2 # SPDX-License-Identifier: GPL-2.0
4 # Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
6 # IPv4 and IPv6 functional tests focusing on VRF and routing lookups
7 # for various permutations:
8 # 1. icmp, tcp, udp and netfilter
9 # 2. client, server, no-server
10 # 3. global address on interface
11 # 4. global address on 'lo'
12 # 5. remote and local traffic
13 # 6. VRF and non-VRF permutations
18 # [ lo ] [ eth1 ]---|---[ eth1 ] [ lo ]
21 # [ red ]---[ eth1 ]---|---[ eth1 ] [ lo ]
24 # eth1: 172.16.1.1/24, 2001:db8:1::1/64
25 # lo: 127.0.0.1/8, ::1/128
26 # 172.16.2.1/32, 2001:db8:2::1/128
27 # red: 127.0.0.1/8, ::1/128
28 # 172.16.3.1/32, 2001:db8:3::1/128
31 # eth1: 172.16.1.2/24, 2001:db8:1::2/64
32 # lo2: 127.0.0.1/8, ::1/128
33 # 172.16.2.2/32, 2001:db8:2::2/128
35 # ns-A to ns-C connection - only for VRF and same config
38 # server / client nomenclature relative to ns-A
# NOTE(review): $PWD and a $PWD-relative selftests directory are searched
# before the inherited PATH, so every bare command name used below (ip,
# sysctl, ping, killall, which, nettest) resolves to a same-named executable
# in the current directory first. The namespace and sysctl commands in this
# script presumably need root - confirm, and start it only from a directory
# whose contents are trusted.
42 PATH=$PWD:$PWD/tools/testing/selftests/net:$PATH
63 NS_NET6=2001:db8:1::/120
67 NSA_LO_IP6=2001:db8:2::1
68 NSB_LO_IP6=2001:db8:2::2
70 # non-local addresses for freebind tests
74 # multicast and broadcast addresses
76 BCAST_IP=255.255.255.255
82 # set after namespace create
# Pick the binary used for IPv6 ping: ping6 when `which` finds it, else ping.
# NOTE(review): in an `a && b || c` chain the fallback also runs when the
# middle assignment fails, not only when the first test fails.
86 which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)
88 # Check if FIPS mode is enabled
# fips_enabled is compared with "1" before ipv4_tcp_md5_novrf is called and
# with "0" in the VRF TCP tests further down, so the TCP MD5 cases are gated
# on this value. The rest of this `if` is not visible in this listing.
89 if [ -f /proc/sys/crypto/fips_enabled ]; then
90 fips_enabled=`cat /proc/sys/crypto/fips_enabled`
95 ################################################################################
105 [ "${VERBOSE}" = "1" ] && echo
107 if [ ${rc} -eq ${expected} ]; then
108 nsuccess=$((nsuccess+1))
109 printf "TEST: %-70s [ OK ]\n" "${msg}"
112 printf "TEST: %-70s [FAIL]\n" "${msg}"
113 echo " expected rc $expected; actual rc $rc"
114 if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
116 echo "hit enter to continue, 'q' to quit"
118 [ "$ans" = "q" ] && exit 1
122 if [ "${PAUSE}" = "yes" ]; then
124 echo "hit enter to continue, 'q' to quit"
126 [ "$ans" = "q" ] && exit 1
140 astr=$(addr2str ${addr})
141 log_test $rc $expected "$msg - ${astr}"
147 echo "###########################################################################"
149 echo "###########################################################################"
156 echo "#################################################################"
163 # make sure we have no test instances running
166 if [ "${VERBOSE}" = "1" ]; then
168 echo "#######################################################"
174 if [ "${VERBOSE}" = "1" ]; then
183 if [ "${VERBOSE}" = "1" ]; then
# NOTE(review): killall selects by process name and carries no namespace
# prefix on this line, so as written it signals every nettest, ping and ping6
# process the caller is allowed to signal, not only those this script
# started. All output, including "no process found", is discarded.
191 killall nettest ping ping6 >/dev/null 2>&1
# Allow every group id to create ICMP datagram ("ping") sockets in ns-A.
# net.ipv4.ping_group_range holds the lowest and highest gid permitted to
# open such sockets; '0 2147483647' spans the whole gid range. The write goes
# through NSA_CMD (`ip netns exec ${NSA}`), so it is made inside that
# namespace rather than on the host.
197 if [ "$VERBOSE" = "1" ]; then
198 echo "COMMAND: ${NSA_CMD} sysctl -q -w net.ipv4.ping_group_range='0 2147483647'"
201 ${NSA_CMD} sysctl -q -w net.ipv4.ping_group_range='0 2147483647'
# With VERBOSE=1 the command is echoed before it runs. How cmd is assigned is
# not visible here; presumably it is the joined argument list, in which case
# the MD5 passwords passed with -M / -X in the TCP tests show up in the
# verbose output - confirm before sharing logs from non-test keys.
209 if [ "$VERBOSE" = "1" ]; then
210 echo "COMMAND: ${cmd}"
215 if [ "$VERBOSE" = "1" -a -n "$out" ]; then
# Per-namespace wrappers: each prefixes the caller's command with that
# namespace's `ip netns exec` string. $* is unquoted, so the arguments are
# re-split on whitespace and an argument containing a space does not survive
# as a single word.
224 do_run_cmd ${NSA_CMD} $*
229 do_run_cmd ${NSB_CMD} $*
234 do_run_cmd ${NSC_CMD} $*
244 if [ $rc -ne 0 ]; then
245 # show user the command if not done so already
246 if [ "$VERBOSE" = "0" ]; then
247 echo "setup command: $cmd"
249 echo "failed. stopping tests"
250 if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
252 echo "hit enter to continue"
266 if [ $rc -ne 0 ]; then
267 # show user the command if not done so already
268 if [ "$VERBOSE" = "0" ]; then
269 echo "setup command: $cmd"
271 echo "failed. stopping tests"
272 if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
274 echo "hit enter to continue"
288 if [ $rc -ne 0 ]; then
289 # show user the command if not done so already
290 if [ "$VERBOSE" = "0" ]; then
291 echo "setup command: $cmd"
293 echo "failed. stopping tests"
294 if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
296 echo "hit enter to continue"
303 # set sysctl values in NS-A
308 run_cmd sysctl -q -w $*
311 # get sysctl values in NS-A
314 ${NSA_CMD} sysctl -n $*
317 ################################################################################
323 127.0.0.1) echo "loopback";;
324 ::1) echo "IPv6 loopback";;
326 ${BCAST_IP}) echo "broadcast";;
327 ${MCAST_IP}) echo "multicast";;
329 ${NSA_IP}) echo "ns-A IP";;
330 ${NSA_IP6}) echo "ns-A IPv6";;
331 ${NSA_LO_IP}) echo "ns-A loopback IP";;
332 ${NSA_LO_IP6}) echo "ns-A loopback IPv6";;
333 ${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;
335 ${NSB_IP}) echo "ns-B IP";;
336 ${NSB_IP6}) echo "ns-B IPv6";;
337 ${NSB_LO_IP}) echo "ns-B loopback IP";;
338 ${NSB_LO_IP6}) echo "ns-B loopback IPv6";;
339 ${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;
341 ${NL_IP}) echo "nonlocal IP";;
342 ${NL_IP6}) echo "nonlocal IPv6";;
344 ${VRF_IP}) echo "VRF IP";;
345 ${VRF_IP6}) echo "VRF IPv6";;
347 ${MCAST}%*) echo "multicast IP";;
359 addr=$(ip -netns ${ns} -6 -br addr show dev ${dev} | \
361 for (i = 3; i <= NF; ++i) {
369 [ -z "$addr" ] && return 1
376 ################################################################################
377 # create namespaces and vrf
# Create VRF device ${vrf} in namespace ${ns}, tied to routing table ${table},
# and bring it up.
387 ip -netns ${ns} link add ${vrf} type vrf table ${table}
388 ip -netns ${ns} link set ${vrf} up
# Catch-all for the VRF table: a destination with no more specific route in
# the VRF resolves to "unreachable" (IPv4 and IPv6).
389 ip -netns ${ns} route add vrf ${vrf} unreachable default metric 8192
390 ip -netns ${ns} -6 route add vrf ${vrf} unreachable default metric 8192
# Loopback addresses on the VRF device itself; nodad skips duplicate address
# detection for the IPv6 one.
392 ip -netns ${ns} addr add 127.0.0.1/8 dev ${vrf}
393 ip -netns ${ns} -6 addr add ::1 dev ${vrf} nodad
# "-" is the callers' placeholder for "no address".
394 if [ "${addr}" != "-" ]; then
395 ip -netns ${ns} addr add dev ${vrf} ${addr}
397 if [ "${addr6}" != "-" ]; then
398 ip -netns ${ns} -6 addr add dev ${vrf} ${addr6}
# Move the "lookup local" rule from preference 0 to 32765 for both address
# families. NOTE(review): presumably so the VRF table is consulted before the
# local table - confirm. The old rule is deleted before the new one is added,
# so for a moment the namespace has no local-table rule.
401 ip -netns ${ns} ru del pref 0
402 ip -netns ${ns} ru add pref 32765 from all lookup local
403 ip -netns ${ns} -6 ru del pref 0
404 ip -netns ${ns} -6 ru add pref 32765 from all lookup local
# Optional extra addresses on lo in namespace ${ns}; "-" means "none".
413 if [ "${addr}" != "-" ]; then
414 ip -netns ${ns} addr add dev lo ${addr}
416 if [ "${addr6}" != "-" ]; then
417 ip -netns ${ns} -6 addr add dev lo ${addr6}
# Unreachable default routes: a destination without an explicit route fails
# the lookup instead of being forwarded somewhere by default.
420 ip -netns ${ns} ro add unreachable default metric 8192
421 ip -netns ${ns} -6 ro add unreachable default metric 8192
# Turn on IPv4/IPv6 forwarding and keep IPv6 addresses when a link goes down.
# These writes run under `ip netns exec ${ns}`, i.e. inside the test
# namespace.
423 ip netns exec ${ns} sysctl -qw net.ipv4.ip_forward=1
424 ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
425 ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.forwarding=1
426 ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.forwarding=1
429 # create veth pair to connect namespaces and apply addresses.
