xref: /linux/tools/testing/selftests/net/fib_rule_tests.sh (revision e31fd36da9c41f9f664e51a35860e9f606e81ef4) 
1#!/bin/bash
2# SPDX-License-Identifier: GPL-2.0
3
4# This test is for checking IPv4 and IPv6 FIB rules API
5
6source lib.sh
7ret=0
8PAUSE_ON_FAIL=${PAUSE_ON_FAIL:=no}
9
10RTABLE=100
11RTABLE_PEER=101
12RTABLE_VRF=102
13GW_IP4=192.51.100.2
14SRC_IP=192.51.100.3
15GW_IP6=2001:db8:1::2
16SRC_IP6=2001:db8:1::3
17
18DEV_ADDR=192.51.100.1
19DEV_ADDR6=2001:db8:1::1
20DEV=dummy0
21TESTS="
22	fib_rule6
23	fib_rule4
24	fib_rule6_connect
25	fib_rule4_connect
26	fib_rule6_vrf
27	fib_rule4_vrf
28"
29
30SELFTEST_PATH=""
31
32log_test()
33{
34	local rc=$1
35	local expected=$2
36	local msg="$3"
37
38	if [ ${rc} -eq ${expected} ]; then
39		nsuccess=$((nsuccess+1))
40		printf "    TEST: %-60s  [ OK ]\n" "${msg}"
41	else
42		ret=1
43		nfail=$((nfail+1))
44		printf "    TEST: %-60s  [FAIL]\n" "${msg}"
45		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
46			echo
47			echo "hit enter to continue, 'q' to quit"
48			read a
49			[ "$a" = "q" ] && exit 1
50		fi
51	fi
52}
53
54setup()
55{
56	set -e
57	setup_ns testns
58	IP="ip -netns $testns"
59
60	$IP link add dummy0 type dummy
61	$IP link set dev dummy0 up
62	$IP address add $DEV_ADDR/24 dev dummy0
63	$IP -6 address add $DEV_ADDR6/64 dev dummy0
64
65	set +e
66}
67
68cleanup()
69{
70	$IP link del dev dummy0 &> /dev/null
71	cleanup_ns $testns
72}
73
74setup_peer()
75{
76	set -e
77
78	setup_ns peerns
79	IP_PEER="ip -netns $peerns"
80	$IP_PEER link set dev lo up
81
82	ip link add name veth0 netns $testns type veth \
83		peer name veth1 netns $peerns
84	$IP link set dev veth0 up
85	$IP_PEER link set dev veth1 up
86
87	$IP address add 192.0.2.10 peer 192.0.2.11/32 dev veth0
88	$IP_PEER address add 192.0.2.11 peer 192.0.2.10/32 dev veth1
89
90	$IP address add 2001:db8::10 peer 2001:db8::11/128 dev veth0 nodad
91	$IP_PEER address add 2001:db8::11 peer 2001:db8::10/128 dev veth1 nodad
92
93	$IP_PEER address add 198.51.100.11/32 dev lo
94	$IP route add table $RTABLE_PEER 198.51.100.11/32 via 192.0.2.11
95
96	$IP_PEER address add 2001:db8::1:11/128 dev lo
97	$IP route add table $RTABLE_PEER 2001:db8::1:11/128 via 2001:db8::11
98
99	set +e
100}
101
102cleanup_peer()
103{
104	$IP link del dev veth0
105	ip netns del $peerns
106}
107
108setup_vrf()
109{
110	$IP link add name vrf0 up type vrf table $RTABLE_VRF
111	$IP link set dev $DEV master vrf0
112}
113
114cleanup_vrf()
115{
116	$IP link del dev vrf0
117}
118
119fib_check_iproute_support()
120{
121	ip rule help 2>&1 | grep -q $1
122	if [ $? -ne 0 ]; then
123		echo "SKIP: iproute2 iprule too old, missing $1 match"
124		return 1
125	fi
126
127	ip route get help 2>&1 | grep -q $2
128	if [ $? -ne 0 ]; then
129		echo "SKIP: iproute2 get route too old, missing $2 match"
130		return 1
131	fi
132
133	return 0
134}
135
136fib_rule6_del()
137{
138	$IP -6 rule del $1
139	log_test $? 0 "rule6 del $1"
140}
141
142fib_rule6_del_by_pref()
143{
144	pref=$($IP -6 rule show $1 table $RTABLE | cut -d ":" -f 1)
145	$IP -6 rule del pref $pref
146}
147
148fib_rule6_test_match_n_redirect()
149{
150	local match="$1"
151	local getmatch="$2"
152	local getnomatch="$3"
153	local description="$4"
154	local nomatch_description="$5"
155
156	$IP -6 rule add $match table $RTABLE
157	$IP -6 route get $GW_IP6 $getmatch | grep -q "table $RTABLE"
158	log_test $? 0 "rule6 check: $description"
159
160	$IP -6 route get $GW_IP6 $getnomatch 2>&1 | grep -q "table $RTABLE"
161	log_test $? 1 "rule6 check: $nomatch_description"
162
163	fib_rule6_del_by_pref "$match"
164	log_test $? 0 "rule6 del by pref: $description"
165}
166
167fib_rule6_test_reject()
168{
169	local match="$1"
170	local rc
171
172	$IP -6 rule add $match table $RTABLE 2>/dev/null
173	rc=$?
