xref: /linux/tools/testing/selftests/net/fcnal-test.sh (revision 15a1fbdcfb519c2bd291ed01c6c94e0b89537a77)
1#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0
3#
4# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
5#
6# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
7# for various permutations:
8#   1. icmp, tcp, udp and netfilter
9#   2. client, server, no-server
10#   3. global address on interface
11#   4. global address on 'lo'
12#   5. remote and local traffic
13#   6. VRF and non-VRF permutations
14#
15# Setup:
16#                     ns-A     |     ns-B
17# No VRF case:
18#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
19#                                                remote address
20# VRF case:
21#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
22#
23# ns-A:
24#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
25#       lo: 127.0.0.1/8, ::1/128
26#           172.16.2.1/32, 2001:db8:2::1/128
27#      red: 127.0.0.1/8, ::1/128
28#           172.16.3.1/32, 2001:db8:3::1/128
29#
30# ns-B:
31#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
32#      lo2: 127.0.0.1/8, ::1/128
33#           172.16.2.2/32, 2001:db8:2::2/128
34#
35# ns-A to ns-C connection - only for VRF and same config
36# as ns-A to ns-B
37#
38# server / client nomenclature relative to ns-A
39
40VERBOSE=0
41
42NSA_DEV=eth1
43NSA_DEV2=eth2
44NSB_DEV=eth1
45NSC_DEV=eth2
46VRF=red
47VRF_TABLE=1101
48
49# IPv4 config
50NSA_IP=172.16.1.1
51NSB_IP=172.16.1.2
52VRF_IP=172.16.3.1
53NS_NET=172.16.1.0/24
54
55# IPv6 config
56NSA_IP6=2001:db8:1::1
57NSB_IP6=2001:db8:1::2
58VRF_IP6=2001:db8:3::1
59NS_NET6=2001:db8:1::/120
60
61NSA_LO_IP=172.16.2.1
62NSB_LO_IP=172.16.2.2
63NSA_LO_IP6=2001:db8:2::1
64NSB_LO_IP6=2001:db8:2::2
65
66MD5_PW=abc123
67MD5_WRONG_PW=abc1234
68
69MCAST=ff02::1
70# set after namespace create
71NSA_LINKIP6=
72NSB_LINKIP6=
73
74NSA=ns-A
75NSB=ns-B
76NSC=ns-C
77
78NSA_CMD="ip netns exec ${NSA}"
79NSB_CMD="ip netns exec ${NSB}"
80NSC_CMD="ip netns exec ${NSC}"
81
82which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)
83
84################################################################################
85# utilities
86
87log_test()
88{
89	local rc=$1
90	local expected=$2
91	local msg="$3"
92
93	[ "${VERBOSE}" = "1" ] && echo
94
95	if [ ${rc} -eq ${expected} ]; then
96		nsuccess=$((nsuccess+1))
97		printf "TEST: %-70s  [ OK ]\n" "${msg}"
98	else
99		nfail=$((nfail+1))
100		printf "TEST: %-70s  [FAIL]\n" "${msg}"
101		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
102			echo
103			echo "hit enter to continue, 'q' to quit"
104			read a
105			[ "$a" = "q" ] && exit 1
106		fi
107	fi
108
109	if [ "${PAUSE}" = "yes" ]; then
110		echo
111		echo "hit enter to continue, 'q' to quit"
112		read a
113		[ "$a" = "q" ] && exit 1
114	fi
115
116	kill_procs
117}
118
119log_test_addr()
120{
121	local addr=$1
122	local rc=$2
123	local expected=$3
124	local msg="$4"
125	local astr
126
127	astr=$(addr2str ${addr})
128	log_test $rc $expected "$msg - ${astr}"
129}
130
131log_section()
132{
133	echo
134	echo "###########################################################################"
135	echo "$*"
136	echo "###########################################################################"
137	echo
138}
139
140log_subsection()
141{
142	echo
143	echo "#################################################################"
144	echo "$*"
145	echo
146}
147
148log_start()
149{
150	# make sure we have no test instances running
151	kill_procs
152
153	if [ "${VERBOSE}" = "1" ]; then
154		echo
155		echo "#######################################################"
156	fi
157}
158
159log_debug()
160{
161	if [ "${VERBOSE}" = "1" ]; then
162		echo
163		echo "$*"
164		echo
165	fi
166}
167
168show_hint()
169{
170	if [ "${VERBOSE}" = "1" ]; then
171		echo "HINT: $*"
172		echo
173	fi
174}
175
176kill_procs()
177{
178	killall nettest ping ping6 >/dev/null 2>&1
179	sleep 1
180}
181
182do_run_cmd()
183{
184	local cmd="$*"
185	local out
186
187	if [ "$VERBOSE" = "1" ]; then
188		echo "COMMAND: ${cmd}"
189	fi
190
191	out=$($cmd 2>&1)
192	rc=$?
193	if [ "$VERBOSE" = "1" -a -n "$out" ]; then
194		echo "$out"
195	fi
196
197	return $rc
198}
199
200run_cmd()
201{
202	do_run_cmd ${NSA_CMD} $*
203}
204
205run_cmd_nsb()
206{
207	do_run_cmd ${NSB_CMD} $*
208}
209
210run_cmd_nsc()
211{
212	do_run_cmd ${NSC_CMD} $*
213}
214
215setup_cmd()
216{
217	local cmd="$*"
218	local rc
219
220	run_cmd ${cmd}
221	rc=$?
222	if [ $rc -ne 0 ]; then
223		# show user the command if not done so already
224		if [ "$VERBOSE" = "0" ]; then
225			echo "setup command: $cmd"
226		fi
227		echo "failed. stopping tests"
228		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
229			echo
230			echo "hit enter to continue"
231			read a
232		fi
233		exit $rc
234	fi
235}
236
237setup_cmd_nsb()
238{
239	local cmd="$*"
240	local rc
241
242	run_cmd_nsb ${cmd}
243	rc=$?
244	if [ $rc -ne 0 ]; then
245		# show user the command if not done so already
246		if [ "$VERBOSE" = "0" ]; then
247			echo "setup command: $cmd"
248		fi
249		echo "failed. stopping tests"
250		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
251			echo
252			echo "hit enter to continue"
253			read a
254		fi
255		exit $rc
256	fi
257}
258
259# set sysctl values in NS-A
260set_sysctl()
261{
262	echo "SYSCTL: $*"
263	echo
264	run_cmd sysctl -q -w $*
265}
266
267################################################################################
268# Setup for tests
269
270addr2str()
271{
272	case "$1" in
273	127.0.0.1) echo "loopback";;
274	::1) echo "IPv6 loopback";;
275
276	${NSA_IP})	echo "ns-A IP";;
277	${NSA_IP6})	echo "ns-A IPv6";;
278	${NSA_LO_IP})	echo "ns-A loopback IP";;
279	${NSA_LO_IP6})	echo "ns-A loopback IPv6";;
280	${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;
281
282	${NSB_IP})	echo "ns-B IP";;
283	${NSB_IP6})	echo "ns-B IPv6";;
284	${NSB_LO_IP})	echo "ns-B loopback IP";;
285	${NSB_LO_IP6})	echo "ns-B loopback IPv6";;
286	${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;
287
288	${VRF_IP})	echo "VRF IP";;
289	${VRF_IP6})	echo "VRF IPv6";;
290
291	${MCAST}%*)	echo "multicast IP";;
292
293	*) echo "unknown";;
294	esac
295}
296
297get_linklocal()
298{
299	local ns=$1
300	local dev=$2
301	local addr
302
303	addr=$(ip -netns ${ns} -6 -br addr show dev ${dev} | \
304	awk '{
305		for (i = 3; i <= NF; ++i) {
306			if ($i ~ /^fe80/)
307				print $i
308		}
309	}'
310	)
311	addr=${addr/\/*}
312
313	[ -z "$addr" ] && return 1
314
315	echo $addr
316
317	return 0
318}
319
320################################################################################
321# create namespaces and vrf
322
323create_vrf()
324{
325	local ns=$1
326	local vrf=$2
327	local table=$3
328	local addr=$4
329	local addr6=$5
330
331	ip -netns ${ns} link add ${vrf} type vrf table ${table}
332	ip -netns ${ns} link set ${vrf} up
333	ip -netns ${ns} route add vrf ${vrf} unreachable default metric 8192
334	ip -netns ${ns} -6 route add vrf ${vrf} unreachable default metric 8192
335
336	ip -netns ${ns} addr add 127.0.0.1/8 dev ${vrf}
337	ip -netns ${ns} -6 addr add ::1 dev ${vrf} nodad
338	if [ "${addr}" != "-" ]; then
339		ip -netns ${ns} addr add dev ${vrf} ${addr}
340	fi
341	if [ "${addr6}" != "-" ]; then
342		ip -netns ${ns} -6 addr add dev ${vrf} ${addr6}
343	fi
344
345	ip -netns ${ns} ru del pref 0
346	ip -netns ${ns} ru add pref 32765 from all lookup local
347	ip -netns ${ns} -6 ru del pref 0
348	ip -netns ${ns} -6 ru add pref 32765 from all lookup local
349}
350
351create_ns()
352{
353	local ns=$1
354	local addr=$2
355	local addr6=$3
356
357	ip netns add ${ns}
358
359	ip -netns ${ns} link set lo up
360	if [ "${addr}" != "-" ]; then
361		ip -netns ${ns} addr add dev lo ${addr}
362	fi
363	if [ "${addr6}" != "-" ]; then
364		ip -netns ${ns} -6 addr add dev lo ${addr6}
365	fi
366
367	ip -netns ${ns} ro add unreachable default metric 8192
368	ip -netns ${ns} -6 ro add unreachable default metric 8192
369
370	ip netns exec ${ns} sysctl -qw net.ipv4.ip_forward=1
371	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
372	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.forwarding=1
373	ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.forwarding=1
374}
375
376# create veth pair to connect namespaces and apply addresses.
377connect_ns()
378{
379	local ns1=$1
380	local ns1_dev=$2
381	local ns1_addr=$3
382	local ns1_addr6=$4
383	local ns2=$5
384	local ns2_dev=$6
385	local ns2_addr=$7
386	local ns2_addr6=$8
387
388	ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp
389	ip -netns ${ns1} li set ${ns1_dev} up
390	ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev}
391	ip -netns ${ns2} li set ${ns2_dev} up
392
393	if [ "${ns1_addr}" != "-" ]; then
394		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr}
395		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr}
396	fi
397
398	if [ "${ns1_addr6}" != "-" ]; then
399		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6}
400		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6}
401	fi
402}
403
404cleanup()
405{
406	# explicit cleanups to check those code paths
407	ip netns | grep -q ${NSA}
408	if [ $? -eq 0 ]; then
409		ip -netns ${NSA} link delete ${VRF}
410		ip -netns ${NSA} ro flush table ${VRF_TABLE}
411
412		ip -netns ${NSA} addr flush dev ${NSA_DEV}
413		ip -netns ${NSA} -6 addr flush dev ${NSA_DEV}
414		ip -netns ${NSA} link set dev ${NSA_DEV} down
415		ip -netns ${NSA} link del dev ${NSA_DEV}
416
417		ip netns del ${NSA}
418	fi
419
420	ip netns del ${NSB}
421	ip netns del ${NSC} >/dev/null 2>&1
422}
423
424setup()
425{
426	local with_vrf=${1}
427
428	# make sure we are starting with a clean slate
429	kill_procs
430	cleanup 2>/dev/null
431
432	log_debug "Configuring network namespaces"
433	set -e
434
435	create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128
436	create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128
437	connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \
438		   ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
439
440	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
441	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
442
443	# tell ns-A how to get to remote addresses of ns-B
444	if [ "${with_vrf}" = "yes" ]; then
445		create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6}
446
447		ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
448		ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
449		ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
450
451		ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
452		ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
453
454		# some VRF tests use ns-C which has the same config as
455		# ns-B but for a device NOT in the VRF
456		create_ns ${NSC} "-" "-"
457		connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \
458			   ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
459	else
460		ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
461		ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
462	fi
463
464
465	# tell ns-B how to get to remote addresses of ns-A
466	ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
467	ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
468
469	set +e
470
471	sleep 1
472}
473
474################################################################################
475# IPv4
476
477ipv4_ping_novrf()
478{
479	local a
480
481	#
482	# out
483	#
484	for a in ${NSB_IP} ${NSB_LO_IP}
485	do
486		log_start
487		run_cmd ping -c1 -w1 ${a}
488		log_test_addr ${a} $? 0 "ping out"
489
490		log_start
491		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
492		log_test_addr ${a} $? 0 "ping out, device bind"
493
494		log_start
495		run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a}
496		log_test_addr ${a} $? 0 "ping out, address bind"
497	done
498
499	#
500	# in
501	#
502	for a in ${NSA_IP} ${NSA_LO_IP}
503	do
504		log_start
505		run_cmd_nsb ping -c1 -w1 ${a}
506		log_test_addr ${a} $? 0 "ping in"
507	done
508
509	#
510	# local traffic
511	#
512	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
513	do
514		log_start
515		run_cmd ping -c1 -w1 ${a}
516		log_test_addr ${a} $? 0 "ping local"
517	done
518
519	#
520	# local traffic, socket bound to device
521	#
522	# address on device
523	a=${NSA_IP}
524	log_start
525	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
526	log_test_addr ${a} $? 0 "ping local, device bind"
527
528	# loopback addresses not reachable from device bind
529	# fails in a really weird way though because ipv4 special cases
530	# route lookups with oif set.
