2 # SPDX-License-Identifier: GPL-2.0
4 # Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
6 # IPv4 and IPv6 functional tests focusing on VRF and routing lookups
7 # for various permutations:
8 # 1. icmp, tcp, udp and netfilter
9 # 2. client, server, no-server
10 # 3. global address on interface
11 # 4. global address on 'lo'
12 # 5. remote and local traffic
13 # 6. VRF and non-VRF permutations
18 # [ lo ] [ eth1 ]---|---[ eth1 ] [ lo ]
21 # [ red ]---[ eth1 ]---|---[ eth1 ] [ lo ]
24 # eth1: 172.16.1.1/24, 2001:db8:1::1/64
25 # lo: 127.0.0.1/8, ::1/128
26 # 172.16.2.1/32, 2001:db8:2::1/128
27 # red: 127.0.0.1/8, ::1/128
28 # 172.16.3.1/32, 2001:db8:3::1/128
31 # eth1: 172.16.1.2/24, 2001:db8:1::2/64
32 # lo2: 127.0.0.1/8, ::1/128
33 # 172.16.2.2/32, 2001:db8:2::2/128
35 # ns-A to ns-C connection - only for VRF and same config
38 # server / client nomenclature relative to ns-A
40 # Kselftest framework requirement - SKIP code is 4.
# Address plan and command prefixes shared by every test in this script.
# The IPv6 values are taken from 2001:db8::/32, the IPv6 documentation prefix.
62 NS_NET6=2001:db8:1::/120
66 NSA_LO_IP6=2001:db8:2::1
67 NSB_LO_IP6=2001:db8:2::2
69 # non-local addresses for freebind tests
77 # set after namespace create
# Prefixes that run a program inside the ns-A / ns-B / ns-C network namespace.
# Callers expand them unquoted (see the run_cmd wrappers), which relies on the
# namespace names containing no whitespace or glob characters.
85 NSA_CMD="ip netns exec ${NSA}"
86 NSB_CMD="ip netns exec ${NSB}"
87 NSC_CMD="ip netns exec ${NSC}"
# Use the ping6 binary when one is in PATH, otherwise fall back to ping.
# NOTE(review): in `a && b || c` the fallback also runs if the middle
# assignment fails; `command -v` is the portable replacement for `which`.
89 which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)
91 ################################################################################
# Result reporting: compare the observed exit status with the expected one and
# print an OK/FAIL line for the test.
100 [ "${VERBOSE}" = "1" ] && echo
# A test passes when rc equals the expected status. Many callers expect a
# non-zero status, i.e. a refused or timed-out connection is the passing result.
102 if [ ${rc} -eq ${expected} ]; then
103 nsuccess=$((nsuccess+1))
104 printf "TEST: %-70s [ OK ]\n" "${msg}"
107 printf "TEST: %-70s [FAIL]\n" "${msg}"
# PAUSE_ON_FAIL=yes stops after a failure so the namespaces can be inspected;
# answering 'q' ends the run with status 1.
108 if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
110 echo "hit enter to continue, 'q' to quit"
112 [ "$a" = "q" ] && exit 1
# PAUSE=yes prompts in the same way; the condition does not depend on the result.
116 if [ "${PAUSE}" = "yes" ]; then
118 echo "hit enter to continue, 'q' to quit"
120 [ "$a" = "q" ] && exit 1
# Address-aware variant: append the readable label from addr2str to the message.
134 astr=$(addr2str ${addr})
135 log_test $rc $expected "$msg - ${astr}"
# Banner output for sections and subsections, verbose-only output, and the
# helper that stops leftover test processes.
141 echo "###########################################################################"
143 echo "###########################################################################"
150 echo "#################################################################"
157 # make sure we have no test instances running
160 if [ "${VERBOSE}" = "1" ]; then
162 echo "#######################################################"
168 if [ "${VERBOSE}" = "1" ]; then
177 if [ "${VERBOSE}" = "1" ]; then
# killall selects by process name and is not run through `ip netns exec` here.
# Network namespaces do not isolate PIDs, so this signals every nettest, ping
# and ping6 process the caller may kill, not only the ones this script started.
# Run the suite on a dedicated test host or VM. All output is discarded.
185 killall nettest ping ping6 >/dev/null 2>&1
# Command runner and its per-namespace wrappers.
# In verbose mode the command is echoed before it runs. ${cmd} is presumably
# the full command line, which for the MD5 cases includes the -M / -X password
# arguments -- confirm these are test-only values before sharing verbose logs.
194 if [ "$VERBOSE" = "1" ]; then
195 echo "COMMAND: ${cmd}"
# Captured output is printed only in verbose mode and only when non-empty.
200 if [ "$VERBOSE" = "1" -a -n "$out" ]; then
# Wrappers for ns-A, ns-B and ns-C. $* is unquoted, so arguments are re-split
# on whitespace and glob-expanded before they reach do_run_cmd; the callers
# visible in this file pass only simple tokens (addresses, device names, flags).
209 do_run_cmd ${NSA_CMD} $*
214 do_run_cmd ${NSB_CMD} $*
219 do_run_cmd ${NSC_CMD} $*
# Failure path of the setup-command helpers. The same sequence appears three
# times, presumably once per namespace variant (the function headers are not
# shown here). A failed setup command stops the whole run, since later results
# would not be meaningful.
229 if [ $rc -ne 0 ]; then
230 # show user the command if not done so already
231 if [ "$VERBOSE" = "0" ]; then
232 echo "setup command: $cmd"
234 echo "failed. stopping tests"
# Optionally wait for the operator so the failed state can be inspected.
235 if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
237 echo "hit enter to continue"
# Second copy of the same failure handling.
251 if [ $rc -ne 0 ]; then
252 # show user the command if not done so already
253 if [ "$VERBOSE" = "0" ]; then
254 echo "setup command: $cmd"
256 echo "failed. stopping tests"
257 if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
259 echo "hit enter to continue"
# Third copy of the same failure handling.
273 if [ $rc -ne 0 ]; then
274 # show user the command if not done so already
275 if [ "$VERBOSE" = "0" ]; then
276 echo "setup command: $cmd"
278 echo "failed. stopping tests"
279 if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
281 echo "hit enter to continue"
# sysctl helpers. Both act inside ns-A, so sysctls that are kept per network
# namespace are changed for the test namespace only.
288 # set sysctl values in NS-A
# -q suppresses the echo of the new value, -w writes it; $* is passed unquoted.
293 run_cmd sysctl -q -w $*
296 # get sysctl values in NS-A
# -n prints the value without the key name, so callers can capture it directly.
299 ${NSA_CMD} sysctl -n $*
302 ################################################################################
# Map an address to a short human-readable label for the test report.
308 127.0.0.1) echo "loopback";;
309 ::1) echo "IPv6 loopback";;
# ns-A addresses.
311 ${NSA_IP}) echo "ns-A IP";;
312 ${NSA_IP6}) echo "ns-A IPv6";;
313 ${NSA_LO_IP}) echo "ns-A loopback IP";;
314 ${NSA_LO_IP6}) echo "ns-A loopback IPv6";;
# Link-local arms also match the zone-suffixed form (address%device).
315 ${NSA_LINKIP6}|${NSA_LINKIP6}%*) echo "ns-A IPv6 LLA";;
# ns-B addresses.
317 ${NSB_IP}) echo "ns-B IP";;
318 ${NSB_IP6}) echo "ns-B IPv6";;
319 ${NSB_LO_IP}) echo "ns-B loopback IP";;
320 ${NSB_LO_IP6}) echo "ns-B loopback IPv6";;
321 ${NSB_LINKIP6}|${NSB_LINKIP6}%*) echo "ns-B IPv6 LLA";;
# Addresses not configured on any interface (used by the freebind tests).
323 ${NL_IP}) echo "nonlocal IP";;
324 ${NL_IP6}) echo "nonlocal IPv6";;
# Addresses assigned to the VRF device.
326 ${VRF_IP}) echo "VRF IP";;
327 ${VRF_IP6}) echo "VRF IPv6";;
# The multicast arm matches only the zone-suffixed form.
329 ${MCAST}%*) echo "multicast IP";;
# Read the IPv6 addresses of ${dev} in namespace ${ns} from the brief (-br)
# listing and scan the fields from the third onward. The selection logic is
# not shown here; presumably it picks the link-local (fe80::) entry.
341 addr=$(ip -netns ${ns} -6 -br addr show dev ${dev} | \
343 for (i = 3; i <= NF; ++i) {
# An empty result is reported as failure so callers can detect a missing address.
351 [ -z "$addr" ] && return 1
358 ################################################################################
359 # create namespaces and vrf
# Create VRF device ${vrf} bound to routing table ${table} in namespace ${ns}.
369 ip -netns ${ns} link add ${vrf} type vrf table ${table}
370 ip -netns ${ns} link set ${vrf} up
# High-metric unreachable defaults in the VRF table: a lookup with no better
# match ends here with an error instead of continuing into another table.
# This is what keeps VRF traffic from leaking onto routes outside the VRF.
371 ip -netns ${ns} route add vrf ${vrf} unreachable default metric 8192
372 ip -netns ${ns} -6 route add vrf ${vrf} unreachable default metric 8192
# Loopback addresses on the VRF device itself; nodad skips duplicate address
# detection for the IPv6 one.
374 ip -netns ${ns} addr add 127.0.0.1/8 dev ${vrf}
375 ip -netns ${ns} -6 addr add ::1 dev ${vrf} nodad
# "-" is the sentinel for "no address of this family".
376 if [ "${addr}" != "-" ]; then
377 ip -netns ${ns} addr add dev ${vrf} ${addr}
379 if [ "${addr6}" != "-" ]; then
380 ip -netns ${ns} -6 addr add dev ${vrf} ${addr6}
# Move the 'local' table rule from preference 0 to 32765 for both families,
# presumably so that the VRF (l3mdev) rule is consulted before the local table.
383 ip -netns ${ns} ru del pref 0
384 ip -netns ${ns} ru add pref 32765 from all lookup local
385 ip -netns ${ns} -6 ru del pref 0
386 ip -netns ${ns} -6 ru add pref 32765 from all lookup local
# Base configuration of a test namespace: loopback up, optional addresses on
# lo, unreachable default routes and forwarding sysctls.
397 ip -netns ${ns} link set lo up
# "-" is the sentinel for "no address of this family".
398 if [ "${addr}" != "-" ]; then
399 ip -netns ${ns} addr add dev lo ${addr}
401 if [ "${addr6}" != "-" ]; then
402 ip -netns ${ns} -6 addr add dev lo ${addr6}
# Without a more specific route, lookups fail as unreachable instead of
# leaving through some default path.
405 ip -netns ${ns} ro add unreachable default metric 8192
406 ip -netns ${ns} -6 ro add unreachable default metric 8192
# Forwarding is switched on for IPv4 and IPv6, and IPv6 addresses are kept
# when a link goes down. These writes run inside ${ns} via `ip netns exec`.
408 ip netns exec ${ns} sysctl -qw net.ipv4.ip_forward=1
409 ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
410 ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.forwarding=1
411 ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.forwarding=1
414 # create veth pair to connect namespaces and apply addresses.
# Connect two namespaces with a veth pair. The peer is created in ns1 under
# the temporary name 'tmp', then moved into ns2 and renamed to ${ns2_dev}.
426 ip -netns ${ns1} li add ${ns1_dev} type veth peer name tmp
427 ip -netns ${ns1} li set ${ns1_dev} up
428 ip -netns ${ns1} li set tmp netns ${ns2} name ${ns2_dev}
429 ip -netns ${ns2} li set ${ns2_dev} up
# NOTE(review): only the ns1 address is tested against the "-" sentinel before
# both ends are configured; callers are assumed to pass "-" for both or neither.
431 if [ "${ns1_addr}" != "-" ]; then
432 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr}
433 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr}
# Same pattern for the IPv6 addresses.
436 if [ "${ns1_addr6}" != "-" ]; then
437 ip -netns ${ns1} addr add dev ${ns1_dev} ${ns1_addr6}
438 ip -netns ${ns2} addr add dev ${ns2_dev} ${ns2_addr6}
# Teardown of the test topology.
444 # explicit cleanups to check those code paths
# NOTE(review): grep -q with an unquoted, unanchored pattern is a substring
# match, so any namespace whose name contains ${NSA} satisfies the check.
445 ip netns | grep -q ${NSA}
446 if [ $? -eq 0 ]; then
447 ip -netns ${NSA} link delete ${VRF}
448 ip -netns ${NSA} ro flush table ${VRF_TABLE}
450 ip -netns ${NSA} addr flush dev ${NSA_DEV}
451 ip -netns ${NSA} -6 addr flush dev ${NSA_DEV}
452 ip -netns ${NSA} link set dev ${NSA_DEV} down
453 ip -netns ${NSA} link del dev ${NSA_DEV}
# Signal every process that `ip netns pids` reports for the namespace, not
# only those this script started. stderr is discarded, which also hides the
# error from kill when the namespace has no processes left.
455 ip netns pids ${NSA} | xargs kill 2>/dev/null
459 ip netns pids ${NSB} | xargs kill 2>/dev/null
461 ip netns pids ${NSC} | xargs kill 2>/dev/null
462 ip netns del ${NSC} >/dev/null 2>&1
# Removal of the second ns-A device and of ns-C; errors are ignored because
# these objects may not exist.
467 ip link del ${NSA_DEV2} >/dev/null 2>&1
468 ip netns pids ${NSC} | xargs kill 2>/dev/null
469 ip netns del ${NSC} >/dev/null 2>&1
# Add ns-C: a second peer of ns-A that reuses ns-B's addresses but is attached
# through ${NSA_DEV2} rather than the VRF-enslaved device.
474 # some VRF tests use ns-C which has the same config as
475 # ns-B but for a device NOT in the VRF
# ns-C gets no loopback addresses ("-" "-"); its link carries NSB_IP / NSB_IP6,
# so ns-A sees the same peer address once inside and once outside the VRF.
476 create_ns ${NSC} "-" "-"
477 connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \
478 ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
# Build the ns-A <-> ns-B topology, with or without a VRF in ns-A.
485 # make sure we are starting with a clean slate
489 log_debug "Configuring network namespaces"
# Each namespace gets its loopback addresses, then the two are linked by a
# veth pair carrying the /24 and /64 addresses.
492 create_ns ${NSA} ${NSA_LO_IP}/32 ${NSA_LO_IP6}/128
493 create_ns ${NSB} ${NSB_LO_IP}/32 ${NSB_LO_IP6}/128
494 connect_ns ${NSA} ${NSA_DEV} ${NSA_IP}/24 ${NSA_IP6}/64 \
495 ${NSB} ${NSB_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
# Link-local addresses exist only after the devices are up, so they are
# looked up now and stored for the later tests.
497 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
498 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
500 # tell ns-A how to get to remote addresses of ns-B
501 if [ "${with_vrf}" = "yes" ]; then
502 create_vrf ${NSA} ${VRF} ${VRF_TABLE} ${VRF_IP} ${VRF_IP6}
# Enslave the ns-A device to the VRF and install the routes to ns-B's loopback
# addresses in the VRF table.
504 ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
505 ip -netns ${NSA} ro add vrf ${VRF} ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
506 ip -netns ${NSA} -6 ro add vrf ${VRF} ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
