]>
Commit | Line | Data |
---|---|---|
6f9d5cac DA |
1 | #!/bin/bash |
2 | # SPDX-License-Identifier: GPL-2.0 | |
3 | # | |
4 | # Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved. | |
5 | # | |
6 | # IPv4 and IPv6 functional tests focusing on VRF and routing lookups | |
7 | # for various permutations: | |
8 | # 1. icmp, tcp, udp and netfilter | |
9 | # 2. client, server, no-server | |
10 | # 3. global address on interface | |
11 | # 4. global address on 'lo' | |
12 | # 5. remote and local traffic | |
13 | # 6. VRF and non-VRF permutations | |
14 | # | |
15 | # Setup: | |
16 | # ns-A | ns-B | |
17 | # No VRF case: | |
18 | # [ lo ] [ eth1 ]---|---[ eth1 ] [ lo ] | |
19 | # remote address | |
20 | # VRF case: | |
21 | # [ red ]---[ eth1 ]---|---[ eth1 ] [ lo ] | |
22 | # | |
23 | # ns-A: | |
24 | # eth1: 172.16.1.1/24, 2001:db8:1::1/64 | |
25 | # lo: 127.0.0.1/8, ::1/128 | |
26 | # 172.16.2.1/32, 2001:db8:2::1/128 | |
27 | # red: 127.0.0.1/8, ::1/128 | |
28 | # 172.16.3.1/32, 2001:db8:3::1/128 | |
29 | # | |
30 | # ns-B: | |
31 | # eth1: 172.16.1.2/24, 2001:db8:1::2/64 | |
32 | # lo2: 127.0.0.1/8, ::1/128 | |
33 | # 172.16.2.2/32, 2001:db8:2::2/128 | |
34 | # | |
5cad8bce DA |
35 | # ns-A to ns-C connection - only for VRF and same config |
36 | # as ns-A to ns-B | |
37 | # | |
6f9d5cac DA |
38 | # server / client nomenclature relative to ns-A |
39 | ||
40 | VERBOSE=0 | |
41 | ||
42 | NSA_DEV=eth1 | |
5cad8bce | 43 | NSA_DEV2=eth2 |
6f9d5cac | 44 | NSB_DEV=eth1 |
5cad8bce | 45 | NSC_DEV=eth2 |
6f9d5cac DA |
46 | VRF=red |
47 | VRF_TABLE=1101 | |
48 | ||
49 | # IPv4 config | |
50 | NSA_IP=172.16.1.1 | |
51 | NSB_IP=172.16.1.2 | |
52 | VRF_IP=172.16.3.1 | |
f0bee1eb | 53 | NS_NET=172.16.1.0/24 |
6f9d5cac DA |
54 | |
55 | # IPv6 config | |
56 | NSA_IP6=2001:db8:1::1 | |
57 | NSB_IP6=2001:db8:1::2 | |
58 | VRF_IP6=2001:db8:3::1 | |
f0bee1eb | 59 | NS_NET6=2001:db8:1::/120 |
6f9d5cac DA |
60 | |
61 | NSA_LO_IP=172.16.2.1 | |
62 | NSB_LO_IP=172.16.2.2 | |
63 | NSA_LO_IP6=2001:db8:2::1 | |
64 | NSB_LO_IP6=2001:db8:2::2 | |
65 | ||
f0bee1eb DA |
66 | MD5_PW=abc123 |
67 | MD5_WRONG_PW=abc1234 | |
68 | ||
6f9d5cac DA |
69 | MCAST=ff02::1 |
70 | # set after namespace create | |
71 | NSA_LINKIP6= | |
72 | NSB_LINKIP6= | |
73 | ||
74 | NSA=ns-A | |
75 | NSB=ns-B | |
5cad8bce | 76 | NSC=ns-C |
6f9d5cac DA |
77 | |
78 | NSA_CMD="ip netns exec ${NSA}" | |
79 | NSB_CMD="ip netns exec ${NSB}" | |
5cad8bce | 80 | NSC_CMD="ip netns exec ${NSC}" |
6f9d5cac DA |
81 | |
82 | which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping) | |
83 | ||
84 | ################################################################################ | |
85 | # utilities | |
86 | ||
87 | log_test() | |
88 | { | |
89 | local rc=$1 | |
90 | local expected=$2 | |
91 | local msg="$3" | |
92 | ||
93 | [ "${VERBOSE}" = "1" ] && echo | |
94 | ||
95 | if [ ${rc} -eq ${expected} ]; then | |
96 | nsuccess=$((nsuccess+1)) | |
97 | printf "TEST: %-70s [ OK ]\n" "${msg}" | |
98 | else | |
99 | nfail=$((nfail+1)) | |
100 | printf "TEST: %-70s [FAIL]\n" "${msg}" | |
101 | if [ "${PAUSE_ON_FAIL}" = "yes" ]; then | |
102 | echo | |
103 | echo "hit enter to continue, 'q' to quit" | |
104 | read a | |
105 | [ "$a" = "q" ] && exit 1 | |
106 | fi | |
107 | fi | |
108 | ||
109 | if [ "${PAUSE}" = "yes" ]; then | |
110 | echo | |
111 | echo "hit enter to continue, 'q' to quit" | |
112 | read a | |
113 | [ "$a" = "q" ] && exit 1 | |
114 | fi | |
115 | ||
116 | kill_procs | |
117 | } | |
118 | ||
119 | log_test_addr() | |
120 | { | |
121 | local addr=$1 | |
122 | local rc=$2 | |
123 | local expected=$3 | |
124 | local msg="$4" | |
125 | local astr | |
126 | ||
127 | astr=$(addr2str ${addr}) | |
128 | log_test $rc $expected "$msg - ${astr}" | |
129 | } | |
130 | ||
131 | log_section() | |
132 | { | |
133 | echo | |
134 | echo "###########################################################################" | |
135 | echo "$*" | |
136 | echo "###########################################################################" | |
137 | echo | |
138 | } | |
139 | ||
140 | log_subsection() | |
141 | { | |
142 | echo | |
143 | echo "#################################################################" | |
144 | echo "$*" | |
145 | echo | |
146 | } | |
147 | ||
148 | log_start() | |
149 | { | |
150 | # make sure we have no test instances running | |
151 | kill_procs | |
152 | ||
153 | if [ "${VERBOSE}" = "1" ]; then | |
154 | echo | |
155 | echo "#######################################################" | |
156 | fi | |
157 | } | |
158 | ||
159 | log_debug() | |
160 | { | |
161 | if [ "${VERBOSE}" = "1" ]; then | |
162 | echo | |
163 | echo "$*" | |
164 | echo | |
165 | fi | |
166 | } | |
167 | ||
168 | show_hint() | |
169 | { | |
170 | if [ "${VERBOSE}" = "1" ]; then | |
171 | echo "HINT: $*" | |
172 | echo | |
173 | fi | |
174 | } | |
175 | ||
176 | kill_procs() | |
177 | { | |
178 | killall nettest ping ping6 >/dev/null 2>&1 | |
179 | sleep 1 | |
180 | } | |
181 | ||
182 | do_run_cmd() | |
183 | { | |
184 | local cmd="$*" | |
185 | local out | |
186 | ||
187 | if [ "$VERBOSE" = "1" ]; then | |
188 | echo "COMMAND: ${cmd}" | |
189 | fi | |
190 | ||
191 | out=$($cmd 2>&1) | |
192 | rc=$? | |
193 | if [ "$VERBOSE" = "1" -a -n "$out" ]; then | |
194 | echo "$out" | |
195 | fi | |
196 | ||
197 | return $rc | |
198 | } | |
199 | ||
200 | run_cmd() | |
201 | { | |
202 | do_run_cmd ${NSA_CMD} $* | |
203 | } | |
204 | ||
205 | run_cmd_nsb() | |
206 | { | |
207 | do_run_cmd ${NSB_CMD} $* | |
208 | } | |
209 | ||
5cad8bce DA |
210 | run_cmd_nsc() |
211 | { | |
212 | do_run_cmd ${NSC_CMD} $* | |
213 | } | |
214 | ||
6f9d5cac DA |
215 | setup_cmd() |
216 | { | |
217 | local cmd="$*" | |
218 | local rc | |
219 | ||
220 | run_cmd ${cmd} | |
221 | rc=$? | |
222 | if [ $rc -ne 0 ]; then | |
223 | # show user the command if not done so already | |
224 | if [ "$VERBOSE" = "0" ]; then | |
225 | echo "setup command: $cmd" | |
226 | fi | |
227 | echo "failed. stopping tests" | |
228 | if [ "${PAUSE_ON_FAIL}" = "yes" ]; then | |
229 | echo | |
230 | echo "hit enter to continue" | |
231 | read a | |
232 | fi | |
233 | exit $rc | |
234 | fi | |
235 | } | |
236 | ||
237 | setup_cmd_nsb() | |
238 | { | |
239 | local cmd="$*" | |
240 | local rc | |
241 | ||
242 | run_cmd_nsb ${cmd} | |
243 | rc=$? | |
244 | if [ $rc -ne 0 ]; then | |
245 | # show user the command if not done so already | |
246 | if [ "$VERBOSE" = "0" ]; then | |
247 | echo "setup command: $cmd" | |
248 | fi | |
249 | echo "failed. stopping tests" | |
250 | if [ "${PAUSE_ON_FAIL}" = "yes" ]; then | |
251 | echo | |
252 | echo "hit enter to continue" | |
253 | read a | |
254 | fi | |
255 | exit $rc | |
256 | fi | |
257 | } | |
258 | ||
259 | # set sysctl values in NS-A | |
260 | set_sysctl() | |
261 | { | |
262 | echo "SYSCTL: $*" | |
263 | echo | |
264 | run_cmd sysctl -q -w $* | |
265 | } | |
266 | ||
267 | ################################################################################ | |
268 | # Setup for tests | |
269 | ||
270 | addr2str() | |
271 | { | |
272 | case "$1" in | |
273 | 127.0.0.1) echo "loopback";; | |
274 | ::1) echo "IPv6 loopback";; | |
275 | ||
276 | ${NSA_IP}) echo "ns-A IP";; | |
277 | ${NSA_IP6}) echo "ns-A IPv6";; | |
278 | ${NSA_LO_IP}) echo "ns-A loopback IP";; | |
279 | ${NSA_LO_IP6}) echo "ns-A loopback IPv6";; | |
280 | ${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";; | |
281 | ||
282 | ${NSB_IP}) echo "ns-B IP";; | |
283 | ${NSB_IP6}) echo "ns-B IPv6";; | |
284 | ${NSB_LO_IP}) echo "ns-B loopback IP";; | |
285 | ${NSB_LO_IP6}) echo "ns-B loopback IPv6";; | |
286 | ${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";; | |
287 | ||
288 | ${VRF_IP}) echo "VRF IP";; | |
289 | ${VRF_IP6}) echo "VRF IPv6";; | |
290 | ||
291 | ${MCAST}%*) echo "multicast IP";; | |
292 | ||
293 | *) echo "unknown";; | |
294 | esac | |
295 | } | |
296 | ||
297 | get_linklocal() | |
298 | { | |
299 | local ns=$1 | |
300 | local dev=$2 | |
301 | local addr | |
302 | ||
303 | addr=$(ip -netns ${ns} -6 -br addr show dev ${dev} | \ | |
304 | awk '{ | |
305 | for (i = 3; i <= NF; ++i) { | |
306 | if ($i ~ /^fe80/) | |
307 | print $i | |
308 | } | |
309 | }' | |
310 | ) | |
311 | addr=${addr/\/*} | |
312 | ||
313 | [ -z "$addr" ] && return 1 | |
314 | ||
315 | echo $addr | |
316 | ||
317 | return 0 | |
318 | } | |
319 | ||
320 | ################################################################################ | |
321 | # create namespaces and vrf | |
322 | ||
323 | create_vrf() | |
324 | { | |
325 | local ns=$1 | |
326 | local vrf=$2 | |
327 | local table=$3 | |
328 | local addr=$4 | |
329 | local addr6=$5 | |
330 | ||
331 | ip -netns ${ns} link add ${vrf} type vrf table ${table} | |
332 | ip -netns ${ns} link set ${vrf} up | |
333 | ip -netns ${ns} route add vrf ${vrf} unreachable default metric 8192 | |
334 | ip -netns ${ns} -6 route add vrf ${vrf} unreachable default metric 8192 | |
335 | ||
336 | ip -netns ${ns} addr add 127.0.0.1/8 dev ${vrf} | |
337 | ip -netns ${ns} -6 addr add ::1 dev ${vrf} nodad | |
338 | if [ "${addr}" != "-" ]; then | |
339 | ip -netns ${ns} addr add dev ${vrf} ${addr} | |
340 | fi | |
341 | if [ "${addr6}" != "-" ]; then | |
342 | ip -netns ${ns} -6 addr add dev ${vrf} ${addr6} | |
343 | fi | |
344 | ||
345 | ip -netns ${ns} ru del pref 0 | |
346 | ip -netns ${ns} ru add pref 32765 from all lookup local | |
347 | ip -netns ${ns} -6 ru del pref 0 | |
348 | ip -netns ${ns} -6 ru add pref 32765 from all lookup local | |
349 | } | |
350 | ||
351 | create_ns() | |
352 | { | |
353 | local ns=$1 | |
354 | local addr=$2 | |
355 | local addr6=$3 | |
356 | ||
357 | ip netns add ${ns} | |
358 | ||
359 | ip -netns ${ns} link set lo up | |
360 | if [ "${addr}" != "-" ]; then | |
361 | ip -netns ${ns} addr add dev lo ${addr} | |
362 | fi | |
363 | if [ "${addr6}" != "-" ]; then | |
364 | ip -netns ${ns} -6 addr add dev lo ${addr6} | |
365 | fi | |
366 | ||
367 | ip -netns ${ns} ro add unreachable default metric 8192 | |
368 | ip -netns ${ns} -6 ro add unreachable default metric 8192 | |
369 | ||
370 | ip netns exec ${ns} sysctl -qw net.ipv4.ip_forward=1 | |
371 | ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1 | |
372 | ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.forwarding=1 | |
373 | ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.forwarding=1 | |
374 | } | |
375 | ||
376 | # create veth pair to connect namespaces and apply addresses. | |
377 | connect_ns() | |
378 | { | |
379 | local ns1=$1 | |
380 | local ns1_dev=$2 | |
381 | local ns1_addr=$3 | |
382 | local ns1_addr6=$4 | |
383 | local ns2=$5 | |
384 | local ns2_dev=$6 | |
385 | local ns2_addr=$7 | |
386 | local ns2_addr6=$8 | |
387 | ||
388 | ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp | |
389 | ip -netns ${ns1} li set ${ns1_dev} up | |
390 | ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev} | |
391 | ip -netns ${ns2} li set ${ns2_dev} up | |
392 | ||
393 | if [ "${ns1_addr}" != "-" ]; then | |
394 | ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr} | |
395 | ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr} | |
396 | fi | |
397 | ||
398 | if [ "${ns1_addr6}" != "-" ]; then | |
399 | ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6} | |
400 | ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6} | |
401 | fi | |
402 | } | |
403 | ||
404 | cleanup() | |
405 | { | |
406 | # explicit cleanups to check those code paths | |
407 | ip netns | grep -q ${NSA} | |
408 | if [ $? -eq 0 ]; then | |
409 | ip -netns ${NSA} link delete ${VRF} | |
410 | ip -netns ${NSA} ro flush table ${VRF_TABLE} | |
411 | ||
412 | ip -netns ${NSA} addr flush dev ${NSA_DEV} | |
413 | ip -netns ${NSA} -6 addr flush dev ${NSA_DEV} | |
414 | ip -netns ${NSA} link set dev ${NSA_DEV} down | |
415 | ip -netns ${NSA} link del dev ${NSA_DEV} | |
416 | ||
417 | ip netns del ${NSA} | |
418 | fi | |
419 | ||
420 | ip netns del ${NSB} | |
5cad8bce | 421 | ip netns del ${NSC} >/dev/null 2>&1 |
6f9d5cac DA |
422 | } |
423 | ||
424 | setup() | |
425 | { | |
426 | local with_vrf=${1} | |
427 | ||
428 | # make sure we are starting with a clean slate | |
429 | kill_procs | |
430 | cleanup 2>/dev/null | |
431 | ||
432 | log_debug "Configuring network namespaces" | |
433 | set -e | |
434 | ||
435 | create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128 | |
436 | create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128 | |
437 | connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \ | |
438 | ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 | |
439 | ||
440 | NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV}) | |
441 | NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV}) | |
442 | ||
443 | # tell ns-A how to get to remote addresses of ns-B | |
444 | if [ "${with_vrf}" = "yes" ]; then | |
445 | create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6} | |
446 | ||
447 | ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF} | |
448 | ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} | |
449 | ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} | |
450 | ||
451 | ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV} | |
452 | ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} | |
5cad8bce DA |
453 | |
454 | # some VRF tests use ns-C which has the same config as | |
455 | # ns-B but for a device NOT in the VRF | |
456 | create_ns ${NSC} "-" "-" | |
457 | connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \ | |
458 | ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64 | |
6f9d5cac DA |
459 | else |
460 | ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV} | |
461 | ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV} | |
462 | fi | |
463 | ||
464 | ||
465 | # tell ns-B how to get to remote addresses of ns-A | |
466 | ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV} | |
467 | ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV} | |
468 | ||
469 | set +e | |
470 | ||
471 | sleep 1 | |
472 | } | |
473 | ||
c032dd8c DA |
474 | ################################################################################ |
475 | # IPv4 | |
476 | ||
477 | ipv4_ping_novrf() | |
478 | { | |
479 | local a | |
480 | ||
481 | # | |
482 | # out | |
483 | # | |
484 | for a in ${NSB_IP} ${NSB_LO_IP} | |
485 | do | |
486 | log_start | |
487 | run_cmd ping -c1 -w1 ${a} | |
488 | log_test_addr ${a} $? 0 "ping out" | |
489 | ||
490 | log_start | |
491 | run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} | |
492 | log_test_addr ${a} $? 0 "ping out, device bind" | |
493 | ||
494 | log_start | |
495 | run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a} | |
496 | log_test_addr ${a} $? 0 "ping out, address bind" | |
497 | done | |
498 | ||
499 | # | |
500 | # in | |
501 | # | |
502 | for a in ${NSA_IP} ${NSA_LO_IP} | |
503 | do | |
504 | log_start | |
505 | run_cmd_nsb ping -c1 -w1 ${a} | |
506 | log_test_addr ${a} $? 0 "ping in" | |
507 | done | |
508 | ||
509 | # | |
510 | # local traffic | |
511 | # | |
512 | for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 | |
513 | do | |
514 | log_start | |
515 | run_cmd ping -c1 -w1 ${a} | |
516 | log_test_addr ${a} $? 0 "ping local" | |
517 | done | |
518 | ||
519 | # | |
520 | # local traffic, socket bound to device | |
521 | # | |
522 | # address on device | |
523 | a=${NSA_IP} | |
524 | log_start | |
525 | run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} | |
526 | log_test_addr ${a} $? 0 "ping local, device bind" | |
527 | ||
528 | # loopback addresses not reachable from device bind | |
529 | # fails in a really weird way though because ipv4 special cases | |
530 | # route lookups with oif set. | |
531 | for a in ${NSA_LO_IP} 127.0.0.1 | |
532 | do | |
533 | log_start | |
534 | show_hint "Fails since address on loopback device is out of device scope" | |
535 | run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} | |
536 | log_test_addr ${a} $? 1 "ping local, device bind" | |
537 | done | |
538 | ||
539 | # | |
540 | # ip rule blocks reachability to remote address | |
541 | # | |
542 | log_start | |
543 | setup_cmd ip rule add pref 32765 from all lookup local | |
544 | setup_cmd ip rule del pref 0 from all lookup local | |
545 | setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit | |
546 | setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit | |
547 | ||
548 | a=${NSB_LO_IP} | |
549 | run_cmd ping -c1 -w1 ${a} | |
550 | log_test_addr ${a} $? 2 "ping out, blocked by rule" | |
551 | ||
552 | # NOTE: ipv4 actually allows the lookup to fail and yet still create | |
553 | # a viable rtable if the oif (e.g., bind to device) is set, so this | |
