search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
WIP FPC-III support
[linux/fpc-iii.git] / tools / testing / selftests / net / vrf-xfrm-tests.sh
blob184da81f554ff6a6396b8efb0cc245d8dc0ddd42
1 #!/bin/bash
2 # SPDX-License-Identifier: GPL-2.0
3 #
4 # Various combinations of VRF with xfrms and qdisc.
5
6 # Kselftest framework requirement - SKIP code is 4.
7 ksft_skip=4
8
9 PAUSE_ON_FAIL=no
10 VERBOSE=0
11 ret=0
12
13 HOST1_4=192.168.1.1
14 HOST2_4=192.168.1.2
15 HOST1_6=2001:db8:1::1
16 HOST2_6=2001:db8:1::2
17
18 XFRM1_4=10.0.1.1
19 XFRM2_4=10.0.1.2
20 XFRM1_6=fc00:1000::1
21 XFRM2_6=fc00:1000::2
22 IF_ID=123
23
24 VRF=red
25 TABLE=300
26
27 AUTH_1=0xd94fcfea65fddf21dc6e0d24a0253508
28 AUTH_2=0xdc6e0d24a0253508d94fcfea65fddf21
29 ENC_1=0xfc46c20f8048be9725930ff3fb07ac2a91f0347dffeacf62
30 ENC_2=0x3fb07ac2a91f0347dffeacf62fc46c20f8048be9725930ff
31 SPI_1=0x02122b77
32 SPI_2=0x2b770212
33
34 which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)
35
36 ################################################################################
37 #
38 log_test()
39 {
40 local rc=$1
41 local expected=$2
42 local msg="$3"
43
44 if [ ${rc} -eq ${expected} ]; then
45 printf "TEST: %-60s [ OK ]\n" "${msg}"
46 nsuccess=$((nsuccess+1))
47 else
48 ret=1
49 nfail=$((nfail+1))
50 printf "TEST: %-60s [FAIL]\n" "${msg}"
51 if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
52 echo
53 echo "hit enter to continue, 'q' to quit"
54 read a
55 [ "$a" = "q" ] && exit 1
56 fi
57 fi
58 }
59
60 run_cmd_host1()
61 {
62 local cmd="$*"
63 local out
64 local rc
65
66 if [ "$VERBOSE" = "1" ]; then
67 printf " COMMAND: $cmd\n"
68 fi
69
70 out=$(eval ip netns exec host1 $cmd 2>&1)
71 rc=$?
72 if [ "$VERBOSE" = "1" ]; then
73 if [ -n "$out" ]; then
74 echo
75 echo " $out"
76 fi
77 echo
78 fi
79
80 return $rc
81 }
82
83 ################################################################################
84 # create namespaces for hosts and sws
85
86 create_vrf()
87 {
88 local ns=$1
89 local vrf=$2
90 local table=$3
91
92 if [ -n "${ns}" ]; then
93 ns="-netns ${ns}"
94 fi
95
96 ip ${ns} link add ${vrf} type vrf table ${table}
97 ip ${ns} link set ${vrf} up
98 ip ${ns} route add vrf ${vrf} unreachable default metric 8192
99 ip ${ns} -6 route add vrf ${vrf} unreachable default metric 8192
100
101 ip ${ns} addr add 127.0.0.1/8 dev ${vrf}
102 ip ${ns} -6 addr add ::1 dev ${vrf} nodad
103
104 ip ${ns} ru del pref 0
105 ip ${ns} ru add pref 32765 from all lookup local
106 ip ${ns} -6 ru del pref 0
107 ip ${ns} -6 ru add pref 32765 from all lookup local
108 }
109
110 create_ns()
111 {
112 local ns=$1
113 local addr=$2
114 local addr6=$3
115
116 [ -z "${addr}" ] && addr="-"
117 [ -z "${addr6}" ] && addr6="-"
118
119 ip netns add ${ns}
120
121 ip -netns ${ns} link set lo up
122 if [ "${addr}" != "-" ]; then
123 ip -netns ${ns} addr add dev lo ${addr}
124 fi
125 if [ "${addr6}" != "-" ]; then
126 ip -netns ${ns} -6 addr add dev lo ${addr6}
127 fi
128
129 ip -netns ${ns} ro add unreachable default metric 8192
130 ip -netns ${ns} -6 ro add unreachable default metric 8192
131
132 ip netns exec ${ns} sysctl -qw net.ipv4.ip_forward=1
133 ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
134 ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.forwarding=1
135 ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.forwarding=1
136 ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.accept_dad=0
137 }
138
139 # create veth pair to connect namespaces and apply addresses.
