xref: /linux/tools/testing/selftests/net/fcnal-test.sh (revision 8e07e0e3964ca4e23ce7b68e2096fe660a888942)
1#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0
3#
4# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
5#
6# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
7# for various permutations:
8#   1. icmp, tcp, udp and netfilter
9#   2. client, server, no-server
10#   3. global address on interface
11#   4. global address on 'lo'
12#   5. remote and local traffic
13#   6. VRF and non-VRF permutations
14#
15# Setup:
16#                     ns-A     |     ns-B
17# No VRF case:
18#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
19#                                                remote address
20# VRF case:
21#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
22#
23# ns-A:
24#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
25#       lo: 127.0.0.1/8, ::1/128
26#           172.16.2.1/32, 2001:db8:2::1/128
27#      red: 127.0.0.1/8, ::1/128
28#           172.16.3.1/32, 2001:db8:3::1/128
29#
30# ns-B:
31#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
32#      lo2: 127.0.0.1/8, ::1/128
33#           172.16.2.2/32, 2001:db8:2::2/128
34#
35# ns-A to ns-C connection - only for VRF and same config
36# as ns-A to ns-B
37#
38# server / client nomenclature relative to ns-A
39
40# Kselftest framework requirement - SKIP code is 4.
41ksft_skip=4
42
43VERBOSE=0
44
45NSA_DEV=eth1
46NSA_DEV2=eth2
47NSB_DEV=eth1
48NSC_DEV=eth2
49VRF=red
50VRF_TABLE=1101
51
52# IPv4 config
53NSA_IP=172.16.1.1
54NSB_IP=172.16.1.2
55VRF_IP=172.16.3.1
56NS_NET=172.16.1.0/24
57
58# IPv6 config
59NSA_IP6=2001:db8:1::1
60NSB_IP6=2001:db8:1::2
61VRF_IP6=2001:db8:3::1
62NS_NET6=2001:db8:1::/120
63
64NSA_LO_IP=172.16.2.1
65NSB_LO_IP=172.16.2.2
66NSA_LO_IP6=2001:db8:2::1
67NSB_LO_IP6=2001:db8:2::2
68
69# non-local addresses for freebind tests
70NL_IP=172.17.1.1
71NL_IP6=2001:db8:4::1
72
73# multicast and broadcast addresses
74MCAST_IP=224.0.0.1
75BCAST_IP=255.255.255.255
76
77MD5_PW=abc123
78MD5_WRONG_PW=abc1234
79
80MCAST=ff02::1
81# set after namespace create
82NSA_LINKIP6=
83NSB_LINKIP6=
84
85NSA=ns-A
86NSB=ns-B
87NSC=ns-C
88
89NSA_CMD="ip netns exec ${NSA}"
90NSB_CMD="ip netns exec ${NSB}"
91NSC_CMD="ip netns exec ${NSC}"
92
93which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)
94
95# Check if FIPS mode is enabled
96if [ -f /proc/sys/crypto/fips_enabled ]; then
97	fips_enabled=`cat /proc/sys/crypto/fips_enabled`
98else
99	fips_enabled=0
100fi
101
102################################################################################
103# utilities
104
105log_test()
106{
107	local rc=$1
108	local expected=$2
109	local msg="$3"
110
111	[ "${VERBOSE}" = "1" ] && echo
112
113	if [ ${rc} -eq ${expected} ]; then
114		nsuccess=$((nsuccess+1))
115		printf "TEST: %-70s  [ OK ]\n" "${msg}"
116	else
117		nfail=$((nfail+1))
118		printf "TEST: %-70s  [FAIL]\n" "${msg}"
119		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
120			echo
121			echo "hit enter to continue, 'q' to quit"
122			read a
123			[ "$a" = "q" ] && exit 1
124		fi
125	fi
126
127	if [ "${PAUSE}" = "yes" ]; then
128		echo
129		echo "hit enter to continue, 'q' to quit"
130		read a
131		[ "$a" = "q" ] && exit 1
132	fi
133
134	kill_procs
135}
136
137log_test_addr()
138{
139	local addr=$1
140	local rc=$2
141	local expected=$3
142	local msg="$4"
143	local astr
144
145	astr=$(addr2str ${addr})
146	log_test $rc $expected "$msg - ${astr}"
147}
148
149log_section()
150{
151	echo
152	echo "###########################################################################"
153	echo "$*"
154	echo "###########################################################################"
155	echo
156}
157
158log_subsection()
159{
160	echo
161	echo "#################################################################"
162	echo "$*"
163	echo
164}
165
166log_start()
167{
168	# make sure we have no test instances running
169	kill_procs
170
171	if [ "${VERBOSE}" = "1" ]; then
172		echo
173		echo "#######################################################"
174	fi
175}
176
177log_debug()
178{
179	if [ "${VERBOSE}" = "1" ]; then
180		echo
181		echo "$*"
182		echo
183	fi
184}
185
186show_hint()
187{
188	if [ "${VERBOSE}" = "1" ]; then
189		echo "HINT: $*"
190		echo
191	fi
192}
193
194kill_procs()
195{
196	killall nettest ping ping6 >/dev/null 2>&1
197	sleep 1
198}
199
200do_run_cmd()
201{
202	local cmd="$*"
203	local out
204
205	if [ "$VERBOSE" = "1" ]; then
206		echo "COMMAND: ${cmd}"
207	fi
208
209	out=$($cmd 2>&1)
210	rc=$?
211	if [ "$VERBOSE" = "1" -a -n "$out" ]; then
212		echo "$out"
213	fi
214
215	return $rc
216}
217
218run_cmd()
219{
220	do_run_cmd ${NSA_CMD} $*
221}
222
223run_cmd_nsb()
224{
225	do_run_cmd ${NSB_CMD} $*
226}
227
228run_cmd_nsc()
229{
230	do_run_cmd ${NSC_CMD} $*
231}
232
233setup_cmd()
234{
235	local cmd="$*"
236	local rc
237
238	run_cmd ${cmd}
239	rc=$?
240	if [ $rc -ne 0 ]; then
241		# show user the command if not done so already
242		if [ "$VERBOSE" = "0" ]; then
243			echo "setup command: $cmd"
244		fi
245		echo "failed. stopping tests"
246		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
247			echo
248			echo "hit enter to continue"
249			read a
250		fi
251		exit $rc
252	fi
253}
254
255setup_cmd_nsb()
256{
257	local cmd="$*"
258	local rc
259
260	run_cmd_nsb ${cmd}
261	rc=$?
262	if [ $rc -ne 0 ]; then
263		# show user the command if not done so already
264		if [ "$VERBOSE" = "0" ]; then
265			echo "setup command: $cmd"
266		fi
267		echo "failed. stopping tests"
268		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
269			echo
270			echo "hit enter to continue"
271			read a
272		fi
273		exit $rc
274	fi
275}
276
277setup_cmd_nsc()
278{
279	local cmd="$*"
280	local rc
281
282	run_cmd_nsc ${cmd}
283	rc=$?
284	if [ $rc -ne 0 ]; then
285		# show user the command if not done so already
286		if [ "$VERBOSE" = "0" ]; then
287			echo "setup command: $cmd"
288		fi
289		echo "failed. stopping tests"
290		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
291			echo
292			echo "hit enter to continue"
293			read a
294		fi
295		exit $rc
296	fi
297}
298
299# set sysctl values in NS-A
300set_sysctl()
301{
302	echo "SYSCTL: $*"
303	echo
304	run_cmd sysctl -q -w $*
305}
306
307# get sysctl values in NS-A
308get_sysctl()
309{
310	${NSA_CMD} sysctl -n $*
311}
312
313################################################################################
314# Setup for tests
315
316addr2str()
317{
318	case "$1" in
319	127.0.0.1) echo "loopback";;
320	::1) echo "IPv6 loopback";;
321
322	${BCAST_IP}) echo "broadcast";;
323	${MCAST_IP}) echo "multicast";;
324
325	${NSA_IP})	echo "ns-A IP";;
326	${NSA_IP6})	echo "ns-A IPv6";;
327	${NSA_LO_IP})	echo "ns-A loopback IP";;
328	${NSA_LO_IP6})	echo "ns-A loopback IPv6";;
329	${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;
330
331	${NSB_IP})	echo "ns-B IP";;
332	${NSB_IP6})	echo "ns-B IPv6";;
333	${NSB_LO_IP})	echo "ns-B loopback IP";;
334	${NSB_LO_IP6})	echo "ns-B loopback IPv6";;
335	${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;
336
337	${NL_IP})       echo "nonlocal IP";;
338	${NL_IP6})      echo "nonlocal IPv6";;
339
340	${VRF_IP})	echo "VRF IP";;
341	${VRF_IP6})	echo "VRF IPv6";;
342
343	${MCAST}%*)	echo "multicast IP";;
344
345	*) echo "unknown";;
346	esac
347}
348
349get_linklocal()
350{
351	local ns=$1
352	local dev=$2
353	local addr
354
355	addr=$(ip -netns ${ns} -6 -br addr show dev ${dev} | \
356	awk '{
357		for (i = 3; i <= NF; ++i) {
358			if ($i ~ /^fe80/)
359				print $i
360		}
361	}'
362	)
363	addr=${addr/\/*}
364
365	[ -z "$addr" ] && return 1
366
367	echo $addr
368
369	return 0
370}
371
372################################################################################
373# create namespaces and vrf
374
375create_vrf()
376{
377	local ns=$1
378	local vrf=$2
379	local table=$3
380	local addr=$4
381	local addr6=$5
382
383	ip -netns ${ns} link add ${vrf} type vrf table ${table}
384	ip -netns ${ns} link set ${vrf} up
385	ip -netns ${ns} route add vrf ${vrf} unreachable default metric 8192
386	ip -netns ${ns} -6 route add vrf ${vrf} unreachable default metric 8192
387
388	ip -netns ${ns} addr add 127.0.0.1/8 dev ${vrf}
389	ip -netns ${ns} -6 addr add ::1 dev ${vrf} nodad
390	if [ "${addr}" != "-" ]; then
391		ip -netns ${ns} addr add dev ${vrf} ${addr}
392	fi
393	if [ "${addr6}" != "-" ]; then
394		ip -netns ${ns} -6 addr add dev ${vrf} ${addr6}
395	fi
396
397	ip -netns ${ns} ru del pref 0
398	ip -netns ${ns} ru add pref 32765 from all lookup local
399	ip -netns ${ns} -6 ru del pref 0
400	ip -netns ${ns} -6 ru add pref 32765 from all lookup local
401}
402
403create_ns()
404{
405	local ns=$1
406	local addr=$2
407	local addr6=$3
408
409	ip netns add ${ns}
410
411	ip -netns ${ns} link set lo up
412	if [ "${addr}" != "-" ]; then
413		ip -netns ${ns} addr add dev lo ${addr}
414	fi
415	if [ "${addr6}" != "-" ]; then
416		ip -netns ${ns} -6 addr add dev lo ${addr6}
417	fi
418
419	ip -netns ${ns} ro add unreachable default metric 8192
420	ip -netns ${ns} -6 ro add unreachable default metric 8192
421
422	ip netns exec ${ns} sysctl -qw net.ipv4.ip_forward=1
423	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
424	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.forwarding=1
425	ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.forwarding=1
426}
427
428# create veth pair to connect namespaces and apply addresses.
429connect_ns()
430{
431	local ns1=$1
432	local ns1_dev=$2
433	local ns1_addr=$3
434	local ns1_addr6=$4
435	local ns2=$5
436	local ns2_dev=$6
437	local ns2_addr=$7
438	local ns2_addr6=$8
439
440	ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp
441	ip -netns ${ns1} li set ${ns1_dev} up
442	ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev}
443	ip -netns ${ns2} li set ${ns2_dev} up
444
445	if [ "${ns1_addr}" != "-" ]; then
446		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr}
447		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr}
448	fi
449
450	if [ "${ns1_addr6}" != "-" ]; then
451		ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6}
452		ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6}
453	fi
454}
455
456cleanup()
457{
458	# explicit cleanups to check those code paths
459	ip netns | grep -q ${NSA}
460	if [ $? -eq 0 ]; then
461		ip -netns ${NSA} link delete ${VRF}
462		ip -netns ${NSA} ro flush table ${VRF_TABLE}
463
464		ip -netns ${NSA} addr flush dev ${NSA_DEV}
465		ip -netns ${NSA} -6 addr flush dev ${NSA_DEV}
466		ip -netns ${NSA} link set dev ${NSA_DEV} down
467		ip -netns ${NSA} link del dev ${NSA_DEV}
468
469		ip netns pids ${NSA} | xargs kill 2>/dev/null
470		ip netns del ${NSA}
471	fi
472
473	ip netns pids ${NSB} | xargs kill 2>/dev/null
474	ip netns del ${NSB}
475	ip netns pids ${NSC} | xargs kill 2>/dev/null
476	ip netns del ${NSC} >/dev/null 2>&1
477}
478
479cleanup_vrf_dup()
480{
481	ip link del ${NSA_DEV2} >/dev/null 2>&1
482	ip netns pids ${NSC} | xargs kill 2>/dev/null
483	ip netns del ${NSC} >/dev/null 2>&1
484}
485
486setup_vrf_dup()
487{
488	# some VRF tests use ns-C which has the same config as
489	# ns-B but for a device NOT in the VRF
490	create_ns ${NSC} "-" "-"
491	connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \
492		   ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
493}
494
495setup()
496{
497	local with_vrf=${1}
498
499	# make sure we are starting with a clean slate
500	kill_procs
501	cleanup 2>/dev/null
502
503	log_debug "Configuring network namespaces"
504	set -e
505
506	create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128
507	create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128
508	connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \
509		   ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
510
511	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
512	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
513
514	# tell ns-A how to get to remote addresses of ns-B
515	if [ "${with_vrf}" = "yes" ]; then
516		create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6}
517
518		ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
519		ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
520		ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
521
522		ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
523		ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
524	else
525		ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
526		ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
527	fi
528
529
530	# tell ns-B how to get to remote addresses of ns-A
531	ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
532	ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
533
534	set +e
535
536	sleep 1
537}
538
539setup_lla_only()
540{
541	# make sure we are starting with a clean slate
542	kill_procs
543	cleanup 2>/dev/null
544
545	log_debug "Configuring network namespaces"
546	set -e
547
548	create_ns ${NSA} "-" "-"
549	create_ns ${NSB} "-" "-"
550	create_ns ${NSC} "-" "-"
551	connect_ns ${NSA} ${NSA_DEV} "-" "-" \
552		   ${NSB} ${NSB_DEV} "-" "-"
553	connect_ns ${NSA} ${NSA_DEV2} "-" "-" \
554		   ${NSC} ${NSC_DEV}  "-" "-"
555
556	NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
557	NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
558	NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV})
559
560	create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-"
561	ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
562	ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF}
563
564	set +e
565
566	sleep 1
567}
568
569################################################################################
570# IPv4
571
572ipv4_ping_novrf()
573{
574	local a
575
576	#
577	# out
578	#
579	for a in ${NSB_IP} ${NSB_LO_IP}
580	do
581		log_start
582		run_cmd ping -c1 -w1 ${a}
583		log_test_addr ${a} $? 0 "ping out"
584
585		log_start
586		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
587		log_test_addr ${a} $? 0 "ping out, device bind"
588
589		log_start
590		run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a}
591		log_test_addr ${a} $? 0 "ping out, address bind"
592	done
593
594	#
595	# out, but don't use gateway if peer is not on link
596	#
597	a=${NSB_IP}
598	log_start
599	run_cmd ping -c 1 -w 1 -r ${a}
600	log_test_addr ${a} $? 0 "ping out (don't route), peer on link"
601
602	a=${NSB_LO_IP}
603	log_start
604	show_hint "Fails since peer is not on link"
605	run_cmd ping -c 1 -w 1 -r ${a}
606	log_test_addr ${a} $? 1 "ping out (don't route), peer not on link"
607
608	#
609	# in
610	#
611	for a in ${NSA_IP} ${NSA_LO_IP}
612	do
613		log_start
614		run_cmd_nsb ping -c1 -w1 ${a}
615		log_test_addr ${a} $? 0 "ping in"
616	done
617
618	#
619	# local traffic
620	#
621	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
622	do
623		log_start
624		run_cmd ping -c1 -w1 ${a}
625		log_test_addr ${a} $? 0 "ping local"
626	done
627
628	#
629	# local traffic, socket bound to device
630	#
631	# address on device
632	a=${NSA_IP}
633	log_start
634	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
635	log_test_addr ${a} $? 0 "ping local, device bind"
636
637	# loopback addresses not reachable from device bind
638	# fails in a really weird way though because ipv4 special cases
639	# route lookups with oif set.