554 | # case succeeds despite the rule | |
555 | # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} | |
556 | ||
557 | a=${NSA_LO_IP} | |
558 | log_start | |
559 | show_hint "Response generates ICMP (or arp request is ignored) due to ip rule" | |
560 | run_cmd_nsb ping -c1 -w1 ${a} | |
561 | log_test_addr ${a} $? 1 "ping in, blocked by rule" | |
562 | ||
563 | [ "$VERBOSE" = "1" ] && echo | |
564 | setup_cmd ip rule del pref 32765 from all lookup local | |
565 | setup_cmd ip rule add pref 0 from all lookup local | |
566 | setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit | |
567 | setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit | |
568 | ||
569 | # | |
570 | # route blocks reachability to remote address | |
571 | # | |
572 | log_start | |
573 | setup_cmd ip route replace unreachable ${NSB_LO_IP} | |
574 | setup_cmd ip route replace unreachable ${NSB_IP} | |
575 | ||
576 | a=${NSB_LO_IP} | |
577 | run_cmd ping -c1 -w1 ${a} | |
578 | log_test_addr ${a} $? 2 "ping out, blocked by route" | |
579 | ||
580 | # NOTE: ipv4 actually allows the lookup to fail and yet still create | |
581 | # a viable rtable if the oif (e.g., bind to device) is set, so this | |
582 | # case succeeds despite not having a route for the address | |
583 | # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} | |
584 | ||
585 | a=${NSA_LO_IP} | |
586 | log_start | |
587 | show_hint "Response is dropped (or arp request is ignored) due to ip route" | |
588 | run_cmd_nsb ping -c1 -w1 ${a} | |
589 | log_test_addr ${a} $? 1 "ping in, blocked by route" | |
590 | ||
591 | # | |
592 | # remove 'remote' routes; fallback to default | |
593 | # | |
594 | log_start | |
595 | setup_cmd ip ro del ${NSB_LO_IP} | |
596 | ||
597 | a=${NSB_LO_IP} | |
598 | run_cmd ping -c1 -w1 ${a} | |
599 | log_test_addr ${a} $? 2 "ping out, unreachable default route" | |
600 | ||
601 | # NOTE: ipv4 actually allows the lookup to fail and yet still create | |
602 | # a viable rtable if the oif (e.g., bind to device) is set, so this | |
603 | # case succeeds despite not having a route for the address | |
604 | # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} | |
605 | } | |
606 | ||
607 | ipv4_ping_vrf() | |
608 | { | |
609 | local a | |
610 | ||
611 | # should default on; does not exist on older kernels | |
612 | set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null | |
613 | ||
614 | # | |
615 | # out | |
616 | # | |
617 | for a in ${NSB_IP} ${NSB_LO_IP} | |
618 | do | |
619 | log_start | |
620 | run_cmd ping -c1 -w1 -I ${VRF} ${a} | |
621 | log_test_addr ${a} $? 0 "ping out, VRF bind" | |
622 | ||
623 | log_start | |
624 | run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} | |
625 | log_test_addr ${a} $? 0 "ping out, device bind" | |
626 | ||
627 | log_start | |
628 | run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a} | |
629 | log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind" | |
630 | ||
631 | log_start | |
632 | run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a} | |
633 | log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind" | |
634 | done | |
635 | ||
636 | # | |
637 | # in | |
638 | # | |
639 | for a in ${NSA_IP} ${VRF_IP} | |
640 | do | |
641 | log_start | |
642 | run_cmd_nsb ping -c1 -w1 ${a} | |
643 | log_test_addr ${a} $? 0 "ping in" | |
644 | done | |
645 | ||
646 | # | |
647 | # local traffic, local address | |
648 | # | |
649 | for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 | |
650 | do | |
651 | log_start | |
652 | show_hint "Source address should be ${a}" | |
653 | run_cmd ping -c1 -w1 -I ${VRF} ${a} | |
654 | log_test_addr ${a} $? 0 "ping local, VRF bind" | |
655 | done | |
656 | ||
657 | # | |
658 | # local traffic, socket bound to device | |
659 | # | |
660 | # address on device | |
661 | a=${NSA_IP} | |
662 | log_start | |
663 | run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} | |
664 | log_test_addr ${a} $? 0 "ping local, device bind" | |
665 | ||
666 | # vrf device is out of scope | |
667 | for a in ${VRF_IP} 127.0.0.1 | |
668 | do | |
669 | log_start | |
670 | show_hint "Fails since address on vrf device is out of device scope" | |
671 | run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} | |
672 | log_test_addr ${a} $? 1 "ping local, device bind" | |
673 | done | |
674 | ||
675 | # | |
676 | # ip rule blocks address | |
677 | # | |
678 | log_start | |
679 | setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit | |
680 | setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit | |
681 | ||
682 | a=${NSB_LO_IP} | |
683 | run_cmd ping -c1 -w1 -I ${VRF} ${a} | |
684 | log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule" | |
685 | ||
686 | log_start | |
687 | run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} | |
688 | log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" | |
689 | ||
690 | a=${NSA_LO_IP} | |
691 | log_start | |
692 | show_hint "Response lost due to ip rule" | |
693 | run_cmd_nsb ping -c1 -w1 ${a} | |
694 | log_test_addr ${a} $? 1 "ping in, blocked by rule" | |
695 | ||
696 | [ "$VERBOSE" = "1" ] && echo | |
697 | setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit | |
698 | setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit | |
699 | ||
700 | # | |
701 | # remove 'remote' routes; fallback to default | |
702 | # | |
703 | log_start | |
704 | setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP} | |
705 | ||
706 | a=${NSB_LO_IP} | |
707 | run_cmd ping -c1 -w1 -I ${VRF} ${a} | |
708 | log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route" | |
709 | ||
710 | log_start | |
711 | run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a} | |
712 | log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" | |
713 | ||
714 | a=${NSA_LO_IP} | |
715 | log_start | |
716 | show_hint "Response lost by unreachable route" | |
717 | run_cmd_nsb ping -c1 -w1 ${a} | |
718 | log_test_addr ${a} $? 1 "ping in, unreachable route" | |
719 | } | |
720 | ||
721 | ipv4_ping() | |
722 | { | |
723 | log_section "IPv4 ping" | |
724 | ||
725 | log_subsection "No VRF" | |
726 | setup | |
727 | set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null | |
728 | ipv4_ping_novrf | |
729 | setup | |
730 | set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null | |
731 | ipv4_ping_novrf | |
732 | ||
733 | log_subsection "With VRF" | |
734 | setup "yes" | |
735 | ipv4_ping_vrf | |
736 | } | |
737 | ||
bbd7c764 DA |
738 | ################################################################################ |
739 | # IPv4 TCP | |
740 | ||
f0bee1eb DA |
741 | # |
742 | # MD5 tests without VRF | |
743 | # | |
744 | ipv4_tcp_md5_novrf() | |
745 | { | |
746 | # | |
747 | # single address | |
748 | # | |
749 | ||
750 | # basic use case | |
751 | log_start | |
752 | run_cmd nettest -s -M ${MD5_PW} -r ${NSB_IP} & | |
753 | sleep 1 | |
754 | run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} | |
755 | log_test $? 0 "MD5: Single address config" | |
756 | ||
757 | # client sends MD5, server not configured | |
758 | log_start | |
759 | show_hint "Should timeout due to MD5 mismatch" | |
760 | run_cmd nettest -s & | |
761 | sleep 1 | |
762 | run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} | |
763 | log_test $? 2 "MD5: Server no config, client uses password" | |
764 | ||
765 | # wrong password | |
766 | log_start | |
767 | show_hint "Should timeout since client uses wrong password" | |
768 | run_cmd nettest -s -M ${MD5_PW} -r ${NSB_IP} & | |
769 | sleep 1 | |
770 | run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW} | |
771 | log_test $? 2 "MD5: Client uses wrong password" | |
772 | ||
773 | # client from different address | |
774 | log_start | |
775 | show_hint "Should timeout due to MD5 mismatch" | |
776 | run_cmd nettest -s -M ${MD5_PW} -r ${NSB_LO_IP} & | |
777 | sleep 1 | |
778 | run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} | |
779 | log_test $? 2 "MD5: Client address does not match address configured with password" | |
780 | ||
781 | # | |
782 | # MD5 extension - prefix length | |
783 | # | |
784 | ||
785 | # client in prefix | |
786 | log_start | |
787 | run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & | |
788 | sleep 1 | |
789 | run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} | |
790 | log_test $? 0 "MD5: Prefix config" | |
791 | ||
792 | # client in prefix, wrong password | |
793 | log_start | |
794 | show_hint "Should timeout since client uses wrong password" | |
795 | run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & | |
796 | sleep 1 | |
797 | run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW} | |
798 | log_test $? 2 "MD5: Prefix config, client uses wrong password" | |
799 | ||
800 | # client outside of prefix | |
801 | log_start | |
802 | show_hint "Should timeout due to MD5 mismatch" | |
803 | run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} & | |
804 | sleep 1 | |
805 | run_cmd_nsb nettest -l ${NSB_LO_IP} -r ${NSA_IP} -M ${MD5_PW} | |
806 | log_test $? 2 "MD5: Prefix config, client address not in configured prefix" | |
807 | } | |
808 | ||
5cad8bce DA |
809 | # |
810 | # MD5 tests with VRF | |
811 | # | |
812 | ipv4_tcp_md5() | |
813 | { | |
814 | # | |
815 | # single address | |
816 | # | |
817 | ||
818 | # basic use case | |
819 | log_start | |
820 | run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} & | |
821 | sleep 1 | |
822 | run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} | |
823 | log_test $? 0 "MD5: VRF: Single address config" | |
824 | ||
825 | # client sends MD5, server not configured | |
826 | log_start | |
827 | show_hint "Should timeout since server does not have MD5 auth" | |
828 | run_cmd nettest -s -d ${VRF} & | |
829 | sleep 1 | |
830 | run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} | |
831 | log_test $? 2 "MD5: VRF: Server no config, client uses password" | |
832 | ||
833 | # wrong password | |
834 | log_start | |
835 | show_hint "Should timeout since client uses wrong password" | |
836 | run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} & | |
837 | sleep 1 | |
838 | run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW} | |
839 | log_test $? 2 "MD5: VRF: Client uses wrong password" | |
840 | ||
841 | # client from different address | |
842 | log_start | |
843 | show_hint "Should timeout since server config differs from client" | |
844 | run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_LO_IP} & | |
845 | sleep 1 | |
846 | run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} | |
847 | log_test $? 2 "MD5: VRF: Client address does not match address configured with password" | |
848 | ||
849 | # | |
850 | # MD5 extension - prefix length | |
851 | # | |
852 | ||
853 | # client in prefix | |
854 | log_start | |
855 | run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} & | |
856 | sleep 1 | |
857 | run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} | |
858 | log_test $? 0 "MD5: VRF: Prefix config" | |
859 | ||
860 | # client in prefix, wrong password | |
861 | log_start | |
862 | show_hint "Should timeout since client uses wrong password" | |
863 | run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} & | |
864 | sleep 1 | |
865 | run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW} | |
866 | log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" | |
867 | ||
868 | # client outside of prefix | |
869 | log_start | |
870 | show_hint "Should timeout since client address is outside of prefix" | |
871 | run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} & | |
872 | sleep 1 | |
873 | run_cmd_nsb nettest -l ${NSB_LO_IP} -r ${NSA_IP} -M ${MD5_PW} | |
874 | log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" | |
875 | ||
876 | # | |
877 | # duplicate config between default VRF and a VRF | |
878 | # | |
879 | ||
880 | log_start | |
881 | run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} & | |
882 | run_cmd nettest -s -M ${MD5_WRONG_PW} -r ${NSB_IP} & | |
883 | sleep 1 | |
884 | run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} | |
885 | log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" | |
886 | ||
887 | log_start | |
888 | run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} & | |
889 | run_cmd nettest -s -M ${MD5_WRONG_PW} -r ${NSB_IP} & | |
890 | sleep 1 | |
891 | run_cmd_nsc nettest -r ${NSA_IP} -M ${MD5_WRONG_PW} | |
892 | log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" | |
893 | ||
894 | log_start | |
895 | show_hint "Should timeout since client in default VRF uses VRF password" | |
896 | run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} & | |
897 | run_cmd nettest -s -M ${MD5_WRONG_PW} -r ${NSB_IP} & | |
898 | sleep 1 | |
899 | run_cmd_nsc nettest -r ${NSA_IP} -M ${MD5_PW} | |
900 | log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" | |
901 | ||
902 | log_start | |
903 | show_hint "Should timeout since client in VRF uses default VRF password" | |
904 | run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} & | |
905 | run_cmd nettest -s -M ${MD5_WRONG_PW} -r ${NSB_IP} & | |
906 | sleep 1 | |
907 | run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW} | |
908 | log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" | |
909 | ||
910 | log_start | |
911 | run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} & | |
912 | run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & | |
913 | sleep 1 | |
914 | run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW} | |
915 | log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" | |
916 | ||
917 | log_start | |
918 | run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} & | |
919 | run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & | |
920 | sleep 1 | |
921 | run_cmd_nsc nettest -r ${NSA_IP} -M ${MD5_WRONG_PW} | |
922 | log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" | |
923 | ||
924 | log_start | |
925 | show_hint "Should timeout since client in default VRF uses VRF password" | |
926 | run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} & | |
927 | run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & | |
928 | sleep 1 | |
929 | run_cmd_nsc nettest -r ${NSA_IP} -M ${MD5_PW} | |
930 | log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" | |
931 | ||
932 | log_start | |
933 | show_hint "Should timeout since client in VRF uses default VRF password" | |
934 | run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} & | |
935 | run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} & | |
936 | sleep 1 | |
937 | run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW} | |
938 | log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" | |
939 | ||
940 | # | |
941 | # negative tests | |
942 | # | |
943 | log_start | |
944 | run_cmd nettest -s -d ${NSA_DEV} -M ${MD5_PW} -r ${NSB_IP} | |
945 | log_test $? 1 "MD5: VRF: Device must be a VRF - single address" | |
946 | ||
947 | log_start | |
948 | run_cmd nettest -s -d ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET} | |
949 | log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" | |
950 | ||
951 | } | |
952 | ||
bbd7c764 DA |
953 | ipv4_tcp_novrf() |
954 | { | |
955 | local a | |
956 | ||
957 | # | |
958 | # server tests | |
959 | # | |
960 | for a in ${NSA_IP} ${NSA_LO_IP} | |
961 | do | |
962 | log_start | |
963 | run_cmd nettest -s & | |
964 | sleep 1 | |
965 | run_cmd_nsb nettest -r ${a} | |
966 | log_test_addr ${a} $? 0 "Global server" | |
967 | done | |
968 | ||
969 | a=${NSA_IP} | |
970 | log_start | |
971 | run_cmd nettest -s -d ${NSA_DEV} & | |
972 | sleep 1 | |
973 | run_cmd_nsb nettest -r ${a} | |
974 | log_test_addr ${a} $? 0 "Device server" | |
975 | ||
976 | # verify TCP reset sent and received | |
977 | for a in ${NSA_IP} ${NSA_LO_IP} | |
978 | do | |
979 | log_start | |
980 | show_hint "Should fail 'Connection refused' since there is no server" | |
981 | run_cmd_nsb nettest -r ${a} | |
982 | log_test_addr ${a} $? 1 "No server" | |
983 | done | |
984 | ||
985 | # | |
986 | # client | |
987 | # | |
988 | for a in ${NSB_IP} ${NSB_LO_IP} | |
989 | do | |
990 | log_start | |
991 | run_cmd_nsb nettest -s & | |
992 | sleep 1 | |
993 | run_cmd nettest -r ${a} -0 ${NSA_IP} | |
994 | log_test_addr ${a} $? 0 "Client" | |
995 | ||
996 | log_start | |
997 | run_cmd_nsb nettest -s & | |
998 | sleep 1 | |
999 | run_cmd nettest -r ${a} -d ${NSA_DEV} | |
1000 | log_test_addr ${a} $? 0 "Client, device bind" | |
1001 | ||
1002 | log_start | |
1003 | show_hint "Should fail 'Connection refused'" | |
1004 | run_cmd nettest -r ${a} | |
1005 | log_test_addr ${a} $? 1 "No server, unbound client" | |