531	for a in ${NSA_LO_IP} 127.0.0.1
532	do
533		log_start
534		show_hint "Fails since address on loopback device is out of device scope"
535		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
536		log_test_addr ${a} $? 1 "ping local, device bind"
537	done
538
539	#
540	# ip rule blocks reachability to remote address
541	#
542	log_start
543	setup_cmd ip rule add pref 32765 from all lookup local
544	setup_cmd ip rule del pref 0 from all lookup local
545	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
546	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit
547
548	a=${NSB_LO_IP}
549	run_cmd ping -c1 -w1 ${a}
550	log_test_addr ${a} $? 2 "ping out, blocked by rule"
551
552	# NOTE: ipv4 actually allows the lookup to fail and yet still create
553	# a viable rtable if the oif (e.g., bind to device) is set, so this
554	# case succeeds despite the rule
555	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
556
557	a=${NSA_LO_IP}
558	log_start
559	show_hint "Response generates ICMP (or arp request is ignored) due to ip rule"
560	run_cmd_nsb ping -c1 -w1 ${a}
561	log_test_addr ${a} $? 1 "ping in, blocked by rule"
562
563	[ "$VERBOSE" = "1" ] && echo
564	setup_cmd ip rule del pref 32765 from all lookup local
565	setup_cmd ip rule add pref 0 from all lookup local
566	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
567	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit
568
569	#
570	# route blocks reachability to remote address
571	#
572	log_start
573	setup_cmd ip route replace unreachable ${NSB_LO_IP}
574	setup_cmd ip route replace unreachable ${NSB_IP}
575
576	a=${NSB_LO_IP}
577	run_cmd ping -c1 -w1 ${a}
578	log_test_addr ${a} $? 2 "ping out, blocked by route"
579
580	# NOTE: ipv4 actually allows the lookup to fail and yet still create
581	# a viable rtable if the oif (e.g., bind to device) is set, so this
582	# case succeeds despite not having a route for the address
583	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
584
585	a=${NSA_LO_IP}
586	log_start
587	show_hint "Response is dropped (or arp request is ignored) due to ip route"
588	run_cmd_nsb ping -c1 -w1 ${a}
589	log_test_addr ${a} $? 1 "ping in, blocked by route"
590
591	#
592	# remove 'remote' routes; fallback to default
593	#
594	log_start
595	setup_cmd ip ro del ${NSB_LO_IP}
596
597	a=${NSB_LO_IP}
598	run_cmd ping -c1 -w1 ${a}
599	log_test_addr ${a} $? 2 "ping out, unreachable default route"
600
601	# NOTE: ipv4 actually allows the lookup to fail and yet still create
602	# a viable rtable if the oif (e.g., bind to device) is set, so this
603	# case succeeds despite not having a route for the address
604	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
605}
606
607ipv4_ping_vrf()
608{
609	local a
610
611	# should default on; does not exist on older kernels
612	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
613
614	#
615	# out
616	#
617	for a in ${NSB_IP} ${NSB_LO_IP}
618	do
619		log_start
620		run_cmd ping -c1 -w1 -I ${VRF} ${a}
621		log_test_addr ${a} $? 0 "ping out, VRF bind"
622
623		log_start
624		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
625		log_test_addr ${a} $? 0 "ping out, device bind"
626
627		log_start
628		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a}
629		log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind"
630
631		log_start
632		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a}
633		log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind"
634	done
635
636	#
637	# in
638	#
639	for a in ${NSA_IP} ${VRF_IP}
640	do
641		log_start
642		run_cmd_nsb ping -c1 -w1 ${a}
643		log_test_addr ${a} $? 0 "ping in"
644	done
645
646	#
647	# local traffic, local address
648	#
649	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
650	do
651		log_start
652		show_hint "Source address should be ${a}"
653		run_cmd ping -c1 -w1 -I ${VRF} ${a}
654		log_test_addr ${a} $? 0 "ping local, VRF bind"
655	done
656
657	#
658	# local traffic, socket bound to device
659	#
660	# address on device
661	a=${NSA_IP}
662	log_start
663	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
664	log_test_addr ${a} $? 0 "ping local, device bind"
665
666	# vrf device is out of scope
667	for a in ${VRF_IP} 127.0.0.1
668	do
669		log_start
670		show_hint "Fails since address on vrf device is out of device scope"
671		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
672		log_test_addr ${a} $? 1 "ping local, device bind"
673	done
674
675	#
676	# ip rule blocks address
677	#
678	log_start
679	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
680	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit
681
682	a=${NSB_LO_IP}
683	run_cmd ping -c1 -w1 -I ${VRF} ${a}
684	log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule"
685
686	log_start
687	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
688	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
689
690	a=${NSA_LO_IP}
691	log_start
692	show_hint "Response lost due to ip rule"
693	run_cmd_nsb ping -c1 -w1 ${a}
694	log_test_addr ${a} $? 1 "ping in, blocked by rule"
695
696	[ "$VERBOSE" = "1" ] && echo
697	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
698	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit
699
700	#
701	# remove 'remote' routes; fallback to default
702	#
703	log_start
704	setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP}
705
706	a=${NSB_LO_IP}
707	run_cmd ping -c1 -w1 -I ${VRF} ${a}
708	log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route"
709
710	log_start
711	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
712	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
713
714	a=${NSA_LO_IP}
715	log_start
716	show_hint "Response lost by unreachable route"
717	run_cmd_nsb ping -c1 -w1 ${a}
718	log_test_addr ${a} $? 1 "ping in, unreachable route"
719}
720
721ipv4_ping()
722{
723	log_section "IPv4 ping"
724
725	log_subsection "No VRF"
726	setup
727	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null
728	ipv4_ping_novrf
729	setup
730	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
731	ipv4_ping_novrf
732
733	log_subsection "With VRF"
734	setup "yes"
735	ipv4_ping_vrf
736}
737
738################################################################################
739# IPv4 TCP
740
741#
742# MD5 tests without VRF
743#
744ipv4_tcp_md5_novrf()
745{
746	#
747	# single address
748	#
749
750	# basic use case
751	log_start
752	run_cmd nettest -s -M ${MD5_PW} -r ${NSB_IP} &
753	sleep 1
754	run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW}
755	log_test $? 0 "MD5: Single address config"
756
757	# client sends MD5, server not configured
758	log_start
759	show_hint "Should timeout due to MD5 mismatch"
760	run_cmd nettest -s &
761	sleep 1
762	run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW}
763	log_test $? 2 "MD5: Server no config, client uses password"
764
765	# wrong password
766	log_start
767	show_hint "Should timeout since client uses wrong password"
768	run_cmd nettest -s -M ${MD5_PW} -r ${NSB_IP} &
769	sleep 1
770	run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW}
771	log_test $? 2 "MD5: Client uses wrong password"
772
773	# client from different address
774	log_start
775	show_hint "Should timeout due to MD5 mismatch"
776	run_cmd nettest -s -M ${MD5_PW} -r ${NSB_LO_IP} &
777	sleep 1
778	run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW}
779	log_test $? 2 "MD5: Client address does not match address configured with password"
780
781	#
782	# MD5 extension - prefix length
783	#
784
785	# client in prefix
786	log_start
787	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
788	sleep 1
789	run_cmd_nsb nettest  -r ${NSA_IP} -M ${MD5_PW}
790	log_test $? 0 "MD5: Prefix config"
791
792	# client in prefix, wrong password
793	log_start
794	show_hint "Should timeout since client uses wrong password"
795	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
796	sleep 1
797	run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW}
798	log_test $? 2 "MD5: Prefix config, client uses wrong password"
799
800	# client outside of prefix
801	log_start
802	show_hint "Should timeout due to MD5 mismatch"
803	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
804	sleep 1
805	run_cmd_nsb nettest -l ${NSB_LO_IP} -r ${NSA_IP} -M ${MD5_PW}
806	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
807}
808
809#
810# MD5 tests with VRF
811#
812ipv4_tcp_md5()
813{
814	#
815	# single address
816	#
817
818	# basic use case
819	log_start
820	run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} &
821	sleep 1
822	run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW}
823	log_test $? 0 "MD5: VRF: Single address config"
824
825	# client sends MD5, server not configured
826	log_start
827	show_hint "Should timeout since server does not have MD5 auth"
828	run_cmd nettest -s -d ${VRF} &
829	sleep 1
830	run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW}
831	log_test $? 2 "MD5: VRF: Server no config, client uses password"
832
833	# wrong password
834	log_start
835	show_hint "Should timeout since client uses wrong password"
836	run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} &
837	sleep 1
838	run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW}
839	log_test $? 2 "MD5: VRF: Client uses wrong password"
840
841	# client from different address
842	log_start
843	show_hint "Should timeout since server config differs from client"
844	run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_LO_IP} &
845	sleep 1
846	run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW}
847	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"
848
849	#
850	# MD5 extension - prefix length
851	#
852
853	# client in prefix
854	log_start
855	run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} &
856	sleep 1
857	run_cmd_nsb nettest  -r ${NSA_IP} -M ${MD5_PW}
858	log_test $? 0 "MD5: VRF: Prefix config"
859
860	# client in prefix, wrong password
861	log_start
862	show_hint "Should timeout since client uses wrong password"
863	run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} &
864	sleep 1
865	run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW}
866	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"
867
868	# client outside of prefix
869	log_start
870	show_hint "Should timeout since client address is outside of prefix"
871	run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} &
872	sleep 1
873	run_cmd_nsb nettest -l ${NSB_LO_IP} -r ${NSA_IP} -M ${MD5_PW}
874	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"
875
876	#
877	# duplicate config between default VRF and a VRF
878	#
879
880	log_start
881	run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} &
882	run_cmd nettest -s -M ${MD5_WRONG_PW} -r ${NSB_IP} &
883	sleep 1
884	run_cmd_nsb nettest  -r ${NSA_IP} -M ${MD5_PW}
885	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"
886
887	log_start
888	run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} &
889	run_cmd nettest -s -M ${MD5_WRONG_PW} -r ${NSB_IP} &
890	sleep 1
891	run_cmd_nsc nettest  -r ${NSA_IP} -M ${MD5_WRONG_PW}
892	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"
893
894	log_start
895	show_hint "Should timeout since client in default VRF uses VRF password"
896	run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} &
897	run_cmd nettest -s -M ${MD5_WRONG_PW} -r ${NSB_IP} &
898	sleep 1
899	run_cmd_nsc nettest -r ${NSA_IP} -M ${MD5_PW}
900	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"
901
902	log_start
903	show_hint "Should timeout since client in VRF uses default VRF password"
904	run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} &
905	run_cmd nettest -s -M ${MD5_WRONG_PW} -r ${NSB_IP} &
906	sleep 1
907	run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW}
908	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"
909
910	log_start
911	run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} &
912	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
913	sleep 1
914	run_cmd_nsb nettest  -r ${NSA_IP} -M ${MD5_PW}
915	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"
916
917	log_start
918	run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} &
919	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
920	sleep 1
921	run_cmd_nsc nettest  -r ${NSA_IP} -M ${MD5_WRONG_PW}
922	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"
923
924	log_start
925	show_hint "Should timeout since client in default VRF uses VRF password"
926	run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} &
927	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
928	sleep 1
929	run_cmd_nsc nettest -r ${NSA_IP} -M ${MD5_PW}
930	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"
931
932	log_start
933	show_hint "Should timeout since client in VRF uses default VRF password"
934	run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} &
935	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
936	sleep 1
937	run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW}
938	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"
939
940	#
941	# negative tests
942	#
943	log_start
944	run_cmd nettest -s -d ${NSA_DEV} -M ${MD5_PW} -r ${NSB_IP}
945	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"
946
947	log_start
948	run_cmd nettest -s -d ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET}
949	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"
