2 # SPDX-License-Identifier: GPL-2.0
4 # Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
6 # IPv4 and IPv6 functional tests focusing on VRF and routing lookups
7 # for various permutations:
8 # 1. icmp, tcp, udp and netfilter
9 # 2. client, server, no-server
10 # 3. global address on interface
11 # 4. global address on 'lo'
12 # 5. remote and local traffic
13 # 6. VRF and non-VRF permutations
18 # [ lo ] [ eth1 ]---|---[ eth1 ] [ lo ]
21 # [ red ]---[ eth1 ]---|---[ eth1 ] [ lo ]
24 # eth1: 172.16.1.1/24, 2001:db8:1::1/64
25 # lo: 127.0.0.1/8, ::1/128
26 # 172.16.2.1/32, 2001:db8:2::1/128
27 # red: 127.0.0.1/8, ::1/128
28 # 172.16.3.1/32, 2001:db8:3::1/128
31 # eth1: 172.16.1.2/24, 2001:db8:1::2/64
32 # lo2: 127.0.0.1/8, ::1/128
33 # 172.16.2.2/32, 2001:db8:2::2/128
35 # server / client nomenclature relative to ns-A
56 NSA_LO_IP6=2001:db8:2::1
57 NSB_LO_IP6=2001:db8:2::2
60 # set after namespace create
67 NSA_CMD="ip netns exec ${NSA}"
68 NSB_CMD="ip netns exec ${NSB}"
# Select the binary stored in $ping6: the path `which` reports for ping6 when
# that lookup succeeds, otherwise the path it reports for plain ping.
# NOTE(review): `a && b || c` is not an if/else; the fallback also runs when the
# first assignment itself fails. The chosen path is whatever the caller's PATH
# resolves first, so PATH should be trusted when this runs privileged.
# An explicit if/else around `command -v` would make the resolution easier to audit.
70 which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)
72 ################################################################################
# Result accounting for one test case. The enclosing function header and some
# of its lines are not visible in this listing.
81 [ "${VERBOSE}" = "1" ] && echo
# A case counts as OK when the observed status equals the expected one, so a
# negative test (expected 1 or 2) passes when the command fails as predicted.
# NOTE(review): ${rc} and ${expected} are unquoted; an empty value makes `[`
# report a syntax error instead of comparing. Quoting both keeps a missing
# status from being misread.
83 if [ ${rc} -eq ${expected} ]; then
84 nsuccess=$((nsuccess+1))
85 printf "TEST: %-70s [ OK ]\n" "${msg}"
88 printf "TEST: %-70s [FAIL]\n" "${msg}"
# Optional interactive stop after a failure; 'q' aborts the run with status 1.
89 if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
91 echo "hit enter to continue, 'q' to quit"
93 [ "$a" = "q" ] && exit 1
# Optional interactive stop controlled by PAUSE, same 'q' handling.
97 if [ "${PAUSE}" = "yes" ]; then
99 echo "hit enter to continue, 'q' to quit"
101 [ "$a" = "q" ] && exit 1
115 astr=$(addr2str ${addr})
116 log_test $rc $expected "$msg - ${astr}"
122 echo "###########################################################################"
124 echo "###########################################################################"
131 echo "#################################################################"
138 # make sure we have no test instances running
141 if [ "${VERBOSE}" = "1" ]; then
143 echo "#######################################################"
149 if [ "${VERBOSE}" = "1" ]; then
158 if [ "${VERBOSE}" = "1" ]; then
# Terminate leftover test helpers. killall selects by process name, so every
# nettest, ping or ping6 process the caller is allowed to signal is hit, not
# only the ones this script started. Output and exit status are discarded, so
# "no process found" is silent.
# NOTE(review): on a shared or CI host, recording the PIDs of the background
# jobs started here and signalling only those would avoid killing unrelated
# processes with the same names.
166 killall nettest ping ping6 >/dev/null 2>&1
175 if [ "$VERBOSE" = "1" ]; then
176 echo "COMMAND: ${cmd}"
181 if [ "$VERBOSE" = "1" -a -n "$out" ]; then
# Run the caller's command inside ns-A / ns-B by prefixing NSA_CMD / NSB_CMD
# (both are `ip netns exec <namespace>` strings assigned earlier in the file).
# NOTE(review): `$*` is unquoted, so each argument is re-split on whitespace and
# glob-expanded before do_run_cmd receives it; `"$@"` would keep argument
# boundaries intact. do_run_cmd's body is not fully visible here, so confirm it
# does not depend on the flattened form before changing this.
190 do_run_cmd ${NSA_CMD} $*
195 do_run_cmd ${NSB_CMD} $*
205 if [ $rc -ne 0 ]; then
206 # show user the command if not done so already
207 if [ "$VERBOSE" = "0" ]; then
208 echo "setup command: $cmd"
210 echo "failed. stopping tests"
211 if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
213 echo "hit enter to continue"
227 if [ $rc -ne 0 ]; then
228 # show user the command if not done so already
229 if [ "$VERBOSE" = "0" ]; then
230 echo "setup command: $cmd"
232 echo "failed. stopping tests"
233 if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
235 echo "hit enter to continue"
242 # set sysctl values in NS-A
247 run_cmd sysctl -q -w $*
250 ################################################################################
256 127.0.0.1) echo "loopback";;
257 ::1) echo "IPv6 loopback";;
259 ${NSA_IP}) echo "ns-A IP";;
260 ${NSA_IP6}) echo "ns-A IPv6";;
261 ${NSA_LO_IP}) echo "ns-A loopback IP";;
262 ${NSA_LO_IP6}) echo "ns-A loopback IPv6";;
263 ${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;
265 ${NSB_IP}) echo "ns-B IP";;
266 ${NSB_IP6}) echo "ns-B IPv6";;
267 ${NSB_LO_IP}) echo "ns-B loopback IP";;
268 ${NSB_LO_IP6}) echo "ns-B loopback IPv6";;
269 ${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;
271 ${VRF_IP}) echo "VRF IP";;
272 ${VRF_IP6}) echo "VRF IPv6";;
274 ${MCAST}%*) echo "multicast IP";;
286 addr=$(ip -netns ${ns} -6 -br addr show dev ${dev} | \
288 for (i = 3; i <= NF; ++i) {
296 [ -z "$addr" ] && return 1
303 ################################################################################
304 # create namespaces and vrf
# Build a VRF device in namespace ${ns}, bound to routing table ${table}.
# The function header and variable assignments are not visible in this listing.
314 ip -netns ${ns} link add ${vrf} type vrf table ${table}
315 ip -netns ${ns} link set ${vrf} up
# Install an unreachable default (IPv4 and IPv6) in the VRF's table.
# Presumably this stops a failed lookup in the VRF table from falling through
# to other tables, which would leak traffic across L3 domains; confirm against
# the kernel VRF documentation.
316 ip -netns ${ns} route add vrf ${vrf} unreachable default metric 8192
317 ip -netns ${ns} -6 route add vrf ${vrf} unreachable default metric 8192
# Loopback-style addresses on the VRF device itself, then the optional
# caller-supplied addresses ("-" means none).
319 ip -netns ${ns} addr add 127.0.0.1/8 dev ${vrf}
320 ip -netns ${ns} -6 addr add ::1 dev ${vrf} nodad
321 if [ "${addr}" != "-" ]; then
322 ip -netns ${ns} addr add dev ${vrf} ${addr}
324 if [ "${addr6}" != "-" ]; then
325 ip -netns ${ns} -6 addr add dev ${vrf} ${addr6}
# Move the "lookup local" rule from preference 0 to 32765 for both families.
# Presumably this lets the VRF (l3mdev) rule be consulted before the local
# table; confirm. The change is confined to namespace ${ns} via `-netns`.
328 ip -netns ${ns} ru del pref 0
329 ip -netns ${ns} ru add pref 32765 from all lookup local
330 ip -netns ${ns} -6 ru del pref 0
331 ip -netns ${ns} -6 ru add pref 32765 from all lookup local
342 ip -netns ${ns} link set lo up
343 if [ "${addr}" != "-" ]; then
344 ip -netns ${ns} addr add dev lo ${addr}
346 if [ "${addr6}" != "-" ]; then
347 ip -netns ${ns} -6 addr add dev lo ${addr6}
350 ip -netns ${ns} ro add unreachable default metric 8192
351 ip -netns ${ns} -6 ro add unreachable default metric 8192
# Enable IPv4 forwarding, IPv6 forwarding (all + default) and
# keep_addr_on_down inside namespace ${ns}. Each write goes through
# `ip netns exec ${ns}`, so it is issued from within that namespace rather than
# the caller's. NOTE(review): the intent appears to be that the host's own
# forwarding settings stay untouched; confirm each key is per-namespace on the
# target kernel.
353 ip netns exec ${ns} sysctl -qw net.ipv4.ip_forward=1
354 ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
355 ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.forwarding=1
356 ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.forwarding=1
359 # create veth pair to connect namespaces and apply addresses.