441 ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp
442 ip -netns ${ns1} li set ${ns1_dev} up
443 ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev}
444 ip -netns ${ns2} li set ${ns2_dev} up
446 if [ "${ns1_addr}" != "-" ]; then
447 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr}
448 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr}
451 if [ "${ns1_addr6}" != "-" ]; then
452 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6}
453 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6}
459 # explicit cleanups to check those code paths
# NOTE(review): ${NSA} is unquoted and grep matches substrings, so any
# namespace whose name merely contains the value of NSA passes this check.
460 ip netns | grep -q ${NSA}
461 if [ $? -eq 0 ]; then
462 ip -netns ${NSA} link delete ${VRF}
463 ip -netns ${NSA} ro flush table ${VRF_TABLE}
465 ip -netns ${NSA} addr flush dev ${NSA_DEV}
466 ip -netns ${NSA} -6 addr flush dev ${NSA_DEV}
467 ip -netns ${NSA} link set dev ${NSA_DEV} down
468 ip -netns ${NSA} link del dev ${NSA_DEV}
# Signal every pid that `ip netns pids` reports for the namespace. stderr from
# kill is discarded, so a failed kill (or kill being run with no pids at all)
# goes unreported.
470 ip netns pids ${NSA} | xargs kill 2>/dev/null
474 ip netns pids ${NSB} | xargs kill 2>/dev/null
475 ip netns pids ${NSC} | xargs kill 2>/dev/null
476 cleanup_ns ${NSB} ${NSC}
481 ip link del ${NSA_DEV2} >/dev/null 2>&1
482 ip netns pids ${NSC} | xargs kill 2>/dev/null
483 ip netns del ${NSC} >/dev/null 2>&1
488 # some VRF tests use ns-C which has the same config as
489 # ns-B but for a device NOT in the VRF
491 NSC_CMD="ip netns exec ${NSC}"
492 create_ns ${NSC} "-" "-"
493 connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \
494 ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
501 # make sure we are starting with a clean slate
505 log_debug "Configuring network namespaces"
509 NSA_CMD="ip netns exec ${NSA}"
510 NSB_CMD="ip netns exec ${NSB}"
512 create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128
513 create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128
514 connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \
515 ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
517 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
518 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
520 # tell ns-A how to get to remote addresses of ns-B
521 if [ "${with_vrf}" = "yes" ]; then
522 create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6}
524 ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
525 ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
526 ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
528 ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
529 ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
531 ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
532 ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
536 # tell ns-B how to get to remote addresses of ns-A
537 ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
538 ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
547 # make sure we are starting with a clean slate
551 log_debug "Configuring network namespaces"
555 NSA_CMD="ip netns exec ${NSA}"
556 NSB_CMD="ip netns exec ${NSB}"
557 NSC_CMD="ip netns exec ${NSC}"
558 create_ns ${NSA} "-" "-"
559 create_ns ${NSB} "-" "-"
560 create_ns ${NSC} "-" "-"
561 connect_ns ${NSA} ${NSA_DEV} "-" "-" \
562 ${NSB} ${NSB_DEV} "-" "-"
563 connect_ns ${NSA} ${NSA_DEV2} "-" "-" \
564 ${NSC} ${NSC_DEV} "-" "-"
566 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
567 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
568 NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV})
570 create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-"
571 ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
572 ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF}
579 ################################################################################
589 for a in ${NSB_IP} ${NSB_LO_IP}
592 run_cmd ping -c1 -w1 ${a}
593 log_test_addr ${a} $? 0 "ping out"
596 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
597 log_test_addr ${a} $? 0 "ping out, device bind"
600 run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a}
601 log_test_addr ${a} $? 0 "ping out, address bind"
605 # out, but don't use gateway if peer is not on link
609 run_cmd ping -c 1 -w 1 -r ${a}
610 log_test_addr ${a} $? 0 "ping out (don't route), peer on link"
614 show_hint "Fails since peer is not on link"
615 run_cmd ping -c 1 -w 1 -r ${a}
616 log_test_addr ${a} $? 1 "ping out (don't route), peer not on link"
621 for a in ${NSA_IP} ${NSA_LO_IP}
624 run_cmd_nsb ping -c1 -w1 ${a}
625 log_test_addr ${a} $? 0 "ping in"
631 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
634 run_cmd ping -c1 -w1 ${a}
635 log_test_addr ${a} $? 0 "ping local"
639 # local traffic, socket bound to device
644 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
645 log_test_addr ${a} $? 0 "ping local, device bind"
647 # loopback addresses not reachable from device bind
648 # fails in a really weird way though because ipv4 special cases
649 # route lookups with oif set.
650 for a in ${NSA_LO_IP} 127.0.0.1
653 show_hint "Fails since address on loopback device is out of device scope"
654 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
655 log_test_addr ${a} $? 1 "ping local, device bind"
659 # ip rule blocks reachability to remote address
662 setup_cmd ip rule add pref 32765 from all lookup local
663 setup_cmd ip rule del pref 0 from all lookup local
664 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
665 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit
668 run_cmd ping -c1 -w1 ${a}
669 log_test_addr ${a} $? 2 "ping out, blocked by rule"
671 # NOTE: ipv4 actually allows the lookup to fail and yet still create
672 # a viable rtable if the oif (e.g., bind to device) is set, so this
673 # case succeeds despite the rule
674 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
678 show_hint "Response generates ICMP (or arp request is ignored) due to ip rule"
679 run_cmd_nsb ping -c1 -w1 ${a}
680 log_test_addr ${a} $? 1 "ping in, blocked by rule"
682 [ "$VERBOSE" = "1" ] && echo
683 setup_cmd ip rule del pref 32765 from all lookup local
684 setup_cmd ip rule add pref 0 from all lookup local
685 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
686 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit
689 # route blocks reachability to remote address
692 setup_cmd ip route replace unreachable ${NSB_LO_IP}
693 setup_cmd ip route replace unreachable ${NSB_IP}
696 run_cmd ping -c1 -w1 ${a}
697 log_test_addr ${a} $? 2 "ping out, blocked by route"
699 # NOTE: ipv4 actually allows the lookup to fail and yet still create
700 # a viable rtable if the oif (e.g., bind to device) is set, so this
701 # case succeeds despite not having a route for the address
702 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
706 show_hint "Response is dropped (or arp request is ignored) due to ip route"
707 run_cmd_nsb ping -c1 -w1 ${a}
708 log_test_addr ${a} $? 1 "ping in, blocked by route"
711 # remove 'remote' routes; fallback to default
714 setup_cmd ip ro del ${NSB_LO_IP}
717 run_cmd ping -c1 -w1 ${a}
718 log_test_addr ${a} $? 2 "ping out, unreachable default route"
720 # NOTE: ipv4 actually allows the lookup to fail and yet still create
721 # a viable rtable if the oif (e.g., bind to device) is set, so this
722 # case succeeds despite not having a route for the address
723 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
730 # should default on; does not exist on older kernels
731 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
736 for a in ${NSB_IP} ${NSB_LO_IP}
739 run_cmd ping -c1 -w1 -I ${VRF} ${a}
740 log_test_addr ${a} $? 0 "ping out, VRF bind"
743 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
744 log_test_addr ${a} $? 0 "ping out, device bind"
747 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a}
748 log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind"
751 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a}
752 log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind"
758 for a in ${NSA_IP} ${VRF_IP}
761 run_cmd_nsb ping -c1 -w1 ${a}
762 log_test_addr ${a} $? 0 "ping in"
766 # local traffic, local address
768 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
771 show_hint "Source address should be ${a}"
772 run_cmd ping -c1 -w1 -I ${VRF} ${a}
773 log_test_addr ${a} $? 0 "ping local, VRF bind"
777 # local traffic, socket bound to device
782 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
783 log_test_addr ${a} $? 0 "ping local, device bind"
785 # vrf device is out of scope
786 for a in ${VRF_IP} 127.0.0.1
789 show_hint "Fails since address on vrf device is out of device scope"
790 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
791 log_test_addr ${a} $? 2 "ping local, device bind"
795 # ip rule blocks address
798 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
799 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit
802 run_cmd ping -c1 -w1 -I ${VRF} ${a}
803 log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule"
806 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
807 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
811 show_hint "Response lost due to ip rule"
812 run_cmd_nsb ping -c1 -w1 ${a}
813 log_test_addr ${a} $? 1 "ping in, blocked by rule"
815 [ "$VERBOSE" = "1" ] && echo
816 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
817 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit
820 # remove 'remote' routes; fallback to default
823 setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP}
826 run_cmd ping -c1 -w1 -I ${VRF} ${a}
827 log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route"
830 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
831 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
835 show_hint "Response lost by unreachable route"
836 run_cmd_nsb ping -c1 -w1 ${a}
837 log_test_addr ${a} $? 1 "ping in, unreachable route"
842 log_section "IPv4 ping"
844 log_subsection "No VRF"
846 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null
849 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
855 log_subsection "With VRF"
863 ################################################################################
# TCP MD5 signature tests with no VRF in the picture. As the commands show,
# the server side (run_cmd, ns-A) installs a key with
# `-M <password> -m <peer address or prefix>` and the client side
# (run_cmd_nsb) presents one with `-X <password>`, connecting to ${NSA_IP}.
# Expected rc, going by the hints: 0 = connection established, 2 = client
# timed out. A timeout rather than a refusal is consistent with unsigned or
# mis-signed segments being dropped without a reply (inferred from the hints).
867 # MD5 tests without VRF
# Key configured for the client's exact address, matching password: accepted.
877 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
879 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
880 log_test $? 0 "MD5: Single address config"
882 # client sends MD5, server not configured
884 show_hint "Should timeout due to MD5 mismatch"
887 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
888 log_test $? 2 "MD5: Server no config, client uses password"
# Right peer address, wrong password.
892 show_hint "Should timeout since client uses wrong password"
893 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
895 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
896 log_test $? 2 "MD5: Client uses wrong password"
898 # client from different address
# The key is installed for ${NSB_LO_IP}; the client gives no -c source
# address, so the key is not expected to apply to this connection.
900 show_hint "Should timeout due to MD5 mismatch"
901 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} &
903 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
904 log_test $? 2 "MD5: Client address does not match address configured with password"
907 # MD5 extension - prefix length
# Same three cases with the key attached to the prefix ${NS_NET} instead of a
# single peer address.
912 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
914 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
915 log_test $? 0 "MD5: Prefix config"
917 # client in prefix, wrong password
919 show_hint "Should timeout since client uses wrong password"
920 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
922 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
923 log_test $? 2 "MD5: Prefix config, client uses wrong password"
925 # client outside of prefix
# -c ${NSB_LO_IP} makes the client use a source address that the log message
# describes as outside the configured prefix.
927 show_hint "Should timeout due to MD5 mismatch"
928 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
930 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
931 log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
945 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
947 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
948 log_test $? 0 "MD5: VRF: Single address config"
950 # client sends MD5, server not configured
952 show_hint "Should timeout since server does not have MD5 auth"
953 run_cmd nettest -s -I ${VRF} &
955 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
956 log_test $? 2 "MD5: VRF: Server no config, client uses password"
960 show_hint "Should timeout since client uses wrong password"
961 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
963 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
964 log_test $? 2 "MD5: VRF: Client uses wrong password"
966 # client from different address
968 show_hint "Should timeout since server config differs from client"
969 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} &
971 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
972 log_test $? 2 "MD5: VRF: Client address does not match address configured with password"
975 # MD5 extension - prefix length
980 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
982 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
983 log_test $? 0 "MD5: VRF: Prefix config"
985 # client in prefix, wrong password
987 show_hint "Should timeout since client uses wrong password"
988 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
990 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
991 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"
993 # client outside of prefix
995 show_hint "Should timeout since client address is outside of prefix"
996 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
998 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
999 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"
1002 # duplicate config between default VRF and a VRF
# Key-scoping checks. Two servers run in ns-A for the same peer address (or
# prefix): one bound to ${VRF} with ${MD5_PW}, one unbound (default VRF) with
# ${MD5_WRONG_PW}. run_cmd_nsb clients arrive over the device placed in the
# VRF; run_cmd_nsc clients arrive from ns-C, which the setup comments describe
# as attached through a device NOT in the VRF. Each client is expected to be
# accepted only with the key of the L3 domain it arrives in (rc 0) and to
# time out with the other domain's key (rc 2).
1006 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
1007 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
1009 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1010 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"
1013 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
1014 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
1016 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
1017 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"
# Cross-domain key use, single-address config: both directions must fail.
1020 show_hint "Should timeout since client in default VRF uses VRF password"
1021 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
1022 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
1024 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
1025 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"
1028 show_hint "Should timeout since client in VRF uses default VRF password"
1029 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
1030 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
1032 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
1033 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"
# The same four cases with the keys attached to the prefix ${NS_NET}.
1036 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
1037 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
1039 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1040 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"
1043 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
1044 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
1046 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
1047 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"
1050 show_hint "Should timeout since client in default VRF uses VRF password"
1051 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
1052 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
1054 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
1055 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"
1058 show_hint "Should timeout since client in VRF uses default VRF password"
1059 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
1060 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
1062 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
1063 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"
1069 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP}
1070 log_test $? 1 "MD5: VRF: Device must be a VRF - single address"
1073 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET}
1074 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"
1076 test_ipv4_md5_vrf__vrf_server__no_bind_ifindex
1077 test_ipv4_md5_vrf__global_server__bind_ifindex0
# VRF-bound server socket with the MD5 key either left unbound or explicitly
# bound to an ifindex. Both cases expect the ns-B client to connect (rc 0).
# NOTE(review): the two --*-bind-key-ifindex options presumably decide
# whether nettest installs the key with TCP_MD5SIG_FLAG_IFINDEX, as the first
# hint suggests - confirm against nettest.
1080 test_ipv4_md5_vrf__vrf_server__no_bind_ifindex()
1083 show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX"
1084 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
1086 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1087 log_test $? 0 "MD5: VRF: VRF-bound server, unbound key accepts connection"
1090 show_hint "Binding both the socket and the key is not required but it works"
1091 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
1093 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1094 log_test $? 0 "MD5: VRF: VRF-bound server, bound key accepts connection"
# Global (not VRF-bound) server with the MD5 key either bound to ifindex 0 or
# left unbound. The current tcp_l3mdev_accept value is saved first and
# written back on the last line.
1097 test_ipv4_md5_vrf__global_server__bind_ifindex0()
1099 # This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections
1100 local old_tcp_l3mdev_accept
1101 old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept)
1102 set_sysctl net.ipv4.tcp_l3mdev_accept=1
# Key bound to ifindex 0: the client arriving through the VRF must not be
# authenticated by it (rc 2), while the non-VRF client from ns-C is (rc 0).
1105 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
1107 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1108 log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection"
1111 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
1113 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
1114 log_test $? 0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection"
# Unbound key: expected to authenticate the peer whether it arrives through
# the VRF or not. With tcp_l3mdev_accept=1 this is the configuration in which
# one key is shared across L3 domains.
1117 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
1119 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1120 log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection"
1123 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
1125 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
1126 log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection"
1129 set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept"
1132 ipv4_tcp_dontroute()
1135 local nsa_syncookies
1136 local nsb_syncookies
1140 # Link local connection tests (SO_DONTROUTE).