# ns-B needs return routes to the addresses that live on the VRF device.
508 ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
509 ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
# Same routes without the vrf keyword; presumably the non-VRF branch of the
# test above (the branch keyword itself is not shown here).
511 ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
512 ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
516 # tell ns-B how to get to remote addresses of ns-A
517 ip -netns ${NSB} ro add ${NSA_LO_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
518 ip -netns ${NSB} ro add ${NSA_LO_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
# Topology with no configured addresses at all: every namespace and link is
# created with the "-" sentinel, leaving only IPv6 link-local addresses.
527 # make sure we are starting with a clean slate
531 log_debug "Configuring network namespaces"
534 create_ns ${NSA} "-" "-"
535 create_ns ${NSB} "-" "-"
536 create_ns ${NSC} "-" "-"
# ns-A is linked to ns-B over ${NSA_DEV} and to ns-C over ${NSA_DEV2}.
537 connect_ns ${NSA} ${NSA_DEV} "-" "-" \
538 ${NSB} ${NSB_DEV} "-" "-"
539 connect_ns ${NSA} ${NSA_DEV2} "-" "-" \
540 ${NSC} ${NSC_DEV} "-" "-"
# Record the link-local address of each end for use as test targets.
542 NSA_LINKIP6=$(get_linklocal ${NSA} ${NSA_DEV})
543 NSB_LINKIP6=$(get_linklocal ${NSB} ${NSB_DEV})
544 NSC_LINKIP6=$(get_linklocal ${NSC} ${NSC_DEV})
# Both ns-A devices are enslaved to one VRF that has no addresses of its own.
546 create_vrf ${NSA} ${VRF} ${VRF_TABLE} "-" "-"
547 ip -netns ${NSA} link set dev ${NSA_DEV} vrf ${VRF}
548 ip -netns ${NSA} link set dev ${NSA_DEV2} vrf ${VRF}
555 ################################################################################
# IPv4 ping cases with no VRF in ns-A. Each probe is one echo request with a
# one-second deadline (-c1 -w1). The number after $? is the expected ping exit
# status: 0 for a reply, 1 where the request is expected to go unanswered,
# 2 where the send itself is expected to fail locally.
565 for a in ${NSB_IP} ${NSB_LO_IP}
568 run_cmd ping -c1 -w1 ${a}
569 log_test_addr ${a} $? 0 "ping out"
572 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
573 log_test_addr ${a} $? 0 "ping out, device bind"
576 run_cmd ping -c1 -w1 -I ${NSA_LO_IP} ${a}
577 log_test_addr ${a} $? 0 "ping out, address bind"
# Inbound: ns-B pings the ns-A addresses.
583 for a in ${NSA_IP} ${NSA_LO_IP}
586 run_cmd_nsb ping -c1 -w1 ${a}
587 log_test_addr ${a} $? 0 "ping in"
# Local: ns-A pings its own addresses.
593 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
596 run_cmd ping -c1 -w1 ${a}
597 log_test_addr ${a} $? 0 "ping local"
601 # local traffic, socket bound to device
606 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
607 log_test_addr ${a} $? 0 "ping local, device bind"
609 # loopback addresses not reachable from device bind
610 # fails in a really weird way though because ipv4 special cases
611 # route lookups with oif set.
612 for a in ${NSA_LO_IP} 127.0.0.1
615 show_hint "Fails since address on loopback device is out of device scope"
616 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
617 log_test_addr ${a} $? 1 "ping local, device bind"
621 # ip rule blocks reachability to remote address
# The local-table rule is moved from pref 0 to 32765 first; the prohibit rules
# at pref 50 and 51 then match on the destination and on the source.
624 setup_cmd ip rule add pref 32765 from all lookup local
625 setup_cmd ip rule del pref 0 from all lookup local
626 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
627 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit
630 run_cmd ping -c1 -w1 ${a}
631 log_test_addr ${a} $? 2 "ping out, blocked by rule"
633 # NOTE: ipv4 actually allows the lookup to fail and yet still create
634 # a viable rtable if the oif (e.g., bind to device) is set, so this
635 # case succeeds despite the rule
636 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
# The note above means a prohibit rule alone does not stop device-bound IPv4
# senders; that case is left disabled rather than asserted.
640 show_hint "Response generates ICMP (or arp request is ignored) due to ip rule"
641 run_cmd_nsb ping -c1 -w1 ${a}
642 log_test_addr ${a} $? 1 "ping in, blocked by rule"
# Restore the default rule set so later cases are unaffected.
644 [ "$VERBOSE" = "1" ] && echo
645 setup_cmd ip rule del pref 32765 from all lookup local
646 setup_cmd ip rule add pref 0 from all lookup local
647 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
648 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit
651 # route blocks reachability to remote address
654 setup_cmd ip route replace unreachable ${NSB_LO_IP}
655 setup_cmd ip route replace unreachable ${NSB_IP}
658 run_cmd ping -c1 -w1 ${a}
659 log_test_addr ${a} $? 2 "ping out, blocked by route"
661 # NOTE: ipv4 actually allows the lookup to fail and yet still create
662 # a viable rtable if the oif (e.g., bind to device) is set, so this
663 # case succeeds despite not having a route for the address
664 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
668 show_hint "Response is dropped (or arp request is ignored) due to ip route"
669 run_cmd_nsb ping -c1 -w1 ${a}
670 log_test_addr ${a} $? 1 "ping in, blocked by route"
673 # remove 'remote' routes; fallback to default
# With the specific route removed, the unreachable default route applies.
676 setup_cmd ip ro del ${NSB_LO_IP}
679 run_cmd ping -c1 -w1 ${a}
680 log_test_addr ${a} $? 2 "ping out, unreachable default route"
682 # NOTE: ipv4 actually allows the lookup to fail and yet still create
683 # a viable rtable if the oif (e.g., bind to device) is set, so this
684 # case succeeds despite not having a route for the address
685 # run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
# IPv4 ping cases with the ns-A device enslaved to the VRF. Expected statuses
# follow the same scheme: 0 reply, 1 no reply, 2 local send failure.
692 # should default on; does not exist on older kernels
# stderr is discarded so a kernel without this sysctl does not add noise.
693 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
698 for a in ${NSB_IP} ${NSB_LO_IP}
701 run_cmd ping -c1 -w1 -I ${VRF} ${a}
702 log_test_addr ${a} $? 0 "ping out, VRF bind"
705 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
706 log_test_addr ${a} $? 0 "ping out, device bind"
# `ip vrf exec` runs ping in the VRF context while -I selects a source address.
709 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${NSA_IP} ${a}
710 log_test_addr ${a} $? 0 "ping out, vrf device + dev address bind"
713 run_cmd ip vrf exec ${VRF} ping -c1 -w1 -I ${VRF_IP} ${a}
714 log_test_addr ${a} $? 0 "ping out, vrf device + vrf address bind"
# Inbound: ns-B pings the device address and the VRF address of ns-A.
720 for a in ${NSA_IP} ${VRF_IP}
723 run_cmd_nsb ping -c1 -w1 ${a}
724 log_test_addr ${a} $? 0 "ping in"
728 # local traffic, local address
730 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
733 show_hint "Source address should be ${a}"
734 run_cmd ping -c1 -w1 -I ${VRF} ${a}
735 log_test_addr ${a} $? 0 "ping local, VRF bind"
739 # local traffic, socket bound to device
744 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
745 log_test_addr ${a} $? 0 "ping local, device bind"
747 # vrf device is out of scope
748 for a in ${VRF_IP} 127.0.0.1
751 show_hint "Fails since address on vrf device is out of device scope"
752 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
753 log_test_addr ${a} $? 1 "ping local, device bind"
757 # ip rule blocks address
760 setup_cmd ip rule add pref 50 to ${NSB_LO_IP} prohibit
761 setup_cmd ip rule add pref 51 from ${NSB_IP} prohibit
# Unlike the no-VRF run, the device-bound sender is asserted here and is
# expected to be blocked as well (status 2).
764 run_cmd ping -c1 -w1 -I ${VRF} ${a}
765 log_test_addr ${a} $? 2 "ping out, vrf bind, blocked by rule"
768 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
769 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
773 show_hint "Response lost due to ip rule"
774 run_cmd_nsb ping -c1 -w1 ${a}
775 log_test_addr ${a} $? 1 "ping in, blocked by rule"
# Remove the prohibit rules again.
777 [ "$VERBOSE" = "1" ] && echo
778 setup_cmd ip rule del pref 50 to ${NSB_LO_IP} prohibit
779 setup_cmd ip rule del pref 51 from ${NSB_IP} prohibit
782 # remove 'remote' routes; fallback to default
# With the VRF route gone, the VRF table's unreachable default applies.
785 setup_cmd ip ro del vrf ${VRF} ${NSB_LO_IP}
788 run_cmd ping -c1 -w1 -I ${VRF} ${a}
789 log_test_addr ${a} $? 2 "ping out, vrf bind, unreachable route"
792 run_cmd ping -c1 -w1 -I ${NSA_DEV} ${a}
793 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
797 show_hint "Response lost by unreachable route"
798 run_cmd_nsb ping -c1 -w1 ${a}
799 log_test_addr ${a} $? 1 "ping in, unreachable route"
# Driver for the IPv4 ping cases.
804 log_section "IPv4 ping"
806 log_subsection "No VRF"
# raw_l3mdev_accept is set to 0 and then to 1, presumably so the no-VRF cases
# run under both settings (the calls in between are not shown here). Errors
# are discarded, consistent with the sysctl being absent on older kernels.
808 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null
811 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
814 log_subsection "With VRF"
819 ################################################################################
# TCP MD5 signature (RFC 2385) cases with no VRF. The server side (-s)
# installs a key with -M for the peer address or prefix given with -m; the
# client passes its key with -X. Expected status 0 means the connection was
# established, 2 means the client timed out. A key or address mismatch shows
# up as a timeout rather than a refusal (see the hints), consistent with
# segments that fail the MD5 check being dropped without a reply.
823 # MD5 tests without VRF
833 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
835 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
836 log_test $? 0 "MD5: Single address config"
838 # client sends MD5, server not configured
840 show_hint "Should timeout due to MD5 mismatch"
843 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
844 log_test $? 2 "MD5: Server no config, client uses password"
# Right peer address, wrong key: must not connect.
848 show_hint "Should timeout since client uses wrong password"
849 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_IP} &
851 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
852 log_test $? 2 "MD5: Client uses wrong password"
854 # client from different address
# Right key, but configured for a peer address the client does not use: the
# key is bound to the peer, so knowing the password alone is not sufficient.
856 show_hint "Should timeout due to MD5 mismatch"
857 run_cmd nettest -s -M ${MD5_PW} -m ${NSB_LO_IP} &
859 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
860 log_test $? 2 "MD5: Client address does not match address configured with password"
863 # MD5 extension - prefix length
# Here -m is given the prefix ${NS_NET} instead of a single address.
868 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
870 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
871 log_test $? 0 "MD5: Prefix config"
873 # client in prefix, wrong password
875 show_hint "Should timeout since client uses wrong password"
876 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
878 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
879 log_test $? 2 "MD5: Prefix config, client uses wrong password"
881 # client outside of prefix
# The client binds to ${NSB_LO_IP} (-c), which per the test label is outside
# the configured prefix.
883 show_hint "Should timeout due to MD5 mismatch"
884 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} &
886 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
887 log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
# TCP MD5 cases with the server bound to the VRF (-I ${VRF}). Expected status
# 0 = connected, 2 = client timed out, 1 = the server command itself failed.
901 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
903 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
904 log_test $? 0 "MD5: VRF: Single address config"
906 # client sends MD5, server not configured
908 show_hint "Should timeout since server does not have MD5 auth"
909 run_cmd nettest -s -I ${VRF} &
911 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
912 log_test $? 2 "MD5: VRF: Server no config, client uses password"
916 show_hint "Should timeout since client uses wrong password"
917 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
919 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
920 log_test $? 2 "MD5: VRF: Client uses wrong password"
922 # client from different address
924 show_hint "Should timeout since server config differs from client"
925 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP} &
927 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
928 log_test $? 2 "MD5: VRF: Client address does not match address configured with password"
931 # MD5 extension - prefix length
936 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
938 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
939 log_test $? 0 "MD5: VRF: Prefix config"
941 # client in prefix, wrong password
943 show_hint "Should timeout since client uses wrong password"
944 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
946 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
947 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"
949 # client outside of prefix
951 show_hint "Should timeout since client address is outside of prefix"
952 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
954 run_cmd_nsb nettest -c ${NSB_LO_IP} -r ${NSA_IP} -X ${MD5_PW}
955 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"
958 # duplicate config between default VRF and a VRF
# Two servers hold keys for the same peer address: MD5_PW on the VRF-bound
# one, MD5_WRONG_PW on the unbound one. In this group MD5_WRONG_PW therefore
# acts as the default-VRF key. Going by the test labels, ns-B connects through
# the VRF and ns-C through the default VRF. Each connection must be checked
# against the key of its own L3 domain only; the status-2 cases below are the
# ones that catch a key being honoured across that boundary.
962 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
963 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
965 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
966 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"
969 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
970 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
972 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
973 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"
976 show_hint "Should timeout since client in default VRF uses VRF password"
977 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
978 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
980 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
981 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"
984 show_hint "Should timeout since client in VRF uses default VRF password"
985 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP} &
986 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NSB_IP} &
988 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
989 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"
# The same four combinations again with the keys configured per prefix.
992 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
993 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
995 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
996 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"
999 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
1000 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
1002 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
1003 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"
1006 show_hint "Should timeout since client in default VRF uses VRF password"
1007 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
1008 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
1010 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
1011 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"
1014 show_hint "Should timeout since client in VRF uses default VRF password"
1015 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} &
1016 run_cmd nettest -s -M ${MD5_WRONG_PW} -m ${NS_NET} &
1018 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_WRONG_PW}
1019 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"
# Negative setup cases: -I names a plain device rather than a VRF. The server
# runs in the foreground (no '&') and is expected to exit with status 1; no
# client is started.
1025 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP}
1026 log_test $? 1 "MD5: VRF: Device must be a VRF - single address"
1029 run_cmd nettest -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET}
1030 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"
# Further cases that control whether the key itself is bound to an ifindex.
1032 test_ipv4_md5_vrf__vrf_server__no_bind_ifindex
1033 test_ipv4_md5_vrf__global_server__bind_ifindex0
# VRF-bound server with the MD5 key either left unbound or explicitly bound to
# an interface index; both variants are expected to accept the ns-B client.
1036 test_ipv4_md5_vrf__vrf_server__no_bind_ifindex()
# --no-bind-key-ifindex: the key is installed without an ifindex, which the
# hint describes as an application not using TCP_MD5SIG_FLAG_IFINDEX.
1039 show_hint "Simulates applications using VRF without TCP_MD5SIG_FLAG_IFINDEX"
1040 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
1042 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1043 log_test $? 0 "MD5: VRF: VRF-bound server, unbound key accepts connection"
# --force-bind-key-ifindex: socket and key are both bound.
1046 show_hint "Binding both the socket and the key is not required but it works"
1047 run_cmd nettest -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
1049 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1050 log_test $? 0 "MD5: VRF: VRF-bound server, bound key accepts connection"