371 ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp
372 ip -netns ${ns1} li set ${ns1_dev} up
373 ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev}
374 ip -netns ${ns2} li set ${ns2_dev} up
376 if [ "${ns1_addr}" != "-" ]; then
377 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr}
378 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr}
381 if [ "${ns1_addr6}" != "-" ]; then
382 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6}
383 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6}
389 # explicit cleanups to check those code paths
# NOTE(review): `grep -q ${NSA}` is an unquoted substring match over the
# namespace list, so a different namespace whose name merely contains ${NSA}
# also satisfies it. The deletes below are all scoped with `-netns ${NSA}`, so
# a false match should only produce errors, not touch another namespace.
390 ip netns | grep -q ${NSA}
391 if [ $? -eq 0 ]; then
# Tear down the VRF, its table, and the ns-A side of the link step by step
# instead of relying on namespace deletion alone.
392 ip -netns ${NSA} link delete ${VRF}
393 ip -netns ${NSA} ro flush table ${VRF_TABLE}
395 ip -netns ${NSA} addr flush dev ${NSA_DEV}
396 ip -netns ${NSA} -6 addr flush dev ${NSA_DEV}
397 ip -netns ${NSA} link set dev ${NSA_DEV} down
398 ip -netns ${NSA} link del dev ${NSA_DEV}
410 # make sure we are starting with a clean slate
414 log_debug "Configuring network namespaces"
417 create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128
418 create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128
419 connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \
420 ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
422 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
423 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
425 # tell ns-A how to get to remote addresses of ns-B
426 if [ "${with_vrf}" = "yes" ]; then
427 create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6}
429 ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
430 ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
431 ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
433 ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
434 ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
436 ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
437 ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
441 # tell ns-B how to get to remote addresses of ns-A
442 ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
443 ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
450 ################################################################################
460 for a in ${NSB_IP} ${NSB_LO_IP}
463 run_cmd ping -c1 -w1 ${a}
464 log_test_addr ${a} $? 0 "ping out"
467 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
468 log_test_addr ${a} $? 0 "ping out, device bind"
471 run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a}
472 log_test_addr ${a} $? 0 "ping out, address bind"
478 for a in ${NSA_IP} ${NSA_LO_IP}
481 run_cmd_nsb ping -c1 -w1 ${a}
482 log_test_addr ${a} $? 0 "ping in"
488 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
491 run_cmd ping -c1 -w1 ${a}
492 log_test_addr ${a} $? 0 "ping local"
496 # local traffic, socket bound to device
501 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
502 log_test_addr ${a} $? 0 "ping local, device bind"
504 # loopback addresses not reachable from device bind
505 # fails in a really weird way though because ipv4 special cases
506 # route lookups with oif set.
507 for a in ${NSA_LO_IP} 127.0.0.1
510 show_hint "Fails since address on loopback device is out of device scope"
511 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
512 log_test_addr ${a} $? 1 "ping local, device bind"
516 # ip rule blocks reachability to remote address
# Reorder the local-table rule, then add two prohibit rules: one matching
# traffic to ns-B's loopback address, one matching traffic from ns-B's address.
519 setup_cmd ip rule add pref 32765 from all lookup local
520 setup_cmd ip rule del pref 0 from all lookup local
521 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
522 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit
# Unbound ping is expected to exit 2 once the rule is in place.
525 run_cmd ping -c1 -w1 ${a}
526 log_test_addr ${a} $? 2 "ping out, blocked by rule"
# NOTE(review): per the author's note below, a socket bound to a device is not
# stopped by the prohibit rule on IPv4. Anyone using policy rules as a blocking
# control should account for device-bound senders. The case is commented out
# rather than asserted, so a change in this kernel behaviour would go unnoticed
# by the suite.
528 # NOTE: ipv4 actually allows the lookup to fail and yet still create
529 # a viable rtable if the oif (e.g., bind to device) is set, so this
530 # case succeeds despite the rule
531 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
535 show_hint "Response generates ICMP (or arp request is ignored) due to ip rule"
536 run_cmd_nsb ping -c1 -w1 ${a}
537 log_test_addr ${a} $? 1 "ping in, blocked by rule"
539 [ "$VERBOSE" = "1" ] && echo
540 setup_cmd ip rule del pref 32765 from all lookup local
541 setup_cmd ip rule add pref 0 from all lookup local
542 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
543 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit
546 # route blocks reachability to remote address
549 setup_cmd ip route replace unreachable ${NSB_LO_IP}
550 setup_cmd ip route replace unreachable ${NSB_IP}
553 run_cmd ping -c1 -w1 ${a}
554 log_test_addr ${a} $? 2 "ping out, blocked by route"
556 # NOTE: ipv4 actually allows the lookup to fail and yet still create
557 # a viable rtable if the oif (e.g., bind to device) is set, so this
558 # case succeeds despite not having a route for the address
559 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
563 show_hint "Response is dropped (or arp request is ignored) due to ip route"
564 run_cmd_nsb ping -c1 -w1 ${a}
565 log_test_addr ${a} $? 1 "ping in, blocked by route"
568 # remove 'remote' routes; fallback to default
571 setup_cmd ip ro del ${NSB_LO_IP}
574 run_cmd ping -c1 -w1 ${a}
575 log_test_addr ${a} $? 2 "ping out, unreachable default route"
577 # NOTE: ipv4 actually allows the lookup to fail and yet still create
578 # a viable rtable if the oif (e.g., bind to device) is set, so this
579 # case succeeds despite not having a route for the address
580 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
587 # should default on; does not exist on older kernels
588 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
593 for a in ${NSB_IP} ${NSB_LO_IP}
596 run_cmd ping -c1 -w1 -I ${VRF} ${a}
597 log_test_addr ${a} $? 0 "ping out, VRF bind"
600 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
601 log_test_addr ${a} $? 0 "ping out, device bind"
604 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a}
605 log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind"
608 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a}
609 log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind"
615 for a in ${NSA_IP} ${VRF_IP}
618 run_cmd_nsb ping -c1 -w1 ${a}
619 log_test_addr ${a} $? 0 "ping in"
623 # local traffic, local address
625 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
628 show_hint "Source address should be ${a}"
629 run_cmd ping -c1 -w1 -I ${VRF} ${a}
630 log_test_addr ${a} $? 0 "ping local, VRF bind"
634 # local traffic, socket bound to device
639 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
640 log_test_addr ${a} $? 0 "ping local, device bind"
642 # vrf device is out of scope
643 for a in ${VRF_IP} 127.0.0.1
646 show_hint "Fails since address on vrf device is out of device scope"
647 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
648 log_test_addr ${a} $? 1 "ping local, device bind"
652 # ip rule blocks address
655 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
656 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit
659 run_cmd ping -c1 -w1 -I ${VRF} ${a}
660 log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule"
663 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
664 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
668 show_hint "Response lost due to ip rule"
669 run_cmd_nsb ping -c1 -w1 ${a}
670 log_test_addr ${a} $? 1 "ping in, blocked by rule"
672 [ "$VERBOSE" = "1" ] && echo
673 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
674 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit
677 # remove 'remote' routes; fallback to default
680 setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP}
683 run_cmd ping -c1 -w1 -I ${VRF} ${a}
684 log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route"
687 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
688 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
692 show_hint "Response lost by unreachable route"
693 run_cmd_nsb ping -c1 -w1 ${a}
694 log_test_addr ${a} $? 1 "ping in, unreachable route"
699 log_section "IPv4 ping"
701 log_subsection "No VRF"
703 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null
706 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
709 log_subsection "With VRF"
714 ################################################################################
724 for a in ${NSA_IP} ${NSA_LO_IP}
729 run_cmd_nsb nettest -r ${a}
730 log_test_addr ${a} $? 0 "Global server"
735 run_cmd nettest -s -d ${NSA_DEV} &
737 run_cmd_nsb nettest -r ${a}
738 log_test_addr ${a} $? 0 "Device server"
740 # verify TCP reset sent and received
741 for a in ${NSA_IP} ${NSA_LO_IP}
744 show_hint "Should fail 'Connection refused' since there is no server"
745 run_cmd_nsb nettest -r ${a}
746 log_test_addr ${a} $? 1 "No server"
752 for a in ${NSB_IP} ${NSB_LO_IP}
755 run_cmd_nsb nettest -s &
757 run_cmd nettest -r ${a} -0 ${NSA_IP}
758 log_test_addr ${a} $? 0 "Client"
761 run_cmd_nsb nettest -s &
763 run_cmd nettest -r ${a} -d ${NSA_DEV}
764 log_test_addr ${a} $? 0 "Client, device bind"
767 show_hint "Should fail 'Connection refused'"
768 run_cmd nettest -r ${a}
769 log_test_addr ${a} $? 1 "No server, unbound client"
772 show_hint "Should fail 'Connection refused'"
773 run_cmd nettest -r ${a} -d ${NSA_DEV}
774 log_test_addr ${a} $? 1 "No server, device client"
778 # local address tests
780 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
785 run_cmd nettest -r ${a} -0 ${a} -1 ${a}
786 log_test_addr ${a} $? 0 "Global server, local connection"
791 run_cmd nettest -s -d ${NSA_DEV} &
793 run_cmd nettest -r ${a} -0 ${a}
794 log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
796 for a in ${NSA_LO_IP} 127.0.0.1
799 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
800 run_cmd nettest -s -d ${NSA_DEV} &
802 run_cmd nettest -r ${a}
803 log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
810 run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV}
811 log_test_addr ${a} $? 0 "Global server, device client, local connection"
813 for a in ${NSA_LO_IP} 127.0.0.1
816 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
819 run_cmd nettest -r ${a} -d ${NSA_DEV}
820 log_test_addr ${a} $? 1 "Global server, device client, local connection"
825 run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} &
827 run_cmd nettest -d ${NSA_DEV} -r ${a} -0 ${a}
828 log_test_addr ${a} $? 0 "Device server, device client, local connection"
831 show_hint "Should fail 'Connection refused'"
832 run_cmd nettest -d ${NSA_DEV} -r ${a}
833 log_test_addr ${a} $? 1 "No server, device client, local conn"
840 # disable global server
841 log_subsection "Global server disabled"
# With tcp_l3mdev_accept=0 the "Global server" case below expects rc 1: the
# client in ns-B should be refused (see the hint text). The line that starts
# the server for this case is not visible in this listing.
843 set_sysctl net.ipv4.tcp_l3mdev_accept=0
848 for a in ${NSA_IP} ${VRF_IP}
851 show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
854 run_cmd_nsb nettest -r ${a}
855 log_test_addr ${a} $? 1 "Global server"
858 run_cmd nettest -s -d ${VRF} -2 ${VRF} &
860 run_cmd_nsb nettest -r ${a}
861 log_test_addr ${a} $? 0 "VRF server"
864 run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} &
866 run_cmd_nsb nettest -r ${a}
867 log_test_addr ${a} $? 0 "Device server"
869 # verify TCP reset received
871 show_hint "Should fail 'Connection refused' since there is no server"
872 run_cmd_nsb nettest -r ${a}
873 log_test_addr ${a} $? 1 "No server"
876 # local address tests
877 # (${VRF_IP} and 127.0.0.1 both timeout)
880 show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
883 run_cmd nettest -r ${a} -d ${NSA_DEV}
884 log_test_addr ${a} $? 1 "Global server, local connection"
887 # enable VRF global server
889 log_subsection "VRF Global server enabled"