140 connect_ns()
141 {
142 local ns1=$1
143 local ns1_dev=$2
144 local ns1_addr=$3
145 local ns1_addr6=$4
146 local ns2=$5
147 local ns2_dev=$6
148 local ns2_addr=$7
149 local ns2_addr6=$8
150 local ns1arg
151 local ns2arg
152
153 if [ -n "${ns1}" ]; then
154 ns1arg="-netns ${ns1}"
155 fi
156 if [ -n "${ns2}" ]; then
157 ns2arg="-netns ${ns2}"
158 fi
159
160 ip ${ns1arg} li add ${ns1_dev} type veth peer name tmp
161 ip ${ns1arg} li set ${ns1_dev} up
162 ip ${ns1arg} li set tmp netns ${ns2} name ${ns2_dev}
163 ip ${ns2arg} li set ${ns2_dev} up
164
165 if [ "${ns1_addr}" != "-" ]; then
166 ip ${ns1arg} addr add dev ${ns1_dev} ${ns1_addr}
167 ip ${ns2arg} addr add dev ${ns2_dev} ${ns2_addr}
168 fi
169
170 if [ "${ns1_addr6}" != "-" ]; then
171 ip ${ns1arg} addr add dev ${ns1_dev} ${ns1_addr6} nodad
172 ip ${ns2arg} addr add dev ${ns2_dev} ${ns2_addr6} nodad
173 fi
174 }
175
176 ################################################################################
177
178 cleanup()
179 {
180 ip netns del host1
181 ip netns del host2
182 }
183
184 setup()
185 {
186 create_ns "host1"
187 create_ns "host2"
188
189 connect_ns "host1" eth0 ${HOST1_4}/24 ${HOST1_6}/64 \
190 "host2" eth0 ${HOST2_4}/24 ${HOST2_6}/64
191
192 create_vrf "host1" ${VRF} ${TABLE}
193 ip -netns host1 link set dev eth0 master ${VRF}
194 }
195
196 cleanup_xfrm()
197 {
198 for ns in host1 host2
199 do
200 for x in state policy
201 do
202 ip -netns ${ns} xfrm ${x} flush
203 ip -6 -netns ${ns} xfrm ${x} flush
204 done
205 done
206 }
207
208 setup_xfrm()
209 {
210 local h1_4=$1
211 local h2_4=$2
212 local h1_6=$3
213 local h2_6=$4
214 local devarg="$5"
215
216 #
217 # policy
218 #
219
220 # host1 - IPv4 out
221 ip -netns host1 xfrm policy add \
222 src ${h1_4} dst ${h2_4} ${devarg} dir out \
223 tmpl src ${HOST1_4} dst ${HOST2_4} proto esp mode tunnel
224
225 # host2 - IPv4 in
226 ip -netns host2 xfrm policy add \
227 src ${h1_4} dst ${h2_4} dir in \
228 tmpl src ${HOST1_4} dst ${HOST2_4} proto esp mode tunnel
229
230 # host1 - IPv4 in
231 ip -netns host1 xfrm policy add \
232 src ${h2_4} dst ${h1_4} ${devarg} dir in \
233 tmpl src ${HOST2_4} dst ${HOST1_4} proto esp mode tunnel
234
235 # host2 - IPv4 out
236 ip -netns host2 xfrm policy add \
237 src ${h2_4} dst ${h1_4} dir out \
238 tmpl src ${HOST2_4} dst ${HOST1_4} proto esp mode tunnel
239
240
241 # host1 - IPv6 out
242 ip -6 -netns host1 xfrm policy add \
243 src ${h1_6} dst ${h2_6} ${devarg} dir out \
244 tmpl src ${HOST1_6} dst ${HOST2_6} proto esp mode tunnel
245
246 # host2 - IPv6 in
247 ip -6 -netns host2 xfrm policy add \
248 src ${h1_6} dst ${h2_6} dir in \
249 tmpl src ${HOST1_6} dst ${HOST2_6} proto esp mode tunnel
250
251 # host1 - IPv6 in
252 ip -6 -netns host1 xfrm policy add \
253 src ${h2_6} dst ${h1_6} ${devarg} dir in \
254 tmpl src ${HOST2_6} dst ${HOST1_6} proto esp mode tunnel
255
256 # host2 - IPv6 out
257 ip -6 -netns host2 xfrm policy add \
258 src ${h2_6} dst ${h1_6} dir out \