174	log_test $rc 2 "rule6 check: $match"
175
176	if [ $rc -eq 0 ]; then
177		$IP -6 rule del $match table $RTABLE
178	fi
179}
180
181fib_rule6_test()
182{
183	local ext_name=$1; shift
184	local getnomatch
185	local getmatch
186	local match
187	local cnt
188
189	echo
190	echo "IPv6 FIB rule tests $ext_name"
191
192	# setup the fib rule redirect route
193	$IP -6 route add table $RTABLE default via $GW_IP6 dev $DEV onlink
194
195	match="oif $DEV"
196	getnomatch="oif lo"
197	fib_rule6_test_match_n_redirect "$match" "$match" "$getnomatch" \
198		"oif redirect to table" "oif no redirect to table"
199
200	match="from $SRC_IP6 iif $DEV"
201	getnomatch="from $SRC_IP6 iif lo"
202	fib_rule6_test_match_n_redirect "$match" "$match" "$getnomatch" \
203		"iif redirect to table" "iif no redirect to table"
204
205	# Reject dsfield (tos) options which have ECN bits set
206	for cnt in $(seq 1 3); do
207		match="dsfield $cnt"
208		fib_rule6_test_reject "$match"
209	done
210
211	# Don't take ECN bits into account when matching on dsfield
212	match="tos 0x10"
213	for cnt in "0x10" "0x11" "0x12" "0x13"; do
214		# Using option 'tos' instead of 'dsfield' as old iproute2
215		# versions don't support 'dsfield' in ip rule show.
216		getmatch="tos $cnt"
217		getnomatch="tos 0x20"
218		fib_rule6_test_match_n_redirect "$match" "$getmatch" \
219			"$getnomatch" "$getmatch redirect to table" \
220			"$getnomatch no redirect to table"
221	done
222
223	# Re-test TOS matching, but with input routes since they are handled
224	# differently from output routes.
225	match="tos 0x10"
226	for cnt in "0x10" "0x11" "0x12" "0x13"; do
227		getmatch="tos $cnt"
228		getnomatch="tos 0x20"
229		fib_rule6_test_match_n_redirect "$match" \
230			"from $SRC_IP6 iif $DEV $getmatch" \
231			"from $SRC_IP6 iif $DEV $getnomatch" \
232			"iif $getmatch redirect to table" \
233			"iif $getnomatch no redirect to table"
234	done
235
236	match="fwmark 0x64"
237	getmatch="mark 0x64"
238	getnomatch="mark 0x63"
239	fib_rule6_test_match_n_redirect "$match" "$getmatch" "$getnomatch" \
240		"fwmark redirect to table" "fwmark no redirect to table"
241
242	fib_check_iproute_support "uidrange" "uid"
243	if [ $? -eq 0 ]; then
244		match="uidrange 100-100"
245		getmatch="uid 100"
246		getnomatch="uid 101"
247		fib_rule6_test_match_n_redirect "$match" "$getmatch" \
248			"$getnomatch" "uid redirect to table" \
249			"uid no redirect to table"
250	fi
251
252	fib_check_iproute_support "sport" "sport"
253	if [ $? -eq 0 ]; then
254		match="sport 666 dport 777"
255		getnomatch="sport 667 dport 778"
256		fib_rule6_test_match_n_redirect "$match" "$match" \
257			"$getnomatch" "sport and dport redirect to table" \
258			"sport and dport no redirect to table"
259
260		match="sport 100-200 dport 300-400"
261		getmatch="sport 100 dport 400"
262		getnomatch="sport 100 dport 401"
263		fib_rule6_test_match_n_redirect "$match" "$getmatch" \
264			"$getnomatch" \
265			"sport and dport range redirect to table" \
266			"sport and dport range no redirect to table"
267	fi
268
269	ip rule help 2>&1 | grep sport | grep -q MASK
270	if [ $? -eq 0 ]; then
271		match="sport 0x0f00/0xff00 dport 0x000f/0x00ff"
272		getmatch="sport 0x0f11 dport 0x220f"
273		getnomatch="sport 0x1f11 dport 0x221f"
274		fib_rule6_test_match_n_redirect "$match" "$getmatch" \
275			"$getnomatch" "sport and dport masked redirect to table" \