# With tcp_l3mdev_accept=1 a server started without `-d` (no device bind) is
# expected to accept the connection from ns-B: the case below expects rc 0.
# Operational note: this sysctl widens which L3 domains an unbound listener
# serves. A service that must stay confined to one VRF should bind to the VRF
# or device (the `-d ${VRF}` / `-d ${NSA_DEV}` server cases elsewhere in this
# file) instead of depending on the sysctl being 0.
890 set_sysctl net.ipv4.tcp_l3mdev_accept=1
892 for a in ${NSA_IP} ${VRF_IP}
895 show_hint "client socket should be bound to VRF"
896 run_cmd nettest -s -2 ${VRF} &
898 run_cmd_nsb nettest -r ${a}
899 log_test_addr ${a} $? 0 "Global server"
902 show_hint "client socket should be bound to VRF"
903 run_cmd nettest -s -d ${VRF} -2 ${VRF} &
905 run_cmd_nsb nettest -r ${a}
906 log_test_addr ${a} $? 0 "VRF server"
908 # verify TCP reset received
910 show_hint "Should fail 'Connection refused'"
911 run_cmd_nsb nettest -r ${a}
912 log_test_addr ${a} $? 1 "No server"
917 show_hint "client socket should be bound to device"
918 run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} &
920 run_cmd_nsb nettest -r ${a}
921 log_test_addr ${a} $? 0 "Device server"
923 # local address tests
924 for a in ${NSA_IP} ${VRF_IP}
927 show_hint "Should fail 'No route to host' since client is not bound to VRF"
928 run_cmd nettest -s -2 ${VRF} &
930 run_cmd nettest -r ${a}
931 log_test_addr ${a} $? 1 "Global server, local connection"
937 for a in ${NSB_IP} ${NSB_LO_IP}
940 run_cmd_nsb nettest -s &
942 run_cmd nettest -r ${a} -d ${VRF}
943 log_test_addr ${a} $? 0 "Client, VRF bind"
946 run_cmd_nsb nettest -s &
948 run_cmd nettest -r ${a} -d ${NSA_DEV}
949 log_test_addr ${a} $? 0 "Client, device bind"
952 show_hint "Should fail 'Connection refused'"
953 run_cmd nettest -r ${a} -d ${VRF}
954 log_test_addr ${a} $? 1 "No server, VRF client"
957 show_hint "Should fail 'Connection refused'"
958 run_cmd nettest -r ${a} -d ${NSA_DEV}
959 log_test_addr ${a} $? 1 "No server, device client"
962 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
965 run_cmd nettest -s -d ${VRF} -2 ${VRF} &
967 run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
968 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
973 run_cmd nettest -s -d ${VRF} -2 ${VRF} &
975 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
976 log_test_addr ${a} $? 0 "VRF server, device client, local connection"
979 show_hint "Should fail 'No route to host' since client is out of VRF scope"
980 run_cmd nettest -s -d ${VRF} &
982 run_cmd nettest -r ${a}
983 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"
986 run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} &
988 run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
989 log_test_addr ${a} $? 0 "Device server, VRF client, local connection"
992 run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} &
994 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
995 log_test_addr ${a} $? 0 "Device server, device client, local connection"
1000 log_section "IPv4/TCP"
1002 which nettest >/dev/null
1003 if [ $? -ne 0 ]; then
1004 log_error "nettest not found; skipping tests"
1008 log_subsection "No VRF"
1011 # tcp_l3mdev_accept should have no effect without VRF;
1012 # run tests with it enabled and disabled to verify
1013 log_subsection "tcp_l3mdev_accept disabled"
1014 set_sysctl net.ipv4.tcp_l3mdev_accept=0
1016 log_subsection "tcp_l3mdev_accept enabled"
1017 set_sysctl net.ipv4.tcp_l3mdev_accept=1
1020 log_subsection "With VRF"
1025 ################################################################################
1035 for a in ${NSA_IP} ${NSA_LO_IP}
1038 run_cmd nettest -D -s -2 ${NSA_DEV} &
1040 run_cmd_nsb nettest -D -r ${a}
1041 log_test_addr ${a} $? 0 "Global server"
1044 show_hint "Should fail 'Connection refused' since there is no server"
1045 run_cmd_nsb nettest -D -r ${a}
1046 log_test_addr ${a} $? 1 "No server"
1051 run_cmd nettest -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
1053 run_cmd_nsb nettest -D -r ${a}
1054 log_test_addr ${a} $? 0 "Device server"
1059 for a in ${NSB_IP} ${NSB_LO_IP}
1062 run_cmd_nsb nettest -D -s &
1064 run_cmd nettest -D -r ${a} -0 ${NSA_IP}
1065 log_test_addr ${a} $? 0 "Client"
1068 run_cmd_nsb nettest -D -s &
1070 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP}
1071 log_test_addr ${a} $? 0 "Client, device bind"
1074 run_cmd_nsb nettest -D -s &
1076 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP}
1077 log_test_addr ${a} $? 0 "Client, device send via cmsg"
1080 run_cmd_nsb nettest -D -s &
1082 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP}
1083 log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF"
1086 show_hint "Should fail 'Connection refused'"
1087 run_cmd nettest -D -r ${a}
1088 log_test_addr ${a} $? 1 "No server, unbound client"
1091 show_hint "Should fail 'Connection refused'"
1092 run_cmd nettest -D -r ${a} -d ${NSA_DEV}
1093 log_test_addr ${a} $? 1 "No server, device client"
1097 # local address tests
1099 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
1102 run_cmd nettest -D -s &
1104 run_cmd nettest -D -r ${a} -0 ${a} -1 ${a}
1105 log_test_addr ${a} $? 0 "Global server, local connection"
1110 run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} &
1112 run_cmd nettest -D -r ${a}
1113 log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
1115 for a in ${NSA_LO_IP} 127.0.0.1
1118 show_hint "Should fail 'Connection refused' since address is out of device scope"
1119 run_cmd nettest -s -D -d ${NSA_DEV} &
1121 run_cmd nettest -D -r ${a}
1122 log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
1127 run_cmd nettest -s -D &
1129 run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1130 log_test_addr ${a} $? 0 "Global server, device client, local connection"
1133 run_cmd nettest -s -D &
1135 run_cmd nettest -D -d ${NSA_DEV} -C -r ${a}
1136 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"
1139 run_cmd nettest -s -D &
1141 run_cmd nettest -D -d ${NSA_DEV} -S -r ${a}
1142 log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection"
1144 # IPv4 with device bind has really weird behavior - it overrides the
1145 # fib lookup, generates an rtable and tries to send the packet. This
1146 # causes failures for local traffic at different places
1147 for a in ${NSA_LO_IP} 127.0.0.1
1150 show_hint "Should fail since addresses on loopback are out of device scope"
1151 run_cmd nettest -D -s &
1153 run_cmd nettest -D -r ${a} -d ${NSA_DEV}
1154 log_test_addr ${a} $? 2 "Global server, device client, local connection"
1157 show_hint "Should fail since addresses on loopback are out of device scope"
1158 run_cmd nettest -D -s &
1160 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C
1161 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"
1164 show_hint "Should fail since addresses on loopback are out of device scope"
1165 run_cmd nettest -D -s &
1167 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S
1168 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
1173 run_cmd nettest -D -s -d ${NSA_DEV} -2 ${NSA_DEV} &
1175 run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a}
1176 log_test_addr ${a} $? 0 "Device server, device client, local conn"
1179 run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1180 log_test_addr ${a} $? 2 "No server, device client, local conn"
1187 # disable global server
1188 log_subsection "Global server disabled"
1189 set_sysctl net.ipv4.udp_l3mdev_accept=0
1194 for a in ${NSA_IP} ${VRF_IP}
1197 show_hint "Fails because ingress is in a VRF and global server is disabled"
1198 run_cmd nettest -D -s &
1200 run_cmd_nsb nettest -D -r ${a}
1201 log_test_addr ${a} $? 1 "Global server"
1204 run_cmd nettest -D -d ${VRF} -s -2 ${NSA_DEV} &
1206 run_cmd_nsb nettest -D -r ${a}
1207 log_test_addr ${a} $? 0 "VRF server"
1210 run_cmd nettest -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
1212 run_cmd_nsb nettest -D -r ${a}
1213 log_test_addr ${a} $? 0 "Enslaved device server"
1216 show_hint "Should fail 'Connection refused' since there is no server"
1217 run_cmd_nsb nettest -D -r ${a}
1218 log_test_addr ${a} $? 1 "No server"
1221 show_hint "Should fail 'Connection refused' since global server is out of scope"
1222 run_cmd nettest -D -s &
1224 run_cmd nettest -D -d ${VRF} -r ${a}
1225 log_test_addr ${a} $? 1 "Global server, VRF client, local connection"
1230 run_cmd nettest -s -D -d ${VRF} -2 ${NSA_DEV} &
1232 run_cmd nettest -D -d ${VRF} -r ${a}
1233 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1236 run_cmd nettest -s -D -d ${VRF} -2 ${NSA_DEV} &
1238 run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1239 log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection"
1243 run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} &
1245 run_cmd nettest -D -d ${VRF} -r ${a}
1246 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
1249 run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} &
1251 run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1252 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
1254 # enable global server
1255 log_subsection "Global server enabled"