1141 # Connections should succeed only when the remote IP address is
1142 # on link (doesn't need to be routed through a gateway).
1145 nsa_syncookies=$(ip netns exec "${NSA}" sysctl -n net.ipv4.tcp_syncookies)
1146 nsb_syncookies=$(ip netns exec "${NSB}" sysctl -n net.ipv4.tcp_syncookies)
1147 ip netns exec "${NSA}" sysctl -wq net.ipv4.tcp_syncookies=${syncookies}
1148 ip netns exec "${NSB}" sysctl -wq net.ipv4.tcp_syncookies=${syncookies}
1150 # Test with eth1 address (on link).
1154 do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute
1155 log_test_addr ${a} $? 0 "SO_DONTROUTE client, syncookies=${syncookies}"
1159 do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -r ${a} --server-dontroute
1160 log_test_addr ${a} $? 0 "SO_DONTROUTE server, syncookies=${syncookies}"
1162 # Test with loopback address (routed).
1164 # The client would use the eth1 address as source IP by default.
1165 # Therefore, we need to use the -c option here, to force the use of the
1166 # routed (loopback) address as source IP (so that the server will try
1167 # to respond to a routed address and not a link local one).
1171 show_hint "Should fail 'Network is unreachable' since server is not on link"
1172 do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -c "${NSA_LO_IP}" -r ${a} --client-dontroute
1173 log_test_addr ${a} $? 1 "SO_DONTROUTE client, syncookies=${syncookies}"
1177 show_hint "Should timeout since server cannot respond (client is not on link)"
1178 do_run_cmd nettest -B -N "${NSA}" -O "${NSB}" -c "${NSA_LO_IP}" -r ${a} --server-dontroute
1179 log_test_addr ${a} $? 2 "SO_DONTROUTE server, syncookies=${syncookies}"
1181 ip netns exec "${NSB}" sysctl -wq net.ipv4.tcp_syncookies=${nsb_syncookies}
1182 ip netns exec "${NSA}" sysctl -wq net.ipv4.tcp_syncookies=${nsa_syncookies}
1192 for a in ${NSA_IP} ${NSA_LO_IP}
1195 run_cmd nettest -s &
1197 run_cmd_nsb nettest -r ${a}
1198 log_test_addr ${a} $? 0 "Global server"
1203 run_cmd nettest -s -I ${NSA_DEV} &
1205 run_cmd_nsb nettest -r ${a}
1206 log_test_addr ${a} $? 0 "Device server"
1208 # verify TCP reset sent and received
1209 for a in ${NSA_IP} ${NSA_LO_IP}
1212 show_hint "Should fail 'Connection refused' since there is no server"
1213 run_cmd_nsb nettest -r ${a}
1214 log_test_addr ${a} $? 1 "No server"
1220 for a in ${NSB_IP} ${NSB_LO_IP}
1223 run_cmd_nsb nettest -s &
1225 run_cmd nettest -r ${a} -0 ${NSA_IP}
1226 log_test_addr ${a} $? 0 "Client"
1229 run_cmd_nsb nettest -s &
1231 run_cmd nettest -r ${a} -d ${NSA_DEV}
1232 log_test_addr ${a} $? 0 "Client, device bind"
1235 show_hint "Should fail 'Connection refused'"
1236 run_cmd nettest -r ${a}
1237 log_test_addr ${a} $? 1 "No server, unbound client"
1240 show_hint "Should fail 'Connection refused'"
1241 run_cmd nettest -r ${a} -d ${NSA_DEV}
1242 log_test_addr ${a} $? 1 "No server, device client"
1246 # local address tests
1248 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
1251 run_cmd nettest -s &
1253 run_cmd nettest -r ${a} -0 ${a} -1 ${a}
1254 log_test_addr ${a} $? 0 "Global server, local connection"
1259 run_cmd nettest -s -I ${NSA_DEV} &
1261 run_cmd nettest -r ${a} -0 ${a}
1262 log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
1264 for a in ${NSA_LO_IP} 127.0.0.1
1267 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
1268 run_cmd nettest -s -I ${NSA_DEV} &
1270 run_cmd nettest -r ${a}
1271 log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
1276 run_cmd nettest -s &
1278 run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV}
1279 log_test_addr ${a} $? 0 "Global server, device client, local connection"
1281 for a in ${NSA_LO_IP} 127.0.0.1
1284 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
1285 run_cmd nettest -s &
1287 run_cmd nettest -r ${a} -d ${NSA_DEV}
1288 log_test_addr ${a} $? 1 "Global server, device client, local connection"
1293 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1295 run_cmd nettest -d ${NSA_DEV} -r ${a} -0 ${a}
1296 log_test_addr ${a} $? 0 "Device server, device client, local connection"
1299 show_hint "Should fail 'Connection refused'"
1300 run_cmd nettest -d ${NSA_DEV} -r ${a}
1301 log_test_addr ${a} $? 1 "No server, device client, local conn"
1303 [ "$fips_enabled" = "1" ] || ipv4_tcp_md5_novrf
1305 ipv4_tcp_dontroute 0
1306 ipv4_tcp_dontroute 2
1313 # disable global server
1314 log_subsection "Global server disabled"
1316 set_sysctl net.ipv4.tcp_l3mdev_accept=0
1321 for a in ${NSA_IP} ${VRF_IP}
1324 show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
1325 run_cmd nettest -s &
1327 run_cmd_nsb nettest -r ${a}
1328 log_test_addr ${a} $? 1 "Global server"
1331 run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1333 run_cmd_nsb nettest -r ${a}
1334 log_test_addr ${a} $? 0 "VRF server"
1337 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1339 run_cmd_nsb nettest -r ${a}
1340 log_test_addr ${a} $? 0 "Device server"
1342 # verify TCP reset received
1344 show_hint "Should fail 'Connection refused' since there is no server"
1345 run_cmd_nsb nettest -r ${a}
1346 log_test_addr ${a} $? 1 "No server"
1349 # local address tests
1350 # (${VRF_IP} and 127.0.0.1 both timeout)
1353 show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
1354 run_cmd nettest -s &
1356 run_cmd nettest -r ${a} -d ${NSA_DEV}
1357 log_test_addr ${a} $? 1 "Global server, local connection"
1360 if [ "$fips_enabled" = "0" ]; then
1367 # enable VRF global server
1369 log_subsection "VRF Global server enabled"
1370 set_sysctl net.ipv4.tcp_l3mdev_accept=1
1372 for a in ${NSA_IP} ${VRF_IP}
1375 show_hint "client socket should be bound to VRF"
1376 run_cmd nettest -s -3 ${VRF} &
1378 run_cmd_nsb nettest -r ${a}
1379 log_test_addr ${a} $? 0 "Global server"
1382 show_hint "client socket should be bound to VRF"
1383 run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1385 run_cmd_nsb nettest -r ${a}
1386 log_test_addr ${a} $? 0 "VRF server"
1388 # verify TCP reset received
1390 show_hint "Should fail 'Connection refused'"
1391 run_cmd_nsb nettest -r ${a}
1392 log_test_addr ${a} $? 1 "No server"
1397 show_hint "client socket should be bound to device"
1398 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1400 run_cmd_nsb nettest -r ${a}
1401 log_test_addr ${a} $? 0 "Device server"
1403 # local address tests
1404 for a in ${NSA_IP} ${VRF_IP}
1407 show_hint "Should fail 'Connection refused' since client is not bound to VRF"
1408 run_cmd nettest -s -I ${VRF} &
1410 run_cmd nettest -r ${a}
1411 log_test_addr ${a} $? 1 "Global server, local connection"
1417 for a in ${NSB_IP} ${NSB_LO_IP}
1420 run_cmd_nsb nettest -s &
1422 run_cmd nettest -r ${a} -d ${VRF}
1423 log_test_addr ${a} $? 0 "Client, VRF bind"
1426 run_cmd_nsb nettest -s &
1428 run_cmd nettest -r ${a} -d ${NSA_DEV}
1429 log_test_addr ${a} $? 0 "Client, device bind"
1432 show_hint "Should fail 'Connection refused'"
1433 run_cmd nettest -r ${a} -d ${VRF}
1434 log_test_addr ${a} $? 1 "No server, VRF client"
1437 show_hint "Should fail 'Connection refused'"
1438 run_cmd nettest -r ${a} -d ${NSA_DEV}
1439 log_test_addr ${a} $? 1 "No server, device client"
1442 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
1445 run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1447 run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
1448 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
1453 run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1455 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
1456 log_test_addr ${a} $? 0 "VRF server, device client, local connection"
1459 show_hint "Should fail 'No route to host' since client is out of VRF scope"
1460 run_cmd nettest -s -I ${VRF} &
1462 run_cmd nettest -r ${a}
1463 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"
1466 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1468 run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
1469 log_test_addr ${a} $? 0 "Device server, VRF client, local connection"
1472 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1474 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
1475 log_test_addr ${a} $? 0 "Device server, device client, local connection"
1480 log_section "IPv4/TCP"
1481 log_subsection "No VRF"
1484 # tcp_l3mdev_accept should have no effect without VRF;
1485 # run tests with it enabled and disabled to verify
1486 log_subsection "tcp_l3mdev_accept disabled"
1487 set_sysctl net.ipv4.tcp_l3mdev_accept=0
1489 log_subsection "tcp_l3mdev_accept enabled"
1490 set_sysctl net.ipv4.tcp_l3mdev_accept=1
1493 log_subsection "With VRF"
1498 ################################################################################
1508 for a in ${NSA_IP} ${NSA_LO_IP}
1511 run_cmd nettest -D -s -3 ${NSA_DEV} &
1513 run_cmd_nsb nettest -D -r ${a}
1514 log_test_addr ${a} $? 0 "Global server"
1517 show_hint "Should fail 'Connection refused' since there is no server"
1518 run_cmd_nsb nettest -D -r ${a}
1519 log_test_addr ${a} $? 1 "No server"
1524 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
1526 run_cmd_nsb nettest -D -r ${a}
1527 log_test_addr ${a} $? 0 "Device server"
1532 for a in ${NSB_IP} ${NSB_LO_IP}
1535 run_cmd_nsb nettest -D -s &
1537 run_cmd nettest -D -r ${a} -0 ${NSA_IP}
1538 log_test_addr ${a} $? 0 "Client"
1541 run_cmd_nsb nettest -D -s &
1543 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP}
1544 log_test_addr ${a} $? 0 "Client, device bind"
1547 run_cmd_nsb nettest -D -s &
1549 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP}
1550 log_test_addr ${a} $? 0 "Client, device send via cmsg"
1553 run_cmd_nsb nettest -D -s &
1555 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP}
1556 log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF"
1559 run_cmd_nsb nettest -D -s &
1561 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP} -U
1562 log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF, with connect()"
1566 show_hint "Should fail 'Connection refused'"
1567 run_cmd nettest -D -r ${a}
1568 log_test_addr ${a} $? 1 "No server, unbound client"
1571 show_hint "Should fail 'Connection refused'"
1572 run_cmd nettest -D -r ${a} -d ${NSA_DEV}
1573 log_test_addr ${a} $? 1 "No server, device client"
1577 # local address tests
1579 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
1582 run_cmd nettest -D -s &
1584 run_cmd nettest -D -r ${a} -0 ${a} -1 ${a}
1585 log_test_addr ${a} $? 0 "Global server, local connection"
1590 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1592 run_cmd nettest -D -r ${a}
1593 log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
1595 for a in ${NSA_LO_IP} 127.0.0.1
1598 show_hint "Should fail 'Connection refused' since address is out of device scope"
1599 run_cmd nettest -s -D -I ${NSA_DEV} &
1601 run_cmd nettest -D -r ${a}
1602 log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
1607 run_cmd nettest -s -D &
1609 run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1610 log_test_addr ${a} $? 0 "Global server, device client, local connection"
1613 run_cmd nettest -s -D &
1615 run_cmd nettest -D -d ${NSA_DEV} -C -r ${a}
1616 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"
1619 run_cmd nettest -s -D &
1621 run_cmd nettest -D -d ${NSA_DEV} -S -r ${a}
1622 log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection"
1625 run_cmd nettest -s -D &
1627 run_cmd nettest -D -d ${NSA_DEV} -S -r ${a} -U
1628 log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"
1631 # IPv4 with device bind has really weird behavior - it overrides the
1632 # fib lookup, generates an rtable and tries to send the packet. This
1633 # causes failures for local traffic at different places
1634 for a in ${NSA_LO_IP} 127.0.0.1
1637 show_hint "Should fail since addresses on loopback are out of device scope"
1638 run_cmd nettest -D -s &
1640 run_cmd nettest -D -r ${a} -d ${NSA_DEV}
1641 log_test_addr ${a} $? 2 "Global server, device client, local connection"
1644 show_hint "Should fail since addresses on loopback are out of device scope"
1645 run_cmd nettest -D -s &
1647 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C
1648 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"
1651 show_hint "Should fail since addresses on loopback are out of device scope"
1652 run_cmd nettest -D -s &
1654 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S
1655 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
1658 show_hint "Should fail since addresses on loopback are out of device scope"
1659 run_cmd nettest -D -s &
1661 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -U
1662 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"
1669 run_cmd nettest -D -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1671 run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a}
1672 log_test_addr ${a} $? 0 "Device server, device client, local conn"
1675 run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1676 log_test_addr ${a} $? 2 "No server, device client, local conn"
1679 # Link local connection tests (SO_DONTROUTE).