# Unbound ("global") server whose MD5 key is either forced to ifindex 0 or
# left without an ifindex, tested against a VRF client (ns-B) and a non-VRF
# client (ns-C).
1053 test_ipv4_md5_vrf__global_server__bind_ifindex0()
1055 # This particular test needs tcp_l3mdev_accept=1 for Global server to accept VRF connections
# The previous value is saved here and restored on the last line, so the
# temporary setting does not carry over into later tests.
1056 local old_tcp_l3mdev_accept
1057 old_tcp_l3mdev_accept=$(get_sysctl net.ipv4.tcp_l3mdev_accept)
1058 set_sysctl net.ipv4.tcp_l3mdev_accept=1
# A key forced to ifindex 0 must not authenticate a connection that arrives
# through the VRF, even though the listener itself would accept it.
1061 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
1063 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1064 log_test $? 2 "MD5: VRF: Global server, Key bound to ifindex=0 rejects VRF connection"
1067 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --force-bind-key-ifindex &
1069 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
1070 log_test $? 0 "MD5: VRF: Global server, key bound to ifindex=0 accepts non-VRF connection"
# A key without an ifindex matches peers in any L3 domain: both the VRF and
# the non-VRF client are expected to connect.
1073 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
1075 run_cmd_nsb nettest -r ${NSA_IP} -X ${MD5_PW}
1076 log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts VRF connection"
1079 run_cmd nettest -s -M ${MD5_PW} -m ${NS_NET} --no-bind-key-ifindex &
1081 run_cmd_nsc nettest -r ${NSA_IP} -X ${MD5_PW}
1082 log_test $? 0 "MD5: VRF: Global server, key not bound to ifindex accepts non-VRF connection"
1085 set_sysctl net.ipv4.tcp_l3mdev_accept="$old_tcp_l3mdev_accept"
# TCP cases with no VRF. Servers end in '&' so they run in the background
# while the client connects. Expected status 0 = connected; 1 = the connect
# failed, which the hints describe as 'Connection refused' or 'No route to
# host'.
1095 for a in ${NSA_IP} ${NSA_LO_IP}
1098 run_cmd nettest -s &
1100 run_cmd_nsb nettest -r ${a}
1101 log_test_addr ${a} $? 0 "Global server"
# Server socket bound to the ns-A device.
1106 run_cmd nettest -s -I ${NSA_DEV} &
1108 run_cmd_nsb nettest -r ${a}
1109 log_test_addr ${a} $? 0 "Device server"
1111 # verify TCP reset sent and received
1112 for a in ${NSA_IP} ${NSA_LO_IP}
1115 show_hint "Should fail 'Connection refused' since there is no server"
1116 run_cmd_nsb nettest -r ${a}
1117 log_test_addr ${a} $? 1 "No server"
# Client side: ns-A connects to servers in ns-B.
1123 for a in ${NSB_IP} ${NSB_LO_IP}
1126 run_cmd_nsb nettest -s &
1128 run_cmd nettest -r ${a} -0 ${NSA_IP}
1129 log_test_addr ${a} $? 0 "Client"
1132 run_cmd_nsb nettest -s &
1134 run_cmd nettest -r ${a} -d ${NSA_DEV}
1135 log_test_addr ${a} $? 0 "Client, device bind"
1138 show_hint "Should fail 'Connection refused'"
1139 run_cmd nettest -r ${a}
1140 log_test_addr ${a} $? 1 "No server, unbound client"
1143 show_hint "Should fail 'Connection refused'"
1144 run_cmd nettest -r ${a} -d ${NSA_DEV}
1145 log_test_addr ${a} $? 1 "No server, device client"
1149 # local address tests
1151 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
1154 run_cmd nettest -s &
1156 run_cmd nettest -r ${a} -0 ${a} -1 ${a}
1157 log_test_addr ${a} $? 0 "Global server, local connection"
1162 run_cmd nettest -s -I ${NSA_DEV} &
1164 run_cmd nettest -r ${a} -0 ${a}
1165 log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
# A device-bound listener must not be reachable on addresses that live on the
# loopback device.
1167 for a in ${NSA_LO_IP} 127.0.0.1
1170 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
1171 run_cmd nettest -s -I ${NSA_DEV} &
1173 run_cmd nettest -r ${a}
1174 log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
1179 run_cmd nettest -s &
1181 run_cmd nettest -r ${a} -0 ${a} -d ${NSA_DEV}
1182 log_test_addr ${a} $? 0 "Global server, device client, local connection"
# Likewise a device-bound client must not reach loopback-scoped addresses.
1184 for a in ${NSA_LO_IP} 127.0.0.1
1187 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
1188 run_cmd nettest -s &
1190 run_cmd nettest -r ${a} -d ${NSA_DEV}
1191 log_test_addr ${a} $? 1 "Global server, device client, local connection"
1196 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1198 run_cmd nettest -d ${NSA_DEV} -r ${a} -0 ${a}
1199 log_test_addr ${a} $? 0 "Device server, device client, local connection"
1202 show_hint "Should fail 'Connection refused'"
1203 run_cmd nettest -d ${NSA_DEV} -r ${a}
1204 log_test_addr ${a} $? 1 "No server, device client, local conn"
# TCP cases with the ns-A device in the VRF, run under both settings of
# tcp_l3mdev_accept. Expected status 0 = connected, 1 = connect failed.
1213 # disable global server
1214 log_subsection "Global server disabled"
# With the sysctl at 0, a listener that is not bound to the VRF must not
# receive connections that arrive through it.
1216 set_sysctl net.ipv4.tcp_l3mdev_accept=0
1221 for a in ${NSA_IP} ${VRF_IP}
1224 show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
1225 run_cmd nettest -s &
1227 run_cmd_nsb nettest -r ${a}
1228 log_test_addr ${a} $? 1 "Global server"
# Listeners bound to the VRF or to the enslaved device still accept.
1231 run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1233 run_cmd_nsb nettest -r ${a}
1234 log_test_addr ${a} $? 0 "VRF server"
1237 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1239 run_cmd_nsb nettest -r ${a}
1240 log_test_addr ${a} $? 0 "Device server"
1242 # verify TCP reset received
1244 show_hint "Should fail 'Connection refused' since there is no server"
1245 run_cmd_nsb nettest -r ${a}
1246 log_test_addr ${a} $? 1 "No server"
1249 # local address tests
1250 # (${VRF_IP} and 127.0.0.1 both timeout)
1253 show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
1254 run_cmd nettest -s &
1256 run_cmd nettest -r ${a} -d ${NSA_DEV}
1257 log_test_addr ${a} $? 1 "Global server, local connection"
1265 # enable VRF global server
1267 log_subsection "VRF Global server enabled"
# With the sysctl at 1 the unbound listener accepts VRF traffic.
# NOTE(review): outside a test namespace this setting extends every unbound
# listener to all VRFs, so VRF membership alone no longer limits who can
# connect to it.
1268 set_sysctl net.ipv4.tcp_l3mdev_accept=1
1270 for a in ${NSA_IP} ${VRF_IP}
1273 show_hint "client socket should be bound to VRF"
1274 run_cmd nettest -s -3 ${VRF} &
1276 run_cmd_nsb nettest -r ${a}
1277 log_test_addr ${a} $? 0 "Global server"
1280 show_hint "client socket should be bound to VRF"
1281 run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1283 run_cmd_nsb nettest -r ${a}
1284 log_test_addr ${a} $? 0 "VRF server"
1286 # verify TCP reset received
1288 show_hint "Should fail 'Connection refused'"
1289 run_cmd_nsb nettest -r ${a}
1290 log_test_addr ${a} $? 1 "No server"
1295 show_hint "client socket should be bound to device"
1296 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1298 run_cmd_nsb nettest -r ${a}
1299 log_test_addr ${a} $? 0 "Device server"
1301 # local address tests
1302 for a in ${NSA_IP} ${VRF_IP}
1305 show_hint "Should fail 'Connection refused' since client is not bound to VRF"
1306 run_cmd nettest -s -I ${VRF} &
1308 run_cmd nettest -r ${a}
1309 log_test_addr ${a} $? 1 "Global server, local connection"
# Client side: ns-A connects out through the VRF or the enslaved device.
1315 for a in ${NSB_IP} ${NSB_LO_IP}
1318 run_cmd_nsb nettest -s &
1320 run_cmd nettest -r ${a} -d ${VRF}
1321 log_test_addr ${a} $? 0 "Client, VRF bind"
1324 run_cmd_nsb nettest -s &
1326 run_cmd nettest -r ${a} -d ${NSA_DEV}
1327 log_test_addr ${a} $? 0 "Client, device bind"
1330 show_hint "Should fail 'Connection refused'"
1331 run_cmd nettest -r ${a} -d ${VRF}
1332 log_test_addr ${a} $? 1 "No server, VRF client"
1335 show_hint "Should fail 'Connection refused'"
1336 run_cmd nettest -r ${a} -d ${NSA_DEV}
1337 log_test_addr ${a} $? 1 "No server, device client"
# Local connections inside the VRF.
1340 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
1343 run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1345 run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
1346 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
1351 run_cmd nettest -s -I ${VRF} -3 ${VRF} &
1353 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
1354 log_test_addr ${a} $? 0 "VRF server, device client, local connection"
# An unbound client sits outside the VRF and must not reach the VRF server.
1357 show_hint "Should fail 'No route to host' since client is out of VRF scope"
1358 run_cmd nettest -s -I ${VRF} &
1360 run_cmd nettest -r ${a}
1361 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"
1364 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1366 run_cmd nettest -r ${a} -d ${VRF} -0 ${a}
1367 log_test_addr ${a} $? 0 "Device server, VRF client, local connection"
1370 run_cmd nettest -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1372 run_cmd nettest -r ${a} -d ${NSA_DEV} -0 ${a}
1373 log_test_addr ${a} $? 0 "Device server, device client, local connection"
1378 log_section "IPv4/TCP"
1379 log_subsection "No VRF"
1382 # tcp_l3mdev_accept should have no effect without VRF;
1383 # run tests with it enabled and disabled to verify
1384 log_subsection "tcp_l3mdev_accept disabled"
1385 set_sysctl net.ipv4.tcp_l3mdev_accept=0
1387 log_subsection "tcp_l3mdev_accept enabled"
1388 set_sysctl net.ipv4.tcp_l3mdev_accept=1
1391 log_subsection "With VRF"
1396 ################################################################################
# Datagram cases with no VRF: the same nettest pattern as the TCP cases with
# -D added to every command (presumably UDP, given the udp_l3mdev_accept
# sysctl used in the section that follows). Expected status 0 = exchange
# succeeded; 1 and 2 are the two failure statuses asserted below.
1406 for a in ${NSA_IP} ${NSA_LO_IP}
1409 run_cmd nettest -D -s -3 ${NSA_DEV} &
1411 run_cmd_nsb nettest -D -r ${a}
1412 log_test_addr ${a} $? 0 "Global server"
1415 show_hint "Should fail 'Connection refused' since there is no server"
1416 run_cmd_nsb nettest -D -r ${a}
1417 log_test_addr ${a} $? 1 "No server"
1422 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
1424 run_cmd_nsb nettest -D -r ${a}
1425 log_test_addr ${a} $? 0 "Device server"
# Client side: ns-A sends to servers in ns-B, selecting the egress device in
# three different ways (socket bind, cmsg, IP_UNICAST_IF) per the test labels.
1430 for a in ${NSB_IP} ${NSB_LO_IP}
1433 run_cmd_nsb nettest -D -s &
1435 run_cmd nettest -D -r ${a} -0 ${NSA_IP}
1436 log_test_addr ${a} $? 0 "Client"
1439 run_cmd_nsb nettest -D -s &
1441 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP}
1442 log_test_addr ${a} $? 0 "Client, device bind"
1445 run_cmd_nsb nettest -D -s &
1447 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP}
1448 log_test_addr ${a} $? 0 "Client, device send via cmsg"
1451 run_cmd_nsb nettest -D -s &
1453 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP}
1454 log_test_addr ${a} $? 0 "Client, device bind via IP_UNICAST_IF"
1457 show_hint "Should fail 'Connection refused'"
1458 run_cmd nettest -D -r ${a}
1459 log_test_addr ${a} $? 1 "No server, unbound client"
1462 show_hint "Should fail 'Connection refused'"
1463 run_cmd nettest -D -r ${a} -d ${NSA_DEV}
1464 log_test_addr ${a} $? 1 "No server, device client"
1468 # local address tests
1470 for a in ${NSA_IP} ${NSA_LO_IP} 127.0.0.1
1473 run_cmd nettest -D -s &
1475 run_cmd nettest -D -r ${a} -0 ${a} -1 ${a}
1476 log_test_addr ${a} $? 0 "Global server, local connection"
1481 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1483 run_cmd nettest -D -r ${a}
1484 log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
# A device-bound server must not receive traffic for loopback-scoped addresses.
1486 for a in ${NSA_LO_IP} 127.0.0.1
1489 show_hint "Should fail 'Connection refused' since address is out of device scope"
1490 run_cmd nettest -s -D -I ${NSA_DEV} &
1492 run_cmd nettest -D -r ${a}
1493 log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
1498 run_cmd nettest -s -D &
1500 run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1501 log_test_addr ${a} $? 0 "Global server, device client, local connection"
1504 run_cmd nettest -s -D &
1506 run_cmd nettest -D -d ${NSA_DEV} -C -r ${a}
1507 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"
1510 run_cmd nettest -s -D &
1512 run_cmd nettest -D -d ${NSA_DEV} -S -r ${a}
1513 log_test_addr ${a} $? 0 "Global server, device client via IP_UNICAST_IF, local connection"
1515 # IPv4 with device bind has really weird behavior - it overrides the
1516 # fib lookup, generates an rtable and tries to send the packet. This
1517 # causes failures for local traffic at different places
# That is why the three device-selection methods below are asserted with
# different failure statuses (2 for the socket bind, 1 for cmsg and
# IP_UNICAST_IF).
1518 for a in ${NSA_LO_IP} 127.0.0.1
1521 show_hint "Should fail since addresses on loopback are out of device scope"
1522 run_cmd nettest -D -s &
1524 run_cmd nettest -D -r ${a} -d ${NSA_DEV}
1525 log_test_addr ${a} $? 2 "Global server, device client, local connection"
1528 show_hint "Should fail since addresses on loopback are out of device scope"
1529 run_cmd nettest -D -s &
1531 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -C
1532 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"
1535 show_hint "Should fail since addresses on loopback are out of device scope"
1536 run_cmd nettest -D -s &
1538 run_cmd nettest -D -r ${a} -d ${NSA_DEV} -S
1539 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
1544 run_cmd nettest -D -s -I ${NSA_DEV} -3 ${NSA_DEV} &
1546 run_cmd nettest -D -d ${NSA_DEV} -r ${a} -0 ${a}
1547 log_test_addr ${a} $? 0 "Device server, device client, local conn"
# No server is started for this case; status 2 is the expected result.
1550 run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1551 log_test_addr ${a} $? 2 "No server, device client, local conn"