# With udp_l3mdev_accept=1 a UDP server started without `-d` is expected to
# receive traffic from ns-B (rc 0 below).
# Operational note: as with the TCP counterpart, an unbound socket then serves
# traffic arriving in the VRF; bind to the VRF or device when a service must
# stay inside one L3 domain.
1256 set_sysctl net.ipv4.udp_l3mdev_accept=1
1261 for a in ${NSA_IP} ${VRF_IP}
1264 run_cmd nettest -D -s -2 ${NSA_DEV} &
1266 run_cmd_nsb nettest -D -r ${a}
1267 log_test_addr ${a} $? 0 "Global server"
1270 run_cmd nettest -D -d ${VRF} -s -2 ${NSA_DEV} &
1272 run_cmd_nsb nettest -D -r ${a}
1273 log_test_addr ${a} $? 0 "VRF server"
1276 run_cmd nettest -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
1278 run_cmd_nsb nettest -D -r ${a}
1279 log_test_addr ${a} $? 0 "Enslaved device server"
1282 show_hint "Should fail 'Connection refused'"
1283 run_cmd_nsb nettest -D -r ${a}
1284 log_test_addr ${a} $? 1 "No server"
1291 run_cmd_nsb nettest -D -s &
1293 run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP}
1294 log_test $? 0 "VRF client"
1297 run_cmd_nsb nettest -D -s &
1299 run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP}
1300 log_test $? 0 "Enslaved device client"
1302 # negative test - should fail
1304 show_hint "Should fail 'Connection refused'"
1305 run_cmd nettest -D -d ${VRF} -r ${NSB_IP}
1306 log_test $? 1 "No server, VRF client"
1309 show_hint "Should fail 'Connection refused'"
1310 run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP}
1311 log_test $? 1 "No server, enslaved device client"
1314 # local address tests
1318 run_cmd nettest -D -s -2 ${NSA_DEV} &
1320 run_cmd nettest -D -d ${VRF} -r ${a}
1321 log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
1324 run_cmd nettest -s -D -d ${VRF} -2 ${NSA_DEV} &
1326 run_cmd nettest -D -d ${VRF} -r ${a}
1327 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1330 run_cmd nettest -s -D -d ${VRF} -2 ${NSA_DEV} &
1332 run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1333 log_test_addr ${a} $? 0 "VRF server, device client, local conn"
1336 run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} &
1338 run_cmd nettest -D -d ${VRF} -r ${a}
1339 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
1342 run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} &
1344 run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1345 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
1347 for a in ${VRF_IP} 127.0.0.1
1350 run_cmd nettest -D -s -2 ${VRF} &
1352 run_cmd nettest -D -d ${VRF} -r ${a}
1353 log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
1356 for a in ${VRF_IP} 127.0.0.1
1359 run_cmd nettest -s -D -d ${VRF} -2 ${VRF} &
1361 run_cmd nettest -D -d ${VRF} -r ${a}
1362 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1365 # negative test - should fail
1366 # verifies ECONNREFUSED
1367 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
1370 show_hint "Should fail 'Connection refused'"
1371 run_cmd nettest -D -d ${VRF} -r ${a}
1372 log_test_addr ${a} $? 1 "No server, VRF client, local conn"
1378 which nettest >/dev/null
1379 if [ $? -ne 0 ]; then
1380 log_error "nettest not found; skipping tests"
1384 log_section "IPv4/UDP"
1385 log_subsection "No VRF"
1389 # udp_l3mdev_accept should have no effect without VRF;
1390 # run tests with it enabled and disabled to verify
1391 log_subsection "udp_l3mdev_accept disabled"
1392 set_sysctl net.ipv4.udp_l3mdev_accept=0
1394 log_subsection "udp_l3mdev_accept enabled"
1395 set_sysctl net.ipv4.udp_l3mdev_accept=1
1398 log_subsection "With VRF"
1403 ################################################################################
1406 # verifies ability or inability to bind to an address / device
1408 ipv4_addr_bind_novrf()
1413 for a in ${NSA_IP} ${NSA_LO_IP}
1416 run_cmd nettest -s -R -P icmp -l ${a} -b
1417 log_test_addr ${a} $? 0 "Raw socket bind to local address"
1420 run_cmd nettest -s -R -P icmp -l ${a} -d ${NSA_DEV} -b
1421 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
# TCP bind checks without a VRF: bind to local address ${a}, first with no
# device bind and then with `-d ${NSA_DEV}`; both are expected to succeed (rc 0).
1429 run_cmd nettest -l ${a} -r ${NSB_IP} -t1 -b
1430 log_test_addr ${a} $? 0 "TCP socket bind to local address"
1433 run_cmd nettest -l ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b
1434 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
# NOTE(review): the author's note below says a device bind does not restrict a
# later address bind beyond "valid in the L3 domain". Code that treats a device
# bind as a scoping control should therefore validate the local address itself.
# The negative case is commented out, so nothing in the suite currently pins
# this behaviour; keeping it live with the observed result would surface a
# kernel change.
1436 # Sadly, the kernel allows binding a socket to a device and then
1437 # binding to an address not on the device. The only restriction
1438 # is that the address is valid in the L3 domain. So this test
1439 # passes when it really should not
1442 #show_hint "Should fail with 'Cannot assign requested address'"
1443 #run_cmd nettest -s -l ${a} -d ${NSA_DEV} -t1 -b
1444 #log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
1447 ipv4_addr_bind_vrf()
1452 for a in ${NSA_IP} ${VRF_IP}
1455 run_cmd nettest -s -R -P icmp -l ${a} -b
1456 log_test_addr ${a} $? 0 "Raw socket bind to local address"
1459 run_cmd nettest -s -R -P icmp -l ${a} -d ${NSA_DEV} -b
1460 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
1462 run_cmd nettest -s -R -P icmp -l ${a} -d ${VRF} -b
1463 log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind"
1468 show_hint "Address on loopback is out of VRF scope"
1469 run_cmd nettest -s -R -P icmp -l ${a} -d ${VRF} -b
1470 log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind"
1475 for a in ${NSA_IP} ${VRF_IP}
1478 run_cmd nettest -s -l ${a} -d ${VRF} -t1 -b
1479 log_test_addr ${a} $? 0 "TCP socket bind to local address"
1482 run_cmd nettest -s -l ${a} -d ${NSA_DEV} -t1 -b
1483 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
1488 show_hint "Address on loopback out of scope for VRF"
1489 run_cmd nettest -s -l ${a} -d ${VRF} -t1 -b
1490 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"
1493 show_hint "Address on loopback out of scope for device in VRF"
1494 run_cmd nettest -s -l ${a} -d ${NSA_DEV} -t1 -b
1495 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
1500 log_section "IPv4 address binds"
1502 log_subsection "No VRF"
1504 ipv4_addr_bind_novrf
1506 log_subsection "With VRF"
1511 ################################################################################
1512 # IPv4 runtime tests
1518 local with_vrf="yes"