950
951}
952
953ipv4_tcp_novrf()
954{
955	local a
956
957	#
958	# server tests
959	#
960	for a in ${NSA_IP} ${NSA_LO_IP}
961	do
962		log_start
963		run_cmd nettest -s &
964		sleep 1
965		run_cmd_nsb nettest -r ${a}
966		log_test_addr ${a} $? 0 "Global server"
967	done
968
969	a=${NSA_IP}
970	log_start
971	run_cmd nettest -s -d ${NSA_DEV} &
972	sleep 1
973	run_cmd_nsb nettest -r ${a}
974	log_test_addr ${a} $? 0 "Device server"
975
976	# verify TCP reset sent and received
977	for a in ${NSA_IP} ${NSA_LO_IP}
978	do
979		log_start
980		show_hint "Should fail 'Connection refused' since there is no server"
981		run_cmd_nsb nettest -r ${a}
982		log_test_addr ${a} $? 1 "No server"
983	done
984
985	#
986	# client
987	#
988	for a in ${NSB_IP} ${NSB_LO_IP}
989	do
990		log_start
991		run_cmd_nsb nettest -s &
992		sleep 1
993		run_cmd nettest -r ${a} -0 ${NSA_IP}
994		log_test_addr ${a} $? 0 "Client"
995
996		log_start
997		run_cmd_nsb nettest -s &
998		sleep 1
999		run_cmd nettest -r ${a} -d ${NSA_DEV}
1000		log_test_addr ${a} $? 0 "Client, device bind"
1001
1002		log_start
1003		show_hint "Should fail 'Connection refused'"
1004		run_cmd nettest -r ${a}
1005		log_test_addr ${a} $? 1 "No server, unbound client"
1006
1007		log_start
1008		show_hint "Should fail 'Connection refused'"
1009		run_cmd nettest -r ${a} -d ${NSA_DEV}
1010		log_test_addr ${a} $? 1 "No server, device client"
1011	done
1012
1013	#
1014	# local address tests
1015	#
1016	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
1017	do
1018		log_start
1019		run_cmd nettest -s &
1020		sleep 1
1021		run_cmd nettest -r ${a} -0 ${a} -1 ${a}
1022		log_test_addr ${a} $? 0 "Global server, local connection"
1023	done
1024
1025	a=${NSA_IP}
1026	log_start
1027	run_cmd nettest -s -d ${NSA_DEV} &
1028	sleep 1
1029	run_cmd nettest -r ${a} -0 ${a}
1030	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
1031
1032	for a in ${NSA_LO_IP} 127.0.0.1
1033	do
1034		log_start
1035		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
1036		run_cmd nettest -s -d ${NSA_DEV} &
1037		sleep 1
1038		run_cmd nettest -r ${a}
1039		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
1040	done
1041
1042	a=${NSA_IP}
1043	log_start
1044	run_cmd nettest -s &
1045	sleep 1
1046	run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV}
1047	log_test_addr ${a} $? 0 "Global server, device client, local connection"
1048
1049	for a in ${NSA_LO_IP} 127.0.0.1
1050	do
1051		log_start
1052		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
1053		run_cmd nettest -s &
1054		sleep 1
1055		run_cmd nettest -r ${a} -d ${NSA_DEV}
1056		log_test_addr ${a} $? 1 "Global server, device client, local connection"
1057	done
1058
1059	a=${NSA_IP}
1060	log_start
1061	run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} &
1062	sleep 1
1063	run_cmd nettest  -d ${NSA_DEV} -r ${a} -0 ${a}
1064	log_test_addr ${a} $? 0 "Device server, device client, local connection"
1065
1066	log_start
1067	show_hint "Should fail 'Connection refused'"
1068	run_cmd nettest -d ${NSA_DEV} -r ${a}
1069	log_test_addr ${a} $? 1 "No server, device client, local conn"
1070
1071	ipv4_tcp_md5_novrf
1072}
1073
1074ipv4_tcp_vrf()
1075{
1076	local a
1077
1078	# disable global server
1079	log_subsection "Global server disabled"
1080
1081	set_sysctl net.ipv4.tcp_l3mdev_accept=0
1082
1083	#
1084	# server tests
1085	#
1086	for a in ${NSA_IP} ${VRF_IP}
1087	do
1088		log_start
1089		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
1090		run_cmd nettest -s &
1091		sleep 1
1092		run_cmd_nsb nettest -r ${a}
1093		log_test_addr ${a} $? 1 "Global server"
1094
1095		log_start
1096		run_cmd nettest -s -d ${VRF} -2 ${VRF} &
1097		sleep 1
1098		run_cmd_nsb nettest -r ${a}
1099		log_test_addr ${a} $? 0 "VRF server"
1100
1101		log_start
1102		run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} &
1103		sleep 1
1104		run_cmd_nsb nettest -r ${a}
1105		log_test_addr ${a} $? 0 "Device server"
1106
1107		# verify TCP reset received
1108		log_start
1109		show_hint "Should fail 'Connection refused' since there is no server"
1110		run_cmd_nsb nettest -r ${a}
1111		log_test_addr ${a} $? 1 "No server"
1112	done
1113
1114	# local address tests
1115	# (${VRF_IP} and 127.0.0.1 both timeout)
1116	a=${NSA_IP}
1117	log_start
1118	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
1119	run_cmd nettest -s &
1120	sleep 1
1121	run_cmd nettest -r ${a} -d ${NSA_DEV}
1122	log_test_addr ${a} $? 1 "Global server, local connection"
1123
1124	# run MD5 tests
1125	ipv4_tcp_md5
1126
1127	#
1128	# enable VRF global server
1129	#
1130	log_subsection "VRF Global server enabled"
1131	set_sysctl net.ipv4.tcp_l3mdev_accept=1
1132
1133	for a in ${NSA_IP} ${VRF_IP}
1134	do
1135		log_start
1136		show_hint "client socket should be bound to VRF"
1137		run_cmd nettest -s -2 ${VRF} &
1138		sleep 1
1139		run_cmd_nsb nettest -r ${a}
1140		log_test_addr ${a} $? 0 "Global server"
1141
1142		log_start
1143		show_hint "client socket should be bound to VRF"
1144		run_cmd nettest -s -d ${VRF} -2 ${VRF} &
1145		sleep 1
1146		run_cmd_nsb nettest -r ${a}
1147		log_test_addr ${a} $? 0 "VRF server"
1148
1149		# verify TCP reset received
1150		log_start
1151		show_hint "Should fail 'Connection refused'"
1152		run_cmd_nsb nettest -r ${a}
1153		log_test_addr ${a} $? 1 "No server"
1154	done
1155
1156	a=${NSA_IP}
1157	log_start
1158	show_hint "client socket should be bound to device"
1159	run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} &
1160	sleep 1
1161	run_cmd_nsb nettest -r ${a}
1162	log_test_addr ${a} $? 0 "Device server"
1163
1164	# local address tests
1165	for a in ${NSA_IP} ${VRF_IP}
1166	do
1167		log_start
1168		show_hint "Should fail 'Connection refused' since client is not bound to VRF"
1169		run_cmd nettest -s -d ${VRF} &
1170		sleep 1
1171		run_cmd nettest -r ${a}
1172		log_test_addr ${a} $? 1 "Global server, local connection"
1173	done
1174
1175	#
1176	# client
1177	#
1178	for a in ${NSB_IP} ${NSB_LO_IP}
1179	do
1180		log_start
1181		run_cmd_nsb nettest -s &
1182		sleep 1
1183		run_cmd nettest -r ${a} -d ${VRF}
1184		log_test_addr ${a} $? 0 "Client, VRF bind"
1185
1186		log_start
1187		run_cmd_nsb nettest -s &
1188		sleep 1
1189		run_cmd nettest -r ${a} -d ${NSA_DEV}
1190		log_test_addr ${a} $? 0 "Client, device bind"
1191
1192		log_start
1193		show_hint "Should fail 'Connection refused'"
1194		run_cmd nettest -r ${a} -d ${VRF}
1195		log_test_addr ${a} $? 1 "No server, VRF client"
1196
1197		log_start
1198		show_hint "Should fail 'Connection refused'"
1199		run_cmd nettest -r ${a} -d ${NSA_DEV}
1200		log_test_addr ${a} $? 1 "No server, device client"
1201	done
1202
1203	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
1204	do
1205		log_start
1206		run_cmd nettest -s -d ${VRF} -2 ${VRF} &
1207		sleep 1
1208		run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
1209		log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
1210	done
1211
1212	a=${NSA_IP}
1213	log_start
1214	run_cmd nettest -s -d ${VRF} -2 ${VRF} &
1215	sleep 1
1216	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
1217	log_test_addr ${a} $? 0 "VRF server, device client, local connection"
1218
1219	log_start
1220	show_hint "Should fail 'No route to host' since client is out of VRF scope"
1221	run_cmd nettest -s -d ${VRF} &
1222	sleep 1
1223	run_cmd nettest -r ${a}
1224	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"
1225
1226	log_start
1227	run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} &
1228	sleep 1
1229	run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
1230	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"
1231
1232	log_start
1233	run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} &
1234	sleep 1
1235	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
1236	log_test_addr ${a} $? 0 "Device server, device client, local connection"
1237}
1238
1239ipv4_tcp()
1240{
1241	log_section "IPv4/TCP"
1242	log_subsection "No VRF"
1243	setup
1244
1245	# tcp_l3mdev_accept should have no affect without VRF;
1246	# run tests with it enabled and disabled to verify
1247	log_subsection "tcp_l3mdev_accept disabled"
1248	set_sysctl net.ipv4.tcp_l3mdev_accept=0
1249	ipv4_tcp_novrf
1250	log_subsection "tcp_l3mdev_accept enabled"
1251	set_sysctl net.ipv4.tcp_l3mdev_accept=1
1252	ipv4_tcp_novrf
1253
1254	log_subsection "With VRF"
1255	setup "yes"
1256	ipv4_tcp_vrf
1257}
1258
1259################################################################################
1260# IPv4 UDP
1261
1262ipv4_udp_novrf()
1263{
1264	local a
1265
1266	#
1267	# server tests
1268	#
1269	for a in ${NSA_IP} ${NSA_LO_IP}
1270	do
1271		log_start
1272		run_cmd nettest -D -s -2 ${NSA_DEV} &
1273		sleep 1
1274		run_cmd_nsb nettest -D -r ${a}
1275		log_test_addr ${a} $? 0 "Global server"
1276
1277		log_start
1278		show_hint "Should fail 'Connection refused' since there is no server"
1279		run_cmd_nsb nettest -D -r ${a}
1280		log_test_addr ${a} $? 1 "No server"
1281	done
1282
1283	a=${NSA_IP}
1284	log_start
1285	run_cmd nettest -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
1286	sleep 1
1287	run_cmd_nsb nettest -D -r ${a}
1288	log_test_addr ${a} $? 0 "Device server"
1289
1290	#
1291	# client
1292	#
1293	for a in ${NSB_IP} ${NSB_LO_IP}
1294	do
1295		log_start
1296		run_cmd_nsb nettest -D -s &
1297		sleep 1
1298		run_cmd nettest -D -r ${a} -0 ${NSA_IP}
1299		log_test_addr ${a} $? 0 "Client"
1300
1301		log_start
1302		run_cmd_nsb nettest -D -s &
1303		sleep 1
1304		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP}
1305		log_test_addr ${a} $? 0 "Client, device bind"
1306
1307		log_start
1308		run_cmd_nsb nettest -D -s &
1309		sleep 1
1310		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP}
1311		log_test_addr ${a} $? 0 "Client, device send via cmsg"
1312
1313		log_start
1314		run_cmd_nsb nettest -D -s &
1315		sleep 1
1316		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP}
1317		log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF"
1318
1319		log_start
1320		show_hint "Should fail 'Connection refused'"
1321		run_cmd nettest -D -r ${a}
1322		log_test_addr ${a} $? 1 "No server, unbound client"
1323
1324		log_start
1325		show_hint "Should fail 'Connection refused'"
1326		run_cmd nettest -D -r ${a} -d ${NSA_DEV}
1327		log_test_addr ${a} $? 1 "No server, device client"
1328	done
1329
1330	#
1331	# local address tests
1332	#
1333	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
1334	do
1335		log_start
1336		run_cmd nettest -D -s &
1337		sleep 1
1338		run_cmd nettest -D -r ${a} -0 ${a} -1 ${a}
1339		log_test_addr ${a} $? 0 "Global server, local connection"
1340	done
1341
1342	a=${NSA_IP}
1343	log_start
1344	run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} &
1345	sleep 1
1346	run_cmd nettest -D -r ${a}
1347	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
1348
1349	for a in ${NSA_LO_IP} 127.0.0.1
1350	do
1351		log_start
1352		show_hint "Should fail 'Connection refused' since address is out of device scope"
1353		run_cmd nettest -s -D -d ${NSA_DEV} &
1354		sleep 1
1355		run_cmd nettest -D -r ${a}
1356		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
1357	done
1358
1359	a=${NSA_IP}
1360	log_start
1361	run_cmd nettest -s -D &
1362	sleep 1
1363	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1364	log_test_addr ${a} $? 0 "Global server, device client, local connection"
1365
1366	log_start
1367	run_cmd nettest -s -D &
1368	sleep 1
1369	run_cmd nettest -D -d ${NSA_DEV} -C -r ${a}
1370	log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"
1371
1372	log_start
1373	run_cmd nettest -s -D &
1374	sleep 1
1375	run_cmd nettest -D -d ${NSA_DEV} -S -r ${a}
1376	log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection"
1377
1378	# IPv4 with device bind has really weird behavior - it overrides the
1379	# fib lookup, generates an rtable and tries to send the packet. This
1380	# causes failures for local traffic at different places
1381	for a in ${NSA_LO_IP} 127.0.0.1
1382	do
1383		log_start
1384		show_hint "Should fail since addresses on loopback are out of device scope"
1385		run_cmd nettest -D -s &
1386		sleep 1
1387		run_cmd nettest -D -r ${a} -d ${NSA_DEV}
1388		log_test_addr ${a} $? 2 "Global server, device client, local connection"
1389
1390		log_start
1391		show_hint "Should fail since addresses on loopback are out of device scope"
1392		run_cmd nettest -D -s &
1393		sleep 1
1394		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C
1395		log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"
1396
1397		log_start
1398		show_hint "Should fail since addresses on loopback are out of device scope"
1399		run_cmd nettest -D -s &
1400		sleep 1
1401		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S
1402		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
1403	done
1404
1405	a=${NSA_IP}
1406	log_start
1407	run_cmd nettest -D -s -d ${NSA_DEV} -2 ${NSA_DEV} &
1408	sleep 1
1409	run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a}
1410	log_test_addr ${a} $? 0 "Device server, device client, local conn"
1411
1412	log_start
1413	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1414	log_test_addr ${a} $? 2 "No server, device client, local conn"
1415}
1416
1417ipv4_udp_vrf()
1418{
1419	local a
1420
1421	# disable global server