276			"sport and dport masked no redirect to table"
277	fi
278
279	fib_check_iproute_support "ipproto" "ipproto"
280	if [ $? -eq 0 ]; then
281		match="ipproto tcp"
282		getnomatch="ipproto udp"
283		fib_rule6_test_match_n_redirect "$match" "$match" \
284			"$getnomatch" "ipproto tcp match" "ipproto udp no match"
285	fi
286
287	fib_check_iproute_support "ipproto" "ipproto"
288	if [ $? -eq 0 ]; then
289		match="ipproto ipv6-icmp"
290		getnomatch="ipproto tcp"
291		fib_rule6_test_match_n_redirect "$match" "$match" \
292			"$getnomatch" "ipproto ipv6-icmp match" \
293			"ipproto ipv6-tcp no match"
294	fi
295
296	fib_check_iproute_support "dscp" "tos"
297	if [ $? -eq 0 ]; then
298		match="dscp 0x3f"
299		getmatch="tos 0xfc"
300		getnomatch="tos 0xf4"
301		fib_rule6_test_match_n_redirect "$match" "$getmatch" \
302			"$getnomatch" "dscp redirect to table" \
303			"dscp no redirect to table"
304
305		match="dscp 0x3f"
306		getmatch="from $SRC_IP6 iif $DEV tos 0xfc"
307		getnomatch="from $SRC_IP6 iif $DEV tos 0xf4"
308		fib_rule6_test_match_n_redirect "$match" "$getmatch" \
309			"$getnomatch" "iif dscp redirect to table" \
310			"iif dscp no redirect to table"
311	fi
312
313	ip rule help 2>&1 | grep -q "DSCP\[/MASK\]"
314	if [ $? -eq 0 ]; then
315		match="dscp 0x0f/0x0f"
316		tosmatch=$(printf 0x"%x" $((0x1f << 2)))
317		tosnomatch=$(printf 0x"%x" $((0x1e << 2)))
318		getmatch="tos $tosmatch"
319		getnomatch="tos $tosnomatch"
320		fib_rule6_test_match_n_redirect "$match" "$getmatch" \
321			"$getnomatch" "dscp masked redirect to table" \
322			"dscp masked no redirect to table"
323
324		match="dscp 0x0f/0x0f"
325		getmatch="from $SRC_IP6 iif $DEV tos $tosmatch"
326		getnomatch="from $SRC_IP6 iif $DEV tos $tosnomatch"
327		fib_rule6_test_match_n_redirect "$match" "$getmatch" \
328			"$getnomatch" "iif dscp masked redirect to table" \
329			"iif dscp masked no redirect to table"
330	fi
331
332	fib_check_iproute_support "flowlabel" "flowlabel"
333	if [ $? -eq 0 ]; then
334		match="flowlabel 0xfffff"
335		getmatch="flowlabel 0xfffff"
336		getnomatch="flowlabel 0xf"
337		fib_rule6_test_match_n_redirect "$match" "$getmatch" \
338			"$getnomatch" "flowlabel redirect to table" \
339			"flowlabel no redirect to table"
340
341		match="flowlabel 0xfffff"
342		getmatch="from $SRC_IP6 iif $DEV flowlabel 0xfffff"
343		getnomatch="from $SRC_IP6 iif $DEV flowlabel 0xf"
344		fib_rule6_test_match_n_redirect "$match" "$getmatch" \
345			"$getnomatch" "iif flowlabel redirect to table" \
346			"iif flowlabel no redirect to table"
347
348		match="flowlabel 0x08000/0x08000"
349		getmatch="flowlabel 0xfffff"
350		getnomatch="flowlabel 0xf7fff"
351		fib_rule6_test_match_n_redirect "$match" "$getmatch" \
352			"$getnomatch" "flowlabel masked redirect to table" \
353			"flowlabel masked no redirect to table"
354
355		match="flowlabel 0x08000/0x08000"
356		getmatch="from $SRC_IP6 iif $DEV flowlabel 0xfffff"
357		getnomatch="from $SRC_IP6 iif $DEV flowlabel 0xf7fff"
358		fib_rule6_test_match_n_redirect "$match" "$getmatch" \
359			"$getnomatch" "iif flowlabel masked redirect to table" \
360			"iif flowlabel masked no redirect to table"
361	fi
362}
363
364fib_rule6_vrf_test()
365{
366	setup_vrf
367	fib_rule6_test "- with VRF"
368	cleanup_vrf
369}
370
371# Verify that the IPV6_TCLASS option of UDPv6 and TCPv6 sockets is properly
372# taken into account when connecting the socket and when sending packets.
