xref: /linux/tools/testing/selftests/net/fcnal-test.sh (revision 44fd1917314e9d4f53dd95dd65df1c152f503d3a)
1#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0
3#
4# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
5#
6# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
7# for various permutations:
8#   1. icmp, tcp, udp and netfilter
9#   2. client, server, no-server
10#   3. global address on interface
11#   4. global address on 'lo'
12#   5. remote and local traffic
13#   6. VRF and non-VRF permutations
14#
15# Setup:
16#                     ns-A     |     ns-B
17# No VRF case:
18#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
19#                                                remote address
20# VRF case:
21#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
22#
23# ns-A:
24#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
25#       lo: 127.0.0.1/8, ::1/128
26#           172.16.2.1/32, 2001:db8:2::1/128
27#      red: 127.0.0.1/8, ::1/128
28#           172.16.3.1/32, 2001:db8:3::1/128
29#
30# ns-B:
31#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
32#      lo2: 127.0.0.1/8, ::1/128
33#           172.16.2.2/32, 2001:db8:2::2/128
34#
35# ns-A to ns-C connection - only for VRF and same config
36# as ns-A to ns-B
37#
38# server / client nomenclature relative to ns-A
39
40# Kselftest framework requirement - SKIP code is 4.
41ksft_skip=4
42
43VERBOSE=0
44
45NSA_DEV=eth1
46NSA_DEV2=eth2
47NSB_DEV=eth1
48NSC_DEV=eth2
49VRF=red
50VRF_TABLE=1101
51
52# IPv4 config
53NSA_IP=172.16.1.1
54NSB_IP=172.16.1.2
55VRF_IP=172.16.3.1
56NS_NET=172.16.1.0/24
57
58# IPv6 config
59NSA_IP6=2001:db8:1::1
60NSB_IP6=2001:db8:1::2
61VRF_IP6=2001:db8:3::1
62NS_NET6=2001:db8:1::/120
63
64NSA_LO_IP=172.16.2.1
65NSB_LO_IP=172.16.2.2
66NSA_LO_IP6=2001:db8:2::1
67NSB_LO_IP6=2001:db8:2::2
68
69# non-local addresses for freebind tests
70NL_IP=172.17.1.1
71NL_IP6=2001:db8:4::1
72
73# multicast and broadcast addresses
74MCAST_IP=224.0.0.1
75BCAST_IP=255.255.255.255
76
77MD5_PW=abc123
78MD5_WRONG_PW=abc1234
79
80MCAST=ff02::1
81# set after namespace create
82NSA_LINKIP6=
83NSB_LINKIP6=
84
85NSA=ns-A
86NSB=ns-B
87NSC=ns-C
88
89NSA_CMD="ip netns exec ${NSA}"
90NSB_CMD="ip netns exec ${NSB}"
91NSC_CMD="ip netns exec ${NSC}"
92
93which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)
94
95################################################################################
96# utilities
97
98log_test()
99{
100	local rc=$1
101	local expected=$2
102	local msg="$3"
103
104	[ "${VERBOSE}" = "1" ] && echo
105
106	if [ ${rc} -eq ${expected} ]; then
107		nsuccess=$((nsuccess+1))
108		printf "TEST: %-70s  [ OK ]\n" "${msg}"
109	else
110		nfail=$((nfail+1))
111		printf "TEST: %-70s  [FAIL]\n" "${msg}"
112		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
113			echo
114			echo "hit enter to continue, 'q' to quit"
115			read a
116			[ "$a" = "q" ] && exit 1
117		fi
118	fi
119
120	if [ "${PAUSE}" = "yes" ]; then
121		echo
122		echo "hit enter to continue, 'q' to quit"
123		read a
124		[ "$a" = "q" ] && exit 1
125	fi
126
127	kill_procs
128}
129
130log_test_addr()
131{
132	local addr=$1
133	local rc=$2
134	local expected=$3
135	local msg="$4"
136	local astr
137
138	astr=$(addr2str ${addr})
139	log_test $rc $expected "$msg - ${astr}"
140}
141
142log_section()
143{
144	echo
145	echo "###########################################################################"
146	echo "$*"
147	echo "###########################################################################"
148	echo
149}
150
151log_subsection()
152{
153	echo
154	echo "#################################################################"
155	echo "$*"
156	echo
157}
158
159log_start()
160{
161	# make sure we have no test instances running
162	kill_procs
163
164	if [ "${VERBOSE}" = "1" ]; then
165		echo
166		echo "#######################################################"
167	fi
168}
169
170log_debug()
171{
172	if [ "${VERBOSE}" = "1" ]; then
173		echo
174		echo "$*"
175		echo
176	fi
177}
178
179show_hint()
180{
181	if [ "${VERBOSE}" = "1" ]; then
182		echo "HINT: $*"
183		echo
184	fi
185}
186
187kill_procs()
188{
189	killall nettest ping ping6 >/dev/null 2>&1
190	sleep 1
191}
192
193do_run_cmd()
194{
195	local cmd="$*"
196	local out
197
198	if [ "$VERBOSE" = "1" ]; then
199		echo "COMMAND: ${cmd}"
200	fi
201
202	out=$($cmd 2>&1)
203	rc=$?
204	if [ "$VERBOSE" = "1" -a -n "$out" ]; then
205		echo "$out"
206	fi
207
208	return $rc
209}
210
211run_cmd()
212{
213	do_run_cmd ${NSA_CMD} $*
214}
215
216run_cmd_nsb()
217{
218	do_run_cmd ${NSB_CMD} $*
219}
220
221run_cmd_nsc()
222{
223	do_run_cmd ${NSC_CMD} $*
224}
225
226setup_cmd()
227{
228	local cmd="$*"
229	local rc
230
231	run_cmd ${cmd}
232	rc=$?
233	if [ $rc -ne 0 ]; then
234		# show user the command if not done so already
235		if [ "$VERBOSE" = "0" ]; then
236			echo "setup command: $cmd"
237		fi
238		echo "failed. stopping tests"
239		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
240			echo
241			echo "hit enter to continue"
242			read a
243		fi
244		exit $rc
245	fi
246}
247
248setup_cmd_nsb()
249{
250	local cmd="$*"
251	local rc
252
253	run_cmd_nsb ${cmd}
254	rc=$?
255	if [ $rc -ne 0 ]; then
256		# show user the command if not done so already
257		if [ "$VERBOSE" = "0" ]; then
258			echo "setup command: $cmd"
259		fi
260		echo "failed. stopping tests"
261		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
262			echo
263			echo "hit enter to continue"
264			read a
265		fi
266		exit $rc
267	fi
268}
269
270setup_cmd_nsc()
271{
272	local cmd="$*"
273	local rc
274
275	run_cmd_nsc ${cmd}
276	rc=$?
277	if [ $rc -ne 0 ]; then
278		# show user the command if not done so already
279		if [ "$VERBOSE" = "0" ]; then
280			echo "setup command: $cmd"
281		fi
282		echo "failed. stopping tests"
283		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
284			echo
285			echo "hit enter to continue"
286			read a
287		fi
288		exit $rc
289	fi
290}
291
292# set sysctl values in NS-A
293set_sysctl()
294{
295	echo "SYSCTL: $*"
296	echo
297	run_cmd sysctl -q -w $*
298}
299
300# get sysctl values in NS-A
301get_sysctl()
302{
303	${NSA_CMD} sysctl -n $*
304}
305
306################################################################################
307# Setup for tests
308
309addr2str()
310{
311	case "$1" in
312	127.0.0.1) echo "loopback";;
313	::1) echo "IPv6 loopback";;
314
315	${BCAST_IP}) echo "broadcast";;
316	${MCAST_IP}) echo "multicast";;
317
318	${NSA_IP})	echo "ns-A IP";;
319	${NSA_IP6})	echo "ns-A IPv6";;
320	${NSA_LO_IP})	echo "ns-A loopback IP";;
321	${NSA_LO_IP6})	echo "ns-A loopback IPv6";;
322	${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;
323
324	${NSB_IP})	echo "ns-B IP";;
325	${NSB_IP6})	echo "ns-B IPv6";;
326	${NSB_LO_IP})	echo "ns-B loopback IP";;
327	${NSB_LO_IP6})	echo "ns-B loopback IPv6";;
328	${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;
329
330	${NL_IP})       echo "nonlocal IP";;
331	${NL_IP6})      echo "nonlocal IPv6";;
332
333	${VRF_IP})	echo "VRF IP";;
334	${VRF_IP6})	echo "VRF IPv6";;
335
336	${MCAST}%*)	echo "multicast IP";;
337
338	*) echo "unknown";;
339	esac
340}
341
342get_linklocal()
343{
344	local ns=$1
345	local dev=$2
346	local addr
347
348	addr=$(ip -netns ${ns} -6 -br addr show dev ${dev} | \
349	awk '{
350		for (i = 3; i <= NF; ++i) {
351			if ($i ~ /^fe80/)
352				print $i
353		}
354	}'
355	)
356	addr=${addr/\/*}
357
358	[ -z "$addr" ] && return 1
359
360	echo $addr
361
362	return 0
363}
364
365################################################################################
366# create namespaces and vrf
367
368create_vrf()
369{
370	local ns=$1
371	local vrf=$2
372	local table=$3
373	local addr=$4
374	local addr6=$5
375
376	ip -netns ${ns} link add ${vrf} type vrf table ${table}
377	ip -netns ${ns} link set ${vrf} up
378	ip -netns ${ns} route add vrf ${vrf} unreachable default metric 8192
379	ip -netns ${ns} -6 route add vrf ${vrf} unreachable default metric 8192
380
381	ip -netns ${ns} addr add 127.0.0.1/8 dev ${vrf}
382	ip -netns ${ns} -6 addr add ::1 dev ${vrf} nodad
383	if [ "${addr}" != "-" ]; then
384		ip -netns ${ns} addr add dev ${vrf} ${addr}
385	fi
386	if [ "${addr6}" != "-" ]; then
387		ip -netns ${ns} -6 addr add dev ${vrf} ${addr6}
388	fi
389
390	ip -netns ${ns} ru del pref 0
391	ip -netns ${ns} ru add pref 32765 from all lookup local
392	ip -netns ${ns} -6 ru del pref 0
393	ip -netns ${ns} -6 ru add pref 32765 from all lookup local
394}
395
396create_ns()
397{
398	local ns=$1
399	local addr=$2
400	local addr6=$3
401
402	ip netns add ${ns}
403
404	ip -netns ${ns} link set lo up
405	if [ "${addr}" != "-" ]; then
406		ip -netns ${ns} addr add dev lo ${addr}
407	fi
408	if [ "${addr6}" != "-" ]; then
409		ip -netns ${ns} -6 addr add dev lo ${addr6}
410	fi
411
412	ip -netns ${ns} ro add unreachable default metric 8192
413	ip -netns ${ns} -6 ro add unreachable default metric 8192
414
415	ip netns exec ${ns} sysctl -qw net.ipv4.ip_forward=1
416	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
417	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.forwarding=1
418	ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.forwarding=1
419}
420
421# create veth pair to connect namespaces and apply addresses.
422connect_ns()
423{
424	local ns1=$1
425	local ns1_dev=$2
426	local ns1_addr=$3
427	local ns1_addr6=$4
428	local ns2=$5
429	local ns2_dev=$6
430	local ns2_addr=$7
431	local ns2_addr6=$8
432
433	ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp
434	ip -netns ${ns1} li set ${ns1_dev} up
435	ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev}
436	ip -netns ${ns2} li set ${ns2_dev} up
437
438	if [ "${ns1_addr}" != "-" ]; then
439		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr}
440		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr}
441	fi
442
443	if [ "${ns1_addr6}" != "-" ]; then
444		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6}
445		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6}
446	fi
447}
448
449cleanup()
450{
451	# explicit cleanups to check those code paths
452	ip netns | grep -q ${NSA}
453	if [ $? -eq 0 ]; then
454		ip -netns ${NSA} link delete ${VRF}
455		ip -netns ${NSA} ro flush table ${VRF_TABLE}
456
457		ip -netns ${NSA} addr flush dev ${NSA_DEV}
458		ip -netns ${NSA} -6 addr flush dev ${NSA_DEV}
459		ip -netns ${NSA} link set dev ${NSA_DEV} down
460		ip -netns ${NSA} link del dev ${NSA_DEV}
461
462		ip netns pids ${NSA} | xargs kill 2>/dev/null
463		ip netns del ${NSA}
464	fi
465
466	ip netns pids ${NSB} | xargs kill 2>/dev/null
467	ip netns del ${NSB}
468	ip netns pids ${NSC} | xargs kill 2>/dev/null
469	ip netns del ${NSC} >/dev/null 2>&1
470}
471
472cleanup_vrf_dup()
473{
474	ip link del ${NSA_DEV2} >/dev/null 2>&1
475	ip netns pids ${NSC} | xargs kill 2>/dev/null
476	ip netns del ${NSC} >/dev/null 2>&1
477}
478
479setup_vrf_dup()
480{
481	# some VRF tests use ns-C which has the same config as
482	# ns-B but for a device NOT in the VRF
483	create_ns ${NSC} "-" "-"
484	connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \
485		   ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
486}
487
488setup()
489{
490	local with_vrf=${1}
491
492	# make sure we are starting with a clean slate
493	kill_procs
494	cleanup 2>/dev/null
495
496	log_debug "Configuring network namespaces"
497	set -e
498
499	create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128
500	create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128
501	connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \
502		   ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
503
504	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
505	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
506
507	# tell ns-A how to get to remote addresses of ns-B
508	if [ "${with_vrf}" = "yes" ]; then
509		create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6}
510
511		ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
512		ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
513		ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
514
515		ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
516		ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
517	else
518		ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
519		ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
520	fi
521
522
523	# tell ns-B how to get to remote addresses of ns-A
524	ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
525	ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
526
527	set +e
528
529	sleep 1
530}
531
532setup_lla_only()
533{
534	# make sure we are starting with a clean slate
535	kill_procs
536	cleanup 2>/dev/null
537
538	log_debug "Configuring network namespaces"
539	set -e
540
541	create_ns ${NSA} "-" "-"
542	create_ns ${NSB} "-" "-"
543	create_ns ${NSC} "-" "-"
544	connect_ns ${NSA} ${NSA_DEV} "-" "-" \
545		   ${NSB} ${NSB_DEV} "-" "-"
546	connect_ns ${NSA} ${NSA_DEV2} "-" "-" \
547		   ${NSC} ${NSC_DEV}  "-" "-"
548
549	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
550	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
551	NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV})
552
553	create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-"
554	ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
555	ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF}
556
557	set +e
558
559	sleep 1
560}
561
562################################################################################
563# IPv4
564
565ipv4_ping_novrf()
566{
567	local a
568
569	#
570	# out
571	#
572	for a in ${NSB_IP} ${NSB_LO_IP}
573	do
574		log_start
575		run_cmd ping -c1 -w1 ${a}
576		log_test_addr ${a} $? 0 "ping out"
577
578		log_start
579		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
580		log_test_addr ${a} $? 0 "ping out, device bind"
581
582		log_start
583		run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a}
584		log_test_addr ${a} $? 0 "ping out, address bind"
585	done
586
587	#
588	# in
589	#
590	for a in ${NSA_IP} ${NSA_LO_IP}
591	do
592		log_start
593		run_cmd_nsb ping -c1 -w1 ${a}
594		log_test_addr ${a} $? 0 "ping in"
595	done
596
597	#
598	# local traffic
599	#
600	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
601	do
602		log_start
603		run_cmd ping -c1 -w1 ${a}
604		log_test_addr ${a} $? 0 "ping local"
605	done
606
607	#
608	# local traffic, socket bound to device
609	#
610	# address on device
611	a=${NSA_IP}
612	log_start
613	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
614	log_test_addr ${a} $? 0 "ping local, device bind"
615
616	# loopback addresses not reachable from device bind
617	# fails in a really weird way though because ipv4 special cases
618	# route lookups with oif set.