1422	log_subsection "Global server disabled"
1423	set_sysctl net.ipv4.udp_l3mdev_accept=0
1424
1425	#
1426	# server tests
1427	#
1428	for a in ${NSA_IP} ${VRF_IP}
1429	do
1430		log_start
1431		show_hint "Fails because ingress is in a VRF and global server is disabled"
1432		run_cmd nettest -D -s &
1433		sleep 1
1434		run_cmd_nsb nettest -D -r ${a}
1435		log_test_addr ${a} $? 1 "Global server"
1436
1437		log_start
1438		run_cmd nettest -D -d ${VRF} -s -2 ${NSA_DEV} &
1439		sleep 1
1440		run_cmd_nsb nettest -D -r ${a}
1441		log_test_addr ${a} $? 0 "VRF server"
1442
1443		log_start
1444		run_cmd nettest -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
1445		sleep 1
1446		run_cmd_nsb nettest -D -r ${a}
1447		log_test_addr ${a} $? 0 "Enslaved device server"
1448
1449		log_start
1450		show_hint "Should fail 'Connection refused' since there is no server"
1451		run_cmd_nsb nettest -D -r ${a}
1452		log_test_addr ${a} $? 1 "No server"
1453
1454		log_start
1455		show_hint "Should fail 'Connection refused' since global server is out of scope"
1456		run_cmd nettest -D -s &
1457		sleep 1
1458		run_cmd nettest -D -d ${VRF} -r ${a}
1459		log_test_addr ${a} $? 1 "Global server, VRF client, local connection"
1460	done
1461
1462	a=${NSA_IP}
1463	log_start
1464	run_cmd nettest -s -D -d ${VRF} -2 ${NSA_DEV} &
1465	sleep 1
1466	run_cmd nettest -D -d ${VRF} -r ${a}
1467	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1468
1469	log_start
1470	run_cmd nettest -s -D -d ${VRF} -2 ${NSA_DEV} &
1471	sleep 1
1472	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1473	log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection"
1474
1475	a=${NSA_IP}
1476	log_start
1477	run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} &
1478	sleep 1
1479	run_cmd nettest -D -d ${VRF} -r ${a}
1480	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
1481
1482	log_start
1483	run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} &
1484	sleep 1
1485	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1486	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
1487
1488	# enable global server
1489	log_subsection "Global server enabled"
1490	set_sysctl net.ipv4.udp_l3mdev_accept=1
1491
1492	#
1493	# server tests
1494	#
1495	for a in ${NSA_IP} ${VRF_IP}
1496	do
1497		log_start
1498		run_cmd nettest -D -s -2 ${NSA_DEV} &
1499		sleep 1
1500		run_cmd_nsb nettest -D -r ${a}
1501		log_test_addr ${a} $? 0 "Global server"
1502
1503		log_start
1504		run_cmd nettest -D -d ${VRF} -s -2 ${NSA_DEV} &
1505		sleep 1
1506		run_cmd_nsb nettest -D -r ${a}
1507		log_test_addr ${a} $? 0 "VRF server"
1508
1509		log_start
1510		run_cmd nettest -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
1511		sleep 1
1512		run_cmd_nsb nettest -D -r ${a}
1513		log_test_addr ${a} $? 0 "Enslaved device server"
1514
1515		log_start
1516		show_hint "Should fail 'Connection refused'"
1517		run_cmd_nsb nettest -D -r ${a}
1518		log_test_addr ${a} $? 1 "No server"
1519	done
1520
1521	#
1522	# client tests
1523	#
1524	log_start
1525	run_cmd_nsb nettest -D -s &
1526	sleep 1
1527	run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP}
1528	log_test $? 0 "VRF client"
1529
1530	log_start
1531	run_cmd_nsb nettest -D -s &
1532	sleep 1
1533	run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP}
1534	log_test $? 0 "Enslaved device client"
1535
1536	# negative test - should fail
1537	log_start
1538	show_hint "Should fail 'Connection refused'"
1539	run_cmd nettest -D -d ${VRF} -r ${NSB_IP}
1540	log_test $? 1 "No server, VRF client"
1541
1542	log_start
1543	show_hint "Should fail 'Connection refused'"
1544	run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP}
1545	log_test $? 1 "No server, enslaved device client"
1546
1547	#
1548	# local address tests
1549	#
1550	a=${NSA_IP}
1551	log_start
1552	run_cmd nettest -D -s -2 ${NSA_DEV} &
1553	sleep 1
1554	run_cmd nettest -D -d ${VRF} -r ${a}
1555	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
1556
1557	log_start
1558	run_cmd nettest -s -D -d ${VRF} -2 ${NSA_DEV} &
1559	sleep 1
1560	run_cmd nettest -D -d ${VRF} -r ${a}
1561	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1562
1563	log_start
1564	run_cmd nettest -s -D -d ${VRF} -2 ${NSA_DEV} &
1565	sleep 1
1566	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1567	log_test_addr ${a} $? 0 "VRF server, device client, local conn"
1568
1569	log_start
1570	run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} &
1571	sleep 1
1572	run_cmd nettest -D -d ${VRF} -r ${a}
1573	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
1574
1575	log_start
1576	run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} &
1577	sleep 1
1578	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1579	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
1580
1581	for a in ${VRF_IP} 127.0.0.1
1582	do
1583		log_start
1584		run_cmd nettest -D -s -2 ${VRF} &
1585		sleep 1
1586		run_cmd nettest -D -d ${VRF} -r ${a}
1587		log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
1588	done
1589
1590	for a in ${VRF_IP} 127.0.0.1
1591	do
1592		log_start
1593		run_cmd nettest -s -D -d ${VRF} -2 ${VRF} &
1594		sleep 1
1595		run_cmd nettest -D -d ${VRF} -r ${a}
1596		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1597	done
1598
1599	# negative test - should fail
1600	# verifies ECONNREFUSED
1601	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
1602	do
1603		log_start
1604		show_hint "Should fail 'Connection refused'"
1605		run_cmd nettest -D -d ${VRF} -r ${a}
1606		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
1607	done
1608}
1609
1610ipv4_udp()
1611{
1612	log_section "IPv4/UDP"
1613	log_subsection "No VRF"
1614
1615	setup
1616
1617	# udp_l3mdev_accept should have no affect without VRF;
1618	# run tests with it enabled and disabled to verify
1619	log_subsection "udp_l3mdev_accept disabled"
1620	set_sysctl net.ipv4.udp_l3mdev_accept=0
1621	ipv4_udp_novrf
1622	log_subsection "udp_l3mdev_accept enabled"
1623	set_sysctl net.ipv4.udp_l3mdev_accept=1
1624	ipv4_udp_novrf
1625
1626	log_subsection "With VRF"
1627	setup "yes"
1628	ipv4_udp_vrf
1629}
1630
1631################################################################################
1632# IPv4 address bind
1633#
1634# verifies ability or inability to bind to an address / device
1635
1636ipv4_addr_bind_novrf()
1637{
1638	#
1639	# raw socket
1640	#
1641	for a in ${NSA_IP} ${NSA_LO_IP}
1642	do
1643		log_start
1644		run_cmd nettest -s -R -P icmp -l ${a} -b
1645		log_test_addr ${a} $? 0 "Raw socket bind to local address"
1646
1647		log_start
1648		run_cmd nettest -s -R -P icmp -l ${a} -d ${NSA_DEV} -b
1649		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
1650	done
1651
1652	#
1653	# tcp sockets
1654	#
1655	a=${NSA_IP}
1656	log_start
1657	run_cmd nettest -l ${a} -r ${NSB_IP} -t1 -b
1658	log_test_addr ${a} $? 0 "TCP socket bind to local address"
1659
1660	log_start
1661	run_cmd nettest -l ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b
1662	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
1663
1664	# Sadly, the kernel allows binding a socket to a device and then
1665	# binding to an address not on the device. The only restriction
1666	# is that the address is valid in the L3 domain. So this test
1667	# passes when it really should not
1668	#a=${NSA_LO_IP}
1669	#log_start
1670	#show_hint "Should fail with 'Cannot assign requested address'"
1671	#run_cmd nettest -s -l ${a} -d ${NSA_DEV} -t1 -b
1672	#log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
1673}
1674
1675ipv4_addr_bind_vrf()
1676{
1677	#
1678	# raw socket
1679	#
1680	for a in ${NSA_IP} ${VRF_IP}
1681	do
1682		log_start
1683		run_cmd nettest -s -R -P icmp -l ${a} -b
1684		log_test_addr ${a} $? 0 "Raw socket bind to local address"
1685
1686		log_start
1687		run_cmd nettest -s -R -P icmp -l ${a} -d ${NSA_DEV} -b
1688		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
1689		log_start
1690		run_cmd nettest -s -R -P icmp -l ${a} -d ${VRF} -b
1691		log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind"
1692	done
1693
1694	a=${NSA_LO_IP}
1695	log_start
1696	show_hint "Address on loopback is out of VRF scope"
1697	run_cmd nettest -s -R -P icmp -l ${a} -d ${VRF} -b
1698	log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind"
1699
1700	#
1701	# tcp sockets
1702	#
1703	for a in ${NSA_IP} ${VRF_IP}
1704	do
1705		log_start
1706		run_cmd nettest -s -l ${a} -d ${VRF} -t1 -b
1707		log_test_addr ${a} $? 0 "TCP socket bind to local address"
1708
1709		log_start
1710		run_cmd nettest -s -l ${a} -d ${NSA_DEV} -t1 -b
1711		log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
1712	done
1713
1714	a=${NSA_LO_IP}
1715	log_start
1716	show_hint "Address on loopback out of scope for VRF"
1717	run_cmd nettest -s -l ${a} -d ${VRF} -t1 -b
1718	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"
1719
1720	log_start
1721	show_hint "Address on loopback out of scope for device in VRF"
1722	run_cmd nettest -s -l ${a} -d ${NSA_DEV} -t1 -b
1723	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
1724}
1725
1726ipv4_addr_bind()
1727{
1728	log_section "IPv4 address binds"
1729
1730	log_subsection "No VRF"
1731	setup
1732	ipv4_addr_bind_novrf
1733
1734	log_subsection "With VRF"
1735	setup "yes"
1736	ipv4_addr_bind_vrf
1737}
1738
1739################################################################################
1740# IPv4 runtime tests
1741
1742ipv4_rt()
1743{
1744	local desc="$1"
1745	local varg="$2"
1746	local with_vrf="yes"
1747	local a
1748
1749	#
1750	# server tests
1751	#
1752	for a in ${NSA_IP} ${VRF_IP}
1753	do
1754		log_start
1755		run_cmd nettest ${varg} -s &
1756		sleep 1
1757		run_cmd_nsb nettest ${varg} -r ${a} &
1758		sleep 3
1759		run_cmd ip link del ${VRF}
1760		sleep 1
1761		log_test_addr ${a} 0 0 "${desc}, global server"
1762
1763		setup ${with_vrf}
1764	done
1765
1766	for a in ${NSA_IP} ${VRF_IP}
1767	do
1768		log_start
1769		run_cmd nettest ${varg} -s -d ${VRF} &
1770		sleep 1
1771		run_cmd_nsb nettest ${varg} -r ${a} &
1772		sleep 3
1773		run_cmd ip link del ${VRF}
1774		sleep 1
1775		log_test_addr ${a} 0 0 "${desc}, VRF server"
1776
1777		setup ${with_vrf}
1778	done
1779
1780	a=${NSA_IP}
1781	log_start
1782	run_cmd nettest ${varg} -s -d ${NSA_DEV} &
1783	sleep 1
1784	run_cmd_nsb nettest ${varg} -r ${a} &
1785	sleep 3
1786	run_cmd ip link del ${VRF}
1787	sleep 1
1788	log_test_addr ${a} 0 0 "${desc}, enslaved device server"
1789
1790	setup ${with_vrf}
1791
1792	#
1793	# client test
1794	#
1795	log_start
1796	run_cmd_nsb nettest ${varg} -s &
1797	sleep 1
1798	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} &
1799	sleep 3
1800	run_cmd ip link del ${VRF}
1801	sleep 1
1802	log_test_addr ${a} 0 0 "${desc}, VRF client"
1803
1804	setup ${with_vrf}
1805
1806	log_start
1807	run_cmd_nsb nettest ${varg} -s &
1808	sleep 1
1809	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} &
1810	sleep 3
1811	run_cmd ip link del ${VRF}
1812	sleep 1
1813	log_test_addr ${a} 0 0 "${desc}, enslaved device client"
1814
1815	setup ${with_vrf}
1816
1817	#
1818	# local address tests
1819	#
1820	for a in ${NSA_IP} ${VRF_IP}
1821	do
1822		log_start
1823		run_cmd nettest ${varg} -s &
1824		sleep 1
1825		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
1826		sleep 3
1827		run_cmd ip link del ${VRF}
1828		sleep 1
1829		log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local"
1830
1831		setup ${with_vrf}
1832	done
1833
1834	for a in ${NSA_IP} ${VRF_IP}
1835	do
1836		log_start
1837		run_cmd nettest ${varg} -d ${VRF} -s &
1838		sleep 1
1839		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
1840		sleep 3
1841		run_cmd ip link del ${VRF}
1842		sleep 1
1843		log_test_addr ${a} 0 0 "${desc}, VRF server and client, local"
1844
1845		setup ${with_vrf}
1846	done
1847
1848	a=${NSA_IP}
1849	log_start
1850	run_cmd nettest ${varg} -s &
1851	sleep 1
1852	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
1853	sleep 3
1854	run_cmd ip link del ${VRF}
1855	sleep 1
1856	log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local"
1857
1858	setup ${with_vrf}
1859
1860	log_start
1861	run_cmd nettest ${varg} -d ${VRF} -s &
1862	sleep 1
1863	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
1864	sleep 3
1865	run_cmd ip link del ${VRF}
1866	sleep 1
1867	log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local"
1868
1869	setup ${with_vrf}
1870
1871	log_start
1872	run_cmd nettest ${varg} -d ${NSA_DEV} -s &
1873	sleep 1
1874	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
1875	sleep 3
1876	run_cmd ip link del ${VRF}
1877	sleep 1
1878	log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local"
1879}
1880
1881ipv4_ping_rt()
1882{
1883	local with_vrf="yes"
1884	local a
1885
1886	for a in ${NSA_IP} ${VRF_IP}
1887	do
1888		log_start
1889		run_cmd_nsb ping -f ${a} &
1890		sleep 3
1891		run_cmd ip link del ${VRF}
1892		sleep 1
1893		log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"
1894
1895		setup ${with_vrf}
1896	done
1897
1898	a=${NSB_IP}
1899	log_start
1900	run_cmd ping -f -I ${VRF} ${a} &
1901	sleep 3
1902	run_cmd ip link del ${VRF}
1903	sleep 1
1904	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
1905}
1906
1907ipv4_runtime()
1908{
1909	log_section "Run time tests - ipv4"
1910
1911	setup "yes"
1912	ipv4_ping_rt
1913
1914	setup "yes"
1915	ipv4_rt "TCP active socket"  "-n -1"