640	for a in ${NSA_LO_IP} 127.0.0.1
641	do
642		log_start
643		show_hint "Fails since address on loopback device is out of device scope"
644		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
645		log_test_addr ${a} $? 1 "ping local, device bind"
646	done
647
648	#
649	# ip rule blocks reachability to remote address
650	#
651	log_start
652	setup_cmd ip rule add pref 32765 from all lookup local
653	setup_cmd ip rule del pref 0 from all lookup local
654	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
655	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit
656
657	a=${NSB_LO_IP}
658	run_cmd ping -c1 -w1 ${a}
659	log_test_addr ${a} $? 2 "ping out, blocked by rule"
660
661	# NOTE: ipv4 actually allows the lookup to fail and yet still create
662	# a viable rtable if the oif (e.g., bind to device) is set, so this
663	# case succeeds despite the rule
664	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
665
666	a=${NSA_LO_IP}
667	log_start
668	show_hint "Response generates ICMP (or arp request is ignored) due to ip rule"
669	run_cmd_nsb ping -c1 -w1 ${a}
670	log_test_addr ${a} $? 1 "ping in, blocked by rule"
671
672	[ "$VERBOSE" = "1" ] && echo
673	setup_cmd ip rule del pref 32765 from all lookup local
674	setup_cmd ip rule add pref 0 from all lookup local
675	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
676	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit
677
678	#
679	# route blocks reachability to remote address
680	#
681	log_start
682	setup_cmd ip route replace unreachable ${NSB_LO_IP}
683	setup_cmd ip route replace unreachable ${NSB_IP}
684
685	a=${NSB_LO_IP}
686	run_cmd ping -c1 -w1 ${a}
687	log_test_addr ${a} $? 2 "ping out, blocked by route"
688
689	# NOTE: ipv4 actually allows the lookup to fail and yet still create
690	# a viable rtable if the oif (e.g., bind to device) is set, so this
691	# case succeeds despite not having a route for the address
692	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
693
694	a=${NSA_LO_IP}
695	log_start
696	show_hint "Response is dropped (or arp request is ignored) due to ip route"
697	run_cmd_nsb ping -c1 -w1 ${a}
698	log_test_addr ${a} $? 1 "ping in, blocked by route"
699
700	#
701	# remove 'remote' routes; fallback to default
702	#
703	log_start
704	setup_cmd ip ro del ${NSB_LO_IP}
705
706	a=${NSB_LO_IP}
707	run_cmd ping -c1 -w1 ${a}
708	log_test_addr ${a} $? 2 "ping out, unreachable default route"
709
710	# NOTE: ipv4 actually allows the lookup to fail and yet still create
711	# a viable rtable if the oif (e.g., bind to device) is set, so this
712	# case succeeds despite not having a route for the address
713	# run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
714}
715
716ipv4_ping_vrf()
717{
718	local a
719
720	# should default on; does not exist on older kernels
721	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
722
723	#
724	# out
725	#
726	for a in ${NSB_IP} ${NSB_LO_IP}
727	do
728		log_start
729		run_cmd ping -c1 -w1 -I ${VRF} ${a}
730		log_test_addr ${a} $? 0 "ping out, VRF bind"
731
732		log_start
733		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
734		log_test_addr ${a} $? 0 "ping out, device bind"
735
736		log_start
737		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a}
738		log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind"
739
740		log_start
741		run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a}
742		log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind"
743	done
744
745	#
746	# in
747	#
748	for a in ${NSA_IP} ${VRF_IP}
749	do
750		log_start
751		run_cmd_nsb ping -c1 -w1 ${a}
752		log_test_addr ${a} $? 0 "ping in"
753	done
754
755	#
756	# local traffic, local address
757	#
758	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
759	do
760		log_start
761		show_hint "Source address should be ${a}"
762		run_cmd ping -c1 -w1 -I ${VRF} ${a}
763		log_test_addr ${a} $? 0 "ping local, VRF bind"
764	done
765
766	#
767	# local traffic, socket bound to device
768	#
769	# address on device
770	a=${NSA_IP}
771	log_start
772	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
773	log_test_addr ${a} $? 0 "ping local, device bind"
774
775	# vrf device is out of scope
776	for a in ${VRF_IP} 127.0.0.1
777	do
778		log_start
779		show_hint "Fails since address on vrf device is out of device scope"
780		run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
781		log_test_addr ${a} $? 2 "ping local, device bind"
782	done
783
784	#
785	# ip rule blocks address
786	#
787	log_start
788	setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
789	setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit
790
791	a=${NSB_LO_IP}
792	run_cmd ping -c1 -w1 -I ${VRF} ${a}
793	log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule"
794
795	log_start
796	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
797	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
798
799	a=${NSA_LO_IP}
800	log_start
801	show_hint "Response lost due to ip rule"
802	run_cmd_nsb ping -c1 -w1 ${a}
803	log_test_addr ${a} $? 1 "ping in, blocked by rule"
804
805	[ "$VERBOSE" = "1" ] && echo
806	setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
807	setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit
808
809	#
810	# remove 'remote' routes; fallback to default
811	#
812	log_start
813	setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP}
814
815	a=${NSB_LO_IP}
816	run_cmd ping -c1 -w1 -I ${VRF} ${a}
817	log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route"
818
819	log_start
820	run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
821	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
822
823	a=${NSA_LO_IP}
824	log_start
825	show_hint "Response lost by unreachable route"
826	run_cmd_nsb ping -c1 -w1 ${a}
827	log_test_addr ${a} $? 1 "ping in, unreachable route"
828}
829
830ipv4_ping()
831{
832	log_section "IPv4 ping"
833
834	log_subsection "No VRF"
835	setup
836	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null
837	ipv4_ping_novrf
838	setup
839	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
840	ipv4_ping_novrf
841	setup
842	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
843	ipv4_ping_novrf
844
845	log_subsection "With VRF"
846	setup "yes"
847	ipv4_ping_vrf
848	setup "yes"
849	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
850	ipv4_ping_vrf
851}
852
853################################################################################
854# IPv4 TCP
855
856#
857# MD5 tests without VRF
858#
859ipv4_tcp_md5_novrf()
860{
861	#
862	# single address
863	#
864
865	# basic use case
866	log_start
867	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
868	sleep 1
869	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
870	log_test $? 0 "MD5: Single address config"
871
872	# client sends MD5, server not configured
873	log_start
874	show_hint "Should timeout due to MD5 mismatch"
875	run_cmd nettest -s &
876	sleep 1
877	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
878	log_test $? 2 "MD5: Server no config, client uses password"
879
880	# wrong password
881	log_start
882	show_hint "Should timeout since client uses wrong password"
883	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
884	sleep 1
885	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
886	log_test $? 2 "MD5: Client uses wrong password"
887
888	# client from different address
889	log_start
890	show_hint "Should timeout due to MD5 mismatch"
891	run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} &
892	sleep 1
893	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
894	log_test $? 2 "MD5: Client address does not match address configured with password"
895
896	#
897	# MD5 extension - prefix length
898	#
899
900	# client in prefix
901	log_start
902	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
903	sleep 1
904	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
905	log_test $? 0 "MD5: Prefix config"
906
907	# client in prefix, wrong password
908	log_start
909	show_hint "Should timeout since client uses wrong password"
910	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
911	sleep 1
912	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
913	log_test $? 2 "MD5: Prefix config, client uses wrong password"
914
915	# client outside of prefix
916	log_start
917	show_hint "Should timeout due to MD5 mismatch"
918	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
919	sleep 1
920	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
921	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
922}
923
924#
925# MD5 tests with VRF
926#
927ipv4_tcp_md5()
928{
929	#
930	# single address
931	#
932
933	# basic use case
934	log_start
935	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
936	sleep 1
937	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
938	log_test $? 0 "MD5: VRF: Single address config"
939
940	# client sends MD5, server not configured
941	log_start
942	show_hint "Should timeout since server does not have MD5 auth"
943	run_cmd nettest -s -I ${VRF} &
944	sleep 1
945	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
946	log_test $? 2 "MD5: VRF: Server no config, client uses password"
947
948	# wrong password
949	log_start
950	show_hint "Should timeout since client uses wrong password"
951	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
952	sleep 1
953	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
954	log_test $? 2 "MD5: VRF: Client uses wrong password"
955
956	# client from different address
957	log_start
958	show_hint "Should timeout since server config differs from client"
959	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} &
960	sleep 1
961	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
962	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"
963
964	#
965	# MD5 extension - prefix length
966	#
967
968	# client in prefix
969	log_start
970	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
971	sleep 1
972	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
973	log_test $? 0 "MD5: VRF: Prefix config"
974
975	# client in prefix, wrong password
976	log_start
977	show_hint "Should timeout since client uses wrong password"
978	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
979	sleep 1
980	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
981	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"
982
983	# client outside of prefix
984	log_start
985	show_hint "Should timeout since client address is outside of prefix"
986	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
987	sleep 1
988	run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
989	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"
990
991	#
992	# duplicate config between default VRF and a VRF
993	#
994
995	log_start
996	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
997	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
998	sleep 1
999	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
1000	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"
1001
1002	log_start
1003	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
1004	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
1005	sleep 1
1006	run_cmd_nsc nettest  -r ${NSA_IP} -X ${MD5_WRONG_PW}
1007	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"
1008
1009	log_start
1010	show_hint "Should timeout since client in default VRF uses VRF password"
1011	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
1012	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
1013	sleep 1
1014	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
1015	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"
1016
1017	log_start
1018	show_hint "Should timeout since client in VRF uses default VRF password"
1019	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
1020	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
1021	sleep 1
1022	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
1023	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"
1024
1025	log_start
1026	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
1027	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
1028	sleep 1
1029	run_cmd_nsb nettest  -r ${NSA_IP} -X ${MD5_PW}
1030	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"
1031
1032	log_start
1033	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
1034	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
1035	sleep 1
1036	run_cmd_nsc nettest  -r ${NSA_IP} -X ${MD5_WRONG_PW}
1037	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"
1038
1039	log_start
1040	show_hint "Should timeout since client in default VRF uses VRF password"
1041	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
1042	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
1043	sleep 1
1044	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
1045	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"
1046
1047	log_start
1048	show_hint "Should timeout since client in VRF uses default VRF password"
1049	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
1050	run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
1051	sleep 1
1052	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
1053	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"
1054
1055	#
1056	# negative tests
1057	#
1058	log_start
1059	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP}
1060	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"
1061
1062	log_start
1063	run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET}
1064	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"
1065
1066	test_ipv4_md5_vrf__vrf_server__no_bind_ifindex
1067	test_ipv4_md5_vrf__global_server__bind_ifindex0
1068}
1069
1070test_ipv4_md5_vrf__vrf_server__no_bind_ifindex()
1071{
1072	log_start
1073	show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX"
1074	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
1075	sleep 1
1076	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1077	log_test $? 0 "MD5: VRF: VRF-bound server, unbound key accepts connection"
1078
1079	log_start
1080	show_hint "Binding both the socket and the key is not required but it works"
1081	run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
1082	sleep 1
1083	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1084	log_test $? 0 "MD5: VRF: VRF-bound server, bound key accepts connection"
1085}
1086
1087test_ipv4_md5_vrf__global_server__bind_ifindex0()
1088{
1089	# This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections
1090	local old_tcp_l3mdev_accept
1091	old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept)
1092	set_sysctl net.ipv4.tcp_l3mdev_accept=1
1093
1094	log_start
1095	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
1096	sleep 1
1097	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1098	log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection"
1099
1100	log_start
1101	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
1102	sleep 1
1103	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
1104	log_test $? 0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection"
1105	log_start
1106
1107	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
1108	sleep 1
1109	run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1110	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection"
1111
1112	log_start
1113	run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
1114	sleep 1
1115	run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
1116	log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection"
1117
1118	# restore value
1119	set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept"
1120}
1121
1122ipv4_tcp_dontroute()
1123{
1124	local syncookies=$1
1125	local nsa_syncookies
1126	local nsb_syncookies
1127	local a
1128
1129	#
1130	# Link local connection tests (SO_DONTROUTE).
1131	# Connections should succeed only when the remote IP address is
1132	# on link (doesn't need to be routed through a gateway).
1133	#
1134
1135	nsa_syncookies=$(ip netns exec "${NSA}" sysctl -n net.ipv4.tcp_syncookies)
1136	nsb_syncookies=$(ip netns exec "${NSB}" sysctl -n net.ipv4.tcp_syncookies)
1137	ip netns exec "${NSA}" sysctl -wq net.ipv4.tcp_syncookies=${syncookies}
1138	ip netns exec "${NSB}" sysctl -wq net.ipv4.tcp_syncookies=${syncookies}
1139
1140	# Test with eth1 address (on link).
1141
1142	a=${NSB_IP}
1143	log_start
1144	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute
1145	log_test_addr ${a} $? 0 "SO_DONTROUTE client, syncookies=${syncookies}"
1146
1147	a=${NSB_IP}
1148	log_start
1149	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -r ${a} --server-dontroute
1150	log_test_addr ${a} $? 0 "SO_DONTROUTE server, syncookies=${syncookies}"
1151
1152	# Test with loopback address (routed).
