#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
#
# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
# for various permutations:
#   1. icmp, tcp, udp and netfilter
#   2. client, server, no-server
#   3. global address on interface
#   4. global address on 'lo'
#   5. remote and local traffic
#   6. VRF and non-VRF permutations
#
# Setup:
#                     ns-A     |     ns-B
# No VRF case:
#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
#                                                remote address
# VRF case:
#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
#
# ns-A:
#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
#       lo: 127.0.0.1/8, ::1/128
#           172.16.2.1/32, 2001:db8:2::1/128
#      red: 127.0.0.1/8, ::1/128
#           172.16.3.1/32, 2001:db8:3::1/128
#
# ns-B:
#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
#      lo2: 127.0.0.1/8, ::1/128
#           172.16.2.2/32, 2001:db8:2::2/128
#
# ns-A to ns-C connection - only for VRF and same config
# as ns-A to ns-B
#
# server / client nomenclature relative to ns-A

# Kselftest framework requirement - SKIP code is 4.
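ksft_skip=4

VERBOSE=0

NSA_DEV=eth1
NSA_DEV2=eth2
NSB_DEV=eth1
NSC_DEV=eth2
VRF=red
VRF_TABLE=1101

# IPv4 config
NSA_IP=172.16.1.1
NSB_IP=172.16.1.2
VRF_IP=172.16.3.1
NS_NET=172.16.1.0/24

# IPv6 config
NSA_IP6=2001:db8:1::1
NSB_IP6=2001:db8:1::2
VRF_IP6=2001:db8:3::1
NS_NET6=2001:db8:1::/120

NSA_LO_IP=172.16.2.1
NSB_LO_IP=172.16.2.2
NSA_LO_IP6=2001:db8:2::1
NSB_LO_IP6=2001:db8:2::2

# Throwaway TCP-MD5 keys used only by the MD5 tests in this script. The tests
# hand them to nettest as command-line arguments (-M / -X), so a real key must
# never be substituted here.
MD5_PW=abc123
MD5_WRONG_PW=abc1234

MCAST=ff02::1
# set after namespace create
NSA_LINKIP6=
NSB_LINKIP6=

NSA=ns-A
NSB=ns-B
NSC=ns-C

# Command prefixes; expanded unquoted by the run_cmd* helpers so that they
# split into "ip netns exec <ns>".
NSA_CMD="ip netns exec ${NSA}"
NSB_CMD="ip netns exec ${NSB}"
NSC_CMD="ip netns exec ${NSC}"

# Prefer ping6 when it exists, otherwise fall back to ping. 'command -v' is a
# shell builtin, so the lookup does not depend on 'which' being installed.
if command -v ping6 > /dev/null 2>&1; then
	ping6=$(command -v ping6)
else
	ping6=$(command -v ping)
fi

################################################################################
# utilities

# Prompt on the terminal and wait for enter; exit 1 if the user answers 'q'.
# The answer is held in a local so the prompt cannot overwrite a variable of
# the calling test function.
_pause_or_quit()
{
	local answer

	echo
	echo "hit enter to continue, 'q' to quit"
	read -r answer
	[ "$answer" = "q" ] && exit 1

	return 0
}

# Record the outcome of one test case and stop its helper processes.
# Arguments: $1 - actual return code
#            $2 - expected return code
#            $3 - test description
# Globals:   nsuccess, nfail (incremented); VERBOSE, PAUSE, PAUSE_ON_FAIL (read)
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"

	[ "${VERBOSE}" = "1" ] && echo

	if [ "${rc}" -eq "${expected}" ]; then
		nsuccess=$((nsuccess+1))
		printf "TEST: %-70s [ OK ]\n" "${msg}"
	else
		nfail=$((nfail+1))
		printf "TEST: %-70s [FAIL]\n" "${msg}"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			# The test functions keep the address under test in a
			# variable named 'a'; reading the answer into a local
			# avoids clobbering it through dynamic scoping.
			_pause_or_quit
		fi
	fi

	if [ "${PAUSE}" = "yes" ]; then
		_pause_or_quit
	fi

	kill_procs
}

# Same as log_test, with a readable name for the address appended to the
# description.
# Arguments: $1 - address under test
#            $2 - actual return code
#            $3 - expected return code
#            $4 - test description
log_test_addr()
{
	local addr=$1
	local rc=$2
	local expected=$3
	local msg="$4"
	local astr

	astr=$(addr2str "${addr}")
	log_test "$rc" "$expected" "$msg - ${astr}"
}

# Print a banner for a top-level group of tests.
log_section()
{
	echo
	echo "###########################################################################"
	echo "$*"
	echo "###########################################################################"
	echo
}

# Print a banner for a sub-group of tests.
log_subsection()
{
	echo
	echo "#################################################################"
	echo "$*"
	echo
}

# Called before each test case.
log_start()
{
	# make sure we have no test instances running
	kill_procs

	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "#######################################################"
	fi
}

# Print a message only in verbose mode.
log_debug()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "$*"
		echo
	fi
}

# Print a hint about the expected outcome, only in verbose mode.
show_hint()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo "HINT: $*"
		echo
	fi
}

# Stop helper processes left over from a test case.
# NOTE(review): killall selects by process name, so this also ends any
# nettest/ping/ping6 process outside the test namespaces that the caller is
# allowed to signal - confirm that is acceptable on the machine running this.
kill_procs()
{
	killall nettest ping ping6 >/dev/null 2>&1
	sleep 1
}

# Run a command, showing it and its output in verbose mode.
# Arguments: the command and its arguments
# Returns:   the exit status of the command
do_run_cmd()
{
	local cmd="$*"
	local out

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${cmd}"
	fi

	# Expanded unquoted on purpose: the command arrives as one string and
	# relies on word splitting. Arguments containing whitespace or glob
	# characters therefore cannot be passed through these helpers.
	out=$($cmd 2>&1)
	# rc is not declared local in this function; left that way because
	# callers outside this view may read it - NOTE(review): confirm.
	rc=$?
	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		echo "$out"
	fi

	return $rc
}

# Run a command in ns-A.
run_cmd()
{
	do_run_cmd ${NSA_CMD} $*
}

# Run a command in ns-B.
run_cmd_nsb()
{
	do_run_cmd ${NSB_CMD} $*
}

# Run a command in ns-C.
run_cmd_nsc()
{
	do_run_cmd ${NSC_CMD} $*
}

# Run a setup command through the given runner and stop the whole test run
# if it fails.
# Arguments: $1 - runner function (run_cmd, run_cmd_nsb or run_cmd_nsc)
#            remaining - the command and its arguments
_setup_cmd_via()
{
	local runner=$1
	shift
	local cmd="$*"
	local rc
	local answer

	${runner} ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		# show user the command if not done so already
		if [ "$VERBOSE" = "0" ]; then
			echo "setup command: $cmd"
		fi
		echo "failed. stopping tests"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue"
			read -r answer
		fi
		exit $rc
	fi
}

# Setup command in ns-A; exits the script with the command's status on failure.
setup_cmd()
{
	_setup_cmd_via run_cmd "$@"
}

# Setup command in ns-B; exits the script with the command's status on failure.
setup_cmd_nsb()
{
	_setup_cmd_via run_cmd_nsb "$@"
}

# Setup command in ns-C; exits the script with the command's status on failure.
setup_cmd_nsc()
{
	_setup_cmd_via run_cmd_nsc "$@"
}

# set sysctl values in NS-A
set_sysctl()
{
	echo "SYSCTL: $*"
	echo
	run_cmd sysctl -q -w $*
}

# get sysctl values in NS-A
get_sysctl()
{
	${NSA_CMD} sysctl -n $*
}

################################################################################
# Setup for tests

# Map an address used by the tests to a readable label for the test log.
# Arguments: $1 - address, optionally with a %dev suffix for link-local and
#                 multicast addresses
# Outputs:   the label, or "unknown"
addr2str()
{
	case "$1" in
	127.0.0.1) echo "loopback";;
	::1) echo "IPv6 loopback";;

	${NSA_IP})	echo "ns-A IP";;
	${NSA_IP6})	echo "ns-A IPv6";;
	${NSA_LO_IP})	echo "ns-A loopback IP";;
	${NSA_LO_IP6})	echo "ns-A loopback IPv6";;
	${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;

	${NSB_IP})	echo "ns-B IP";;
	${NSB_IP6})	echo "ns-B IPv6";;
	${NSB_LO_IP})	echo "ns-B loopback IP";;
	${NSB_LO_IP6})	echo "ns-B loopback IPv6";;
	${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;

	${VRF_IP})	echo "VRF IP";;
	${VRF_IP6})	echo "VRF IPv6";;

	${MCAST}%*)	echo "multicast IP";;

	*) echo "unknown";;
	esac
}

# Print the IPv6 link-local address of a device, without the prefix length.
# Arguments: $1 - namespace
#            $2 - device
# Returns:   1 if the device has no fe80 address, else 0
get_linklocal()
{
	local ns=$1
	local dev=$2
	local addr

	addr=$(ip -netns "${ns}" -6 -br addr show dev "${dev}" | \
	awk '{
		for (i = 3; i <= NF; ++i) {
			if ($i ~ /^fe80/)
				print $i
		}
	}'
	)
	# drop everything from the first '/' on, i.e. the prefix length
	addr=${addr/\/*}

	[ -z "$addr" ] && return 1

	echo "$addr"

	return 0
}

################################################################################
# create namespaces and vrf

# Create a VRF device in a namespace and give it loopback addresses.
# Arguments: $1 - namespace
#            $2 - VRF device name
#            $3 - routing table id
#            $4 - IPv4 address for the VRF device, "-" for none
#            $5 - IPv6 address for the VRF device, "-" for none
create_vrf()
{
	local ns=$1
	local vrf=$2
	local table=$3
	local addr=$4
	local addr6=$5

	ip -netns "${ns}" link add "${vrf}" type vrf table "${table}"
	ip -netns "${ns}" link set "${vrf}" up
	ip -netns "${ns}" route add vrf "${vrf}" unreachable default metric 8192
	ip -netns "${ns}" -6 route add vrf "${vrf}" unreachable default metric 8192

	ip -netns "${ns}" addr add 127.0.0.1/8 dev "${vrf}"
	ip -netns "${ns}" -6 addr add ::1 dev "${vrf}" nodad
	if [ "${addr}" != "-" ]; then
		ip -netns "${ns}" addr add dev "${vrf}" "${addr}"
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns "${ns}" -6 addr add dev "${vrf}" "${addr6}"
	fi

	# re-add the 'local' table lookup at pref 32765 instead of pref 0
	ip -netns "${ns}" ru del pref 0
	ip -netns "${ns}" ru add pref 32765 from all lookup local
	ip -netns "${ns}" -6 ru del pref 0
	ip -netns "${ns}" -6 ru add pref 32765 from all lookup local
}

# Create a namespace with optional addresses on 'lo', an unreachable default
# route and forwarding enabled.
# Arguments: $1 - namespace
#            $2 - IPv4 address for lo, "-" for none
#            $3 - IPv6 address for lo, "-" for none
create_ns()
{
	local ns=$1
	local addr=$2
	local addr6=$3

	ip netns add "${ns}"

	ip -netns "${ns}" link set lo up
	if [ "${addr}" != "-" ]; then
		ip -netns "${ns}" addr add dev lo "${addr}"
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns "${ns}" -6 addr add dev lo "${addr6}"
	fi

	ip -netns "${ns}" ro add unreachable default metric 8192
	ip -netns "${ns}" -6 ro add unreachable default metric 8192

	ip netns exec "${ns}" sysctl -qw net.ipv4.ip_forward=1
	ip netns exec "${ns}" sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
	ip netns exec "${ns}" sysctl -qw net.ipv6.conf.all.forwarding=1
	ip netns exec "${ns}" sysctl -qw net.ipv6.conf.default.forwarding=1
}

# create veth pair to connect namespaces and apply addresses.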
408connect_ns() 409{ 410 local ns1=$1 411 local ns1_dev=$2 412 local ns1_addr=$3 413 local ns1_addr6=$4 414 local ns2=$5 415 local ns2_dev=$6 416 local ns2_addr=$7 417 local ns2_addr6=$8 418 419 ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp 420 ip -netns ${ns1} li set ${ns1_dev} up 421 ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev} 422 ip -netns ${ns2} li set ${ns2_dev} up 423 424 if [ "${ns1_addr}" != "-" ]; then 425 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr} 426 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr} 427 fi 428 429 if [ "${ns1_addr6}" != "-" ]; then 430 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6} 431 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6} 432 fi 433} 434 435cleanup() 436{ 437 # explicit cleanups to check those code paths 438 ip netns | grep -q ${NSA} 439 if [ $? -eq 0 ]; then 440 ip -netns ${NSA} link delete ${VRF} 441 ip -netns ${NSA} ro flush table ${VRF_TABLE} 442 443 ip -netns ${NSA} addr flush dev ${NSA_DEV} 444 ip -netns ${NSA} -6 addr flush dev ${NSA_DEV} 445 ip -netns ${NSA} link set dev ${NSA_DEV} down 446 ip -netns ${NSA} link del dev ${NSA_DEV} 447 448 ip netns del ${NSA} 449 fi 450 451 ip netns del ${NSB} 452 ip netns del ${NSC} >/dev/null 2>&1 453} 454 455setup() 456{ 457 local with_vrf=${1} 458 459 # make sure we are starting with a clean slate 460 kill_procs 461 cleanup 2>/dev/null 462 463 log_debug "Configuring network namespaces" 464 set -e 465 466 create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128 467 create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128 468 connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \ 469 ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 470 471 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 472 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 473 474 # tell ns-A how to get to remote addresses of ns-B 475 if [ "${with_vrf}" = "yes" ]; then 476 create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6} 477 478 ip -netns ${NSA} link set dev ${NSA_DEV} vrf 
${VRF} 479 ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 480 ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 481 482 ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 483 ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 484 485 # some VRF tests use ns-C which has the same config as 486 # ns-B but for a device NOT in the VRF 487 create_ns ${NSC} "-" "-" 488 connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \ 489 ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 490 else 491 ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 492 ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 493 fi 494 495 496 # tell ns-B how to get to remote addresses of ns-A 497 ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 498 ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 499 500 set +e 501 502 sleep 1 503} 504 505setup_lla_only() 506{ 507 # make sure we are starting with a clean slate 508 kill_procs 509 cleanup 2>/dev/null 510 511 log_debug "Configuring network namespaces" 512 set -e 513 514 create_ns ${NSA} "-" "-" 515 create_ns ${NSB} "-" "-" 516 create_ns ${NSC} "-" "-" 517 connect_ns ${NSA} ${NSA_DEV} "-" "-" \ 518 ${NSB} ${NSB_DEV} "-" "-" 519 connect_ns ${NSA} ${NSA_DEV2} "-" "-" \ 520 ${NSC} ${NSC_DEV} "-" "-" 521 522 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 523 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 524 NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV}) 525 526 create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-" 527 ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF} 528 ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF} 529 530 set +e 531 532 sleep 1 533} 534 535################################################################################ 536# IPv4 537 538ipv4_ping_novrf() 539{ 540 local a 541 542 # 543 # out 544 # 545 for a in ${NSB_IP} ${NSB_LO_IP} 546 do 547 log_start 548 
run_cmd ping -c1 -w1 ${a} 549 log_test_addr ${a} $? 0 "ping out" 550 551 log_start 552 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 553 log_test_addr ${a} $? 0 "ping out, device bind" 554 555 log_start 556 run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a} 557 log_test_addr ${a} $? 0 "ping out, address bind" 558 done 559 560 # 561 # in 562 # 563 for a in ${NSA_IP} ${NSA_LO_IP} 564 do 565 log_start 566 run_cmd_nsb ping -c1 -w1 ${a} 567 log_test_addr ${a} $? 0 "ping in" 568 done 569 570 # 571 # local traffic 572 # 573 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 574 do 575 log_start 576 run_cmd ping -c1 -w1 ${a} 577 log_test_addr ${a} $? 0 "ping local" 578 done 579 580 # 581 # local traffic, socket bound to device 582 # 583 # address on device 584 a=${NSA_IP} 585 log_start 586 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 587 log_test_addr ${a} $? 0 "ping local, device bind" 588 589 # loopback addresses not reachable from device bind 590 # fails in a really weird way though because ipv4 special cases 591 # route lookups with oif set. 592 for a in ${NSA_LO_IP} 127.0.0.1 593 do 594 log_start 595 show_hint "Fails since address on loopback device is out of device scope" 596 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 597 log_test_addr ${a} $? 1 "ping local, device bind" 598 done 599 600 # 601 # ip rule blocks reachability to remote address 602 # 603 log_start 604 setup_cmd ip rule add pref 32765 from all lookup local 605 setup_cmd ip rule del pref 0 from all lookup local 606 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 607 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 608 609 a=${NSB_LO_IP} 610 run_cmd ping -c1 -w1 ${a} 611 log_test_addr ${a} $? 
2 "ping out, blocked by rule" 612 613 # NOTE: ipv4 actually allows the lookup to fail and yet still create 614 # a viable rtable if the oif (e.g., bind to device) is set, so this 615 # case succeeds despite the rule 616 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 617 618 a=${NSA_LO_IP} 619 log_start 620 show_hint "Response generates ICMP (or arp request is ignored) due to ip rule" 621 run_cmd_nsb ping -c1 -w1 ${a} 622 log_test_addr ${a} $? 1 "ping in, blocked by rule" 623 624 [ "$VERBOSE" = "1" ] && echo 625 setup_cmd ip rule del pref 32765 from all lookup local 626 setup_cmd ip rule add pref 0 from all lookup local 627 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 628 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 629 630 # 631 # route blocks reachability to remote address 632 # 633 log_start 634 setup_cmd ip route replace unreachable ${NSB_LO_IP} 635 setup_cmd ip route replace unreachable ${NSB_IP} 636 637 a=${NSB_LO_IP} 638 run_cmd ping -c1 -w1 ${a} 639 log_test_addr ${a} $? 2 "ping out, blocked by route" 640 641 # NOTE: ipv4 actually allows the lookup to fail and yet still create 642 # a viable rtable if the oif (e.g., bind to device) is set, so this 643 # case succeeds despite not having a route for the address 644 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 645 646 a=${NSA_LO_IP} 647 log_start 648 show_hint "Response is dropped (or arp request is ignored) due to ip route" 649 run_cmd_nsb ping -c1 -w1 ${a} 650 log_test_addr ${a} $? 1 "ping in, blocked by route" 651 652 # 653 # remove 'remote' routes; fallback to default 654 # 655 log_start 656 setup_cmd ip ro del ${NSB_LO_IP} 657 658 a=${NSB_LO_IP} 659 run_cmd ping -c1 -w1 ${a} 660 log_test_addr ${a} $? 
2 "ping out, unreachable default route" 661 662 # NOTE: ipv4 actually allows the lookup to fail and yet still create 663 # a viable rtable if the oif (e.g., bind to device) is set, so this 664 # case succeeds despite not having a route for the address 665 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 666} 667 668ipv4_ping_vrf() 669{ 670 local a 671 672 # should default on; does not exist on older kernels 673 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 674 675 # 676 # out 677 # 678 for a in ${NSB_IP} ${NSB_LO_IP} 679 do 680 log_start 681 run_cmd ping -c1 -w1 -I ${VRF} ${a} 682 log_test_addr ${a} $? 0 "ping out, VRF bind" 683 684 log_start 685 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 686 log_test_addr ${a} $? 0 "ping out, device bind" 687 688 log_start 689 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a} 690 log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind" 691 692 log_start 693 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a} 694 log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind" 695 done 696 697 # 698 # in 699 # 700 for a in ${NSA_IP} ${VRF_IP} 701 do 702 log_start 703 run_cmd_nsb ping -c1 -w1 ${a} 704 log_test_addr ${a} $? 0 "ping in" 705 done 706 707 # 708 # local traffic, local address 709 # 710 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 711 do 712 log_start 713 show_hint "Source address should be ${a}" 714 run_cmd ping -c1 -w1 -I ${VRF} ${a} 715 log_test_addr ${a} $? 0 "ping local, VRF bind" 716 done 717 718 # 719 # local traffic, socket bound to device 720 # 721 # address on device 722 a=${NSA_IP} 723 log_start 724 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 725 log_test_addr ${a} $? 0 "ping local, device bind" 726 727 # vrf device is out of scope 728 for a in ${VRF_IP} 127.0.0.1 729 do 730 log_start 731 show_hint "Fails since address on vrf device is out of device scope" 732 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 733 log_test_addr ${a} $? 
1 "ping local, device bind" 734 done 735 736 # 737 # ip rule blocks address 738 # 739 log_start 740 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 741 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 742 743 a=${NSB_LO_IP} 744 run_cmd ping -c1 -w1 -I ${VRF} ${a} 745 log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule" 746 747 log_start 748 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 749 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 750 751 a=${NSA_LO_IP} 752 log_start 753 show_hint "Response lost due to ip rule" 754 run_cmd_nsb ping -c1 -w1 ${a} 755 log_test_addr ${a} $? 1 "ping in, blocked by rule" 756 757 [ "$VERBOSE" = "1" ] && echo 758 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 759 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 760 761 # 762 # remove 'remote' routes; fallback to default 763 # 764 log_start 765 setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP} 766 767 a=${NSB_LO_IP} 768 run_cmd ping -c1 -w1 -I ${VRF} ${a} 769 log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route" 770 771 log_start 772 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 773 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 774 775 a=${NSA_LO_IP} 776 log_start 777 show_hint "Response lost by unreachable route" 778 run_cmd_nsb ping -c1 -w1 ${a} 779 log_test_addr ${a} $? 
1 "ping in, unreachable route" 780} 781 782ipv4_ping() 783{ 784 log_section "IPv4 ping" 785 786 log_subsection "No VRF" 787 setup 788 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null 789 ipv4_ping_novrf 790 setup 791 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 792 ipv4_ping_novrf 793 794 log_subsection "With VRF" 795 setup "yes" 796 ipv4_ping_vrf 797} 798 799################################################################################ 800# IPv4 TCP 801 802# 803# MD5 tests without VRF 804# 805ipv4_tcp_md5_novrf() 806{ 807 # 808 # single address 809 # 810 811 # basic use case 812 log_start 813 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 814 sleep 1 815 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 816 log_test $? 0 "MD5: Single address config" 817 818 # client sends MD5, server not configured 819 log_start 820 show_hint "Should timeout due to MD5 mismatch" 821 run_cmd nettest -s & 822 sleep 1 823 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 824 log_test $? 2 "MD5: Server no config, client uses password" 825 826 # wrong password 827 log_start 828 show_hint "Should timeout since client uses wrong password" 829 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 830 sleep 1 831 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 832 log_test $? 2 "MD5: Client uses wrong password" 833 834 # client from different address 835 log_start 836 show_hint "Should timeout due to MD5 mismatch" 837 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} & 838 sleep 1 839 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 840 log_test $? 2 "MD5: Client address does not match address configured with password" 841 842 # 843 # MD5 extension - prefix length 844 # 845 846 # client in prefix 847 log_start 848 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 849 sleep 1 850 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 851 log_test $? 
0 "MD5: Prefix config" 852 853 # client in prefix, wrong password 854 log_start 855 show_hint "Should timeout since client uses wrong password" 856 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 857 sleep 1 858 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 859 log_test $? 2 "MD5: Prefix config, client uses wrong password" 860 861 # client outside of prefix 862 log_start 863 show_hint "Should timeout due to MD5 mismatch" 864 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 865 sleep 1 866 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 867 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 868} 869 870# 871# MD5 tests with VRF 872# 873ipv4_tcp_md5() 874{ 875 # 876 # single address 877 # 878 879 # basic use case 880 log_start 881 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 882 sleep 1 883 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 884 log_test $? 0 "MD5: VRF: Single address config" 885 886 # client sends MD5, server not configured 887 log_start 888 show_hint "Should timeout since server does not have MD5 auth" 889 run_cmd nettest -s -I ${VRF} & 890 sleep 1 891 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 892 log_test $? 2 "MD5: VRF: Server no config, client uses password" 893 894 # wrong password 895 log_start 896 show_hint "Should timeout since client uses wrong password" 897 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 898 sleep 1 899 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 900 log_test $? 2 "MD5: VRF: Client uses wrong password" 901 902 # client from different address 903 log_start 904 show_hint "Should timeout since server config differs from client" 905 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} & 906 sleep 1 907 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 908 log_test $? 
2 "MD5: VRF: Client address does not match address configured with password" 909 910 # 911 # MD5 extension - prefix length 912 # 913 914 # client in prefix 915 log_start 916 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 917 sleep 1 918 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 919 log_test $? 0 "MD5: VRF: Prefix config" 920 921 # client in prefix, wrong password 922 log_start 923 show_hint "Should timeout since client uses wrong password" 924 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 925 sleep 1 926 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 927 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 928 929 # client outside of prefix 930 log_start 931 show_hint "Should timeout since client address is outside of prefix" 932 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 933 sleep 1 934 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 935 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" 936 937 # 938 # duplicate config between default VRF and a VRF 939 # 940 941 log_start 942 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 943 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 944 sleep 1 945 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 946 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 947 948 log_start 949 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 950 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 951 sleep 1 952 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 953 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 954 955 log_start 956 show_hint "Should timeout since client in default VRF uses VRF password" 957 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 958 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 959 sleep 1 960 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 961 log_test $? 
2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 962 963 log_start 964 show_hint "Should timeout since client in VRF uses default VRF password" 965 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 966 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 967 sleep 1 968 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 969 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 970 971 log_start 972 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 973 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 974 sleep 1 975 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 976 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 977 978 log_start 979 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 980 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 981 sleep 1 982 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 983 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 984 985 log_start 986 show_hint "Should timeout since client in default VRF uses VRF password" 987 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 988 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 989 sleep 1 990 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 991 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 992 993 log_start 994 show_hint "Should timeout since client in VRF uses default VRF password" 995 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 996 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 997 sleep 1 998 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 999 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 1000 1001 # 1002 # negative tests 1003 # 1004 log_start 1005 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP} 1006 log_test $? 
1 "MD5: VRF: Device must be a VRF - single address" 1007 1008 log_start 1009 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET} 1010 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 1011 1012 test_ipv4_md5_vrf__vrf_server__no_bind_ifindex 1013 test_ipv4_md5_vrf__global_server__bind_ifindex0 1014} 1015 1016test_ipv4_md5_vrf__vrf_server__no_bind_ifindex() 1017{ 1018 log_start 1019 show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX" 1020 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1021 sleep 1 1022 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1023 log_test $? 0 "MD5: VRF: VRF-bound server, unbound key accepts connection" 1024 1025 log_start 1026 show_hint "Binding both the socket and the key is not required but it works" 1027 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1028 sleep 1 1029 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1030 log_test $? 0 "MD5: VRF: VRF-bound server, bound key accepts connection" 1031} 1032 1033test_ipv4_md5_vrf__global_server__bind_ifindex0() 1034{ 1035 # This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections 1036 local old_tcp_l3mdev_accept 1037 old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept) 1038 set_sysctl net.ipv4.tcp_l3mdev_accept=1 1039 1040 log_start 1041 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1042 sleep 1 1043 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1044 log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection" 1045 1046 log_start 1047 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1048 sleep 1 1049 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1050 log_test $? 
0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection" 1051 log_start 1052 1053 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1054 sleep 1 1055 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1056 log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection" 1057 1058 log_start 1059 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1060 sleep 1 1061 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1062 log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection" 1063 1064 # restore value 1065 set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept" 1066} 1067 1068ipv4_tcp_novrf() 1069{ 1070 local a 1071 1072 # 1073 # server tests 1074 # 1075 for a in ${NSA_IP} ${NSA_LO_IP} 1076 do 1077 log_start 1078 run_cmd nettest -s & 1079 sleep 1 1080 run_cmd_nsb nettest -r ${a} 1081 log_test_addr ${a} $? 0 "Global server" 1082 done 1083 1084 a=${NSA_IP} 1085 log_start 1086 run_cmd nettest -s -I ${NSA_DEV} & 1087 sleep 1 1088 run_cmd_nsb nettest -r ${a} 1089 log_test_addr ${a} $? 0 "Device server" 1090 1091 # verify TCP reset sent and received 1092 for a in ${NSA_IP} ${NSA_LO_IP} 1093 do 1094 log_start 1095 show_hint "Should fail 'Connection refused' since there is no server" 1096 run_cmd_nsb nettest -r ${a} 1097 log_test_addr ${a} $? 1 "No server" 1098 done 1099 1100 # 1101 # client 1102 # 1103 for a in ${NSB_IP} ${NSB_LO_IP} 1104 do 1105 log_start 1106 run_cmd_nsb nettest -s & 1107 sleep 1 1108 run_cmd nettest -r ${a} -0 ${NSA_IP} 1109 log_test_addr ${a} $? 0 "Client" 1110 1111 log_start 1112 run_cmd_nsb nettest -s & 1113 sleep 1 1114 run_cmd nettest -r ${a} -d ${NSA_DEV} 1115 log_test_addr ${a} $? 0 "Client, device bind" 1116 1117 log_start 1118 show_hint "Should fail 'Connection refused'" 1119 run_cmd nettest -r ${a} 1120 log_test_addr ${a} $? 
1 "No server, unbound client" 1121 1122 log_start 1123 show_hint "Should fail 'Connection refused'" 1124 run_cmd nettest -r ${a} -d ${NSA_DEV} 1125 log_test_addr ${a} $? 1 "No server, device client" 1126 done 1127 1128 # 1129 # local address tests 1130 # 1131 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1132 do 1133 log_start 1134 run_cmd nettest -s & 1135 sleep 1 1136 run_cmd nettest -r ${a} -0 ${a} -1 ${a} 1137 log_test_addr ${a} $? 0 "Global server, local connection" 1138 done 1139 1140 a=${NSA_IP} 1141 log_start 1142 run_cmd nettest -s -I ${NSA_DEV} & 1143 sleep 1 1144 run_cmd nettest -r ${a} -0 ${a} 1145 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 1146 1147 for a in ${NSA_LO_IP} 127.0.0.1 1148 do 1149 log_start 1150 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 1151 run_cmd nettest -s -I ${NSA_DEV} & 1152 sleep 1 1153 run_cmd nettest -r ${a} 1154 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 1155 done 1156 1157 a=${NSA_IP} 1158 log_start 1159 run_cmd nettest -s & 1160 sleep 1 1161 run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV} 1162 log_test_addr ${a} $? 0 "Global server, device client, local connection" 1163 1164 for a in ${NSA_LO_IP} 127.0.0.1 1165 do 1166 log_start 1167 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 1168 run_cmd nettest -s & 1169 sleep 1 1170 run_cmd nettest -r ${a} -d ${NSA_DEV} 1171 log_test_addr ${a} $? 1 "Global server, device client, local connection" 1172 done 1173 1174 a=${NSA_IP} 1175 log_start 1176 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1177 sleep 1 1178 run_cmd nettest -d ${NSA_DEV} -r ${a} -0 ${a} 1179 log_test_addr ${a} $? 0 "Device server, device client, local connection" 1180 1181 log_start 1182 show_hint "Should fail 'Connection refused'" 1183 run_cmd nettest -d ${NSA_DEV} -r ${a} 1184 log_test_addr ${a} $? 
1 "No server, device client, local conn" 1185 1186 ipv4_tcp_md5_novrf 1187} 1188 1189ipv4_tcp_vrf() 1190{ 1191 local a 1192 1193 # disable global server 1194 log_subsection "Global server disabled" 1195 1196 set_sysctl net.ipv4.tcp_l3mdev_accept=0 1197 1198 # 1199 # server tests 1200 # 1201 for a in ${NSA_IP} ${VRF_IP} 1202 do 1203 log_start 1204 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 1205 run_cmd nettest -s & 1206 sleep 1 1207 run_cmd_nsb nettest -r ${a} 1208 log_test_addr ${a} $? 1 "Global server" 1209 1210 log_start 1211 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1212 sleep 1 1213 run_cmd_nsb nettest -r ${a} 1214 log_test_addr ${a} $? 0 "VRF server" 1215 1216 log_start 1217 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1218 sleep 1 1219 run_cmd_nsb nettest -r ${a} 1220 log_test_addr ${a} $? 0 "Device server" 1221 1222 # verify TCP reset received 1223 log_start 1224 show_hint "Should fail 'Connection refused' since there is no server" 1225 run_cmd_nsb nettest -r ${a} 1226 log_test_addr ${a} $? 1 "No server" 1227 done 1228 1229 # local address tests 1230 # (${VRF_IP} and 127.0.0.1 both timeout) 1231 a=${NSA_IP} 1232 log_start 1233 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 1234 run_cmd nettest -s & 1235 sleep 1 1236 run_cmd nettest -r ${a} -d ${NSA_DEV} 1237 log_test_addr ${a} $? 1 "Global server, local connection" 1238 1239 # run MD5 tests 1240 ipv4_tcp_md5 1241 1242 # 1243 # enable VRF global server 1244 # 1245 log_subsection "VRF Global server enabled" 1246 set_sysctl net.ipv4.tcp_l3mdev_accept=1 1247 1248 for a in ${NSA_IP} ${VRF_IP} 1249 do 1250 log_start 1251 show_hint "client socket should be bound to VRF" 1252 run_cmd nettest -s -3 ${VRF} & 1253 sleep 1 1254 run_cmd_nsb nettest -r ${a} 1255 log_test_addr ${a} $? 
0 "Global server" 1256 1257 log_start 1258 show_hint "client socket should be bound to VRF" 1259 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1260 sleep 1 1261 run_cmd_nsb nettest -r ${a} 1262 log_test_addr ${a} $? 0 "VRF server" 1263 1264 # verify TCP reset received 1265 log_start 1266 show_hint "Should fail 'Connection refused'" 1267 run_cmd_nsb nettest -r ${a} 1268 log_test_addr ${a} $? 1 "No server" 1269 done 1270 1271 a=${NSA_IP} 1272 log_start 1273 show_hint "client socket should be bound to device" 1274 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1275 sleep 1 1276 run_cmd_nsb nettest -r ${a} 1277 log_test_addr ${a} $? 0 "Device server" 1278 1279 # local address tests 1280 for a in ${NSA_IP} ${VRF_IP} 1281 do 1282 log_start 1283 show_hint "Should fail 'Connection refused' since client is not bound to VRF" 1284 run_cmd nettest -s -I ${VRF} & 1285 sleep 1 1286 run_cmd nettest -r ${a} 1287 log_test_addr ${a} $? 1 "Global server, local connection" 1288 done 1289 1290 # 1291 # client 1292 # 1293 for a in ${NSB_IP} ${NSB_LO_IP} 1294 do 1295 log_start 1296 run_cmd_nsb nettest -s & 1297 sleep 1 1298 run_cmd nettest -r ${a} -d ${VRF} 1299 log_test_addr ${a} $? 0 "Client, VRF bind" 1300 1301 log_start 1302 run_cmd_nsb nettest -s & 1303 sleep 1 1304 run_cmd nettest -r ${a} -d ${NSA_DEV} 1305 log_test_addr ${a} $? 0 "Client, device bind" 1306 1307 log_start 1308 show_hint "Should fail 'Connection refused'" 1309 run_cmd nettest -r ${a} -d ${VRF} 1310 log_test_addr ${a} $? 1 "No server, VRF client" 1311 1312 log_start 1313 show_hint "Should fail 'Connection refused'" 1314 run_cmd nettest -r ${a} -d ${NSA_DEV} 1315 log_test_addr ${a} $? 1 "No server, device client" 1316 done 1317 1318 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 1319 do 1320 log_start 1321 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1322 sleep 1 1323 run_cmd nettest -r ${a} -d ${VRF} -0 ${a} 1324 log_test_addr ${a} $? 
0 "VRF server, VRF client, local connection" 1325 done 1326 1327 a=${NSA_IP} 1328 log_start 1329 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1330 sleep 1 1331 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a} 1332 log_test_addr ${a} $? 0 "VRF server, device client, local connection" 1333 1334 log_start 1335 show_hint "Should fail 'No route to host' since client is out of VRF scope" 1336 run_cmd nettest -s -I ${VRF} & 1337 sleep 1 1338 run_cmd nettest -r ${a} 1339 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection" 1340 1341 log_start 1342 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1343 sleep 1 1344 run_cmd nettest -r ${a} -d ${VRF} -0 ${a} 1345 log_test_addr ${a} $? 0 "Device server, VRF client, local connection" 1346 1347 log_start 1348 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1349 sleep 1 1350 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a} 1351 log_test_addr ${a} $? 0 "Device server, device client, local connection" 1352} 1353 1354ipv4_tcp() 1355{ 1356 log_section "IPv4/TCP" 1357 log_subsection "No VRF" 1358 setup 1359 1360 # tcp_l3mdev_accept should have no affect without VRF; 1361 # run tests with it enabled and disabled to verify 1362 log_subsection "tcp_l3mdev_accept disabled" 1363 set_sysctl net.ipv4.tcp_l3mdev_accept=0 1364 ipv4_tcp_novrf 1365 log_subsection "tcp_l3mdev_accept enabled" 1366 set_sysctl net.ipv4.tcp_l3mdev_accept=1 1367 ipv4_tcp_novrf 1368 1369 log_subsection "With VRF" 1370 setup "yes" 1371 ipv4_tcp_vrf 1372} 1373 1374################################################################################ 1375# IPv4 UDP 1376 1377ipv4_udp_novrf() 1378{ 1379 local a 1380 1381 # 1382 # server tests 1383 # 1384 for a in ${NSA_IP} ${NSA_LO_IP} 1385 do 1386 log_start 1387 run_cmd nettest -D -s -3 ${NSA_DEV} & 1388 sleep 1 1389 run_cmd_nsb nettest -D -r ${a} 1390 log_test_addr ${a} $? 
0 "Global server" 1391 1392 log_start 1393 show_hint "Should fail 'Connection refused' since there is no server" 1394 run_cmd_nsb nettest -D -r ${a} 1395 log_test_addr ${a} $? 1 "No server" 1396 done 1397 1398 a=${NSA_IP} 1399 log_start 1400 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1401 sleep 1 1402 run_cmd_nsb nettest -D -r ${a} 1403 log_test_addr ${a} $? 0 "Device server" 1404 1405 # 1406 # client 1407 # 1408 for a in ${NSB_IP} ${NSB_LO_IP} 1409 do 1410 log_start 1411 run_cmd_nsb nettest -D -s & 1412 sleep 1 1413 run_cmd nettest -D -r ${a} -0 ${NSA_IP} 1414 log_test_addr ${a} $? 0 "Client" 1415 1416 log_start 1417 run_cmd_nsb nettest -D -s & 1418 sleep 1 1419 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP} 1420 log_test_addr ${a} $? 0 "Client, device bind" 1421 1422 log_start 1423 run_cmd_nsb nettest -D -s & 1424 sleep 1 1425 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP} 1426 log_test_addr ${a} $? 0 "Client, device send via cmsg" 1427 1428 log_start 1429 run_cmd_nsb nettest -D -s & 1430 sleep 1 1431 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} 1432 log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF" 1433 1434 log_start 1435 show_hint "Should fail 'Connection refused'" 1436 run_cmd nettest -D -r ${a} 1437 log_test_addr ${a} $? 1 "No server, unbound client" 1438 1439 log_start 1440 show_hint "Should fail 'Connection refused'" 1441 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1442 log_test_addr ${a} $? 1 "No server, device client" 1443 done 1444 1445 # 1446 # local address tests 1447 # 1448 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1449 do 1450 log_start 1451 run_cmd nettest -D -s & 1452 sleep 1 1453 run_cmd nettest -D -r ${a} -0 ${a} -1 ${a} 1454 log_test_addr ${a} $? 0 "Global server, local connection" 1455 done 1456 1457 a=${NSA_IP} 1458 log_start 1459 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1460 sleep 1 1461 run_cmd nettest -D -r ${a} 1462 log_test_addr ${a} $? 
0 "Device server, unbound client, local connection" 1463 1464 for a in ${NSA_LO_IP} 127.0.0.1 1465 do 1466 log_start 1467 show_hint "Should fail 'Connection refused' since address is out of device scope" 1468 run_cmd nettest -s -D -I ${NSA_DEV} & 1469 sleep 1 1470 run_cmd nettest -D -r ${a} 1471 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 1472 done 1473 1474 a=${NSA_IP} 1475 log_start 1476 run_cmd nettest -s -D & 1477 sleep 1 1478 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1479 log_test_addr ${a} $? 0 "Global server, device client, local connection" 1480 1481 log_start 1482 run_cmd nettest -s -D & 1483 sleep 1 1484 run_cmd nettest -D -d ${NSA_DEV} -C -r ${a} 1485 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 1486 1487 log_start 1488 run_cmd nettest -s -D & 1489 sleep 1 1490 run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} 1491 log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection" 1492 1493 # IPv4 with device bind has really weird behavior - it overrides the 1494 # fib lookup, generates an rtable and tries to send the packet. This 1495 # causes failures for local traffic at different places 1496 for a in ${NSA_LO_IP} 127.0.0.1 1497 do 1498 log_start 1499 show_hint "Should fail since addresses on loopback are out of device scope" 1500 run_cmd nettest -D -s & 1501 sleep 1 1502 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1503 log_test_addr ${a} $? 2 "Global server, device client, local connection" 1504 1505 log_start 1506 show_hint "Should fail since addresses on loopback are out of device scope" 1507 run_cmd nettest -D -s & 1508 sleep 1 1509 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C 1510 log_test_addr ${a} $? 
1 "Global server, device send via cmsg, local connection" 1511 1512 log_start 1513 show_hint "Should fail since addresses on loopback are out of device scope" 1514 run_cmd nettest -D -s & 1515 sleep 1 1516 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S 1517 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 1518 done 1519 1520 a=${NSA_IP} 1521 log_start 1522 run_cmd nettest -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1523 sleep 1 1524 run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a} 1525 log_test_addr ${a} $? 0 "Device server, device client, local conn" 1526 1527 log_start 1528 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1529 log_test_addr ${a} $? 2 "No server, device client, local conn" 1530} 1531 1532ipv4_udp_vrf() 1533{ 1534 local a 1535 1536 # disable global server 1537 log_subsection "Global server disabled" 1538 set_sysctl net.ipv4.udp_l3mdev_accept=0 1539 1540 # 1541 # server tests 1542 # 1543 for a in ${NSA_IP} ${VRF_IP} 1544 do 1545 log_start 1546 show_hint "Fails because ingress is in a VRF and global server is disabled" 1547 run_cmd nettest -D -s & 1548 sleep 1 1549 run_cmd_nsb nettest -D -r ${a} 1550 log_test_addr ${a} $? 1 "Global server" 1551 1552 log_start 1553 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} & 1554 sleep 1 1555 run_cmd_nsb nettest -D -r ${a} 1556 log_test_addr ${a} $? 0 "VRF server" 1557 1558 log_start 1559 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1560 sleep 1 1561 run_cmd_nsb nettest -D -r ${a} 1562 log_test_addr ${a} $? 0 "Enslaved device server" 1563 1564 log_start 1565 show_hint "Should fail 'Connection refused' since there is no server" 1566 run_cmd_nsb nettest -D -r ${a} 1567 log_test_addr ${a} $? 1 "No server" 1568 1569 log_start 1570 show_hint "Should fail 'Connection refused' since global server is out of scope" 1571 run_cmd nettest -D -s & 1572 sleep 1 1573 run_cmd nettest -D -d ${VRF} -r ${a} 1574 log_test_addr ${a} $? 
1 "Global server, VRF client, local connection" 1575 done 1576 1577 a=${NSA_IP} 1578 log_start 1579 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1580 sleep 1 1581 run_cmd nettest -D -d ${VRF} -r ${a} 1582 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1583 1584 log_start 1585 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1586 sleep 1 1587 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1588 log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection" 1589 1590 a=${NSA_IP} 1591 log_start 1592 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1593 sleep 1 1594 run_cmd nettest -D -d ${VRF} -r ${a} 1595 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 1596 1597 log_start 1598 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1599 sleep 1 1600 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1601 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 1602 1603 # enable global server 1604 log_subsection "Global server enabled" 1605 set_sysctl net.ipv4.udp_l3mdev_accept=1 1606 1607 # 1608 # server tests 1609 # 1610 for a in ${NSA_IP} ${VRF_IP} 1611 do 1612 log_start 1613 run_cmd nettest -D -s -3 ${NSA_DEV} & 1614 sleep 1 1615 run_cmd_nsb nettest -D -r ${a} 1616 log_test_addr ${a} $? 0 "Global server" 1617 1618 log_start 1619 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} & 1620 sleep 1 1621 run_cmd_nsb nettest -D -r ${a} 1622 log_test_addr ${a} $? 0 "VRF server" 1623 1624 log_start 1625 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1626 sleep 1 1627 run_cmd_nsb nettest -D -r ${a} 1628 log_test_addr ${a} $? 0 "Enslaved device server" 1629 1630 log_start 1631 show_hint "Should fail 'Connection refused'" 1632 run_cmd_nsb nettest -D -r ${a} 1633 log_test_addr ${a} $? 1 "No server" 1634 done 1635 1636 # 1637 # client tests 1638 # 1639 log_start 1640 run_cmd_nsb nettest -D -s & 1641 sleep 1 1642 run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP} 1643 log_test $? 
0 "VRF client" 1644 1645 log_start 1646 run_cmd_nsb nettest -D -s & 1647 sleep 1 1648 run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP} 1649 log_test $? 0 "Enslaved device client" 1650 1651 # negative test - should fail 1652 log_start 1653 show_hint "Should fail 'Connection refused'" 1654 run_cmd nettest -D -d ${VRF} -r ${NSB_IP} 1655 log_test $? 1 "No server, VRF client" 1656 1657 log_start 1658 show_hint "Should fail 'Connection refused'" 1659 run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP} 1660 log_test $? 1 "No server, enslaved device client" 1661 1662 # 1663 # local address tests 1664 # 1665 a=${NSA_IP} 1666 log_start 1667 run_cmd nettest -D -s -3 ${NSA_DEV} & 1668 sleep 1 1669 run_cmd nettest -D -d ${VRF} -r ${a} 1670 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 1671 1672 log_start 1673 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1674 sleep 1 1675 run_cmd nettest -D -d ${VRF} -r ${a} 1676 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1677 1678 log_start 1679 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1680 sleep 1 1681 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1682 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 1683 1684 log_start 1685 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1686 sleep 1 1687 run_cmd nettest -D -d ${VRF} -r ${a} 1688 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 1689 1690 log_start 1691 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1692 sleep 1 1693 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1694 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 1695 1696 for a in ${VRF_IP} 127.0.0.1 1697 do 1698 log_start 1699 run_cmd nettest -D -s -3 ${VRF} & 1700 sleep 1 1701 run_cmd nettest -D -d ${VRF} -r ${a} 1702 log_test_addr ${a} $? 
0 "Global server, VRF client, local conn" 1703 done 1704 1705 for a in ${VRF_IP} 127.0.0.1 1706 do 1707 log_start 1708 run_cmd nettest -s -D -I ${VRF} -3 ${VRF} & 1709 sleep 1 1710 run_cmd nettest -D -d ${VRF} -r ${a} 1711 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1712 done 1713 1714 # negative test - should fail 1715 # verifies ECONNREFUSED 1716 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 1717 do 1718 log_start 1719 show_hint "Should fail 'Connection refused'" 1720 run_cmd nettest -D -d ${VRF} -r ${a} 1721 log_test_addr ${a} $? 1 "No server, VRF client, local conn" 1722 done 1723} 1724 1725ipv4_udp() 1726{ 1727 log_section "IPv4/UDP" 1728 log_subsection "No VRF" 1729 1730 setup 1731 1732 # udp_l3mdev_accept should have no affect without VRF; 1733 # run tests with it enabled and disabled to verify 1734 log_subsection "udp_l3mdev_accept disabled" 1735 set_sysctl net.ipv4.udp_l3mdev_accept=0 1736 ipv4_udp_novrf 1737 log_subsection "udp_l3mdev_accept enabled" 1738 set_sysctl net.ipv4.udp_l3mdev_accept=1 1739 ipv4_udp_novrf 1740 1741 log_subsection "With VRF" 1742 setup "yes" 1743 ipv4_udp_vrf 1744} 1745 1746################################################################################ 1747# IPv4 address bind 1748# 1749# verifies ability or inability to bind to an address / device 1750 1751ipv4_addr_bind_novrf() 1752{ 1753 # 1754 # raw socket 1755 # 1756 for a in ${NSA_IP} ${NSA_LO_IP} 1757 do 1758 log_start 1759 run_cmd nettest -s -R -P icmp -l ${a} -b 1760 log_test_addr ${a} $? 0 "Raw socket bind to local address" 1761 1762 log_start 1763 run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b 1764 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" 1765 done 1766 1767 # 1768 # tcp sockets 1769 # 1770 a=${NSA_IP} 1771 log_start 1772 run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b 1773 log_test_addr ${a} $? 
0 "TCP socket bind to local address" 1774 1775 log_start 1776 run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b 1777 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind" 1778 1779 # Sadly, the kernel allows binding a socket to a device and then 1780 # binding to an address not on the device. The only restriction 1781 # is that the address is valid in the L3 domain. So this test 1782 # passes when it really should not 1783 #a=${NSA_LO_IP} 1784 #log_start 1785 #show_hint "Should fail with 'Cannot assign requested address'" 1786 #run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 1787 #log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address" 1788} 1789 1790ipv4_addr_bind_vrf() 1791{ 1792 # 1793 # raw socket 1794 # 1795 for a in ${NSA_IP} ${VRF_IP} 1796 do 1797 log_start 1798 run_cmd nettest -s -R -P icmp -l ${a} -b 1799 log_test_addr ${a} $? 0 "Raw socket bind to local address" 1800 1801 log_start 1802 run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b 1803 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" 1804 log_start 1805 run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b 1806 log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind" 1807 done 1808 1809 a=${NSA_LO_IP} 1810 log_start 1811 show_hint "Address on loopback is out of VRF scope" 1812 run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b 1813 log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind" 1814 1815 # 1816 # tcp sockets 1817 # 1818 for a in ${NSA_IP} ${VRF_IP} 1819 do 1820 log_start 1821 run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b 1822 log_test_addr ${a} $? 0 "TCP socket bind to local address" 1823 1824 log_start 1825 run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 1826 log_test_addr ${a} $? 
0 "TCP socket bind to local address after device bind" 1827 done 1828 1829 a=${NSA_LO_IP} 1830 log_start 1831 show_hint "Address on loopback out of scope for VRF" 1832 run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b 1833 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF" 1834 1835 log_start 1836 show_hint "Address on loopback out of scope for device in VRF" 1837 run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 1838 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind" 1839} 1840 1841ipv4_addr_bind() 1842{ 1843 log_section "IPv4 address binds" 1844 1845 log_subsection "No VRF" 1846 setup 1847 ipv4_addr_bind_novrf 1848 1849 log_subsection "With VRF" 1850 setup "yes" 1851 ipv4_addr_bind_vrf 1852} 1853 1854################################################################################ 1855# IPv4 runtime tests 1856 1857ipv4_rt() 1858{ 1859 local desc="$1" 1860 local varg="$2" 1861 local with_vrf="yes" 1862 local a 1863 1864 # 1865 # server tests 1866 # 1867 for a in ${NSA_IP} ${VRF_IP} 1868 do 1869 log_start 1870 run_cmd nettest ${varg} -s & 1871 sleep 1 1872 run_cmd_nsb nettest ${varg} -r ${a} & 1873 sleep 3 1874 run_cmd ip link del ${VRF} 1875 sleep 1 1876 log_test_addr ${a} 0 0 "${desc}, global server" 1877 1878 setup ${with_vrf} 1879 done 1880 1881 for a in ${NSA_IP} ${VRF_IP} 1882 do 1883 log_start 1884 run_cmd nettest ${varg} -s -I ${VRF} & 1885 sleep 1 1886 run_cmd_nsb nettest ${varg} -r ${a} & 1887 sleep 3 1888 run_cmd ip link del ${VRF} 1889 sleep 1 1890 log_test_addr ${a} 0 0 "${desc}, VRF server" 1891 1892 setup ${with_vrf} 1893 done 1894 1895 a=${NSA_IP} 1896 log_start 1897 run_cmd nettest ${varg} -s -I ${NSA_DEV} & 1898 sleep 1 1899 run_cmd_nsb nettest ${varg} -r ${a} & 1900 sleep 3 1901 run_cmd ip link del ${VRF} 1902 sleep 1 1903 log_test_addr ${a} 0 0 "${desc}, enslaved device server" 1904 1905 setup ${with_vrf} 1906 1907 # 1908 # client test 1909 # 1910 log_start 1911 run_cmd_nsb nettest ${varg} -s & 1912 
sleep 1 1913 run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} & 1914 sleep 3 1915 run_cmd ip link del ${VRF} 1916 sleep 1 1917 log_test_addr ${a} 0 0 "${desc}, VRF client" 1918 1919 setup ${with_vrf} 1920 1921 log_start 1922 run_cmd_nsb nettest ${varg} -s & 1923 sleep 1 1924 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} & 1925 sleep 3 1926 run_cmd ip link del ${VRF} 1927 sleep 1 1928 log_test_addr ${a} 0 0 "${desc}, enslaved device client" 1929 1930 setup ${with_vrf} 1931 1932 # 1933 # local address tests 1934 # 1935 for a in ${NSA_IP} ${VRF_IP} 1936 do 1937 log_start 1938 run_cmd nettest ${varg} -s & 1939 sleep 1 1940 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 1941 sleep 3 1942 run_cmd ip link del ${VRF} 1943 sleep 1 1944 log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local" 1945 1946 setup ${with_vrf} 1947 done 1948 1949 for a in ${NSA_IP} ${VRF_IP} 1950 do 1951 log_start 1952 run_cmd nettest ${varg} -I ${VRF} -s & 1953 sleep 1 1954 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 1955 sleep 3 1956 run_cmd ip link del ${VRF} 1957 sleep 1 1958 log_test_addr ${a} 0 0 "${desc}, VRF server and client, local" 1959 1960 setup ${with_vrf} 1961 done 1962 1963 a=${NSA_IP} 1964 log_start 1965 run_cmd nettest ${varg} -s & 1966 sleep 1 1967 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 1968 sleep 3 1969 run_cmd ip link del ${VRF} 1970 sleep 1 1971 log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local" 1972 1973 setup ${with_vrf} 1974 1975 log_start 1976 run_cmd nettest ${varg} -I ${VRF} -s & 1977 sleep 1 1978 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 1979 sleep 3 1980 run_cmd ip link del ${VRF} 1981 sleep 1 1982 log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local" 1983 1984 setup ${with_vrf} 1985 1986 log_start 1987 run_cmd nettest ${varg} -I ${NSA_DEV} -s & 1988 sleep 1 1989 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 1990 sleep 3 1991 run_cmd ip link del ${VRF} 1992 sleep 1 1993 log_test_addr ${a} 0 0 
"${desc}, enslaved device server and client, local" 1994} 1995 1996ipv4_ping_rt() 1997{ 1998 local with_vrf="yes" 1999 local a 2000 2001 for a in ${NSA_IP} ${VRF_IP} 2002 do 2003 log_start 2004 run_cmd_nsb ping -f ${a} & 2005 sleep 3 2006 run_cmd ip link del ${VRF} 2007 sleep 1 2008 log_test_addr ${a} 0 0 "Device delete with active traffic - ping in" 2009 2010 setup ${with_vrf} 2011 done 2012 2013 a=${NSB_IP} 2014 log_start 2015 run_cmd ping -f -I ${VRF} ${a} & 2016 sleep 3 2017 run_cmd ip link del ${VRF} 2018 sleep 1 2019 log_test_addr ${a} 0 0 "Device delete with active traffic - ping out" 2020} 2021 2022ipv4_runtime() 2023{ 2024 log_section "Run time tests - ipv4" 2025 2026 setup "yes" 2027 ipv4_ping_rt 2028 2029 setup "yes" 2030 ipv4_rt "TCP active socket" "-n -1" 2031 2032 setup "yes" 2033 ipv4_rt "TCP passive socket" "-i" 2034} 2035 2036################################################################################ 2037# IPv6 2038 2039ipv6_ping_novrf() 2040{ 2041 local a 2042 2043 # should not have an impact, but make a known state 2044 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null 2045 2046 # 2047 # out 2048 # 2049 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2050 do 2051 log_start 2052 run_cmd ${ping6} -c1 -w1 ${a} 2053 log_test_addr ${a} $? 0 "ping out" 2054 done 2055 2056 for a in ${NSB_IP6} ${NSB_LO_IP6} 2057 do 2058 log_start 2059 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2060 log_test_addr ${a} $? 0 "ping out, device bind" 2061 2062 log_start 2063 run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a} 2064 log_test_addr ${a} $? 0 "ping out, loopback address bind" 2065 done 2066 2067 # 2068 # in 2069 # 2070 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV} 2071 do 2072 log_start 2073 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2074 log_test_addr ${a} $? 
0 "ping in" 2075 done 2076 2077 # 2078 # local traffic, local address 2079 # 2080 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2081 do 2082 log_start 2083 run_cmd ${ping6} -c1 -w1 ${a} 2084 log_test_addr ${a} $? 0 "ping local, no bind" 2085 done 2086 2087 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2088 do 2089 log_start 2090 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2091 log_test_addr ${a} $? 0 "ping local, device bind" 2092 done 2093 2094 for a in ${NSA_LO_IP6} ::1 2095 do 2096 log_start 2097 show_hint "Fails since address on loopback is out of device scope" 2098 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2099 log_test_addr ${a} $? 2 "ping local, device bind" 2100 done 2101 2102 # 2103 # ip rule blocks address 2104 # 2105 log_start 2106 setup_cmd ip -6 rule add pref 32765 from all lookup local 2107 setup_cmd ip -6 rule del pref 0 from all lookup local 2108 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2109 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2110 2111 a=${NSB_LO_IP6} 2112 run_cmd ${ping6} -c1 -w1 ${a} 2113 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2114 2115 log_start 2116 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2117 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2118 2119 a=${NSA_LO_IP6} 2120 log_start 2121 show_hint "Response lost due to ip rule" 2122 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2123 log_test_addr ${a} $? 
1 "ping in, blocked by rule" 2124 2125 setup_cmd ip -6 rule add pref 0 from all lookup local 2126 setup_cmd ip -6 rule del pref 32765 from all lookup local 2127 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2128 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2129 2130 # 2131 # route blocks reachability to remote address 2132 # 2133 log_start 2134 setup_cmd ip -6 route del ${NSB_LO_IP6} 2135 setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10 2136 setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10 2137 2138 a=${NSB_LO_IP6} 2139 run_cmd ${ping6} -c1 -w1 ${a} 2140 log_test_addr ${a} $? 2 "ping out, blocked by route" 2141 2142 log_start 2143 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2144 log_test_addr ${a} $? 2 "ping out, device bind, blocked by route" 2145 2146 a=${NSA_LO_IP6} 2147 log_start 2148 show_hint "Response lost due to ip route" 2149 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2150 log_test_addr ${a} $? 1 "ping in, blocked by route" 2151 2152 2153 # 2154 # remove 'remote' routes; fallback to default 2155 # 2156 log_start 2157 setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6} 2158 setup_cmd ip -6 ro del unreachable ${NSB_IP6} 2159 2160 a=${NSB_LO_IP6} 2161 run_cmd ${ping6} -c1 -w1 ${a} 2162 log_test_addr ${a} $? 2 "ping out, unreachable route" 2163 2164 log_start 2165 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2166 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 2167} 2168 2169ipv6_ping_vrf() 2170{ 2171 local a 2172 2173 # should default on; does not exist on older kernels 2174 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 2175 2176 # 2177 # out 2178 # 2179 for a in ${NSB_IP6} ${NSB_LO_IP6} 2180 do 2181 log_start 2182 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2183 log_test_addr ${a} $? 
0 "ping out, VRF bind" 2184 done 2185 2186 for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF} 2187 do 2188 log_start 2189 show_hint "Fails since VRF device does not support linklocal or multicast" 2190 run_cmd ${ping6} -c1 -w1 ${a} 2191 log_test_addr ${a} $? 2 "ping out, VRF bind" 2192 done 2193 2194 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2195 do 2196 log_start 2197 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2198 log_test_addr ${a} $? 0 "ping out, device bind" 2199 done 2200 2201 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2202 do 2203 log_start 2204 run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a} 2205 log_test_addr ${a} $? 0 "ping out, vrf device+address bind" 2206 done 2207 2208 # 2209 # in 2210 # 2211 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV} 2212 do 2213 log_start 2214 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2215 log_test_addr ${a} $? 0 "ping in" 2216 done 2217 2218 a=${NSA_LO_IP6} 2219 log_start 2220 show_hint "Fails since loopback address is out of VRF scope" 2221 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2222 log_test_addr ${a} $? 1 "ping in" 2223 2224 # 2225 # local traffic, local address 2226 # 2227 for a in ${NSA_IP6} ${VRF_IP6} ::1 2228 do 2229 log_start 2230 show_hint "Source address should be ${a}" 2231 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2232 log_test_addr ${a} $? 0 "ping local, VRF bind" 2233 done 2234 2235 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2236 do 2237 log_start 2238 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2239 log_test_addr ${a} $? 
0 "ping local, device bind" 2240 done 2241 2242 # LLA to GUA - remove ipv6 global addresses from ns-B 2243 setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 2244 setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo 2245 setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2246 2247 for a in ${NSA_IP6} ${VRF_IP6} 2248 do 2249 log_start 2250 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 2251 log_test_addr ${a} $? 0 "ping in, LLA to GUA" 2252 done 2253 2254 setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2255 setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} 2256 setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo 2257 2258 # 2259 # ip rule blocks address 2260 # 2261 log_start 2262 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2263 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2264 2265 a=${NSB_LO_IP6} 2266 run_cmd ${ping6} -c1 -w1 ${a} 2267 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2268 2269 log_start 2270 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2271 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2272 2273 a=${NSA_LO_IP6} 2274 log_start 2275 show_hint "Response lost due to ip rule" 2276 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2277 log_test_addr ${a} $? 1 "ping in, blocked by rule" 2278 2279 log_start 2280 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2281 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2282 2283 # 2284 # remove 'remote' routes; fallback to default 2285 # 2286 log_start 2287 setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF} 2288 2289 a=${NSB_LO_IP6} 2290 run_cmd ${ping6} -c1 -w1 ${a} 2291 log_test_addr ${a} $? 2 "ping out, unreachable route" 2292 2293 log_start 2294 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2295 log_test_addr ${a} $? 
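2 "ping out, device bind, unreachable route"

	ip -netns ${NSB} -6 ro del ${NSA_LO_IP6}
	a=${NSA_LO_IP6}
	log_start
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping in, unreachable route"
}

#
# Run the IPv6 ping cases: ipv6_ping_novrf after a plain setup, then
# ipv6_ping_vrf after setup "yes".
#
ipv6_ping()
{
	log_section "IPv6 ping"

	log_subsection "No VRF"
	setup
	ipv6_ping_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_ping_vrf
}

################################################################################
# IPv6 TCP

#
# MD5 tests without VRF
#
# Each case starts a nettest server in the background (-M password, -m
# peer address or prefix), waits one second, then runs the client from
# ns-B with -X password. Expected rc 0 means the connection worked; the
# negative cases expect rc 2, which the hints describe as a timeout.
#
# MD5_PW and MD5_WRONG_PW are fixed values set at the top of the script
# and are passed on the nettest command line. That is acceptable for
# throwaway test keys only; argv is readable by other local processes.
#
ipv6_tcp_md5_novrf()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Prefix config, client uses wrong password"

	# client outside of prefix: -c makes the client use its loopback
	# address, which is not covered by NS_NET6
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
}

#
# MD5 tests with VRF
#
ipv6_tcp_md5()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout since server does not have MD5 auth"
	run_cmd nettest -6 -s -I ${VRF} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
	# (statement continues on the following line of the listing)
	log_test $? \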
2 "MD5: VRF: Client uses wrong password" 2419 2420 # client from different address 2421 log_start 2422 show_hint "Should timeout since server config differs from client" 2423 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} & 2424 sleep 1 2425 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2426 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 2427 2428 # 2429 # MD5 extension - prefix length 2430 # 2431 2432 # client in prefix 2433 log_start 2434 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2435 sleep 1 2436 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2437 log_test $? 0 "MD5: VRF: Prefix config" 2438 2439 # client in prefix, wrong password 2440 log_start 2441 show_hint "Should timeout since client uses wrong password" 2442 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2443 sleep 1 2444 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2445 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 2446 2447 # client outside of prefix 2448 log_start 2449 show_hint "Should timeout since client address is outside of prefix" 2450 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2451 sleep 1 2452 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW} 2453 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" 2454 2455 # 2456 # duplicate config between default VRF and a VRF 2457 # 2458 2459 log_start 2460 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2461 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2462 sleep 1 2463 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2464 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 2465 2466 log_start 2467 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2468 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2469 sleep 1 2470 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2471 log_test $? 
0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 2472 2473 log_start 2474 show_hint "Should timeout since client in default VRF uses VRF password" 2475 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2476 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2477 sleep 1 2478 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2479 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 2480 2481 log_start 2482 show_hint "Should timeout since client in VRF uses default VRF password" 2483 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} & 2484 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} & 2485 sleep 1 2486 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2487 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 2488 2489 log_start 2490 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2491 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2492 sleep 1 2493 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2494 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 2495 2496 log_start 2497 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2498 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2499 sleep 1 2500 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2501 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 2502 2503 log_start 2504 show_hint "Should timeout since client in default VRF uses VRF password" 2505 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2506 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2507 sleep 1 2508 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW} 2509 log_test $? 
2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 2510 2511 log_start 2512 show_hint "Should timeout since client in VRF uses default VRF password" 2513 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} & 2514 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & 2515 sleep 1 2516 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW} 2517 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 2518 2519 # 2520 # negative tests 2521 # 2522 log_start 2523 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6} 2524 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 2525 2526 log_start 2527 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6} 2528 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 2529 2530} 2531 2532ipv6_tcp_novrf() 2533{ 2534 local a 2535 2536 # 2537 # server tests 2538 # 2539 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2540 do 2541 log_start 2542 run_cmd nettest -6 -s & 2543 sleep 1 2544 run_cmd_nsb nettest -6 -r ${a} 2545 log_test_addr ${a} $? 0 "Global server" 2546 done 2547 2548 # verify TCP reset received 2549 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2550 do 2551 log_start 2552 show_hint "Should fail 'Connection refused'" 2553 run_cmd_nsb nettest -6 -r ${a} 2554 log_test_addr ${a} $? 1 "No server" 2555 done 2556 2557 # 2558 # client 2559 # 2560 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2561 do 2562 log_start 2563 run_cmd_nsb nettest -6 -s & 2564 sleep 1 2565 run_cmd nettest -6 -r ${a} 2566 log_test_addr ${a} $? 0 "Client" 2567 done 2568 2569 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2570 do 2571 log_start 2572 run_cmd_nsb nettest -6 -s & 2573 sleep 1 2574 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2575 log_test_addr ${a} $? 
0 "Client, device bind" 2576 done 2577 2578 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2579 do 2580 log_start 2581 show_hint "Should fail 'Connection refused'" 2582 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2583 log_test_addr ${a} $? 1 "No server, device client" 2584 done 2585 2586 # 2587 # local address tests 2588 # 2589 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 2590 do 2591 log_start 2592 run_cmd nettest -6 -s & 2593 sleep 1 2594 run_cmd nettest -6 -r ${a} 2595 log_test_addr ${a} $? 0 "Global server, local connection" 2596 done 2597 2598 a=${NSA_IP6} 2599 log_start 2600 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2601 sleep 1 2602 run_cmd nettest -6 -r ${a} -0 ${a} 2603 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 2604 2605 for a in ${NSA_LO_IP6} ::1 2606 do 2607 log_start 2608 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2609 run_cmd nettest -6 -s -I ${NSA_DEV} & 2610 sleep 1 2611 run_cmd nettest -6 -r ${a} 2612 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 2613 done 2614 2615 a=${NSA_IP6} 2616 log_start 2617 run_cmd nettest -6 -s & 2618 sleep 1 2619 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2620 log_test_addr ${a} $? 0 "Global server, device client, local connection" 2621 2622 for a in ${NSA_LO_IP6} ::1 2623 do 2624 log_start 2625 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2626 run_cmd nettest -6 -s & 2627 sleep 1 2628 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2629 log_test_addr ${a} $? 1 "Global server, device client, local connection" 2630 done 2631 2632 for a in ${NSA_IP6} ${NSA_LINKIP6} 2633 do 2634 log_start 2635 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2636 sleep 1 2637 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2638 log_test_addr ${a} $? 
0 "Device server, device client, local conn" 2639 done 2640 2641 for a in ${NSA_IP6} ${NSA_LINKIP6} 2642 do 2643 log_start 2644 show_hint "Should fail 'Connection refused'" 2645 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2646 log_test_addr ${a} $? 1 "No server, device client, local conn" 2647 done 2648 2649 ipv6_tcp_md5_novrf 2650} 2651 2652ipv6_tcp_vrf() 2653{ 2654 local a 2655 2656 # disable global server 2657 log_subsection "Global server disabled" 2658 2659 set_sysctl net.ipv4.tcp_l3mdev_accept=0 2660 2661 # 2662 # server tests 2663 # 2664 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2665 do 2666 log_start 2667 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2668 run_cmd nettest -6 -s & 2669 sleep 1 2670 run_cmd_nsb nettest -6 -r ${a} 2671 log_test_addr ${a} $? 1 "Global server" 2672 done 2673 2674 for a in ${NSA_IP6} ${VRF_IP6} 2675 do 2676 log_start 2677 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2678 sleep 1 2679 run_cmd_nsb nettest -6 -r ${a} 2680 log_test_addr ${a} $? 0 "VRF server" 2681 done 2682 2683 # link local is always bound to ingress device 2684 a=${NSA_LINKIP6}%${NSB_DEV} 2685 log_start 2686 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2687 sleep 1 2688 run_cmd_nsb nettest -6 -r ${a} 2689 log_test_addr ${a} $? 0 "VRF server" 2690 2691 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2692 do 2693 log_start 2694 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2695 sleep 1 2696 run_cmd_nsb nettest -6 -r ${a} 2697 log_test_addr ${a} $? 0 "Device server" 2698 done 2699 2700 # verify TCP reset received 2701 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2702 do 2703 log_start 2704 show_hint "Should fail 'Connection refused'" 2705 run_cmd_nsb nettest -6 -r ${a} 2706 log_test_addr ${a} $? 
1 "No server" 2707 done 2708 2709 # local address tests 2710 a=${NSA_IP6} 2711 log_start 2712 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2713 run_cmd nettest -6 -s & 2714 sleep 1 2715 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2716 log_test_addr ${a} $? 1 "Global server, local connection" 2717 2718 # run MD5 tests 2719 ipv6_tcp_md5 2720 2721 # 2722 # enable VRF global server 2723 # 2724 log_subsection "VRF Global server enabled" 2725 set_sysctl net.ipv4.tcp_l3mdev_accept=1 2726 2727 for a in ${NSA_IP6} ${VRF_IP6} 2728 do 2729 log_start 2730 run_cmd nettest -6 -s -3 ${VRF} & 2731 sleep 1 2732 run_cmd_nsb nettest -6 -r ${a} 2733 log_test_addr ${a} $? 0 "Global server" 2734 done 2735 2736 for a in ${NSA_IP6} ${VRF_IP6} 2737 do 2738 log_start 2739 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2740 sleep 1 2741 run_cmd_nsb nettest -6 -r ${a} 2742 log_test_addr ${a} $? 0 "VRF server" 2743 done 2744 2745 # For LLA, child socket is bound to device 2746 a=${NSA_LINKIP6}%${NSB_DEV} 2747 log_start 2748 run_cmd nettest -6 -s -3 ${NSA_DEV} & 2749 sleep 1 2750 run_cmd_nsb nettest -6 -r ${a} 2751 log_test_addr ${a} $? 0 "Global server" 2752 2753 log_start 2754 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2755 sleep 1 2756 run_cmd_nsb nettest -6 -r ${a} 2757 log_test_addr ${a} $? 0 "VRF server" 2758 2759 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2760 do 2761 log_start 2762 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2763 sleep 1 2764 run_cmd_nsb nettest -6 -r ${a} 2765 log_test_addr ${a} $? 0 "Device server" 2766 done 2767 2768 # verify TCP reset received 2769 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2770 do 2771 log_start 2772 show_hint "Should fail 'Connection refused'" 2773 run_cmd_nsb nettest -6 -r ${a} 2774 log_test_addr ${a} $? 
1 "No server" 2775 done 2776 2777 # local address tests 2778 for a in ${NSA_IP6} ${VRF_IP6} 2779 do 2780 log_start 2781 show_hint "Fails 'Connection refused' since client is not in VRF" 2782 run_cmd nettest -6 -s -I ${VRF} & 2783 sleep 1 2784 run_cmd nettest -6 -r ${a} 2785 log_test_addr ${a} $? 1 "Global server, local connection" 2786 done 2787 2788 2789 # 2790 # client 2791 # 2792 for a in ${NSB_IP6} ${NSB_LO_IP6} 2793 do 2794 log_start 2795 run_cmd_nsb nettest -6 -s & 2796 sleep 1 2797 run_cmd nettest -6 -r ${a} -d ${VRF} 2798 log_test_addr ${a} $? 0 "Client, VRF bind" 2799 done 2800 2801 a=${NSB_LINKIP6} 2802 log_start 2803 show_hint "Fails since VRF device does not allow linklocal addresses" 2804 run_cmd_nsb nettest -6 -s & 2805 sleep 1 2806 run_cmd nettest -6 -r ${a} -d ${VRF} 2807 log_test_addr ${a} $? 1 "Client, VRF bind" 2808 2809 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 2810 do 2811 log_start 2812 run_cmd_nsb nettest -6 -s & 2813 sleep 1 2814 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2815 log_test_addr ${a} $? 0 "Client, device bind" 2816 done 2817 2818 for a in ${NSB_IP6} ${NSB_LO_IP6} 2819 do 2820 log_start 2821 show_hint "Should fail 'Connection refused'" 2822 run_cmd nettest -6 -r ${a} -d ${VRF} 2823 log_test_addr ${a} $? 1 "No server, VRF client" 2824 done 2825 2826 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 2827 do 2828 log_start 2829 show_hint "Should fail 'Connection refused'" 2830 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2831 log_test_addr ${a} $? 1 "No server, device client" 2832 done 2833 2834 for a in ${NSA_IP6} ${VRF_IP6} ::1 2835 do 2836 log_start 2837 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2838 sleep 1 2839 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 2840 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 2841 done 2842 2843 a=${NSA_IP6} 2844 log_start 2845 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2846 sleep 1 2847 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2848 log_test_addr ${a} $? 
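0 "VRF server, device client, local connection"

	a=${NSA_IP6}
	log_start
	show_hint "Should fail since unbound client is out of VRF scope"
	run_cmd nettest -6 -s -I ${VRF} &
	sleep 1
	run_cmd nettest -6 -r ${a}
	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"

	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"

	for a in ${NSA_IP6} ${NSA_LINKIP6}
	do
		log_start
		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
		log_test_addr ${a} $? 0 "Device server, device client, local connection"
	done
}

#
# Run the IPv6 TCP cases: ipv6_tcp_novrf twice after a plain setup (with
# tcp_l3mdev_accept set to 0, then to 1), then ipv6_tcp_vrf after
# setup "yes".
#
ipv6_tcp()
{
	log_section "IPv6/TCP"
	log_subsection "No VRF"
	setup

	# tcp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "tcp_l3mdev_accept disabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=0
	ipv6_tcp_novrf
	log_subsection "tcp_l3mdev_accept enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1
	ipv6_tcp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_tcp_vrf
}

################################################################################
# IPv6 UDP

#
# UDP tests without a VRF, in three groups: server tests, client tests
# and local address tests (server / client are relative to ns-A).
#
ipv6_udp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		# (statement continues on the following line of the listing)
		log_test_addr ${a} $? \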
0 "Device server" 2917 done 2918 2919 a=${NSA_LO_IP6} 2920 log_start 2921 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 2922 sleep 1 2923 run_cmd_nsb nettest -6 -D -r ${a} 2924 log_test_addr ${a} $? 0 "Global server" 2925 2926 # should fail since loopback address is out of scope for a device 2927 # bound server, but it does not - hence this is more documenting 2928 # behavior. 2929 #log_start 2930 #show_hint "Should fail since loopback address is out of scope" 2931 #run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 2932 #sleep 1 2933 #run_cmd_nsb nettest -6 -D -r ${a} 2934 #log_test_addr ${a} $? 1 "Device server" 2935 2936 # negative test - should fail 2937 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2938 do 2939 log_start 2940 show_hint "Should fail 'Connection refused' since there is no server" 2941 run_cmd_nsb nettest -6 -D -r ${a} 2942 log_test_addr ${a} $? 1 "No server" 2943 done 2944 2945 # 2946 # client 2947 # 2948 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2949 do 2950 log_start 2951 run_cmd_nsb nettest -6 -D -s & 2952 sleep 1 2953 run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6} 2954 log_test_addr ${a} $? 0 "Client" 2955 2956 log_start 2957 run_cmd_nsb nettest -6 -D -s & 2958 sleep 1 2959 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6} 2960 log_test_addr ${a} $? 0 "Client, device bind" 2961 2962 log_start 2963 run_cmd_nsb nettest -6 -D -s & 2964 sleep 1 2965 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6} 2966 log_test_addr ${a} $? 0 "Client, device send via cmsg" 2967 2968 log_start 2969 run_cmd_nsb nettest -6 -D -s & 2970 sleep 1 2971 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6} 2972 log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF" 2973 2974 log_start 2975 show_hint "Should fail 'Connection refused'" 2976 run_cmd nettest -6 -D -r ${a} 2977 log_test_addr ${a} $? 
1 "No server, unbound client" 2978 2979 log_start 2980 show_hint "Should fail 'Connection refused'" 2981 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 2982 log_test_addr ${a} $? 1 "No server, device client" 2983 done 2984 2985 # 2986 # local address tests 2987 # 2988 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 2989 do 2990 log_start 2991 run_cmd nettest -6 -D -s & 2992 sleep 1 2993 run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a} 2994 log_test_addr ${a} $? 0 "Global server, local connection" 2995 done 2996 2997 a=${NSA_IP6} 2998 log_start 2999 run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 3000 sleep 1 3001 run_cmd nettest -6 -D -r ${a} 3002 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 3003 3004 for a in ${NSA_LO_IP6} ::1 3005 do 3006 log_start 3007 show_hint "Should fail 'Connection refused' since address is out of device scope" 3008 run_cmd nettest -6 -s -D -I ${NSA_DEV} & 3009 sleep 1 3010 run_cmd nettest -6 -D -r ${a} 3011 log_test_addr ${a} $? 1 "Device server, local connection" 3012 done 3013 3014 a=${NSA_IP6} 3015 log_start 3016 run_cmd nettest -6 -s -D & 3017 sleep 1 3018 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3019 log_test_addr ${a} $? 0 "Global server, device client, local connection" 3020 3021 log_start 3022 run_cmd nettest -6 -s -D & 3023 sleep 1 3024 run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a} 3025 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 3026 3027 log_start 3028 run_cmd nettest -6 -s -D & 3029 sleep 1 3030 run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a} 3031 log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection" 3032 3033 for a in ${NSA_LO_IP6} ::1 3034 do 3035 log_start 3036 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3037 run_cmd nettest -6 -D -s & 3038 sleep 1 3039 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3040 log_test_addr ${a} $? 
1 "Global server, device client, local connection" 3041 3042 log_start 3043 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3044 run_cmd nettest -6 -D -s & 3045 sleep 1 3046 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C 3047 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 3048 3049 log_start 3050 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3051 run_cmd nettest -6 -D -s & 3052 sleep 1 3053 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S 3054 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 3055 done 3056 3057 a=${NSA_IP6} 3058 log_start 3059 run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3060 sleep 1 3061 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a} 3062 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3063 3064 log_start 3065 show_hint "Should fail 'Connection refused'" 3066 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3067 log_test_addr ${a} $? 1 "No server, device client, local conn" 3068 3069 # LLA to GUA 3070 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3071 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3072 log_start 3073 run_cmd nettest -6 -s -D & 3074 sleep 1 3075 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3076 log_test $? 0 "UDP in - LLA to GUA" 3077 3078 run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV} 3079 run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad 3080} 3081 3082ipv6_udp_vrf() 3083{ 3084 local a 3085 3086 # disable global server 3087 log_subsection "Global server disabled" 3088 set_sysctl net.ipv4.udp_l3mdev_accept=0 3089 3090 # 3091 # server tests 3092 # 3093 for a in ${NSA_IP6} ${VRF_IP6} 3094 do 3095 log_start 3096 show_hint "Should fail 'Connection refused' since global server is disabled" 3097 run_cmd nettest -6 -D -s & 3098 sleep 1 3099 run_cmd_nsb nettest -6 -D -r ${a} 3100 log_test_addr ${a} $? 
1 "Global server" 3101 done 3102 3103 for a in ${NSA_IP6} ${VRF_IP6} 3104 do 3105 log_start 3106 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3107 sleep 1 3108 run_cmd_nsb nettest -6 -D -r ${a} 3109 log_test_addr ${a} $? 0 "VRF server" 3110 done 3111 3112 for a in ${NSA_IP6} ${VRF_IP6} 3113 do 3114 log_start 3115 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3116 sleep 1 3117 run_cmd_nsb nettest -6 -D -r ${a} 3118 log_test_addr ${a} $? 0 "Enslaved device server" 3119 done 3120 3121 # negative test - should fail 3122 for a in ${NSA_IP6} ${VRF_IP6} 3123 do 3124 log_start 3125 show_hint "Should fail 'Connection refused' since there is no server" 3126 run_cmd_nsb nettest -6 -D -r ${a} 3127 log_test_addr ${a} $? 1 "No server" 3128 done 3129 3130 # 3131 # local address tests 3132 # 3133 for a in ${NSA_IP6} ${VRF_IP6} 3134 do 3135 log_start 3136 show_hint "Should fail 'Connection refused' since global server is disabled" 3137 run_cmd nettest -6 -D -s & 3138 sleep 1 3139 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3140 log_test_addr ${a} $? 1 "Global server, VRF client, local conn" 3141 done 3142 3143 for a in ${NSA_IP6} ${VRF_IP6} 3144 do 3145 log_start 3146 run_cmd nettest -6 -D -I ${VRF} -s & 3147 sleep 1 3148 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3149 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3150 done 3151 3152 a=${NSA_IP6} 3153 log_start 3154 show_hint "Should fail 'Connection refused' since global server is disabled" 3155 run_cmd nettest -6 -D -s & 3156 sleep 1 3157 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3158 log_test_addr ${a} $? 1 "Global server, device client, local conn" 3159 3160 log_start 3161 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3162 sleep 1 3163 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3164 log_test_addr ${a} $? 
0 "VRF server, device client, local conn" 3165 3166 log_start 3167 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3168 sleep 1 3169 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3170 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 3171 3172 log_start 3173 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3174 sleep 1 3175 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3176 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 3177 3178 # disable global server 3179 log_subsection "Global server enabled" 3180 set_sysctl net.ipv4.udp_l3mdev_accept=1 3181 3182 # 3183 # server tests 3184 # 3185 for a in ${NSA_IP6} ${VRF_IP6} 3186 do 3187 log_start 3188 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3189 sleep 1 3190 run_cmd_nsb nettest -6 -D -r ${a} 3191 log_test_addr ${a} $? 0 "Global server" 3192 done 3193 3194 for a in ${NSA_IP6} ${VRF_IP6} 3195 do 3196 log_start 3197 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3198 sleep 1 3199 run_cmd_nsb nettest -6 -D -r ${a} 3200 log_test_addr ${a} $? 0 "VRF server" 3201 done 3202 3203 for a in ${NSA_IP6} ${VRF_IP6} 3204 do 3205 log_start 3206 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3207 sleep 1 3208 run_cmd_nsb nettest -6 -D -r ${a} 3209 log_test_addr ${a} $? 0 "Enslaved device server" 3210 done 3211 3212 # negative test - should fail 3213 for a in ${NSA_IP6} ${VRF_IP6} 3214 do 3215 log_start 3216 run_cmd_nsb nettest -6 -D -r ${a} 3217 log_test_addr ${a} $? 1 "No server" 3218 done 3219 3220 # 3221 # client tests 3222 # 3223 log_start 3224 run_cmd_nsb nettest -6 -D -s & 3225 sleep 1 3226 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3227 log_test $? 0 "VRF client" 3228 3229 # negative test - should fail 3230 log_start 3231 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3232 log_test $? 1 "No server, VRF client" 3233 3234 log_start 3235 run_cmd_nsb nettest -6 -D -s & 3236 sleep 1 3237 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3238 log_test $? 
0 "Enslaved device client" 3239 3240 # negative test - should fail 3241 log_start 3242 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3243 log_test $? 1 "No server, enslaved device client" 3244 3245 # 3246 # local address tests 3247 # 3248 a=${NSA_IP6} 3249 log_start 3250 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3251 sleep 1 3252 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3253 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 3254 3255 #log_start 3256 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3257 sleep 1 3258 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3259 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3260 3261 3262 a=${VRF_IP6} 3263 log_start 3264 run_cmd nettest -6 -D -s -3 ${VRF} & 3265 sleep 1 3266 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3267 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 3268 3269 log_start 3270 run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} & 3271 sleep 1 3272 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3273 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3274 3275 # negative test - should fail 3276 for a in ${NSA_IP6} ${VRF_IP6} 3277 do 3278 log_start 3279 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3280 log_test_addr ${a} $? 1 "No server, VRF client, local conn" 3281 done 3282 3283 # device to global IP 3284 a=${NSA_IP6} 3285 log_start 3286 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3287 sleep 1 3288 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3289 log_test_addr ${a} $? 0 "Global server, device client, local conn" 3290 3291 log_start 3292 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} & 3293 sleep 1 3294 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3295 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 3296 3297 log_start 3298 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3299 sleep 1 3300 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3301 log_test_addr ${a} $? 
0 "Device server, VRF client, local conn" 3302 3303 log_start 3304 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3305 sleep 1 3306 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3307 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3308 3309 log_start 3310 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3311 log_test_addr ${a} $? 1 "No server, device client, local conn" 3312 3313 3314 # link local addresses 3315 log_start 3316 run_cmd nettest -6 -D -s & 3317 sleep 1 3318 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3319 log_test $? 0 "Global server, linklocal IP" 3320 3321 log_start 3322 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3323 log_test $? 1 "No server, linklocal IP" 3324 3325 3326 log_start 3327 run_cmd_nsb nettest -6 -D -s & 3328 sleep 1 3329 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3330 log_test $? 0 "Enslaved device client, linklocal IP" 3331 3332 log_start 3333 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3334 log_test $? 1 "No server, device client, peer linklocal IP" 3335 3336 3337 log_start 3338 run_cmd nettest -6 -D -s & 3339 sleep 1 3340 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3341 log_test $? 0 "Enslaved device client, local conn - linklocal IP" 3342 3343 log_start 3344 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3345 log_test $? 1 "No server, device client, local conn - linklocal IP" 3346 3347 # LLA to GUA 3348 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3349 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3350 log_start 3351 run_cmd nettest -6 -s -D & 3352 sleep 1 3353 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3354 log_test $? 
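0 "UDP in - LLA to GUA"

	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}

#
# Run the IPv6 UDP cases: ipv6_udp_novrf twice after a plain setup (with
# udp_l3mdev_accept set to 0, then to 1), then ipv6_udp_vrf after
# setup "yes".
#
ipv6_udp()
{
	# should not matter, but set to known state
	set_sysctl net.ipv4.udp_early_demux=1

	log_section "IPv6/UDP"
	log_subsection "No VRF"
	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv6_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv6_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_udp_vrf
}

################################################################################
# IPv6 address bind

#
# Address bind tests without a VRF: raw (ipv6-icmp) and TCP sockets are
# bound to a local address (-l), with and without a device bind (-I).
#
ipv6_addr_bind_novrf()
{
	# keep the loop variable local, as the other test functions here do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# tcp sockets
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# expected rc 1: the loopback address is out of scope once the
	# socket is bound to NSA_DEV
	a=${NSA_LO_IP6}
	log_start
	show_hint "Should fail with 'Cannot assign requested address'"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
}

#
# Address bind tests with a VRF: addresses on the enslaved device and on
# the VRF device must bind; the address on loopback, which per the hints
# is outside the VRF's scope, must be rejected (expected rc 1).
#
ipv6_addr_bind_vrf()
{
	# keep the loop variable local, as the other test functions here do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"

	#
	# tcp sockets
	#
	# address on enslaved device is valid for the VRF or device in a VRF
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"

	a=${VRF_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to VRF address with device bind"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"

}

#
# Run the IPv6 address bind cases: ipv6_addr_bind_novrf after a plain
# setup, then ipv6_addr_bind_vrf after setup "yes".
#
ipv6_addr_bind()
{
	log_section "IPv6 address binds"

	log_subsection "No VRF"
	setup
	ipv6_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_addr_bind_vrf
}

################################################################################
# IPv6 runtime tests

ipv6_rt()
{
	local desc="$1"
	local varg="-6 $2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${NSA_DEV} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, enslaved device server"

		setup ${with_vrf}
	done

	#
	# client test
	#
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, 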
enslaved device client" 3567 3568 setup ${with_vrf} 3569 3570 3571 # 3572 # local address tests 3573 # 3574 for a in ${NSA_IP6} ${VRF_IP6} 3575 do 3576 log_start 3577 run_cmd nettest ${varg} -s & 3578 sleep 1 3579 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 3580 sleep 3 3581 run_cmd ip link del ${VRF} 3582 sleep 1 3583 log_test_addr ${a} 0 0 "${desc}, global server, VRF client" 3584 3585 setup ${with_vrf} 3586 done 3587 3588 for a in ${NSA_IP6} ${VRF_IP6} 3589 do 3590 log_start 3591 run_cmd nettest ${varg} -I ${VRF} -s & 3592 sleep 1 3593 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 3594 sleep 3 3595 run_cmd ip link del ${VRF} 3596 sleep 1 3597 log_test_addr ${a} 0 0 "${desc}, VRF server and client" 3598 3599 setup ${with_vrf} 3600 done 3601 3602 a=${NSA_IP6} 3603 log_start 3604 run_cmd nettest ${varg} -s & 3605 sleep 1 3606 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 3607 sleep 3 3608 run_cmd ip link del ${VRF} 3609 sleep 1 3610 log_test_addr ${a} 0 0 "${desc}, global server, device client" 3611 3612 setup ${with_vrf} 3613 3614 log_start 3615 run_cmd nettest ${varg} -I ${VRF} -s & 3616 sleep 1 3617 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 3618 sleep 3 3619 run_cmd ip link del ${VRF} 3620 sleep 1 3621 log_test_addr ${a} 0 0 "${desc}, VRF server, device client" 3622 3623 setup ${with_vrf} 3624 3625 log_start 3626 run_cmd nettest ${varg} -I ${NSA_DEV} -s & 3627 sleep 1 3628 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 3629 sleep 3 3630 run_cmd ip link del ${VRF} 3631 sleep 1 3632 log_test_addr ${a} 0 0 "${desc}, device server, device client" 3633} 3634 3635ipv6_ping_rt() 3636{ 3637 local with_vrf="yes" 3638 local a 3639 3640 a=${NSA_IP6} 3641 log_start 3642 run_cmd_nsb ${ping6} -f ${a} & 3643 sleep 3 3644 run_cmd ip link del ${VRF} 3645 sleep 1 3646 log_test_addr ${a} 0 0 "Device delete with active traffic - ping in" 3647 3648 setup ${with_vrf} 3649 3650 log_start 3651 run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} & 3652 sleep 1 3653 run_cmd ip link del 
${VRF} 3654 sleep 1 3655 log_test_addr ${a} 0 0 "Device delete with active traffic - ping out" 3656} 3657 3658ipv6_runtime() 3659{ 3660 log_section "Run time tests - ipv6" 3661 3662 setup "yes" 3663 ipv6_ping_rt 3664 3665 setup "yes" 3666 ipv6_rt "TCP active socket" "-n -1" 3667 3668 setup "yes" 3669 ipv6_rt "TCP passive socket" "-i" 3670 3671 setup "yes" 3672 ipv6_rt "UDP active socket" "-D -n -1" 3673} 3674 3675################################################################################ 3676# netfilter blocking connections 3677 3678netfilter_tcp_reset() 3679{ 3680 local a 3681 3682 for a in ${NSA_IP} ${VRF_IP} 3683 do 3684 log_start 3685 run_cmd nettest -s & 3686 sleep 1 3687 run_cmd_nsb nettest -r ${a} 3688 log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx" 3689 done 3690} 3691 3692netfilter_icmp() 3693{ 3694 local stype="$1" 3695 local arg 3696 local a 3697 3698 [ "${stype}" = "UDP" ] && arg="-D" 3699 3700 for a in ${NSA_IP} ${VRF_IP} 3701 do 3702 log_start 3703 run_cmd nettest ${arg} -s & 3704 sleep 1 3705 run_cmd_nsb nettest ${arg} -r ${a} 3706 log_test_addr ${a} $? 
1 "Global ${stype} server, Rx reject icmp-port-unreach" 3707 done 3708} 3709 3710ipv4_netfilter() 3711{ 3712 log_section "IPv4 Netfilter" 3713 log_subsection "TCP reset" 3714 3715 setup "yes" 3716 run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset 3717 3718 netfilter_tcp_reset 3719 3720 log_start 3721 log_subsection "ICMP unreachable" 3722 3723 log_start 3724 run_cmd iptables -F 3725 run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable 3726 run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable 3727 3728 netfilter_icmp "TCP" 3729 netfilter_icmp "UDP" 3730 3731 log_start 3732 iptables -F 3733} 3734 3735netfilter_tcp6_reset() 3736{ 3737 local a 3738 3739 for a in ${NSA_IP6} ${VRF_IP6} 3740 do 3741 log_start 3742 run_cmd nettest -6 -s & 3743 sleep 1 3744 run_cmd_nsb nettest -6 -r ${a} 3745 log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx" 3746 done 3747} 3748 3749netfilter_icmp6() 3750{ 3751 local stype="$1" 3752 local arg 3753 local a 3754 3755 [ "${stype}" = "UDP" ] && arg="$arg -D" 3756 3757 for a in ${NSA_IP6} ${VRF_IP6} 3758 do 3759 log_start 3760 run_cmd nettest -6 -s ${arg} & 3761 sleep 1 3762 run_cmd_nsb nettest -6 ${arg} -r ${a} 3763 log_test_addr ${a} $? 
1 "Global ${stype} server, Rx reject icmp-port-unreach" 3764 done 3765} 3766 3767ipv6_netfilter() 3768{ 3769 log_section "IPv6 Netfilter" 3770 log_subsection "TCP reset" 3771 3772 setup "yes" 3773 run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset 3774 3775 netfilter_tcp6_reset 3776 3777 log_subsection "ICMP unreachable" 3778 3779 log_start 3780 run_cmd ip6tables -F 3781 run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable 3782 run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable 3783 3784 netfilter_icmp6 "TCP" 3785 netfilter_icmp6 "UDP" 3786 3787 log_start 3788 ip6tables -F 3789} 3790 3791################################################################################ 3792# specific use cases 3793 3794# VRF only. 3795# ns-A device enslaved to bridge. Verify traffic with and without 3796# br_netfilter module loaded. Repeat with SVI on bridge. 3797use_case_br() 3798{ 3799 setup "yes" 3800 3801 setup_cmd ip link set ${NSA_DEV} down 3802 setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24 3803 setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64 3804 3805 setup_cmd ip link add br0 type bridge 3806 setup_cmd ip addr add dev br0 ${NSA_IP}/24 3807 setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad 3808 3809 setup_cmd ip li set ${NSA_DEV} master br0 3810 setup_cmd ip li set ${NSA_DEV} up 3811 setup_cmd ip li set br0 up 3812 setup_cmd ip li set br0 vrf ${VRF} 3813 3814 rmmod br_netfilter 2>/dev/null 3815 sleep 5 # DAD 3816 3817 run_cmd ip neigh flush all 3818 run_cmd ping -c1 -w1 -I br0 ${NSB_IP} 3819 log_test $? 0 "Bridge into VRF - IPv4 ping out" 3820 3821 run_cmd ip neigh flush all 3822 run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6} 3823 log_test $? 0 "Bridge into VRF - IPv6 ping out" 3824 3825 run_cmd ip neigh flush all 3826 run_cmd_nsb ping -c1 -w1 ${NSA_IP} 3827 log_test $? 
0 "Bridge into VRF - IPv4 ping in" 3828 3829 run_cmd ip neigh flush all 3830 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 3831 log_test $? 0 "Bridge into VRF - IPv6 ping in" 3832 3833 modprobe br_netfilter 3834 if [ $? -eq 0 ]; then 3835 run_cmd ip neigh flush all 3836 run_cmd ping -c1 -w1 -I br0 ${NSB_IP} 3837 log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out" 3838 3839 run_cmd ip neigh flush all 3840 run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6} 3841 log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out" 3842 3843 run_cmd ip neigh flush all 3844 run_cmd_nsb ping -c1 -w1 ${NSA_IP} 3845 log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in" 3846 3847 run_cmd ip neigh flush all 3848 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 3849 log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in" 3850 fi 3851 3852 setup_cmd ip li set br0 nomaster 3853 setup_cmd ip li add br0.100 link br0 type vlan id 100 3854 setup_cmd ip li set br0.100 vrf ${VRF} up 3855 setup_cmd ip addr add dev br0.100 172.16.101.1/24 3856 setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad 3857 3858 setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100 3859 setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24 3860 setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad 3861 setup_cmd_nsb ip li set vlan100 up 3862 sleep 1 3863 3864 rmmod br_netfilter 2>/dev/null 3865 3866 run_cmd ip neigh flush all 3867 run_cmd ping -c1 -w1 -I br0.100 172.16.101.2 3868 log_test $? 0 "Bridge vlan into VRF - IPv4 ping out" 3869 3870 run_cmd ip neigh flush all 3871 run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2 3872 log_test $? 0 "Bridge vlan into VRF - IPv6 ping out" 3873 3874 run_cmd ip neigh flush all 3875 run_cmd_nsb ping -c1 -w1 172.16.101.1 3876 log_test $? 0 "Bridge vlan into VRF - IPv4 ping in" 3877 3878 run_cmd ip neigh flush all 3879 run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1 3880 log_test $? 
0 "Bridge vlan into VRF - IPv6 ping in" 3881 3882 modprobe br_netfilter 3883 if [ $? -eq 0 ]; then 3884 run_cmd ip neigh flush all 3885 run_cmd ping -c1 -w1 -I br0.100 172.16.101.2 3886 log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out" 3887 3888 run_cmd ip neigh flush all 3889 run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2 3890 log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out" 3891 3892 run_cmd ip neigh flush all 3893 run_cmd_nsb ping -c1 -w1 172.16.101.1 3894 log_test $? 0 "Bridge vlan into VRF - IPv4 ping in" 3895 3896 run_cmd ip neigh flush all 3897 run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1 3898 log_test $? 0 "Bridge vlan into VRF - IPv6 ping in" 3899 fi 3900 3901 setup_cmd ip li del br0 2>/dev/null 3902 setup_cmd_nsb ip li del vlan100 2>/dev/null 3903} 3904 3905# VRF only. 3906# ns-A device is connected to both ns-B and ns-C on a single VRF but only has 3907# LLA on the interfaces 3908use_case_ping_lla_multi() 3909{ 3910 setup_lla_only 3911 # only want reply from ns-A 3912 setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1 3913 setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1 3914 3915 log_start 3916 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV} 3917 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B" 3918 3919 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV} 3920 log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C" 3921 3922 # cycle/flap the first ns-A interface 3923 setup_cmd ip link set ${NSA_DEV} down 3924 setup_cmd ip link set ${NSA_DEV} up 3925 sleep 1 3926 3927 log_start 3928 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV} 3929 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B" 3930 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV} 3931 log_test_addr ${MCAST}%${NSC_DEV} $? 
0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C" 3932 3933 # cycle/flap the second ns-A interface 3934 setup_cmd ip link set ${NSA_DEV2} down 3935 setup_cmd ip link set ${NSA_DEV2} up 3936 sleep 1 3937 3938 log_start 3939 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV} 3940 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B" 3941 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV} 3942 log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C" 3943} 3944 3945# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully 3946# established with ns-B. 3947use_case_snat_on_vrf() 3948{ 3949 setup "yes" 3950 3951 local port="12345" 3952 3953 run_cmd iptables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF} 3954 run_cmd ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF} 3955 3956 run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} & 3957 sleep 1 3958 run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port} 3959 log_test $? 0 "IPv4 TCP connection over VRF with SNAT" 3960 3961 run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} & 3962 sleep 1 3963 run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port} 3964 log_test $? 
0 "IPv6 TCP connection over VRF with SNAT" 3965 3966 # Cleanup 3967 run_cmd iptables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF} 3968 run_cmd ip6tables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF} 3969} 3970 3971use_cases() 3972{ 3973 log_section "Use cases" 3974 log_subsection "Device enslaved to bridge" 3975 use_case_br 3976 log_subsection "Ping LLA with multiple interfaces" 3977 use_case_ping_lla_multi 3978 log_subsection "SNAT on VRF" 3979 use_case_snat_on_vrf 3980} 3981 3982################################################################################ 3983# usage 3984 3985usage() 3986{ 3987 cat <<EOF 3988usage: ${0##*/} OPTS 3989 3990 -4 IPv4 tests only 3991 -6 IPv6 tests only 3992 -t <test> Test name/set to run 3993 -p Pause on fail 3994 -P Pause after each test 3995 -v Be verbose 3996EOF 3997} 3998 3999################################################################################ 4000# main 4001 4002TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_addr_bind ipv4_runtime ipv4_netfilter" 4003TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_addr_bind ipv6_runtime ipv6_netfilter" 4004TESTS_OTHER="use_cases" 4005 4006PAUSE_ON_FAIL=no 4007PAUSE=no 4008 4009while getopts :46t:pPvh o 4010do 4011 case $o in 4012 4) TESTS=ipv4;; 4013 6) TESTS=ipv6;; 4014 t) TESTS=$OPTARG;; 4015 p) PAUSE_ON_FAIL=yes;; 4016 P) PAUSE=yes;; 4017 v) VERBOSE=1;; 4018 h) usage; exit 0;; 4019 *) usage; exit 1;; 4020 esac 4021done 4022 4023# make sure we don't pause twice 4024[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no 4025 4026# 4027# show user test config 4028# 4029if [ -z "$TESTS" ]; then 4030 TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER" 4031elif [ "$TESTS" = "ipv4" ]; then 4032 TESTS="$TESTS_IPV4" 4033elif [ "$TESTS" = "ipv6" ]; then 4034 TESTS="$TESTS_IPV6" 4035fi 4036 4037which nettest >/dev/null 4038if [ $? 
-ne 0 ]; then 4039 echo "'nettest' command not found; skipping tests" 4040 exit $ksft_skip 4041fi 4042 4043declare -i nfail=0 4044declare -i nsuccess=0 4045 4046for t in $TESTS 4047do 4048 case $t in 4049 ipv4_ping|ping) ipv4_ping;; 4050 ipv4_tcp|tcp) ipv4_tcp;; 4051 ipv4_udp|udp) ipv4_udp;; 4052 ipv4_bind|bind) ipv4_addr_bind;; 4053 ipv4_runtime) ipv4_runtime;; 4054 ipv4_netfilter) ipv4_netfilter;; 4055 4056 ipv6_ping|ping6) ipv6_ping;; 4057 ipv6_tcp|tcp6) ipv6_tcp;; 4058 ipv6_udp|udp6) ipv6_udp;; 4059 ipv6_bind|bind6) ipv6_addr_bind;; 4060 ipv6_runtime) ipv6_runtime;; 4061 ipv6_netfilter) ipv6_netfilter;; 4062 4063 use_cases) use_cases;; 4064 4065 # setup namespaces and config, but do not run any tests 4066 setup) setup; exit 0;; 4067 vrf_setup) setup "yes"; exit 0;; 4068 4069 help) echo "Test names: $TESTS"; exit 0;; 4070 esac 4071done 4072 4073cleanup 2>/dev/null 4074 4075printf "\nTests passed: %3d\n" ${nsuccess} 4076printf "Tests failed: %3d\n" ${nfail} 4077