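#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
#
# IPv4 and IPv6 functional tests focusing on VRF and routing lookups
# for various permutations:
#   1. icmp, tcp, udp and netfilter
#   2. client, server, no-server
#   3. global address on interface
#   4. global address on 'lo'
#   5. remote and local traffic
#   6. VRF and non-VRF permutations
#
# Setup:
#                     ns-A     |     ns-B
# No VRF case:
#    [ lo ]         [ eth1 ]---|---[ eth1 ]      [ lo ]
#                                                remote address
# VRF case:
#         [ red ]---[ eth1 ]---|---[ eth1 ]      [ lo ]
#
# ns-A:
#     eth1: 172.16.1.1/24, 2001:db8:1::1/64
#       lo: 127.0.0.1/8, ::1/128
#           172.16.2.1/32, 2001:db8:2::1/128
#      red: 127.0.0.1/8, ::1/128
#           172.16.3.1/32, 2001:db8:3::1/128
#
# ns-B:
#     eth1: 172.16.1.2/24, 2001:db8:1::2/64
#      lo2: 127.0.0.1/8, ::1/128
#           172.16.2.2/32, 2001:db8:2::2/128
#
# ns-A to ns-C connection - only for VRF and same config
# as ns-A to ns-B
#
# server / client nomenclature relative to ns-A

VERBOSE=0

NSA_DEV=eth1
NSA_DEV2=eth2
NSB_DEV=eth1
NSC_DEV=eth2
VRF=red
VRF_TABLE=1101

# IPv4 config
NSA_IP=172.16.1.1
NSB_IP=172.16.1.2
VRF_IP=172.16.3.1
NS_NET=172.16.1.0/24

# IPv6 config
NSA_IP6=2001:db8:1::1
NSB_IP6=2001:db8:1::2
VRF_IP6=2001:db8:3::1
NS_NET6=2001:db8:1::/120

NSA_LO_IP=172.16.2.1
NSB_LO_IP=172.16.2.2
NSA_LO_IP6=2001:db8:2::1
NSB_LO_IP6=2001:db8:2::2

# Fixture passwords for the TCP MD5 tests; they are handed to nettest
# with -M on its command line.
MD5_PW=abc123
MD5_WRONG_PW=abc1234

MCAST=ff02::1
# set after namespace create
NSA_LINKIP6=
NSB_LINKIP6=

NSA=ns-A
NSB=ns-B
NSC=ns-C

NSA_CMD="ip netns exec ${NSA}"
NSB_CMD="ip netns exec ${NSB}"
NSC_CMD="ip netns exec ${NSC}"

# Prefer a dedicated ping6 binary and fall back to ping.  'command -v' is a
# shell builtin, so the lookup does not depend on 'which' being installed.
if command -v ping6 >/dev/null 2>&1; then
	ping6=$(command -v ping6)
else
	ping6=$(command -v ping)
fi

################################################################################
# utilities

# Record one test result and print a TEST line.
# Globals:   nsuccess / nfail (incremented), VERBOSE, PAUSE_ON_FAIL, PAUSE (read)
# Arguments: $1 - actual exit status
#            $2 - expected exit status
#            $3 - test description
# Exits with status 1 if the operator answers 'q' at a pause prompt.
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"
	# The prompt answer must be local: callers keep their loop address in a
	# variable named 'a', and with bash dynamic scoping a bare 'read a' here
	# overwrote it whenever a pause prompt was shown.
	local ans

	[ "${VERBOSE}" = "1" ] && echo

	if [ "${rc}" -eq "${expected}" ]; then
		nsuccess=$((nsuccess+1))
		printf "TEST: %-70s [ OK ]\n" "${msg}"
	else
		nfail=$((nfail+1))
		printf "TEST: %-70s [FAIL]\n" "${msg}"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue, 'q' to quit"
			read -r ans
			[ "$ans" = "q" ] && exit 1
		fi
	fi

	if [ "${PAUSE}" = "yes" ]; then
		echo
		echo "hit enter to continue, 'q' to quit"
		read -r ans
		[ "$ans" = "q" ] && exit 1
	fi

	# stop any server/client left running by the test just logged
	kill_procs
}

# Same as log_test, with the description suffixed by a readable name for
# the address under test.
# Arguments: $1 - address, $2 - actual status, $3 - expected status,
#            $4 - test description
log_test_addr()
{
	local addr=$1
	local rc=$2
	local expected=$3
	local msg="$4"
	local astr

	astr=$(addr2str "${addr}")
	log_test "$rc" "$expected" "$msg - ${astr}"
}

# Print a top-level section banner.
log_section()
{
	echo
	echo "###########################################################################"
	echo "$*"
	echo "###########################################################################"
	echo
}

# Print a subsection banner.
log_subsection()
{
	echo
	echo "#################################################################"
	echo "$*"
	echo
}

# Prepare for one test case: stop leftover processes and, in verbose mode,
# print a separator.
log_start()
{
	# make sure we have no test instances running
	kill_procs

	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "#######################################################"
	fi
}

# Print a message only when VERBOSE=1.
log_debug()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo
		echo "$*"
		echo
	fi
}

# Print a HINT line (what the operator should expect) only when VERBOSE=1.
show_hint()
{
	if [ "${VERBOSE}" = "1" ]; then
		echo "HINT: $*"
		echo
	fi
}

# Stop every nettest/ping/ping6 process, then wait a second.
# NOTE: killall selects by process name only; it is not limited to the test
# namespaces, so unrelated ping or nettest processes the caller is allowed
# to signal are terminated as well.
kill_procs()
{
	killall nettest ping ping6 >/dev/null 2>&1
	sleep 1
}

# Run a command line, capturing stdout and stderr together, and return its
# exit status.  The captured output is printed only when VERBOSE=1.
#
# The arguments are flattened into one string and split again on whitespace
# when executed, so an argument that itself contains whitespace reaches the
# command as several words.
# NOTE(review): this affects any caller that passes a quoted multi-word
# value (a sysctl assignment with a space in its value, for instance).
#
# 'rc' is not declared local: the status is written to whichever 'rc' is in
# dynamic scope (a caller's local, else the global).
do_run_cmd()
{
	local cmd="$*"
	local out

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: ${cmd}"
	fi

	# shellcheck disable=SC2086 # word splitting is how cmd becomes argv
	out=$($cmd 2>&1)
	rc=$?
	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		echo "$out"
	fi

	return $rc
}

# Run a command inside ns-A.
run_cmd()
{
	do_run_cmd ${NSA_CMD} $*
}

# Run a command inside ns-B.
run_cmd_nsb()
{
	do_run_cmd ${NSB_CMD} $*
}

# Run a command inside ns-C.
run_cmd_nsc()
{
	do_run_cmd ${NSC_CMD} $*
}

# Report a failed setup command and terminate the script with its status.
# Arguments: $1 - the command line as one string, $2 - its exit status
_setup_cmd_failed()
{
	local cmd="$1"
	local rc=$2
	local ans

	# show user the command if not done so already
	if [ "$VERBOSE" = "0" ]; then
		echo "setup command: $cmd"
	fi
	echo "failed. stopping tests"
	if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
		echo
		echo "hit enter to continue"
		read -r ans
	fi
	exit "$rc"
}

# Run a configuration command in ns-A; any failure stops the whole run,
# because later results would be meaningless.
setup_cmd()
{
	local cmd="$*"
	local rc

	run_cmd ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		_setup_cmd_failed "$cmd" $rc
	fi
}

# Run a configuration command in ns-B; any failure stops the whole run.
setup_cmd_nsb()
{
	local cmd="$*"
	local rc

	run_cmd_nsb ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		_setup_cmd_failed "$cmd" $rc
	fi
}

# Run a configuration command in ns-C; any failure stops the whole run.
setup_cmd_nsc()
{
	local cmd="$*"
	local rc

	run_cmd_nsc ${cmd}
	rc=$?
	if [ $rc -ne 0 ]; then
		_setup_cmd_failed "$cmd" $rc
	fi
}

# set sysctl values in NS-A
# The assignment is echoed first, then passed to 'sysctl -q -w' through
# run_cmd, so it is subject to the same whitespace splitting as any other
# run_cmd argument.
set_sysctl()
{
	echo "SYSCTL: $*"
	echo
	run_cmd sysctl -q -w $*
}

################################################################################
# Setup for tests

# Map a test address to the label used in TEST lines.
# NSA_LINKIP6 and NSB_LINKIP6 are empty until a setup function fills them
# in; while they are empty, an empty argument matches the ns-A LLA arm.
addr2str()
{
	case "$1" in
	127.0.0.1) echo "loopback";;
	::1) echo "IPv6 loopback";;

	"${NSA_IP}") echo "ns-A IP";;
	"${NSA_IP6}") echo "ns-A IPv6";;
	"${NSA_LO_IP}") echo "ns-A loopback IP";;
	"${NSA_LO_IP6}") echo "ns-A loopback IPv6";;
	"${NSA_LINKIP6}"|"${NSA_LINKIP6}"%*) echo "ns-A IPv6 LLA";;

	"${NSB_IP}") echo "ns-B IP";;
	"${NSB_IP6}") echo "ns-B IPv6";;
	"${NSB_LO_IP}") echo "ns-B loopback IP";;
	"${NSB_LO_IP6}") echo "ns-B loopback IPv6";;
	"${NSB_LINKIP6}"|"${NSB_LINKIP6}"%*) echo "ns-B IPv6 LLA";;

	"${VRF_IP}") echo "VRF IP";;
	"${VRF_IP6}") echo "VRF IPv6";;

	"${MCAST}"%*) echo "multicast IP";;

	*) echo "unknown";;
	esac
}

# Print the fe80 link-local address of a device, without its prefix length.
# Arguments: $1 - namespace, $2 - device
# Returns:   1 if the device has no fe80 address, 0 otherwise
get_linklocal()
{
	local ns=$1
	local dev=$2
	local addr

	addr=$(ip -netns "${ns}" -6 -br addr show dev "${dev}" | \
	awk '{
		for (i = 3; i <= NF; ++i) {
			if ($i ~ /^fe80/)
				print $i
		}
	}'
	)
	# drop everything from the first '/' on (the prefix length)
	addr=${addr/\/*}

	[ -z "$addr" ] && return 1

	echo "$addr"

	return 0
}

################################################################################
# create namespaces and vrf

# Create a VRF device in a namespace, give it loopback and optional global
# addresses, and move the 'local' rule from pref 0 to pref 32765.
# Arguments: $1 - namespace, $2 - VRF name, $3 - table id,
#            $4 - IPv4 address or "-", $5 - IPv6 address or "-"
create_vrf()
{
	local ns=$1
	local vrf=$2
	local table=$3
	local addr=$4
	local addr6=$5

	ip -netns ${ns} link add ${vrf} type vrf table ${table}
	ip -netns ${ns} link set ${vrf} up
	ip -netns ${ns} route add vrf ${vrf} unreachable default metric 8192
	ip -netns ${ns} -6 route add vrf ${vrf} unreachable default metric 8192

	ip -netns ${ns} addr add 127.0.0.1/8 dev ${vrf}
	ip -netns ${ns} -6 addr add ::1 dev ${vrf} nodad
	if [ "${addr}" != "-" ]; then
		ip -netns ${ns} addr add dev ${vrf} ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns ${ns} -6 addr add dev ${vrf} ${addr6}
	fi

	ip -netns ${ns} ru del pref 0
	ip -netns ${ns} ru add pref 32765 from all lookup local
	ip -netns ${ns} -6 ru del pref 0
	ip -netns ${ns} -6 ru add pref 32765 from all lookup local
}

# Create a namespace with 'lo' up, optional addresses on 'lo', an
# unreachable default route and forwarding enabled.
# Arguments: $1 - namespace, $2 - IPv4 address or "-", $3 - IPv6 address or "-"
create_ns()
{
	local ns=$1
	local addr=$2
	local addr6=$3

	ip netns add ${ns}

	ip -netns ${ns} link set lo up
	if [ "${addr}" != "-" ]; then
		ip -netns ${ns} addr add dev lo ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns ${ns} -6 addr add dev lo ${addr6}
	fi

	ip -netns ${ns} ro add unreachable default metric 8192
	ip -netns ${ns} -6 ro add unreachable default metric 8192

	ip netns exec ${ns} sysctl -qw net.ipv4.ip_forward=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.forwarding=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.forwarding=1
}

# create veth pair to connect namespaces and apply addresses.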
399connect_ns() 400{ 401 local ns1=$1 402 local ns1_dev=$2 403 local ns1_addr=$3 404 local ns1_addr6=$4 405 local ns2=$5 406 local ns2_dev=$6 407 local ns2_addr=$7 408 local ns2_addr6=$8 409 410 ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp 411 ip -netns ${ns1} li set ${ns1_dev} up 412 ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev} 413 ip -netns ${ns2} li set ${ns2_dev} up 414 415 if [ "${ns1_addr}" != "-" ]; then 416 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr} 417 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr} 418 fi 419 420 if [ "${ns1_addr6}" != "-" ]; then 421 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6} 422 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6} 423 fi 424} 425 426cleanup() 427{ 428 # explicit cleanups to check those code paths 429 ip netns | grep -q ${NSA} 430 if [ $? -eq 0 ]; then 431 ip -netns ${NSA} link delete ${VRF} 432 ip -netns ${NSA} ro flush table ${VRF_TABLE} 433 434 ip -netns ${NSA} addr flush dev ${NSA_DEV} 435 ip -netns ${NSA} -6 addr flush dev ${NSA_DEV} 436 ip -netns ${NSA} link set dev ${NSA_DEV} down 437 ip -netns ${NSA} link del dev ${NSA_DEV} 438 439 ip netns pids ${NSA} | xargs kill 2>/dev/null 440 ip netns del ${NSA} 441 fi 442 443 ip netns pids ${NSB} | xargs kill 2>/dev/null 444 ip netns del ${NSB} 445 ip netns pids ${NSC} | xargs kill 2>/dev/null 446 ip netns del ${NSC} >/dev/null 2>&1 447} 448 449cleanup_vrf_dup() 450{ 451 ip link del ${NSA_DEV2} >/dev/null 2>&1 452 ip netns pids ${NSC} | xargs kill 2>/dev/null 453 ip netns del ${NSC} >/dev/null 2>&1 454} 455 456setup_vrf_dup() 457{ 458 # some VRF tests use ns-C which has the same config as 459 # ns-B but for a device NOT in the VRF 460 create_ns ${NSC} "-" "-" 461 connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \ 462 ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 463} 464 465setup() 466{ 467 local with_vrf=${1} 468 469 # make sure we are starting with a clean slate 470 kill_procs 471 cleanup 2>/dev/null 472 473 
log_debug "Configuring network namespaces" 474 set -e 475 476 create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128 477 create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128 478 connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \ 479 ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 480 481 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 482 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 483 484 # tell ns-A how to get to remote addresses of ns-B 485 if [ "${with_vrf}" = "yes" ]; then 486 create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6} 487 488 ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF} 489 ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 490 ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 491 492 ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 493 ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 494 else 495 ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} 496 ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} 497 fi 498 499 500 # tell ns-B how to get to remote addresses of ns-A 501 ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV} 502 ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} 503 504 set +e 505 506 sleep 1 507} 508 509setup_lla_only() 510{ 511 # make sure we are starting with a clean slate 512 kill_procs 513 cleanup 2>/dev/null 514 515 log_debug "Configuring network namespaces" 516 set -e 517 518 create_ns ${NSA} "-" "-" 519 create_ns ${NSB} "-" "-" 520 create_ns ${NSC} "-" "-" 521 connect_ns ${NSA} ${NSA_DEV} "-" "-" \ 522 ${NSB} ${NSB_DEV} "-" "-" 523 connect_ns ${NSA} ${NSA_DEV2} "-" "-" \ 524 ${NSC} ${NSC_DEV} "-" "-" 525 526 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) 527 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) 528 NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV}) 529 530 create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-" 531 ip -netns ${NSA} link 
set dev ${NSA_DEV} vrf ${VRF} 532 ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF} 533 534 set +e 535 536 sleep 1 537} 538 539################################################################################ 540# IPv4 541 542ipv4_ping_novrf() 543{ 544 local a 545 546 # 547 # out 548 # 549 for a in ${NSB_IP} ${NSB_LO_IP} 550 do 551 log_start 552 run_cmd ping -c1 -w1 ${a} 553 log_test_addr ${a} $? 0 "ping out" 554 555 log_start 556 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 557 log_test_addr ${a} $? 0 "ping out, device bind" 558 559 log_start 560 run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a} 561 log_test_addr ${a} $? 0 "ping out, address bind" 562 done 563 564 # 565 # in 566 # 567 for a in ${NSA_IP} ${NSA_LO_IP} 568 do 569 log_start 570 run_cmd_nsb ping -c1 -w1 ${a} 571 log_test_addr ${a} $? 0 "ping in" 572 done 573 574 # 575 # local traffic 576 # 577 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 578 do 579 log_start 580 run_cmd ping -c1 -w1 ${a} 581 log_test_addr ${a} $? 0 "ping local" 582 done 583 584 # 585 # local traffic, socket bound to device 586 # 587 # address on device 588 a=${NSA_IP} 589 log_start 590 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 591 log_test_addr ${a} $? 0 "ping local, device bind" 592 593 # loopback addresses not reachable from device bind 594 # fails in a really weird way though because ipv4 special cases 595 # route lookups with oif set. 596 for a in ${NSA_LO_IP} 127.0.0.1 597 do 598 log_start 599 show_hint "Fails since address on loopback device is out of device scope" 600 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 601 log_test_addr ${a} $? 
1 "ping local, device bind" 602 done 603 604 # 605 # ip rule blocks reachability to remote address 606 # 607 log_start 608 setup_cmd ip rule add pref 32765 from all lookup local 609 setup_cmd ip rule del pref 0 from all lookup local 610 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 611 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 612 613 a=${NSB_LO_IP} 614 run_cmd ping -c1 -w1 ${a} 615 log_test_addr ${a} $? 2 "ping out, blocked by rule" 616 617 # NOTE: ipv4 actually allows the lookup to fail and yet still create 618 # a viable rtable if the oif (e.g., bind to device) is set, so this 619 # case succeeds despite the rule 620 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 621 622 a=${NSA_LO_IP} 623 log_start 624 show_hint "Response generates ICMP (or arp request is ignored) due to ip rule" 625 run_cmd_nsb ping -c1 -w1 ${a} 626 log_test_addr ${a} $? 1 "ping in, blocked by rule" 627 628 [ "$VERBOSE" = "1" ] && echo 629 setup_cmd ip rule del pref 32765 from all lookup local 630 setup_cmd ip rule add pref 0 from all lookup local 631 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 632 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 633 634 # 635 # route blocks reachability to remote address 636 # 637 log_start 638 setup_cmd ip route replace unreachable ${NSB_LO_IP} 639 setup_cmd ip route replace unreachable ${NSB_IP} 640 641 a=${NSB_LO_IP} 642 run_cmd ping -c1 -w1 ${a} 643 log_test_addr ${a} $? 2 "ping out, blocked by route" 644 645 # NOTE: ipv4 actually allows the lookup to fail and yet still create 646 # a viable rtable if the oif (e.g., bind to device) is set, so this 647 # case succeeds despite not having a route for the address 648 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 649 650 a=${NSA_LO_IP} 651 log_start 652 show_hint "Response is dropped (or arp request is ignored) due to ip route" 653 run_cmd_nsb ping -c1 -w1 ${a} 654 log_test_addr ${a} $? 
1 "ping in, blocked by route" 655 656 # 657 # remove 'remote' routes; fallback to default 658 # 659 log_start 660 setup_cmd ip ro del ${NSB_LO_IP} 661 662 a=${NSB_LO_IP} 663 run_cmd ping -c1 -w1 ${a} 664 log_test_addr ${a} $? 2 "ping out, unreachable default route" 665 666 # NOTE: ipv4 actually allows the lookup to fail and yet still create 667 # a viable rtable if the oif (e.g., bind to device) is set, so this 668 # case succeeds despite not having a route for the address 669 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 670} 671 672ipv4_ping_vrf() 673{ 674 local a 675 676 # should default on; does not exist on older kernels 677 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 678 679 # 680 # out 681 # 682 for a in ${NSB_IP} ${NSB_LO_IP} 683 do 684 log_start 685 run_cmd ping -c1 -w1 -I ${VRF} ${a} 686 log_test_addr ${a} $? 0 "ping out, VRF bind" 687 688 log_start 689 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 690 log_test_addr ${a} $? 0 "ping out, device bind" 691 692 log_start 693 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a} 694 log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind" 695 696 log_start 697 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a} 698 log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind" 699 done 700 701 # 702 # in 703 # 704 for a in ${NSA_IP} ${VRF_IP} 705 do 706 log_start 707 run_cmd_nsb ping -c1 -w1 ${a} 708 log_test_addr ${a} $? 0 "ping in" 709 done 710 711 # 712 # local traffic, local address 713 # 714 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 715 do 716 log_start 717 show_hint "Source address should be ${a}" 718 run_cmd ping -c1 -w1 -I ${VRF} ${a} 719 log_test_addr ${a} $? 0 "ping local, VRF bind" 720 done 721 722 # 723 # local traffic, socket bound to device 724 # 725 # address on device 726 a=${NSA_IP} 727 log_start 728 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 729 log_test_addr ${a} $? 
0 "ping local, device bind" 730 731 # vrf device is out of scope 732 for a in ${VRF_IP} 127.0.0.1 733 do 734 log_start 735 show_hint "Fails since address on vrf device is out of device scope" 736 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 737 log_test_addr ${a} $? 1 "ping local, device bind" 738 done 739 740 # 741 # ip rule blocks address 742 # 743 log_start 744 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit 745 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit 746 747 a=${NSB_LO_IP} 748 run_cmd ping -c1 -w1 -I ${VRF} ${a} 749 log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule" 750 751 log_start 752 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 753 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 754 755 a=${NSA_LO_IP} 756 log_start 757 show_hint "Response lost due to ip rule" 758 run_cmd_nsb ping -c1 -w1 ${a} 759 log_test_addr ${a} $? 1 "ping in, blocked by rule" 760 761 [ "$VERBOSE" = "1" ] && echo 762 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit 763 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit 764 765 # 766 # remove 'remote' routes; fallback to default 767 # 768 log_start 769 setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP} 770 771 a=${NSB_LO_IP} 772 run_cmd ping -c1 -w1 -I ${VRF} ${a} 773 log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route" 774 775 log_start 776 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} 777 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 778 779 a=${NSA_LO_IP} 780 log_start 781 show_hint "Response lost by unreachable route" 782 run_cmd_nsb ping -c1 -w1 ${a} 783 log_test_addr ${a} $? 
1 "ping in, unreachable route" 784} 785 786ipv4_ping() 787{ 788 log_section "IPv4 ping" 789 790 log_subsection "No VRF" 791 setup 792 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null 793 ipv4_ping_novrf 794 setup 795 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 796 ipv4_ping_novrf 797 setup 798 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 799 ipv4_ping_novrf 800 801 log_subsection "With VRF" 802 setup "yes" 803 ipv4_ping_vrf 804 setup "yes" 805 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 806 ipv4_ping_vrf 807} 808 809################################################################################ 810# IPv4 TCP 811 812# 813# MD5 tests without VRF 814# 815ipv4_tcp_md5_novrf() 816{ 817 # 818 # single address 819 # 820 821 # basic use case 822 log_start 823 run_cmd nettest -s -M ${MD5_PW} -r ${NSB_IP} & 824 sleep 1 825 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} 826 log_test $? 0 "MD5: Single address config" 827 828 # client sends MD5, server not configured 829 log_start 830 show_hint "Should timeout due to MD5 mismatch" 831 run_cmd nettest -s & 832 sleep 1 833 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} 834 log_test $? 2 "MD5: Server no config, client uses password" 835 836 # wrong password 837 log_start 838 show_hint "Should timeout since client uses wrong password" 839 run_cmd nettest -s -M ${MD5_PW} -r ${NSB_IP} & 840 sleep 1 841 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW} 842 log_test $? 2 "MD5: Client uses wrong password" 843 844 # client from different address 845 log_start 846 show_hint "Should timeout due to MD5 mismatch" 847 run_cmd nettest -s -M ${MD5_PW} -r ${NSB_LO_IP} & 848 sleep 1 849 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} 850 log_test $? 
2 "MD5: Client address does not match address configured with password" 851 852 # 853 # MD5 extension - prefix length 854 # 855 856 # client in prefix 857 log_start 858 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 859 sleep 1 860 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} 861 log_test $? 0 "MD5: Prefix config" 862 863 # client in prefix, wrong password 864 log_start 865 show_hint "Should timeout since client uses wrong password" 866 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 867 sleep 1 868 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW} 869 log_test $? 2 "MD5: Prefix config, client uses wrong password" 870 871 # client outside of prefix 872 log_start 873 show_hint "Should timeout due to MD5 mismatch" 874 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & 875 sleep 1 876 run_cmd_nsb nettest -l ${NSB_LO_IP} -r ${NSA_IP} -M ${MD5_PW} 877 log_test $? 2 "MD5: Prefix config, client address not in configured prefix" 878} 879 880# 881# MD5 tests with VRF 882# 883ipv4_tcp_md5() 884{ 885 # 886 # single address 887 # 888 889 # basic use case 890 log_start 891 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} & 892 sleep 1 893 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} 894 log_test $? 0 "MD5: VRF: Single address config" 895 896 # client sends MD5, server not configured 897 log_start 898 show_hint "Should timeout since server does not have MD5 auth" 899 run_cmd nettest -s -d ${VRF} & 900 sleep 1 901 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} 902 log_test $? 2 "MD5: VRF: Server no config, client uses password" 903 904 # wrong password 905 log_start 906 show_hint "Should timeout since client uses wrong password" 907 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} & 908 sleep 1 909 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW} 910 log_test $? 
2 "MD5: VRF: Client uses wrong password" 911 912 # client from different address 913 log_start 914 show_hint "Should timeout since server config differs from client" 915 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_LO_IP} & 916 sleep 1 917 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} 918 log_test $? 2 "MD5: VRF: Client address does not match address configured with password" 919 920 # 921 # MD5 extension - prefix length 922 # 923 924 # client in prefix 925 log_start 926 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} & 927 sleep 1 928 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} 929 log_test $? 0 "MD5: VRF: Prefix config" 930 931 # client in prefix, wrong password 932 log_start 933 show_hint "Should timeout since client uses wrong password" 934 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} & 935 sleep 1 936 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW} 937 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" 938 939 # client outside of prefix 940 log_start 941 show_hint "Should timeout since client address is outside of prefix" 942 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} & 943 sleep 1 944 run_cmd_nsb nettest -l ${NSB_LO_IP} -r ${NSA_IP} -M ${MD5_PW} 945 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" 946 947 # 948 # duplicate config between default VRF and a VRF 949 # 950 951 log_start 952 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} & 953 run_cmd nettest -s -M ${MD5_WRONG_PW} -r ${NSB_IP} & 954 sleep 1 955 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} 956 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" 957 958 log_start 959 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} & 960 run_cmd nettest -s -M ${MD5_WRONG_PW} -r ${NSB_IP} & 961 sleep 1 962 run_cmd_nsc nettest -r ${NSA_IP} -M ${MD5_WRONG_PW} 963 log_test $? 
0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" 964 965 log_start 966 show_hint "Should timeout since client in default VRF uses VRF password" 967 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} & 968 run_cmd nettest -s -M ${MD5_WRONG_PW} -r ${NSB_IP} & 969 sleep 1 970 run_cmd_nsc nettest -r ${NSA_IP} -M ${MD5_PW} 971 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" 972 973 log_start 974 show_hint "Should timeout since client in VRF uses default VRF password" 975 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} & 976 run_cmd nettest -s -M ${MD5_WRONG_PW} -r ${NSB_IP} & 977 sleep 1 978 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW} 979 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" 980 981 log_start 982 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} & 983 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 984 sleep 1 985 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} 986 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" 987 988 log_start 989 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} & 990 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 991 sleep 1 992 run_cmd_nsc nettest -r ${NSA_IP} -M ${MD5_WRONG_PW} 993 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" 994 995 log_start 996 show_hint "Should timeout since client in default VRF uses VRF password" 997 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} & 998 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 999 sleep 1 1000 run_cmd_nsc nettest -r ${NSA_IP} -M ${MD5_PW} 1001 log_test $? 
2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" 1002 1003 log_start 1004 show_hint "Should timeout since client in VRF uses default VRF password" 1005 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} & 1006 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & 1007 sleep 1 1008 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW} 1009 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" 1010 1011 # 1012 # negative tests 1013 # 1014 log_start 1015 run_cmd nettest -s -d ${NSA_DEV} -M ${MD5_PW} -r ${NSB_IP} 1016 log_test $? 1 "MD5: VRF: Device must be a VRF - single address" 1017 1018 log_start 1019 run_cmd nettest -s -d ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET} 1020 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" 1021 1022} 1023 1024ipv4_tcp_novrf() 1025{ 1026 local a 1027 1028 # 1029 # server tests 1030 # 1031 for a in ${NSA_IP} ${NSA_LO_IP} 1032 do 1033 log_start 1034 run_cmd nettest -s & 1035 sleep 1 1036 run_cmd_nsb nettest -r ${a} 1037 log_test_addr ${a} $? 0 "Global server" 1038 done 1039 1040 a=${NSA_IP} 1041 log_start 1042 run_cmd nettest -s -d ${NSA_DEV} & 1043 sleep 1 1044 run_cmd_nsb nettest -r ${a} 1045 log_test_addr ${a} $? 0 "Device server" 1046 1047 # verify TCP reset sent and received 1048 for a in ${NSA_IP} ${NSA_LO_IP} 1049 do 1050 log_start 1051 show_hint "Should fail 'Connection refused' since there is no server" 1052 run_cmd_nsb nettest -r ${a} 1053 log_test_addr ${a} $? 1 "No server" 1054 done 1055 1056 # 1057 # client 1058 # 1059 for a in ${NSB_IP} ${NSB_LO_IP} 1060 do 1061 log_start 1062 run_cmd_nsb nettest -s & 1063 sleep 1 1064 run_cmd nettest -r ${a} -0 ${NSA_IP} 1065 log_test_addr ${a} $? 0 "Client" 1066 1067 log_start 1068 run_cmd_nsb nettest -s & 1069 sleep 1 1070 run_cmd nettest -r ${a} -d ${NSA_DEV} 1071 log_test_addr ${a} $? 
0 "Client, device bind" 1072 1073 log_start 1074 show_hint "Should fail 'Connection refused'" 1075 run_cmd nettest -r ${a} 1076 log_test_addr ${a} $? 1 "No server, unbound client" 1077 1078 log_start 1079 show_hint "Should fail 'Connection refused'" 1080 run_cmd nettest -r ${a} -d ${NSA_DEV} 1081 log_test_addr ${a} $? 1 "No server, device client" 1082 done 1083 1084 # 1085 # local address tests 1086 # 1087 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1088 do 1089 log_start 1090 run_cmd nettest -s & 1091 sleep 1 1092 run_cmd nettest -r ${a} -0 ${a} -1 ${a} 1093 log_test_addr ${a} $? 0 "Global server, local connection" 1094 done 1095 1096 a=${NSA_IP} 1097 log_start 1098 run_cmd nettest -s -d ${NSA_DEV} & 1099 sleep 1 1100 run_cmd nettest -r ${a} -0 ${a} 1101 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 1102 1103 for a in ${NSA_LO_IP} 127.0.0.1 1104 do 1105 log_start 1106 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" 1107 run_cmd nettest -s -d ${NSA_DEV} & 1108 sleep 1 1109 run_cmd nettest -r ${a} 1110 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 1111 done 1112 1113 a=${NSA_IP} 1114 log_start 1115 run_cmd nettest -s & 1116 sleep 1 1117 run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV} 1118 log_test_addr ${a} $? 0 "Global server, device client, local connection" 1119 1120 for a in ${NSA_LO_IP} 127.0.0.1 1121 do 1122 log_start 1123 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" 1124 run_cmd nettest -s & 1125 sleep 1 1126 run_cmd nettest -r ${a} -d ${NSA_DEV} 1127 log_test_addr ${a} $? 1 "Global server, device client, local connection" 1128 done 1129 1130 a=${NSA_IP} 1131 log_start 1132 run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} & 1133 sleep 1 1134 run_cmd nettest -d ${NSA_DEV} -r ${a} -0 ${a} 1135 log_test_addr ${a} $? 
0 "Device server, device client, local connection" 1136 1137 log_start 1138 show_hint "Should fail 'Connection refused'" 1139 run_cmd nettest -d ${NSA_DEV} -r ${a} 1140 log_test_addr ${a} $? 1 "No server, device client, local conn" 1141 1142 ipv4_tcp_md5_novrf 1143} 1144 1145ipv4_tcp_vrf() 1146{ 1147 local a 1148 1149 # disable global server 1150 log_subsection "Global server disabled" 1151 1152 set_sysctl net.ipv4.tcp_l3mdev_accept=0 1153 1154 # 1155 # server tests 1156 # 1157 for a in ${NSA_IP} ${VRF_IP} 1158 do 1159 log_start 1160 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 1161 run_cmd nettest -s & 1162 sleep 1 1163 run_cmd_nsb nettest -r ${a} 1164 log_test_addr ${a} $? 1 "Global server" 1165 1166 log_start 1167 run_cmd nettest -s -d ${VRF} -2 ${VRF} & 1168 sleep 1 1169 run_cmd_nsb nettest -r ${a} 1170 log_test_addr ${a} $? 0 "VRF server" 1171 1172 log_start 1173 run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} & 1174 sleep 1 1175 run_cmd_nsb nettest -r ${a} 1176 log_test_addr ${a} $? 0 "Device server" 1177 1178 # verify TCP reset received 1179 log_start 1180 show_hint "Should fail 'Connection refused' since there is no server" 1181 run_cmd_nsb nettest -r ${a} 1182 log_test_addr ${a} $? 1 "No server" 1183 done 1184 1185 # local address tests 1186 # (${VRF_IP} and 127.0.0.1 both timeout) 1187 a=${NSA_IP} 1188 log_start 1189 show_hint "Should fail 'Connection refused' since global server with VRF is disabled" 1190 run_cmd nettest -s & 1191 sleep 1 1192 run_cmd nettest -r ${a} -d ${NSA_DEV} 1193 log_test_addr ${a} $? 
1 "Global server, local connection" 1194 1195 # run MD5 tests 1196 setup_vrf_dup 1197 ipv4_tcp_md5 1198 cleanup_vrf_dup 1199 1200 # 1201 # enable VRF global server 1202 # 1203 log_subsection "VRF Global server enabled" 1204 set_sysctl net.ipv4.tcp_l3mdev_accept=1 1205 1206 for a in ${NSA_IP} ${VRF_IP} 1207 do 1208 log_start 1209 show_hint "client socket should be bound to VRF" 1210 run_cmd nettest -s -2 ${VRF} & 1211 sleep 1 1212 run_cmd_nsb nettest -r ${a} 1213 log_test_addr ${a} $? 0 "Global server" 1214 1215 log_start 1216 show_hint "client socket should be bound to VRF" 1217 run_cmd nettest -s -d ${VRF} -2 ${VRF} & 1218 sleep 1 1219 run_cmd_nsb nettest -r ${a} 1220 log_test_addr ${a} $? 0 "VRF server" 1221 1222 # verify TCP reset received 1223 log_start 1224 show_hint "Should fail 'Connection refused'" 1225 run_cmd_nsb nettest -r ${a} 1226 log_test_addr ${a} $? 1 "No server" 1227 done 1228 1229 a=${NSA_IP} 1230 log_start 1231 show_hint "client socket should be bound to device" 1232 run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} & 1233 sleep 1 1234 run_cmd_nsb nettest -r ${a} 1235 log_test_addr ${a} $? 0 "Device server" 1236 1237 # local address tests 1238 for a in ${NSA_IP} ${VRF_IP} 1239 do 1240 log_start 1241 show_hint "Should fail 'Connection refused' since client is not bound to VRF" 1242 run_cmd nettest -s -d ${VRF} & 1243 sleep 1 1244 run_cmd nettest -r ${a} 1245 log_test_addr ${a} $? 1 "Global server, local connection" 1246 done 1247 1248 # 1249 # client 1250 # 1251 for a in ${NSB_IP} ${NSB_LO_IP} 1252 do 1253 log_start 1254 run_cmd_nsb nettest -s & 1255 sleep 1 1256 run_cmd nettest -r ${a} -d ${VRF} 1257 log_test_addr ${a} $? 0 "Client, VRF bind" 1258 1259 log_start 1260 run_cmd_nsb nettest -s & 1261 sleep 1 1262 run_cmd nettest -r ${a} -d ${NSA_DEV} 1263 log_test_addr ${a} $? 0 "Client, device bind" 1264 1265 log_start 1266 show_hint "Should fail 'Connection refused'" 1267 run_cmd nettest -r ${a} -d ${VRF} 1268 log_test_addr ${a} $? 
1 "No server, VRF client" 1269 1270 log_start 1271 show_hint "Should fail 'Connection refused'" 1272 run_cmd nettest -r ${a} -d ${NSA_DEV} 1273 log_test_addr ${a} $? 1 "No server, device client" 1274 done 1275 1276 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 1277 do 1278 log_start 1279 run_cmd nettest -s -d ${VRF} -2 ${VRF} & 1280 sleep 1 1281 run_cmd nettest -r ${a} -d ${VRF} -0 ${a} 1282 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" 1283 done 1284 1285 a=${NSA_IP} 1286 log_start 1287 run_cmd nettest -s -d ${VRF} -2 ${VRF} & 1288 sleep 1 1289 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a} 1290 log_test_addr ${a} $? 0 "VRF server, device client, local connection" 1291 1292 log_start 1293 show_hint "Should fail 'No route to host' since client is out of VRF scope" 1294 run_cmd nettest -s -d ${VRF} & 1295 sleep 1 1296 run_cmd nettest -r ${a} 1297 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection" 1298 1299 log_start 1300 run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} & 1301 sleep 1 1302 run_cmd nettest -r ${a} -d ${VRF} -0 ${a} 1303 log_test_addr ${a} $? 0 "Device server, VRF client, local connection" 1304 1305 log_start 1306 run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} & 1307 sleep 1 1308 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a} 1309 log_test_addr ${a} $? 
0 "Device server, device client, local connection"
}

# Entry point for the IPv4 TCP tests: after a plain setup it runs
# ipv4_tcp_novrf twice (tcp_l3mdev_accept=0, then =1); after setup "yes"
# it runs ipv4_tcp_vrf.
ipv4_tcp()
{
	log_section "IPv4/TCP"
	log_subsection "No VRF"
	setup

	# tcp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "tcp_l3mdev_accept disabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=0
	ipv4_tcp_novrf
	log_subsection "tcp_l3mdev_accept enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1
	ipv4_tcp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_tcp_vrf
}

################################################################################
# IPv4 UDP

# IPv4 UDP tests without a VRF (every nettest call passes -D): servers in
# ns-A reached from ns-B, clients in ns-A reaching servers in ns-B, and
# local connections inside ns-A.
ipv4_udp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		# server runs in the background; sleep 1 is the only wait for it
		run_cmd nettest -D -s -2 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -D -r ${a}
	log_test_addr ${a} $? 0 "Device server"

	#
	# client
	#
	for a in ${NSB_IP} ${NSB_LO_IP}
	do
		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		run_cmd_nsb nettest -D -s &
		sleep 1
		run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP}
		log_test_addr ${a} $?
0 "Client, device send via cmsg" 1385 1386 log_start 1387 run_cmd_nsb nettest -D -s & 1388 sleep 1 1389 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} 1390 log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF" 1391 1392 log_start 1393 show_hint "Should fail 'Connection refused'" 1394 run_cmd nettest -D -r ${a} 1395 log_test_addr ${a} $? 1 "No server, unbound client" 1396 1397 log_start 1398 show_hint "Should fail 'Connection refused'" 1399 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1400 log_test_addr ${a} $? 1 "No server, device client" 1401 done 1402 1403 # 1404 # local address tests 1405 # 1406 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 1407 do 1408 log_start 1409 run_cmd nettest -D -s & 1410 sleep 1 1411 run_cmd nettest -D -r ${a} -0 ${a} -1 ${a} 1412 log_test_addr ${a} $? 0 "Global server, local connection" 1413 done 1414 1415 a=${NSA_IP} 1416 log_start 1417 run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} & 1418 sleep 1 1419 run_cmd nettest -D -r ${a} 1420 log_test_addr ${a} $? 0 "Device server, unbound client, local connection" 1421 1422 for a in ${NSA_LO_IP} 127.0.0.1 1423 do 1424 log_start 1425 show_hint "Should fail 'Connection refused' since address is out of device scope" 1426 run_cmd nettest -s -D -d ${NSA_DEV} & 1427 sleep 1 1428 run_cmd nettest -D -r ${a} 1429 log_test_addr ${a} $? 1 "Device server, unbound client, local connection" 1430 done 1431 1432 a=${NSA_IP} 1433 log_start 1434 run_cmd nettest -s -D & 1435 sleep 1 1436 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1437 log_test_addr ${a} $? 0 "Global server, device client, local connection" 1438 1439 log_start 1440 run_cmd nettest -s -D & 1441 sleep 1 1442 run_cmd nettest -D -d ${NSA_DEV} -C -r ${a} 1443 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" 1444 1445 log_start 1446 run_cmd nettest -s -D & 1447 sleep 1 1448 run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} 1449 log_test_addr ${a} $? 
0 "Global server, device client via IP_UNICAST_IF, local connection" 1450 1451 # IPv4 with device bind has really weird behavior - it overrides the 1452 # fib lookup, generates an rtable and tries to send the packet. This 1453 # causes failures for local traffic at different places 1454 for a in ${NSA_LO_IP} 127.0.0.1 1455 do 1456 log_start 1457 show_hint "Should fail since addresses on loopback are out of device scope" 1458 run_cmd nettest -D -s & 1459 sleep 1 1460 run_cmd nettest -D -r ${a} -d ${NSA_DEV} 1461 log_test_addr ${a} $? 2 "Global server, device client, local connection" 1462 1463 log_start 1464 show_hint "Should fail since addresses on loopback are out of device scope" 1465 run_cmd nettest -D -s & 1466 sleep 1 1467 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C 1468 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" 1469 1470 log_start 1471 show_hint "Should fail since addresses on loopback are out of device scope" 1472 run_cmd nettest -D -s & 1473 sleep 1 1474 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S 1475 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" 1476 done 1477 1478 a=${NSA_IP} 1479 log_start 1480 run_cmd nettest -D -s -d ${NSA_DEV} -2 ${NSA_DEV} & 1481 sleep 1 1482 run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a} 1483 log_test_addr ${a} $? 0 "Device server, device client, local conn" 1484 1485 log_start 1486 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1487 log_test_addr ${a} $? 2 "No server, device client, local conn" 1488} 1489 1490ipv4_udp_vrf() 1491{ 1492 local a 1493 1494 # disable global server 1495 log_subsection "Global server disabled" 1496 set_sysctl net.ipv4.udp_l3mdev_accept=0 1497 1498 # 1499 # server tests 1500 # 1501 for a in ${NSA_IP} ${VRF_IP} 1502 do 1503 log_start 1504 show_hint "Fails because ingress is in a VRF and global server is disabled" 1505 run_cmd nettest -D -s & 1506 sleep 1 1507 run_cmd_nsb nettest -D -r ${a} 1508 log_test_addr ${a} $? 
1 "Global server" 1509 1510 log_start 1511 run_cmd nettest -D -d ${VRF} -s -2 ${NSA_DEV} & 1512 sleep 1 1513 run_cmd_nsb nettest -D -r ${a} 1514 log_test_addr ${a} $? 0 "VRF server" 1515 1516 log_start 1517 run_cmd nettest -D -d ${NSA_DEV} -s -2 ${NSA_DEV} & 1518 sleep 1 1519 run_cmd_nsb nettest -D -r ${a} 1520 log_test_addr ${a} $? 0 "Enslaved device server" 1521 1522 log_start 1523 show_hint "Should fail 'Connection refused' since there is no server" 1524 run_cmd_nsb nettest -D -r ${a} 1525 log_test_addr ${a} $? 1 "No server" 1526 1527 log_start 1528 show_hint "Should fail 'Connection refused' since global server is out of scope" 1529 run_cmd nettest -D -s & 1530 sleep 1 1531 run_cmd nettest -D -d ${VRF} -r ${a} 1532 log_test_addr ${a} $? 1 "Global server, VRF client, local connection" 1533 done 1534 1535 a=${NSA_IP} 1536 log_start 1537 run_cmd nettest -s -D -d ${VRF} -2 ${NSA_DEV} & 1538 sleep 1 1539 run_cmd nettest -D -d ${VRF} -r ${a} 1540 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1541 1542 log_start 1543 run_cmd nettest -s -D -d ${VRF} -2 ${NSA_DEV} & 1544 sleep 1 1545 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1546 log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection" 1547 1548 a=${NSA_IP} 1549 log_start 1550 run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} & 1551 sleep 1 1552 run_cmd nettest -D -d ${VRF} -r ${a} 1553 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 1554 1555 log_start 1556 run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} & 1557 sleep 1 1558 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1559 log_test_addr ${a} $? 
0 "Enslaved device server, device client, local conn" 1560 1561 # enable global server 1562 log_subsection "Global server enabled" 1563 set_sysctl net.ipv4.udp_l3mdev_accept=1 1564 1565 # 1566 # server tests 1567 # 1568 for a in ${NSA_IP} ${VRF_IP} 1569 do 1570 log_start 1571 run_cmd nettest -D -s -2 ${NSA_DEV} & 1572 sleep 1 1573 run_cmd_nsb nettest -D -r ${a} 1574 log_test_addr ${a} $? 0 "Global server" 1575 1576 log_start 1577 run_cmd nettest -D -d ${VRF} -s -2 ${NSA_DEV} & 1578 sleep 1 1579 run_cmd_nsb nettest -D -r ${a} 1580 log_test_addr ${a} $? 0 "VRF server" 1581 1582 log_start 1583 run_cmd nettest -D -d ${NSA_DEV} -s -2 ${NSA_DEV} & 1584 sleep 1 1585 run_cmd_nsb nettest -D -r ${a} 1586 log_test_addr ${a} $? 0 "Enslaved device server" 1587 1588 log_start 1589 show_hint "Should fail 'Connection refused'" 1590 run_cmd_nsb nettest -D -r ${a} 1591 log_test_addr ${a} $? 1 "No server" 1592 done 1593 1594 # 1595 # client tests 1596 # 1597 log_start 1598 run_cmd_nsb nettest -D -s & 1599 sleep 1 1600 run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP} 1601 log_test $? 0 "VRF client" 1602 1603 log_start 1604 run_cmd_nsb nettest -D -s & 1605 sleep 1 1606 run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP} 1607 log_test $? 0 "Enslaved device client" 1608 1609 # negative test - should fail 1610 log_start 1611 show_hint "Should fail 'Connection refused'" 1612 run_cmd nettest -D -d ${VRF} -r ${NSB_IP} 1613 log_test $? 1 "No server, VRF client" 1614 1615 log_start 1616 show_hint "Should fail 'Connection refused'" 1617 run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP} 1618 log_test $? 1 "No server, enslaved device client" 1619 1620 # 1621 # local address tests 1622 # 1623 a=${NSA_IP} 1624 log_start 1625 run_cmd nettest -D -s -2 ${NSA_DEV} & 1626 sleep 1 1627 run_cmd nettest -D -d ${VRF} -r ${a} 1628 log_test_addr ${a} $? 
0 "Global server, VRF client, local conn" 1629 1630 log_start 1631 run_cmd nettest -s -D -d ${VRF} -2 ${NSA_DEV} & 1632 sleep 1 1633 run_cmd nettest -D -d ${VRF} -r ${a} 1634 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1635 1636 log_start 1637 run_cmd nettest -s -D -d ${VRF} -2 ${NSA_DEV} & 1638 sleep 1 1639 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1640 log_test_addr ${a} $? 0 "VRF server, device client, local conn" 1641 1642 log_start 1643 run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} & 1644 sleep 1 1645 run_cmd nettest -D -d ${VRF} -r ${a} 1646 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" 1647 1648 log_start 1649 run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} & 1650 sleep 1 1651 run_cmd nettest -D -d ${NSA_DEV} -r ${a} 1652 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" 1653 1654 for a in ${VRF_IP} 127.0.0.1 1655 do 1656 log_start 1657 run_cmd nettest -D -s -2 ${VRF} & 1658 sleep 1 1659 run_cmd nettest -D -d ${VRF} -r ${a} 1660 log_test_addr ${a} $? 0 "Global server, VRF client, local conn" 1661 done 1662 1663 for a in ${VRF_IP} 127.0.0.1 1664 do 1665 log_start 1666 run_cmd nettest -s -D -d ${VRF} -2 ${VRF} & 1667 sleep 1 1668 run_cmd nettest -D -d ${VRF} -r ${a} 1669 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" 1670 done 1671 1672 # negative test - should fail 1673 # verifies ECONNREFUSED 1674 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 1675 do 1676 log_start 1677 show_hint "Should fail 'Connection refused'" 1678 run_cmd nettest -D -d ${VRF} -r ${a} 1679 log_test_addr ${a} $? 
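1 "No server, VRF client, local conn"
	done
}

# Entry point for the IPv4 UDP tests: after a plain setup it runs
# ipv4_udp_novrf twice (udp_l3mdev_accept=0, then =1); after setup "yes"
# it runs ipv4_udp_vrf.
ipv4_udp()
{
	log_section "IPv4/UDP"
	log_subsection "No VRF"

	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv4_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv4_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_udp_vrf
}

################################################################################
# IPv4 address bind
#
# verifies ability or inability to bind to an address / device

# Bind-only checks (nettest -b) without a VRF: raw ICMP sockets and TCP
# sockets bound to a local address, with and without a prior device bind.
ipv4_addr_bind_novrf()
{
	# keep the address variable function-local, as the other test
	# functions in this file do, so it does not leak into the caller
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP} ${NSA_LO_IP}
	do
		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -d ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# tcp sockets
	#
	a=${NSA_IP}
	log_start
	run_cmd nettest -l ${a} -r ${NSB_IP} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -l ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not
	# (in other words: a device bind does not by itself limit the local
	# address to that device; the test below stays disabled for that reason)
	#a=${NSA_LO_IP}
	#log_start
	#show_hint "Should fail with 'Cannot assign requested address'"
	#run_cmd nettest -s -l ${a} -d ${NSA_DEV} -t1 -b
	#log_test_addr ${a} $?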
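1 "TCP socket bind to out of scope local address"
}

# Bind-only checks (nettest -b) with the VRF configured: binding to an
# address that lives in the VRF must fail for an unbound socket and succeed
# after binding to the VRF or to the enslaved device; an address on loopback
# is out of scope for both.
ipv4_addr_bind_vrf()
{
	# keep the address variable function-local, as the other test
	# functions in this file do, so it does not leak into the caller
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		show_hint "Socket not bound to VRF, but address is in VRF"
		run_cmd nettest -s -R -P icmp -l ${a} -b
		log_test_addr ${a} $? 1 "Raw socket bind to local address"

		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -d ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
		log_start
		run_cmd nettest -s -R -P icmp -l ${a} -d ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -s -R -P icmp -l ${a} -d ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind"

	#
	# tcp sockets
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s -l ${a} -d ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address"

		log_start
		run_cmd nettest -s -l ${a} -d ${NSA_DEV} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
	done

	a=${NSA_LO_IP}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -s -l ${a} -d ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -s -l ${a} -d ${NSA_DEV} -t1 -b
	log_test_addr ${a} $?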
1 "TCP socket bind to invalid local address for device bind"
}

# Entry point for the IPv4 address bind tests: no-VRF variant after a plain
# setup, VRF variant after setup "yes".
ipv4_addr_bind()
{
	log_section "IPv4 address binds"

	log_subsection "No VRF"
	setup
	ipv4_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv4_addr_bind_vrf
}

################################################################################
# IPv4 runtime tests

# Runtime test: delete the VRF device while nettest traffic is in flight.
# Arguments: $1 - description prefix used in the test names
#            $2 - extra nettest arguments; expanded unquoted on purpose so
#                 that a value such as "-n -1" splits into separate words
# Every case is logged with rc 0 / expected 0, so the result does not depend
# on nettest's exit status; presumably the check is that the kernel survives
# the delete -- TODO confirm. setup is re-run after each case because the
# VRF device has just been removed.
ipv4_rt()
{
	local desc="$1"
	local varg="$2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		# both server and client are backgrounded; the 3s sleep lets
		# traffic flow before the device is deleted
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${varg} -s -d ${VRF} &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	a=${NSA_IP}
	log_start
	run_cmd nettest ${varg} -s -d ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest ${varg} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device server"

	setup ${with_vrf}

	#
	# client test
	#
	# NOTE(review): ${a} still holds ${NSA_IP} from the assignment above,
	# while the clients below connect to ${NSB_IP}; the address shown in
	# the log line is therefore not the one being contacted -- confirm.
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, enslaved device client"
setup ${with_vrf} 1890 1891 # 1892 # local address tests 1893 # 1894 for a in ${NSA_IP} ${VRF_IP} 1895 do 1896 log_start 1897 run_cmd nettest ${varg} -s & 1898 sleep 1 1899 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 1900 sleep 3 1901 run_cmd ip link del ${VRF} 1902 sleep 1 1903 log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local" 1904 1905 setup ${with_vrf} 1906 done 1907 1908 for a in ${NSA_IP} ${VRF_IP} 1909 do 1910 log_start 1911 run_cmd nettest ${varg} -d ${VRF} -s & 1912 sleep 1 1913 run_cmd nettest ${varg} -d ${VRF} -r ${a} & 1914 sleep 3 1915 run_cmd ip link del ${VRF} 1916 sleep 1 1917 log_test_addr ${a} 0 0 "${desc}, VRF server and client, local" 1918 1919 setup ${with_vrf} 1920 done 1921 1922 a=${NSA_IP} 1923 log_start 1924 run_cmd nettest ${varg} -s & 1925 sleep 1 1926 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 1927 sleep 3 1928 run_cmd ip link del ${VRF} 1929 sleep 1 1930 log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local" 1931 1932 setup ${with_vrf} 1933 1934 log_start 1935 run_cmd nettest ${varg} -d ${VRF} -s & 1936 sleep 1 1937 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 1938 sleep 3 1939 run_cmd ip link del ${VRF} 1940 sleep 1 1941 log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local" 1942 1943 setup ${with_vrf} 1944 1945 log_start 1946 run_cmd nettest ${varg} -d ${NSA_DEV} -s & 1947 sleep 1 1948 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & 1949 sleep 3 1950 run_cmd ip link del ${VRF} 1951 sleep 1 1952 log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local" 1953} 1954 1955ipv4_ping_rt() 1956{ 1957 local with_vrf="yes" 1958 local a 1959 1960 for a in ${NSA_IP} ${VRF_IP} 1961 do 1962 log_start 1963 run_cmd_nsb ping -f ${a} & 1964 sleep 3 1965 run_cmd ip link del ${VRF} 1966 sleep 1 1967 log_test_addr ${a} 0 0 "Device delete with active traffic - ping in" 1968 1969 setup ${with_vrf} 1970 done 1971 1972 a=${NSB_IP} 1973 log_start 1974 run_cmd ping -f -I ${VRF} 
${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

# Entry point for the IPv4 runtime tests. Each part starts from a fresh
# setup "yes"; ipv4_rt is run once with "-n -1" ("TCP active socket") and
# once with "-i" ("TCP passive socket") as extra nettest arguments.
ipv4_runtime()
{
	log_section "Run time tests - ipv4"

	setup "yes"
	ipv4_ping_rt

	setup "yes"
	ipv4_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv4_rt "TCP passive socket" "-i"
}

################################################################################
# IPv6

# IPv6 ping tests without a VRF: outbound, inbound and local targets,
# followed by cases where an ip rule or an unreachable route blocks traffic.
# Each ping sends one packet with a one second deadline (-c1 -w1).
ipv6_ping_novrf()
{
	local a

	# should not have an impact, but make a known state
	# (stderr is discarded so a kernel without this sysctl stays quiet)
	set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null

	#
	# out
	#
	# link-local and multicast targets carry a %<device> scope suffix
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping out"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $? 0 "ping out, device bind"

		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a}
		log_test_addr ${a} $? 0 "ping out, loopback address bind"
	done

	#
	# in
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
	do
		log_start
		run_cmd_nsb ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping in"
	done

	#
	# local traffic, local address
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 ${a}
		log_test_addr ${a} $? 0 "ping local, no bind"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
	do
		log_start
		run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
		log_test_addr ${a} $?
0 "ping local, device bind" 2051 done 2052 2053 for a in ${NSA_LO_IP6} ::1 2054 do 2055 log_start 2056 show_hint "Fails since address on loopback is out of device scope" 2057 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2058 log_test_addr ${a} $? 2 "ping local, device bind" 2059 done 2060 2061 # 2062 # ip rule blocks address 2063 # 2064 log_start 2065 setup_cmd ip -6 rule add pref 32765 from all lookup local 2066 setup_cmd ip -6 rule del pref 0 from all lookup local 2067 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2068 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2069 2070 a=${NSB_LO_IP6} 2071 run_cmd ${ping6} -c1 -w1 ${a} 2072 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2073 2074 log_start 2075 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2076 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2077 2078 a=${NSA_LO_IP6} 2079 log_start 2080 show_hint "Response lost due to ip rule" 2081 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2082 log_test_addr ${a} $? 1 "ping in, blocked by rule" 2083 2084 setup_cmd ip -6 rule add pref 0 from all lookup local 2085 setup_cmd ip -6 rule del pref 32765 from all lookup local 2086 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2087 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2088 2089 # 2090 # route blocks reachability to remote address 2091 # 2092 log_start 2093 setup_cmd ip -6 route del ${NSB_LO_IP6} 2094 setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10 2095 setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10 2096 2097 a=${NSB_LO_IP6} 2098 run_cmd ${ping6} -c1 -w1 ${a} 2099 log_test_addr ${a} $? 2 "ping out, blocked by route" 2100 2101 log_start 2102 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2103 log_test_addr ${a} $? 2 "ping out, device bind, blocked by route" 2104 2105 a=${NSA_LO_IP6} 2106 log_start 2107 show_hint "Response lost due to ip route" 2108 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2109 log_test_addr ${a} $? 
1 "ping in, blocked by route" 2110 2111 2112 # 2113 # remove 'remote' routes; fallback to default 2114 # 2115 log_start 2116 setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6} 2117 setup_cmd ip -6 ro del unreachable ${NSB_IP6} 2118 2119 a=${NSB_LO_IP6} 2120 run_cmd ${ping6} -c1 -w1 ${a} 2121 log_test_addr ${a} $? 2 "ping out, unreachable route" 2122 2123 log_start 2124 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2125 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 2126} 2127 2128ipv6_ping_vrf() 2129{ 2130 local a 2131 2132 # should default on; does not exist on older kernels 2133 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null 2134 2135 # 2136 # out 2137 # 2138 for a in ${NSB_IP6} ${NSB_LO_IP6} 2139 do 2140 log_start 2141 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2142 log_test_addr ${a} $? 0 "ping out, VRF bind" 2143 done 2144 2145 for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF} 2146 do 2147 log_start 2148 show_hint "Fails since VRF device does not support linklocal or multicast" 2149 run_cmd ${ping6} -c1 -w1 ${a} 2150 log_test_addr ${a} $? 1 "ping out, VRF bind" 2151 done 2152 2153 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2154 do 2155 log_start 2156 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2157 log_test_addr ${a} $? 0 "ping out, device bind" 2158 done 2159 2160 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} 2161 do 2162 log_start 2163 run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a} 2164 log_test_addr ${a} $? 0 "ping out, vrf device+address bind" 2165 done 2166 2167 # 2168 # in 2169 # 2170 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV} 2171 do 2172 log_start 2173 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2174 log_test_addr ${a} $? 0 "ping in" 2175 done 2176 2177 a=${NSA_LO_IP6} 2178 log_start 2179 show_hint "Fails since loopback address is out of VRF scope" 2180 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2181 log_test_addr ${a} $? 
1 "ping in" 2182 2183 # 2184 # local traffic, local address 2185 # 2186 for a in ${NSA_IP6} ${VRF_IP6} ::1 2187 do 2188 log_start 2189 show_hint "Source address should be ${a}" 2190 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} 2191 log_test_addr ${a} $? 0 "ping local, VRF bind" 2192 done 2193 2194 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} 2195 do 2196 log_start 2197 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2198 log_test_addr ${a} $? 0 "ping local, device bind" 2199 done 2200 2201 # LLA to GUA - remove ipv6 global addresses from ns-B 2202 setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} 2203 setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo 2204 setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2205 2206 for a in ${NSA_IP6} ${VRF_IP6} 2207 do 2208 log_start 2209 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 2210 log_test_addr ${a} $? 0 "ping in, LLA to GUA" 2211 done 2212 2213 setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} 2214 setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} 2215 setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo 2216 2217 # 2218 # ip rule blocks address 2219 # 2220 log_start 2221 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit 2222 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit 2223 2224 a=${NSB_LO_IP6} 2225 run_cmd ${ping6} -c1 -w1 ${a} 2226 log_test_addr ${a} $? 2 "ping out, blocked by rule" 2227 2228 log_start 2229 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2230 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" 2231 2232 a=${NSA_LO_IP6} 2233 log_start 2234 show_hint "Response lost due to ip rule" 2235 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2236 log_test_addr ${a} $? 
1 "ping in, blocked by rule" 2237 2238 log_start 2239 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit 2240 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit 2241 2242 # 2243 # remove 'remote' routes; fallback to default 2244 # 2245 log_start 2246 setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF} 2247 2248 a=${NSB_LO_IP6} 2249 run_cmd ${ping6} -c1 -w1 ${a} 2250 log_test_addr ${a} $? 2 "ping out, unreachable route" 2251 2252 log_start 2253 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} 2254 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" 2255 2256 ip -netns ${NSB} -6 ro del ${NSA_LO_IP6} 2257 a=${NSA_LO_IP6} 2258 log_start 2259 run_cmd_nsb ${ping6} -c1 -w1 ${a} 2260 log_test_addr ${a} $? 2 "ping in, unreachable route" 2261} 2262 2263ipv6_ping() 2264{ 2265 log_section "IPv6 ping" 2266 2267 log_subsection "No VRF" 2268 setup 2269 ipv6_ping_novrf 2270 setup 2271 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 2272 ipv6_ping_novrf 2273 2274 log_subsection "With VRF" 2275 setup "yes" 2276 ipv6_ping_vrf 2277 setup "yes" 2278 set_sysctl net.ipv4.ping_group_range='0 2147483647' 2>/dev/null 2279 ipv6_ping_vrf 2280} 2281 2282################################################################################ 2283# IPv6 TCP 2284 2285# 2286# MD5 tests without VRF 2287# 2288ipv6_tcp_md5_novrf() 2289{ 2290 # 2291 # single address 2292 # 2293 2294 # basic use case 2295 log_start 2296 run_cmd nettest -6 -s -M ${MD5_PW} -r ${NSB_IP6} & 2297 sleep 1 2298 run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW} 2299 log_test $? 0 "MD5: Single address config" 2300 2301 # client sends MD5, server not configured 2302 log_start 2303 show_hint "Should timeout due to MD5 mismatch" 2304 run_cmd nettest -6 -s & 2305 sleep 1 2306 run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW} 2307 log_test $? 
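2 "MD5: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -r ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -r ${NSB_LO_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 2 "MD5: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 0 "MD5: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
	log_test $? 2 "MD5: Prefix config, client uses wrong password"

	# client outside of prefix
	log_start
	show_hint "Should timeout due to MD5 mismatch"
	run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -l ${NSB_LO_IP6} -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
}

#
# MD5 tests with VRF
#
# TCP MD5 signature checks with the ns-A server bound to ${VRF}
# (nettest -d ${VRF}).  The key is configured for a single peer address
# (-r) or for a prefix (-m).  Every positive case is paired with cases
# that must not connect: no key on the server, wrong password, client
# address outside the configured address/prefix.
#
# The "duplicate config" group starts two servers for the same peer, one
# bound to ${VRF} with ${MD5_PW} and one unbound with ${MD5_WRONG_PW},
# and checks from ns-B ("conn in VRF") and ns-C ("conn in default VRF")
# that a connection only succeeds with the password of the L3 domain it
# arrives in, i.e. a key from one domain does not authenticate the other.
#
# Expected rc handed to log_test: 0 = connected, 2 = the "Should timeout"
# cases, 1 = nettest refused a device that is not a VRF.
# MD5_PW / MD5_WRONG_PW are the fixed fixtures from the top of the file
# and are passed on the nettest command line.
# The caller in this file brackets this function with setup_vrf_dup /
# cleanup_vrf_dup.
#
ipv6_tcp_md5()
{
	#
	# single address
	#

	# basic use case
	log_start
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config"

	# client sends MD5, server not configured
	log_start
	show_hint "Should timeout since server does not have MD5 auth"
	run_cmd nettest -6 -s -d ${VRF} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 2 "MD5: VRF: Server no config, client uses password"

	# wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Client uses wrong password"

	# client from different address
	log_start
	show_hint "Should timeout since server config differs from client"
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_LO_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 2 "MD5: VRF: Client address does not match address configured with password"

	#
	# MD5 extension - prefix length
	#

	# client in prefix
	log_start
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config"

	# client in prefix, wrong password
	log_start
	show_hint "Should timeout since client uses wrong password"
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"

	# client outside of prefix
	log_start
	show_hint "Should timeout since client address is outside of prefix"
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -l ${NSB_LO_IP6} -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"

	#
	# duplicate config between default VRF and a VRF
	#
	# Both servers run in every case below; only the client namespace
	# and the password it presents change.

	log_start
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -r ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -r ${NSB_IP6} &
	sleep 1
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"

	# key isolation: the VRF password must not work in the default VRF
	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -r ${NSB_IP6} &
	sleep 1
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"

	# key isolation: the default VRF password must not work in the VRF
	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -r ${NSB_IP6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"

	# same four cases with the key configured for a prefix
	log_start
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"

	log_start
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
	log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"

	log_start
	show_hint "Should timeout since client in default VRF uses VRF password"
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsc nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"

	log_start
	show_hint "Should timeout since client in VRF uses default VRF password"
	run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
	run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
	log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"

	#
	# negative tests
	#
	# the server is run in the foreground here: configuring the key
	# against a non-VRF device is expected to fail straight away (rc 1)
	log_start
	run_cmd nettest -6 -s -d ${NSA_DEV} -M ${MD5_PW} -r ${NSB_IP6}
	log_test $? 1 "MD5: VRF: Device must be a VRF - single address"

	log_start
	run_cmd nettest -6 -s -d ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6}
	log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"

}

#
# IPv6 TCP tests without a VRF.
#
# Covers a server in ns-A reached from ns-B, a client in ns-A connecting
# to ns-B, and connections local to ns-A, each over global, loopback and
# link-local addresses and with and without a device bind.  "No server"
# cases expect rc 1 ('Connection refused').  Finishes by running
# ipv6_tcp_md5_novrf.
#
ipv6_tcp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	# verify TCP reset received
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
	do
		log_start
		run_cmd_nsb nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Client"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
	do
		log_start
		run_cmd_nsb nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
	do
		log_start
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Global server, local connection"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"

	for a in ${NSA_LO_IP6} ::1
	do
		log_start
		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -s -d ${NSA_DEV} &
		sleep 1
		run_cmd nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s &
	sleep 1
	run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	for a in ${NSA_LO_IP6} ::1
	do
		log_start
		show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "Global server, device client, local connection"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}
	do
		log_start
		run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} &
		sleep 1
		run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
		log_test_addr ${a} $? 0 "Device server, device client, local conn"
	done

	for a in ${NSA_IP6} ${NSA_LINKIP6}
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
		log_test_addr ${a} $? 1 "No server, device client, local conn"
	done

	ipv6_tcp_md5_novrf
}

#
# IPv6 TCP tests with ns-A's device enslaved to ${VRF}.
#
# Runs in two phases selected by net.ipv4.tcp_l3mdev_accept:
#   0 - an unbound ("global") server must not be reachable through the
#       VRF; only VRF-bound or device-bound servers accept.
#   1 - the unbound server accepts connections arriving in the VRF too.
# The sysctl therefore decides whether an unbound listener is exposed
# across L3 domains, which is why both settings are exercised.
# The MD5 tests run between the two phases inside setup_vrf_dup /
# cleanup_vrf_dup.
#
ipv6_tcp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"

	set_sysctl net.ipv4.tcp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
		run_cmd nettest -6 -s &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -d ${VRF} -2 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	# link local is always bound to ingress device
	a=${NSA_LINKIP6}%${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -d ${VRF} -2 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${a}
	log_test_addr ${a} $? 0 "VRF server"

	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Device server"
	done

	# verify TCP reset received
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	# local address tests
	a=${NSA_IP6}
	log_start
	show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
	run_cmd nettest -6 -s &
	sleep 1
	run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
	log_test_addr ${a} $? 1 "Global server, local connection"

	# run MD5 tests
	setup_vrf_dup
	ipv6_tcp_md5
	cleanup_vrf_dup

	#
	# enable VRF global server
	#
	log_subsection "VRF Global server enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -2 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -d ${VRF} -2 ${VRF} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	# For LLA, child socket is bound to device
	a=${NSA_LINKIP6}%${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -2 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${a}
	log_test_addr ${a} $? 0 "Global server"

	log_start
	run_cmd nettest -6 -s -d ${VRF} -2 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -6 -r ${a}
	log_test_addr ${a} $? 0 "VRF server"

	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 0 "Device server"
	done

	# verify TCP reset received
	for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd_nsb nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	# local address tests
	# NOTE(review): the server below is bound to ${VRF} although the
	# test label says "Global server" - confirm which one is intended.
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		show_hint "Fails 'Connection refused' since client is not in VRF"
		run_cmd nettest -6 -s -d ${VRF} &
		sleep 1
		run_cmd nettest -6 -r ${a}
		log_test_addr ${a} $? 1 "Global server, local connection"
	done


	#
	# client
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6}
	do
		log_start
		run_cmd_nsb nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${VRF}
		log_test_addr ${a} $? 0 "Client, VRF bind"
	done

	a=${NSB_LINKIP6}
	log_start
	show_hint "Fails since VRF device does not allow linklocal addresses"
	run_cmd_nsb nettest -6 -s &
	sleep 1
	run_cmd nettest -6 -r ${a} -d ${VRF}
	log_test_addr ${a} $? 1 "Client, VRF bind"

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}
	do
		log_start
		run_cmd_nsb nettest -6 -s &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 0 "Client, device bind"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6}
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -r ${a} -d ${VRF}
		log_test_addr ${a} $? 1 "No server, VRF client"
	done

	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}
	do
		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	for a in ${NSA_IP6} ${VRF_IP6} ::1
	do
		log_start
		run_cmd nettest -6 -s -d ${VRF} -2 ${VRF} &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -d ${VRF} -2 ${VRF} &
	sleep 1
	run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local connection"

	a=${NSA_IP6}
	log_start
	show_hint "Should fail since unbound client is out of VRF scope"
	run_cmd nettest -6 -s -d ${VRF} &
	sleep 1
	run_cmd nettest -6 -r ${a}
	log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"

	log_start
	run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local connection"

	for a in ${NSA_IP6} ${NSA_LINKIP6}
	do
		log_start
		run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} &
		sleep 1
		run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
		log_test_addr ${a} $? 0 "Device server, device client, local connection"
	done
}

#
# Entry point for the IPv6/TCP section: runs the no-VRF tests with
# tcp_l3mdev_accept set to 0 and then 1, then rebuilds the topology
# with a VRF (setup "yes") and runs the VRF tests.
#
ipv6_tcp()
{
	log_section "IPv6/TCP"
	log_subsection "No VRF"
	setup

	# tcp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "tcp_l3mdev_accept disabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=0
	ipv6_tcp_novrf
	log_subsection "tcp_l3mdev_accept enabled"
	set_sysctl net.ipv4.tcp_l3mdev_accept=1
	ipv6_tcp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_tcp_vrf
}

################################################################################
# IPv6 UDP

#
# IPv6 UDP tests without a VRF (nettest -D).
#
# Same layout as the TCP variant: server in ns-A, client in ns-A, then
# connections local to ns-A, with device binding done via -d, -C (label:
# "cmsg") or -S (label: "IPV6_UNICAST_IF").  The last case removes
# ns-B's global address so that ns-B sends from its link-local address
# to ns-A's global address, and restores the address afterwards.
#
ipv6_udp_novrf()
{
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		run_cmd nettest -6 -D -s -2 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"

		log_start
		run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Device server"
	done

	a=${NSA_LO_IP6}
	log_start
	run_cmd nettest -6 -D -s -2 ${NSA_DEV} &
	sleep 1
	run_cmd_nsb nettest -6 -D -r ${a}
	log_test_addr ${a} $? 0 "Global server"

	# should fail since loopback address is out of scope for a device
	# bound server, but it does not - hence this is more documenting
	# behavior.
	#log_start
	#show_hint "Should fail since loopback address is out of scope"
	#run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
	#sleep 1
	#run_cmd_nsb nettest -6 -D -r ${a}
	#log_test_addr ${a} $? 1 "Device server"

	# negative test - should fail
	for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
	do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client
	#
	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
	do
		log_start
		run_cmd_nsb nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6}
		log_test_addr ${a} $? 0 "Client"

		log_start
		run_cmd_nsb nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6}
		log_test_addr ${a} $? 0 "Client, device bind"

		log_start
		run_cmd_nsb nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6}
		log_test_addr ${a} $? 0 "Client, device send via cmsg"

		log_start
		run_cmd_nsb nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6}
		log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server, unbound client"

		log_start
		show_hint "Should fail 'Connection refused'"
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "No server, device client"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
	do
		log_start
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a}
		log_test_addr ${a} $? 0 "Global server, local connection"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -D -d ${NSA_DEV} -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -r ${a}
	log_test_addr ${a} $? 0 "Device server, unbound client, local connection"

	for a in ${NSA_LO_IP6} ::1
	do
		log_start
		show_hint "Should fail 'Connection refused' since address is out of device scope"
		run_cmd nettest -6 -s -D -d ${NSA_DEV} &
		sleep 1
		run_cmd nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "Device server, local connection"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -D &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client, local connection"

	log_start
	run_cmd nettest -6 -s -D &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a}
	log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"

	log_start
	run_cmd nettest -6 -s -D &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection"

	for a in ${NSA_LO_IP6} ::1
	do
		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
		log_test_addr ${a} $? 1 "Global server, device client, local connection"

		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C
		log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"

		# NOTE(review): the other -S cases in this function are
		# labelled IPV6_UNICAST_IF; this label says IP_UNICAST_IF.
		# Left as is because result labels may be matched by tooling.
		log_start
		show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S
		log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -D -s -d ${NSA_DEV} -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local conn"

	log_start
	show_hint "Should fail 'Connection refused'"
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "No server, device client, local conn"

	# LLA to GUA
	# drop ns-B's global address and add a host route so the client
	# has to source from its link-local address
	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -D &
	sleep 1
	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
	log_test $? 0 "UDP in - LLA to GUA"

	# restore ns-B addressing for the tests that follow
	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}

#
# IPv6 UDP tests with ns-A's device enslaved to ${VRF}.
#
# Two phases selected by net.ipv4.udp_l3mdev_accept:
#   0 - an unbound ("global") server must not receive traffic arriving
#       in the VRF; VRF-bound and device-bound servers do.
#   1 - the unbound server receives it as well.
# Followed by client, local-address and link-local cases, and the same
# LLA-to-GUA case as the no-VRF variant.
#
ipv6_udp_vrf()
{
	local a

	# disable global server
	log_subsection "Global server disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server is disabled"
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"
	done

	# negative test - should fail
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		show_hint "Should fail 'Connection refused' since there is no server"
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# local address tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		show_hint "Should fail 'Connection refused' since global server is disabled"
		run_cmd nettest -6 -D -s &
		sleep 1
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "Global server, VRF client, local conn"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -d ${VRF} -s &
		sleep 1
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
	done

	a=${NSA_IP6}
	log_start
	show_hint "Should fail 'Connection refused' since global server is disabled"
	run_cmd nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "Global server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"

	# enable global server
	log_subsection "Global server enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -s -2 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Global server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "VRF server"
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
		sleep 1
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 0 "Enslaved device server"
	done

	# negative test - should fail
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd_nsb nettest -6 -D -r ${a}
		log_test_addr ${a} $? 1 "No server"
	done

	#
	# client tests
	#
	log_start
	run_cmd_nsb nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
	log_test $? 0 "VRF client"

	# negative test - should fail
	log_start
	run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
	log_test $? 1 "No server, VRF client"

	log_start
	run_cmd_nsb nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
	log_test $? 0 "Enslaved device client"

	# negative test - should fail
	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
	log_test $? 1 "No server, enslaved device client"

	#
	# local address tests
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -D -s -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

	# NOTE(review): log_start is commented out for this case only, so
	# whatever log_start does between tests is skipped here; every
	# sibling case calls it.  Looks unintentional - confirm.
	#log_start
	run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"


	a=${VRF_IP6}
	log_start
	run_cmd nettest -6 -D -s -2 ${VRF} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Global server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -d ${VRF} -s -2 ${VRF} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"

	# negative test - should fail
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -D -d ${VRF} -r ${a}
		log_test_addr ${a} $? 1 "No server, VRF client, local conn"
	done

	# device to global IP
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -D -s -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Global server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "VRF server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${VRF} -r ${a}
	log_test_addr ${a} $? 0 "Device server, VRF client, local conn"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 0 "Device server, device client, local conn"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
	log_test_addr ${a} $? 1 "No server, device client, local conn"


	# link local addresses
	log_start
	run_cmd nettest -6 -D -s &
	sleep 1
	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
	log_test $? 0 "Global server, linklocal IP"

	log_start
	run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
	log_test $? 1 "No server, linklocal IP"


	log_start
	run_cmd_nsb nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
	log_test $? 0 "Enslaved device client, linklocal IP"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
	log_test $? 1 "No server, device client, peer linklocal IP"


	log_start
	run_cmd nettest -6 -D -s &
	sleep 1
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
	log_test $? 0 "Enslaved device client, local conn - linklocal IP"

	log_start
	run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
	log_test $? 1 "No server, device client, local conn - linklocal IP"

	# LLA to GUA
	# drop ns-B's global address and add a host route so the client
	# has to source from its link-local address
	run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
	run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
	log_start
	run_cmd nettest -6 -s -D &
	sleep 1
	run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
	log_test $? 0 "UDP in - LLA to GUA"

	# restore ns-B addressing for the tests that follow
	run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
	run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
}

#
# Entry point for the IPv6/UDP section: runs the no-VRF tests with
# udp_l3mdev_accept set to 0 and then 1, then rebuilds the topology
# with a VRF (setup "yes") and runs the VRF tests.
#
ipv6_udp()
{
	# should not matter, but set to known state
	set_sysctl net.ipv4.udp_early_demux=1

	log_section "IPv6/UDP"
	log_subsection "No VRF"
	setup

	# udp_l3mdev_accept should have no effect without VRF;
	# run tests with it enabled and disabled to verify
	log_subsection "udp_l3mdev_accept disabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=0
	ipv6_udp_novrf
	log_subsection "udp_l3mdev_accept enabled"
	set_sysctl net.ipv4.udp_l3mdev_accept=1
	ipv6_udp_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_udp_vrf
}

################################################################################
# IPv6 address bind

#
# bind() tests without a VRF: raw and TCP sockets in ns-A bound to a
# local address, optionally after a device bind.  Every nettest call
# uses -b and runs in the foreground; its exit status is the result.
# The last case records current kernel behaviour (bind to an address
# that is not on the bound device succeeds), so a device bind alone
# should not be read as restricting which local addresses can be bound.
#
ipv6_addr_bind_novrf()
{
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${NSA_LO_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -d ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	#
	# tcp sockets
	#
	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address"

	log_start
	run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. So this test passes
	# when it really should not
	a=${NSA_LO_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
}

#
# bind() tests with a VRF: addresses on the enslaved device and on the
# VRF device must be bindable after a VRF or device bind; the address
# on loopback is outside the VRF and must be rejected (rc 1).
# As in the no-VRF variant, one case records that the kernel accepts an
# address that is not on the bound device as long as it is valid in the
# L3 domain.
#
ipv6_addr_bind_vrf()
{
	local a

	#
	# raw socket
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -d ${VRF} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"

		log_start
		run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -d ${NSA_DEV} -b
		log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
	done

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback is out of VRF scope"
	run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -d ${VRF} -b
	log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"

	#
	# tcp sockets
	#
	# address on enslaved device is valid for the VRF or device in a VRF
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest -6 -s -l ${a} -d ${VRF} -t1 -b
		log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"

	# Sadly, the kernel allows binding a socket to a device and then
	# binding to an address not on the device. The only restriction
	# is that the address is valid in the L3 domain. So this test
	# passes when it really should not
	a=${VRF_IP6}
	log_start
	show_hint "Tecnically should fail since address is not on device but kernel allows"
	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind"

	a=${NSA_LO_IP6}
	log_start
	show_hint "Address on loopback out of scope for VRF"
	run_cmd nettest -6 -s -l ${a} -d ${VRF} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"

	log_start
	show_hint "Address on loopback out of scope for device in VRF"
	run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b
	log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"

}

#
# Entry point for the IPv6 address bind section: no-VRF topology first,
# then the VRF topology.
#
ipv6_addr_bind()
{
	log_section "IPv6 address binds"

	log_subsection "No VRF"
	setup
	ipv6_addr_bind_novrf

	log_subsection "With VRF"
	setup "yes"
	ipv6_addr_bind_vrf
}

################################################################################
# IPv6 runtime tests

#
# Delete the VRF device while sockets are in use.
#
# Arguments: $1 - description prefix for the test labels
#            $2 - extra nettest arguments (appended to -6; expanded
#                 unquoted on purpose so it splits into several words)
#
# Each case starts a server and a client in the background, deletes
# ${VRF} while they run and then records the case with a hard-coded
# "0 0": the exit status of the nettest processes is not checked, the
# case counts as passed once the script gets past the delete.  setup is
# re-run after every case because the VRF is gone.
#
ipv6_rt()
{
	local desc="$1"
	local varg="-6 $2"
	local with_vrf="yes"
	local a

	#
	# server tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -d ${VRF} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -d ${NSA_DEV} -s &
		sleep 1
		run_cmd_nsb nettest ${varg} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, enslaved device server"

		setup ${with_vrf}
	done

	#
	# client test
	#
	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, VRF client"

	setup ${with_vrf}

	log_start
	run_cmd_nsb nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test 0 0 "${desc}, enslaved device client"

	setup ${with_vrf}


	#
	# local address tests
	#
	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, global server, VRF client"

		setup ${with_vrf}
	done

	for a in ${NSA_IP6} ${VRF_IP6}
	do
		log_start
		run_cmd nettest ${varg} -d ${VRF} -s &
		sleep 1
		run_cmd nettest ${varg} -d ${VRF} -r ${a} &
		sleep 3
		run_cmd ip link del ${VRF}
		sleep 1
		log_test_addr ${a} 0 0 "${desc}, VRF server and client"

		setup ${with_vrf}
	done

	a=${NSA_IP6}
	log_start
	run_cmd nettest ${varg} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, global server, device client"

	setup ${with_vrf}

	log_start
	run_cmd nettest ${varg} -d ${VRF} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, VRF server, device client"

	setup ${with_vrf}

	# no setup after the last case: the caller re-runs it
	log_start
	run_cmd nettest ${varg} -d ${NSA_DEV} -s &
	sleep 1
	run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "${desc}, device server, device client"
}

#
# Delete the VRF device while a flood ping (${ping6} -f) is running,
# once with traffic coming in from ns-B and once going out through
# ${VRF}.  Results are recorded with a hard-coded "0 0", as in ipv6_rt.
#
ipv6_ping_rt()
{
	local with_vrf="yes"
	local a

	a=${NSA_IP6}
	log_start
	run_cmd_nsb ${ping6} -f ${a} &
	sleep 3
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"

	setup ${with_vrf}

	# NOTE(review): the ping target here is ${NSB_IP6}, but the result
	# is still logged against ${a} (${NSA_IP6}) - confirm the intended
	# address in the label.
	log_start
	run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
	sleep 1
	run_cmd ip link del ${VRF}
	sleep 1
	log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
}

#
# Entry point for the IPv6 run time section.  The topology is rebuilt
# with a VRF before each group because every group ends with the VRF
# deleted.
#
ipv6_runtime()
{
	log_section "Run time tests - ipv6"

	setup "yes"
	ipv6_ping_rt

	setup "yes"
	ipv6_rt "TCP active socket" "-n -1"

	setup "yes"
	ipv6_rt "TCP passive socket" "-i"

	setup "yes"
	ipv6_rt "UDP active socket" "-D -n -1"
}

################################################################################
# netfilter blocking connections

#
# IPv4 TCP connect from ns-B to an unbound server in ns-A that is
# expected to fail with rc 1 for both the device and the VRF address.
# Per the test label the connection is rejected with a TCP reset on
# receive; the rule that does this is installed by the caller and is
# not part of this function.
#
netfilter_tcp_reset()
{
	local a

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest -s &
		sleep 1
		run_cmd_nsb nettest -r ${a}
		log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
	done
}

netfilter_icmp()
{
	local stype="$1"
	local arg
	local a

	[ "${stype}" = "UDP" ] && arg="-D"

	for a in ${NSA_IP} ${VRF_IP}
	do
		log_start
		run_cmd nettest ${arg} -s &
		sleep 1
		run_cmd_nsb nettest ${arg} -r ${a}
		log_test_addr ${a} $?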
1 "Global ${stype} server, Rx reject icmp-port-unreach" 3682 done 3683} 3684 3685ipv4_netfilter() 3686{ 3687 log_section "IPv4 Netfilter" 3688 log_subsection "TCP reset" 3689 3690 setup "yes" 3691 run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset 3692 3693 netfilter_tcp_reset 3694 3695 log_start 3696 log_subsection "ICMP unreachable" 3697 3698 log_start 3699 run_cmd iptables -F 3700 run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable 3701 run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable 3702 3703 netfilter_icmp "TCP" 3704 netfilter_icmp "UDP" 3705 3706 log_start 3707 iptables -F 3708} 3709 3710netfilter_tcp6_reset() 3711{ 3712 local a 3713 3714 for a in ${NSA_IP6} ${VRF_IP6} 3715 do 3716 log_start 3717 run_cmd nettest -6 -s & 3718 sleep 1 3719 run_cmd_nsb nettest -6 -r ${a} 3720 log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx" 3721 done 3722} 3723 3724netfilter_icmp6() 3725{ 3726 local stype="$1" 3727 local arg 3728 local a 3729 3730 [ "${stype}" = "UDP" ] && arg="$arg -D" 3731 3732 for a in ${NSA_IP6} ${VRF_IP6} 3733 do 3734 log_start 3735 run_cmd nettest -6 -s ${arg} & 3736 sleep 1 3737 run_cmd_nsb nettest -6 ${arg} -r ${a} 3738 log_test_addr ${a} $? 
1 "Global ${stype} server, Rx reject icmp-port-unreach" 3739 done 3740} 3741 3742ipv6_netfilter() 3743{ 3744 log_section "IPv6 Netfilter" 3745 log_subsection "TCP reset" 3746 3747 setup "yes" 3748 run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset 3749 3750 netfilter_tcp6_reset 3751 3752 log_subsection "ICMP unreachable" 3753 3754 log_start 3755 run_cmd ip6tables -F 3756 run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable 3757 run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable 3758 3759 netfilter_icmp6 "TCP" 3760 netfilter_icmp6 "UDP" 3761 3762 log_start 3763 ip6tables -F 3764} 3765 3766################################################################################ 3767# specific use cases 3768 3769# VRF only. 3770# ns-A device enslaved to bridge. Verify traffic with and without 3771# br_netfilter module loaded. Repeat with SVI on bridge. 3772use_case_br() 3773{ 3774 setup "yes" 3775 3776 setup_cmd ip link set ${NSA_DEV} down 3777 setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24 3778 setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64 3779 3780 setup_cmd ip link add br0 type bridge 3781 setup_cmd ip addr add dev br0 ${NSA_IP}/24 3782 setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad 3783 3784 setup_cmd ip li set ${NSA_DEV} master br0 3785 setup_cmd ip li set ${NSA_DEV} up 3786 setup_cmd ip li set br0 up 3787 setup_cmd ip li set br0 vrf ${VRF} 3788 3789 rmmod br_netfilter 2>/dev/null 3790 sleep 5 # DAD 3791 3792 run_cmd ip neigh flush all 3793 run_cmd ping -c1 -w1 -I br0 ${NSB_IP} 3794 log_test $? 0 "Bridge into VRF - IPv4 ping out" 3795 3796 run_cmd ip neigh flush all 3797 run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6} 3798 log_test $? 0 "Bridge into VRF - IPv6 ping out" 3799 3800 run_cmd ip neigh flush all 3801 run_cmd_nsb ping -c1 -w1 ${NSA_IP} 3802 log_test $? 
0 "Bridge into VRF - IPv4 ping in" 3803 3804 run_cmd ip neigh flush all 3805 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 3806 log_test $? 0 "Bridge into VRF - IPv6 ping in" 3807 3808 modprobe br_netfilter 3809 if [ $? -eq 0 ]; then 3810 run_cmd ip neigh flush all 3811 run_cmd ping -c1 -w1 -I br0 ${NSB_IP} 3812 log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out" 3813 3814 run_cmd ip neigh flush all 3815 run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6} 3816 log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out" 3817 3818 run_cmd ip neigh flush all 3819 run_cmd_nsb ping -c1 -w1 ${NSA_IP} 3820 log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in" 3821 3822 run_cmd ip neigh flush all 3823 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} 3824 log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in" 3825 fi 3826 3827 setup_cmd ip li set br0 nomaster 3828 setup_cmd ip li add br0.100 link br0 type vlan id 100 3829 setup_cmd ip li set br0.100 vrf ${VRF} up 3830 setup_cmd ip addr add dev br0.100 172.16.101.1/24 3831 setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad 3832 3833 setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100 3834 setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24 3835 setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad 3836 setup_cmd_nsb ip li set vlan100 up 3837 sleep 1 3838 3839 rmmod br_netfilter 2>/dev/null 3840 3841 run_cmd ip neigh flush all 3842 run_cmd ping -c1 -w1 -I br0.100 172.16.101.2 3843 log_test $? 0 "Bridge vlan into VRF - IPv4 ping out" 3844 3845 run_cmd ip neigh flush all 3846 run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2 3847 log_test $? 0 "Bridge vlan into VRF - IPv6 ping out" 3848 3849 run_cmd ip neigh flush all 3850 run_cmd_nsb ping -c1 -w1 172.16.101.1 3851 log_test $? 0 "Bridge vlan into VRF - IPv4 ping in" 3852 3853 run_cmd ip neigh flush all 3854 run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1 3855 log_test $? 
0 "Bridge vlan into VRF - IPv6 ping in" 3856 3857 modprobe br_netfilter 3858 if [ $? -eq 0 ]; then 3859 run_cmd ip neigh flush all 3860 run_cmd ping -c1 -w1 -I br0.100 172.16.101.2 3861 log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out" 3862 3863 run_cmd ip neigh flush all 3864 run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2 3865 log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out" 3866 3867 run_cmd ip neigh flush all 3868 run_cmd_nsb ping -c1 -w1 172.16.101.1 3869 log_test $? 0 "Bridge vlan into VRF - IPv4 ping in" 3870 3871 run_cmd ip neigh flush all 3872 run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1 3873 log_test $? 0 "Bridge vlan into VRF - IPv6 ping in" 3874 fi 3875 3876 setup_cmd ip li del br0 2>/dev/null 3877 setup_cmd_nsb ip li del vlan100 2>/dev/null 3878} 3879 3880# VRF only. 3881# ns-A device is connected to both ns-B and ns-C on a single VRF but only has 3882# LLA on the interfaces 3883use_case_ping_lla_multi() 3884{ 3885 setup_lla_only 3886 # only want reply from ns-A 3887 setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1 3888 setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1 3889 3890 log_start 3891 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV} 3892 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B" 3893 3894 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV} 3895 log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C" 3896 3897 # cycle/flap the first ns-A interface 3898 setup_cmd ip link set ${NSA_DEV} down 3899 setup_cmd ip link set ${NSA_DEV} up 3900 sleep 1 3901 3902 log_start 3903 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV} 3904 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B" 3905 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV} 3906 log_test_addr ${MCAST}%${NSC_DEV} $? 
0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C" 3907 3908 # cycle/flap the second ns-A interface 3909 setup_cmd ip link set ${NSA_DEV2} down 3910 setup_cmd ip link set ${NSA_DEV2} up 3911 sleep 1 3912 3913 log_start 3914 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV} 3915 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B" 3916 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV} 3917 log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C" 3918} 3919 3920use_cases() 3921{ 3922 log_section "Use cases" 3923 log_subsection "Device enslaved to bridge" 3924 use_case_br 3925 log_subsection "Ping LLA with multiple interfaces" 3926 use_case_ping_lla_multi 3927} 3928 3929################################################################################ 3930# usage 3931 3932usage() 3933{ 3934 cat <<EOF 3935usage: ${0##*/} OPTS 3936 3937 -4 IPv4 tests only 3938 -6 IPv6 tests only 3939 -t <test> Test name/set to run 3940 -p Pause on fail 3941 -P Pause after each test 3942 -v Be verbose 3943EOF 3944} 3945 3946################################################################################ 3947# main 3948 3949TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter" 3950TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter" 3951TESTS_OTHER="use_cases" 3952 3953PAUSE_ON_FAIL=no 3954PAUSE=no 3955 3956while getopts :46t:pPvh o 3957do 3958 case $o in 3959 4) TESTS=ipv4;; 3960 6) TESTS=ipv6;; 3961 t) TESTS=$OPTARG;; 3962 p) PAUSE_ON_FAIL=yes;; 3963 P) PAUSE=yes;; 3964 v) VERBOSE=1;; 3965 h) usage; exit 0;; 3966 *) usage; exit 1;; 3967 esac 3968done 3969 3970# make sure we don't pause twice 3971[ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no 3972 3973# 3974# show user test config 3975# 3976if [ -z "$TESTS" ]; then 3977 TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER" 3978elif [ "$TESTS" = "ipv4" ]; then 3979 TESTS="$TESTS_IPV4" 3980elif [ "$TESTS" = "ipv6" ]; then 3981 TESTS="$TESTS_IPV6" 3982fi 
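
# nettest generates the traffic for the socket tests; without it the run is
# skipped with a success status.
if ! command -v nettest >/dev/null; then
	echo "'nettest' command not found; skipping tests"
	exit 0
fi

declare -i nfail=0
declare -i nsuccess=0

# $TESTS is split on whitespace on purpose: it holds a list of test names.
for t in $TESTS
do
	case $t in
	ipv4_ping|ping)  ipv4_ping;;
	ipv4_tcp|tcp)    ipv4_tcp;;
	ipv4_udp|udp)    ipv4_udp;;
	ipv4_bind|bind)  ipv4_addr_bind;;
	ipv4_runtime)    ipv4_runtime;;
	ipv4_netfilter)  ipv4_netfilter;;

	ipv6_ping|ping6) ipv6_ping;;
	ipv6_tcp|tcp6)   ipv6_tcp;;
	ipv6_udp|udp6)   ipv6_udp;;
	ipv6_bind|bind6) ipv6_addr_bind;;
	ipv6_runtime)    ipv6_runtime;;
	ipv6_netfilter)  ipv6_netfilter;;

	use_cases)       use_cases;;

	# setup namespaces and config, but do not run any tests
	setup)		 setup; exit 0;;
	vrf_setup)	 setup "yes"; exit 0;;

	# list the known test names; $TESTS at this point only holds what
	# the user passed (e.g. "help"), so print the defined sets instead
	help)		 echo "Test names: $TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"; exit 0;;

	# a misspelled name used to be skipped silently
	*)		 echo "Unknown test name '$t' ignored" >&2;;
	esac
done

cleanup 2>/dev/null

# NOTE(review): the script ends with the status of the last printf, so a
# non-zero failure count is presumably not reflected in the exit code -
# confirm against how nfail is updated earlier in the file.
printf "\nTests passed: %3d\n" "${nsuccess}"
printf "Tests failed: %3d\n" "${nfail}"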