619	for a in ${NSA_LO_IP} 127.0.0.1
620	do
621		log_start
622		show_hint "Fails since address on loopback device is out of device scope"
623		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
624		log_test_addr ${a} $? 1 "ping local, device bind"
625	done
626
627	#
628	# ip rule blocks reachability to remote address
629	#
630	log_start
631	setup_cmd ip rule add pref 32765 from all lookup local
632	setup_cmd ip rule del pref 0 from all lookup local
633	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
634	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit
635
636	a=${NSB_LO_IP}
637	run_cmd ping -c1 -w1 ${a}
638	log_test_addr ${a} $? 2 "ping out, blocked by rule"
639
640	# NOTE: ipv4 actually allows the lookup to fail and yet still create
641	# a viable rtable if the oif (e.g., bind to device) is set, so this
642	# case succeeds despite the rule
643	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
644
645	a=${NSA_LO_IP}
646	log_start
647	show_hint "Response generates ICMP (or arp request is ignored) due to ip rule"
648	run_cmd_nsb ping -c1 -w1 ${a}
649	log_test_addr ${a} $? 1 "ping in, blocked by rule"
650
651	[ "$VERBOSE" = "1" ] && echo
652	setup_cmd ip rule del pref 32765 from all lookup local
653	setup_cmd ip rule add pref 0 from all lookup local
654	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
655	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit
656
657	#
658	# route blocks reachability to remote address
659	#
660	log_start
661	setup_cmd ip route replace unreachable ${NSB_LO_IP}
662	setup_cmd ip route replace unreachable ${NSB_IP}
663
664	a=${NSB_LO_IP}
665	run_cmd ping -c1 -w1 ${a}
666	log_test_addr ${a} $? 2 "ping out, blocked by route"
667
668	# NOTE: ipv4 actually allows the lookup to fail and yet still create
669	# a viable rtable if the oif (e.g., bind to device) is set, so this
670	# case succeeds despite not having a route for the address
671	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
672
673	a=${NSA_LO_IP}
674	log_start
675	show_hint "Response is dropped (or arp request is ignored) due to ip route"
676	run_cmd_nsb ping -c1 -w1 ${a}
677	log_test_addr ${a} $? 1 "ping in, blocked by route"
678
679	#
680	# remove 'remote' routes; fallback to default
681	#
682	log_start
683	setup_cmd ip ro del ${NSB_LO_IP}
684
685	a=${NSB_LO_IP}
686	run_cmd ping -c1 -w1 ${a}
687	log_test_addr ${a} $? 2 "ping out, unreachable default route"
688
689	# NOTE: ipv4 actually allows the lookup to fail and yet still create
690	# a viable rtable if the oif (e.g., bind to device) is set, so this
691	# case succeeds despite not having a route for the address
692	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
693}
694
695ipv4_ping_vrf()
696{
697	local a
698
699	# should default on; does not exist on older kernels
700	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
701
702	#
703	# out
704	#
705	for a in ${NSB_IP} ${NSB_LO_IP}
706	do
707		log_start
708		run_cmd ping -c1 -w1 -I ${VRF} ${a}
709		log_test_addr ${a} $? 0 "ping out, VRF bind"
710
711		log_start
712		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
713		log_test_addr ${a} $? 0 "ping out, device bind"
714
715		log_start
716		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a}
717		log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind"
718
719		log_start
720		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a}
721		log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind"
722	done
723
724	#
725	# in
726	#
727	for a in ${NSA_IP} ${VRF_IP}
728	do
729		log_start
730		run_cmd_nsb ping -c1 -w1 ${a}
731		log_test_addr ${a} $? 0 "ping in"
732	done
733
734	#
735	# local traffic, local address
736	#
737	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
738	do
739		log_start
740		show_hint "Source address should be ${a}"
741		run_cmd ping -c1 -w1 -I ${VRF} ${a}
742		log_test_addr ${a} $? 0 "ping local, VRF bind"
743	done
744
745	#
746	# local traffic, socket bound to device
747	#
748	# address on device
749	a=${NSA_IP}
750	log_start
751	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
752	log_test_addr ${a} $? 0 "ping local, device bind"
753
754	# vrf device is out of scope
755	for a in ${VRF_IP} 127.0.0.1
756	do
757		log_start
758		show_hint "Fails since address on vrf device is out of device scope"
759		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
760		log_test_addr ${a} $? 2 "ping local, device bind"
761	done
762
763	#
764	# ip rule blocks address
765	#
766	log_start
767	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
768	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit
769
770	a=${NSB_LO_IP}
771	run_cmd ping -c1 -w1 -I ${VRF} ${a}
772	log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule"
773
774	log_start
775	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
776	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
777
778	a=${NSA_LO_IP}
779	log_start
780	show_hint "Response lost due to ip rule"
781	run_cmd_nsb ping -c1 -w1 ${a}
782	log_test_addr ${a} $? 1 "ping in, blocked by rule"
783
784	[ "$VERBOSE" = "1" ] && echo
785	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
786	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit
787
788	#
789	# remove 'remote' routes; fallback to default
790	#
791	log_start
792	setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP}
793
794	a=${NSB_LO_IP}
795	run_cmd ping -c1 -w1 -I ${VRF} ${a}
796	log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route"
797
798	log_start
799	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
800	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
801
802	a=${NSA_LO_IP}
803	log_start
804	show_hint "Response lost by unreachable route"
805	run_cmd_nsb ping -c1 -w1 ${a}
806	log_test_addr ${a} $? 1 "ping in, unreachable route"
807}
808
809ipv4_ping()
810{
811	log_section "IPv4 ping"
812
813	log_subsection "No VRF"
814	setup
815	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null
816	ipv4_ping_novrf
817	setup
818	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
819	ipv4_ping_novrf
820	setup
821	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
822	ipv4_ping_novrf
823
824	log_subsection "With VRF"
825	setup "yes"
826	ipv4_ping_vrf
827	setup "yes"
828	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
829	ipv4_ping_vrf
830}
831
832################################################################################
833# IPv4 TCP
834
835#
836# MD5 tests without VRF
837#
838ipv4_tcp_md5_novrf()
839{
840	#
841	# single address
842	#
843
844	# basic use case
845	log_start
846	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
847	sleep 1
848	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
849	log_test $? 0 "MD5: Single address config"
850
851	# client sends MD5, server not configured
852	log_start
853	show_hint "Should timeout due to MD5 mismatch"
854	run_cmd nettest -s &
855	sleep 1
856	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
857	log_test $? 2 "MD5: Server no config, client uses password"
858
859	# wrong password
860	log_start
861	show_hint "Should timeout since client uses wrong password"
862	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
863	sleep 1
864	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
865	log_test $? 2 "MD5: Client uses wrong password"
866
867	# client from different address
868	log_start
869	show_hint "Should timeout due to MD5 mismatch"
870	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} &
871	sleep 1
872	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
873	log_test $? 2 "MD5: Client address does not match address configured with password"
874
875	#
876	# MD5 extension - prefix length
877	#
878
879	# client in prefix
880	log_start
881	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
882	sleep 1
883	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
884	log_test $? 0 "MD5: Prefix config"
885
886	# client in prefix, wrong password
887	log_start
888	show_hint "Should timeout since client uses wrong password"
889	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
890	sleep 1
891	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
892	log_test $? 2 "MD5: Prefix config, client uses wrong password"
893
894	# client outside of prefix
895	log_start
896	show_hint "Should timeout due to MD5 mismatch"
897	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
898	sleep 1
899	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
900	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
901}
902
903#
904# MD5 tests with VRF
905#
906ipv4_tcp_md5()
907{
908	#
909	# single address
910	#
911
912	# basic use case
913	log_start
914	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
915	sleep 1
916	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
917	log_test $? 0 "MD5: VRF: Single address config"
918
919	# client sends MD5, server not configured
920	log_start
921	show_hint "Should timeout since server does not have MD5 auth"
922	run_cmd nettest -s -I ${VRF} &
923	sleep 1
924	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
925	log_test $? 2 "MD5: VRF: Server no config, client uses password"
926
927	# wrong password
928	log_start
929	show_hint "Should timeout since client uses wrong password"
930	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
931	sleep 1
932	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
933	log_test $? 2 "MD5: VRF: Client uses wrong password"
934
935	# client from different address
936	log_start
937	show_hint "Should timeout since server config differs from client"
938	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} &
939	sleep 1
940	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
941	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"
942
943	#
944	# MD5 extension - prefix length
945	#
946
947	# client in prefix
948	log_start
949	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
950	sleep 1
951	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
952	log_test $? 0 "MD5: VRF: Prefix config"
953
954	# client in prefix, wrong password
955	log_start
956	show_hint "Should timeout since client uses wrong password"
957	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
958	sleep 1
959	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
960	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"
961
962	# client outside of prefix
963	log_start
964	show_hint "Should timeout since client address is outside of prefix"
965	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
966	sleep 1
967	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
968	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"
969
970	#
971	# duplicate config between default VRF and a VRF
972	#
973
974	log_start
975	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
976	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
977	sleep 1
978	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
979	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"
980
981	log_start
982	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
983	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
984	sleep 1
985	run_cmd_nsc nettest  -r ${NSA_IP} -X ${MD5_WRONG_PW}
986	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"
987
988	log_start
989	show_hint "Should timeout since client in default VRF uses VRF password"
990	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
991	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
992	sleep 1
993	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
994	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"
995
996	log_start
997	show_hint "Should timeout since client in VRF uses default VRF password"
998	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
999	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
1000	sleep 1
1001	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
1002	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"
1003
1004	log_start
1005	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
1006	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
1007	sleep 1
1008	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
1009	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"
1010
1011	log_start
1012	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
1013	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
1014	sleep 1
1015	run_cmd_nsc nettest  -r ${NSA_IP} -X ${MD5_WRONG_PW}
1016	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"
1017
1018	log_start
1019	show_hint "Should timeout since client in default VRF uses VRF password"
1020	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
1021	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
1022	sleep 1
1023	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
1024	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"
1025
1026	log_start
1027	show_hint "Should timeout since client in VRF uses default VRF password"
1028	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
1029	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
1030	sleep 1
1031	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
1032	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"
1033
1034	#
1035	# negative tests
1036	#
1037	log_start
1038	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP}
1039	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"
1040
1041	log_start
1042	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET}
1043	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"
1044
1045	test_ipv4_md5_vrf__vrf_server__no_bind_ifindex
1046	test_ipv4_md5_vrf__global_server__bind_ifindex0
1047}
1048
1049test_ipv4_md5_vrf__vrf_server__no_bind_ifindex()
1050{
1051	log_start
1052	show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX"
1053	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
1054	sleep 1
1055	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1056	log_test $? 0 "MD5: VRF: VRF-bound server, unbound key accepts connection"
1057
1058	log_start
1059	show_hint "Binding both the socket and the key is not required but it works"
1060	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
1061	sleep 1
1062	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1063	log_test $? 0 "MD5: VRF: VRF-bound server, bound key accepts connection"