# Datagram checks with ${VRF} in place. The udp_l3mdev_accept sysctl
# decides whether a server socket that is bound neither to ${VRF} nor to
# the enslaved device (a "global" server) may receive datagrams that
# arrive inside the VRF. Both settings are exercised below.
1558 # disable global server
1559 log_subsection "Global server disabled"
1560 set_sysctl net.ipv4.udp_l3mdev_accept=0
# With the sysctl at 0 the unbound server has to stay unreachable from
# the VRF side (expected status 1); only sockets bound to ${VRF} or to
# ${NSA_DEV} answer. This is the isolation property a service confined
# to one L3 domain depends on.
1565 for a in ${NSA_IP} ${VRF_IP}
1568 show_hint "Fails because ingress is in a VRF and global server is disabled"
1569 run_cmd nettest -D -s &
1571 run_cmd_nsb nettest -D -r ${a}
1572 log_test_addr ${a} $? 1 "Global server"
1575 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
1577 run_cmd_nsb nettest -D -r ${a}
1578 log_test_addr ${a} $? 0 "VRF server"
1581 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
1583 run_cmd_nsb nettest -D -r ${a}
1584 log_test_addr ${a} $? 0 "Enslaved device server"
1587 show_hint "Should fail 'Connection refused' since there is no server"
1588 run_cmd_nsb nettest -D -r ${a}
1589 log_test_addr ${a} $? 1 "No server"
# the same isolation holds for traffic that never leaves the host: a
# client bound to ${VRF} must not reach the unbound server
1592 show_hint "Should fail 'Connection refused' since global server is out of scope"
1593 run_cmd nettest -D -s &
1595 run_cmd nettest -D -d ${VRF} -r ${a}
1596 log_test_addr ${a} $? 1 "Global server, VRF client, local connection"
1601 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1603 run_cmd nettest -D -d ${VRF} -r ${a}
1604 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1607 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1609 run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1610 log_test_addr ${a} $? 0 "VRF server, enslaved device client, local connection"
1614 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1616 run_cmd nettest -D -d ${VRF} -r ${a}
1617 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
1620 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1622 run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1623 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
1625 # enable global server
1626 log_subsection "Global server enabled"
1627 set_sysctl net.ipv4.udp_l3mdev_accept=1
# With the sysctl at 1 the unbound server answers VRF traffic as well
# (expected status 0 for "Global server"). A service that must stay
# inside one L3 domain therefore has to bind to the VRF or device
# explicitly instead of relying on this setting being off.
1632 for a in ${NSA_IP} ${VRF_IP}
1635 run_cmd nettest -D -s -3 ${NSA_DEV} &
1637 run_cmd_nsb nettest -D -r ${a}
1638 log_test_addr ${a} $? 0 "Global server"
1641 run_cmd nettest -D -I ${VRF} -s -3 ${NSA_DEV} &
1643 run_cmd_nsb nettest -D -r ${a}
1644 log_test_addr ${a} $? 0 "VRF server"
1647 run_cmd nettest -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
1649 run_cmd_nsb nettest -D -r ${a}
1650 log_test_addr ${a} $? 0 "Enslaved device server"
1653 show_hint "Should fail 'Connection refused'"
1654 run_cmd_nsb nettest -D -r ${a}
1655 log_test_addr ${a} $? 1 "No server"
# client in ns-A, bound to the VRF or to the enslaved device; these use
# log_test (no address label) because the target is fixed at ${NSB_IP}
1662 run_cmd_nsb nettest -D -s &
1664 run_cmd nettest -d ${VRF} -D -r ${NSB_IP} -1 ${NSA_IP}
1665 log_test $? 0 "VRF client"
1668 run_cmd_nsb nettest -D -s &
1670 run_cmd nettest -d ${NSA_DEV} -D -r ${NSB_IP} -1 ${NSA_IP}
1671 log_test $? 0 "Enslaved device client"
1673 # negative test - should fail
1675 show_hint "Should fail 'Connection refused'"
1676 run_cmd nettest -D -d ${VRF} -r ${NSB_IP}
1677 log_test $? 1 "No server, VRF client"
1680 show_hint "Should fail 'Connection refused'"
1681 run_cmd nettest -D -d ${NSA_DEV} -r ${NSB_IP}
1682 log_test $? 1 "No server, enslaved device client"
1685 # local address tests
# NOTE(review): ${a} is used below without a visible assignment; the
# listing skips lines here (see the gap in the leading line numbers)
1689 run_cmd nettest -D -s -3 ${NSA_DEV} &
1691 run_cmd nettest -D -d ${VRF} -r ${a}
1692 log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
1695 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1697 run_cmd nettest -D -d ${VRF} -r ${a}
1698 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1701 run_cmd nettest -s -D -I ${VRF} -3 ${NSA_DEV} &
1703 run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1704 log_test_addr ${a} $? 0 "VRF server, device client, local conn"
1707 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1709 run_cmd nettest -D -d ${VRF} -r ${a}
1710 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
1713 run_cmd nettest -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
1715 run_cmd nettest -D -d ${NSA_DEV} -r ${a}
1716 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
1718 for a in ${VRF_IP} 127.0.0.1
1721 run_cmd nettest -D -s -3 ${VRF} &
1723 run_cmd nettest -D -d ${VRF} -r ${a}
1724 log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
1727 for a in ${VRF_IP} 127.0.0.1
1730 run_cmd nettest -s -D -I ${VRF} -3 ${VRF} &
1732 run_cmd nettest -D -d ${VRF} -r ${a}
1733 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
1736 # negative test - should fail
1737 # verifies ECONNREFUSED
1738 for a in ${NSA_IP} ${VRF_IP} 127.0.0.1
1741 show_hint "Should fail 'Connection refused'"
1742 run_cmd nettest -D -d ${VRF} -r ${a}
1743 log_test_addr ${a} $? 1 "No server, VRF client, local conn"
# Banners and sysctl settings for the IPv4/UDP group. The calls that run
# the tests under each banner are not among the visible lines.
1749 log_section "IPv4/UDP"
1750 log_subsection "No VRF"
1754 # udp_l3mdev_accept should have no effect without VRF;
1755 # run tests with it enabled and disabled to verify
1756 log_subsection "udp_l3mdev_accept disabled"
1757 set_sysctl net.ipv4.udp_l3mdev_accept=0
1759 log_subsection "udp_l3mdev_accept enabled"
1760 set_sysctl net.ipv4.udp_l3mdev_accept=1
1763 log_subsection "With VRF"
1768 ################################################################################
1771 # verifies ability or inability to bind to an address / device
# Bind-only checks without a VRF: each nettest call tries to bind a raw
# (-R -P icmp) or TCP socket to a local address, optionally after a
# device bind, and the exit status is compared with the expected value.
# NOTE(review): -b presumably stops after the bind and -f presumably
# enables binding to an address the host does not own (the labels call
# it "nonlocal"); confirm against nettest's usage text.
1773 ipv4_addr_bind_novrf()
1778 for a in ${NSA_IP} ${NSA_LO_IP}
1781 run_cmd nettest -s -R -P icmp -l ${a} -b
1782 log_test_addr ${a} $? 0 "Raw socket bind to local address"
1785 run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
1786 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
1790 # raw socket with nonlocal bind
1794 run_cmd nettest -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
1795 log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after device bind"
1802 run_cmd nettest -c ${a} -r ${NSB_IP} -t1 -b
1803 log_test_addr ${a} $? 0 "TCP socket bind to local address"
1806 run_cmd nettest -c ${a} -r ${NSB_IP} -d ${NSA_DEV} -t1 -b
1807 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
1809 # Sadly, the kernel allows binding a socket to a device and then
1810 # binding to an address not on the device. The only restriction
1811 # is that the address is valid in the L3 domain. So this test
1812 # passes when it really should not
# The disabled test below records a known gap, not a verified guarantee:
# per the comment above, a device bind does not limit which addresses of
# the same L3 domain the socket may bind to, so a device bind on its own
# should not be treated as an address filter.
1815 #show_hint "Should fail with 'Cannot assign requested address'"
1816 #run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
1817 #log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
# Bind-only checks with ${VRF} present. The expected statuses encode the
# scoping rule under test: an address that belongs to the VRF can be
# bound only by a socket that is itself bound to ${VRF} or to the
# enslaved device, and an address on loopback is out of scope for both.
1820 ipv4_addr_bind_vrf()
1825 for a in ${NSA_IP} ${VRF_IP}
# unbound raw socket: the bind is required to fail (status 1)
1828 show_hint "Socket not bound to VRF, but address is in VRF"
1829 run_cmd nettest -s -R -P icmp -l ${a} -b
1830 log_test_addr ${a} $? 1 "Raw socket bind to local address"
1833 run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
1834 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
1836 run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
1837 log_test_addr ${a} $? 0 "Raw socket bind to local address after VRF bind"
# NOTE(review): the value of ${a} for the next check is set on a line
# that is not visible; the hint says it is an address on loopback
1842 show_hint "Address on loopback is out of VRF scope"
1843 run_cmd nettest -s -R -P icmp -l ${a} -I ${VRF} -b
1844 log_test_addr ${a} $? 1 "Raw socket bind to out of scope address after VRF bind"
1847 # raw socket with nonlocal bind
# with -f the bind to a nonlocal address is expected to succeed even
# though the socket is bound to ${VRF}
1851 run_cmd nettest -s -R -P icmp -f -l ${a} -I ${VRF} -b
1852 log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"
1857 for a in ${NSA_IP} ${VRF_IP}
1860 run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
1861 log_test_addr ${a} $? 0 "TCP socket bind to local address"
1864 run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
1865 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
# TCP counterpart of the out-of-scope check: both the VRF-bound and the
# device-bound socket must be refused the loopback-hosted address
1870 show_hint "Address on loopback out of scope for VRF"
1871 run_cmd nettest -s -l ${a} -I ${VRF} -t1 -b
1872 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"
1875 show_hint "Address on loopback out of scope for device in VRF"
1876 run_cmd nettest -s -l ${a} -I ${NSA_DEV} -t1 -b
1877 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
# Banners for the address-bind group; the no-VRF checks run first. The
# call that runs the checks under "With VRF" is not among the visible
# lines.
1882 log_section "IPv4 address binds"
1884 log_subsection "No VRF"
1886 ipv4_addr_bind_novrf
1888 log_subsection "With VRF"
1893 ################################################################################
1894 # IPv4 runtime tests
# Run-time checks: a server and a client are both left running in the
# background, then ${VRF} is deleted underneath them.
# Every log_test_addr call below passes the literal 0 as both the
# observed and the expected status, so each entry is always logged as
# OK; nothing here inspects the exit status of nettest or of
# `ip link del`. NOTE(review): the pass criterion is presumably that the
# delete returns and the kernel stays healthy - confirm where that is
# checked.
1900 local with_vrf="yes"
1906 for a in ${NSA_IP} ${VRF_IP}
1909 run_cmd nettest ${varg} -s &
1911 run_cmd_nsb nettest ${varg} -r ${a} &
1913 run_cmd ip link del ${VRF}
1915 log_test_addr ${a} 0 0 "${desc}, global server"
1920 for a in ${NSA_IP} ${VRF_IP}
1923 run_cmd nettest ${varg} -s -I ${VRF} &
1925 run_cmd_nsb nettest ${varg} -r ${a} &
1927 run_cmd ip link del ${VRF}
1929 log_test_addr ${a} 0 0 "${desc}, VRF server"
1936 run_cmd nettest ${varg} -s -I ${NSA_DEV} &
1938 run_cmd_nsb nettest ${varg} -r ${a} &
1940 run_cmd ip link del ${VRF}
1942 log_test_addr ${a} 0 0 "${desc}, enslaved device server"
# NOTE(review): the two client checks connect to ${NSB_IP} but label the
# result with ${a}; unless a is reassigned on a line that is not
# visible, the label is left over from the preceding check
1950 run_cmd_nsb nettest ${varg} -s &
1952 run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP} &
1954 run_cmd ip link del ${VRF}
1956 log_test_addr ${a} 0 0 "${desc}, VRF client"
1961 run_cmd_nsb nettest ${varg} -s &
1963 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP} &
1965 run_cmd ip link del ${VRF}
1967 log_test_addr ${a} 0 0 "${desc}, enslaved device client"
1972 # local address tests
1974 for a in ${NSA_IP} ${VRF_IP}
1977 run_cmd nettest ${varg} -s &
1979 run_cmd nettest ${varg} -d ${VRF} -r ${a} &
1981 run_cmd ip link del ${VRF}
1983 log_test_addr ${a} 0 0 "${desc}, global server, VRF client, local"
1988 for a in ${NSA_IP} ${VRF_IP}
1991 run_cmd nettest ${varg} -I ${VRF} -s &
1993 run_cmd nettest ${varg} -d ${VRF} -r ${a} &
1995 run_cmd ip link del ${VRF}
1997 log_test_addr ${a} 0 0 "${desc}, VRF server and client, local"
2005 run_cmd nettest ${varg} -s &
2007 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
2009 run_cmd ip link del ${VRF}
2011 log_test_addr ${a} 0 0 "${desc}, global server, enslaved device client, local"
2016 run_cmd nettest ${varg} -I ${VRF} -s &
2018 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
2020 run_cmd ip link del ${VRF}
2022 log_test_addr ${a} 0 0 "${desc}, VRF server, enslaved device client, local"
2027 run_cmd nettest ${varg} -I ${NSA_DEV} -s &
2029 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
2031 run_cmd ip link del ${VRF}
2033 log_test_addr ${a} 0 0 "${desc}, enslaved device server and client, local"
# Same device-delete check with a flood ping (ping -f) as the active
# traffic, once inbound through run_cmd_nsb and once outbound bound to
# ${VRF}. As with the socket variant, both status arguments passed to
# log_test_addr are the literal 0, so the logged result does not depend
# on any command's exit status.
2038 local with_vrf="yes"
2041 for a in ${NSA_IP} ${VRF_IP}
2044 run_cmd_nsb ping -f ${a} &
2046 run_cmd ip link del ${VRF}
2048 log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"
2055 run_cmd ping -f -I ${VRF} ${a} &
2057 run_cmd ip link del ${VRF}
2059 log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
# Driver for the IPv4 run-time group. ipv4_rt is called with a label and
# a string of nettest options; NOTE(review): these presumably arrive in
# the checks as ${desc} and ${varg} - the assignment is not visible.
2064 log_section "Run time tests - ipv4"
2070 ipv4_rt "TCP active socket" "-n -1"
2073 ipv4_rt "TCP passive socket" "-i"
2076 ################################################################################
