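#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
#
# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
# for various permutations:
#   1. icmp, tcp, udp and netfilter
#   2. client, server, no-server
#   3. global address on interface
#   4. global address on 'lo'
#   5. remote and local traffic
#   6. VRF and non-VRF permutations
#
# Setup:
#                     ns-A     |     ns-B
# No VRF case:
#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
#                                                remote address
# VRF case:
#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
#
# ns-A:
#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
#       lo: 127.0.0.1/8, ::1/128
#           172.16.2.1/32, 2001:db8:2::1/128
#      red: 127.0.0.1/8, ::1/128
#           172.16.3.1/32, 2001:db8:3::1/128
#
# ns-B:
#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
#      lo2: 127.0.0.1/8, ::1/128
#           172.16.2.2/32, 2001:db8:2::2/128
#
# ns-A to ns-C connection - only for VRF and same config
# as ns-A to ns-B
#
# server / client nomenclature relative to ns-A

VERBOSE=0

NSA_DEV=eth1
NSA_DEV2=eth2
NSB_DEV=eth1
NSC_DEV=eth2
VRF=red
VRF_TABLE=1101

# IPv4 config
NSA_IP=172.16.1.1
NSB_IP=172.16.1.2
VRF_IP=172.16.3.1
NS_NET=172.16.1.0/24

# IPv6 config
NSA_IP6=2001:db8:1::1
NSB_IP6=2001:db8:1::2
VRF_IP6=2001:db8:3::1
NS_NET6=2001:db8:1::/120

NSA_LO_IP=172.16.2.1
NSB_LO_IP=172.16.2.2
NSA_LO_IP6=2001:db8:2::1
NSB_LO_IP6=2001:db8:2::2

# Keys handed to 'nettest -M' by the MD5 test groups. They are fixed test
# fixtures used only between the test namespaces, not credentials.
# MD5_WRONG_PW is a second, different key used for the mismatch cases.
MD5_PW=abc123
MD5_WRONG_PW=abc1234

MCAST=ff02::1
# set after namespace create
NSA_LINKIP6=
NSB_LINKIP6=

NSA=ns-A
NSB=ns-B
NSC=ns-C

# Command prefixes that run a program inside each namespace.
NSA_CMD="ip netns exec ${NSA}"
NSB_CMD="ip netns exec ${NSB}"
NSC_CMD="ip netns exec ${NSC}"

# Use a separate ping6 binary when one is installed, otherwise fall back to
# ping. 'command -v' is a shell builtin, so the lookup does not depend on
# 'which' being installed.
if command -v ping6 >/dev/null 2>&1; then
	ping6=$(command -v ping6)
else
	ping6=$(command -v ping)
fi

# Check if FIPS mode is enabled. The MD5 test groups are skipped when this
# reads 1 (presumably because MD5 is not usable in that mode - confirm).
if [ -f /proc/sys/crypto/fips_enabled ]; then
	fips_enabled=$(cat /proc/sys/crypto/fips_enabled)
else
	fips_enabled=0
fi
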
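################################################################################
# utilities

# Record one test result and print its TEST line.
#   $1 - exit status the command under test returned
#   $2 - exit status the test expects
#   $3 - description shown in the TEST line
# Increments the global nsuccess or nfail counter, honours PAUSE_ON_FAIL and
# PAUSE, then calls kill_procs.
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"
	# The prompt answer is kept local. Callers use 'a' as their address
	# variable, and with bash's dynamic scoping a bare 'read a' here
	# would overwrite it after the first pause.
	local ans

	[ "${VERBOSE}" = "1" ] && echo

	if [ "${rc}" -eq "${expected}" ]; then
		nsuccess=$((nsuccess+1))
		printf "TEST: %-70s [ OK ]\n" "${msg}"
	else
		nfail=$((nfail+1))
		printf "TEST: %-70s [FAIL]\n" "${msg}"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue, 'q' to quit"
			read -r ans
			[ "$ans" = "q" ] && exit 1
		fi
	fi

	if [ "${PAUSE}" = "yes" ]; then
		echo
		echo "hit enter to continue, 'q' to quit"
		read -r ans
		[ "$ans" = "q" ] && exit 1
	fi

	kill_procs
}

# Like log_test, with the address under test appended to the description.
#   $1 - address, translated to a label by addr2str
#   $2 - actual exit status
#   $3 - expected exit status
#   $4 - description
log_test_addr()
{
	local addr=$1
	local rc=$2
	local expected=$3
	local msg="$4"
	local astr

	astr=$(addr2str "${addr}")
	log_test "$rc" "$expected" "$msg - ${astr}"
}

# Print a banner for a top-level group of tests.
log_section()
{
	echo
	echo "###########################################################################"
	echo "$*"
	echo "###########################################################################"
	echo
}

# Print a banner for a sub-group of tests.
log_subsection()
{
	echo
	echo "#################################################################"
	echo "$*"
	echo
}

# Called before each test case: stop leftover helpers and, when VERBOSE=1,
# print a separator.
log_start()
{
	# make sure we have no test instances running
	kill_procs

	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "#######################################################"
	fi
}

# Print a message only when VERBOSE=1.
log_debug()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "$*"
		echo
	fi
}

# Print a "HINT:" line describing the expected outcome, only when VERBOSE=1.
show_hint()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo "HINT: $*"
		echo
	fi
}

# Stop leftover test helpers, then wait a second.
# killall selects processes by name, not by network namespace, so this also
# ends unrelated nettest/ping/ping6 processes that the invoking user is
# allowed to signal on the host. Run the suite on a dedicated test machine.
kill_procs()
{
	killall nettest ping ping6 >/dev/null 2>&1
	sleep 1
}

# Run a command, capturing stdout and stderr; echo the command and its output
# only when VERBOSE=1. Returns the command's exit status.
# The arguments are joined into one string and re-split on whitespace (and
# glob-expanded) before execution, so an argument containing spaces does not
# reach the program as a single word. Pass only fixed, space-free words.
# rc is not declared local here, so it stays visible to callers after return.
# NOTE(review): confirm nothing depends on that before making it local.
do_run_cmd()
{
	local cmd="$*"
	local out

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${cmd}"
	fi

	out=$($cmd 2>&1)
	rc=$?
	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		echo "$out"
	fi

	return $rc
}

# Run a command inside ns-A.
run_cmd()
{
	do_run_cmd ${NSA_CMD} $*
}

# Run a command inside ns-B.
run_cmd_nsb()
{
	do_run_cmd ${NSB_CMD} $*
}

# Run a command inside ns-C.
run_cmd_nsc()
{
	do_run_cmd ${NSC_CMD} $*
}

# Run a setup command through the given run_cmd* wrapper; exit the script with
# the command's status if it fails.
#   $1   - wrapper function name (run_cmd, run_cmd_nsb or run_cmd_nsc)
#   $2.. - command and arguments
_setup_cmd()
{
	local runner=$1
	shift
	local cmd="$*"
	local rc
	local ans

	${runner} ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		# show user the command if not done so already
		if [ "$VERBOSE" = "0" ]; then
			echo "setup command: $cmd"
		fi
		echo "failed. stopping tests"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue"
			read -r ans
		fi
		exit $rc
	fi
}

# Setup command in ns-A; a failure stops the whole test run.
setup_cmd()
{
	_setup_cmd run_cmd "$@"
}

# Setup command in ns-B; a failure stops the whole test run.
setup_cmd_nsb()
{
	_setup_cmd run_cmd_nsb "$@"
}

# Setup command in ns-C; a failure stops the whole test run.
setup_cmd_nsc()
{
	_setup_cmd run_cmd_nsc "$@"
}

# set sysctl values in NS-A
# The arguments are word-split again on their way to sysctl, so a value that
# contains a space arrives as separate words.
# NOTE(review): confirm that settings with such values actually take effect.
set_sysctl()
{
	echo "SYSCTL: $*"
	echo
	run_cmd sysctl -q -w $*
}

################################################################################
# Setup for tests

# Translate an address used by the tests into the label shown in TEST lines.
# Link-local and multicast patterns also match an address with a %<dev> suffix.
# Prints "unknown" for anything else.
addr2str()
{
	case "$1" in
	127.0.0.1) echo "loopback";;
	::1) echo "IPv6 loopback";;

	${NSA_IP})	echo "ns-A IP";;
	${NSA_IP6})	echo "ns-A IPv6";;
	${NSA_LO_IP})	echo "ns-A loopback IP";;
	${NSA_LO_IP6})	echo "ns-A loopback IPv6";;
	${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;

	${NSB_IP})	echo "ns-B IP";;
	${NSB_IP6})	echo "ns-B IPv6";;
	${NSB_LO_IP})	echo "ns-B loopback IP";;
	${NSB_LO_IP6})	echo "ns-B loopback IPv6";;
	${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;

	${VRF_IP})	echo "VRF IP";;
	${VRF_IP6})	echo "VRF IPv6";;

	${MCAST}%*)	echo "multicast IP";;

	*) echo "unknown";;
	esac
}

# Print the fe80 link-local address of a device, without the prefix length.
#   $1 - namespace name
#   $2 - device name
# Returns 1 and prints nothing when no such address is found.
get_linklocal()
{
	local ns=$1
	local dev=$2
	local addr

	addr=$(ip -netns ${ns} -6 -br addr show dev ${dev} | \
	awk '{
		for (i = 3; i <= NF; ++i) {
			if ($i ~ /^fe80/)
				print $i
		}
	}'
	)
	# drop everything from the first '/' onwards
	addr=${addr/\/*}

	[ -z "$addr" ] && return 1

	echo "$addr"

	return 0
}

################################################################################
# create namespaces and vrf

# Create a VRF device in a namespace and give it loopback-style addresses.
#   $1 - namespace name
#   $2 - VRF device name
#   $3 - routing table id for the VRF
#   $4 - IPv4 address to add to the VRF device, or "-" for none
#   $5 - IPv6 address to add to the VRF device, or "-" for none
create_vrf()
{
	local ns=$1
	local vrf=$2
	local table=$3
	local addr=$4
	local addr6=$5

	ip -netns ${ns} link add ${vrf} type vrf table ${table}
	ip -netns ${ns} link set ${vrf} up
	# default routes in the VRF table that report "unreachable"
	ip -netns ${ns} route add vrf ${vrf} unreachable default metric 8192
	ip -netns ${ns} -6 route add vrf ${vrf} unreachable default metric 8192

	ip -netns ${ns} addr add 127.0.0.1/8 dev ${vrf}
	ip -netns ${ns} -6 addr add ::1 dev ${vrf} nodad
	if [ "${addr}" != "-" ]; then
		ip -netns ${ns} addr add dev ${vrf} ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns ${ns} -6 addr add dev ${vrf} ${addr6}
	fi

	# move the 'local' table lookup from pref 0 to pref 32765 for both
	# families (presumably so the VRF rule is consulted first - confirm)
	ip -netns ${ns} ru del pref 0
	ip -netns ${ns} ru add pref 32765 from all lookup local
	ip -netns ${ns} -6 ru del pref 0
	ip -netns ${ns} -6 ru add pref 32765 from all lookup local
}

# Create a namespace, bring up 'lo' and enable forwarding in it.
#   $1 - namespace name
#   $2 - IPv4 address to add to lo, or "-" for none
#   $3 - IPv6 address to add to lo, or "-" for none
create_ns()
{
	local ns=$1
	local addr=$2
	local addr6=$3

	ip netns add ${ns}

	ip -netns ${ns} link set lo up
	if [ "${addr}" != "-" ]; then
		ip -netns ${ns} addr add dev lo ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns ${ns} -6 addr add dev lo ${addr6}
	fi

	# default routes that report "unreachable" when nothing more
	# specific matches
	ip -netns ${ns} ro add unreachable default metric 8192
	ip -netns ${ns} -6 ro add unreachable default metric 8192

	ip netns exec ${ns} sysctl -qw net.ipv4.ip_forward=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.forwarding=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.forwarding=1
}

# create veth pair to connect namespaces and apply addresses.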
406connect_ns() 407{ 408 local ns1=$1 409 local ns1_dev=$2 410 local ns1_addr=$3 411 local ns1_addr6=$4 412 local ns2=$5 413 local ns2_dev=$6 414 local ns2_addr=$7 415 local ns2_addr6=$8 416 417 ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp 418 ip -netns ${ns1} li set ${ns1_dev} up 419 ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev} 420 ip -netns ${ns2} li set ${ns2_dev} up 421 422 if [ "${ns1_addr}" != "-" ]; then 423 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr} 424 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr} 425 fi 426 427 if [ "${ns1_addr6}" != "-" ]; then 428 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6} 429 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6} 430 fi 431} 432 433cleanup() 434{ 435 # explicit cleanups to check those code paths 436 ip netns | grep -q ${NSA} 437 if [ $? -eq 0 ]; then 438 ip -netns ${NSA} link delete ${VRF} 439 ip -netns ${NSA} ro flush table ${VRF_TABLE} 440 441 ip -netns ${NSA} addr flush dev ${NSA_DEV} 442 ip -netns ${NSA} -6 addr flush dev ${NSA_DEV} 443 ip -netns ${NSA} link set dev ${NSA_DEV} down 444 ip -netns ${NSA} link del dev ${NSA_DEV} 445 446 ip netns pids ${NSA} | xargs kill 2>/dev/null 447 ip netns del ${NSA} 448 fi 449 450 ip netns pids ${NSB} | xargs kill 2>/dev/null 451 ip netns del ${NSB} 452 ip netns pids ${NSC} | xargs kill 2>/dev/null 453 ip netns del ${NSC} >/dev/null 2>&1 454} 455 456cleanup_vrf_dup() 457{ 458 ip link del ${NSA_DEV2} >/dev/null 2>&1 459 ip netns pids ${NSC} | xargs kill 2>/dev/null 460 ip netns del ${NSC} >/dev/null 2>&1 461} 462 463setup_vrf_dup() 464{ 465 # some VRF tests use ns-C which has the same config as 466 # ns-B but for a device NOT in the VRF 467 create_ns ${NSC} "-" "-" 468 connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \ 469 ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 470} 471 472setup() 473{ 474 local with_vrf=${1} 475 476 # make sure we are starting with a clean slate 477 kill_procs 478 cleanup 2>/dev/null 479 480 
log_debug "Configuring network namespaces" 481 set -e 482 483 create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128 484 create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128 485 connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \ 486 ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 487 488 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 489 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 490 491 # tell ns-A how to get to remote addresses of ns-B 492 if [ "${with_vrf}" = "yes" ]; then 493 create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6} 494 495 ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF} 496 ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 497 ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 498 499 ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 500 ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 501 else 502 ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 503 ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 504 fi 505 506 507 # tell ns-B how to get to remote addresses of ns-A 508 ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 509 ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 510 511 set +e 512 513 sleep 1 514} 515 516setup_lla_only() 517{ 518 # make sure we are starting with a clean slate 519 kill_procs 520 cleanup 2>/dev/null 521 522 log_debug "Configuring network namespaces" 523 set -e 524 525 create_ns ${NSA} "-" "-" 526 create_ns ${NSB} "-" "-" 527 create_ns ${NSC} "-" "-" 528 connect_ns ${NSA} ${NSA_DEV} "-" "-" \ 529 ${NSB} ${NSB_DEV} "-" "-" 530 connect_ns ${NSA} ${NSA_DEV2} "-" "-" \ 531 ${NSC} ${NSC_DEV} "-" "-" 532 533 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 534 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 535 NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV}) 536 537 create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-" 538 ip -netns ${NSA} link 
set dev ${NSA_DEV} vrf ${VRF} 539 ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF} 540 541 set +e 542 543 sleep 1 544} 545 546################################################################################ 547# IPv4 548 549ipv4_ping_novrf() 550{ 551 local a 552 553 # 554 # out 555 # 556 for a in ${NSB_IP} ${NSB_LO_IP} 557 do 558 log_start 559 run_cmd ping -c1 -w1 ${a} 560 log_test_addr ${a} $? 0 "ping out" 561 562 log_start 563 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 564 log_test_addr ${a} $? 0 "ping out, device bind" 565 566 log_start 567 run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a} 568 log_test_addr ${a} $? 0 "ping out, address bind" 569 done 570 571 # 572 # in 573 # 574 for a in ${NSA_IP} ${NSA_LO_IP} 575 do 576 log_start 577 run_cmd_nsb ping -c1 -w1 ${a} 578 log_test_addr ${a} $? 0 "ping in" 579 done 580 581 # 582 # local traffic 583 # 584 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 585 do 586 log_start 587 run_cmd ping -c1 -w1 ${a} 588 log_test_addr ${a} $? 0 "ping local" 589 done 590 591 # 592 # local traffic, socket bound to device 593 # 594 # address on device 595 a=${NSA_IP} 596 log_start 597 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 598 log_test_addr ${a} $? 0 "ping local, device bind" 599 600 # loopback addresses not reachable from device bind 601 # fails in a really weird way though because ipv4 special cases 602 # route lookups with oif set. 603 for a in ${NSA_LO_IP} 127.0.0.1 604 do 605 log_start 606 show_hint "Fails since address on loopback device is out of device scope" 607 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 608 log_test_addr ${a} $? 
1 "ping local, device bind" 609 done 610 611 # 612 # ip rule blocks reachability to remote address 613 # 614 log_start 615 setup_cmd ip rule add pref 32765 from all lookup local 616 setup_cmd ip rule del pref 0 from all lookup local 617 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 618 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 619 620 a=${NSB_LO_IP} 621 run_cmd ping -c1 -w1 ${a} 622 log_test_addr ${a} $? 2 "ping out, blocked by rule" 623 624 # NOTE: ipv4 actually allows the lookup to fail and yet still create 625 # a viable rtable if the oif (e.g., bind to device) is set, so this 626 # case succeeds despite the rule 627 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 628 629 a=${NSA_LO_IP} 630 log_start 631 show_hint "Response generates ICMP (or arp request is ignored) due to ip rule" 632 run_cmd_nsb ping -c1 -w1 ${a} 633 log_test_addr ${a} $? 1 "ping in, blocked by rule" 634 635 [ "$VERBOSE" = "1" ] && echo 636 setup_cmd ip rule del pref 32765 from all lookup local 637 setup_cmd ip rule add pref 0 from all lookup local 638 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 639 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 640 641 # 642 # route blocks reachability to remote address 643 # 644 log_start 645 setup_cmd ip route replace unreachable ${NSB_LO_IP} 646 setup_cmd ip route replace unreachable ${NSB_IP} 647 648 a=${NSB_LO_IP} 649 run_cmd ping -c1 -w1 ${a} 650 log_test_addr ${a} $? 2 "ping out, blocked by route" 651 652 # NOTE: ipv4 actually allows the lookup to fail and yet still create 653 # a viable rtable if the oif (e.g., bind to device) is set, so this 654 # case succeeds despite not having a route for the address 655 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 656 657 a=${NSA_LO_IP} 658 log_start 659 show_hint "Response is dropped (or arp request is ignored) due to ip route" 660 run_cmd_nsb ping -c1 -w1 ${a} 661 log_test_addr ${a} $? 
1 "ping in, blocked by route" 662 663 # 664 # remove 'remote' routes; fallback to default 665 # 666 log_start 667 setup_cmd ip ro del ${NSB_LO_IP} 668 669 a=${NSB_LO_IP} 670 run_cmd ping -c1 -w1 ${a} 671 log_test_addr ${a} $? 2 "ping out, unreachable default route" 672 673 # NOTE: ipv4 actually allows the lookup to fail and yet still create 674 # a viable rtable if the oif (e.g., bind to device) is set, so this 675 # case succeeds despite not having a route for the address 676 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 677} 678 679ipv4_ping_vrf() 680{ 681 local a 682 683 # should default on; does not exist on older kernels 684 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 685 686 # 687 # out 688 # 689 for a in ${NSB_IP} ${NSB_LO_IP} 690 do 691 log_start 692 run_cmd ping -c1 -w1 -I ${VRF} ${a} 693 log_test_addr ${a} $? 0 "ping out, VRF bind" 694 695 log_start 696 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 697 log_test_addr ${a} $? 0 "ping out, device bind" 698 699 log_start 700 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a} 701 log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind" 702 703 log_start 704 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a} 705 log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind" 706 done 707 708 # 709 # in 710 # 711 for a in ${NSA_IP} ${VRF_IP} 712 do 713 log_start 714 run_cmd_nsb ping -c1 -w1 ${a} 715 log_test_addr ${a} $? 0 "ping in" 716 done 717 718 # 719 # local traffic, local address 720 # 721 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 722 do 723 log_start 724 show_hint "Source address should be ${a}" 725 run_cmd ping -c1 -w1 -I ${VRF} ${a} 726 log_test_addr ${a} $? 0 "ping local, VRF bind" 727 done 728 729 # 730 # local traffic, socket bound to device 731 # 732 # address on device 733 a=${NSA_IP} 734 log_start 735 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 736 log_test_addr ${a} $? 
0 "ping local, device bind" 737 738 # vrf device is out of scope 739 for a in ${VRF_IP} 127.0.0.1 740 do 741 log_start 742 show_hint "Fails since address on vrf device is out of device scope" 743 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 744 log_test_addr ${a} $? 1 "ping local, device bind" 745 done 746 747 # 748 # ip rule blocks address 749 # 750 log_start 751 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 752 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 753 754 a=${NSB_LO_IP} 755 run_cmd ping -c1 -w1 -I ${VRF} ${a} 756 log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule" 757 758 log_start 759 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 760 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 761 762 a=${NSA_LO_IP} 763 log_start 764 show_hint "Response lost due to ip rule" 765 run_cmd_nsb ping -c1 -w1 ${a} 766 log_test_addr ${a} $? 1 "ping in, blocked by rule" 767 768 [ "$VERBOSE" = "1" ] && echo 769 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 770 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 771 772 # 773 # remove 'remote' routes; fallback to default 774 # 775 log_start 776 setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP} 777 778 a=${NSB_LO_IP} 779 run_cmd ping -c1 -w1 -I ${VRF} ${a} 780 log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route" 781 782 log_start 783 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 784 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 785 786 a=${NSA_LO_IP} 787 log_start 788 show_hint "Response lost by unreachable route" 789 run_cmd_nsb ping -c1 -w1 ${a} 790 log_test_addr ${a} $? 
1 "ping in, unreachable route" 791} 792 793ipv4_ping() 794{ 795 log_section "IPv4 ping" 796 797 log_subsection "No VRF" 798 setup 799 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null 800 ipv4_ping_novrf 801 setup 802 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 803 ipv4_ping_novrf 804 setup 805 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 806 ipv4_ping_novrf 807 808 log_subsection "With VRF" 809 setup "yes" 810 ipv4_ping_vrf 811 setup "yes" 812 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 813 ipv4_ping_vrf 814} 815 816################################################################################ 817# IPv4 TCP 818 819# 820# MD5 tests without VRF 821# 822ipv4_tcp_md5_novrf() 823{ 824 # 825 # single address 826 # 827 828 # basic use case 829 log_start 830 run_cmd nettest -s -M ${MD5_PW} -r ${NSB_IP} & 831 sleep 1 832 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} 833 log_test $? 0 "MD5: Single address config" 834 835 # client sends MD5, server not configured 836 log_start 837 show_hint "Should timeout due to MD5 mismatch" 838 run_cmd nettest -s & 839 sleep 1 840 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} 841 log_test $? 2 "MD5: Server no config, client uses password" 842 843 # wrong password 844 log_start 845 show_hint "Should timeout since client uses wrong password" 846 run_cmd nettest -s -M ${MD5_PW} -r ${NSB_IP} & 847 sleep 1 848 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW} 849 log_test $? 2 "MD5: Client uses wrong password" 850 851 # client from different address 852 log_start 853 show_hint "Should timeout due to MD5 mismatch" 854 run_cmd nettest -s -M ${MD5_PW} -r ${NSB_LO_IP} & 855 sleep 1 856 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} 857 log_test $? 
2 "MD5: Client address does not match address configured with password" 858 859 # 860 # MD5 extension - prefix length 861 # 862 863 # client in prefix 864 log_start 865 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 866 sleep 1 867 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} 868 log_test $? 0 "MD5: Prefix config" 869 870 # client in prefix, wrong password 871 log_start 872 show_hint "Should timeout since client uses wrong password" 873 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 874 sleep 1 875 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW} 876 log_test $? 2 "MD5: Prefix config, client uses wrong password" 877 878 # client outside of prefix 879 log_start 880 show_hint "Should timeout due to MD5 mismatch" 881 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 882 sleep 1 883 run_cmd_nsb nettest -l ${NSB_LO_IP} -r ${NSA_IP} -M ${MD5_PW} 884 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 885} 886 887# 888# MD5 tests with VRF 889# 890ipv4_tcp_md5() 891{ 892 # 893 # single address 894 # 895 896 # basic use case 897 log_start 898 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} & 899 sleep 1 900 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} 901 log_test $? 0 "MD5: VRF: Single address config" 902 903 # client sends MD5, server not configured 904 log_start 905 show_hint "Should timeout since server does not have MD5 auth" 906 run_cmd nettest -s -d ${VRF} & 907 sleep 1 908 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} 909 log_test $? 2 "MD5: VRF: Server no config, client uses password" 910 911 # wrong password 912 log_start 913 show_hint "Should timeout since client uses wrong password" 914 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} & 915 sleep 1 916 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW} 917 log_test $? 
2 "MD5: VRF: Client uses wrong password" 918 919 # client from different address 920 log_start 921 show_hint "Should timeout since server config differs from client" 922 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_LO_IP} & 923 sleep 1 924 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} 925 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 926 927 # 928 # MD5 extension - prefix length 929 # 930 931 # client in prefix 932 log_start 933 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} & 934 sleep 1 935 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} 936 log_test $? 0 "MD5: VRF: Prefix config" 937 938 # client in prefix, wrong password 939 log_start 940 show_hint "Should timeout since client uses wrong password" 941 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} & 942 sleep 1 943 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW} 944 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 945 946 # client outside of prefix 947 log_start 948 show_hint "Should timeout since client address is outside of prefix" 949 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} & 950 sleep 1 951 run_cmd_nsb nettest -l ${NSB_LO_IP} -r ${NSA_IP} -M ${MD5_PW} 952 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" 953 954 # 955 # duplicate config between default VRF and a VRF 956 # 957 958 log_start 959 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} & 960 run_cmd nettest -s -M ${MD5_WRONG_PW} -r ${NSB_IP} & 961 sleep 1 962 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} 963 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 964 965 log_start 966 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} & 967 run_cmd nettest -s -M ${MD5_WRONG_PW} -r ${NSB_IP} & 968 sleep 1 969 run_cmd_nsc nettest -r ${NSA_IP} -M ${MD5_WRONG_PW} 970 log_test $? 
0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 971 972 log_start 973 show_hint "Should timeout since client in default VRF uses VRF password" 974 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} & 975 run_cmd nettest -s -M ${MD5_WRONG_PW} -r ${NSB_IP} & 976 sleep 1 977 run_cmd_nsc nettest -r ${NSA_IP} -M ${MD5_PW} 978 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 979 980 log_start 981 show_hint "Should timeout since client in VRF uses default VRF password" 982 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} & 983 run_cmd nettest -s -M ${MD5_WRONG_PW} -r ${NSB_IP} & 984 sleep 1 985 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW} 986 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 987 988 log_start 989 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} & 990 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 991 sleep 1 992 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} 993 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 994 995 log_start 996 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} & 997 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 998 sleep 1 999 run_cmd_nsc nettest -r ${NSA_IP} -M ${MD5_WRONG_PW} 1000 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 1001 1002 log_start 1003 show_hint "Should timeout since client in default VRF uses VRF password" 1004 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1005 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1006 sleep 1 1007 run_cmd_nsc nettest -r ${NSA_IP} -M ${MD5_PW} 1008 log_test $? 
2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 1009 1010 log_start 1011 show_hint "Should timeout since client in VRF uses default VRF password" 1012 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1013 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1014 sleep 1 1015 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW} 1016 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 1017 1018 # 1019 # negative tests 1020 # 1021 log_start 1022 run_cmd nettest -s -d ${NSA_DEV} -M ${MD5_PW} -r ${NSB_IP} 1023 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 1024 1025 log_start 1026 run_cmd nettest -s -d ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET} 1027 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 1028 1029} 1030 1031ipv4_tcp_novrf() 1032{ 1033 local a 1034 1035 # 1036 # server tests 1037 # 1038 for a in ${NSA_IP} ${NSA_LO_IP} 1039 do 1040 log_start 1041 run_cmd nettest -s & 1042 sleep 1 1043 run_cmd_nsb nettest -r ${a} 1044 log_test_addr ${a} $? 0 "Global server" 1045 done 1046 1047 a=${NSA_IP} 1048 log_start 1049 run_cmd nettest -s -d ${NSA_DEV} & 1050 sleep 1 1051 run_cmd_nsb nettest -r ${a} 1052 log_test_addr ${a} $? 0 "Device server" 1053 1054 # verify TCP reset sent and received 1055 for a in ${NSA_IP} ${NSA_LO_IP} 1056 do 1057 log_start 1058 show_hint "Should fail 'Connection refused' since there is no server" 1059 run_cmd_nsb nettest -r ${a} 1060 log_test_addr ${a} $? 1 "No server" 1061 done 1062 1063 # 1064 # client 1065 # 1066 for a in ${NSB_IP} ${NSB_LO_IP} 1067 do 1068 log_start 1069 run_cmd_nsb nettest -s & 1070 sleep 1 1071 run_cmd nettest -r ${a} -0 ${NSA_IP} 1072 log_test_addr ${a} $? 0 "Client" 1073 1074 log_start 1075 run_cmd_nsb nettest -s & 1076 sleep 1 1077 run_cmd nettest -r ${a} -d ${NSA_DEV} 1078 log_test_addr ${a} $? 
0 "Client, device bind" 1079 1080 log_start 1081 show_hint "Should fail 'Connection refused'" 1082 run_cmd nettest -r ${a} 1083 log_test_addr ${a} $? 1 "No server, unbound client" 1084 1085 log_start 1086 show_hint "Should fail 'Connection refused'" 1087 run_cmd nettest -r ${a} -d ${NSA_DEV} 1088 log_test_addr ${a} $? 1 "No server, device client" 1089 done 1090 1091 # 1092 # local address tests 1093 # 1094 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1095 do 1096 log_start 1097 run_cmd nettest -s & 1098 sleep 1 1099 run_cmd nettest -r ${a} -0 ${a} -1 ${a} 1100 log_test_addr ${a} $? 0 "Global server, local connection" 1101 done 1102 1103 a=${NSA_IP} 1104 log_start 1105 run_cmd nettest -s -d ${NSA_DEV} & 1106 sleep 1 1107 run_cmd nettest -r ${a} -0 ${a} 1108 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 1109 1110 for a in ${NSA_LO_IP} 127.0.0.1 1111 do 1112 log_start 1113 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 1114 run_cmd nettest -s -d ${NSA_DEV} & 1115 sleep 1 1116 run_cmd nettest -r ${a} 1117 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 1118 done 1119 1120 a=${NSA_IP} 1121 log_start 1122 run_cmd nettest -s & 1123 sleep 1 1124 run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV} 1125 log_test_addr ${a} $? 0 "Global server, device client, local connection" 1126 1127 for a in ${NSA_LO_IP} 127.0.0.1 1128 do 1129 log_start 1130 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 1131 run_cmd nettest -s & 1132 sleep 1 1133 run_cmd nettest -r ${a} -d ${NSA_DEV} 1134 log_test_addr ${a} $? 1 "Global server, device client, local connection" 1135 done 1136 1137 a=${NSA_IP} 1138 log_start 1139 run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} & 1140 sleep 1 1141 run_cmd nettest -d ${NSA_DEV} -r ${a} -0 ${a} 1142 log_test_addr ${a} $? 
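0 "Device server, device client, local connection"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "No server, device client, local conn"

	[ "$fips_enabled" = "1" ] || ipv4_tcp_md5_novrf
}

#
# IPv4 TCP tests run after 'setup "yes"' (VRF configured in ns-A).
#
# Pass 1 sets net.ipv4.tcp_l3mdev_accept=0: a server that is not bound to
# the VRF or to the enslaved device is expected to refuse connections
# (rc 1), while VRF-bound and device-bound servers accept them (rc 0).
# Pass 2 sets the sysctl to 1 and expects the unbound server to accept.
#
# The TCP MD5 tests run only when fips_enabled is 0.
#
# Globals: NSA_IP, VRF_IP, NSB_IP, NSB_LO_IP, NSA_DEV, VRF, fips_enabled (read)
# Expansions are left unquoted as in the rest of the script; the values
# are the fixed names and addresses assigned at the top of the file.
#
ipv4_tcp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"

	set_sysctl net.ipv4.tcp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server"

		log_start
		run_cmd nettest -s -d ${VRF} -2 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		log_start
		run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Device server"

		# verify TCP reset received
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	# local address tests
	# (${VRF_IP} and 127.0.0.1 both timeout)
	a=${NSA_IP}
	log_start
	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
	run_cmd nettest -s &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV}
	log_test_addr ${a} $? 1 "Global server, local connection"

	# run MD5 tests (skipped when the kernel reports FIPS mode)
	if [ "$fips_enabled" = "0" ]; then
		setup_vrf_dup
		ipv4_tcp_md5
		cleanup_vrf_dup
	fi

	#
	# enable VRF global server
	#
	log_subsection "VRF Global server enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -2 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		show_hint "client socket should be bound to VRF"
		run_cmd nettest -s -d ${VRF} -2 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		# verify TCP reset received
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	a=${NSA_IP}
	log_start
	show_hint "client socket should be bound to device"
	run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	# local address tests
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Should fail 'Connection refused' since client is not bound to VRF"
		run_cmd nettest -s -d ${VRF} &
		sleep 1
		run_cmd nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server, local connection"
	done

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${VRF}
		log_test_addr ${a} $? 0 "Client, VRF bind"

		log_start
		run_cmd_nsb nettest -s &
		sleep 1
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${VRF}
		log_test_addr ${a} $? 1 "No server, VRF client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -s -d ${VRF} -2 ${VRF} &
		sleep 1
		run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -d ${VRF} -2 ${VRF} &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local connection"

	log_start
	show_hint "Should fail 'No route to host' since client is out of VRF scope"
	run_cmd nettest -s -d ${VRF} &
	sleep 1
	run_cmd nettest -r ${a}
	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"

	log_start
	run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"

	log_start
	run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local connection"
}

#
# Entry point for the IPv4/TCP group: runs the no-VRF tests once with
# tcp_l3mdev_accept=0 and once with 1, then re-runs setup with "yes" and
# runs the VRF tests.
#
ipv4_tcp()
{
	log_section "IPv4/TCP"
	log_subsection "No VRF"
	setup

	# tcp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "tcp_l3mdev_accept disabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=0
	ipv4_tcp_novrf
	log_subsection "tcp_l3mdev_accept enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1
	ipv4_tcp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_tcp_vrf
}

################################################################################
# IPv4 UDP

#
# IPv4 UDP tests without a VRF (every nettest call carries -D).
# Covers servers in ns-A reached from ns-B, clients in ns-A reaching ns-B,
# and local traffic inside ns-A with and without a device bind.
# Expected rc per case is the third argument of log_test_addr.
#
ipv4_udp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -D -s -2 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -D -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client, device send via cmsg"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -0 ${a} -1 ${a}
		log_test_addr ${a} $? 0 "Global server, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -r ${a}
	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"

	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'Connection refused' since address is out of device scope"
		run_cmd nettest -s -D -d ${NSA_DEV} &
		sleep 1
		run_cmd nettest -D -r ${a}
		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -C -r ${a}
	log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"

	log_start
	run_cmd nettest -s -D &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -S -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection"

	# IPv4 with device bind has really weird behavior - it overrides the
	# fib lookup, generates an rtable and tries to send the packet. This
	# causes failures for local traffic at different places
	# (hence the different expected rc values below: 2 for the plain
	# device bind, 1 for the cmsg and IP_UNICAST_IF variants)
	for a in ${NSA_LO_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 2 "Global server, device client, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C
		log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"

		log_start
		show_hint "Should fail since addresses on loopback are out of device scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S
		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -D -s -d ${NSA_DEV} -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local conn"

	log_start
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 2 "No server, device client, local conn"
}

#
# IPv4 UDP tests with a VRF. Pass 1 sets net.ipv4.udp_l3mdev_accept=0 and
# expects a server that is not bound to the VRF or its enslaved device to
# be unreachable for traffic in the VRF (rc 1). Pass 2 sets the sysctl to
# 1 and expects the unbound server to be reachable.
#
ipv4_udp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Fails because ingress is in a VRF and global server is disabled"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "Global server"

		log_start
		run_cmd nettest -D -d ${VRF} -s -2 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		log_start
		run_cmd nettest -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server"

		log_start
		show_hint "Should fail 'Connection refused' since global server is out of scope"
		run_cmd nettest -D -s &
		sleep 1
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "Global server, VRF client, local connection"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D -d ${VRF} -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -d ${VRF} -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection"

	a=${NSA_IP}
	log_start
	run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"

	# enable global server
	log_subsection "Global server enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -D -s -2 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		run_cmd nettest -D -d ${VRF} -s -2 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"

		log_start
		run_cmd nettest -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client tests
	#
	log_start
	run_cmd_nsb nettest -D -s &
	sleep 1
	run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP}
	log_test $? 0 "VRF client"

	log_start
	run_cmd_nsb nettest -D -s &
	sleep 1
	run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP}
	log_test $? 0 "Enslaved device client"

	# negative test - should fail
	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -D -d ${VRF} -r ${NSB_IP}
	log_test $? 1 "No server, VRF client"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP}
	log_test $? 1 "No server, enslaved device client"

	#
	# local address tests
	#
	a=${NSA_IP}
	log_start
	run_cmd nettest -D -s -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -d ${VRF} -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -d ${VRF} -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"

	for a in ${VRF_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -D -s -2 ${VRF} &
		sleep 1
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
	done

	for a in ${VRF_IP} 127.0.0.1
	do
		log_start
		run_cmd nettest -s -D -d ${VRF} -2 ${VRF} &
		sleep 1
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
	done

	# negative test - should fail
	# verifies ECONNREFUSED
	for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
	done
}

#
# Entry point for the IPv4/UDP group: no-VRF tests with udp_l3mdev_accept
# set to 0 and then 1, followed by the VRF tests after 'setup "yes"'.
#
ipv4_udp()
{
	log_section "IPv4/UDP"
	log_subsection "No VRF"

	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv4_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv4_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_udp_vrf
}

################################################################################
# IPv4 address bind
#
# verifies ability or inability to bind to an address / device

#
# Address bind checks without a VRF: raw (icmp) and TCP sockets binding to
# a local address, with and without a prior device bind. All active cases
# expect success (rc 0).
#
ipv4_addr_bind_novrf()
{
	# keep the loop variable out of the global scope, as the sibling
	# test functions do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -d ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# tcp sockets
	#
	a=${NSA_IP}
	log_start
	run_cmd nettest -l ${a} -r ${NSB_IP} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -l ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not
	#
	# In other words: a device bind by itself does not restrict the
	# local address of a TCP socket to addresses configured on that
	# device, so the negative case below stays disabled.
	#a=${NSA_LO_IP}
	#log_start
	#show_hint "Should fail with 'Cannot assign requested address'"
	#run_cmd nettest -s -l ${a} -d ${NSA_DEV} -t1 -b
	#log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
}

#
# Address bind checks with a VRF. Binding to an address that lives in the
# VRF is expected to fail for a raw socket that is not bound to the VRF or
# the enslaved device (rc 1) and to succeed once it is. The address on
# loopback (NSA_LO_IP) is out of VRF scope, so binding to it after a VRF
# or device bind is expected to fail (rc 1).
#
ipv4_addr_bind_vrf()
{
	# keep the loop variable out of the global scope, as the sibling
	# test functions do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Socket not bound to VRF, but address is in VRF"
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 1 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -d ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -d ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -s -R -P icmp -l ${a} -d ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind"

	#
	# tcp sockets
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s -l ${a} -d ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address"

		log_start
		run_cmd nettest -s -l ${a} -d ${NSA_DEV} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -s -l ${a} -d ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -s -l ${a} -d ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
}

#
# Entry point for the IPv4 address bind group (no-VRF, then VRF).
#
ipv4_addr_bind()
{
	log_section "IPv4 address binds"

	log_subsection "No VRF"
	setup
	ipv4_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_addr_bind_vrf
}

################################################################################
# IPv4 runtime tests

#
# Deletes the VRF device while a nettest server/client pair is running,
# then re-runs setup for the next case.
#
# Arguments:
#   $1 - description used as the prefix of each test label
#   $2 - extra nettest arguments; expanded unquoted on purpose so that a
#        value such as "-n -1" splits into separate words
#
# Every case logs 'log_test_addr ... 0 0', i.e. rc and expected are both
# the literal 0, so the logged result never fails.
# NOTE(review): presumably the real check is that the kernel survives the
# delete with sockets active - confirm.
#
ipv4_rt()
{
	local desc="$1"
	local varg="$2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -s -d ${VRF} &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest ${varg} -s -d ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest ${varg} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device server"

	setup ${with_vrf}

	#
	# client test
	#
	# NOTE(review): the two client cases connect to ${NSB_IP} but are
	# logged with ${a}, which still holds ${NSA_IP} here - confirm the
	# label is intended.
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device client"

	setup ${with_vrf}

	#
	# local address tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local"

		setup ${with_vrf}
	done

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -d ${VRF} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server and client, local"

		setup ${with_vrf}
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -d ${VRF} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -d ${NSA_DEV} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local"
}

#
# Deletes the VRF device while a flood ping (ping -f) is running, first
# inbound from ns-B and then outbound through the VRF. Results are logged
# with the literal pair '0 0', as in ipv4_rt.
#
ipv4_ping_rt()
{
	local with_vrf="yes"
	local a

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd_nsb ping -f ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

		setup ${with_vrf}
	done

	a=${NSB_IP}
	log_start
	run_cmd ping -f -I ${VRF} ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

#
# Entry point for the IPv4 run time group; setup "yes" is re-run before
# each sub-test because the sub-tests delete the VRF device.
#
ipv4_runtime()
{
	log_section "Run time tests - ipv4"

	setup "yes"
	ipv4_ping_rt

	setup "yes"
	ipv4_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv4_rt "TCP passive socket" "-i"
}

################################################################################
# IPv6

#
# IPv6 ping tests without a VRF: outbound, inbound and local traffic, then
# the same destinations with a prohibit ip rule, an unreachable route, and
# finally with the specific routes removed. Expected rc is 2 where the
# local ping is blocked and 1 where only the response is lost.
#
ipv6_ping_novrf()
{
	local a

	# should not have an impact, but make a known state
	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping out"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a}
		log_test_addr ${a} $? 0 "ping out, loopback address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
	do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	#
	# local traffic, local address
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping local, no bind"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping local, device bind"
	done

	for a in ${NSA_LO_IP6} ::1
	do
		log_start
		show_hint "Fails since address on loopback is out of device scope"
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 2 "ping local, device bind"
	done

	#
	# ip rule blocks address
	#
	# the 'local' table lookup is moved from pref 0 to pref 32765 so the
	# prohibit rules at pref 50/51 are evaluated first; it is moved back
	# after the blocked cases
	log_start
	setup_cmd ip -6 rule add pref 32765 from all lookup local
	setup_cmd ip -6 rule del pref 0 from all lookup local
	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by rule"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	setup_cmd ip -6 rule add pref 0 from all lookup local
	setup_cmd ip -6 rule del pref 32765 from all lookup local
	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit

	#
	# route blocks reachability to remote address
	#
	log_start
	setup_cmd ip -6 route del ${NSB_LO_IP6}
	setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10
	setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by route"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Response lost due to ip route"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by route"


	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6}
	setup_cmd ip -6 ro del unreachable ${NSB_IP6}

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, unreachable route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
}

#
# IPv6 ping tests with a VRF: outbound with VRF and device binds, inbound
# from ns-B, local traffic, link-local to global addressing, then the
# prohibit-rule and missing-route cases.
#
ipv6_ping_vrf()
{
	local a

	# should default on; does not exist on older kernels
	set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null

	#
	# out
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping out, VRF bind"
	done

	for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF}
	do
		log_start
		show_hint "Fails since VRF device does not support linklocal or multicast"
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 1 "ping out, VRF bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
	do
		log_start
		run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a}
		log_test_addr ${a} $? 0 "ping out, vrf device+address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
	do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	a=${NSA_LO_IP6}
	log_start
	show_hint "Fails since loopback address is out of VRF scope"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in"

	#
	# local traffic, local address
	#
	for a in ${NSA_IP6} ${VRF_IP6} ::1
	do
		log_start
		show_hint "Source address should be ${a}"
		run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
		log_test_addr ${a} $? 0 "ping local, VRF bind"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping local, device bind"
	done

	# LLA to GUA - remove ipv6 global addresses from ns-B
	setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo
	setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}

	# NOTE(review): the loop variable only changes the label; the ping
	# target is ${NSA_IP6} on both iterations, matching the single /128
	# route added above - confirm that is intended.
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
		log_test_addr ${a} $? 0 "ping in, LLA to GUA"
	done

	setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
	setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV}
	setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo

	#
	# ip rule blocks address
	#
	log_start
	setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, blocked by rule"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Response lost due to ip rule"
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 1 "ping in, blocked by rule"

	log_start
	setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
	setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit

	#
	# remove 'remote' routes; fallback to default
	#
	log_start
	setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF}

	a=${NSB_LO_IP6}
	run_cmd ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping out, unreachable route"

	log_start
	run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
	log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"

	# run directly rather than through setup_cmd_nsb
	ip -netns ${NSB} -6 ro del ${NSA_LO_IP6}
	a=${NSA_LO_IP6}
	log_start
	run_cmd_nsb ${ping6} -c1 -w1 ${a}
	log_test_addr ${a} $? 2 "ping in, unreachable route"
}

#
# Entry point for the IPv6 ping group. Each test set is run twice: once
# after a plain setup and once after additionally setting
# net.ipv4.ping_group_range to '0 2147483647'.
# NOTE(review): the second pass presumably exercises ping sockets that do
# not need raw-socket privilege - confirm. The sysctl widens which groups
# may open such sockets, and setup is re-run before each pass.
#
ipv6_ping()
{
	log_section "IPv6 ping"

	log_subsection "No VRF"
	setup
	ipv6_ping_novrf
	setup
	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
	ipv6_ping_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_ping_vrf
	setup "yes"
	set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null
	ipv6_ping_vrf
}

################################################################################
# IPv6 TCP

#
# MD5 tests without VRF
#
# Checks that a TCP MD5 password configured on the server for a peer
# address (-r) or a prefix (-m) only admits a client that uses the same
# password from a matching address. Mismatches are expected to time out
# (rc 2) rather than be refused.
#
# MD5_PW and MD5_WRONG_PW are fixed test values set at the top of the
# script and are passed on the nettest command line; they are fixtures,
# not secrets.
#
ipv6_tcp_md5_novrf()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -6 -s -M ${MD5_PW} -r ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 0 "MD5: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 2 "MD5: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -r ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -r ${NSB_LO_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 2 "MD5: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 0 "MD5: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Prefix config, client uses wrong password"

	# client outside of prefix
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -l ${NSB_LO_IP6} -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
}

#
# MD5 tests with VRF
#
# Same single-address and prefix cases as ipv6_tcp_md5_novrf with the
# server bound to the VRF, followed by the duplicate-config cases: one
# server in the VRF uses MD5_PW and one in the default VRF uses
# MD5_WRONG_PW for the same peer. A client is expected to connect only
# with the password of the L3 domain it arrives in (ns-B -> VRF,
# ns-C -> default VRF per the test labels); using the other domain's
# password is expected to time out (rc 2).
#
# The negative tests at the end expect rc 1 when the MD5 config names the
# enslaved device instead of a VRF.
#
ipv6_tcp_md5()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout since server does not have MD5 auth"
	run_cmd nettest -6 -s -d ${VRF} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 2 "MD5: VRF: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout since server config differs from client"
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_LO_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"

	# client outside of prefix
	log_start
	show_hint "Should timeout since client address is outside of prefix"
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -l ${NSB_LO_IP6} -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"

	#
	# duplicate config between default VRF and a VRF
	#

	log_start
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -r ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -r ${NSB_IP6} &
	sleep 1
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"

	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -r ${NSB_IP6} &
	sleep 1
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -r ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"

	log_start
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"

	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"

	#
	# negative tests
	#
	log_start
	run_cmd nettest -6 -s -d ${NSA_DEV} -M ${MD5_PW} -r ${NSB_IP6}
	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"

	log_start
	run_cmd nettest -6 -s -d ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6}
	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"

}

ipv6_tcp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 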
0 "Global server" 2520 done 2521 2522 # verify TCP reset received 2523 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2524 do 2525 log_start 2526 show_hint "Should fail 'Connection refused'" 2527 run_cmd_nsb nettest -6 -r ${a} 2528 log_test_addr ${a} $? 1 "No server" 2529 done 2530 2531 # 2532 # client 2533 # 2534 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2535 do 2536 log_start 2537 run_cmd_nsb nettest -6 -s & 2538 sleep 1 2539 run_cmd nettest -6 -r ${a} 2540 log_test_addr ${a} $? 0 "Client" 2541 done 2542 2543 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2544 do 2545 log_start 2546 run_cmd_nsb nettest -6 -s & 2547 sleep 1 2548 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2549 log_test_addr ${a} $? 0 "Client, device bind" 2550 done 2551 2552 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2553 do 2554 log_start 2555 show_hint "Should fail 'Connection refused'" 2556 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2557 log_test_addr ${a} $? 1 "No server, device client" 2558 done 2559 2560 # 2561 # local address tests 2562 # 2563 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 2564 do 2565 log_start 2566 run_cmd nettest -6 -s & 2567 sleep 1 2568 run_cmd nettest -6 -r ${a} 2569 log_test_addr ${a} $? 0 "Global server, local connection" 2570 done 2571 2572 a=${NSA_IP6} 2573 log_start 2574 run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} & 2575 sleep 1 2576 run_cmd nettest -6 -r ${a} -0 ${a} 2577 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 2578 2579 for a in ${NSA_LO_IP6} ::1 2580 do 2581 log_start 2582 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2583 run_cmd nettest -6 -s -d ${NSA_DEV} & 2584 sleep 1 2585 run_cmd nettest -6 -r ${a} 2586 log_test_addr ${a} $? 
1 "Device server, unbound client, local connection" 2587 done 2588 2589 a=${NSA_IP6} 2590 log_start 2591 run_cmd nettest -6 -s & 2592 sleep 1 2593 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2594 log_test_addr ${a} $? 0 "Global server, device client, local connection" 2595 2596 for a in ${NSA_LO_IP6} ::1 2597 do 2598 log_start 2599 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 2600 run_cmd nettest -6 -s & 2601 sleep 1 2602 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2603 log_test_addr ${a} $? 1 "Global server, device client, local connection" 2604 done 2605 2606 for a in ${NSA_IP6} ${NSA_LINKIP6} 2607 do 2608 log_start 2609 run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} & 2610 sleep 1 2611 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2612 log_test_addr ${a} $? 0 "Device server, device client, local conn" 2613 done 2614 2615 for a in ${NSA_IP6} ${NSA_LINKIP6} 2616 do 2617 log_start 2618 show_hint "Should fail 'Connection refused'" 2619 run_cmd nettest -6 -d ${NSA_DEV} -r ${a} 2620 log_test_addr ${a} $? 1 "No server, device client, local conn" 2621 done 2622 2623 [ "$fips_enabled" = "1" ] || ipv6_tcp_md5_novrf 2624} 2625 2626ipv6_tcp_vrf() 2627{ 2628 local a 2629 2630 # disable global server 2631 log_subsection "Global server disabled" 2632 2633 set_sysctl net.ipv4.tcp_l3mdev_accept=0 2634 2635 # 2636 # server tests 2637 # 2638 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2639 do 2640 log_start 2641 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2642 run_cmd nettest -6 -s & 2643 sleep 1 2644 run_cmd_nsb nettest -6 -r ${a} 2645 log_test_addr ${a} $? 1 "Global server" 2646 done 2647 2648 for a in ${NSA_IP6} ${VRF_IP6} 2649 do 2650 log_start 2651 run_cmd nettest -6 -s -d ${VRF} -2 ${VRF} & 2652 sleep 1 2653 run_cmd_nsb nettest -6 -r ${a} 2654 log_test_addr ${a} $? 
0 "VRF server" 2655 done 2656 2657 # link local is always bound to ingress device 2658 a=${NSA_LINKIP6}%${NSB_DEV} 2659 log_start 2660 run_cmd nettest -6 -s -d ${VRF} -2 ${NSA_DEV} & 2661 sleep 1 2662 run_cmd_nsb nettest -6 -r ${a} 2663 log_test_addr ${a} $? 0 "VRF server" 2664 2665 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2666 do 2667 log_start 2668 run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} & 2669 sleep 1 2670 run_cmd_nsb nettest -6 -r ${a} 2671 log_test_addr ${a} $? 0 "Device server" 2672 done 2673 2674 # verify TCP reset received 2675 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2676 do 2677 log_start 2678 show_hint "Should fail 'Connection refused'" 2679 run_cmd_nsb nettest -6 -r ${a} 2680 log_test_addr ${a} $? 1 "No server" 2681 done 2682 2683 # local address tests 2684 a=${NSA_IP6} 2685 log_start 2686 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 2687 run_cmd nettest -6 -s & 2688 sleep 1 2689 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2690 log_test_addr ${a} $? 1 "Global server, local connection" 2691 2692 # run MD5 tests 2693 if [ "$fips_enabled" = "0" ]; then 2694 setup_vrf_dup 2695 ipv6_tcp_md5 2696 cleanup_vrf_dup 2697 fi 2698 2699 # 2700 # enable VRF global server 2701 # 2702 log_subsection "VRF Global server enabled" 2703 set_sysctl net.ipv4.tcp_l3mdev_accept=1 2704 2705 for a in ${NSA_IP6} ${VRF_IP6} 2706 do 2707 log_start 2708 run_cmd nettest -6 -s -2 ${VRF} & 2709 sleep 1 2710 run_cmd_nsb nettest -6 -r ${a} 2711 log_test_addr ${a} $? 0 "Global server" 2712 done 2713 2714 for a in ${NSA_IP6} ${VRF_IP6} 2715 do 2716 log_start 2717 run_cmd nettest -6 -s -d ${VRF} -2 ${VRF} & 2718 sleep 1 2719 run_cmd_nsb nettest -6 -r ${a} 2720 log_test_addr ${a} $? 
0 "VRF server" 2721 done 2722 2723 # For LLA, child socket is bound to device 2724 a=${NSA_LINKIP6}%${NSB_DEV} 2725 log_start 2726 run_cmd nettest -6 -s -2 ${NSA_DEV} & 2727 sleep 1 2728 run_cmd_nsb nettest -6 -r ${a} 2729 log_test_addr ${a} $? 0 "Global server" 2730 2731 log_start 2732 run_cmd nettest -6 -s -d ${VRF} -2 ${NSA_DEV} & 2733 sleep 1 2734 run_cmd_nsb nettest -6 -r ${a} 2735 log_test_addr ${a} $? 0 "VRF server" 2736 2737 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2738 do 2739 log_start 2740 run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} & 2741 sleep 1 2742 run_cmd_nsb nettest -6 -r ${a} 2743 log_test_addr ${a} $? 0 "Device server" 2744 done 2745 2746 # verify TCP reset received 2747 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2748 do 2749 log_start 2750 show_hint "Should fail 'Connection refused'" 2751 run_cmd_nsb nettest -6 -r ${a} 2752 log_test_addr ${a} $? 1 "No server" 2753 done 2754 2755 # local address tests 2756 for a in ${NSA_IP6} ${VRF_IP6} 2757 do 2758 log_start 2759 show_hint "Fails 'Connection refused' since client is not in VRF" 2760 run_cmd nettest -6 -s -d ${VRF} & 2761 sleep 1 2762 run_cmd nettest -6 -r ${a} 2763 log_test_addr ${a} $? 1 "Global server, local connection" 2764 done 2765 2766 2767 # 2768 # client 2769 # 2770 for a in ${NSB_IP6} ${NSB_LO_IP6} 2771 do 2772 log_start 2773 run_cmd_nsb nettest -6 -s & 2774 sleep 1 2775 run_cmd nettest -6 -r ${a} -d ${VRF} 2776 log_test_addr ${a} $? 0 "Client, VRF bind" 2777 done 2778 2779 a=${NSB_LINKIP6} 2780 log_start 2781 show_hint "Fails since VRF device does not allow linklocal addresses" 2782 run_cmd_nsb nettest -6 -s & 2783 sleep 1 2784 run_cmd nettest -6 -r ${a} -d ${VRF} 2785 log_test_addr ${a} $? 1 "Client, VRF bind" 2786 2787 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 2788 do 2789 log_start 2790 run_cmd_nsb nettest -6 -s & 2791 sleep 1 2792 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2793 log_test_addr ${a} $? 
0 "Client, device bind" 2794 done 2795 2796 for a in ${NSB_IP6} ${NSB_LO_IP6} 2797 do 2798 log_start 2799 show_hint "Should fail 'Connection refused'" 2800 run_cmd nettest -6 -r ${a} -d ${VRF} 2801 log_test_addr ${a} $? 1 "No server, VRF client" 2802 done 2803 2804 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} 2805 do 2806 log_start 2807 show_hint "Should fail 'Connection refused'" 2808 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} 2809 log_test_addr ${a} $? 1 "No server, device client" 2810 done 2811 2812 for a in ${NSA_IP6} ${VRF_IP6} ::1 2813 do 2814 log_start 2815 run_cmd nettest -6 -s -d ${VRF} -2 ${VRF} & 2816 sleep 1 2817 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 2818 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 2819 done 2820 2821 a=${NSA_IP6} 2822 log_start 2823 run_cmd nettest -6 -s -d ${VRF} -2 ${VRF} & 2824 sleep 1 2825 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2826 log_test_addr ${a} $? 0 "VRF server, device client, local connection" 2827 2828 a=${NSA_IP6} 2829 log_start 2830 show_hint "Should fail since unbound client is out of VRF scope" 2831 run_cmd nettest -6 -s -d ${VRF} & 2832 sleep 1 2833 run_cmd nettest -6 -r ${a} 2834 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection" 2835 2836 log_start 2837 run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} & 2838 sleep 1 2839 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} 2840 log_test_addr ${a} $? 0 "Device server, VRF client, local connection" 2841 2842 for a in ${NSA_IP6} ${NSA_LINKIP6} 2843 do 2844 log_start 2845 run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} & 2846 sleep 1 2847 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} 2848 log_test_addr ${a} $? 
0 "Device server, device client, local connection"
	done
}

# Top-level IPv6/TCP run. The no-VRF tests run twice, with
# net.ipv4.tcp_l3mdev_accept set to 0 and then to 1 (the sysctl name is under
# net.ipv4 although these are IPv6 tests), followed by one run with a VRF.
# ipv6_tcp_vrf sets the sysctl itself.
ipv6_tcp()
{
	log_section "IPv6/TCP"
	log_subsection "No VRF"
	setup

	# tcp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "tcp_l3mdev_accept disabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=0
	ipv6_tcp_novrf
	log_subsection "tcp_l3mdev_accept enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1
	ipv6_tcp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_tcp_vrf
}

################################################################################
# IPv6 UDP

ipv6_udp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		run_cmd nettest -6 -D -s -2 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Device server"
	done

	a=${NSA_LO_IP6}
	log_start
	run_cmd nettest -6 -D -s -2 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -6 -D -r ${a}
	log_test_addr ${a} $? 0 "Global server"

	# should fail since loopback address is out of scope for a device
	# bound server, but it does not - hence this is more documenting
	# behavior.
	#log_start
	#show_hint "Should fail since loopback address is out of scope"
	#run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
	#sleep 1
	#run_cmd_nsb nettest -6 -D -r ${a}
	#log_test_addr ${a} $?
1 "Device server" 2913 2914 # negative test - should fail 2915 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} 2916 do 2917 log_start 2918 show_hint "Should fail 'Connection refused' since there is no server" 2919 run_cmd_nsb nettest -6 -D -r ${a} 2920 log_test_addr ${a} $? 1 "No server" 2921 done 2922 2923 # 2924 # client 2925 # 2926 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2927 do 2928 log_start 2929 run_cmd_nsb nettest -6 -D -s & 2930 sleep 1 2931 run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6} 2932 log_test_addr ${a} $? 0 "Client" 2933 2934 log_start 2935 run_cmd_nsb nettest -6 -D -s & 2936 sleep 1 2937 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6} 2938 log_test_addr ${a} $? 0 "Client, device bind" 2939 2940 log_start 2941 run_cmd_nsb nettest -6 -D -s & 2942 sleep 1 2943 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6} 2944 log_test_addr ${a} $? 0 "Client, device send via cmsg" 2945 2946 log_start 2947 run_cmd_nsb nettest -6 -D -s & 2948 sleep 1 2949 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6} 2950 log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF" 2951 2952 log_start 2953 show_hint "Should fail 'Connection refused'" 2954 run_cmd nettest -6 -D -r ${a} 2955 log_test_addr ${a} $? 1 "No server, unbound client" 2956 2957 log_start 2958 show_hint "Should fail 'Connection refused'" 2959 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 2960 log_test_addr ${a} $? 1 "No server, device client" 2961 done 2962 2963 # 2964 # local address tests 2965 # 2966 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 2967 do 2968 log_start 2969 run_cmd nettest -6 -D -s & 2970 sleep 1 2971 run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a} 2972 log_test_addr ${a} $? 0 "Global server, local connection" 2973 done 2974 2975 a=${NSA_IP6} 2976 log_start 2977 run_cmd nettest -6 -s -D -d ${NSA_DEV} -2 ${NSA_DEV} & 2978 sleep 1 2979 run_cmd nettest -6 -D -r ${a} 2980 log_test_addr ${a} $? 
0 "Device server, unbound client, local connection" 2981 2982 for a in ${NSA_LO_IP6} ::1 2983 do 2984 log_start 2985 show_hint "Should fail 'Connection refused' since address is out of device scope" 2986 run_cmd nettest -6 -s -D -d ${NSA_DEV} & 2987 sleep 1 2988 run_cmd nettest -6 -D -r ${a} 2989 log_test_addr ${a} $? 1 "Device server, local connection" 2990 done 2991 2992 a=${NSA_IP6} 2993 log_start 2994 run_cmd nettest -6 -s -D & 2995 sleep 1 2996 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 2997 log_test_addr ${a} $? 0 "Global server, device client, local connection" 2998 2999 log_start 3000 run_cmd nettest -6 -s -D & 3001 sleep 1 3002 run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a} 3003 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 3004 3005 log_start 3006 run_cmd nettest -6 -s -D & 3007 sleep 1 3008 run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a} 3009 log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection" 3010 3011 for a in ${NSA_LO_IP6} ::1 3012 do 3013 log_start 3014 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3015 run_cmd nettest -6 -D -s & 3016 sleep 1 3017 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} 3018 log_test_addr ${a} $? 1 "Global server, device client, local connection" 3019 3020 log_start 3021 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3022 run_cmd nettest -6 -D -s & 3023 sleep 1 3024 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C 3025 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 3026 3027 log_start 3028 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 3029 run_cmd nettest -6 -D -s & 3030 sleep 1 3031 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S 3032 log_test_addr ${a} $? 
1 "Global server, device client via IP_UNICAST_IF, local connection" 3033 done 3034 3035 a=${NSA_IP6} 3036 log_start 3037 run_cmd nettest -6 -D -s -d ${NSA_DEV} -2 ${NSA_DEV} & 3038 sleep 1 3039 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a} 3040 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3041 3042 log_start 3043 show_hint "Should fail 'Connection refused'" 3044 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3045 log_test_addr ${a} $? 1 "No server, device client, local conn" 3046 3047 # LLA to GUA 3048 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3049 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3050 log_start 3051 run_cmd nettest -6 -s -D & 3052 sleep 1 3053 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3054 log_test $? 0 "UDP in - LLA to GUA" 3055 3056 run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV} 3057 run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad 3058} 3059 3060ipv6_udp_vrf() 3061{ 3062 local a 3063 3064 # disable global server 3065 log_subsection "Global server disabled" 3066 set_sysctl net.ipv4.udp_l3mdev_accept=0 3067 3068 # 3069 # server tests 3070 # 3071 for a in ${NSA_IP6} ${VRF_IP6} 3072 do 3073 log_start 3074 show_hint "Should fail 'Connection refused' since global server is disabled" 3075 run_cmd nettest -6 -D -s & 3076 sleep 1 3077 run_cmd_nsb nettest -6 -D -r ${a} 3078 log_test_addr ${a} $? 1 "Global server" 3079 done 3080 3081 for a in ${NSA_IP6} ${VRF_IP6} 3082 do 3083 log_start 3084 run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} & 3085 sleep 1 3086 run_cmd_nsb nettest -6 -D -r ${a} 3087 log_test_addr ${a} $? 0 "VRF server" 3088 done 3089 3090 for a in ${NSA_IP6} ${VRF_IP6} 3091 do 3092 log_start 3093 run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} & 3094 sleep 1 3095 run_cmd_nsb nettest -6 -D -r ${a} 3096 log_test_addr ${a} $? 
0 "Enslaved device server" 3097 done 3098 3099 # negative test - should fail 3100 for a in ${NSA_IP6} ${VRF_IP6} 3101 do 3102 log_start 3103 show_hint "Should fail 'Connection refused' since there is no server" 3104 run_cmd_nsb nettest -6 -D -r ${a} 3105 log_test_addr ${a} $? 1 "No server" 3106 done 3107 3108 # 3109 # local address tests 3110 # 3111 for a in ${NSA_IP6} ${VRF_IP6} 3112 do 3113 log_start 3114 show_hint "Should fail 'Connection refused' since global server is disabled" 3115 run_cmd nettest -6 -D -s & 3116 sleep 1 3117 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3118 log_test_addr ${a} $? 1 "Global server, VRF client, local conn" 3119 done 3120 3121 for a in ${NSA_IP6} ${VRF_IP6} 3122 do 3123 log_start 3124 run_cmd nettest -6 -D -d ${VRF} -s & 3125 sleep 1 3126 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3127 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3128 done 3129 3130 a=${NSA_IP6} 3131 log_start 3132 show_hint "Should fail 'Connection refused' since global server is disabled" 3133 run_cmd nettest -6 -D -s & 3134 sleep 1 3135 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3136 log_test_addr ${a} $? 1 "Global server, device client, local conn" 3137 3138 log_start 3139 run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} & 3140 sleep 1 3141 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3142 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 3143 3144 log_start 3145 run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} & 3146 sleep 1 3147 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3148 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 3149 3150 log_start 3151 run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} & 3152 sleep 1 3153 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3154 log_test_addr ${a} $? 
0 "Enslaved device server, device client, local conn" 3155 3156 # disable global server 3157 log_subsection "Global server enabled" 3158 set_sysctl net.ipv4.udp_l3mdev_accept=1 3159 3160 # 3161 # server tests 3162 # 3163 for a in ${NSA_IP6} ${VRF_IP6} 3164 do 3165 log_start 3166 run_cmd nettest -6 -D -s -2 ${NSA_DEV} & 3167 sleep 1 3168 run_cmd_nsb nettest -6 -D -r ${a} 3169 log_test_addr ${a} $? 0 "Global server" 3170 done 3171 3172 for a in ${NSA_IP6} ${VRF_IP6} 3173 do 3174 log_start 3175 run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} & 3176 sleep 1 3177 run_cmd_nsb nettest -6 -D -r ${a} 3178 log_test_addr ${a} $? 0 "VRF server" 3179 done 3180 3181 for a in ${NSA_IP6} ${VRF_IP6} 3182 do 3183 log_start 3184 run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} & 3185 sleep 1 3186 run_cmd_nsb nettest -6 -D -r ${a} 3187 log_test_addr ${a} $? 0 "Enslaved device server" 3188 done 3189 3190 # negative test - should fail 3191 for a in ${NSA_IP6} ${VRF_IP6} 3192 do 3193 log_start 3194 run_cmd_nsb nettest -6 -D -r ${a} 3195 log_test_addr ${a} $? 1 "No server" 3196 done 3197 3198 # 3199 # client tests 3200 # 3201 log_start 3202 run_cmd_nsb nettest -6 -D -s & 3203 sleep 1 3204 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3205 log_test $? 0 "VRF client" 3206 3207 # negative test - should fail 3208 log_start 3209 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} 3210 log_test $? 1 "No server, VRF client" 3211 3212 log_start 3213 run_cmd_nsb nettest -6 -D -s & 3214 sleep 1 3215 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3216 log_test $? 0 "Enslaved device client" 3217 3218 # negative test - should fail 3219 log_start 3220 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} 3221 log_test $? 1 "No server, enslaved device client" 3222 3223 # 3224 # local address tests 3225 # 3226 a=${NSA_IP6} 3227 log_start 3228 run_cmd nettest -6 -D -s -2 ${NSA_DEV} & 3229 sleep 1 3230 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3231 log_test_addr ${a} $? 
0 "Global server, VRF client, local conn" 3232 3233 #log_start 3234 run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} & 3235 sleep 1 3236 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3237 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3238 3239 3240 a=${VRF_IP6} 3241 log_start 3242 run_cmd nettest -6 -D -s -2 ${VRF} & 3243 sleep 1 3244 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3245 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 3246 3247 log_start 3248 run_cmd nettest -6 -D -d ${VRF} -s -2 ${VRF} & 3249 sleep 1 3250 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3251 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 3252 3253 # negative test - should fail 3254 for a in ${NSA_IP6} ${VRF_IP6} 3255 do 3256 log_start 3257 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3258 log_test_addr ${a} $? 1 "No server, VRF client, local conn" 3259 done 3260 3261 # device to global IP 3262 a=${NSA_IP6} 3263 log_start 3264 run_cmd nettest -6 -D -s -2 ${NSA_DEV} & 3265 sleep 1 3266 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3267 log_test_addr ${a} $? 0 "Global server, device client, local conn" 3268 3269 log_start 3270 run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} & 3271 sleep 1 3272 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3273 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 3274 3275 log_start 3276 run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} & 3277 sleep 1 3278 run_cmd nettest -6 -D -d ${VRF} -r ${a} 3279 log_test_addr ${a} $? 0 "Device server, VRF client, local conn" 3280 3281 log_start 3282 run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} & 3283 sleep 1 3284 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3285 log_test_addr ${a} $? 0 "Device server, device client, local conn" 3286 3287 log_start 3288 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} 3289 log_test_addr ${a} $? 
1 "No server, device client, local conn" 3290 3291 3292 # link local addresses 3293 log_start 3294 run_cmd nettest -6 -D -s & 3295 sleep 1 3296 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3297 log_test $? 0 "Global server, linklocal IP" 3298 3299 log_start 3300 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} 3301 log_test $? 1 "No server, linklocal IP" 3302 3303 3304 log_start 3305 run_cmd_nsb nettest -6 -D -s & 3306 sleep 1 3307 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3308 log_test $? 0 "Enslaved device client, linklocal IP" 3309 3310 log_start 3311 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} 3312 log_test $? 1 "No server, device client, peer linklocal IP" 3313 3314 3315 log_start 3316 run_cmd nettest -6 -D -s & 3317 sleep 1 3318 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3319 log_test $? 0 "Enslaved device client, local conn - linklocal IP" 3320 3321 log_start 3322 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} 3323 log_test $? 1 "No server, device client, local conn - linklocal IP" 3324 3325 # LLA to GUA 3326 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 3327 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} 3328 log_start 3329 run_cmd nettest -6 -s -D & 3330 sleep 1 3331 run_cmd_nsb nettest -6 -D -r ${NSA_IP6} 3332 log_test $? 
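0 "UDP in - LLA to GUA"

	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}

# Top-level IPv6/UDP run. The no-VRF tests run twice, with
# net.ipv4.udp_l3mdev_accept set to 0 and then to 1, followed by one run
# with a VRF.
ipv6_udp()
{
	# should not matter, but set to known state
	set_sysctl net.ipv4.udp_early_demux=1

	log_section "IPv6/UDP"
	log_subsection "No VRF"
	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv6_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv6_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_udp_vrf
}

################################################################################
# IPv6 address bind

# Bind tests without a VRF. Each case runs nettest in the foreground and
# compares its exit status with the expected value given to log_test_addr.
ipv6_addr_bind_novrf()
{
	# keep the loop variable out of the global scope, as the other
	# test functions in this file do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -d ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# tcp sockets
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. So this test passes
	# when it really should not.
	# The expected value 0 therefore records current kernel behaviour, not
	# the desired scoping; the test would start failing if the kernel
	# rejected such a bind.
	a=${NSA_LO_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
}

# Bind tests with a VRF. Binds to an address on loopback are expected to
# fail (rc 1) because, per the hints, that address is out of scope for the
# VRF and for a device in the VRF.
ipv6_addr_bind_vrf()
{
	# keep the loop variable out of the global scope, as the other
	# test functions in this file do
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -d ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -d ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -d ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"

	#
	# tcp sockets
	#
	# address on enslaved device is valid for the VRF or device in a VRF
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -l ${a} -d ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not
	a=${VRF_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $?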
0 "TCP socket bind to VRF address with device bind"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -6 -s -l ${a} -d ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"

}

# Top-level IPv6 bind run: the bind tests without a VRF, then with one.
ipv6_addr_bind()
{
	log_section "IPv6 address binds"

	log_subsection "No VRF"
	setup
	ipv6_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_addr_bind_vrf
}

################################################################################
# IPv6 runtime tests

# Run-time tests: delete the VRF device while sockets are in use.
#   $1 - description used as the prefix of every test name
#   $2 - extra nettest arguments, placed after -6
# Every case starts a server and a client in the background, deletes the VRF
# with "ip link del", and then passes the literal pair "0 0" to log_test or
# log_test_addr, so each result line is always OK and no nettest exit status
# is checked. What a run shows is that the script got past each deletion;
# presumably the aim is to expose a kernel crash or hang - TODO confirm.
# setup ${with_vrf} rebuilds the environment after a deletion; the last case
# does not call it.
ipv6_rt()
{
	local desc="$1"
	local varg="-6 $2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -d ${VRF} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -d ${NSA_DEV} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, enslaved device server"

		setup ${with_vrf}
	done

	#
	# client test
	#
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, enslaved device client"

	setup ${with_vrf}


	#
	# local address tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server, VRF client"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -d ${VRF} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server and client"

		setup ${with_vrf}
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, global server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -d ${VRF} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -d ${NSA_DEV} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, device server, device client"
}

# Delete the VRF while a background ${ping6} -f is running, once with the
# ping coming in from ns-B and once going out through the VRF. As in
# ipv6_rt, the results are logged with the fixed pair "0 0", so the ping
# exit status is not checked.
ipv6_ping_rt()
{
	local with_vrf="yes"
	local a

	a=${NSA_IP6}
	log_start
	run_cmd_nsb ${ping6} -f ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

	setup ${with_vrf}

	log_start
	run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
	sleep 1
	run_cmd ip link del ${VRF}
	sleep 1
	# NOTE(review): a is still ${NSA_IP6} here although this ping targets
	# ${NSB_IP6}, so the logged address is the ns-A one - confirm intended
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

# Top-level run-time run. setup "yes" is called before every group because
# each group ends with the VRF deleted.
ipv6_runtime()
{
	log_section "Run time tests - ipv6"

	setup "yes"
	ipv6_ping_rt

	setup "yes"
	ipv6_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv6_rt "TCP passive socket" "-i"

	setup "yes"
	ipv6_rt "UDP active socket" "-D -n -1"
}

################################################################################
# netfilter blocking connections

# IPv4 TCP from ns-B to a global server on ns-A, for the ns-A address and the
# VRF address. The client is expected to exit 1; per the test name the
# connection is rejected with a TCP reset. The rule that does the rejecting
# is not installed here - presumably the caller sets it up.
netfilter_tcp_reset()
{
	local a

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

netfilter_icmp()
{
	local stype="$1"
	local arg
	local a

	[ "${stype}" = "UDP" ] && arg="-D"

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${arg} -s &
		sleep 1
		run_cmd_nsb nettest ${arg} -r ${a}
		log_test_addr ${a} $?
1 "Global ${stype} server, Rx reject icmp-port-unreach" 3693 done 3694} 3695 3696ipv4_netfilter() 3697{ 3698 log_section "IPv4 Netfilter" 3699 log_subsection "TCP reset" 3700 3701 setup "yes" 3702 run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset 3703 3704 netfilter_tcp_reset 3705 3706 log_start 3707 log_subsection "ICMP unreachable" 3708 3709 log_start 3710 run_cmd iptables -F 3711 run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable 3712 run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable 3713 3714 netfilter_icmp "TCP" 3715 netfilter_icmp "UDP" 3716 3717 log_start 3718 iptables -F 3719} 3720 3721netfilter_tcp6_reset() 3722{ 3723 local a 3724 3725 for a in ${NSA_IP6} ${VRF_IP6} 3726 do 3727 log_start 3728 run_cmd nettest -6 -s & 3729 sleep 1 3730 run_cmd_nsb nettest -6 -r ${a} 3731 log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx" 3732 done 3733} 3734 3735netfilter_icmp6() 3736{ 3737 local stype="$1" 3738 local arg 3739 local a 3740 3741 [ "${stype}" = "UDP" ] && arg="$arg -D" 3742 3743 for a in ${NSA_IP6} ${VRF_IP6} 3744 do 3745 log_start 3746 run_cmd nettest -6 -s ${arg} & 3747 sleep 1 3748 run_cmd_nsb nettest -6 ${arg} -r ${a} 3749 log_test_addr ${a} $? 
1 "Global ${stype} server, Rx reject icmp-port-unreach" 3750 done 3751} 3752 3753ipv6_netfilter() 3754{ 3755 log_section "IPv6 Netfilter" 3756 log_subsection "TCP reset" 3757 3758 setup "yes" 3759 run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset 3760 3761 netfilter_tcp6_reset 3762 3763 log_subsection "ICMP unreachable" 3764 3765 log_start 3766 run_cmd ip6tables -F 3767 run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable 3768 run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable 3769 3770 netfilter_icmp6 "TCP" 3771 netfilter_icmp6 "UDP" 3772 3773 log_start 3774 ip6tables -F 3775} 3776 3777################################################################################ 3778# specific use cases 3779 3780# VRF only. 3781# ns-A device enslaved to bridge. Verify traffic with and without 3782# br_netfilter module loaded. Repeat with SVI on bridge. 3783use_case_br() 3784{ 3785 setup "yes" 3786 3787 setup_cmd ip link set ${NSA_DEV} down 3788 setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24 3789 setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64 3790 3791 setup_cmd ip link add br0 type bridge 3792 setup_cmd ip addr add dev br0 ${NSA_IP}/24 3793 setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad 3794 3795 setup_cmd ip li set ${NSA_DEV} master br0 3796 setup_cmd ip li set ${NSA_DEV} up 3797 setup_cmd ip li set br0 up 3798 setup_cmd ip li set br0 vrf ${VRF} 3799 3800 rmmod br_netfilter 2>/dev/null 3801 sleep 5 # DAD 3802 3803 run_cmd ip neigh flush all 3804 run_cmd ping -c1 -w1 -I br0 ${NSB_IP} 3805 log_test $? 0 "Bridge into VRF - IPv4 ping out" 3806 3807 run_cmd ip neigh flush all 3808 run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6} 3809 log_test $? 0 "Bridge into VRF - IPv6 ping out" 3810 3811 run_cmd ip neigh flush all 3812 run_cmd_nsb ping -c1 -w1 ${NSA_IP} 3813 log_test $? 
0 "Bridge into VRF - IPv4 ping in" 3814 3815 run_cmd ip neigh flush all 3816 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 3817 log_test $? 0 "Bridge into VRF - IPv6 ping in" 3818 3819 modprobe br_netfilter 3820 if [ $? -eq 0 ]; then 3821 run_cmd ip neigh flush all 3822 run_cmd ping -c1 -w1 -I br0 ${NSB_IP} 3823 log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out" 3824 3825 run_cmd ip neigh flush all 3826 run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6} 3827 log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out" 3828 3829 run_cmd ip neigh flush all 3830 run_cmd_nsb ping -c1 -w1 ${NSA_IP} 3831 log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in" 3832 3833 run_cmd ip neigh flush all 3834 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 3835 log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in" 3836 fi 3837 3838 setup_cmd ip li set br0 nomaster 3839 setup_cmd ip li add br0.100 link br0 type vlan id 100 3840 setup_cmd ip li set br0.100 vrf ${VRF} up 3841 setup_cmd ip addr add dev br0.100 172.16.101.1/24 3842 setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad 3843 3844 setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100 3845 setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24 3846 setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad 3847 setup_cmd_nsb ip li set vlan100 up 3848 sleep 1 3849 3850 rmmod br_netfilter 2>/dev/null 3851 3852 run_cmd ip neigh flush all 3853 run_cmd ping -c1 -w1 -I br0.100 172.16.101.2 3854 log_test $? 0 "Bridge vlan into VRF - IPv4 ping out" 3855 3856 run_cmd ip neigh flush all 3857 run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2 3858 log_test $? 0 "Bridge vlan into VRF - IPv6 ping out" 3859 3860 run_cmd ip neigh flush all 3861 run_cmd_nsb ping -c1 -w1 172.16.101.1 3862 log_test $? 0 "Bridge vlan into VRF - IPv4 ping in" 3863 3864 run_cmd ip neigh flush all 3865 run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1 3866 log_test $? 
0 "Bridge vlan into VRF - IPv6 ping in" 3867 3868 modprobe br_netfilter 3869 if [ $? -eq 0 ]; then 3870 run_cmd ip neigh flush all 3871 run_cmd ping -c1 -w1 -I br0.100 172.16.101.2 3872 log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out" 3873 3874 run_cmd ip neigh flush all 3875 run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2 3876 log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out" 3877 3878 run_cmd ip neigh flush all 3879 run_cmd_nsb ping -c1 -w1 172.16.101.1 3880 log_test $? 0 "Bridge vlan into VRF - IPv4 ping in" 3881 3882 run_cmd ip neigh flush all 3883 run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1 3884 log_test $? 0 "Bridge vlan into VRF - IPv6 ping in" 3885 fi 3886 3887 setup_cmd ip li del br0 2>/dev/null 3888 setup_cmd_nsb ip li del vlan100 2>/dev/null 3889} 3890 3891# VRF only. 3892# ns-A device is connected to both ns-B and ns-C on a single VRF but only has 3893# LLA on the interfaces 3894use_case_ping_lla_multi() 3895{ 3896 setup_lla_only 3897 # only want reply from ns-A 3898 setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1 3899 setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1 3900 3901 log_start 3902 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV} 3903 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B" 3904 3905 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV} 3906 log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C" 3907 3908 # cycle/flap the first ns-A interface 3909 setup_cmd ip link set ${NSA_DEV} down 3910 setup_cmd ip link set ${NSA_DEV} up 3911 sleep 1 3912 3913 log_start 3914 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV} 3915 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B" 3916 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV} 3917 log_test_addr ${MCAST}%${NSC_DEV} $? 
0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C" 3918 3919 # cycle/flap the second ns-A interface 3920 setup_cmd ip link set ${NSA_DEV2} down 3921 setup_cmd ip link set ${NSA_DEV2} up 3922 sleep 1 3923 3924 log_start 3925 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV} 3926 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B" 3927 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV} 3928 log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C" 3929} 3930 3931use_cases() 3932{ 3933 log_section "Use cases" 3934 log_subsection "Device enslaved to bridge" 3935 use_case_br 3936 log_subsection "Ping LLA with multiple interfaces" 3937 use_case_ping_lla_multi 3938} 3939 3940################################################################################ 3941# usage 3942 3943usage() 3944{ 3945 cat <<EOF 3946usage: ${0##*/} OPTS 3947 3948 -4 IPv4 tests only 3949 -6 IPv6 tests only 3950 -t <test> Test name/set to run 3951 -p Pause on fail 3952 -P Pause after each test 3953 -v Be verbose 3954EOF 3955} 3956 3957################################################################################ 3958# main 3959 3960TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter" 3961TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter" 3962TESTS_OTHER="use_cases" 3963 3964PAUSE_ON_FAIL=no 3965PAUSE=no 3966 3967while getopts :46t:pPvh o 3968do 3969 case $o in 3970 4) TESTS=ipv4;; 3971 6) TESTS=ipv6;; 3972 t) TESTS=$OPTARG;; 3973 p) PAUSE_ON_FAIL=yes;; 3974 P) PAUSE=yes;; 3975 v) VERBOSE=1;; 3976 h) usage; exit 0;; 3977 *) usage; exit 1;; 3978 esac 3979done 3980 3981# make sure we don't pause twice 3982[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no 3983 3984# 3985# show user test config 3986# 3987if [ -z "$TESTS" ]; then 3988 TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER" 3989elif [ "$TESTS" = "ipv4" ]; then 3990 TESTS="$TESTS_IPV4" 3991elif [ "$TESTS" = "ipv6" ]; then 3992 TESTS="$TESTS_IPV6" 3993fi 
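# Every test drives the 'nettest' helper; without it there is nothing to run.
if ! command -v nettest >/dev/null; then
	echo "'nettest' command not found; skipping tests"
	exit 0
fi

# Result counters, incremented by log_test.
declare -i nfail=0
declare -i nsuccess=0

# $TESTS is a space separated list, so the unquoted expansion is intended.
# Names are matched against this fixed list only; a name that matches
# nothing is reported rather than silently ignored, so a typo in -t does
# not look like a clean run.
for t in $TESTS
do
	case $t in
	ipv4_ping|ping)  ipv4_ping;;
	ipv4_tcp|tcp)    ipv4_tcp;;
	ipv4_udp|udp)    ipv4_udp;;
	ipv4_bind|bind)  ipv4_addr_bind;;
	ipv4_runtime)    ipv4_runtime;;
	ipv4_netfilter)  ipv4_netfilter;;

	ipv6_ping|ping6) ipv6_ping;;
	ipv6_tcp|tcp6)   ipv6_tcp;;
	ipv6_udp|udp6)   ipv6_udp;;
	ipv6_bind|bind6) ipv6_addr_bind;;
	ipv6_runtime)    ipv6_runtime;;
	ipv6_netfilter)  ipv6_netfilter;;

	use_cases)       use_cases;;

	# setup namespaces and config, but do not run any tests
	setup)		 setup; exit 0;;
	vrf_setup)	 setup "yes"; exit 0;;

	# list the selectable test names; $TESTS itself only holds what the
	# user passed (here "help"), so print the defined sets instead
	help)            echo "Test names: $TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"; exit 0;;

	*)               echo "Unknown test '${t}'; skipping" >&2;;
	esac
done

cleanup 2>/dev/null

printf "\nTests passed: %3d\n" ${nsuccess}
printf "Tests failed: %3d\n" ${nfail}

# Report failures through the exit status so an automated runner does not
# record a failing run as a pass.
if [ ${nfail} -ne 0 ]; then
	exit 1
fi

exit 0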