1680 # Connections should succeed only when the remote IP address is
1681 # on link (doesn't need to be routed through a gateway).
1686 do_run_cmd nettest -B -D -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute
1687 log_test_addr ${a} $? 0 "SO_DONTROUTE client"
1691 show_hint "Should fail 'Network is unreachable' since server is not on link"
1692 do_run_cmd nettest -B -D -N "${NSA}" -O "${NSB}" -r ${a} --client-dontroute
1693 log_test_addr ${a} $? 1 "SO_DONTROUTE client"
1700 # disable global server
1701 log_subsection "Global server disabled"
1702 set_sysctl net.ipv4.udp_l3mdev_accept=0
1707 for a in ${NSA_IP} ${VRF_IP}
1710 show_hint "Fails because ingress is in a VRF and global server is disabled"
1711 run_cmd nettest -D -s &
1713 run_cmd_nsb nettest -D -r ${a}
1714 log_test_addr ${a} $? 1 "Global server"
1717 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
1719 run_cmd_nsb nettest -D -r ${a}
1720 log_test_addr ${a} $? 0 "VRF server"
1723 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
1725 run_cmd_nsb nettest -D -r ${a}
1726 log_test_addr ${a} $? 0 "Enslaved device server"
1729 show_hint "Should fail 'Connection refused' since there is no server"
1730 run_cmd_nsb nettest -D -r ${a}
1731 log_test_addr ${a} $? 1 "No server"
1734 show_hint "Should fail 'Connection refused' since global server is out of scope"
1735 run_cmd nettest -D -s &
1737 run_cmd nettest -D -d ${VRF} -r ${a}
1738 log_test_addr ${a} $? 1 "Global server, VRF client, local connection"
1743 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1745 run_cmd nettest -D -d ${VRF} -r ${a}
1746 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1749 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1751 run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1752 log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection"
1756 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1758 run_cmd nettest -D -d ${VRF} -r ${a}
1759 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
1762 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1764 run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1765 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
1767 # enable global server
1768 log_subsection "Global server enabled"
1769 set_sysctl net.ipv4.udp_l3mdev_accept=1
1774 for a in ${NSA_IP} ${VRF_IP}
1777 run_cmd nettest -D -s -3 ${NSA_DEV} &
1779 run_cmd_nsb nettest -D -r ${a}
1780 log_test_addr ${a} $? 0 "Global server"
1783 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
1785 run_cmd_nsb nettest -D -r ${a}
1786 log_test_addr ${a} $? 0 "VRF server"
1789 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
1791 run_cmd_nsb nettest -D -r ${a}
1792 log_test_addr ${a} $? 0 "Enslaved device server"
1795 show_hint "Should fail 'Connection refused'"
1796 run_cmd_nsb nettest -D -r ${a}
1797 log_test_addr ${a} $? 1 "No server"
1804 run_cmd_nsb nettest -D -s &
1806 run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP}
1807 log_test $? 0 "VRF client"
1810 run_cmd_nsb nettest -D -s &
1812 run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP}
1813 log_test $? 0 "Enslaved device client"
1815 # negative test - should fail
1817 show_hint "Should fail 'Connection refused'"
1818 run_cmd nettest -D -d ${VRF} -r ${NSB_IP}
1819 log_test $? 1 "No server, VRF client"
1822 show_hint "Should fail 'Connection refused'"
1823 run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP}
1824 log_test $? 1 "No server, enslaved device client"
1827 # local address tests
1831 run_cmd nettest -D -s -3 ${NSA_DEV} &
1833 run_cmd nettest -D -d ${VRF} -r ${a}
1834 log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
1837 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1839 run_cmd nettest -D -d ${VRF} -r ${a}
1840 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1843 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1845 run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1846 log_test_addr ${a} $? 0 "VRF server, device client, local conn"
1849 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1851 run_cmd nettest -D -d ${VRF} -r ${a}
1852 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
1855 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1857 run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1858 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
1860 for a in ${VRF_IP} 127.0.0.1
1863 run_cmd nettest -D -s -3 ${VRF} &
1865 run_cmd nettest -D -d ${VRF} -r ${a}
1866 log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
1869 for a in ${VRF_IP} 127.0.0.1
1872 run_cmd nettest -s -D -I ${VRF} -3 ${VRF} &
1874 run_cmd nettest -D -d ${VRF} -r ${a}
1875 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1878 # negative test - should fail
1879 # verifies ECONNREFUSED
1880 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
1883 show_hint "Should fail 'Connection refused'"
1884 run_cmd nettest -D -d ${VRF} -r ${a}
1885 log_test_addr ${a} $? 1 "No server, VRF client, local conn"
1891 log_section "IPv4/UDP"
1892 log_subsection "No VRF"
1896 # udp_l3mdev_accept should have no effect without VRF;
1897 # run tests with it enabled and disabled to verify
1898 log_subsection "udp_l3mdev_accept disabled"
1899 set_sysctl net.ipv4.udp_l3mdev_accept=0
1901 log_subsection "udp_l3mdev_accept enabled"
1902 set_sysctl net.ipv4.udp_l3mdev_accept=1
1905 log_subsection "With VRF"
1910 ################################################################################
1913 # verifies ability or inability to bind to an address / device
# Bind-only checks for IPv4 sockets when no VRF is configured.
# Each nettest exit status ($?) is passed to log_test_addr together with the
# expected status: 0 where the bind is expected to succeed, 1 where it is
# expected to be rejected.
# NOTE(review): -b looks like nettest's bind-only mode, -l / -c the local
# address and -I / -d the device to bind to; confirm against nettest usage.
1915 ipv4_addr_bind_novrf()
# Raw ICMP sockets on ${NSA_IP} and ${NSA_LO_IP}: first an address bind alone,
# then an address bind combined with a bind to ${NSA_DEV}. Both expect 0.
1920 for a in ${NSA_IP} ${NSA_LO_IP}
1923 run_cmd nettest -s -R -P icmp -l ${a} -b
1924 log_test_addr ${a} $? 0 "Raw socket bind to local address"
1927 run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
1928 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
1932 # tests for nonlocal bind
# All three socket types add -f and expect the bind to succeed (0).
# NOTE(review): -f presumably requests a freebind-style bind, matching the
# "non-local addresses for freebind tests" variables at the top of the file.
1936 run_cmd nettest -s -R -f -l ${a} -b
1937 log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"
1940 run_cmd nettest -s -f -l ${a} -b
1941 log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address"
1944 run_cmd nettest -s -D -P icmp -f -l ${a} -b
1945 log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address"
1948 # check that ICMP sockets cannot bind to broadcast and multicast addresses
# No -f here; both binds are expected to be rejected (1).
1952 run_cmd nettest -s -D -P icmp -l ${a} -b
1953 log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address"
1957 run_cmd nettest -s -D -P icmp -l ${a} -b
1958 log_test_addr ${a} $? 1 "ICMP socket bind to multicast address"
# TCP: these two use -c ${a} with a remote (-r ${NSB_IP}) rather than -s -l,
# without and then with a device bind (-d ${NSA_DEV}). Both expect 0.
1965 run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b
1966 log_test_addr ${a} $? 0 "TCP socket bind to local address"
1969 run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b
1970 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
1972 # Sadly, the kernel allows binding a socket to a device and then
1973 # binding to an address not on the device. The only restriction
1974 # is that the address is valid in the L3 domain. So this test
1975 # passes when it really should not
# NOTE(review): the check below is disabled for that reason. It records that a
# device bind does not by itself limit the local address to ones configured on
# that device, so device binding should not be relied on as address scoping.
1978 #show_hint "Should fail with 'Cannot assign requested address'"
1979 #run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
1980 #log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
# Bind-only checks for IPv4 sockets with the VRF configured.
# Each nettest exit status ($?) is passed to log_test_addr together with the
# expected status: 0 where the bind is expected to succeed, 1 where it is
# expected to be rejected.
# NOTE(review): -b looks like nettest's bind-only mode, -l the local address
# and -I the device (or VRF) to bind to; confirm against nettest usage.
1983 ipv4_addr_bind_vrf()
1988 for a in ${NSA_IP} ${VRF_IP}
# Without any device bind the address bind is expected to fail (1): per the
# hint, the address is in the VRF but the socket is not.
1991 show_hint "Socket not bound to VRF, but address is in VRF"
1992 run_cmd nettest -s -R -P icmp -l ${a} -b
1993 log_test_addr ${a} $? 1 "Raw socket bind to local address"
# The same bind is expected to succeed once the socket is bound to either
# ${NSA_DEV} or ${VRF}.
1996 run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
1997 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
1999 run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
2000 log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind"
# Scope check: a VRF-bound raw socket must not be able to bind to an address
# that, per the hint, sits on loopback outside the VRF (expects 1).
2005 show_hint "Address on loopback is out of VRF scope"
2006 run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
2007 log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind"
2010 # tests for nonlocal bind
# All three socket types add -f on top of the VRF bind and expect success (0).
# NOTE(review): -f presumably requests a freebind-style bind; confirm.
2014 run_cmd nettest -s -R -f -l ${a} -I ${VRF} -b
2015 log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"
2018 run_cmd nettest -s -f -l ${a} -I ${VRF} -b
2019 log_test_addr ${a} $? 0 "TCP socket bind to nonlocal address after VRF bind"
2022 run_cmd nettest -s -D -P icmp -f -l ${a} -I ${VRF} -b
2023 log_test_addr ${a} $? 0 "ICMP socket bind to nonlocal address after VRF bind"
2026 # check that ICMP sockets cannot bind to broadcast and multicast addresses
# No -f here; both binds are expected to be rejected (1) even with the VRF bind.
2030 run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
2031 log_test_addr ${a} $? 1 "ICMP socket bind to broadcast address after VRF bind"
2035 run_cmd nettest -s -D -P icmp -l ${a} -I ${VRF} -b
2036 log_test_addr ${a} $? 1 "ICMP socket bind to multicast address after VRF bind"
# TCP: addresses in the VRF bind successfully with either a VRF bind or a
# device bind.
2041 for a in ${NSA_IP} ${VRF_IP}
2044 run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
2045 log_test_addr ${a} $? 0 "TCP socket bind to local address"