# Run-time case: start a server and a client in the background, then delete
# the VRF device while they may still be active.
1524 for a in ${NSA_IP} ${VRF_IP}
1527 run_cmd nettest ${varg} -s &
1529 run_cmd_nsb nettest ${varg} -r ${a} &
1531 run_cmd ip link del ${VRF}
# The result is logged with a literal rc of 0 against an expected 0, so this
# line always reports OK. Presumably the real pass criterion is that the kernel
# survives the delete; check the kernel log after the run, since a warning or
# oops would not show up in this tally.
1533 log_test_addr ${a} 0 0 "${desc}, global server"
1538 for a in ${NSA_IP} ${VRF_IP}
1541 run_cmd nettest ${varg} -s -d ${VRF} &
1543 run_cmd_nsb nettest ${varg} -r ${a} &
1545 run_cmd ip link del ${VRF}
1547 log_test_addr ${a} 0 0 "${desc}, VRF server"
1554 run_cmd nettest ${varg} -s -d ${NSA_DEV} &
1556 run_cmd_nsb nettest ${varg} -r ${a} &
1558 run_cmd ip link del ${VRF}
1560 log_test_addr ${a} 0 0 "${desc}, enslaved device server"
1568 run_cmd_nsb nettest ${varg} -s &
1570 run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} &
1572 run_cmd ip link del ${VRF}
1574 log_test_addr ${a} 0 0 "${desc}, VRF client"
1579 run_cmd_nsb nettest ${varg} -s &
1581 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} &
1583 run_cmd ip link del ${VRF}
1585 log_test_addr ${a} 0 0 "${desc}, enslaved device client"
1590 # local address tests
1592 for a in ${NSA_IP} ${VRF_IP}
1595 run_cmd nettest ${varg} -s &
1597 run_cmd nettest ${varg} -d ${VRF} -r ${a} &
1599 run_cmd ip link del ${VRF}
1601 log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local"
1606 for a in ${NSA_IP} ${VRF_IP}
1609 run_cmd nettest ${varg} -d ${VRF} -s &
1611 run_cmd nettest ${varg} -d ${VRF} -r ${a} &
1613 run_cmd ip link del ${VRF}
1615 log_test_addr ${a} 0 0 "${desc}, VRF server and client, local"
1622 run_cmd nettest ${varg} -s &
1624 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
1626 run_cmd ip link del ${VRF}
1628 log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local"
1633 run_cmd nettest ${varg} -d ${VRF} -s &
1635 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
1637 run_cmd ip link del ${VRF}
1639 log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local"
1644 run_cmd nettest ${varg} -d ${NSA_DEV} -s &
1646 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
1648 run_cmd ip link del ${VRF}
1650 log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local"
1655 local with_vrf="yes"
1658 for a in ${NSA_IP} ${VRF_IP}
1661 run_cmd_nsb ping -f ${a} &
1663 run_cmd ip link del ${VRF}
1665 log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"
1672 run_cmd ping -f -I ${VRF} ${a} &
1674 run_cmd ip link del ${VRF}
1676 log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
1681 log_section "Run time tests - ipv4"
1687 ipv4_rt "TCP active socket" "-n -1"
1690 ipv4_rt "TCP passive socket" "-i"
1693 ################################################################################
1700 # should not have an impact, but make a known state
1701 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null
1706 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
1709 run_cmd ${ping6} -c1 -w1 ${a}
1710 log_test_addr ${a} $? 0 "ping out"
1713 for a in ${NSB_IP6} ${NSB_LO_IP6}
1716 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
1717 log_test_addr ${a} $? 0 "ping out, device bind"
1720 run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a}
1721 log_test_addr ${a} $? 0 "ping out, loopback address bind"
1727 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
1730 run_cmd_nsb ${ping6} -c1 -w1 ${a}
1731 log_test_addr ${a} $? 0 "ping in"
1735 # local traffic, local address
1737 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
1740 run_cmd ${ping6} -c1 -w1 ${a}
1741 log_test_addr ${a} $? 0 "ping local, no bind"
1744 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
1747 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
1748 log_test_addr ${a} $? 0 "ping local, device bind"
1751 for a in ${NSA_LO_IP6} ::1
1754 show_hint "Fails since address on loopback is out of device scope"
1755 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
1756 log_test_addr ${a} $? 2 "ping local, device bind"
1760 # ip rule blocks address
1763 setup_cmd ip -6 rule add pref 32765 from all lookup local
1764 setup_cmd ip -6 rule del pref 0 from all lookup local
1765 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
1766 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit
1769 run_cmd ${ping6} -c1 -w1 ${a}
1770 log_test_addr ${a} $? 2 "ping out, blocked by rule"
1773 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
1774 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
1778 show_hint "Response lost due to ip rule"
1779 run_cmd_nsb ${ping6} -c1 -w1 ${a}
1780 log_test_addr ${a} $? 1 "ping in, blocked by rule"
1782 setup_cmd ip -6 rule add pref 0 from all lookup local
1783 setup_cmd ip -6 rule del pref 32765 from all lookup local
1784 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
1785 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit
1788 # route blocks reachability to remote address
1791 setup_cmd ip -6 route del ${NSB_LO_IP6}
1792 setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10
1793 setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10
1796 run_cmd ${ping6} -c1 -w1 ${a}
1797 log_test_addr ${a} $? 2 "ping out, blocked by route"
1800 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
1801 log_test_addr ${a} $? 2 "ping out, device bind, blocked by route"
1805 show_hint "Response lost due to ip route"
1806 run_cmd_nsb ${ping6} -c1 -w1 ${a}
1807 log_test_addr ${a} $? 1 "ping in, blocked by route"
1811 # remove 'remote' routes; fallback to default
1814 setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6}
1815 setup_cmd ip -6 ro del unreachable ${NSB_IP6}
1818 run_cmd ${ping6} -c1 -w1 ${a}
1819 log_test_addr ${a} $? 2 "ping out, unreachable route"
1822 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
1823 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
1830 # should default on; does not exist on older kernels
1831 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
1836 for a in ${NSB_IP6} ${NSB_LO_IP6}
1839 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
1840 log_test_addr ${a} $? 0 "ping out, VRF bind"
1843 for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF}
1846 show_hint "Fails since VRF device does not support linklocal or multicast"
1847 run_cmd ${ping6} -c1 -w1 ${a}
1848 log_test_addr ${a} $? 2 "ping out, VRF bind"
1851 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
1854 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
1855 log_test_addr ${a} $? 0 "ping out, device bind"
1858 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
1861 run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a}
1862 log_test_addr ${a} $? 0 "ping out, vrf device+address bind"
1868 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
1871 run_cmd_nsb ${ping6} -c1 -w1 ${a}
1872 log_test_addr ${a} $? 0 "ping in"
1877 show_hint "Fails since loopback address is out of VRF scope"
1878 run_cmd_nsb ${ping6} -c1 -w1 ${a}
1879 log_test_addr ${a} $? 1 "ping in"
1882 # local traffic, local address
1884 for a in ${NSA_IP6} ${VRF_IP6} ::1
1887 show_hint "Source address should be ${a}"
1888 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
1889 log_test_addr ${a} $? 0 "ping local, VRF bind"
1892 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
1895 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
1896 log_test_addr ${a} $? 0 "ping local, device bind"
1899 # LLA to GUA - remove ipv6 global addresses from ns-B
1900 setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
1901 setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo
1902 setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
# NOTE(review): the ping target is ${NSA_IP6} on every iteration, not ${a},
# so the result logged for ${VRF_IP6} only repeats the ${NSA_IP6} result.
# The route added in ns-B just before this loop covers ${NSA_IP6}/128 only,
# so this may be deliberate - confirm, and if so drop ${VRF_IP6} from the
# list so the log does not claim coverage the test does not have.
1904 for a in ${NSA_IP6} ${VRF_IP6}
1907 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
1908 log_test_addr ${a} $? 0 "ping in, LLA to GUA"
1911 setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
1912 setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV}
1913 setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo
1916 # ip rule blocks address
1919 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
1920 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit
1923 run_cmd ${ping6} -c1 -w1 ${a}
1924 log_test_addr ${a} $? 2 "ping out, blocked by rule"
1927 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
1928 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
1932 show_hint "Response lost due to ip rule"
1933 run_cmd_nsb ${ping6} -c1 -w1 ${a}
1934 log_test_addr ${a} $? 1 "ping in, blocked by rule"
1937 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
1938 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit
1941 # remove 'remote' routes; fallback to default
1944 setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF}
1947 run_cmd ${ping6} -c1 -w1 ${a}
1948 log_test_addr ${a} $? 2 "ping out, unreachable route"
1951 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
1952 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
# NOTE(review): this route delete calls ip directly instead of going through
# setup_cmd_nsb like the other ns-B changes in this file, so a failed delete
# is presumably neither logged nor fatal - confirm. If the delete fails, the
# rc 2 expected below no longer demonstrates an unreachable route.
1954 ip -netns ${NSB} -6 ro del ${NSA_LO_IP6}
1957 run_cmd_nsb ${ping6} -c1 -w1 ${a}
1958 log_test_addr ${a} $? 2 "ping in, unreachable route"
1963 log_section "IPv6 ping"
1965 log_subsection "No VRF"
1969 log_subsection "With VRF"
1974 ################################################################################
1984 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
1987 run_cmd nettest -6 -s &
1989 run_cmd_nsb nettest -6 -r ${a}
1990 log_test_addr ${a} $? 0 "Global server"
1993 # verify TCP reset received
1994 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
1997 show_hint "Should fail 'Connection refused'"
1998 run_cmd_nsb nettest -6 -r ${a}
1999 log_test_addr ${a} $? 1 "No server"
2005 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2008 run_cmd_nsb nettest -6 -s &
2010 run_cmd nettest -6 -r ${a}
2011 log_test_addr ${a} $? 0 "Client"
2014 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2017 run_cmd_nsb nettest -6 -s &
2019 run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2020 log_test_addr ${a} $? 0 "Client, device bind"
2023 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2026 show_hint "Should fail 'Connection refused'"
2027 run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2028 log_test_addr ${a} $? 1 "No server, device client"
2032 # local address tests
2034 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
2037 run_cmd nettest -6 -s &
2039 run_cmd nettest -6 -r ${a}
2040 log_test_addr ${a} $? 0 "Global server, local connection"
2045 run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} &
2047 run_cmd nettest -6 -r ${a} -0 ${a}
2048 log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
2050 for a in ${NSA_LO_IP6} ::1
2053 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
2054 run_cmd nettest -6 -s -d ${NSA_DEV} &
2056 run_cmd nettest -6 -r ${a}
2057 log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
2062 run_cmd nettest -6 -s &
2064 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
2065 log_test_addr ${a} $? 0 "Global server, device client, local connection"
2067 for a in ${NSA_LO_IP6} ::1
2070 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
2071 run_cmd nettest -6 -s &
2073 run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2074 log_test_addr ${a} $? 1 "Global server, device client, local connection"
2077 for a in ${NSA_IP6} ${NSA_LINKIP6}
2080 run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} &
2082 run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
2083 log_test_addr ${a} $? 0 "Device server, device client, local conn"
2086 for a in ${NSA_IP6} ${NSA_LINKIP6}
2089 show_hint "Should fail 'Connection refused'"
2090 run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
2091 log_test_addr ${a} $? 1 "No server, device client, local conn"
2099 # disable global server
2100 log_subsection "Global server disabled"