1064}
1065
1066test_ipv4_md5_vrf__global_server__bind_ifindex0()
1067{
1068	# This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections
1069	local old_tcp_l3mdev_accept
1070	old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept)
1071	set_sysctl net.ipv4.tcp_l3mdev_accept=1
1072
1073	log_start
1074	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
1075	sleep 1
1076	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1077	log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection"
1078
1079	log_start
1080	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
1081	sleep 1
1082	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
1083	log_test $? 0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection"
1084	log_start
1085
1086	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
1087	sleep 1
1088	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1089	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection"
1090
1091	log_start
1092	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
1093	sleep 1
1094	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
1095	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection"
1096
1097	# restore value
1098	set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept"
1099}
1100
1101ipv4_tcp_novrf()
1102{
1103	local a
1104
1105	#
1106	# server tests
1107	#
1108	for a in ${NSA_IP} ${NSA_LO_IP}
1109	do
1110		log_start
1111		run_cmd nettest -s &
1112		sleep 1
1113		run_cmd_nsb nettest -r ${a}
1114		log_test_addr ${a} $? 0 "Global server"
1115	done
1116
1117	a=${NSA_IP}
1118	log_start
1119	run_cmd nettest -s -I ${NSA_DEV} &
1120	sleep 1
1121	run_cmd_nsb nettest -r ${a}
1122	log_test_addr ${a} $? 0 "Device server"
1123
1124	# verify TCP reset sent and received
1125	for a in ${NSA_IP} ${NSA_LO_IP}
1126	do
1127		log_start
1128		show_hint "Should fail 'Connection refused' since there is no server"
1129		run_cmd_nsb nettest -r ${a}
1130		log_test_addr ${a} $? 1 "No server"
1131	done
1132
1133	#
1134	# client
1135	#
1136	for a in ${NSB_IP} ${NSB_LO_IP}
1137	do
1138		log_start
1139		run_cmd_nsb nettest -s &
1140		sleep 1
1141		run_cmd nettest -r ${a} -0 ${NSA_IP}
1142		log_test_addr ${a} $? 0 "Client"
1143
1144		log_start
1145		run_cmd_nsb nettest -s &
1146		sleep 1
1147		run_cmd nettest -r ${a} -d ${NSA_DEV}
1148		log_test_addr ${a} $? 0 "Client, device bind"
1149
1150		log_start
1151		show_hint "Should fail 'Connection refused'"
1152		run_cmd nettest -r ${a}
1153		log_test_addr ${a} $? 1 "No server, unbound client"
1154
1155		log_start
1156		show_hint "Should fail 'Connection refused'"
1157		run_cmd nettest -r ${a} -d ${NSA_DEV}
1158		log_test_addr ${a} $? 1 "No server, device client"
1159	done
1160
1161	#
1162	# local address tests
1163	#
1164	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
1165	do
1166		log_start
1167		run_cmd nettest -s &
1168		sleep 1
1169		run_cmd nettest -r ${a} -0 ${a} -1 ${a}
1170		log_test_addr ${a} $? 0 "Global server, local connection"
1171	done
1172
1173	a=${NSA_IP}
1174	log_start
1175	run_cmd nettest -s -I ${NSA_DEV} &
1176	sleep 1
1177	run_cmd nettest -r ${a} -0 ${a}
1178	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
1179
1180	for a in ${NSA_LO_IP} 127.0.0.1
1181	do
1182		log_start
1183		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
1184		run_cmd nettest -s -I ${NSA_DEV} &
1185		sleep 1
1186		run_cmd nettest -r ${a}
1187		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
1188	done
1189
1190	a=${NSA_IP}
1191	log_start
1192	run_cmd nettest -s &
1193	sleep 1
1194	run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV}
1195	log_test_addr ${a} $? 0 "Global server, device client, local connection"
1196
1197	for a in ${NSA_LO_IP} 127.0.0.1
1198	do
1199		log_start
1200		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
1201		run_cmd nettest -s &
1202		sleep 1
1203		run_cmd nettest -r ${a} -d ${NSA_DEV}
1204		log_test_addr ${a} $? 1 "Global server, device client, local connection"
1205	done
1206
1207	a=${NSA_IP}
1208	log_start
1209	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1210	sleep 1
1211	run_cmd nettest  -d ${NSA_DEV} -r ${a} -0 ${a}
1212	log_test_addr ${a} $? 0 "Device server, device client, local connection"
1213
1214	log_start
1215	show_hint "Should fail 'Connection refused'"
1216	run_cmd nettest -d ${NSA_DEV} -r ${a}
1217	log_test_addr ${a} $? 1 "No server, device client, local conn"
1218
1219	ipv4_tcp_md5_novrf
1220}
1221
1222ipv4_tcp_vrf()
1223{
1224	local a
1225
1226	# disable global server
1227	log_subsection "Global server disabled"
1228
1229	set_sysctl net.ipv4.tcp_l3mdev_accept=0
1230
1231	#
1232	# server tests
1233	#
1234	for a in ${NSA_IP} ${VRF_IP}
1235	do
1236		log_start
1237		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
1238		run_cmd nettest -s &
1239		sleep 1
1240		run_cmd_nsb nettest -r ${a}
1241		log_test_addr ${a} $? 1 "Global server"
1242
1243		log_start
1244		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1245		sleep 1
1246		run_cmd_nsb nettest -r ${a}
1247		log_test_addr ${a} $? 0 "VRF server"
1248
1249		log_start
1250		run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1251		sleep 1
1252		run_cmd_nsb nettest -r ${a}
1253		log_test_addr ${a} $? 0 "Device server"
1254
1255		# verify TCP reset received
1256		log_start
1257		show_hint "Should fail 'Connection refused' since there is no server"
1258		run_cmd_nsb nettest -r ${a}
1259		log_test_addr ${a} $? 1 "No server"
1260	done
1261
1262	# local address tests
1263	# (${VRF_IP} and 127.0.0.1 both timeout)
1264	a=${NSA_IP}
1265	log_start
1266	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
1267	run_cmd nettest -s &
1268	sleep 1
1269	run_cmd nettest -r ${a} -d ${NSA_DEV}
1270	log_test_addr ${a} $? 1 "Global server, local connection"
1271
1272	# run MD5 tests
1273	setup_vrf_dup
1274	ipv4_tcp_md5
1275	cleanup_vrf_dup
1276
1277	#
1278	# enable VRF global server
1279	#
1280	log_subsection "VRF Global server enabled"
1281	set_sysctl net.ipv4.tcp_l3mdev_accept=1
1282
1283	for a in ${NSA_IP} ${VRF_IP}
1284	do
1285		log_start
1286		show_hint "client socket should be bound to VRF"
1287		run_cmd nettest -s -3 ${VRF} &
1288		sleep 1
1289		run_cmd_nsb nettest -r ${a}
1290		log_test_addr ${a} $? 0 "Global server"
1291
1292		log_start
1293		show_hint "client socket should be bound to VRF"
1294		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1295		sleep 1
1296		run_cmd_nsb nettest -r ${a}
1297		log_test_addr ${a} $? 0 "VRF server"
1298
1299		# verify TCP reset received
1300		log_start
1301		show_hint "Should fail 'Connection refused'"
1302		run_cmd_nsb nettest -r ${a}
1303		log_test_addr ${a} $? 1 "No server"
1304	done
1305
1306	a=${NSA_IP}
1307	log_start
1308	show_hint "client socket should be bound to device"
1309	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1310	sleep 1
1311	run_cmd_nsb nettest -r ${a}
1312	log_test_addr ${a} $? 0 "Device server"
1313
1314	# local address tests
1315	for a in ${NSA_IP} ${VRF_IP}
1316	do
1317		log_start
1318		show_hint "Should fail 'Connection refused' since client is not bound to VRF"
1319		run_cmd nettest -s -I ${VRF} &
1320		sleep 1
1321		run_cmd nettest -r ${a}
1322		log_test_addr ${a} $? 1 "Global server, local connection"
1323	done
1324
1325	#
1326	# client
1327	#
1328	for a in ${NSB_IP} ${NSB_LO_IP}
1329	do
1330		log_start
1331		run_cmd_nsb nettest -s &
1332		sleep 1
1333		run_cmd nettest -r ${a} -d ${VRF}
1334		log_test_addr ${a} $? 0 "Client, VRF bind"
1335
1336		log_start
1337		run_cmd_nsb nettest -s &
1338		sleep 1
1339		run_cmd nettest -r ${a} -d ${NSA_DEV}
1340		log_test_addr ${a} $? 0 "Client, device bind"
1341
1342		log_start
1343		show_hint "Should fail 'Connection refused'"
1344		run_cmd nettest -r ${a} -d ${VRF}
1345		log_test_addr ${a} $? 1 "No server, VRF client"
1346
1347		log_start
1348		show_hint "Should fail 'Connection refused'"
1349		run_cmd nettest -r ${a} -d ${NSA_DEV}
1350		log_test_addr ${a} $? 1 "No server, device client"
1351	done
1352
1353	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
1354	do
1355		log_start
1356		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1357		sleep 1
1358		run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
1359		log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
1360	done
1361
1362	a=${NSA_IP}
1363	log_start
1364	run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1365	sleep 1
1366	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
1367	log_test_addr ${a} $? 0 "VRF server, device client, local connection"
1368
1369	log_start
1370	show_hint "Should fail 'No route to host' since client is out of VRF scope"
1371	run_cmd nettest -s -I ${VRF} &
1372	sleep 1
1373	run_cmd nettest -r ${a}
1374	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"
1375
1376	log_start
1377	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1378	sleep 1
1379	run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
1380	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"
1381
1382	log_start
1383	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1384	sleep 1
1385	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
1386	log_test_addr ${a} $? 0 "Device server, device client, local connection"
1387}
1388
1389ipv4_tcp()
1390{
1391	log_section "IPv4/TCP"
1392	log_subsection "No VRF"
1393	setup
1394
1395	# tcp_l3mdev_accept should have no affect without VRF;
1396	# run tests with it enabled and disabled to verify
1397	log_subsection "tcp_l3mdev_accept disabled"
1398	set_sysctl net.ipv4.tcp_l3mdev_accept=0
1399	ipv4_tcp_novrf
1400	log_subsection "tcp_l3mdev_accept enabled"
1401	set_sysctl net.ipv4.tcp_l3mdev_accept=1
1402	ipv4_tcp_novrf
1403
1404	log_subsection "With VRF"
1405	setup "yes"
1406	ipv4_tcp_vrf
1407}
1408
1409################################################################################
1410# IPv4 UDP
1411
1412ipv4_udp_novrf()
1413{
1414	local a
1415
1416	#
1417	# server tests
1418	#
1419	for a in ${NSA_IP} ${NSA_LO_IP}
1420	do
1421		log_start
1422		run_cmd nettest -D -s -3 ${NSA_DEV} &
1423		sleep 1
1424		run_cmd_nsb nettest -D -r ${a}
1425		log_test_addr ${a} $? 0 "Global server"
1426
1427		log_start
1428		show_hint "Should fail 'Connection refused' since there is no server"
1429		run_cmd_nsb nettest -D -r ${a}
1430		log_test_addr ${a} $? 1 "No server"
1431	done
1432
1433	a=${NSA_IP}
1434	log_start
1435	run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
1436	sleep 1
1437	run_cmd_nsb nettest -D -r ${a}
1438	log_test_addr ${a} $? 0 "Device server"
1439
1440	#
1441	# client
1442	#
1443	for a in ${NSB_IP} ${NSB_LO_IP}
1444	do
1445		log_start
1446		run_cmd_nsb nettest -D -s &
1447		sleep 1
1448		run_cmd nettest -D -r ${a} -0 ${NSA_IP}
1449		log_test_addr ${a} $? 0 "Client"
1450
1451		log_start
1452		run_cmd_nsb nettest -D -s &
1453		sleep 1
1454		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP}
1455		log_test_addr ${a} $? 0 "Client, device bind"
1456
1457		log_start
1458		run_cmd_nsb nettest -D -s &
1459		sleep 1
1460		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP}
1461		log_test_addr ${a} $? 0 "Client, device send via cmsg"
1462
1463		log_start
1464		run_cmd_nsb nettest -D -s &
1465		sleep 1
1466		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP}
1467		log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF"
1468
1469		log_start
1470		show_hint "Should fail 'Connection refused'"
1471		run_cmd nettest -D -r ${a}
1472		log_test_addr ${a} $? 1 "No server, unbound client"
1473
1474		log_start
1475		show_hint "Should fail 'Connection refused'"
1476		run_cmd nettest -D -r ${a} -d ${NSA_DEV}
1477		log_test_addr ${a} $? 1 "No server, device client"
1478	done
1479
1480	#
1481	# local address tests
1482	#
1483	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
1484	do
1485		log_start
1486		run_cmd nettest -D -s &
1487		sleep 1
1488		run_cmd nettest -D -r ${a} -0 ${a} -1 ${a}
1489		log_test_addr ${a} $? 0 "Global server, local connection"
1490	done
1491
1492	a=${NSA_IP}
1493	log_start
1494	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1495	sleep 1
1496	run_cmd nettest -D -r ${a}
1497	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
1498
1499	for a in ${NSA_LO_IP} 127.0.0.1
1500	do
1501		log_start
1502		show_hint "Should fail 'Connection refused' since address is out of device scope"
1503		run_cmd nettest -s -D -I ${NSA_DEV} &
1504		sleep 1
1505		run_cmd nettest -D -r ${a}
1506		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
1507	done
1508
1509	a=${NSA_IP}
1510	log_start
1511	run_cmd nettest -s -D &
1512	sleep 1
1513	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1514	log_test_addr ${a} $? 0 "Global server, device client, local connection"
1515
1516	log_start
1517	run_cmd nettest -s -D &
1518	sleep 1
1519	run_cmd nettest -D -d ${NSA_DEV} -C -r ${a}
1520	log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"
1521
1522	log_start
1523	run_cmd nettest -s -D &
1524	sleep 1
1525	run_cmd nettest -D -d ${NSA_DEV} -S -r ${a}
1526	log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection"
1527
1528	# IPv4 with device bind has really weird behavior - it overrides the
1529	# fib lookup, generates an rtable and tries to send the packet. This
1530	# causes failures for local traffic at different places
1531	for a in ${NSA_LO_IP} 127.0.0.1
1532	do
1533		log_start
1534		show_hint "Should fail since addresses on loopback are out of device scope"
1535		run_cmd nettest -D -s &
1536		sleep 1
1537		run_cmd nettest -D -r ${a} -d ${NSA_DEV}
1538		log_test_addr ${a} $? 2 "Global server, device client, local connection"
1539
1540		log_start
1541		show_hint "Should fail since addresses on loopback are out of device scope"
1542		run_cmd nettest -D -s &
1543		sleep 1
1544		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C
1545		log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"
1546
1547		log_start
1548		show_hint "Should fail since addresses on loopback are out of device scope"
1549		run_cmd nettest -D -s &
1550		sleep 1
1551		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S
1552		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
1553	done
1554
1555	a=${NSA_IP}