2048 run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
2049 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
# TCP scope checks: per the hints, an address on loopback is out of scope for
# both the VRF and the device in the VRF, so both binds expect 1.
2054 show_hint "Address on loopback out of scope for VRF"
2055 run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
2056 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"
2059 show_hint "Address on loopback out of scope for device in VRF"
2060 run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
2061 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
2066 log_section "IPv4 address binds"
2068 log_subsection "No VRF"
2071 ipv4_addr_bind_novrf
2073 log_subsection "With VRF"
2079 ################################################################################
2080 # IPv4 runtime tests
2086 local with_vrf="yes"
2092 for a in ${NSA_IP} ${VRF_IP}
2095 run_cmd nettest ${varg} -s &
2097 run_cmd_nsb nettest ${varg} -r ${a} &
2099 run_cmd ip link del ${VRF}
2101 log_test_addr ${a} 0 0 "${desc}, global server"
2106 for a in ${NSA_IP} ${VRF_IP}
2109 run_cmd nettest ${varg} -s -I ${VRF} &
2111 run_cmd_nsb nettest ${varg} -r ${a} &
2113 run_cmd ip link del ${VRF}
2115 log_test_addr ${a} 0 0 "${desc}, VRF server"
2122 run_cmd nettest ${varg} -s -I ${NSA_DEV} &
2124 run_cmd_nsb nettest ${varg} -r ${a} &
2126 run_cmd ip link del ${VRF}
2128 log_test_addr ${a} 0 0 "${desc}, enslaved device server"
2136 run_cmd_nsb nettest ${varg} -s &
2138 run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} &
2140 run_cmd ip link del ${VRF}
2142 log_test_addr ${a} 0 0 "${desc}, VRF client"
2147 run_cmd_nsb nettest ${varg} -s &
2149 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} &
2151 run_cmd ip link del ${VRF}
2153 log_test_addr ${a} 0 0 "${desc}, enslaved device client"
2158 # local address tests
2160 for a in ${NSA_IP} ${VRF_IP}
2163 run_cmd nettest ${varg} -s &
2165 run_cmd nettest ${varg} -d ${VRF} -r ${a} &
2167 run_cmd ip link del ${VRF}
2169 log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local"
2174 for a in ${NSA_IP} ${VRF_IP}
2177 run_cmd nettest ${varg} -I ${VRF} -s &
2179 run_cmd nettest ${varg} -d ${VRF} -r ${a} &
2181 run_cmd ip link del ${VRF}
2183 log_test_addr ${a} 0 0 "${desc}, VRF server and client, local"
2191 run_cmd nettest ${varg} -s &
2193 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
2195 run_cmd ip link del ${VRF}
2197 log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local"
2202 run_cmd nettest ${varg} -I ${VRF} -s &
2204 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
2206 run_cmd ip link del ${VRF}
2208 log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local"
2213 run_cmd nettest ${varg} -I ${NSA_DEV} -s &
2215 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
2217 run_cmd ip link del ${VRF}
2219 log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local"
2224 local with_vrf="yes"
2227 for a in ${NSA_IP} ${VRF_IP}
2230 run_cmd_nsb ping -f ${a} &
2232 run_cmd ip link del ${VRF}
2234 log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"
2241 run_cmd ping -f -I ${VRF} ${a} &
2243 run_cmd ip link del ${VRF}
2245 log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
2250 log_section "Run time tests - ipv4"
2256 ipv4_rt "TCP active socket" "-n -1"
2259 ipv4_rt "TCP passive socket" "-i"
2262 ################################################################################
2269 # should not have an impact, but make a known state
2270 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null
2275 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2278 run_cmd ${ping6} -c1 -w1 ${a}
2279 log_test_addr ${a} $? 0 "ping out"
2282 for a in ${NSB_IP6} ${NSB_LO_IP6}
2285 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2286 log_test_addr ${a} $? 0 "ping out, device bind"
2289 run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a}
2290 log_test_addr ${a} $? 0 "ping out, loopback address bind"
2296 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
2299 run_cmd_nsb ${ping6} -c1 -w1 ${a}
2300 log_test_addr ${a} $? 0 "ping in"
2304 # local traffic, local address
2306 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2309 run_cmd ${ping6} -c1 -w1 ${a}
2310 log_test_addr ${a} $? 0 "ping local, no bind"
2313 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2316 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2317 log_test_addr ${a} $? 0 "ping local, device bind"
2320 for a in ${NSA_LO_IP6} ::1
2323 show_hint "Fails since address on loopback is out of device scope"
2324 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2325 log_test_addr ${a} $? 2 "ping local, device bind"
2329 # ip rule blocks address
2332 setup_cmd ip -6 rule add pref 32765 from all lookup local
2333 setup_cmd ip -6 rule del pref 0 from all lookup local
2334 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
2335 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit
2338 run_cmd ${ping6} -c1 -w1 ${a}
2339 log_test_addr ${a} $? 2 "ping out, blocked by rule"
2342 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2343 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
2347 show_hint "Response lost due to ip rule"
2348 run_cmd_nsb ${ping6} -c1 -w1 ${a}
2349 log_test_addr ${a} $? 1 "ping in, blocked by rule"
2351 setup_cmd ip -6 rule add pref 0 from all lookup local
2352 setup_cmd ip -6 rule del pref 32765 from all lookup local
2353 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
2354 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit
2357 # route blocks reachability to remote address
2360 setup_cmd ip -6 route del ${NSB_LO_IP6}
2361 setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10
2362 setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10
2365 run_cmd ${ping6} -c1 -w1 ${a}
2366 log_test_addr ${a} $? 2 "ping out, blocked by route"
2369 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2370 log_test_addr ${a} $? 2 "ping out, device bind, blocked by route"
2374 show_hint "Response lost due to ip route"
2375 run_cmd_nsb ${ping6} -c1 -w1 ${a}
2376 log_test_addr ${a} $? 1 "ping in, blocked by route"
2380 # remove 'remote' routes; fallback to default
2383 setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6}
2384 setup_cmd ip -6 ro del unreachable ${NSB_IP6}
2387 run_cmd ${ping6} -c1 -w1 ${a}
2388 log_test_addr ${a} $? 2 "ping out, unreachable route"
2391 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2392 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
2399 # should default on; does not exist on older kernels
2400 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
2405 for a in ${NSB_IP6} ${NSB_LO_IP6}
2408 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
2409 log_test_addr ${a} $? 0 "ping out, VRF bind"
2412 for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF}
2415 show_hint "Fails since VRF device does not support linklocal or multicast"
2416 run_cmd ${ping6} -c1 -w1 ${a}
2417 log_test_addr ${a} $? 1 "ping out, VRF bind"
2420 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2423 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2424 log_test_addr ${a} $? 0 "ping out, device bind"
2427 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2430 run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a}
2431 log_test_addr ${a} $? 0 "ping out, vrf device+address bind"
2437 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
2440 run_cmd_nsb ${ping6} -c1 -w1 ${a}
2441 log_test_addr ${a} $? 0 "ping in"
2446 show_hint "Fails since loopback address is out of VRF scope"
2447 run_cmd_nsb ${ping6} -c1 -w1 ${a}
2448 log_test_addr ${a} $? 1 "ping in"
2451 # local traffic, local address
2453 for a in ${NSA_IP6} ${VRF_IP6} ::1
2456 show_hint "Source address should be ${a}"
2457 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
2458 log_test_addr ${a} $? 0 "ping local, VRF bind"
2461 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2464 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2465 log_test_addr ${a} $? 0 "ping local, device bind"
2468 # LLA to GUA - remove ipv6 global addresses from ns-B
2469 setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
2470 setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo
2471 setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
2473 for a in ${NSA_IP6} ${VRF_IP6}
2476 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
2477 log_test_addr ${a} $? 0 "ping in, LLA to GUA"
2480 setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
2481 setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV}
2482 setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo
2485 # ip rule blocks address
2488 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
2489 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit
2492 run_cmd ${ping6} -c1 -w1 ${a}
2493 log_test_addr ${a} $? 2 "ping out, blocked by rule"
2496 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2497 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
2501 show_hint "Response lost due to ip rule"
2502 run_cmd_nsb ${ping6} -c1 -w1 ${a}
2503 log_test_addr ${a} $? 1 "ping in, blocked by rule"
2506 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
2507 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit
2510 # remove 'remote' routes; fallback to default
2513 setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF}
2516 run_cmd ${ping6} -c1 -w1 ${a}
2517 log_test_addr ${a} $? 2 "ping out, unreachable route"
2520 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2521 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
2523 ip -netns ${NSB} -6 ro del ${NSA_LO_IP6}
2526 run_cmd_nsb ${ping6} -c1 -w1 ${a}
2527 log_test_addr ${a} $? 2 "ping in, unreachable route"
2532 log_section "IPv6 ping"
2534 log_subsection "No VRF"
2541 log_subsection "With VRF"
2549 ################################################################################
2553 # MD5 tests without VRF
# Exercises TCP MD5 signatures over IPv6 between a nettest server started with
# run_cmd and a client started with run_cmd_nsb. Expected status 0 means the
# connection completes; expected status 2 goes with the "Should timeout" hints.
# NOTE(review): -M appears to set the server password, -m the peer address or
# prefix that password applies to, and -X the client password; confirm against
# nettest usage. A mismatch is expected to show up as a timeout (2) rather than
# the status 1 used by the "Connection refused" cases elsewhere in this file,
# presumably because segments that fail the MD5 check are dropped silently.
# The passwords are passed as command-line arguments, which suits fixed test
# values but is not a pattern to copy for real keys, since arguments are
# visible in the process list.
2555 ipv6_tcp_md5_novrf()
# Baseline: server keyed to ${NSB_IP6}, client uses the same password.
2563 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
2565 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2566 log_test $? 0 "MD5: Single address config"
2568 # client sends MD5, server not configured
2570 show_hint "Should timeout due to MD5 mismatch"
2571 run_cmd nettest -6 -s &
2573 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2574 log_test $? 2 "MD5: Server no config, client uses password"
# Server keyed to the client's address, client presents ${MD5_WRONG_PW}.
2578 show_hint "Should timeout since client uses wrong password"
2579 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
2581 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2582 log_test $? 2 "MD5: Client uses wrong password"
2584 # client from different address
# The key is configured for ${NSB_LO_IP6}, so the right password is expected to
# fail when the peer address does not match the configured one.
2586 show_hint "Should timeout due to MD5 mismatch"
2587 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} &
2589 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2590 log_test $? 2 "MD5: Client address does not match address configured with password"
2593 # MD5 extension - prefix length
# Same three cases with the key configured for the prefix ${NS_NET6} instead
# of a single address.
2598 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2600 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2601 log_test $? 0 "MD5: Prefix config"
2603 # client in prefix, wrong password
2605 show_hint "Should timeout since client uses wrong password"
2606 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2608 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2609 log_test $? 2 "MD5: Prefix config, client uses wrong password"
2611 # client outside of prefix
# The client sets its local address with -c ${NSB_LO_IP6}, which the test
# label treats as outside the configured prefix.
2613 show_hint "Should timeout due to MD5 mismatch"
2614 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2616 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
2617 log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
2621 # MD5 tests with VRF
# Repeats the single-address and prefix TCP MD5 cases with the server bound to
# ${VRF} via -I, then runs cases where the default VRF and ${VRF} hold
# different passwords for the same peer, and finally tries to configure a key
# on a device that is not a VRF.
# Expected status 0 means the connection completes; expected status 2 goes
# with the "Should timeout" hints; expected status 1 is used for the rejected
# configurations at the end.
2631 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2633 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2634 log_test $? 0 "MD5: VRF: Single address config"
2636 # client sends MD5, server not configured
2638 show_hint "Should timeout since server does not have MD5 auth"
2639 run_cmd nettest -6 -s -I ${VRF} &
2641 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2642 log_test $? 2 "MD5: VRF: Server no config, client uses password"
# Server keyed to the client's address, client presents ${MD5_WRONG_PW}.
2646 show_hint "Should timeout since client uses wrong password"
2647 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2649 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2650 log_test $? 2 "MD5: VRF: Client uses wrong password"
2652 # client from different address
2654 show_hint "Should timeout since server config differs from client"
2655 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} &
2657 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2658 log_test $? 2 "MD5: VRF: Client address does not match address configured with password"
2661 # MD5 extension - prefix length
2666 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2668 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2669 log_test $? 0 "MD5: VRF: Prefix config"
2671 # client in prefix, wrong password
2673 show_hint "Should timeout since client uses wrong password"
2674 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2676 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2677 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"
2679 # client outside of prefix
2681 show_hint "Should timeout since client address is outside of prefix"
2682 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2684 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
2685 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"