# Isolation check: with tcp_l3mdev_accept=0 a server that is not bound to a
# device ("Global server") must not accept a connection from ns-B, so the
# client is expected to fail with rc 1. A client that connects here would
# mean the unbound socket is reachable across the VRF boundary.
# The net.ipv4 knob is the one this file sets for the IPv6 tests as well.
2102 set_sysctl net.ipv4.tcp_l3mdev_accept=0
2107 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2110 show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
2111 run_cmd nettest -6 -s &
2113 run_cmd_nsb nettest -6 -r ${a}
2114 log_test_addr ${a} $? 1 "Global server"
2117 for a in ${NSA_IP6} ${VRF_IP6}
2120 run_cmd nettest -6 -s -d ${VRF} -2 ${VRF} &
2122 run_cmd_nsb nettest -6 -r ${a}
2123 log_test_addr ${a} $? 0 "VRF server"
2126 # link local is always bound to ingress device
2127 a=${NSA_LINKIP6}%${NSB_DEV}
2129 run_cmd nettest -6 -s -d ${VRF} -2 ${NSA_DEV} &
2131 run_cmd_nsb nettest -6 -r ${a}
2132 log_test_addr ${a} $? 0 "VRF server"
2134 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2137 run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} &
2139 run_cmd_nsb nettest -6 -r ${a}
2140 log_test_addr ${a} $? 0 "Device server"
2143 # verify TCP reset received
2144 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2147 show_hint "Should fail 'Connection refused'"
2148 run_cmd_nsb nettest -6 -r ${a}
2149 log_test_addr ${a} $? 1 "No server"
2152 # local address tests
2155 show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
2156 run_cmd nettest -6 -s &
2158 run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2159 log_test_addr ${a} $? 1 "Global server, local connection"
2162 # enable VRF global server
2164 log_subsection "VRF Global server enabled"
2165 set_sysctl net.ipv4.tcp_l3mdev_accept=1
2167 for a in ${NSA_IP6} ${VRF_IP6}
2170 run_cmd nettest -6 -s -2 ${VRF} &
2172 run_cmd_nsb nettest -6 -r ${a}
2173 log_test_addr ${a} $? 0 "Global server"
2176 for a in ${NSA_IP6} ${VRF_IP6}
2179 run_cmd nettest -6 -s -d ${VRF} -2 ${VRF} &
2181 run_cmd_nsb nettest -6 -r ${a}
2182 log_test_addr ${a} $? 0 "VRF server"
2185 # For LLA, child socket is bound to device
2186 a=${NSA_LINKIP6}%${NSB_DEV}
2188 run_cmd nettest -6 -s -2 ${NSA_DEV} &
2190 run_cmd_nsb nettest -6 -r ${a}
2191 log_test_addr ${a} $? 0 "Global server"
2194 run_cmd nettest -6 -s -d ${VRF} -2 ${NSA_DEV} &
2196 run_cmd_nsb nettest -6 -r ${a}
2197 log_test_addr ${a} $? 0 "VRF server"
2199 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2202 run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} &
2204 run_cmd_nsb nettest -6 -r ${a}
2205 log_test_addr ${a} $? 0 "Device server"
2208 # verify TCP reset received
2209 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2212 show_hint "Should fail 'Connection refused'"
2213 run_cmd_nsb nettest -6 -r ${a}
2214 log_test_addr ${a} $? 1 "No server"
2217 # local address tests
2218 for a in ${NSA_IP6} ${VRF_IP6}
2221 show_hint "Fails 'No route to host' since client is not in VRF"
2222 run_cmd nettest -6 -s -2 ${VRF} &
2224 run_cmd nettest -6 -r ${a}
2225 log_test_addr ${a} $? 1 "Global server, local connection"
2232 for a in ${NSB_IP6} ${NSB_LO_IP6}
2235 run_cmd_nsb nettest -6 -s &
2237 run_cmd nettest -6 -r ${a} -d ${VRF}
2238 log_test_addr ${a} $? 0 "Client, VRF bind"
2243 show_hint "Fails since VRF device does not allow linklocal addresses"
2244 run_cmd_nsb nettest -6 -s &
2246 run_cmd nettest -6 -r ${a} -d ${VRF}
2247 log_test_addr ${a} $? 1 "Client, VRF bind"
2249 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}
2252 run_cmd_nsb nettest -6 -s &
2254 run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2255 log_test_addr ${a} $? 0 "Client, device bind"
2258 for a in ${NSB_IP6} ${NSB_LO_IP6}
2261 show_hint "Should fail 'Connection refused'"
2262 run_cmd nettest -6 -r ${a} -d ${VRF}
2263 log_test_addr ${a} $? 1 "No server, VRF client"
2266 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}
2269 show_hint "Should fail 'Connection refused'"
2270 run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2271 log_test_addr ${a} $? 1 "No server, device client"
2274 for a in ${NSA_IP6} ${VRF_IP6} ::1
2277 run_cmd nettest -6 -s -d ${VRF} -2 ${VRF} &
2279 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
2280 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
2285 run_cmd nettest -6 -s -d ${VRF} -2 ${VRF} &
2287 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
2288 log_test_addr ${a} $? 0 "VRF server, device client, local connection"
2292 show_hint "Should fail since unbound client is out of VRF scope"
2293 run_cmd nettest -6 -s -d ${VRF} &
2295 run_cmd nettest -6 -r ${a}
2296 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"
2299 run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} &
2301 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
2302 log_test_addr ${a} $? 0 "Device server, VRF client, local connection"
2304 for a in ${NSA_IP6} ${NSA_LINKIP6}
2307 run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} &
2309 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
2310 log_test_addr ${a} $? 0 "Device server, device client, local connection"
2316 log_section "IPv6/TCP"
# Skip this section when the nettest helper is not on PATH.
# NOTE(review): 'command -v nettest >/dev/null' is the portable spelling;
# 'which' is an external tool and its stderr is not silenced here.
2318 which nettest >/dev/null
2319 if [ $? -ne 0 ]; then
2320 log_error "nettest not found; skipping tests"
2324 log_subsection "No VRF"
2327 # tcp_l3mdev_accept should have no effect without VRF;
2328 # run tests with it enabled and disabled to verify
2329 log_subsection "tcp_l3mdev_accept disabled"
2330 set_sysctl net.ipv4.tcp_l3mdev_accept=0
2332 log_subsection "tcp_l3mdev_accept enabled"
2333 set_sysctl net.ipv4.tcp_l3mdev_accept=1
2336 log_subsection "With VRF"
2341 ################################################################################
2351 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2354 run_cmd nettest -6 -D -s -2 ${NSA_DEV} &
2356 run_cmd_nsb nettest -6 -D -r ${a}
2357 log_test_addr ${a} $? 0 "Global server"
2360 run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
2362 run_cmd_nsb nettest -6 -D -r ${a}
2363 log_test_addr ${a} $? 0 "Device server"
2368 run_cmd nettest -6 -D -s -2 ${NSA_DEV} &
2370 run_cmd_nsb nettest -6 -D -r ${a}
2371 log_test_addr ${a} $? 0 "Global server"
2373 # should fail since loopback address is out of scope for a device
2374 # bound server, but it does not - hence this is more documenting
2377 #show_hint "Should fail since loopback address is out of scope"
2378 #run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
2380 #run_cmd_nsb nettest -6 -D -r ${a}
2381 #log_test_addr ${a} $? 1 "Device server"
2383 # negative test - should fail
2384 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2387 show_hint "Should fail 'Connection refused' since there is no server"
2388 run_cmd_nsb nettest -6 -D -r ${a}
2389 log_test_addr ${a} $? 1 "No server"
2395 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2398 run_cmd_nsb nettest -6 -D -s &
2400 run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6}
2401 log_test_addr ${a} $? 0 "Client"
2404 run_cmd_nsb nettest -6 -D -s &
2406 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6}
2407 log_test_addr ${a} $? 0 "Client, device bind"
2410 run_cmd_nsb nettest -6 -D -s &
2412 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6}
2413 log_test_addr ${a} $? 0 "Client, device send via cmsg"
2416 run_cmd_nsb nettest -6 -D -s &
2418 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6}
2419 log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF"
2422 show_hint "Should fail 'Connection refused'"
2423 run_cmd nettest -6 -D -r ${a}
2424 log_test_addr ${a} $? 1 "No server, unbound client"
2427 show_hint "Should fail 'Connection refused'"
2428 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
2429 log_test_addr ${a} $? 1 "No server, device client"
2433 # local address tests
2435 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
2438 run_cmd nettest -6 -D -s &
2440 run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a}
2441 log_test_addr ${a} $? 0 "Global server, local connection"
2446 run_cmd nettest -6 -s -D -d ${NSA_DEV} -2 ${NSA_DEV} &
2448 run_cmd nettest -6 -D -r ${a}
2449 log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
2451 for a in ${NSA_LO_IP6} ::1
2454 show_hint "Should fail 'Connection refused' since address is out of device scope"
2455 run_cmd nettest -6 -s -D -d ${NSA_DEV} &
2457 run_cmd nettest -6 -D -r ${a}
2458 log_test_addr ${a} $? 1 "Device server, local connection"
2463 run_cmd nettest -6 -s -D &
2465 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
2466 log_test_addr ${a} $? 0 "Global server, device client, local connection"
2469 run_cmd nettest -6 -s -D &
2471 run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a}
2472 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"
2475 run_cmd nettest -6 -s -D &
2477 run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a}
2478 log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection"
2480 for a in ${NSA_LO_IP6} ::1
2483 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
2484 run_cmd nettest -6 -D -s &
2486 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
2487 log_test_addr ${a} $? 1 "Global server, device client, local connection"
2490 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
2491 run_cmd nettest -6 -D -s &
2493 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C
2494 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"
