2 # SPDX-License-Identifier: GPL-2.0
4 # Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
6 # IPv4 and IPv6 functional tests focusing on VRF and routing lookups
7 # for various permutations:
8 # 1. icmp, tcp, udp and netfilter
9 # 2. client, server, no-server
10 # 3. global address on interface
11 # 4. global address on 'lo'
12 # 5. remote and local traffic
13 # 6. VRF and non-VRF permutations
18 # [ lo ] [ eth1 ]---|---[ eth1 ] [ lo ]
21 # [ red ]---[ eth1 ]---|---[ eth1 ] [ lo ]
24 # eth1: 172.16.1.1/24, 2001:db8:1::1/64
25 # lo: 127.0.0.1/8, ::1/128
26 # 172.16.2.1/32, 2001:db8:2::1/128
27 # red: 127.0.0.1/8, ::1/128
28 # 172.16.3.1/32, 2001:db8:3::1/128
31 # eth1: 172.16.1.2/24, 2001:db8:1::2/64
32 # lo2: 127.0.0.1/8, ::1/128
33 # 172.16.2.2/32, 2001:db8:2::2/128
35 # ns-A to ns-C connection - only used by the VRF tests; ns-C has the same config as ns-B
38 # server / client nomenclature relative to ns-A
59 NS_NET6=2001:db8:1::/120
63 NSA_LO_IP6=2001:db8:2::1
64 NSB_LO_IP6=2001:db8:2::2
70 # set after namespace create
78 NSA_CMD="ip netns exec ${NSA}"
79 NSB_CMD="ip netns exec ${NSB}"
80 NSC_CMD="ip netns exec ${NSC}"
# Resolve ping6 to the path of a dedicated ping6 binary when one is
# installed, otherwise to the path of ping.
# NOTE(review): `which` is an external tool; `command -v` is the portable
# lookup. With the `a && b || c` form the fallback also runs if the first
# assignment fails, and ping6 ends up empty when neither binary is found.
82 which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)
84 ################################################################################
93 [ "${VERBOSE}" = "1" ] && echo
95 if [ ${rc} -eq ${expected} ]; then
96 nsuccess=$((nsuccess+1))
97 printf "TEST: %-70s [ OK ]\n" "${msg}"
100 printf "TEST: %-70s [FAIL]\n" "${msg}"
101 if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
103 echo "hit enter to continue, 'q' to quit"
105 [ "$a" = "q" ] && exit 1
109 if [ "${PAUSE}" = "yes" ]; then
111 echo "hit enter to continue, 'q' to quit"
113 [ "$a" = "q" ] && exit 1
127 astr=$(addr2str ${addr})
128 log_test $rc $expected "$msg - ${astr}"
134 echo "###########################################################################"
136 echo "###########################################################################"
143 echo "#################################################################"
150 # make sure we have no test instances running
153 if [ "${VERBOSE}" = "1" ]; then
155 echo "#######################################################"
161 if [ "${VERBOSE}" = "1" ]; then
170 if [ "${VERBOSE}" = "1" ]; then
# Stop leftover test processes; output and errors are discarded.
# NOTE(review): killall selects by process name and is not limited to the
# test namespaces, so other nettest/ping/ping6 processes on the host that the
# caller may signal are presumably terminated too. Run the suite on a
# dedicated machine or VM.
178 killall nettest ping ping6 >/dev/null 2>&1
187 if [ "$VERBOSE" = "1" ]; then
188 echo "COMMAND: ${cmd}"
193 if [ "$VERBOSE" = "1" -a -n "$out" ]; then
202 do_run_cmd ${NSA_CMD} $*
207 do_run_cmd ${NSB_CMD} $*
212 do_run_cmd ${NSC_CMD} $*
222 if [ $rc -ne 0 ]; then
223 # show user the command if not done so already
224 if [ "$VERBOSE" = "0" ]; then
225 echo "setup command: $cmd"
227 echo "failed. stopping tests"
228 if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
230 echo "hit enter to continue"
244 if [ $rc -ne 0 ]; then
245 # show user the command if not done so already
246 if [ "$VERBOSE" = "0" ]; then
247 echo "setup command: $cmd"
249 echo "failed. stopping tests"
250 if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
252 echo "hit enter to continue"
259 # set sysctl values in NS-A
264 run_cmd sysctl -q -w $*
267 ################################################################################
273 127.0.0.1) echo "loopback";;
274 ::1) echo "IPv6 loopback";;
276 ${NSA_IP}) echo "ns-A IP";;
277 ${NSA_IP6}) echo "ns-A IPv6";;
278 ${NSA_LO_IP}) echo "ns-A loopback IP";;
279 ${NSA_LO_IP6}) echo "ns-A loopback IPv6";;
280 ${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;
282 ${NSB_IP}) echo "ns-B IP";;
283 ${NSB_IP6}) echo "ns-B IPv6";;
284 ${NSB_LO_IP}) echo "ns-B loopback IP";;
285 ${NSB_LO_IP6}) echo "ns-B loopback IPv6";;
286 ${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;
288 ${VRF_IP}) echo "VRF IP";;
289 ${VRF_IP6}) echo "VRF IPv6";;
291 ${MCAST}%*) echo "multicast IP";;
303 addr=$(ip -netns ${ns} -6 -br addr show dev ${dev} | \
305 for (i = 3; i <= NF; ++i) {
313 [ -z "$addr" ] && return 1
320 ################################################################################
321 # create namespaces and vrf
331 ip -netns ${ns} link add ${vrf} type vrf table ${table}
332 ip -netns ${ns} link set ${vrf} up
333 ip -netns ${ns} route add vrf ${vrf} unreachable default metric 8192
334 ip -netns ${ns} -6 route add vrf ${vrf} unreachable default metric 8192
336 ip -netns ${ns} addr add 127.0.0.1/8 dev ${vrf}
337 ip -netns ${ns} -6 addr add ::1 dev ${vrf} nodad
338 if [ "${addr}" != "-" ]; then
339 ip -netns ${ns} addr add dev ${vrf} ${addr}
341 if [ "${addr6}" != "-" ]; then
342 ip -netns ${ns} -6 addr add dev ${vrf} ${addr6}
345 ip -netns ${ns} ru del pref 0
346 ip -netns ${ns} ru add pref 32765 from all lookup local
347 ip -netns ${ns} -6 ru del pref 0
348 ip -netns ${ns} -6 ru add pref 32765 from all lookup local
359 ip -netns ${ns} link set lo up
360 if [ "${addr}" != "-" ]; then
361 ip -netns ${ns} addr add dev lo ${addr}
363 if [ "${addr6}" != "-" ]; then
364 ip -netns ${ns} -6 addr add dev lo ${addr6}
367 ip -netns ${ns} ro add unreachable default metric 8192
368 ip -netns ${ns} -6 ro add unreachable default metric 8192
370 ip netns exec ${ns} sysctl -qw net.ipv4.ip_forward=1
371 ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
372 ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.forwarding=1
373 ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.forwarding=1
376 # create veth pair to connect namespaces and apply addresses.
388 ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp
389 ip -netns ${ns1} li set ${ns1_dev} up
390 ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev}
391 ip -netns ${ns2} li set ${ns2_dev} up
393 if [ "${ns1_addr}" != "-" ]; then
394 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr}
395 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr}
398 if [ "${ns1_addr6}" != "-" ]; then
399 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6}
400 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6}
406 # explicit cleanups to check those code paths
# Only run the explicit teardown when `ip netns` lists ${NSA}.
# NOTE(review): grep takes ${NSA} as an unanchored, unquoted pattern, so a
# namespace whose name merely contains it also passes this check; the cleanup
# commands that follow still address ${NSA} explicitly.
407 ip netns | grep -q ${NSA}
408 if [ $? -eq 0 ]; then
409 ip -netns ${NSA} link delete ${VRF}
410 ip -netns ${NSA} ro flush table ${VRF_TABLE}
412 ip -netns ${NSA} addr flush dev ${NSA_DEV}
413 ip -netns ${NSA} -6 addr flush dev ${NSA_DEV}
414 ip -netns ${NSA} link set dev ${NSA_DEV} down
415 ip -netns ${NSA} link del dev ${NSA_DEV}
421 ip netns del ${NSC} >/dev/null 2>&1
428 # make sure we are starting with a clean slate
432 log_debug "Configuring network namespaces"
435 create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128
436 create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128
437 connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \
438 ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
440 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
441 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
443 # tell ns-A how to get to remote addresses of ns-B
444 if [ "${with_vrf}" = "yes" ]; then
445 create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6}
447 ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
448 ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
449 ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
451 ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
452 ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
454 # some VRF tests use ns-C which has the same config as
455 # ns-B but for a device NOT in the VRF
456 create_ns ${NSC} "-" "-"
457 connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \
458 ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
460 ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
461 ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
465 # tell ns-B how to get to remote addresses of ns-A
466 ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
467 ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
474 ################################################################################
484 for a in ${NSB_IP} ${NSB_LO_IP}
487 run_cmd ping -c1 -w1 ${a}
488 log_test_addr ${a} $? 0 "ping out"
491 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
492 log_test_addr ${a} $? 0 "ping out, device bind"
495 run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a}
496 log_test_addr ${a} $? 0 "ping out, address bind"
502 for a in ${NSA_IP} ${NSA_LO_IP}
505 run_cmd_nsb ping -c1 -w1 ${a}
506 log_test_addr ${a} $? 0 "ping in"
512 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
515 run_cmd ping -c1 -w1 ${a}
516 log_test_addr ${a} $? 0 "ping local"
520 # local traffic, socket bound to device
525 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
526 log_test_addr ${a} $? 0 "ping local, device bind"
528 # loopback addresses are not reachable from a device-bound socket;
529 # the failure mode is odd, though, because ipv4 special-cases
530 # route lookups with oif set.
531 for a in ${NSA_LO_IP} 127.0.0.1
534 show_hint "Fails since address on loopback device is out of device scope"
535 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
536 log_test_addr ${a} $? 1 "ping local, device bind"
540 # ip rule blocks reachability to remote address
543 setup_cmd ip rule add pref 32765 from all lookup local
544 setup_cmd ip rule del pref 0 from all lookup local
545 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
546 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit
549 run_cmd ping -c1 -w1 ${a}
550 log_test_addr ${a} $? 2 "ping out, blocked by rule"
552 # NOTE: ipv4 actually allows the lookup to fail and yet still create
553 # a viable rtable if the oif (e.g., bind to device) is set, so this
554 # case succeeds despite the rule
555 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
559 show_hint "Response generates ICMP (or arp request is ignored) due to ip rule"
560 run_cmd_nsb ping -c1 -w1 ${a}
561 log_test_addr ${a} $? 1 "ping in, blocked by rule"
563 [ "$VERBOSE" = "1" ] && echo
564 setup_cmd ip rule del pref 32765 from all lookup local
565 setup_cmd ip rule add pref 0 from all lookup local
566 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
567 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit
570 # route blocks reachability to remote address
573 setup_cmd ip route replace unreachable ${NSB_LO_IP}
574 setup_cmd ip route replace unreachable ${NSB_IP}
577 run_cmd ping -c1 -w1 ${a}
578 log_test_addr ${a} $? 2 "ping out, blocked by route"
580 # NOTE: ipv4 actually allows the lookup to fail and yet still create
581 # a viable rtable if the oif (e.g., bind to device) is set, so this
582 # case succeeds despite not having a route for the address
583 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
587 show_hint "Response is dropped (or arp request is ignored) due to ip route"
588 run_cmd_nsb ping -c1 -w1 ${a}
589 log_test_addr ${a} $? 1 "ping in, blocked by route"
592 # remove 'remote' routes; fallback to default
595 setup_cmd ip ro del ${NSB_LO_IP}
598 run_cmd ping -c1 -w1 ${a}
599 log_test_addr ${a} $? 2 "ping out, unreachable default route"
601 # NOTE: ipv4 actually allows the lookup to fail and yet still create
602 # a viable rtable if the oif (e.g., bind to device) is set, so this
603 # case succeeds despite not having a route for the address
604 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
611 # should default to on; the sysctl does not exist on older kernels, so errors are discarded
612 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
617 for a in ${NSB_IP} ${NSB_LO_IP}
620 run_cmd ping -c1 -w1 -I ${VRF} ${a}
621 log_test_addr ${a} $? 0 "ping out, VRF bind"
624 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
625 log_test_addr ${a} $? 0 "ping out, device bind"
628 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a}
629 log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind"
632 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a}
633 log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind"
639 for a in ${NSA_IP} ${VRF_IP}
642 run_cmd_nsb ping -c1 -w1 ${a}
643 log_test_addr ${a} $? 0 "ping in"
647 # local traffic, local address
649 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
652 show_hint "Source address should be ${a}"
653 run_cmd ping -c1 -w1 -I ${VRF} ${a}
654 log_test_addr ${a} $? 0 "ping local, VRF bind"
658 # local traffic, socket bound to device
663 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
664 log_test_addr ${a} $? 0 "ping local, device bind"
666 # vrf device is out of scope
667 for a in ${VRF_IP} 127.0.0.1
670 show_hint "Fails since address on vrf device is out of device scope"
671 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
672 log_test_addr ${a} $? 1 "ping local, device bind"
676 # ip rule blocks address
679 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
680 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit
683 run_cmd ping -c1 -w1 -I ${VRF} ${a}
684 log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule"
687 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
688 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
692 show_hint "Response lost due to ip rule"
693 run_cmd_nsb ping -c1 -w1 ${a}
694 log_test_addr ${a} $? 1 "ping in, blocked by rule"
696 [ "$VERBOSE" = "1" ] && echo
697 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
698 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit
701 # remove 'remote' routes; fallback to default
704 setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP}
707 run_cmd ping -c1 -w1 -I ${VRF} ${a}
708 log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route"
711 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
712 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
716 show_hint "Response lost by unreachable route"
717 run_cmd_nsb ping -c1 -w1 ${a}
718 log_test_addr ${a} $? 1 "ping in, unreachable route"
723 log_section "IPv4 ping"
725 log_subsection "No VRF"
727 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null
730 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
733 log_subsection "With VRF"
738 ################################################################################
742 # MD5 tests without VRF
752 run_cmd nettest -s -M ${MD5_PW} -r ${NSB_IP} &
754 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW}
755 log_test $? 0 "MD5: Single address config"
757 # client sends MD5, server not configured
759 show_hint "Should timeout due to MD5 mismatch"
762 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW}
763 log_test $? 2 "MD5: Server no config, client uses password"
767 show_hint "Should timeout since client uses wrong password"
768 run_cmd nettest -s -M ${MD5_PW} -r ${NSB_IP} &
770 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW}
771 log_test $? 2 "MD5: Client uses wrong password"
773 # client from different address
775 show_hint "Should timeout due to MD5 mismatch"
776 run_cmd nettest -s -M ${MD5_PW} -r ${NSB_LO_IP} &
778 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW}
779 log_test $? 2 "MD5: Client address does not match address configured with password"
782 # MD5 extension - key configured for a prefix (-m) rather than a single peer address (-r)
787 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
789 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW}
790 log_test $? 0 "MD5: Prefix config"
792 # client in prefix, wrong password
794 show_hint "Should timeout since client uses wrong password"
795 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
797 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW}
798 log_test $? 2 "MD5: Prefix config, client uses wrong password"
800 # client outside of prefix
802 show_hint "Should timeout due to MD5 mismatch"
803 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
805 run_cmd_nsb nettest -l ${NSB_LO_IP} -r ${NSA_IP} -M ${MD5_PW}
806 log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
820 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} &
822 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW}
823 log_test $? 0 "MD5: VRF: Single address config"
825 # client sends MD5, server not configured
827 show_hint "Should timeout since server does not have MD5 auth"
828 run_cmd nettest -s -d ${VRF} &
830 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW}
831 log_test $? 2 "MD5: VRF: Server no config, client uses password"
835 show_hint "Should timeout since client uses wrong password"
836 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} &
838 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW}
839 log_test $? 2 "MD5: VRF: Client uses wrong password"
841 # client from different address
843 show_hint "Should timeout since server config differs from client"
844 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_LO_IP} &
846 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW}
847 log_test $? 2 "MD5: VRF: Client address does not match address configured with password"
850 # MD5 extension - key configured for a prefix (-m) rather than a single peer address (-r)
855 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} &
857 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW}
858 log_test $? 0 "MD5: VRF: Prefix config"
860 # client in prefix, wrong password
862 show_hint "Should timeout since client uses wrong password"
863 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} &
865 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW}
866 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"
868 # client outside of prefix
870 show_hint "Should timeout since client address is outside of prefix"
871 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} &
873 run_cmd_nsb nettest -l ${NSB_LO_IP} -r ${NSA_IP} -M ${MD5_PW}
874 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"
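877 # duplicate config between default VRF and a VRF: the same peer address (or prefix) is given a different password in each, and a connection is expected to succeed only with the password of the domain it arrives in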
881 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} &
882 run_cmd nettest -s -M ${MD5_WRONG_PW} -r ${NSB_IP} &
884 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW}
885 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"
888 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} &
889 run_cmd nettest -s -M ${MD5_WRONG_PW} -r ${NSB_IP} &
891 run_cmd_nsc nettest -r ${NSA_IP} -M ${MD5_WRONG_PW}
892 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"
895 show_hint "Should timeout since client in default VRF uses VRF password"
896 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} &
897 run_cmd nettest -s -M ${MD5_WRONG_PW} -r ${NSB_IP} &
899 run_cmd_nsc nettest -r ${NSA_IP} -M ${MD5_PW}
900 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"
903 show_hint "Should timeout since client in VRF uses default VRF password"
904 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP} &
905 run_cmd nettest -s -M ${MD5_WRONG_PW} -r ${NSB_IP} &
907 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW}
908 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"
911 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} &
912 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
914 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_PW}
915 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"
918 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} &
919 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
921 run_cmd_nsc nettest -r ${NSA_IP} -M ${MD5_WRONG_PW}
922 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"
925 show_hint "Should timeout since client in default VRF uses VRF password"
926 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} &
927 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
929 run_cmd_nsc nettest -r ${NSA_IP} -M ${MD5_PW}
930 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"
933 show_hint "Should timeout since client in VRF uses default VRF password"
934 run_cmd nettest -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET} &
935 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
937 run_cmd_nsb nettest -r ${NSA_IP} -M ${MD5_WRONG_PW}
938 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"
944 run_cmd nettest -s -d ${NSA_DEV} -M ${MD5_PW} -r ${NSB_IP}
945 log_test $? 1 "MD5: VRF: Device must be a VRF - single address"
948 run_cmd nettest -s -d ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET}
949 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"
960 for a in ${NSA_IP} ${NSA_LO_IP}
965 run_cmd_nsb nettest -r ${a}
966 log_test_addr ${a} $? 0 "Global server"
971 run_cmd nettest -s -d ${NSA_DEV} &
973 run_cmd_nsb nettest -r ${a}
974 log_test_addr ${a} $? 0 "Device server"
976 # verify TCP reset sent and received
977 for a in ${NSA_IP} ${NSA_LO_IP}
980 show_hint "Should fail 'Connection refused' since there is no server"
981 run_cmd_nsb nettest -r ${a}
982 log_test_addr ${a} $? 1 "No server"
988 for a in ${NSB_IP} ${NSB_LO_IP}
991 run_cmd_nsb nettest -s &
993 run_cmd nettest -r ${a} -0 ${NSA_IP}
994 log_test_addr ${a} $? 0 "Client"
997 run_cmd_nsb nettest -s &
999 run_cmd nettest -r ${a} -d ${NSA_DEV}
1000 log_test_addr ${a} $? 0 "Client, device bind"
1003 show_hint "Should fail 'Connection refused'"
1004 run_cmd nettest -r ${a}
1005 log_test_addr ${a} $? 1 "No server, unbound client"
1008 show_hint "Should fail 'Connection refused'"
1009 run_cmd nettest -r ${a} -d ${NSA_DEV}
1010 log_test_addr ${a} $? 1 "No server, device client"
1014 # local address tests
1016 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
1019 run_cmd nettest -s &
1021 run_cmd nettest -r ${a} -0 ${a} -1 ${a}
1022 log_test_addr ${a} $? 0 "Global server, local connection"
1027 run_cmd nettest -s -d ${NSA_DEV} &
1029 run_cmd nettest -r ${a} -0 ${a}
1030 log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
1032 for a in ${NSA_LO_IP} 127.0.0.1
1035 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
1036 run_cmd nettest -s -d ${NSA_DEV} &
1038 run_cmd nettest -r ${a}
1039 log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
1044 run_cmd nettest -s &
1046 run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV}
1047 log_test_addr ${a} $? 0 "Global server, device client, local connection"
1049 for a in ${NSA_LO_IP} 127.0.0.1
1052 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
1053 run_cmd nettest -s &
1055 run_cmd nettest -r ${a} -d ${NSA_DEV}
1056 log_test_addr ${a} $? 1 "Global server, device client, local connection"
1061 run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} &
1063 run_cmd nettest -d ${NSA_DEV} -r ${a} -0 ${a}
1064 log_test_addr ${a} $? 0 "Device server, device client, local connection"
1067 show_hint "Should fail 'Connection refused'"
1068 run_cmd nettest -d ${NSA_DEV} -r ${a}
1069 log_test_addr ${a} $? 1 "No server, device client, local conn"
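1078 # disable global server: with tcp_l3mdev_accept=0 a server socket not bound to the VRF must not accept connections that arrive in the VRF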
1079 log_subsection "Global server disabled"
1081 set_sysctl net.ipv4.tcp_l3mdev_accept=0
1086 for a in ${NSA_IP} ${VRF_IP}
1089 show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
1090 run_cmd nettest -s &
1092 run_cmd_nsb nettest -r ${a}
1093 log_test_addr ${a} $? 1 "Global server"
1096 run_cmd nettest -s -d ${VRF} -2 ${VRF} &
1098 run_cmd_nsb nettest -r ${a}
1099 log_test_addr ${a} $? 0 "VRF server"
1102 run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} &
1104 run_cmd_nsb nettest -r ${a}
1105 log_test_addr ${a} $? 0 "Device server"
1107 # verify TCP reset received
1109 show_hint "Should fail 'Connection refused' since there is no server"
1110 run_cmd_nsb nettest -r ${a}
1111 log_test_addr ${a} $? 1 "No server"
1114 # local address tests
1115 # (${VRF_IP} and 127.0.0.1 both time out)
1118 show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
1119 run_cmd nettest -s &
1121 run_cmd nettest -r ${a} -d ${NSA_DEV}
1122 log_test_addr ${a} $? 1 "Global server, local connection"
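1128 # enable VRF global server: with tcp_l3mdev_accept=1 a server socket not bound to a device also accepts connections that arrive in the VRF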
1130 log_subsection "VRF Global server enabled"
1131 set_sysctl net.ipv4.tcp_l3mdev_accept=1
1133 for a in ${NSA_IP} ${VRF_IP}
1136 show_hint "client socket should be bound to VRF"
1137 run_cmd nettest -s -2 ${VRF} &
1139 run_cmd_nsb nettest -r ${a}
1140 log_test_addr ${a} $? 0 "Global server"
1143 show_hint "client socket should be bound to VRF"
1144 run_cmd nettest -s -d ${VRF} -2 ${VRF} &
1146 run_cmd_nsb nettest -r ${a}
1147 log_test_addr ${a} $? 0 "VRF server"
1149 # verify TCP reset received
1151 show_hint "Should fail 'Connection refused'"
1152 run_cmd_nsb nettest -r ${a}
1153 log_test_addr ${a} $? 1 "No server"
1158 show_hint "client socket should be bound to device"
1159 run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} &
1161 run_cmd_nsb nettest -r ${a}
1162 log_test_addr ${a} $? 0 "Device server"
1164 # local address tests
1165 for a in ${NSA_IP} ${VRF_IP}
1168 show_hint "Should fail 'Connection refused' since client is not bound to VRF"
1169 run_cmd nettest -s -d ${VRF} &
1171 run_cmd nettest -r ${a}
1172 log_test_addr ${a} $? 1 "Global server, local connection"
1178 for a in ${NSB_IP} ${NSB_LO_IP}
1181 run_cmd_nsb nettest -s &
1183 run_cmd nettest -r ${a} -d ${VRF}
1184 log_test_addr ${a} $? 0 "Client, VRF bind"
1187 run_cmd_nsb nettest -s &
1189 run_cmd nettest -r ${a} -d ${NSA_DEV}
1190 log_test_addr ${a} $? 0 "Client, device bind"
1193 show_hint "Should fail 'Connection refused'"
1194 run_cmd nettest -r ${a} -d ${VRF}
1195 log_test_addr ${a} $? 1 "No server, VRF client"
1198 show_hint "Should fail 'Connection refused'"
1199 run_cmd nettest -r ${a} -d ${NSA_DEV}
1200 log_test_addr ${a} $? 1 "No server, device client"
1203 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
1206 run_cmd nettest -s -d ${VRF} -2 ${VRF} &
1208 run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
1209 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
1214 run_cmd nettest -s -d ${VRF} -2 ${VRF} &
1216 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
1217 log_test_addr ${a} $? 0 "VRF server, device client, local connection"
1220 show_hint "Should fail 'No route to host' since client is out of VRF scope"
1221 run_cmd nettest -s -d ${VRF} &
1223 run_cmd nettest -r ${a}
1224 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"
1227 run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} &
1229 run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
1230 log_test_addr ${a} $? 0 "Device server, VRF client, local connection"
1233 run_cmd nettest -s -d ${NSA_DEV} -2 ${NSA_DEV} &
1235 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
1236 log_test_addr ${a} $? 0 "Device server, device client, local connection"
1241 log_section "IPv4/TCP"
1242 log_subsection "No VRF"
1245 # tcp_l3mdev_accept should have no effect without VRF;
1246 # run tests with it enabled and disabled to verify
1247 log_subsection "tcp_l3mdev_accept disabled"
1248 set_sysctl net.ipv4.tcp_l3mdev_accept=0
1250 log_subsection "tcp_l3mdev_accept enabled"
1251 set_sysctl net.ipv4.tcp_l3mdev_accept=1
1254 log_subsection "With VRF"
1259 ################################################################################
1269 for a in ${NSA_IP} ${NSA_LO_IP}
1272 run_cmd nettest -D -s -2 ${NSA_DEV} &
1274 run_cmd_nsb nettest -D -r ${a}
1275 log_test_addr ${a} $? 0 "Global server"
1278 show_hint "Should fail 'Connection refused' since there is no server"
1279 run_cmd_nsb nettest -D -r ${a}
1280 log_test_addr ${a} $? 1 "No server"
1285 run_cmd nettest -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
1287 run_cmd_nsb nettest -D -r ${a}
1288 log_test_addr ${a} $? 0 "Device server"
1293 for a in ${NSB_IP} ${NSB_LO_IP}
1296 run_cmd_nsb nettest -D -s &
1298 run_cmd nettest -D -r ${a} -0 ${NSA_IP}
1299 log_test_addr ${a} $? 0 "Client"
1302 run_cmd_nsb nettest -D -s &
1304 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP}
1305 log_test_addr ${a} $? 0 "Client, device bind"
1308 run_cmd_nsb nettest -D -s &
1310 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP}
1311 log_test_addr ${a} $? 0 "Client, device send via cmsg"
1314 run_cmd_nsb nettest -D -s &
1316 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP}
1317 log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF"
1320 show_hint "Should fail 'Connection refused'"
1321 run_cmd nettest -D -r ${a}
1322 log_test_addr ${a} $? 1 "No server, unbound client"
1325 show_hint "Should fail 'Connection refused'"
1326 run_cmd nettest -D -r ${a} -d ${NSA_DEV}
1327 log_test_addr ${a} $? 1 "No server, device client"
1331 # local address tests
1333 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
1336 run_cmd nettest -D -s &
1338 run_cmd nettest -D -r ${a} -0 ${a} -1 ${a}
1339 log_test_addr ${a} $? 0 "Global server, local connection"
1344 run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} &
1346 run_cmd nettest -D -r ${a}
1347 log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
1349 for a in ${NSA_LO_IP} 127.0.0.1
1352 show_hint "Should fail 'Connection refused' since address is out of device scope"
1353 run_cmd nettest -s -D -d ${NSA_DEV} &
1355 run_cmd nettest -D -r ${a}
1356 log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
1361 run_cmd nettest -s -D &
1363 run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1364 log_test_addr ${a} $? 0 "Global server, device client, local connection"
1367 run_cmd nettest -s -D &
1369 run_cmd nettest -D -d ${NSA_DEV} -C -r ${a}
1370 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"
1373 run_cmd nettest -s -D &
1375 run_cmd nettest -D -d ${NSA_DEV} -S -r ${a}
1376 log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection"
1378 # IPv4 with device bind has really weird behavior - it overrides the
1379 # fib lookup, generates an rtable and tries to send the packet. This
1380 # causes failures for local traffic at different places
1381 for a in ${NSA_LO_IP} 127.0.0.1
1384 show_hint "Should fail since addresses on loopback are out of device scope"
1385 run_cmd nettest -D -s &
1387 run_cmd nettest -D -r ${a} -d ${NSA_DEV}
1388 log_test_addr ${a} $? 2 "Global server, device client, local connection"
1391 show_hint "Should fail since addresses on loopback are out of device scope"
1392 run_cmd nettest -D -s &
1394 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C
1395 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"
1398 show_hint "Should fail since addresses on loopback are out of device scope"
1399 run_cmd nettest -D -s &
1401 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S
1402 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
1407 run_cmd nettest -D -s -d ${NSA_DEV} -2 ${NSA_DEV} &
1409 run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a}
1410 log_test_addr ${a} $? 0 "Device server, device client, local conn"
1413 run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1414 log_test_addr ${a} $? 2 "No server, device client, local conn"
1421 # disable global server: with udp_l3mdev_accept=0 an unbound server does not receive packets whose ingress is in the VRF
1422 log_subsection "Global server disabled"
1423 set_sysctl net.ipv4.udp_l3mdev_accept=0
1428 for a in ${NSA_IP} ${VRF_IP}
1431 show_hint "Fails because ingress is in a VRF and global server is disabled"
1432 run_cmd nettest -D -s &
1434 run_cmd_nsb nettest -D -r ${a}
1435 log_test_addr ${a} $? 1 "Global server"
1438 run_cmd nettest -D -d ${VRF} -s -2 ${NSA_DEV} &
1440 run_cmd_nsb nettest -D -r ${a}
1441 log_test_addr ${a} $? 0 "VRF server"
1444 run_cmd nettest -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
1446 run_cmd_nsb nettest -D -r ${a}
1447 log_test_addr ${a} $? 0 "Enslaved device server"
1450 show_hint "Should fail 'Connection refused' since there is no server"
1451 run_cmd_nsb nettest -D -r ${a}
1452 log_test_addr ${a} $? 1 "No server"
1455 show_hint "Should fail 'Connection refused' since global server is out of scope"
1456 run_cmd nettest -D -s &
1458 run_cmd nettest -D -d ${VRF} -r ${a}
1459 log_test_addr ${a} $? 1 "Global server, VRF client, local connection"
1464 run_cmd nettest -s -D -d ${VRF} -2 ${NSA_DEV} &
1466 run_cmd nettest -D -d ${VRF} -r ${a}
1467 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1470 run_cmd nettest -s -D -d ${VRF} -2 ${NSA_DEV} &
1472 run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1473 log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection"
1477 run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} &
1479 run_cmd nettest -D -d ${VRF} -r ${a}
1480 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
1483 run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} &
1485 run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1486 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
1488 # enable global server
1489 log_subsection "Global server enabled"
1490 set_sysctl net.ipv4.udp_l3mdev_accept=1
1495 for a in ${NSA_IP} ${VRF_IP}
1498 run_cmd nettest -D -s -2 ${NSA_DEV} &
1500 run_cmd_nsb nettest -D -r ${a}
1501 log_test_addr ${a} $? 0 "Global server"
1504 run_cmd nettest -D -d ${VRF} -s -2 ${NSA_DEV} &
1506 run_cmd_nsb nettest -D -r ${a}
1507 log_test_addr ${a} $? 0 "VRF server"
1510 run_cmd nettest -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
1512 run_cmd_nsb nettest -D -r ${a}
1513 log_test_addr ${a} $? 0 "Enslaved device server"
1516 show_hint "Should fail 'Connection refused'"
1517 run_cmd_nsb nettest -D -r ${a}
1518 log_test_addr ${a} $? 1 "No server"
1525 run_cmd_nsb nettest -D -s &
1527 run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP}
1528 log_test $? 0 "VRF client"
1531 run_cmd_nsb nettest -D -s &
1533 run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP}
1534 log_test $? 0 "Enslaved device client"
1536 # negative test - should fail
1538 show_hint "Should fail 'Connection refused'"
1539 run_cmd nettest -D -d ${VRF} -r ${NSB_IP}
1540 log_test $? 1 "No server, VRF client"
1543 show_hint "Should fail 'Connection refused'"
1544 run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP}
1545 log_test $? 1 "No server, enslaved device client"
1548 # local address tests
1552 run_cmd nettest -D -s -2 ${NSA_DEV} &
1554 run_cmd nettest -D -d ${VRF} -r ${a}
1555 log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
1558 run_cmd nettest -s -D -d ${VRF} -2 ${NSA_DEV} &
1560 run_cmd nettest -D -d ${VRF} -r ${a}
1561 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1564 run_cmd nettest -s -D -d ${VRF} -2 ${NSA_DEV} &
1566 run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1567 log_test_addr ${a} $? 0 "VRF server, device client, local conn"
1570 run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} &
1572 run_cmd nettest -D -d ${VRF} -r ${a}
1573 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
1576 run_cmd nettest -s -D -d ${NSA_DEV} -2 ${NSA_DEV} &
1578 run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1579 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
1581 for a in ${VRF_IP} 127.0.0.1
1584 run_cmd nettest -D -s -2 ${VRF} &
1586 run_cmd nettest -D -d ${VRF} -r ${a}
1587 log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
1590 for a in ${VRF_IP} 127.0.0.1
1593 run_cmd nettest -s -D -d ${VRF} -2 ${VRF} &
1595 run_cmd nettest -D -d ${VRF} -r ${a}
1596 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1599 # negative test - should fail
1600 # verifies ECONNREFUSED
1601 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
1604 show_hint "Should fail 'Connection refused'"
1605 run_cmd nettest -D -d ${VRF} -r ${a}
1606 log_test_addr ${a} $? 1 "No server, VRF client, local conn"
1612 log_section "IPv4/UDP"
1613 log_subsection "No VRF"
1617 # udp_l3mdev_accept should have no effect without VRF;
1618 # run tests with it enabled and disabled to verify
1619 log_subsection "udp_l3mdev_accept disabled"
1620 set_sysctl net.ipv4.udp_l3mdev_accept=0
1622 log_subsection "udp_l3mdev_accept enabled"
1623 set_sysctl net.ipv4.udp_l3mdev_accept=1
1626 log_subsection "With VRF"
1631 ################################################################################
1634 # verifies ability or inability to bind to an address / device
1636 ipv4_addr_bind_novrf()
1641 for a in ${NSA_IP} ${NSA_LO_IP}
1644 run_cmd nettest -s -R -P icmp -l ${a} -b
1645 log_test_addr ${a} $? 0 "Raw socket bind to local address"
1648 run_cmd nettest -s -R -P icmp -l ${a} -d ${NSA_DEV} -b
1649 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
1657 run_cmd nettest -l ${a} -r ${NSB_IP} -t1 -b
1658 log_test_addr ${a} $? 0 "TCP socket bind to local address"
1661 run_cmd nettest -l ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b
1662 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
1664 # Sadly, the kernel allows binding a socket to a device and then
1665 # binding to an address not on the device. The only restriction
1666 # is that the address is valid in the L3 domain. So the bind below
1667 # succeeds when it really should not, and the expected-failure check is left disabled
1670 #show_hint "Should fail with 'Cannot assign requested address'"
1671 #run_cmd nettest -s -l ${a} -d ${NSA_DEV} -t1 -b
1672 #log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
1675 ipv4_addr_bind_vrf()
1680 for a in ${NSA_IP} ${VRF_IP}
1683 run_cmd nettest -s -R -P icmp -l ${a} -b
1684 log_test_addr ${a} $? 0 "Raw socket bind to local address"
1687 run_cmd nettest -s -R -P icmp -l ${a} -d ${NSA_DEV} -b
1688 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
1690 run_cmd nettest -s -R -P icmp -l ${a} -d ${VRF} -b
1691 log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind"
1696 show_hint "Address on loopback is out of VRF scope"
1697 run_cmd nettest -s -R -P icmp -l ${a} -d ${VRF} -b
1698 log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind"
1703 for a in ${NSA_IP} ${VRF_IP}
1706 run_cmd nettest -s -l ${a} -d ${VRF} -t1 -b
1707 log_test_addr ${a} $? 0 "TCP socket bind to local address"
1710 run_cmd nettest -s -l ${a} -d ${NSA_DEV} -t1 -b
1711 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
1716 show_hint "Address on loopback out of scope for VRF"
1717 run_cmd nettest -s -l ${a} -d ${VRF} -t1 -b
1718 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"
1721 show_hint "Address on loopback out of scope for device in VRF"
1722 run_cmd nettest -s -l ${a} -d ${NSA_DEV} -t1 -b
1723 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
1728 log_section "IPv4 address binds"
1730 log_subsection "No VRF"
1732 ipv4_addr_bind_novrf
1734 log_subsection "With VRF"
1739 ################################################################################
1740 # IPv4 runtime tests
1746 local with_vrf="yes"
1752 for a in ${NSA_IP} ${VRF_IP}
1755 run_cmd nettest ${varg} -s &
1757 run_cmd_nsb nettest ${varg} -r ${a} &
1759 run_cmd ip link del ${VRF}
1761 log_test_addr ${a} 0 0 "${desc}, global server"
1766 for a in ${NSA_IP} ${VRF_IP}
1769 run_cmd nettest ${varg} -s -d ${VRF} &
1771 run_cmd_nsb nettest ${varg} -r ${a} &
1773 run_cmd ip link del ${VRF}
1775 log_test_addr ${a} 0 0 "${desc}, VRF server"
1782 run_cmd nettest ${varg} -s -d ${NSA_DEV} &
1784 run_cmd_nsb nettest ${varg} -r ${a} &
1786 run_cmd ip link del ${VRF}
1788 log_test_addr ${a} 0 0 "${desc}, enslaved device server"
1796 run_cmd_nsb nettest ${varg} -s &
1798 run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} &
1800 run_cmd ip link del ${VRF}
1802 log_test_addr ${a} 0 0 "${desc}, VRF client"
1807 run_cmd_nsb nettest ${varg} -s &
1809 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} &
1811 run_cmd ip link del ${VRF}
1813 log_test_addr ${a} 0 0 "${desc}, enslaved device client"
1818 # local address tests
1820 for a in ${NSA_IP} ${VRF_IP}
1823 run_cmd nettest ${varg} -s &
1825 run_cmd nettest ${varg} -d ${VRF} -r ${a} &
1827 run_cmd ip link del ${VRF}
1829 log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local"
1834 for a in ${NSA_IP} ${VRF_IP}
1837 run_cmd nettest ${varg} -d ${VRF} -s &
1839 run_cmd nettest ${varg} -d ${VRF} -r ${a} &
1841 run_cmd ip link del ${VRF}
1843 log_test_addr ${a} 0 0 "${desc}, VRF server and client, local"
1850 run_cmd nettest ${varg} -s &
1852 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
1854 run_cmd ip link del ${VRF}
1856 log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local"
1861 run_cmd nettest ${varg} -d ${VRF} -s &
1863 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
1865 run_cmd ip link del ${VRF}
1867 log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local"
1872 run_cmd nettest ${varg} -d ${NSA_DEV} -s &
1874 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
1876 run_cmd ip link del ${VRF}
1878 log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local"
1883 local with_vrf="yes"
1886 for a in ${NSA_IP} ${VRF_IP}
1889 run_cmd_nsb ping -f ${a} &
1891 run_cmd ip link del ${VRF}
1893 log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"
1900 run_cmd ping -f -I ${VRF} ${a} &
1902 run_cmd ip link del ${VRF}
1904 log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
1909 log_section "Run time tests - ipv4"
1915 ipv4_rt "TCP active socket" "-n -1"
1918 ipv4_rt "TCP passive socket" "-i"
1921 ################################################################################
1928 # raw_l3mdev_accept should not have an impact here, but set it to a known state
1929 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null
1934 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
1937 run_cmd ${ping6} -c1 -w1 ${a}
1938 log_test_addr ${a} $? 0 "ping out"
1941 for a in ${NSB_IP6} ${NSB_LO_IP6}
1944 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
1945 log_test_addr ${a} $? 0 "ping out, device bind"
1948 run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a}
1949 log_test_addr ${a} $? 0 "ping out, loopback address bind"
1955 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
1958 run_cmd_nsb ${ping6} -c1 -w1 ${a}
1959 log_test_addr ${a} $? 0 "ping in"
1963 # local traffic, local address
1965 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
1968 run_cmd ${ping6} -c1 -w1 ${a}
1969 log_test_addr ${a} $? 0 "ping local, no bind"
1972 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
1975 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
1976 log_test_addr ${a} $? 0 "ping local, device bind"
1979 for a in ${NSA_LO_IP6} ::1
1982 show_hint "Fails since address on loopback is out of device scope"
1983 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
1984 log_test_addr ${a} $? 2 "ping local, device bind"
1988 # ip rule blocks address
1991 setup_cmd ip -6 rule add pref 32765 from all lookup local
1992 setup_cmd ip -6 rule del pref 0 from all lookup local
1993 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
1994 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit
1997 run_cmd ${ping6} -c1 -w1 ${a}
1998 log_test_addr ${a} $? 2 "ping out, blocked by rule"
2001 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2002 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
2006 show_hint "Response lost due to ip rule"
2007 run_cmd_nsb ${ping6} -c1 -w1 ${a}
2008 log_test_addr ${a} $? 1 "ping in, blocked by rule"
2010 setup_cmd ip -6 rule add pref 0 from all lookup local
2011 setup_cmd ip -6 rule del pref 32765 from all lookup local
2012 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
2013 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit
2016 # route blocks reachability to remote address
2019 setup_cmd ip -6 route del ${NSB_LO_IP6}
2020 setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10
2021 setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10
2024 run_cmd ${ping6} -c1 -w1 ${a}
2025 log_test_addr ${a} $? 2 "ping out, blocked by route"
2028 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2029 log_test_addr ${a} $? 2 "ping out, device bind, blocked by route"
2033 show_hint "Response lost due to ip route"
2034 run_cmd_nsb ${ping6} -c1 -w1 ${a}
2035 log_test_addr ${a} $? 1 "ping in, blocked by route"
2039 # remove 'remote' routes; fallback to default
2042 setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6}
2043 setup_cmd ip -6 ro del unreachable ${NSB_IP6}
2046 run_cmd ${ping6} -c1 -w1 ${a}
2047 log_test_addr ${a} $? 2 "ping out, unreachable route"
2050 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2051 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
2058 # should default to on; the sysctl does not exist on older kernels, so errors are discarded
2059 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
2064 for a in ${NSB_IP6} ${NSB_LO_IP6}
2067 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
2068 log_test_addr ${a} $? 0 "ping out, VRF bind"
2071 for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF}
2074 show_hint "Fails since VRF device does not support linklocal or multicast"
2075 run_cmd ${ping6} -c1 -w1 ${a}
2076 log_test_addr ${a} $? 2 "ping out, VRF bind"
2079 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2082 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2083 log_test_addr ${a} $? 0 "ping out, device bind"
2086 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2089 run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a}
2090 log_test_addr ${a} $? 0 "ping out, vrf device+address bind"
2096 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
2099 run_cmd_nsb ${ping6} -c1 -w1 ${a}
2100 log_test_addr ${a} $? 0 "ping in"
2105 show_hint "Fails since loopback address is out of VRF scope"
2106 run_cmd_nsb ${ping6} -c1 -w1 ${a}
2107 log_test_addr ${a} $? 1 "ping in"
2110 # local traffic, local address
2112 for a in ${NSA_IP6} ${VRF_IP6} ::1
2115 show_hint "Source address should be ${a}"
2116 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
2117 log_test_addr ${a} $? 0 "ping local, VRF bind"
2120 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2123 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2124 log_test_addr ${a} $? 0 "ping local, device bind"
2127 # LLA to GUA - remove ipv6 global addresses from ns-B
2128 setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
2129 setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo
2130 setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
2132 for a in ${NSA_IP6} ${VRF_IP6}
2135 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
2136 log_test_addr ${a} $? 0 "ping in, LLA to GUA"
2139 setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
2140 setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV}
2141 setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo
2144 # ip rule blocks address
2147 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
2148 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit
2151 run_cmd ${ping6} -c1 -w1 ${a}
2152 log_test_addr ${a} $? 2 "ping out, blocked by rule"
2155 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2156 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
2160 show_hint "Response lost due to ip rule"
2161 run_cmd_nsb ${ping6} -c1 -w1 ${a}
2162 log_test_addr ${a} $? 1 "ping in, blocked by rule"
2165 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
2166 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit
2169 # remove 'remote' routes; fallback to default
2172 setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF}
2175 run_cmd ${ping6} -c1 -w1 ${a}
2176 log_test_addr ${a} $? 2 "ping out, unreachable route"
2179 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2180 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
2182 ip -netns ${NSB} -6 ro del ${NSA_LO_IP6}
2185 run_cmd_nsb ${ping6} -c1 -w1 ${a}
2186 log_test_addr ${a} $? 2 "ping in, unreachable route"
2191 log_section "IPv6 ping"
2193 log_subsection "No VRF"
2197 log_subsection "With VRF"
2202 ################################################################################
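2206 # MD5 tests without VRF: the connection must succeed only when the client's password matches and its address is the peer (-r) or within the prefix (-m) configured on the server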
2208 ipv6_tcp_md5_novrf()
2216 run_cmd nettest -6 -s -M ${MD5_PW} -r ${NSB_IP6} &
2218 run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
2219 log_test $? 0 "MD5: Single address config"
2221 # client sends MD5, server not configured
2223 show_hint "Should timeout due to MD5 mismatch"
2224 run_cmd nettest -6 -s &
2226 run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
2227 log_test $? 2 "MD5: Server no config, client uses password"
2231 show_hint "Should timeout since client uses wrong password"
2232 run_cmd nettest -6 -s -M ${MD5_PW} -r ${NSB_IP6} &
2234 run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
2235 log_test $? 2 "MD5: Client uses wrong password"
2237 # client from different address
2239 show_hint "Should timeout due to MD5 mismatch"
2240 run_cmd nettest -6 -s -M ${MD5_PW} -r ${NSB_LO_IP6} &
2242 run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
2243 log_test $? 2 "MD5: Client address does not match address configured with password"
2246 # MD5 extension - prefix length
2251 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2253 run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
2254 log_test $? 0 "MD5: Prefix config"
2256 # client in prefix, wrong password
2258 show_hint "Should timeout since client uses wrong password"
2259 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2261 run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
2262 log_test $? 2 "MD5: Prefix config, client uses wrong password"
2264 # client outside of prefix
2266 show_hint "Should timeout due to MD5 mismatch"
2267 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2269 run_cmd_nsb nettest -6 -l ${NSB_LO_IP6} -r ${NSA_IP6} -M ${MD5_PW}
2270 log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
2274 # MD5 tests with VRF
2284 run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} &
2286 run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
2287 log_test $? 0 "MD5: VRF: Single address config"
2289 # client sends MD5, server not configured
2291 show_hint "Should timeout since server does not have MD5 auth"
2292 run_cmd nettest -6 -s -d ${VRF} &
2294 run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
2295 log_test $? 2 "MD5: VRF: Server no config, client uses password"
2299 show_hint "Should timeout since client uses wrong password"
2300 run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} &
2302 run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
2303 log_test $? 2 "MD5: VRF: Client uses wrong password"
2305 # client from different address
2307 show_hint "Should timeout since server config differs from client"
2308 run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_LO_IP6} &
2310 run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
2311 log_test $? 2 "MD5: VRF: Client address does not match address configured with password"
2314 # MD5 extension - prefix length
2319 run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2321 run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
2322 log_test $? 0 "MD5: VRF: Prefix config"
2324 # client in prefix, wrong password
2326 show_hint "Should timeout since client uses wrong password"
2327 run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2329 run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
2330 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"
2332 # client outside of prefix
2334 show_hint "Should timeout since client address is outside of prefix"
2335 run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2337 run_cmd_nsb nettest -6 -l ${NSB_LO_IP6} -r ${NSA_IP6} -M ${MD5_PW}
2338 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"
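2341 # duplicate config between default VRF and a VRF: the same peer address or prefix is given a different password in each, and a connection must authenticate only with the password of the L3 domain it arrives in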
2345 run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} &
2346 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -r ${NSB_IP6} &
2348 run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
2349 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"
2352 run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} &
2353 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -r ${NSB_IP6} &
2355 run_cmd_nsc nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
2356 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"
2359 show_hint "Should timeout since client in default VRF uses VRF password"
2360 run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} &
2361 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -r ${NSB_IP6} &
2363 run_cmd_nsc nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
2364 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"
2367 show_hint "Should timeout since client in VRF uses default VRF password"
2368 run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -r ${NSB_IP6} &
2369 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -r ${NSB_IP6} &
2371 run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
2372 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"
2375 run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2376 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2378 run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
2379 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"
2382 run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2383 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2385 run_cmd_nsc nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
2386 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"
2389 show_hint "Should timeout since client in default VRF uses VRF password"
2390 run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2391 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2393 run_cmd_nsc nettest -6 -r ${NSA_IP6} -M ${MD5_PW}
2394 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"
2397 show_hint "Should timeout since client in VRF uses default VRF password"
2398 run_cmd nettest -6 -s -d ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2399 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2401 run_cmd_nsb nettest -6 -r ${NSA_IP6} -M ${MD5_WRONG_PW}
2402 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"
2408 run_cmd nettest -6 -s -d ${NSA_DEV} -M ${MD5_PW} -r ${NSB_IP6}
2409 log_test $? 1 "MD5: VRF: Device must be a VRF - single address"
2412 run_cmd nettest -6 -s -d ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6}
2413 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"
2424 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2427 run_cmd nettest -6 -s &
2429 run_cmd_nsb nettest -6 -r ${a}
2430 log_test_addr ${a} $? 0 "Global server"
2433 # verify TCP reset received
2434 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2437 show_hint "Should fail 'Connection refused'"
2438 run_cmd_nsb nettest -6 -r ${a}
2439 log_test_addr ${a} $? 1 "No server"
2445 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2448 run_cmd_nsb nettest -6 -s &
2450 run_cmd nettest -6 -r ${a}
2451 log_test_addr ${a} $? 0 "Client"
2454 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2457 run_cmd_nsb nettest -6 -s &
2459 run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2460 log_test_addr ${a} $? 0 "Client, device bind"
2463 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2466 show_hint "Should fail 'Connection refused'"
2467 run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2468 log_test_addr ${a} $? 1 "No server, device client"
2472 # local address tests
2474 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
2477 run_cmd nettest -6 -s &
2479 run_cmd nettest -6 -r ${a}
2480 log_test_addr ${a} $? 0 "Global server, local connection"
2485 run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} &
2487 run_cmd nettest -6 -r ${a} -0 ${a}
2488 log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
2490 for a in ${NSA_LO_IP6} ::1
2493 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
2494 run_cmd nettest -6 -s -d ${NSA_DEV} &
2496 run_cmd nettest -6 -r ${a}
2497 log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
2502 run_cmd nettest -6 -s &
2504 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
2505 log_test_addr ${a} $? 0 "Global server, device client, local connection"
2507 for a in ${NSA_LO_IP6} ::1
2510 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
2511 run_cmd nettest -6 -s &
2513 run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2514 log_test_addr ${a} $? 1 "Global server, device client, local connection"
2517 for a in ${NSA_IP6} ${NSA_LINKIP6}
2520 run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} &
2522 run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
2523 log_test_addr ${a} $? 0 "Device server, device client, local conn"
2526 for a in ${NSA_IP6} ${NSA_LINKIP6}
2529 show_hint "Should fail 'Connection refused'"
2530 run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
2531 log_test_addr ${a} $? 1 "No server, device client, local conn"
2541 # disable global server
2542 log_subsection "Global server disabled"
2544 set_sysctl net.ipv4.tcp_l3mdev_accept=0
2549 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2552 show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
2553 run_cmd nettest -6 -s &
2555 run_cmd_nsb nettest -6 -r ${a}
2556 log_test_addr ${a} $? 1 "Global server"
2559 for a in ${NSA_IP6} ${VRF_IP6}
2562 run_cmd nettest -6 -s -d ${VRF} -2 ${VRF} &
2564 run_cmd_nsb nettest -6 -r ${a}
2565 log_test_addr ${a} $? 0 "VRF server"
2568 # link local is always bound to ingress device
2569 a=${NSA_LINKIP6}%${NSB_DEV}
2571 run_cmd nettest -6 -s -d ${VRF} -2 ${NSA_DEV} &
2573 run_cmd_nsb nettest -6 -r ${a}
2574 log_test_addr ${a} $? 0 "VRF server"
2576 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2579 run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} &
2581 run_cmd_nsb nettest -6 -r ${a}
2582 log_test_addr ${a} $? 0 "Device server"
2585 # verify TCP reset received
2586 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2589 show_hint "Should fail 'Connection refused'"
2590 run_cmd_nsb nettest -6 -r ${a}
2591 log_test_addr ${a} $? 1 "No server"
2594 # local address tests
2597 show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
2598 run_cmd nettest -6 -s &
2600 run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2601 log_test_addr ${a} $? 1 "Global server, local connection"
2607 # enable VRF global server
2609 log_subsection "VRF Global server enabled"
2610 set_sysctl net.ipv4.tcp_l3mdev_accept=1
2612 for a in ${NSA_IP6} ${VRF_IP6}
2615 run_cmd nettest -6 -s -2 ${VRF} &
2617 run_cmd_nsb nettest -6 -r ${a}
2618 log_test_addr ${a} $? 0 "Global server"
2621 for a in ${NSA_IP6} ${VRF_IP6}
2624 run_cmd nettest -6 -s -d ${VRF} -2 ${VRF} &
2626 run_cmd_nsb nettest -6 -r ${a}
2627 log_test_addr ${a} $? 0 "VRF server"
2630 # For LLA, child socket is bound to device
2631 a=${NSA_LINKIP6}%${NSB_DEV}
2633 run_cmd nettest -6 -s -2 ${NSA_DEV} &
2635 run_cmd_nsb nettest -6 -r ${a}
2636 log_test_addr ${a} $? 0 "Global server"
2639 run_cmd nettest -6 -s -d ${VRF} -2 ${NSA_DEV} &
2641 run_cmd_nsb nettest -6 -r ${a}
2642 log_test_addr ${a} $? 0 "VRF server"
2644 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2647 run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} &
2649 run_cmd_nsb nettest -6 -r ${a}
2650 log_test_addr ${a} $? 0 "Device server"
2653 # verify TCP reset received
2654 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2657 show_hint "Should fail 'Connection refused'"
2658 run_cmd_nsb nettest -6 -r ${a}
2659 log_test_addr ${a} $? 1 "No server"
2662 # local address tests
2663 for a in ${NSA_IP6} ${VRF_IP6}
2666 show_hint "Fails 'Connection refused' since client is not in VRF"
2667 run_cmd nettest -6 -s -d ${VRF} &
2669 run_cmd nettest -6 -r ${a}
2670 log_test_addr ${a} $? 1 "Global server, local connection"
2677 for a in ${NSB_IP6} ${NSB_LO_IP6}
2680 run_cmd_nsb nettest -6 -s &
2682 run_cmd nettest -6 -r ${a} -d ${VRF}
2683 log_test_addr ${a} $? 0 "Client, VRF bind"
2688 show_hint "Fails since VRF device does not allow linklocal addresses"
2689 run_cmd_nsb nettest -6 -s &
2691 run_cmd nettest -6 -r ${a} -d ${VRF}
2692 log_test_addr ${a} $? 1 "Client, VRF bind"
2694 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}
2697 run_cmd_nsb nettest -6 -s &
2699 run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2700 log_test_addr ${a} $? 0 "Client, device bind"
2703 for a in ${NSB_IP6} ${NSB_LO_IP6}
2706 show_hint "Should fail 'Connection refused'"
2707 run_cmd nettest -6 -r ${a} -d ${VRF}
2708 log_test_addr ${a} $? 1 "No server, VRF client"
2711 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}
2714 show_hint "Should fail 'Connection refused'"
2715 run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2716 log_test_addr ${a} $? 1 "No server, device client"
2719 for a in ${NSA_IP6} ${VRF_IP6} ::1
2722 run_cmd nettest -6 -s -d ${VRF} -2 ${VRF} &
2724 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
2725 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
2730 run_cmd nettest -6 -s -d ${VRF} -2 ${VRF} &
2732 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
2733 log_test_addr ${a} $? 0 "VRF server, device client, local connection"
2737 show_hint "Should fail since unbound client is out of VRF scope"
2738 run_cmd nettest -6 -s -d ${VRF} &
2740 run_cmd nettest -6 -r ${a}
2741 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"
2744 run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} &
2746 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
2747 log_test_addr ${a} $? 0 "Device server, VRF client, local connection"
2749 for a in ${NSA_IP6} ${NSA_LINKIP6}
2752 run_cmd nettest -6 -s -d ${NSA_DEV} -2 ${NSA_DEV} &
2754 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
2755 log_test_addr ${a} $? 0 "Device server, device client, local connection"
2761 log_section "IPv6/TCP"
2762 log_subsection "No VRF"
2765 # tcp_l3mdev_accept should have no effect without VRF;
2766 # run tests with it enabled and disabled to verify
2767 log_subsection "tcp_l3mdev_accept disabled"
2768 set_sysctl net.ipv4.tcp_l3mdev_accept=0
2770 log_subsection "tcp_l3mdev_accept enabled"
2771 set_sysctl net.ipv4.tcp_l3mdev_accept=1
2774 log_subsection "With VRF"
2779 ################################################################################
2789 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2792 run_cmd nettest -6 -D -s -2 ${NSA_DEV} &
2794 run_cmd_nsb nettest -6 -D -r ${a}
2795 log_test_addr ${a} $? 0 "Global server"
2798 run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
2800 run_cmd_nsb nettest -6 -D -r ${a}
2801 log_test_addr ${a} $? 0 "Device server"
2806 run_cmd nettest -6 -D -s -2 ${NSA_DEV} &
2808 run_cmd_nsb nettest -6 -D -r ${a}
2809 log_test_addr ${a} $? 0 "Global server"
2811 # should fail since loopback address is out of scope for a device
2812 # bound server, but it does not - hence this only documents current behavior and the check below is left disabled
2815 #show_hint "Should fail since loopback address is out of scope"
2816 #run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
2818 #run_cmd_nsb nettest -6 -D -r ${a}
2819 #log_test_addr ${a} $? 1 "Device server"
2821 # negative test - should fail
2822 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2825 show_hint "Should fail 'Connection refused' since there is no server"
2826 run_cmd_nsb nettest -6 -D -r ${a}
2827 log_test_addr ${a} $? 1 "No server"
2833 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2836 run_cmd_nsb nettest -6 -D -s &
2838 run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6}
2839 log_test_addr ${a} $? 0 "Client"
2842 run_cmd_nsb nettest -6 -D -s &
2844 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6}
2845 log_test_addr ${a} $? 0 "Client, device bind"
2848 run_cmd_nsb nettest -6 -D -s &
2850 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6}
2851 log_test_addr ${a} $? 0 "Client, device send via cmsg"
2854 run_cmd_nsb nettest -6 -D -s &
2856 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6}
2857 log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF"
2860 show_hint "Should fail 'Connection refused'"
2861 run_cmd nettest -6 -D -r ${a}
2862 log_test_addr ${a} $? 1 "No server, unbound client"
2865 show_hint "Should fail 'Connection refused'"
2866 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
2867 log_test_addr ${a} $? 1 "No server, device client"
2871 # local address tests
2873 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
2876 run_cmd nettest -6 -D -s &
2878 run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a}
2879 log_test_addr ${a} $? 0 "Global server, local connection"
2884 run_cmd nettest -6 -s -D -d ${NSA_DEV} -2 ${NSA_DEV} &
2886 run_cmd nettest -6 -D -r ${a}
2887 log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
2889 for a in ${NSA_LO_IP6} ::1
2892 show_hint "Should fail 'Connection refused' since address is out of device scope"
2893 run_cmd nettest -6 -s -D -d ${NSA_DEV} &
2895 run_cmd nettest -6 -D -r ${a}
2896 log_test_addr ${a} $? 1 "Device server, local connection"
2901 run_cmd nettest -6 -s -D &
2903 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
2904 log_test_addr ${a} $? 0 "Global server, device client, local connection"
2907 run_cmd nettest -6 -s -D &
2909 run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a}
2910 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"
2913 run_cmd nettest -6 -s -D &
2915 run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a}
2916 log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection"
2918 for a in ${NSA_LO_IP6} ::1
2921 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
2922 run_cmd nettest -6 -D -s &
2924 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
2925 log_test_addr ${a} $? 1 "Global server, device client, local connection"
2928 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
2929 run_cmd nettest -6 -D -s &
2931 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C
2932 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"
2935 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
2936 run_cmd nettest -6 -D -s &
2938 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S
2939 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
2944 run_cmd nettest -6 -D -s -d ${NSA_DEV} -2 ${NSA_DEV} &
2946 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a}
2947 log_test_addr ${a} $? 0 "Device server, device client, local conn"
2950 show_hint "Should fail 'Connection refused'"
2951 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
2952 log_test_addr ${a} $? 1 "No server, device client, local conn"
2955 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
2956 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
2958 run_cmd nettest -6 -s -D &
2960 run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
2961 log_test $? 0 "UDP in - LLA to GUA"
2963 run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
2964 run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
2971 # disable global server
# With udp_l3mdev_accept=0, a UDP socket that is not bound to the VRF (or to a
# device enslaved to it) is not supposed to receive datagrams arriving in the
# VRF. The first loop is the negative check for that isolation boundary: the
# server is started without -d and the client launched through run_cmd_nsb is
# expected to exit with status 1.
2972 log_subsection "Global server disabled"
2973 set_sysctl net.ipv4.udp_l3mdev_accept=0
2978 for a in ${NSA_IP6} ${VRF_IP6}
2981 show_hint "Should fail 'Connection refused' since global server is disabled"
2982 run_cmd nettest -6 -D -s &
2984 run_cmd_nsb nettest -6 -D -r ${a}
# NOTE(review): only the exit status is compared, so any client failure (not
# just 'Connection refused') is recorded as a pass for this case.
2985 log_test_addr ${a} $? 1 "Global server"
2988 for a in ${NSA_IP6} ${VRF_IP6}
2991 run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} &
2993 run_cmd_nsb nettest -6 -D -r ${a}
2994 log_test_addr ${a} $? 0 "VRF server"
2997 for a in ${NSA_IP6} ${VRF_IP6}
3000 run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
3002 run_cmd_nsb nettest -6 -D -r ${a}
3003 log_test_addr ${a} $? 0 "Enslaved device server"
3006 # negative test - should fail
3007 for a in ${NSA_IP6} ${VRF_IP6}
3010 show_hint "Should fail 'Connection refused' since there is no server"
3011 run_cmd_nsb nettest -6 -D -r ${a}
3012 log_test_addr ${a} $? 1 "No server"
3016 # local address tests
3018 for a in ${NSA_IP6} ${VRF_IP6}
3021 show_hint "Should fail 'Connection refused' since global server is disabled"
3022 run_cmd nettest -6 -D -s &
3024 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3025 log_test_addr ${a} $? 1 "Global server, VRF client, local conn"
3028 for a in ${NSA_IP6} ${VRF_IP6}
3031 run_cmd nettest -6 -D -d ${VRF} -s &
3033 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3034 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3039 show_hint "Should fail 'Connection refused' since global server is disabled"
3040 run_cmd nettest -6 -D -s &
3042 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3043 log_test_addr ${a} $? 1 "Global server, device client, local conn"
3046 run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} &
3048 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3049 log_test_addr ${a} $? 0 "VRF server, device client, local conn"
3052 run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
3054 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3055 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
3058 run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
3060 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3061 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
3063 # enable global server
# With udp_l3mdev_accept=1, an unbound UDP socket may receive datagrams from
# any L3 master domain, so the unbound-server case that was expected to fail
# in the "Global server disabled" subsection is expected to succeed (0) here.
# NOTE(review): this setting relaxes VRF isolation for UDP; restoring the
# previous value after the subsection is not visible in this listing - confirm
# that cleanup resets it.
3064 log_subsection "Global server enabled"
3065 set_sysctl net.ipv4.udp_l3mdev_accept=1
3070 for a in ${NSA_IP6} ${VRF_IP6}
# -2 presumably names the device the server expects the packet on - confirm
# against nettest's usage text.
3073 run_cmd nettest -6 -D -s -2 ${NSA_DEV} &
3075 run_cmd_nsb nettest -6 -D -r ${a}
3076 log_test_addr ${a} $? 0 "Global server"
3079 for a in ${NSA_IP6} ${VRF_IP6}
3082 run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} &
3084 run_cmd_nsb nettest -6 -D -r ${a}
3085 log_test_addr ${a} $? 0 "VRF server"
3088 for a in ${NSA_IP6} ${VRF_IP6}
3091 run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
3093 run_cmd_nsb nettest -6 -D -r ${a}
3094 log_test_addr ${a} $? 0 "Enslaved device server"
3097 # negative test - should fail
3098 for a in ${NSA_IP6} ${VRF_IP6}
3101 run_cmd_nsb nettest -6 -D -r ${a}
3102 log_test_addr ${a} $? 1 "No server"
3109 run_cmd_nsb nettest -6 -D -s &
3111 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
3112 log_test $? 0 "VRF client"
3114 # negative test - should fail
3116 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
3117 log_test $? 1 "No server, VRF client"
3120 run_cmd_nsb nettest -6 -D -s &
3122 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
3123 log_test $? 0 "Enslaved device client"
3125 # negative test - should fail
3127 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
3128 log_test $? 1 "No server, enslaved device client"
3131 # local address tests
3135 run_cmd nettest -6 -D -s -2 ${NSA_DEV} &
3137 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3138 log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
3141 run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} &
3143 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3144 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3149 run_cmd nettest -6 -D -s -2 ${VRF} &
3151 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3152 log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
3155 run_cmd nettest -6 -D -d ${VRF} -s -2 ${VRF} &
3157 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3158 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3160 # negative test - should fail
3161 for a in ${NSA_IP6} ${VRF_IP6}
3164 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3165 log_test_addr ${a} $? 1 "No server, VRF client, local conn"
3168 # device to global IP
3171 run_cmd nettest -6 -D -s -2 ${NSA_DEV} &
3173 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3174 log_test_addr ${a} $? 0 "Global server, device client, local conn"
3177 run_cmd nettest -6 -D -d ${VRF} -s -2 ${NSA_DEV} &
3179 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3180 log_test_addr ${a} $? 0 "VRF server, device client, local conn"
3183 run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
3185 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3186 log_test_addr ${a} $? 0 "Device server, VRF client, local conn"
3189 run_cmd nettest -6 -D -d ${NSA_DEV} -s -2 ${NSA_DEV} &
3191 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3192 log_test_addr ${a} $? 0 "Device server, device client, local conn"
3195 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3196 log_test_addr ${a} $? 1 "No server, device client, local conn"
3199 # link local addresses
3201 run_cmd nettest -6 -D -s &
3203 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
3204 log_test $? 0 "Global server, linklocal IP"
3207 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
3208 log_test $? 1 "No server, linklocal IP"
3212 run_cmd_nsb nettest -6 -D -s &
3214 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
3215 log_test $? 0 "Enslaved device client, linklocal IP"
3218 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
3219 log_test $? 1 "No server, device client, peer linklocal IP"
3223 run_cmd nettest -6 -D -s &
3225 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
3226 log_test $? 0 "Enslaved device client, local conn - linklocal IP"
3229 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
3230 log_test $? 1 "No server, device client, local conn - linklocal IP"
3233 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
3234 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
3236 run_cmd nettest -6 -s -D &
3238 run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
3239 log_test $? 0 "UDP in - LLA to GUA"
3241 run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
3242 run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
3247 # should not matter, but set to known state
3248 set_sysctl net.ipv4.udp_early_demux=1
3250 log_section "IPv6/UDP"
3251 log_subsection "No VRF"
3254 # udp_l3mdev_accept should have no effect without VRF;
3255 # run tests with it enabled and disabled to verify
3256 log_subsection "udp_l3mdev_accept disabled"
3257 set_sysctl net.ipv4.udp_l3mdev_accept=0
3259 log_subsection "udp_l3mdev_accept enabled"
3260 set_sysctl net.ipv4.udp_l3mdev_accept=1
3263 log_subsection "With VRF"
3268 ################################################################################
# IPv6 bind() checks without a VRF. Each case runs nettest with -l <addr>
# (plus -d ${NSA_DEV} for the device-bound variants) and hands nettest's exit
# status, together with the expected status, to log_test_addr. The cases
# labelled "bind to local address" expect 0; the final "out of scope" case
# expects 1.
# Several lines of the function (braces, do/done, assignments to a) are not
# visible in this listing, so loop boundaries below are not certain.
3271 ipv6_addr_bind_novrf()
3276 for a in ${NSA_IP6} ${NSA_LO_IP6}
3279 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
3280 log_test_addr ${a} $? 0 "Raw socket bind to local address"
# NOTE(review): the loop list includes ${NSA_LO_IP6}, so a raw socket bound to
# ${NSA_DEV} is expected to succeed in binding a loopback-hosted address, while
# the TCP case at the end treats an out-of-scope address as an error. Confirm
# the asymmetry is intended; there is no negative raw-socket case here.
3283 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -d ${NSA_DEV} -b
3284 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
3292 run_cmd nettest -6 -s -l ${a} -t1 -b
3293 log_test_addr ${a} $? 0 "TCP socket bind to local address"
3296 run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b
3297 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
# Negative case: the command line is identical to the device-bind case above,
# so only the value of a can differ. Its assignment is not visible in this
# listing - presumably an address on loopback; confirm.
3301 show_hint "Should fail with 'Cannot assign requested address'"
3302 run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b
3303 log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
# IPv6 bind() checks with a VRF. Each case runs nettest with -l <addr> and
# -d ${VRF} or -d ${NSA_DEV}, then passes the exit status and the expected
# status to log_test_addr. Cases with expected status 1 are the scope checks:
# the address must not be bindable through that VRF or device.
# Several lines of the function (braces, do/done, assignments to a) are not
# visible in this listing, so which value a holds in the negative cases has to
# be confirmed against the full file.
3306 ipv6_addr_bind_vrf()
3311 for a in ${NSA_IP6} ${VRF_IP6}
3314 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -d ${VRF} -b
3315 log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"
3318 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -d ${NSA_DEV} -b
3319 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
3324 show_hint "Address on loopback is out of VRF scope"
3325 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -d ${VRF} -b
3326 log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"
3331 # address on enslaved device is valid for the VRF or device in a VRF
3332 for a in ${NSA_IP6} ${VRF_IP6}
3335 run_cmd nettest -6 -s -l ${a} -d ${VRF} -t1 -b
3336 log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
3341 run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b
3342 log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"
# Same command line as the case above with the opposite expected status; per
# the label, a is presumably the VRF's own address here - confirm. No
# show_hint explains the expected error for this case.
3346 run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b
3347 log_test_addr ${a} $? 1 "TCP socket bind to VRF address with device bind"
3351 show_hint "Address on loopback out of scope for VRF"
3352 run_cmd nettest -6 -s -l ${a} -d ${VRF} -t1 -b
3353 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"
3356 show_hint "Address on loopback out of scope for device in VRF"
3357 run_cmd nettest -6 -s -l ${a} -d ${NSA_DEV} -t1 -b
3358 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
3364 log_section "IPv6 address binds"
3366 log_subsection "No VRF"
3368 ipv6_addr_bind_novrf
3370 log_subsection "With VRF"
3375 ################################################################################
3376 # IPv6 runtime tests
3382 local with_vrf="yes"
3388 for a in ${NSA_IP6} ${VRF_IP6}
3391 run_cmd nettest ${varg} -s &
3393 run_cmd_nsb nettest ${varg} -r ${a} &
3395 run_cmd ip link del ${VRF}
3397 log_test_addr ${a} 0 0 "${desc}, global server"
3402 for a in ${NSA_IP6} ${VRF_IP6}
3405 run_cmd nettest ${varg} -d ${VRF} -s &
3407 run_cmd_nsb nettest ${varg} -r ${a} &
3409 run_cmd ip link del ${VRF}
3411 log_test_addr ${a} 0 0 "${desc}, VRF server"
3416 for a in ${NSA_IP6} ${VRF_IP6}
3419 run_cmd nettest ${varg} -d ${NSA_DEV} -s &
3421 run_cmd_nsb nettest ${varg} -r ${a} &
3423 run_cmd ip link del ${VRF}
3425 log_test_addr ${a} 0 0 "${desc}, enslaved device server"
3434 run_cmd_nsb nettest ${varg} -s &
3436 run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
3438 run_cmd ip link del ${VRF}
3440 log_test 0 0 "${desc}, VRF client"
3445 run_cmd_nsb nettest ${varg} -s &
3447 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
3449 run_cmd ip link del ${VRF}
3451 log_test 0 0 "${desc}, enslaved device client"
3457 # local address tests
3459 for a in ${NSA_IP6} ${VRF_IP6}
3462 run_cmd nettest ${varg} -s &
3464 run_cmd nettest ${varg} -d ${VRF} -r ${a} &
3466 run_cmd ip link del ${VRF}
3468 log_test_addr ${a} 0 0 "${desc}, global server, VRF client"
3473 for a in ${NSA_IP6} ${VRF_IP6}
3476 run_cmd nettest ${varg} -d ${VRF} -s &
3478 run_cmd nettest ${varg} -d ${VRF} -r ${a} &
3480 run_cmd ip link del ${VRF}
3482 log_test_addr ${a} 0 0 "${desc}, VRF server and client"
3489 run_cmd nettest ${varg} -s &
3491 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3493 run_cmd ip link del ${VRF}
3495 log_test_addr ${a} 0 0 "${desc}, global server, device client"
3500 run_cmd nettest ${varg} -d ${VRF} -s &
3502 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3504 run_cmd ip link del ${VRF}
3506 log_test_addr ${a} 0 0 "${desc}, VRF server, device client"
3511 run_cmd nettest ${varg} -d ${NSA_DEV} -s &
3513 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3515 run_cmd ip link del ${VRF}
3517 log_test_addr ${a} 0 0 "${desc}, device server, device client"
# Deletes the VRF device while a flood ping (-f) is running in the background,
# once with traffic coming in from ns-B and once with traffic going out
# through the VRF. Both results are logged with a literal actual status 0 and
# expected status 0, so the cases always record a pass; what they exercise is
# that the run gets past the device delete.
3522 local with_vrf="yes"
3527 run_cmd_nsb ${ping6} -f ${a} &
3529 run_cmd ip link del ${VRF}
3531 log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"
# NOTE(review): this case pings ${NSB_IP6}, but the result below is labelled
# with ${a}, which still holds the address used by the "ping in" case.
# NOTE(review): stopping the background pings is not visible in this listing -
# confirm they are reaped before the next test starts.
3536 run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
3538 run_cmd ip link del ${VRF}
3540 log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
3545 log_section "Run time tests - ipv6"
3551 ipv6_rt "TCP active socket" "-n -1"
3554 ipv6_rt "TCP passive socket" "-i"
3557 ipv6_rt "UDP active socket" "-D -n -1"
3560 ################################################################################
3561 # netfilter blocking connections
# For each of ${NSA_IP} and ${VRF_IP}: start an unbound nettest server, connect
# to it through run_cmd_nsb and expect the client to exit with status 1.
# The function installs no firewall rule in the visible lines; it relies on the
# caller having added the REJECT rule for the server port beforehand.
3563 netfilter_tcp_reset()
3567 for a in ${NSA_IP} ${VRF_IP}
3570 run_cmd nettest -s &
3572 run_cmd_nsb nettest -r ${a}
# NOTE(review): only the exit status is checked, so a client failure for any
# other reason (server not yet listening, no route) is also logged as a pass.
3573 log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
3583 [ "${stype}" = "UDP" ] && arg="-D"
3585 for a in ${NSA_IP} ${VRF_IP}
3588 run_cmd nettest ${arg} -s &
3590 run_cmd_nsb nettest ${arg} -r ${a}
3591 log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
# IPv4 netfilter section: appends REJECT rules for destination port 12345
# (presumably nettest's default port - confirm) to the INPUT chain, first with
# a TCP reset and then with ICMP port-unreachable for TCP and UDP.
# Presumably run_cmd executes these inside the ns-A namespace, so the rules
# never touch the host firewall - confirm against run_cmd's definition.
3597 log_section "IPv4 Netfilter"
3598 log_subsection "TCP reset"
3601 run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset
3606 log_subsection "ICMP unreachable"
# NOTE(review): -A appends. If the tcp-reset rule above is still in the chain
# it matches TCP port 12345 first and the TCP rule below is never reached, so
# the "TCP" ICMP case would exercise the reset path again. No `iptables -F` is
# visible between the subsections in this listing; the IPv6 section does run
# `ip6tables -F` at the same point. Confirm a flush precedes this line.
3610 run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
3611 run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
3613 netfilter_icmp "TCP"
3614 netfilter_icmp "UDP"
# IPv6 counterpart of the TCP-reset check: for each of ${NSA_IP6} and
# ${VRF_IP6}, start an unbound nettest -6 server, connect through run_cmd_nsb
# and expect the client to exit with status 1.
# No ip6tables rule is installed in the visible lines of this function; the
# REJECT rule has to be in place before it is called.
3620 netfilter_tcp6_reset()
3624 for a in ${NSA_IP6} ${VRF_IP6}
3627 run_cmd nettest -6 -s &
3629 run_cmd_nsb nettest -6 -r ${a}
# NOTE(review): only the exit status is checked, so any client failure, not
# just a reset caused by the rule, is logged as a pass.
3630 log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
3640 [ "${stype}" = "UDP" ] && arg="$arg -D"
3642 for a in ${NSA_IP6} ${VRF_IP6}
3645 run_cmd nettest -6 -s ${arg} &
3647 run_cmd_nsb nettest -6 ${arg} -r ${a}
3648 log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
# IPv6 netfilter section: installs a REJECT rule with tcp-reset for TCP port
# 12345, runs the reset check, flushes, then installs icmp6-port-unreachable
# REJECT rules for TCP and UDP and runs netfilter_icmp6 for each.
3654 log_section "IPv6 Netfilter"
3655 log_subsection "TCP reset"
3658 run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset
3660 netfilter_tcp6_reset
3662 log_subsection "ICMP unreachable"
# The flush removes the tcp-reset rule so the appended rules below are the
# first match. -F without a chain flushes every chain in the table, which is
# only safe in a throwaway namespace - presumably run_cmd executes in ns-A;
# confirm against its definition.
3665 run_cmd ip6tables -F
3666 run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
3667 run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
3669 netfilter_icmp6 "TCP"
3670 netfilter_icmp6 "UDP"
# NOTE(review): removal of these rules after the last case is not visible in
# this listing - confirm cleanup tears the namespace down.
3676 ################################################################################
3677 # specific use cases
3680 # ns-A device enslaved to bridge. Verify traffic with and without
3681 # br_netfilter module loaded. Repeat with SVI on bridge.
3686 setup_cmd ip link set ${NSA_DEV} down
3687 setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
3688 setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64
3690 setup_cmd ip link add br0 type bridge
3691 setup_cmd ip addr add dev br0 ${NSA_IP}/24
3692 setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad
3694 setup_cmd ip li set ${NSA_DEV} master br0
3695 setup_cmd ip li set ${NSA_DEV} up
3696 setup_cmd ip li set br0 up
3697 setup_cmd ip li set br0 vrf ${VRF}
3699 rmmod br_netfilter 2>/dev/null
3702 run_cmd ip neigh flush all
3703 run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
3704 log_test $? 0 "Bridge into VRF - IPv4 ping out"
3706 run_cmd ip neigh flush all
3707 run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
3708 log_test $? 0 "Bridge into VRF - IPv6 ping out"
3710 run_cmd ip neigh flush all
3711 run_cmd_nsb ping -c1 -w1 ${NSA_IP}
3712 log_test $? 0 "Bridge into VRF - IPv4 ping in"
3714 run_cmd ip neigh flush all
3715 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
3716 log_test $? 0 "Bridge into VRF - IPv6 ping in"
3718 modprobe br_netfilter
3719 if [ $? -eq 0 ]; then
3720 run_cmd ip neigh flush all
3721 run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
3722 log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out"
3724 run_cmd ip neigh flush all
3725 run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
3726 log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out"
3728 run_cmd ip neigh flush all
3729 run_cmd_nsb ping -c1 -w1 ${NSA_IP}
3730 log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in"
3732 run_cmd ip neigh flush all
3733 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
3734 log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in"
3737 setup_cmd ip li set br0 nomaster
3738 setup_cmd ip li add br0.100 link br0 type vlan id 100
3739 setup_cmd ip li set br0.100 vrf ${VRF} up
3740 setup_cmd ip addr add dev br0.100 172.16.101.1/24
3741 setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad
3743 setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
3744 setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
3745 setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
3746 setup_cmd_nsb ip li set vlan100 up
3749 rmmod br_netfilter 2>/dev/null
3751 run_cmd ip neigh flush all
3752 run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
3753 log_test $? 0 "Bridge vlan into VRF - IPv4 ping out"
3755 run_cmd ip neigh flush all
3756 run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
3757 log_test $? 0 "Bridge vlan into VRF - IPv6 ping out"
3759 run_cmd ip neigh flush all
3760 run_cmd_nsb ping -c1 -w1 172.16.101.1
3761 log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"
3763 run_cmd ip neigh flush all
3764 run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
3765 log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"
# Repeat the bridge-vlan ping cases with br_netfilter loaded. modprobe is
# called directly rather than through run_cmd: a kernel module is loaded for
# the whole machine, not for a namespace, and br_netfilter makes bridged
# traffic traverse the iptables hooks.
# NOTE(review): no rmmod follows in the visible lines, so the module may stay
# loaded on the host after the test - confirm cleanup restores the prior state.
# NOTE(review): if modprobe fails, the four cases below are skipped without
# any log entry.
3767 modprobe br_netfilter
3768 if [ $? -eq 0 ]; then
3769 run_cmd ip neigh flush all
3770 run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
3771 log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out"
3773 run_cmd ip neigh flush all
3774 run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
3775 log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out"
3777 run_cmd ip neigh flush all
3778 run_cmd_nsb ping -c1 -w1 172.16.101.1
# NOTE(review): this label and the IPv6 one below omit "with br_netfilter", so
# they duplicate the labels logged before the module was loaded and the two
# runs cannot be told apart in the results.
3779 log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"
3781 run_cmd ip neigh flush all
3782 run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
3783 log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"
# Tear down the bridge and the peer vlan; errors are discarded because the
# devices may already be gone.
3786 setup_cmd ip li del br0 2>/dev/null
3787 setup_cmd_nsb ip li del vlan100 2>/dev/null
3792 log_section "Use cases"
3796 ################################################################################
3802 usage: ${0##*/} OPTS
3806 -t <test> Test name/set to run
3808 -P Pause after each test
3813 ################################################################################
3816 TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_addr_bind ipv4_runtime ipv4_netfilter"
3817 TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_addr_bind ipv6_runtime ipv6_netfilter"
3818 TESTS_OTHER="use_cases"
3823 while getopts :46t:pPvh o
3829 p) PAUSE_ON_FAIL=yes;;
3837 # make sure we don't pause twice
3838 [ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no
3841 # show user test config
3843 if [ -z "$TESTS" ]; then
3844 TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
3845 elif [ "$TESTS" = "ipv4" ]; then
3847 elif [ "$TESTS" = "ipv6" ]; then
3851 which nettest >/dev/null
3852 if [ $? -ne 0 ]; then
3853 echo "'nettest' command not found; skipping tests"
3858 declare -i nsuccess=0
# Dispatch arms: map a test name (or its short alias) to the test function.
3863 ipv4_ping|ping) ipv4_ping;;
3864 ipv4_tcp|tcp) ipv4_tcp;;
3865 ipv4_udp|udp) ipv4_udp;;
# NOTE(review): TESTS_IPV4 lists "ipv4_addr_bind", but this arm matches only
# "ipv4_bind" and "bind". If the dispatch loop (not visible in this listing)
# feeds each word of $TESTS to this case, the default run never executes the
# IPv4 bind-scope tests; adding ipv4_addr_bind to the pattern would close the
# gap.
3866 ipv4_bind|bind) ipv4_addr_bind;;
3867 ipv4_runtime) ipv4_runtime;;
3868 ipv4_netfilter) ipv4_netfilter;;
3870 ipv6_ping|ping6) ipv6_ping;;
3871 ipv6_tcp|tcp6) ipv6_tcp;;
3872 ipv6_udp|udp6) ipv6_udp;;
# NOTE(review): same mismatch for IPv6 - TESTS_IPV6 lists "ipv6_addr_bind",
# which neither "ipv6_bind" nor "bind6" matches.
3873 ipv6_bind|bind6) ipv6_addr_bind;;
3874 ipv6_runtime) ipv6_runtime;;
3875 ipv6_netfilter) ipv6_netfilter;;
3877 use_cases) use_cases;;
3879 # setup namespaces and config, but do not run any tests
3880 setup) setup; exit 0;;
3881 vrf_setup) setup "yes"; exit 0;;
3883 help) echo "Test names: $TESTS"; exit 0;;
3889 printf "\nTests passed: %3d\n" ${nsuccess}
3890 printf "Tests failed: %3d\n" ${nfail}