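#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
#
# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
# for various permutations:
#   1. icmp, tcp, udp and netfilter
#   2. client, server, no-server
#   3. global address on interface
#   4. global address on 'lo'
#   5. remote and local traffic
#   6. VRF and non-VRF permutations
#
# Setup:
#                     ns-A     |     ns-B
# No VRF case:
#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
#                                                remote address
# VRF case:
#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
#
# ns-A:
#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
#       lo: 127.0.0.1/8, ::1/128
#           172.16.2.1/32, 2001:db8:2::1/128
#      red: 127.0.0.1/8, ::1/128
#           172.16.3.1/32, 2001:db8:3::1/128
#
# ns-B:
#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
#      lo2: 127.0.0.1/8, ::1/128
#           172.16.2.2/32, 2001:db8:2::2/128
#
# ns-A to ns-C connection - only for VRF and same config
# as ns-A to ns-B
#
# server / client nomenclature relative to ns-A

source lib.sh
VERBOSE=0

NSA_DEV=eth1
NSA_DEV2=eth2
NSB_DEV=eth1
NSC_DEV=eth2
VRF=red
VRF_TABLE=1101

# IPv4 config
NSA_IP=172.16.1.1
NSB_IP=172.16.1.2
VRF_IP=172.16.3.1
NS_NET=172.16.1.0/24

# IPv6 config
NSA_IP6=2001:db8:1::1
NSB_IP6=2001:db8:1::2
VRF_IP6=2001:db8:3::1
NS_NET6=2001:db8:1::/120

NSA_LO_IP=172.16.2.1
NSB_LO_IP=172.16.2.2
NSA_LO_IP6=2001:db8:2::1
NSB_LO_IP6=2001:db8:2::2

# non-local addresses for freebind tests
NL_IP=172.17.1.1
NL_IP6=2001:db8:4::1

# multicast and broadcast addresses
MCAST_IP=224.0.0.1
BCAST_IP=255.255.255.255

# Fixed TCP-MD5 keys for the MD5 tests; test fixtures only. The tests hand
# them to nettest as command-line arguments, so they are visible in the
# process list while a test runs.
MD5_PW=abc123
MD5_WRONG_PW=abc1234

MCAST=ff02::1
# set after namespace create
NSA_LINKIP6=
NSB_LINKIP6=

# Prefer a dedicated ping6 binary; otherwise fall back to ping.
if command -v ping6 > /dev/null 2>&1; then
	ping6=$(command -v ping6)
else
	ping6=$(command -v ping)
fi

# Check if FIPS mode is enabled
if [ -f /proc/sys/crypto/fips_enabled ]; then
	fips_enabled=$(cat /proc/sys/crypto/fips_enabled)
else
	fips_enabled=0
fi

################################################################################
# utilities

# Record one test result.
#   $1 - exit status the test produced
#   $2 - exit status the test was expected to produce
#   $3 - description printed on the result line
# Increments nsuccess or nfail, optionally pauses (PAUSE_ON_FAIL / PAUSE set
# to "yes"), then stops leftover test processes via kill_procs.
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"
	# The reply is read into a local: the test functions keep the address
	# under test in a local named 'a', and a 'read a' here would overwrite
	# it (dynamic scoping) for the rest of that test.
	local answer

	[ "${VERBOSE}" = "1" ] && echo

	if [ "${rc}" -eq "${expected}" ]; then
		nsuccess=$((nsuccess+1))
		printf "TEST: %-70s [ OK ]\n" "${msg}"
	else
		nfail=$((nfail+1))
		printf "TEST: %-70s [FAIL]\n" "${msg}"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue, 'q' to quit"
			read -r answer
			[ "$answer" = "q" ] && exit 1
		fi
	fi

	if [ "${PAUSE}" = "yes" ]; then
		echo
		echo "hit enter to continue, 'q' to quit"
		read -r answer
		[ "$answer" = "q" ] && exit 1
	fi

	kill_procs
}

# Same as log_test, with the description suffixed by a readable name for the
# address under test.
#   $1 - address, $2 - actual status, $3 - expected status, $4 - description
log_test_addr()
{
	local addr=$1
	local rc=$2
	local expected=$3
	local msg="$4"
	local astr

	astr=$(addr2str "${addr}")
	log_test "$rc" "$expected" "$msg - ${astr}"
}

# Print a banner for a top-level group of tests.
log_section()
{
	echo
	echo "###########################################################################"
	echo "$*"
	echo "###########################################################################"
	echo
}

# Print a smaller banner for a sub-group of tests.
log_subsection()
{
	echo
	echo "#################################################################"
	echo "$*"
	echo
}

# Called before each test case: clears out old test processes and, in verbose
# mode, prints a separator.
log_start()
{
	# make sure we have no test instances running
	kill_procs

	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "#######################################################"
	fi
}

# Print the arguments only when VERBOSE=1.
log_debug()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "$*"
		echo
	fi
}

# Print a "HINT:" line only when VERBOSE=1.
show_hint()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo "HINT: $*"
		echo
	fi
}

# Stop leftover test processes.
# killall selects by process name and is not run through 'ip netns exec', so
# it is not limited to processes this script started: any nettest/ping/ping6
# the invoking user may signal is terminated as well.
kill_procs()
{
	killall nettest ping ping6 >/dev/null 2>&1
	sleep 1
}

# Run a command, capture stdout+stderr, echo both the command and its output
# when VERBOSE=1, and return the command's exit status.
#
# The arguments are flattened into one string and re-split on whitespace
# (with pathname expansion) when executed, so quoting supplied by the caller
# is lost. Pass only words the script itself controls; never route externally
# supplied text through this helper.
do_run_cmd()
{
	local cmd="$*"
	local out

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${cmd}"
	fi

	# shellcheck disable=SC2086 # word splitting is how the command is rebuilt
	out=$($cmd 2>&1)
	# NOTE(review): rc is assigned without 'local', so it stays visible in
	# the caller's scope; left unchanged in case code elsewhere in the file
	# reads it -- confirm before making it local.
	rc=$?
	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		echo "$out"
	fi

	return $rc
}

# Run a command inside ns-A. NSA_CMD holds several words ("ip netns exec
# <ns>"), so it is expanded unquoted on purpose.
run_cmd()
{
	do_run_cmd ${NSA_CMD} $*
}

# Run a command inside ns-B (NSB_CMD expanded unquoted on purpose).
run_cmd_nsb()
{
	do_run_cmd ${NSB_CMD} $*
}

# Run a command inside ns-C (NSC_CMD expanded unquoted on purpose).
run_cmd_nsc()
{
	do_run_cmd ${NSC_CMD} $*
}

# Shared failure path of the setup_cmd* helpers: report the failed command,
# optionally wait for the user, then exit with the command's status.
#   $1 - exit status of the failed command
#   $2 - the command line, for display
_setup_cmd_fail()
{
	local rc=$1
	local cmd="$2"
	local answer

	# show user the command if not done so already
	if [ "$VERBOSE" = "0" ]; then
		echo "setup command: $cmd"
	fi
	echo "failed. stopping tests"
	if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
		echo
		echo "hit enter to continue"
		read -r answer
	fi
	exit "$rc"
}

# Run a setup command in ns-A; any failure stops the whole test run.
setup_cmd()
{
	local cmd="$*"
	local rc

	run_cmd ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		_setup_cmd_fail "$rc" "$cmd"
	fi
}

# Run a setup command in ns-B; any failure stops the whole test run.
setup_cmd_nsb()
{
	local cmd="$*"
	local rc

	run_cmd_nsb ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		_setup_cmd_fail "$rc" "$cmd"
	fi
}

# Run a setup command in ns-C; any failure stops the whole test run.
setup_cmd_nsc()
{
	local cmd="$*"
	local rc

	run_cmd_nsc ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		_setup_cmd_fail "$rc" "$cmd"
	fi
}

# set sysctl values in NS-A
# NOTE(review): the arguments are re-split on whitespace on their way to
# sysctl, so a value that contains a space (the ping tests pass
# net.ipv4.ping_group_range='0 2147483647') reaches sysctl as two separate
# words -- confirm that this is intended.
set_sysctl()
{
	echo "SYSCTL: $*"
	echo
	run_cmd sysctl -q -w $*
}

# get sysctl values in NS-A
get_sysctl()
{
	${NSA_CMD} sysctl -n $*
}

################################################################################
# Setup for tests

# Map a test address to the label used in result lines; prints "unknown" for
# an address that matches none of the configured ones.
addr2str()
{
	case "$1" in
	127.0.0.1) echo "loopback";;
	::1) echo "IPv6 loopback";;

	${BCAST_IP}) echo "broadcast";;
	${MCAST_IP}) echo "multicast";;

	${NSA_IP})	echo "ns-A IP";;
	${NSA_IP6})	echo "ns-A IPv6";;
	${NSA_LO_IP})	echo "ns-A loopback IP";;
	${NSA_LO_IP6})	echo "ns-A loopback IPv6";;
	${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;

	${NSB_IP})	echo "ns-B IP";;
	${NSB_IP6})	echo "ns-B IPv6";;
	${NSB_LO_IP})	echo "ns-B loopback IP";;
	${NSB_LO_IP6})	echo "ns-B loopback IPv6";;
	${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;

	${NL_IP})       echo "nonlocal IP";;
	${NL_IP6})      echo "nonlocal IPv6";;

	${VRF_IP})	echo "VRF IP";;
	${VRF_IP6})	echo "VRF IPv6";;

	${MCAST}%*)	echo "multicast IP";;

	*) echo "unknown";;
	esac
}

# Print the fe80 address of a device, without the prefix length.
#   $1 - namespace, $2 - device
# Returns 1 and prints nothing when no such address is found.
get_linklocal()
{
	local ns=$1
	local dev=$2
	local addr

	addr=$(ip -netns "${ns}" -6 -br addr show dev "${dev}" | \
	awk '{
		for (i = 3; i <= NF; ++i) {
			if ($i ~ /^fe80/)
				print $i
		}
	}'
	)
	# drop everything from the first '/' on (the prefix length)
	addr=${addr/\/*}

	[ -z "$addr" ] && return 1

	echo "$addr"

	return 0
}

################################################################################
# create namespaces and vrf

# Create a VRF device in a namespace.
#   $1 - namespace, $2 - VRF name, $3 - routing table id,
#   $4 - IPv4 address or "-" for none, $5 - IPv6 address or "-" for none
create_vrf()
{
	local ns=$1
	local vrf=$2
	local table=$3
	local addr=$4
	local addr6=$5

	ip -netns "${ns}" link add "${vrf}" type vrf table "${table}"
	ip -netns "${ns}" link set "${vrf}" up
	ip -netns "${ns}" route add vrf "${vrf}" unreachable default metric 8192
	ip -netns "${ns}" -6 route add vrf "${vrf}" unreachable default metric 8192

	ip -netns "${ns}" addr add 127.0.0.1/8 dev "${vrf}"
	ip -netns "${ns}" -6 addr add ::1 dev "${vrf}" nodad
	if [ "${addr}" != "-" ]; then
		ip -netns "${ns}" addr add dev "${vrf}" "${addr}"
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns "${ns}" -6 addr add dev "${vrf}" "${addr6}"
	fi

	# Move the 'local' table rule from pref 0 to pref 32765 for both
	# address families (presumably so the VRF rule is consulted before the
	# local table -- confirm).
	ip -netns "${ns}" ru del pref 0
	ip -netns "${ns}" ru add pref 32765 from all lookup local
	ip -netns "${ns}" -6 ru del pref 0
	ip -netns "${ns}" -6 ru add pref 32765 from all lookup local
}

# Apply the base configuration to an existing namespace: optional addresses
# on 'lo', unreachable default routes, and forwarding enabled.
#   $1 - namespace, $2 - IPv4 address or "-", $3 - IPv6 address or "-"
create_ns()
{
	local ns=$1
	local addr=$2
	local addr6=$3

	if [ "${addr}" != "-" ]; then
		ip -netns "${ns}" addr add dev lo "${addr}"
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns "${ns}" -6 addr add dev lo "${addr6}"
	fi

	ip -netns "${ns}" ro add unreachable default metric 8192
	ip -netns "${ns}" -6 ro add unreachable default metric 8192

	ip netns exec "${ns}" sysctl -qw net.ipv4.ip_forward=1
	ip netns exec "${ns}" sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
	ip netns exec "${ns}" sysctl -qw net.ipv6.conf.all.forwarding=1
	ip netns exec "${ns}" sysctl -qw net.ipv6.conf.default.forwarding=1
}

# create veth pair to connect namespaces and apply addresses.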
416connect_ns() 417{ 418 local ns1=$1 419 local ns1_dev=$2 420 local ns1_addr=$3 421 local ns1_addr6=$4 422 local ns2=$5 423 local ns2_dev=$6 424 local ns2_addr=$7 425 local ns2_addr6=$8 426 427 ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp 428 ip -netns ${ns1} li set ${ns1_dev} up 429 ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev} 430 ip -netns ${ns2} li set ${ns2_dev} up 431 432 if [ "${ns1_addr}" != "-" ]; then 433 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr} 434 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr} 435 fi 436 437 if [ "${ns1_addr6}" != "-" ]; then 438 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6} 439 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6} 440 fi 441} 442 443cleanup() 444{ 445 # explicit cleanups to check those code paths 446 ip netns | grep -q ${NSA} 447 if [ $? -eq 0 ]; then 448 ip -netns ${NSA} link delete ${VRF} 449 ip -netns ${NSA} ro flush table ${VRF_TABLE} 450 451 ip -netns ${NSA} addr flush dev ${NSA_DEV} 452 ip -netns ${NSA} -6 addr flush dev ${NSA_DEV} 453 ip -netns ${NSA} link set dev ${NSA_DEV} down 454 ip -netns ${NSA} link del dev ${NSA_DEV} 455 456 ip netns pids ${NSA} | xargs kill 2>/dev/null 457 cleanup_ns ${NSA} 458 fi 459 460 ip netns pids ${NSB} | xargs kill 2>/dev/null 461 ip netns pids ${NSC} | xargs kill 2>/dev/null 462 cleanup_ns ${NSB} ${NSC} 463} 464 465cleanup_vrf_dup() 466{ 467 ip link del ${NSA_DEV2} >/dev/null 2>&1 468 ip netns pids ${NSC} | xargs kill 2>/dev/null 469 ip netns del ${NSC} >/dev/null 2>&1 470} 471 472setup_vrf_dup() 473{ 474 # some VRF tests use ns-C which has the same config as 475 # ns-B but for a device NOT in the VRF 476 setup_ns NSC 477 NSC_CMD="ip netns exec ${NSC}" 478 create_ns ${NSC} "-" "-" 479 connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \ 480 ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 481} 482 483setup() 484{ 485 local with_vrf=${1} 486 487 # make sure we are starting with a clean slate 488 kill_procs 489 cleanup 
2>/dev/null 490 491 log_debug "Configuring network namespaces" 492 set -e 493 494 setup_ns NSA NSB 495 NSA_CMD="ip netns exec ${NSA}" 496 NSB_CMD="ip netns exec ${NSB}" 497 498 create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128 499 create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128 500 connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \ 501 ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 502 503 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 504 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 505 506 # tell ns-A how to get to remote addresses of ns-B 507 if [ "${with_vrf}" = "yes" ]; then 508 create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6} 509 510 ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF} 511 ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 512 ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 513 514 ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 515 ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 516 else 517 ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 518 ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 519 fi 520 521 522 # tell ns-B how to get to remote addresses of ns-A 523 ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 524 ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 525 526 set +e 527 528 sleep 1 529} 530 531setup_lla_only() 532{ 533 # make sure we are starting with a clean slate 534 kill_procs 535 cleanup 2>/dev/null 536 537 log_debug "Configuring network namespaces" 538 set -e 539 540 setup_ns NSA NSB NSC 541 NSA_CMD="ip netns exec ${NSA}" 542 NSB_CMD="ip netns exec ${NSB}" 543 NSC_CMD="ip netns exec ${NSC}" 544 create_ns ${NSA} "-" "-" 545 create_ns ${NSB} "-" "-" 546 create_ns ${NSC} "-" "-" 547 connect_ns ${NSA} ${NSA_DEV} "-" "-" \ 548 ${NSB} ${NSB_DEV} "-" "-" 549 connect_ns ${NSA} ${NSA_DEV2} "-" "-" \ 550 ${NSC} ${NSC_DEV} 
"-" "-" 551 552 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 553 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 554 NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV}) 555 556 create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-" 557 ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF} 558 ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF} 559 560 set +e 561 562 sleep 1 563} 564 565################################################################################ 566# IPv4 567 568ipv4_ping_novrf() 569{ 570 local a 571 572 # 573 # out 574 # 575 for a in ${NSB_IP} ${NSB_LO_IP} 576 do 577 log_start 578 run_cmd ping -c1 -w1 ${a} 579 log_test_addr ${a} $? 0 "ping out" 580 581 log_start 582 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 583 log_test_addr ${a} $? 0 "ping out, device bind" 584 585 log_start 586 run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a} 587 log_test_addr ${a} $? 0 "ping out, address bind" 588 done 589 590 # 591 # out, but don't use gateway if peer is not on link 592 # 593 a=${NSB_IP} 594 log_start 595 run_cmd ping -c 1 -w 1 -r ${a} 596 log_test_addr ${a} $? 0 "ping out (don't route), peer on link" 597 598 a=${NSB_LO_IP} 599 log_start 600 show_hint "Fails since peer is not on link" 601 run_cmd ping -c 1 -w 1 -r ${a} 602 log_test_addr ${a} $? 1 "ping out (don't route), peer not on link" 603 604 # 605 # in 606 # 607 for a in ${NSA_IP} ${NSA_LO_IP} 608 do 609 log_start 610 run_cmd_nsb ping -c1 -w1 ${a} 611 log_test_addr ${a} $? 0 "ping in" 612 done 613 614 # 615 # local traffic 616 # 617 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 618 do 619 log_start 620 run_cmd ping -c1 -w1 ${a} 621 log_test_addr ${a} $? 0 "ping local" 622 done 623 624 # 625 # local traffic, socket bound to device 626 # 627 # address on device 628 a=${NSA_IP} 629 log_start 630 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 631 log_test_addr ${a} $? 
0 "ping local, device bind" 632 633 # loopback addresses not reachable from device bind 634 # fails in a really weird way though because ipv4 special cases 635 # route lookups with oif set. 636 for a in ${NSA_LO_IP} 127.0.0.1 637 do 638 log_start 639 show_hint "Fails since address on loopback device is out of device scope" 640 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 641 log_test_addr ${a} $? 1 "ping local, device bind" 642 done 643 644 # 645 # ip rule blocks reachability to remote address 646 # 647 log_start 648 setup_cmd ip rule add pref 32765 from all lookup local 649 setup_cmd ip rule del pref 0 from all lookup local 650 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 651 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 652 653 a=${NSB_LO_IP} 654 run_cmd ping -c1 -w1 ${a} 655 log_test_addr ${a} $? 2 "ping out, blocked by rule" 656 657 # NOTE: ipv4 actually allows the lookup to fail and yet still create 658 # a viable rtable if the oif (e.g., bind to device) is set, so this 659 # case succeeds despite the rule 660 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 661 662 a=${NSA_LO_IP} 663 log_start 664 show_hint "Response generates ICMP (or arp request is ignored) due to ip rule" 665 run_cmd_nsb ping -c1 -w1 ${a} 666 log_test_addr ${a} $? 1 "ping in, blocked by rule" 667 668 [ "$VERBOSE" = "1" ] && echo 669 setup_cmd ip rule del pref 32765 from all lookup local 670 setup_cmd ip rule add pref 0 from all lookup local 671 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 672 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 673 674 # 675 # route blocks reachability to remote address 676 # 677 log_start 678 setup_cmd ip route replace unreachable ${NSB_LO_IP} 679 setup_cmd ip route replace unreachable ${NSB_IP} 680 681 a=${NSB_LO_IP} 682 run_cmd ping -c1 -w1 ${a} 683 log_test_addr ${a} $? 
2 "ping out, blocked by route" 684 685 # NOTE: ipv4 actually allows the lookup to fail and yet still create 686 # a viable rtable if the oif (e.g., bind to device) is set, so this 687 # case succeeds despite not having a route for the address 688 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 689 690 a=${NSA_LO_IP} 691 log_start 692 show_hint "Response is dropped (or arp request is ignored) due to ip route" 693 run_cmd_nsb ping -c1 -w1 ${a} 694 log_test_addr ${a} $? 1 "ping in, blocked by route" 695 696 # 697 # remove 'remote' routes; fallback to default 698 # 699 log_start 700 setup_cmd ip ro del ${NSB_LO_IP} 701 702 a=${NSB_LO_IP} 703 run_cmd ping -c1 -w1 ${a} 704 log_test_addr ${a} $? 2 "ping out, unreachable default route" 705 706 # NOTE: ipv4 actually allows the lookup to fail and yet still create 707 # a viable rtable if the oif (e.g., bind to device) is set, so this 708 # case succeeds despite not having a route for the address 709 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 710} 711 712ipv4_ping_vrf() 713{ 714 local a 715 716 # should default on; does not exist on older kernels 717 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 718 719 # 720 # out 721 # 722 for a in ${NSB_IP} ${NSB_LO_IP} 723 do 724 log_start 725 run_cmd ping -c1 -w1 -I ${VRF} ${a} 726 log_test_addr ${a} $? 0 "ping out, VRF bind" 727 728 log_start 729 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 730 log_test_addr ${a} $? 0 "ping out, device bind" 731 732 log_start 733 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a} 734 log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind" 735 736 log_start 737 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a} 738 log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind" 739 done 740 741 # 742 # in 743 # 744 for a in ${NSA_IP} ${VRF_IP} 745 do 746 log_start 747 run_cmd_nsb ping -c1 -w1 ${a} 748 log_test_addr ${a} $? 
0 "ping in" 749 done 750 751 # 752 # local traffic, local address 753 # 754 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 755 do 756 log_start 757 show_hint "Source address should be ${a}" 758 run_cmd ping -c1 -w1 -I ${VRF} ${a} 759 log_test_addr ${a} $? 0 "ping local, VRF bind" 760 done 761 762 # 763 # local traffic, socket bound to device 764 # 765 # address on device 766 a=${NSA_IP} 767 log_start 768 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 769 log_test_addr ${a} $? 0 "ping local, device bind" 770 771 # vrf device is out of scope 772 for a in ${VRF_IP} 127.0.0.1 773 do 774 log_start 775 show_hint "Fails since address on vrf device is out of device scope" 776 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 777 log_test_addr ${a} $? 2 "ping local, device bind" 778 done 779 780 # 781 # ip rule blocks address 782 # 783 log_start 784 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 785 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 786 787 a=${NSB_LO_IP} 788 run_cmd ping -c1 -w1 -I ${VRF} ${a} 789 log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule" 790 791 log_start 792 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 793 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 794 795 a=${NSA_LO_IP} 796 log_start 797 show_hint "Response lost due to ip rule" 798 run_cmd_nsb ping -c1 -w1 ${a} 799 log_test_addr ${a} $? 1 "ping in, blocked by rule" 800 801 [ "$VERBOSE" = "1" ] && echo 802 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 803 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 804 805 # 806 # remove 'remote' routes; fallback to default 807 # 808 log_start 809 setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP} 810 811 a=${NSB_LO_IP} 812 run_cmd ping -c1 -w1 -I ${VRF} ${a} 813 log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route" 814 815 log_start 816 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 817 log_test_addr ${a} $? 
2 "ping out, device bind, unreachable route" 818 819 a=${NSA_LO_IP} 820 log_start 821 show_hint "Response lost by unreachable route" 822 run_cmd_nsb ping -c1 -w1 ${a} 823 log_test_addr ${a} $? 1 "ping in, unreachable route" 824} 825 826ipv4_ping() 827{ 828 log_section "IPv4 ping" 829 830 log_subsection "No VRF" 831 setup 832 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null 833 ipv4_ping_novrf 834 setup 835 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 836 ipv4_ping_novrf 837 setup 838 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 839 ipv4_ping_novrf 840 841 log_subsection "With VRF" 842 setup "yes" 843 ipv4_ping_vrf 844 setup "yes" 845 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 846 ipv4_ping_vrf 847} 848 849################################################################################ 850# IPv4 TCP 851 852# 853# MD5 tests without VRF 854# 855ipv4_tcp_md5_novrf() 856{ 857 # 858 # single address 859 # 860 861 # basic use case 862 log_start 863 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 864 sleep 1 865 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 866 log_test $? 0 "MD5: Single address config" 867 868 # client sends MD5, server not configured 869 log_start 870 show_hint "Should timeout due to MD5 mismatch" 871 run_cmd nettest -s & 872 sleep 1 873 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 874 log_test $? 2 "MD5: Server no config, client uses password" 875 876 # wrong password 877 log_start 878 show_hint "Should timeout since client uses wrong password" 879 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} & 880 sleep 1 881 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 882 log_test $? 2 "MD5: Client uses wrong password" 883 884 # client from different address 885 log_start 886 show_hint "Should timeout due to MD5 mismatch" 887 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} & 888 sleep 1 889 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 890 log_test $? 
2 "MD5: Client address does not match address configured with password" 891 892 # 893 # MD5 extension - prefix length 894 # 895 896 # client in prefix 897 log_start 898 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 899 sleep 1 900 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 901 log_test $? 0 "MD5: Prefix config" 902 903 # client in prefix, wrong password 904 log_start 905 show_hint "Should timeout since client uses wrong password" 906 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 907 sleep 1 908 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 909 log_test $? 2 "MD5: Prefix config, client uses wrong password" 910 911 # client outside of prefix 912 log_start 913 show_hint "Should timeout due to MD5 mismatch" 914 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 915 sleep 1 916 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 917 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 918} 919 920# 921# MD5 tests with VRF 922# 923ipv4_tcp_md5() 924{ 925 # 926 # single address 927 # 928 929 # basic use case 930 log_start 931 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 932 sleep 1 933 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 934 log_test $? 0 "MD5: VRF: Single address config" 935 936 # client sends MD5, server not configured 937 log_start 938 show_hint "Should timeout since server does not have MD5 auth" 939 run_cmd nettest -s -I ${VRF} & 940 sleep 1 941 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 942 log_test $? 2 "MD5: VRF: Server no config, client uses password" 943 944 # wrong password 945 log_start 946 show_hint "Should timeout since client uses wrong password" 947 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 948 sleep 1 949 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 950 log_test $? 
2 "MD5: VRF: Client uses wrong password" 951 952 # client from different address 953 log_start 954 show_hint "Should timeout since server config differs from client" 955 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} & 956 sleep 1 957 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 958 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 959 960 # 961 # MD5 extension - prefix length 962 # 963 964 # client in prefix 965 log_start 966 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 967 sleep 1 968 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 969 log_test $? 0 "MD5: VRF: Prefix config" 970 971 # client in prefix, wrong password 972 log_start 973 show_hint "Should timeout since client uses wrong password" 974 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 975 sleep 1 976 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 977 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 978 979 # client outside of prefix 980 log_start 981 show_hint "Should timeout since client address is outside of prefix" 982 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 983 sleep 1 984 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW} 985 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" 986 987 # 988 # duplicate config between default VRF and a VRF 989 # 990 991 log_start 992 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 993 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 994 sleep 1 995 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 996 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 997 998 log_start 999 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 1000 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 1001 sleep 1 1002 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1003 log_test $? 
0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 1004 1005 log_start 1006 show_hint "Should timeout since client in default VRF uses VRF password" 1007 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 1008 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 1009 sleep 1 1010 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1011 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 1012 1013 log_start 1014 show_hint "Should timeout since client in VRF uses default VRF password" 1015 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} & 1016 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} & 1017 sleep 1 1018 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1019 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 1020 1021 log_start 1022 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1023 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1024 sleep 1 1025 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1026 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 1027 1028 log_start 1029 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1030 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1031 sleep 1 1032 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1033 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 1034 1035 log_start 1036 show_hint "Should timeout since client in default VRF uses VRF password" 1037 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1038 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1039 sleep 1 1040 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW} 1041 log_test $? 
2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 1042 1043 log_start 1044 show_hint "Should timeout since client in VRF uses default VRF password" 1045 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1046 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1047 sleep 1 1048 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW} 1049 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 1050 1051 # 1052 # negative tests 1053 # 1054 log_start 1055 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP} 1056 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 1057 1058 log_start 1059 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET} 1060 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 1061 1062 test_ipv4_md5_vrf__vrf_server__no_bind_ifindex 1063 test_ipv4_md5_vrf__global_server__bind_ifindex0 1064} 1065 1066test_ipv4_md5_vrf__vrf_server__no_bind_ifindex() 1067{ 1068 log_start 1069 show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX" 1070 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex & 1071 sleep 1 1072 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1073 log_test $? 0 "MD5: VRF: VRF-bound server, unbound key accepts connection" 1074 1075 log_start 1076 show_hint "Binding both the socket and the key is not required but it works" 1077 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex & 1078 sleep 1 1079 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW} 1080 log_test $? 
0 "MD5: VRF: VRF-bound server, bound key accepts connection" 1081} 1082

#######################################
# TCP MD5 key scoping on a global (not VRF-bound) listener while
# net.ipv4.tcp_l3mdev_accept=1.
#
# Four cases, each with a fresh server in ns-A started with
# "-M ${MD5_PW} -m ${NS_NET}" plus one key-binding option, and a client that
# connects to ${NSA_IP} with "-X ${MD5_PW}":
#   --force-bind-key-ifindex + run_cmd_nsb -> expected rc 2 (VRF peer refused)
#   --force-bind-key-ifindex + run_cmd_nsc -> expected rc 0
#   --no-bind-key-ifindex    + run_cmd_nsb -> expected rc 0
#   --no-bind-key-ifindex    + run_cmd_nsc -> expected rc 0
# The "VRF" / "non-VRF" wording is taken from the test titles; the point being
# checked is that a key pinned to ifindex 0 is not honoured for a connection
# arriving through the VRF even though the password matches.
#
# Globals:
#   MD5_PW, NS_NET, NSA_IP (read)
#   net.ipv4.tcp_l3mdev_accept (saved, forced to 1, restored on the way out)
# NOTE(review): the restore is the last statement. log_test can exit the
# script when 'q' is entered at a pause prompt, in which case the sysctl is
# left at 1.
#######################################
test_ipv4_md5_vrf__global_server__bind_ifindex0()
{
	local saved_l3mdev_accept
	local md5_idx
	local -a md5_key_opt=(
		--force-bind-key-ifindex
		--force-bind-key-ifindex
		--no-bind-key-ifindex
		--no-bind-key-ifindex
	)
	local -a md5_client=(run_cmd_nsb run_cmd_nsc run_cmd_nsb run_cmd_nsc)
	local -a md5_want_rc=(2 0 0 0)
	local -a md5_title=(
		"MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection"
		"MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection"
		"MD5: VRF: Global server, key not bound to ifindex accepts VRF connection"
		"MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection"
	)

	# A global server only sees VRF connections when tcp_l3mdev_accept=1,
	# so force it for the duration of this test.
	saved_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept)
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	for md5_idx in 0 1 2 3; do
		log_start
		run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} ${md5_key_opt[md5_idx]} &
		sleep 1
		${md5_client[md5_idx]} nettest -r ${NSA_IP} -X ${MD5_PW}
		# $? is still the client's exit status here
		log_test $? ${md5_want_rc[md5_idx]} "${md5_title[md5_idx]}"
	done

	# put the sysctl back the way we found it
	set_sysctl net.ipv4.tcp_l3mdev_accept="$saved_l3mdev_accept"
}

#######################################
# Link-local connection tests (SO_DONTROUTE) for TCP.
# A connection is expected to succeed only when the remote address is on
# link, i.e. does not have to be routed through a gateway.
#
# Arguments:
#   $1 - value written to net.ipv4.tcp_syncookies in both ${NSA} and ${NSB}
#        for the duration of the tests (the kernel sysctl takes 0 = off,
#        1 = on under SYN backlog pressure, 2 = unconditional)
# Globals:
#   NSA, NSB, NSB_IP, NSB_LO_IP, NSA_LO_IP (read)
#   net.ipv4.tcp_syncookies in both namespaces (saved, overwritten, restored)
# NOTE(review): the saved values are only written back by the last two
# statements; an exit from log_test at a pause prompt skips them.
#######################################
ipv4_tcp_dontroute()
{
	local syncookies=$1
	local nsa_syncookies nsb_syncookies
	# keep the name 'a': log_test does a bare "read a" at its pause prompts
	local a
	local dr_flag dr_want_rc dr_title

	nsa_syncookies=$(ip netns exec "${NSA}" sysctl -n net.ipv4.tcp_syncookies)
	nsb_syncookies=$(ip netns exec "${NSB}" sysctl -n net.ipv4.tcp_syncookies)
	ip netns exec "${NSA}" sysctl -wq net.ipv4.tcp_syncookies=${syncookies}
	ip netns exec "${NSB}" sysctl -wq net.ipv4.tcp_syncookies=${syncookies}

	# eth1 address: on link, so both sides may set SO_DONTROUTE
	for dr_flag in --client-dontroute --server-dontroute; do
		a=${NSB_IP}
		log_start
		# title is chosen before the command so that $? stays untouched
		case "${dr_flag}" in
		--client-dontroute)
			dr_title="SO_DONTROUTE client, syncookies=${syncookies}"
			;;
		--server-dontroute)
			dr_title="SO_DONTROUTE server, syncookies=${syncookies}"
			;;
		esac
		do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -r ${a} ${dr_flag}
		log_test_addr ${a} $? 0 "${dr_title}"
	done

	# Loopback address: routed.
	#
	# By default the client would pick the eth1 address as source, so -c
	# forces the routed (loopback) address instead; the server then has to
	# answer a routed address rather than an on-link one.
	for dr_flag in --client-dontroute --server-dontroute; do
		a=${NSB_LO_IP}
		log_start
		case "${dr_flag}" in
		--client-dontroute)
			dr_want_rc=1
			dr_title="SO_DONTROUTE client, syncookies=${syncookies}"
			show_hint "Should fail 'Network is unreachable' since server is not on link"
			;;
		--server-dontroute)
			dr_want_rc=2
			dr_title="SO_DONTROUTE server, syncookies=${syncookies}"
			show_hint "Should timeout since server cannot respond (client is not on link)"
			;;
		esac
		do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -c "${NSA_LO_IP}" -r ${a} ${dr_flag}
		log_test_addr ${a} $? ${dr_want_rc} "${dr_title}"
	done

	ip netns exec "${NSB}" sysctl -wq net.ipv4.tcp_syncookies=${nsb_syncookies}
	ip netns exec "${NSA}" sysctl -wq net.ipv4.tcp_syncookies=${nsa_syncookies}
}

1171ipv4_tcp_novrf() 1172{ 1173 local a 1174 1175 # 1176 # server tests 1177 # 1178 for a in ${NSA_IP} ${NSA_LO_IP} 1179 do 1180 log_start 1181 run_cmd nettest -s & 1182 sleep 1 1183 run_cmd_nsb nettest -r ${a} 1184 log_test_addr ${a} $? 0 "Global server" 1185 done 1186 1187 a=${NSA_IP} 1188 log_start 1189 run_cmd nettest -s -I ${NSA_DEV} & 1190 sleep 1 1191 run_cmd_nsb nettest -r ${a} 1192 log_test_addr ${a} $? 0 "Device server" 1193 1194 # verify TCP reset sent and received 1195 for a in ${NSA_IP} ${NSA_LO_IP} 1196 do 1197 log_start 1198 show_hint "Should fail 'Connection refused' since there is no server" 1199 run_cmd_nsb nettest -r ${a} 1200 log_test_addr ${a} $? 1 "No server" 1201 done 1202 1203 # 1204 # client 1205 # 1206 for a in ${NSB_IP} ${NSB_LO_IP} 1207 do 1208 log_start 1209 run_cmd_nsb nettest -s & 1210 sleep 1 1211 run_cmd nettest -r ${a} -0 ${NSA_IP} 1212 log_test_addr ${a} $? 0 "Client" 1213 1214 log_start 1215 run_cmd_nsb nettest -s & 1216 sleep 1 1217 run_cmd nettest -r ${a} -d ${NSA_DEV} 1218 log_test_addr ${a} $? 0 "Client, device bind" 1219 1220 log_start 1221 show_hint "Should fail 'Connection refused'" 1222 run_cmd nettest -r ${a} 1223 log_test_addr ${a} $? 1 "No server, unbound client" 1224 1225 log_start 1226 show_hint "Should fail 'Connection refused'" 1227 run_cmd nettest -r ${a} -d ${NSA_DEV} 1228 log_test_addr ${a} $? 1 "No server, device client" 1229 done 1230 1231 # 1232 # local address tests 1233 # 1234 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1235 do 1236 log_start 1237 run_cmd nettest -s & 1238 sleep 1 1239 run_cmd nettest -r ${a} -0 ${a} -1 ${a} 1240 log_test_addr ${a} $?
0 "Global server, local connection" 1241 done 1242 1243 a=${NSA_IP} 1244 log_start 1245 run_cmd nettest -s -I ${NSA_DEV} & 1246 sleep 1 1247 run_cmd nettest -r ${a} -0 ${a} 1248 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 1249 1250 for a in ${NSA_LO_IP} 127.0.0.1 1251 do 1252 log_start 1253 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 1254 run_cmd nettest -s -I ${NSA_DEV} & 1255 sleep 1 1256 run_cmd nettest -r ${a} 1257 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 1258 done 1259 1260 a=${NSA_IP} 1261 log_start 1262 run_cmd nettest -s & 1263 sleep 1 1264 run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV} 1265 log_test_addr ${a} $? 0 "Global server, device client, local connection" 1266 1267 for a in ${NSA_LO_IP} 127.0.0.1 1268 do 1269 log_start 1270 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 1271 run_cmd nettest -s & 1272 sleep 1 1273 run_cmd nettest -r ${a} -d ${NSA_DEV} 1274 log_test_addr ${a} $? 1 "Global server, device client, local connection" 1275 done 1276 1277 a=${NSA_IP} 1278 log_start 1279 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1280 sleep 1 1281 run_cmd nettest -d ${NSA_DEV} -r ${a} -0 ${a} 1282 log_test_addr ${a} $? 0 "Device server, device client, local connection" 1283 1284 log_start 1285 show_hint "Should fail 'Connection refused'" 1286 run_cmd nettest -d ${NSA_DEV} -r ${a} 1287 log_test_addr ${a} $? 
1 "No server, device client, local conn" 1288 1289 [ "$fips_enabled" = "1" ] || ipv4_tcp_md5_novrf 1290 1291 ipv4_tcp_dontroute 0 1292 ipv4_tcp_dontroute 2 1293} 1294 1295ipv4_tcp_vrf() 1296{ 1297 local a 1298 1299 # disable global server 1300 log_subsection "Global server disabled" 1301 1302 set_sysctl net.ipv4.tcp_l3mdev_accept=0 1303 1304 # 1305 # server tests 1306 # 1307 for a in ${NSA_IP} ${VRF_IP} 1308 do 1309 log_start 1310 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 1311 run_cmd nettest -s & 1312 sleep 1 1313 run_cmd_nsb nettest -r ${a} 1314 log_test_addr ${a} $? 1 "Global server" 1315 1316 log_start 1317 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1318 sleep 1 1319 run_cmd_nsb nettest -r ${a} 1320 log_test_addr ${a} $? 0 "VRF server" 1321 1322 log_start 1323 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1324 sleep 1 1325 run_cmd_nsb nettest -r ${a} 1326 log_test_addr ${a} $? 0 "Device server" 1327 1328 # verify TCP reset received 1329 log_start 1330 show_hint "Should fail 'Connection refused' since there is no server" 1331 run_cmd_nsb nettest -r ${a} 1332 log_test_addr ${a} $? 1 "No server" 1333 done 1334 1335 # local address tests 1336 # (${VRF_IP} and 127.0.0.1 both timeout) 1337 a=${NSA_IP} 1338 log_start 1339 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 1340 run_cmd nettest -s & 1341 sleep 1 1342 run_cmd nettest -r ${a} -d ${NSA_DEV} 1343 log_test_addr ${a} $? 
1 "Global server, local connection" 1344 1345 # run MD5 tests 1346 if [ "$fips_enabled" = "0" ]; then 1347 setup_vrf_dup 1348 ipv4_tcp_md5 1349 cleanup_vrf_dup 1350 fi 1351 1352 # 1353 # enable VRF global server 1354 # 1355 log_subsection "VRF Global server enabled" 1356 set_sysctl net.ipv4.tcp_l3mdev_accept=1 1357 1358 for a in ${NSA_IP} ${VRF_IP} 1359 do 1360 log_start 1361 show_hint "client socket should be bound to VRF" 1362 run_cmd nettest -s -3 ${VRF} & 1363 sleep 1 1364 run_cmd_nsb nettest -r ${a} 1365 log_test_addr ${a} $? 0 "Global server" 1366 1367 log_start 1368 show_hint "client socket should be bound to VRF" 1369 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1370 sleep 1 1371 run_cmd_nsb nettest -r ${a} 1372 log_test_addr ${a} $? 0 "VRF server" 1373 1374 # verify TCP reset received 1375 log_start 1376 show_hint "Should fail 'Connection refused'" 1377 run_cmd_nsb nettest -r ${a} 1378 log_test_addr ${a} $? 1 "No server" 1379 done 1380 1381 a=${NSA_IP} 1382 log_start 1383 show_hint "client socket should be bound to device" 1384 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1385 sleep 1 1386 run_cmd_nsb nettest -r ${a} 1387 log_test_addr ${a} $? 0 "Device server" 1388 1389 # local address tests 1390 for a in ${NSA_IP} ${VRF_IP} 1391 do 1392 log_start 1393 show_hint "Should fail 'Connection refused' since client is not bound to VRF" 1394 run_cmd nettest -s -I ${VRF} & 1395 sleep 1 1396 run_cmd nettest -r ${a} 1397 log_test_addr ${a} $? 1 "Global server, local connection" 1398 done 1399 1400 # 1401 # client 1402 # 1403 for a in ${NSB_IP} ${NSB_LO_IP} 1404 do 1405 log_start 1406 run_cmd_nsb nettest -s & 1407 sleep 1 1408 run_cmd nettest -r ${a} -d ${VRF} 1409 log_test_addr ${a} $? 0 "Client, VRF bind" 1410 1411 log_start 1412 run_cmd_nsb nettest -s & 1413 sleep 1 1414 run_cmd nettest -r ${a} -d ${NSA_DEV} 1415 log_test_addr ${a} $? 
0 "Client, device bind" 1416 1417 log_start 1418 show_hint "Should fail 'Connection refused'" 1419 run_cmd nettest -r ${a} -d ${VRF} 1420 log_test_addr ${a} $? 1 "No server, VRF client" 1421 1422 log_start 1423 show_hint "Should fail 'Connection refused'" 1424 run_cmd nettest -r ${a} -d ${NSA_DEV} 1425 log_test_addr ${a} $? 1 "No server, device client" 1426 done 1427 1428 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 1429 do 1430 log_start 1431 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1432 sleep 1 1433 run_cmd nettest -r ${a} -d ${VRF} -0 ${a} 1434 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 1435 done 1436 1437 a=${NSA_IP} 1438 log_start 1439 run_cmd nettest -s -I ${VRF} -3 ${VRF} & 1440 sleep 1 1441 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a} 1442 log_test_addr ${a} $? 0 "VRF server, device client, local connection" 1443 1444 log_start 1445 show_hint "Should fail 'No route to host' since client is out of VRF scope" 1446 run_cmd nettest -s -I ${VRF} & 1447 sleep 1 1448 run_cmd nettest -r ${a} 1449 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection" 1450 1451 log_start 1452 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1453 sleep 1 1454 run_cmd nettest -r ${a} -d ${VRF} -0 ${a} 1455 log_test_addr ${a} $? 0 "Device server, VRF client, local connection" 1456 1457 log_start 1458 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1459 sleep 1 1460 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a} 1461 log_test_addr ${a} $? 
0 "Device server, device client, local connection" 1462} 1463

#######################################
# Entry point for the IPv4 TCP tests.
#
# Runs the non-VRF suite twice, once with net.ipv4.tcp_l3mdev_accept=0 and
# once with =1 (the knob should make no difference when no VRF is
# configured), then rebuilds the topology with a VRF and runs the VRF suite.
#
# Globals:
#   net.ipv4.tcp_l3mdev_accept (written through set_sysctl; left at 1 when
#   ipv4_tcp_vrf is entered, which sets it again itself)
#######################################
ipv4_tcp()
{
	local l3mdev_state

	log_section "IPv4/TCP"
	log_subsection "No VRF"
	setup

	# tcp_l3mdev_accept should have no effect without VRF;
	# run the suite with it disabled and then enabled to verify
	for l3mdev_state in 0 1; do
		if [ "${l3mdev_state}" = "0" ]; then
			log_subsection "tcp_l3mdev_accept disabled"
		else
			log_subsection "tcp_l3mdev_accept enabled"
		fi
		set_sysctl net.ipv4.tcp_l3mdev_accept=${l3mdev_state}
		ipv4_tcp_novrf
	done

	log_subsection "With VRF"
	setup "yes"
	ipv4_tcp_vrf
}

################################################################################
# IPv4 UDP

1487ipv4_udp_novrf() 1488{ 1489 local a 1490 1491 # 1492 # server tests 1493 # 1494 for a in ${NSA_IP} ${NSA_LO_IP} 1495 do 1496 log_start 1497 run_cmd nettest -D -s -3 ${NSA_DEV} & 1498 sleep 1 1499 run_cmd_nsb nettest -D -r ${a} 1500 log_test_addr ${a} $? 0 "Global server" 1501 1502 log_start 1503 show_hint "Should fail 'Connection refused' since there is no server" 1504 run_cmd_nsb nettest -D -r ${a} 1505 log_test_addr ${a} $? 1 "No server" 1506 done 1507 1508 a=${NSA_IP} 1509 log_start 1510 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1511 sleep 1 1512 run_cmd_nsb nettest -D -r ${a} 1513 log_test_addr ${a} $? 0 "Device server" 1514 1515 # 1516 # client 1517 # 1518 for a in ${NSB_IP} ${NSB_LO_IP} 1519 do 1520 log_start 1521 run_cmd_nsb nettest -D -s & 1522 sleep 1 1523 run_cmd nettest -D -r ${a} -0 ${NSA_IP} 1524 log_test_addr ${a} $? 0 "Client" 1525 1526 log_start 1527 run_cmd_nsb nettest -D -s & 1528 sleep 1 1529 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP} 1530 log_test_addr ${a} $? 0 "Client, device bind" 1531 1532 log_start 1533 run_cmd_nsb nettest -D -s & 1534 sleep 1 1535 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP} 1536 log_test_addr ${a} $?
0 "Client, device send via cmsg" 1537 1538 log_start 1539 run_cmd_nsb nettest -D -s & 1540 sleep 1 1541 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} 1542 log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF" 1543 1544 log_start 1545 run_cmd_nsb nettest -D -s & 1546 sleep 1 1547 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} -U 1548 log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF, with connect()" 1549 1550 1551 log_start 1552 show_hint "Should fail 'Connection refused'" 1553 run_cmd nettest -D -r ${a} 1554 log_test_addr ${a} $? 1 "No server, unbound client" 1555 1556 log_start 1557 show_hint "Should fail 'Connection refused'" 1558 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1559 log_test_addr ${a} $? 1 "No server, device client" 1560 done 1561 1562 # 1563 # local address tests 1564 # 1565 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1566 do 1567 log_start 1568 run_cmd nettest -D -s & 1569 sleep 1 1570 run_cmd nettest -D -r ${a} -0 ${a} -1 ${a} 1571 log_test_addr ${a} $? 0 "Global server, local connection" 1572 done 1573 1574 a=${NSA_IP} 1575 log_start 1576 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1577 sleep 1 1578 run_cmd nettest -D -r ${a} 1579 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 1580 1581 for a in ${NSA_LO_IP} 127.0.0.1 1582 do 1583 log_start 1584 show_hint "Should fail 'Connection refused' since address is out of device scope" 1585 run_cmd nettest -s -D -I ${NSA_DEV} & 1586 sleep 1 1587 run_cmd nettest -D -r ${a} 1588 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 1589 done 1590 1591 a=${NSA_IP} 1592 log_start 1593 run_cmd nettest -s -D & 1594 sleep 1 1595 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1596 log_test_addr ${a} $? 0 "Global server, device client, local connection" 1597 1598 log_start 1599 run_cmd nettest -s -D & 1600 sleep 1 1601 run_cmd nettest -D -d ${NSA_DEV} -C -r ${a} 1602 log_test_addr ${a} $? 
0 "Global server, device send via cmsg, local connection" 1603 1604 log_start 1605 run_cmd nettest -s -D & 1606 sleep 1 1607 run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} 1608 log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection" 1609 1610 log_start 1611 run_cmd nettest -s -D & 1612 sleep 1 1613 run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} -U 1614 log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection, with connect()" 1615 1616 1617 # IPv4 with device bind has really weird behavior - it overrides the 1618 # fib lookup, generates an rtable and tries to send the packet. This 1619 # causes failures for local traffic at different places 1620 for a in ${NSA_LO_IP} 127.0.0.1 1621 do 1622 log_start 1623 show_hint "Should fail since addresses on loopback are out of device scope" 1624 run_cmd nettest -D -s & 1625 sleep 1 1626 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1627 log_test_addr ${a} $? 2 "Global server, device client, local connection" 1628 1629 log_start 1630 show_hint "Should fail since addresses on loopback are out of device scope" 1631 run_cmd nettest -D -s & 1632 sleep 1 1633 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C 1634 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 1635 1636 log_start 1637 show_hint "Should fail since addresses on loopback are out of device scope" 1638 run_cmd nettest -D -s & 1639 sleep 1 1640 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S 1641 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 1642 1643 log_start 1644 show_hint "Should fail since addresses on loopback are out of device scope" 1645 run_cmd nettest -D -s & 1646 sleep 1 1647 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -U 1648 log_test_addr ${a} $? 
1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()" 1649 1650 1651 done 1652 1653 a=${NSA_IP} 1654 log_start 1655 run_cmd nettest -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 1656 sleep 1 1657 run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a} 1658 log_test_addr ${a} $? 0 "Device server, device client, local conn" 1659 1660 log_start 1661 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1662 log_test_addr ${a} $? 2 "No server, device client, local conn" 1663 1664 # 1665 # Link local connection tests (SO_DONTROUTE). 1666 # Connections should succeed only when the remote IP address is 1667 # on link (doesn't need to be routed through a gateway). 1668 # 1669 1670 a=${NSB_IP} 1671 log_start 1672 do_run_cmd nettest -B -D -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute 1673 log_test_addr ${a} $? 0 "SO_DONTROUTE client" 1674 1675 a=${NSB_LO_IP} 1676 log_start 1677 show_hint "Should fail 'Network is unreachable' since server is not on link" 1678 do_run_cmd nettest -B -D -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute 1679 log_test_addr ${a} $? 1 "SO_DONTROUTE client" 1680} 1681 1682ipv4_udp_vrf() 1683{ 1684 local a 1685 1686 # disable global server 1687 log_subsection "Global server disabled" 1688 set_sysctl net.ipv4.udp_l3mdev_accept=0 1689 1690 # 1691 # server tests 1692 # 1693 for a in ${NSA_IP} ${VRF_IP} 1694 do 1695 log_start 1696 show_hint "Fails because ingress is in a VRF and global server is disabled" 1697 run_cmd nettest -D -s & 1698 sleep 1 1699 run_cmd_nsb nettest -D -r ${a} 1700 log_test_addr ${a} $? 1 "Global server" 1701 1702 log_start 1703 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} & 1704 sleep 1 1705 run_cmd_nsb nettest -D -r ${a} 1706 log_test_addr ${a} $? 0 "VRF server" 1707 1708 log_start 1709 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1710 sleep 1 1711 run_cmd_nsb nettest -D -r ${a} 1712 log_test_addr ${a} $? 
0 "Enslaved device server" 1713 1714 log_start 1715 show_hint "Should fail 'Connection refused' since there is no server" 1716 run_cmd_nsb nettest -D -r ${a} 1717 log_test_addr ${a} $? 1 "No server" 1718 1719 log_start 1720 show_hint "Should fail 'Connection refused' since global server is out of scope" 1721 run_cmd nettest -D -s & 1722 sleep 1 1723 run_cmd nettest -D -d ${VRF} -r ${a} 1724 log_test_addr ${a} $? 1 "Global server, VRF client, local connection" 1725 done 1726 1727 a=${NSA_IP} 1728 log_start 1729 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1730 sleep 1 1731 run_cmd nettest -D -d ${VRF} -r ${a} 1732 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1733 1734 log_start 1735 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1736 sleep 1 1737 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1738 log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection" 1739 1740 a=${NSA_IP} 1741 log_start 1742 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1743 sleep 1 1744 run_cmd nettest -D -d ${VRF} -r ${a} 1745 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 1746 1747 log_start 1748 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1749 sleep 1 1750 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1751 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 1752 1753 # enable global server 1754 log_subsection "Global server enabled" 1755 set_sysctl net.ipv4.udp_l3mdev_accept=1 1756 1757 # 1758 # server tests 1759 # 1760 for a in ${NSA_IP} ${VRF_IP} 1761 do 1762 log_start 1763 run_cmd nettest -D -s -3 ${NSA_DEV} & 1764 sleep 1 1765 run_cmd_nsb nettest -D -r ${a} 1766 log_test_addr ${a} $? 0 "Global server" 1767 1768 log_start 1769 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} & 1770 sleep 1 1771 run_cmd_nsb nettest -D -r ${a} 1772 log_test_addr ${a} $? 
0 "VRF server" 1773 1774 log_start 1775 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 1776 sleep 1 1777 run_cmd_nsb nettest -D -r ${a} 1778 log_test_addr ${a} $? 0 "Enslaved device server" 1779 1780 log_start 1781 show_hint "Should fail 'Connection refused'" 1782 run_cmd_nsb nettest -D -r ${a} 1783 log_test_addr ${a} $? 1 "No server" 1784 done 1785 1786 # 1787 # client tests 1788 # 1789 log_start 1790 run_cmd_nsb nettest -D -s & 1791 sleep 1 1792 run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP} 1793 log_test $? 0 "VRF client" 1794 1795 log_start 1796 run_cmd_nsb nettest -D -s & 1797 sleep 1 1798 run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP} 1799 log_test $? 0 "Enslaved device client" 1800 1801 # negative test - should fail 1802 log_start 1803 show_hint "Should fail 'Connection refused'" 1804 run_cmd nettest -D -d ${VRF} -r ${NSB_IP} 1805 log_test $? 1 "No server, VRF client" 1806 1807 log_start 1808 show_hint "Should fail 'Connection refused'" 1809 run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP} 1810 log_test $? 1 "No server, enslaved device client" 1811 1812 # 1813 # local address tests 1814 # 1815 a=${NSA_IP} 1816 log_start 1817 run_cmd nettest -D -s -3 ${NSA_DEV} & 1818 sleep 1 1819 run_cmd nettest -D -d ${VRF} -r ${a} 1820 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 1821 1822 log_start 1823 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1824 sleep 1 1825 run_cmd nettest -D -d ${VRF} -r ${a} 1826 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1827 1828 log_start 1829 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} & 1830 sleep 1 1831 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1832 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 1833 1834 log_start 1835 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1836 sleep 1 1837 run_cmd nettest -D -d ${VRF} -r ${a} 1838 log_test_addr ${a} $? 
0 "Enslaved device server, VRF client, local conn" 1839 1840 log_start 1841 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 1842 sleep 1 1843 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1844 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 1845 1846 for a in ${VRF_IP} 127.0.0.1 1847 do 1848 log_start 1849 run_cmd nettest -D -s -3 ${VRF} & 1850 sleep 1 1851 run_cmd nettest -D -d ${VRF} -r ${a} 1852 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 1853 done 1854 1855 for a in ${VRF_IP} 127.0.0.1 1856 do 1857 log_start 1858 run_cmd nettest -s -D -I ${VRF} -3 ${VRF} & 1859 sleep 1 1860 run_cmd nettest -D -d ${VRF} -r ${a} 1861 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1862 done 1863 1864 # negative test - should fail 1865 # verifies ECONNREFUSED 1866 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 1867 do 1868 log_start 1869 show_hint "Should fail 'Connection refused'" 1870 run_cmd nettest -D -d ${VRF} -r ${a} 1871 log_test_addr ${a} $? 1 "No server, VRF client, local conn" 1872 done 1873} 1874 1875ipv4_udp() 1876{ 1877 log_section "IPv4/UDP" 1878 log_subsection "No VRF" 1879 1880 setup 1881 1882 # udp_l3mdev_accept should have no affect without VRF; 1883 # run tests with it enabled and disabled to verify 1884 log_subsection "udp_l3mdev_accept disabled" 1885 set_sysctl net.ipv4.udp_l3mdev_accept=0 1886 ipv4_udp_novrf 1887 log_subsection "udp_l3mdev_accept enabled" 1888 set_sysctl net.ipv4.udp_l3mdev_accept=1 1889 ipv4_udp_novrf 1890 1891 log_subsection "With VRF" 1892 setup "yes" 1893 ipv4_udp_vrf 1894} 1895 1896################################################################################ 1897# IPv4 address bind 1898# 1899# verifies ability or inability to bind to an address / device 1900 1901ipv4_addr_bind_novrf() 1902{ 1903 # 1904 # raw socket 1905 # 1906 for a in ${NSA_IP} ${NSA_LO_IP} 1907 do 1908 log_start 1909 run_cmd nettest -s -R -P icmp -l ${a} -b 1910 log_test_addr ${a} $? 
0 "Raw socket bind to local address" 1911 1912 log_start 1913 run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b 1914 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" 1915 done 1916 1917 # 1918 # tests for nonlocal bind 1919 # 1920 a=${NL_IP} 1921 log_start 1922 run_cmd nettest -s -R -f -l ${a} -b 1923 log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address" 1924 1925 log_start 1926 run_cmd nettest -s -f -l ${a} -b 1927 log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address" 1928 1929 log_start 1930 run_cmd nettest -s -D -P icmp -f -l ${a} -b 1931 log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address" 1932 1933 # 1934 # check that ICMP sockets cannot bind to broadcast and multicast addresses 1935 # 1936 a=${BCAST_IP} 1937 log_start 1938 run_cmd nettest -s -D -P icmp -l ${a} -b 1939 log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address" 1940 1941 a=${MCAST_IP} 1942 log_start 1943 run_cmd nettest -s -D -P icmp -l ${a} -b 1944 log_test_addr ${a} $? 1 "ICMP socket bind to multicast address" 1945 1946 # 1947 # tcp sockets 1948 # 1949 a=${NSA_IP} 1950 log_start 1951 run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b 1952 log_test_addr ${a} $? 0 "TCP socket bind to local address" 1953 1954 log_start 1955 run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b 1956 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind" 1957 1958 # Sadly, the kernel allows binding a socket to a device and then 1959 # binding to an address not on the device. The only restriction 1960 # is that the address is valid in the L3 domain. So this test 1961 # passes when it really should not 1962 #a=${NSA_LO_IP} 1963 #log_start 1964 #show_hint "Should fail with 'Cannot assign requested address'" 1965 #run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 1966 #log_test_addr ${a} $? 
1 "TCP socket bind to out of scope local address" 1967} 1968 1969ipv4_addr_bind_vrf() 1970{ 1971 # 1972 # raw socket 1973 # 1974 for a in ${NSA_IP} ${VRF_IP} 1975 do 1976 log_start 1977 show_hint "Socket not bound to VRF, but address is in VRF" 1978 run_cmd nettest -s -R -P icmp -l ${a} -b 1979 log_test_addr ${a} $? 1 "Raw socket bind to local address" 1980 1981 log_start 1982 run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b 1983 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" 1984 log_start 1985 run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b 1986 log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind" 1987 done 1988 1989 a=${NSA_LO_IP} 1990 log_start 1991 show_hint "Address on loopback is out of VRF scope" 1992 run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b 1993 log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind" 1994 1995 # 1996 # tests for nonlocal bind 1997 # 1998 a=${NL_IP} 1999 log_start 2000 run_cmd nettest -s -R -f -l ${a} -I ${VRF} -b 2001 log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind" 2002 2003 log_start 2004 run_cmd nettest -s -f -l ${a} -I ${VRF} -b 2005 log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address after VRF bind" 2006 2007 log_start 2008 run_cmd nettest -s -D -P icmp -f -l ${a} -I ${VRF} -b 2009 log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address after VRF bind" 2010 2011 # 2012 # check that ICMP sockets cannot bind to broadcast and multicast addresses 2013 # 2014 a=${BCAST_IP} 2015 log_start 2016 run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b 2017 log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address after VRF bind" 2018 2019 a=${MCAST_IP} 2020 log_start 2021 run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b 2022 log_test_addr ${a} $? 
1 "ICMP socket bind to multicast address after VRF bind" 2023 2024 # 2025 # tcp sockets 2026 # 2027 for a in ${NSA_IP} ${VRF_IP} 2028 do 2029 log_start 2030 run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b 2031 log_test_addr ${a} $? 0 "TCP socket bind to local address" 2032 2033 log_start 2034 run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 2035 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind" 2036 done 2037 2038 a=${NSA_LO_IP} 2039 log_start 2040 show_hint "Address on loopback out of scope for VRF" 2041 run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b 2042 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF" 2043 2044 log_start 2045 show_hint "Address on loopback out of scope for device in VRF" 2046 run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b 2047 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind" 2048} 2049 2050ipv4_addr_bind() 2051{ 2052 log_section "IPv4 address binds" 2053 2054 log_subsection "No VRF" 2055 setup 2056 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 2057 ipv4_addr_bind_novrf 2058 2059 log_subsection "With VRF" 2060 setup "yes" 2061 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 2062 ipv4_addr_bind_vrf 2063} 2064 2065################################################################################ 2066# IPv4 runtime tests 2067 2068ipv4_rt() 2069{ 2070 local desc="$1" 2071 local varg="$2" 2072 local with_vrf="yes" 2073 local a 2074 2075 # 2076 # server tests 2077 # 2078 for a in ${NSA_IP} ${VRF_IP} 2079 do 2080 log_start 2081 run_cmd nettest ${varg} -s & 2082 sleep 1 2083 run_cmd_nsb nettest ${varg} -r ${a} & 2084 sleep 3 2085 run_cmd ip link del ${VRF} 2086 sleep 1 2087 log_test_addr ${a} 0 0 "${desc}, global server" 2088 2089 setup ${with_vrf} 2090 done 2091 2092 for a in ${NSA_IP} ${VRF_IP} 2093 do 2094 log_start 2095 run_cmd nettest ${varg} -s -I ${VRF} & 2096 sleep 1 2097 run_cmd_nsb nettest ${varg} -r ${a} & 2098 sleep 3 2099 run_cmd 
ip link del ${VRF} 2100 sleep 1 2101 log_test_addr ${a} 0 0 "${desc}, VRF server" 2102 2103 setup ${with_vrf} 2104 done 2105 2106 a=${NSA_IP} 2107 log_start 2108 run_cmd nettest ${varg} -s -I ${NSA_DEV} & 2109 sleep 1 2110 run_cmd_nsb nettest ${varg} -r ${a} & 2111 sleep 3 2112 run_cmd ip link del ${VRF} 2113 sleep 1 2114 log_test_addr ${a} 0 0 "${desc}, enslaved device server" 2115 2116 setup ${with_vrf} 2117 2118 # 2119 # client test 2120 # 2121 log_start 2122 run_cmd_nsb nettest ${varg} -s & 2123 sleep 1 2124 run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} & 2125 sleep 3 2126 run_cmd ip link del ${VRF} 2127 sleep 1 2128 log_test_addr ${a} 0 0 "${desc}, VRF client" 2129 2130 setup ${with_vrf} 2131 2132 log_start 2133 run_cmd_nsb nettest ${varg} -s & 2134 sleep 1 2135 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} & 2136 sleep 3 2137 run_cmd ip link del ${VRF} 2138 sleep 1 2139 log_test_addr ${a} 0 0 "${desc}, enslaved device client" 2140 2141 setup ${with_vrf} 2142 2143 # 2144 # local address tests 2145 # 2146 for a in ${NSA_IP} ${VRF_IP} 2147 do 2148 log_start 2149 run_cmd nettest ${varg} -s & 2150 sleep 1 2151 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 2152 sleep 3 2153 run_cmd ip link del ${VRF} 2154 sleep 1 2155 log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local" 2156 2157 setup ${with_vrf} 2158 done 2159 2160 for a in ${NSA_IP} ${VRF_IP} 2161 do 2162 log_start 2163 run_cmd nettest ${varg} -I ${VRF} -s & 2164 sleep 1 2165 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 2166 sleep 3 2167 run_cmd ip link del ${VRF} 2168 sleep 1 2169 log_test_addr ${a} 0 0 "${desc}, VRF server and client, local" 2170 2171 setup ${with_vrf} 2172 done 2173 2174 a=${NSA_IP} 2175 log_start 2176 2177 run_cmd nettest ${varg} -s & 2178 sleep 1 2179 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 2180 sleep 3 2181 run_cmd ip link del ${VRF} 2182 sleep 1 2183 log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local" 2184 2185 setup ${with_vrf} 2186 
2187 log_start 2188 run_cmd nettest ${varg} -I ${VRF} -s & 2189 sleep 1 2190 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 2191 sleep 3 2192 run_cmd ip link del ${VRF} 2193 sleep 1 2194 log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local" 2195 2196 setup ${with_vrf} 2197 2198 log_start 2199 run_cmd nettest ${varg} -I ${NSA_DEV} -s & 2200 sleep 1 2201 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 2202 sleep 3 2203 run_cmd ip link del ${VRF} 2204 sleep 1 2205 log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local" 2206} 2207

#######################################
# Delete the VRF device while a flood ping (ping -f) is in flight.
#
# Inbound: the peer (run_cmd_nsb) floods ${NSA_IP} and then ${VRF_IP}; three
# seconds in, ${VRF} is deleted in ns-A and the topology is rebuilt with
# setup before the next address. Outbound: ns-A floods ${NSB_IP} bound to
# ${VRF}, and ${VRF} is deleted the same way.
#
# Every case is logged with rc=0 against expected=0, so it passes by
# construction; nothing here inspects the ping result.
# NOTE(review): the pass criterion is presumably that the kernel survives the
# delete under load - confirm how the harness detects an oops or warning.
# The background ping is reaped by kill_procs, which log_test runs last.
#######################################
ipv4_ping_rt()
{
	# keep the name 'a': log_test does a bare "read a" at its pause prompts
	local a with_vrf="yes"

	for a in ${NSA_IP} ${VRF_IP}; do
		log_start
		run_cmd_nsb ping -f ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

		# the VRF is gone now; rebuild before the next round
		setup ${with_vrf}
	done

	a=${NSB_IP}
	log_start
	run_cmd ping -f -I ${VRF} ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

#######################################
# Entry point for the IPv4 run-time tests. Each sub-suite deletes the VRF
# device under live traffic, so each one starts from a fresh setup "yes":
# first the ping variant, then ipv4_rt twice with the description and the
# extra nettest arguments listed below.
#######################################
ipv4_runtime()
{
	local rt_case

	log_section "Run time tests - ipv4"

	setup "yes"
	ipv4_ping_rt

	# "<description>|<nettest arguments>", split at the '|' for ipv4_rt
	for rt_case in "TCP active socket|-n -1" "TCP passive socket|-i"; do
		setup "yes"
		ipv4_rt "${rt_case%%|*}" "${rt_case#*|}"
	done
}

################################################################################
# IPv6

2251ipv6_ping_novrf() 2252{ 2253 local a 2254 2255 # should not have an impact, but make a known state 2256 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null 2257 2258 # 2259 # out 2260 # 2261 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2262 do 2263 log_start 2264 run_cmd ${ping6} -c1 -w1 ${a} 2265 log_test_addr ${a} $? 0 "ping out" 2266 done 2267 2268 for a in ${NSB_IP6} ${NSB_LO_IP6} 2269 do 2270 log_start 2271 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2272 log_test_addr ${a} $?
0 "ping out, device bind" 2273 2274 log_start 2275 run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a} 2276 log_test_addr ${a} $? 0 "ping out, loopback address bind" 2277 done 2278 2279 # 2280 # in 2281 # 2282 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV} 2283 do 2284 log_start 2285 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2286 log_test_addr ${a} $? 0 "ping in" 2287 done 2288 2289 # 2290 # local traffic, local address 2291 # 2292 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2293 do 2294 log_start 2295 run_cmd ${ping6} -c1 -w1 ${a} 2296 log_test_addr ${a} $? 0 "ping local, no bind" 2297 done 2298 2299 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2300 do 2301 log_start 2302 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2303 log_test_addr ${a} $? 0 "ping local, device bind" 2304 done 2305 2306 for a in ${NSA_LO_IP6} ::1 2307 do 2308 log_start 2309 show_hint "Fails since address on loopback is out of device scope" 2310 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2311 log_test_addr ${a} $? 2 "ping local, device bind" 2312 done 2313 2314 # 2315 # ip rule blocks address 2316 # 2317 log_start 2318 setup_cmd ip -6 rule add pref 32765 from all lookup local 2319 setup_cmd ip -6 rule del pref 0 from all lookup local 2320 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2321 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2322 2323 a=${NSB_LO_IP6} 2324 run_cmd ${ping6} -c1 -w1 ${a} 2325 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2326 2327 log_start 2328 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2329 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2330 2331 a=${NSA_LO_IP6} 2332 log_start 2333 show_hint "Response lost due to ip rule" 2334 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2335 log_test_addr ${a} $? 
# IPv6 ping permutations with ns-A's device enslaved to the VRF.
#
# Every case is: log_start, one ping, then log_test_addr with the ping exit
# status and the status the test expects:
#   0 - a reply is required
#   1 - no reply may arrive (address is outside the VRF / device scope, or
#       the response is dropped)
#   2 - ping itself must report an error (prohibit rule, missing route)
# The 1 and 2 cases are the isolation checks: if one of them starts to return
# 0, traffic is crossing a boundary the hints say it must not cross.
#
# Globals read: ping6, VRF, VRF_IP6, NSA_DEV, NSB_DEV, NSB, MCAST and the
# NSA_*/NSB_* IPv6 address variables.
ipv6_ping_vrf()
{
	local a
	# shared ping invocation: a single echo request with a one second deadline
	local -a probe=(${ping6} -c1 -w1)

	# expected to default to on; the sysctl does not exist on older kernels,
	# so the error output is discarded
	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null

	# ---- out ----------------------------------------------------------
	for a in ${NSB_IP6} ${NSB_LO_IP6}; do
		log_start
		run_cmd "${probe[@]}" -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping out, VRF bind"
	done

	# link-local and multicast destinations scoped to the VRF device itself
	for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF}; do
		log_start
		show_hint "Fails since VRF device does not support linklocal or multicast"
		run_cmd "${probe[@]}" ${a}
		log_test_addr ${a} $? 1 "ping out, VRF bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}; do
		log_start
		run_cmd "${probe[@]}" -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"
	done

	# process placed in the VRF with "ip vrf exec", source pinned to VRF_IP6
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}; do
		log_start
		run_cmd ip vrf exec ${VRF} "${probe[@]}" -I ${VRF_IP6} ${a}
		log_test_addr ${a} $? 0 "ping out, vrf device+address bind"
	done

	# ---- in -----------------------------------------------------------
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}; do
		log_start
		run_cmd_nsb "${probe[@]}" ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	# negative: ns-A's loopback address must not answer through the VRF
	log_start
	a=${NSA_LO_IP6}
	show_hint "Fails since loopback address is out of VRF scope"
	run_cmd_nsb "${probe[@]}" ${a}
	log_test_addr ${a} $? 1 "ping in"

	# ---- local traffic, local address ---------------------------------
	for a in ${NSA_IP6} ${VRF_IP6} ::1; do
		log_start
		show_hint "Source address should be ${a}"
		run_cmd "${probe[@]}" -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping local, VRF bind"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}; do
		log_start
		run_cmd "${probe[@]}" -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping local, device bind"
	done

	# ---- LLA to GUA ---------------------------------------------------
	# strip the global addresses from ns-B so that it can only source
	# traffic from its link-local address
	setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo
	setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}

	# NOTE(review): both iterations ping NSA_IP6; ${a} only ends up in the
	# logged test name, so the VRF_IP6 line does not exercise VRF_IP6.
	# Confirm whether that is intended before changing the target.
	for a in ${NSA_IP6} ${VRF_IP6}; do
		log_start
		run_cmd_nsb "${probe[@]}" ${NSA_IP6}
		log_test_addr ${a} $? 0 "ping in, LLA to GUA"
	done

	# put ns-B back the way it was
	setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
	setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV}
	setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo

	# ---- ip rule blocks address ---------------------------------------
	log_start
	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit

	a=${NSB_LO_IP6}
	run_cmd "${probe[@]}" ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by rule"

	log_start
	run_cmd "${probe[@]}" -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"

	log_start
	a=${NSA_LO_IP6}
	show_hint "Response lost due to ip rule"
	run_cmd_nsb "${probe[@]}" ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	# drop the two prohibit rules again
	log_start
	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit

	# ---- remove 'remote' routes; fallback to default ------------------
	log_start
	setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF}

	a=${NSB_LO_IP6}
	run_cmd "${probe[@]}" ${a}
	log_test_addr ${a} $? 2 "ping out, unreachable route"

	log_start
	run_cmd "${probe[@]}" -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"

	# NOTE(review): this route delete calls ip directly instead of going
	# through setup_cmd_nsb like the other ns-B changes in this function,
	# so it is neither echoed nor checked the same way.
	ip -netns ${NSB} -6 ro del ${NSA_LO_IP6}
	a=${NSA_LO_IP6}
	log_start
	run_cmd_nsb "${probe[@]}" ${a}
	log_test_addr ${a} $? 2 "ping in, unreachable route"
}
# TCP-MD5 (RFC 2385 signature option) tests over IPv6 with a VRF.
#
# Servers run in ns-A through run_cmd; a server takes its key with -M and the
# peer address or prefix the key applies to with -m. Clients pass their key
# with -X. Clients started with run_cmd_nsb arrive in the VRF, clients started
# with run_cmd_nsc arrive in the default VRF (see the test names below).
#
# Expected results handed to log_test:
#   0 - connection is established
#   2 - client times out: the segments are not accepted because the key, the
#       peer address/prefix or the VRF does not match
#   1 - the server must fail on its own (key bound to a non-VRF device)
#
# The "duplicate config" group is the key-scoping check: the same peer is
# configured with MD5_PW inside the VRF and with MD5_WRONG_PW in the default
# VRF, and each key must only work in the domain it was configured for.
#
# MD5_PW and MD5_WRONG_PW are fixed throw-away test values passed on the
# command line; that is fine for a selftest but not a pattern for real keys,
# since argv is readable by other local users.
#
# Within this file the function is called from ipv6_tcp_vrf, only when
# fips_enabled is 0 and between setup_vrf_dup and cleanup_vrf_dup.
#
# Globals read: VRF, NSA_DEV, NSA_IP6, NSB_IP6, NSB_LO_IP6, NS_NET6, MD5_PW,
# MD5_WRONG_PW.
ipv6_tcp_md5()
{
	# server bound to the VRF and keyed with MD5_PW
	local -a md5_vrf_srv=(nettest -6 -s -I ${VRF} -M ${MD5_PW})
	# server in the default VRF, keyed with the other password
	local -a md5_dflt_srv=(nettest -6 -s -M ${MD5_WRONG_PW})
	# client connecting to ns-A's device address
	local -a md5_client=(nettest -6 -r ${NSA_IP6})

	# ---- single address -----------------------------------------------

	# matching key, matching peer address
	log_start
	run_cmd "${md5_vrf_srv[@]}" -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb "${md5_client[@]}" -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config"

	# client signs its segments, server has no key at all
	log_start
	show_hint "Should timeout since server does not have MD5 auth"
	run_cmd nettest -6 -s -I ${VRF} &
	sleep 1
	run_cmd_nsb "${md5_client[@]}" -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Server no config, client uses password"

	# client signs with a different key
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd "${md5_vrf_srv[@]}" -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb "${md5_client[@]}" -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Client uses wrong password"

	# key is configured for an address the client does not connect from
	log_start
	show_hint "Should timeout since server config differs from client"
	run_cmd "${md5_vrf_srv[@]}" -m ${NSB_LO_IP6} &
	sleep 1
	run_cmd_nsb "${md5_client[@]}" -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"

	# ---- MD5 extension - prefix length --------------------------------

	# client address lies inside the configured prefix
	log_start
	run_cmd "${md5_vrf_srv[@]}" -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb "${md5_client[@]}" -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config"

	# inside the prefix, but signing with a different key
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd "${md5_vrf_srv[@]}" -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb "${md5_client[@]}" -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"

	# right key, but the client connects from NSB_LO_IP6 (-c), which is
	# outside the configured prefix
	log_start
	show_hint "Should timeout since client address is outside of prefix"
	run_cmd "${md5_vrf_srv[@]}" -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"

	# ---- duplicate config between default VRF and a VRF ---------------
	# two servers per case: MD5_PW inside the VRF, MD5_WRONG_PW in the
	# default VRF, both for the same peer

	# single address, client in the VRF with the VRF key
	log_start
	run_cmd "${md5_vrf_srv[@]}" -m ${NSB_IP6} &
	run_cmd "${md5_dflt_srv[@]}" -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb "${md5_client[@]}" -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"

	# single address, client in the default VRF with the default-VRF key
	log_start
	run_cmd "${md5_vrf_srv[@]}" -m ${NSB_IP6} &
	run_cmd "${md5_dflt_srv[@]}" -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsc "${md5_client[@]}" -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"

	# single address, keys swapped: the VRF key must not work outside the VRF
	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd "${md5_vrf_srv[@]}" -m ${NSB_IP6} &
	run_cmd "${md5_dflt_srv[@]}" -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsc "${md5_client[@]}" -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"

	# ... and the default-VRF key must not work inside the VRF
	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd "${md5_vrf_srv[@]}" -m ${NSB_IP6} &
	run_cmd "${md5_dflt_srv[@]}" -m ${NSB_IP6} &
	sleep 1
	run_cmd_nsb "${md5_client[@]}" -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"

	# the same four cases with the keys configured for a prefix
	log_start
	run_cmd "${md5_vrf_srv[@]}" -m ${NS_NET6} &
	run_cmd "${md5_dflt_srv[@]}" -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb "${md5_client[@]}" -X ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd "${md5_vrf_srv[@]}" -m ${NS_NET6} &
	run_cmd "${md5_dflt_srv[@]}" -m ${NS_NET6} &
	sleep 1
	run_cmd_nsc "${md5_client[@]}" -X ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"

	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd "${md5_vrf_srv[@]}" -m ${NS_NET6} &
	run_cmd "${md5_dflt_srv[@]}" -m ${NS_NET6} &
	sleep 1
	run_cmd_nsc "${md5_client[@]}" -X ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd "${md5_vrf_srv[@]}" -m ${NS_NET6} &
	run_cmd "${md5_dflt_srv[@]}" -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb "${md5_client[@]}" -X ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"

	# ---- negative tests -----------------------------------------------
	# servers run in the foreground here: binding the key to the enslaved
	# device instead of the VRF has to make nettest itself fail
	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6}
	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"

	log_start
	run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6}
	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"
}
0 "Client, device bind" 2794 done 2795 2796 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2797 do 2798 log_start 2799 show_hint "Should fail 'Connection refused'" 2800 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2801 log_test_addr ${a} $? 1 "No server, device client" 2802 done 2803 2804 # 2805 # local address tests 2806 # 2807 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 2808 do 2809 log_start 2810 run_cmd nettest -6 -s & 2811 sleep 1 2812 run_cmd nettest -6 -r ${a} 2813 log_test_addr ${a} $? 0 "Global server, local connection" 2814 done 2815 2816 a=${NSA_IP6} 2817 log_start 2818 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2819 sleep 1 2820 run_cmd nettest -6 -r ${a} -0 ${a} 2821 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 2822 2823 for a in ${NSA_LO_IP6} ::1 2824 do 2825 log_start 2826 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2827 run_cmd nettest -6 -s -I ${NSA_DEV} & 2828 sleep 1 2829 run_cmd nettest -6 -r ${a} 2830 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 2831 done 2832 2833 a=${NSA_IP6} 2834 log_start 2835 run_cmd nettest -6 -s & 2836 sleep 1 2837 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2838 log_test_addr ${a} $? 0 "Global server, device client, local connection" 2839 2840 for a in ${NSA_LO_IP6} ::1 2841 do 2842 log_start 2843 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2844 run_cmd nettest -6 -s & 2845 sleep 1 2846 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2847 log_test_addr ${a} $? 1 "Global server, device client, local connection" 2848 done 2849 2850 for a in ${NSA_IP6} ${NSA_LINKIP6} 2851 do 2852 log_start 2853 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2854 sleep 1 2855 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2856 log_test_addr ${a} $? 
0 "Device server, device client, local conn" 2857 done 2858 2859 for a in ${NSA_IP6} ${NSA_LINKIP6} 2860 do 2861 log_start 2862 show_hint "Should fail 'Connection refused'" 2863 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2864 log_test_addr ${a} $? 1 "No server, device client, local conn" 2865 done 2866 2867 [ "$fips_enabled" = "1" ] || ipv6_tcp_md5_novrf 2868} 2869 2870ipv6_tcp_vrf() 2871{ 2872 local a 2873 2874 # disable global server 2875 log_subsection "Global server disabled" 2876 2877 set_sysctl net.ipv4.tcp_l3mdev_accept=0 2878 2879 # 2880 # server tests 2881 # 2882 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2883 do 2884 log_start 2885 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2886 run_cmd nettest -6 -s & 2887 sleep 1 2888 run_cmd_nsb nettest -6 -r ${a} 2889 log_test_addr ${a} $? 1 "Global server" 2890 done 2891 2892 for a in ${NSA_IP6} ${VRF_IP6} 2893 do 2894 log_start 2895 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2896 sleep 1 2897 run_cmd_nsb nettest -6 -r ${a} 2898 log_test_addr ${a} $? 0 "VRF server" 2899 done 2900 2901 # link local is always bound to ingress device 2902 a=${NSA_LINKIP6}%${NSB_DEV} 2903 log_start 2904 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2905 sleep 1 2906 run_cmd_nsb nettest -6 -r ${a} 2907 log_test_addr ${a} $? 0 "VRF server" 2908 2909 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2910 do 2911 log_start 2912 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2913 sleep 1 2914 run_cmd_nsb nettest -6 -r ${a} 2915 log_test_addr ${a} $? 0 "Device server" 2916 done 2917 2918 # verify TCP reset received 2919 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2920 do 2921 log_start 2922 show_hint "Should fail 'Connection refused'" 2923 run_cmd_nsb nettest -6 -r ${a} 2924 log_test_addr ${a} $? 
1 "No server" 2925 done 2926 2927 # local address tests 2928 a=${NSA_IP6} 2929 log_start 2930 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2931 run_cmd nettest -6 -s & 2932 sleep 1 2933 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2934 log_test_addr ${a} $? 1 "Global server, local connection" 2935 2936 # run MD5 tests 2937 if [ "$fips_enabled" = "0" ]; then 2938 setup_vrf_dup 2939 ipv6_tcp_md5 2940 cleanup_vrf_dup 2941 fi 2942 2943 # 2944 # enable VRF global server 2945 # 2946 log_subsection "VRF Global server enabled" 2947 set_sysctl net.ipv4.tcp_l3mdev_accept=1 2948 2949 for a in ${NSA_IP6} ${VRF_IP6} 2950 do 2951 log_start 2952 run_cmd nettest -6 -s -3 ${VRF} & 2953 sleep 1 2954 run_cmd_nsb nettest -6 -r ${a} 2955 log_test_addr ${a} $? 0 "Global server" 2956 done 2957 2958 for a in ${NSA_IP6} ${VRF_IP6} 2959 do 2960 log_start 2961 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 2962 sleep 1 2963 run_cmd_nsb nettest -6 -r ${a} 2964 log_test_addr ${a} $? 0 "VRF server" 2965 done 2966 2967 # For LLA, child socket is bound to device 2968 a=${NSA_LINKIP6}%${NSB_DEV} 2969 log_start 2970 run_cmd nettest -6 -s -3 ${NSA_DEV} & 2971 sleep 1 2972 run_cmd_nsb nettest -6 -r ${a} 2973 log_test_addr ${a} $? 0 "Global server" 2974 2975 log_start 2976 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} & 2977 sleep 1 2978 run_cmd_nsb nettest -6 -r ${a} 2979 log_test_addr ${a} $? 0 "VRF server" 2980 2981 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2982 do 2983 log_start 2984 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} & 2985 sleep 1 2986 run_cmd_nsb nettest -6 -r ${a} 2987 log_test_addr ${a} $? 0 "Device server" 2988 done 2989 2990 # verify TCP reset received 2991 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2992 do 2993 log_start 2994 show_hint "Should fail 'Connection refused'" 2995 run_cmd_nsb nettest -6 -r ${a} 2996 log_test_addr ${a} $? 
1 "No server" 2997 done 2998 2999 # local address tests 3000 for a in ${NSA_IP6} ${VRF_IP6} 3001 do 3002 log_start 3003 show_hint "Fails 'Connection refused' since client is not in VRF" 3004 run_cmd nettest -6 -s -I ${VRF} & 3005 sleep 1 3006 run_cmd nettest -6 -r ${a} 3007 log_test_addr ${a} $? 1 "Global server, local connection" 3008 done 3009 3010 3011 # 3012 # client 3013 # 3014 for a in ${NSB_IP6} ${NSB_LO_IP6} 3015 do 3016 log_start 3017 run_cmd_nsb nettest -6 -s & 3018 sleep 1 3019 run_cmd nettest -6 -r ${a} -d ${VRF} 3020 log_test_addr ${a} $? 0 "Client, VRF bind" 3021 done 3022 3023 a=${NSB_LINKIP6} 3024 log_start 3025 show_hint "Fails since VRF device does not allow linklocal addresses" 3026 run_cmd_nsb nettest -6 -s & 3027 sleep 1 3028 run_cmd nettest -6 -r ${a} -d ${VRF} 3029 log_test_addr ${a} $? 1 "Client, VRF bind" 3030 3031 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 3032 do 3033 log_start 3034 run_cmd_nsb nettest -6 -s & 3035 sleep 1 3036 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 3037 log_test_addr ${a} $? 0 "Client, device bind" 3038 done 3039 3040 for a in ${NSB_IP6} ${NSB_LO_IP6} 3041 do 3042 log_start 3043 show_hint "Should fail 'Connection refused'" 3044 run_cmd nettest -6 -r ${a} -d ${VRF} 3045 log_test_addr ${a} $? 1 "No server, VRF client" 3046 done 3047 3048 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 3049 do 3050 log_start 3051 show_hint "Should fail 'Connection refused'" 3052 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 3053 log_test_addr ${a} $? 1 "No server, device client" 3054 done 3055 3056 for a in ${NSA_IP6} ${VRF_IP6} ::1 3057 do 3058 log_start 3059 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 3060 sleep 1 3061 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 3062 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 3063 done 3064 3065 a=${NSA_IP6} 3066 log_start 3067 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} & 3068 sleep 1 3069 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 3070 log_test_addr ${a} $? 
# Top-level driver for the IPv6 TCP tests.
#
# Without a VRF the tcp_l3mdev_accept sysctl should have no effect, so the
# non-VRF suite is run twice - once with the knob off, once with it on. A
# result that differs between the two passes would mean the knob influences
# socket lookup outside of a VRF.
#
# The VRF suite (ipv6_tcp_vrf) sets tcp_l3mdev_accept itself, so it is only
# invoked once here, after the topology has been rebuilt with a VRF.
ipv6_tcp()
{
	local knob

	log_section "IPv6/TCP"
	log_subsection "No VRF"
	setup

	for knob in 0 1; do
		case "${knob}" in
		0) log_subsection "tcp_l3mdev_accept disabled" ;;
		1) log_subsection "tcp_l3mdev_accept enabled" ;;
		esac
		set_sysctl net.ipv4.tcp_l3mdev_accept=${knob}
		ipv6_tcp_novrf
	done

	log_subsection "With VRF"
	setup "yes"
	ipv6_tcp_vrf
}
0 "Device server" 3139 done 3140 3141 a=${NSA_LO_IP6} 3142 log_start 3143 run_cmd nettest -6 -D -s -3 ${NSA_DEV} & 3144 sleep 1 3145 run_cmd_nsb nettest -6 -D -r ${a} 3146 log_test_addr ${a} $? 0 "Global server" 3147 3148 # should fail since loopback address is out of scope for a device 3149 # bound server, but it does not - hence this is more documenting 3150 # behavior. 3151 #log_start 3152 #show_hint "Should fail since loopback address is out of scope" 3153 #run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} & 3154 #sleep 1 3155 #run_cmd_nsb nettest -6 -D -r ${a} 3156 #log_test_addr ${a} $? 1 "Device server" 3157 3158 # negative test - should fail 3159 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 3160 do 3161 log_start 3162 show_hint "Should fail 'Connection refused' since there is no server" 3163 run_cmd_nsb nettest -6 -D -r ${a} 3164 log_test_addr ${a} $? 1 "No server" 3165 done 3166 3167 # 3168 # client 3169 # 3170 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 3171 do 3172 log_start 3173 run_cmd_nsb nettest -6 -D -s & 3174 sleep 1 3175 run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6} 3176 log_test_addr ${a} $? 0 "Client" 3177 3178 log_start 3179 run_cmd_nsb nettest -6 -D -s & 3180 sleep 1 3181 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6} 3182 log_test_addr ${a} $? 0 "Client, device bind" 3183 3184 log_start 3185 run_cmd_nsb nettest -6 -D -s & 3186 sleep 1 3187 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6} 3188 log_test_addr ${a} $? 0 "Client, device send via cmsg" 3189 3190 log_start 3191 run_cmd_nsb nettest -6 -D -s & 3192 sleep 1 3193 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6} 3194 log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF" 3195 3196 log_start 3197 show_hint "Should fail 'Connection refused'" 3198 run_cmd nettest -6 -D -r ${a} 3199 log_test_addr ${a} $? 
1 "No server, unbound client" 3200 3201 log_start 3202 show_hint "Should fail 'Connection refused'" 3203 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3204 log_test_addr ${a} $? 1 "No server, device client" 3205 done 3206 3207 # 3208 # local address tests 3209 # 3210 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 3211 do 3212 log_start 3213 run_cmd nettest -6 -D -s & 3214 sleep 1 3215 run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a} 3216 log_test_addr ${a} $? 0 "Global server, local connection" 3217 done 3218 3219 a=${NSA_IP6} 3220 log_start 3221 run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} & 3222 sleep 1 3223 run_cmd nettest -6 -D -r ${a} 3224 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 3225 3226 for a in ${NSA_LO_IP6} ::1 3227 do 3228 log_start 3229 show_hint "Should fail 'Connection refused' since address is out of device scope" 3230 run_cmd nettest -6 -s -D -I ${NSA_DEV} & 3231 sleep 1 3232 run_cmd nettest -6 -D -r ${a} 3233 log_test_addr ${a} $? 1 "Device server, local connection" 3234 done 3235 3236 a=${NSA_IP6} 3237 log_start 3238 run_cmd nettest -6 -s -D & 3239 sleep 1 3240 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3241 log_test_addr ${a} $? 0 "Global server, device client, local connection" 3242 3243 log_start 3244 run_cmd nettest -6 -s -D & 3245 sleep 1 3246 run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a} 3247 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 3248 3249 log_start 3250 run_cmd nettest -6 -s -D & 3251 sleep 1 3252 run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a} 3253 log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection" 3254 3255 for a in ${NSA_LO_IP6} ::1 3256 do 3257 log_start 3258 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3259 run_cmd nettest -6 -D -s & 3260 sleep 1 3261 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3262 log_test_addr ${a} $? 
1 "Global server, device client, local connection" 3263 3264 log_start 3265 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3266 run_cmd nettest -6 -D -s & 3267 sleep 1 3268 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C 3269 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 3270 3271 log_start 3272 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3273 run_cmd nettest -6 -D -s & 3274 sleep 1 3275 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S 3276 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 3277 3278 log_start 3279 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3280 run_cmd nettest -6 -D -s & 3281 sleep 1 3282 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -U 3283 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()" 3284 done 3285 3286 a=${NSA_IP6} 3287 log_start 3288 run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} & 3289 sleep 1 3290 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a} 3291 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3292 3293 log_start 3294 show_hint "Should fail 'Connection refused'" 3295 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3296 log_test_addr ${a} $? 1 "No server, device client, local conn" 3297 3298 # LLA to GUA 3299 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3300 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3301 log_start 3302 run_cmd nettest -6 -s -D & 3303 sleep 1 3304 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3305 log_test $? 
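0 "UDP in - LLA to GUA"

	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}

# IPv6 UDP tests with ns-A's device enslaved to the VRF.
#
# Runs the server, client and local-connection permutations twice: first with
# net.ipv4.udp_l3mdev_accept=0 ("Global server disabled"), then with it set to
# 1 ("Global server enabled"). With the sysctl at 0 the tests expect a server
# socket that is not bound to the VRF or its device to be unreachable for
# traffic arriving through the VRF (rc 1); with it at 1 the same unbound
# server is expected to answer. That makes this function the regression check
# for VRF isolation of UDP sockets.
#
# NOTE(review): run_cmd / run_cmd_nsb are defined outside this section;
# presumably they run the command in ns-A / ns-B respectively.
ipv6_udp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server is disabled"
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"
	done

	# negative test - should fail
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server is disabled"
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "Global server, VRF client, local conn"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${VRF} -s &
		sleep 1
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
	done

	a=${NSA_IP6}
	log_start
	show_hint "Should fail 'Connection refused' since global server is disabled"
	run_cmd nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "Global server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"

	# enable global server: from here on an unbound socket is expected to
	# receive traffic that arrived through the VRF
	log_subsection "Global server enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"
	done

	# negative test - should fail
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client tests
	#
	log_start
	run_cmd_nsb nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
	log_test $? 0 "VRF client"

	# negative test - should fail
	log_start
	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
	log_test $? 1 "No server, VRF client"

	log_start
	run_cmd_nsb nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
	log_test $? 0 "Enslaved device client"

	# negative test - should fail
	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
	log_test $? 1 "No server, enslaved device client"

	#
	# local address tests
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

	# NOTE(review): log_start is commented out for this one case only; it
	# looks like a leftover, kept as found.
	#log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"


	a=${VRF_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${VRF} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"

	# negative test - should fail
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
	done

	# device to global IP
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "No server, device client, local conn"


	# link local addresses
	log_start
	run_cmd nettest -6 -D -s &
	sleep 1
	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
	log_test $? 0 "Global server, linklocal IP"

	log_start
	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
	log_test $? 1 "No server, linklocal IP"


	log_start
	run_cmd_nsb nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
	log_test $? 0 "Enslaved device client, linklocal IP"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
	log_test $? 1 "No server, device client, peer linklocal IP"


	log_start
	run_cmd nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
	log_test $? 0 "Enslaved device client, local conn - linklocal IP"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
	log_test $? 1 "No server, device client, local conn - linklocal IP"

	# LLA to GUA: ns-B temporarily loses its global address and gets a host
	# route to ns-A instead; both changes are undone after the test
	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -D &
	sleep 1
	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
	log_test $? 0 "UDP in - LLA to GUA"

	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}

# Entry point for the IPv6 UDP test set: the non-VRF tests run once with
# udp_l3mdev_accept disabled and once enabled, then the VRF tests run after
# setup "yes".
ipv6_udp()
{
	# should not matter, but set to known state
	set_sysctl net.ipv4.udp_early_demux=1

	log_section "IPv6/UDP"
	log_subsection "No VRF"
	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv6_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv6_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_udp_vrf
}

################################################################################
# IPv6 address bind

# Bind-only tests without a VRF: raw and TCP sockets bound to a local
# address, with and without a prior device bind, plus a raw-socket bind to the
# non-local address NL_IP6.
ipv6_addr_bind_novrf()
{
	# keep the loop variable out of the caller's scope
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# raw socket with nonlocal bind
	#
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"

	#
	# tcp sockets
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. So this test passes
	# when it really should not. The expected result documents current
	# kernel behaviour; a device bind must not be read as restricting
	# which local addresses the socket can use.
	a=${NSA_LO_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
}

# Bind-only tests with the VRF configured. Addresses on the enslaved device
# and on the VRF device are expected to bind (rc 0); the loopback address
# NSA_LO_IP6 is expected to be rejected (rc 1) because it is outside the VRF.
ipv6_addr_bind_vrf()
{
	# keep the loop variable out of the caller's scope
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"

	#
	# raw socket with nonlocal bind
	#
	a=${NL_IP6}
	log_start
	run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${VRF} -b
	log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"

	#
	# tcp sockets
	#
	# address on enslaved device is valid for the VRF or device in a VRF
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not
	a=${VRF_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"

}

# Entry point for the IPv6 bind test set: non-VRF case first, then with VRF.
ipv6_addr_bind()
{
	log_section "IPv6 address binds"

	log_subsection "No VRF"
	setup
	ipv6_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_addr_bind_vrf
}

################################################################################
# IPv6 runtime tests

# Delete the VRF device while nettest sockets are active on it.
#
# Arguments: $1 - description used in the test names
#            $2 - extra nettest arguments, appended to "-6"
#
# Every case is logged with rc 0 / expected 0, so the result line itself
# cannot fail; presumably a regression shows up as a kernel splat or hang
# rather than as a [FAIL] line. setup is re-run after each case because the
# VRF has just been deleted.
ipv6_rt()
{
	local desc="$1"
	# expanded unquoted below on purpose so the flags split into words
	local varg="-6 $2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${NSA_DEV} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, enslaved device server"

		setup ${with_vrf}
	done

	#
	# client test
	#
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, enslaved device client"

	setup ${with_vrf}


	#
	# local address tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server, VRF client"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -I ${VRF} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server and client"

		setup ${with_vrf}
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, global server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${VRF} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -I ${NSA_DEV} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, device server, device client"
}

# Delete the VRF device while a flood ping (-f) is running, once with the
# ping coming in from ns-B and once going out through the VRF. As in ipv6_rt
# the logged result is unconditionally rc 0 / expected 0.
ipv6_ping_rt()
{
	local with_vrf="yes"
	local a

	a=${NSA_IP6}
	log_start
	run_cmd_nsb ${ping6} -f ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

	setup ${with_vrf}

	log_start
	run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
	sleep 1
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

# Entry point for the IPv6 runtime test set; each sub-test starts from a
# fresh VRF setup because the previous one deleted the VRF device.
ipv6_runtime()
{
	log_section "Run time tests - ipv6"

	setup "yes"
	ipv6_ping_rt

	setup "yes"
	ipv6_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv6_rt "TCP passive socket" "-i"

	setup "yes"
	ipv6_rt "UDP active socket" "-D -n -1"
}

################################################################################
# netfilter blocking connections

# With the REJECT rule installed by ipv4_netfilter, a TCP client in ns-B is
# expected to fail (rc 1) against a global server in ns-A.
netfilter_tcp_reset()
{
	local a

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

# Same check for the icmp-port-unreachable rules.
# Arguments: $1 - "TCP" or "UDP"; "UDP" adds -D to the nettest calls
netfilter_icmp()
{
	local stype="$1"
	local arg
	local a

	[ "${stype}" = "UDP" ] && arg="-D"

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${arg} -s &
		sleep 1
		run_cmd_nsb nettest ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreachable"
	done
}

# IPv4 netfilter tests: install REJECT rules for port 12345 and verify that
# connections into the VRF are refused.
ipv4_netfilter()
{
	log_section "IPv4 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp_reset

	log_start
	log_subsection "ICMP unreachable"

	log_start
	run_cmd iptables -F
	run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
	run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable

	netfilter_icmp "TCP"
	netfilter_icmp "UDP"

	log_start
	# Flush through run_cmd like the rules above. A bare "iptables -F" acts
	# on the namespace the script itself runs in, so it would wipe the test
	# machine's own filter table and leave the test rules in place.
	# NOTE(review): run_cmd is defined outside this section; confirm it
	# executes in ns-A.
	run_cmd iptables -F
}

# IPv6 counterpart of netfilter_tcp_reset.
netfilter_tcp6_reset()
{
	local a

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

# IPv6 counterpart of netfilter_icmp.
# Arguments: $1 - "TCP" or "UDP"; "UDP" adds -D to the nettest calls
netfilter_icmp6()
{
	local stype="$1"
	local arg
	local a

	[ "${stype}" = "UDP" ] && arg="$arg -D"

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s ${arg} &
		sleep 1
		run_cmd_nsb nettest -6 ${arg} -r ${a}
		log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
	done
}

# IPv6 netfilter tests: install REJECT rules for port 12345 and verify that
# connections into the VRF are refused.
ipv6_netfilter()
{
	log_section "IPv6 Netfilter"
	log_subsection "TCP reset"

	setup "yes"
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset

	netfilter_tcp6_reset

	log_subsection "ICMP unreachable"

	log_start
	run_cmd ip6tables -F
	run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
	run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable

	netfilter_icmp6 "TCP"
	netfilter_icmp6 "UDP"

	log_start
	# Flush through run_cmd for the same reason as in ipv4_netfilter: a bare
	# "ip6tables -F" would flush the rules of the namespace the script runs
	# in rather than the test namespace's.
	# NOTE(review): run_cmd is defined outside this section; confirm it
	# executes in ns-A.
	run_cmd ip6tables -F
}

################################################################################
# specific use cases

# VRF only.
# ns-A device enslaved to bridge. Verify traffic with and without
# br_netfilter module loaded. Repeat with SVI on bridge.
#
# NOTE: rmmod/modprobe change the running kernel, not just the test
# namespaces. A br_netfilter module that was loaded before the test is
# removed, and the module is left loaded on return when the last modprobe
# succeeded.
use_case_br()
{
	setup "yes"

	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
	setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64

	setup_cmd ip link add br0 type bridge
	setup_cmd ip addr add dev br0 ${NSA_IP}/24
	setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad

	setup_cmd ip li set ${NSA_DEV} master br0
	setup_cmd ip li set ${NSA_DEV} up
	setup_cmd ip li set br0 up
	setup_cmd ip li set br0 vrf ${VRF}

	rmmod br_netfilter 2>/dev/null
	sleep 5 # DAD

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 ${NSA_IP}
	log_test $? 0 "Bridge into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
	log_test $? 0 "Bridge into VRF - IPv6 ping in"

	# the br_netfilter variants are skipped when the module cannot be loaded
	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out"

		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 ${NSA_IP}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
		log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in"
	fi

	setup_cmd ip li set br0 nomaster
	setup_cmd ip li add br0.100 link br0 type vlan id 100
	setup_cmd ip li set br0.100 vrf ${VRF} up
	setup_cmd ip addr add dev br0.100 172.16.101.1/24
	setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad

	setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
	setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
	setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
	setup_cmd_nsb ip li set vlan100 up
	sleep 1

	rmmod br_netfilter 2>/dev/null

	run_cmd ip neigh flush all
	run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping out"

	run_cmd ip neigh flush all
	run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping out"

	run_cmd ip neigh flush all
	run_cmd_nsb ping -c1 -w1 172.16.101.1
	log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"

	run_cmd ip neigh flush all
	run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
	log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"

	if modprobe br_netfilter; then
		run_cmd ip neigh flush all
		run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out"

		run_cmd ip neigh flush all
		run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out"

		# the two "ping in" names carry "with br_netfilter" so they can
		# be told apart from the runs without the module
		run_cmd ip neigh flush all
		run_cmd_nsb ping -c1 -w1 172.16.101.1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping in"

		run_cmd ip neigh flush all
		run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
		log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping in"
	fi

	setup_cmd ip li del br0 2>/dev/null
	setup_cmd_nsb ip li del vlan100 2>/dev/null
}

# VRF only.
# ns-A device is connected to both ns-B and ns-C on a single VRF but only has
# LLA on the interfaces
use_case_ping_lla_multi()
{
	setup_lla_only
	# only want reply from ns-A
	setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
	setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B"

	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C"

	# cycle/flap the first ns-A interface
	setup_cmd ip link set ${NSA_DEV} down
	setup_cmd ip link set ${NSA_DEV} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C"

	# cycle/flap the second ns-A interface
	setup_cmd ip link set ${NSA_DEV2} down
	setup_cmd ip link set ${NSA_DEV2} up
	sleep 1

	log_start
	run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
	log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B"
	run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
	log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C"
}

# Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully
# established with ns-B.
use_case_snat_on_vrf()
{
	setup "yes"

	local port="12345"

	run_cmd iptables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}

	run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} &
	sleep 1
	run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port}
	log_test $? 0 "IPv4 TCP connection over VRF with SNAT"

	run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} &
	sleep 1
	run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port}
	log_test $? 0 "IPv6 TCP connection over VRF with SNAT"

	# Cleanup: delete exactly the two rules added above instead of flushing
	run_cmd iptables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
	run_cmd ip6tables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
}

# Entry point for the "use_cases" test set.
use_cases()
{
	log_section "Use cases"
	log_subsection "Device enslaved to bridge"
	use_case_br
	log_subsection "Ping LLA with multiple interfaces"
	use_case_ping_lla_multi
	log_subsection "SNAT on VRF"
	use_case_snat_on_vrf
}

################################################################################
# usage

# Print the option summary and the known test names to stdout.
usage()
{
	cat <<EOF
usage: ${0##*/} OPTS

	-4          IPv4 tests only
	-6          IPv6 tests only
	-t <test>   Test name/set to run
	-p          Pause on fail
	-P          Pause after each test
	-v          Be verbose

Tests:
	$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER
EOF
}

################################################################################
# main

TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter"
TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter"
TESTS_OTHER="use_cases"

PAUSE_ON_FAIL=no
PAUSE=no

while getopts :46t:pPvh o
do
	case $o in
		4) TESTS=ipv4;;
		6) TESTS=ipv6;;
		t) TESTS=$OPTARG;;
		p) PAUSE_ON_FAIL=yes;;
		P) PAUSE=yes;;
		v) VERBOSE=1;;
		h) usage; exit 0;;
		*) usage; exit 1;;
	esac
done

# make sure we don't pause twice
[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no

#
# resolve the list of tests to run
#
if [ -z "$TESTS" ]; then
	TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
elif [ "$TESTS" = "ipv4" ]; then
	TESTS="$TESTS_IPV4"
elif [ "$TESTS" = "ipv6" ]; then
	TESTS="$TESTS_IPV6"
fi

# nettest can be run from PATH or from same directory as this selftest.
# The current directory is appended, not prepended: the tests run ip,
# iptables, modprobe and friends, and a same-named file in $PWD must not
# shadow the system binaries.
if ! command -v nettest >/dev/null; then
	PATH=$PATH:$PWD
	if ! command -v nettest >/dev/null; then
		echo "'nettest' command not found; skipping tests"
		exit $ksft_skip
	fi
fi

declare -i nfail=0
declare -i nsuccess=0

for t in $TESTS
do
	case $t in
	ipv4_ping|ping)  ipv4_ping;;
	ipv4_tcp|tcp)    ipv4_tcp;;
	ipv4_udp|udp)    ipv4_udp;;
	ipv4_bind|bind)  ipv4_addr_bind;;
	ipv4_runtime)    ipv4_runtime;;
	ipv4_netfilter)  ipv4_netfilter;;

	ipv6_ping|ping6) ipv6_ping;;
	ipv6_tcp|tcp6)   ipv6_tcp;;
	ipv6_udp|udp6)   ipv6_udp;;
	ipv6_bind|bind6) ipv6_addr_bind;;
	ipv6_runtime)    ipv6_runtime;;
	ipv6_netfilter)  ipv6_netfilter;;

	use_cases)       use_cases;;

	# setup namespaces and config, but do not run any tests
	setup)		 setup; exit 0;;
	vrf_setup)	 setup "yes"; exit 0;;
	esac
done

cleanup 2>/dev/null

printf "\nTests passed: %3d\n" ${nsuccess}
printf "Tests failed: %3d\n"   ${nfail}

if [ $nfail -ne 0 ]; then
	exit 1 # KSFT_FAIL
elif [ $nsuccess -eq 0 ]; then
	exit $ksft_skip
fi

exit 0 # KSFT_PASS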