373fib_rule6_connect_test()
374{
375	local dsfield
376
377	echo
378	echo "IPv6 FIB rule connect tests"
379
380	setup_peer
381	$IP -6 rule add dsfield 0x04 table $RTABLE_PEER
382
383	# Combine the base DS Field value (0x04) with all possible ECN values
384	# (Not-ECT: 0, ECT(1): 1, ECT(0): 2, CE: 3).
385	# The ECN bits shouldn't influence the result of the test.
386	for dsfield in 0x04 0x05 0x06 0x07; do
387		nettest -q -6 -B -t 5 -N $testns -O $peerns -U -D \
388			-Q "${dsfield}" -l 2001:db8::1:11 -r 2001:db8::1:11
389		log_test $? 0 "rule6 dsfield udp connect (dsfield ${dsfield})"
390
391		nettest -q -6 -B -t 5 -N $testns -O $peerns -Q "${dsfield}" \
392			-l 2001:db8::1:11 -r 2001:db8::1:11
393		log_test $? 0 "rule6 dsfield tcp connect (dsfield ${dsfield})"
394	done
395
396	# Check that UDP and TCP connections fail when using a DS Field that
397	# does not match the previously configured FIB rule.
398	nettest -q -6 -B -t 5 -N $testns -O $peerns -U -D \
399		-Q 0x20 -l 2001:db8::1:11 -r 2001:db8::1:11
400	log_test $? 1 "rule6 dsfield udp no connect (dsfield 0x20)"
401
402	nettest -q -6 -B -t 5 -N $testns -O $peerns -Q 0x20 \
403		-l 2001:db8::1:11 -r 2001:db8::1:11
404	log_test $? 1 "rule6 dsfield tcp no connect (dsfield 0x20)"
405
406	$IP -6 rule del dsfield 0x04 table $RTABLE_PEER
407
408	ip rule help 2>&1 | grep -q dscp
409	if [ $? -ne 0 ]; then
410		echo "SKIP: iproute2 iprule too old, missing dscp match"
411		cleanup_peer
412		return
413	fi
414
415	$IP -6 rule add dscp 0x3f table $RTABLE_PEER
416
417	nettest -q -6 -B -t 5 -N $testns -O $peerns -U -D -Q 0xfc \
418		-l 2001:db8::1:11 -r 2001:db8::1:11
419	log_test $? 0 "rule6 dscp udp connect"
420
421	nettest -q -6 -B -t 5 -N $testns -O $peerns -Q 0xfc \
422		-l 2001:db8::1:11 -r 2001:db8::1:11
423	log_test $? 0 "rule6 dscp tcp connect"
424
425	nettest -q -6 -B -t 5 -N $testns -O $peerns -U -D -Q 0xf4 \
426		-l 2001:db8::1:11 -r 2001:db8::1:11
427	log_test $? 1 "rule6 dscp udp no connect"
428
429	nettest -q -6 -B -t 5 -N $testns -O $peerns -Q 0xf4 \
430		-l 2001:db8::1:11 -r 2001:db8::1:11
431	log_test $? 1 "rule6 dscp tcp no connect"
432
433	$IP -6 rule del dscp 0x3f table $RTABLE_PEER
434
435	cleanup_peer
436}
437
438fib_rule4_del()
439{
440	$IP rule del $1
441	log_test $? 0 "del $1"
442}
443
444fib_rule4_del_by_pref()
445{
446	pref=$($IP rule show $1 table $RTABLE | cut -d ":" -f 1)
447	$IP rule del pref $pref
448}
449
450fib_rule4_test_match_n_redirect()
451{
452	local match="$1"
453	local getmatch="$2"
454	local getnomatch="$3"
455	local description="$4"
456	local nomatch_description="$5"
457
458	$IP rule add $match table $RTABLE
459	$IP route get $GW_IP4 $getmatch | grep -q "table $RTABLE"
460	log_test $? 0 "rule4 check: $description"
461
462	$IP route get $GW_IP4 $getnomatch 2>&1 | grep -q "table $RTABLE"
463	log_test $? 1 "rule4 check: $nomatch_description"
464
465	fib_rule4_del_by_pref "$match"
466	log_test $? 0 "rule4 del by pref: $description"
467}
468
469fib_rule4_test_reject()
470{
471	local match="$1"
472	local rc
473
474	$IP rule add $match table $RTABLE 2>/dev/null
475	rc=$?