1556	log_start
1557	run_cmd nettest -D -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1558	sleep 1
1559	run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a}
1560	log_test_addr ${a} $? 0 "Device server, device client, local conn"
1561
1562	log_start
1563	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1564	log_test_addr ${a} $? 2 "No server, device client, local conn"
1565}
1566
1567ipv4_udp_vrf()
1568{
1569	local a
1570
1571	# disable global server
1572	log_subsection "Global server disabled"
1573	set_sysctl net.ipv4.udp_l3mdev_accept=0
1574
1575	#
1576	# server tests
1577	#
1578	for a in ${NSA_IP} ${VRF_IP}
1579	do
1580		log_start
1581		show_hint "Fails because ingress is in a VRF and global server is disabled"
1582		run_cmd nettest -D -s &
1583		sleep 1
1584		run_cmd_nsb nettest -D -r ${a}
1585		log_test_addr ${a} $? 1 "Global server"
1586
1587		log_start
1588		run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
1589		sleep 1
1590		run_cmd_nsb nettest -D -r ${a}
1591		log_test_addr ${a} $? 0 "VRF server"
1592
1593		log_start
1594		run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
1595		sleep 1
1596		run_cmd_nsb nettest -D -r ${a}
1597		log_test_addr ${a} $? 0 "Enslaved device server"
1598
1599		log_start
1600		show_hint "Should fail 'Connection refused' since there is no server"
1601		run_cmd_nsb nettest -D -r ${a}
1602		log_test_addr ${a} $? 1 "No server"
1603
1604		log_start
1605		show_hint "Should fail 'Connection refused' since global server is out of scope"
1606		run_cmd nettest -D -s &
1607		sleep 1
1608		run_cmd nettest -D -d ${VRF} -r ${a}
1609		log_test_addr ${a} $? 1 "Global server, VRF client, local connection"
1610	done
1611
1612	a=${NSA_IP}
1613	log_start
1614	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1615	sleep 1
1616	run_cmd nettest -D -d ${VRF} -r ${a}
1617	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1618
1619	log_start
1620	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1621	sleep 1
1622	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1623	log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection"
1624
1625	a=${NSA_IP}
1626	log_start
1627	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1628	sleep 1
1629	run_cmd nettest -D -d ${VRF} -r ${a}
1630	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
1631
1632	log_start
1633	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1634	sleep 1
1635	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1636	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
1637
1638	# enable global server
1639	log_subsection "Global server enabled"
1640	set_sysctl net.ipv4.udp_l3mdev_accept=1
1641
1642	#
1643	# server tests
1644	#
1645	for a in ${NSA_IP} ${VRF_IP}
1646	do
1647		log_start
1648		run_cmd nettest -D -s -3 ${NSA_DEV} &
1649		sleep 1
1650		run_cmd_nsb nettest -D -r ${a}
1651		log_test_addr ${a} $? 0 "Global server"
1652
1653		log_start
1654		run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
1655		sleep 1
1656		run_cmd_nsb nettest -D -r ${a}
1657		log_test_addr ${a} $? 0 "VRF server"
1658
1659		log_start
1660		run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
1661		sleep 1
1662		run_cmd_nsb nettest -D -r ${a}
1663		log_test_addr ${a} $? 0 "Enslaved device server"
1664
1665		log_start
1666		show_hint "Should fail 'Connection refused'"
1667		run_cmd_nsb nettest -D -r ${a}
1668		log_test_addr ${a} $? 1 "No server"
1669	done
1670
1671	#
1672	# client tests
1673	#
1674	log_start
1675	run_cmd_nsb nettest -D -s &
1676	sleep 1
1677	run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP}
1678	log_test $? 0 "VRF client"
1679
1680	log_start
1681	run_cmd_nsb nettest -D -s &
1682	sleep 1
1683	run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP}
1684	log_test $? 0 "Enslaved device client"
1685
1686	# negative test - should fail
1687	log_start
1688	show_hint "Should fail 'Connection refused'"
1689	run_cmd nettest -D -d ${VRF} -r ${NSB_IP}
1690	log_test $? 1 "No server, VRF client"
1691
1692	log_start
1693	show_hint "Should fail 'Connection refused'"
1694	run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP}
1695	log_test $? 1 "No server, enslaved device client"
1696
1697	#
1698	# local address tests
1699	#
1700	a=${NSA_IP}
1701	log_start
1702	run_cmd nettest -D -s -3 ${NSA_DEV} &
1703	sleep 1
1704	run_cmd nettest -D -d ${VRF} -r ${a}
1705	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
1706
1707	log_start
1708	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1709	sleep 1
1710	run_cmd nettest -D -d ${VRF} -r ${a}
1711	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1712
1713	log_start
1714	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1715	sleep 1
1716	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1717	log_test_addr ${a} $? 0 "VRF server, device client, local conn"
1718
1719	log_start
1720	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1721	sleep 1
1722	run_cmd nettest -D -d ${VRF} -r ${a}
1723	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
1724
1725	log_start
1726	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1727	sleep 1
1728	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1729	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
1730
1731	for a in ${VRF_IP} 127.0.0.1
1732	do
1733		log_start
1734		run_cmd nettest -D -s -3 ${VRF} &
1735		sleep 1
1736		run_cmd nettest -D -d ${VRF} -r ${a}
1737		log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
1738	done
1739
1740	for a in ${VRF_IP} 127.0.0.1
1741	do
1742		log_start
1743		run_cmd nettest -s -D -I ${VRF} -3 ${VRF} &
1744		sleep 1
1745		run_cmd nettest -D -d ${VRF} -r ${a}
1746		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1747	done
1748
1749	# negative test - should fail
1750	# verifies ECONNREFUSED
1751	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
1752	do
1753		log_start
1754		show_hint "Should fail 'Connection refused'"
1755		run_cmd nettest -D -d ${VRF} -r ${a}
1756		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
1757	done
1758}
1759
1760ipv4_udp()
1761{
1762	log_section "IPv4/UDP"
1763	log_subsection "No VRF"
1764
1765	setup
1766
1767	# udp_l3mdev_accept should have no affect without VRF;
1768	# run tests with it enabled and disabled to verify
1769	log_subsection "udp_l3mdev_accept disabled"
1770	set_sysctl net.ipv4.udp_l3mdev_accept=0
1771	ipv4_udp_novrf
1772	log_subsection "udp_l3mdev_accept enabled"
1773	set_sysctl net.ipv4.udp_l3mdev_accept=1
1774	ipv4_udp_novrf
1775
1776	log_subsection "With VRF"
1777	setup "yes"
1778	ipv4_udp_vrf
1779}
1780
1781################################################################################
1782# IPv4 address bind
1783#
1784# verifies ability or inability to bind to an address / device
1785
1786ipv4_addr_bind_novrf()
1787{
1788	#
1789	# raw socket
1790	#
1791	for a in ${NSA_IP} ${NSA_LO_IP}
1792	do
1793		log_start
1794		run_cmd nettest -s -R -P icmp -l ${a} -b
1795		log_test_addr ${a} $? 0 "Raw socket bind to local address"
1796
1797		log_start
1798		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
1799		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
1800	done
1801
1802	#
1803	# tests for nonlocal bind
1804	#
1805	a=${NL_IP}
1806	log_start
1807	run_cmd nettest -s -R -f -l ${a} -b
1808	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"
1809
1810	log_start
1811	run_cmd nettest -s -f -l ${a} -b
1812	log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address"
1813
1814	log_start
1815	run_cmd nettest -s -D -P icmp -f -l ${a} -b
1816	log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address"
1817
1818	#
1819	# check that ICMP sockets cannot bind to broadcast and multicast addresses
1820	#
1821	a=${BCAST_IP}
1822	log_start
1823	run_cmd nettest -s -D -P icmp -l ${a} -b
1824	log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address"
1825
1826	a=${MCAST_IP}
1827	log_start
1828	run_cmd nettest -s -D -P icmp -l ${a} -b
1829	log_test_addr ${a} $? 1 "ICMP socket bind to multicast address"
1830
1831	#
1832	# tcp sockets
1833	#
1834	a=${NSA_IP}
1835	log_start
1836	run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b
1837	log_test_addr ${a} $? 0 "TCP socket bind to local address"
1838
1839	log_start
1840	run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b
1841	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
1842
1843	# Sadly, the kernel allows binding a socket to a device and then
1844	# binding to an address not on the device. The only restriction
1845	# is that the address is valid in the L3 domain. So this test
1846	# passes when it really should not
1847	#a=${NSA_LO_IP}
1848	#log_start
1849	#show_hint "Should fail with 'Cannot assign requested address'"
1850	#run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
1851	#log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
1852}
1853
1854ipv4_addr_bind_vrf()
1855{
1856	#
1857	# raw socket
1858	#
1859	for a in ${NSA_IP} ${VRF_IP}
1860	do
1861		log_start
1862		show_hint "Socket not bound to VRF, but address is in VRF"
1863		run_cmd nettest -s -R -P icmp -l ${a} -b
1864		log_test_addr ${a} $? 1 "Raw socket bind to local address"
1865
1866		log_start
1867		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
1868		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
1869		log_start
1870		run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
1871		log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind"
1872	done
1873
1874	a=${NSA_LO_IP}
1875	log_start
1876	show_hint "Address on loopback is out of VRF scope"
1877	run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
1878	log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind"
1879
1880	#
1881	# tests for nonlocal bind
1882	#
1883	a=${NL_IP}
1884	log_start
1885	run_cmd nettest -s -R -f -l ${a} -I ${VRF} -b
1886	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"
1887
1888	log_start
1889	run_cmd nettest -s -f -l ${a} -I ${VRF} -b
1890	log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address after VRF bind"
1891
1892	log_start
1893	run_cmd nettest -s -D -P icmp -f -l ${a} -I ${VRF} -b
1894	log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address after VRF bind"
1895
1896	#
1897	# check that ICMP sockets cannot bind to broadcast and multicast addresses
1898	#
1899	a=${BCAST_IP}
1900	log_start
1901	run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
1902	log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address after VRF bind"
1903
1904	a=${MCAST_IP}
1905	log_start
1906	run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
1907	log_test_addr ${a} $? 1 "ICMP socket bind to multicast address after VRF bind"
1908
1909	#
1910	# tcp sockets
1911	#
1912	for a in ${NSA_IP} ${VRF_IP}
1913	do
1914		log_start
1915		run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
1916		log_test_addr ${a} $? 0 "TCP socket bind to local address"
1917
1918		log_start
1919		run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
1920		log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
1921	done
1922
1923	a=${NSA_LO_IP}
1924	log_start
1925	show_hint "Address on loopback out of scope for VRF"
1926	run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
1927	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"
1928
1929	log_start
1930	show_hint "Address on loopback out of scope for device in VRF"
1931	run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
1932	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
1933}
1934
1935ipv4_addr_bind()
1936{
1937	log_section "IPv4 address binds"
1938
1939	log_subsection "No VRF"
1940	setup
1941	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
1942	ipv4_addr_bind_novrf
1943
1944	log_subsection "With VRF"
1945	setup "yes"
1946	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
1947	ipv4_addr_bind_vrf
1948}
1949
1950################################################################################
1951# IPv4 runtime tests
1952
1953ipv4_rt()
1954{
1955	local desc="$1"
1956	local varg="$2"
1957	local with_vrf="yes"
1958	local a
1959
1960	#
1961	# server tests
1962	#
1963	for a in ${NSA_IP} ${VRF_IP}
1964	do
1965		log_start
1966		run_cmd nettest ${varg} -s &
1967		sleep 1
1968		run_cmd_nsb nettest ${varg} -r ${a} &
1969		sleep 3
1970		run_cmd ip link del ${VRF}
1971		sleep 1
1972		log_test_addr ${a} 0 0 "${desc}, global server"
1973
1974		setup ${with_vrf}
1975	done
1976
1977	for a in ${NSA_IP} ${VRF_IP}
1978	do
1979		log_start
1980		run_cmd nettest ${varg} -s -I ${VRF} &
1981		sleep 1
1982		run_cmd_nsb nettest ${varg} -r ${a} &
1983		sleep 3
1984		run_cmd ip link del ${VRF}
1985		sleep 1
1986		log_test_addr ${a} 0 0 "${desc}, VRF server"
1987
1988		setup ${with_vrf}
1989	done
1990
1991	a=${NSA_IP}
1992	log_start
1993	run_cmd nettest ${varg} -s -I ${NSA_DEV} &
1994	sleep 1
1995	run_cmd_nsb nettest ${varg} -r ${a} &
1996	sleep 3
1997	run_cmd ip link del ${VRF}
1998	sleep 1
1999	log_test_addr ${a} 0 0 "${desc}, enslaved device server"
2000
2001	setup ${with_vrf}
2002
2003	#
2004	# client test
2005	#
2006	log_start
2007	run_cmd_nsb nettest ${varg} -s &
2008	sleep 1
2009	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} &
2010	sleep 3
2011	run_cmd ip link del ${VRF}
2012	sleep 1
2013	log_test_addr ${a} 0 0 "${desc}, VRF client"
2014
2015	setup ${with_vrf}
2016
2017	log_start
2018	run_cmd_nsb nettest ${varg} -s &
2019	sleep 1
2020	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} &
2021	sleep 3
2022	run_cmd ip link del ${VRF}
2023	sleep 1
2024	log_test_addr ${a} 0 0 "${desc}, enslaved device client"
2025
2026	setup ${with_vrf}
2027
2028	#
2029	# local address tests
2030	#
2031	for a in ${NSA_IP} ${VRF_IP}
2032	do
2033		log_start
2034		run_cmd nettest ${varg} -s &
2035		sleep 1
2036		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
2037		sleep 3
2038		run_cmd ip link del ${VRF}
2039		sleep 1
2040		log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local"
2041
2042		setup ${with_vrf}
2043	done
2044
2045	for a in ${NSA_IP} ${VRF_IP}
2046	do
2047		log_start
2048		run_cmd nettest ${varg} -I ${VRF} -s &
2049		sleep 1
2050		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
2051		sleep 3
2052		run_cmd ip link del ${VRF}
2053		sleep 1