# IPv6 ping checks in which no ${VRF} device appears: outbound, inbound
# and local pings, followed by negative tests in which policy rules or
# unreachable routes have to block the traffic.
2083 # should not have an impact, but make a known state
# NOTE(review): stderr is discarded, so a failed write of this sysctl is
# silent; presumably that is deliberate for kernels that lack the knob
2084 set_sysctl net.ipv4.raw_l3mdev_accept=0 2>/dev/null
2089 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2092 run_cmd ${ping6} -c1 -w1 ${a}
2093 log_test_addr ${a} $? 0 "ping out"
2096 for a in ${NSB_IP6} ${NSB_LO_IP6}
2099 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2100 log_test_addr ${a} $? 0 "ping out, device bind"
2103 run_cmd ${ping6} -c1 -w1 -I ${NSA_LO_IP6} ${a}
2104 log_test_addr ${a} $? 0 "ping out, loopback address bind"
2110 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
2113 run_cmd_nsb ${ping6} -c1 -w1 ${a}
2114 log_test_addr ${a} $? 0 "ping in"
2118 # local traffic, local address
2120 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1 ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2123 run_cmd ${ping6} -c1 -w1 ${a}
2124 log_test_addr ${a} $? 0 "ping local, no bind"
2127 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2130 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2131 log_test_addr ${a} $? 0 "ping local, device bind"
2134 for a in ${NSA_LO_IP6} ::1
2137 show_hint "Fails since address on loopback is out of device scope"
2138 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2139 log_test_addr ${a} $? 2 "ping local, device bind"
2143 # ip rule blocks address
# The local-table rule is re-added at pref 32765 and removed from pref 0
# so that the prohibit rules at pref 50 and 51 are consulted before it;
# the four commands after the checks put the original order back.
2146 setup_cmd ip -6 rule add pref 32765 from all lookup local
2147 setup_cmd ip -6 rule del pref 0 from all lookup local
2148 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
2149 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit
# outbound pings are expected to exit with 2 while the rules are in
# place; the inbound ping exits with 1 because, per the hint, the reply
# is what gets dropped
2152 run_cmd ${ping6} -c1 -w1 ${a}
2153 log_test_addr ${a} $? 2 "ping out, blocked by rule"
2156 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2157 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
2161 show_hint "Response lost due to ip rule"
2162 run_cmd_nsb ${ping6} -c1 -w1 ${a}
2163 log_test_addr ${a} $? 1 "ping in, blocked by rule"
2165 setup_cmd ip -6 rule add pref 0 from all lookup local
2166 setup_cmd ip -6 rule del pref 32765 from all lookup local
2167 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
2168 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit
2171 # route blocks reachability to remote address
2174 setup_cmd ip -6 route del ${NSB_LO_IP6}
2175 setup_cmd ip -6 route add unreachable ${NSB_LO_IP6} metric 10
2176 setup_cmd ip -6 route add unreachable ${NSB_IP6} metric 10
2179 run_cmd ${ping6} -c1 -w1 ${a}
2180 log_test_addr ${a} $? 2 "ping out, blocked by route"
2183 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2184 log_test_addr ${a} $? 2 "ping out, device bind, blocked by route"
2188 show_hint "Response lost due to ip route"
2189 run_cmd_nsb ${ping6} -c1 -w1 ${a}
2190 log_test_addr ${a} $? 1 "ping in, blocked by route"
2194 # remove 'remote' routes; fallback to default
2197 setup_cmd ip -6 ro del unreachable ${NSB_LO_IP6}
2198 setup_cmd ip -6 ro del unreachable ${NSB_IP6}
2201 run_cmd ${ping6} -c1 -w1 ${a}
2202 log_test_addr ${a} $? 2 "ping out, unreachable route"
2205 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2206 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
# IPv6 ping checks with ${VRF} in place: pings bound to the VRF or to
# the enslaved device, inbound pings, local pings, a link-local to
# global-address case, and negative tests using rules and routes.
2213 # should default on; does not exist on older kernels
2214 set_sysctl net.ipv4.raw_l3mdev_accept=1 2>/dev/null
2219 for a in ${NSB_IP6} ${NSB_LO_IP6}
2222 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
2223 log_test_addr ${a} $? 0 "ping out, VRF bind"
2226 for a in ${NSB_LINKIP6}%${VRF} ${MCAST}%${VRF}
2229 show_hint "Fails since VRF device does not support linklocal or multicast"
2230 run_cmd ${ping6} -c1 -w1 ${a}
2231 log_test_addr ${a} $? 1 "ping out, VRF bind"
2234 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2237 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2238 log_test_addr ${a} $? 0 "ping out, device bind"
2241 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2244 run_cmd ip vrf exec ${VRF} ${ping6} -c1 -w1 -I ${VRF_IP6} ${a}
2245 log_test_addr ${a} $? 0 "ping out, vrf device+address bind"
2251 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV} ${MCAST}%${NSB_DEV}
2254 run_cmd_nsb ${ping6} -c1 -w1 ${a}
2255 log_test_addr ${a} $? 0 "ping in"
# isolation check: an address hosted on ns-A's loopback must not answer
# a ping that arrives inside the VRF (expected status 1)
2260 show_hint "Fails since loopback address is out of VRF scope"
2261 run_cmd_nsb ${ping6} -c1 -w1 ${a}
2262 log_test_addr ${a} $? 1 "ping in"
2265 # local traffic, local address
2267 for a in ${NSA_IP6} ${VRF_IP6} ::1
2270 show_hint "Source address should be ${a}"
2271 run_cmd ${ping6} -c1 -w1 -I ${VRF} ${a}
2272 log_test_addr ${a} $? 0 "ping local, VRF bind"
2275 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
2278 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2279 log_test_addr ${a} $? 0 "ping local, device bind"
2282 # LLA to GUA - remove ipv6 global addresses from ns-B
2283 setup_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
2284 setup_cmd_nsb ip -6 addr del ${NSB_LO_IP6}/128 dev lo
2285 setup_cmd_nsb ip -6 ro add ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
# NOTE(review): the loop variable only feeds the label; the command
# pings ${NSA_IP6} on every pass, so ${VRF_IP6} is not exercised by this
# check as written - confirm whether ${a} was intended
2287 for a in ${NSA_IP6} ${VRF_IP6}
2290 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
2291 log_test_addr ${a} $? 0 "ping in, LLA to GUA"
# undo the three ns-B changes made for the LLA to GUA case
2294 setup_cmd_nsb ip -6 ro del ${NSA_IP6}/128 via ${NSA_LINKIP6} dev ${NSB_DEV}
2295 setup_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV}
2296 setup_cmd_nsb ip -6 addr add ${NSB_LO_IP6}/128 dev lo
2299 # ip rule blocks address
2302 setup_cmd ip -6 rule add pref 50 to ${NSB_LO_IP6} prohibit
2303 setup_cmd ip -6 rule add pref 51 from ${NSB_IP6} prohibit
2306 run_cmd ${ping6} -c1 -w1 ${a}
2307 log_test_addr ${a} $? 2 "ping out, blocked by rule"
2310 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2311 log_test_addr ${a} $? 2 "ping out, device bind, blocked by rule"
2315 show_hint "Response lost due to ip rule"
2316 run_cmd_nsb ${ping6} -c1 -w1 ${a}
2317 log_test_addr ${a} $? 1 "ping in, blocked by rule"
2320 setup_cmd ip -6 rule del pref 50 to ${NSB_LO_IP6} prohibit
2321 setup_cmd ip -6 rule del pref 51 from ${NSB_IP6} prohibit
2324 # remove 'remote' routes; fallback to default
2327 setup_cmd ip -6 ro del ${NSB_LO_IP6} vrf ${VRF}
2330 run_cmd ${ping6} -c1 -w1 ${a}
2331 log_test_addr ${a} $? 2 "ping out, unreachable route"
2334 run_cmd ${ping6} -c1 -w1 -I ${NSA_DEV} ${a}
2335 log_test_addr ${a} $? 2 "ping out, device bind, unreachable route"
# NOTE(review): this route delete calls ip directly rather than going
# through setup_cmd_nsb like the other ns-B changes in this run, so it
# bypasses whatever that helper does with the command and its result
2337 ip -netns ${NSB} -6 ro del ${NSA_LO_IP6}
2340 run_cmd_nsb ${ping6} -c1 -w1 ${a}
2341 log_test_addr ${a} $? 2 "ping in, unreachable route"
# Banners for the IPv6 ping group; the calls that run the checks under
# each banner are not among the visible lines.
2346 log_section "IPv6 ping"
2348 log_subsection "No VRF"
2352 log_subsection "With VRF"
2357 ################################################################################
2361 # MD5 tests without VRF
# TCP MD5 signature checks over IPv6 without a VRF. The server is given
# a password (-M) together with the peer address or prefix it applies to
# (-m); the client supplies its password with -X.
# Expected status 0 means the connection was authenticated. Expected
# status 2 goes with the "Should timeout" hints: a connection attempt
# whose signature is missing, wrong or sent from an address outside the
# configured peer is expected to go unanswered rather than be refused.
# NOTE(review): flag meanings are read off the test labels and hints;
# confirm against nettest's usage text. ${MD5_PW} and ${MD5_WRONG_PW}
# are test fixtures passed on the command line, which is fine here but
# leaves them visible in process listings.
2363 ipv6_tcp_md5_novrf()
2371 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
2373 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2374 log_test $? 0 "MD5: Single address config"
2376 # client sends MD5, server not configured
2378 show_hint "Should timeout due to MD5 mismatch"
2379 run_cmd nettest -6 -s &
2381 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2382 log_test $? 2 "MD5: Server no config, client uses password"
2386 show_hint "Should timeout since client uses wrong password"
2387 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_IP6} &
2389 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2390 log_test $? 2 "MD5: Client uses wrong password"
2392 # client from different address
# the key is tied to the peer address: the right password sent from an
# address other than the configured ${NSB_LO_IP6} must not authenticate
2394 show_hint "Should timeout due to MD5 mismatch"
2395 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NSB_LO_IP6} &
2397 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2398 log_test $? 2 "MD5: Client address does not match address configured with password"
2401 # MD5 extension - prefix length
# same three cases with the key attached to the prefix ${NS_NET6}
# instead of a single peer address
2406 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2408 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2409 log_test $? 0 "MD5: Prefix config"
2411 # client in prefix, wrong password
2413 show_hint "Should timeout since client uses wrong password"
2414 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2416 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2417 log_test $? 2 "MD5: Prefix config, client uses wrong password"
2419 # client outside of prefix
# -c makes the client use ${NSB_LO_IP6} as its source, which per the
# test label lies outside the configured prefix
2421 show_hint "Should timeout due to MD5 mismatch"
2422 run_cmd nettest -6 -s -M ${MD5_PW} -m ${NS_NET6} &
2424 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
2425 log_test $? 2 "MD5: Prefix config, client address not in configured prefix"
# TCP MD5 signature checks over IPv6 with ${VRF} in place. Beyond the
# single-address and prefix cases, this run checks that a key is scoped
# to the L3 domain it was configured in: the same peer is given one
# password inside ${VRF} and a different one in the default VRF, and a
# connection must authenticate only with the key of the domain it
# arrives in. Expected status 2 goes with the "Should timeout" hints.
# NOTE(review): run_cmd_nsc presumably runs the client in ns-C; the
# labels describe those connections as arriving in the default VRF.
2429 # MD5 tests with VRF
2439 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2441 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2442 log_test $? 0 "MD5: VRF: Single address config"
2444 # client sends MD5, server not configured
2446 show_hint "Should timeout since server does not have MD5 auth"
2447 run_cmd nettest -6 -s -I ${VRF} &
2449 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2450 log_test $? 2 "MD5: VRF: Server no config, client uses password"
2454 show_hint "Should timeout since client uses wrong password"
2455 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2457 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2458 log_test $? 2 "MD5: VRF: Client uses wrong password"
2460 # client from different address
2462 show_hint "Should timeout since server config differs from client"
2463 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_LO_IP6} &
2465 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2466 log_test $? 2 "MD5: VRF: Client address does not match address configured with password"
2469 # MD5 extension - prefix length
2474 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2476 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2477 log_test $? 0 "MD5: VRF: Prefix config"
2479 # client in prefix, wrong password
2481 show_hint "Should timeout since client uses wrong password"
2482 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2484 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2485 log_test $? 2 "MD5: VRF: Prefix config, client uses wrong password"
2487 # client outside of prefix
2489 show_hint "Should timeout since client address is outside of prefix"
2490 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2492 run_cmd_nsb nettest -6 -c ${NSB_LO_IP6} -r ${NSA_IP6} -X ${MD5_PW}
2493 log_test $? 2 "MD5: VRF: Prefix config, client address not in configured prefix"
2496 # duplicate config between default VRF and a VRF
# Two servers run side by side: one bound to ${VRF} using ${MD5_PW}, one
# unbound using ${MD5_WRONG_PW}. In this part ${MD5_WRONG_PW} is the
# valid key of the default VRF, not a wrong password, so the two
# positive cases each present the key of their own domain and the two
# negative cases present the key of the other domain.
2500 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2501 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2503 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2504 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF"
2507 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2508 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2510 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2511 log_test $? 0 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF"
2514 show_hint "Should timeout since client in default VRF uses VRF password"
2515 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2516 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2518 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2519 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in default VRF with VRF pw"
2522 show_hint "Should timeout since client in VRF uses default VRF password"
2523 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NSB_IP6} &
2524 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NSB_IP6} &
2526 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2527 log_test $? 2 "MD5: VRF: Single address config in default VRF and VRF, conn in VRF with default VRF pw"
# the same four cross-domain cases with the keys attached to ${NS_NET6}
2530 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2531 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2533 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2534 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF"
2537 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2538 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2540 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2541 log_test $? 0 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF"
2544 show_hint "Should timeout since client in default VRF uses VRF password"
2545 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2546 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2548 run_cmd_nsc nettest -6 -r ${NSA_IP6} -X ${MD5_PW}
2549 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in default VRF with VRF pw"
2552 show_hint "Should timeout since client in VRF uses default VRF password"
2553 run_cmd nettest -6 -s -I ${VRF} -M ${MD5_PW} -m ${NS_NET6} &
2554 run_cmd nettest -6 -s -M ${MD5_WRONG_PW} -m ${NS_NET6} &
2556 run_cmd_nsb nettest -6 -r ${NSA_IP6} -X ${MD5_WRONG_PW}
2557 log_test $? 2 "MD5: VRF: Prefix config in default VRF and VRF, conn in VRF with default VRF pw"
# configuration check, run in the foreground: attaching a key through a
# device that is not a VRF (${NSA_DEV}) has to be rejected, so the
# server invocation itself is expected to exit with 1
2563 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NSB_IP6}
2564 log_test $? 1 "MD5: VRF: Device must be a VRF - single address"
2567 run_cmd nettest -6 -s -I ${NSA_DEV} -M ${MD5_PW} -m ${NS_NET6}
2568 log_test $? 1 "MD5: VRF: Device must be a VRF - prefix"