1006 | ||
1007 | log_start | |
1008 | show_hint "Should fail 'Connection refused'" | |
1009 | run_cmd nettest -r ${a} -d ${NSA_DEV} | |
1010 | log_test_addr ${a} $? 1 "No server, device client" | |
1011 | done | |
1012 | ||
1013 | # | |
1014 | # local address tests | |
1015 | # | |
1016 | for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 | |
1017 | do | |
1018 | log_start | |
1019 | run_cmd nettest -s & | |
1020 | sleep 1 | |
1021 | run_cmd nettest -r ${a} -0 ${a} -1 ${a} | |
1022 | log_test_addr ${a} $? 0 "Global server, local connection" | |
1023 | done | |
1024 | ||
1025 | a=${NSA_IP} | |
1026 | log_start | |
1027 | run_cmd nettest -s -d ${NSA_DEV} & | |
1028 | sleep 1 | |
1029 | run_cmd nettest -r ${a} -0 ${a} | |
1030 | log_test_addr ${a} $? 0 "Device server, unbound client, local connection" | |
1031 | ||
1032 | for a in ${NSA_LO_IP} 127.0.0.1 | |
1033 | do | |
1034 | log_start | |
1035 | show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" | |
1036 | run_cmd nettest -s -d ${NSA_DEV} & | |
1037 | sleep 1 | |
1038 | run_cmd nettest -r ${a} | |
1039 | log_test_addr ${a} $? 1 "Device server, unbound client, local connection" | |
1040 | done | |
1041 | ||
1042 | a=${NSA_IP} | |
1043 | log_start | |
1044 | run_cmd nettest -s & | |
1045 | sleep 1 | |
1046 | run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV} | |
1047 | log_test_addr ${a} $? 0 "Global server, device client, local connection" | |
1048 | ||
1049 | for a in ${NSA_LO_IP} 127.0.0.1 | |
1050 | do | |
1051 | log_start | |
1052 | show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" | |
1053 | run_cmd nettest -s & | |
1054 | sleep 1 | |
1055 | run_cmd nettest -r ${a} -d ${NSA_DEV} | |
1056 | log_test_addr ${a} $? 1 "Global server, device client, local connection" | |
1057 | done | |
1058 | ||
1059 | a=${NSA_IP} | |
1060 | log_start | |
1061 | run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} & | |
1062 | sleep 1 | |
1063 | run_cmd nettest -d ${NSA_DEV} -r ${a} -0 ${a} | |
1064 | log_test_addr ${a} $? 0 "Device server, device client, local connection" | |
1065 | ||
1066 | log_start | |
1067 | show_hint "Should fail 'Connection refused'" | |
1068 | run_cmd nettest -d ${NSA_DEV} -r ${a} | |
1069 | log_test_addr ${a} $? 1 "No server, device client, local conn" | |
f0bee1eb DA |
1070 | |
1071 | ipv4_tcp_md5_novrf | |
bbd7c764 DA |
1072 | } |
1073 | ||
1074 | ipv4_tcp_vrf() | |
1075 | { | |
1076 | local a | |
1077 | ||
1078 | # disable global server | |
1079 | log_subsection "Global server disabled" | |
1080 | ||
1081 | set_sysctl net.ipv4.tcp_l3mdev_accept=0 | |
1082 | ||
1083 | # | |
1084 | # server tests | |
1085 | # | |
1086 | for a in ${NSA_IP} ${VRF_IP} | |
1087 | do | |
1088 | log_start | |
1089 | show_hint "Should fail 'Connection refused' since global server with VRF is disabled" | |
1090 | run_cmd nettest -s & | |
1091 | sleep 1 | |
1092 | run_cmd_nsb nettest -r ${a} | |
1093 | log_test_addr ${a} $? 1 "Global server" | |
1094 | ||
1095 | log_start | |
1096 | run_cmd nettest -s -d ${VRF} -2 ${VRF} & | |
1097 | sleep 1 | |
1098 | run_cmd_nsb nettest -r ${a} | |
1099 | log_test_addr ${a} $? 0 "VRF server" | |
1100 | ||
1101 | log_start | |
1102 | run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} & | |
1103 | sleep 1 | |
1104 | run_cmd_nsb nettest -r ${a} | |
1105 | log_test_addr ${a} $? 0 "Device server" | |
1106 | ||
1107 | # verify TCP reset received | |
1108 | log_start | |
1109 | show_hint "Should fail 'Connection refused' since there is no server" | |
1110 | run_cmd_nsb nettest -r ${a} | |
1111 | log_test_addr ${a} $? 1 "No server" | |
1112 | done | |
1113 | ||
1114 | # local address tests | |
1115 | # (${VRF_IP} and 127.0.0.1 both timeout) | |
1116 | a=${NSA_IP} | |
1117 | log_start | |
1118 | show_hint "Should fail 'Connection refused' since global server with VRF is disabled" | |
1119 | run_cmd nettest -s & | |
1120 | sleep 1 | |
1121 | run_cmd nettest -r ${a} -d ${NSA_DEV} | |
1122 | log_test_addr ${a} $? 1 "Global server, local connection" | |
1123 | ||
5cad8bce DA |
1124 | # run MD5 tests |
1125 | ipv4_tcp_md5 | |
1126 | ||
bbd7c764 DA |
1127 | # |
1128 | # enable VRF global server | |
1129 | # | |
1130 | log_subsection "VRF Global server enabled" | |
1131 | set_sysctl net.ipv4.tcp_l3mdev_accept=1 | |
1132 | ||
1133 | for a in ${NSA_IP} ${VRF_IP} | |
1134 | do | |
1135 | log_start | |
1136 | show_hint "client socket should be bound to VRF" | |
1137 | run_cmd nettest -s -2 ${VRF} & | |
1138 | sleep 1 | |
1139 | run_cmd_nsb nettest -r ${a} | |
1140 | log_test_addr ${a} $? 0 "Global server" | |
1141 | ||
1142 | log_start | |
1143 | show_hint "client socket should be bound to VRF" | |
1144 | run_cmd nettest -s -d ${VRF} -2 ${VRF} & | |
1145 | sleep 1 | |
1146 | run_cmd_nsb nettest -r ${a} | |
1147 | log_test_addr ${a} $? 0 "VRF server" | |
1148 | ||
1149 | # verify TCP reset received | |
1150 | log_start | |
1151 | show_hint "Should fail 'Connection refused'" | |
1152 | run_cmd_nsb nettest -r ${a} | |
1153 | log_test_addr ${a} $? 1 "No server" | |
1154 | done | |
1155 | ||
1156 | a=${NSA_IP} | |
1157 | log_start | |
1158 | show_hint "client socket should be bound to device" | |
1159 | run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} & | |
1160 | sleep 1 | |
1161 | run_cmd_nsb nettest -r ${a} | |
1162 | log_test_addr ${a} $? 0 "Device server" | |
1163 | ||
1164 | # local address tests | |
1165 | for a in ${NSA_IP} ${VRF_IP} | |
1166 | do | |
1167 | log_start | |
1168 | show_hint "Should fail 'No route to host' since client is not bound to VRF" | |
1169 | run_cmd nettest -s -2 ${VRF} & | |
1170 | sleep 1 | |
1171 | run_cmd nettest -r ${a} | |
1172 | log_test_addr ${a} $? 1 "Global server, local connection" | |
1173 | done | |
1174 | ||
1175 | # | |
1176 | # client | |
1177 | # | |
1178 | for a in ${NSB_IP} ${NSB_LO_IP} | |
1179 | do | |
1180 | log_start | |
1181 | run_cmd_nsb nettest -s & | |
1182 | sleep 1 | |
1183 | run_cmd nettest -r ${a} -d ${VRF} | |
1184 | log_test_addr ${a} $? 0 "Client, VRF bind" | |
1185 | ||
1186 | log_start | |
1187 | run_cmd_nsb nettest -s & | |
1188 | sleep 1 | |
1189 | run_cmd nettest -r ${a} -d ${NSA_DEV} | |
1190 | log_test_addr ${a} $? 0 "Client, device bind" | |
1191 | ||
1192 | log_start | |
1193 | show_hint "Should fail 'Connection refused'" | |
1194 | run_cmd nettest -r ${a} -d ${VRF} | |
1195 | log_test_addr ${a} $? 1 "No server, VRF client" | |
1196 | ||
1197 | log_start | |
1198 | show_hint "Should fail 'Connection refused'" | |
1199 | run_cmd nettest -r ${a} -d ${NSA_DEV} | |
1200 | log_test_addr ${a} $? 1 "No server, device client" | |
1201 | done | |
1202 | ||
1203 | for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 | |
1204 | do | |
1205 | log_start | |
1206 | run_cmd nettest -s -d ${VRF} -2 ${VRF} & | |
1207 | sleep 1 | |
1208 | run_cmd nettest -r ${a} -d ${VRF} -0 ${a} | |
1209 | log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" | |
1210 | done | |
1211 | ||
1212 | a=${NSA_IP} | |
1213 | log_start | |
1214 | run_cmd nettest -s -d ${VRF} -2 ${VRF} & | |
1215 | sleep 1 | |
1216 | run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a} | |
1217 | log_test_addr ${a} $? 0 "VRF server, device client, local connection" | |
1218 | ||
1219 | log_start | |
1220 | show_hint "Should fail 'No route to host' since client is out of VRF scope" | |
1221 | run_cmd nettest -s -d ${VRF} & | |
1222 | sleep 1 | |
1223 | run_cmd nettest -r ${a} | |
1224 | log_test_addr ${a} $? 1 "VRF server, unbound client, local connection" | |
1225 | ||
1226 | log_start | |
1227 | run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} & | |
1228 | sleep 1 | |
1229 | run_cmd nettest -r ${a} -d ${VRF} -0 ${a} | |
1230 | log_test_addr ${a} $? 0 "Device server, VRF client, local connection" | |
1231 | ||
1232 | log_start | |
1233 | run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} & | |
1234 | sleep 1 | |
1235 | run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a} | |
1236 | log_test_addr ${a} $? 0 "Device server, device client, local connection" | |
1237 | } | |
1238 | ||
1239 | ipv4_tcp() | |
1240 | { | |
1241 | log_section "IPv4/TCP" | |
bbd7c764 DA |
1242 | log_subsection "No VRF" |
1243 | setup | |
1244 | ||
1245 | # tcp_l3mdev_accept should have no affect without VRF; | |
1246 | # run tests with it enabled and disabled to verify | |
1247 | log_subsection "tcp_l3mdev_accept disabled" | |
1248 | set_sysctl net.ipv4.tcp_l3mdev_accept=0 | |
1249 | ipv4_tcp_novrf | |
1250 | log_subsection "tcp_l3mdev_accept enabled" | |
1251 | set_sysctl net.ipv4.tcp_l3mdev_accept=1 | |
1252 | ipv4_tcp_novrf | |
1253 | ||
1254 | log_subsection "With VRF" | |
1255 | setup "yes" | |
1256 | ipv4_tcp_vrf | |
1257 | } | |
1258 | ||
a4368be9 DA |
1259 | ################################################################################ |
1260 | # IPv4 UDP | |
1261 | ||
1262 | ipv4_udp_novrf() | |
1263 | { | |
1264 | local a | |
1265 | ||
1266 | # | |
1267 | # server tests | |
1268 | # | |
1269 | for a in ${NSA_IP} ${NSA_LO_IP} | |
1270 | do | |
1271 | log_start | |
1272 | run_cmd nettest -D -s -2 ${NSA_DEV} & | |
1273 | sleep 1 | |
1274 | run_cmd_nsb nettest -D -r ${a} | |
1275 | log_test_addr ${a} $? 0 "Global server" | |
1276 | ||
1277 | log_start | |
1278 | show_hint "Should fail 'Connection refused' since there is no server" | |
1279 | run_cmd_nsb nettest -D -r ${a} | |
1280 | log_test_addr ${a} $? 1 "No server" | |
1281 | done | |
1282 | ||
1283 | a=${NSA_IP} | |
1284 | log_start | |
1285 | run_cmd nettest -D -d ${NSA_DEV} -s -2 ${NSA_DEV} & | |
1286 | sleep 1 | |
1287 | run_cmd_nsb nettest -D -r ${a} | |
1288 | log_test_addr ${a} $? 0 "Device server" | |
1289 | ||
1290 | # | |
1291 | # client | |
1292 | # | |
1293 | for a in ${NSB_IP} ${NSB_LO_IP} | |
1294 | do | |
1295 | log_start | |
1296 | run_cmd_nsb nettest -D -s & | |
1297 | sleep 1 | |
1298 | run_cmd nettest -D -r ${a} -0 ${NSA_IP} | |
1299 | log_test_addr ${a} $? 0 "Client" | |
1300 | ||
1301 | log_start | |
1302 | run_cmd_nsb nettest -D -s & | |
1303 | sleep 1 | |
1304 | run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP} | |
1305 | log_test_addr ${a} $? 0 "Client, device bind" | |
1306 | ||
1307 | log_start | |
1308 | run_cmd_nsb nettest -D -s & | |
1309 | sleep 1 | |
1310 | run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP} | |
1311 | log_test_addr ${a} $? 0 "Client, device send via cmsg" | |
1312 | ||
1313 | log_start | |
1314 | run_cmd_nsb nettest -D -s & | |
1315 | sleep 1 | |
1316 | run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} | |
1317 | log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF" | |
1318 | ||
1319 | log_start | |
1320 | show_hint "Should fail 'Connection refused'" | |
1321 | run_cmd nettest -D -r ${a} | |
1322 | log_test_addr ${a} $? 1 "No server, unbound client" | |
1323 | ||
1324 | log_start | |
1325 | show_hint "Should fail 'Connection refused'" | |
1326 | run_cmd nettest -D -r ${a} -d ${NSA_DEV} | |
1327 | log_test_addr ${a} $? 1 "No server, device client" | |
1328 | done | |
1329 | ||
1330 | # | |
1331 | # local address tests | |
1332 | # | |
1333 | for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1 | |
1334 | do | |
1335 | log_start | |
1336 | run_cmd nettest -D -s & | |
1337 | sleep 1 | |
1338 | run_cmd nettest -D -r ${a} -0 ${a} -1 ${a} | |
1339 | log_test_addr ${a} $? 0 "Global server, local connection" | |
1340 | done | |
1341 | ||
1342 | a=${NSA_IP} | |
1343 | log_start | |
1344 | run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} & | |
1345 | sleep 1 | |
1346 | run_cmd nettest -D -r ${a} | |
1347 | log_test_addr ${a} $? 0 "Device server, unbound client, local connection" | |
1348 | ||
1349 | for a in ${NSA_LO_IP} 127.0.0.1 | |
1350 | do | |
1351 | log_start | |
1352 | show_hint "Should fail 'Connection refused' since address is out of device scope" | |
1353 | run_cmd nettest -s -D -d ${NSA_DEV} & | |
1354 | sleep 1 | |
1355 | run_cmd nettest -D -r ${a} | |
1356 | log_test_addr ${a} $? 1 "Device server, unbound client, local connection" | |
1357 | done | |
1358 | ||
1359 | a=${NSA_IP} | |
1360 | log_start | |
1361 | run_cmd nettest -s -D & | |
1362 | sleep 1 | |
1363 | run_cmd nettest -D -d ${NSA_DEV} -r ${a} | |
1364 | log_test_addr ${a} $? 0 "Global server, device client, local connection" | |
1365 | ||
1366 | log_start | |
1367 | run_cmd nettest -s -D & | |
1368 | sleep 1 | |
1369 | run_cmd nettest -D -d ${NSA_DEV} -C -r ${a} | |
1370 | log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" | |
1371 | ||
1372 | log_start | |
1373 | run_cmd nettest -s -D & | |
1374 | sleep 1 | |
1375 | run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} | |
1376 | log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection" | |
1377 | ||
1378 | # IPv4 with device bind has really weird behavior - it overrides the | |
1379 | # fib lookup, generates an rtable and tries to send the packet. This | |
1380 | # causes failures for local traffic at different places | |
1381 | for a in ${NSA_LO_IP} 127.0.0.1 | |
1382 | do | |
1383 | log_start | |
1384 | show_hint "Should fail since addresses on loopback are out of device scope" | |
1385 | run_cmd nettest -D -s & | |
1386 | sleep 1 | |
1387 | run_cmd nettest -D -r ${a} -d ${NSA_DEV} | |
1388 | log_test_addr ${a} $? 2 "Global server, device client, local connection" | |
1389 | ||
1390 | log_start | |
1391 | show_hint "Should fail since addresses on loopback are out of device scope" | |
1392 | run_cmd nettest -D -s & | |
1393 | sleep 1 | |
1394 | run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C | |
1395 | log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" | |
1396 | ||
1397 | log_start | |
1398 | show_hint "Should fail since addresses on loopback are out of device scope" | |
1399 | run_cmd nettest -D -s & | |
1400 | sleep 1 | |
1401 | run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S | |
1402 | log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" | |
1403 | done | |
1404 | ||
1405 | a=${NSA_IP} | |
1406 | log_start | |
1407 | run_cmd nettest -D -s -d ${NSA_DEV} -2 ${NSA_DEV} & | |
1408 | sleep 1 | |
1409 | run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a} | |
1410 | log_test_addr ${a} $? 0 "Device server, device client, local conn" | |
1411 | ||
1412 | log_start | |
1413 | run_cmd nettest -D -d ${NSA_DEV} -r ${a} | |
1414 | log_test_addr ${a} $? 2 "No server, device client, local conn" | |
1415 | } | |
1416 | ||
1417 | ipv4_udp_vrf() | |
1418 | { | |
1419 | local a | |
1420 | ||
1421 | # disable global server | |
1422 | log_subsection "Global server disabled" | |
1423 | set_sysctl net.ipv4.udp_l3mdev_accept=0 | |
1424 | ||
1425 | # | |
1426 | # server tests | |
1427 | # | |
1428 | for a in ${NSA_IP} ${VRF_IP} | |
1429 | do | |
1430 | log_start | |
1431 | show_hint "Fails because ingress is in a VRF and global server is disabled" | |
1432 | run_cmd nettest -D -s & | |
1433 | sleep 1 | |
1434 | run_cmd_nsb nettest -D -r ${a} | |
1435 | log_test_addr ${a} $? 1 "Global server" | |
1436 | ||
1437 | log_start | |
1438 | run_cmd nettest -D -d ${VRF} -s -2 ${NSA_DEV} & | |
1439 | sleep 1 | |
1440 | run_cmd_nsb nettest -D -r ${a} | |
1441 | log_test_addr ${a} $? 0 "VRF server" | |
1442 | ||
1443 | log_start | |
1444 | run_cmd nettest -D -d ${NSA_DEV} -s -2 ${NSA_DEV} & | |
1445 | sleep 1 | |
1446 | run_cmd_nsb nettest -D -r ${a} | |
1447 | log_test_addr ${a} $? 0 "Enslaved device server" | |
1448 | ||
1449 | log_start | |
1450 | show_hint "Should fail 'Connection refused' since there is no server" | |
1451 | run_cmd_nsb nettest -D -r ${a} | |
1452 | log_test_addr ${a} $? 1 "No server" | |
1453 | ||
1454 | log_start | |
1455 | show_hint "Should fail 'Connection refused' since global server is out of scope" | |
1456 | run_cmd nettest -D -s & | |
1457 | sleep 1 | |
1458 | run_cmd nettest -D -d ${VRF} -r ${a} | |
1459 | log_test_addr ${a} $? 1 "Global server, VRF client, local connection" | |
1460 | done | |
1461 | ||
1462 | a=${NSA_IP} | |
1463 | log_start | |
1464 | run_cmd nettest -s -D -d ${VRF} -2 ${NSA_DEV} & | |
1465 | sleep 1 | |
1466 | run_cmd nettest -D -d ${VRF} -r ${a} | |
1467 | log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" | |
1468 | ||
1469 | log_start | |
1470 | run_cmd nettest -s -D -d ${VRF} -2 ${NSA_DEV} & | |
1471 | sleep 1 | |
1472 | run_cmd nettest -D -d ${NSA_DEV} -r ${a} | |
1473 | log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection" | |
1474 | ||
1475 | a=${NSA_IP} | |
1476 | log_start | |
1477 | run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} & | |
1478 | sleep 1 | |