1153	#
1154	# The client would use the eth1 address as source IP by default.
1155	# Therefore, we need to use the -c option here, to force the use of the
1156	# routed (loopback) address as source IP (so that the server will try
1157	# to respond to a routed address and not a link local one).
1158
1159	a=${NSB_LO_IP}
1160	log_start
1161	show_hint "Should fail 'Network is unreachable' since server is not on link"
1162	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -c "${NSA_LO_IP}" -r ${a} --client-dontroute
1163	log_test_addr ${a} $? 1 "SO_DONTROUTE client, syncookies=${syncookies}"
1164
1165	a=${NSB_LO_IP}
1166	log_start
1167	show_hint "Should timeout since server cannot respond (client is not on link)"
1168	do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -c "${NSA_LO_IP}" -r ${a} --server-dontroute
1169	log_test_addr ${a} $? 2 "SO_DONTROUTE server, syncookies=${syncookies}"
1170
1171	ip netns exec "${NSB}" sysctl -wq net.ipv4.tcp_syncookies=${nsb_syncookies}
1172	ip netns exec "${NSA}" sysctl -wq net.ipv4.tcp_syncookies=${nsa_syncookies}
1173}
1174
1175ipv4_tcp_novrf()
1176{
1177	local a
1178
1179	#
1180	# server tests
1181	#
1182	for a in ${NSA_IP} ${NSA_LO_IP}
1183	do
1184		log_start
1185		run_cmd nettest -s &
1186		sleep 1
1187		run_cmd_nsb nettest -r ${a}
1188		log_test_addr ${a} $? 0 "Global server"
1189	done
1190
1191	a=${NSA_IP}
1192	log_start
1193	run_cmd nettest -s -I ${NSA_DEV} &
1194	sleep 1
1195	run_cmd_nsb nettest -r ${a}
1196	log_test_addr ${a} $? 0 "Device server"
1197
1198	# verify TCP reset sent and received
1199	for a in ${NSA_IP} ${NSA_LO_IP}
1200	do
1201		log_start
1202		show_hint "Should fail 'Connection refused' since there is no server"
1203		run_cmd_nsb nettest -r ${a}
1204		log_test_addr ${a} $? 1 "No server"
1205	done
1206
1207	#
1208	# client
1209	#
1210	for a in ${NSB_IP} ${NSB_LO_IP}
1211	do
1212		log_start
1213		run_cmd_nsb nettest -s &
1214		sleep 1
1215		run_cmd nettest -r ${a} -0 ${NSA_IP}
1216		log_test_addr ${a} $? 0 "Client"
1217
1218		log_start
1219		run_cmd_nsb nettest -s &
1220		sleep 1
1221		run_cmd nettest -r ${a} -d ${NSA_DEV}
1222		log_test_addr ${a} $? 0 "Client, device bind"
1223
1224		log_start
1225		show_hint "Should fail 'Connection refused'"
1226		run_cmd nettest -r ${a}
1227		log_test_addr ${a} $? 1 "No server, unbound client"
1228
1229		log_start
1230		show_hint "Should fail 'Connection refused'"
1231		run_cmd nettest -r ${a} -d ${NSA_DEV}
1232		log_test_addr ${a} $? 1 "No server, device client"
1233	done
1234
1235	#
1236	# local address tests
1237	#
1238	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
1239	do
1240		log_start
1241		run_cmd nettest -s &
1242		sleep 1
1243		run_cmd nettest -r ${a} -0 ${a} -1 ${a}
1244		log_test_addr ${a} $? 0 "Global server, local connection"
1245	done
1246
1247	a=${NSA_IP}
1248	log_start
1249	run_cmd nettest -s -I ${NSA_DEV} &
1250	sleep 1
1251	run_cmd nettest -r ${a} -0 ${a}
1252	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
1253
1254	for a in ${NSA_LO_IP} 127.0.0.1
1255	do
1256		log_start
1257		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
1258		run_cmd nettest -s -I ${NSA_DEV} &
1259		sleep 1
1260		run_cmd nettest -r ${a}
1261		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
1262	done
1263
1264	a=${NSA_IP}
1265	log_start
1266	run_cmd nettest -s &
1267	sleep 1
1268	run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV}
1269	log_test_addr ${a} $? 0 "Global server, device client, local connection"
1270
1271	for a in ${NSA_LO_IP} 127.0.0.1
1272	do
1273		log_start
1274		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
1275		run_cmd nettest -s &
1276		sleep 1
1277		run_cmd nettest -r ${a} -d ${NSA_DEV}
1278		log_test_addr ${a} $? 1 "Global server, device client, local connection"
1279	done
1280
1281	a=${NSA_IP}
1282	log_start
1283	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1284	sleep 1
1285	run_cmd nettest  -d ${NSA_DEV} -r ${a} -0 ${a}
1286	log_test_addr ${a} $? 0 "Device server, device client, local connection"
1287
1288	log_start
1289	show_hint "Should fail 'Connection refused'"
1290	run_cmd nettest -d ${NSA_DEV} -r ${a}
1291	log_test_addr ${a} $? 1 "No server, device client, local conn"
1292
1293	[ "$fips_enabled" = "1" ] || ipv4_tcp_md5_novrf
1294
1295	ipv4_tcp_dontroute 0
1296	ipv4_tcp_dontroute 2
1297}
1298
1299ipv4_tcp_vrf()
1300{
1301	local a
1302
1303	# disable global server
1304	log_subsection "Global server disabled"
1305
1306	set_sysctl net.ipv4.tcp_l3mdev_accept=0
1307
1308	#
1309	# server tests
1310	#
1311	for a in ${NSA_IP} ${VRF_IP}
1312	do
1313		log_start
1314		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
1315		run_cmd nettest -s &
1316		sleep 1
1317		run_cmd_nsb nettest -r ${a}
1318		log_test_addr ${a} $? 1 "Global server"
1319
1320		log_start
1321		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1322		sleep 1
1323		run_cmd_nsb nettest -r ${a}
1324		log_test_addr ${a} $? 0 "VRF server"
1325
1326		log_start
1327		run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1328		sleep 1
1329		run_cmd_nsb nettest -r ${a}
1330		log_test_addr ${a} $? 0 "Device server"
1331
1332		# verify TCP reset received
1333		log_start
1334		show_hint "Should fail 'Connection refused' since there is no server"
1335		run_cmd_nsb nettest -r ${a}
1336		log_test_addr ${a} $? 1 "No server"
1337	done
1338
1339	# local address tests
1340	# (${VRF_IP} and 127.0.0.1 both timeout)
1341	a=${NSA_IP}
1342	log_start
1343	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
1344	run_cmd nettest -s &
1345	sleep 1
1346	run_cmd nettest -r ${a} -d ${NSA_DEV}
1347	log_test_addr ${a} $? 1 "Global server, local connection"
1348
1349	# run MD5 tests
1350	if [ "$fips_enabled" = "0" ]; then
1351		setup_vrf_dup
1352		ipv4_tcp_md5
1353		cleanup_vrf_dup
1354	fi
1355
1356	#
1357	# enable VRF global server
1358	#
1359	log_subsection "VRF Global server enabled"
1360	set_sysctl net.ipv4.tcp_l3mdev_accept=1
1361
1362	for a in ${NSA_IP} ${VRF_IP}
1363	do
1364		log_start
1365		show_hint "client socket should be bound to VRF"
1366		run_cmd nettest -s -3 ${VRF} &
1367		sleep 1
1368		run_cmd_nsb nettest -r ${a}
1369		log_test_addr ${a} $? 0 "Global server"
1370
1371		log_start
1372		show_hint "client socket should be bound to VRF"
1373		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1374		sleep 1
1375		run_cmd_nsb nettest -r ${a}
1376		log_test_addr ${a} $? 0 "VRF server"
1377
1378		# verify TCP reset received
1379		log_start
1380		show_hint "Should fail 'Connection refused'"
1381		run_cmd_nsb nettest -r ${a}
1382		log_test_addr ${a} $? 1 "No server"
1383	done
1384
1385	a=${NSA_IP}
1386	log_start
1387	show_hint "client socket should be bound to device"
1388	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1389	sleep 1
1390	run_cmd_nsb nettest -r ${a}
1391	log_test_addr ${a} $? 0 "Device server"
1392
1393	# local address tests
1394	for a in ${NSA_IP} ${VRF_IP}
1395	do
1396		log_start
1397		show_hint "Should fail 'Connection refused' since client is not bound to VRF"
1398		run_cmd nettest -s -I ${VRF} &
1399		sleep 1
1400		run_cmd nettest -r ${a}
1401		log_test_addr ${a} $? 1 "Global server, local connection"
1402	done
1403
1404	#
1405	# client
1406	#
1407	for a in ${NSB_IP} ${NSB_LO_IP}
1408	do
1409		log_start
1410		run_cmd_nsb nettest -s &
1411		sleep 1
1412		run_cmd nettest -r ${a} -d ${VRF}
1413		log_test_addr ${a} $? 0 "Client, VRF bind"
1414
1415		log_start
1416		run_cmd_nsb nettest -s &
1417		sleep 1
1418		run_cmd nettest -r ${a} -d ${NSA_DEV}
1419		log_test_addr ${a} $? 0 "Client, device bind"
1420
1421		log_start
1422		show_hint "Should fail 'Connection refused'"
1423		run_cmd nettest -r ${a} -d ${VRF}
1424		log_test_addr ${a} $? 1 "No server, VRF client"
1425
1426		log_start
1427		show_hint "Should fail 'Connection refused'"
1428		run_cmd nettest -r ${a} -d ${NSA_DEV}
1429		log_test_addr ${a} $? 1 "No server, device client"
1430	done
1431
1432	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
1433	do
1434		log_start
1435		run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1436		sleep 1
1437		run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
1438		log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
1439	done
1440
1441	a=${NSA_IP}
1442	log_start
1443	run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1444	sleep 1
1445	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
1446	log_test_addr ${a} $? 0 "VRF server, device client, local connection"
1447
1448	log_start
1449	show_hint "Should fail 'No route to host' since client is out of VRF scope"
1450	run_cmd nettest -s -I ${VRF} &
1451	sleep 1
1452	run_cmd nettest -r ${a}
1453	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"
1454
1455	log_start
1456	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1457	sleep 1
1458	run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
1459	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"
1460
1461	log_start
1462	run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1463	sleep 1
1464	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
1465	log_test_addr ${a} $? 0 "Device server, device client, local connection"
1466}
1467
1468ipv4_tcp()
1469{
1470	log_section "IPv4/TCP"
1471	log_subsection "No VRF"
1472	setup
1473
1474	# tcp_l3mdev_accept should have no affect without VRF;
1475	# run tests with it enabled and disabled to verify
1476	log_subsection "tcp_l3mdev_accept disabled"
1477	set_sysctl net.ipv4.tcp_l3mdev_accept=0
1478	ipv4_tcp_novrf
1479	log_subsection "tcp_l3mdev_accept enabled"
1480	set_sysctl net.ipv4.tcp_l3mdev_accept=1
1481	ipv4_tcp_novrf
1482
1483	log_subsection "With VRF"
1484	setup "yes"
1485	ipv4_tcp_vrf
1486}
1487
1488################################################################################
1489# IPv4 UDP
1490
1491ipv4_udp_novrf()
1492{
1493	local a
1494
1495	#
1496	# server tests
1497	#
1498	for a in ${NSA_IP} ${NSA_LO_IP}
1499	do
1500		log_start
1501		run_cmd nettest -D -s -3 ${NSA_DEV} &
1502		sleep 1
1503		run_cmd_nsb nettest -D -r ${a}
1504		log_test_addr ${a} $? 0 "Global server"
1505
1506		log_start
1507		show_hint "Should fail 'Connection refused' since there is no server"
1508		run_cmd_nsb nettest -D -r ${a}
1509		log_test_addr ${a} $? 1 "No server"
1510	done
1511
1512	a=${NSA_IP}
1513	log_start
1514	run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
1515	sleep 1
1516	run_cmd_nsb nettest -D -r ${a}
1517	log_test_addr ${a} $? 0 "Device server"
1518
1519	#
1520	# client
1521	#
1522	for a in ${NSB_IP} ${NSB_LO_IP}
1523	do
1524		log_start
1525		run_cmd_nsb nettest -D -s &
1526		sleep 1
1527		run_cmd nettest -D -r ${a} -0 ${NSA_IP}
1528		log_test_addr ${a} $? 0 "Client"
1529
1530		log_start
1531		run_cmd_nsb nettest -D -s &
1532		sleep 1
1533		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP}
1534		log_test_addr ${a} $? 0 "Client, device bind"
1535
1536		log_start
1537		run_cmd_nsb nettest -D -s &
1538		sleep 1
1539		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP}
1540		log_test_addr ${a} $? 0 "Client, device send via cmsg"
1541
1542		log_start
1543		run_cmd_nsb nettest -D -s &
1544		sleep 1
1545		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP}
1546		log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF"
1547
1548		log_start
1549		run_cmd_nsb nettest -D -s &
1550		sleep 1
1551		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} -U
1552		log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF, with connect()"
1553
1554
1555		log_start
1556		show_hint "Should fail 'Connection refused'"
1557		run_cmd nettest -D -r ${a}
1558		log_test_addr ${a} $? 1 "No server, unbound client"
1559
1560		log_start
1561		show_hint "Should fail 'Connection refused'"
1562		run_cmd nettest -D -r ${a} -d ${NSA_DEV}
1563		log_test_addr ${a} $? 1 "No server, device client"
1564	done
1565
1566	#
1567	# local address tests
1568	#
1569	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
1570	do
1571		log_start
1572		run_cmd nettest -D -s &
1573		sleep 1
1574		run_cmd nettest -D -r ${a} -0 ${a} -1 ${a}
1575		log_test_addr ${a} $? 0 "Global server, local connection"
1576	done
1577
1578	a=${NSA_IP}
1579	log_start
1580	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1581	sleep 1
1582	run_cmd nettest -D -r ${a}
1583	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
1584
1585	for a in ${NSA_LO_IP} 127.0.0.1
1586	do
1587		log_start
1588		show_hint "Should fail 'Connection refused' since address is out of device scope"
1589		run_cmd nettest -s -D -I ${NSA_DEV} &
1590		sleep 1
1591		run_cmd nettest -D -r ${a}
1592		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
1593	done
1594
1595	a=${NSA_IP}
1596	log_start
1597	run_cmd nettest -s -D &
1598	sleep 1
1599	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1600	log_test_addr ${a} $? 0 "Global server, device client, local connection"
1601
1602	log_start
1603	run_cmd nettest -s -D &
1604	sleep 1
1605	run_cmd nettest -D -d ${NSA_DEV} -C -r ${a}
1606	log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"
1607
1608	log_start
1609	run_cmd nettest -s -D &
1610	sleep 1
1611	run_cmd nettest -D -d ${NSA_DEV} -S -r ${a}
1612	log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection"
1613
1614	log_start
1615	run_cmd nettest -s -D &
1616	sleep 1
1617	run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} -U
1618	log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"
1619
1620
1621	# IPv4 with device bind has really weird behavior - it overrides the
1622	# fib lookup, generates an rtable and tries to send the packet. This
1623	# causes failures for local traffic at different places
1624	for a in ${NSA_LO_IP} 127.0.0.1
1625	do
1626		log_start
1627		show_hint "Should fail since addresses on loopback are out of device scope"
1628		run_cmd nettest -D -s &
1629		sleep 1
1630		run_cmd nettest -D -r ${a} -d ${NSA_DEV}
1631		log_test_addr ${a} $? 2 "Global server, device client, local connection"
1632
1633		log_start
1634		show_hint "Should fail since addresses on loopback are out of device scope"
1635		run_cmd nettest -D -s &
1636		sleep 1
1637		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C
1638		log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"
1639
1640		log_start
1641		show_hint "Should fail since addresses on loopback are out of device scope"
1642		run_cmd nettest -D -s &
1643		sleep 1
1644		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S
1645		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
1646
1647		log_start
1648		show_hint "Should fail since addresses on loopback are out of device scope"
1649		run_cmd nettest -D -s &
1650		sleep 1
1651		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -U
1652		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"
1653
1654
1655	done
1656
1657	a=${NSA_IP}
1658	log_start
1659	run_cmd nettest -D -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1660	sleep 1
1661	run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a}
1662	log_test_addr ${a} $? 0 "Device server, device client, local conn"
1663
1664	log_start
1665	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1666	log_test_addr ${a} $? 2 "No server, device client, local conn"
1667
1668	#
1669	# Link local connection tests (SO_DONTROUTE).