# IPv6 stream checks (nettest -6 without -D) in which no ${VRF} device
# appears: server reached from the other namespace, client connecting
# out, then local connections. Expected status 1 goes with the
# 'Connection refused' hints.
2579 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2582 run_cmd nettest -6 -s &
2584 run_cmd_nsb nettest -6 -r ${a}
2585 log_test_addr ${a} $? 0 "Global server"
2588 # verify TCP reset received
2589 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2592 show_hint "Should fail 'Connection refused'"
2593 run_cmd_nsb nettest -6 -r ${a}
2594 log_test_addr ${a} $? 1 "No server"
2600 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2603 run_cmd_nsb nettest -6 -s &
2605 run_cmd nettest -6 -r ${a}
2606 log_test_addr ${a} $? 0 "Client"
2609 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2612 run_cmd_nsb nettest -6 -s &
2614 run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2615 log_test_addr ${a} $? 0 "Client, device bind"
2618 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2621 show_hint "Should fail 'Connection refused'"
2622 run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2623 log_test_addr ${a} $? 1 "No server, device client"
2627 # local address tests
2629 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
2632 run_cmd nettest -6 -s &
2634 run_cmd nettest -6 -r ${a}
2635 log_test_addr ${a} $? 0 "Global server, local connection"
2640 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2642 run_cmd nettest -6 -r ${a} -0 ${a}
2643 log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
# negative tests: a device bind on either side must keep a
# loopback-hosted address out of reach
2645 for a in ${NSA_LO_IP6} ::1
2648 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
2649 run_cmd nettest -6 -s -I ${NSA_DEV} &
2651 run_cmd nettest -6 -r ${a}
2652 log_test_addr ${a} $? 1 "Device server, unbound client, local connection"
2657 run_cmd nettest -6 -s &
2659 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
2660 log_test_addr ${a} $? 0 "Global server, device client, local connection"
2662 for a in ${NSA_LO_IP6} ::1
2665 show_hint "Should fail 'Connection refused' since addresses on loopback are out of device scope"
2666 run_cmd nettest -6 -s &
2668 run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2669 log_test_addr ${a} $? 1 "Global server, device client, local connection"
2672 for a in ${NSA_IP6} ${NSA_LINKIP6}
2675 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2677 run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
2678 log_test_addr ${a} $? 0 "Device server, device client, local conn"
2681 for a in ${NSA_IP6} ${NSA_LINKIP6}
2684 show_hint "Should fail 'Connection refused'"
2685 run_cmd nettest -6 -d ${NSA_DEV} -r ${a}
2686 log_test_addr ${a} $? 1 "No server, device client, local conn"
# IPv6 stream checks with ${VRF} in place. The tcp_l3mdev_accept sysctl
# (set under net.ipv4 even though these sockets use -6) decides whether
# a server socket that is not bound to the VRF may accept connections
# arriving inside it. Both settings are exercised below.
2696 # disable global server
2697 log_subsection "Global server disabled"
2699 set_sysctl net.ipv4.tcp_l3mdev_accept=0
# With the sysctl at 0 the unbound server must refuse VRF traffic
# (expected status 1); servers bound to ${VRF} or ${NSA_DEV} accept it.
2704 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2707 show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
2708 run_cmd nettest -6 -s &
2710 run_cmd_nsb nettest -6 -r ${a}
2711 log_test_addr ${a} $? 1 "Global server"
2714 for a in ${NSA_IP6} ${VRF_IP6}
2717 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
2719 run_cmd_nsb nettest -6 -r ${a}
2720 log_test_addr ${a} $? 0 "VRF server"
2723 # link local is always bound to ingress device
2724 a=${NSA_LINKIP6}%${NSB_DEV}
2726 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} &
2728 run_cmd_nsb nettest -6 -r ${a}
2729 log_test_addr ${a} $? 0 "VRF server"
2731 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2734 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2736 run_cmd_nsb nettest -6 -r ${a}
2737 log_test_addr ${a} $? 0 "Device server"
2740 # verify TCP reset received
2741 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2744 show_hint "Should fail 'Connection refused'"
2745 run_cmd_nsb nettest -6 -r ${a}
2746 log_test_addr ${a} $? 1 "No server"
2749 # local address tests
# NOTE(review): the assignment of ${a} for this check is not visible
2752 show_hint "Should fail 'Connection refused' since global server with VRF is disabled"
2753 run_cmd nettest -6 -s &
2755 run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2756 log_test_addr ${a} $? 1 "Global server, local connection"
2764 # enable VRF global server
2766 log_subsection "VRF Global server enabled"
2767 set_sysctl net.ipv4.tcp_l3mdev_accept=1
# With the sysctl at 1 the unbound server accepts VRF traffic (expected
# status 0 for "Global server"). A listener that must stay inside one L3
# domain therefore has to bind to the VRF or device explicitly instead
# of relying on this setting being off.
2769 for a in ${NSA_IP6} ${VRF_IP6}
2772 run_cmd nettest -6 -s -3 ${VRF} &
2774 run_cmd_nsb nettest -6 -r ${a}
2775 log_test_addr ${a} $? 0 "Global server"
2778 for a in ${NSA_IP6} ${VRF_IP6}
2781 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
2783 run_cmd_nsb nettest -6 -r ${a}
2784 log_test_addr ${a} $? 0 "VRF server"
2787 # For LLA, child socket is bound to device
2788 a=${NSA_LINKIP6}%${NSB_DEV}
2790 run_cmd nettest -6 -s -3 ${NSA_DEV} &
2792 run_cmd_nsb nettest -6 -r ${a}
2793 log_test_addr ${a} $? 0 "Global server"
2796 run_cmd nettest -6 -s -I ${VRF} -3 ${NSA_DEV} &
2798 run_cmd_nsb nettest -6 -r ${a}
2799 log_test_addr ${a} $? 0 "VRF server"
2801 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2804 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2806 run_cmd_nsb nettest -6 -r ${a}
2807 log_test_addr ${a} $? 0 "Device server"
2810 # verify TCP reset received
2811 for a in ${NSA_IP6} ${VRF_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2814 show_hint "Should fail 'Connection refused'"
2815 run_cmd_nsb nettest -6 -r ${a}
2816 log_test_addr ${a} $? 1 "No server"
2819 # local address tests
# NOTE(review): the server in this check is bound to ${VRF} (-I), yet
# the result is labelled "Global server"; the hint describes the case
# actually run (an unbound client cannot reach a VRF-bound server)
2820 for a in ${NSA_IP6} ${VRF_IP6}
2823 show_hint "Fails 'Connection refused' since client is not in VRF"
2824 run_cmd nettest -6 -s -I ${VRF} &
2826 run_cmd nettest -6 -r ${a}
2827 log_test_addr ${a} $? 1 "Global server, local connection"
2834 for a in ${NSB_IP6} ${NSB_LO_IP6}
2837 run_cmd_nsb nettest -6 -s &
2839 run_cmd nettest -6 -r ${a} -d ${VRF}
2840 log_test_addr ${a} $? 0 "Client, VRF bind"
# NOTE(review): ${a} is reassigned on a line that is not visible; the
# hint says the target is a link-local address
2845 show_hint "Fails since VRF device does not allow linklocal addresses"
2846 run_cmd_nsb nettest -6 -s &
2848 run_cmd nettest -6 -r ${a} -d ${VRF}
2849 log_test_addr ${a} $? 1 "Client, VRF bind"
2851 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}
2854 run_cmd_nsb nettest -6 -s &
2856 run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2857 log_test_addr ${a} $? 0 "Client, device bind"
2860 for a in ${NSB_IP6} ${NSB_LO_IP6}
2863 show_hint "Should fail 'Connection refused'"
2864 run_cmd nettest -6 -r ${a} -d ${VRF}
2865 log_test_addr ${a} $? 1 "No server, VRF client"
2868 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}
2871 show_hint "Should fail 'Connection refused'"
2872 run_cmd nettest -6 -r ${a} -d ${NSA_DEV}
2873 log_test_addr ${a} $? 1 "No server, device client"
2876 for a in ${NSA_IP6} ${VRF_IP6} ::1
2879 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
2881 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
2882 log_test_addr ${a} $? 0 "VRF server, VRF client, local connection"
2887 run_cmd nettest -6 -s -I ${VRF} -3 ${VRF} &
2889 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
2890 log_test_addr ${a} $? 0 "VRF server, device client, local connection"
# isolation check: a client with no VRF or device bind must not reach a
# server that is bound to ${VRF}
2894 show_hint "Should fail since unbound client is out of VRF scope"
2895 run_cmd nettest -6 -s -I ${VRF} &
2897 run_cmd nettest -6 -r ${a}
2898 log_test_addr ${a} $? 1 "VRF server, unbound client, local connection"
2901 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2903 run_cmd nettest -6 -r ${a} -d ${VRF} -0 ${a}
2904 log_test_addr ${a} $? 0 "Device server, VRF client, local connection"
2906 for a in ${NSA_IP6} ${NSA_LINKIP6}
2909 run_cmd nettest -6 -s -I ${NSA_DEV} -3 ${NSA_DEV} &
2911 run_cmd nettest -6 -r ${a} -d ${NSA_DEV} -0 ${a}
2912 log_test_addr ${a} $? 0 "Device server, device client, local connection"
# Driver for the IPv6/TCP groups: logs the section, then sets
# tcp_l3mdev_accept to 0 and to 1 around the no-VRF runs before the VRF runs.
# The calls that start the test groups are presumably on lines not shown here.
2918 log_section "IPv6/TCP"
2919 log_subsection "No VRF"
2922 # tcp_l3mdev_accept should have no effect without VRF;
2923 # run tests with it enabled and disabled to verify
2924 log_subsection "tcp_l3mdev_accept disabled"
# The knob sits under net.ipv4 even though this section exercises -6 sockets.
2925 set_sysctl net.ipv4.tcp_l3mdev_accept=0
2927 log_subsection "tcp_l3mdev_accept enabled"
# NOTE(review): set_sysctl is defined elsewhere; which namespace it writes to
# and whether the previous value is restored is not visible here - confirm.
2928 set_sysctl net.ipv4.tcp_l3mdev_accept=1
2931 log_subsection "With VRF"
2936 ################################################################################
2946 for a in ${NSA_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2949 run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
2951 run_cmd_nsb nettest -6 -D -r ${a}
2952 log_test_addr ${a} $? 0 "Global server"
2955 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
2957 run_cmd_nsb nettest -6 -D -r ${a}
2958 log_test_addr ${a} $? 0 "Device server"
2963 run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
2965 run_cmd_nsb nettest -6 -D -r ${a}
2966 log_test_addr ${a} $? 0 "Global server"
2968 # should fail since loopback address is out of scope for a device
2969 # bound server, but it does not - hence this is more documenting
2972 #show_hint "Should fail since loopback address is out of scope"
2973 #run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
2975 #run_cmd_nsb nettest -6 -D -r ${a}
2976 #log_test_addr ${a} $? 1 "Device server"
2978 # negative test - should fail
2979 for a in ${NSA_IP6} ${NSA_LO_IP6} ${NSA_LINKIP6}%${NSB_DEV}
2982 show_hint "Should fail 'Connection refused' since there is no server"
2983 run_cmd_nsb nettest -6 -D -r ${a}
2984 log_test_addr ${a} $? 1 "No server"
2990 for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV}
2993 run_cmd_nsb nettest -6 -D -s &
2995 run_cmd nettest -6 -D -r ${a} -0 ${NSA_IP6}
2996 log_test_addr ${a} $? 0 "Client"
2999 run_cmd_nsb nettest -6 -D -s &
3001 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -0 ${NSA_IP6}
3002 log_test_addr ${a} $? 0 "Client, device bind"
3005 run_cmd_nsb nettest -6 -D -s &
3007 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C -0 ${NSA_IP6}
3008 log_test_addr ${a} $? 0 "Client, device send via cmsg"
3011 run_cmd_nsb nettest -6 -D -s &
3013 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S -0 ${NSA_IP6}
3014 log_test_addr ${a} $? 0 "Client, device bind via IPV6_UNICAST_IF"
3017 show_hint "Should fail 'Connection refused'"
3018 run_cmd nettest -6 -D -r ${a}
3019 log_test_addr ${a} $? 1 "No server, unbound client"
3022 show_hint "Should fail 'Connection refused'"
3023 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
3024 log_test_addr ${a} $? 1 "No server, device client"
3028 # local address tests
3030 for a in ${NSA_IP6} ${NSA_LO_IP6} ::1
3033 run_cmd nettest -6 -D -s &
3035 run_cmd nettest -6 -D -r ${a} -0 ${a} -1 ${a}
3036 log_test_addr ${a} $? 0 "Global server, local connection"
3041 run_cmd nettest -6 -s -D -I ${NSA_DEV} -3 ${NSA_DEV} &
3043 run_cmd nettest -6 -D -r ${a}
3044 log_test_addr ${a} $? 0 "Device server, unbound client, local connection"
3046 for a in ${NSA_LO_IP6} ::1
3049 show_hint "Should fail 'Connection refused' since address is out of device scope"
3050 run_cmd nettest -6 -s -D -I ${NSA_DEV} &
3052 run_cmd nettest -6 -D -r ${a}
3053 log_test_addr ${a} $? 1 "Device server, local connection"
3058 run_cmd nettest -6 -s -D &
3060 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3061 log_test_addr ${a} $? 0 "Global server, device client, local connection"
3064 run_cmd nettest -6 -s -D &
3066 run_cmd nettest -6 -D -d ${NSA_DEV} -C -r ${a}
3067 log_test_addr ${a} $? 0 "Global server, device send via cmsg, local connection"
3070 run_cmd nettest -6 -s -D &
3072 run_cmd nettest -6 -D -d ${NSA_DEV} -S -r ${a}
3073 log_test_addr ${a} $? 0 "Global server, device client via IPV6_UNICAST_IF, local connection"
# Negative UDP checks for addresses that live on loopback: a client scoped to
# ${NSA_DEV} (plain -d, -d with -C, -d with -S) is expected to fail with rc 1
# for each address, i.e. the device scope must not leak onto loopback addresses.
3075 for a in ${NSA_LO_IP6} ::1
3078 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
3079 run_cmd nettest -6 -D -s &
3081 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV}
3082 log_test_addr ${a} $? 1 "Global server, device client, local connection"
3085 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
3086 run_cmd nettest -6 -D -s &
3088 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -C
3089 log_test_addr ${a} $? 1 "Global server, device send via cmsg, local connection"
3092 show_hint "Should fail 'No route to host' since addresses on loopback are out of device scope"
3093 run_cmd nettest -6 -D -s &
3095 run_cmd nettest -6 -D -r ${a} -d ${NSA_DEV} -S
# NOTE(review): the label below says IP_UNICAST_IF, while the other -6 tests
# that pass -S in this file are labelled IPV6_UNICAST_IF; the IPv4 name looks
# like a leftover. Renaming it changes the logged test name, so it is only
# flagged here.
3096 log_test_addr ${a} $? 1 "Global server, device client via IP_UNICAST_IF, local connection"
3101 run_cmd nettest -6 -D -s -I ${NSA_DEV} -3 ${NSA_DEV} &
3103 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a} -0 ${a}
3104 log_test_addr ${a} $? 0 "Device server, device client, local conn"
3107 show_hint "Should fail 'Connection refused'"
3108 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3109 log_test_addr ${a} $? 1 "No server, device client, local conn"
3112 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
3113 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
3115 run_cmd nettest -6 -s -D &
3117 run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
3118 log_test $? 0 "UDP in - LLA to GUA"
3120 run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
3121 run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
# Remote-client UDP checks with udp_l3mdev_accept=0. The expected return codes
# encode the isolation property under test: a server started without -I is
# expected to be unreachable for clients started with run_cmd_nsb (rc 1), while
# servers bound with -I to ${VRF} or to ${NSA_DEV} are expected to answer (rc 0).
3128 # disable global server
3129 log_subsection "Global server disabled"
3130 set_sysctl net.ipv4.udp_l3mdev_accept=0
3135 for a in ${NSA_IP6} ${VRF_IP6}
3138 show_hint "Should fail 'Connection refused' since global server is disabled"
3139 run_cmd nettest -6 -D -s &
3141 run_cmd_nsb nettest -6 -D -r ${a}
3142 log_test_addr ${a} $? 1 "Global server"