2688 # duplicate config between default VRF and a VRF
# Two servers run side by side in every case below: one bound to ${VRF} with
# ${MD5_PW}, one unbound with ${MD5_WRONG_PW}. In this group ${MD5_WRONG_PW} is
# therefore the valid password for the default-VRF server, not a deliberately
# bad one. The expected results pin that a password only authenticates inside
# the L3 domain it was configured for: the run_cmd_nsb client ("conn in VRF")
# succeeds with ${MD5_PW} and times out with ${MD5_WRONG_PW}, and the
# run_cmd_nsc client ("conn in default VRF") is the reverse.
2692 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2693 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2695 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2696 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"
2699 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2700 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2702 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2703 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"
# Cross-domain negatives: each client presents the other domain's password.
2706 show_hint "Should timeout since client in default VRF uses VRF password"
2707 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2708 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2710 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2711 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"
2714 show_hint "Should timeout since client in VRF uses default VRF password"
2715 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2716 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2718 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2719 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"
# The same four cases with both servers keyed to the prefix ${NS_NET6}.
2722 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2723 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2725 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2726 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"
2729 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2730 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2732 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2733 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"
2736 show_hint "Should timeout since client in default VRF uses VRF password"
2737 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2738 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2740 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2741 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"
2744 show_hint "Should timeout since client in VRF uses default VRF password"
2745 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2746 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2748 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2749 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"
# Negative configuration cases, run in the foreground with no client: -I names
# ${NSA_DEV} instead of ${VRF}, and nettest is expected to exit 1. Per the
# test labels, the device given together with an MD5 key must be a VRF.
2755 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6}
2756 log_test $? 1 "MD5: VRF: Device must be a VRF - single address"
2759 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6}
2760 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"
2771 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2774 run_cmd nettest -6 -s &
2776 run_cmd_nsb nettest -6 -r ${a}
2777 log_test_addr ${a} $? 0 "Global server"
2780 # verify TCP reset received
2781 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2784 show_hint "Should fail 'Connection refused'"
2785 run_cmd_nsb nettest -6 -r ${a}
2786 log_test_addr ${a} $? 1 "No server"
2792 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2795 run_cmd_nsb nettest -6 -s &
2797 run_cmd nettest -6 -r ${a}
2798 log_test_addr ${a} $? 0 "Client"
2801 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2804 run_cmd_nsb nettest -6 -s &
2806 run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2807 log_test_addr ${a} $? 0 "Client, device bind"
2810 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2813 show_hint "Should fail 'Connection refused'"
2814 run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2815 log_test_addr ${a} $? 1 "No server, device client"
2819 # local address tests
2821 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
2824 run_cmd nettest -6 -s &
2826 run_cmd nettest -6 -r ${a}
2827 log_test_addr ${a} $? 0 "Global server, local connection"
2832 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2834 run_cmd nettest -6 -r ${a} -0 ${a}
2835 log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
2837 for a in ${NSA_LO_IP6} ::1
2840 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
2841 run_cmd nettest -6 -s -I ${NSA_DEV} &
2843 run_cmd nettest -6 -r ${a}
2844 log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
2849 run_cmd nettest -6 -s &
2851 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
2852 log_test_addr ${a} $? 0 "Global server, device client, local connection"
2854 for a in ${NSA_LO_IP6} ::1
2857 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
2858 run_cmd nettest -6 -s &
2860 run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2861 log_test_addr ${a} $? 1 "Global server, device client, local connection"
2864 for a in ${NSA_IP6} ${NSA_LINKIP6}
2867 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2869 run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
2870 log_test_addr ${a} $? 0 "Device server, device client, local conn"
2873 for a in ${NSA_IP6} ${NSA_LINKIP6}
2876 show_hint "Should fail 'Connection refused'"
2877 run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
2878 log_test_addr ${a} $? 1 "No server, device client, local conn"
2881 [ "$fips_enabled" = "1" ] || ipv6_tcp_md5_novrf
2888 # disable global server
2889 log_subsection "Global server disabled"
2891 set_sysctl net.ipv4.tcp_l3mdev_accept=0
2896 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2899 show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
2900 run_cmd nettest -6 -s &
2902 run_cmd_nsb nettest -6 -r ${a}
2903 log_test_addr ${a} $? 1 "Global server"
2906 for a in ${NSA_IP6} ${VRF_IP6}
2909 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
2911 run_cmd_nsb nettest -6 -r ${a}
2912 log_test_addr ${a} $? 0 "VRF server"
2915 # link local is always bound to ingress device
2916 a=${NSA_LINKIP6}%${NSB_DEV}
2918 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} &
2920 run_cmd_nsb nettest -6 -r ${a}
2921 log_test_addr ${a} $? 0 "VRF server"
2923 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2926 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2928 run_cmd_nsb nettest -6 -r ${a}
2929 log_test_addr ${a} $? 0 "Device server"
2932 # verify TCP reset received
2933 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2936 show_hint "Should fail 'Connection refused'"
2937 run_cmd_nsb nettest -6 -r ${a}
2938 log_test_addr ${a} $? 1 "No server"
2941 # local address tests
2944 show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
2945 run_cmd nettest -6 -s &
2947 run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2948 log_test_addr ${a} $? 1 "Global server, local connection"
2951 if [ "$fips_enabled" = "0" ]; then
2958 # enable VRF global server
2960 log_subsection "VRF Global server enabled"
2961 set_sysctl net.ipv4.tcp_l3mdev_accept=1
2963 for a in ${NSA_IP6} ${VRF_IP6}
2966 run_cmd nettest -6 -s -3 ${VRF} &
2968 run_cmd_nsb nettest -6 -r ${a}
2969 log_test_addr ${a} $? 0 "Global server"
2972 for a in ${NSA_IP6} ${VRF_IP6}
2975 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
2977 run_cmd_nsb nettest -6 -r ${a}
2978 log_test_addr ${a} $? 0 "VRF server"
2981 # For LLA, child socket is bound to device
2982 a=${NSA_LINKIP6}%${NSB_DEV}
2984 run_cmd nettest -6 -s -3 ${NSA_DEV} &
2986 run_cmd_nsb nettest -6 -r ${a}
2987 log_test_addr ${a} $? 0 "Global server"
2990 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} &
2992 run_cmd_nsb nettest -6 -r ${a}
2993 log_test_addr ${a} $? 0 "VRF server"
2995 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2998 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
3000 run_cmd_nsb nettest -6 -r ${a}
3001 log_test_addr ${a} $? 0 "Device server"
3004 # verify TCP reset received
3005 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
3008 show_hint "Should fail 'Connection refused'"
3009 run_cmd_nsb nettest -6 -r ${a}
3010 log_test_addr ${a} $? 1 "No server"
3013 # local address tests
3014 for a in ${NSA_IP6} ${VRF_IP6}
3017 show_hint "Fails 'Connection refused' since client is not in VRF"
3018 run_cmd nettest -6 -s -I ${VRF} &
3020 run_cmd nettest -6 -r ${a}
3021 log_test_addr ${a} $? 1 "Global server, local connection"
3028 for a in ${NSB_IP6} ${NSB_LO_IP6}
3031 run_cmd_nsb nettest -6 -s &
3033 run_cmd nettest -6 -r ${a} -d ${VRF}
3034 log_test_addr ${a} $? 0 "Client, VRF bind"
3039 show_hint "Fails since VRF device does not allow linklocal addresses"
3040 run_cmd_nsb nettest -6 -s &
3042 run_cmd nettest -6 -r ${a} -d ${VRF}
3043 log_test_addr ${a} $? 1 "Client, VRF bind"
3045 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}
3048 run_cmd_nsb nettest -6 -s &
3050 run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
3051 log_test_addr ${a} $? 0 "Client, device bind"
3054 for a in ${NSB_IP6} ${NSB_LO_IP6}
3057 show_hint "Should fail 'Connection refused'"
3058 run_cmd nettest -6 -r ${a} -d ${VRF}
3059 log_test_addr ${a} $? 1 "No server, VRF client"
3062 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}
3065 show_hint "Should fail 'Connection refused'"
3066 run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
3067 log_test_addr ${a} $? 1 "No server, device client"
3070 for a in ${NSA_IP6} ${VRF_IP6} ::1
3073 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
3075 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
3076 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
3081 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
3083 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
3084 log_test_addr ${a} $? 0 "VRF server, device client, local connection"
3088 show_hint "Should fail since unbound client is out of VRF scope"
3089 run_cmd nettest -6 -s -I ${VRF} &
3091 run_cmd nettest -6 -r ${a}
3092 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"
3095 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
3097 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
3098 log_test_addr ${a} $? 0 "Device server, VRF client, local connection"
3100 for a in ${NSA_IP6} ${NSA_LINKIP6}
3103 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
3105 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
3106 log_test_addr ${a} $? 0 "Device server, device client, local connection"
3112 log_section "IPv6/TCP"
3113 log_subsection "No VRF"
3116 # tcp_l3mdev_accept should have no effect without VRF;
3117 # run tests with it enabled and disabled to verify
3118 log_subsection "tcp_l3mdev_accept disabled"
3119 set_sysctl net.ipv4.tcp_l3mdev_accept=0
3121 log_subsection "tcp_l3mdev_accept enabled"
3122 set_sysctl net.ipv4.tcp_l3mdev_accept=1
3125 log_subsection "With VRF"
3130 ################################################################################
3140 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
3143 run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3145 run_cmd_nsb nettest -6 -D -r ${a}
3146 log_test_addr ${a} $? 0 "Global server"
3149 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3151 run_cmd_nsb nettest -6 -D -r ${a}
3152 log_test_addr ${a} $? 0 "Device server"
3157 run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3159 run_cmd_nsb nettest -6 -D -r ${a}
3160 log_test_addr ${a} $? 0 "Global server"
3162 # should fail since loopback address is out of scope for a device
3163 # bound server, but it does not - hence this is more documenting
3166 #show_hint "Should fail since loopback address is out of scope"
3167 #run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3169 #run_cmd_nsb nettest -6 -D -r ${a}
3170 #log_test_addr ${a} $? 1 "Device server"
3172 # negative test - should fail
3173 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
3176 show_hint "Should fail 'Connection refused' since there is no server"
3177 run_cmd_nsb nettest -6 -D -r ${a}
3178 log_test_addr ${a} $? 1 "No server"
3184 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
3187 run_cmd_nsb nettest -6 -D -s &
3189 run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6}
3190 log_test_addr ${a} $? 0 "Client"
3193 run_cmd_nsb nettest -6 -D -s &
3195 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6}
3196 log_test_addr ${a} $? 0 "Client, device bind"
3199 run_cmd_nsb nettest -6 -D -s &
3201 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6}
3202 log_test_addr ${a} $? 0 "Client, device send via cmsg"
3205 run_cmd_nsb nettest -6 -D -s &
3207 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6}
3208 log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF"
3211 show_hint "Should fail 'Connection refused'"
3212 run_cmd nettest -6 -D -r ${a}
3213 log_test_addr ${a} $? 1 "No server, unbound client"
3216 show_hint "Should fail 'Connection refused'"
3217 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
3218 log_test_addr ${a} $? 1 "No server, device client"
3222 # local address tests
3224 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
3227 run_cmd nettest -6 -D -s &
3229 run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a}
3230 log_test_addr ${a} $? 0 "Global server, local connection"
3235 run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
3237 run_cmd nettest -6 -D -r ${a}
3238 log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
3240 for a in ${NSA_LO_IP6} ::1
3243 show_hint "Should fail 'Connection refused' since address is out of device scope"
3244 run_cmd nettest -6 -s -D -I ${NSA_DEV} &
3246 run_cmd nettest -6 -D -r ${a}
3247 log_test_addr ${a} $? 1 "Device server, local connection"
3252 run_cmd nettest -6 -s -D &
3254 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3255 log_test_addr ${a} $? 0 "Global server, device client, local connection"
3258 run_cmd nettest -6 -s -D &
3260 run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a}
3261 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"
3264 run_cmd nettest -6 -s -D &
3266 run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a}
3267 log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection"
3269 for a in ${NSA_LO_IP6} ::1
3272 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
3273 run_cmd nettest -6 -D -s &
3275 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
3276 log_test_addr ${a} $? 1 "Global server, device client, local connection"
3279 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
3280 run_cmd nettest -6 -D -s &
3282 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C
3283 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"
3286 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
3287 run_cmd nettest -6 -D -s &
3289 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S
3290 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
3293 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
3294 run_cmd nettest -6 -D -s &
3296 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -U
3297 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection, with connect()"
3302 run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} &
3304 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a}