1916
1917	setup "yes"
1918	ipv4_rt "TCP passive socket" "-i"
1919}
1920
1921################################################################################
1922# IPv6
1923
1924ipv6_ping_novrf()
1925{
1926	local a
1927
1928	# should not have an impact, but make a known state
1929	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null
1930
1931	#
1932	# out
1933	#
1934	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
1935	do
1936		log_start
1937		run_cmd ${ping6} -c1 -w1 ${a}
1938		log_test_addr ${a} $? 0 "ping out"
1939	done
1940
1941	for a in ${NSB_IP6} ${NSB_LO_IP6}
1942	do
1943		log_start
1944		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
1945		log_test_addr ${a} $? 0 "ping out, device bind"
1946
1947		log_start
1948		run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a}
1949		log_test_addr ${a} $? 0 "ping out, loopback address bind"
1950	done
1951
1952	#
1953	# in
1954	#
1955	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
1956	do
1957		log_start
1958		run_cmd_nsb ${ping6} -c1 -w1 ${a}
1959		log_test_addr ${a} $? 0 "ping in"
1960	done
1961
1962	#
1963	# local traffic, local address
1964	#
1965	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
1966	do
1967		log_start
1968		run_cmd ${ping6} -c1 -w1 ${a}
1969		log_test_addr ${a} $? 0 "ping local, no bind"
1970	done
1971
1972	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
1973	do
1974		log_start
1975		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
1976		log_test_addr ${a} $? 0 "ping local, device bind"
1977	done
1978
1979	for a in ${NSA_LO_IP6} ::1
1980	do
1981		log_start
1982		show_hint "Fails since address on loopback is out of device scope"
1983		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
1984		log_test_addr ${a} $? 2 "ping local, device bind"
1985	done
1986
1987	#
1988	# ip rule blocks address
1989	#
1990	log_start
1991	setup_cmd ip -6 rule add pref 32765 from all lookup local
1992	setup_cmd ip -6 rule del pref 0 from all lookup local
1993	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
1994	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit
1995
1996	a=${NSB_LO_IP6}
1997	run_cmd ${ping6} -c1 -w1 ${a}
1998	log_test_addr ${a} $? 2 "ping out, blocked by rule"
1999
2000	log_start
2001	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2002	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
2003
2004	a=${NSA_LO_IP6}
2005	log_start
2006	show_hint "Response lost due to ip rule"
2007	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2008	log_test_addr ${a} $? 1 "ping in, blocked by rule"
2009
2010	setup_cmd ip -6 rule add pref 0 from all lookup local
2011	setup_cmd ip -6 rule del pref 32765 from all lookup local
2012	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
2013	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit
2014
2015	#
2016	# route blocks reachability to remote address
2017	#
2018	log_start
2019	setup_cmd ip -6 route del ${NSB_LO_IP6}
2020	setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10
2021	setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10
2022
2023	a=${NSB_LO_IP6}
2024	run_cmd ${ping6} -c1 -w1 ${a}
2025	log_test_addr ${a} $? 2 "ping out, blocked by route"
2026
2027	log_start
2028	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2029	log_test_addr ${a} $? 2 "ping out, device bind, blocked by route"
2030
2031	a=${NSA_LO_IP6}
2032	log_start
2033	show_hint "Response lost due to ip route"
2034	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2035	log_test_addr ${a} $? 1 "ping in, blocked by route"
2036
2037
2038	#
2039	# remove 'remote' routes; fallback to default
2040	#
2041	log_start
2042	setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6}
2043	setup_cmd ip -6 ro del unreachable ${NSB_IP6}
2044
2045	a=${NSB_LO_IP6}
2046	run_cmd ${ping6} -c1 -w1 ${a}
2047	log_test_addr ${a} $? 2 "ping out, unreachable route"
2048
2049	log_start
2050	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2051	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
2052}
2053
2054ipv6_ping_vrf()
2055{
2056	local a
2057
2058	# should default on; does not exist on older kernels
2059	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
2060
2061	#
2062	# out
2063	#
2064	for a in ${NSB_IP6} ${NSB_LO_IP6}
2065	do
2066		log_start
2067		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
2068		log_test_addr ${a} $? 0 "ping out, VRF bind"
2069	done
2070
2071	for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF}
2072	do
2073		log_start
2074		show_hint "Fails since VRF device does not support linklocal or multicast"
2075		run_cmd ${ping6} -c1 -w1 ${a}
2076		log_test_addr ${a} $? 2 "ping out, VRF bind"
2077	done
2078
2079	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2080	do
2081		log_start
2082		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2083		log_test_addr ${a} $? 0 "ping out, device bind"
2084	done
2085
2086	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2087	do
2088		log_start
2089		run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a}
2090		log_test_addr ${a} $? 0 "ping out, vrf device+address bind"
2091	done
2092
2093	#
2094	# in
2095	#
2096	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
2097	do
2098		log_start
2099		run_cmd_nsb ${ping6} -c1 -w1 ${a}
2100		log_test_addr ${a} $? 0 "ping in"
2101	done
2102
2103	a=${NSA_LO_IP6}
2104	log_start
2105	show_hint "Fails since loopback address is out of VRF scope"
2106	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2107	log_test_addr ${a} $? 1 "ping in"
2108
2109	#
2110	# local traffic, local address
2111	#
2112	for a in ${NSA_IP6} ${VRF_IP6} ::1
2113	do
2114		log_start
2115		show_hint "Source address should be ${a}"
2116		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
2117		log_test_addr ${a} $? 0 "ping local, VRF bind"
2118	done
2119
2120	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2121	do
2122		log_start
2123		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2124		log_test_addr ${a} $? 0 "ping local, device bind"
2125	done
2126
2127	# LLA to GUA - remove ipv6 global addresses from ns-B
2128	setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
2129	setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo
2130	setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
2131
2132	for a in ${NSA_IP6} ${VRF_IP6}
2133	do
2134		log_start
2135		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
2136		log_test_addr ${a} $? 0 "ping in, LLA to GUA"
2137	done
2138
2139	setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
2140	setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV}
2141	setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo
2142
2143	#
2144	# ip rule blocks address
2145	#
2146	log_start
2147	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
2148	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit
2149
2150	a=${NSB_LO_IP6}
2151	run_cmd ${ping6} -c1 -w1 ${a}
2152	log_test_addr ${a} $? 2 "ping out, blocked by rule"
2153
2154	log_start
2155	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2156	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
2157
2158	a=${NSA_LO_IP6}
2159	log_start
2160	show_hint "Response lost due to ip rule"
2161	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2162	log_test_addr ${a} $? 1 "ping in, blocked by rule"
2163
2164	log_start
2165	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
2166	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit
2167
2168	#
2169	# remove 'remote' routes; fallback to default
2170	#
2171	log_start
2172	setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF}
2173
2174	a=${NSB_LO_IP6}
2175	run_cmd ${ping6} -c1 -w1 ${a}
2176	log_test_addr ${a} $? 2 "ping out, unreachable route"
2177
2178	log_start
2179	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2180	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
2181
2182	ip -netns ${NSB} -6 ro del ${NSA_LO_IP6}
2183	a=${NSA_LO_IP6}
2184	log_start
2185	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2186	log_test_addr ${a} $? 2 "ping in, unreachable route"
2187}
2188
2189ipv6_ping()
2190{
2191	log_section "IPv6 ping"
2192
2193	log_subsection "No VRF"
2194	setup
2195	ipv6_ping_novrf
2196
2197	log_subsection "With VRF"
2198	setup "yes"
2199	ipv6_ping_vrf
2200}
2201
2202################################################################################
2203# IPv6 TCP
2204
2205#
2206# MD5 tests without VRF
2207#
2208ipv6_tcp_md5_novrf()
2209{
2210	#
2211	# single address
2212	#
2213
2214	# basic use case
2215	log_start
2216	run_cmd nettest -6 -s -M ${MD5_PW} -r ${NSB_IP6} &
2217	sleep 1
2218	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
2219	log_test $? 0 "MD5: Single address config"
2220
2221	# client sends MD5, server not configured
2222	log_start
2223	show_hint "Should timeout due to MD5 mismatch"
2224	run_cmd nettest -6 -s &
2225	sleep 1
2226	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
2227	log_test $? 2 "MD5: Server no config, client uses password"
2228
2229	# wrong password
2230	log_start
2231	show_hint "Should timeout since client uses wrong password"
2232	run_cmd nettest -6 -s -M ${MD5_PW} -r ${NSB_IP6} &
2233	sleep 1
2234	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
2235	log_test $? 2 "MD5: Client uses wrong password"
2236
2237	# client from different address
2238	log_start
2239	show_hint "Should timeout due to MD5 mismatch"
2240	run_cmd nettest -6 -s -M ${MD5_PW} -r ${NSB_LO_IP6} &
2241	sleep 1
2242	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
2243	log_test $? 2 "MD5: Client address does not match address configured with password"
2244
2245	#
2246	# MD5 extension - prefix length
2247	#
2248
2249	# client in prefix
2250	log_start
2251	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2252	sleep 1
2253	run_cmd_nsb nettest -6  -r ${NSA_IP6} -M ${MD5_PW}
2254	log_test $? 0 "MD5: Prefix config"
2255
2256	# client in prefix, wrong password
2257	log_start
2258	show_hint "Should timeout since client uses wrong password"
2259	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2260	sleep 1
2261	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
2262	log_test $? 2 "MD5: Prefix config, client uses wrong password"
2263
2264	# client outside of prefix
2265	log_start
2266	show_hint "Should timeout due to MD5 mismatch"
2267	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2268	sleep 1
2269	run_cmd_nsb nettest -6 -l ${NSB_LO_IP6} -r ${NSA_IP6} -M ${MD5_PW}
2270	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
2271}
2272
2273#
2274# MD5 tests with VRF
2275#
2276ipv6_tcp_md5()
2277{
2278	#
2279	# single address
2280	#
2281
2282	# basic use case
2283	log_start
2284	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} &
2285	sleep 1
2286	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
2287	log_test $? 0 "MD5: VRF: Single address config"
2288
2289	# client sends MD5, server not configured
2290	log_start
2291	show_hint "Should timeout since server does not have MD5 auth"
2292	run_cmd nettest -6 -s -d ${VRF} &
2293	sleep 1
2294	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
2295	log_test $? 2 "MD5: VRF: Server no config, client uses password"
2296
2297	# wrong password
2298	log_start
2299	show_hint "Should timeout since client uses wrong password"
2300	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} &
2301	sleep 1
2302	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
2303	log_test $? 2 "MD5: VRF: Client uses wrong password"
2304
2305	# client from different address
2306	log_start
2307	show_hint "Should timeout since server config differs from client"
2308	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_LO_IP6} &
2309	sleep 1
2310	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
2311	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"
2312
2313	#
2314	# MD5 extension - prefix length
2315	#
2316
2317	# client in prefix
2318	log_start
2319	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2320	sleep 1
2321	run_cmd_nsb nettest -6  -r ${NSA_IP6} -M ${MD5_PW}
2322	log_test $? 0 "MD5: VRF: Prefix config"
2323
2324	# client in prefix, wrong password
2325	log_start
2326	show_hint "Should timeout since client uses wrong password"
2327	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2328	sleep 1
2329	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
2330	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"
2331
2332	# client outside of prefix
2333	log_start
2334	show_hint "Should timeout since client address is outside of prefix"
2335	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2336	sleep 1
2337	run_cmd_nsb nettest -6 -l ${NSB_LO_IP6} -r ${NSA_IP6} -M ${MD5_PW}
2338	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"
2339
2340	#
2341	# duplicate config between default VRF and a VRF
2342	#
2343
2344	log_start
2345	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} &
2346	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -r ${NSB_IP6} &
2347	sleep 1
2348	run_cmd_nsb nettest -6  -r ${NSA_IP6} -M ${MD5_PW}
2349	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"
2350
2351	log_start
2352	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} &
2353	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -r ${NSB_IP6} &
2354	sleep 1
2355	run_cmd_nsc nettest -6  -r ${NSA_IP6} -M ${MD5_WRONG_PW}
