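#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
#
# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
# for various permutations:
#   1. icmp, tcp, udp and netfilter
#   2. client, server, no-server
#   3. global address on interface
#   4. global address on 'lo'
#   5. remote and local traffic
#   6. VRF and non-VRF permutations
#
# Setup:
#                     ns-A     |     ns-B
# No VRF case:
#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
#                                                remote address
# VRF case:
#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
#
# ns-A:
#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
#       lo: 127.0.0.1/8, ::1/128
#           172.16.2.1/32, 2001:db8:2::1/128
#      red: 127.0.0.1/8, ::1/128
#           172.16.3.1/32, 2001:db8:3::1/128
#
# ns-B:
#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
#      lo2: 127.0.0.1/8, ::1/128
#           172.16.2.2/32, 2001:db8:2::2/128
#
# ns-A to ns-C connection - only for VRF and same config
# as ns-A to ns-B
#
# server / client nomenclature relative to ns-A

source lib.sh

# NOTE(review): the current directory is searched first for every command
# run below (ip, sysctl, ping, killall, nettest, ...). The script configures
# namespaces, routes and sysctls, which presumably needs root, so run it
# only from a directory whose contents are trusted.
PATH=$PWD:$PWD/tools/testing/selftests/net:$PATH

VERBOSE=0

NSA_DEV=eth1
NSA_DEV2=eth2
NSB_DEV=eth1
NSC_DEV=eth2
VRF=red
VRF_TABLE=1101

# IPv4 config
NSA_IP=172.16.1.1
NSB_IP=172.16.1.2
VRF_IP=172.16.3.1
NS_NET=172.16.1.0/24

# IPv6 config
NSA_IP6=2001:db8:1::1
NSB_IP6=2001:db8:1::2
VRF_IP6=2001:db8:3::1
NS_NET6=2001:db8:1::/120

NSA_LO_IP=172.16.2.1
NSB_LO_IP=172.16.2.2
NSA_LO_IP6=2001:db8:2::1
NSB_LO_IP6=2001:db8:2::2

# non-local addresses for freebind tests
NL_IP=172.17.1.1
NL_IP6=2001:db8:4::1

# multicast and broadcast addresses
MCAST_IP=224.0.0.1
BCAST_IP=255.255.255.255

# TCP MD5 signature keys used as nettest fixtures in the MD5 tests;
# MD5_WRONG_PW is a second, non-matching key.
MD5_PW=abc123
MD5_WRONG_PW=abc1234

MCAST=ff02::1
# set after namespace create
NSA_LINKIP6=
NSB_LINKIP6=

# Prefer a dedicated ping6 binary; fall back to ping when there is none.
ping6=$(command -v ping6 2>/dev/null) || ping6=$(command -v ping)

# Check if FIPS mode is enabled
if [ -f /proc/sys/crypto/fips_enabled ]; then
	fips_enabled=$(cat /proc/sys/crypto/fips_enabled)
else
	fips_enabled=0
fi

################################################################################
# utilities

# Record one test result and print a TEST line.
#   $1 - actual return code
#   $2 - expected return code
#   $3 - test description
# Updates the global counters nsuccess / nfail. With PAUSE_ON_FAIL=yes (after
# a failure) or PAUSE=yes (after every test) it waits for enter; 'q' exits
# with status 1. Always ends by calling kill_procs.
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"
	# Keep the prompt answer local: callers hold the address under test in
	# their own variable 'a', which a plain 'read a' here would overwrite.
	local answer

	[ "${VERBOSE}" = "1" ] && echo

	if [ "${rc}" -eq "${expected}" ]; then
		nsuccess=$((nsuccess+1))
		printf "TEST: %-70s [ OK ]\n" "${msg}"
	else
		nfail=$((nfail+1))
		printf "TEST: %-70s [FAIL]\n" "${msg}"
		echo " expected rc $expected; actual rc $rc"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue, 'q' to quit"
			read -r answer
			[ "$answer" = "q" ] && exit 1
		fi
	fi

	if [ "${PAUSE}" = "yes" ]; then
		echo
		echo "hit enter to continue, 'q' to quit"
		read -r answer
		[ "$answer" = "q" ] && exit 1
	fi

	kill_procs
}

# Same as log_test, with the description suffixed by the symbolic name of
# the address under test.
#   $1 - address, $2 - actual rc, $3 - expected rc, $4 - description
log_test_addr()
{
	local addr=$1
	local rc=$2
	local expected=$3
	local msg="$4"
	local astr

	astr=$(addr2str "${addr}")
	log_test "$rc" "$expected" "$msg - ${astr}"
}

# Print a section banner.
log_section()
{
	echo
	echo "###########################################################################"
	echo "$*"
	echo "###########################################################################"
	echo
}

# Print a subsection banner.
log_subsection()
{
	echo
	echo "#################################################################"
	echo "$*"
	echo
}

# Start of a single test: stop leftover helpers, print a separator if verbose.
log_start()
{
	# make sure we have no test instances running
	kill_procs

	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "#######################################################"
	fi
}

# Print the arguments only in verbose mode.
log_debug()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "$*"
		echo
	fi
}

# Print a HINT line (why a test is expected to fail) only in verbose mode.
show_hint()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo "HINT: $*"
		echo
	fi
}

# Kill leftover nettest/ping/ping6 processes, then wait one second.
# NOTE(review): killall matches by process name and is not run inside the
# test namespaces, so unrelated ping/nettest processes visible to this shell
# are killed as well.
kill_procs()
{
	killall nettest ping ping6 >/dev/null 2>&1
	sleep 1
}
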
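# Allow every group id in ns-A to open ICMP "ping" sockets.
set_ping_group()
{
	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${NSA_CMD} sysctl -q -w net.ipv4.ping_group_range='0 2147483647'"
	fi

	${NSA_CMD} sysctl -q -w net.ipv4.ping_group_range='0 2147483647'
}

# Run a command, capturing stdout and stderr; echo the command and its
# output only in verbose mode. Returns the command's exit status.
# The command line is rebuilt by word splitting, so an argument containing
# whitespace cannot be passed through intact.
# 'rc' is not declared local here: the assignment lands in the nearest
# caller that declared rc, or in the global scope.
do_run_cmd()
{
	local cmd="$*"
	local out

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${cmd}"
	fi

	out=$($cmd 2>&1)
	rc=$?
	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		echo "$out"
	fi

	return $rc
}

# Run a command in ns-A.
run_cmd()
{
	do_run_cmd ${NSA_CMD} $*
}

# Run a command in ns-B.
run_cmd_nsb()
{
	do_run_cmd ${NSB_CMD} $*
}

# Run a command in ns-C.
run_cmd_nsc()
{
	do_run_cmd ${NSC_CMD} $*
}

# Shared body of setup_cmd / setup_cmd_nsb / setup_cmd_nsc.
#   $1   - runner function (run_cmd, run_cmd_nsb or run_cmd_nsc)
#   $2.. - command to run
# A failing setup command stops the whole script with that command's status.
_setup_cmd_via()
{
	local runner=$1
	shift
	local cmd="$*"
	local rc
	local answer

	${runner} ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		# show user the command if not done so already
		if [ "$VERBOSE" = "0" ]; then
			echo "setup command: $cmd"
		fi
		echo "failed. stopping tests"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue"
			read -r answer
		fi
		exit $rc
	fi
}

# Run a setup command in ns-A; exit the script if it fails.
setup_cmd()
{
	_setup_cmd_via run_cmd "$@"
}

# Run a setup command in ns-B; exit the script if it fails.
setup_cmd_nsb()
{
	_setup_cmd_via run_cmd_nsb "$@"
}

# Run a setup command in ns-C; exit the script if it fails.
setup_cmd_nsc()
{
	_setup_cmd_via run_cmd_nsc "$@"
}

# set sysctl values in NS-A
set_sysctl()
{
	echo "SYSCTL: $*"
	echo
	run_cmd sysctl -q -w $*
}

# get sysctl values in NS-A
get_sysctl()
{
	${NSA_CMD} sysctl -n $*
}

################################################################################
# Setup for tests

# Map an address used by the tests to a short label for the test log.
# Prints "unknown" for anything that is not one of the configured addresses.
addr2str()
{
	case "$1" in
	127.0.0.1) echo "loopback";;
	::1) echo "IPv6 loopback";;

	${BCAST_IP}) echo "broadcast";;
	${MCAST_IP}) echo "multicast";;

	${NSA_IP})	echo "ns-A IP";;
	${NSA_IP6})	echo "ns-A IPv6";;
	${NSA_LO_IP})	echo "ns-A loopback IP";;
	${NSA_LO_IP6})	echo "ns-A loopback IPv6";;
	${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;

	${NSB_IP})	echo "ns-B IP";;
	${NSB_IP6})	echo "ns-B IPv6";;
	${NSB_LO_IP})	echo "ns-B loopback IP";;
	${NSB_LO_IP6})	echo "ns-B loopback IPv6";;
	${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;

	${NL_IP})       echo "nonlocal IP";;
	${NL_IP6})      echo "nonlocal IPv6";;

	${VRF_IP})	echo "VRF IP";;
	${VRF_IP6})	echo "VRF IPv6";;

	${MCAST}%*)	echo "multicast IP";;

	*) echo "unknown";;
	esac
}

# Print the fe80 link-local address of a device, without the prefix length.
#   $1 - namespace, $2 - device
# Returns 1 and prints nothing when the device has no such address.
get_linklocal()
{
	local ns=$1
	local dev=$2
	local addr

	addr=$(ip -netns "${ns}" -6 -br addr show dev "${dev}" | \
	awk '{
		for (i = 3; i <= NF; ++i) {
			if ($i ~ /^fe80/)
				print $i
		}
	}'
	)
	# drop everything from the first '/' on (prefix length and any
	# further addresses awk printed)
	addr=${addr/\/*}

	[ -z "$addr" ] && return 1

	echo "$addr"

	return 0
}

################################################################################
# create namespaces and vrf

# Create a VRF device in a namespace.
#   $1 - namespace, $2 - VRF name, $3 - routing table id
#   $4 - IPv4 address for the VRF device, or "-" for none
#   $5 - IPv6 address for the VRF device, or "-" for none
# Also adds unreachable default routes to the VRF table, puts loopback
# addresses on the VRF device and moves the 'local' rule from pref 0 to
# pref 32765 for both address families.
create_vrf()
{
	local ns=$1
	local vrf=$2
	local table=$3
	local addr=$4
	local addr6=$5

	ip -netns "${ns}" link add "${vrf}" type vrf table "${table}"
	ip -netns "${ns}" link set "${vrf}" up
	ip -netns "${ns}" route add vrf "${vrf}" unreachable default metric 8192
	ip -netns "${ns}" -6 route add vrf "${vrf}" unreachable default metric 8192

	ip -netns "${ns}" addr add 127.0.0.1/8 dev "${vrf}"
	ip -netns "${ns}" -6 addr add ::1 dev "${vrf}" nodad
	if [ "${addr}" != "-" ]; then
		ip -netns "${ns}" addr add dev "${vrf}" "${addr}"
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns "${ns}" -6 addr add dev "${vrf}" "${addr6}"
	fi

	ip -netns "${ns}" ru del pref 0
	ip -netns "${ns}" ru add pref 32765 from all lookup local
	ip -netns "${ns}" -6 ru del pref 0
	ip -netns "${ns}" -6 ru add pref 32765 from all lookup local
}

# Configure an existing namespace: optional addresses on 'lo', unreachable
# default routes, and forwarding / keep_addr_on_down sysctls.
#   $1 - namespace
#   $2 - IPv4 address for lo, or "-" for none
#   $3 - IPv6 address for lo, or "-" for none
create_ns()
{
	local ns=$1
	local addr=$2
	local addr6=$3

	if [ "${addr}" != "-" ]; then
		ip -netns "${ns}" addr add dev lo "${addr}"
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns "${ns}" -6 addr add dev lo "${addr6}"
	fi

	ip -netns "${ns}" ro add unreachable default metric 8192
	ip -netns "${ns}" -6 ro add unreachable default metric 8192

	ip netns exec "${ns}" sysctl -qw net.ipv4.ip_forward=1
	ip netns exec "${ns}" sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
	ip netns exec "${ns}" sysctl -qw net.ipv6.conf.all.forwarding=1
	ip netns exec "${ns}" sysctl -qw net.ipv6.conf.default.forwarding=1
}

# create veth pair to connect namespaces and apply addresses.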
# Arguments: ns1, ns1 device, ns1 IPv4 addr, ns1 IPv6 addr,
#            ns2, ns2 device, ns2 IPv4 addr, ns2 IPv6 addr
# An ns1 address of "-" skips both addresses of that family.
connect_ns()
{
	local ns1=$1
	local ns1_dev=$2
	local ns1_addr=$3
	local ns1_addr6=$4
	local ns2=$5
	local ns2_dev=$6
	local ns2_addr=$7
	local ns2_addr6=$8

	# the peer is created as 'tmp' in ns1, then moved to ns2 and renamed
	ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp
	ip -netns ${ns1} li set ${ns1_dev} up
	ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev}
	ip -netns ${ns2} li set ${ns2_dev} up

	if [ "${ns1_addr}" != "-" ]; then
		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr}
		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr}
	fi

	if [ "${ns1_addr6}" != "-" ]; then
		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6}
		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6}
	fi
}

# Tear down the test topology: VRF, routes, addresses and device in ns-A
# (only if ns-A exists), then every process and namespace of ns-A/B/C.
cleanup()
{
	# explicit cleanups to check those code paths
	ip netns | grep -q ${NSA}
	if [ $? -eq 0 ]; then
		ip -netns ${NSA} link delete ${VRF}
		ip -netns ${NSA} ro flush table ${VRF_TABLE}

		ip -netns ${NSA} addr flush dev ${NSA_DEV}
		ip -netns ${NSA} -6 addr flush dev ${NSA_DEV}
		ip -netns ${NSA} link set dev ${NSA_DEV} down
		ip -netns ${NSA} link del dev ${NSA_DEV}

		ip netns pids ${NSA} | xargs kill 2>/dev/null
		cleanup_ns ${NSA}
	fi

	ip netns pids ${NSB} | xargs kill 2>/dev/null
	ip netns pids ${NSC} | xargs kill 2>/dev/null
	cleanup_ns ${NSB} ${NSC}
}

# Undo setup_vrf_dup: remove the second ns-A device and ns-C.
cleanup_vrf_dup()
{
	ip link del ${NSA_DEV2} >/dev/null 2>&1
	ip netns pids ${NSC} | xargs kill 2>/dev/null
	ip netns del ${NSC} >/dev/null 2>&1
}

# Add ns-C, connected to ns-A over NSA_DEV2 with the same addresses that
# ns-B uses.
setup_vrf_dup()
{
	# some VRF tests use ns-C which has the same config as
	# ns-B but for a device NOT in the VRF
	setup_ns NSC
	NSC_CMD="ip netns exec ${NSC}"
	create_ns ${NSC} "-" "-"
	connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \
		   ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
}

# Build the ns-A / ns-B topology from scratch.
#   $1 - "yes" to enslave the ns-A device to the VRF, anything else for the
#        non-VRF layout
# Configuration runs under 'set -e', so a failing command in that stretch
# aborts the script; 'set +e' is restored before returning.
setup()
{
	local with_vrf=${1}

	# make sure we are starting with a clean slate
	kill_procs
	cleanup 2>/dev/null

	log_debug "Configuring network namespaces"
	set -e

	setup_ns NSA NSB
	NSA_CMD="ip netns exec ${NSA}"
	NSB_CMD="ip netns exec ${NSB}"

	create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128
	create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128
	connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \
		   ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64

	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})

	# tell ns-A how to get to remote addresses of ns-B
	if [ "${with_vrf}" = "yes" ]; then
		create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6}

		ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
		ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
		ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}

		ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
		ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
	else
		ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
		ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
	fi


	# tell ns-B how to get to remote addresses of ns-A
	ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
	ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}

	set +e

	sleep 1
}

# Build ns-A / ns-B / ns-C with no configured addresses on the links and
# both ns-A devices enslaved to the VRF.
setup_lla_only()
{
	# make sure we are starting with a clean slate
	kill_procs
	cleanup 2>/dev/null

	log_debug "Configuring network namespaces"
	set -e

	setup_ns NSA NSB NSC
	NSA_CMD="ip netns exec ${NSA}"
	NSB_CMD="ip netns exec ${NSB}"
	NSC_CMD="ip netns exec ${NSC}"
	create_ns ${NSA} "-" "-"
	create_ns ${NSB} "-" "-"
	create_ns ${NSC} "-" "-"
	connect_ns ${NSA} ${NSA_DEV} "-" "-" \
		   ${NSB} ${NSB_DEV} "-" "-"
	connect_ns ${NSA} ${NSA_DEV2} "-" "-" \
		   ${NSC} ${NSC_DEV}  "-" "-"

	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
	NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV})

	create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-"
	ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
	ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF}

	set +e

	sleep 1
}

################################################################################
# IPv4

# IPv4 ping tests without a VRF: outbound, inbound and local traffic, with
# and without device/address binds, then reachability blocked by an ip rule,
# by an unreachable route and by the unreachable default route.
ipv4_ping_novrf()
{
	local a

	#
	# out
	#
	for a in ${NSB_IP} ${NSB_LO_IP}; do
		log_start
		run_cmd ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping out"

		log_start
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a}
		log_test_addr ${a} $? 0 "ping out, address bind"
	done

	#
	# out, but don't use gateway if peer is not on link
	#
	a=${NSB_IP}
	log_start
	run_cmd ping -c 1 -w 1 -r ${a}
	log_test_addr ${a} $? 0 "ping out (don't route), peer on link"

	a=${NSB_LO_IP}
	log_start
	show_hint "Fails since peer is not on link"
	run_cmd ping -c 1 -w 1 -r ${a}
	log_test_addr ${a} $? 1 "ping out (don't route), peer not on link"

	#
	# in
	#
	for a in ${NSA_IP} ${NSA_LO_IP}; do
		log_start
		run_cmd_nsb ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	#
	# local traffic
	#
	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1; do
		log_start
		run_cmd ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping local"
	done

	#
	# local traffic, socket bound to device
	#
	# address on device
	a=${NSA_IP}
	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 0 "ping local, device bind"

	# loopback addresses not reachable from device bind
	# fails in a really weird way though because ipv4 special cases
	# route lookups with oif set.
	for a in ${NSA_LO_IP} 127.0.0.1; do
		log_start
		show_hint "Fails since address on loopback device is out of device scope"
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 1 "ping local, device bind"
	done

	#
	# ip rule blocks reachability to remote address
	#
	log_start
	setup_cmd ip rule add pref 32765 from all lookup local
	setup_cmd ip rule del pref 0 from all lookup local
	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by rule"

	# NOTE: ipv4 actually allows the lookup to fail and yet still create
	#       a viable rtable if the oif (e.g., bind to device) is set, so this
	#       case succeeds despite the rule
	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}

	a=${NSA_LO_IP}
	log_start
	show_hint "Response generates ICMP (or arp request is ignored) due to ip rule"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	[ "$VERBOSE" = "1" ] && echo
	setup_cmd ip rule del pref 32765 from all lookup local
	setup_cmd ip rule add pref 0 from all lookup local
	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit

	#
	# route blocks reachability to remote address
	#
	log_start
	setup_cmd ip route replace unreachable ${NSB_LO_IP}
	setup_cmd ip route replace unreachable ${NSB_IP}

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by route"

	# NOTE: ipv4 actually allows the lookup to fail and yet still create
	#       a viable rtable if the oif (e.g., bind to device) is set, so this
	#       case succeeds despite not having a route for the address
	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}

	a=${NSA_LO_IP}
	log_start
	show_hint "Response is dropped (or arp request is ignored) due to ip route"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by route"

	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip ro del ${NSB_LO_IP}

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, unreachable default route"

	# NOTE: ipv4 actually allows the lookup to fail and yet still create
	#       a viable rtable if the oif (e.g., bind to device) is set, so this
	#       case succeeds despite not having a route for the address
	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
}

# IPv4 ping tests with the ns-A device enslaved to the VRF: VRF, device and
# address binds for outbound, inbound and local traffic, then reachability
# blocked by an ip rule and by removing the route to ns-B's loopback address.
ipv4_ping_vrf()
{
	local a

	# should default on; does not exist on older kernels
	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP} ${NSB_LO_IP}; do
		log_start
		run_cmd ping -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping out, VRF bind"

		log_start
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a}
		log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind"

		log_start
		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a}
		log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd_nsb ping -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	#
	# local traffic, local address
	#
	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1; do
		log_start
		show_hint "Source address should be ${a}"
		run_cmd ping -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping local, VRF bind"
	done

	#
	# local traffic, socket bound to device
	#
	# address on device
	a=${NSA_IP}
	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 0 "ping local, device bind"

	# vrf device is out of scope
	for a in ${VRF_IP} 127.0.0.1; do
		log_start
		show_hint "Fails since address on vrf device is out of device scope"
		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 2 "ping local, device bind"
	done

	#
	# ip rule blocks address
	#
	log_start
	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 -I ${VRF} ${a}
	log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule"

	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"

	a=${NSA_LO_IP}
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	[ "$VERBOSE" = "1" ] && echo
	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit

	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP}

	a=${NSB_LO_IP}
	run_cmd ping -c1 -w1 -I ${VRF} ${a}
	log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route"

	log_start
	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"

	a=${NSA_LO_IP}
	log_start
	show_hint "Response lost by unreachable route"
	run_cmd_nsb ping -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, unreachable route"
}

# Driver for the IPv4 ping tests. The non-VRF set runs three times (with
# raw_l3mdev_accept=0, =1, and with the ping group range opened), the VRF
# set twice (plain, and with the ping group range opened); each run starts
# from a fresh setup.
ipv4_ping()
{
	log_section "IPv4 ping"

	log_subsection "No VRF"
	setup
	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null
	ipv4_ping_novrf
	setup
	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
	ipv4_ping_novrf
	setup
	set_ping_group
	ipv4_ping_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_ping_vrf
	setup "yes"
	set_ping_group
	ipv4_ping_vrf
}

################################################################################
# IPv4 TCP

#
# MD5 tests without VRF
#
# Each case starts a nettest server in ns-A with a key (-M) tied to a peer
# address or prefix (-m) and connects from ns-B with a key (-X). A matching
# key and peer must connect (rc 0); a missing, wrong or mis-scoped key is
# expected to time out (rc 2).
ipv4_tcp_md5_novrf()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -s &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Prefix config, client uses wrong password"

	# client outside of prefix
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
}

#
# MD5 tests with VRF
#
# Repeats the single-address and prefix cases with the server bound to the
# VRF (-I), then runs two servers at once - one in the VRF with MD5_PW and
# one unbound with MD5_WRONG_PW - and checks that a client is accepted only
# with the key of the server in its own L3 domain: ns-B connects through the
# VRF, ns-C through the device that is not in the VRF. A key configured in
# one domain must not authenticate a connection arriving in the other.
ipv4_tcp_md5()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout since server does not have MD5 auth"
	run_cmd nettest -s -I ${VRF} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout since server config differs from client"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"

	# client outside of prefix
	log_start
	show_hint "Should timeout since client address is outside of prefix"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"

	#
	# duplicate config between default VRF and a VRF
	#

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"

	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"

	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"

	#
	# negative tests
	#
	log_start
	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP}
	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"

	log_start
	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET}
	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"

	test_ipv4_md5_vrf__vrf_server__no_bind_ifindex
	test_ipv4_md5_vrf__global_server__bind_ifindex0
}

# VRF-bound server with the MD5 key either left unbound
# (--no-bind-key-ifindex) or explicitly bound (--force-bind-key-ifindex);
# a client in the VRF must be accepted in both cases.
test_ipv4_md5_vrf__vrf_server__no_bind_ifindex()
{
	log_start
	show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: VRF-bound server, unbound key accepts connection"

	log_start
	show_hint "Binding both the socket and the key is not required but it works"
	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: VRF-bound server, bound key accepts connection"
}

# Global (unbound) server: a key bound to ifindex 0 must reject the VRF
# client (ns-B) and accept the non-VRF client (ns-C); a key not bound to an
# ifindex must accept both. tcp_l3mdev_accept is set to 1 for the duration
# and restored to its previous value at the end.
test_ipv4_md5_vrf__global_server__bind_ifindex0()
{
	# This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections
	local old_tcp_l3mdev_accept
	old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept)
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	sleep 1
	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection"

	log_start
	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
	sleep 1
	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection"

	# restore value
	set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept"
}

# SO_DONTROUTE tests.
#   $1 - value to set net.ipv4.tcp_syncookies to in ns-A and ns-B while the
#        tests run; the previous values are restored afterwards.
ipv4_tcp_dontroute()
{
	local syncookies=$1
	local nsa_syncookies
	local nsb_syncookies
	local a

	#
	# Link local connection tests (SO_DONTROUTE).
	# Connections should succeed only when the remote IP address is
	# on link (doesn't need to be routed through a gateway).
	#

	nsa_syncookies=$(ip netns exec "${NSA}" sysctl -n net.ipv4.tcp_syncookies)
	nsb_syncookies=$(ip netns exec "${NSB}" sysctl -n net.ipv4.tcp_syncookies)
	ip netns exec "${NSA}" sysctl -wq net.ipv4.tcp_syncookies=${syncookies}
	ip netns exec "${NSB}" sysctl -wq net.ipv4.tcp_syncookies=${syncookies}

	# Test with eth1 address (on link).

	a=${NSB_IP}
	log_start
	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute
	log_test_addr ${a} $? 0 "SO_DONTROUTE client, syncookies=${syncookies}"

	a=${NSB_IP}
	log_start
	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -r ${a} --server-dontroute
	log_test_addr ${a} $? 0 "SO_DONTROUTE server, syncookies=${syncookies}"

	# Test with loopback address (routed).
	#
	# The client would use the eth1 address as source IP by default.
	# Therefore, we need to use the -c option here, to force the use of the
	# routed (loopback) address as source IP (so that the server will try
	# to respond to a routed address and not a link local one).

	a=${NSB_LO_IP}
	log_start
	show_hint "Should fail 'Network is unreachable' since server is not on link"
	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -c "${NSA_LO_IP}" -r ${a} --client-dontroute
	log_test_addr ${a} $? 1 "SO_DONTROUTE client, syncookies=${syncookies}"

	a=${NSB_LO_IP}
	log_start
	show_hint "Should timeout since server cannot respond (client is not on link)"
	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -c "${NSA_LO_IP}" -r ${a} --server-dontroute
	log_test_addr ${a} $? 2 "SO_DONTROUTE server, syncookies=${syncookies}"

	ip netns exec "${NSB}" sysctl -wq net.ipv4.tcp_syncookies=${nsb_syncookies}
	ip netns exec "${NSA}" sysctl -wq net.ipv4.tcp_syncookies=${nsa_syncookies}
}

ipv4_tcp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP}; do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	# verify TCP reset sent and received
	for a in ${NSA_IP} ${NSA_LO_IP}; do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}; do
		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1; do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -0 ${a} -1 ${a}
		log_test_addr ${a} $? 0 "Global server, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"

	for a in ${NSA_LO_IP} 127.0.0.1; do
		log_start
		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
		run_cmd nettest -s -I ${NSA_DEV} &
		sleep 1
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s &
	sleep 1
	run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	for a in ${NSA_LO_IP} 127.0.0.1; do
		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "Global server, device client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -d ${NSA_DEV} -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local connection"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $?
1 "No server, device client, local conn" 1301 1302 [ "$fips_enabled" = "1" ] || ipv4_tcp_md5_novrf 1303 1304 ipv4_tcp_dontroute 0 1305 ipv4_tcp_dontroute 2 1306} 1307 1308ipv4_tcp_vrf() 1309{ 1310 local a 1311 1312 # disable global server 1313 log_subsection "Global server disabled" 1314 1315 set_sysctl net.ipv4.tcp_l3mdev_accept=0 1316 1317 # 1318 # server tests 1319 # 1320 for a in ${NSA_IP} ${VRF_IP} 1321 do 1322 log_start 1323 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 1324 run_cmd nettest -s & 1325 sleep 1 1326 run_cmd_nsb nettest -r ${a} 1327 log_test_addr ${a} $? 1 "Global server" 1328 1329 log_start 1330 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1331 sleep 1 1332 run_cmd_nsb nettest -r ${a} 1333 log_test_addr ${a} $? 0 "VRF server" 1334 1335 log_start 1336 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1337 sleep 1 1338 run_cmd_nsb nettest -r ${a} 1339 log_test_addr ${a} $? 0 "Device server" 1340 1341 # verify TCP reset received 1342 log_start 1343 show_hint "Should fail 'Connection refused' since there is no server" 1344 run_cmd_nsb nettest -r ${a} 1345 log_test_addr ${a} $? 1 "No server" 1346 done 1347 1348 # local address tests 1349 # (${VRF_IP} and 127.0.0.1 both timeout) 1350 a=${NSA_IP} 1351 log_start 1352 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 1353 run_cmd nettest -s & 1354 sleep 1 1355 run_cmd nettest -r ${a} -d ${NSA_DEV} 1356 log_test_addr ${a} $? 
1 "Global server, local connection" 1357 1358 # run MD5 tests 1359 if [ "$fips_enabled" = "0" ]; then 1360 setup_vrf_dup 1361 ipv4_tcp_md5 1362 cleanup_vrf_dup 1363 fi 1364 1365 # 1366 # enable VRF global server 1367 # 1368 log_subsection "VRF Global server enabled" 1369 set_sysctl net.ipv4.tcp_l3mdev_accept=1 1370 1371 for a in ${NSA_IP} ${VRF_IP} 1372 do 1373 log_start 1374 show_hint "client socket should be bound to VRF" 1375 run_cmd nettest -s -3 ${VRF} & 1376 sleep 1 1377 run_cmd_nsb nettest -r ${a} 1378 log_test_addr ${a} $? 0 "Global server" 1379 1380 log_start 1381 show_hint "client socket should be bound to VRF" 1382 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1383 sleep 1 1384 run_cmd_nsb nettest -r ${a} 1385 log_test_addr ${a} $? 0 "VRF server" 1386 1387 # verify TCP reset received 1388 log_start 1389 show_hint "Should fail 'Connection refused'" 1390 run_cmd_nsb nettest -r ${a} 1391 log_test_addr ${a} $? 1 "No server" 1392 done 1393 1394 a=${NSA_IP} 1395 log_start 1396 show_hint "client socket should be bound to device" 1397 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1398 sleep 1 1399 run_cmd_nsb nettest -r ${a} 1400 log_test_addr ${a} $? 0 "Device server" 1401 1402 # local address tests 1403 for a in ${NSA_IP} ${VRF_IP} 1404 do 1405 log_start 1406 show_hint "Should fail 'Connection refused' since client is not bound to VRF" 1407 run_cmd nettest -s -I ${VRF} & 1408 sleep 1 1409 run_cmd nettest -r ${a} 1410 log_test_addr ${a} $? 1 "Global server, local connection" 1411 done 1412 1413 # 1414 # client 1415 # 1416 for a in ${NSB_IP} ${NSB_LO_IP} 1417 do 1418 log_start 1419 run_cmd_nsb nettest -s & 1420 sleep 1 1421 run_cmd nettest -r ${a} -d ${VRF} 1422 log_test_addr ${a} $? 0 "Client, VRF bind" 1423 1424 log_start 1425 run_cmd_nsb nettest -s & 1426 sleep 1 1427 run_cmd nettest -r ${a} -d ${NSA_DEV} 1428 log_test_addr ${a} $? 
0 "Client, device bind" 1429 1430 log_start 1431 show_hint "Should fail 'Connection refused'" 1432 run_cmd nettest -r ${a} -d ${VRF} 1433 log_test_addr ${a} $? 1 "No server, VRF client" 1434 1435 log_start 1436 show_hint "Should fail 'Connection refused'" 1437 run_cmd nettest -r ${a} -d ${NSA_DEV} 1438 log_test_addr ${a} $? 1 "No server, device client" 1439 done 1440 1441 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 1442 do 1443 log_start 1444 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1445 sleep 1 1446 run_cmd nettest -r ${a} -d ${VRF} -0 ${a} 1447 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 1448 done 1449 1450 a=${NSA_IP} 1451 log_start 1452 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1453 sleep 1 1454 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a} 1455 log_test_addr ${a} $? 0 "VRF server, device client, local connection" 1456 1457 log_start 1458 show_hint "Should fail 'No route to host' since client is out of VRF scope" 1459 run_cmd nettest -s -I ${VRF} & 1460 sleep 1 1461 run_cmd nettest -r ${a} 1462 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection" 1463 1464 log_start 1465 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1466 sleep 1 1467 run_cmd nettest -r ${a} -d ${VRF} -0 ${a} 1468 log_test_addr ${a} $? 0 "Device server, VRF client, local connection" 1469 1470 log_start 1471 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1472 sleep 1 1473 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a} 1474 log_test_addr ${a} $? 
0 "Device server, device client, local connection"
}

# Run the IPv4 TCP tests: first without a VRF, then with one.
#
# Without a VRF the ipv4_tcp_novrf set is run twice, once with
# net.ipv4.tcp_l3mdev_accept=0 and once with =1. The sysctl is not
# restored by this function.
ipv4_tcp()
{
	local l3mdev_accept
	local l3mdev_state

	log_section "IPv4/TCP"
	log_subsection "No VRF"
	setup

	# tcp_l3mdev_accept should have no effect without VRF;
	# run tests with it disabled and then enabled to verify
	for l3mdev_accept in 0 1
	do
		if [ "${l3mdev_accept}" = "0" ]; then
			l3mdev_state="disabled"
		else
			l3mdev_state="enabled"
		fi

		log_subsection "tcp_l3mdev_accept ${l3mdev_state}"
		set_sysctl "net.ipv4.tcp_l3mdev_accept=${l3mdev_accept}"
		ipv4_tcp_novrf
	done

	log_subsection "With VRF"
	setup yes
	ipv4_tcp_vrf
}

################################################################################
# IPv4 UDP

ipv4_udp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -D -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP}
		log_test_addr ${a} $?
0 "Client, device send via cmsg" 1550 1551 log_start 1552 run_cmd_nsb nettest -D -s & 1553 sleep 1 1554 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} 1555 log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF" 1556 1557 log_start 1558 run_cmd_nsb nettest -D -s & 1559 sleep 1 1560 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} -U 1561 log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF, with connect()" 1562 1563 1564 log_start 1565 show_hint "Should fail 'Connection refused'" 1566 run_cmd nettest -D -r ${a} 1567 log_test_addr ${a} $? 1 "No server, unbound client" 1568 1569 log_start 1570 show_hint "Should fail 'Connection refused'" 1571 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1572 log_test_addr ${a} $? 1 "No server, device client" 1573 done 1574 1575 # 1576 # local address tests 1577 # 1578 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1579 do 1580 log_start 1581 run_cmd nettest -D -s & 1582 sleep 1 1583 run_cmd nettest -D -r ${a} -0 ${a} -1 ${a} 1584 log_test_addr ${a} $? 0 "Global server, local connection" 1585 done 1586 1587 a=${NSA_IP} 1588 log_start 1589 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1590 sleep 1 1591 run_cmd nettest -D -r ${a} 1592 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 1593 1594 for a in ${NSA_LO_IP} 127.0.0.1 1595 do 1596 log_start 1597 show_hint "Should fail 'Connection refused' since address is out of device scope" 1598 run_cmd nettest -s -D -I ${NSA_DEV} & 1599 sleep 1 1600 run_cmd nettest -D -r ${a} 1601 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 1602 done 1603 1604 a=${NSA_IP} 1605 log_start 1606 run_cmd nettest -s -D & 1607 sleep 1 1608 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1609 log_test_addr ${a} $? 0 "Global server, device client, local connection" 1610 1611 log_start 1612 run_cmd nettest -s -D & 1613 sleep 1 1614 run_cmd nettest -D -d ${NSA_DEV} -C -r ${a} 1615 log_test_addr ${a} $? 
0 "Global server, device send via cmsg, local connection" 1616 1617 log_start 1618 run_cmd nettest -s -D & 1619 sleep 1 1620 run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} 1621 log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection" 1622 1623 log_start 1624 run_cmd nettest -s -D & 1625 sleep 1 1626 run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} -U 1627 log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection, with connect()" 1628 1629 1630 # IPv4 with device bind has really weird behavior - it overrides the 1631 # fib lookup, generates an rtable and tries to send the packet. This 1632 # causes failures for local traffic at different places 1633 for a in ${NSA_LO_IP} 127.0.0.1 1634 do 1635 log_start 1636 show_hint "Should fail since addresses on loopback are out of device scope" 1637 run_cmd nettest -D -s & 1638 sleep 1 1639 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1640 log_test_addr ${a} $? 2 "Global server, device client, local connection" 1641 1642 log_start 1643 show_hint "Should fail since addresses on loopback are out of device scope" 1644 run_cmd nettest -D -s & 1645 sleep 1 1646 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C 1647 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 1648 1649 log_start 1650 show_hint "Should fail since addresses on loopback are out of device scope" 1651 run_cmd nettest -D -s & 1652 sleep 1 1653 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S 1654 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 1655 1656 log_start 1657 show_hint "Should fail since addresses on loopback are out of device scope" 1658 run_cmd nettest -D -s & 1659 sleep 1 1660 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -U 1661 log_test_addr ${a} $? 
1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()" 1662 1663 1664 done 1665 1666 a=${NSA_IP} 1667 log_start 1668 run_cmd nettest -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1669 sleep 1 1670 run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a} 1671 log_test_addr ${a} $? 0 "Device server, device client, local conn" 1672 1673 log_start 1674 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1675 log_test_addr ${a} $? 2 "No server, device client, local conn" 1676 1677 # 1678 # Link local connection tests (SO_DONTROUTE). 1679 # Connections should succeed only when the remote IP address is 1680 # on link (doesn't need to be routed through a gateway). 1681 # 1682 1683 a=${NSB_IP} 1684 log_start 1685 do_run_cmd nettest -B -D -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute 1686 log_test_addr ${a} $? 0 "SO_DONTROUTE client" 1687 1688 a=${NSB_LO_IP} 1689 log_start 1690 show_hint "Should fail 'Network is unreachable' since server is not on link" 1691 do_run_cmd nettest -B -D -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute 1692 log_test_addr ${a} $? 1 "SO_DONTROUTE client" 1693} 1694 1695ipv4_udp_vrf() 1696{ 1697 local a 1698 1699 # disable global server 1700 log_subsection "Global server disabled" 1701 set_sysctl net.ipv4.udp_l3mdev_accept=0 1702 1703 # 1704 # server tests 1705 # 1706 for a in ${NSA_IP} ${VRF_IP} 1707 do 1708 log_start 1709 show_hint "Fails because ingress is in a VRF and global server is disabled" 1710 run_cmd nettest -D -s & 1711 sleep 1 1712 run_cmd_nsb nettest -D -r ${a} 1713 log_test_addr ${a} $? 1 "Global server" 1714 1715 log_start 1716 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} & 1717 sleep 1 1718 run_cmd_nsb nettest -D -r ${a} 1719 log_test_addr ${a} $? 0 "VRF server" 1720 1721 log_start 1722 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1723 sleep 1 1724 run_cmd_nsb nettest -D -r ${a} 1725 log_test_addr ${a} $? 
0 "Enslaved device server" 1726 1727 log_start 1728 show_hint "Should fail 'Connection refused' since there is no server" 1729 run_cmd_nsb nettest -D -r ${a} 1730 log_test_addr ${a} $? 1 "No server" 1731 1732 log_start 1733 show_hint "Should fail 'Connection refused' since global server is out of scope" 1734 run_cmd nettest -D -s & 1735 sleep 1 1736 run_cmd nettest -D -d ${VRF} -r ${a} 1737 log_test_addr ${a} $? 1 "Global server, VRF client, local connection" 1738 done 1739 1740 a=${NSA_IP} 1741 log_start 1742 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1743 sleep 1 1744 run_cmd nettest -D -d ${VRF} -r ${a} 1745 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1746 1747 log_start 1748 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1749 sleep 1 1750 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1751 log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection" 1752 1753 a=${NSA_IP} 1754 log_start 1755 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1756 sleep 1 1757 run_cmd nettest -D -d ${VRF} -r ${a} 1758 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 1759 1760 log_start 1761 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1762 sleep 1 1763 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1764 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 1765 1766 # enable global server 1767 log_subsection "Global server enabled" 1768 set_sysctl net.ipv4.udp_l3mdev_accept=1 1769 1770 # 1771 # server tests 1772 # 1773 for a in ${NSA_IP} ${VRF_IP} 1774 do 1775 log_start 1776 run_cmd nettest -D -s -3 ${NSA_DEV} & 1777 sleep 1 1778 run_cmd_nsb nettest -D -r ${a} 1779 log_test_addr ${a} $? 0 "Global server" 1780 1781 log_start 1782 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} & 1783 sleep 1 1784 run_cmd_nsb nettest -D -r ${a} 1785 log_test_addr ${a} $? 
0 "VRF server" 1786 1787 log_start 1788 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1789 sleep 1 1790 run_cmd_nsb nettest -D -r ${a} 1791 log_test_addr ${a} $? 0 "Enslaved device server" 1792 1793 log_start 1794 show_hint "Should fail 'Connection refused'" 1795 run_cmd_nsb nettest -D -r ${a} 1796 log_test_addr ${a} $? 1 "No server" 1797 done 1798 1799 # 1800 # client tests 1801 # 1802 log_start 1803 run_cmd_nsb nettest -D -s & 1804 sleep 1 1805 run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP} 1806 log_test $? 0 "VRF client" 1807 1808 log_start 1809 run_cmd_nsb nettest -D -s & 1810 sleep 1 1811 run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP} 1812 log_test $? 0 "Enslaved device client" 1813 1814 # negative test - should fail 1815 log_start 1816 show_hint "Should fail 'Connection refused'" 1817 run_cmd nettest -D -d ${VRF} -r ${NSB_IP} 1818 log_test $? 1 "No server, VRF client" 1819 1820 log_start 1821 show_hint "Should fail 'Connection refused'" 1822 run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP} 1823 log_test $? 1 "No server, enslaved device client" 1824 1825 # 1826 # local address tests 1827 # 1828 a=${NSA_IP} 1829 log_start 1830 run_cmd nettest -D -s -3 ${NSA_DEV} & 1831 sleep 1 1832 run_cmd nettest -D -d ${VRF} -r ${a} 1833 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 1834 1835 log_start 1836 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1837 sleep 1 1838 run_cmd nettest -D -d ${VRF} -r ${a} 1839 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1840 1841 log_start 1842 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1843 sleep 1 1844 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1845 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 1846 1847 log_start 1848 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1849 sleep 1 1850 run_cmd nettest -D -d ${VRF} -r ${a} 1851 log_test_addr ${a} $? 
0 "Enslaved device server, VRF client, local conn" 1852 1853 log_start 1854 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1855 sleep 1 1856 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1857 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 1858 1859 for a in ${VRF_IP} 127.0.0.1 1860 do 1861 log_start 1862 run_cmd nettest -D -s -3 ${VRF} & 1863 sleep 1 1864 run_cmd nettest -D -d ${VRF} -r ${a} 1865 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 1866 done 1867 1868 for a in ${VRF_IP} 127.0.0.1 1869 do 1870 log_start 1871 run_cmd nettest -s -D -I ${VRF} -3 ${VRF} & 1872 sleep 1 1873 run_cmd nettest -D -d ${VRF} -r ${a} 1874 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1875 done 1876 1877 # negative test - should fail 1878 # verifies ECONNREFUSED 1879 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 1880 do 1881 log_start 1882 show_hint "Should fail 'Connection refused'" 1883 run_cmd nettest -D -d ${VRF} -r ${a} 1884 log_test_addr ${a} $? 1 "No server, VRF client, local conn" 1885 done 1886} 1887 1888ipv4_udp() 1889{ 1890 log_section "IPv4/UDP" 1891 log_subsection "No VRF" 1892 1893 setup 1894 1895 # udp_l3mdev_accept should have no affect without VRF; 1896 # run tests with it enabled and disabled to verify 1897 log_subsection "udp_l3mdev_accept disabled" 1898 set_sysctl net.ipv4.udp_l3mdev_accept=0 1899 ipv4_udp_novrf 1900 log_subsection "udp_l3mdev_accept enabled" 1901 set_sysctl net.ipv4.udp_l3mdev_accept=1 1902 ipv4_udp_novrf 1903 1904 log_subsection "With VRF" 1905 setup "yes" 1906 ipv4_udp_vrf 1907} 1908 1909################################################################################ 1910# IPv4 address bind 1911# 1912# verifies ability or inability to bind to an address / device 1913 1914ipv4_addr_bind_novrf() 1915{ 1916 # 1917 # raw socket 1918 # 1919 for a in ${NSA_IP} ${NSA_LO_IP} 1920 do 1921 log_start 1922 run_cmd nettest -s -R -P icmp -l ${a} -b 1923 log_test_addr ${a} $? 
0 "Raw socket bind to local address" 1924 1925 log_start 1926 run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b 1927 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" 1928 done 1929 1930 # 1931 # tests for nonlocal bind 1932 # 1933 a=${NL_IP} 1934 log_start 1935 run_cmd nettest -s -R -f -l ${a} -b 1936 log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address" 1937 1938 log_start 1939 run_cmd nettest -s -f -l ${a} -b 1940 log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address" 1941 1942 log_start 1943 run_cmd nettest -s -D -P icmp -f -l ${a} -b 1944 log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address" 1945 1946 # 1947 # check that ICMP sockets cannot bind to broadcast and multicast addresses 1948 # 1949 a=${BCAST_IP} 1950 log_start 1951 run_cmd nettest -s -D -P icmp -l ${a} -b 1952 log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address" 1953 1954 a=${MCAST_IP} 1955 log_start 1956 run_cmd nettest -s -D -P icmp -l ${a} -b 1957 log_test_addr ${a} $? 1 "ICMP socket bind to multicast address" 1958 1959 # 1960 # tcp sockets 1961 # 1962 a=${NSA_IP} 1963 log_start 1964 run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b 1965 log_test_addr ${a} $? 0 "TCP socket bind to local address" 1966 1967 log_start 1968 run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b 1969 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind" 1970 1971 # Sadly, the kernel allows binding a socket to a device and then 1972 # binding to an address not on the device. The only restriction 1973 # is that the address is valid in the L3 domain. So this test 1974 # passes when it really should not 1975 #a=${NSA_LO_IP} 1976 #log_start 1977 #show_hint "Should fail with 'Cannot assign requested address'" 1978 #run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 1979 #log_test_addr ${a} $? 
1 "TCP socket bind to out of scope local address" 1980} 1981 1982ipv4_addr_bind_vrf() 1983{ 1984 # 1985 # raw socket 1986 # 1987 for a in ${NSA_IP} ${VRF_IP} 1988 do 1989 log_start 1990 show_hint "Socket not bound to VRF, but address is in VRF" 1991 run_cmd nettest -s -R -P icmp -l ${a} -b 1992 log_test_addr ${a} $? 1 "Raw socket bind to local address" 1993 1994 log_start 1995 run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b 1996 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" 1997 log_start 1998 run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b 1999 log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind" 2000 done 2001 2002 a=${NSA_LO_IP} 2003 log_start 2004 show_hint "Address on loopback is out of VRF scope" 2005 run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b 2006 log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind" 2007 2008 # 2009 # tests for nonlocal bind 2010 # 2011 a=${NL_IP} 2012 log_start 2013 run_cmd nettest -s -R -f -l ${a} -I ${VRF} -b 2014 log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind" 2015 2016 log_start 2017 run_cmd nettest -s -f -l ${a} -I ${VRF} -b 2018 log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address after VRF bind" 2019 2020 log_start 2021 run_cmd nettest -s -D -P icmp -f -l ${a} -I ${VRF} -b 2022 log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address after VRF bind" 2023 2024 # 2025 # check that ICMP sockets cannot bind to broadcast and multicast addresses 2026 # 2027 a=${BCAST_IP} 2028 log_start 2029 run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b 2030 log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address after VRF bind" 2031 2032 a=${MCAST_IP} 2033 log_start 2034 run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b 2035 log_test_addr ${a} $? 
1 "ICMP socket bind to multicast address after VRF bind" 2036 2037 # 2038 # tcp sockets 2039 # 2040 for a in ${NSA_IP} ${VRF_IP} 2041 do 2042 log_start 2043 run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b 2044 log_test_addr ${a} $? 0 "TCP socket bind to local address" 2045 2046 log_start 2047 run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 2048 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind" 2049 done 2050 2051 a=${NSA_LO_IP} 2052 log_start 2053 show_hint "Address on loopback out of scope for VRF" 2054 run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b 2055 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF" 2056 2057 log_start 2058 show_hint "Address on loopback out of scope for device in VRF" 2059 run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 2060 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind" 2061} 2062 2063ipv4_addr_bind() 2064{ 2065 log_section "IPv4 address binds" 2066 2067 log_subsection "No VRF" 2068 setup 2069 set_ping_group 2070 ipv4_addr_bind_novrf 2071 2072 log_subsection "With VRF" 2073 setup "yes" 2074 set_ping_group 2075 ipv4_addr_bind_vrf 2076} 2077 2078################################################################################ 2079# IPv4 runtime tests 2080 2081ipv4_rt() 2082{ 2083 local desc="$1" 2084 local varg="$2" 2085 local with_vrf="yes" 2086 local a 2087 2088 # 2089 # server tests 2090 # 2091 for a in ${NSA_IP} ${VRF_IP} 2092 do 2093 log_start 2094 run_cmd nettest ${varg} -s & 2095 sleep 1 2096 run_cmd_nsb nettest ${varg} -r ${a} & 2097 sleep 3 2098 run_cmd ip link del ${VRF} 2099 sleep 1 2100 log_test_addr ${a} 0 0 "${desc}, global server" 2101 2102 setup ${with_vrf} 2103 done 2104 2105 for a in ${NSA_IP} ${VRF_IP} 2106 do 2107 log_start 2108 run_cmd nettest ${varg} -s -I ${VRF} & 2109 sleep 1 2110 run_cmd_nsb nettest ${varg} -r ${a} & 2111 sleep 3 2112 run_cmd ip link del ${VRF} 2113 sleep 1 2114 log_test_addr ${a} 0 0 "${desc}, VRF server" 2115 2116 setup 
${with_vrf} 2117 done 2118 2119 a=${NSA_IP} 2120 log_start 2121 run_cmd nettest ${varg} -s -I ${NSA_DEV} & 2122 sleep 1 2123 run_cmd_nsb nettest ${varg} -r ${a} & 2124 sleep 3 2125 run_cmd ip link del ${VRF} 2126 sleep 1 2127 log_test_addr ${a} 0 0 "${desc}, enslaved device server" 2128 2129 setup ${with_vrf} 2130 2131 # 2132 # client test 2133 # 2134 log_start 2135 run_cmd_nsb nettest ${varg} -s & 2136 sleep 1 2137 run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} & 2138 sleep 3 2139 run_cmd ip link del ${VRF} 2140 sleep 1 2141 log_test_addr ${a} 0 0 "${desc}, VRF client" 2142 2143 setup ${with_vrf} 2144 2145 log_start 2146 run_cmd_nsb nettest ${varg} -s & 2147 sleep 1 2148 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} & 2149 sleep 3 2150 run_cmd ip link del ${VRF} 2151 sleep 1 2152 log_test_addr ${a} 0 0 "${desc}, enslaved device client" 2153 2154 setup ${with_vrf} 2155 2156 # 2157 # local address tests 2158 # 2159 for a in ${NSA_IP} ${VRF_IP} 2160 do 2161 log_start 2162 run_cmd nettest ${varg} -s & 2163 sleep 1 2164 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 2165 sleep 3 2166 run_cmd ip link del ${VRF} 2167 sleep 1 2168 log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local" 2169 2170 setup ${with_vrf} 2171 done 2172 2173 for a in ${NSA_IP} ${VRF_IP} 2174 do 2175 log_start 2176 run_cmd nettest ${varg} -I ${VRF} -s & 2177 sleep 1 2178 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 2179 sleep 3 2180 run_cmd ip link del ${VRF} 2181 sleep 1 2182 log_test_addr ${a} 0 0 "${desc}, VRF server and client, local" 2183 2184 setup ${with_vrf} 2185 done 2186 2187 a=${NSA_IP} 2188 log_start 2189 2190 run_cmd nettest ${varg} -s & 2191 sleep 1 2192 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 2193 sleep 3 2194 run_cmd ip link del ${VRF} 2195 sleep 1 2196 log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local" 2197 2198 setup ${with_vrf} 2199 2200 log_start 2201 run_cmd nettest ${varg} -I ${VRF} -s & 2202 sleep 1 2203 run_cmd nettest ${varg} 
-d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local"
}

# Delete the VRF device while a flood ping (ping -f) is running through it.
#
# Inbound: ping from the run_cmd_nsb side to NSA_IP and VRF_IP, with the
# setup rebuilt after each delete. Outbound: ping bound to the VRF towards
# NSB_IP. The VRF is left deleted on return; ipv4_runtime runs setup again
# before the next group.
#
# Every result is logged with rc 0 and expected 0, so the entries always
# read OK. The background ping is stopped by log_test, which ends with
# kill_procs.
# NOTE(review): presumably the real signal is that the kernel survives the
# delete under traffic - confirm.
ipv4_ping_rt()
{
	local with_vrf="yes"
	local a

	# traffic coming in while the VRF goes away
	for a in "${NSA_IP}" "${VRF_IP}"
	do
		log_start
		run_cmd_nsb ping -f "${a}" &
		sleep 3
		run_cmd ip link del "${VRF}"
		sleep 1
		log_test_addr "${a}" 0 0 "Device delete with active traffic - ping in"

		# bring the VRF back for the next address
		setup "${with_vrf}"
	done

	# traffic going out through the VRF while it goes away
	a=${NSB_IP}
	log_start
	run_cmd ping -f -I "${VRF}" "${a}" &
	sleep 3
	run_cmd ip link del "${VRF}"
	sleep 1
	log_test_addr "${a}" 0 0 "Device delete with active traffic - ping out"
}

# Run the IPv4 run-time tests: ping, then TCP active and TCP passive sockets.
#
# Each group ends with the VRF device deleted, so each one starts from a
# fresh VRF setup.
ipv4_runtime()
{
	log_section "Run time tests - ipv4"

	setup yes
	ipv4_ping_rt

	# second argument is the extra nettest option string handed to ipv4_rt
	setup yes
	ipv4_rt "TCP active socket" "-n -1"

	setup yes
	ipv4_rt "TCP passive socket" "-i"
}

################################################################################
# IPv6

ipv6_ping_novrf()
{
	local a

	# should not have an impact, but make a known state
	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping out"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $?
0 "ping out, device bind" 2286 2287 log_start 2288 run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a} 2289 log_test_addr ${a} $? 0 "ping out, loopback address bind" 2290 done 2291 2292 # 2293 # in 2294 # 2295 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV} 2296 do 2297 log_start 2298 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2299 log_test_addr ${a} $? 0 "ping in" 2300 done 2301 2302 # 2303 # local traffic, local address 2304 # 2305 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2306 do 2307 log_start 2308 run_cmd ${ping6} -c1 -w1 ${a} 2309 log_test_addr ${a} $? 0 "ping local, no bind" 2310 done 2311 2312 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2313 do 2314 log_start 2315 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2316 log_test_addr ${a} $? 0 "ping local, device bind" 2317 done 2318 2319 for a in ${NSA_LO_IP6} ::1 2320 do 2321 log_start 2322 show_hint "Fails since address on loopback is out of device scope" 2323 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2324 log_test_addr ${a} $? 2 "ping local, device bind" 2325 done 2326 2327 # 2328 # ip rule blocks address 2329 # 2330 log_start 2331 setup_cmd ip -6 rule add pref 32765 from all lookup local 2332 setup_cmd ip -6 rule del pref 0 from all lookup local 2333 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2334 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2335 2336 a=${NSB_LO_IP6} 2337 run_cmd ${ping6} -c1 -w1 ${a} 2338 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2339 2340 log_start 2341 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2342 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2343 2344 a=${NSA_LO_IP6} 2345 log_start 2346 show_hint "Response lost due to ip rule" 2347 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2348 log_test_addr ${a} $? 
1 "ping in, blocked by rule" 2349 2350 setup_cmd ip -6 rule add pref 0 from all lookup local 2351 setup_cmd ip -6 rule del pref 32765 from all lookup local 2352 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2353 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2354 2355 # 2356 # route blocks reachability to remote address 2357 # 2358 log_start 2359 setup_cmd ip -6 route del ${NSB_LO_IP6} 2360 setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10 2361 setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10 2362 2363 a=${NSB_LO_IP6} 2364 run_cmd ${ping6} -c1 -w1 ${a} 2365 log_test_addr ${a} $? 2 "ping out, blocked by route" 2366 2367 log_start 2368 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2369 log_test_addr ${a} $? 2 "ping out, device bind, blocked by route" 2370 2371 a=${NSA_LO_IP6} 2372 log_start 2373 show_hint "Response lost due to ip route" 2374 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2375 log_test_addr ${a} $? 1 "ping in, blocked by route" 2376 2377 2378 # 2379 # remove 'remote' routes; fallback to default 2380 # 2381 log_start 2382 setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6} 2383 setup_cmd ip -6 ro del unreachable ${NSB_IP6} 2384 2385 a=${NSB_LO_IP6} 2386 run_cmd ${ping6} -c1 -w1 ${a} 2387 log_test_addr ${a} $? 2 "ping out, unreachable route" 2388 2389 log_start 2390 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2391 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 2392} 2393 2394ipv6_ping_vrf() 2395{ 2396 local a 2397 2398 # should default on; does not exist on older kernels 2399 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 2400 2401 # 2402 # out 2403 # 2404 for a in ${NSB_IP6} ${NSB_LO_IP6} 2405 do 2406 log_start 2407 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2408 log_test_addr ${a} $? 
0 "ping out, VRF bind" 2409 done 2410 2411 for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF} 2412 do 2413 log_start 2414 show_hint "Fails since VRF device does not support linklocal or multicast" 2415 run_cmd ${ping6} -c1 -w1 ${a} 2416 log_test_addr ${a} $? 1 "ping out, VRF bind" 2417 done 2418 2419 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2420 do 2421 log_start 2422 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2423 log_test_addr ${a} $? 0 "ping out, device bind" 2424 done 2425 2426 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2427 do 2428 log_start 2429 run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a} 2430 log_test_addr ${a} $? 0 "ping out, vrf device+address bind" 2431 done 2432 2433 # 2434 # in 2435 # 2436 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV} 2437 do 2438 log_start 2439 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2440 log_test_addr ${a} $? 0 "ping in" 2441 done 2442 2443 a=${NSA_LO_IP6} 2444 log_start 2445 show_hint "Fails since loopback address is out of VRF scope" 2446 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2447 log_test_addr ${a} $? 1 "ping in" 2448 2449 # 2450 # local traffic, local address 2451 # 2452 for a in ${NSA_IP6} ${VRF_IP6} ::1 2453 do 2454 log_start 2455 show_hint "Source address should be ${a}" 2456 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2457 log_test_addr ${a} $? 0 "ping local, VRF bind" 2458 done 2459 2460 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2461 do 2462 log_start 2463 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2464 log_test_addr ${a} $? 
0 "ping local, device bind" 2465 done 2466 2467 # LLA to GUA - remove ipv6 global addresses from ns-B 2468 setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 2469 setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo 2470 setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2471 2472 for a in ${NSA_IP6} ${VRF_IP6} 2473 do 2474 log_start 2475 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 2476 log_test_addr ${a} $? 0 "ping in, LLA to GUA" 2477 done 2478 2479 setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2480 setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} 2481 setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo 2482 2483 # 2484 # ip rule blocks address 2485 # 2486 log_start 2487 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2488 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2489 2490 a=${NSB_LO_IP6} 2491 run_cmd ${ping6} -c1 -w1 ${a} 2492 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2493 2494 log_start 2495 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2496 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2497 2498 a=${NSA_LO_IP6} 2499 log_start 2500 show_hint "Response lost due to ip rule" 2501 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2502 log_test_addr ${a} $? 1 "ping in, blocked by rule" 2503 2504 log_start 2505 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2506 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2507 2508 # 2509 # remove 'remote' routes; fallback to default 2510 # 2511 log_start 2512 setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF} 2513 2514 a=${NSB_LO_IP6} 2515 run_cmd ${ping6} -c1 -w1 ${a} 2516 log_test_addr ${a} $? 2 "ping out, unreachable route" 2517 2518 log_start 2519 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2520 log_test_addr ${a} $? 
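2 "ping out, device bind, unreachable route"

	ip -netns ${NSB} -6 ro del ${NSA_LO_IP6}
	a=${NSA_LO_IP6}
	log_start
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping in, unreachable route"
}

#
# Entry point for the IPv6 ping tests.
#
# Each variant (no VRF, with VRF) is run twice on a freshly built topology:
# once as-is and once after set_ping_group. set_ping_group is defined
# elsewhere in this file; presumably it switches ping to ICMP datagram
# sockets - confirm there.
#
ipv6_ping()
{
	log_section "IPv6 ping"

	log_subsection "No VRF"
	setup
	ipv6_ping_novrf
	setup
	set_ping_group
	ipv6_ping_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_ping_vrf
	setup "yes"
	set_ping_group
	ipv6_ping_vrf
}

################################################################################
# IPv6 TCP

#
# MD5 tests without VRF
#
# TCP MD5 signature checks over IPv6 with no VRF configured. Each case
# starts a nettest server in the background with a password (-M) tied to a
# peer address or prefix (-m), then runs a client through run_cmd_nsb with
# its own password (-X). The client's exit status is compared with the
# expected value: 0 where the connection must succeed, 2 where the hint
# says the attempt should time out.
#
# Covered: matching key, server with no key, wrong key, key configured for
# a different peer address, and the prefix (NS_NET6) variants of the same.
# The rejection cases are the ones that matter for the authentication
# property: a segment with a missing, wrong or mis-scoped key must not
# result in a connection.
#
# MD5_PW / MD5_WRONG_PW are fixed fixture strings set at the top of the
# script and are passed on the nettest command line, which is fine for
# throwaway test namespaces only.
#
ipv6_tcp_md5_novrf()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Prefix config, client uses wrong password"

	# client outside of prefix
	# (-c ${NSB_LO_IP6} presumably sets the client's source address so that
	# it falls outside NS_NET6 - confirm against nettest usage)
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
}

#
# MD5 tests with VRF
#
# Same single-address and prefix cases as ipv6_tcp_md5_novrf, with the
# server bound to the VRF (-I ${VRF}), followed by two further groups:
#
#  - duplicate config: two servers are started for the same peer, one bound
#    to the VRF with MD5_PW and one unbound with MD5_WRONG_PW. Per the test
#    labels, clients run through run_cmd_nsb connect in the VRF and clients
#    run through run_cmd_nsc connect in the default VRF. A client must
#    succeed (rc 0) only with the password configured for the domain it
#    arrives in; using the other domain's password is expected to time out
#    (rc 2). This pins down that keys are scoped per L3 domain and a key
#    from one domain does not authenticate traffic in the other.
#
#  - negative tests: the server is run in the foreground with -I set to an
#    enslaved device instead of the VRF; the server itself is expected to
#    exit with rc 1 ("Device must be a VRF").
#
# The caller in this file (ipv6_tcp_vrf) wraps this function in
# setup_vrf_dup / cleanup_vrf_dup and only runs it when fips_enabled is 0.
#
ipv6_tcp_md5()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout since server does not have MD5 auth"
	run_cmd nettest -6 -s -I ${VRF} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout since server config differs from client"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"

	# client outside of prefix
	log_start
	show_hint "Should timeout since client address is outside of prefix"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"

	#
	# duplicate config between default VRF and a VRF
	#

	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"

	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"

	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"

	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"

	#
	# negative tests
	#
	# the server runs in the foreground here, so $? is the server's own
	# exit status rather than a client's
	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6}
	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"

	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6}
	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"

}

ipv6_tcp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	# verify TCP reset received
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
	do
		log_start
		run_cmd_nsb nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Client"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
	do
		log_start
		run_cmd_nsb nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $?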
0 "Client, device bind" 2807 done 2808 2809 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2810 do 2811 log_start 2812 show_hint "Should fail 'Connection refused'" 2813 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2814 log_test_addr ${a} $? 1 "No server, device client" 2815 done 2816 2817 # 2818 # local address tests 2819 # 2820 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 2821 do 2822 log_start 2823 run_cmd nettest -6 -s & 2824 sleep 1 2825 run_cmd nettest -6 -r ${a} 2826 log_test_addr ${a} $? 0 "Global server, local connection" 2827 done 2828 2829 a=${NSA_IP6} 2830 log_start 2831 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2832 sleep 1 2833 run_cmd nettest -6 -r ${a} -0 ${a} 2834 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 2835 2836 for a in ${NSA_LO_IP6} ::1 2837 do 2838 log_start 2839 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2840 run_cmd nettest -6 -s -I ${NSA_DEV} & 2841 sleep 1 2842 run_cmd nettest -6 -r ${a} 2843 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 2844 done 2845 2846 a=${NSA_IP6} 2847 log_start 2848 run_cmd nettest -6 -s & 2849 sleep 1 2850 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2851 log_test_addr ${a} $? 0 "Global server, device client, local connection" 2852 2853 for a in ${NSA_LO_IP6} ::1 2854 do 2855 log_start 2856 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2857 run_cmd nettest -6 -s & 2858 sleep 1 2859 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2860 log_test_addr ${a} $? 1 "Global server, device client, local connection" 2861 done 2862 2863 for a in ${NSA_IP6} ${NSA_LINKIP6} 2864 do 2865 log_start 2866 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2867 sleep 1 2868 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2869 log_test_addr ${a} $? 
0 "Device server, device client, local conn" 2870 done 2871 2872 for a in ${NSA_IP6} ${NSA_LINKIP6} 2873 do 2874 log_start 2875 show_hint "Should fail 'Connection refused'" 2876 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2877 log_test_addr ${a} $? 1 "No server, device client, local conn" 2878 done 2879 2880 [ "$fips_enabled" = "1" ] || ipv6_tcp_md5_novrf 2881} 2882 2883ipv6_tcp_vrf() 2884{ 2885 local a 2886 2887 # disable global server 2888 log_subsection "Global server disabled" 2889 2890 set_sysctl net.ipv4.tcp_l3mdev_accept=0 2891 2892 # 2893 # server tests 2894 # 2895 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2896 do 2897 log_start 2898 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2899 run_cmd nettest -6 -s & 2900 sleep 1 2901 run_cmd_nsb nettest -6 -r ${a} 2902 log_test_addr ${a} $? 1 "Global server" 2903 done 2904 2905 for a in ${NSA_IP6} ${VRF_IP6} 2906 do 2907 log_start 2908 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2909 sleep 1 2910 run_cmd_nsb nettest -6 -r ${a} 2911 log_test_addr ${a} $? 0 "VRF server" 2912 done 2913 2914 # link local is always bound to ingress device 2915 a=${NSA_LINKIP6}%${NSB_DEV} 2916 log_start 2917 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2918 sleep 1 2919 run_cmd_nsb nettest -6 -r ${a} 2920 log_test_addr ${a} $? 0 "VRF server" 2921 2922 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2923 do 2924 log_start 2925 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2926 sleep 1 2927 run_cmd_nsb nettest -6 -r ${a} 2928 log_test_addr ${a} $? 0 "Device server" 2929 done 2930 2931 # verify TCP reset received 2932 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2933 do 2934 log_start 2935 show_hint "Should fail 'Connection refused'" 2936 run_cmd_nsb nettest -6 -r ${a} 2937 log_test_addr ${a} $? 
1 "No server" 2938 done 2939 2940 # local address tests 2941 a=${NSA_IP6} 2942 log_start 2943 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2944 run_cmd nettest -6 -s & 2945 sleep 1 2946 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2947 log_test_addr ${a} $? 1 "Global server, local connection" 2948 2949 # run MD5 tests 2950 if [ "$fips_enabled" = "0" ]; then 2951 setup_vrf_dup 2952 ipv6_tcp_md5 2953 cleanup_vrf_dup 2954 fi 2955 2956 # 2957 # enable VRF global server 2958 # 2959 log_subsection "VRF Global server enabled" 2960 set_sysctl net.ipv4.tcp_l3mdev_accept=1 2961 2962 for a in ${NSA_IP6} ${VRF_IP6} 2963 do 2964 log_start 2965 run_cmd nettest -6 -s -3 ${VRF} & 2966 sleep 1 2967 run_cmd_nsb nettest -6 -r ${a} 2968 log_test_addr ${a} $? 0 "Global server" 2969 done 2970 2971 for a in ${NSA_IP6} ${VRF_IP6} 2972 do 2973 log_start 2974 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2975 sleep 1 2976 run_cmd_nsb nettest -6 -r ${a} 2977 log_test_addr ${a} $? 0 "VRF server" 2978 done 2979 2980 # For LLA, child socket is bound to device 2981 a=${NSA_LINKIP6}%${NSB_DEV} 2982 log_start 2983 run_cmd nettest -6 -s -3 ${NSA_DEV} & 2984 sleep 1 2985 run_cmd_nsb nettest -6 -r ${a} 2986 log_test_addr ${a} $? 0 "Global server" 2987 2988 log_start 2989 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2990 sleep 1 2991 run_cmd_nsb nettest -6 -r ${a} 2992 log_test_addr ${a} $? 0 "VRF server" 2993 2994 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2995 do 2996 log_start 2997 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2998 sleep 1 2999 run_cmd_nsb nettest -6 -r ${a} 3000 log_test_addr ${a} $? 0 "Device server" 3001 done 3002 3003 # verify TCP reset received 3004 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 3005 do 3006 log_start 3007 show_hint "Should fail 'Connection refused'" 3008 run_cmd_nsb nettest -6 -r ${a} 3009 log_test_addr ${a} $? 
1 "No server" 3010 done 3011 3012 # local address tests 3013 for a in ${NSA_IP6} ${VRF_IP6} 3014 do 3015 log_start 3016 show_hint "Fails 'Connection refused' since client is not in VRF" 3017 run_cmd nettest -6 -s -I ${VRF} & 3018 sleep 1 3019 run_cmd nettest -6 -r ${a} 3020 log_test_addr ${a} $? 1 "Global server, local connection" 3021 done 3022 3023 3024 # 3025 # client 3026 # 3027 for a in ${NSB_IP6} ${NSB_LO_IP6} 3028 do 3029 log_start 3030 run_cmd_nsb nettest -6 -s & 3031 sleep 1 3032 run_cmd nettest -6 -r ${a} -d ${VRF} 3033 log_test_addr ${a} $? 0 "Client, VRF bind" 3034 done 3035 3036 a=${NSB_LINKIP6} 3037 log_start 3038 show_hint "Fails since VRF device does not allow linklocal addresses" 3039 run_cmd_nsb nettest -6 -s & 3040 sleep 1 3041 run_cmd nettest -6 -r ${a} -d ${VRF} 3042 log_test_addr ${a} $? 1 "Client, VRF bind" 3043 3044 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 3045 do 3046 log_start 3047 run_cmd_nsb nettest -6 -s & 3048 sleep 1 3049 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 3050 log_test_addr ${a} $? 0 "Client, device bind" 3051 done 3052 3053 for a in ${NSB_IP6} ${NSB_LO_IP6} 3054 do 3055 log_start 3056 show_hint "Should fail 'Connection refused'" 3057 run_cmd nettest -6 -r ${a} -d ${VRF} 3058 log_test_addr ${a} $? 1 "No server, VRF client" 3059 done 3060 3061 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 3062 do 3063 log_start 3064 show_hint "Should fail 'Connection refused'" 3065 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 3066 log_test_addr ${a} $? 1 "No server, device client" 3067 done 3068 3069 for a in ${NSA_IP6} ${VRF_IP6} ::1 3070 do 3071 log_start 3072 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 3073 sleep 1 3074 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 3075 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 3076 done 3077 3078 a=${NSA_IP6} 3079 log_start 3080 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 3081 sleep 1 3082 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 3083 log_test_addr ${a} $? 
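0 "VRF server, device client, local connection"

	a=${NSA_IP6}
	log_start
	show_hint "Should fail since unbound client is out of VRF scope"
	run_cmd nettest -6 -s -I ${VRF} &
	sleep 1
	run_cmd nettest -6 -r ${a}
	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"

	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"

	for a in ${NSA_IP6} ${NSA_LINKIP6}
	do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
		log_test_addr ${a} $? 0 "Device server, device client, local connection"
	done
}

#
# Entry point for the IPv6 TCP tests.
#
# Without a VRF the no-VRF suite is run twice, once with
# net.ipv4.tcp_l3mdev_accept set to 0 and once set to 1, on the same
# topology. The VRF suite then runs on a freshly built VRF topology and
# sets the sysctl itself.
#
ipv6_tcp()
{
	log_section "IPv6/TCP"
	log_subsection "No VRF"
	setup

	# tcp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "tcp_l3mdev_accept disabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=0
	ipv6_tcp_novrf
	log_subsection "tcp_l3mdev_accept enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1
	ipv6_tcp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_tcp_vrf
}

################################################################################
# IPv6 UDP

ipv6_udp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $?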
0 "Device server" 3152 done 3153 3154 a=${NSA_LO_IP6} 3155 log_start 3156 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3157 sleep 1 3158 run_cmd_nsb nettest -6 -D -r ${a} 3159 log_test_addr ${a} $? 0 "Global server" 3160 3161 # should fail since loopback address is out of scope for a device 3162 # bound server, but it does not - hence this is more documenting 3163 # behavior. 3164 #log_start 3165 #show_hint "Should fail since loopback address is out of scope" 3166 #run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3167 #sleep 1 3168 #run_cmd_nsb nettest -6 -D -r ${a} 3169 #log_test_addr ${a} $? 1 "Device server" 3170 3171 # negative test - should fail 3172 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 3173 do 3174 log_start 3175 show_hint "Should fail 'Connection refused' since there is no server" 3176 run_cmd_nsb nettest -6 -D -r ${a} 3177 log_test_addr ${a} $? 1 "No server" 3178 done 3179 3180 # 3181 # client 3182 # 3183 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 3184 do 3185 log_start 3186 run_cmd_nsb nettest -6 -D -s & 3187 sleep 1 3188 run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6} 3189 log_test_addr ${a} $? 0 "Client" 3190 3191 log_start 3192 run_cmd_nsb nettest -6 -D -s & 3193 sleep 1 3194 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6} 3195 log_test_addr ${a} $? 0 "Client, device bind" 3196 3197 log_start 3198 run_cmd_nsb nettest -6 -D -s & 3199 sleep 1 3200 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6} 3201 log_test_addr ${a} $? 0 "Client, device send via cmsg" 3202 3203 log_start 3204 run_cmd_nsb nettest -6 -D -s & 3205 sleep 1 3206 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6} 3207 log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF" 3208 3209 log_start 3210 show_hint "Should fail 'Connection refused'" 3211 run_cmd nettest -6 -D -r ${a} 3212 log_test_addr ${a} $? 
1 "No server, unbound client" 3213 3214 log_start 3215 show_hint "Should fail 'Connection refused'" 3216 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3217 log_test_addr ${a} $? 1 "No server, device client" 3218 done 3219 3220 # 3221 # local address tests 3222 # 3223 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 3224 do 3225 log_start 3226 run_cmd nettest -6 -D -s & 3227 sleep 1 3228 run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a} 3229 log_test_addr ${a} $? 0 "Global server, local connection" 3230 done 3231 3232 a=${NSA_IP6} 3233 log_start 3234 run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 3235 sleep 1 3236 run_cmd nettest -6 -D -r ${a} 3237 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 3238 3239 for a in ${NSA_LO_IP6} ::1 3240 do 3241 log_start 3242 show_hint "Should fail 'Connection refused' since address is out of device scope" 3243 run_cmd nettest -6 -s -D -I ${NSA_DEV} & 3244 sleep 1 3245 run_cmd nettest -6 -D -r ${a} 3246 log_test_addr ${a} $? 1 "Device server, local connection" 3247 done 3248 3249 a=${NSA_IP6} 3250 log_start 3251 run_cmd nettest -6 -s -D & 3252 sleep 1 3253 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3254 log_test_addr ${a} $? 0 "Global server, device client, local connection" 3255 3256 log_start 3257 run_cmd nettest -6 -s -D & 3258 sleep 1 3259 run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a} 3260 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 3261 3262 log_start 3263 run_cmd nettest -6 -s -D & 3264 sleep 1 3265 run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a} 3266 log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection" 3267 3268 for a in ${NSA_LO_IP6} ::1 3269 do 3270 log_start 3271 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3272 run_cmd nettest -6 -D -s & 3273 sleep 1 3274 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3275 log_test_addr ${a} $? 
1 "Global server, device client, local connection" 3276 3277 log_start 3278 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3279 run_cmd nettest -6 -D -s & 3280 sleep 1 3281 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C 3282 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 3283 3284 log_start 3285 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3286 run_cmd nettest -6 -D -s & 3287 sleep 1 3288 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S 3289 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 3290 3291 log_start 3292 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3293 run_cmd nettest -6 -D -s & 3294 sleep 1 3295 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -U 3296 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()" 3297 done 3298 3299 a=${NSA_IP6} 3300 log_start 3301 run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3302 sleep 1 3303 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a} 3304 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3305 3306 log_start 3307 show_hint "Should fail 'Connection refused'" 3308 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3309 log_test_addr ${a} $? 1 "No server, device client, local conn" 3310 3311 # LLA to GUA 3312 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3313 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3314 log_start 3315 run_cmd nettest -6 -s -D & 3316 sleep 1 3317 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3318 log_test $? 
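0 "UDP in - LLA to GUA"

	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}

# IPv6 UDP permutations with ns-A's device in the VRF. The whole matrix is run
# twice: first with net.ipv4.udp_l3mdev_accept=0 ("Global server disabled"),
# then with it set to 1 ("Global server enabled"). Each case starts a nettest
# server in the background, waits a second, runs the client and hands the
# client's exit status plus the expected status to log_test / log_test_addr.
ipv6_udp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server is disabled"
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"
	done

	# negative test - should fail
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server is disabled"
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "Global server, VRF client, local conn"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${VRF} -s &
		sleep 1
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
	done

	a=${NSA_IP6}
	log_start
	show_hint "Should fail 'Connection refused' since global server is disabled"
	run_cmd nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "Global server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"

	# enable global server
	log_subsection "Global server enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"
	done

	# negative test - should fail
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client tests
	#
	log_start
	run_cmd_nsb nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
	log_test $? 0 "VRF client"

	# negative test - should fail
	log_start
	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
	log_test $? 1 "No server, VRF client"

	log_start
	run_cmd_nsb nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
	log_test $? 0 "Enslaved device client"

	# negative test - should fail
	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
	log_test $? 1 "No server, enslaved device client"

	#
	# local address tests
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

	# NOTE(review): this is the only case in the function whose log_start is
	# commented out; left as found - confirm whether that is intentional.
	#log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"


	a=${VRF_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${VRF} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"

	# negative test - should fail
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
	done

	# device to global IP
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "No server, device client, local conn"


	# link local addresses
	log_start
	run_cmd nettest -6 -D -s &
	sleep 1
	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
	log_test $? 0 "Global server, linklocal IP"

	log_start
	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
	log_test $? 1 "No server, linklocal IP"


	log_start
	run_cmd_nsb nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
	log_test $? 0 "Enslaved device client, linklocal IP"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
	log_test $? 1 "No server, device client, peer linklocal IP"


	log_start
	run_cmd nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
	log_test $? 0 "Enslaved device client, local conn - linklocal IP"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
	log_test $? 1 "No server, device client, local conn - linklocal IP"

	# LLA to GUA
	# ns-B temporarily loses its global address and gets a /128 route to
	# ns-A instead; both changes are reverted after the test.
	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -D &
	sleep 1
	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
	log_test $? 0 "UDP in - LLA to GUA"

	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}

# Entry point for the IPv6 UDP set: runs the no-VRF cases with
# udp_l3mdev_accept off and on, then rebuilds the topology with a VRF
# (setup "yes") and runs the VRF cases.
ipv6_udp()
{
	# should not matter, but set to known state
	set_sysctl net.ipv4.udp_early_demux=1

	log_section "IPv6/UDP"
	log_subsection "No VRF"
	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv6_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv6_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_udp_vrf
}

################################################################################
# IPv6 address bind

# Bind-only checks (nettest -b) for raw and TCP sockets without a VRF.
# Note that 'a' is not declared local here, so the assignments below write
# the script-level variable.
ipv6_addr_bind_novrf()
{
	#
	# raw socket
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# raw socket with nonlocal bind
	#
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

	#
	# tcp sockets
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. So this test passes
	# when it really should not
	a=${NSA_LO_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
}

# Bind-only checks with the VRF configured: addresses on the enslaved device
# and on the VRF are expected to bind (rc 0), the loopback address is
# expected to be rejected (rc 1) because it is outside the VRF.
# As in the no-VRF variant, 'a' is not declared local.
ipv6_addr_bind_vrf()
{
	#
	# raw socket
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"

	#
	# raw socket with nonlocal bind
	#
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	#
	# tcp sockets
	#
	# address on enslaved device is valid for the VRF or device in a VRF
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not
	a=${VRF_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"

}

# Entry point for the IPv6 bind set: no-VRF topology first, then VRF.
ipv6_addr_bind()
{
	log_section "IPv6 address binds"

	log_subsection "No VRF"
	setup
	ipv6_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_addr_bind_vrf
}

################################################################################
# IPv6 runtime tests

# Delete the VRF device while nettest traffic is in flight.
# Arguments: $1 - description used as the test-name prefix
#            $2 - extra nettest options, appended after -6
# Every result is logged with rc and expected both hard-coded to 0, so a case
# is recorded as passing whenever the sequence runs to completion; the
# topology is rebuilt with setup after each deletion.
ipv6_rt()
{
	local desc="$1"
	local varg="-6 $2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${NSA_DEV} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, enslaved device server"

		setup ${with_vrf}
	done

	#
	# client test
	#
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, enslaved device client"

	setup ${with_vrf}


	#
	# local address tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server, VRF client"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server and client"

		setup ${with_vrf}
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, global server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${VRF} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, device server, device client"
}

# Delete the VRF device while a flood ping (-f) is running, inbound from
# ns-B and then outbound from ns-A. Results are logged with rc 0 / expected 0.
ipv6_ping_rt()
{
	local with_vrf="yes"
	local a

	a=${NSA_IP6}
	log_start
	run_cmd_nsb ${ping6} -f ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

	setup ${with_vrf}

	# NOTE(review): the ping below targets ${NSB_IP6}, but the result is
	# labelled with ${a} (still ${NSA_IP6}) - confirm which is intended.
	log_start
	run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
	sleep 1
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

# Entry point for the IPv6 runtime set; the VRF topology is rebuilt before
# each group because the groups delete the VRF device.
ipv6_runtime()
{
	log_section "Run time tests - ipv6"

	setup "yes"
	ipv6_ping_rt

	setup "yes"
	ipv6_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv6_rt "TCP passive socket" "-i"

	setup "yes"
	ipv6_rt "UDP active socket" "-D -n -1"
}

################################################################################
# netfilter blocking connections

# IPv4 TCP connect from ns-B while the caller has a REJECT rule installed;
# the client is expected to fail (rc 1).
netfilter_tcp_reset()
{
	local a

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

# IPv4 connect from ns-B that is expected to fail (rc 1) under the caller's
# icmp-port-unreachable REJECT rules.
# Arguments: $1 - "TCP" or "UDP"; "UDP" adds -D to both nettest commands.
netfilter_icmp()
{
	local stype="$1"
	local arg
	local a

	[ "${stype}" = "UDP" ] && arg="-D"

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${arg} -s &
		sleep 1
		run_cmd_nsb nettest ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}

# IPv4 netfilter set: installs REJECT rules for port 12345 on INPUT, first
# with tcp-reset and then with icmp-port-unreachable, and checks that
# connections from ns-B fail.
ipv4_netfilter()
{
	log_section "IPv4 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp_reset

	log_start
	log_subsection "ICMP unreachable"

	log_start
	run_cmd iptables -F
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
	run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable

	netfilter_icmp "TCP"
	netfilter_icmp "UDP"

	log_start
	# Flush through run_cmd, like every other rule change in this function,
	# so the cleanup hits the ruleset the test populated. A bare
	# 'iptables -F' acts on the namespace the script was started from and
	# would empty that filter table instead.
	# NOTE(review): run_cmd is defined outside this view; presumably it
	# executes its arguments inside ns-A - confirm.
	run_cmd iptables -F
}

# IPv6 counterpart of netfilter_tcp_reset.
netfilter_tcp6_reset()
{
	local a

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

# IPv6 counterpart of netfilter_icmp.
# Arguments: $1 - "TCP" or "UDP"; "UDP" adds -D to both nettest commands.
netfilter_icmp6()
{
	local stype="$1"
	local arg
	local a

	[ "${stype}" = "UDP" ] && arg="$arg -D"

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s ${arg} &
		sleep 1
		run_cmd_nsb nettest -6 ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}

# IPv6 netfilter set: same sequence as ipv4_netfilter using ip6tables and
# icmp6-port-unreachable.
ipv6_netfilter()
{
	log_section "IPv6 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp6_reset

	log_subsection "ICMP unreachable"

	log_start
	run_cmd ip6tables -F
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
	run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable

	netfilter_icmp6 "TCP"
	netfilter_icmp6 "UDP"

	log_start
	# Flush through run_cmd for the same reason as in ipv4_netfilter: a bare
	# 'ip6tables -F' acts on the invoking namespace's filter table.
	# NOTE(review): assumes run_cmd executes inside ns-A - confirm.
	run_cmd ip6tables -F
}

################################################################################
# specific use cases

# VRF only.
# ns-A device enslaved to bridge. Verify traffic with and without
# br_netfilter module loaded. Repeat with SVI on bridge.
#
# rmmod/modprobe are called directly: module state belongs to the running
# kernel rather than to a namespace, and br_netfilter is left loaded if the
# last modprobe succeeds.
use_case_br()
{
	setup "yes"

	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
	setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64

	setup_cmd ip link add br0 type bridge
	setup_cmd ip addr add dev br0 ${NSA_IP}/24
	setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad

	setup_cmd ip li set ${NSA_DEV} master br0
	setup_cmd ip li set ${NSA_DEV} up
	setup_cmd ip li set br0 up
	setup_cmd ip li set br0 vrf ${VRF}

	rmmod br_netfilter 2>/dev/null
	sleep 5 # DAD

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 ${NSA_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping in"

	# the br_netfilter variants only run when the module can be loaded
	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out"

		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 ${NSA_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in"
	fi

	setup_cmd ip li set br0 nomaster
	setup_cmd ip li add br0.100 link br0 type vlan id 100
	setup_cmd ip li set br0.100 vrf ${VRF} up
	setup_cmd ip addr add dev br0.100 172.16.101.1/24
	setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad

	setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
	setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
	setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
	setup_cmd_nsb ip li set vlan100 up
	sleep 1

	rmmod br_netfilter 2>/dev/null

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 172.16.101.1
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"

	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out"

		# the two "ping in" names carry "with br_netfilter" so they do
		# not collide with the module-less results logged above
		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 172.16.101.1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping in"
	fi

	setup_cmd ip li del br0 2>/dev/null
	setup_cmd_nsb ip li del vlan100 2>/dev/null
}

# VRF only.
# ns-A device is connected to both ns-B and ns-C on a single VRF but only has
# LLA on the interfaces
use_case_ping_lla_multi()
{
	setup_lla_only
	# only want reply from ns-A
	setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
	setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B"

	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C"

	# cycle/flap the first ns-A interface
	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip link set ${NSA_DEV} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C"

	# cycle/flap the second ns-A interface
	setup_cmd ip link set ${NSA_DEV2} down
	setup_cmd ip link set ${NSA_DEV2} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C"
}

# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully
# established with ns-B.
# The two nat rules are removed again with matching -D commands at the end.
use_case_snat_on_vrf()
{
	setup "yes"

	local port="12345"

	run_cmd iptables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}

	run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} &
	sleep 1
	run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port}
	log_test $? 0 "IPv4 TCP connection over VRF with SNAT"

	run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} &
	sleep 1
	run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port}
	log_test $? 0 "IPv6 TCP connection over VRF with SNAT"

	# Cleanup
	run_cmd iptables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
}

# Entry point for the use-case set.
use_cases()
{
	log_section "Use cases"
	log_subsection "Device enslaved to bridge"
	use_case_br
	log_subsection "Ping LLA with multiple interfaces"
	use_case_ping_lla_multi
	log_subsection "SNAT on VRF"
	use_case_snat_on_vrf
}

################################################################################
# usage

# Print the option summary and the known test-set names to stdout.
usage()
{
	cat <<EOF
usage: ${0##*/} OPTS

	-4          IPv4 tests only
	-6          IPv6 tests only
	-t <test>   Test name/set to run
	-p          Pause on fail
	-P          Pause after each test
	-v          Be verbose

Tests:
	$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER
EOF
}

################################################################################
# main

TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter"
TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter"
TESTS_OTHER="use_cases"

PAUSE_ON_FAIL=no
PAUSE=no

while getopts :46t:pPvh o
do
	case $o in
		4) TESTS=ipv4;;
		6) TESTS=ipv6;;
		t) TESTS=$OPTARG;;
		p) PAUSE_ON_FAIL=yes;;
		P) PAUSE=yes;;
		v) VERBOSE=1;;
		h) usage; exit 0;;
		*) usage; exit 1;;
	esac
done

# make sure we don't pause twice
[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no

#
# show user test config
#
if [ -z "$TESTS" ]; then
	TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
elif [ "$TESTS" = "ipv4" ]; then
	TESTS="$TESTS_IPV4"
elif [ "$TESTS" = "ipv6" ]; then
	TESTS="$TESTS_IPV6"
fi

# nettest can be run from PATH or from same directory as this selftest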
if ! which nettest >/dev/null; then
	# Not found on PATH: retry with the current directory in front.
	# From here on any executable in $PWD shadows the system tools the
	# tests call, so start the script from a trusted checkout.
	PATH=$PWD:$PATH
	which nettest >/dev/null || {
		echo "'nettest' command not found; skipping tests"
		exit $ksft_skip
	}
fi

# pass/fail counters, incremented by log_test
declare -i nfail=0
declare -i nsuccess=0

# Run each requested set in the order given. A name that matches no
# pattern falls through the case without running anything.
for t in $TESTS
do
	case $t in
	ipv4_ping|ping)  ipv4_ping;;
	ipv4_tcp|tcp)    ipv4_tcp;;
	ipv4_udp|udp)    ipv4_udp;;
	ipv4_bind|bind)  ipv4_addr_bind;;
	ipv4_runtime)    ipv4_runtime;;
	ipv4_netfilter)  ipv4_netfilter;;

	ipv6_ping|ping6) ipv6_ping;;
	ipv6_tcp|tcp6)   ipv6_tcp;;
	ipv6_udp|udp6)   ipv6_udp;;
	ipv6_bind|bind6) ipv6_addr_bind;;
	ipv6_runtime)    ipv6_runtime;;
	ipv6_netfilter)  ipv6_netfilter;;

	use_cases)       use_cases;;

	# setup namespaces and config, but do not run any tests
	setup)		 setup; exit 0;;
	vrf_setup)	 setup "yes"; exit 0;;
	esac
done

cleanup 2>/dev/null

printf "\nTests passed: %3d\n" ${nsuccess}
printf "Tests failed: %3d\n"   ${nfail}

# Any failure wins; a run in which nothing passed is reported as a skip.
[ $nfail -ne 0 ] && exit 1	# KSFT_FAIL
[ $nsuccess -eq 0 ] && exit $ksft_skip

exit 0	# KSFT_PASS