259 tmpl src ${HOST2_6} dst ${HOST1_6} proto esp mode tunnel
260
261 #
262 # state
263 #
264 ip -netns host1 xfrm state add src ${HOST1_4} dst ${HOST2_4} \
265 proto esp spi ${SPI_1} reqid 0 mode tunnel \
266 replay-window 4 replay-oseq 0x4 \
267 auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
268 enc 'cbc(des3_ede)' ${ENC_1} \
269 sel src ${h1_4} dst ${h2_4} ${devarg}
270
271 ip -netns host2 xfrm state add src ${HOST1_4} dst ${HOST2_4} \
272 proto esp spi ${SPI_1} reqid 0 mode tunnel \
273 replay-window 4 replay-oseq 0x4 \
274 auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
275 enc 'cbc(des3_ede)' ${ENC_1} \
276 sel src ${h1_4} dst ${h2_4}
277
278
279 ip -netns host1 xfrm state add src ${HOST2_4} dst ${HOST1_4} \
280 proto esp spi ${SPI_2} reqid 0 mode tunnel \
281 replay-window 4 replay-oseq 0x4 \
282 auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
283 enc 'cbc(des3_ede)' ${ENC_2} \
284 sel src ${h2_4} dst ${h1_4} ${devarg}
285
286 ip -netns host2 xfrm state add src ${HOST2_4} dst ${HOST1_4} \
287 proto esp spi ${SPI_2} reqid 0 mode tunnel \
288 replay-window 4 replay-oseq 0x4 \
289 auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
290 enc 'cbc(des3_ede)' ${ENC_2} \
291 sel src ${h2_4} dst ${h1_4}
292
293
294 ip -6 -netns host1 xfrm state add src ${HOST1_6} dst ${HOST2_6} \
295 proto esp spi ${SPI_1} reqid 0 mode tunnel \
296 replay-window 4 replay-oseq 0x4 \
297 auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
298 enc 'cbc(des3_ede)' ${ENC_1} \
299 sel src ${h1_6} dst ${h2_6} ${devarg}
300
301 ip -6 -netns host2 xfrm state add src ${HOST1_6} dst ${HOST2_6} \
302 proto esp spi ${SPI_1} reqid 0 mode tunnel \
303 replay-window 4 replay-oseq 0x4 \
304 auth-trunc 'hmac(md5)' ${AUTH_1} 96 \
305 enc 'cbc(des3_ede)' ${ENC_1} \
306 sel src ${h1_6} dst ${h2_6}
307
308
309 ip -6 -netns host1 xfrm state add src ${HOST2_6} dst ${HOST1_6} \
310 proto esp spi ${SPI_2} reqid 0 mode tunnel \
311 replay-window 4 replay-oseq 0x4 \
312 auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
313 enc 'cbc(des3_ede)' ${ENC_2} \
314 sel src ${h2_6} dst ${h1_6} ${devarg}
315
316 ip -6 -netns host2 xfrm state add src ${HOST2_6} dst ${HOST1_6} \
317 proto esp spi ${SPI_2} reqid 0 mode tunnel \
318 replay-window 4 replay-oseq 0x4 \
319 auth-trunc 'hmac(md5)' ${AUTH_2} 96 \
320 enc 'cbc(des3_ede)' ${ENC_2} \
321 sel src ${h2_6} dst ${h1_6}
322 }
323
324 cleanup_xfrm_dev()
325 {
326 ip -netns host1 li del xfrm0
327 ip -netns host2 addr del ${XFRM2_4}/24 dev eth0
328 ip -netns host2 addr del ${XFRM2_6}/64 dev eth0
329 }
330
331 setup_xfrm_dev()
332 {
333 local vrfarg="vrf ${VRF}"
334
335 ip -netns host1 li add type xfrm dev eth0 if_id ${IF_ID}
336 ip -netns host1 li set xfrm0 ${vrfarg} up
337 ip -netns host1 addr add ${XFRM1_4}/24 dev xfrm0
338 ip -netns host1 addr add ${XFRM1_6}/64 dev xfrm0
339
340 ip -netns host2 addr add ${XFRM2_4}/24 dev eth0