# Negative case: the client is bound to ${NSA_DEV} with -S and is expected
# to fail (rc 1) for an address the hint describes as out of device scope.
# NOTE(review): the label below says IP_UNICAST_IF, while the other -S cases
# in this IPv6/UDP section are labelled IPV6_UNICAST_IF; the label looks like
# a leftover from the IPv4 tests and makes this result harder to find in the
# log - confirm and align.
2497 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
2498 run_cmd nettest -6 -D -s &
2500 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S
2501 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
2506 run_cmd nettest -6 -D -s -d ${NSA_DEV} -2 ${NSA_DEV} &
2508 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a}
2509 log_test_addr ${a} $? 0 "Device server, device client, local conn"
2512 show_hint "Should fail 'Connection refused'"
2513 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
2514 log_test_addr ${a} $? 1 "No server, device client, local conn"
2517 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
2518 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
2520 run_cmd nettest -6 -s -D &
2522 run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
2523 log_test $? 0 "UDP in - LLA to GUA"
2525 run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
2526 run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
2533 # disable global server
2534 log_subsection "Global server disabled"
2535 set_sysctl net.ipv4.udp_l3mdev_accept=0
2540 for a in ${NSA_IP6} ${VRF_IP6}
2543 show_hint "Should fail 'Connection refused' since global server is disabled"
2544 run_cmd nettest -6 -D -s &
2546 run_cmd_nsb nettest -6 -D -r ${a}
2547 log_test_addr ${a} $? 1 "Global server"
2550 for a in ${NSA_IP6} ${VRF_IP6}
2553 run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} &
2555 run_cmd_nsb nettest -6 -D -r ${a}
2556 log_test_addr ${a} $? 0 "VRF server"
2559 for a in ${NSA_IP6} ${VRF_IP6}
2562 run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
2564 run_cmd_nsb nettest -6 -D -r ${a}
2565 log_test_addr ${a} $? 0 "Enslaved device server"
2568 # negative test - should fail
2569 for a in ${NSA_IP6} ${VRF_IP6}
2572 show_hint "Should fail 'Connection refused' since there is no server"
2573 run_cmd_nsb nettest -6 -D -r ${a}
2574 log_test_addr ${a} $? 1 "No server"
2578 # local address tests
2580 for a in ${NSA_IP6} ${VRF_IP6}
2583 show_hint "Should fail 'Connection refused' since global server is disabled"
2584 run_cmd nettest -6 -D -s &
2586 run_cmd nettest -6 -D -d ${VRF} -r ${a}
2587 log_test_addr ${a} $? 1 "Global server, VRF client, local conn"
2590 for a in ${NSA_IP6} ${VRF_IP6}
2593 run_cmd nettest -6 -D -d ${VRF} -s &
2595 run_cmd nettest -6 -D -d ${VRF} -r ${a}
2596 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
2601 show_hint "Should fail 'Connection refused' since global server is disabled"
2602 run_cmd nettest -6 -D -s &
2604 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
2605 log_test_addr ${a} $? 1 "Global server, device client, local conn"
2608 run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} &
2610 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
2611 log_test_addr ${a} $? 0 "VRF server, device client, local conn"
2614 run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
2616 run_cmd nettest -6 -D -d ${VRF} -r ${a}
2617 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
2620 run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
2622 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
2623 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
2625 # enable global server
2626 log_subsection "Global server enabled"
2627 set_sysctl net.ipv4.udp_l3mdev_accept=1
2632 for a in ${NSA_IP6} ${VRF_IP6}
2635 run_cmd nettest -6 -D -s -2 ${NSA_DEV} &
2637 run_cmd_nsb nettest -6 -D -r ${a}
2638 log_test_addr ${a} $? 0 "Global server"
2641 for a in ${NSA_IP6} ${VRF_IP6}
2644 run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} &
2646 run_cmd_nsb nettest -6 -D -r ${a}
2647 log_test_addr ${a} $? 0 "VRF server"
2650 for a in ${NSA_IP6} ${VRF_IP6}
2653 run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
2655 run_cmd_nsb nettest -6 -D -r ${a}
2656 log_test_addr ${a} $? 0 "Enslaved device server"
2659 # negative test - should fail
2660 for a in ${NSA_IP6} ${VRF_IP6}
2663 run_cmd_nsb nettest -6 -D -r ${a}
2664 log_test_addr ${a} $? 1 "No server"
2671 run_cmd_nsb nettest -6 -D -s &
2673 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
2674 log_test $? 0 "VRF client"
2676 # negative test - should fail
2678 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
2679 log_test $? 1 "No server, VRF client"
2682 run_cmd_nsb nettest -6 -D -s &
2684 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
2685 log_test $? 0 "Enslaved device client"
2687 # negative test - should fail
2689 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
2690 log_test $? 1 "No server, enslaved device client"
2693 # local address tests
2697 run_cmd nettest -6 -D -s -2 ${NSA_DEV} &
2699 run_cmd nettest -6 -D -d ${VRF} -r ${a}
2700 log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
2703 run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} &
2705 run_cmd nettest -6 -D -d ${VRF} -r ${a}
2706 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
2711 run_cmd nettest -6 -D -s -2 ${VRF} &
2713 run_cmd nettest -6 -D -d ${VRF} -r ${a}
2714 log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
2717 run_cmd nettest -6 -D -d ${VRF} -s -2 ${VRF} &
2719 run_cmd nettest -6 -D -d ${VRF} -r ${a}
2720 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
2722 # negative test - should fail
2723 for a in ${NSA_IP6} ${VRF_IP6}
2726 run_cmd nettest -6 -D -d ${VRF} -r ${a}
2727 log_test_addr ${a} $? 1 "No server, VRF client, local conn"
2730 # device to global IP
2733 run_cmd nettest -6 -D -s -2 ${NSA_DEV} &
2735 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
2736 log_test_addr ${a} $? 0 "Global server, device client, local conn"
2739 run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} &
2741 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
2742 log_test_addr ${a} $? 0 "VRF server, device client, local conn"
2745 run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
2747 run_cmd nettest -6 -D -d ${VRF} -r ${a}
2748 log_test_addr ${a} $? 0 "Device server, VRF client, local conn"
2751 run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
2753 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
2754 log_test_addr ${a} $? 0 "Device server, device client, local conn"
2757 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
2758 log_test_addr ${a} $? 1 "No server, device client, local conn"
2761 # link local addresses
2763 run_cmd nettest -6 -D -s &
2765 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
2766 log_test $? 0 "Global server, linklocal IP"
2769 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
2770 log_test $? 1 "No server, linklocal IP"
2774 run_cmd_nsb nettest -6 -D -s &
2776 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
2777 log_test $? 0 "Enslaved device client, linklocal IP"
2780 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
2781 log_test $? 1 "No server, device client, peer linklocal IP"
2785 run_cmd nettest -6 -D -s &
2787 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
2788 log_test $? 0 "Enslaved device client, local conn - linklocal IP"
2791 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
2792 log_test $? 1 "No server, device client, local conn - linklocal IP"
2795 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
2796 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
2798 run_cmd nettest -6 -s -D &
2800 run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
2801 log_test $? 0 "UDP in - LLA to GUA"
2803 run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
2804 run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
2809 # should not matter, but set to known state
2810 set_sysctl net.ipv4.udp_early_demux=1
2812 log_section "IPv6/UDP"
2813 log_subsection "No VRF"
2816 # udp_l3mdev_accept should have no effect without VRF;
2817 # run tests with it enabled and disabled to verify
2818 log_subsection "udp_l3mdev_accept disabled"
2819 set_sysctl net.ipv4.udp_l3mdev_accept=0
2821 log_subsection "udp_l3mdev_accept enabled"
2822 set_sysctl net.ipv4.udp_l3mdev_accept=1
2825 log_subsection "With VRF"
2830 ################################################################################
2833 ipv6_addr_bind_novrf()
2838 for a in ${NSA_IP6} ${NSA_LO_IP6}
2841 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
2842 log_test_addr ${a} $? 0 "Raw socket bind to local address"
2845 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -d ${NSA_DEV} -b
2846 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
2854 run_cmd nettest -6 -s -l ${a} -t1 -b
2855 log_test_addr ${a} $? 0 "TCP socket bind to local address"
2858 run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b
2859 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
2863 show_hint "Should fail with 'Cannot assign requested address'"
2864 run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b
2865 log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
2868 ipv6_addr_bind_vrf()
2873 for a in ${NSA_IP6} ${VRF_IP6}
2876 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -d ${VRF} -b
2877 log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"
2880 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -d ${NSA_DEV} -b
2881 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
2886 show_hint "Address on loopback is out of VRF scope"
2887 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -d ${VRF} -b
2888 log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"
2893 # address on enslaved device is valid for the VRF or device in a VRF
2894 for a in ${NSA_IP6} ${VRF_IP6}
2897 run_cmd nettest -6 -s -l ${a} -d ${VRF} -t1 -b
2898 log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
2903 run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b
2904 log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"
2908 run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b
2909 log_test_addr ${a} $? 1 "TCP socket bind to VRF address with device bind"
2913 show_hint "Address on loopback out of scope for VRF"
2914 run_cmd nettest -6 -s -l ${a} -d ${VRF} -t1 -b
2915 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"
2918 show_hint "Address on loopback out of scope for device in VRF"
2919 run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b
2920 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
2926 log_section "IPv6 address binds"
2928 log_subsection "No VRF"
2930 ipv6_addr_bind_novrf
2932 log_subsection "With VRF"
2937 ################################################################################
2938 # IPv6 runtime tests
# Body of the runtime helper that is invoked further down as
#   ipv6_rt "<description>" "<nettest options>"
# The function header and the lines between the numbered ones are not part of
# this listing; ${desc} and ${varg} presumably come from those two arguments
# (TODO confirm against the full file).
#
# Every case has the same shape: start a nettest server in the background,
# start a client in the background, then delete the VRF device while both are
# still running.
#
# NOTE(review): each case reports with rc=0 and expected=0, and log_test counts
# a case as OK when rc equals expected, so these entries are recorded as OK
# whenever the script reaches them. A regression here would presumably surface
# as a hang, an oops or a warning in the kernel log rather than as a [FAIL]
# line, so the kernel log needs to be reviewed together with the counters.
2944 local with_vrf="yes"
# Server in ns-A without a device bind; client started through run_cmd_nsb.
2950 for a in ${NSA_IP6} ${VRF_IP6}
2953 run_cmd nettest ${varg} -s &
2955 run_cmd_nsb nettest ${varg} -r ${a} &
2957 run_cmd ip link del ${VRF}
2959 log_test_addr ${a} 0 0 "${desc}, global server"
# Server bound to the VRF device with -d.
2964 for a in ${NSA_IP6} ${VRF_IP6}
2967 run_cmd nettest ${varg} -d ${VRF} -s &
2969 run_cmd_nsb nettest ${varg} -r ${a} &
2971 run_cmd ip link del ${VRF}
2973 log_test_addr ${a} 0 0 "${desc}, VRF server"
# Server bound to the device enslaved to the VRF.
2978 for a in ${NSA_IP6} ${VRF_IP6}
2981 run_cmd nettest ${varg} -d ${NSA_DEV} -s &
2983 run_cmd_nsb nettest ${varg} -r ${a} &
2985 run_cmd ip link del ${VRF}
2987 log_test_addr ${a} 0 0 "${desc}, enslaved device server"
# Roles swapped: the server is started through run_cmd_nsb and the client in
# ns-A connects to ${NSB_IP6}, first bound to the VRF, then to the enslaved
# device.
2996 run_cmd_nsb nettest ${varg} -s &
2998 run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
3000 run_cmd ip link del ${VRF}
3002 log_test 0 0 "${desc}, VRF client"
3007 run_cmd_nsb nettest ${varg} -s &
3009 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
3011 run_cmd ip link del ${VRF}
3013 log_test 0 0 "${desc}, enslaved device client"