2356	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"
2357
2358	log_start
2359	show_hint "Should timeout since client in default VRF uses VRF password"
2360	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} &
2361	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -r ${NSB_IP6} &
2362	sleep 1
2363	run_cmd_nsc nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
2364	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"
2365
2366	log_start
2367	show_hint "Should timeout since client in VRF uses default VRF password"
2368	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} &
2369	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -r ${NSB_IP6} &
2370	sleep 1
2371	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
2372	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"
2373
2374	log_start
2375	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2376	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2377	sleep 1
2378	run_cmd_nsb nettest -6  -r ${NSA_IP6} -M ${MD5_PW}
2379	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"
2380
2381	log_start
2382	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2383	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2384	sleep 1
2385	run_cmd_nsc nettest -6  -r ${NSA_IP6} -M ${MD5_WRONG_PW}
2386	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"
2387
2388	log_start
2389	show_hint "Should timeout since client in default VRF uses VRF password"
2390	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2391	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2392	sleep 1
2393	run_cmd_nsc nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
2394	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"
2395
2396	log_start
2397	show_hint "Should timeout since client in VRF uses default VRF password"
2398	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2399	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2400	sleep 1
2401	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
2402	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"
2403
2404	#
2405	# negative tests
2406	#
2407	log_start
2408	run_cmd nettest -6 -s -d ${NSA_DEV} -M ${MD5_PW} -r ${NSB_IP6}
2409	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"
2410
2411	log_start
2412	run_cmd nettest -6 -s -d ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6}
2413	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"
2414
2415}
2416
2417ipv6_tcp_novrf()
2418{
2419	local a
2420
2421	#
2422	# server tests
2423	#
2424	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2425	do
2426		log_start
2427		run_cmd nettest -6 -s &
2428		sleep 1
2429		run_cmd_nsb nettest -6 -r ${a}
2430		log_test_addr ${a} $? 0 "Global server"
2431	done
2432
2433	# verify TCP reset received
2434	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2435	do
2436		log_start
2437		show_hint "Should fail 'Connection refused'"
2438		run_cmd_nsb nettest -6 -r ${a}
2439		log_test_addr ${a} $? 1 "No server"
2440	done
2441
2442	#
2443	# client
2444	#
2445	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2446	do
2447		log_start
2448		run_cmd_nsb nettest -6 -s &
2449		sleep 1
2450		run_cmd nettest -6 -r ${a}
2451		log_test_addr ${a} $? 0 "Client"
2452	done
2453
2454	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2455	do
2456		log_start
2457		run_cmd_nsb nettest -6 -s &
2458		sleep 1
2459		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2460		log_test_addr ${a} $? 0 "Client, device bind"
2461	done
2462
2463	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2464	do
2465		log_start
2466		show_hint "Should fail 'Connection refused'"
2467		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2468		log_test_addr ${a} $? 1 "No server, device client"
2469	done
2470
2471	#
2472	# local address tests
2473	#
2474	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
2475	do
2476		log_start
2477		run_cmd nettest -6 -s &
2478		sleep 1
2479		run_cmd nettest -6 -r ${a}
2480		log_test_addr ${a} $? 0 "Global server, local connection"
2481	done
2482
2483	a=${NSA_IP6}
2484	log_start
2485	run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} &
2486	sleep 1
2487	run_cmd nettest -6 -r ${a} -0 ${a}
2488	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
2489
2490	for a in ${NSA_LO_IP6} ::1
2491	do
2492		log_start
2493		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
2494		run_cmd nettest -6 -s -d ${NSA_DEV} &
2495		sleep 1
2496		run_cmd nettest -6 -r ${a}
2497		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
2498	done
2499
2500	a=${NSA_IP6}
2501	log_start
2502	run_cmd nettest -6 -s &
2503	sleep 1
2504	run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
2505	log_test_addr ${a} $? 0 "Global server, device client, local connection"
2506
2507	for a in ${NSA_LO_IP6} ::1
2508	do
2509		log_start
2510		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
2511		run_cmd nettest -6 -s &
2512		sleep 1
2513		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2514		log_test_addr ${a} $? 1 "Global server, device client, local connection"
2515	done
2516
2517	for a in ${NSA_IP6} ${NSA_LINKIP6}
2518	do
2519		log_start
2520		run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} &
2521		sleep 1
2522		run_cmd nettest -6  -d ${NSA_DEV} -r ${a}
2523		log_test_addr ${a} $? 0 "Device server, device client, local conn"
2524	done
2525
2526	for a in ${NSA_IP6} ${NSA_LINKIP6}
2527	do
2528		log_start
2529		show_hint "Should fail 'Connection refused'"
2530		run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
2531		log_test_addr ${a} $? 1 "No server, device client, local conn"
2532	done
2533
2534	ipv6_tcp_md5_novrf
2535}
2536
2537ipv6_tcp_vrf()
2538{
2539	local a
2540
2541	# disable global server
2542	log_subsection "Global server disabled"
2543
2544	set_sysctl net.ipv4.tcp_l3mdev_accept=0
2545
2546	#
2547	# server tests
2548	#
2549	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2550	do
2551		log_start
2552		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
2553		run_cmd nettest -6 -s &
2554		sleep 1
2555		run_cmd_nsb nettest -6 -r ${a}
2556		log_test_addr ${a} $? 1 "Global server"
2557	done
2558
2559	for a in ${NSA_IP6} ${VRF_IP6}
2560	do
2561		log_start
2562		run_cmd nettest -6 -s -d ${VRF} -2 ${VRF} &
2563		sleep 1
2564		run_cmd_nsb nettest -6 -r ${a}
2565		log_test_addr ${a} $? 0 "VRF server"
2566	done
2567
2568	# link local is always bound to ingress device
2569	a=${NSA_LINKIP6}%${NSB_DEV}
2570	log_start
2571	run_cmd nettest -6 -s -d ${VRF} -2 ${NSA_DEV} &
2572	sleep 1
2573	run_cmd_nsb nettest -6 -r ${a}
2574	log_test_addr ${a} $? 0 "VRF server"
2575
2576	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2577	do
2578		log_start
2579		run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} &
2580		sleep 1
2581		run_cmd_nsb nettest -6 -r ${a}
2582		log_test_addr ${a} $? 0 "Device server"
2583	done
2584
2585	# verify TCP reset received
2586	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2587	do
2588		log_start
2589		show_hint "Should fail 'Connection refused'"
2590		run_cmd_nsb nettest -6 -r ${a}
2591		log_test_addr ${a} $? 1 "No server"
2592	done
2593
2594	# local address tests
2595	a=${NSA_IP6}
2596	log_start
2597	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
2598	run_cmd nettest -6 -s &
2599	sleep 1
2600	run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2601	log_test_addr ${a} $? 1 "Global server, local connection"
2602
2603	# run MD5 tests
2604	ipv6_tcp_md5
2605
2606	#
2607	# enable VRF global server
2608	#
2609	log_subsection "VRF Global server enabled"
2610	set_sysctl net.ipv4.tcp_l3mdev_accept=1
2611
2612	for a in ${NSA_IP6} ${VRF_IP6}
2613	do
2614		log_start
2615		run_cmd nettest -6 -s -2 ${VRF} &
2616		sleep 1
2617		run_cmd_nsb nettest -6 -r ${a}
2618		log_test_addr ${a} $? 0 "Global server"
2619	done
2620
2621	for a in ${NSA_IP6} ${VRF_IP6}
2622	do
2623		log_start
2624		run_cmd nettest -6 -s -d ${VRF} -2 ${VRF} &
2625		sleep 1
2626		run_cmd_nsb nettest -6 -r ${a}
2627		log_test_addr ${a} $? 0 "VRF server"
2628	done
2629
2630	# For LLA, child socket is bound to device
2631	a=${NSA_LINKIP6}%${NSB_DEV}
2632	log_start
2633	run_cmd nettest -6 -s -2 ${NSA_DEV} &
2634	sleep 1
2635	run_cmd_nsb nettest -6 -r ${a}
2636	log_test_addr ${a} $? 0 "Global server"
2637
2638	log_start
2639	run_cmd nettest -6 -s -d ${VRF} -2 ${NSA_DEV} &
2640	sleep 1
2641	run_cmd_nsb nettest -6 -r ${a}
2642	log_test_addr ${a} $? 0 "VRF server"
2643
2644	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2645	do
2646		log_start
2647		run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} &
2648		sleep 1
2649		run_cmd_nsb nettest -6 -r ${a}
2650		log_test_addr ${a} $? 0 "Device server"
2651	done
2652
2653	# verify TCP reset received
2654	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2655	do
2656		log_start
2657		show_hint "Should fail 'Connection refused'"
2658		run_cmd_nsb nettest -6 -r ${a}
2659		log_test_addr ${a} $? 1 "No server"
2660	done
2661
2662	# local address tests
2663	for a in ${NSA_IP6} ${VRF_IP6}
2664	do
2665		log_start
2666		show_hint "Fails 'Connection refused' since client is not in VRF"
2667		run_cmd nettest -6 -s -d ${VRF} &
2668		sleep 1
2669		run_cmd nettest -6 -r ${a}
2670		log_test_addr ${a} $? 1 "Global server, local connection"
2671	done
2672
2673
2674	#
2675	# client
2676	#
2677	for a in ${NSB_IP6} ${NSB_LO_IP6}
2678	do
2679		log_start
2680		run_cmd_nsb nettest -6 -s &
2681		sleep 1
2682		run_cmd nettest -6 -r ${a} -d ${VRF}
2683		log_test_addr ${a} $? 0 "Client, VRF bind"
2684	done
2685
2686	a=${NSB_LINKIP6}
2687	log_start
2688	show_hint "Fails since VRF device does not allow linklocal addresses"
2689	run_cmd_nsb nettest -6 -s &
2690	sleep 1
2691	run_cmd nettest -6 -r ${a} -d ${VRF}
2692	log_test_addr ${a} $? 1 "Client, VRF bind"
2693
2694	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}
2695	do
2696		log_start
2697		run_cmd_nsb nettest -6 -s &
2698		sleep 1
2699		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2700		log_test_addr ${a} $? 0 "Client, device bind"
2701	done
2702
2703	for a in ${NSB_IP6} ${NSB_LO_IP6}
2704	do
2705		log_start
2706		show_hint "Should fail 'Connection refused'"
2707		run_cmd nettest -6 -r ${a} -d ${VRF}
2708		log_test_addr ${a} $? 1 "No server, VRF client"
2709	done
2710
2711	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}
2712	do
2713		log_start
2714		show_hint "Should fail 'Connection refused'"
2715		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2716		log_test_addr ${a} $? 1 "No server, device client"
2717	done
2718
2719	for a in ${NSA_IP6} ${VRF_IP6} ::1
2720	do
2721		log_start
2722		run_cmd nettest -6 -s -d ${VRF} -2 ${VRF} &
2723		sleep 1
2724		run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
2725		log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
2726	done
2727
2728	a=${NSA_IP6}
2729	log_start
2730	run_cmd nettest -6 -s -d ${VRF} -2 ${VRF} &
2731	sleep 1
2732	run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
2733	log_test_addr ${a} $? 0 "VRF server, device client, local connection"
2734
2735	a=${NSA_IP6}
2736	log_start
2737	show_hint "Should fail since unbound client is out of VRF scope"
2738	run_cmd nettest -6 -s -d ${VRF} &
2739	sleep 1
2740	run_cmd nettest -6 -r ${a}
2741	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"
2742
2743	log_start
2744	run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} &
2745	sleep 1
2746	run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
2747	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"
2748
2749	for a in ${NSA_IP6} ${NSA_LINKIP6}
2750	do
2751		log_start
2752		run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} &
2753		sleep 1
2754		run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
2755		log_test_addr ${a} $? 0 "Device server, device client, local connection"
2756	done
2757}
2758
2759ipv6_tcp()
2760{
2761	log_section "IPv6/TCP"
2762	log_subsection "No VRF"
2763	setup
2764
2765	# tcp_l3mdev_accept should have no affect without VRF;
2766	# run tests with it enabled and disabled to verify
2767	log_subsection "tcp_l3mdev_accept disabled"
2768	set_sysctl net.ipv4.tcp_l3mdev_accept=0
2769	ipv6_tcp_novrf
2770	log_subsection "tcp_l3mdev_accept enabled"
2771	set_sysctl net.ipv4.tcp_l3mdev_accept=1
2772	ipv6_tcp_novrf
2773
2774	log_subsection "With VRF"
2775	setup "yes"
2776	ipv6_tcp_vrf
2777}
2778
2779################################################################################
2780# IPv6 UDP
2781
2782ipv6_udp_novrf()
2783{
2784	local a
2785
2786	#
2787	# server tests
2788	#
2789	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2790	do
2791		log_start
2792		run_cmd nettest -6 -D -s -2 ${NSA_DEV} &
2793		sleep 1
2794		run_cmd_nsb nettest -6 -D -r ${a}
2795		log_test_addr ${a} $? 0 "Global server"
2796
2797		log_start
2798		run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
2799		sleep 1
2800		run_cmd_nsb nettest -6 -D -r ${a}
2801		log_test_addr ${a} $? 0 "Device server"
2802	done
2803
2804	a=${NSA_LO_IP6}
2805	log_start
2806	run_cmd nettest -6 -D -s -2 ${NSA_DEV} &
2807	sleep 1
2808	run_cmd_nsb nettest -6 -D -r ${a}
2809	log_test_addr ${a} $? 0 "Global server"
2810
2811	# should fail since loopback address is out of scope for a device
2812	# bound server, but it does not - hence this is more documenting
2813	# behavior.