2054		log_test_addr ${a} 0 0 "${desc}, VRF server and client, local"
2055
2056		setup ${with_vrf}
2057	done
2058
2059	a=${NSA_IP}
2060	log_start
2061
2062	run_cmd nettest ${varg} -s &
2063	sleep 1
2064	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
2065	sleep 3
2066	run_cmd ip link del ${VRF}
2067	sleep 1
2068	log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local"
2069
2070	setup ${with_vrf}
2071
2072	log_start
2073	run_cmd nettest ${varg} -I ${VRF} -s &
2074	sleep 1
2075	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
2076	sleep 3
2077	run_cmd ip link del ${VRF}
2078	sleep 1
2079	log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local"
2080
2081	setup ${with_vrf}
2082
2083	log_start
2084	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
2085	sleep 1
2086	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
2087	sleep 3
2088	run_cmd ip link del ${VRF}
2089	sleep 1
2090	log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local"
2091}
2092
2093ipv4_ping_rt()
2094{
2095	local with_vrf="yes"
2096	local a
2097
2098	for a in ${NSA_IP} ${VRF_IP}
2099	do
2100		log_start
2101		run_cmd_nsb ping -f ${a} &
2102		sleep 3
2103		run_cmd ip link del ${VRF}
2104		sleep 1
2105		log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"
2106
2107		setup ${with_vrf}
2108	done
2109
2110	a=${NSB_IP}
2111	log_start
2112	run_cmd ping -f -I ${VRF} ${a} &
2113	sleep 3
2114	run_cmd ip link del ${VRF}
2115	sleep 1
2116	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
2117}
2118
2119ipv4_runtime()
2120{
2121	log_section "Run time tests - ipv4"
2122
2123	setup "yes"
2124	ipv4_ping_rt
2125
2126	setup "yes"
2127	ipv4_rt "TCP active socket"  "-n -1"
2128
2129	setup "yes"
2130	ipv4_rt "TCP passive socket" "-i"
2131}
2132
2133################################################################################
2134# IPv6
2135
2136ipv6_ping_novrf()
2137{
2138	local a
2139
2140	# should not have an impact, but make a known state
2141	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null
2142
2143	#
2144	# out
2145	#
2146	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2147	do
2148		log_start
2149		run_cmd ${ping6} -c1 -w1 ${a}
2150		log_test_addr ${a} $? 0 "ping out"
2151	done
2152
2153	for a in ${NSB_IP6} ${NSB_LO_IP6}
2154	do
2155		log_start
2156		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2157		log_test_addr ${a} $? 0 "ping out, device bind"
2158
2159		log_start
2160		run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a}
2161		log_test_addr ${a} $? 0 "ping out, loopback address bind"
2162	done
2163
2164	#
2165	# in
2166	#
2167	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
2168	do
2169		log_start
2170		run_cmd_nsb ${ping6} -c1 -w1 ${a}
2171		log_test_addr ${a} $? 0 "ping in"
2172	done
2173
2174	#
2175	# local traffic, local address
2176	#
2177	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2178	do
2179		log_start
2180		run_cmd ${ping6} -c1 -w1 ${a}
2181		log_test_addr ${a} $? 0 "ping local, no bind"
2182	done
2183
2184	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2185	do
2186		log_start
2187		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2188		log_test_addr ${a} $? 0 "ping local, device bind"
2189	done
2190
2191	for a in ${NSA_LO_IP6} ::1
2192	do
2193		log_start
2194		show_hint "Fails since address on loopback is out of device scope"
2195		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2196		log_test_addr ${a} $? 2 "ping local, device bind"
2197	done
2198
2199	#
2200	# ip rule blocks address
2201	#
2202	log_start
2203	setup_cmd ip -6 rule add pref 32765 from all lookup local
2204	setup_cmd ip -6 rule del pref 0 from all lookup local
2205	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
2206	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit
2207
2208	a=${NSB_LO_IP6}
2209	run_cmd ${ping6} -c1 -w1 ${a}
2210	log_test_addr ${a} $? 2 "ping out, blocked by rule"
2211
2212	log_start
2213	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2214	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
2215
2216	a=${NSA_LO_IP6}
2217	log_start
2218	show_hint "Response lost due to ip rule"
2219	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2220	log_test_addr ${a} $? 1 "ping in, blocked by rule"
2221
2222	setup_cmd ip -6 rule add pref 0 from all lookup local
2223	setup_cmd ip -6 rule del pref 32765 from all lookup local
2224	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
2225	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit
2226
2227	#
2228	# route blocks reachability to remote address
2229	#
2230	log_start
2231	setup_cmd ip -6 route del ${NSB_LO_IP6}
2232	setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10
2233	setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10
2234
2235	a=${NSB_LO_IP6}
2236	run_cmd ${ping6} -c1 -w1 ${a}
2237	log_test_addr ${a} $? 2 "ping out, blocked by route"
2238
2239	log_start
2240	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2241	log_test_addr ${a} $? 2 "ping out, device bind, blocked by route"
2242
2243	a=${NSA_LO_IP6}
2244	log_start
2245	show_hint "Response lost due to ip route"
2246	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2247	log_test_addr ${a} $? 1 "ping in, blocked by route"
2248
2249
2250	#
2251	# remove 'remote' routes; fallback to default
2252	#
2253	log_start
2254	setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6}
2255	setup_cmd ip -6 ro del unreachable ${NSB_IP6}
2256
2257	a=${NSB_LO_IP6}
2258	run_cmd ${ping6} -c1 -w1 ${a}
2259	log_test_addr ${a} $? 2 "ping out, unreachable route"
2260
2261	log_start
2262	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2263	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
2264}
2265
2266ipv6_ping_vrf()
2267{
2268	local a
2269
2270	# should default on; does not exist on older kernels
2271	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
2272
2273	#
2274	# out
2275	#
2276	for a in ${NSB_IP6} ${NSB_LO_IP6}
2277	do
2278		log_start
2279		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
2280		log_test_addr ${a} $? 0 "ping out, VRF bind"
2281	done
2282
2283	for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF}
2284	do
2285		log_start
2286		show_hint "Fails since VRF device does not support linklocal or multicast"
2287		run_cmd ${ping6} -c1 -w1 ${a}
2288		log_test_addr ${a} $? 1 "ping out, VRF bind"
2289	done
2290
2291	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2292	do
2293		log_start
2294		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2295		log_test_addr ${a} $? 0 "ping out, device bind"
2296	done
2297
2298	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2299	do
2300		log_start
2301		run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a}
2302		log_test_addr ${a} $? 0 "ping out, vrf device+address bind"
2303	done
2304
2305	#
2306	# in
2307	#
2308	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
2309	do
2310		log_start
2311		run_cmd_nsb ${ping6} -c1 -w1 ${a}
2312		log_test_addr ${a} $? 0 "ping in"
2313	done
2314
2315	a=${NSA_LO_IP6}
2316	log_start
2317	show_hint "Fails since loopback address is out of VRF scope"
2318	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2319	log_test_addr ${a} $? 1 "ping in"
2320
2321	#
2322	# local traffic, local address
2323	#
2324	for a in ${NSA_IP6} ${VRF_IP6} ::1
2325	do
2326		log_start
2327		show_hint "Source address should be ${a}"
2328		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
2329		log_test_addr ${a} $? 0 "ping local, VRF bind"
2330	done
2331
2332	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2333	do
2334		log_start
2335		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2336		log_test_addr ${a} $? 0 "ping local, device bind"
2337	done
2338
2339	# LLA to GUA - remove ipv6 global addresses from ns-B
2340	setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
2341	setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo
2342	setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
2343
2344	for a in ${NSA_IP6} ${VRF_IP6}
2345	do
2346		log_start
2347		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
2348		log_test_addr ${a} $? 0 "ping in, LLA to GUA"
2349	done
2350
2351	setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
2352	setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV}
2353	setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo
2354
2355	#
2356	# ip rule blocks address
2357	#
2358	log_start
2359	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
2360	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit
2361
2362	a=${NSB_LO_IP6}
2363	run_cmd ${ping6} -c1 -w1 ${a}
2364	log_test_addr ${a} $? 2 "ping out, blocked by rule"
2365
2366	log_start
2367	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2368	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
2369
2370	a=${NSA_LO_IP6}
2371	log_start
2372	show_hint "Response lost due to ip rule"
2373	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2374	log_test_addr ${a} $? 1 "ping in, blocked by rule"
2375
2376	log_start
2377	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
2378	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit
2379
2380	#
2381	# remove 'remote' routes; fallback to default
2382	#
2383	log_start
2384	setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF}
2385
2386	a=${NSB_LO_IP6}
2387	run_cmd ${ping6} -c1 -w1 ${a}
2388	log_test_addr ${a} $? 2 "ping out, unreachable route"
2389
2390	log_start
2391	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2392	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
2393
2394	ip -netns ${NSB} -6 ro del ${NSA_LO_IP6}
2395	a=${NSA_LO_IP6}
2396	log_start
2397	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2398	log_test_addr ${a} $? 2 "ping in, unreachable route"
2399}
2400
2401ipv6_ping()
2402{
2403	log_section "IPv6 ping"
2404
2405	log_subsection "No VRF"
2406	setup
2407	ipv6_ping_novrf
2408	setup
2409	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
2410	ipv6_ping_novrf
2411
2412	log_subsection "With VRF"
2413	setup "yes"
2414	ipv6_ping_vrf
2415	setup "yes"
2416	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
2417	ipv6_ping_vrf
2418}
2419
2420################################################################################
2421# IPv6 TCP
2422
2423#
2424# MD5 tests without VRF
2425#
2426ipv6_tcp_md5_novrf()
2427{
2428	#
2429	# single address
2430	#
2431
2432	# basic use case
2433	log_start
2434	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
2435	sleep 1
2436	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2437	log_test $? 0 "MD5: Single address config"
2438
2439	# client sends MD5, server not configured
2440	log_start
2441	show_hint "Should timeout due to MD5 mismatch"
2442	run_cmd nettest -6 -s &
2443	sleep 1
2444	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2445	log_test $? 2 "MD5: Server no config, client uses password"
2446
2447	# wrong password
2448	log_start
2449	show_hint "Should timeout since client uses wrong password"
2450	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
2451	sleep 1
2452	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2453	log_test $? 2 "MD5: Client uses wrong password"
2454
2455	# client from different address
2456	log_start
2457	show_hint "Should timeout due to MD5 mismatch"
2458	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} &
2459	sleep 1
2460	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2461	log_test $? 2 "MD5: Client address does not match address configured with password"
2462
2463	#
2464	# MD5 extension - prefix length
2465	#
2466
2467	# client in prefix
2468	log_start
2469	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2470	sleep 1
2471	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2472	log_test $? 0 "MD5: Prefix config"
2473
2474	# client in prefix, wrong password
2475	log_start
2476	show_hint "Should timeout since client uses wrong password"
2477	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2478	sleep 1
2479	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2480	log_test $? 2 "MD5: Prefix config, client uses wrong password"
2481
2482	# client outside of prefix
2483	log_start
2484	show_hint "Should timeout due to MD5 mismatch"
2485	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2486	sleep 1
2487	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
2488	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
2489}
2490
2491#
2492# MD5 tests with VRF
2493#
2494ipv6_tcp_md5()
2495{
2496	#
2497	# single address
2498	#
2499
2500	# basic use case
2501	log_start
2502	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2503	sleep 1
2504	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2505	log_test $? 0 "MD5: VRF: Single address config"
2506
2507	# client sends MD5, server not configured
2508	log_start
2509	show_hint "Should timeout since server does not have MD5 auth"
2510	run_cmd nettest -6 -s -I ${VRF} &
2511	sleep 1
2512	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2513	log_test $? 2 "MD5: VRF: Server no config, client uses password"
2514
2515	# wrong password
2516	log_start
2517	show_hint "Should timeout since client uses wrong password"
2518	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2519	sleep 1
2520	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2521	log_test $? 2 "MD5: VRF: Client uses wrong password"
2522
2523	# client from different address
2524	log_start
2525	show_hint "Should timeout since server config differs from client"
2526	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} &
2527	sleep 1
2528	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2529	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"
2530
2531	#
2532	# MD5 extension - prefix length
2533	#
2534
2535	# client in prefix
2536	log_start
2537	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2538	sleep 1
2539	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2540	log_test $? 0 "MD5: VRF: Prefix config"
2541
2542	# client in prefix, wrong password
2543	log_start
2544	show_hint "Should timeout since client uses wrong password"
2545	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2546	sleep 1
2547	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2548	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"