3145 for a in ${NSA_IP6} ${VRF_IP6}
# -3 presumably names the device the server expects traffic on - TODO confirm
# against nettest's usage text.
3148 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3150 run_cmd_nsb nettest -6 -D -r ${a}
3151 log_test_addr ${a} $? 0 "VRF server"
3154 for a in ${NSA_IP6} ${VRF_IP6}
3157 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3159 run_cmd_nsb nettest -6 -D -r ${a}
3160 log_test_addr ${a} $? 0 "Enslaved device server"
3163 # negative test - should fail
3164 for a in ${NSA_IP6} ${VRF_IP6}
3167 show_hint "Should fail 'Connection refused' since there is no server"
3168 run_cmd_nsb nettest -6 -D -r ${a}
3169 log_test_addr ${a} $? 1 "No server"
3173 # local address tests
3175 for a in ${NSA_IP6} ${VRF_IP6}
3178 show_hint "Should fail 'Connection refused' since global server is disabled"
3179 run_cmd nettest -6 -D -s &
3181 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3182 log_test_addr ${a} $? 1 "Global server, VRF client, local conn"
3185 for a in ${NSA_IP6} ${VRF_IP6}
3188 run_cmd nettest -6 -D -I ${VRF} -s &
3190 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3191 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3196 show_hint "Should fail 'Connection refused' since global server is disabled"
3197 run_cmd nettest -6 -D -s &
3199 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3200 log_test_addr ${a} $? 1 "Global server, device client, local conn"
3203 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3205 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3206 log_test_addr ${a} $? 0 "VRF server, device client, local conn"
3209 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3211 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3212 log_test_addr ${a} $? 0 "Enslaved device server, VRF client, local conn"
3215 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3217 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3218 log_test_addr ${a} $? 0 "Enslaved device server, device client, local conn"
# Same remote-client UDP checks with udp_l3mdev_accept=1: the server started
# without -I is now expected to answer (rc 0) for both addresses.
# Practitioner caveat, as these expectations show: with this sysctl on, an
# unbound UDP socket is reachable from VRF traffic, so a service meant for one
# L3 domain has to be bound to it explicitly rather than rely on the default.
3220 # enable global server
3221 log_subsection "Global server enabled"
3222 set_sysctl net.ipv4.udp_l3mdev_accept=1
3227 for a in ${NSA_IP6} ${VRF_IP6}
3230 run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3232 run_cmd_nsb nettest -6 -D -r ${a}
3233 log_test_addr ${a} $? 0 "Global server"
3236 for a in ${NSA_IP6} ${VRF_IP6}
3239 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3241 run_cmd_nsb nettest -6 -D -r ${a}
3242 log_test_addr ${a} $? 0 "VRF server"
3245 for a in ${NSA_IP6} ${VRF_IP6}
3248 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3250 run_cmd_nsb nettest -6 -D -r ${a}
3251 log_test_addr ${a} $? 0 "Enslaved device server"
3254 # negative test - should fail
3255 for a in ${NSA_IP6} ${VRF_IP6}
# No server is started for this loop, so the client is expected to fail (rc 1).
3258 run_cmd_nsb nettest -6 -D -r ${a}
3259 log_test_addr ${a} $? 1 "No server"
3266 run_cmd_nsb nettest -6 -D -s &
3268 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
3269 log_test $? 0 "VRF client"
3271 # negative test - should fail
3273 run_cmd nettest -6 -D -d ${VRF} -r ${NSB_IP6}
3274 log_test $? 1 "No server, VRF client"
3277 run_cmd_nsb nettest -6 -D -s &
3279 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
3280 log_test $? 0 "Enslaved device client"
3282 # negative test - should fail
3284 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_IP6}
3285 log_test $? 1 "No server, enslaved device client"
3288 # local address tests
3292 run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3294 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3295 log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
3298 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3300 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3301 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3306 run_cmd nettest -6 -D -s -3 ${VRF} &
3308 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3309 log_test_addr ${a} $? 0 "Global server, VRF client, local conn"
3312 run_cmd nettest -6 -D -I ${VRF} -s -3 ${VRF} &
3314 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3315 log_test_addr ${a} $? 0 "VRF server, VRF client, local conn"
3317 # negative test - should fail
3318 for a in ${NSA_IP6} ${VRF_IP6}
3321 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3322 log_test_addr ${a} $? 1 "No server, VRF client, local conn"
3325 # device to global IP
3328 run_cmd nettest -6 -D -s -3 ${NSA_DEV} &
3330 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3331 log_test_addr ${a} $? 0 "Global server, device client, local conn"
3334 run_cmd nettest -6 -D -I ${VRF} -s -3 ${NSA_DEV} &
3336 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3337 log_test_addr ${a} $? 0 "VRF server, device client, local conn"
3340 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3342 run_cmd nettest -6 -D -d ${VRF} -r ${a}
3343 log_test_addr ${a} $? 0 "Device server, VRF client, local conn"
3346 run_cmd nettest -6 -D -I ${NSA_DEV} -s -3 ${NSA_DEV} &
3348 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3349 log_test_addr ${a} $? 0 "Device server, device client, local conn"
3352 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${a}
3353 log_test_addr ${a} $? 1 "No server, device client, local conn"
3356 # link local addresses
3358 run_cmd nettest -6 -D -s &
3360 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
3361 log_test $? 0 "Global server, linklocal IP"
3364 run_cmd_nsb nettest -6 -D -d ${NSB_DEV} -r ${NSA_LINKIP6}
3365 log_test $? 1 "No server, linklocal IP"
3369 run_cmd_nsb nettest -6 -D -s &
3371 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
3372 log_test $? 0 "Enslaved device client, linklocal IP"
3375 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSB_LINKIP6}
3376 log_test $? 1 "No server, device client, peer linklocal IP"
3380 run_cmd nettest -6 -D -s &
3382 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
3383 log_test $? 0 "Enslaved device client, local conn - linklocal IP"
3386 run_cmd nettest -6 -D -d ${NSA_DEV} -r ${NSA_LINKIP6}
3387 log_test $? 1 "No server, device client, local conn - linklocal IP"
3390 run_cmd_nsb ip -6 addr del ${NSB_IP6}/64 dev ${NSB_DEV}
3391 run_cmd_nsb ip -6 ro add ${NSA_IP6}/128 dev ${NSB_DEV}
3393 run_cmd nettest -6 -s -D &
3395 run_cmd_nsb nettest -6 -D -r ${NSA_IP6}
3396 log_test $? 0 "UDP in - LLA to GUA"
3398 run_cmd_nsb ip -6 ro del ${NSA_IP6}/128 dev ${NSB_DEV}
3399 run_cmd_nsb ip -6 addr add ${NSB_IP6}/64 dev ${NSB_DEV} nodad
# Driver for the IPv6/UDP groups: pins udp_early_demux, logs the section, then
# sets udp_l3mdev_accept to 0 and to 1 around the no-VRF runs before the VRF
# runs. The calls that start the test groups are presumably on lines not shown.
3404 # should not matter, but set to known state
3405 set_sysctl net.ipv4.udp_early_demux=1
3407 log_section "IPv6/UDP"
3408 log_subsection "No VRF"
3411 # udp_l3mdev_accept should have no effect without VRF;
3412 # run tests with it enabled and disabled to verify
3413 log_subsection "udp_l3mdev_accept disabled"
# The knob sits under net.ipv4 even though this section exercises -6 sockets.
3414 set_sysctl net.ipv4.udp_l3mdev_accept=0
3416 log_subsection "udp_l3mdev_accept enabled"
3417 set_sysctl net.ipv4.udp_l3mdev_accept=1
3420 log_subsection "With VRF"
3425 ################################################################################
# IPv6 address-bind checks without a VRF. Each check runs nettest with -l
# <address> and -b (presumably "bind only" - TODO confirm) on a raw (-R) or TCP
# socket, optionally after a device bind (-I), and compares the return code
# with the expected value passed to log_test_addr.
# Outside the for loop, ${a} is set on lines not shown in this listing.
3428 ipv6_addr_bind_novrf()
3433 for a in ${NSA_IP6} ${NSA_LO_IP6}
3436 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -b
3437 log_test_addr ${a} $? 0 "Raw socket bind to local address"
3440 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
3441 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
3445 # raw socket with nonlocal bind
# -f appears only in the nonlocal-address check; presumably it requests a
# freebind-style bind (the file header mentions "freebind tests") - TODO confirm.
# NOTE(review): this check passes -P icmp while the other -6 raw checks pass
# -P ipv6-icmp; confirm the difference is intended.
3449 run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${NSA_DEV} -b
3450 log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address"
3457 run_cmd nettest -6 -s -l ${a} -t1 -b
3458 log_test_addr ${a} $? 0 "TCP socket bind to local address"
3461 run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3462 log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
3464 # Sadly, the kernel allows binding a socket to a device and then
3465 # binding to an address not on the device. So this test passes
3466 # when it really should not
# Reading for operators: the expected rc 0 below documents current behaviour,
# not a desirable one - a device bind does not limit which local address the
# socket may then bind to, so it should not be counted on as an address-scoping
# control.
3469 show_hint "Tecnically should fail since address is not on device but kernel allows"
3470 run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3471 log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
# IPv6 address-bind checks with a VRF. Raw (-R) and TCP sockets are bound with
# -l <address> after a bind to ${VRF} or to ${NSA_DEV} (-I); the expected return
# code (0 = bind accepted, 1 = bind refused) is passed to log_test_addr.
# Outside the for loops, ${a} is set on lines not shown in this listing.
3474 ipv6_addr_bind_vrf()
3479 for a in ${NSA_IP6} ${VRF_IP6}
3482 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
3483 log_test_addr ${a} $? 0 "Raw socket bind to local address after vrf bind"
3486 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${NSA_DEV} -b
3487 log_test_addr ${a} $? 0 "Raw socket bind to local address after device bind"
# Isolation check: an address on loopback must be refused once the socket is
# bound to the VRF (expected rc 1).
3492 show_hint "Address on loopback is out of VRF scope"
3493 run_cmd nettest -6 -s -R -P ipv6-icmp -l ${a} -I ${VRF} -b
3494 log_test_addr ${a} $? 1 "Raw socket bind to invalid local address after vrf bind"
3497 # raw socket with nonlocal bind
# -f appears only in the nonlocal-address check; presumably it requests a
# freebind-style bind - TODO confirm. NOTE(review): -P icmp here versus
# -P ipv6-icmp in the other -6 raw checks; confirm the difference is intended.
3501 run_cmd nettest -6 -s -R -P icmp -f -l ${a} -I ${VRF} -b
3502 log_test_addr ${a} $? 0 "Raw socket bind to nonlocal address after VRF bind"
3507 # address on enslaved device is valid for the VRF or device in a VRF
3508 for a in ${NSA_IP6} ${VRF_IP6}
3511 run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
3512 log_test_addr ${a} $? 0 "TCP socket bind to local address with VRF bind"
3517 run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3518 log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"
3520 # Sadly, the kernel allows binding a socket to a device and then
3521 # binding to an address not on the device. The only restriction
3522 # is that the address is valid in the L3 domain. So this test
3523 # passes when it really should not
# Reading for operators: the enforced boundary is the L3 domain, not the
# individual device - the rc 0 below records that, and the rc 1 checks that
# follow show the domain boundary itself holding for loopback addresses.
3526 show_hint "Tecnically should fail since address is not on device but kernel allows"
3527 run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3528 log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind"
3532 show_hint "Address on loopback out of scope for VRF"
3533 run_cmd nettest -6 -s -l ${a} -I ${VRF} -t1 -b
3534 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for VRF"
3537 show_hint "Address on loopback out of scope for device in VRF"
3538 run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
3539 log_test_addr ${a} $? 1 "TCP socket bind to invalid local address for device bind"
3545 log_section "IPv6 address binds"
3547 log_subsection "No VRF"
3549 ipv6_addr_bind_novrf
3551 log_subsection "With VRF"
3556 ################################################################################
3557 # IPv6 runtime tests
3563 local with_vrf="yes"
3569 for a in ${NSA_IP6} ${VRF_IP6}
3572 run_cmd nettest ${varg} -s &
3574 run_cmd_nsb nettest ${varg} -r ${a} &
3576 run_cmd ip link del ${VRF}
3578 log_test_addr ${a} 0 0 "${desc}, global server"
3583 for a in ${NSA_IP6} ${VRF_IP6}
3586 run_cmd nettest ${varg} -I ${VRF} -s &
3588 run_cmd_nsb nettest ${varg} -r ${a} &
3590 run_cmd ip link del ${VRF}
3592 log_test_addr ${a} 0 0 "${desc}, VRF server"
3597 for a in ${NSA_IP6} ${VRF_IP6}
3600 run_cmd nettest ${varg} -I ${NSA_DEV} -s &
3602 run_cmd_nsb nettest ${varg} -r ${a} &
3604 run_cmd ip link del ${VRF}
3606 log_test_addr ${a} 0 0 "${desc}, enslaved device server"
3615 run_cmd_nsb nettest ${varg} -s &
3617 run_cmd nettest ${varg} -d ${VRF} -r ${NSB_IP6} &
3619 run_cmd ip link del ${VRF}
3621 log_test 0 0 "${desc}, VRF client"
3626 run_cmd_nsb nettest ${varg} -s &
3628 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${NSB_IP6} &
3630 run_cmd ip link del ${VRF}
3632 log_test 0 0 "${desc}, enslaved device client"
3638 # local address tests
3640 for a in ${NSA_IP6} ${VRF_IP6}
3643 run_cmd nettest ${varg} -s &
3645 run_cmd nettest ${varg} -d ${VRF} -r ${a} &
3647 run_cmd ip link del ${VRF}
3649 log_test_addr ${a} 0 0 "${desc}, global server, VRF client"
3654 for a in ${NSA_IP6} ${VRF_IP6}
3657 run_cmd nettest ${varg} -I ${VRF} -s &
3659 run_cmd nettest ${varg} -d ${VRF} -r ${a} &
3661 run_cmd ip link del ${VRF}
3663 log_test_addr ${a} 0 0 "${desc}, VRF server and client"
3670 run_cmd nettest ${varg} -s &
3672 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3674 run_cmd ip link del ${VRF}
3676 log_test_addr ${a} 0 0 "${desc}, global server, device client"
3681 run_cmd nettest ${varg} -I ${VRF} -s &
3683 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3685 run_cmd ip link del ${VRF}
3687 log_test_addr ${a} 0 0 "${desc}, VRF server, device client"
3692 run_cmd nettest ${varg} -I ${NSA_DEV} -s &
3694 run_cmd nettest ${varg} -d ${NSA_DEV} -r ${a} &
3696 run_cmd ip link del ${VRF}
3698 log_test_addr ${a} 0 0 "${desc}, device server, device client"
3703 local with_vrf="yes"
3708 run_cmd_nsb ${ping6} -f ${a} &
3710 run_cmd ip link del ${VRF}
3712 log_test_addr ${a} 0 0 "Device delete with active traffic - ping in"
3717 run_cmd ${ping6} -f ${NSB_IP6} -I ${VRF} &
3719 run_cmd ip link del ${VRF}
3721 log_test_addr ${a} 0 0 "Device delete with active traffic - ping out"
3726 log_section "Run time tests - ipv6"
3732 ipv6_rt "TCP active socket" "-n -1"
3735 ipv6_rt "TCP passive socket" "-i"
3738 ipv6_rt "UDP active socket" "-D -n -1"
3741 ################################################################################