2814	#log_start
2815	#show_hint "Should fail since loopback address is out of scope"
2816	#run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
2817	#sleep 1
2818	#run_cmd_nsb nettest -6 -D -r ${a}
2819	#log_test_addr ${a} $? 1 "Device server"
2820
2821	# negative test - should fail
2822	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2823	do
2824		log_start
2825		show_hint "Should fail 'Connection refused' since there is no server"
2826		run_cmd_nsb nettest -6 -D -r ${a}
2827		log_test_addr ${a} $? 1 "No server"
2828	done
2829
2830	#
2831	# client
2832	#
2833	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2834	do
2835		log_start
2836		run_cmd_nsb nettest -6 -D -s &
2837		sleep 1
2838		run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6}
2839		log_test_addr ${a} $? 0 "Client"
2840
2841		log_start
2842		run_cmd_nsb nettest -6 -D -s &
2843		sleep 1
2844		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6}
2845		log_test_addr ${a} $? 0 "Client, device bind"
2846
2847		log_start
2848		run_cmd_nsb nettest -6 -D -s &
2849		sleep 1
2850		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6}
2851		log_test_addr ${a} $? 0 "Client, device send via cmsg"
2852
2853		log_start
2854		run_cmd_nsb nettest -6 -D -s &
2855		sleep 1
2856		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6}
2857		log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF"
2858
2859		log_start
2860		show_hint "Should fail 'Connection refused'"
2861		run_cmd nettest -6 -D -r ${a}
2862		log_test_addr ${a} $? 1 "No server, unbound client"
2863
2864		log_start
2865		show_hint "Should fail 'Connection refused'"
2866		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
2867		log_test_addr ${a} $? 1 "No server, device client"
2868	done
2869
2870	#
2871	# local address tests
2872	#
2873	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
2874	do
2875		log_start
2876		run_cmd nettest -6 -D -s &
2877		sleep 1
2878		run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a}
2879		log_test_addr ${a} $? 0 "Global server, local connection"
2880	done
2881
2882	a=${NSA_IP6}
2883	log_start
2884	run_cmd nettest -6 -s -D -d ${NSA_DEV} -2 ${NSA_DEV} &
2885	sleep 1
2886	run_cmd nettest -6 -D -r ${a}
2887	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
2888
2889	for a in ${NSA_LO_IP6} ::1
2890	do
2891		log_start
2892		show_hint "Should fail 'Connection refused' since address is out of device scope"
2893		run_cmd nettest -6 -s -D -d ${NSA_DEV} &
2894		sleep 1
2895		run_cmd nettest -6 -D -r ${a}
2896		log_test_addr ${a} $? 1 "Device server, local connection"
2897	done
2898
2899	a=${NSA_IP6}
2900	log_start
2901	run_cmd nettest -6 -s -D &
2902	sleep 1
2903	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
2904	log_test_addr ${a} $? 0 "Global server, device client, local connection"
2905
2906	log_start
2907	run_cmd nettest -6 -s -D &
2908	sleep 1
2909	run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a}
2910	log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"
2911
2912	log_start
2913	run_cmd nettest -6 -s -D &
2914	sleep 1
2915	run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a}
2916	log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection"
2917
2918	for a in ${NSA_LO_IP6} ::1
2919	do
2920		log_start
2921		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
2922		run_cmd nettest -6 -D -s &
2923		sleep 1
2924		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
2925		log_test_addr ${a} $? 1 "Global server, device client, local connection"
2926
2927		log_start
2928		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
2929		run_cmd nettest -6 -D -s &
2930		sleep 1
2931		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C
2932		log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"
2933
2934		log_start
2935		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
2936		run_cmd nettest -6 -D -s &
2937		sleep 1
2938		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S
2939		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
2940	done
2941
2942	a=${NSA_IP6}
2943	log_start
2944	run_cmd nettest -6 -D -s -d ${NSA_DEV} -2 ${NSA_DEV} &
2945	sleep 1
2946	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a}
2947	log_test_addr ${a} $? 0 "Device server, device client, local conn"
2948
2949	log_start
2950	show_hint "Should fail 'Connection refused'"
2951	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
2952	log_test_addr ${a} $? 1 "No server, device client, local conn"
2953
2954	# LLA to GUA
2955	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
2956	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
2957	log_start
2958	run_cmd nettest -6 -s -D &
2959	sleep 1
2960	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
2961	log_test $? 0 "UDP in - LLA to GUA"
2962
2963	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
2964	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
2965}
2966
2967ipv6_udp_vrf()
2968{
2969	local a
2970
2971	# disable global server
2972	log_subsection "Global server disabled"
2973	set_sysctl net.ipv4.udp_l3mdev_accept=0
2974
2975	#
2976	# server tests
2977	#
2978	for a in ${NSA_IP6} ${VRF_IP6}
2979	do
2980		log_start
2981		show_hint "Should fail 'Connection refused' since global server is disabled"
2982		run_cmd nettest -6 -D -s &
2983		sleep 1
2984		run_cmd_nsb nettest -6 -D -r ${a}
2985		log_test_addr ${a} $? 1 "Global server"
2986	done
2987
2988	for a in ${NSA_IP6} ${VRF_IP6}
2989	do
2990		log_start
2991		run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} &
2992		sleep 1
2993		run_cmd_nsb nettest -6 -D -r ${a}
2994		log_test_addr ${a} $? 0 "VRF server"
2995	done
2996
2997	for a in ${NSA_IP6} ${VRF_IP6}
2998	do
2999		log_start
3000		run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
3001		sleep 1
3002		run_cmd_nsb nettest -6 -D -r ${a}
3003		log_test_addr ${a} $? 0 "Enslaved device server"
3004	done
3005
3006	# negative test - should fail
3007	for a in ${NSA_IP6} ${VRF_IP6}
3008	do
3009		log_start
3010		show_hint "Should fail 'Connection refused' since there is no server"
3011		run_cmd_nsb nettest -6 -D -r ${a}
3012		log_test_addr ${a} $? 1 "No server"
3013	done
3014
3015	#
3016	# local address tests
3017	#
3018	for a in ${NSA_IP6} ${VRF_IP6}
3019	do
3020		log_start
3021		show_hint "Should fail 'Connection refused' since global server is disabled"
3022		run_cmd nettest -6 -D -s &
3023		sleep 1
3024		run_cmd nettest -6 -D -d ${VRF} -r ${a}
3025		log_test_addr ${a} $? 1 "Global server, VRF client, local conn"
3026	done
3027
3028	for a in ${NSA_IP6} ${VRF_IP6}
3029	do
3030		log_start
3031		run_cmd nettest -6 -D -d ${VRF} -s &
3032		sleep 1
3033		run_cmd nettest -6 -D -d ${VRF} -r ${a}
3034		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3035	done
3036
3037	a=${NSA_IP6}
3038	log_start
3039	show_hint "Should fail 'Connection refused' since global server is disabled"
3040	run_cmd nettest -6 -D -s &
3041	sleep 1
3042	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3043	log_test_addr ${a} $? 1 "Global server, device client, local conn"
3044
3045	log_start
3046	run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} &
3047	sleep 1
3048	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3049	log_test_addr ${a} $? 0 "VRF server, device client, local conn"
3050
3051	log_start
3052	run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
3053	sleep 1
3054	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3055	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
3056
3057	log_start
3058	run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
3059	sleep 1
3060	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3061	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
3062
3063	# disable global server
3064	log_subsection "Global server enabled"
3065	set_sysctl net.ipv4.udp_l3mdev_accept=1
3066
3067	#
3068	# server tests
3069	#
3070	for a in ${NSA_IP6} ${VRF_IP6}
3071	do
3072		log_start
3073		run_cmd nettest -6 -D -s -2 ${NSA_DEV} &
3074		sleep 1
3075		run_cmd_nsb nettest -6 -D -r ${a}
3076		log_test_addr ${a} $? 0 "Global server"
3077	done
3078
3079	for a in ${NSA_IP6} ${VRF_IP6}
3080	do
3081		log_start
3082		run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} &
3083		sleep 1
3084		run_cmd_nsb nettest -6 -D -r ${a}
3085		log_test_addr ${a} $? 0 "VRF server"
3086	done
3087
3088	for a in ${NSA_IP6} ${VRF_IP6}
3089	do
3090		log_start
3091		run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
3092		sleep 1
3093		run_cmd_nsb nettest -6 -D -r ${a}
3094		log_test_addr ${a} $? 0 "Enslaved device server"
3095	done
3096
3097	# negative test - should fail
3098	for a in ${NSA_IP6} ${VRF_IP6}
3099	do
3100		log_start
3101		run_cmd_nsb nettest -6 -D -r ${a}
3102		log_test_addr ${a} $? 1 "No server"
3103	done
3104
3105	#
3106	# client tests
3107	#
3108	log_start
3109	run_cmd_nsb nettest -6 -D -s &
3110	sleep 1
3111	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
3112	log_test $? 0 "VRF client"
3113
3114	# negative test - should fail
3115	log_start
3116	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
3117	log_test $? 1 "No server, VRF client"
3118
3119	log_start
3120	run_cmd_nsb nettest -6 -D -s &
3121	sleep 1
3122	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
3123	log_test $? 0 "Enslaved device client"
3124
3125	# negative test - should fail
3126	log_start
3127	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
3128	log_test $? 1 "No server, enslaved device client"
3129
3130	#
3131	# local address tests
3132	#
3133	a=${NSA_IP6}
3134	log_start
3135	run_cmd nettest -6 -D -s -2 ${NSA_DEV} &
3136	sleep 1
3137	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3138	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
3139
3140	#log_start
3141	run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} &
3142	sleep 1
3143	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3144	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3145
3146
3147	a=${VRF_IP6}
3148	log_start
3149	run_cmd nettest -6 -D -s -2 ${VRF} &
3150	sleep 1
3151	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3152	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
3153
3154	log_start
3155	run_cmd nettest -6 -D -d ${VRF} -s -2 ${VRF} &
3156	sleep 1
3157	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3158	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3159
3160	# negative test - should fail
3161	for a in ${NSA_IP6} ${VRF_IP6}
3162	do
3163		log_start
3164		run_cmd nettest -6 -D -d ${VRF} -r ${a}
3165		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
3166	done
3167
3168	# device to global IP
3169	a=${NSA_IP6}
3170	log_start
3171	run_cmd nettest -6 -D -s -2 ${NSA_DEV} &
3172	sleep 1
3173	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3174	log_test_addr ${a} $? 0 "Global server, device client, local conn"
3175
3176	log_start
3177	run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} &
3178	sleep 1
3179	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3180	log_test_addr ${a} $? 0 "VRF server, device client, local conn"
3181
3182	log_start
3183	run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
3184	sleep 1
3185	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3186	log_test_addr ${a} $? 0 "Device server, VRF client, local conn"
3187
3188	log_start
3189	run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
3190	sleep 1
3191	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3192	log_test_addr ${a} $? 0 "Device server, device client, local conn"
3193
3194	log_start
3195	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3196	log_test_addr ${a} $? 1 "No server, device client, local conn"
3197
3198
3199	# link local addresses
3200	log_start
3201	run_cmd nettest -6 -D -s &
3202	sleep 1
3203	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
3204	log_test $? 0 "Global server, linklocal IP"
3205
3206	log_start
3207	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
3208	log_test $? 1 "No server, linklocal IP"
3209
3210
3211	log_start
3212	run_cmd_nsb nettest -6 -D -s &
3213	sleep 1
3214	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
3215	log_test $? 0 "Enslaved device client, linklocal IP"
3216
3217	log_start
3218	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
3219	log_test $? 1 "No server, device client, peer linklocal IP"
3220
3221
3222	log_start
3223	run_cmd nettest -6 -D -s &
3224	sleep 1
3225	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
3226	log_test $? 0 "Enslaved device client, local conn - linklocal IP"
3227
3228	log_start
3229	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
3230	log_test $? 1 "No server, device client, local conn  - linklocal IP"
3231
3232	# LLA to GUA
3233	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
3234	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
3235	log_start
3236	run_cmd nettest -6 -s -D &
3237	sleep 1
3238	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
3239	log_test $? 0 "UDP in - LLA to GUA"
3240
3241	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
3242	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
3243}
3244
3245ipv6_udp()
3246{
3247        # should not matter, but set to known state
3248        set_sysctl net.ipv4.udp_early_demux=1
3249
3250        log_section "IPv6/UDP"
3251        log_subsection "No VRF"
3252        setup
3253
3254        # udp_l3mdev_accept should have no affect without VRF;
3255        # run tests with it enabled and disabled to verify
3256        log_subsection "udp_l3mdev_accept disabled"
3257        set_sysctl net.ipv4.udp_l3mdev_accept=0
3258        ipv6_udp_novrf
3259        log_subsection "udp_l3mdev_accept enabled"
3260        set_sysctl net.ipv4.udp_l3mdev_accept=1
3261        ipv6_udp_novrf
3262
3263        log_subsection "With VRF"
3264        setup "yes"
3265        ipv6_udp_vrf
3266}
3267
3268################################################################################
3269# IPv6 address bind
3270
3271ipv6_addr_bind_novrf()
3272{
3273	#
3274	# raw socket
3275	#
3276	for a in ${NSA_IP6} ${NSA_LO_IP6}
3277	do
3278		log_start
3279		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
3280		log_test_addr ${a} $? 0 "Raw socket bind to local address"
3281
3282		log_start
3283		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -d ${NSA_DEV} -b
3284		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
3285	done
3286
3287	#
3288	# tcp sockets
3289	#
3290	a=${NSA_IP6}
3291	log_start
3292	run_cmd nettest -6 -s -l ${a} -t1 -b
3293	log_test_addr ${a} $? 0 "TCP socket bind to local address"
3294
3295	log_start
3296	run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b
3297	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
3298
3299	a=${NSA_LO_IP6}
3300	log_start
3301	show_hint "Should fail with 'Cannot assign requested address'"
3302	run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b
3303	log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
3304}
3305
3306ipv6_addr_bind_vrf()
3307{
3308	#
3309	# raw socket
3310	#
3311	for a in ${NSA_IP6} ${VRF_IP6}
3312	do
3313		log_start
3314		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -d ${VRF} -b