1479 | run_cmd nettest -D -d ${VRF} -r ${a} | |
1480 | log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" | |
1481 | ||
1482 | log_start | |
1483 | run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} & | |
1484 | sleep 1 | |
1485 | run_cmd nettest -D -d ${NSA_DEV} -r ${a} | |
1486 | log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" | |
1487 | ||
1488 | # enable global server | |
1489 | log_subsection "Global server enabled" | |
1490 | set_sysctl net.ipv4.udp_l3mdev_accept=1 | |
1491 | ||
1492 | # | |
1493 | # server tests | |
1494 | # | |
1495 | for a in ${NSA_IP} ${VRF_IP} | |
1496 | do | |
1497 | log_start | |
1498 | run_cmd nettest -D -s -2 ${NSA_DEV} & | |
1499 | sleep 1 | |
1500 | run_cmd_nsb nettest -D -r ${a} | |
1501 | log_test_addr ${a} $? 0 "Global server" | |
1502 | ||
1503 | log_start | |
1504 | run_cmd nettest -D -d ${VRF} -s -2 ${NSA_DEV} & | |
1505 | sleep 1 | |
1506 | run_cmd_nsb nettest -D -r ${a} | |
1507 | log_test_addr ${a} $? 0 "VRF server" | |
1508 | ||
1509 | log_start | |
1510 | run_cmd nettest -D -d ${NSA_DEV} -s -2 ${NSA_DEV} & | |
1511 | sleep 1 | |
1512 | run_cmd_nsb nettest -D -r ${a} | |
1513 | log_test_addr ${a} $? 0 "Enslaved device server" | |
1514 | ||
1515 | log_start | |
1516 | show_hint "Should fail 'Connection refused'" | |
1517 | run_cmd_nsb nettest -D -r ${a} | |
1518 | log_test_addr ${a} $? 1 "No server" | |
1519 | done | |
1520 | ||
1521 | # | |
1522 | # client tests | |
1523 | # | |
1524 | log_start | |
1525 | run_cmd_nsb nettest -D -s & | |
1526 | sleep 1 | |
1527 | run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP} | |
1528 | log_test $? 0 "VRF client" | |
1529 | ||
1530 | log_start | |
1531 | run_cmd_nsb nettest -D -s & | |
1532 | sleep 1 | |
1533 | run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP} | |
1534 | log_test $? 0 "Enslaved device client" | |
1535 | ||
1536 | # negative test - should fail | |
1537 | log_start | |
1538 | show_hint "Should fail 'Connection refused'" | |
1539 | run_cmd nettest -D -d ${VRF} -r ${NSB_IP} | |
1540 | log_test $? 1 "No server, VRF client" | |
1541 | ||
1542 | log_start | |
1543 | show_hint "Should fail 'Connection refused'" | |
1544 | run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP} | |
1545 | log_test $? 1 "No server, enslaved device client" | |
1546 | ||
1547 | # | |
1548 | # local address tests | |
1549 | # | |
1550 | a=${NSA_IP} | |
1551 | log_start | |
1552 | run_cmd nettest -D -s -2 ${NSA_DEV} & | |
1553 | sleep 1 | |
1554 | run_cmd nettest -D -d ${VRF} -r ${a} | |
1555 | log_test_addr ${a} $? 0 "Global server, VRF client, local conn" | |
1556 | ||
1557 | log_start | |
1558 | run_cmd nettest -s -D -d ${VRF} -2 ${NSA_DEV} & | |
1559 | sleep 1 | |
1560 | run_cmd nettest -D -d ${VRF} -r ${a} | |
1561 | log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" | |
1562 | ||
1563 | log_start | |
1564 | run_cmd nettest -s -D -d ${VRF} -2 ${NSA_DEV} & | |
1565 | sleep 1 | |
1566 | run_cmd nettest -D -d ${NSA_DEV} -r ${a} | |
1567 | log_test_addr ${a} $? 0 "VRF server, device client, local conn" | |
1568 | ||
1569 | log_start | |
1570 | run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} & | |
1571 | sleep 1 | |
1572 | run_cmd nettest -D -d ${VRF} -r ${a} | |
1573 | log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" | |
1574 | ||
1575 | log_start | |
1576 | run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} & | |
1577 | sleep 1 | |
1578 | run_cmd nettest -D -d ${NSA_DEV} -r ${a} | |
1579 | log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" | |
1580 | ||
1581 | for a in ${VRF_IP} 127.0.0.1 | |
1582 | do | |
1583 | log_start | |
1584 | run_cmd nettest -D -s -2 ${VRF} & | |
1585 | sleep 1 | |
1586 | run_cmd nettest -D -d ${VRF} -r ${a} | |
1587 | log_test_addr ${a} $? 0 "Global server, VRF client, local conn" | |
1588 | done | |
1589 | ||
1590 | for a in ${VRF_IP} 127.0.0.1 | |
1591 | do | |
1592 | log_start | |
1593 | run_cmd nettest -s -D -d ${VRF} -2 ${VRF} & | |
1594 | sleep 1 | |
1595 | run_cmd nettest -D -d ${VRF} -r ${a} | |
1596 | log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" | |
1597 | done | |
1598 | ||
1599 | # negative test - should fail | |
1600 | # verifies ECONNREFUSED | |
1601 | for a in ${NSA_IP} ${VRF_IP} 127.0.0.1 | |
1602 | do | |
1603 | log_start | |
1604 | show_hint "Should fail 'Connection refused'" | |
1605 | run_cmd nettest -D -d ${VRF} -r ${a} | |
1606 | log_test_addr ${a} $? 1 "No server, VRF client, local conn" | |
1607 | done | |
1608 | } | |
1609 | ||
1610 | ipv4_udp() | |
1611 | { | |
a4368be9 DA |
1612 | log_section "IPv4/UDP" |
1613 | log_subsection "No VRF" | |
1614 | ||
1615 | setup | |
1616 | ||
1617 | # udp_l3mdev_accept should have no affect without VRF; | |
1618 | # run tests with it enabled and disabled to verify | |
1619 | log_subsection "udp_l3mdev_accept disabled" | |
1620 | set_sysctl net.ipv4.udp_l3mdev_accept=0 | |
1621 | ipv4_udp_novrf | |
1622 | log_subsection "udp_l3mdev_accept enabled" | |
1623 | set_sysctl net.ipv4.udp_l3mdev_accept=1 | |
1624 | ipv4_udp_novrf | |
1625 | ||
1626 | log_subsection "With VRF" | |
1627 | setup "yes" | |
1628 | ipv4_udp_vrf | |
1629 | } | |
1630 | ||
75b2b2b3 DA |
1631 | ################################################################################ |
1632 | # IPv4 address bind | |
1633 | # | |
1634 | # verifies ability or inability to bind to an address / device | |
1635 | ||
1636 | ipv4_addr_bind_novrf() | |
1637 | { | |
1638 | # | |
1639 | # raw socket | |
1640 | # | |
1641 | for a in ${NSA_IP} ${NSA_LO_IP} | |
1642 | do | |
1643 | log_start | |
1644 | run_cmd nettest -s -R -P icmp -l ${a} -b | |
1645 | log_test_addr ${a} $? 0 "Raw socket bind to local address" | |
1646 | ||
1647 | log_start | |
1648 | run_cmd nettest -s -R -P icmp -l ${a} -d ${NSA_DEV} -b | |
1649 | log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" | |
1650 | done | |
1651 | ||
1652 | # | |
1653 | # tcp sockets | |
1654 | # | |
1655 | a=${NSA_IP} | |
1656 | log_start | |
1657 | run_cmd nettest -l ${a} -r ${NSB_IP} -t1 -b | |
1658 | log_test_addr ${a} $? 0 "TCP socket bind to local address" | |
1659 | ||
1660 | log_start | |
1661 | run_cmd nettest -l ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b | |
1662 | log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind" | |
1663 | ||
1664 | # Sadly, the kernel allows binding a socket to a device and then | |
1665 | # binding to an address not on the device. The only restriction | |
1666 | # is that the address is valid in the L3 domain. So this test | |
1667 | # passes when it really should not | |
1668 | #a=${NSA_LO_IP} | |
1669 | #log_start | |
1670 | #show_hint "Should fail with 'Cannot assign requested address'" | |
1671 | #run_cmd nettest -s -l ${a} -d ${NSA_DEV} -t1 -b | |
1672 | #log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address" | |
1673 | } | |
1674 | ||
1675 | ipv4_addr_bind_vrf() | |
1676 | { | |
1677 | # | |
1678 | # raw socket | |
1679 | # | |
1680 | for a in ${NSA_IP} ${VRF_IP} | |
1681 | do | |
1682 | log_start | |
1683 | run_cmd nettest -s -R -P icmp -l ${a} -b | |
1684 | log_test_addr ${a} $? 0 "Raw socket bind to local address" | |
1685 | ||
1686 | log_start | |
1687 | run_cmd nettest -s -R -P icmp -l ${a} -d ${NSA_DEV} -b | |
1688 | log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" | |
1689 | log_start | |
1690 | run_cmd nettest -s -R -P icmp -l ${a} -d ${VRF} -b | |
1691 | log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind" | |
1692 | done | |
1693 | ||
1694 | a=${NSA_LO_IP} | |
1695 | log_start | |
1696 | show_hint "Address on loopback is out of VRF scope" | |
1697 | run_cmd nettest -s -R -P icmp -l ${a} -d ${VRF} -b | |
1698 | log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind" | |
1699 | ||
1700 | # | |
1701 | # tcp sockets | |
1702 | # | |
1703 | for a in ${NSA_IP} ${VRF_IP} | |
1704 | do | |
1705 | log_start | |
1706 | run_cmd nettest -s -l ${a} -d ${VRF} -t1 -b | |
1707 | log_test_addr ${a} $? 0 "TCP socket bind to local address" | |
1708 | ||
1709 | log_start | |
1710 | run_cmd nettest -s -l ${a} -d ${NSA_DEV} -t1 -b | |
1711 | log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind" | |
1712 | done | |
1713 | ||
1714 | a=${NSA_LO_IP} | |
1715 | log_start | |
1716 | show_hint "Address on loopback out of scope for VRF" | |
1717 | run_cmd nettest -s -l ${a} -d ${VRF} -t1 -b | |
1718 | log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF" | |
1719 | ||
1720 | log_start | |
1721 | show_hint "Address on loopback out of scope for device in VRF" | |
1722 | run_cmd nettest -s -l ${a} -d ${NSA_DEV} -t1 -b | |
1723 | log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind" | |
1724 | } | |
1725 | ||
1726 | ipv4_addr_bind() | |
1727 | { | |
1728 | log_section "IPv4 address binds" | |
1729 | ||
1730 | log_subsection "No VRF" | |
1731 | setup | |
1732 | ipv4_addr_bind_novrf | |
1733 | ||
1734 | log_subsection "With VRF" | |
1735 | setup "yes" | |
1736 | ipv4_addr_bind_vrf | |
1737 | } | |
1738 | ||
0113f726 DA |
1739 | ################################################################################ |
1740 | # IPv4 runtime tests | |
1741 | ||
1742 | ipv4_rt() | |
1743 | { | |
1744 | local desc="$1" | |
1745 | local varg="$2" | |
1746 | local with_vrf="yes" | |
1747 | local a | |
1748 | ||
1749 | # | |
1750 | # server tests | |
1751 | # | |
1752 | for a in ${NSA_IP} ${VRF_IP} | |
1753 | do | |
1754 | log_start | |
1755 | run_cmd nettest ${varg} -s & | |
1756 | sleep 1 | |
1757 | run_cmd_nsb nettest ${varg} -r ${a} & | |
1758 | sleep 3 | |
1759 | run_cmd ip link del ${VRF} | |
1760 | sleep 1 | |
1761 | log_test_addr ${a} 0 0 "${desc}, global server" | |
1762 | ||
1763 | setup ${with_vrf} | |
1764 | done | |
1765 | ||
1766 | for a in ${NSA_IP} ${VRF_IP} | |
1767 | do | |
1768 | log_start | |
1769 | run_cmd nettest ${varg} -s -d ${VRF} & | |
1770 | sleep 1 | |
1771 | run_cmd_nsb nettest ${varg} -r ${a} & | |
1772 | sleep 3 | |
1773 | run_cmd ip link del ${VRF} | |
1774 | sleep 1 | |
1775 | log_test_addr ${a} 0 0 "${desc}, VRF server" | |
1776 | ||
1777 | setup ${with_vrf} | |
1778 | done | |
1779 | ||
1780 | a=${NSA_IP} | |
1781 | log_start | |
1782 | run_cmd nettest ${varg} -s -d ${NSA_DEV} & | |
1783 | sleep 1 | |
1784 | run_cmd_nsb nettest ${varg} -r ${a} & | |
1785 | sleep 3 | |
1786 | run_cmd ip link del ${VRF} | |
1787 | sleep 1 | |
1788 | log_test_addr ${a} 0 0 "${desc}, enslaved device server" | |
1789 | ||
1790 | setup ${with_vrf} | |
1791 | ||
1792 | # | |
1793 | # client test | |
1794 | # | |
1795 | log_start | |
1796 | run_cmd_nsb nettest ${varg} -s & | |
1797 | sleep 1 | |
1798 | run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} & | |
1799 | sleep 3 | |
1800 | run_cmd ip link del ${VRF} | |
1801 | sleep 1 | |
1802 | log_test_addr ${a} 0 0 "${desc}, VRF client" | |
1803 | ||
1804 | setup ${with_vrf} | |
1805 | ||
1806 | log_start | |
1807 | run_cmd_nsb nettest ${varg} -s & | |
1808 | sleep 1 | |
1809 | run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} & | |
1810 | sleep 3 | |
1811 | run_cmd ip link del ${VRF} | |
1812 | sleep 1 | |
1813 | log_test_addr ${a} 0 0 "${desc}, enslaved device client" | |
1814 | ||
1815 | setup ${with_vrf} | |
1816 | ||
1817 | # | |
1818 | # local address tests | |
1819 | # | |
1820 | for a in ${NSA_IP} ${VRF_IP} | |
1821 | do | |
1822 | log_start | |
1823 | run_cmd nettest ${varg} -s & | |
1824 | sleep 1 | |
1825 | run_cmd nettest ${varg} -d ${VRF} -r ${a} & | |
1826 | sleep 3 | |
1827 | run_cmd ip link del ${VRF} | |
1828 | sleep 1 | |
1829 | log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local" | |
1830 | ||
1831 | setup ${with_vrf} | |
1832 | done | |
1833 | ||
1834 | for a in ${NSA_IP} ${VRF_IP} | |
1835 | do | |
1836 | log_start | |
1837 | run_cmd nettest ${varg} -d ${VRF} -s & | |
1838 | sleep 1 | |
1839 | run_cmd nettest ${varg} -d ${VRF} -r ${a} & | |
1840 | sleep 3 | |
1841 | run_cmd ip link del ${VRF} | |
1842 | sleep 1 | |
1843 | log_test_addr ${a} 0 0 "${desc}, VRF server and client, local" | |
1844 | ||
1845 | setup ${with_vrf} | |
1846 | done | |
1847 | ||
1848 | a=${NSA_IP} | |
1849 | log_start | |
1850 | run_cmd nettest ${varg} -s & | |
1851 | sleep 1 | |
1852 | run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & | |
1853 | sleep 3 | |
1854 | run_cmd ip link del ${VRF} | |
1855 | sleep 1 | |
1856 | log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local" | |
1857 | ||
1858 | setup ${with_vrf} | |
1859 | ||
1860 | log_start | |
1861 | run_cmd nettest ${varg} -d ${VRF} -s & | |
1862 | sleep 1 | |
1863 | run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & | |
1864 | sleep 3 | |
1865 | run_cmd ip link del ${VRF} | |
1866 | sleep 1 | |
1867 | log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local" | |
1868 | ||
1869 | setup ${with_vrf} | |
1870 | ||
1871 | log_start | |
1872 | run_cmd nettest ${varg} -d ${NSA_DEV} -s & | |
1873 | sleep 1 | |
1874 | run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & | |
1875 | sleep 3 | |
1876 | run_cmd ip link del ${VRF} | |
1877 | sleep 1 | |
1878 | log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local" | |
1879 | } | |
1880 | ||
1881 | ipv4_ping_rt() | |
1882 | { | |
1883 | local with_vrf="yes" | |
1884 | local a | |
1885 | ||
1886 | for a in ${NSA_IP} ${VRF_IP} | |
1887 | do | |
1888 | log_start | |
1889 | run_cmd_nsb ping -f ${a} & | |
1890 | sleep 3 | |
1891 | run_cmd ip link del ${VRF} | |
1892 | sleep 1 | |
1893 | log_test_addr ${a} 0 0 "Device delete with active traffic - ping in" | |
1894 | ||
1895 | setup ${with_vrf} | |
1896 | done | |
1897 | ||
1898 | a=${NSB_IP} | |
1899 | log_start | |
1900 | run_cmd ping -f -I ${VRF} ${a} & | |
1901 | sleep 3 | |
1902 | run_cmd ip link del ${VRF} | |
1903 | sleep 1 | |
1904 | log_test_addr ${a} 0 0 "Device delete with active traffic - ping out" | |
1905 | } | |
1906 | ||
1907 | ipv4_runtime() | |
1908 | { | |
1909 | log_section "Run time tests - ipv4" | |
1910 | ||
1911 | setup "yes" | |
1912 | ipv4_ping_rt | |
1913 | ||
1914 | setup "yes" | |
1915 | ipv4_rt "TCP active socket" "-n -1" | |
1916 | ||
1917 | setup "yes" | |
1918 | ipv4_rt "TCP passive socket" "-i" | |
1919 | } | |
1920 | ||
c0644e71 DA |
1921 | ################################################################################ |
1922 | # IPv6 | |
1923 | ||
1924 | ipv6_ping_novrf() | |
1925 | { | |
1926 | local a | |
1927 | ||
1928 | # should not have an impact, but make a known state | |
1929 | set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null | |
1930 | ||
1931 | # | |
1932 | # out | |
1933 | # | |
1934 | for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} | |
1935 | do | |
1936 | log_start | |
1937 | run_cmd ${ping6} -c1 -w1 ${a} | |
1938 | log_test_addr ${a} $? 0 "ping out" | |
1939 | done | |
1940 | ||
1941 | for a in ${NSB_IP6} ${NSB_LO_IP6} | |
1942 | do | |
1943 | log_start | |
1944 | run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} | |
1945 | log_test_addr ${a} $? 0 "ping out, device bind" | |
1946 | ||
1947 | log_start | |
1948 | run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a} | |
1949 | log_test_addr ${a} $? 0 "ping out, loopback address bind" | |
1950 | done | |
1951 | ||
1952 | # | |
1953 | # in | |
1954 | # | |
1955 | for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV} | |
1956 | do | |
1957 | log_start | |
1958 | run_cmd_nsb ${ping6} -c1 -w1 ${a} | |
1959 | log_test_addr ${a} $? 0 "ping in" | |
1960 | done | |
1961 | ||
1962 | # | |
1963 | # local traffic, local address | |
1964 | # | |
1965 | for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} | |
1966 | do | |
1967 | log_start | |
1968 | run_cmd ${ping6} -c1 -w1 ${a} | |
1969 | log_test_addr ${a} $? 0 "ping local, no bind" | |
1970 | done | |
1971 | ||
1972 | for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} | |
1973 | do | |
1974 | log_start | |
1975 | run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} | |
1976 | log_test_addr ${a} $? 0 "ping local, device bind" | |
1977 | done | |
1978 | ||
1979 | for a in ${NSA_LO_IP6} ::1 | |
1980 | do | |
1981 | log_start | |
1982 | show_hint "Fails since address on loopback is out of device scope" | |
1983 | run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} | |
1984 | log_test_addr ${a} $? 2 "ping local, device bind" | |
1985 | done | |
1986 | ||
1987 | # | |
1988 | # ip rule blocks address | |
1989 | # | |
1990 | log_start | |
1991 | setup_cmd ip -6 rule add pref 32765 from all lookup local | |
1992 | setup_cmd ip -6 rule del pref 0 from all lookup local | |
1993 | setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit | |
1994 | setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit | |
1995 | ||
1996 | a=${NSB_LO_IP6} | |
1997 | run_cmd ${ping6} -c1 -w1 ${a} | |
1998 | log_test_addr ${a} $? 2 "ping out, blocked by rule" | |
1999 | ||
2000 | log_start | |
2001 | run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} | |
2002 | log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" | |
2003 | ||
2004 | a=${NSA_LO_IP6} | |
2005 | log_start | |
2006 | show_hint "Response lost due to ip rule" | |
2007 | run_cmd_nsb ${ping6} -c1 -w1 ${a} | |
2008 | log_test_addr ${a} $? 1 "ping in, blocked by rule" | |
2009 | ||
2010 | setup_cmd ip -6 rule add pref 0 from all lookup local | |
2011 | setup_cmd ip -6 rule del pref 32765 from all lookup local | |
2012 | setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit | |
2013 | setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit | |
2014 | ||
2015 | # | |
2016 | # route blocks reachability to remote address | |
2017 | # | |
2018 | log_start | |
2019 | setup_cmd ip -6 route del ${NSB_LO_IP6} | |
2020 | setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10 | |
2021 | setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10 | |
2022 | ||
2023 | a=${NSB_LO_IP6} | |
2024 | run_cmd ${ping6} -c1 -w1 ${a} | |
2025 | log_test_addr ${a} $? 2 "ping out, blocked by route" | |
2026 | ||
2027 | log_start | |
2028 | run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} | |
2029 | log_test_addr ${a} $? 2 "ping out, device bind, blocked by route" | |
2030 | ||
2031 | a=${NSA_LO_IP6} | |
2032 | log_start | |
2033 | show_hint "Response lost due to ip route" | |
2034 | run_cmd_nsb ${ping6} -c1 -w1 ${a} | |
2035 | log_test_addr ${a} $? 1 "ping in, blocked by route" | |
2036 | ||
2037 | ||
2038 | # | |
2039 | # remove 'remote' routes; fallback to default | |
2040 | # | |
2041 | log_start | |
2042 | setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6} | |
2043 | setup_cmd ip -6 ro del unreachable ${NSB_IP6} | |
2044 | ||
2045 | a=${NSB_LO_IP6} | |
2046 | run_cmd ${ping6} -c1 -w1 ${a} | |
2047 | log_test_addr ${a} $? 2 "ping out, unreachable route" | |
2048 | ||
2049 | log_start | |
2050 | run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} | |
2051 | log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" | |
2052 | } | |
2053 | ||
2054 | ipv6_ping_vrf() | |
2055 | { | |
2056 | local a | |
2057 | ||
2058 | # should default on; does not exist on older kernels | |
2059 | set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null | |
2060 | ||
2061 | # | |
2062 | # out | |
2063 | # | |
2064 | for a in ${NSB_IP6} ${NSB_LO_IP6} | |
2065 | do | |
2066 | log_start | |
2067 | run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} | |
2068 | log_test_addr ${a} $? 0 "ping out, VRF bind" | |
2069 | done | |
2070 | ||
2071 | for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF} | |
2072 | do | |
2073 | log_start | |
2074 | show_hint "Fails since VRF device does not support linklocal or multicast" | |
2075 | run_cmd ${ping6} -c1 -w1 ${a} | |
2076 | log_test_addr ${a} $? 2 "ping out, VRF bind" | |
2077 | done | |
2078 | ||
2079 | for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} | |
2080 | do | |
2081 | log_start | |
2082 | run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} | |
2083 | log_test_addr ${a} $? 0 "ping out, device bind" | |
2084 | done | |
2085 | ||
2086 | for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} | |
2087 | do | |
2088 | log_start | |
2089 | run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a} | |
2090 | log_test_addr ${a} $? 0 "ping out, vrf device+address bind" | |
2091 | done | |
2092 | ||
2093 | # | |
2094 | # in | |
2095 | # | |
2096 | for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV} | |
2097 | do | |
2098 | log_start | |
2099 | run_cmd_nsb ${ping6} -c1 -w1 ${a} | |
2100 | log_test_addr ${a} $? 0 "ping in" | |
2101 | done | |
2102 | ||
2103 | a=${NSA_LO_IP6} | |
2104 | log_start | |
2105 | show_hint "Fails since loopback address is out of VRF scope" | |
2106 | run_cmd_nsb ${ping6} -c1 -w1 ${a} | |
2107 | log_test_addr ${a} $? 1 "ping in" | |
2108 | ||
2109 | # | |
2110 | # local traffic, local address | |
2111 | # | |
2112 | for a in ${NSA_IP6} ${VRF_IP6} ::1 | |
2113 | do | |
2114 | log_start | |
2115 | show_hint "Source address should be ${a}" | |
2116 | run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a} | |
2117 | log_test_addr ${a} $? 0 "ping local, VRF bind" | |
2118 | done | |
2119 | ||
2120 | for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV} | |
2121 | do | |
2122 | log_start | |
2123 | run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} | |
2124 | log_test_addr ${a} $? 0 "ping local, device bind" | |
2125 | done | |
2126 | ||
2127 | # LLA to GUA - remove ipv6 global addresses from ns-B | |
2128 | setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} | |
2129 | setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo | |
2130 | setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} | |
2131 | ||
2132 | for a in ${NSA_IP6} ${VRF_IP6} | |
2133 | do | |
2134 | log_start | |
2135 | run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} | |
2136 | log_test_addr ${a} $? 0 "ping in, LLA to GUA" | |
2137 | done | |
2138 | ||
2139 | setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV} | |
2140 | setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} | |
2141 | setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo | |
2142 | ||
2143 | # | |
2144 | # ip rule blocks address | |
2145 | # | |
2146 | log_start | |
2147 | setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit | |
2148 | setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit | |
2149 | ||
2150 | a=${NSB_LO_IP6} | |
2151 | run_cmd ${ping6} -c1 -w1 ${a} | |
2152 | log_test_addr ${a} $? 2 "ping out, blocked by rule" | |
2153 | ||
2154 | log_start | |
2155 | run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} | |
2156 | log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule" | |
2157 | ||
2158 | a=${NSA_LO_IP6} | |
2159 | log_start | |
2160 | show_hint "Response lost due to ip rule" | |
2161 | run_cmd_nsb ${ping6} -c1 -w1 ${a} | |
2162 | log_test_addr ${a} $? 1 "ping in, blocked by rule" | |
2163 | ||
2164 | log_start | |
2165 | setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit | |
2166 | setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit | |
2167 | ||
2168 | # | |
2169 | # remove 'remote' routes; fallback to default | |
2170 | # | |
2171 | log_start | |
2172 | setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF} | |
2173 | ||
2174 | a=${NSB_LO_IP6} | |
2175 | run_cmd ${ping6} -c1 -w1 ${a} | |
2176 | log_test_addr ${a} $? 2 "ping out, unreachable route" | |
2177 | ||
2178 | log_start | |
2179 | run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a} | |
2180 | log_test_addr ${a} $? 2 "ping out, device bind, unreachable route" | |
2181 | ||
2182 | ip -netns ${NSB} -6 ro del ${NSA_LO_IP6} | |
2183 | a=${NSA_LO_IP6} | |
2184 | log_start | |
2185 | run_cmd_nsb ${ping6} -c1 -w1 ${a} | |
2186 | log_test_addr ${a} $? 2 "ping in, unreachable route" | |
2187 | } | |
2188 | ||
2189 | ipv6_ping() | |
2190 | { | |
2191 | log_section "IPv6 ping" | |
2192 | ||
2193 | log_subsection "No VRF" | |
2194 | setup | |
2195 | ipv6_ping_novrf | |
2196 | ||
2197 | log_subsection "With VRF" | |
2198 | setup "yes" | |
2199 | ipv6_ping_vrf | |
2200 | } | |
2201 | ||
a071bbf2 DA |
2202 | ################################################################################ |
2203 | # IPv6 TCP | |
2204 | ||
f0bee1eb DA |
2205 | # |
2206 | # MD5 tests without VRF | |
2207 | # | |
2208 | ipv6_tcp_md5_novrf() | |
2209 | { | |
2210 | # | |
2211 | # single address | |
2212 | # | |
2213 | ||
2214 | # basic use case | |
2215 | log_start | |
2216 | run_cmd nettest -6 -s -M ${MD5_PW} -r ${NSB_IP6} & | |
2217 | sleep 1 | |
2218 | run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW} | |
2219 | log_test $? 0 "MD5: Single address config" | |
2220 | ||
2221 | # client sends MD5, server not configured | |
2222 | log_start | |
2223 | show_hint "Should timeout due to MD5 mismatch" | |
2224 | run_cmd nettest -6 -s & | |
2225 | sleep 1 | |
2226 | run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW} | |
2227 | log_test $? 2 "MD5: Server no config, client uses password" | |
2228 | ||
2229 | # wrong password | |
2230 | log_start | |
2231 | show_hint "Should timeout since client uses wrong password" | |
2232 | run_cmd nettest -6 -s -M ${MD5_PW} -r ${NSB_IP6} & | |
2233 | sleep 1 | |
2234 | run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW} | |
2235 | log_test $? 2 "MD5: Client uses wrong password" | |
2236 | ||
2237 | # client from different address | |
2238 | log_start | |
2239 | show_hint "Should timeout due to MD5 mismatch" | |
2240 | run_cmd nettest -6 -s -M ${MD5_PW} -r ${NSB_LO_IP6} & | |
2241 | sleep 1 | |
2242 | run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW} | |
2243 | log_test $? 2 "MD5: Client address does not match address configured with password" | |
2244 | ||
2245 | # | |
2246 | # MD5 extension - prefix length | |
2247 | # | |
2248 | ||
2249 | # client in prefix | |
2250 | log_start | |
2251 | run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & | |
2252 | sleep 1 | |
2253 | run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW} | |
2254 | log_test $? 0 "MD5: Prefix config" | |
2255 | ||
2256 | # client in prefix, wrong password | |
2257 | log_start | |
2258 | show_hint "Should timeout since client uses wrong password" | |
2259 | run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & | |
2260 | sleep 1 | |
2261 | run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW} | |
2262 | log_test $? 2 "MD5: Prefix config, client uses wrong password" | |
2263 | ||
2264 | # client outside of prefix | |
2265 | log_start | |
2266 | show_hint "Should timeout due to MD5 mismatch" | |
2267 | run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} & | |
2268 | sleep 1 | |
2269 | run_cmd_nsb nettest -6 -l ${NSB_LO_IP6} -r ${NSA_IP6} -M ${MD5_PW} | |
2270 | log_test $? 2 "MD5: Prefix config, client address not in configured prefix" | |
2271 | } | |
2272 | ||
5cad8bce DA |
2273 | # |
2274 | # MD5 tests with VRF | |
2275 | # | |
2276 | ipv6_tcp_md5() | |
2277 | { | |
2278 | # | |
2279 | # single address | |
2280 | # | |
2281 | ||
2282 | # basic use case | |
2283 | log_start | |
2284 | run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} & | |
2285 | sleep 1 | |
2286 | run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW} | |
2287 | log_test $? 0 "MD5: VRF: Single address config" | |
2288 | ||
2289 | # client sends MD5, server not configured | |
2290 | log_start | |
2291 | show_hint "Should timeout since server does not have MD5 auth" | |
2292 | run_cmd nettest -6 -s -d ${VRF} & | |
2293 | sleep 1 | |
2294 | run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW} | |
2295 | log_test $? 2 "MD5: VRF: Server no config, client uses password" | |
2296 | ||
2297 | # wrong password | |
2298 | log_start | |
2299 | show_hint "Should timeout since client uses wrong password" | |
2300 | run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} & | |
2301 | sleep 1 | |
2302 | run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW} | |
2303 | log_test $? 2 "MD5: VRF: Client uses wrong password" | |
2304 | ||
2305 | # client from different address | |
2306 | log_start | |
2307 | show_hint "Should timeout since server config differs from client" | |
2308 | run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_LO_IP6} & | |
2309 | sleep 1 | |
2310 | run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW} | |
2311 | log_test $? 2 "MD5: VRF: Client address does not match address configured with password" | |
2312 | ||
2313 | # | |
2314 | # MD5 extension - prefix length | |
2315 | # | |
2316 | ||
2317 | # client in prefix | |
2318 | log_start | |
2319 | run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} & | |
2320 | sleep 1 | |
2321 | run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW} | |
2322 | log_test $? 0 "MD5: VRF: Prefix config" | |
2323 | ||
2324 | # client in prefix, wrong password | |
2325 | log_start | |
2326 | show_hint "Should timeout since client uses wrong password" | |
2327 | run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} & | |
2328 | sleep 1 | |
2329 | run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW} | |
2330 | log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password" | |
2331 | ||
2332 | # client outside of prefix | |
2333 | log_start | |
2334 | show_hint "Should timeout since client address is outside of prefix" | |
2335 | run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} & | |
2336 | sleep 1 | |
2337 | run_cmd_nsb nettest -6 -l ${NSB_LO_IP6} -r ${NSA_IP6} -M ${MD5_PW} | |
2338 | log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix" | |
2339 | ||
2340 | # | |
2341 | # duplicate config between default VRF and a VRF | |
2342 | # | |
2343 | ||
2344 | log_start | |
2345 | run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} & | |
2346 | run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -r ${NSB_IP6} & | |
2347 | sleep 1 | |
2348 | run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW} | |
2349 | log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF" | |
2350 | ||
2351 | log_start | |
2352 | run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} & | |
2353 | run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -r ${NSB_IP6} & | |
2354 | sleep 1 | |
2355 | run_cmd_nsc nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW} | |
2356 | log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF" | |
2357 | ||
2358 | log_start | |
2359 | show_hint "Should timeout since client in default VRF uses VRF password" | |
2360 | run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} & | |
2361 | run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -r ${NSB_IP6} & | |
2362 | sleep 1 | |
2363 | run_cmd_nsc nettest -6 -r ${NSA_IP6} -M ${MD5_PW} | |
2364 | log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw" | |
2365 | ||
2366 | log_start | |
2367 | show_hint "Should timeout since client in VRF uses default VRF password" | |
2368 | run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} & | |
2369 | run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -r ${NSB_IP6} & | |
2370 | sleep 1 | |
2371 | run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW} | |
2372 | log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw" | |
2373 | ||
2374 | log_start | |
2375 | run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} & | |
2376 | run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & | |
2377 | sleep 1 | |
2378 | run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW} | |
2379 | log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF" | |
2380 | ||
2381 | log_start | |
2382 | run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} & | |
2383 | run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & | |
2384 | sleep 1 | |
2385 | run_cmd_nsc nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW} | |
2386 | log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF" | |
2387 | ||
2388 | log_start | |
2389 | show_hint "Should timeout since client in default VRF uses VRF password" | |
2390 | run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} & | |
2391 | run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & | |
2392 | sleep 1 | |
2393 | run_cmd_nsc nettest -6 -r ${NSA_IP6} -M ${MD5_PW} | |
2394 | log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw" | |
2395 | ||
2396 | log_start | |
2397 | show_hint "Should timeout since client in VRF uses default VRF password" | |
2398 | run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} & | |
2399 | run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} & | |
2400 | sleep 1 | |
2401 | run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW} | |
2402 | log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw" | |
2403 | ||
2404 | # | |
2405 | # negative tests | |
2406 | # | |
2407 | log_start | |
2408 | run_cmd nettest -6 -s -d ${NSA_DEV} -M ${MD5_PW} -r ${NSB_IP6} | |
2409 | log_test $? 1 "MD5: VRF: Device must be a VRF - single address" | |
2410 | ||
2411 | log_start | |
2412 | run_cmd nettest -6 -s -d ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6} | |
2413 | log_test $? 1 "MD5: VRF: Device must be a VRF - prefix" | |
2414 | ||
2415 | } | |
2416 | ||
a071bbf2 DA |
2417 | ipv6_tcp_novrf() |
2418 | { | |
2419 | local a | |
2420 | ||
2421 | # | |
2422 | # server tests | |
2423 | # | |