476	log_test $rc 2 "rule4 check: $match"
477
478	if [ $rc -eq 0 ]; then
479		$IP rule del $match table $RTABLE
480	fi
481}
482
483fib_rule4_test()
484{
485	local ext_name=$1; shift
486	local getnomatch
487	local getmatch
488	local match
489	local cnt
490
491	echo
492	echo "IPv4 FIB rule tests $ext_name"
493
494	# setup the fib rule redirect route
495	$IP route add table $RTABLE default via $GW_IP4 dev $DEV onlink
496
497	match="oif $DEV"
498	getnomatch="oif lo"
499	fib_rule4_test_match_n_redirect "$match" "$match" "$getnomatch" \
500		"oif redirect to table" "oif no redirect to table"
501
502	# Enable forwarding and disable rp_filter as all the addresses are in
503	# the same subnet and egress device == ingress device.
504	ip netns exec $testns sysctl -qw net.ipv4.ip_forward=1
505	ip netns exec $testns sysctl -qw net.ipv4.conf.$DEV.rp_filter=0
506	match="from $SRC_IP iif $DEV"
507	getnomatch="from $SRC_IP iif lo"
508	fib_rule4_test_match_n_redirect "$match" "$match" "$getnomatch" \
509		"iif redirect to table" "iif no redirect to table"
510
511	# Reject dsfield (tos) options which have ECN bits set
512	for cnt in $(seq 1 3); do
513		match="dsfield $cnt"
514		fib_rule4_test_reject "$match"
515	done
516
517	# Don't take ECN bits into account when matching on dsfield
518	match="tos 0x10"
519	for cnt in "0x10" "0x11" "0x12" "0x13"; do
520		# Using option 'tos' instead of 'dsfield' as old iproute2
521		# versions don't support 'dsfield' in ip rule show.
522		getmatch="tos $cnt"
523		getnomatch="tos 0x20"
524		fib_rule4_test_match_n_redirect "$match" "$getmatch" \
525			"$getnomatch" "$getmatch redirect to table" \
526			"$getnomatch no redirect to table"
527	done
528
529	# Re-test TOS matching, but with input routes since they are handled
530	# differently from output routes.