1670	# Connections should succeed only when the remote IP address is
1671	# on link (doesn't need to be routed through a gateway).
1672	#
1673
1674	a=${NSB_IP}
1675	log_start
1676	do_run_cmd nettest -B -D -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute
1677	log_test_addr ${a} $? 0 "SO_DONTROUTE client"
1678
1679	a=${NSB_LO_IP}
1680	log_start
1681	show_hint "Should fail 'Network is unreachable' since server is not on link"
1682	do_run_cmd nettest -B -D -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute
1683	log_test_addr ${a} $? 1 "SO_DONTROUTE client"
1684}
1685
1686ipv4_udp_vrf()
1687{
1688	local a
1689
1690	# disable global server
1691	log_subsection "Global server disabled"
1692	set_sysctl net.ipv4.udp_l3mdev_accept=0
1693
1694	#
1695	# server tests
1696	#
1697	for a in ${NSA_IP} ${VRF_IP}
1698	do
1699		log_start
1700		show_hint "Fails because ingress is in a VRF and global server is disabled"
1701		run_cmd nettest -D -s &
1702		sleep 1
1703		run_cmd_nsb nettest -D -r ${a}
1704		log_test_addr ${a} $? 1 "Global server"
1705
1706		log_start
1707		run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
1708		sleep 1
1709		run_cmd_nsb nettest -D -r ${a}
1710		log_test_addr ${a} $? 0 "VRF server"
1711
1712		log_start
1713		run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
1714		sleep 1
1715		run_cmd_nsb nettest -D -r ${a}
1716		log_test_addr ${a} $? 0 "Enslaved device server"
1717
1718		log_start
1719		show_hint "Should fail 'Connection refused' since there is no server"
1720		run_cmd_nsb nettest -D -r ${a}
1721		log_test_addr ${a} $? 1 "No server"
1722
1723		log_start
1724		show_hint "Should fail 'Connection refused' since global server is out of scope"
1725		run_cmd nettest -D -s &
1726		sleep 1
1727		run_cmd nettest -D -d ${VRF} -r ${a}
1728		log_test_addr ${a} $? 1 "Global server, VRF client, local connection"
1729	done
1730
1731	a=${NSA_IP}
1732	log_start
1733	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1734	sleep 1
1735	run_cmd nettest -D -d ${VRF} -r ${a}
1736	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1737
1738	log_start
1739	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1740	sleep 1
1741	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1742	log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection"
1743
1744	a=${NSA_IP}
1745	log_start
1746	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1747	sleep 1
1748	run_cmd nettest -D -d ${VRF} -r ${a}
1749	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
1750
1751	log_start
1752	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1753	sleep 1
1754	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1755	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
1756
1757	# enable global server
1758	log_subsection "Global server enabled"
1759	set_sysctl net.ipv4.udp_l3mdev_accept=1
1760
1761	#
1762	# server tests
1763	#
1764	for a in ${NSA_IP} ${VRF_IP}
1765	do
1766		log_start
1767		run_cmd nettest -D -s -3 ${NSA_DEV} &
1768		sleep 1
1769		run_cmd_nsb nettest -D -r ${a}
1770		log_test_addr ${a} $? 0 "Global server"
1771
1772		log_start
1773		run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
1774		sleep 1
1775		run_cmd_nsb nettest -D -r ${a}
1776		log_test_addr ${a} $? 0 "VRF server"
1777
1778		log_start
1779		run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
1780		sleep 1
1781		run_cmd_nsb nettest -D -r ${a}
1782		log_test_addr ${a} $? 0 "Enslaved device server"
1783
1784		log_start
1785		show_hint "Should fail 'Connection refused'"
1786		run_cmd_nsb nettest -D -r ${a}
1787		log_test_addr ${a} $? 1 "No server"
1788	done
1789
1790	#
1791	# client tests
1792	#
1793	log_start
1794	run_cmd_nsb nettest -D -s &
1795	sleep 1
1796	run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP}
1797	log_test $? 0 "VRF client"
1798
1799	log_start
1800	run_cmd_nsb nettest -D -s &
1801	sleep 1
1802	run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP}
1803	log_test $? 0 "Enslaved device client"
1804
1805	# negative test - should fail
1806	log_start
1807	show_hint "Should fail 'Connection refused'"
1808	run_cmd nettest -D -d ${VRF} -r ${NSB_IP}
1809	log_test $? 1 "No server, VRF client"
1810
1811	log_start
1812	show_hint "Should fail 'Connection refused'"
1813	run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP}
1814	log_test $? 1 "No server, enslaved device client"
1815
1816	#
1817	# local address tests
1818	#
1819	a=${NSA_IP}
1820	log_start
1821	run_cmd nettest -D -s -3 ${NSA_DEV} &
1822	sleep 1
1823	run_cmd nettest -D -d ${VRF} -r ${a}
1824	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
1825
1826	log_start
1827	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1828	sleep 1
1829	run_cmd nettest -D -d ${VRF} -r ${a}
1830	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1831
1832	log_start
1833	run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1834	sleep 1
1835	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1836	log_test_addr ${a} $? 0 "VRF server, device client, local conn"
1837
1838	log_start
1839	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1840	sleep 1
1841	run_cmd nettest -D -d ${VRF} -r ${a}
1842	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
1843
1844	log_start
1845	run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1846	sleep 1
1847	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1848	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
1849
1850	for a in ${VRF_IP} 127.0.0.1
1851	do
1852		log_start
1853		run_cmd nettest -D -s -3 ${VRF} &
1854		sleep 1
1855		run_cmd nettest -D -d ${VRF} -r ${a}
1856		log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
1857	done
1858
1859	for a in ${VRF_IP} 127.0.0.1
1860	do
1861		log_start
1862		run_cmd nettest -s -D -I ${VRF} -3 ${VRF} &
1863		sleep 1
1864		run_cmd nettest -D -d ${VRF} -r ${a}
1865		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1866	done
1867
1868	# negative test - should fail
1869	# verifies ECONNREFUSED
1870	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
1871	do
1872		log_start
1873		show_hint "Should fail 'Connection refused'"
1874		run_cmd nettest -D -d ${VRF} -r ${a}
1875		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
1876	done
1877}
1878
1879ipv4_udp()
1880{
1881	log_section "IPv4/UDP"
1882	log_subsection "No VRF"
1883
1884	setup
1885
1886	# udp_l3mdev_accept should have no affect without VRF;
1887	# run tests with it enabled and disabled to verify
1888	log_subsection "udp_l3mdev_accept disabled"
1889	set_sysctl net.ipv4.udp_l3mdev_accept=0
1890	ipv4_udp_novrf
1891	log_subsection "udp_l3mdev_accept enabled"
1892	set_sysctl net.ipv4.udp_l3mdev_accept=1
1893	ipv4_udp_novrf
1894
1895	log_subsection "With VRF"
1896	setup "yes"
1897	ipv4_udp_vrf
1898}
1899
1900################################################################################
1901# IPv4 address bind
1902#
1903# verifies ability or inability to bind to an address / device
1904
1905ipv4_addr_bind_novrf()
1906{
1907	#
1908	# raw socket
1909	#
1910	for a in ${NSA_IP} ${NSA_LO_IP}
1911	do
1912		log_start
1913		run_cmd nettest -s -R -P icmp -l ${a} -b
1914		log_test_addr ${a} $? 0 "Raw socket bind to local address"
1915
1916		log_start
1917		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
1918		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
1919	done
1920
1921	#
1922	# tests for nonlocal bind
1923	#
1924	a=${NL_IP}
1925	log_start
1926	run_cmd nettest -s -R -f -l ${a} -b
1927	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"
1928
1929	log_start
1930	run_cmd nettest -s -f -l ${a} -b
1931	log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address"
1932
1933	log_start
1934	run_cmd nettest -s -D -P icmp -f -l ${a} -b
1935	log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address"
1936
1937	#
1938	# check that ICMP sockets cannot bind to broadcast and multicast addresses
1939	#
1940	a=${BCAST_IP}
1941	log_start
1942	run_cmd nettest -s -D -P icmp -l ${a} -b
1943	log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address"
1944
1945	a=${MCAST_IP}
1946	log_start
1947	run_cmd nettest -s -D -P icmp -l ${a} -b
1948	log_test_addr ${a} $? 1 "ICMP socket bind to multicast address"
1949
1950	#
1951	# tcp sockets
1952	#
1953	a=${NSA_IP}
1954	log_start
1955	run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b
1956	log_test_addr ${a} $? 0 "TCP socket bind to local address"
1957
1958	log_start
1959	run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b
1960	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
1961
1962	# Sadly, the kernel allows binding a socket to a device and then
1963	# binding to an address not on the device. The only restriction
1964	# is that the address is valid in the L3 domain. So this test
1965	# passes when it really should not
1966	#a=${NSA_LO_IP}
1967	#log_start
1968	#show_hint "Should fail with 'Cannot assign requested address'"
1969	#run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
1970	#log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
1971}
1972
1973ipv4_addr_bind_vrf()
1974{
1975	#
1976	# raw socket
1977	#
1978	for a in ${NSA_IP} ${VRF_IP}
1979	do
1980		log_start
1981		show_hint "Socket not bound to VRF, but address is in VRF"
1982		run_cmd nettest -s -R -P icmp -l ${a} -b
1983		log_test_addr ${a} $? 1 "Raw socket bind to local address"
1984
1985		log_start
1986		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
1987		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
1988		log_start
1989		run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
1990		log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind"
1991	done
1992
1993	a=${NSA_LO_IP}
1994	log_start
1995	show_hint "Address on loopback is out of VRF scope"
1996	run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
1997	log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind"
1998
1999	#
2000	# tests for nonlocal bind
2001	#
2002	a=${NL_IP}
2003	log_start
2004	run_cmd nettest -s -R -f -l ${a} -I ${VRF} -b
2005	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"
2006
2007	log_start
2008	run_cmd nettest -s -f -l ${a} -I ${VRF} -b
2009	log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address after VRF bind"
2010
2011	log_start
2012	run_cmd nettest -s -D -P icmp -f -l ${a} -I ${VRF} -b
2013	log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address after VRF bind"
2014
2015	#
2016	# check that ICMP sockets cannot bind to broadcast and multicast addresses
2017	#
2018	a=${BCAST_IP}
2019	log_start
2020	run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
2021	log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address after VRF bind"
2022
2023	a=${MCAST_IP}
2024	log_start
2025	run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
2026	log_test_addr ${a} $? 1 "ICMP socket bind to multicast address after VRF bind"
2027
2028	#
2029	# tcp sockets
2030	#
2031	for a in ${NSA_IP} ${VRF_IP}
2032	do
2033		log_start
2034		run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
2035		log_test_addr ${a} $? 0 "TCP socket bind to local address"
2036
2037		log_start
2038		run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
2039		log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
2040	done
2041
2042	a=${NSA_LO_IP}
2043	log_start
2044	show_hint "Address on loopback out of scope for VRF"
2045	run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
2046	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"
2047
2048	log_start
2049	show_hint "Address on loopback out of scope for device in VRF"
2050	run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
2051	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
2052}
2053
2054ipv4_addr_bind()
2055{
2056	log_section "IPv4 address binds"
2057
2058	log_subsection "No VRF"
2059	setup
2060	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
2061	ipv4_addr_bind_novrf
2062
2063	log_subsection "With VRF"
2064	setup "yes"
2065	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
2066	ipv4_addr_bind_vrf
2067}
2068
2069################################################################################
2070# IPv4 runtime tests
2071
2072ipv4_rt()
2073{
2074	local desc="$1"
2075	local varg="$2"
2076	local with_vrf="yes"
2077	local a
2078
2079	#
2080	# server tests
2081	#
2082	for a in ${NSA_IP} ${VRF_IP}
2083	do
2084		log_start
2085		run_cmd nettest ${varg} -s &
2086		sleep 1
2087		run_cmd_nsb nettest ${varg} -r ${a} &
2088		sleep 3
2089		run_cmd ip link del ${VRF}
2090		sleep 1
2091		log_test_addr ${a} 0 0 "${desc}, global server"
2092
2093		setup ${with_vrf}
2094	done
2095
2096	for a in ${NSA_IP} ${VRF_IP}
2097	do
2098		log_start
2099		run_cmd nettest ${varg} -s -I ${VRF} &
2100		sleep 1
2101		run_cmd_nsb nettest ${varg} -r ${a} &
2102		sleep 3
2103		run_cmd ip link del ${VRF}
2104		sleep 1
2105		log_test_addr ${a} 0 0 "${desc}, VRF server"
2106
2107		setup ${with_vrf}
2108	done
2109
2110	a=${NSA_IP}
2111	log_start
2112	run_cmd nettest ${varg} -s -I ${NSA_DEV} &
2113	sleep 1
2114	run_cmd_nsb nettest ${varg} -r ${a} &
2115	sleep 3
2116	run_cmd ip link del ${VRF}
2117	sleep 1
2118	log_test_addr ${a} 0 0 "${desc}, enslaved device server"
2119
2120	setup ${with_vrf}
2121
2122	#
2123	# client test
2124	#
2125	log_start
2126	run_cmd_nsb nettest ${varg} -s &
2127	sleep 1
2128	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} &
2129	sleep 3
2130	run_cmd ip link del ${VRF}
2131	sleep 1
2132	log_test_addr ${a} 0 0 "${desc}, VRF client"
2133
2134	setup ${with_vrf}
2135
2136	log_start
2137	run_cmd_nsb nettest ${varg} -s &
2138	sleep 1
2139	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} &
2140	sleep 3
2141	run_cmd ip link del ${VRF}
2142	sleep 1
2143	log_test_addr ${a} 0 0 "${desc}, enslaved device client"
2144
2145	setup ${with_vrf}
2146
2147	#
2148	# local address tests
2149	#
2150	for a in ${NSA_IP} ${VRF_IP}
2151	do
2152		log_start
2153		run_cmd nettest ${varg} -s &
2154		sleep 1
2155		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
2156		sleep 3
2157		run_cmd ip link del ${VRF}
2158		sleep 1
2159		log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local"
2160
2161		setup ${with_vrf}
2162	done
2163
2164	for a in ${NSA_IP} ${VRF_IP}
2165	do
2166		log_start
2167		run_cmd nettest ${varg} -I ${VRF} -s &
2168		sleep 1