3305 log_test_addr ${a} $? 0 "Device server, device client, local conn"
3308 show_hint "Should fail 'Connection refused'"
3309 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3310 log_test_addr ${a} $? 1 "No server, device client, local conn"
3313 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
3314 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
3316 run_cmd nettest -6 -s -D &
3318 run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
3319 log_test $? 0 "UDP in - LLA to GUA"
3321 run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
3322 run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
3329 # disable global server
3330 log_subsection "Global server disabled"
3331 set_sysctl net.ipv4.udp_l3mdev_accept=0
3336 for a in ${NSA_IP6} ${VRF_IP6}
3339 show_hint "Should fail 'Connection refused' since global server is disabled"
3340 run_cmd nettest -6 -D -s &
3342 run_cmd_nsb nettest -6 -D -r ${a}
3343 log_test_addr ${a} $? 1 "Global server"
3346 for a in ${NSA_IP6} ${VRF_IP6}
3349 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3351 run_cmd_nsb nettest -6 -D -r ${a}
3352 log_test_addr ${a} $? 0 "VRF server"
3355 for a in ${NSA_IP6} ${VRF_IP6}
3358 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3360 run_cmd_nsb nettest -6 -D -r ${a}
3361 log_test_addr ${a} $? 0 "Enslaved device server"
3364 # negative test - should fail
3365 for a in ${NSA_IP6} ${VRF_IP6}
3368 show_hint "Should fail 'Connection refused' since there is no server"
3369 run_cmd_nsb nettest -6 -D -r ${a}
3370 log_test_addr ${a} $? 1 "No server"
3374 # local address tests
3376 for a in ${NSA_IP6} ${VRF_IP6}
3379 show_hint "Should fail 'Connection refused' since global server is disabled"
3380 run_cmd nettest -6 -D -s &
3382 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3383 log_test_addr ${a} $? 1 "Global server, VRF client, local conn"
3386 for a in ${NSA_IP6} ${VRF_IP6}
3389 run_cmd nettest -6 -D -I ${VRF} -s &
3391 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3392 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3397 show_hint "Should fail 'Connection refused' since global server is disabled"
3398 run_cmd nettest -6 -D -s &
3400 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3401 log_test_addr ${a} $? 1 "Global server, device client, local conn"
3404 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3406 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3407 log_test_addr ${a} $? 0 "VRF server, device client, local conn"
3410 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3412 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3413 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
3416 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3418 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3419 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
3421 # enable global server
3422 log_subsection "Global server enabled"
3423 set_sysctl net.ipv4.udp_l3mdev_accept=1
3428 for a in ${NSA_IP6} ${VRF_IP6}
3431 run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3433 run_cmd_nsb nettest -6 -D -r ${a}
3434 log_test_addr ${a} $? 0 "Global server"
3437 for a in ${NSA_IP6} ${VRF_IP6}
3440 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3442 run_cmd_nsb nettest -6 -D -r ${a}
3443 log_test_addr ${a} $? 0 "VRF server"
3446 for a in ${NSA_IP6} ${VRF_IP6}
3449 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3451 run_cmd_nsb nettest -6 -D -r ${a}
3452 log_test_addr ${a} $? 0 "Enslaved device server"
3455 # negative test - should fail
3456 for a in ${NSA_IP6} ${VRF_IP6}
3459 run_cmd_nsb nettest -6 -D -r ${a}
3460 log_test_addr ${a} $? 1 "No server"
3467 run_cmd_nsb nettest -6 -D -s &
3469 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
3470 log_test $? 0 "VRF client"
3472 # negative test - should fail
3474 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
3475 log_test $? 1 "No server, VRF client"
3478 run_cmd_nsb nettest -6 -D -s &
3480 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
3481 log_test $? 0 "Enslaved device client"
3483 # negative test - should fail
3485 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
3486 log_test $? 1 "No server, enslaved device client"
3489 # local address tests
3493 run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3495 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3496 log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
3499 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3501 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3502 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3507 run_cmd nettest -6 -D -s -3 ${VRF} &
3509 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3510 log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
3513 run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} &
3515 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3516 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3518 # negative test - should fail
3519 for a in ${NSA_IP6} ${VRF_IP6}
3522 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3523 log_test_addr ${a} $? 1 "No server, VRF client, local conn"
3526 # device to global IP
3529 run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3531 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3532 log_test_addr ${a} $? 0 "Global server, device client, local conn"
3535 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3537 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3538 log_test_addr ${a} $? 0 "VRF server, device client, local conn"
3541 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3543 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3544 log_test_addr ${a} $? 0 "Device server, VRF client, local conn"
3547 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3549 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3550 log_test_addr ${a} $? 0 "Device server, device client, local conn"
3553 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3554 log_test_addr ${a} $? 1 "No server, device client, local conn"
3557 # link local addresses
3559 run_cmd nettest -6 -D -s &
3561 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
3562 log_test $? 0 "Global server, linklocal IP"
3565 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
3566 log_test $? 1 "No server, linklocal IP"
3570 run_cmd_nsb nettest -6 -D -s &
3572 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
3573 log_test $? 0 "Enslaved device client, linklocal IP"
3576 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
3577 log_test $? 1 "No server, device client, peer linklocal IP"
3581 run_cmd nettest -6 -D -s &
3583 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
3584 log_test $? 0 "Enslaved device client, local conn - linklocal IP"
3587 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
3588 log_test $? 1 "No server, device client, local conn - linklocal IP"
3591 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
3592 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
3594 run_cmd nettest -6 -s -D &
3596 run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
3597 log_test $? 0 "UDP in - LLA to GUA"
3599 run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
3600 run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
3605 # should not matter, but set to known state
3606 set_sysctl net.ipv4.udp_early_demux=1
3608 log_section "IPv6/UDP"
3609 log_subsection "No VRF"
3612 # udp_l3mdev_accept should have no effect without VRF;
3613 # run tests with it enabled and disabled to verify
3614 log_subsection "udp_l3mdev_accept disabled"
3615 set_sysctl net.ipv4.udp_l3mdev_accept=0
3617 log_subsection "udp_l3mdev_accept enabled"
3618 set_sysctl net.ipv4.udp_l3mdev_accept=1
3621 log_subsection "With VRF"
3626 ################################################################################
# IPv6 bind checks with no VRF in play: each case runs nettest with -s,
# -l <addr> and -b and hands the exit status to log_test_addr, expecting 0.
# NOTE(review): this numbered listing skips lines, so loop delimiters and any
# assignment of ${a} outside the visible 'for' are not shown here.
3629 ipv6_addr_bind_novrf()
3634 for a in ${NSA_IP6} ${NSA_LO_IP6}
# Raw socket cases (per the test names): address alone, then the same
# address with a device bind (-I ${NSA_DEV}).
3637 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
3638 log_test_addr ${a} $? 0 "Raw socket bind to local address"
3641 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
3642 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
3646 # raw socket with nonlocal bind
# NOTE(review): -f presumably requests freebind for the non-local address.
# This case passes -P icmp where the other IPv6 raw cases pass
# -P ipv6-icmp; confirm that is intended.
3650 run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
3651 log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"
# TCP cases (per the test names): address alone, then after a device bind.
3658 run_cmd nettest -6 -s -l ${a} -t1 -b
3659 log_test_addr ${a} $? 0 "TCP socket bind to local address"
3662 run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3663 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
3665 # Sadly, the kernel allows binding a socket to a device and then
3666 # binding to an address not on the device. So this test passes
3667 # when it really should not
# The expected rc of 0 below records that permissive behaviour; it does not
# endorse it. A device bind (-I) therefore must not be relied on to restrict
# which local address the socket can bind to afterwards.
3670 show_hint "Tecnically should fail since address is not on device but kernel allows"
3671 run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3672 log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
# IPv6 bind checks with the VRF configured: nettest is run with -s,
# -l <addr>, -b and a bind to either ${VRF} or ${NSA_DEV}; the exit status is
# compared with the expected rc passed to log_test_addr (0 = bind accepted,
# 1 = bind rejected).
# NOTE(review): this numbered listing skips lines, so loop delimiters and the
# assignments of ${a} outside the visible 'for' loops are not shown here.
3675 ipv6_addr_bind_vrf()
3680 for a in ${NSA_IP6} ${VRF_IP6}
# Raw socket cases: bind to the VRF, then to the enslaved device.
3683 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
3684 log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"
3687 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
3688 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
# Negative case: expected rc 1, i.e. the bind must be refused because the
# address is outside the VRF (see the hint text).
3693 show_hint "Address on loopback is out of VRF scope"
3694 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
3695 log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"
3698 # raw socket with nonlocal bind
# NOTE(review): -f presumably requests freebind for the non-local address.
# This case passes -P icmp where the other IPv6 raw cases pass
# -P ipv6-icmp; confirm that is intended.
3702 run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${VRF} -b
3703 log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"
3708 # address on enslaved device is valid for the VRF or device in a VRF
3709 for a in ${NSA_IP6} ${VRF_IP6}
3712 run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
3713 log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
3718 run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3719 log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"
3721 # Sadly, the kernel allows binding a socket to a device and then
3722 # binding to an address not on the device. The only restriction
3723 # is that the address is valid in the L3 domain. So this test
3724 # passes when it really should not
# The expected rc of 0 below pins that behaviour: the effective boundary is
# the L3 domain (VRF), not the individual device, so a device bind must not
# be treated as an address restriction within the VRF.
3727 show_hint "Tecnically should fail since address is not on device but kernel allows"
3728 run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3729 log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind"
# Negative cases: expected rc 1 for both the VRF bind and the device bind,
# because the address is on loopback and out of scope (see the hint text).
3733 show_hint "Address on loopback out of scope for VRF"
3734 run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
3735 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"
3738 show_hint "Address on loopback out of scope for device in VRF"
3739 run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3740 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
3746 log_section "IPv6 address binds"
3748 log_subsection "No VRF"
3750 ipv6_addr_bind_novrf
3752 log_subsection "With VRF"
3757 ################################################################################
3758 # IPv6 runtime tests
3764 local with_vrf="yes"
3770 for a in ${NSA_IP6} ${VRF_IP6}
3773 run_cmd nettest ${varg} -s &
3775 run_cmd_nsb nettest ${varg} -r ${a} &
3777 run_cmd ip link del ${VRF}
3779 log_test_addr ${a} 0 0 "${desc}, global server"
3784 for a in ${NSA_IP6} ${VRF_IP6}
3787 run_cmd nettest ${varg} -I ${VRF} -s &
3789 run_cmd_nsb nettest ${varg} -r ${a} &
3791 run_cmd ip link del ${VRF}
3793 log_test_addr ${a} 0 0 "${desc}, VRF server"
3798 for a in ${NSA_IP6} ${VRF_IP6}
3801 run_cmd nettest ${varg} -I ${NSA_DEV} -s &
3803 run_cmd_nsb nettest ${varg} -r ${a} &
3805 run_cmd ip link del ${VRF}
3807 log_test_addr ${a} 0 0 "${desc}, enslaved device server"
3816 run_cmd_nsb nettest ${varg} -s &
3818 run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
3820 run_cmd ip link del ${VRF}
3822 log_test 0 0 "${desc}, VRF client"
3827 run_cmd_nsb nettest ${varg} -s &
3829 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
3831 run_cmd ip link del ${VRF}
3833 log_test 0 0 "${desc}, enslaved device client"
3839 # local address tests
3841 for a in ${NSA_IP6} ${VRF_IP6}
3844 run_cmd nettest ${varg} -s &
3846 run_cmd nettest ${varg} -d ${VRF} -r ${a} &
3848 run_cmd ip link del ${VRF}
3850 log_test_addr ${a} 0 0 "${desc}, global server, VRF client"
3855 for a in ${NSA_IP6} ${VRF_IP6}
3858 run_cmd nettest ${varg} -I ${VRF} -s &
3860 run_cmd nettest ${varg} -d ${VRF} -r ${a} &
3862 run_cmd ip link del ${VRF}
3864 log_test_addr ${a} 0 0 "${desc}, VRF server and client"
3871 run_cmd nettest ${varg} -s &
3873 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3875 run_cmd ip link del ${VRF}
3877 log_test_addr ${a} 0 0 "${desc}, global server, device client"
3882 run_cmd nettest ${varg} -I ${VRF} -s &
3884 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3886 run_cmd ip link del ${VRF}
3888 log_test_addr ${a} 0 0 "${desc}, VRF server, device client"
3893 run_cmd nettest ${varg} -I ${NSA_DEV} -s &
3895 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3897 run_cmd ip link del ${VRF}
3899 log_test_addr ${a} 0 0 "${desc}, device server, device client"
3904 local with_vrf="yes"
3909 run_cmd_nsb ${ping6} -f ${a} &
3911 run_cmd ip link del ${VRF}
3913 log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"
3918 run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
3920 run_cmd ip link del ${VRF}
3922 log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
3927 log_section "Run time tests - ipv6"
3933 ipv6_rt "TCP active socket" "-n -1"
3936 ipv6_rt "TCP passive socket" "-i"
3939 ipv6_rt "UDP active socket" "-D -n -1"
3942 ################################################################################