531	match="tos 0x10"
532	for cnt in "0x10" "0x11" "0x12" "0x13"; do
533		getmatch="tos $cnt"
534		getnomatch="tos 0x20"
535		fib_rule4_test_match_n_redirect "$match" \
536			"from $SRC_IP iif $DEV $getmatch" \
537			"from $SRC_IP iif $DEV $getnomatch" \
538			"iif $getmatch redirect to table" \
539			"iif $getnomatch no redirect to table"
540	done
541
542	match="fwmark 0x64"
543	getmatch="mark 0x64"
544	getnomatch="mark 0x63"
545	fib_rule4_test_match_n_redirect "$match" "$getmatch" "$getnomatch" \
546		"fwmark redirect to table" "fwmark no redirect to table"
547
548	fib_check_iproute_support "uidrange" "uid"
549	if [ $? -eq 0 ]; then
550		match="uidrange 100-100"
551		getmatch="uid 100"
552		getnomatch="uid 101"
553		fib_rule4_test_match_n_redirect "$match" "$getmatch" \
554			"$getnomatch" "uid redirect to table" \
555			"uid no redirect to table"
556	fi
557
558	fib_check_iproute_support "sport" "sport"
559	if [ $? -eq 0 ]; then
560		match="sport 666 dport 777"
561		getnomatch="sport 667 dport 778"
562		fib_rule4_test_match_n_redirect "$match" "$match" \
563			"$getnomatch" "sport and dport redirect to table" \
564			"sport and dport no redirect to table"
565
566		match="sport 100-200 dport 300-400"
567		getmatch="sport 100 dport 400"
568		getnomatch="sport 100 dport 401"
569		fib_rule4_test_match_n_redirect "$match" "$getmatch" \
570			"$getnomatch" \
571			"sport and dport range redirect to table" \
572			"sport and dport range no redirect to table"
573	fi
574
575	ip rule help 2>&1 | grep sport | grep -q MASK
576	if [ $? -eq 0 ]; then
577		match="sport 0x0f00/0xff00 dport 0x000f/0x00ff"
578		getmatch="sport 0x0f11 dport 0x220f"
579		getnomatch="sport 0x1f11 dport 0x221f"
580		fib_rule4_test_match_n_redirect "$match" "$getmatch" \
581			"$getnomatch" "sport and dport masked redirect to table" \
582			"sport and dport masked no redirect to table"
583	fi
584
585	fib_check_iproute_support "ipproto" "ipproto"
586	if [ $? -eq 0 ]; then
587		match="ipproto tcp"
588		getnomatch="ipproto udp"
589		fib_rule4_test_match_n_redirect "$match" "$match" \
590			"$getnomatch" "ipproto tcp match" \
591			"ipproto udp no match"
592	fi
593
594	fib_check_iproute_support "ipproto" "ipproto"
595	if [ $? -eq 0 ]; then
596		match="ipproto icmp"
597		getnomatch="ipproto tcp"
598		fib_rule4_test_match_n_redirect "$match" "$match" \
599			"$getnomatch" "ipproto icmp match" \
600			"ipproto tcp no match"
601	fi
602
603	fib_check_iproute_support "dscp" "tos"
604	if [ $? -eq 0 ]; then
605		match="dscp 0x3f"
606		getmatch="tos 0xfc"
607		getnomatch="tos 0xf4"
608		fib_rule4_test_match_n_redirect "$match" "$getmatch" \
609			"$getnomatch" "dscp redirect to table" \
610			"dscp no redirect to table"
611
612		match="dscp 0x3f"
613		getmatch="from $SRC_IP iif $DEV tos 0xfc"
614		getnomatch="from $SRC_IP iif $DEV tos 0xf4"
615		fib_rule4_test_match_n_redirect "$match" "$getmatch" \
616			"$getnomatch" "iif dscp redirect to table" \
617			"iif dscp no redirect to table"
618	fi
619
620	ip rule help 2>&1 | grep -q "DSCP\[/MASK\]"
621	if [ $? -eq 0 ]; then
622		match="dscp 0x0f/0x0f"
623		tosmatch=$(printf 0x"%x" $((0x1f << 2)))
624		tosnomatch=$(printf 0x"%x" $((0x1e << 2)))
625		getmatch="tos $tosmatch"
626		getnomatch="tos $tosnomatch"
627		fib_rule4_test_match_n_redirect "$match" "$getmatch" \
628			"$getnomatch" "dscp masked redirect to table" \
629			"dscp masked no redirect to table"
630
631		match="dscp 0x0f/0x0f"
632		getmatch="from $SRC_IP iif $DEV tos $tosmatch"
633		getnomatch="from $SRC_IP iif $DEV tos $tosnomatch"
634		fib_rule4_test_match_n_redirect "$match" "$getmatch" \
635			"$getnomatch" "iif dscp masked redirect to table" \
636			"iif dscp masked no redirect to table"
637	fi
638}
639
640fib_rule4_vrf_test()
641{
642	setup_vrf
643	fib_rule4_test "- with VRF"
644	cleanup_vrf
645}
646
647# Verify that the IP_TOS option of UDPv4 and TCPv4 sockets is properly taken
648# into account when connecting the socket and when sending packets.
649fib_rule4_connect_test()
650{
651	local dsfield
652
653	echo
654	echo "IPv4 FIB rule connect tests"
655
656	setup_peer
657	$IP -4 rule add dsfield 0x04 table $RTABLE_PEER
658
659	# Combine the base DS Field value (0x04) with all possible ECN values
660	# (Not-ECT: 0, ECT(1): 1, ECT(0): 2, CE: 3).
661	# The ECN bits shouldn't influence the result of the test.