2169		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
2170		sleep 3
2171		run_cmd ip link del ${VRF}
2172		sleep 1
2173		log_test_addr ${a} 0 0 "${desc}, VRF server and client, local"
2174
2175		setup ${with_vrf}
2176	done
2177
2178	a=${NSA_IP}
2179	log_start
2180
2181	run_cmd nettest ${varg} -s &
2182	sleep 1
2183	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
2184	sleep 3
2185	run_cmd ip link del ${VRF}
2186	sleep 1
2187	log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local"
2188
2189	setup ${with_vrf}
2190
2191	log_start
2192	run_cmd nettest ${varg} -I ${VRF} -s &
2193	sleep 1
2194	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
2195	sleep 3
2196	run_cmd ip link del ${VRF}
2197	sleep 1
2198	log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local"
2199
2200	setup ${with_vrf}
2201
2202	log_start
2203	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
2204	sleep 1
2205	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
2206	sleep 3
2207	run_cmd ip link del ${VRF}
2208	sleep 1
2209	log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local"
2210}
2211
2212ipv4_ping_rt()
2213{
2214	local with_vrf="yes"
2215	local a
2216
2217	for a in ${NSA_IP} ${VRF_IP}
2218	do
2219		log_start
2220		run_cmd_nsb ping -f ${a} &
2221		sleep 3
2222		run_cmd ip link del ${VRF}
2223		sleep 1
2224		log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"
2225
2226		setup ${with_vrf}
2227	done
2228
2229	a=${NSB_IP}
2230	log_start
2231	run_cmd ping -f -I ${VRF} ${a} &
2232	sleep 3
2233	run_cmd ip link del ${VRF}
2234	sleep 1
2235	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
2236}
2237
2238ipv4_runtime()
2239{
2240	log_section "Run time tests - ipv4"
2241
2242	setup "yes"
2243	ipv4_ping_rt
2244
2245	setup "yes"
2246	ipv4_rt "TCP active socket"  "-n -1"
2247
2248	setup "yes"
2249	ipv4_rt "TCP passive socket" "-i"
2250}
2251
2252################################################################################
2253# IPv6
2254
2255ipv6_ping_novrf()
2256{
2257	local a
2258
2259	# should not have an impact, but make a known state
2260	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null
2261
2262	#
2263	# out
2264	#
2265	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2266	do
2267		log_start
2268		run_cmd ${ping6} -c1 -w1 ${a}
2269		log_test_addr ${a} $? 0 "ping out"
2270	done
2271
2272	for a in ${NSB_IP6} ${NSB_LO_IP6}
2273	do
2274		log_start
2275		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2276		log_test_addr ${a} $? 0 "ping out, device bind"
2277
2278		log_start
2279		run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a}
2280		log_test_addr ${a} $? 0 "ping out, loopback address bind"
2281	done
2282
2283	#
2284	# in
2285	#
2286	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
2287	do
2288		log_start
2289		run_cmd_nsb ${ping6} -c1 -w1 ${a}
2290		log_test_addr ${a} $? 0 "ping in"
2291	done
2292
2293	#
2294	# local traffic, local address
2295	#
2296	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2297	do
2298		log_start
2299		run_cmd ${ping6} -c1 -w1 ${a}
2300		log_test_addr ${a} $? 0 "ping local, no bind"
2301	done
2302
2303	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2304	do
2305		log_start
2306		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2307		log_test_addr ${a} $? 0 "ping local, device bind"
2308	done
2309
2310	for a in ${NSA_LO_IP6} ::1
2311	do
2312		log_start
2313		show_hint "Fails since address on loopback is out of device scope"
2314		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2315		log_test_addr ${a} $? 2 "ping local, device bind"
2316	done
2317
2318	#
2319	# ip rule blocks address
2320	#
2321	log_start
2322	setup_cmd ip -6 rule add pref 32765 from all lookup local
2323	setup_cmd ip -6 rule del pref 0 from all lookup local
2324	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
2325	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit
2326
2327	a=${NSB_LO_IP6}
2328	run_cmd ${ping6} -c1 -w1 ${a}
2329	log_test_addr ${a} $? 2 "ping out, blocked by rule"
2330
2331	log_start
2332	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2333	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
2334
2335	a=${NSA_LO_IP6}
2336	log_start
2337	show_hint "Response lost due to ip rule"
2338	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2339	log_test_addr ${a} $? 1 "ping in, blocked by rule"
2340
2341	setup_cmd ip -6 rule add pref 0 from all lookup local
2342	setup_cmd ip -6 rule del pref 32765 from all lookup local
2343	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
2344	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit
2345
2346	#
2347	# route blocks reachability to remote address
2348	#
2349	log_start
2350	setup_cmd ip -6 route del ${NSB_LO_IP6}
2351	setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10
2352	setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10
2353
2354	a=${NSB_LO_IP6}
2355	run_cmd ${ping6} -c1 -w1 ${a}
2356	log_test_addr ${a} $? 2 "ping out, blocked by route"
2357
2358	log_start
2359	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2360	log_test_addr ${a} $? 2 "ping out, device bind, blocked by route"
2361
2362	a=${NSA_LO_IP6}
2363	log_start
2364	show_hint "Response lost due to ip route"
2365	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2366	log_test_addr ${a} $? 1 "ping in, blocked by route"
2367
2368
2369	#
2370	# remove 'remote' routes; fallback to default
2371	#
2372	log_start
2373	setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6}
2374	setup_cmd ip -6 ro del unreachable ${NSB_IP6}
2375
2376	a=${NSB_LO_IP6}
2377	run_cmd ${ping6} -c1 -w1 ${a}
2378	log_test_addr ${a} $? 2 "ping out, unreachable route"
2379
2380	log_start
2381	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2382	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
2383}
2384
2385ipv6_ping_vrf()
2386{
2387	local a
2388
2389	# should default on; does not exist on older kernels
2390	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
2391
2392	#
2393	# out
2394	#
2395	for a in ${NSB_IP6} ${NSB_LO_IP6}
2396	do
2397		log_start
2398		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
2399		log_test_addr ${a} $? 0 "ping out, VRF bind"
2400	done
2401
2402	for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF}
2403	do
2404		log_start
2405		show_hint "Fails since VRF device does not support linklocal or multicast"
2406		run_cmd ${ping6} -c1 -w1 ${a}
2407		log_test_addr ${a} $? 1 "ping out, VRF bind"
2408	done
2409
2410	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2411	do
2412		log_start
2413		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2414		log_test_addr ${a} $? 0 "ping out, device bind"
2415	done
2416
2417	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2418	do
2419		log_start
2420		run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a}
2421		log_test_addr ${a} $? 0 "ping out, vrf device+address bind"
2422	done
2423
2424	#
2425	# in
2426	#
2427	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
2428	do
2429		log_start
2430		run_cmd_nsb ${ping6} -c1 -w1 ${a}
2431		log_test_addr ${a} $? 0 "ping in"
2432	done
2433
2434	a=${NSA_LO_IP6}
2435	log_start
2436	show_hint "Fails since loopback address is out of VRF scope"
2437	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2438	log_test_addr ${a} $? 1 "ping in"
2439
2440	#
2441	# local traffic, local address
2442	#
2443	for a in ${NSA_IP6} ${VRF_IP6} ::1
2444	do
2445		log_start
2446		show_hint "Source address should be ${a}"
2447		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
2448		log_test_addr ${a} $? 0 "ping local, VRF bind"
2449	done
2450
2451	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2452	do
2453		log_start
2454		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2455		log_test_addr ${a} $? 0 "ping local, device bind"
2456	done
2457
2458	# LLA to GUA - remove ipv6 global addresses from ns-B
2459	setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
2460	setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo
2461	setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
2462
2463	for a in ${NSA_IP6} ${VRF_IP6}
2464	do
2465		log_start
2466		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
2467		log_test_addr ${a} $? 0 "ping in, LLA to GUA"
2468	done
2469
2470	setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
2471	setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV}
2472	setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo
2473
2474	#
2475	# ip rule blocks address
2476	#
2477	log_start
2478	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
2479	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit
2480
2481	a=${NSB_LO_IP6}
2482	run_cmd ${ping6} -c1 -w1 ${a}
2483	log_test_addr ${a} $? 2 "ping out, blocked by rule"
2484
2485	log_start
2486	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2487	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
2488
2489	a=${NSA_LO_IP6}
2490	log_start
2491	show_hint "Response lost due to ip rule"
2492	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2493	log_test_addr ${a} $? 1 "ping in, blocked by rule"
2494
2495	log_start
2496	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
2497	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit
2498
2499	#
2500	# remove 'remote' routes; fallback to default
2501	#
2502	log_start
2503	setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF}
2504
2505	a=${NSB_LO_IP6}
2506	run_cmd ${ping6} -c1 -w1 ${a}
2507	log_test_addr ${a} $? 2 "ping out, unreachable route"
2508
2509	log_start
2510	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2511	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
2512
2513	ip -netns ${NSB} -6 ro del ${NSA_LO_IP6}
2514	a=${NSA_LO_IP6}
2515	log_start
2516	run_cmd_nsb ${ping6} -c1 -w1 ${a}
2517	log_test_addr ${a} $? 2 "ping in, unreachable route"
2518}
2519
2520ipv6_ping()
2521{
2522	log_section "IPv6 ping"
2523
2524	log_subsection "No VRF"
2525	setup
2526	ipv6_ping_novrf
2527	setup
2528	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
2529	ipv6_ping_novrf
2530
2531	log_subsection "With VRF"
2532	setup "yes"
2533	ipv6_ping_vrf
2534	setup "yes"
2535	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
2536	ipv6_ping_vrf
2537}
2538
2539################################################################################
2540# IPv6 TCP
2541
2542#
2543# MD5 tests without VRF
2544#
2545ipv6_tcp_md5_novrf()
2546{
2547	#
2548	# single address
2549	#
2550
2551	# basic use case
2552	log_start
2553	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
2554	sleep 1
2555	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2556	log_test $? 0 "MD5: Single address config"
2557
2558	# client sends MD5, server not configured
2559	log_start
2560	show_hint "Should timeout due to MD5 mismatch"
2561	run_cmd nettest -6 -s &
2562	sleep 1
2563	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2564	log_test $? 2 "MD5: Server no config, client uses password"
2565
2566	# wrong password
2567	log_start
2568	show_hint "Should timeout since client uses wrong password"
2569	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
2570	sleep 1
2571	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2572	log_test $? 2 "MD5: Client uses wrong password"
2573
2574	# client from different address
2575	log_start
2576	show_hint "Should timeout due to MD5 mismatch"
2577	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} &
2578	sleep 1
2579	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2580	log_test $? 2 "MD5: Client address does not match address configured with password"
2581
2582	#
2583	# MD5 extension - prefix length
2584	#
2585
2586	# client in prefix
2587	log_start
2588	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2589	sleep 1
2590	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2591	log_test $? 0 "MD5: Prefix config"
2592
2593	# client in prefix, wrong password
2594	log_start
2595	show_hint "Should timeout since client uses wrong password"
2596	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2597	sleep 1
2598	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2599	log_test $? 2 "MD5: Prefix config, client uses wrong password"
2600
2601	# client outside of prefix
2602	log_start
2603	show_hint "Should timeout due to MD5 mismatch"
2604	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2605	sleep 1
2606	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
2607	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
2608}
2609
2610#
2611# MD5 tests with VRF
2612#
2613ipv6_tcp_md5()
2614{
2615	#
2616	# single address
2617	#
2618
2619	# basic use case
2620	log_start
2621	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2622	sleep 1
2623	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2624	log_test $? 0 "MD5: VRF: Single address config"
2625
2626	# client sends MD5, server not configured
2627	log_start
2628	show_hint "Should timeout since server does not have MD5 auth"
2629	run_cmd nettest -6 -s -I ${VRF} &
2630	sleep 1
2631	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2632	log_test $? 2 "MD5: VRF: Server no config, client uses password"
2633
2634	# wrong password
2635	log_start
2636	show_hint "Should timeout since client uses wrong password"
2637	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2638	sleep 1
2639	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2640	log_test $? 2 "MD5: VRF: Client uses wrong password"
2641
2642	# client from different address
2643	log_start
2644	show_hint "Should timeout since server config differs from client"
2645	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} &
2646	sleep 1
2647	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2648	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"
2649
2650	#
2651	# MD5 extension - prefix length
2652	#
2653
2654	# client in prefix
2655	log_start
2656	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2657	sleep 1
2658	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2659	log_test $? 0 "MD5: VRF: Prefix config"
2660
2661	# client in prefix, wrong password
2662	log_start
2663	show_hint "Should timeout since client uses wrong password"
2664	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2665	sleep 1
2666	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2667	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"