2424 | for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} | |
2425 | do | |
2426 | log_start | |
2427 | run_cmd nettest -6 -s & | |
2428 | sleep 1 | |
2429 | run_cmd_nsb nettest -6 -r ${a} | |
2430 | log_test_addr ${a} $? 0 "Global server" | |
2431 | done | |
2432 | ||
2433 | # verify TCP reset received | |
2434 | for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} | |
2435 | do | |
2436 | log_start | |
2437 | show_hint "Should fail 'Connection refused'" | |
2438 | run_cmd_nsb nettest -6 -r ${a} | |
2439 | log_test_addr ${a} $? 1 "No server" | |
2440 | done | |
2441 | ||
2442 | # | |
2443 | # client | |
2444 | # | |
2445 | for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} | |
2446 | do | |
2447 | log_start | |
2448 | run_cmd_nsb nettest -6 -s & | |
2449 | sleep 1 | |
2450 | run_cmd nettest -6 -r ${a} | |
2451 | log_test_addr ${a} $? 0 "Client" | |
2452 | done | |
2453 | ||
2454 | for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} | |
2455 | do | |
2456 | log_start | |
2457 | run_cmd_nsb nettest -6 -s & | |
2458 | sleep 1 | |
2459 | run_cmd nettest -6 -r ${a} -d ${NSA_DEV} | |
2460 | log_test_addr ${a} $? 0 "Client, device bind" | |
2461 | done | |
2462 | ||
2463 | for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} | |
2464 | do | |
2465 | log_start | |
2466 | show_hint "Should fail 'Connection refused'" | |
2467 | run_cmd nettest -6 -r ${a} -d ${NSA_DEV} | |
2468 | log_test_addr ${a} $? 1 "No server, device client" | |
2469 | done | |
2470 | ||
2471 | # | |
2472 | # local address tests | |
2473 | # | |
2474 | for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 | |
2475 | do | |
2476 | log_start | |
2477 | run_cmd nettest -6 -s & | |
2478 | sleep 1 | |
2479 | run_cmd nettest -6 -r ${a} | |
2480 | log_test_addr ${a} $? 0 "Global server, local connection" | |
2481 | done | |
2482 | ||
2483 | a=${NSA_IP6} | |
2484 | log_start | |
2485 | run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} & | |
2486 | sleep 1 | |
2487 | run_cmd nettest -6 -r ${a} -0 ${a} | |
2488 | log_test_addr ${a} $? 0 "Device server, unbound client, local connection" | |
2489 | ||
2490 | for a in ${NSA_LO_IP6} ::1 | |
2491 | do | |
2492 | log_start | |
2493 | show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" | |
2494 | run_cmd nettest -6 -s -d ${NSA_DEV} & | |
2495 | sleep 1 | |
2496 | run_cmd nettest -6 -r ${a} | |
2497 | log_test_addr ${a} $? 1 "Device server, unbound client, local connection" | |
2498 | done | |
2499 | ||
2500 | a=${NSA_IP6} | |
2501 | log_start | |
2502 | run_cmd nettest -6 -s & | |
2503 | sleep 1 | |
2504 | run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} | |
2505 | log_test_addr ${a} $? 0 "Global server, device client, local connection" | |
2506 | ||
2507 | for a in ${NSA_LO_IP6} ::1 | |
2508 | do | |
2509 | log_start | |
2510 | show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope" | |
2511 | run_cmd nettest -6 -s & | |
2512 | sleep 1 | |
2513 | run_cmd nettest -6 -r ${a} -d ${NSA_DEV} | |
2514 | log_test_addr ${a} $? 1 "Global server, device client, local connection" | |
2515 | done | |
2516 | ||
2517 | for a in ${NSA_IP6} ${NSA_LINKIP6} | |
2518 | do | |
2519 | log_start | |
2520 | run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} & | |
2521 | sleep 1 | |
2522 | run_cmd nettest -6 -d ${NSA_DEV} -r ${a} | |
2523 | log_test_addr ${a} $? 0 "Device server, device client, local conn" | |
2524 | done | |
2525 | ||
2526 | for a in ${NSA_IP6} ${NSA_LINKIP6} | |
2527 | do | |
2528 | log_start | |
2529 | show_hint "Should fail 'Connection refused'" | |
2530 | run_cmd nettest -6 -d ${NSA_DEV} -r ${a} | |
2531 | log_test_addr ${a} $? 1 "No server, device client, local conn" | |
2532 | done | |
f0bee1eb DA |
2533 | |
2534 | ipv6_tcp_md5_novrf | |
a071bbf2 DA |
2535 | } |
2536 | ||
2537 | ipv6_tcp_vrf() | |
2538 | { | |
2539 | local a | |
2540 | ||
2541 | # disable global server | |
2542 | log_subsection "Global server disabled" | |
2543 | ||
2544 | set_sysctl net.ipv4.tcp_l3mdev_accept=0 | |
2545 | ||
2546 | # | |
2547 | # server tests | |
2548 | # | |
2549 | for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} | |
2550 | do | |
2551 | log_start | |
2552 | show_hint "Should fail 'Connection refused' since global server with VRF is disabled" | |
2553 | run_cmd nettest -6 -s & | |
2554 | sleep 1 | |
2555 | run_cmd_nsb nettest -6 -r ${a} | |
2556 | log_test_addr ${a} $? 1 "Global server" | |
2557 | done | |
2558 | ||
2559 | for a in ${NSA_IP6} ${VRF_IP6} | |
2560 | do | |
2561 | log_start | |
2562 | run_cmd nettest -6 -s -d ${VRF} -2 ${VRF} & | |
2563 | sleep 1 | |
2564 | run_cmd_nsb nettest -6 -r ${a} | |
2565 | log_test_addr ${a} $? 0 "VRF server" | |
2566 | done | |
2567 | ||
2568 | # link local is always bound to ingress device | |
2569 | a=${NSA_LINKIP6}%${NSB_DEV} | |
2570 | log_start | |
2571 | run_cmd nettest -6 -s -d ${VRF} -2 ${NSA_DEV} & | |
2572 | sleep 1 | |
2573 | run_cmd_nsb nettest -6 -r ${a} | |
2574 | log_test_addr ${a} $? 0 "VRF server" | |
2575 | ||
2576 | for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} | |
2577 | do | |
2578 | log_start | |
2579 | run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} & | |
2580 | sleep 1 | |
2581 | run_cmd_nsb nettest -6 -r ${a} | |
2582 | log_test_addr ${a} $? 0 "Device server" | |
2583 | done | |
2584 | ||
2585 | # verify TCP reset received | |
2586 | for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} | |
2587 | do | |
2588 | log_start | |
2589 | show_hint "Should fail 'Connection refused'" | |
2590 | run_cmd_nsb nettest -6 -r ${a} | |
2591 | log_test_addr ${a} $? 1 "No server" | |
2592 | done | |
2593 | ||
2594 | # local address tests | |
2595 | a=${NSA_IP6} | |
2596 | log_start | |
2597 | show_hint "Should fail 'Connection refused' since global server with VRF is disabled" | |
2598 | run_cmd nettest -6 -s & | |
2599 | sleep 1 | |
2600 | run_cmd nettest -6 -r ${a} -d ${NSA_DEV} | |
2601 | log_test_addr ${a} $? 1 "Global server, local connection" | |
2602 | ||
5cad8bce DA |
2603 | # run MD5 tests |
2604 | ipv6_tcp_md5 | |
2605 | ||
a071bbf2 DA |
2606 | # |
2607 | # enable VRF global server | |
2608 | # | |
2609 | log_subsection "VRF Global server enabled" | |
2610 | set_sysctl net.ipv4.tcp_l3mdev_accept=1 | |
2611 | ||
2612 | for a in ${NSA_IP6} ${VRF_IP6} | |
2613 | do | |
2614 | log_start | |
2615 | run_cmd nettest -6 -s -2 ${VRF} & | |
2616 | sleep 1 | |
2617 | run_cmd_nsb nettest -6 -r ${a} | |
2618 | log_test_addr ${a} $? 0 "Global server" | |
2619 | done | |
2620 | ||
2621 | for a in ${NSA_IP6} ${VRF_IP6} | |
2622 | do | |
2623 | log_start | |
2624 | run_cmd nettest -6 -s -d ${VRF} -2 ${VRF} & | |
2625 | sleep 1 | |
2626 | run_cmd_nsb nettest -6 -r ${a} | |
2627 | log_test_addr ${a} $? 0 "VRF server" | |
2628 | done | |
2629 | ||
2630 | # For LLA, child socket is bound to device | |
2631 | a=${NSA_LINKIP6}%${NSB_DEV} | |
2632 | log_start | |
2633 | run_cmd nettest -6 -s -2 ${NSA_DEV} & | |
2634 | sleep 1 | |
2635 | run_cmd_nsb nettest -6 -r ${a} | |
2636 | log_test_addr ${a} $? 0 "Global server" | |
2637 | ||
2638 | log_start | |
2639 | run_cmd nettest -6 -s -d ${VRF} -2 ${NSA_DEV} & | |
2640 | sleep 1 | |
2641 | run_cmd_nsb nettest -6 -r ${a} | |
2642 | log_test_addr ${a} $? 0 "VRF server" | |
2643 | ||
2644 | for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} | |
2645 | do | |
2646 | log_start | |
2647 | run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} & | |
2648 | sleep 1 | |
2649 | run_cmd_nsb nettest -6 -r ${a} | |
2650 | log_test_addr ${a} $? 0 "Device server" | |
2651 | done | |
2652 | ||
2653 | # verify TCP reset received | |
2654 | for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} | |
2655 | do | |
2656 | log_start | |
2657 | show_hint "Should fail 'Connection refused'" | |
2658 | run_cmd_nsb nettest -6 -r ${a} | |
2659 | log_test_addr ${a} $? 1 "No server" | |
2660 | done | |
2661 | ||
2662 | # local address tests | |
2663 | for a in ${NSA_IP6} ${VRF_IP6} | |
2664 | do | |
2665 | log_start | |
2666 | show_hint "Fails 'No route to host' since client is not in VRF" | |
2667 | run_cmd nettest -6 -s -2 ${VRF} & | |
2668 | sleep 1 | |
2669 | run_cmd nettest -6 -r ${a} | |
2670 | log_test_addr ${a} $? 1 "Global server, local connection" | |
2671 | done | |
2672 | ||
2673 | ||
2674 | # | |
2675 | # client | |
2676 | # | |
2677 | for a in ${NSB_IP6} ${NSB_LO_IP6} | |
2678 | do | |
2679 | log_start | |
2680 | run_cmd_nsb nettest -6 -s & | |
2681 | sleep 1 | |
2682 | run_cmd nettest -6 -r ${a} -d ${VRF} | |
2683 | log_test_addr ${a} $? 0 "Client, VRF bind" | |
2684 | done | |
2685 | ||
2686 | a=${NSB_LINKIP6} | |
2687 | log_start | |
2688 | show_hint "Fails since VRF device does not allow linklocal addresses" | |
2689 | run_cmd_nsb nettest -6 -s & | |
2690 | sleep 1 | |
2691 | run_cmd nettest -6 -r ${a} -d ${VRF} | |
2692 | log_test_addr ${a} $? 1 "Client, VRF bind" | |
2693 | ||
2694 | for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} | |
2695 | do | |
2696 | log_start | |
2697 | run_cmd_nsb nettest -6 -s & | |
2698 | sleep 1 | |
2699 | run_cmd nettest -6 -r ${a} -d ${NSA_DEV} | |
2700 | log_test_addr ${a} $? 0 "Client, device bind" | |
2701 | done | |
2702 | ||
2703 | for a in ${NSB_IP6} ${NSB_LO_IP6} | |
2704 | do | |
2705 | log_start | |
2706 | show_hint "Should fail 'Connection refused'" | |
2707 | run_cmd nettest -6 -r ${a} -d ${VRF} | |
2708 | log_test_addr ${a} $? 1 "No server, VRF client" | |
2709 | done | |
2710 | ||
2711 | for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6} | |
2712 | do | |
2713 | log_start | |
2714 | show_hint "Should fail 'Connection refused'" | |
2715 | run_cmd nettest -6 -r ${a} -d ${NSA_DEV} | |
2716 | log_test_addr ${a} $? 1 "No server, device client" | |
2717 | done | |
2718 | ||
2719 | for a in ${NSA_IP6} ${VRF_IP6} ::1 | |
2720 | do | |
2721 | log_start | |
2722 | run_cmd nettest -6 -s -d ${VRF} -2 ${VRF} & | |
2723 | sleep 1 | |
2724 | run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} | |
2725 | log_test_addr ${a} $? 0 "VRF server, VRF client, local connection" | |
2726 | done | |
2727 | ||
2728 | a=${NSA_IP6} | |
2729 | log_start | |
2730 | run_cmd nettest -6 -s -d ${VRF} -2 ${VRF} & | |
2731 | sleep 1 | |
2732 | run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} | |
2733 | log_test_addr ${a} $? 0 "VRF server, device client, local connection" | |
2734 | ||
2735 | a=${NSA_IP6} | |
2736 | log_start | |
2737 | show_hint "Should fail since unbound client is out of VRF scope" | |
2738 | run_cmd nettest -6 -s -d ${VRF} & | |
2739 | sleep 1 | |
2740 | run_cmd nettest -6 -r ${a} | |
2741 | log_test_addr ${a} $? 1 "VRF server, unbound client, local connection" | |
2742 | ||
2743 | log_start | |
2744 | run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} & | |
2745 | sleep 1 | |
2746 | run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a} | |
2747 | log_test_addr ${a} $? 0 "Device server, VRF client, local connection" | |
2748 | ||
2749 | for a in ${NSA_IP6} ${NSA_LINKIP6} | |
2750 | do | |
2751 | log_start | |
2752 | run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} & | |
2753 | sleep 1 | |
2754 | run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a} | |
2755 | log_test_addr ${a} $? 0 "Device server, device client, local connection" | |
2756 | done | |
2757 | } | |
2758 | ||
2759 | ipv6_tcp() | |
2760 | { | |
2761 | log_section "IPv6/TCP" | |
a071bbf2 DA |
2762 | log_subsection "No VRF" |
2763 | setup | |
2764 | ||
2765 | # tcp_l3mdev_accept should have no affect without VRF; | |
2766 | # run tests with it enabled and disabled to verify | |
2767 | log_subsection "tcp_l3mdev_accept disabled" | |
2768 | set_sysctl net.ipv4.tcp_l3mdev_accept=0 | |
2769 | ipv6_tcp_novrf | |
2770 | log_subsection "tcp_l3mdev_accept enabled" | |
2771 | set_sysctl net.ipv4.tcp_l3mdev_accept=1 | |
2772 | ipv6_tcp_novrf | |
2773 | ||
2774 | log_subsection "With VRF" | |
2775 | setup "yes" | |
2776 | ipv6_tcp_vrf | |
2777 | } | |
2778 | ||
6abdb651 DA |
2779 | ################################################################################ |
2780 | # IPv6 UDP | |
2781 | ||
2782 | ipv6_udp_novrf() | |
2783 | { | |
2784 | local a | |
2785 | ||
2786 | # | |
2787 | # server tests | |
2788 | # | |
2789 | for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV} | |
2790 | do | |
2791 | log_start | |
2792 | run_cmd nettest -6 -D -s -2 ${NSA_DEV} & | |
2793 | sleep 1 | |
2794 | run_cmd_nsb nettest -6 -D -r ${a} | |
2795 | log_test_addr ${a} $? 0 "Global server" | |
2796 | ||
2797 | log_start | |
2798 | run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} & | |
2799 | sleep 1 | |
2800 | run_cmd_nsb nettest -6 -D -r ${a} | |
2801 | log_test_addr ${a} $? 0 "Device server" | |
2802 | done | |
2803 | ||
2804 | a=${NSA_LO_IP6} | |
2805 | log_start | |
2806 | run_cmd nettest -6 -D -s -2 ${NSA_DEV} & | |
2807 | sleep 1 | |
2808 | run_cmd_nsb nettest -6 -D -r ${a} | |
2809 | log_test_addr ${a} $? 0 "Global server" | |
2810 | ||
2811 | # should fail since loopback address is out of scope for a device | |
2812 | # bound server, but it does not - hence this is more documenting | |
2813 | # behavior. | |
2814 | #log_start | |
2815 | #show_hint "Should fail since loopback address is out of scope" | |
2816 | #run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} & | |
2817 | #sleep 1 | |
2818 | #run_cmd_nsb nettest -6 -D -r ${a} | |
2819 | #log_test_addr ${a} $? 1 "Device server" | |
2820 | ||
2821 | # negative test - should fail | |
2822 | for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} | |
2823 | do | |
2824 | log_start | |
2825 | show_hint "Should fail 'Connection refused' since there is no server" | |
2826 | run_cmd_nsb nettest -6 -D -r ${a} | |
2827 | log_test_addr ${a} $? 1 "No server" | |
2828 | done | |
2829 | ||
2830 | # | |
2831 | # client | |
2832 | # | |
2833 | for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} | |
2834 | do | |
2835 | log_start | |
2836 | run_cmd_nsb nettest -6 -D -s & | |
2837 | sleep 1 | |
2838 | run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6} | |
2839 | log_test_addr ${a} $? 0 "Client" | |
2840 | ||
2841 | log_start | |
2842 | run_cmd_nsb nettest -6 -D -s & | |
2843 | sleep 1 | |
2844 | run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6} | |
2845 | log_test_addr ${a} $? 0 "Client, device bind" | |
2846 | ||
2847 | log_start | |
2848 | run_cmd_nsb nettest -6 -D -s & | |
2849 | sleep 1 | |
2850 | run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6} | |
2851 | log_test_addr ${a} $? 0 "Client, device send via cmsg" | |
2852 | ||
2853 | log_start | |
2854 | run_cmd_nsb nettest -6 -D -s & | |
2855 | sleep 1 | |
2856 | run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6} | |
2857 | log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF" | |
2858 | ||
2859 | log_start | |
2860 | show_hint "Should fail 'Connection refused'" | |
2861 | run_cmd nettest -6 -D -r ${a} | |
2862 | log_test_addr ${a} $? 1 "No server, unbound client" | |
2863 | ||
2864 | log_start | |
2865 | show_hint "Should fail 'Connection refused'" | |
2866 | run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} | |
2867 | log_test_addr ${a} $? 1 "No server, device client" | |
2868 | done | |
2869 | ||
2870 | # | |
2871 | # local address tests | |
2872 | # | |
2873 | for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 | |
2874 | do | |
2875 | log_start | |
2876 | run_cmd nettest -6 -D -s & | |
2877 | sleep 1 | |
2878 | run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a} | |
2879 | log_test_addr ${a} $? 0 "Global server, local connection" | |
2880 | done | |
2881 | ||
2882 | a=${NSA_IP6} | |
2883 | log_start | |
2884 | run_cmd nettest -6 -s -D -d ${NSA_DEV} -2 ${NSA_DEV} & | |
2885 | sleep 1 | |
2886 | run_cmd nettest -6 -D -r ${a} | |
2887 | log_test_addr ${a} $? 0 "Device server, unbound client, local connection" | |
2888 | ||
2889 | for a in ${NSA_LO_IP6} ::1 | |
2890 | do | |
2891 | log_start | |
2892 | show_hint "Should fail 'Connection refused' since address is out of device scope" | |
2893 | run_cmd nettest -6 -s -D -d ${NSA_DEV} & | |
2894 | sleep 1 | |
2895 | run_cmd nettest -6 -D -r ${a} | |
2896 | log_test_addr ${a} $? 1 "Device server, local connection" | |
2897 | done | |
2898 | ||
2899 | a=${NSA_IP6} | |
2900 | log_start | |
2901 | run_cmd nettest -6 -s -D & | |
2902 | sleep 1 | |
2903 | run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} | |
2904 | log_test_addr ${a} $? 0 "Global server, device client, local connection" | |
2905 | ||
2906 | log_start | |
2907 | run_cmd nettest -6 -s -D & | |
2908 | sleep 1 | |