2549
2550	# client outside of prefix
2551	log_start
2552	show_hint "Should timeout since client address is outside of prefix"
2553	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2554	sleep 1
2555	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
2556	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"
2557
2558	#
2559	# duplicate config between default VRF and a VRF
2560	#
2561
2562	log_start
2563	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2564	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2565	sleep 1
2566	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2567	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"
2568
2569	log_start
2570	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2571	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2572	sleep 1
2573	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2574	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"
2575
2576	log_start
2577	show_hint "Should timeout since client in default VRF uses VRF password"
2578	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2579	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2580	sleep 1
2581	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2582	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"
2583
2584	log_start
2585	show_hint "Should timeout since client in VRF uses default VRF password"
2586	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2587	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2588	sleep 1
2589	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2590	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"
2591
2592	log_start
2593	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2594	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2595	sleep 1
2596	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2597	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"
2598
2599	log_start
2600	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2601	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2602	sleep 1
2603	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2604	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"
2605
2606	log_start
2607	show_hint "Should timeout since client in default VRF uses VRF password"
2608	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2609	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2610	sleep 1
2611	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2612	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"
2613
2614	log_start
2615	show_hint "Should timeout since client in VRF uses default VRF password"
2616	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2617	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2618	sleep 1
2619	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2620	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"
2621
2622	#
2623	# negative tests
2624	#
2625	log_start
2626	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6}
2627	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"
2628
2629	log_start
2630	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6}
2631	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"
2632
2633}
2634
2635ipv6_tcp_novrf()
2636{
2637	local a
2638
2639	#
2640	# server tests
2641	#
2642	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2643	do
2644		log_start
2645		run_cmd nettest -6 -s &
2646		sleep 1
2647		run_cmd_nsb nettest -6 -r ${a}
2648		log_test_addr ${a} $? 0 "Global server"
2649	done
2650
2651	# verify TCP reset received
2652	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2653	do
2654		log_start
2655		show_hint "Should fail 'Connection refused'"
2656		run_cmd_nsb nettest -6 -r ${a}
2657		log_test_addr ${a} $? 1 "No server"
2658	done
2659
2660	#
2661	# client
2662	#
2663	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2664	do
2665		log_start
2666		run_cmd_nsb nettest -6 -s &
2667		sleep 1
2668		run_cmd nettest -6 -r ${a}
2669		log_test_addr ${a} $? 0 "Client"
2670	done
2671
2672	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2673	do
2674		log_start
2675		run_cmd_nsb nettest -6 -s &
2676		sleep 1
2677		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2678		log_test_addr ${a} $? 0 "Client, device bind"
2679	done
2680
2681	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2682	do
2683		log_start
2684		show_hint "Should fail 'Connection refused'"
2685		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2686		log_test_addr ${a} $? 1 "No server, device client"
2687	done
2688
2689	#
2690	# local address tests
2691	#
2692	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
2693	do
2694		log_start
2695		run_cmd nettest -6 -s &
2696		sleep 1
2697		run_cmd nettest -6 -r ${a}
2698		log_test_addr ${a} $? 0 "Global server, local connection"
2699	done
2700
2701	a=${NSA_IP6}
2702	log_start
2703	run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2704	sleep 1
2705	run_cmd nettest -6 -r ${a} -0 ${a}
2706	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
2707
2708	for a in ${NSA_LO_IP6} ::1
2709	do
2710		log_start
2711		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
2712		run_cmd nettest -6 -s -I ${NSA_DEV} &
2713		sleep 1
2714		run_cmd nettest -6 -r ${a}
2715		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
2716	done
2717
2718	a=${NSA_IP6}
2719	log_start
2720	run_cmd nettest -6 -s &
2721	sleep 1
2722	run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
2723	log_test_addr ${a} $? 0 "Global server, device client, local connection"
2724
2725	for a in ${NSA_LO_IP6} ::1
2726	do
2727		log_start
2728		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
2729		run_cmd nettest -6 -s &
2730		sleep 1
2731		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2732		log_test_addr ${a} $? 1 "Global server, device client, local connection"
2733	done
2734
2735	for a in ${NSA_IP6} ${NSA_LINKIP6}
2736	do
2737		log_start
2738		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2739		sleep 1
2740		run_cmd nettest -6  -d ${NSA_DEV} -r ${a}
2741		log_test_addr ${a} $? 0 "Device server, device client, local conn"
2742	done
2743
2744	for a in ${NSA_IP6} ${NSA_LINKIP6}
2745	do
2746		log_start
2747		show_hint "Should fail 'Connection refused'"
2748		run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
2749		log_test_addr ${a} $? 1 "No server, device client, local conn"
2750	done
2751
2752	ipv6_tcp_md5_novrf
2753}
2754
2755ipv6_tcp_vrf()
2756{
2757	local a
2758
2759	# disable global server
2760	log_subsection "Global server disabled"
2761
2762	set_sysctl net.ipv4.tcp_l3mdev_accept=0
2763
2764	#
2765	# server tests
2766	#
2767	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2768	do
2769		log_start
2770		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
2771		run_cmd nettest -6 -s &
2772		sleep 1
2773		run_cmd_nsb nettest -6 -r ${a}
2774		log_test_addr ${a} $? 1 "Global server"
2775	done
2776
2777	for a in ${NSA_IP6} ${VRF_IP6}
2778	do
2779		log_start
2780		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
2781		sleep 1
2782		run_cmd_nsb nettest -6 -r ${a}
2783		log_test_addr ${a} $? 0 "VRF server"
2784	done
2785
2786	# link local is always bound to ingress device
2787	a=${NSA_LINKIP6}%${NSB_DEV}
2788	log_start
2789	run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} &
2790	sleep 1
2791	run_cmd_nsb nettest -6 -r ${a}
2792	log_test_addr ${a} $? 0 "VRF server"
2793
2794	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2795	do
2796		log_start
2797		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2798		sleep 1
2799		run_cmd_nsb nettest -6 -r ${a}
2800		log_test_addr ${a} $? 0 "Device server"
2801	done
2802
2803	# verify TCP reset received
2804	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2805	do
2806		log_start
2807		show_hint "Should fail 'Connection refused'"
2808		run_cmd_nsb nettest -6 -r ${a}
2809		log_test_addr ${a} $? 1 "No server"
2810	done
2811
2812	# local address tests
2813	a=${NSA_IP6}
2814	log_start
2815	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
2816	run_cmd nettest -6 -s &
2817	sleep 1
2818	run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2819	log_test_addr ${a} $? 1 "Global server, local connection"
2820
2821	# run MD5 tests
2822	setup_vrf_dup
2823	ipv6_tcp_md5
2824	cleanup_vrf_dup
2825
2826	#
2827	# enable VRF global server
2828	#
2829	log_subsection "VRF Global server enabled"
2830	set_sysctl net.ipv4.tcp_l3mdev_accept=1
2831
2832	for a in ${NSA_IP6} ${VRF_IP6}
2833	do
2834		log_start
2835		run_cmd nettest -6 -s -3 ${VRF} &
2836		sleep 1
2837		run_cmd_nsb nettest -6 -r ${a}
2838		log_test_addr ${a} $? 0 "Global server"
2839	done
2840
2841	for a in ${NSA_IP6} ${VRF_IP6}
2842	do
2843		log_start
2844		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
2845		sleep 1
2846		run_cmd_nsb nettest -6 -r ${a}
2847		log_test_addr ${a} $? 0 "VRF server"
2848	done
2849
2850	# For LLA, child socket is bound to device
2851	a=${NSA_LINKIP6}%${NSB_DEV}
2852	log_start
2853	run_cmd nettest -6 -s -3 ${NSA_DEV} &
2854	sleep 1
2855	run_cmd_nsb nettest -6 -r ${a}
2856	log_test_addr ${a} $? 0 "Global server"
2857
2858	log_start
2859	run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} &
2860	sleep 1
2861	run_cmd_nsb nettest -6 -r ${a}
2862	log_test_addr ${a} $? 0 "VRF server"
2863
2864	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2865	do
2866		log_start
2867		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2868		sleep 1
2869		run_cmd_nsb nettest -6 -r ${a}
2870		log_test_addr ${a} $? 0 "Device server"
2871	done
2872
2873	# verify TCP reset received
2874	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2875	do
2876		log_start
2877		show_hint "Should fail 'Connection refused'"
2878		run_cmd_nsb nettest -6 -r ${a}
2879		log_test_addr ${a} $? 1 "No server"
2880	done
2881
2882	# local address tests
2883	for a in ${NSA_IP6} ${VRF_IP6}
2884	do
2885		log_start
2886		show_hint "Fails 'Connection refused' since client is not in VRF"
2887		run_cmd nettest -6 -s -I ${VRF} &
2888		sleep 1
2889		run_cmd nettest -6 -r ${a}
2890		log_test_addr ${a} $? 1 "Global server, local connection"
2891	done
2892
2893
2894	#
2895	# client
2896	#
2897	for a in ${NSB_IP6} ${NSB_LO_IP6}
2898	do
2899		log_start
2900		run_cmd_nsb nettest -6 -s &
2901		sleep 1
2902		run_cmd nettest -6 -r ${a} -d ${VRF}
2903		log_test_addr ${a} $? 0 "Client, VRF bind"
2904	done
2905
2906	a=${NSB_LINKIP6}
2907	log_start
2908	show_hint "Fails since VRF device does not allow linklocal addresses"
2909	run_cmd_nsb nettest -6 -s &
2910	sleep 1
2911	run_cmd nettest -6 -r ${a} -d ${VRF}
2912	log_test_addr ${a} $? 1 "Client, VRF bind"
2913
2914	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}
2915	do
2916		log_start
2917		run_cmd_nsb nettest -6 -s &
2918		sleep 1
2919		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2920		log_test_addr ${a} $? 0 "Client, device bind"
2921	done
2922
2923	for a in ${NSB_IP6} ${NSB_LO_IP6}
2924	do
2925		log_start
2926		show_hint "Should fail 'Connection refused'"
2927		run_cmd nettest -6 -r ${a} -d ${VRF}
2928		log_test_addr ${a} $? 1 "No server, VRF client"
2929	done
2930
2931	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}
2932	do
2933		log_start
2934		show_hint "Should fail 'Connection refused'"
2935		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2936		log_test_addr ${a} $? 1 "No server, device client"
2937	done
2938
2939	for a in ${NSA_IP6} ${VRF_IP6} ::1
2940	do
2941		log_start
2942		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
2943		sleep 1
2944		run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
2945		log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
2946	done
2947
2948	a=${NSA_IP6}
2949	log_start
2950	run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
2951	sleep 1
2952	run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
2953	log_test_addr ${a} $? 0 "VRF server, device client, local connection"
2954
2955	a=${NSA_IP6}
2956	log_start
2957	show_hint "Should fail since unbound client is out of VRF scope"
2958	run_cmd nettest -6 -s -I ${VRF} &
2959	sleep 1
2960	run_cmd nettest -6 -r ${a}
2961	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"
2962
2963	log_start
2964	run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2965	sleep 1
2966	run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
2967	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"
2968
2969	for a in ${NSA_IP6} ${NSA_LINKIP6}
2970	do
2971		log_start
2972		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2973		sleep 1
2974		run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
2975		log_test_addr ${a} $? 0 "Device server, device client, local connection"
2976	done
2977}
2978
2979ipv6_tcp()
2980{
2981	log_section "IPv6/TCP"
2982	log_subsection "No VRF"
2983	setup
2984
2985	# tcp_l3mdev_accept should have no affect without VRF;
2986	# run tests with it enabled and disabled to verify
2987	log_subsection "tcp_l3mdev_accept disabled"
2988	set_sysctl net.ipv4.tcp_l3mdev_accept=0
2989	ipv6_tcp_novrf
2990	log_subsection "tcp_l3mdev_accept enabled"
2991	set_sysctl net.ipv4.tcp_l3mdev_accept=1
2992	ipv6_tcp_novrf
2993
2994	log_subsection "With VRF"
2995	setup "yes"
2996	ipv6_tcp_vrf
2997}
2998
2999################################################################################
3000# IPv6 UDP
3001
3002ipv6_udp_novrf()
3003{
3004	local a
3005
3006	#
3007	# server tests
3008	#
3009	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
3010	do
3011		log_start
3012		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3013		sleep 1
3014		run_cmd_nsb nettest -6 -D -r ${a}
3015		log_test_addr ${a} $? 0 "Global server"
3016
3017		log_start
3018		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3019		sleep 1
3020		run_cmd_nsb nettest -6 -D -r ${a}
3021		log_test_addr ${a} $? 0 "Device server"
3022	done
3023
3024	a=${NSA_LO_IP6}
3025	log_start
3026	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3027	sleep 1
3028	run_cmd_nsb nettest -6 -D -r ${a}
3029	log_test_addr ${a} $? 0 "Global server"
3030
3031	# should fail since loopback address is out of scope for a device
3032	# bound server, but it does not - hence this is more documenting
3033	# behavior.