2668
2669	# client outside of prefix
2670	log_start
2671	show_hint "Should timeout since client address is outside of prefix"
2672	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2673	sleep 1
2674	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
2675	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"
2676
2677	#
2678	# duplicate config between default VRF and a VRF
2679	#
2680
2681	log_start
2682	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2683	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2684	sleep 1
2685	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2686	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"
2687
2688	log_start
2689	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2690	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2691	sleep 1
2692	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2693	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"
2694
2695	log_start
2696	show_hint "Should timeout since client in default VRF uses VRF password"
2697	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2698	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2699	sleep 1
2700	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2701	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"
2702
2703	log_start
2704	show_hint "Should timeout since client in VRF uses default VRF password"
2705	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2706	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2707	sleep 1
2708	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2709	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"
2710
2711	log_start
2712	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2713	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2714	sleep 1
2715	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2716	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"
2717
2718	log_start
2719	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2720	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2721	sleep 1
2722	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2723	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"
2724
2725	log_start
2726	show_hint "Should timeout since client in default VRF uses VRF password"
2727	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2728	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2729	sleep 1
2730	run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2731	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"
2732
2733	log_start
2734	show_hint "Should timeout since client in VRF uses default VRF password"
2735	run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2736	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2737	sleep 1
2738	run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2739	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"
2740
2741	#
2742	# negative tests
2743	#
2744	log_start
2745	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6}
2746	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"
2747
2748	log_start
2749	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6}
2750	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"
2751
2752}
2753
2754ipv6_tcp_novrf()
2755{
2756	local a
2757
2758	#
2759	# server tests
2760	#
2761	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2762	do
2763		log_start
2764		run_cmd nettest -6 -s &
2765		sleep 1
2766		run_cmd_nsb nettest -6 -r ${a}
2767		log_test_addr ${a} $? 0 "Global server"
2768	done
2769
2770	# verify TCP reset received
2771	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2772	do
2773		log_start
2774		show_hint "Should fail 'Connection refused'"
2775		run_cmd_nsb nettest -6 -r ${a}
2776		log_test_addr ${a} $? 1 "No server"
2777	done
2778
2779	#
2780	# client
2781	#
2782	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2783	do
2784		log_start
2785		run_cmd_nsb nettest -6 -s &
2786		sleep 1
2787		run_cmd nettest -6 -r ${a}
2788		log_test_addr ${a} $? 0 "Client"
2789	done
2790
2791	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2792	do
2793		log_start
2794		run_cmd_nsb nettest -6 -s &
2795		sleep 1
2796		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2797		log_test_addr ${a} $? 0 "Client, device bind"
2798	done
2799
2800	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2801	do
2802		log_start
2803		show_hint "Should fail 'Connection refused'"
2804		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2805		log_test_addr ${a} $? 1 "No server, device client"
2806	done
2807
2808	#
2809	# local address tests
2810	#
2811	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
2812	do
2813		log_start
2814		run_cmd nettest -6 -s &
2815		sleep 1
2816		run_cmd nettest -6 -r ${a}
2817		log_test_addr ${a} $? 0 "Global server, local connection"
2818	done
2819
2820	a=${NSA_IP6}
2821	log_start
2822	run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2823	sleep 1
2824	run_cmd nettest -6 -r ${a} -0 ${a}
2825	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
2826
2827	for a in ${NSA_LO_IP6} ::1
2828	do
2829		log_start
2830		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
2831		run_cmd nettest -6 -s -I ${NSA_DEV} &
2832		sleep 1
2833		run_cmd nettest -6 -r ${a}
2834		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
2835	done
2836
2837	a=${NSA_IP6}
2838	log_start
2839	run_cmd nettest -6 -s &
2840	sleep 1
2841	run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
2842	log_test_addr ${a} $? 0 "Global server, device client, local connection"
2843
2844	for a in ${NSA_LO_IP6} ::1
2845	do
2846		log_start
2847		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
2848		run_cmd nettest -6 -s &
2849		sleep 1
2850		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2851		log_test_addr ${a} $? 1 "Global server, device client, local connection"
2852	done
2853
2854	for a in ${NSA_IP6} ${NSA_LINKIP6}
2855	do
2856		log_start
2857		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2858		sleep 1
2859		run_cmd nettest -6  -d ${NSA_DEV} -r ${a}
2860		log_test_addr ${a} $? 0 "Device server, device client, local conn"
2861	done
2862
2863	for a in ${NSA_IP6} ${NSA_LINKIP6}
2864	do
2865		log_start
2866		show_hint "Should fail 'Connection refused'"
2867		run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
2868		log_test_addr ${a} $? 1 "No server, device client, local conn"
2869	done
2870
2871	[ "$fips_enabled" = "1" ] || ipv6_tcp_md5_novrf
2872}
2873
2874ipv6_tcp_vrf()
2875{
2876	local a
2877
2878	# disable global server
2879	log_subsection "Global server disabled"
2880
2881	set_sysctl net.ipv4.tcp_l3mdev_accept=0
2882
2883	#
2884	# server tests
2885	#
2886	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2887	do
2888		log_start
2889		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
2890		run_cmd nettest -6 -s &
2891		sleep 1
2892		run_cmd_nsb nettest -6 -r ${a}
2893		log_test_addr ${a} $? 1 "Global server"
2894	done
2895
2896	for a in ${NSA_IP6} ${VRF_IP6}
2897	do
2898		log_start
2899		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
2900		sleep 1
2901		run_cmd_nsb nettest -6 -r ${a}
2902		log_test_addr ${a} $? 0 "VRF server"
2903	done
2904
2905	# link local is always bound to ingress device
2906	a=${NSA_LINKIP6}%${NSB_DEV}
2907	log_start
2908	run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} &
2909	sleep 1
2910	run_cmd_nsb nettest -6 -r ${a}
2911	log_test_addr ${a} $? 0 "VRF server"
2912
2913	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2914	do
2915		log_start
2916		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2917		sleep 1
2918		run_cmd_nsb nettest -6 -r ${a}
2919		log_test_addr ${a} $? 0 "Device server"
2920	done
2921
2922	# verify TCP reset received
2923	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2924	do
2925		log_start
2926		show_hint "Should fail 'Connection refused'"
2927		run_cmd_nsb nettest -6 -r ${a}
2928		log_test_addr ${a} $? 1 "No server"
2929	done
2930
2931	# local address tests
2932	a=${NSA_IP6}
2933	log_start
2934	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
2935	run_cmd nettest -6 -s &
2936	sleep 1
2937	run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2938	log_test_addr ${a} $? 1 "Global server, local connection"
2939
2940	# run MD5 tests
2941	if [ "$fips_enabled" = "0" ]; then
2942		setup_vrf_dup
2943		ipv6_tcp_md5
2944		cleanup_vrf_dup
2945	fi
2946
2947	#
2948	# enable VRF global server
2949	#
2950	log_subsection "VRF Global server enabled"
2951	set_sysctl net.ipv4.tcp_l3mdev_accept=1
2952
2953	for a in ${NSA_IP6} ${VRF_IP6}
2954	do
2955		log_start
2956		run_cmd nettest -6 -s -3 ${VRF} &
2957		sleep 1
2958		run_cmd_nsb nettest -6 -r ${a}
2959		log_test_addr ${a} $? 0 "Global server"
2960	done
2961
2962	for a in ${NSA_IP6} ${VRF_IP6}
2963	do
2964		log_start
2965		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
2966		sleep 1
2967		run_cmd_nsb nettest -6 -r ${a}
2968		log_test_addr ${a} $? 0 "VRF server"
2969	done
2970
2971	# For LLA, child socket is bound to device
2972	a=${NSA_LINKIP6}%${NSB_DEV}
2973	log_start
2974	run_cmd nettest -6 -s -3 ${NSA_DEV} &
2975	sleep 1
2976	run_cmd_nsb nettest -6 -r ${a}
2977	log_test_addr ${a} $? 0 "Global server"
2978
2979	log_start
2980	run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} &
2981	sleep 1
2982	run_cmd_nsb nettest -6 -r ${a}
2983	log_test_addr ${a} $? 0 "VRF server"
2984
2985	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2986	do
2987		log_start
2988		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2989		sleep 1
2990		run_cmd_nsb nettest -6 -r ${a}
2991		log_test_addr ${a} $? 0 "Device server"
2992	done
2993
2994	# verify TCP reset received
2995	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2996	do
2997		log_start
2998		show_hint "Should fail 'Connection refused'"
2999		run_cmd_nsb nettest -6 -r ${a}
3000		log_test_addr ${a} $? 1 "No server"
3001	done
3002
3003	# local address tests
3004	for a in ${NSA_IP6} ${VRF_IP6}
3005	do
3006		log_start
3007		show_hint "Fails 'Connection refused' since client is not in VRF"
3008		run_cmd nettest -6 -s -I ${VRF} &
3009		sleep 1
3010		run_cmd nettest -6 -r ${a}
3011		log_test_addr ${a} $? 1 "Global server, local connection"
3012	done
3013
3014
3015	#
3016	# client
3017	#
3018	for a in ${NSB_IP6} ${NSB_LO_IP6}
3019	do
3020		log_start
3021		run_cmd_nsb nettest -6 -s &
3022		sleep 1
3023		run_cmd nettest -6 -r ${a} -d ${VRF}
3024		log_test_addr ${a} $? 0 "Client, VRF bind"
3025	done
3026
3027	a=${NSB_LINKIP6}
3028	log_start
3029	show_hint "Fails since VRF device does not allow linklocal addresses"
3030	run_cmd_nsb nettest -6 -s &
3031	sleep 1
3032	run_cmd nettest -6 -r ${a} -d ${VRF}
3033	log_test_addr ${a} $? 1 "Client, VRF bind"
3034
3035	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}
3036	do
3037		log_start
3038		run_cmd_nsb nettest -6 -s &
3039		sleep 1
3040		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
3041		log_test_addr ${a} $? 0 "Client, device bind"
3042	done
3043
3044	for a in ${NSB_IP6} ${NSB_LO_IP6}
3045	do
3046		log_start
3047		show_hint "Should fail 'Connection refused'"
3048		run_cmd nettest -6 -r ${a} -d ${VRF}
3049		log_test_addr ${a} $? 1 "No server, VRF client"
3050	done
3051
3052	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}
3053	do
3054		log_start
3055		show_hint "Should fail 'Connection refused'"
3056		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
3057		log_test_addr ${a} $? 1 "No server, device client"
3058	done
3059
3060	for a in ${NSA_IP6} ${VRF_IP6} ::1
3061	do
3062		log_start
3063		run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
3064		sleep 1
3065		run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
3066		log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
3067	done
3068
3069	a=${NSA_IP6}
3070	log_start
3071	run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
3072	sleep 1
3073	run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
3074	log_test_addr ${a} $? 0 "VRF server, device client, local connection"
3075
3076	a=${NSA_IP6}
3077	log_start
3078	show_hint "Should fail since unbound client is out of VRF scope"
3079	run_cmd nettest -6 -s -I ${VRF} &
3080	sleep 1
3081	run_cmd nettest -6 -r ${a}
3082	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"
3083
3084	log_start
3085	run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
3086	sleep 1
3087	run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
3088	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"
3089
3090	for a in ${NSA_IP6} ${NSA_LINKIP6}
3091	do
3092		log_start
3093		run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
3094		sleep 1
3095		run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
3096		log_test_addr ${a} $? 0 "Device server, device client, local connection"
3097	done
3098}
3099
3100ipv6_tcp()
3101{
3102	log_section "IPv6/TCP"
3103	log_subsection "No VRF"
3104	setup
3105
3106	# tcp_l3mdev_accept should have no affect without VRF;
3107	# run tests with it enabled and disabled to verify
3108	log_subsection "tcp_l3mdev_accept disabled"
3109	set_sysctl net.ipv4.tcp_l3mdev_accept=0
3110	ipv6_tcp_novrf
3111	log_subsection "tcp_l3mdev_accept enabled"
3112	set_sysctl net.ipv4.tcp_l3mdev_accept=1
3113	ipv6_tcp_novrf
3114
3115	log_subsection "With VRF"
3116	setup "yes"
3117	ipv6_tcp_vrf
3118}
3119
3120################################################################################
3121# IPv6 UDP
3122
3123ipv6_udp_novrf()
3124{
3125	local a
3126
3127	#
3128	# server tests
3129	#
3130	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
3131	do
3132		log_start
3133		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3134		sleep 1
3135		run_cmd_nsb nettest -6 -D -r ${a}
3136		log_test_addr ${a} $? 0 "Global server"
3137
3138		log_start
3139		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3140		sleep 1
3141		run_cmd_nsb nettest -6 -D -r ${a}
3142		log_test_addr ${a} $? 0 "Device server"
3143	done
3144
3145	a=${NSA_LO_IP6}
3146	log_start
3147	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3148	sleep 1
3149	run_cmd_nsb nettest -6 -D -r ${a}
3150	log_test_addr ${a} $? 0 "Global server"
3151
3152	# should fail since loopback address is out of scope for a device
3153	# bound server, but it does not - hence this is more documenting
3154	# behavior.