3315		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"
3316
3317		log_start
3318		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -d ${NSA_DEV} -b
3319		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
3320	done
3321
3322	a=${NSA_LO_IP6}
3323	log_start
3324	show_hint "Address on loopback is out of VRF scope"
3325	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -d ${VRF} -b
3326	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"
3327
3328	#
3329	# tcp sockets
3330	#
3331	# address on enslaved device is valid for the VRF or device in a VRF
3332	for a in ${NSA_IP6} ${VRF_IP6}
3333	do
3334		log_start
3335		run_cmd nettest -6 -s -l ${a} -d ${VRF} -t1 -b
3336		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
3337	done
3338
3339	a=${NSA_IP6}
3340	log_start
3341	run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b
3342	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"
3343
3344	a=${VRF_IP6}
3345	log_start
3346	run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b
3347	log_test_addr ${a} $? 1 "TCP socket bind to VRF address with device bind"
3348
3349	a=${NSA_LO_IP6}
3350	log_start
3351	show_hint "Address on loopback out of scope for VRF"
3352	run_cmd nettest -6 -s -l ${a} -d ${VRF} -t1 -b
3353	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"
3354
3355	log_start
3356	show_hint "Address on loopback out of scope for device in VRF"
3357	run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b
3358	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
3359
3360}
3361
3362ipv6_addr_bind()
3363{
3364	log_section "IPv6 address binds"
3365
3366	log_subsection "No VRF"
3367	setup
3368	ipv6_addr_bind_novrf
3369
3370	log_subsection "With VRF"
3371	setup "yes"
3372	ipv6_addr_bind_vrf
3373}
3374
3375################################################################################
3376# IPv6 runtime tests
3377
3378ipv6_rt()
3379{
3380	local desc="$1"
3381	local varg="-6 $2"
3382	local with_vrf="yes"
3383	local a
3384
3385	#
3386	# server tests
3387	#
3388	for a in ${NSA_IP6} ${VRF_IP6}
3389	do
3390		log_start
3391		run_cmd nettest ${varg} -s &
3392		sleep 1
3393		run_cmd_nsb nettest ${varg} -r ${a} &
3394		sleep 3
3395		run_cmd ip link del ${VRF}
3396		sleep 1
3397		log_test_addr ${a} 0 0 "${desc}, global server"
3398
3399		setup ${with_vrf}
3400	done
3401
3402	for a in ${NSA_IP6} ${VRF_IP6}
3403	do
3404		log_start
3405		run_cmd nettest ${varg} -d ${VRF} -s &
3406		sleep 1
3407		run_cmd_nsb nettest ${varg} -r ${a} &
3408		sleep 3
3409		run_cmd ip link del ${VRF}
3410		sleep 1
3411		log_test_addr ${a} 0 0 "${desc}, VRF server"
3412
3413		setup ${with_vrf}
3414	done
3415
3416	for a in ${NSA_IP6} ${VRF_IP6}
3417	do
3418		log_start
3419		run_cmd nettest ${varg} -d ${NSA_DEV} -s &
3420		sleep 1
3421		run_cmd_nsb nettest ${varg} -r ${a} &
3422		sleep 3
3423		run_cmd ip link del ${VRF}
3424		sleep 1
3425		log_test_addr ${a} 0 0 "${desc}, enslaved device server"
3426
3427		setup ${with_vrf}
3428	done
3429
3430	#
3431	# client test
3432	#
3433	log_start
3434	run_cmd_nsb nettest ${varg} -s &
3435	sleep 1
3436	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
3437	sleep 3
3438	run_cmd ip link del ${VRF}
3439	sleep 1
3440	log_test  0 0 "${desc}, VRF client"
3441
3442	setup ${with_vrf}
3443
3444	log_start
3445	run_cmd_nsb nettest ${varg} -s &
3446	sleep 1
3447	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
3448	sleep 3
3449	run_cmd ip link del ${VRF}
3450	sleep 1
3451	log_test  0 0 "${desc}, enslaved device client"
3452
3453	setup ${with_vrf}
3454
3455
3456	#
3457	# local address tests
3458	#
3459	for a in ${NSA_IP6} ${VRF_IP6}
3460	do
3461		log_start
3462		run_cmd nettest ${varg} -s &
3463		sleep 1
3464		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
3465		sleep 3
3466		run_cmd ip link del ${VRF}
3467		sleep 1
3468		log_test_addr ${a} 0 0 "${desc}, global server, VRF client"
3469
3470		setup ${with_vrf}
3471	done
3472
3473	for a in ${NSA_IP6} ${VRF_IP6}
3474	do
3475		log_start
3476		run_cmd nettest ${varg} -d ${VRF} -s &
3477		sleep 1
3478		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
3479		sleep 3
3480		run_cmd ip link del ${VRF}
3481		sleep 1
3482		log_test_addr ${a} 0 0 "${desc}, VRF server and client"
3483
3484		setup ${with_vrf}
3485	done
3486
3487	a=${NSA_IP6}
3488	log_start
3489	run_cmd nettest ${varg} -s &
3490	sleep 1
3491	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3492	sleep 3
3493	run_cmd ip link del ${VRF}
3494	sleep 1
3495	log_test_addr ${a} 0 0 "${desc}, global server, device client"
3496
3497	setup ${with_vrf}
3498
3499	log_start
3500	run_cmd nettest ${varg} -d ${VRF} -s &
3501	sleep 1
3502	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3503	sleep 3
3504	run_cmd ip link del ${VRF}
3505	sleep 1
3506	log_test_addr ${a} 0 0 "${desc}, VRF server, device client"
3507
3508	setup ${with_vrf}
3509
3510	log_start
3511	run_cmd nettest ${varg} -d ${NSA_DEV} -s &
3512	sleep 1
3513	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3514	sleep 3
3515	run_cmd ip link del ${VRF}
3516	sleep 1
3517	log_test_addr ${a} 0 0 "${desc}, device server, device client"
3518}
3519
3520ipv6_ping_rt()
3521{
3522	local with_vrf="yes"
3523	local a
3524
3525	a=${NSA_IP6}
3526	log_start
3527	run_cmd_nsb ${ping6} -f ${a} &
3528	sleep 3
3529	run_cmd ip link del ${VRF}
3530	sleep 1
3531	log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"
3532
3533	setup ${with_vrf}
3534
3535	log_start
3536	run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
3537	sleep 1
3538	run_cmd ip link del ${VRF}
3539	sleep 1
3540	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
3541}
3542
3543ipv6_runtime()
3544{
3545	log_section "Run time tests - ipv6"
3546
3547	setup "yes"
3548	ipv6_ping_rt
3549
3550	setup "yes"
3551	ipv6_rt "TCP active socket"  "-n -1"
3552
3553	setup "yes"
3554	ipv6_rt "TCP passive socket" "-i"
3555
3556	setup "yes"
3557	ipv6_rt "UDP active socket"  "-D -n -1"
3558}
3559
3560################################################################################
3561# netfilter blocking connections
3562
3563netfilter_tcp_reset()
3564{
3565	local a
3566
3567	for a in ${NSA_IP} ${VRF_IP}
3568	do
3569		log_start
3570		run_cmd nettest -s &
3571		sleep 1
3572		run_cmd_nsb nettest -r ${a}
3573		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
3574	done
3575}
3576
3577netfilter_icmp()
3578{
3579	local stype="$1"
3580	local arg
3581	local a
3582
3583	[ "${stype}" = "UDP" ] && arg="-D"
3584
3585	for a in ${NSA_IP} ${VRF_IP}
3586	do
3587		log_start
3588		run_cmd nettest ${arg} -s &
3589		sleep 1
3590		run_cmd_nsb nettest ${arg} -r ${a}
3591		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
3592	done
3593}
3594
3595ipv4_netfilter()
3596{
3597	log_section "IPv4 Netfilter"
3598	log_subsection "TCP reset"
3599
3600	setup "yes"
3601	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset
3602
3603	netfilter_tcp_reset
3604
3605	log_start
3606	log_subsection "ICMP unreachable"
3607
3608	log_start
3609	run_cmd iptables -F
3610	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
3611	run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
3612
3613	netfilter_icmp "TCP"
3614	netfilter_icmp "UDP"
3615
3616	log_start
3617	iptables -F
3618}
3619
3620netfilter_tcp6_reset()
3621{
3622	local a
3623
3624	for a in ${NSA_IP6} ${VRF_IP6}
3625	do
3626		log_start
3627		run_cmd nettest -6 -s &
3628		sleep 1
3629		run_cmd_nsb nettest -6 -r ${a}
3630		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
3631	done
3632}
3633
3634netfilter_icmp6()
3635{
3636	local stype="$1"
3637	local arg
3638	local a
3639
3640	[ "${stype}" = "UDP" ] && arg="$arg -D"
3641
3642	for a in ${NSA_IP6} ${VRF_IP6}
3643	do
3644		log_start
3645		run_cmd nettest -6 -s ${arg} &
3646		sleep 1
3647		run_cmd_nsb nettest -6 ${arg} -r ${a}
3648		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
3649	done
3650}
3651
3652ipv6_netfilter()
3653{
3654	log_section "IPv6 Netfilter"
3655	log_subsection "TCP reset"
3656
3657	setup "yes"
3658	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset
3659
3660	netfilter_tcp6_reset
3661
3662	log_subsection "ICMP unreachable"
3663
3664	log_start
3665	run_cmd ip6tables -F
3666	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
3667	run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
3668
3669	netfilter_icmp6 "TCP"
3670	netfilter_icmp6 "UDP"
3671
3672	log_start
3673	ip6tables -F
3674}
3675
3676################################################################################
3677# specific use cases
3678
3679# VRF only.
3680# ns-A device enslaved to bridge. Verify traffic with and without
3681# br_netfilter module loaded. Repeat with SVI on bridge.
3682use_case_br()
3683{
3684	setup "yes"
3685
3686	setup_cmd ip link set ${NSA_DEV} down
3687	setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
3688	setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64
3689
3690	setup_cmd ip link add br0 type bridge
3691	setup_cmd ip addr add dev br0 ${NSA_IP}/24
3692	setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad
3693
3694	setup_cmd ip li set ${NSA_DEV} master br0
3695	setup_cmd ip li set ${NSA_DEV} up
3696	setup_cmd ip li set br0 up
3697	setup_cmd ip li set br0 vrf ${VRF}
3698
3699	rmmod br_netfilter 2>/dev/null
3700	sleep 5 # DAD
3701
3702	run_cmd ip neigh flush all
3703	run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
3704	log_test $? 0 "Bridge into VRF - IPv4 ping out"
3705
3706	run_cmd ip neigh flush all
3707	run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
3708	log_test $? 0 "Bridge into VRF - IPv6 ping out"
3709
3710	run_cmd ip neigh flush all
3711	run_cmd_nsb ping -c1 -w1 ${NSA_IP}
3712	log_test $? 0 "Bridge into VRF - IPv4 ping in"
3713
3714	run_cmd ip neigh flush all
3715	run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
3716	log_test $? 0 "Bridge into VRF - IPv6 ping in"
3717
3718	modprobe br_netfilter
3719	if [ $? -eq 0 ]; then
3720		run_cmd ip neigh flush all
3721		run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
3722		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out"
3723
3724		run_cmd ip neigh flush all
3725		run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
3726		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out"
3727
3728		run_cmd ip neigh flush all
3729		run_cmd_nsb ping -c1 -w1 ${NSA_IP}
3730		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in"
3731
3732		run_cmd ip neigh flush all
3733		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
3734		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in"
3735	fi
3736
3737	setup_cmd ip li set br0 nomaster
3738	setup_cmd ip li add br0.100 link br0 type vlan id 100
3739	setup_cmd ip li set br0.100 vrf ${VRF} up
3740	setup_cmd ip    addr add dev br0.100 172.16.101.1/24
3741	setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad
3742
3743	setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
3744	setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
3745	setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
3746	setup_cmd_nsb ip li set vlan100 up
3747	sleep 1
3748
3749	rmmod br_netfilter 2>/dev/null
3750
3751	run_cmd ip neigh flush all
3752	run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
3753	log_test $? 0 "Bridge vlan into VRF - IPv4 ping out"
3754
3755	run_cmd ip neigh flush all
3756	run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
3757	log_test $? 0 "Bridge vlan into VRF - IPv6 ping out"
3758
3759	run_cmd ip neigh flush all
3760	run_cmd_nsb ping -c1 -w1 172.16.101.1
3761	log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"
3762
3763	run_cmd ip neigh flush all
3764	run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
3765	log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"
3766
3767	modprobe br_netfilter
3768	if [ $? -eq 0 ]; then
3769		run_cmd ip neigh flush all
3770		run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
3771		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out"
3772
3773		run_cmd ip neigh flush all
3774		run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
3775		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out"
3776
3777		run_cmd ip neigh flush all
3778		run_cmd_nsb ping -c1 -w1 172.16.101.1
3779		log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"
3780
3781		run_cmd ip neigh flush all
3782		run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
3783		log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"
3784	fi
3785
3786	setup_cmd ip li del br0 2>/dev/null
3787	setup_cmd_nsb ip li del vlan100 2>/dev/null
3788}
3789
3790use_cases()
3791{
3792	log_section "Use cases"
3793	use_case_br
3794}
3795
3796################################################################################
3797# usage
3798
3799usage()
3800{
3801	cat <<EOF
3802usage: ${0##*/} OPTS
3803
3804	-4          IPv4 tests only
3805	-6          IPv6 tests only
3806	-t <test>   Test name/set to run
3807	-p          Pause on fail
3808	-P          Pause after each test
3809	-v          Be verbose
3810EOF
3811}
3812
3813################################################################################
3814# main
3815
3816TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_addr_bind ipv4_runtime ipv4_netfilter"
3817TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_addr_bind ipv6_runtime ipv6_netfilter"
3818TESTS_OTHER="use_cases"
3819
3820PAUSE_ON_FAIL=no
3821PAUSE=no
3822
3823while getopts :46t:pPvh o
3824do
3825	case $o in
3826		4) TESTS=ipv4;;
3827		6) TESTS=ipv6;;
3828		t) TESTS=$OPTARG;;
3829		p) PAUSE_ON_FAIL=yes;;
3830		P) PAUSE=yes;;
3831		v) VERBOSE=1;;
3832		h) usage; exit 0;;
3833		*) usage; exit 1;;
3834	esac
3835done
3836
3837# make sure we don't pause twice
3838[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no
3839
3840#
3841# show user test config
3842#
3843if [ -z "$TESTS" ]; then
3844	TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
3845elif [ "$TESTS" = "ipv4" ]; then
3846	TESTS="$TESTS_IPV4"
3847elif [ "$TESTS" = "ipv6" ]; then
3848	TESTS="$TESTS_IPV6"
3849fi
3850
3851which nettest >/dev/null
3852if [ $? -ne 0 ]; then
3853	echo "'nettest' command not found; skipping tests"
3854	exit 0
3855fi
3856
3857declare -i nfail=0
3858declare -i nsuccess=0
3859
3860for t in $TESTS
3861do
3862	case $t in
3863	ipv4_ping|ping)  ipv4_ping;;
3864	ipv4_tcp|tcp)    ipv4_tcp;;
3865	ipv4_udp|udp)    ipv4_udp;;
3866	ipv4_bind|bind)  ipv4_addr_bind;;
3867	ipv4_runtime)    ipv4_runtime;;
3868	ipv4_netfilter)  ipv4_netfilter;;
3869
3870	ipv6_ping|ping6) ipv6_ping;;
3871	ipv6_tcp|tcp6)   ipv6_tcp;;
3872	ipv6_udp|udp6)   ipv6_udp;;
3873	ipv6_bind|bind6) ipv6_addr_bind;;
3874	ipv6_runtime)    ipv6_runtime;;
3875	ipv6_netfilter)  ipv6_netfilter;;
3876
3877	use_cases)       use_cases;;
3878
3879	# setup namespaces and config, but do not run any tests
3880	setup)		 setup; exit 0;;
3881	vrf_setup)	 setup "yes"; exit 0;;
3882
3883	help)            echo "Test names: $TESTS"; exit 0;;
3884	esac
3885done
3886
3887cleanup 2>/dev/null
3888
3889printf "\nTests passed: %3d\n" ${nsuccess}
3890printf "Tests failed: %3d\n"   ${nfail}
3891