3034	#log_start
3035	#show_hint "Should fail since loopback address is out of scope"
3036	#run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3037	#sleep 1
3038	#run_cmd_nsb nettest -6 -D -r ${a}
3039	#log_test_addr ${a} $? 1 "Device server"
3040
3041	# negative test - should fail
3042	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
3043	do
3044		log_start
3045		show_hint "Should fail 'Connection refused' since there is no server"
3046		run_cmd_nsb nettest -6 -D -r ${a}
3047		log_test_addr ${a} $? 1 "No server"
3048	done
3049
3050	#
3051	# client
3052	#
3053	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
3054	do
3055		log_start
3056		run_cmd_nsb nettest -6 -D -s &
3057		sleep 1
3058		run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6}
3059		log_test_addr ${a} $? 0 "Client"
3060
3061		log_start
3062		run_cmd_nsb nettest -6 -D -s &
3063		sleep 1
3064		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6}
3065		log_test_addr ${a} $? 0 "Client, device bind"
3066
3067		log_start
3068		run_cmd_nsb nettest -6 -D -s &
3069		sleep 1
3070		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6}
3071		log_test_addr ${a} $? 0 "Client, device send via cmsg"
3072
3073		log_start
3074		run_cmd_nsb nettest -6 -D -s &
3075		sleep 1
3076		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6}
3077		log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF"
3078
3079		log_start
3080		show_hint "Should fail 'Connection refused'"
3081		run_cmd nettest -6 -D -r ${a}
3082		log_test_addr ${a} $? 1 "No server, unbound client"
3083
3084		log_start
3085		show_hint "Should fail 'Connection refused'"
3086		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
3087		log_test_addr ${a} $? 1 "No server, device client"
3088	done
3089
3090	#
3091	# local address tests
3092	#
3093	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
3094	do
3095		log_start
3096		run_cmd nettest -6 -D -s &
3097		sleep 1
3098		run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a}
3099		log_test_addr ${a} $? 0 "Global server, local connection"
3100	done
3101
3102	a=${NSA_IP6}
3103	log_start
3104	run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
3105	sleep 1
3106	run_cmd nettest -6 -D -r ${a}
3107	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
3108
3109	for a in ${NSA_LO_IP6} ::1
3110	do
3111		log_start
3112		show_hint "Should fail 'Connection refused' since address is out of device scope"
3113		run_cmd nettest -6 -s -D -I ${NSA_DEV} &
3114		sleep 1
3115		run_cmd nettest -6 -D -r ${a}
3116		log_test_addr ${a} $? 1 "Device server, local connection"
3117	done
3118
3119	a=${NSA_IP6}
3120	log_start
3121	run_cmd nettest -6 -s -D &
3122	sleep 1
3123	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3124	log_test_addr ${a} $? 0 "Global server, device client, local connection"
3125
3126	log_start
3127	run_cmd nettest -6 -s -D &
3128	sleep 1
3129	run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a}
3130	log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"
3131
3132	log_start
3133	run_cmd nettest -6 -s -D &
3134	sleep 1
3135	run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a}
3136	log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection"
3137
3138	for a in ${NSA_LO_IP6} ::1
3139	do
3140		log_start
3141		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
3142		run_cmd nettest -6 -D -s &
3143		sleep 1
3144		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
3145		log_test_addr ${a} $? 1 "Global server, device client, local connection"
3146
3147		log_start
3148		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
3149		run_cmd nettest -6 -D -s &
3150		sleep 1
3151		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C
3152		log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"
3153
3154		log_start
3155		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
3156		run_cmd nettest -6 -D -s &
3157		sleep 1
3158		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S
3159		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
3160	done
3161
3162	a=${NSA_IP6}
3163	log_start
3164	run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} &
3165	sleep 1
3166	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a}
3167	log_test_addr ${a} $? 0 "Device server, device client, local conn"
3168
3169	log_start
3170	show_hint "Should fail 'Connection refused'"
3171	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3172	log_test_addr ${a} $? 1 "No server, device client, local conn"
3173
3174	# LLA to GUA
3175	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
3176	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
3177	log_start
3178	run_cmd nettest -6 -s -D &
3179	sleep 1
3180	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
3181	log_test $? 0 "UDP in - LLA to GUA"
3182
3183	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
3184	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
3185}
3186
3187ipv6_udp_vrf()
3188{
3189	local a
3190
3191	# disable global server
3192	log_subsection "Global server disabled"
3193	set_sysctl net.ipv4.udp_l3mdev_accept=0
3194
3195	#
3196	# server tests
3197	#
3198	for a in ${NSA_IP6} ${VRF_IP6}
3199	do
3200		log_start
3201		show_hint "Should fail 'Connection refused' since global server is disabled"
3202		run_cmd nettest -6 -D -s &
3203		sleep 1
3204		run_cmd_nsb nettest -6 -D -r ${a}
3205		log_test_addr ${a} $? 1 "Global server"
3206	done
3207
3208	for a in ${NSA_IP6} ${VRF_IP6}
3209	do
3210		log_start
3211		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3212		sleep 1
3213		run_cmd_nsb nettest -6 -D -r ${a}
3214		log_test_addr ${a} $? 0 "VRF server"
3215	done
3216
3217	for a in ${NSA_IP6} ${VRF_IP6}
3218	do
3219		log_start
3220		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3221		sleep 1
3222		run_cmd_nsb nettest -6 -D -r ${a}
3223		log_test_addr ${a} $? 0 "Enslaved device server"
3224	done
3225
3226	# negative test - should fail
3227	for a in ${NSA_IP6} ${VRF_IP6}
3228	do
3229		log_start
3230		show_hint "Should fail 'Connection refused' since there is no server"
3231		run_cmd_nsb nettest -6 -D -r ${a}
3232		log_test_addr ${a} $? 1 "No server"
3233	done
3234
3235	#
3236	# local address tests
3237	#
3238	for a in ${NSA_IP6} ${VRF_IP6}
3239	do
3240		log_start
3241		show_hint "Should fail 'Connection refused' since global server is disabled"
3242		run_cmd nettest -6 -D -s &
3243		sleep 1
3244		run_cmd nettest -6 -D -d ${VRF} -r ${a}
3245		log_test_addr ${a} $? 1 "Global server, VRF client, local conn"
3246	done
3247
3248	for a in ${NSA_IP6} ${VRF_IP6}
3249	do
3250		log_start
3251		run_cmd nettest -6 -D -I ${VRF} -s &
3252		sleep 1
3253		run_cmd nettest -6 -D -d ${VRF} -r ${a}
3254		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3255	done
3256
3257	a=${NSA_IP6}
3258	log_start
3259	show_hint "Should fail 'Connection refused' since global server is disabled"
3260	run_cmd nettest -6 -D -s &
3261	sleep 1
3262	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3263	log_test_addr ${a} $? 1 "Global server, device client, local conn"
3264
3265	log_start
3266	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3267	sleep 1
3268	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3269	log_test_addr ${a} $? 0 "VRF server, device client, local conn"
3270
3271	log_start
3272	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3273	sleep 1
3274	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3275	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
3276
3277	log_start
3278	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3279	sleep 1
3280	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3281	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
3282
3283	# disable global server
3284	log_subsection "Global server enabled"
3285	set_sysctl net.ipv4.udp_l3mdev_accept=1
3286
3287	#
3288	# server tests
3289	#
3290	for a in ${NSA_IP6} ${VRF_IP6}
3291	do
3292		log_start
3293		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3294		sleep 1
3295		run_cmd_nsb nettest -6 -D -r ${a}
3296		log_test_addr ${a} $? 0 "Global server"
3297	done
3298
3299	for a in ${NSA_IP6} ${VRF_IP6}
3300	do
3301		log_start
3302		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3303		sleep 1
3304		run_cmd_nsb nettest -6 -D -r ${a}
3305		log_test_addr ${a} $? 0 "VRF server"
3306	done
3307
3308	for a in ${NSA_IP6} ${VRF_IP6}
3309	do
3310		log_start
3311		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3312		sleep 1
3313		run_cmd_nsb nettest -6 -D -r ${a}
3314		log_test_addr ${a} $? 0 "Enslaved device server"
3315	done
3316
3317	# negative test - should fail
3318	for a in ${NSA_IP6} ${VRF_IP6}
3319	do
3320		log_start
3321		run_cmd_nsb nettest -6 -D -r ${a}
3322		log_test_addr ${a} $? 1 "No server"
3323	done
3324
3325	#
3326	# client tests
3327	#
3328	log_start
3329	run_cmd_nsb nettest -6 -D -s &
3330	sleep 1
3331	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
3332	log_test $? 0 "VRF client"
3333
3334	# negative test - should fail
3335	log_start
3336	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
3337	log_test $? 1 "No server, VRF client"
3338
3339	log_start
3340	run_cmd_nsb nettest -6 -D -s &
3341	sleep 1
3342	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
3343	log_test $? 0 "Enslaved device client"
3344
3345	# negative test - should fail
3346	log_start
3347	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
3348	log_test $? 1 "No server, enslaved device client"
3349
3350	#
3351	# local address tests
3352	#
3353	a=${NSA_IP6}
3354	log_start
3355	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3356	sleep 1
3357	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3358	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
3359
3360	#log_start
3361	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3362	sleep 1
3363	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3364	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3365
3366
3367	a=${VRF_IP6}
3368	log_start
3369	run_cmd nettest -6 -D -s -3 ${VRF} &
3370	sleep 1
3371	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3372	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
3373
3374	log_start
3375	run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} &
3376	sleep 1
3377	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3378	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3379
3380	# negative test - should fail
3381	for a in ${NSA_IP6} ${VRF_IP6}
3382	do
3383		log_start
3384		run_cmd nettest -6 -D -d ${VRF} -r ${a}
3385		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
3386	done
3387
3388	# device to global IP
3389	a=${NSA_IP6}
3390	log_start
3391	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3392	sleep 1
3393	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3394	log_test_addr ${a} $? 0 "Global server, device client, local conn"
3395
3396	log_start
3397	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3398	sleep 1
3399	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3400	log_test_addr ${a} $? 0 "VRF server, device client, local conn"
3401
3402	log_start
3403	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3404	sleep 1
3405	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3406	log_test_addr ${a} $? 0 "Device server, VRF client, local conn"
3407
3408	log_start
3409	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3410	sleep 1
3411	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3412	log_test_addr ${a} $? 0 "Device server, device client, local conn"
3413
3414	log_start
3415	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3416	log_test_addr ${a} $? 1 "No server, device client, local conn"
3417
3418
3419	# link local addresses
3420	log_start
3421	run_cmd nettest -6 -D -s &
3422	sleep 1
3423	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
3424	log_test $? 0 "Global server, linklocal IP"
3425
3426	log_start
3427	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
3428	log_test $? 1 "No server, linklocal IP"
3429
3430
3431	log_start
3432	run_cmd_nsb nettest -6 -D -s &
3433	sleep 1
3434	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
3435	log_test $? 0 "Enslaved device client, linklocal IP"
3436
3437	log_start
3438	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
3439	log_test $? 1 "No server, device client, peer linklocal IP"
3440
3441
3442	log_start
3443	run_cmd nettest -6 -D -s &
3444	sleep 1
3445	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
3446	log_test $? 0 "Enslaved device client, local conn - linklocal IP"
3447
3448	log_start
3449	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
3450	log_test $? 1 "No server, device client, local conn  - linklocal IP"
3451
3452	# LLA to GUA
3453	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
3454	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
3455	log_start
3456	run_cmd nettest -6 -s -D &
3457	sleep 1
3458	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
3459	log_test $? 0 "UDP in - LLA to GUA"
3460
3461	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
3462	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
3463}
3464
3465ipv6_udp()
3466{
3467        # should not matter, but set to known state
3468        set_sysctl net.ipv4.udp_early_demux=1
3469
3470        log_section "IPv6/UDP"
3471        log_subsection "No VRF"
3472        setup
3473
3474        # udp_l3mdev_accept should have no affect without VRF;
3475        # run tests with it enabled and disabled to verify
3476        log_subsection "udp_l3mdev_accept disabled"
3477        set_sysctl net.ipv4.udp_l3mdev_accept=0
3478        ipv6_udp_novrf
3479        log_subsection "udp_l3mdev_accept enabled"
3480        set_sysctl net.ipv4.udp_l3mdev_accept=1
3481        ipv6_udp_novrf
3482
3483        log_subsection "With VRF"
3484        setup "yes"
3485        ipv6_udp_vrf
3486}
3487
3488################################################################################
3489# IPv6 address bind
3490
3491ipv6_addr_bind_novrf()
3492{
3493	#
3494	# raw socket
3495	#
3496	for a in ${NSA_IP6} ${NSA_LO_IP6}
3497	do
3498		log_start
3499		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
3500		log_test_addr ${a} $? 0 "Raw socket bind to local address"
3501
3502		log_start
3503		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
3504		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
3505	done
3506
3507	#
3508	# raw socket with nonlocal bind
3509	#
3510	a=${NL_IP6}
3511	log_start
3512	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
3513	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"
3514
3515	#
3516	# tcp sockets
3517	#
3518	a=${NSA_IP6}
3519	log_start
3520	run_cmd nettest -6 -s -l ${a} -t1 -b
3521	log_test_addr ${a} $? 0 "TCP socket bind to local address"
3522
3523	log_start
3524	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3525	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
3526
3527	# Sadly, the kernel allows binding a socket to a device and then
3528	# binding to an address not on the device. So this test passes
3529	# when it really should not
3530	a=${NSA_LO_IP6}
3531	log_start
3532	show_hint "Tecnically should fail since address is not on device but kernel allows"
3533	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3534	log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
3535}
3536
3537ipv6_addr_bind_vrf()
3538{
3539	#
3540	# raw socket
3541	#
3542	for a in ${NSA_IP6} ${VRF_IP6}
3543	do
3544		log_start
3545		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
3546		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"
3547
3548		log_start
3549		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
3550		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
3551	done
3552
3553	a=${NSA_LO_IP6}
3554	log_start
3555	show_hint "Address on loopback is out of VRF scope"
3556	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
3557	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"
3558
3559	#
3560	# raw socket with nonlocal bind
3561	#
3562	a=${NL_IP6}
3563	log_start
3564	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${VRF} -b
3565	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"
3566
3567	#
3568	# tcp sockets
3569	#
3570	# address on enslaved device is valid for the VRF or device in a VRF
3571	for a in ${NSA_IP6} ${VRF_IP6}
3572	do
3573		log_start
3574		run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
3575		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
3576	done
3577
3578	a=${NSA_IP6}
3579	log_start
3580	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3581	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"
3582
3583	# Sadly, the kernel allows binding a socket to a device and then
3584	# binding to an address not on the device. The only restriction
3585	# is that the address is valid in the L3 domain. So this test
3586	# passes when it really should not
3587	a=${VRF_IP6}