3155	#log_start
3156	#show_hint "Should fail since loopback address is out of scope"
3157	#run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3158	#sleep 1
3159	#run_cmd_nsb nettest -6 -D -r ${a}
3160	#log_test_addr ${a} $? 1 "Device server"
3161
3162	# negative test - should fail
3163	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
3164	do
3165		log_start
3166		show_hint "Should fail 'Connection refused' since there is no server"
3167		run_cmd_nsb nettest -6 -D -r ${a}
3168		log_test_addr ${a} $? 1 "No server"
3169	done
3170
3171	#
3172	# client
3173	#
3174	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
3175	do
3176		log_start
3177		run_cmd_nsb nettest -6 -D -s &
3178		sleep 1
3179		run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6}
3180		log_test_addr ${a} $? 0 "Client"
3181
3182		log_start
3183		run_cmd_nsb nettest -6 -D -s &
3184		sleep 1
3185		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6}
3186		log_test_addr ${a} $? 0 "Client, device bind"
3187
3188		log_start
3189		run_cmd_nsb nettest -6 -D -s &
3190		sleep 1
3191		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6}
3192		log_test_addr ${a} $? 0 "Client, device send via cmsg"
3193
3194		log_start
3195		run_cmd_nsb nettest -6 -D -s &
3196		sleep 1
3197		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6}
3198		log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF"
3199
3200		log_start
3201		show_hint "Should fail 'Connection refused'"
3202		run_cmd nettest -6 -D -r ${a}
3203		log_test_addr ${a} $? 1 "No server, unbound client"
3204
3205		log_start
3206		show_hint "Should fail 'Connection refused'"
3207		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
3208		log_test_addr ${a} $? 1 "No server, device client"
3209	done
3210
3211	#
3212	# local address tests
3213	#
3214	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
3215	do
3216		log_start
3217		run_cmd nettest -6 -D -s &
3218		sleep 1
3219		run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a}
3220		log_test_addr ${a} $? 0 "Global server, local connection"
3221	done
3222
3223	a=${NSA_IP6}
3224	log_start
3225	run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
3226	sleep 1
3227	run_cmd nettest -6 -D -r ${a}
3228	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
3229
3230	for a in ${NSA_LO_IP6} ::1
3231	do
3232		log_start
3233		show_hint "Should fail 'Connection refused' since address is out of device scope"
3234		run_cmd nettest -6 -s -D -I ${NSA_DEV} &
3235		sleep 1
3236		run_cmd nettest -6 -D -r ${a}
3237		log_test_addr ${a} $? 1 "Device server, local connection"
3238	done
3239
3240	a=${NSA_IP6}
3241	log_start
3242	run_cmd nettest -6 -s -D &
3243	sleep 1
3244	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3245	log_test_addr ${a} $? 0 "Global server, device client, local connection"
3246
3247	log_start
3248	run_cmd nettest -6 -s -D &
3249	sleep 1
3250	run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a}
3251	log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"
3252
3253	log_start
3254	run_cmd nettest -6 -s -D &
3255	sleep 1
3256	run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a}
3257	log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection"
3258
3259	for a in ${NSA_LO_IP6} ::1
3260	do
3261		log_start
3262		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
3263		run_cmd nettest -6 -D -s &
3264		sleep 1
3265		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
3266		log_test_addr ${a} $? 1 "Global server, device client, local connection"
3267
3268		log_start
3269		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
3270		run_cmd nettest -6 -D -s &
3271		sleep 1
3272		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C
3273		log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"
3274
3275		log_start
3276		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
3277		run_cmd nettest -6 -D -s &
3278		sleep 1
3279		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S
3280		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
3281
3282		log_start
3283		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
3284		run_cmd nettest -6 -D -s &
3285		sleep 1
3286		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -U
3287		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"
3288	done
3289
3290	a=${NSA_IP6}
3291	log_start
3292	run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} &
3293	sleep 1
3294	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a}
3295	log_test_addr ${a} $? 0 "Device server, device client, local conn"
3296
3297	log_start
3298	show_hint "Should fail 'Connection refused'"
3299	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3300	log_test_addr ${a} $? 1 "No server, device client, local conn"
3301
3302	# LLA to GUA
3303	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
3304	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
3305	log_start
3306	run_cmd nettest -6 -s -D &
3307	sleep 1
3308	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
3309	log_test $? 0 "UDP in - LLA to GUA"
3310
3311	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
3312	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
3313}
3314
3315ipv6_udp_vrf()
3316{
3317	local a
3318
3319	# disable global server
3320	log_subsection "Global server disabled"
3321	set_sysctl net.ipv4.udp_l3mdev_accept=0
3322
3323	#
3324	# server tests
3325	#
3326	for a in ${NSA_IP6} ${VRF_IP6}
3327	do
3328		log_start
3329		show_hint "Should fail 'Connection refused' since global server is disabled"
3330		run_cmd nettest -6 -D -s &
3331		sleep 1
3332		run_cmd_nsb nettest -6 -D -r ${a}
3333		log_test_addr ${a} $? 1 "Global server"
3334	done
3335
3336	for a in ${NSA_IP6} ${VRF_IP6}
3337	do
3338		log_start
3339		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3340		sleep 1
3341		run_cmd_nsb nettest -6 -D -r ${a}
3342		log_test_addr ${a} $? 0 "VRF server"
3343	done
3344
3345	for a in ${NSA_IP6} ${VRF_IP6}
3346	do
3347		log_start
3348		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3349		sleep 1
3350		run_cmd_nsb nettest -6 -D -r ${a}
3351		log_test_addr ${a} $? 0 "Enslaved device server"
3352	done
3353
3354	# negative test - should fail
3355	for a in ${NSA_IP6} ${VRF_IP6}
3356	do
3357		log_start
3358		show_hint "Should fail 'Connection refused' since there is no server"
3359		run_cmd_nsb nettest -6 -D -r ${a}
3360		log_test_addr ${a} $? 1 "No server"
3361	done
3362
3363	#
3364	# local address tests
3365	#
3366	for a in ${NSA_IP6} ${VRF_IP6}
3367	do
3368		log_start
3369		show_hint "Should fail 'Connection refused' since global server is disabled"
3370		run_cmd nettest -6 -D -s &
3371		sleep 1
3372		run_cmd nettest -6 -D -d ${VRF} -r ${a}
3373		log_test_addr ${a} $? 1 "Global server, VRF client, local conn"
3374	done
3375
3376	for a in ${NSA_IP6} ${VRF_IP6}
3377	do
3378		log_start
3379		run_cmd nettest -6 -D -I ${VRF} -s &
3380		sleep 1
3381		run_cmd nettest -6 -D -d ${VRF} -r ${a}
3382		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3383	done
3384
3385	a=${NSA_IP6}
3386	log_start
3387	show_hint "Should fail 'Connection refused' since global server is disabled"
3388	run_cmd nettest -6 -D -s &
3389	sleep 1
3390	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3391	log_test_addr ${a} $? 1 "Global server, device client, local conn"
3392
3393	log_start
3394	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3395	sleep 1
3396	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3397	log_test_addr ${a} $? 0 "VRF server, device client, local conn"
3398
3399	log_start
3400	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3401	sleep 1
3402	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3403	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
3404
3405	log_start
3406	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3407	sleep 1
3408	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3409	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
3410
3411	# disable global server
3412	log_subsection "Global server enabled"
3413	set_sysctl net.ipv4.udp_l3mdev_accept=1
3414
3415	#
3416	# server tests
3417	#
3418	for a in ${NSA_IP6} ${VRF_IP6}
3419	do
3420		log_start
3421		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3422		sleep 1
3423		run_cmd_nsb nettest -6 -D -r ${a}
3424		log_test_addr ${a} $? 0 "Global server"
3425	done
3426
3427	for a in ${NSA_IP6} ${VRF_IP6}
3428	do
3429		log_start
3430		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3431		sleep 1
3432		run_cmd_nsb nettest -6 -D -r ${a}
3433		log_test_addr ${a} $? 0 "VRF server"
3434	done
3435
3436	for a in ${NSA_IP6} ${VRF_IP6}
3437	do
3438		log_start
3439		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3440		sleep 1
3441		run_cmd_nsb nettest -6 -D -r ${a}
3442		log_test_addr ${a} $? 0 "Enslaved device server"
3443	done
3444
3445	# negative test - should fail
3446	for a in ${NSA_IP6} ${VRF_IP6}
3447	do
3448		log_start
3449		run_cmd_nsb nettest -6 -D -r ${a}
3450		log_test_addr ${a} $? 1 "No server"
3451	done
3452
3453	#
3454	# client tests
3455	#
3456	log_start
3457	run_cmd_nsb nettest -6 -D -s &
3458	sleep 1
3459	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
3460	log_test $? 0 "VRF client"
3461
3462	# negative test - should fail
3463	log_start
3464	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
3465	log_test $? 1 "No server, VRF client"
3466
3467	log_start
3468	run_cmd_nsb nettest -6 -D -s &
3469	sleep 1
3470	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
3471	log_test $? 0 "Enslaved device client"
3472
3473	# negative test - should fail
3474	log_start
3475	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
3476	log_test $? 1 "No server, enslaved device client"
3477
3478	#
3479	# local address tests
3480	#
3481	a=${NSA_IP6}
3482	log_start
3483	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3484	sleep 1
3485	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3486	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
3487
3488	#log_start
3489	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3490	sleep 1
3491	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3492	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3493
3494
3495	a=${VRF_IP6}
3496	log_start
3497	run_cmd nettest -6 -D -s -3 ${VRF} &
3498	sleep 1
3499	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3500	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
3501
3502	log_start
3503	run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} &
3504	sleep 1
3505	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3506	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3507
3508	# negative test - should fail
3509	for a in ${NSA_IP6} ${VRF_IP6}
3510	do
3511		log_start
3512		run_cmd nettest -6 -D -d ${VRF} -r ${a}
3513		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
3514	done
3515
3516	# device to global IP
3517	a=${NSA_IP6}
3518	log_start
3519	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3520	sleep 1
3521	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3522	log_test_addr ${a} $? 0 "Global server, device client, local conn"
3523
3524	log_start
3525	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3526	sleep 1
3527	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3528	log_test_addr ${a} $? 0 "VRF server, device client, local conn"
3529
3530	log_start
3531	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3532	sleep 1
3533	run_cmd nettest -6 -D -d ${VRF} -r ${a}
3534	log_test_addr ${a} $? 0 "Device server, VRF client, local conn"
3535
3536	log_start
3537	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3538	sleep 1
3539	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3540	log_test_addr ${a} $? 0 "Device server, device client, local conn"
3541
3542	log_start
3543	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3544	log_test_addr ${a} $? 1 "No server, device client, local conn"
3545
3546
3547	# link local addresses
3548	log_start
3549	run_cmd nettest -6 -D -s &
3550	sleep 1
3551	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
3552	log_test $? 0 "Global server, linklocal IP"
3553
3554	log_start
3555	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
3556	log_test $? 1 "No server, linklocal IP"
3557
3558
3559	log_start
3560	run_cmd_nsb nettest -6 -D -s &
3561	sleep 1
3562	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
3563	log_test $? 0 "Enslaved device client, linklocal IP"
3564
3565	log_start
3566	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
3567	log_test $? 1 "No server, device client, peer linklocal IP"
3568
3569
3570	log_start
3571	run_cmd nettest -6 -D -s &
3572	sleep 1
3573	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
3574	log_test $? 0 "Enslaved device client, local conn - linklocal IP"
3575
3576	log_start
3577	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
3578	log_test $? 1 "No server, device client, local conn  - linklocal IP"
3579
3580	# LLA to GUA
3581	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
3582	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
3583	log_start
3584	run_cmd nettest -6 -s -D &
3585	sleep 1
3586	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
3587	log_test $? 0 "UDP in - LLA to GUA"
3588
3589	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
3590	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
3591}
3592
3593ipv6_udp()
3594{
3595        # should not matter, but set to known state
3596        set_sysctl net.ipv4.udp_early_demux=1
3597
3598        log_section "IPv6/UDP"
3599        log_subsection "No VRF"
3600        setup
3601
3602        # udp_l3mdev_accept should have no affect without VRF;
3603        # run tests with it enabled and disabled to verify
3604        log_subsection "udp_l3mdev_accept disabled"
3605        set_sysctl net.ipv4.udp_l3mdev_accept=0
3606        ipv6_udp_novrf
3607        log_subsection "udp_l3mdev_accept enabled"
3608        set_sysctl net.ipv4.udp_l3mdev_accept=1
3609        ipv6_udp_novrf
3610
3611        log_subsection "With VRF"
3612        setup "yes"
3613        ipv6_udp_vrf
3614}
3615
3616################################################################################
3617# IPv6 address bind
3618
3619ipv6_addr_bind_novrf()
3620{
3621	#
3622	# raw socket
3623	#
3624	for a in ${NSA_IP6} ${NSA_LO_IP6}
3625	do
3626		log_start
3627		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
3628		log_test_addr ${a} $? 0 "Raw socket bind to local address"
3629
3630		log_start
3631		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
3632		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
3633	done
3634
3635	#
3636	# raw socket with nonlocal bind
3637	#
3638	a=${NL_IP6}
3639	log_start
3640	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
3641	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"
3642
3643	#
3644	# tcp sockets
3645	#
3646	a=${NSA_IP6}
3647	log_start
3648	run_cmd nettest -6 -s -l ${a} -t1 -b
3649	log_test_addr ${a} $? 0 "TCP socket bind to local address"
3650
3651	log_start
3652	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3653	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
3654
3655	# Sadly, the kernel allows binding a socket to a device and then
3656	# binding to an address not on the device. So this test passes
3657	# when it really should not
3658	a=${NSA_LO_IP6}
3659	log_start
3660	show_hint "Tecnically should fail since address is not on device but kernel allows"
3661	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3662	log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
3663}
3664
3665ipv6_addr_bind_vrf()
3666{
3667	#
3668	# raw socket
3669	#
3670	for a in ${NSA_IP6} ${VRF_IP6}
3671	do
3672		log_start
3673		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
3674		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"
3675
3676		log_start
3677		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
3678		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
3679	done
3680
3681	a=${NSA_LO_IP6}
3682	log_start
3683	show_hint "Address on loopback is out of VRF scope"
3684	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
3685	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"
3686
3687	#
3688	# raw socket with nonlocal bind
3689	#
3690	a=${NL_IP6}
3691	log_start
3692	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${VRF} -b
3693	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"
3694
3695	#
3696	# tcp sockets
3697	#
3698	# address on enslaved device is valid for the VRF or device in a VRF
3699	for a in ${NSA_IP6} ${VRF_IP6}
3700	do
3701		log_start
3702		run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
3703		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
3704	done
3705
3706	a=${NSA_IP6}
3707	log_start
3708	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3709	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"
3710
3711	# Sadly, the kernel allows binding a socket to a device and then
3712	# binding to an address not on the device. The only restriction
3713	# is that the address is valid in the L3 domain. So this test
