD5 mismatch" 2623 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & 2624 wait_local_port_listen ${NSA} 12345 tcp 2625 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW} 2626 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 2627} 2628 2629# 2630# MD5 tests with VRF 2631# 2632ipv6_tcp_md5() 2633{ 2634 # 2635 # single address 2636 # 2637 2638 # basic use case 2639 log_start 2640 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2641 wait_local_port_listen ${NSA} 12345 tcp 2642 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2643 log_test $? 0 "MD5: VRF: Single address config" 2644 2645 # client sends MD5, server not configured 2646 log_start 2647 show_hint "Should timeout since server does not have MD5 auth" 2648 run_cmd nettest -6 -s -I ${VRF} & 2649 wait_local_port_listen ${NSA} 12345 tcp 2650 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2651 log_test $? 
2 "MD5: VRF: Server no config, client uses password" 2652 2653 # wrong password 2654 log_start 2655 show_hint "Should timeout since client uses wrong password" 2656 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2657 wait_local_port_listen ${NSA} 12345 tcp 2658 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2659 log_test $? 2 "MD5: VRF: Client uses wrong password" 2660 2661 # client from different address 2662 log_start 2663 show_hint "Should timeout since server config differs from client" 2664 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} & 2665 wait_local_port_listen ${NSA} 12345 tcp 2666 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2667 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 2668 2669 # 2670 # MD5 extension - prefix length 2671 # 2672 2673 # client in prefix 2674 log_start 2675 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2676 wait_local_port_listen ${NSA} 12345 tcp 2677 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2678 log_test $? 0 "MD5: VRF: Prefix config" 2679 2680 # client in prefix, wrong password 2681 log_start 2682 show_hint "Should timeout since client uses wrong password" 2683 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2684 wait_local_port_listen ${NSA} 12345 tcp 2685 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2686 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 2687 2688 # client outside of prefix 2689 log_start 2690 show_hint "Should timeout since client address is outside of prefix" 2691 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2692 wait_local_port_listen ${NSA} 12345 tcp 2693 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW} 2694 log_test $? 
2 "MD5: VRF: Prefix config, client address not in configured prefix" 2695 2696 # 2697 # duplicate config between default VRF and a VRF 2698 # 2699 2700 log_start 2701 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2702 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2703 wait_local_port_listen ${NSA} 12345 tcp 2704 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2705 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 2706 2707 log_start 2708 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2709 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2710 wait_local_port_listen ${NSA} 12345 tcp 2711 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2712 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 2713 2714 log_start 2715 show_hint "Should timeout since client in default VRF uses VRF password" 2716 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2717 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2718 wait_local_port_listen ${NSA} 12345 tcp 2719 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2720 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 2721 2722 log_start 2723 show_hint "Should timeout since client in VRF uses default VRF password" 2724 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2725 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2726 wait_local_port_listen ${NSA} 12345 tcp 2727 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2728 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 2729 2730 log_start 2731 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2732 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2733 wait_local_port_listen ${NSA} 12345 tcp 2734 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2735 log_test $? 
0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 2736 2737 log_start 2738 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2739 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2740 wait_local_port_listen ${NSA} 12345 tcp 2741 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2742 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 2743 2744 log_start 2745 show_hint "Should timeout since client in default VRF uses VRF password" 2746 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2747 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2748 wait_local_port_listen ${NSA} 12345 tcp 2749 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2750 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 2751 2752 log_start 2753 show_hint "Should timeout since client in VRF uses default VRF password" 2754 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2755 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2756 wait_local_port_listen ${NSA} 12345 tcp 2757 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2758 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 2759 2760 # 2761 # negative tests 2762 # 2763 log_start 2764 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6} 2765 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 2766 2767 log_start 2768 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6} 2769 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 2770 2771} 2772 2773ipv6_tcp_novrf() 2774{ 2775 local a 2776 2777 # 2778 # server tests 2779 # 2780 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2781 do 2782 log_start 2783 run_cmd nettest -6 -s & 2784 wait_local_port_listen ${NSA} 12345 tcp 2785 run_cmd_nsb nettest -6 -r ${a} 2786 log_test_addr ${a} $? 
0 "Global server" 2787 done 2788 2789 # verify TCP reset received 2790 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2791 do 2792 log_start 2793 show_hint "Should fail 'Connection refused'" 2794 run_cmd_nsb nettest -6 -r ${a} 2795 log_test_addr ${a} $? 1 "No server" 2796 done 2797 2798 # 2799 # client 2800 # 2801 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2802 do 2803 log_start 2804 run_cmd_nsb nettest -6 -s & 2805 wait_local_port_listen ${NSB} 12345 tcp 2806 run_cmd nettest -6 -r ${a} 2807 log_test_addr ${a} $? 0 "Client" 2808 done 2809 2810 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2811 do 2812 log_start 2813 run_cmd_nsb nettest -6 -s & 2814 wait_local_port_listen ${NSB} 12345 tcp 2815 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2816 log_test_addr ${a} $? 0 "Client, device bind" 2817 done 2818 2819 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2820 do 2821 log_start 2822 show_hint "Should fail 'Connection refused'" 2823 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2824 log_test_addr ${a} $? 1 "No server, device client" 2825 done 2826 2827 # 2828 # local address tests 2829 # 2830 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 2831 do 2832 log_start 2833 run_cmd nettest -6 -s & 2834 wait_local_port_listen ${NSA} 12345 tcp 2835 run_cmd nettest -6 -r ${a} 2836 log_test_addr ${a} $? 0 "Global server, local connection" 2837 done 2838 2839 a=${NSA_IP6} 2840 log_start 2841 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2842 wait_local_port_listen ${NSA} 12345 tcp 2843 run_cmd nettest -6 -r ${a} -0 ${a} 2844 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 2845 2846 for a in ${NSA_LO_IP6} ::1 2847 do 2848 log_start 2849 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2850 run_cmd nettest -6 -s -I ${NSA_DEV} & 2851 wait_local_port_listen ${NSA} 12345 tcp 2852 run_cmd nettest -6 -r ${a} 2853 log_test_addr ${a} $? 
1 "Device server, unbound client, local connection" 2854 done 2855 2856 a=${NSA_IP6} 2857 log_start 2858 run_cmd nettest -6 -s & 2859 wait_local_port_listen ${NSA} 12345 tcp 2860 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2861 log_test_addr ${a} $? 0 "Global server, device client, local connection" 2862 2863 for a in ${NSA_LO_IP6} ::1 2864 do 2865 log_start 2866 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2867 run_cmd nettest -6 -s & 2868 wait_local_port_listen ${NSA} 12345 tcp 2869 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2870 log_test_addr ${a} $? 1 "Global server, device client, local connection" 2871 done 2872 2873 for a in ${NSA_IP6} ${NSA_LINKIP6} 2874 do 2875 log_start 2876 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2877 wait_local_port_listen ${NSA} 12345 tcp 2878 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2879 log_test_addr ${a} $? 0 "Device server, device client, local conn" 2880 done 2881 2882 for a in ${NSA_IP6} ${NSA_LINKIP6} 2883 do 2884 log_start 2885 show_hint "Should fail 'Connection refused'" 2886 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2887 log_test_addr ${a} $? 1 "No server, device client, local conn" 2888 done 2889 2890 [ "$fips_enabled" = "1" ] || ipv6_tcp_md5_novrf 2891} 2892 2893ipv6_tcp_vrf() 2894{ 2895 local a 2896 2897 # disable global server 2898 log_subsection "Global server disabled" 2899 2900 set_sysctl net.ipv4.tcp_l3mdev_accept=0 2901 2902 # 2903 # server tests 2904 # 2905 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2906 do 2907 log_start 2908 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2909 run_cmd nettest -6 -s & 2910 wait_local_port_listen ${NSA} 12345 tcp 2911 run_cmd_nsb nettest -6 -r ${a} 2912 log_test_addr ${a} $? 
1 "Global server" 2913 done 2914 2915 for a in ${NSA_IP6} ${VRF_IP6} 2916 do 2917 log_start 2918 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2919 wait_local_port_listen ${NSA} 12345 tcp 2920 run_cmd_nsb nettest -6 -r ${a} 2921 log_test_addr ${a} $? 0 "VRF server" 2922 done 2923 2924 # link local is always bound to ingress device 2925 a=${NSA_LINKIP6}%${NSB_DEV} 2926 log_start 2927 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2928 wait_local_port_listen ${NSA} 12345 tcp 2929 run_cmd_nsb nettest -6 -r ${a} 2930 log_test_addr ${a} $? 0 "VRF server" 2931 2932 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2933 do 2934 log_start 2935 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2936 wait_local_port_listen ${NSA} 12345 tcp 2937 run_cmd_nsb nettest -6 -r ${a} 2938 log_test_addr ${a} $? 0 "Device server" 2939 done 2940 2941 # verify TCP reset received 2942 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2943 do 2944 log_start 2945 show_hint "Should fail 'Connection refused'" 2946 run_cmd_nsb nettest -6 -r ${a} 2947 log_test_addr ${a} $? 1 "No server" 2948 done 2949 2950 # local address tests 2951 a=${NSA_IP6} 2952 log_start 2953 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2954 run_cmd nettest -6 -s & 2955 wait_local_port_listen ${NSA} 12345 tcp 2956 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2957 log_test_addr ${a} $? 1 "Global server, local connection" 2958 2959 # run MD5 tests 2960 if [ "$fips_enabled" = "0" ]; then 2961 setup_vrf_dup 2962 ipv6_tcp_md5 2963 cleanup_vrf_dup 2964 fi 2965 2966 # 2967 # enable VRF global server 2968 # 2969 log_subsection "VRF Global server enabled" 2970 set_sysctl net.ipv4.tcp_l3mdev_accept=1 2971 2972 for a in ${NSA_IP6} ${VRF_IP6} 2973 do 2974 log_start 2975 run_cmd nettest -6 -s -3 ${VRF} & 2976 wait_local_port_listen ${NSA} 12345 tcp 2977 run_cmd_nsb nettest -6 -r ${a} 2978 log_test_addr ${a} $? 
0 "Global server" 2979 done 2980 2981 for a in ${NSA_IP6} ${VRF_IP6} 2982 do 2983 log_start 2984 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2985 wait_local_port_listen ${NSA} 12345 tcp 2986 run_cmd_nsb nettest -6 -r ${a} 2987 log_test_addr ${a} $? 0 "VRF server" 2988 done 2989 2990 # For LLA, child socket is bound to device 2991 a=${NSA_LINKIP6}%${NSB_DEV} 2992 log_start 2993 run_cmd nettest -6 -s -3 ${NSA_DEV} & 2994 wait_local_port_listen ${NSA} 12345 tcp 2995 run_cmd_nsb nettest -6 -r ${a} 2996 log_test_addr ${a} $? 0 "Global server" 2997 2998 log_start 2999 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 3000 wait_local_port_listen ${NSA} 12345 tcp 3001 run_cmd_nsb nettest -6 -r ${a} 3002 log_test_addr ${a} $? 0 "VRF server" 3003 3004 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 3005 do 3006 log_start 3007 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3008 wait_local_port_listen ${NSA} 12345 tcp 3009 run_cmd_nsb nettest -6 -r ${a} 3010 log_test_addr ${a} $? 0 "Device server" 3011 done 3012 3013 # verify TCP reset received 3014 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 3015 do 3016 log_start 3017 show_hint "Should fail 'Connection refused'" 3018 run_cmd_nsb nettest -6 -r ${a} 3019 log_test_addr ${a} $? 1 "No server" 3020 done 3021 3022 # local address tests 3023 for a in ${NSA_IP6} ${VRF_IP6} 3024 do 3025 log_start 3026 show_hint "Fails 'Connection refused' since client is not in VRF" 3027 run_cmd nettest -6 -s -I ${VRF} & 3028 wait_local_port_listen ${NSA} 12345 tcp 3029 run_cmd nettest -6 -r ${a} 3030 log_test_addr ${a} $? 1 "Global server, local connection" 3031 done 3032 3033 3034 # 3035 # client 3036 # 3037 for a in ${NSB_IP6} ${NSB_LO_IP6} 3038 do 3039 log_start 3040 run_cmd_nsb nettest -6 -s & 3041 wait_local_port_listen ${NSB} 12345 tcp 3042 run_cmd nettest -6 -r ${a} -d ${VRF} 3043 log_test_addr ${a} $? 
0 "Client, VRF bind" 3044 done 3045 3046 a=${NSB_LINKIP6} 3047 log_start 3048 show_hint "Fails since VRF device does not allow linklocal addresses" 3049 run_cmd_nsb nettest -6 -s & 3050 wait_local_port_listen ${NSB} 12345 tcp 3051 run_cmd nettest -6 -r ${a} -d ${VRF} 3052 log_test_addr ${a} $? 1 "Client, VRF bind" 3053 3054 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 3055 do 3056 log_start 3057 run_cmd_nsb nettest -6 -s & 3058 wait_local_port_listen ${NSB} 12345 tcp 3059 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 3060 log_test_addr ${a} $? 0 "Client, device bind" 3061 done 3062 3063 for a in ${NSB_IP6} ${NSB_LO_IP6} 3064 do 3065 log_start 3066 show_hint "Should fail 'Connection refused'" 3067 run_cmd nettest -6 -r ${a} -d ${VRF} 3068 log_test_addr ${a} $? 1 "No server, VRF client" 3069 done 3070 3071 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 3072 do 3073 log_start 3074 show_hint "Should fail 'Connection refused'" 3075 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 3076 log_test_addr ${a} $? 1 "No server, device client" 3077 done 3078 3079 for a in ${NSA_IP6} ${VRF_IP6} ::1 3080 do 3081 log_start 3082 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 3083 wait_local_port_listen ${NSA} 12345 tcp 3084 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 3085 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 3086 done 3087 3088 a=${NSA_IP6} 3089 log_start 3090 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 3091 wait_local_port_listen ${NSA} 12345 tcp 3092 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 3093 log_test_addr ${a} $? 0 "VRF server, device client, local connection" 3094 3095 a=${NSA_IP6} 3096 log_start 3097 show_hint "Should fail since unbound client is out of VRF scope" 3098 run_cmd nettest -6 -s -I ${VRF} & 3099 wait_local_port_listen ${NSA} 12345 tcp 3100 run_cmd nettest -6 -r ${a} 3101 log_test_addr ${a} $? 
1 "VRF server, unbound client, local connection"

	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 tcp
	run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"

	for a in ${NSA_IP6} ${NSA_LINKIP6}
	do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
		log_test_addr ${a} $? 0 "Device server, device client, local connection"
	done
}

# Entry point for the IPv6 TCP tests: runs the no-VRF cases twice, once with
# tcp_l3mdev_accept off and once with it on, then rebuilds the topology with
# setup "yes" and runs the VRF cases.
ipv6_tcp()
{
	log_section "IPv6/TCP"
	log_subsection "No VRF"
	setup

	# tcp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "tcp_l3mdev_accept disabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=0
	ipv6_tcp_novrf
	log_subsection "tcp_l3mdev_accept enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1
	ipv6_tcp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_tcp_vrf
}

################################################################################
# IPv6 UDP

# IPv6 UDP cases without a VRF: server in ns-A, client in ns-A, and local
# connections, each with and without a device bind.
ipv6_udp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Device server"
	done

	a=${NSA_LO_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd_nsb nettest -6 -D -r ${a}
	log_test_addr ${a} $?
0 "Global server" 3170 3171 # should fail since loopback address is out of scope for a device 3172 # bound server, but it does not - hence this is more documenting 3173 # behavior. 3174 #log_start 3175 #show_hint "Should fail since loopback address is out of scope" 3176 #run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3177 wait_local_port_listen ${NSA} 12345 udp 3178 #run_cmd_nsb nettest -6 -D -r ${a} 3179 #log_test_addr ${a} $? 1 "Device server" 3180 3181 # negative test - should fail 3182 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 3183 do 3184 log_start 3185 show_hint "Should fail 'Connection refused' since there is no server" 3186 run_cmd_nsb nettest -6 -D -r ${a} 3187 log_test_addr ${a} $? 1 "No server" 3188 done 3189 3190 # 3191 # client 3192 # 3193 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 3194 do 3195 log_start 3196 run_cmd_nsb nettest -6 -D -s & 3197 wait_local_port_listen ${NSB} 12345 udp 3198 run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6} 3199 log_test_addr ${a} $? 0 "Client" 3200 3201 log_start 3202 run_cmd_nsb nettest -6 -D -s & 3203 wait_local_port_listen ${NSB} 12345 udp 3204 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6} 3205 log_test_addr ${a} $? 0 "Client, device bind" 3206 3207 log_start 3208 run_cmd_nsb nettest -6 -D -s & 3209 wait_local_port_listen ${NSB} 12345 udp 3210 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6} 3211 log_test_addr ${a} $? 0 "Client, device send via cmsg" 3212 3213 log_start 3214 run_cmd_nsb nettest -6 -D -s & 3215 wait_local_port_listen ${NSB} 12345 udp 3216 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6} 3217 log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF" 3218 3219 log_start 3220 show_hint "Should fail 'Connection refused'" 3221 run_cmd nettest -6 -D -r ${a} 3222 log_test_addr ${a} $? 
1 "No server, unbound client" 3223 3224 log_start 3225 show_hint "Should fail 'Connection refused'" 3226 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3227 log_test_addr ${a} $? 1 "No server, device client" 3228 done 3229 3230 # 3231 # local address tests 3232 # 3233 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 3234 do 3235 log_start 3236 run_cmd nettest -6 -D -s & 3237 wait_local_port_listen ${NSA} 12345 udp 3238 run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a} 3239 log_test_addr ${a} $? 0 "Global server, local connection" 3240 done 3241 3242 a=${NSA_IP6} 3243 log_start 3244 run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 3245 wait_local_port_listen ${NSA} 12345 udp 3246 run_cmd nettest -6 -D -r ${a} 3247 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 3248 3249 for a in ${NSA_LO_IP6} ::1 3250 do 3251 log_start 3252 show_hint "Should fail 'Connection refused' since address is out of device scope" 3253 run_cmd nettest -6 -s -D -I ${NSA_DEV} & 3254 wait_local_port_listen ${NSA} 12345 udp 3255 run_cmd nettest -6 -D -r ${a} 3256 log_test_addr ${a} $? 1 "Device server, local connection" 3257 done 3258 3259 a=${NSA_IP6} 3260 log_start 3261 run_cmd nettest -6 -s -D & 3262 wait_local_port_listen ${NSA} 12345 udp 3263 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3264 log_test_addr ${a} $? 0 "Global server, device client, local connection" 3265 3266 log_start 3267 run_cmd nettest -6 -s -D & 3268 wait_local_port_listen ${NSA} 12345 udp 3269 run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a} 3270 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 3271 3272 log_start 3273 run_cmd nettest -6 -s -D & 3274 wait_local_port_listen ${NSA} 12345 udp 3275 run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a} 3276 log_test_addr ${a} $? 
0 "Global server, device client via IPV6_UNICAST_IF, local connection" 3277 3278 for a in ${NSA_LO_IP6} ::1 3279 do 3280 log_start 3281 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3282 run_cmd nettest -6 -D -s & 3283 wait_local_port_listen ${NSA} 12345 udp 3284 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3285 log_test_addr ${a} $? 1 "Global server, device client, local connection" 3286 3287 log_start 3288 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3289 run_cmd nettest -6 -D -s & 3290 wait_local_port_listen ${NSA} 12345 udp 3291 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C 3292 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 3293 3294 log_start 3295 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3296 run_cmd nettest -6 -D -s & 3297 wait_local_port_listen ${NSA} 12345 udp 3298 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S 3299 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 3300 3301 log_start 3302 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3303 run_cmd nettest -6 -D -s & 3304 wait_local_port_listen ${NSA} 12345 udp 3305 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -U 3306 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()" 3307 done 3308 3309 a=${NSA_IP6} 3310 log_start 3311 run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3312 wait_local_port_listen ${NSA} 12345 udp 3313 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a} 3314 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3315 3316 log_start 3317 show_hint "Should fail 'Connection refused'" 3318 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3319 log_test_addr ${a} $? 
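1 "No server, device client, local conn"

	# LLA to GUA
	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -D &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
	log_test $? 0 "UDP in - LLA to GUA"

	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}

# IPv6 UDP tests for the VRF configuration.
#
# The server, client and local-connection permutations run twice: first
# with net.ipv4.udp_l3mdev_accept=0, where a server bound to neither the
# VRF nor the device is expected to be unreachable (rc 1), then with the
# sysctl set to 1, where the "global" server is expected to answer (rc 0).
# Anyone relying on a VRF to keep an unbound UDP listener out of reach
# should therefore check this sysctl.
#
# Every log_test/log_test_addr must directly follow the command whose exit
# status it records; do not insert commands between them.
ipv6_udp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server is disabled"
		run_cmd nettest -6 -D -s &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"
	done

	# negative test - should fail
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server is disabled"
		run_cmd nettest -6 -D -s &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "Global server, VRF client, local conn"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${VRF} -s &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
	done

	a=${NSA_IP6}
	log_start
	show_hint "Should fail 'Connection refused' since global server is disabled"
	run_cmd nettest -6 -D -s &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "Global server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"

	# enable global server
	log_subsection "Global server enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		wait_local_port_listen ${NSA} 12345 udp
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"
	done

	# negative test - should fail
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client tests
	#
	log_start
	run_cmd_nsb nettest -6 -D -s &
	wait_local_port_listen ${NSB} 12345 udp
	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
	log_test $? 0 "VRF client"

	# negative test - should fail
	log_start
	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
	log_test $? 1 "No server, VRF client"

	log_start
	run_cmd_nsb nettest -6 -D -s &
	wait_local_port_listen ${NSB} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
	log_test $? 0 "Enslaved device client"

	# negative test - should fail
	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
	log_test $? 1 "No server, enslaved device client"

	#
	# local address tests
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

	# log_start was commented out here; restored so this test starts like
	# every other one in the function
	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"


	a=${VRF_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${VRF} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"

	# negative test - should fail
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
	done

	# device to global IP
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "No server, device client, local conn"


	# link local addresses
	log_start
	run_cmd nettest -6 -D -s &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
	log_test $? 0 "Global server, linklocal IP"

	log_start
	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
	log_test $? 1 "No server, linklocal IP"


	log_start
	run_cmd_nsb nettest -6 -D -s &
	wait_local_port_listen ${NSB} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
	log_test $? 0 "Enslaved device client, linklocal IP"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
	log_test $? 1 "No server, device client, peer linklocal IP"


	log_start
	run_cmd nettest -6 -D -s &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
	log_test $? 0 "Enslaved device client, local conn - linklocal IP"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
	log_test $? 1 "No server, device client, local conn - linklocal IP"

	# LLA to GUA
	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -D &
	wait_local_port_listen ${NSA} 12345 udp
	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
	log_test $? 0 "UDP in - LLA to GUA"

	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}

# Entry point for the IPv6 UDP group: runs the no-VRF tests with
# udp_l3mdev_accept both disabled and enabled, then the VRF tests.
ipv6_udp()
{
	# should not matter, but set to known state
	set_sysctl net.ipv4.udp_early_demux=1

	log_section "IPv6/UDP"
	log_subsection "No VRF"
	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv6_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv6_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_udp_vrf
}

################################################################################
# IPv6 address bind

# Address bind tests without a VRF: raw and TCP sockets bound to local,
# loopback and non-local addresses, with and without a device bind.
ipv6_addr_bind_novrf()
{
	# keep the loop variable out of the global scope, as the other
	# test functions do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# raw socket with nonlocal bind
	#
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

	#
	# tcp sockets
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. So this test passes
	# when it really should not
	a=${NSA_LO_IP6}
	log_start
	show_hint "Technically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
}

# Address bind tests with the device enslaved to the VRF. Binding to an
# address on loopback is expected to fail (rc 1) once the socket is bound
# to the VRF or to the enslaved device; binding to the VRF address with a
# device bind is expected to succeed, as documented below.
ipv6_addr_bind_vrf()
{
	# keep the loop variable out of the global scope, as the other
	# test functions do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"

	#
	# raw socket with nonlocal bind
	#
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	#
	# tcp sockets
	#
	# address on enslaved device is valid for the VRF or device in a VRF
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not
	a=${VRF_IP6}
	log_start
	show_hint "Technically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"

}

# Entry point for the IPv6 address bind group (no-VRF, then VRF).
ipv6_addr_bind()
{
	log_section "IPv6 address binds"

	log_subsection "No VRF"
	setup
	ipv6_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_addr_bind_vrf
}

################################################################################
# IPv6 runtime tests

# Delete the VRF device while a server and a client are still running.
#
# Arguments: $1 - description used as the prefix of each test name
#            $2 - extra nettest options, deliberately word-split
#
# Each result is logged with rc 0 and expected 0, so these entries always
# report OK. NOTE(review): presumably the point is that deleting the VRF
# under live traffic neither hangs nor crashes the kernel - confirm.
ipv6_rt()
{
	local desc="$1"
	local varg="-6 $2"
	local with_vrf="yes"
	local proto="tcp"
	local a

	# -D selects the UDP variant of a test, so wait on the UDP port
	# instead of a TCP listener that never appears
	case " $2 " in
	*" -D "*) proto="udp";;
	esac

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		wait_local_port_listen ${NSA} 12345 ${proto}
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		wait_local_port_listen ${NSA} 12345 ${proto}
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${NSA_DEV} -s &
		wait_local_port_listen ${NSA} 12345 ${proto}
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, enslaved device server"

		setup ${with_vrf}
	done

	#
	# client test
	#
	log_start
	run_cmd_nsb nettest ${varg} -s &
	wait_local_port_listen ${NSB} 12345 ${proto}
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	wait_local_port_listen ${NSB} 12345 ${proto}
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, enslaved device client"

	setup ${with_vrf}


	#
	# local address tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		wait_local_port_listen ${NSA} 12345 ${proto}
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server, VRF client"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		wait_local_port_listen ${NSA} 12345 ${proto}
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server and client"

		setup ${with_vrf}
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest ${varg} -s &
	wait_local_port_listen ${NSA} 12345 ${proto}
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, global server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${VRF} -s &
	wait_local_port_listen ${NSA} 12345 ${proto}
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
	wait_local_port_listen ${NSA} 12345 ${proto}
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, device server, device client"
}

# Delete the VRF device while a flood ping (-f) runs in the background,
# once inbound from ns-B and once outbound through the VRF. The pings are
# stopped by kill_procs, which log_test calls after recording the result.
ipv6_ping_rt()
{
	local with_vrf="yes"
	local a

	a=${NSA_IP6}
	log_start
	run_cmd_nsb ${ping6} -f ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

	setup ${with_vrf}

	log_start
	run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
	sleep 1
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

# Entry point for the IPv6 runtime group; the VRF setup is rebuilt before
# each sub-test because every sub-test ends with the VRF deleted.
ipv6_runtime()
{
	log_section "Run time tests - ipv6"

	setup "yes"
	ipv6_ping_rt

	setup "yes"
	ipv6_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv6_rt "TCP passive socket" "-i"

	setup "yes"
	ipv6_rt "UDP active socket" "-D -n -1"
}

################################################################################
# netfilter blocking connections

# With the tcp-reset REJECT rule installed by ipv4_netfilter, a client in
# ns-B is expected to fail (rc 1) against a global server in ns-A.
netfilter_tcp_reset()
{
	local a

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

# With the icmp-port-unreachable REJECT rules installed by ipv4_netfilter,
# a client in ns-B is expected to fail (rc 1).
#
# Arguments: $1 - "TCP" or "UDP"
netfilter_icmp()
{
	local stype="$1"
	local arg
	local proto="tcp"
	local a

	# UDP: pass -D to nettest and wait on the UDP port; the original
	# always waited for a TCP listener, which a UDP server never opens
	if [ "${stype}" = "UDP" ]; then
		arg="-D"
		proto="udp"
	fi

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${arg} -s &
		wait_local_port_listen ${NSA} 12345 ${proto}
		run_cmd_nsb nettest ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}

# Entry point for the IPv4 netfilter group: installs REJECT rules for port
# 12345 on INPUT, runs the reject tests and flushes the rules again.
ipv4_netfilter()
{
	log_section "IPv4 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp_reset

	log_start
	log_subsection "ICMP unreachable"

	log_start
	run_cmd iptables -F
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
	run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable

	netfilter_icmp "TCP"
	netfilter_icmp "UDP"

	log_start
	# Flush through run_cmd, like the flush above: the rules were added
	# with run_cmd, and a bare "iptables -F" acts on the namespace the
	# script itself runs in (normally the host) and would wipe the filter
	# rules there instead.
	# NOTE(review): run_cmd is defined outside this section; presumably
	# it executes the command in ns-A - confirm.
	run_cmd iptables -F
}

# IPv6 counterpart of netfilter_tcp_reset.
netfilter_tcp6_reset()
{
	local a

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s &
		wait_local_port_listen ${NSA} 12345 tcp
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

# IPv6 counterpart of netfilter_icmp.
#
# Arguments: $1 - "TCP" or "UDP"
netfilter_icmp6()
{
	local stype="$1"
	local arg
	local proto="tcp"
	local a

	# UDP: pass -D to nettest and wait on the UDP port; the original
	# always waited for a TCP listener, which a UDP server never opens
	if [ "${stype}" = "UDP" ]; then
		arg="-D"
		proto="udp"
	fi

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s ${arg} &
		wait_local_port_listen ${NSA} 12345 ${proto}
		run_cmd_nsb nettest -6 ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}

# Entry point for the IPv6 netfilter group; mirrors ipv4_netfilter with
# ip6tables.
ipv6_netfilter()
{
	log_section "IPv6 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp6_reset

	log_subsection "ICMP unreachable"

	log_start
	run_cmd ip6tables -F
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
	run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable

	netfilter_icmp6 "TCP"
	netfilter_icmp6 "UDP"

	log_start
	# Flush through run_cmd, like the flush above: the rules were added
	# with run_cmd, and a bare "ip6tables -F" acts on the namespace the
	# script itself runs in (normally the host) and would wipe the filter
	# rules there instead.
	# NOTE(review): run_cmd is defined outside this section; presumably
	# it executes the command in ns-A - confirm.
	run_cmd ip6tables -F
}

################################################################################
# specific use cases

# VRF only.
# ns-A device enslaved to bridge. Verify traffic with and without
# br_netfilter module loaded. Repeat with SVI on bridge.
#
# NOTE: rmmod/modprobe below are not wrapped in setup_cmd/run_cmd, and
# kernel modules are system-wide: this changes br_netfilter state for the
# whole machine, and the module is left loaded on return whenever the last
# modprobe succeeds.
use_case_br()
{
	setup "yes"

	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
	setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64

	setup_cmd ip link add br0 type bridge
	setup_cmd ip addr add dev br0 ${NSA_IP}/24
	setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad

	setup_cmd ip li set ${NSA_DEV} master br0
	setup_cmd ip li set ${NSA_DEV} up
	setup_cmd ip li set br0 up
	setup_cmd ip li set br0 vrf ${VRF}

	# best effort: the module may simply not be loaded
	rmmod br_netfilter 2>/dev/null
	sleep 5 # DAD

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 ${NSA_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping in"

	# the br_netfilter variants run only when the module can be loaded
	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out"

		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 ${NSA_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in"
	fi

	setup_cmd ip li set br0 nomaster
	setup_cmd ip li add br0.100 link br0 type vlan id 100
	setup_cmd ip li set br0.100 vrf ${VRF} up
	setup_cmd ip addr add dev br0.100 172.16.101.1/24
	setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad

	setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
	setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
	setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
	setup_cmd_nsb ip li set vlan100 up
	sleep 1

	rmmod br_netfilter 2>/dev/null

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 172.16.101.1
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"

	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out"

		# the two "ping in" names below lacked "with br_netfilter" and so
		# duplicated the names of the tests run without the module
		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 172.16.101.1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping in"
	fi

	setup_cmd ip li del br0 2>/dev/null
	setup_cmd_nsb ip li del vlan100 2>/dev/null
}

# VRF only.
# ns-A device is connected to both ns-B and ns-C on a single VRF but only has
# LLA on the interfaces
use_case_ping_lla_multi()
{
	setup_lla_only
	# only want reply from ns-A
	setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
	setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B"

	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C"

	# cycle/flap the first ns-A interface
	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip link set ${NSA_DEV} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C"

	# cycle/flap the second ns-A interface
	setup_cmd ip link set ${NSA_DEV2} down
	setup_cmd ip link set ${NSA_DEV2} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C"
}

# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully
# established with ns-B.
# The cleanup deletes exactly the two rules added here (-D with the same
# rule specification) rather than flushing the nat table.
use_case_snat_on_vrf()
{
	setup "yes"

	local port="12345"

	run_cmd iptables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}

	run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} &
	wait_local_port_listen ${NSB} ${port} tcp
	run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port}
	log_test $? 0 "IPv4 TCP connection over VRF with SNAT"

	run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} &
	wait_local_port_listen ${NSB} ${port} tcp
	run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port}
	log_test $? 0 "IPv6 TCP connection over VRF with SNAT"

	# Cleanup
	run_cmd iptables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
}

# Entry point for the use-case group.
use_cases()
{
	log_section "Use cases"
	log_subsection "Device enslaved to bridge"
	use_case_br
	log_subsection "Ping LLA with multiple interfaces"
	use_case_ping_lla_multi
	log_subsection "SNAT on VRF"
	use_case_snat_on_vrf
}

################################################################################
# usage

# Print the option summary and the list of test names to stdout.
usage()
{
	cat <<EOF
usage: ${0##*/} OPTS

	-4          IPv4 tests only
	-6          IPv6 tests only
	-t <test>   Test name/set to run
	-p          Pause on fail
	-P          Pause after each test
	-v          Be verbose

Tests:
	$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER
EOF
}

################################################################################
# main

TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter"
TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter"
TESTS_OTHER="use_cases"
# note: each TEST_ group needs a dedicated runner, e.g. fcnal-ipv4.sh

PAUSE_ON_FAIL=no
PAUSE=no

while getopts :46t:pPvh o
do
	case $o in
		4) TESTS=ipv4;;
		6) TESTS=ipv6;;
		t) TESTS=$OPTARG;;
		p) PAUSE_ON_FAIL=yes;;
		P) PAUSE=yes;;
		v) VERBOSE=1;;
		h) usage; exit 0;;
		*) usage; exit 1;;
	esac
done

# make sure we don't pause twice
[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no

#
# show user test config
#
if [ -z "$TESTS" ]; then
	TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
elif [ "$TESTS" = "ipv4" ]; then
	TESTS="$TESTS_IPV4"
elif [ "$TESTS" = "ipv6" ]; then
	TESTS="$TESTS_IPV6"
elif [ "$TESTS" = "other" ]; then
	TESTS="$TESTS_OTHER"
fi

check_gen_prog "nettest"

declare -i nfail=0
declare -i nsuccess=0

# $TESTS is deliberately unquoted: it is a space-separated list of names
for t in $TESTS
do
	case $t in
	ipv4_ping|ping)  ipv4_ping;;
	ipv4_tcp|tcp)    ipv4_tcp;;
	ipv4_udp|udp)    ipv4_udp;;
	ipv4_bind|bind)  ipv4_addr_bind;;
	ipv4_runtime)    ipv4_runtime;;
	ipv4_netfilter)  ipv4_netfilter;;

	ipv6_ping|ping6) ipv6_ping;;
	ipv6_tcp|tcp6)   ipv6_tcp;;
	ipv6_udp|udp6)   ipv6_udp;;
	ipv6_bind|bind6) ipv6_addr_bind;;
	ipv6_runtime)    ipv6_runtime;;
	ipv6_netfilter)  ipv6_netfilter;;

	use_cases)       use_cases;;

	# setup namespaces and config, but do not run any tests
	setup)		 setup; exit 0;;
	vrf_setup)	 setup "yes"; exit 0;;

	# a mistyped name used to be skipped silently; say so, but keep going
	*)		 echo "Unknown test: ${t}" >&2;;
	esac
done

cleanup 2>/dev/null

printf "\nTests passed: %3d\n" ${nsuccess}
printf "Tests failed: %3d\n"   ${nfail}

if [ $nfail -ne 0 ]; then
	exit 1 # KSFT_FAIL
elif [ $nsuccess -eq 0 ]; then
	exit $ksft_skip
fi

exit 0 # KSFT_PASS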