2909 | run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a} | |
2910 | log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection" | |
2911 | ||
2912 | log_start | |
2913 | run_cmd nettest -6 -s -D & | |
2914 | sleep 1 | |
2915 | run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a} | |
2916 | log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection" | |
2917 | ||
2918 | for a in ${NSA_LO_IP6} ::1 | |
2919 | do | |
2920 | log_start | |
2921 | show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" | |
2922 | run_cmd nettest -6 -D -s & | |
2923 | sleep 1 | |
2924 | run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} | |
2925 | log_test_addr ${a} $? 1 "Global server, device client, local connection" | |
2926 | ||
2927 | log_start | |
2928 | show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" | |
2929 | run_cmd nettest -6 -D -s & | |
2930 | sleep 1 | |
2931 | run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C | |
2932 | log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection" | |
2933 | ||
2934 | log_start | |
2935 | show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope" | |
2936 | run_cmd nettest -6 -D -s & | |
2937 | sleep 1 | |
2938 | run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S | |
2939 | log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection" | |
2940 | done | |
2941 | ||
2942 | a=${NSA_IP6} | |
2943 | log_start | |
2944 | run_cmd nettest -6 -D -s -d ${NSA_DEV} -2 ${NSA_DEV} & | |
2945 | sleep 1 | |
2946 | run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a} | |
2947 | log_test_addr ${a} $? 0 "Device server, device client, local conn" | |
2948 | ||
2949 | log_start | |
2950 | show_hint "Should fail 'Connection refused'" | |
2951 | run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} | |
2952 | log_test_addr ${a} $? 1 "No server, device client, local conn" | |
2953 | ||
2954 | # LLA to GUA | |
2955 | run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} | |
2956 | run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} | |
2957 | log_start | |
2958 | run_cmd nettest -6 -s -D & | |
2959 | sleep 1 | |
2960 | run_cmd_nsb nettest -6 -D -r ${NSA_IP6} | |
2961 | log_test $? 0 "UDP in - LLA to GUA" | |
2962 | ||
2963 | run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV} | |
2964 | run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad | |
2965 | } | |
2966 | ||
2967 | ipv6_udp_vrf() | |
2968 | { | |
2969 | local a | |
2970 | ||
2971 | # disable global server | |
2972 | log_subsection "Global server disabled" | |
2973 | set_sysctl net.ipv4.udp_l3mdev_accept=0 | |
2974 | ||
2975 | # | |
2976 | # server tests | |
2977 | # | |
2978 | for a in ${NSA_IP6} ${VRF_IP6} | |
2979 | do | |
2980 | log_start | |
2981 | show_hint "Should fail 'Connection refused' since global server is disabled" | |
2982 | run_cmd nettest -6 -D -s & | |
2983 | sleep 1 | |
2984 | run_cmd_nsb nettest -6 -D -r ${a} | |
2985 | log_test_addr ${a} $? 1 "Global server" | |
2986 | done | |
2987 | ||
2988 | for a in ${NSA_IP6} ${VRF_IP6} | |
2989 | do | |
2990 | log_start | |
2991 | run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} & | |
2992 | sleep 1 | |
2993 | run_cmd_nsb nettest -6 -D -r ${a} | |
2994 | log_test_addr ${a} $? 0 "VRF server" | |
2995 | done | |
2996 | ||
2997 | for a in ${NSA_IP6} ${VRF_IP6} | |
2998 | do | |
2999 | log_start | |
3000 | run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} & | |
3001 | sleep 1 | |
3002 | run_cmd_nsb nettest -6 -D -r ${a} | |
3003 | log_test_addr ${a} $? 0 "Enslaved device server" | |
3004 | done | |
3005 | ||
3006 | # negative test - should fail | |
3007 | for a in ${NSA_IP6} ${VRF_IP6} | |
3008 | do | |
3009 | log_start | |
3010 | show_hint "Should fail 'Connection refused' since there is no server" | |
3011 | run_cmd_nsb nettest -6 -D -r ${a} | |
3012 | log_test_addr ${a} $? 1 "No server" | |
3013 | done | |
3014 | ||
3015 | # | |
3016 | # local address tests | |
3017 | # | |
3018 | for a in ${NSA_IP6} ${VRF_IP6} | |
3019 | do | |
3020 | log_start | |
3021 | show_hint "Should fail 'Connection refused' since global server is disabled" | |
3022 | run_cmd nettest -6 -D -s & | |
3023 | sleep 1 | |
3024 | run_cmd nettest -6 -D -d ${VRF} -r ${a} | |
3025 | log_test_addr ${a} $? 1 "Global server, VRF client, local conn" | |
3026 | done | |
3027 | ||
3028 | for a in ${NSA_IP6} ${VRF_IP6} | |
3029 | do | |
3030 | log_start | |
3031 | run_cmd nettest -6 -D -d ${VRF} -s & | |
3032 | sleep 1 | |
3033 | run_cmd nettest -6 -D -d ${VRF} -r ${a} | |
3034 | log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" | |
3035 | done | |
3036 | ||
3037 | a=${NSA_IP6} | |
3038 | log_start | |
3039 | show_hint "Should fail 'Connection refused' since global server is disabled" | |
3040 | run_cmd nettest -6 -D -s & | |
3041 | sleep 1 | |
3042 | run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} | |
3043 | log_test_addr ${a} $? 1 "Global server, device client, local conn" | |
3044 | ||
3045 | log_start | |
3046 | run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} & | |
3047 | sleep 1 | |
3048 | run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} | |
3049 | log_test_addr ${a} $? 0 "VRF server, device client, local conn" | |
3050 | ||
3051 | log_start | |
3052 | run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} & | |
3053 | sleep 1 | |
3054 | run_cmd nettest -6 -D -d ${VRF} -r ${a} | |
3055 | log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn" | |
3056 | ||
3057 | log_start | |
3058 | run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} & | |
3059 | sleep 1 | |
3060 | run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} | |
3061 | log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn" | |
3062 | ||
3063 | # disable global server | |
3064 | log_subsection "Global server enabled" | |
3065 | set_sysctl net.ipv4.udp_l3mdev_accept=1 | |
3066 | ||
3067 | # | |
3068 | # server tests | |
3069 | # | |
3070 | for a in ${NSA_IP6} ${VRF_IP6} | |
3071 | do | |
3072 | log_start | |
3073 | run_cmd nettest -6 -D -s -2 ${NSA_DEV} & | |
3074 | sleep 1 | |
3075 | run_cmd_nsb nettest -6 -D -r ${a} | |
3076 | log_test_addr ${a} $? 0 "Global server" | |
3077 | done | |
3078 | ||
3079 | for a in ${NSA_IP6} ${VRF_IP6} | |
3080 | do | |
3081 | log_start | |
3082 | run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} & | |
3083 | sleep 1 | |
3084 | run_cmd_nsb nettest -6 -D -r ${a} | |
3085 | log_test_addr ${a} $? 0 "VRF server" | |
3086 | done | |
3087 | ||
3088 | for a in ${NSA_IP6} ${VRF_IP6} | |
3089 | do | |
3090 | log_start | |
3091 | run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} & | |
3092 | sleep 1 | |
3093 | run_cmd_nsb nettest -6 -D -r ${a} | |
3094 | log_test_addr ${a} $? 0 "Enslaved device server" | |
3095 | done | |
3096 | ||
3097 | # negative test - should fail | |
3098 | for a in ${NSA_IP6} ${VRF_IP6} | |
3099 | do | |
3100 | log_start | |
3101 | run_cmd_nsb nettest -6 -D -r ${a} | |
3102 | log_test_addr ${a} $? 1 "No server" | |
3103 | done | |
3104 | ||
3105 | # | |
3106 | # client tests | |
3107 | # | |
3108 | log_start | |
3109 | run_cmd_nsb nettest -6 -D -s & | |
3110 | sleep 1 | |
3111 | run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} | |
3112 | log_test $? 0 "VRF client" | |
3113 | ||
3114 | # negative test - should fail | |
3115 | log_start | |
3116 | run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6} | |
3117 | log_test $? 1 "No server, VRF client" | |
3118 | ||
3119 | log_start | |
3120 | run_cmd_nsb nettest -6 -D -s & | |
3121 | sleep 1 | |
3122 | run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} | |
3123 | log_test $? 0 "Enslaved device client" | |
3124 | ||
3125 | # negative test - should fail | |
3126 | log_start | |
3127 | run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6} | |
3128 | log_test $? 1 "No server, enslaved device client" | |
3129 | ||
3130 | # | |
3131 | # local address tests | |
3132 | # | |
3133 | a=${NSA_IP6} | |
3134 | log_start | |
3135 | run_cmd nettest -6 -D -s -2 ${NSA_DEV} & | |
3136 | sleep 1 | |
3137 | run_cmd nettest -6 -D -d ${VRF} -r ${a} | |
3138 | log_test_addr ${a} $? 0 "Global server, VRF client, local conn" | |
3139 | ||
3140 | #log_start | |
3141 | run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} & | |
3142 | sleep 1 | |
3143 | run_cmd nettest -6 -D -d ${VRF} -r ${a} | |
3144 | log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" | |
3145 | ||
3146 | ||
3147 | a=${VRF_IP6} | |
3148 | log_start | |
3149 | run_cmd nettest -6 -D -s -2 ${VRF} & | |
3150 | sleep 1 | |
3151 | run_cmd nettest -6 -D -d ${VRF} -r ${a} | |
3152 | log_test_addr ${a} $? 0 "Global server, VRF client, local conn" | |
3153 | ||
3154 | log_start | |
3155 | run_cmd nettest -6 -D -d ${VRF} -s -2 ${VRF} & | |
3156 | sleep 1 | |
3157 | run_cmd nettest -6 -D -d ${VRF} -r ${a} | |
3158 | log_test_addr ${a} $? 0 "VRF server, VRF client, local conn" | |
3159 | ||
3160 | # negative test - should fail | |
3161 | for a in ${NSA_IP6} ${VRF_IP6} | |
3162 | do | |
3163 | log_start | |
3164 | run_cmd nettest -6 -D -d ${VRF} -r ${a} | |
3165 | log_test_addr ${a} $? 1 "No server, VRF client, local conn" | |
3166 | done | |
3167 | ||
3168 | # device to global IP | |
3169 | a=${NSA_IP6} | |
3170 | log_start | |
3171 | run_cmd nettest -6 -D -s -2 ${NSA_DEV} & | |
3172 | sleep 1 | |
3173 | run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} | |
3174 | log_test_addr ${a} $? 0 "Global server, device client, local conn" | |
3175 | ||
3176 | log_start | |
3177 | run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} & | |
3178 | sleep 1 | |
3179 | run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} | |
3180 | log_test_addr ${a} $? 0 "VRF server, device client, local conn" | |
3181 | ||
3182 | log_start | |
3183 | run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} & | |
3184 | sleep 1 | |
3185 | run_cmd nettest -6 -D -d ${VRF} -r ${a} | |
3186 | log_test_addr ${a} $? 0 "Device server, VRF client, local conn" | |
3187 | ||
3188 | log_start | |
3189 | run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} & | |
3190 | sleep 1 | |
3191 | run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} | |
3192 | log_test_addr ${a} $? 0 "Device server, device client, local conn" | |
3193 | ||
3194 | log_start | |
3195 | run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} | |
3196 | log_test_addr ${a} $? 1 "No server, device client, local conn" | |
3197 | ||
3198 | ||
3199 | # link local addresses | |
3200 | log_start | |
3201 | run_cmd nettest -6 -D -s & | |
3202 | sleep 1 | |
3203 | run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} | |
3204 | log_test $? 0 "Global server, linklocal IP" | |
3205 | ||
3206 | log_start | |
3207 | run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6} | |
3208 | log_test $? 1 "No server, linklocal IP" | |
3209 | ||
3210 | ||
3211 | log_start | |
3212 | run_cmd_nsb nettest -6 -D -s & | |
3213 | sleep 1 | |
3214 | run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} | |
3215 | log_test $? 0 "Enslaved device client, linklocal IP" | |
3216 | ||
3217 | log_start | |
3218 | run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6} | |
3219 | log_test $? 1 "No server, device client, peer linklocal IP" | |
3220 | ||
3221 | ||
3222 | log_start | |
3223 | run_cmd nettest -6 -D -s & | |
3224 | sleep 1 | |
3225 | run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} | |
3226 | log_test $? 0 "Enslaved device client, local conn - linklocal IP" | |
3227 | ||
3228 | log_start | |
3229 | run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6} | |
3230 | log_test $? 1 "No server, device client, local conn - linklocal IP" | |
3231 | ||
3232 | # LLA to GUA | |
3233 | run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV} | |
3234 | run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV} | |
3235 | log_start | |
3236 | run_cmd nettest -6 -s -D & | |
3237 | sleep 1 | |
3238 | run_cmd_nsb nettest -6 -D -r ${NSA_IP6} | |
3239 | log_test $? 0 "UDP in - LLA to GUA" | |
3240 | ||
3241 | run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV} | |
3242 | run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad | |
3243 | } | |
3244 | ||
3245 | ipv6_udp() | |
3246 | { | |
3247 | # should not matter, but set to known state | |
3248 | set_sysctl net.ipv4.udp_early_demux=1 | |
3249 | ||
3250 | log_section "IPv6/UDP" | |
3251 | log_subsection "No VRF" | |
3252 | setup | |
3253 | ||
3254 | # udp_l3mdev_accept should have no affect without VRF; | |
3255 | # run tests with it enabled and disabled to verify | |
3256 | log_subsection "udp_l3mdev_accept disabled" | |
3257 | set_sysctl net.ipv4.udp_l3mdev_accept=0 | |
3258 | ipv6_udp_novrf | |
3259 | log_subsection "udp_l3mdev_accept enabled" | |
3260 | set_sysctl net.ipv4.udp_l3mdev_accept=1 | |
3261 | ipv6_udp_novrf | |
3262 | ||
3263 | log_subsection "With VRF" | |
3264 | setup "yes" | |
3265 | ipv6_udp_vrf | |
3266 | } | |
3267 | ||
34d0302a DA |
3268 | ################################################################################ |
3269 | # IPv6 address bind | |
3270 | ||
3271 | ipv6_addr_bind_novrf() | |
3272 | { | |
3273 | # | |
3274 | # raw socket | |
3275 | # | |
3276 | for a in ${NSA_IP6} ${NSA_LO_IP6} | |
3277 | do | |
3278 | log_start | |
3279 | run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b | |
3280 | log_test_addr ${a} $? 0 "Raw socket bind to local address" | |
3281 | ||
3282 | log_start | |
3283 | run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -d ${NSA_DEV} -b | |
3284 | log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" | |
3285 | done | |
3286 | ||
3287 | # | |
3288 | # tcp sockets | |
3289 | # | |
3290 | a=${NSA_IP6} | |
3291 | log_start | |
3292 | run_cmd nettest -6 -s -l ${a} -t1 -b | |
3293 | log_test_addr ${a} $? 0 "TCP socket bind to local address" | |
3294 | ||
3295 | log_start | |
3296 | run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b | |
3297 | log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind" | |
3298 | ||
3299 | a=${NSA_LO_IP6} | |
3300 | log_start | |
3301 | show_hint "Should fail with 'Cannot assign requested address'" | |
3302 | run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b | |
3303 | log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address" | |
3304 | } | |
3305 | ||
3306 | ipv6_addr_bind_vrf() | |
3307 | { | |
3308 | # | |
3309 | # raw socket | |
3310 | # | |
3311 | for a in ${NSA_IP6} ${VRF_IP6} | |
3312 | do | |
3313 | log_start | |
3314 | run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -d ${VRF} -b | |
3315 | log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind" | |
3316 | ||
3317 | log_start | |
3318 | run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -d ${NSA_DEV} -b | |
3319 | log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind" | |
3320 | done | |
3321 | ||
3322 | a=${NSA_LO_IP6} | |
3323 | log_start | |
3324 | show_hint "Address on loopback is out of VRF scope" | |
3325 | run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -d ${VRF} -b | |
3326 | log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind" | |
3327 | ||
3328 | # | |
3329 | # tcp sockets | |
3330 | # | |
3331 | # address on enslaved device is valid for the VRF or device in a VRF | |
3332 | for a in ${NSA_IP6} ${VRF_IP6} | |
3333 | do | |
3334 | log_start | |
3335 | run_cmd nettest -6 -s -l ${a} -d ${VRF} -t1 -b | |
3336 | log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind" | |
3337 | done | |
3338 | ||
3339 | a=${NSA_IP6} | |
3340 | log_start | |
3341 | run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b | |
3342 | log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind" | |
3343 | ||
3344 | a=${VRF_IP6} | |
3345 | log_start | |
3346 | run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b | |
3347 | log_test_addr ${a} $? 1 "TCP socket bind to VRF address with device bind" | |
3348 | ||
3349 | a=${NSA_LO_IP6} | |
3350 | log_start | |
3351 | show_hint "Address on loopback out of scope for VRF" | |
3352 | run_cmd nettest -6 -s -l ${a} -d ${VRF} -t1 -b | |
3353 | log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF" | |
3354 | ||
3355 | log_start | |
3356 | show_hint "Address on loopback out of scope for device in VRF" | |
3357 | run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b | |
3358 | log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind" | |
3359 | ||
3360 | } | |
3361 | ||
3362 | ipv6_addr_bind() | |
3363 | { | |
3364 | log_section "IPv6 address binds" | |
3365 | ||
3366 | log_subsection "No VRF" | |
3367 | setup | |
3368 | ipv6_addr_bind_novrf | |
3369 | ||