662	for dsfield in 0x04 0x05 0x06 0x07; do
663		nettest -q -B -t 5 -N $testns -O $peerns -D -U -Q "${dsfield}" \
664			-l 198.51.100.11 -r 198.51.100.11
665		log_test $? 0 "rule4 dsfield udp connect (dsfield ${dsfield})"
666
667		nettest -q -B -t 5 -N $testns -O $peerns -Q "${dsfield}" \
668			-l 198.51.100.11 -r 198.51.100.11
669		log_test $? 0 "rule4 dsfield tcp connect (dsfield ${dsfield})"
670	done
671
672	# Check that UDP and TCP connections fail when using a DS Field that
673	# does not match the previously configured FIB rule.
674	nettest -q -B -t 5 -N $testns -O $peerns -D -U -Q 0x20 \
675		-l 198.51.100.11 -r 198.51.100.11
676	log_test $? 1 "rule4 dsfield udp no connect (dsfield 0x20)"
677
678	nettest -q -B -t 5 -N $testns -O $peerns -Q 0x20 \
679		-l 198.51.100.11 -r 198.51.100.11
680	log_test $? 1 "rule4 dsfield tcp no connect (dsfield 0x20)"
681
682	$IP -4 rule del dsfield 0x04 table $RTABLE_PEER
683
684	ip rule help 2>&1 | grep -q dscp
685	if [ $? -ne 0 ]; then
686		echo "SKIP: iproute2 iprule too old, missing dscp match"
687		cleanup_peer
688		return
689	fi
690
691	$IP -4 rule add dscp 0x3f table $RTABLE_PEER
692
693	nettest -q -B -t 5 -N $testns -O $peerns -D -U -Q 0xfc \
694		-l 198.51.100.11 -r 198.51.100.11
695	log_test $? 0 "rule4 dscp udp connect"
696
697	nettest -q -B -t 5 -N $testns -O $peerns -Q 0xfc \
698		-l 198.51.100.11 -r 198.51.100.11
699	log_test $? 0 "rule4 dscp tcp connect"
700
701	nettest -q -B -t 5 -N $testns -O $peerns -D -U -Q 0xf4 \
702		-l 198.51.100.11 -r 198.51.100.11
703	log_test $? 1 "rule4 dscp udp no connect"
704
705	nettest -q -B -t 5 -N $testns -O $peerns -Q 0xf4 \
706		-l 198.51.100.11 -r 198.51.100.11
707	log_test $? 1 "rule4 dscp tcp no connect"
708
709	$IP -4 rule del dscp 0x3f table $RTABLE_PEER
710
711	cleanup_peer
712}
713################################################################################
714# usage
715
716usage()
717{
718	cat <<EOF
719usage: ${0##*/} OPTS
720
721        -t <test>   Test(s) to run (default: all)
722                    (options: $TESTS)
723EOF
724}
725
726################################################################################
727# main
728
729while getopts ":t:h" opt; do
730	case $opt in
731		t) TESTS=$OPTARG;;
732		h) usage; exit 0;;
733		*) usage; exit 1;;
734	esac
735done
736
737if [ "$(id -u)" -ne 0 ];then
738	echo "SKIP: Need root privileges"
739	exit $ksft_skip
740fi
741
742if [ ! -x "$(command -v ip)" ]; then
743	echo "SKIP: Could not run test without ip tool"
744	exit $ksft_skip
745fi
746
747check_gen_prog "nettest"
748
749# start clean
750cleanup &> /dev/null
751setup
752for t in $TESTS
753do
754	case $t in
755	fib_rule6_test|fib_rule6)		fib_rule6_test;;
756	fib_rule4_test|fib_rule4)		fib_rule4_test;;
757	fib_rule6_connect_test|fib_rule6_connect)	fib_rule6_connect_test;;
758	fib_rule4_connect_test|fib_rule4_connect)	fib_rule4_connect_test;;
759	fib_rule6_vrf_test|fib_rule6_vrf)	fib_rule6_vrf_test;;
760	fib_rule4_vrf_test|fib_rule4_vrf)	fib_rule4_vrf_test;;
761
762	help) echo "Test names: $TESTS"; exit 0;;
763
764	esac
765done
766cleanup
767
768if [ "$TESTS" != "none" ]; then
769	printf "\nTests passed: %3d\n" ${nsuccess}
770	printf "Tests failed: %3d\n"   ${nfail}
771fi
772
773exit $ret
774