3742 # netfilter blocking connections
# For each address, starts a TCP server in the background and connects from
# ns-B; the client is expected to fail (rc 1). The REJECT ... tcp-reset rule on
# --dport 12345 is installed by the IPv4 Netfilter driver elsewhere in this
# file (12345 is presumably nettest's default port - TODO confirm).
# NOTE(review): rc 1 alone cannot tell "reset sent by the rule" from "server
# not reachable for another reason"; the rule's packet counters
# (iptables -L INPUT -v -n) would confirm the rule actually matched.
3744 netfilter_tcp_reset()
3748 for a in ${NSA_IP} ${VRF_IP}
3751 run_cmd nettest -s &
3753 run_cmd_nsb nettest -r ${a}
3754 log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
3764 [ "${stype}" = "UDP" ] && arg="-D"
3766 for a in ${NSA_IP} ${VRF_IP}
3769 run_cmd nettest ${arg} -s &
3771 run_cmd_nsb nettest ${arg} -r ${a}
3772 log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
3778 log_section "IPv4 Netfilter"
3779 log_subsection "TCP reset"
3782 run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset
3787 log_subsection "ICMP unreachable"
3791 run_cmd iptables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
3792 run_cmd iptables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp-port-unreachable
3794 netfilter_icmp "TCP"
3795 netfilter_icmp "UDP"
# IPv6 counterpart of the TCP-reset check: for each address, starts a -6 TCP
# server in the background and connects from ns-B; the client is expected to
# fail (rc 1) because of the ip6tables REJECT ... tcp-reset rule that the IPv6
# Netfilter driver in this file adds before calling this function.
# NOTE(review): rc 1 alone does not prove the rule matched; checking the rule's
# packet counters (ip6tables -L INPUT -v -n) would.
3801 netfilter_tcp6_reset()
3805 for a in ${NSA_IP6} ${VRF_IP6}
3808 run_cmd nettest -6 -s &
3810 run_cmd_nsb nettest -6 -r ${a}
3811 log_test_addr ${a} $? 1 "Global server, reject with TCP-reset on Rx"
3821 [ "${stype}" = "UDP" ] && arg="$arg -D"
3823 for a in ${NSA_IP6} ${VRF_IP6}
3826 run_cmd nettest -6 -s ${arg} &
3828 run_cmd_nsb nettest -6 ${arg} -r ${a}
3829 log_test_addr ${a} $? 1 "Global ${stype} server, Rx reject icmp-port-unreach"
# Driver for the IPv6 netfilter checks: installs a REJECT rule for port 12345,
# runs the TCP-reset check, then replaces the rule set with ICMPv6
# port-unreachable rejects for TCP and UDP and runs the ICMP checks.
3835 log_section "IPv6 Netfilter"
3836 log_subsection "TCP reset"
3839 run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with tcp-reset
3841 netfilter_tcp6_reset
3843 log_subsection "ICMP unreachable"
# -F with no chain flushes every chain of the filter table where the command
# runs, not only the rule added above. run_cmd is defined elsewhere; presumably
# it executes inside the test namespace ns-A - confirm before reusing this
# pattern anywhere a real rule set is loaded.
3846 run_cmd ip6tables -F
3847 run_cmd ip6tables -A INPUT -p tcp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
3848 run_cmd ip6tables -A INPUT -p udp --dport 12345 -j REJECT --reject-with icmp6-port-unreachable
3850 netfilter_icmp6 "TCP"
3851 netfilter_icmp6 "UDP"
3857 ################################################################################
3858 # specific use cases
3861 # ns-A device enslaved to bridge. Verify traffic with and without
3862 # br_netfilter module loaded. Repeat with SVI on bridge.
3867 setup_cmd ip link set ${NSA_DEV} down
3868 setup_cmd ip addr del dev ${NSA_DEV} ${NSA_IP}/24
3869 setup_cmd ip -6 addr del dev ${NSA_DEV} ${NSA_IP6}/64
3871 setup_cmd ip link add br0 type bridge
3872 setup_cmd ip addr add dev br0 ${NSA_IP}/24
3873 setup_cmd ip -6 addr add dev br0 ${NSA_IP6}/64 nodad
3875 setup_cmd ip li set ${NSA_DEV} master br0
3876 setup_cmd ip li set ${NSA_DEV} up
3877 setup_cmd ip li set br0 up
3878 setup_cmd ip li set br0 vrf ${VRF}
3880 rmmod br_netfilter 2>/dev/null
3883 run_cmd ip neigh flush all
3884 run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
3885 log_test $? 0 "Bridge into VRF - IPv4 ping out"
3887 run_cmd ip neigh flush all
3888 run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
3889 log_test $? 0 "Bridge into VRF - IPv6 ping out"
3891 run_cmd ip neigh flush all
3892 run_cmd_nsb ping -c1 -w1 ${NSA_IP}
3893 log_test $? 0 "Bridge into VRF - IPv4 ping in"
3895 run_cmd ip neigh flush all
3896 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
3897 log_test $? 0 "Bridge into VRF - IPv6 ping in"
# Repeats the four bridge-into-VRF pings with the br_netfilter module loaded.
# modprobe is called directly rather than through run_cmd, and a kernel module
# is loaded for the whole machine, not for one network namespace - so this step
# changes bridge filtering on the host that runs the selftest. Run it on a
# disposable test system.
# If modprobe fails, the four checks below are skipped; no SKIP entry is logged
# in the lines shown here.
3899 modprobe br_netfilter
3900 if [ $? -eq 0 ]; then
3901 run_cmd ip neigh flush all
3902 run_cmd ping -c1 -w1 -I br0 ${NSB_IP}
3903 log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping out"
3905 run_cmd ip neigh flush all
3906 run_cmd ${ping6} -c1 -w1 -I br0 ${NSB_IP6}
3907 log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping out"
3909 run_cmd ip neigh flush all
3910 run_cmd_nsb ping -c1 -w1 ${NSA_IP}
3911 log_test $? 0 "Bridge into VRF with br_netfilter - IPv4 ping in"
3913 run_cmd ip neigh flush all
3914 run_cmd_nsb ${ping6} -c1 -w1 ${NSA_IP6}
3915 log_test $? 0 "Bridge into VRF with br_netfilter - IPv6 ping in"
3918 setup_cmd ip li set br0 nomaster
3919 setup_cmd ip li add br0.100 link br0 type vlan id 100
3920 setup_cmd ip li set br0.100 vrf ${VRF} up
3921 setup_cmd ip addr add dev br0.100 172.16.101.1/24
3922 setup_cmd ip -6 addr add dev br0.100 2001:db8:101::1/64 nodad
3924 setup_cmd_nsb ip li add vlan100 link ${NSB_DEV} type vlan id 100
3925 setup_cmd_nsb ip addr add dev vlan100 172.16.101.2/24
3926 setup_cmd_nsb ip -6 addr add dev vlan100 2001:db8:101::2/64 nodad
3927 setup_cmd_nsb ip li set vlan100 up
3930 rmmod br_netfilter 2>/dev/null
3932 run_cmd ip neigh flush all
3933 run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
3934 log_test $? 0 "Bridge vlan into VRF - IPv4 ping out"
3936 run_cmd ip neigh flush all
3937 run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
3938 log_test $? 0 "Bridge vlan into VRF - IPv6 ping out"
3940 run_cmd ip neigh flush all
3941 run_cmd_nsb ping -c1 -w1 172.16.101.1
3942 log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"
3944 run_cmd ip neigh flush all
3945 run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
3946 log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"
# Repeats the four bridge-vlan-into-VRF pings with br_netfilter loaded, then
# removes br0 and vlan100.
# modprobe is called directly (not through run_cmd) and affects the whole host;
# no rmmod follows in the lines shown, so the module presumably stays loaded
# after this use case finishes.
3948 modprobe br_netfilter
3949 if [ $? -eq 0 ]; then
3950 run_cmd ip neigh flush all
3951 run_cmd ping -c1 -w1 -I br0.100 172.16.101.2
3952 log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv4 ping out"
3954 run_cmd ip neigh flush all
3955 run_cmd ${ping6} -c1 -w1 -I br0.100 2001:db8:101::2
3956 log_test $? 0 "Bridge vlan into VRF with br_netfilter - IPv6 ping out"
3958 run_cmd ip neigh flush all
3959 run_cmd_nsb ping -c1 -w1 172.16.101.1
# NOTE(review): the two "ping in" labels below omit "with br_netfilter" and so
# repeat the labels used for the run without the module; a failure in the log
# cannot be attributed to one run or the other. Changing the label changes the
# logged test name, so it is only flagged here.
3960 log_test $? 0 "Bridge vlan into VRF - IPv4 ping in"
3962 run_cmd ip neigh flush all
3963 run_cmd_nsb ${ping6} -c1 -w1 2001:db8:101::1
3964 log_test $? 0 "Bridge vlan into VRF - IPv6 ping in"
# Best-effort cleanup: errors from deleting the links are discarded.
3967 setup_cmd ip li del br0 2>/dev/null
3968 setup_cmd_nsb ip li del vlan100 2>/dev/null
3972 # ns-A device is connected to both ns-B and ns-C on a single VRF but only has
3973 # LLA on the interfaces
# Pings ${MCAST} (defined elsewhere) out of ns-B and ns-C, scoped to each
# namespace's device, before and after cycling each of the two ns-A interfaces
# down/up. Every ping is expected to succeed (rc 0).
3974 use_case_ping_lla_multi()
3977 # only want reply from ns-A
# NOTE(review): echo_ignore_multicast is set to 1 in ns-B and ns-C and is not
# restored in the lines shown; later tests in the same namespaces would inherit
# it unless the namespaces are rebuilt - confirm.
3978 setup_cmd_nsb sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
3979 setup_cmd_nsc sysctl -qw net.ipv6.icmp.echo_ignore_multicast=1
3982 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
3983 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Pre cycle, ping out ns-B"
3985 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
3986 log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Pre cycle, ping out ns-C"
3988 # cycle/flap the first ns-A interface
3989 setup_cmd ip link set ${NSA_DEV} down
3990 setup_cmd ip link set ${NSA_DEV} up
3994 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
3995 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-B"
3996 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
3997 log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV}, ping out ns-C"
3999 # cycle/flap the second ns-A interface
4000 setup_cmd ip link set ${NSA_DEV2} down
4001 setup_cmd ip link set ${NSA_DEV2} up
4005 run_cmd_nsb ping -c1 -w1 ${MCAST}%${NSB_DEV}
4006 log_test_addr ${MCAST}%${NSB_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-B"
4007 run_cmd_nsc ping -c1 -w1 ${MCAST}%${NSC_DEV}
4008 log_test_addr ${MCAST}%${NSC_DEV} $? 0 "Post cycle ${NSA} ${NSA_DEV2}, ping out ns-C"
4011 # Perform IPv{4,6} SNAT on ns-A, and verify TCP connection is successfully
4012 # established with ns-B.
# Adds IPv4 and IPv6 SNAT rules for TCP to ${port} leaving via ${VRF}, checks
# that a client bound to ${VRF} can connect to a server in ns-B (rc 0), then
# deletes the rules. ${port} is set on lines not shown in this listing.
4013 use_case_snat_on_vrf()
4019 run_cmd iptables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
4020 run_cmd ip6tables -t nat -A POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
# NOTE(review): rc 0 shows the connection was established; nothing in the lines
# shown checks that the server saw the rewritten source address, so the check
# would also pass if the rule never matched.
4022 run_cmd_nsb nettest -s -l ${NSB_IP} -p ${port} &
4024 run_cmd nettest -d ${VRF} -r ${NSB_IP} -p ${port}
4025 log_test $? 0 "IPv4 TCP connection over VRF with SNAT"
4027 run_cmd_nsb nettest -6 -s -l ${NSB_IP6} -p ${port} &
4029 run_cmd nettest -6 -d ${VRF} -r ${NSB_IP6} -p ${port}
4030 log_test $? 0 "IPv6 TCP connection over VRF with SNAT"
# Cleanup uses -D with the same rule specification as the -A lines above; the
# two must stay in sync or the rule is left behind in the nat table. If the
# function stops before this point the rules also remain.
4033 run_cmd iptables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP} -o ${VRF}
4034 run_cmd ip6tables -t nat -D POSTROUTING -p tcp -m tcp --dport ${port} -j SNAT --to-source ${NSA_LO_IP6} -o ${VRF}
4039 log_section "Use cases"
4040 log_subsection "Device enslaved to bridge"
4042 log_subsection "Ping LLA with multiple interfaces"
4043 use_case_ping_lla_multi
4044 log_subsection "SNAT on VRF"
4045 use_case_snat_on_vrf
4048 ################################################################################
4054 usage: ${0##*/} OPTS
4058 -t <test> Test name/set to run
4060 -P Pause after each test
4065 ################################################################################
4068 TESTS_IPV4="ipv4_ping ipv4_tcp ipv4_udp ipv4_bind ipv4_runtime ipv4_netfilter"
4069 TESTS_IPV6="ipv6_ping ipv6_tcp ipv6_udp ipv6_bind ipv6_runtime ipv6_netfilter"
4070 TESTS_OTHER="use_cases"
4075 while getopts :46t:pPvh o
4081 p) PAUSE_ON_FAIL=yes;;
4089 # make sure we don't pause twice
4090 [ "${PAUSE}" = "yes" ] && PAUSE_ON_FAIL=no
4093 # show user test config
4095 if [ -z "$TESTS" ]; then
4096 TESTS="$TESTS_IPV4 $TESTS_IPV6 $TESTS_OTHER"
4097 elif [ "$TESTS" = "ipv4" ]; then
4099 elif [ "$TESTS" = "ipv6" ]; then
4103 which nettest >/dev/null
4104 if [ $? -ne 0 ]; then
4105 echo "'nettest' command not found; skipping tests"
4110 declare -i nsuccess=0
4115 ipv4_ping|ping) ipv4_ping;;
4116 ipv4_tcp|tcp) ipv4_tcp;;
4117 ipv4_udp|udp) ipv4_udp;;
4118 ipv4_bind|bind) ipv4_addr_bind;;
4119 ipv4_runtime) ipv4_runtime;;
4120 ipv4_netfilter) ipv4_netfilter;;
4122 ipv6_ping|ping6) ipv6_ping;;
4123 ipv6_tcp|tcp6) ipv6_tcp;;
4124 ipv6_udp|udp6) ipv6_udp;;
4125 ipv6_bind|bind6) ipv6_addr_bind;;
4126 ipv6_runtime) ipv6_runtime;;
4127 ipv6_netfilter) ipv6_netfilter;;
4129 use_cases) use_cases;;
4131 # setup namespaces and config, but do not run any tests
4132 setup) setup; exit 0;;
4133 vrf_setup) setup "yes"; exit 0;;
4139 printf "\nTests passed: %3d\n" ${nsuccess}
4140 printf "Tests failed: %3d\n" ${nfail}
4142 if [ $nfail -ne 0 ]; then
4144 elif [ $nsuccess -eq 0 ]; then