3370 | log_subsection "With VRF" | |
3371 | setup "yes" | |
3372 | ipv6_addr_bind_vrf | |
3373 | } | |
3374 | ||
4cd12f61 DA |
3375 | ################################################################################ |
3376 | # IPv6 runtime tests | |
3377 | ||
3378 | ipv6_rt() | |
3379 | { | |
3380 | local desc="$1" | |
3381 | local varg="-6 $2" | |
3382 | local with_vrf="yes" | |
3383 | local a | |
3384 | ||
3385 | # | |
3386 | # server tests | |
3387 | # | |
3388 | for a in ${NSA_IP6} ${VRF_IP6} | |
3389 | do | |
3390 | log_start | |
3391 | run_cmd nettest ${varg} -s & | |
3392 | sleep 1 | |
3393 | run_cmd_nsb nettest ${varg} -r ${a} & | |
3394 | sleep 3 | |
3395 | run_cmd ip link del ${VRF} | |
3396 | sleep 1 | |
3397 | log_test_addr ${a} 0 0 "${desc}, global server" | |
3398 | ||
3399 | setup ${with_vrf} | |
3400 | done | |
3401 | ||
3402 | for a in ${NSA_IP6} ${VRF_IP6} | |
3403 | do | |
3404 | log_start | |
3405 | run_cmd nettest ${varg} -d ${VRF} -s & | |
3406 | sleep 1 | |
3407 | run_cmd_nsb nettest ${varg} -r ${a} & | |
3408 | sleep 3 | |
3409 | run_cmd ip link del ${VRF} | |
3410 | sleep 1 | |
3411 | log_test_addr ${a} 0 0 "${desc}, VRF server" | |
3412 | ||
3413 | setup ${with_vrf} | |
3414 | done | |
3415 | ||
3416 | for a in ${NSA_IP6} ${VRF_IP6} | |
3417 | do | |
3418 | log_start | |
3419 | run_cmd nettest ${varg} -d ${NSA_DEV} -s & | |
3420 | sleep 1 | |
3421 | run_cmd_nsb nettest ${varg} -r ${a} & | |
3422 | sleep 3 | |
3423 | run_cmd ip link del ${VRF} | |
3424 | sleep 1 | |
3425 | log_test_addr ${a} 0 0 "${desc}, enslaved device server" | |
3426 | ||
3427 | setup ${with_vrf} | |
3428 | done | |
3429 | ||
3430 | # | |
3431 | # client test | |
3432 | # | |
3433 | log_start | |
3434 | run_cmd_nsb nettest ${varg} -s & | |
3435 | sleep 1 | |
3436 | run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} & | |
3437 | sleep 3 | |
3438 | run_cmd ip link del ${VRF} | |
3439 | sleep 1 | |
3440 | log_test 0 0 "${desc}, VRF client" | |
3441 | ||
3442 | setup ${with_vrf} | |
3443 | ||
3444 | log_start | |
3445 | run_cmd_nsb nettest ${varg} -s & | |
3446 | sleep 1 | |
3447 | run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} & | |
3448 | sleep 3 | |
3449 | run_cmd ip link del ${VRF} | |
3450 | sleep 1 | |
3451 | log_test 0 0 "${desc}, enslaved device client" | |
3452 | ||
3453 | setup ${with_vrf} | |
3454 | ||
3455 | ||
3456 | # | |
3457 | # local address tests | |
3458 | # | |
3459 | for a in ${NSA_IP6} ${VRF_IP6} | |
3460 | do | |
3461 | log_start | |
3462 | run_cmd nettest ${varg} -s & | |
3463 | sleep 1 | |
3464 | run_cmd nettest ${varg} -d ${VRF} -r ${a} & | |
3465 | sleep 3 | |
3466 | run_cmd ip link del ${VRF} | |
3467 | sleep 1 | |
3468 | log_test_addr ${a} 0 0 "${desc}, global server, VRF client" | |
3469 | ||
3470 | setup ${with_vrf} | |
3471 | done | |
3472 | ||
3473 | for a in ${NSA_IP6} ${VRF_IP6} | |
3474 | do | |
3475 | log_start | |
3476 | run_cmd nettest ${varg} -d ${VRF} -s & | |
3477 | sleep 1 | |
3478 | run_cmd nettest ${varg} -d ${VRF} -r ${a} & | |
3479 | sleep 3 | |
3480 | run_cmd ip link del ${VRF} | |
3481 | sleep 1 | |
3482 | log_test_addr ${a} 0 0 "${desc}, VRF server and client" | |
3483 | ||
3484 | setup ${with_vrf} | |
3485 | done | |
3486 | ||
3487 | a=${NSA_IP6} | |
3488 | log_start | |
3489 | run_cmd nettest ${varg} -s & | |
3490 | sleep 1 | |
3491 | run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & | |
3492 | sleep 3 | |
3493 | run_cmd ip link del ${VRF} | |
3494 | sleep 1 | |
3495 | log_test_addr ${a} 0 0 "${desc}, global server, device client" | |
3496 | ||
3497 | setup ${with_vrf} | |
3498 | ||
3499 | log_start | |
3500 | run_cmd nettest ${varg} -d ${VRF} -s & | |
3501 | sleep 1 | |
3502 | run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & | |
3503 | sleep 3 | |
3504 | run_cmd ip link del ${VRF} | |
3505 | sleep 1 | |
3506 | log_test_addr ${a} 0 0 "${desc}, VRF server, device client" | |
3507 | ||
3508 | setup ${with_vrf} | |
3509 | ||
3510 | log_start | |
3511 | run_cmd nettest ${varg} -d ${NSA_DEV} -s & | |
3512 | sleep 1 | |
3513 | run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} & | |
3514 | sleep 3 | |
3515 | run_cmd ip link del ${VRF} | |
3516 | sleep 1 | |
3517 | log_test_addr ${a} 0 0 "${desc}, device server, device client" | |
3518 | } | |
3519 | ||
3520 | ipv6_ping_rt() | |
3521 | { | |
3522 | local with_vrf="yes" | |
3523 | local a | |
3524 | ||
3525 | a=${NSA_IP6} | |
3526 | log_start | |
3527 | run_cmd_nsb ${ping6} -f ${a} & | |
3528 | sleep 3 | |
3529 | run_cmd ip link del ${VRF} | |
3530 | sleep 1 | |
3531 | log_test_addr ${a} 0 0 "Device delete with active traffic - ping in" | |
3532 | ||
3533 | setup ${with_vrf} | |
3534 | ||
3535 | log_start | |
3536 | run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} & | |
3537 | sleep 1 | |
3538 | run_cmd ip link del ${VRF} | |
3539 | sleep 1 | |
3540 | log_test_addr ${a} 0 0 "Device delete with active traffic - ping out" | |
3541 | } | |
3542 | ||
3543 | ipv6_runtime() | |
3544 | { | |
3545 | log_section "Run time tests - ipv6" | |
3546 | ||
3547 | setup "yes" | |
3548 | ipv6_ping_rt | |
3549 | ||
3550 | setup "yes" | |
3551 | ipv6_rt "TCP active socket" "-n -1" | |
3552 | ||
3553 | setup "yes" | |
3554 | ipv6_rt "TCP passive socket" "-i" | |
3555 | ||
3556 | setup "yes" | |
3557 | ipv6_rt "UDP active socket" "-D -n -1" | |
3558 | } | |
3559 | ||
88f2b360 DA |
3560 | ################################################################################ |
3561 | # netfilter blocking connections | |
3562 | ||
3563 | netfilter_tcp_reset() | |
3564 | { | |
3565 | local a | |
3566 | ||
3567 | for a in ${NSA_IP} ${VRF_IP} | |
3568 | do | |
3569 | log_start | |
3570 | run_cmd nettest -s & | |
3571 | sleep 1 | |
3572 | run_cmd_nsb nettest -r ${a} | |
3573 | log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx" | |
3574 | done | |
3575 | } | |
3576 | ||
3577 | netfilter_icmp() | |
3578 | { | |
3579 | local stype="$1" | |
3580 | local arg | |
3581 | local a | |
3582 | ||
3583 | [ "${stype}" = "UDP" ] && arg="-D" | |
3584 | ||
3585 | for a in ${NSA_IP} ${VRF_IP} | |
3586 | do | |
3587 | log_start | |
3588 | run_cmd nettest ${arg} -s & | |
3589 | sleep 1 | |
3590 | run_cmd_nsb nettest ${arg} -r ${a} | |
3591 | log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach" | |
3592 | done | |
3593 | } | |
3594 | ||
3595 | ipv4_netfilter() | |
3596 | { | |
88f2b360 DA |
3597 | log_section "IPv4 Netfilter" |
3598 | log_subsection "TCP reset" | |
3599 | ||
3600 | setup "yes" | |
3601 | run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset | |
3602 | ||
3603 | netfilter_tcp_reset | |
3604 | ||
3605 | log_start | |
3606 | log_subsection "ICMP unreachable" | |
3607 | ||
3608 | log_start | |
3609 | run_cmd iptables -F | |
3610 | run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable | |
3611 | run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable | |
3612 | ||
3613 | netfilter_icmp "TCP" | |
3614 | netfilter_icmp "UDP" | |
3615 | ||
3616 | log_start | |
3617 | iptables -F | |
3618 | } | |
3619 | ||
db6641ee DA |
3620 | netfilter_tcp6_reset() |
3621 | { | |
3622 | local a | |
3623 | ||
3624 | for a in ${NSA_IP6} ${VRF_IP6} | |
3625 | do | |
3626 | log_start | |
3627 | run_cmd nettest -6 -s & | |
3628 | sleep 1 | |
3629 | run_cmd_nsb nettest -6 -r ${a} | |
3630 | log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx" | |
3631 | done | |
3632 | } | |
3633 | ||
3634 | netfilter_icmp6() | |
3635 | { | |
3636 | local stype="$1" | |
3637 | local arg | |
3638 | local a | |
3639 | ||
3640 | [ "${stype}" = "UDP" ] && arg="$arg -D" | |
3641 | ||
3642 | for a in ${NSA_IP6} ${VRF_IP6} | |
3643 | do | |
3644 | log_start | |
3645 | run_cmd nettest -6 -s ${arg} & | |
3646 | sleep 1 | |
3647 | run_cmd_nsb nettest -6 ${arg} -r ${a} | |
3648 | log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach" | |
3649 | done | |
3650 | } | |
3651 | ||
3652 | ipv6_netfilter() | |
3653 | { | |
db6641ee DA |
3654 | log_section "IPv6 Netfilter" |
3655 | log_subsection "TCP reset" | |
3656 | ||
3657 | setup "yes" | |
3658 | run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset | |
3659 | ||
3660 | netfilter_tcp6_reset | |
3661 | ||
3662 | log_subsection "ICMP unreachable" | |
3663 | ||
3664 | log_start | |
3665 | run_cmd ip6tables -F | |
3666 | run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable | |
3667 | run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable | |
3668 | ||
3669 | netfilter_icmp6 "TCP" | |
3670 | netfilter_icmp6 "UDP" | |
3671 | ||
3672 | log_start | |
3673 | ip6tables -F | |
3674 | } | |
3675 | ||
56eba15d DA |
3676 | ################################################################################ |
3677 | # specific use cases | |
3678 | ||
3679 | # VRF only. | |
3680 | # ns-A device enslaved to bridge. Verify traffic with and without | |
3681 | # br_netfilter module loaded. Repeat with SVI on bridge. | |
3682 | use_case_br() | |
3683 | { | |
3684 | setup "yes" | |
3685 | ||
3686 | setup_cmd ip link set ${NSA_DEV} down | |
3687 | setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24 | |
3688 | setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64 | |
3689 | ||
3690 | setup_cmd ip link add br0 type bridge | |
3691 | setup_cmd ip addr add dev br0 ${NSA_IP}/24 | |
3692 | setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad | |
3693 | ||
3694 | setup_cmd ip li set ${NSA_DEV} master br0 | |
3695 | setup_cmd ip li set ${NSA_DEV} up | |
3696 | setup_cmd ip li set br0 up | |
3697 | setup_cmd ip li set br0 vrf ${VRF} | |
3698 | ||
3699 | rmmod br_netfilter 2>/dev/null | |
3700 | sleep 5 # DAD | |
3701 | ||
3702 | run_cmd ip neigh flush all | |
3703 | run_cmd ping -c1 -w1 -I br0 ${NSB_IP} | |
3704 | log_test $? 0 "Bridge into VRF - IPv4 ping out" | |
3705 | ||
3706 | run_cmd ip neigh flush all | |
3707 | run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6} | |
3708 | log_test $? 0 "Bridge into VRF - IPv6 ping out" | |
3709 | ||
3710 | run_cmd ip neigh flush all | |
3711 | run_cmd_nsb ping -c1 -w1 ${NSA_IP} | |
3712 | log_test $? 0 "Bridge into VRF - IPv4 ping in" | |
3713 | ||
3714 | run_cmd ip neigh flush all | |
3715 | run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} | |
3716 | log_test $? 0 "Bridge into VRF - IPv6 ping in" | |
3717 | ||
3718 | modprobe br_netfilter | |
3719 | if [ $? -eq 0 ]; then | |
3720 | run_cmd ip neigh flush all | |
3721 | run_cmd ping -c1 -w1 -I br0 ${NSB_IP} | |
3722 | log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out" | |
3723 | ||
3724 | run_cmd ip neigh flush all | |
3725 | run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6} | |
3726 | log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out" | |
3727 | ||
3728 | run_cmd ip neigh flush all | |
3729 | run_cmd_nsb ping -c1 -w1 ${NSA_IP} | |
3730 | log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in" | |
3731 | ||
3732 | run_cmd ip neigh flush all | |
3733 | run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6} | |
3734 | log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in" | |
3735 | fi | |
3736 | ||
3737 | setup_cmd ip li set br0 nomaster | |
3738 | setup_cmd ip li add br0.100 link br0 type vlan id 100 | |
3739 | setup_cmd ip li set br0.100 vrf ${VRF} up | |
3740 | setup_cmd ip addr add dev br0.100 172.16.101.1/24 | |
3741 | setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad | |
3742 | ||
3743 | setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100 | |
3744 | setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24 | |
3745 | setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad | |
3746 | setup_cmd_nsb ip li set vlan100 up | |
3747 | sleep 1 | |
3748 | ||
3749 | rmmod br_netfilter 2>/dev/null | |
3750 | ||
3751 | run_cmd ip neigh flush all | |
3752 | run_cmd ping -c1 -w1 -I br0.100 172.16.101.2 | |
3753 | log_test $? 0 "Bridge vlan into VRF - IPv4 ping out" | |
3754 | ||
3755 | run_cmd ip neigh flush all | |
3756 | run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2 | |
3757 | log_test $? 0 "Bridge vlan into VRF - IPv6 ping out" | |
3758 | ||
3759 | run_cmd ip neigh flush all | |
3760 | run_cmd_nsb ping -c1 -w1 172.16.101.1 | |
3761 | log_test $? 0 "Bridge vlan into VRF - IPv4 ping in" | |
3762 | ||
3763 | run_cmd ip neigh flush all | |
3764 | run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1 | |
3765 | log_test $? 0 "Bridge vlan into VRF - IPv6 ping in" | |
3766 | ||
3767 | modprobe br_netfilter | |
3768 | if [ $? -eq 0 ]; then | |
3769 | run_cmd ip neigh flush all | |
3770 | run_cmd ping -c1 -w1 -I br0.100 172.16.101.2 | |
3771 | log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out" | |
3772 | ||
3773 | run_cmd ip neigh flush all | |
3774 | run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2 | |
3775 | log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out" | |
3776 | ||
3777 | run_cmd ip neigh flush all | |
3778 | run_cmd_nsb ping -c1 -w1 172.16.101.1 | |
3779 | log_test $? 0 "Bridge vlan into VRF - IPv4 ping in" | |
3780 | ||
3781 | run_cmd ip neigh flush all | |
3782 | run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1 | |
3783 | log_test $? 0 "Bridge vlan into VRF - IPv6 ping in" | |
3784 | fi | |
3785 | ||
3786 | setup_cmd ip li del br0 2>/dev/null | |
3787 | setup_cmd_nsb ip li del vlan100 2>/dev/null | |
3788 | } | |
3789 | ||
3790 | use_cases() | |
3791 | { | |
3792 | log_section "Use cases" | |
3793 | use_case_br | |
3794 | } | |
3795 | ||
6f9d5cac DA |
3796 | ################################################################################ |
3797 | # usage | |
3798 | ||
3799 | usage() | |
3800 | { | |
3801 | cat <<EOF | |
3802 | usage: ${0##*/} OPTS | |
3803 | ||
3804 | -4 IPv4 tests only | |
3805 | -6 IPv6 tests only | |
3806 | -t <test> Test name/set to run | |
3807 | -p Pause on fail | |
3808 | -P Pause after each test | |
3809 | -v Be verbose | |
3810 | EOF | |
3811 | } | |
3812 | ||
3813 | ################################################################################ | |
3814 | # main | |
3815 | ||
88f2b360 | 3816 | TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_addr_bind ipv4_runtime ipv4_netfilter" |
db6641ee | 3817 | TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_addr_bind ipv6_runtime ipv6_netfilter" |
56eba15d DA |
3818 | TESTS_OTHER="use_cases" |
3819 | ||
6f9d5cac DA |
3820 | PAUSE_ON_FAIL=no |
3821 | PAUSE=no | |
3822 | ||
3823 | while getopts :46t:pPvh o | |
3824 | do | |
3825 | case $o in | |
3826 | 4) TESTS=ipv4;; | |
3827 | 6) TESTS=ipv6;; | |
3828 | t) TESTS=$OPTARG;; | |
3829 | p) PAUSE_ON_FAIL=yes;; | |
3830 | P) PAUSE=yes;; | |
3831 | v) VERBOSE=1;; | |
3832 | h) usage; exit 0;; | |
3833 | *) usage; exit 1;; | |
3834 | esac | |
3835 | done | |
3836 | ||
3837 | # make sure we don't pause twice | |
3838 | [ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no | |
3839 | ||
3840 | # | |
3841 | # show user test config | |
3842 | # | |
3843 | if [ -z "$TESTS" ]; then | |
3844 | TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER" | |
3845 | elif [ "$TESTS" = "ipv4" ]; then | |
3846 | TESTS="$TESTS_IPV4" | |
3847 | elif [ "$TESTS" = "ipv6" ]; then | |
3848 | TESTS="$TESTS_IPV6" | |
3849 | fi | |
3850 | ||
f887427b DA |
3851 | which nettest >/dev/null |
3852 | if [ $? -ne 0 ]; then | |
3853 | echo "'nettest' command not found; skipping tests" | |
3854 | exit 0 | |
3855 | fi | |
3856 | ||
6f9d5cac DA |
3857 | declare -i nfail=0 |
3858 | declare -i nsuccess=0 | |
3859 | ||
3860 | for t in $TESTS | |
3861 | do | |
3862 | case $t in | |
c032dd8c | 3863 | ipv4_ping|ping) ipv4_ping;; |
bbd7c764 | 3864 | ipv4_tcp|tcp) ipv4_tcp;; |
a4368be9 | 3865 | ipv4_udp|udp) ipv4_udp;; |
75b2b2b3 | 3866 | ipv4_bind|bind) ipv4_addr_bind;; |
0113f726 | 3867 | ipv4_runtime) ipv4_runtime;; |
88f2b360 | 3868 | ipv4_netfilter) ipv4_netfilter;; |
bbd7c764 | 3869 | |
c0644e71 | 3870 | ipv6_ping|ping6) ipv6_ping;; |
a071bbf2 | 3871 | ipv6_tcp|tcp6) ipv6_tcp;; |
6abdb651 | 3872 | ipv6_udp|udp6) ipv6_udp;; |
34d0302a | 3873 | ipv6_bind|bind6) ipv6_addr_bind;; |
4cd12f61 | 3874 | ipv6_runtime) ipv6_runtime;; |
db6641ee | 3875 | ipv6_netfilter) ipv6_netfilter;; |
c032dd8c | 3876 | |
56eba15d DA |
3877 | use_cases) use_cases;; |
3878 | ||
6f9d5cac DA |
3879 | # setup namespaces and config, but do not run any tests |
3880 | setup) setup; exit 0;; | |
3881 | vrf_setup) setup "yes"; exit 0;; | |
3882 | ||
3883 | help) echo "Test names: $TESTS"; exit 0;; | |
3884 | esac | |
3885 | done | |
3886 | ||
3887 | cleanup 2>/dev/null | |
3888 | ||
3889 | printf "\nTests passed: %3d\n" ${nsuccess} | |
3890 | printf "Tests failed: %3d\n" ${nfail} |