# From here on server and client are both started through run_cmd, i.e. the
# traffic stays local to one namespace.
3019 # local address tests
3021 for a in ${NSA_IP6} ${VRF_IP6}
3024 run_cmd nettest ${varg} -s &
3026 run_cmd nettest ${varg} -d ${VRF} -r ${a} &
3028 run_cmd ip link del ${VRF}
3030 log_test_addr ${a} 0 0 "${desc}, global server, VRF client"
3035 for a in ${NSA_IP6} ${VRF_IP6}
3038 run_cmd nettest ${varg} -d ${VRF} -s &
3040 run_cmd nettest ${varg} -d ${VRF} -r ${a} &
3042 run_cmd ip link del ${VRF}
3044 log_test_addr ${a} 0 0 "${desc}, VRF server and client"
# The remaining cases use ${a} as well; the line that assigns it is not shown
# in this listing.
3051 run_cmd nettest ${varg} -s &
3053 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3055 run_cmd ip link del ${VRF}
3057 log_test_addr ${a} 0 0 "${desc}, global server, device client"
3062 run_cmd nettest ${varg} -d ${VRF} -s &
3064 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3066 run_cmd ip link del ${VRF}
3068 log_test_addr ${a} 0 0 "${desc}, VRF server, device client"
3073 run_cmd nettest ${varg} -d ${NSA_DEV} -s &
3075 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3077 run_cmd ip link del ${VRF}
3079 log_test_addr ${a} 0 0 "${desc}, device server, device client"
# Device delete under ICMPv6 load: a flood ping (-f) is left running in the
# background while the VRF device is removed. The function header and the
# lines between the numbered ones are not part of this listing.
# NOTE(review): both results are logged with rc=0 and expected=0, so they are
# counted as OK whenever the script reaches them; the pass/fail counters do not
# show what the kernel did during the delete.
3084 local with_vrf="yes"
# Inbound direction: the flood ping is started through run_cmd_nsb towards ${a}.
3089 run_cmd_nsb ${ping6} -f ${a} &
3091 run_cmd ip link del ${VRF}
3093 log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"
# Outbound direction: ping from ns-A to ${NSB_IP6}, bound to the VRF with -I.
3098 run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
3100 run_cmd ip link del ${VRF}
# NOTE(review): the result label is built from ${a} although this ping targets
# ${NSB_IP6}, so the address printed in the report is not the one pinged.
3102 log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
# Driver lines for the IPv6 runtime tests. Each ipv6_rt call passes a label
# used in the result lines and the nettest option string for that socket type.
# The lines between the numbered ones are not part of this listing.
3107 log_section "Run time tests - ipv6"
3113 ipv6_rt "TCP active socket" "-n -1"
3116 ipv6_rt "TCP passive socket" "-i"
3119 ipv6_rt "UDP active socket" "-D -n -1"
3122 ################################################################################
3123 # netfilter blocking connections
# Negative test for the IPv4 REJECT/tcp-reset rule: for each address a nettest
# server is started in the background and a client connects to it through
# run_cmd_nsb. The braces and loop keywords are not part of this listing.
# The expected exit status is 1, so the case passes only when the client's
# connection attempt fails. log_test compares nothing but the exit status, so
# any other client failure that exits 1 is counted as a pass too; a packet
# capture or the rule's packet counters would be needed to tell them apart.
3125 netfilter_tcp_reset()
3129 for a in ${NSA_IP} ${VRF_IP}
3132 run_cmd nettest -s &
3134 run_cmd_nsb nettest -r ${a}
3135 log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
# Negative test for the IPv4 REJECT/icmp-port-unreachable rules. The function
# header is not part of this listing; ${stype} is presumably the "TCP"/"UDP"
# argument passed by the caller (TODO confirm).
# -D is added to the nettest options only for the UDP run.
3145 [ "${stype}" = "UDP" ] && arg="-D"
3147 for a in ${NSA_IP} ${VRF_IP}
3150 run_cmd nettest ${arg} -s &
3152 run_cmd_nsb nettest ${arg} -r ${a}
# Expected exit status is 1: the case passes only when the client fails.
3153 log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
# Driver lines for the IPv4 netfilter tests. The function header and the lines
# between the numbered ones are not part of this listing.
# The whole set is skipped with an error message when nettest is not on PATH.
3159 which nettest >/dev/null
3160 if [ $? -ne 0 ]; then
3161 log_error "nettest not found; skipping tests"
3165 log_section "IPv4 Netfilter"
3166 log_subsection "TCP reset"
# The rules are appended to INPUT through run_cmd.
# NOTE(review): presumably run_cmd executes inside ns-A (see NSA_CMD); verify
# that, so that the host's own ruleset is never modified by a test run.
3169 run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset
3174 log_subsection "ICMP unreachable"
# NOTE(review): the IPv6 counterpart flushes its ruleset before adding the ICMP
# rules; no flush is visible here in this listing. Confirm in the full file
# that the tcp-reset rule is gone at this point, otherwise the TCP run below
# would be matched by it first and would not exercise the ICMP verdict.
3178 run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
3179 run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
3181 netfilter_icmp "TCP"
3182 netfilter_icmp "UDP"
# Negative test for the IPv6 REJECT/tcp-reset rule: for each address a nettest
# server is started in the background and a client connects to it through
# run_cmd_nsb. The braces and loop keywords are not part of this listing.
# The expected exit status is 1, so the case passes only when the client's
# connection attempt fails; log_test compares nothing but the exit status.
3188 netfilter_tcp6_reset()
3192 for a in ${NSA_IP6} ${VRF_IP6}
3195 run_cmd nettest -6 -s &
3197 run_cmd_nsb nettest -6 -r ${a}
3198 log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
# Negative test for the IPv6 REJECT/icmp6-port-unreachable rules. The function
# header is not part of this listing; ${stype} is presumably the "TCP"/"UDP"
# argument passed by the caller (TODO confirm).
# Unlike the IPv4 helper, -D is appended to whatever ${arg} already holds; the
# initial value of ${arg} is not visible here.
3208 [ "${stype}" = "UDP" ] && arg="$arg -D"
3210 for a in ${NSA_IP6} ${VRF_IP6}
3213 run_cmd nettest -6 -s ${arg} &
3215 run_cmd_nsb nettest -6 ${arg} -r ${a}
# Expected exit status is 1: the case passes only when the client fails.
3216 log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
# Driver lines for the IPv6 netfilter tests. The function header and the lines
# between the numbered ones are not part of this listing.
# The whole set is skipped with an error message when nettest is not on PATH.
3222 which nettest >/dev/null
3223 if [ $? -ne 0 ]; then
3224 log_error "nettest not found; skipping tests"
3228 log_section "IPv6 Netfilter"
3229 log_subsection "TCP reset"
# NOTE(review): presumably run_cmd executes inside ns-A (see NSA_CMD); verify
# that, so that the append and the flush below never touch the host ruleset.
3232 run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset
3234 netfilter_tcp6_reset
3236 log_subsection "ICMP unreachable"
# Flush first so the tcp-reset rule cannot match ahead of the ICMP rules.
3239 run_cmd ip6tables -F
3240 run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
3241 run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
3243 netfilter_icmp6 "TCP"
3244 netfilter_icmp6 "UDP"
3250 ################################################################################
3256 usage: ${0##*/} OPTS
3260 -t <test> Test name/set to run
3262 -P Pause after each test
3267 ################################################################################
# Top-level driver: default test lists, option parsing, test selection and the
# final summary. The loop and case keywords between the numbered lines are not
# part of this listing.
#
# NOTE(review): both lists name the bind tests "ipv4_addr_bind" and
# "ipv6_addr_bind", but the dispatch arms visible below match only
# "ipv4_bind|bind" and "ipv6_bind|bind6". Unless an arm outside this listing
# matches the longer names, a default run silently skips the address-bind
# tests and still prints a clean summary. Confirm, and align the names.
3270 TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_addr_bind ipv4_runtime ipv4_netfilter"
3271 TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_addr_bind ipv6_runtime ipv6_netfilter"
# The leading ':' in the option string selects getopts' silent error reporting.
3275 while getopts :46t:pPvh o
3281 p) PAUSE_ON_FAIL=yes;;
# log_test prompts once for PAUSE_ON_FAIL and once for PAUSE, so the
# on-failure prompt is switched off when pausing after every test.
3289 # make sure we don't pause twice
3290 [ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no
3293 # show user test config
# With no -t argument every list is run; "ipv4" and "ipv6" act as shorthands.
# TESTS_OTHER is defined outside this listing.
3295 if [ -z "$TESTS" ]; then
3296 TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
3297 elif [ "$TESTS" = "ipv4" ]; then
3299 elif [ "$TESTS" = "ipv6" ]; then
3304 declare -i nsuccess=0
# Dispatch table from a test name (or its short alias) to the test function.
3309 ipv4_ping|ping) ipv4_ping;;
3310 ipv4_tcp|tcp) ipv4_tcp;;
3311 ipv4_udp|udp) ipv4_udp;;
3312 ipv4_bind|bind) ipv4_addr_bind;;
3313 ipv4_runtime) ipv4_runtime;;
3314 ipv4_netfilter) ipv4_netfilter;;
3316 ipv6_ping|ping6) ipv6_ping;;
3317 ipv6_tcp|tcp6) ipv6_tcp;;
3318 ipv6_udp|udp6) ipv6_udp;;
3319 ipv6_bind|bind6) ipv6_addr_bind;;
3320 ipv6_runtime) ipv6_runtime;;
3321 ipv6_netfilter) ipv6_netfilter;;
3323 # setup namespaces and config, but do not run any tests
3324 setup) setup; exit 0;;
3325 vrf_setup) setup "yes"; exit 0;;
3327 help) echo "Test names: $TESTS"; exit 0;;
# Summary of the counters maintained by log_test. Cases that log rc=0 against
# expected=0 always land in the "passed" count.
3333 printf "\nTests passed: %3d\n" ${nsuccess}
3334 printf "Tests failed: %3d\n" ${nfail}