341 ip -netns host2 addr add ${XFRM2_6}/64 dev eth0
342
343 setup_xfrm ${XFRM1_4} ${XFRM2_4} ${XFRM1_6} ${XFRM2_6} "if_id ${IF_ID}"
344 }
345
346 run_tests()
347 {
348 cleanup_xfrm
349
350 # no IPsec
351 run_cmd_host1 ip vrf exec ${VRF} ping -c1 -w1 ${HOST2_4}
352 log_test $? 0 "IPv4 no xfrm policy"
353 run_cmd_host1 ip vrf exec ${VRF} ${ping6} -c1 -w1 ${HOST2_6}
354 log_test $? 0 "IPv6 no xfrm policy"
355
356 # xfrm without VRF in sel
357 setup_xfrm ${HOST1_4} ${HOST2_4} ${HOST1_6} ${HOST2_6}
358 run_cmd_host1 ip vrf exec ${VRF} ping -c1 -w1 ${HOST2_4}
359 log_test $? 0 "IPv4 xfrm policy based on address"
360 run_cmd_host1 ip vrf exec ${VRF} ${ping6} -c1 -w1 ${HOST2_6}
361 log_test $? 0 "IPv6 xfrm policy based on address"
362 cleanup_xfrm
363
364 # xfrm with VRF in sel
365 # Known failure: ipv4 resets the flow oif after the lookup. Fix is
366 # not straightforward.
367 # setup_xfrm ${HOST1_4} ${HOST2_4} ${HOST1_6} ${HOST2_6} "dev ${VRF}"
368 # run_cmd_host1 ip vrf exec ${VRF} ping -c1 -w1 ${HOST2_4}
369 # log_test $? 0 "IPv4 xfrm policy with VRF in selector"
370 run_cmd_host1 ip vrf exec ${VRF} ${ping6} -c1 -w1 ${HOST2_6}
371 log_test $? 0 "IPv6 xfrm policy with VRF in selector"
372 cleanup_xfrm
373
374 # xfrm with enslaved device in sel
375 # Known failures: combined with the above, __xfrm{4,6}_selector_match
376 # needs to consider both l3mdev and enslaved device index.
377 # setup_xfrm ${HOST1_4} ${HOST2_4} ${HOST1_6} ${HOST2_6} "dev eth0"
378 # run_cmd_host1 ip vrf exec ${VRF} ping -c1 -w1 ${HOST2_4}
379 # log_test $? 0 "IPv4 xfrm policy with enslaved device in selector"
380 # run_cmd_host1 ip vrf exec ${VRF} ${ping6} -c1 -w1 ${HOST2_6}
381 # log_test $? 0 "IPv6 xfrm policy with enslaved device in selector"
382 # cleanup_xfrm
383
384 # xfrm device
385 setup_xfrm_dev
386 run_cmd_host1 ip vrf exec ${VRF} ping -c1 -w1 ${XFRM2_4}
387 log_test $? 0 "IPv4 xfrm policy with xfrm device"
388 run_cmd_host1 ip vrf exec ${VRF} ${ping6} -c1 -w1 ${XFRM2_6}
389 log_test $? 0 "IPv6 xfrm policy with xfrm device"
390 cleanup_xfrm_dev
391 }
392
393 ################################################################################
394 # usage
395
396 usage()
397 {
398 cat <<EOF
399 usage: ${0##*/} OPTS
400
401 -p Pause on fail
402 -v verbose mode (show commands and output)
403
404 done
405 EOF
406 }
407
408 ################################################################################
409 # main
410
411 while getopts :pv o
412 do
413 case $o in
414 p) PAUSE_ON_FAIL=yes;;
415 v) VERBOSE=$(($VERBOSE + 1));;
416 h) usage; exit 0;;
417 *) usage; exit 1;;
418 esac
419 done
420
421 cleanup 2>/dev/null
422 setup
423
424 echo
425 echo "No qdisc on VRF device"
426 run_tests
427
428 run_cmd_host1 tc qdisc add dev ${VRF} root netem delay 100ms
429 echo
430 echo "netem qdisc on VRF device"
431 run_tests
432
433 printf "\nTests passed: %3d\n" ${nsuccess}
434 printf "Tests failed: %3d\n" ${nfail}
435
436 exit $ret
Linux with added FPC-III support