3588	log_start
3589	show_hint "Tecnically should fail since address is not on device but kernel allows"
3590	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3591	log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind"
3592
3593	a=${NSA_LO_IP6}
3594	log_start
3595	show_hint "Address on loopback out of scope for VRF"
3596	run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
3597	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"
3598
3599	log_start
3600	show_hint "Address on loopback out of scope for device in VRF"
3601	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3602	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
3603
3604}
3605
3606ipv6_addr_bind()
3607{
3608	log_section "IPv6 address binds"
3609
3610	log_subsection "No VRF"
3611	setup
3612	ipv6_addr_bind_novrf
3613
3614	log_subsection "With VRF"
3615	setup "yes"
3616	ipv6_addr_bind_vrf
3617}
3618
3619################################################################################
3620# IPv6 runtime tests
3621
3622ipv6_rt()
3623{
3624	local desc="$1"
3625	local varg="-6 $2"
3626	local with_vrf="yes"
3627	local a
3628
3629	#
3630	# server tests
3631	#
3632	for a in ${NSA_IP6} ${VRF_IP6}
3633	do
3634		log_start
3635		run_cmd nettest ${varg} -s &
3636		sleep 1
3637		run_cmd_nsb nettest ${varg} -r ${a} &
3638		sleep 3
3639		run_cmd ip link del ${VRF}
3640		sleep 1
3641		log_test_addr ${a} 0 0 "${desc}, global server"
3642
3643		setup ${with_vrf}
3644	done
3645
3646	for a in ${NSA_IP6} ${VRF_IP6}
3647	do
3648		log_start
3649		run_cmd nettest ${varg} -I ${VRF} -s &
3650		sleep 1
3651		run_cmd_nsb nettest ${varg} -r ${a} &
3652		sleep 3
3653		run_cmd ip link del ${VRF}
3654		sleep 1
3655		log_test_addr ${a} 0 0 "${desc}, VRF server"
3656
3657		setup ${with_vrf}
3658	done
3659
3660	for a in ${NSA_IP6} ${VRF_IP6}
3661	do
3662		log_start
3663		run_cmd nettest ${varg} -I ${NSA_DEV} -s &
3664		sleep 1
3665		run_cmd_nsb nettest ${varg} -r ${a} &
3666		sleep 3
3667		run_cmd ip link del ${VRF}
3668		sleep 1
3669		log_test_addr ${a} 0 0 "${desc}, enslaved device server"
3670
3671		setup ${with_vrf}
3672	done
3673
3674	#
3675	# client test
3676	#
3677	log_start
3678	run_cmd_nsb nettest ${varg} -s &
3679	sleep 1
3680	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
3681	sleep 3
3682	run_cmd ip link del ${VRF}
3683	sleep 1
3684	log_test  0 0 "${desc}, VRF client"
3685
3686	setup ${with_vrf}
3687
3688	log_start
3689	run_cmd_nsb nettest ${varg} -s &
3690	sleep 1
3691	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
3692	sleep 3
3693	run_cmd ip link del ${VRF}
3694	sleep 1
3695	log_test  0 0 "${desc}, enslaved device client"
3696
3697	setup ${with_vrf}
3698
3699
3700	#
3701	# local address tests
3702	#
3703	for a in ${NSA_IP6} ${VRF_IP6}
3704	do
3705		log_start
3706		run_cmd nettest ${varg} -s &
3707		sleep 1
3708		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
3709		sleep 3
3710		run_cmd ip link del ${VRF}
3711		sleep 1
3712		log_test_addr ${a} 0 0 "${desc}, global server, VRF client"
3713
3714		setup ${with_vrf}
3715	done
3716
3717	for a in ${NSA_IP6} ${VRF_IP6}
3718	do
3719		log_start
3720		run_cmd nettest ${varg} -I ${VRF} -s &
3721		sleep 1
3722		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
3723		sleep 3
3724		run_cmd ip link del ${VRF}
3725		sleep 1
3726		log_test_addr ${a} 0 0 "${desc}, VRF server and client"
3727
3728		setup ${with_vrf}
3729	done
3730
3731	a=${NSA_IP6}
3732	log_start
3733	run_cmd nettest ${varg} -s &
3734	sleep 1
3735	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3736	sleep 3
3737	run_cmd ip link del ${VRF}
3738	sleep 1
3739	log_test_addr ${a} 0 0 "${desc}, global server, device client"
3740
3741	setup ${with_vrf}
3742
3743	log_start
3744	run_cmd nettest ${varg} -I ${VRF} -s &
3745	sleep 1
3746	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3747	sleep 3
3748	run_cmd ip link del ${VRF}
3749	sleep 1
3750	log_test_addr ${a} 0 0 "${desc}, VRF server, device client"
3751
3752	setup ${with_vrf}
3753
3754	log_start
3755	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
3756	sleep 1
3757	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3758	sleep 3
3759	run_cmd ip link del ${VRF}
3760	sleep 1
3761	log_test_addr ${a} 0 0 "${desc}, device server, device client"
3762}
3763
3764ipv6_ping_rt()
3765{
3766	local with_vrf="yes"
3767	local a
3768
3769	a=${NSA_IP6}
3770	log_start
3771	run_cmd_nsb ${ping6} -f ${a} &
3772	sleep 3
3773	run_cmd ip link del ${VRF}
3774	sleep 1
3775	log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"
3776
3777	setup ${with_vrf}
3778
3779	log_start
3780	run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
3781	sleep 1
3782	run_cmd ip link del ${VRF}
3783	sleep 1
3784	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
3785}
3786
3787ipv6_runtime()
3788{
3789	log_section "Run time tests - ipv6"
3790
3791	setup "yes"
3792	ipv6_ping_rt
3793
3794	setup "yes"
3795	ipv6_rt "TCP active socket"  "-n -1"
3796
3797	setup "yes"
3798	ipv6_rt "TCP passive socket" "-i"
3799
3800	setup "yes"
3801	ipv6_rt "UDP active socket"  "-D -n -1"
3802}
3803
3804################################################################################
3805# netfilter blocking connections
3806
3807netfilter_tcp_reset()
3808{
3809	local a
3810
3811	for a in ${NSA_IP} ${VRF_IP}
3812	do
3813		log_start
3814		run_cmd nettest -s &
3815		sleep 1
3816		run_cmd_nsb nettest -r ${a}
3817		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
3818	done
3819}
3820
3821netfilter_icmp()
3822{
3823	local stype="$1"
3824	local arg
3825	local a
3826
3827	[ "${stype}" = "UDP" ] && arg="-D"
3828
3829	for a in ${NSA_IP} ${VRF_IP}
3830	do
3831		log_start
3832		run_cmd nettest ${arg} -s &
3833		sleep 1
3834		run_cmd_nsb nettest ${arg} -r ${a}
3835		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
3836	done
3837}
3838
3839ipv4_netfilter()
3840{
3841	log_section "IPv4 Netfilter"
3842	log_subsection "TCP reset"
3843
3844	setup "yes"
3845	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset
3846
3847	netfilter_tcp_reset
3848
3849	log_start
3850	log_subsection "ICMP unreachable"
3851
3852	log_start
3853	run_cmd iptables -F
3854	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
3855	run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
3856
3857	netfilter_icmp "TCP"
3858	netfilter_icmp "UDP"
3859
3860	log_start
3861	iptables -F
3862}
3863
3864netfilter_tcp6_reset()
3865{
3866	local a
3867
3868	for a in ${NSA_IP6} ${VRF_IP6}
3869	do
3870		log_start
3871		run_cmd nettest -6 -s &
3872		sleep 1
3873		run_cmd_nsb nettest -6 -r ${a}
3874		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
3875	done
3876}
3877
3878netfilter_icmp6()
3879{
3880	local stype="$1"
3881	local arg
3882	local a
3883
3884	[ "${stype}" = "UDP" ] && arg="$arg -D"
3885
3886	for a in ${NSA_IP6} ${VRF_IP6}
3887	do
3888		log_start
3889		run_cmd nettest -6 -s ${arg} &
3890		sleep 1
3891		run_cmd_nsb nettest -6 ${arg} -r ${a}
3892		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
3893	done
3894}
3895
3896ipv6_netfilter()
3897{
3898	log_section "IPv6 Netfilter"
3899	log_subsection "TCP reset"
3900
3901	setup "yes"
3902	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset
3903
3904	netfilter_tcp6_reset
3905
3906	log_subsection "ICMP unreachable"
3907
3908	log_start
3909	run_cmd ip6tables -F
3910	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
3911	run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
3912
3913	netfilter_icmp6 "TCP"
3914	netfilter_icmp6 "UDP"
3915
3916	log_start
3917	ip6tables -F
3918}
3919
3920################################################################################
3921# specific use cases
3922
3923# VRF only.
3924# ns-A device enslaved to bridge. Verify traffic with and without
3925# br_netfilter module loaded. Repeat with SVI on bridge.
3926use_case_br()
3927{
3928	setup "yes"
3929
3930	setup_cmd ip link set ${NSA_DEV} down
3931	setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
3932	setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64
3933
3934	setup_cmd ip link add br0 type bridge
3935	setup_cmd ip addr add dev br0 ${NSA_IP}/24
3936	setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad
3937
3938	setup_cmd ip li set ${NSA_DEV} master br0
3939	setup_cmd ip li set ${NSA_DEV} up
3940	setup_cmd ip li set br0 up
3941	setup_cmd ip li set br0 vrf ${VRF}
3942
3943	rmmod br_netfilter 2>/dev/null
3944	sleep 5 # DAD
3945
3946	run_cmd ip neigh flush all
3947	run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
3948	log_test $? 0 "Bridge into VRF - IPv4 ping out"
3949
3950	run_cmd ip neigh flush all
3951	run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
3952	log_test $? 0 "Bridge into VRF - IPv6 ping out"
3953
3954	run_cmd ip neigh flush all
3955	run_cmd_nsb ping -c1 -w1 ${NSA_IP}
3956	log_test $? 0 "Bridge into VRF - IPv4 ping in"
3957
3958	run_cmd ip neigh flush all
3959	run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
3960	log_test $? 0 "Bridge into VRF - IPv6 ping in"
3961
3962	modprobe br_netfilter
3963	if [ $? -eq 0 ]; then
3964		run_cmd ip neigh flush all
3965		run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
3966		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out"
3967
3968		run_cmd ip neigh flush all
3969		run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
3970		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out"
3971
3972		run_cmd ip neigh flush all
3973		run_cmd_nsb ping -c1 -w1 ${NSA_IP}
3974		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in"
3975
3976		run_cmd ip neigh flush all
3977		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
3978		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in"
3979	fi
3980
3981	setup_cmd ip li set br0 nomaster
3982	setup_cmd ip li add br0.100 link br0 type vlan id 100
3983	setup_cmd ip li set br0.100 vrf ${VRF} up
3984	setup_cmd ip    addr add dev br0.100 172.16.101.1/24
3985	setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad
3986
3987	setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
3988	setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
3989	setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
3990	setup_cmd_nsb ip li set vlan100 up
3991	sleep 1
3992
3993	rmmod br_netfilter 2>/dev/null
3994
3995	run_cmd ip neigh flush all
3996	run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
3997	log_test $? 0 "Bridge vlan into VRF - IPv4 ping out"
3998
3999	run_cmd ip neigh flush all
4000	run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
4001	log_test $? 0 "Bridge vlan into VRF - IPv6 ping out"
4002
4003	run_cmd ip neigh flush all
4004	run_cmd_nsb ping -c1 -w1 172.16.101.1
4005	log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"
4006
4007	run_cmd ip neigh flush all
4008	run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
4009	log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"
4010
4011	modprobe br_netfilter
4012	if [ $? -eq 0 ]; then
4013		run_cmd ip neigh flush all
4014		run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
4015		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out"
4016
4017		run_cmd ip neigh flush all
4018		run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
4019		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out"
4020
4021		run_cmd ip neigh flush all
4022		run_cmd_nsb ping -c1 -w1 172.16.101.1
4023		log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"
4024
4025		run_cmd ip neigh flush all
4026		run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
4027		log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"
4028	fi
4029
4030	setup_cmd ip li del br0 2>/dev/null
4031	setup_cmd_nsb ip li del vlan100 2>/dev/null
4032}
4033
4034# VRF only.
4035# ns-A device is connected to both ns-B and ns-C on a single VRF but only has
4036# LLA on the interfaces
4037use_case_ping_lla_multi()
4038{
4039	setup_lla_only
4040	# only want reply from ns-A
4041	setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
4042	setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
4043
4044	log_start
4045	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
4046	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B"
4047
4048	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
4049	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C"
4050
4051	# cycle/flap the first ns-A interface
4052	setup_cmd ip link set ${NSA_DEV} down
4053	setup_cmd ip link set ${NSA_DEV} up
4054	sleep 1
4055
4056	log_start
4057	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
4058	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B"
4059	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
4060	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C"
4061
4062	# cycle/flap the second ns-A interface
4063	setup_cmd ip link set ${NSA_DEV2} down
4064	setup_cmd ip link set ${NSA_DEV2} up
4065	sleep 1
4066
4067	log_start
4068	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
4069	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B"
4070	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
4071	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C"
4072}
4073
4074# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully
4075# established with ns-B.
4076use_case_snat_on_vrf()
4077{
4078	setup "yes"
4079
4080	local port="12345"
4081
4082	run_cmd iptables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
4083	run_cmd ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
4084
4085	run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} &
4086	sleep 1
4087	run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port}
4088	log_test $? 0 "IPv4 TCP connection over VRF with SNAT"
4089
4090	run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} &
4091	sleep 1
4092	run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port}
4093	log_test $? 0 "IPv6 TCP connection over VRF with SNAT"
4094
4095	# Cleanup
4096	run_cmd iptables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
4097	run_cmd ip6tables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
4098}
4099
4100use_cases()
4101{
4102	log_section "Use cases"
4103	log_subsection "Device enslaved to bridge"
4104	use_case_br
4105	log_subsection "Ping LLA with multiple interfaces"
4106	use_case_ping_lla_multi
4107	log_subsection "SNAT on VRF"
4108	use_case_snat_on_vrf
4109}
4110
4111################################################################################
4112# usage
4113
4114usage()
4115{
4116	cat <<EOF
4117usage: ${0##*/} OPTS
4118
4119	-4          IPv4 tests only
4120	-6          IPv6 tests only
4121	-t <test>   Test name/set to run
4122	-p          Pause on fail
4123	-P          Pause after each test
4124	-v          Be verbose
4125
4126Tests:
4127	$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER
4128EOF
4129}
4130
4131################################################################################
4132# main
4133
4134TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter"
4135TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter"
4136TESTS_OTHER="use_cases"
4137
4138PAUSE_ON_FAIL=no
4139PAUSE=no
4140
4141while getopts :46t:pPvh o
4142do
4143	case $o in
4144		4) TESTS=ipv4;;
4145		6) TESTS=ipv6;;
4146		t) TESTS=$OPTARG;;
4147		p) PAUSE_ON_FAIL=yes;;
4148		P) PAUSE=yes;;
4149		v) VERBOSE=1;;
4150		h) usage; exit 0;;
4151		*) usage; exit 1;;
4152	esac
4153done
4154
4155# make sure we don't pause twice
4156[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no
4157
4158#
4159# show user test config
4160#
4161if [ -z "$TESTS" ]; then
4162	TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
4163elif [ "$TESTS" = "ipv4" ]; then
4164	TESTS="$TESTS_IPV4"
4165elif [ "$TESTS" = "ipv6" ]; then
4166	TESTS="$TESTS_IPV6"
4167fi
4168
4169which nettest >/dev/null
4170if [ $? -ne 0 ]; then
4171	echo "'nettest' command not found; skipping tests"
4172	exit $ksft_skip
4173fi
4174
4175declare -i nfail=0
4176declare -i nsuccess=0
4177
4178for t in $TESTS
4179do
4180	case $t in
4181	ipv4_ping|ping)  ipv4_ping;;
4182	ipv4_tcp|tcp)    ipv4_tcp;;
4183	ipv4_udp|udp)    ipv4_udp;;
4184	ipv4_bind|bind)  ipv4_addr_bind;;
4185	ipv4_runtime)    ipv4_runtime;;
4186	ipv4_netfilter)  ipv4_netfilter;;
4187
4188	ipv6_ping|ping6) ipv6_ping;;
4189	ipv6_tcp|tcp6)   ipv6_tcp;;
4190	ipv6_udp|udp6)   ipv6_udp;;
4191	ipv6_bind|bind6) ipv6_addr_bind;;
4192	ipv6_runtime)    ipv6_runtime;;
4193	ipv6_netfilter)  ipv6_netfilter;;
4194
4195	use_cases)       use_cases;;
4196
4197	# setup namespaces and config, but do not run any tests
4198	setup)		 setup; exit 0;;
4199	vrf_setup)	 setup "yes"; exit 0;;
4200	esac
4201done
4202
4203cleanup 2>/dev/null
4204
4205printf "\nTests passed: %3d\n" ${nsuccess}
4206printf "Tests failed: %3d\n"   ${nfail}
4207
4208if [ $nfail -ne 0 ]; then
4209	exit 1 # KSFT_FAIL
4210elif [ $nsuccess -eq 0 ]; then
4211	exit $ksft_skip
4212fi
4213
4214exit 0 # KSFT_PASS
4215