3943 # netfilter blocking connections
# Checks that a TCP connection to each address is refused (expected rc 1)
# even though a server is started first. The refusal is meant to come from
# the firewall rule installed by the calling section
# (iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset),
# not from a missing listener.
# NOTE(review): nettest is run without -p, so 12345 is presumably its
# default port; confirm, otherwise the rule would not match this traffic.
# NOTE(review): this numbered listing skips lines (loop delimiters, braces).
3945 netfilter_tcp_reset()
3949 for a in ${NSA_IP} ${VRF_IP}
3952 run_cmd nettest -s &
3954 run_cmd_nsb nettest -r ${a}
3955 log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
3965 [ "${stype}" = "UDP" ] && arg="-D"
3967 for a in ${NSA_IP} ${VRF_IP}
3970 run_cmd nettest ${arg} -s &
3972 run_cmd_nsb nettest ${arg} -r ${a}
3973 log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
3979 log_section "IPv4 Netfilter"
3980 log_subsection "TCP reset"
3983 run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset
3988 log_subsection "ICMP unreachable"
3992 run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
3993 run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
3995 netfilter_icmp "TCP"
3996 netfilter_icmp "UDP"
# IPv6 counterpart of the TCP-reset check: a server is started, and the
# client connection to each address is expected to fail (rc 1). The failure
# is meant to come from the rule installed by the calling section
# (ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset).
# NOTE(review): nettest is run without -p, so 12345 is presumably its
# default port; confirm, otherwise the rule would not match this traffic.
# NOTE(review): this numbered listing skips lines (loop delimiters, braces).
4002 netfilter_tcp6_reset()
4006 for a in ${NSA_IP6} ${VRF_IP6}
4009 run_cmd nettest -6 -s &
4011 run_cmd_nsb nettest -6 -r ${a}
4012 log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
4022 [ "${stype}" = "UDP" ] && arg="$arg -D"
4024 for a in ${NSA_IP6} ${VRF_IP6}
4027 run_cmd nettest -6 -s ${arg} &
4029 run_cmd_nsb nettest -6 ${arg} -r ${a}
4030 log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
4036 log_section "IPv6 Netfilter"
4037 log_subsection "TCP reset"
4040 run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset
4042 netfilter_tcp6_reset
4044 log_subsection "ICMP unreachable"
4047 run_cmd ip6tables -F
4048 run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
4049 run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
4051 netfilter_icmp6 "TCP"
4052 netfilter_icmp6 "UDP"
4058 ################################################################################
4059 # specific use cases
4062 # ns-A device enslaved to bridge. Verify traffic with and without
4063 # br_netfilter module loaded. Repeat with SVI on bridge.
4068 setup_cmd ip link set ${NSA_DEV} down
4069 setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
4070 setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64
4072 setup_cmd ip link add br0 type bridge
4073 setup_cmd ip addr add dev br0 ${NSA_IP}/24
4074 setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad
4076 setup_cmd ip li set ${NSA_DEV} master br0
4077 setup_cmd ip li set ${NSA_DEV} up
4078 setup_cmd ip li set br0 up
4079 setup_cmd ip li set br0 vrf ${VRF}
4081 rmmod br_netfilter 2>/dev/null
4084 run_cmd ip neigh flush all
4085 run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
4086 log_test $? 0 "Bridge into VRF - IPv4 ping out"
4088 run_cmd ip neigh flush all
4089 run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
4090 log_test $? 0 "Bridge into VRF - IPv6 ping out"
4092 run_cmd ip neigh flush all
4093 run_cmd_nsb ping -c1 -w1 ${NSA_IP}
4094 log_test $? 0 "Bridge into VRF - IPv4 ping in"
4096 run_cmd ip neigh flush all
4097 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
4098 log_test $? 0 "Bridge into VRF - IPv6 ping in"
4100 modprobe br_netfilter
4101 if [ $? -eq 0 ]; then
4102 run_cmd ip neigh flush all
4103 run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
4104 log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out"
4106 run_cmd ip neigh flush all
4107 run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
4108 log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out"
4110 run_cmd ip neigh flush all
4111 run_cmd_nsb ping -c1 -w1 ${NSA_IP}
4112 log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in"
4114 run_cmd ip neigh flush all
4115 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
4116 log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in"
4119 setup_cmd ip li set br0 nomaster
4120 setup_cmd ip li add br0.100 link br0 type vlan id 100
4121 setup_cmd ip li set br0.100 vrf ${VRF} up
4122 setup_cmd ip addr add dev br0.100 172.16.101.1/24
4123 setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad
4125 setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
4126 setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
4127 setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
4128 setup_cmd_nsb ip li set vlan100 up
4131 rmmod br_netfilter 2>/dev/null
4133 run_cmd ip neigh flush all
4134 run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
4135 log_test $? 0 "Bridge vlan into VRF - IPv4 ping out"
4137 run_cmd ip neigh flush all
4138 run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
4139 log_test $? 0 "Bridge vlan into VRF - IPv6 ping out"
4141 run_cmd ip neigh flush all
4142 run_cmd_nsb ping -c1 -w1 172.16.101.1
4143 log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"
4145 run_cmd ip neigh flush all
4146 run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
4147 log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"
4149 modprobe br_netfilter
4150 if [ $? -eq 0 ]; then
4151 run_cmd ip neigh flush all
4152 run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
4153 log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out"
4155 run_cmd ip neigh flush all
4156 run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
4157 log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out"
4159 run_cmd ip neigh flush all
4160 run_cmd_nsb ping -c1 -w1 172.16.101.1
4161 log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"
4163 run_cmd ip neigh flush all
4164 run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
4165 log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"
4168 setup_cmd ip li del br0 2>/dev/null
4169 setup_cmd_nsb ip li del vlan100 2>/dev/null
4173 # ns-A device is connected to both ns-B and ns-C on a single VRF but only has
4174 # LLA on the interfaces
# Pings ${MCAST} scoped to the ns-B and ns-C devices before and after
# flapping each of the two ns-A interfaces (${NSA_DEV}, ${NSA_DEV2}); every
# ping is expected to succeed (rc 0).
# NOTE(review): this numbered listing skips lines, so setup steps, any waits
# after the link flaps, and the braces are not shown here.
4175 use_case_ping_lla_multi()
4178 # only want reply from ns-A
# Multicast echo replies are switched off in ns-B and ns-C, so a successful
# ping cannot be satisfied by the other peer answering.
# NOTE(review): no matching reset of this sysctl is visible in this listing;
# confirm the namespaces are torn down or the value restored before any test
# that depends on multicast echo replies from ns-B/ns-C.
4179 setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
4180 setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
# Baseline before any interface is cycled.
4183 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
4184 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B"
4186 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
4187 log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C"
4189 # cycle/flap the first ns-A interface
4190 setup_cmd ip link set ${NSA_DEV} down
4191 setup_cmd ip link set ${NSA_DEV} up
# Both peers are re-checked, not only the one behind the flapped interface.
4195 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
4196 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B"
4197 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
4198 log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C"
4200 # cycle/flap the second ns-A interface
4201 setup_cmd ip link set ${NSA_DEV2} down
4202 setup_cmd ip link set ${NSA_DEV2} up
4206 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
4207 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B"
4208 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
4209 log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C"
4212 # Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully
4213 # established with ns-B.
# Installs IPv4 and IPv6 SNAT rules for TCP traffic to ${port} leaving via
# ${VRF}, then checks that a client bound to ${VRF} can still connect to a
# server in ns-B (expected rc 0 for both address families).
# NOTE(review): this numbered listing skips lines; the assignment of ${port},
# any setup call and the braces are not shown here.
4214 use_case_snat_on_vrf()
# POSTROUTING rules in the nat table: rewrite the source of matching TCP
# packets to ${NSA_LO_IP} / ${NSA_LO_IP6} (presumably the ns-A loopback
# addresses, going by the names) when the output interface is ${VRF}.
4220 run_cmd iptables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
4221 run_cmd ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
# IPv4: server in ns-B listening on ${NSB_IP}:${port}, client bound to the VRF.
4223 run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} &
4225 run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port}
4226 log_test $? 0 "IPv4 TCP connection over VRF with SNAT"
# IPv6: same check against ${NSB_IP6}.
4228 run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} &
4230 run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port}
4231 log_test $? 0 "IPv6 TCP connection over VRF with SNAT"
# Cleanup: -D with the same arguments as the -A calls above deletes exactly
# those two rules, so the NAT state does not carry over past this function.
# If a step above aborts the script first, the rules stay installed.
4234 run_cmd iptables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
4235 run_cmd ip6tables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
4240 log_section "Use cases"
4241 log_subsection "Device enslaved to bridge"
4243 log_subsection "Ping LLA with multiple interfaces"
4244 use_case_ping_lla_multi
4245 log_subsection "SNAT on VRF"
4246 use_case_snat_on_vrf
4249 ################################################################################
4255 usage: ${0##*/} OPTS
4259 -t <test> Test name/set to run
4261 -P Pause after each test
4265 $TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER
4269 ################################################################################
# Test groups. An empty TESTS selects all three groups (see the -z branch
# below); the values "ipv4" and "ipv6" are handled by their own branches.
4272 TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter"
4273 TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter"
4274 TESTS_OTHER="use_cases"
# The leading ':' in the option string puts getopts in silent mode, so invalid
# options are reported by the script's own case arms rather than by getopts.
# Only the -p arm appears in this listing.
4279 while getopts :46t:pPvh o
4285 p) PAUSE_ON_FAIL=yes;;
4293 # make sure we don't pause twice
4294 [ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no
4297 # show user test config
4299 if [ -z "$TESTS" ]; then
4300 TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
4301 elif [ "$TESTS" = "ipv4" ]; then
4303 elif [ "$TESTS" = "ipv6" ]; then
4307 # nettest can be run from PATH or from same directory as this selftest
# NOTE(review): PATH is prefixed with $PWD at the top of this file, so this
# lookup - and every other command name resolved through PATH - prefers a
# binary found in the current directory. The tests edit netfilter rules,
# sysctls and links, which normally needs elevated privileges, so start the
# script only from a directory whose contents you trust.
4308 if ! which nettest >/dev/null; then
4310 if ! which nettest >/dev/null; then
4311 echo "'nettest' command not found; skipping tests"
# Integer pass counter, reported in the summary at the end.
4317 declare -i nsuccess=0
# Dispatch: each requested name maps to one test function. Aliases without a
# suffix (ping, tcp, udp, bind) pick the IPv4 variant, the '6'-suffixed ones the
# IPv6 variant; the bind names call ipv4_addr_bind / ipv6_addr_bind.
4322 ipv4_ping|ping) ipv4_ping;;
4323 ipv4_tcp|tcp) ipv4_tcp;;
4324 ipv4_udp|udp) ipv4_udp;;
4325 ipv4_bind|bind) ipv4_addr_bind;;
4326 ipv4_runtime) ipv4_runtime;;
4327 ipv4_netfilter) ipv4_netfilter;;
4329 ipv6_ping|ping6) ipv6_ping;;
4330 ipv6_tcp|tcp6) ipv6_tcp;;
4331 ipv6_udp|udp6) ipv6_udp;;
4332 ipv6_bind|bind6) ipv6_addr_bind;;
4333 ipv6_runtime) ipv6_runtime;;
4334 ipv6_netfilter) ipv6_netfilter;;
4336 use_cases) use_cases;;
4338 # setup namespaces and config, but do not run any tests
# These two arms exit straight after setup and call no cleanup themselves, so
# whatever setup created stays in place afterwards (assuming no exit handler
# elsewhere in the file - not visible here).
4339 setup) setup; exit 0;;
4340 vrf_setup) setup "yes"; exit 0;;
# Summary. The branches that follow treat "at least one failure" and "nothing
# passed at all" as separate outcomes; their bodies are not in this listing.
4346 printf "\nTests passed: %3d\n" ${nsuccess}
4347 printf "Tests failed: %3d\n" ${nfail}
4349 if [ $nfail -ne 0 ]; then
4351 elif [ $nsuccess -eq 0 ]; then