3714	# passes when it really should not
3715	a=${VRF_IP6}
3716	log_start
3717	show_hint "Tecnically should fail since address is not on device but kernel allows"
3718	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3719	log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind"
3720
3721	a=${NSA_LO_IP6}
3722	log_start
3723	show_hint "Address on loopback out of scope for VRF"
3724	run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
3725	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"
3726
3727	log_start
3728	show_hint "Address on loopback out of scope for device in VRF"
3729	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3730	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
3731
3732}
3733
3734ipv6_addr_bind()
3735{
3736	log_section "IPv6 address binds"
3737
3738	log_subsection "No VRF"
3739	setup
3740	ipv6_addr_bind_novrf
3741
3742	log_subsection "With VRF"
3743	setup "yes"
3744	ipv6_addr_bind_vrf
3745}
3746
3747################################################################################
3748# IPv6 runtime tests
3749
3750ipv6_rt()
3751{
3752	local desc="$1"
3753	local varg="-6 $2"
3754	local with_vrf="yes"
3755	local a
3756
3757	#
3758	# server tests
3759	#
3760	for a in ${NSA_IP6} ${VRF_IP6}
3761	do
3762		log_start
3763		run_cmd nettest ${varg} -s &
3764		sleep 1
3765		run_cmd_nsb nettest ${varg} -r ${a} &
3766		sleep 3
3767		run_cmd ip link del ${VRF}
3768		sleep 1
3769		log_test_addr ${a} 0 0 "${desc}, global server"
3770
3771		setup ${with_vrf}
3772	done
3773
3774	for a in ${NSA_IP6} ${VRF_IP6}
3775	do
3776		log_start
3777		run_cmd nettest ${varg} -I ${VRF} -s &
3778		sleep 1
3779		run_cmd_nsb nettest ${varg} -r ${a} &
3780		sleep 3
3781		run_cmd ip link del ${VRF}
3782		sleep 1
3783		log_test_addr ${a} 0 0 "${desc}, VRF server"
3784
3785		setup ${with_vrf}
3786	done
3787
3788	for a in ${NSA_IP6} ${VRF_IP6}
3789	do
3790		log_start
3791		run_cmd nettest ${varg} -I ${NSA_DEV} -s &
3792		sleep 1
3793		run_cmd_nsb nettest ${varg} -r ${a} &
3794		sleep 3
3795		run_cmd ip link del ${VRF}
3796		sleep 1
3797		log_test_addr ${a} 0 0 "${desc}, enslaved device server"
3798
3799		setup ${with_vrf}
3800	done
3801
3802	#
3803	# client test
3804	#
3805	log_start
3806	run_cmd_nsb nettest ${varg} -s &
3807	sleep 1
3808	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
3809	sleep 3
3810	run_cmd ip link del ${VRF}
3811	sleep 1
3812	log_test  0 0 "${desc}, VRF client"
3813
3814	setup ${with_vrf}
3815
3816	log_start
3817	run_cmd_nsb nettest ${varg} -s &
3818	sleep 1
3819	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
3820	sleep 3
3821	run_cmd ip link del ${VRF}
3822	sleep 1
3823	log_test  0 0 "${desc}, enslaved device client"
3824
3825	setup ${with_vrf}
3826
3827
3828	#
3829	# local address tests
3830	#
3831	for a in ${NSA_IP6} ${VRF_IP6}
3832	do
3833		log_start
3834		run_cmd nettest ${varg} -s &
3835		sleep 1
3836		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
3837		sleep 3
3838		run_cmd ip link del ${VRF}
3839		sleep 1
3840		log_test_addr ${a} 0 0 "${desc}, global server, VRF client"
3841
3842		setup ${with_vrf}
3843	done
3844
3845	for a in ${NSA_IP6} ${VRF_IP6}
3846	do
3847		log_start
3848		run_cmd nettest ${varg} -I ${VRF} -s &
3849		sleep 1
3850		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
3851		sleep 3
3852		run_cmd ip link del ${VRF}
3853		sleep 1
3854		log_test_addr ${a} 0 0 "${desc}, VRF server and client"
3855
3856		setup ${with_vrf}
3857	done
3858
3859	a=${NSA_IP6}
3860	log_start
3861	run_cmd nettest ${varg} -s &
3862	sleep 1
3863	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3864	sleep 3
3865	run_cmd ip link del ${VRF}
3866	sleep 1
3867	log_test_addr ${a} 0 0 "${desc}, global server, device client"
3868
3869	setup ${with_vrf}
3870
3871	log_start
3872	run_cmd nettest ${varg} -I ${VRF} -s &
3873	sleep 1
3874	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3875	sleep 3
3876	run_cmd ip link del ${VRF}
3877	sleep 1
3878	log_test_addr ${a} 0 0 "${desc}, VRF server, device client"
3879
3880	setup ${with_vrf}
3881
3882	log_start
3883	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
3884	sleep 1
3885	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3886	sleep 3
3887	run_cmd ip link del ${VRF}
3888	sleep 1
3889	log_test_addr ${a} 0 0 "${desc}, device server, device client"
3890}
3891
3892ipv6_ping_rt()
3893{
3894	local with_vrf="yes"
3895	local a
3896
3897	a=${NSA_IP6}
3898	log_start
3899	run_cmd_nsb ${ping6} -f ${a} &
3900	sleep 3
3901	run_cmd ip link del ${VRF}
3902	sleep 1
3903	log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"
3904
3905	setup ${with_vrf}
3906
3907	log_start
3908	run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
3909	sleep 1
3910	run_cmd ip link del ${VRF}
3911	sleep 1
3912	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
3913}
3914
3915ipv6_runtime()
3916{
3917	log_section "Run time tests - ipv6"
3918
3919	setup "yes"
3920	ipv6_ping_rt
3921
3922	setup "yes"
3923	ipv6_rt "TCP active socket"  "-n -1"
3924
3925	setup "yes"
3926	ipv6_rt "TCP passive socket" "-i"
3927
3928	setup "yes"
3929	ipv6_rt "UDP active socket"  "-D -n -1"
3930}
3931
3932################################################################################
3933# netfilter blocking connections
3934
3935netfilter_tcp_reset()
3936{
3937	local a
3938
3939	for a in ${NSA_IP} ${VRF_IP}
3940	do
3941		log_start
3942		run_cmd nettest -s &
3943		sleep 1
3944		run_cmd_nsb nettest -r ${a}
3945		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
3946	done
3947}
3948
3949netfilter_icmp()
3950{
3951	local stype="$1"
3952	local arg
3953	local a
3954
3955	[ "${stype}" = "UDP" ] && arg="-D"
3956
3957	for a in ${NSA_IP} ${VRF_IP}
3958	do
3959		log_start
3960		run_cmd nettest ${arg} -s &
3961		sleep 1
3962		run_cmd_nsb nettest ${arg} -r ${a}
3963		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
3964	done
3965}
3966
3967ipv4_netfilter()
3968{
3969	log_section "IPv4 Netfilter"
3970	log_subsection "TCP reset"
3971
3972	setup "yes"
3973	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset
3974
3975	netfilter_tcp_reset
3976
3977	log_start
3978	log_subsection "ICMP unreachable"
3979
3980	log_start
3981	run_cmd iptables -F
3982	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
3983	run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
3984
3985	netfilter_icmp "TCP"
3986	netfilter_icmp "UDP"
3987
3988	log_start
3989	iptables -F
3990}
3991
3992netfilter_tcp6_reset()
3993{
3994	local a
3995
3996	for a in ${NSA_IP6} ${VRF_IP6}
3997	do
3998		log_start
3999		run_cmd nettest -6 -s &
4000		sleep 1
4001		run_cmd_nsb nettest -6 -r ${a}
4002		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
4003	done
4004}
4005
4006netfilter_icmp6()
4007{
4008	local stype="$1"
4009	local arg
4010	local a
4011
4012	[ "${stype}" = "UDP" ] && arg="$arg -D"
4013
4014	for a in ${NSA_IP6} ${VRF_IP6}
4015	do
4016		log_start
4017		run_cmd nettest -6 -s ${arg} &
4018		sleep 1
4019		run_cmd_nsb nettest -6 ${arg} -r ${a}
4020		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
4021	done
4022}
4023
4024ipv6_netfilter()
4025{
4026	log_section "IPv6 Netfilter"
4027	log_subsection "TCP reset"
4028
4029	setup "yes"
4030	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset
4031
4032	netfilter_tcp6_reset
4033
4034	log_subsection "ICMP unreachable"
4035
4036	log_start
4037	run_cmd ip6tables -F
4038	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
4039	run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
4040
4041	netfilter_icmp6 "TCP"
4042	netfilter_icmp6 "UDP"
4043
4044	log_start
4045	ip6tables -F
4046}
4047
4048################################################################################
4049# specific use cases
4050
4051# VRF only.
4052# ns-A device enslaved to bridge. Verify traffic with and without
4053# br_netfilter module loaded. Repeat with SVI on bridge.
4054use_case_br()
4055{
4056	setup "yes"
4057
4058	setup_cmd ip link set ${NSA_DEV} down
4059	setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
4060	setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64
4061
4062	setup_cmd ip link add br0 type bridge
4063	setup_cmd ip addr add dev br0 ${NSA_IP}/24
4064	setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad
4065
4066	setup_cmd ip li set ${NSA_DEV} master br0
4067	setup_cmd ip li set ${NSA_DEV} up
4068	setup_cmd ip li set br0 up
4069	setup_cmd ip li set br0 vrf ${VRF}
4070
4071	rmmod br_netfilter 2>/dev/null
4072	sleep 5 # DAD
4073
4074	run_cmd ip neigh flush all
4075	run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
4076	log_test $? 0 "Bridge into VRF - IPv4 ping out"
4077
4078	run_cmd ip neigh flush all
4079	run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
4080	log_test $? 0 "Bridge into VRF - IPv6 ping out"
4081
4082	run_cmd ip neigh flush all
4083	run_cmd_nsb ping -c1 -w1 ${NSA_IP}
4084	log_test $? 0 "Bridge into VRF - IPv4 ping in"
4085
4086	run_cmd ip neigh flush all
4087	run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
4088	log_test $? 0 "Bridge into VRF - IPv6 ping in"
4089
4090	modprobe br_netfilter
4091	if [ $? -eq 0 ]; then
4092		run_cmd ip neigh flush all
4093		run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
4094		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out"
4095
4096		run_cmd ip neigh flush all
4097		run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
4098		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out"
4099
4100		run_cmd ip neigh flush all
4101		run_cmd_nsb ping -c1 -w1 ${NSA_IP}
4102		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in"
4103
4104		run_cmd ip neigh flush all
4105		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
4106		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in"
4107	fi
4108
4109	setup_cmd ip li set br0 nomaster
4110	setup_cmd ip li add br0.100 link br0 type vlan id 100
4111	setup_cmd ip li set br0.100 vrf ${VRF} up
4112	setup_cmd ip    addr add dev br0.100 172.16.101.1/24
4113	setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad
4114
4115	setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
4116	setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
4117	setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
4118	setup_cmd_nsb ip li set vlan100 up
4119	sleep 1
4120
4121	rmmod br_netfilter 2>/dev/null
4122
4123	run_cmd ip neigh flush all
4124	run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
4125	log_test $? 0 "Bridge vlan into VRF - IPv4 ping out"
4126
4127	run_cmd ip neigh flush all
4128	run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
4129	log_test $? 0 "Bridge vlan into VRF - IPv6 ping out"
4130
4131	run_cmd ip neigh flush all
4132	run_cmd_nsb ping -c1 -w1 172.16.101.1
4133	log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"
4134
4135	run_cmd ip neigh flush all
4136	run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
4137	log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"
4138
4139	modprobe br_netfilter
4140	if [ $? -eq 0 ]; then
4141		run_cmd ip neigh flush all
4142		run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
4143		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out"
4144
4145		run_cmd ip neigh flush all
4146		run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
4147		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out"
4148
4149		run_cmd ip neigh flush all
4150		run_cmd_nsb ping -c1 -w1 172.16.101.1
4151		log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"
4152
4153		run_cmd ip neigh flush all
4154		run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
4155		log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"
4156	fi
4157
4158	setup_cmd ip li del br0 2>/dev/null
4159	setup_cmd_nsb ip li del vlan100 2>/dev/null
4160}
4161
4162# VRF only.
4163# ns-A device is connected to both ns-B and ns-C on a single VRF but only has
4164# LLA on the interfaces
4165use_case_ping_lla_multi()
4166{
4167	setup_lla_only
4168	# only want reply from ns-A
4169	setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
4170	setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
4171
4172	log_start
4173	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
4174	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B"
4175
4176	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
4177	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C"
4178
4179	# cycle/flap the first ns-A interface
4180	setup_cmd ip link set ${NSA_DEV} down
4181	setup_cmd ip link set ${NSA_DEV} up
4182	sleep 1
4183
4184	log_start
4185	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
4186	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B"
4187	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
4188	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C"
4189
4190	# cycle/flap the second ns-A interface
4191	setup_cmd ip link set ${NSA_DEV2} down
4192	setup_cmd ip link set ${NSA_DEV2} up
4193	sleep 1
4194
4195	log_start
4196	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
4197	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B"
4198	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
4199	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C"
4200}
4201
4202# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully
4203# established with ns-B.
4204use_case_snat_on_vrf()
4205{
4206	setup "yes"
4207
4208	local port="12345"
4209
4210	run_cmd iptables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
4211	run_cmd ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
4212
4213	run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} &
4214	sleep 1
4215	run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port}
4216	log_test $? 0 "IPv4 TCP connection over VRF with SNAT"
4217
4218	run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} &
4219	sleep 1
4220	run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port}
4221	log_test $? 0 "IPv6 TCP connection over VRF with SNAT"
4222
4223	# Cleanup
4224	run_cmd iptables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
4225	run_cmd ip6tables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
4226}
4227
4228use_cases()
4229{
4230	log_section "Use cases"
4231	log_subsection "Device enslaved to bridge"
4232	use_case_br
4233	log_subsection "Ping LLA with multiple interfaces"
4234	use_case_ping_lla_multi
4235	log_subsection "SNAT on VRF"
4236	use_case_snat_on_vrf
4237}
4238
4239################################################################################
4240# usage
4241
4242usage()
4243{
4244	cat <<EOF
4245usage: ${0##*/} OPTS
4246
4247	-4          IPv4 tests only
4248	-6          IPv6 tests only
4249	-t <test>   Test name/set to run
4250	-p          Pause on fail
4251	-P          Pause after each test
4252	-v          Be verbose
4253
4254Tests:
4255	$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER
4256EOF
4257}
4258
4259################################################################################
4260# main
4261
4262TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter"
4263TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter"
4264TESTS_OTHER="use_cases"
4265
4266PAUSE_ON_FAIL=no
4267PAUSE=no
4268
4269while getopts :46t:pPvh o
4270do
4271	case $o in
4272		4) TESTS=ipv4;;
4273		6) TESTS=ipv6;;
4274		t) TESTS=$OPTARG;;
4275		p) PAUSE_ON_FAIL=yes;;
4276		P) PAUSE=yes;;
4277		v) VERBOSE=1;;
4278		h) usage; exit 0;;
4279		*) usage; exit 1;;
4280	esac
4281done
4282
4283# make sure we don't pause twice
4284[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no
4285
4286#
4287# show user test config
4288#
4289if [ -z "$TESTS" ]; then
4290	TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
4291elif [ "$TESTS" = "ipv4" ]; then
4292	TESTS="$TESTS_IPV4"
4293elif [ "$TESTS" = "ipv6" ]; then
4294	TESTS="$TESTS_IPV6"
4295fi
4296
4297# nettest can be run from PATH or from same directory as this selftest
4298if ! which nettest >/dev/null; then
4299	PATH=$PWD:$PATH
4300	if ! which nettest >/dev/null; then
4301		echo "'nettest' command not found; skipping tests"
4302		exit $ksft_skip
4303	fi
4304fi
4305
4306declare -i nfail=0
4307declare -i nsuccess=0
4308
4309for t in $TESTS
4310do
4311	case $t in
4312	ipv4_ping|ping)  ipv4_ping;;
4313	ipv4_tcp|tcp)    ipv4_tcp;;
4314	ipv4_udp|udp)    ipv4_udp;;
4315	ipv4_bind|bind)  ipv4_addr_bind;;
4316	ipv4_runtime)    ipv4_runtime;;
4317	ipv4_netfilter)  ipv4_netfilter;;
4318
4319	ipv6_ping|ping6) ipv6_ping;;
4320	ipv6_tcp|tcp6)   ipv6_tcp;;
4321	ipv6_udp|udp6)   ipv6_udp;;
4322	ipv6_bind|bind6) ipv6_addr_bind;;
4323	ipv6_runtime)    ipv6_runtime;;
4324	ipv6_netfilter)  ipv6_netfilter;;
4325
4326	use_cases)       use_cases;;
4327
4328	# setup namespaces and config, but do not run any tests
4329	setup)		 setup; exit 0;;
4330	vrf_setup)	 setup "yes"; exit 0;;
4331	esac
4332done
4333
4334cleanup 2>/dev/null
4335
4336printf "\nTests passed: %3d\n" ${nsuccess}
4337printf "Tests failed: %3d\n"   ${nfail}
4338
4339if [ $nfail -ne 0 ]; then
4340	exit 1 # KSFT_FAIL
4341elif [ $nsuccess -eq 0 ]; then
4342	exit $ksft_skip
4343fi
4344
4345exit 0 # KSFT_PASS
4346