| #!/bin/bash |
| # SPDX-License-Identifier: GPL-2.0 |
| |
| # This test is designed for testing the new VRF strict_mode functionality. |
| |
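# Overall exit status of the script; log_test sets it to 1 on any failure.
ret=0

# Pass/fail counters used by log_test and print_log_test_results. They are
# initialised here so that values inherited from the caller's environment
# cannot skew the summary.
nsuccess=0
nfail=0

# identifies the "init" network namespace which is often called root network
# namespace.
INIT_NETNS_NAME="init"

# Set PAUSE_ON_FAIL=yes in the environment to stop after every failed test.
: "${PAUSE_ON_FAIL:=no}"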
| |
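# Record the outcome of one test case and print a one-line verdict.
# Globals:   nsuccess, nfail (incremented), ret (set to 1 on failure),
#            PAUSE_ON_FAIL (read)
# Arguments: $1 - observed return code
#            $2 - expected return code
#            $3 - description printed next to the verdict
# Outputs:   the verdict line on stdout
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"
	local answer

	# Quoted so that an empty or multi-word value is reported as a failed
	# comparison instead of being re-split by the shell.
	if [ "${rc}" -eq "${expected}" ]; then
		nsuccess=$((nsuccess+1))
		printf "\n TEST: %-60s [ OK ]\n" "${msg}"
		return
	fi

	ret=1
	nfail=$((nfail+1))
	printf "\n TEST: %-60s [FAIL]\n" "${msg}"

	if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
		echo
		echo "hit enter to continue, 'q' to quit"
		# -r keeps backslashes in the typed answer literal
		read -r answer
		if [ "${answer}" = "q" ]; then
			exit 1
		fi
	fi
}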
| |
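# Print the pass/fail totals accumulated by log_test.
# Globals:   TESTS, nsuccess, nfail (all read)
# Outputs:   two summary lines on stdout, unless TESTS is "none"
# NOTE(review): TESTS is not assigned anywhere in the visible script;
# presumably it can only arrive through the environment - confirm.
print_log_test_results()
{
	if [ "$TESTS" = "none" ]; then
		return
	fi

	# Default to 0 so an unset counter still prints as a number once the
	# expansion is quoted.
	printf "\nTests passed: %3d\n" "${nsuccess:-0}"
	printf "Tests failed: %3d\n" "${nfail:-0}"
}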
| |
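# Print a banner that separates one group of tests from the next.
# Arguments: the section title (all arguments are joined with spaces)
# Outputs:   an empty line and a three-line banner on stdout
log_section()
{
	local bar="################################################################################"

	# printf '%s' prints the title verbatim, whatever characters it holds
	printf '\n%s\n' "${bar}"
	printf '%s\n' "TEST SECTION: $*"
	printf '%s\n' "${bar}"
}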
| |
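# Print the extra "ip" arguments needed to operate inside a namespace.
# Globals:   INIT_NETNS_NAME (read)
# Arguments: $1 - namespace name, or ${INIT_NETNS_NAME} for the init one
# Outputs:   "-netns NAME" on stdout, or an empty line for the init namespace
ip_expand_args()
{
	local nsname=$1

	if [ "${nsname}" = "${INIT_NETNS_NAME}" ]; then
		printf '\n'
		return
	fi

	printf '%s\n' "-netns ${nsname}"
}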
| |
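# Count the VRF devices present in a namespace.
# Arguments: $1 - namespace name
# Outputs:   the number of lines printed by "ip -o link show type vrf"
vrf_count()
{
	local nsname=$1
	local nsarg

	# Assigned separately from "local" so a failing helper is not masked.
	nsarg="$(ip_expand_args "${nsname}")"

	# nsarg is either empty or "-netns NAME"; it stays unquoted on purpose
	# so that it splits into two words (or vanishes).
	# shellcheck disable=SC2086
	ip ${nsarg} -o link show type vrf | wc -l
}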
| |
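# Count the VRF devices in a namespace that are bound to a routing table.
# Arguments: $1 - namespace name
#            $2 - routing table id
# Outputs:   the number of matching devices on stdout
# Returns:   always 0
count_vrf_by_table_id()
{
	local nsname=$1
	local tableid=$2
	local nsarg

	nsarg="$(ip_expand_args "${nsname}")"

	# -w anchors the id on a word boundary, so table 100 no longer also
	# counts devices on table 1000. nsarg stays unquoted so that
	# "-netns NAME" splits into two words.
	# shellcheck disable=SC2086
	ip ${nsarg} -d -o link show type vrf | grep -cw -- "table ${tableid}"

	# grep -c exits 1 when the count is 0; the count is still printed, so
	# keep reporting success as the wc-based pipeline did.
	return 0
}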
| |
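# Create a VRF device bound to a routing table; all output is discarded.
# Arguments: $1 - namespace name
#            $2 - VRF device name
#            $3 - routing table id
# Returns:   the exit status of "ip link add"
add_vrf()
{
	local nsname=$1
	local vrfname=$2
	local vrftable=$3
	local nsarg

	nsarg="$(ip_expand_args "${nsname}")"

	# nsarg stays unquoted so that "-netns NAME" splits into two words;
	# the device name and table id are passed as single words.
	# shellcheck disable=SC2086
	ip ${nsarg} link add "${vrfname}" type vrf table "${vrftable}" &>/dev/null
}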
| |
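# Create a VRF and log a test that expects the creation to succeed.
# Arguments: $1 - namespace name
#            $2 - VRF device name
#            $3 - routing table id
add_vrf_and_check()
{
	local nsname=$1
	local vrfname=$2
	local vrftable=$3
	local cnt
	local rc

	add_vrf "${nsname}" "${vrfname}" "${vrftable}"; rc=$?

	# counted after the attempt; used only in the log message
	cnt=$(count_vrf_by_table_id "${nsname}" "${vrftable}")

	log_test "${rc}" 0 "${nsname}: add vrf ${vrfname}, ${cnt} vrfs for table ${vrftable}"
}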
| |
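# Try to create a VRF and log a test that expects the creation to be refused.
# Arguments: $1 - namespace name
#            $2 - VRF device name
#            $3 - routing table id
add_vrf_and_check_fail()
{
	local nsname=$1
	local vrfname=$2
	local vrftable=$3
	local cnt
	local rc

	add_vrf "${nsname}" "${vrfname}" "${vrftable}"; rc=$?

	# counted after the attempt; used only in the log message
	cnt=$(count_vrf_by_table_id "${nsname}" "${vrftable}")

	# Exactly 2 is expected, not just any non-zero status.
	# NOTE(review): presumably the status "ip" uses when the kernel rejects
	# the request - confirm against the iproute2 version in use.
	log_test "${rc}" 2 "${nsname}: CANNOT add vrf ${vrfname}, ${cnt} vrfs for table ${vrftable}"
}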
| |
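# Delete a VRF device and log a test that expects the deletion to succeed.
# Arguments: $1 - namespace name
#            $2 - VRF device name
del_vrf_and_check()
{
	local nsname=$1
	local vrfname=$2
	local nsarg
	local rc

	nsarg="$(ip_expand_args "${nsname}")"

	# nsarg stays unquoted so that "-netns NAME" splits into two words
	# shellcheck disable=SC2086
	ip ${nsarg} link del "${vrfname}"; rc=$?
	log_test "${rc}" 0 "${nsname}: remove vrf ${vrfname}"
}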
| |
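# Bring a VRF device up, assign it an address, and log the result.
# Arguments: $1 - namespace name
#            $2 - address in CIDR notation
#            $3 - VRF device name
config_vrf_and_check()
{
	local nsname=$1
	local addr=$2
	local vrfname=$3
	local nsarg
	local rc

	nsarg="$(ip_expand_args "${nsname}")"

	# The address is only added if the link could be brought up. nsarg
	# stays unquoted so that "-netns NAME" splits into two words.
	# shellcheck disable=SC2086
	ip ${nsarg} link set dev "${vrfname}" up && \
		ip ${nsarg} addr add "${addr}" dev "${vrfname}"
	rc=$?
	log_test "${rc}" 0 "${nsname}: vrf ${vrfname} up, addr ${addr}"
}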
| |
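# Read the net.vrf.strict_mode sysctl of a namespace.
# Globals:   INIT_NETNS_NAME (read)
# Arguments: $1 - namespace name
# Outputs:   0 or 1 on success; 255 if the value cannot be read or is not
#            exactly 0 or 1
# Returns:   0 on success, 1 on error
read_strict_mode()
{
	local nsname=$1
	local rval
	local nsexec=""

	if [ "${nsname}" != "${INIT_NETNS_NAME}" ]; then
		# a custom network namespace is provided
		nsexec="ip netns exec ${nsname}"
	fi

	# stderr is silenced inside the substitution: a redirect placed after
	# the assignment does not reach the commands that run within it.
	# nsexec stays unquoted so that it splits into a command prefix (or
	# vanishes for the init namespace); no extra shell is needed for cat.
	# shellcheck disable=SC2086
	if rval="$(${nsexec} cat /proc/sys/net/vrf/strict_mode 2>/dev/null | \
			grep -E '^[0-1]$')"; then
		printf '%s\n' "${rval}"
		return 0
	fi

	# on success, the value can be only 0 or 1; on error, 255 is reported
	echo 255
	return 1
}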
| |
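# Read strict_mode in a namespace and log whether it has the expected value.
# Arguments: $1 - namespace name
#            $2 - expected strict_mode value
read_strict_mode_compare_and_check()
{
	local nsname=$1
	local expected=$2
	local res

	# read_strict_mode prints 255 on error, which then fails the comparison
	res="$(read_strict_mode "${nsname}")"
	log_test "${res}" "${expected}" "${nsname}: check strict_mode=${res}"
}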
| |
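# Write a value to the net.vrf.strict_mode sysctl of a namespace.
# Globals:   INIT_NETNS_NAME (read)
# Arguments: $1 - namespace name
#            $2 - value to write
# Returns:   the exit status of the write; all output is discarded
set_strict_mode()
{
	local nsname=$1
	local val=$2
	local nsexec=""

	if [ "${nsname}" != "${INIT_NETNS_NAME}" ]; then
		# a custom network namespace is provided
		nsexec="ip netns exec ${nsname}"
	fi

	# The value is handed to the child shell as a positional parameter
	# instead of being pasted into the command string, so it is written
	# literally and never parsed as shell code (this script runs as root).
	# nsexec stays unquoted so that it splits into a command prefix.
	# shellcheck disable=SC2086
	${nsexec} bash -c 'echo "$1" >/proc/sys/net/vrf/strict_mode' _ "${val}" &>/dev/null
}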
| |
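# Write 1 to strict_mode in the given namespace.
# Arguments: $1 - namespace name
# Returns:   the status of set_strict_mode
enable_strict_mode()
{
	local nsname=$1

	set_strict_mode "${nsname}" 1
}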
| |
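# Write 0 to strict_mode in the given namespace.
# Arguments: $1 - namespace name
# Returns:   the status of set_strict_mode
disable_strict_mode()
{
	local nsname=$1

	set_strict_mode "${nsname}" 0
}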
| |
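# Disable strict_mode and log a test that expects the write to succeed.
# Arguments: $1 - namespace name
disable_strict_mode_and_check()
{
	local nsname=$1
	local rc

	disable_strict_mode "${nsname}"; rc=$?
	log_test "${rc}" 0 "${nsname}: disable strict_mode (=0)"
}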
| |
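# Enable strict_mode and log a test that expects the write to succeed.
# Arguments: $1 - namespace name
enable_strict_mode_and_check()
{
	local nsname=$1
	local rc

	enable_strict_mode "${nsname}"; rc=$?
	log_test "${rc}" 0 "${nsname}: enable strict_mode (=1)"
}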
| |
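# Try to enable strict_mode and log a test that expects the write to fail.
# Arguments: $1 - namespace name
enable_strict_mode_and_check_fail()
{
	local nsname=$1
	local rc

	enable_strict_mode "${nsname}"; rc=$?
	# A status of exactly 1 is expected from the failed write.
	log_test "${rc}" 1 "${nsname}: CANNOT enable strict_mode"
}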
| |
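# Log a test that expects strict_mode to be 0 before anything is changed.
# Arguments: $1 - namespace name
strict_mode_check_default()
{
	local nsname=$1
	local strictmode
	local vrfcnt

	# the VRF count is informational; it only appears in the log message
	vrfcnt=$(vrf_count "${nsname}")
	strictmode=$(read_strict_mode "${nsname}")
	log_test "${strictmode}" 0 "${nsname}: strict_mode=0 by default, ${vrfcnt} vrfs"
}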
| |
# Prepare the environment: load the vrf module and create the "testns"
# network namespace with its loopback device up.
setup()
{
	local ns=testns

	modprobe vrf

	ip netns add "${ns}"
	ip netns exec "${ns}" ip link set lo up
}
| |
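# Remove everything the tests may have created and switch strict_mode off in
# the namespace the script runs in.
# Note: the state found before the run is not saved. vrf100, vrf101 and vrf102
# are deleted from the current namespace whoever created them, and
# strict_mode is always left at 0.
cleanup()
{
	local vrf

	ip netns del testns 2>/dev/null

	for vrf in vrf100 vrf101 vrf102; do
		ip link del "${vrf}" 2>/dev/null
	done

	# The group carries the stderr redirect. Redirections apply left to
	# right, so a trailing 2>/dev/null on the echo itself would not hide
	# a failure to open the sysctl file.
	{ echo 0 >/proc/sys/net/vrf/strict_mode; } 2>/dev/null
}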
| |
# strict_mode scenario for the init network namespace.
# It changes state in the namespace the script was started in, and leaves
# strict_mode enabled there when it returns.
vrf_strict_mode_tests_init()
{
	local ns=init

	vrf_strict_mode_check_support "${ns}"

	strict_mode_check_default "${ns}"

	# one VRF on table 100, then strict_mode on
	add_vrf_and_check "${ns}" vrf100 100
	config_vrf_and_check "${ns}" 172.16.100.1/24 vrf100

	enable_strict_mode_and_check "${ns}"

	# with strict_mode on, a second VRF on table 100 must be refused
	add_vrf_and_check_fail "${ns}" vrf101 100

	disable_strict_mode_and_check "${ns}"

	# with strict_mode off, the same request must succeed
	add_vrf_and_check "${ns}" vrf101 100
	config_vrf_and_check "${ns}" 172.16.101.1/24 vrf101

	# two VRFs now share table 100, so enabling strict_mode must fail
	enable_strict_mode_and_check_fail "${ns}"

	del_vrf_and_check "${ns}" vrf101

	# back to one VRF per table: strict_mode can be enabled again
	enable_strict_mode_and_check "${ns}"

	add_vrf_and_check "${ns}" vrf102 102
	config_vrf_and_check "${ns}" 172.16.102.1/24 vrf102

	# strict_mode is enabled in the init namespace at this point
}
| |
# strict_mode scenario for the "testns" network namespace.
# It leaves strict_mode disabled in testns when it returns.
vrf_strict_mode_tests_testns()
{
	local ns=testns

	vrf_strict_mode_check_support "${ns}"

	strict_mode_check_default "${ns}"

	# strict_mode is switched on before any VRF exists
	enable_strict_mode_and_check "${ns}"

	add_vrf_and_check "${ns}" vrf100 100
	config_vrf_and_check "${ns}" 10.0.100.1/24 vrf100

	# table 100 is taken: further VRFs on it must be refused
	add_vrf_and_check_fail "${ns}" vrf101 100

	add_vrf_and_check_fail "${ns}" vrf102 100

	# a VRF on an unused table is still accepted
	add_vrf_and_check "${ns}" vrf200 200

	disable_strict_mode_and_check "${ns}"

	# with strict_mode off, table 100 can be shared
	add_vrf_and_check "${ns}" vrf101 100

	add_vrf_and_check "${ns}" vrf102 100

	# strict_mode is disabled in testns at this point
}
| |
# Scenario that interleaves strict_mode changes in the init namespace and in
# testns. Every step is logged through log_test by the helper it calls.
vrf_strict_mode_tests_mix()
{
	local host_ns=init
	local test_ns=testns

	# expected starting point: 1 in init, 0 in testns
	read_strict_mode_compare_and_check "${host_ns}" 1

	read_strict_mode_compare_and_check "${test_ns}" 0

	del_vrf_and_check "${test_ns}" vrf101

	del_vrf_and_check "${test_ns}" vrf102

	disable_strict_mode_and_check "${host_ns}"

	enable_strict_mode_and_check "${test_ns}"

	# each write is issued twice in a row
	enable_strict_mode_and_check "${host_ns}"
	enable_strict_mode_and_check "${host_ns}"

	disable_strict_mode_and_check "${test_ns}"
	disable_strict_mode_and_check "${test_ns}"

	# expected end state: 1 in init, 0 in testns
	read_strict_mode_compare_and_check "${host_ns}" 1

	read_strict_mode_compare_and_check "${test_ns}" 0
}
| |
# Run the three scenarios in order, each under its own banner: the init
# namespace, testns, then both mixed.
vrf_strict_mode_tests()
{
	local init_title="VRF strict_mode test on init network namespace"
	local testns_title="VRF strict_mode test on testns network namespace"
	local mix_title="VRF strict_mode test mixing init and testns network namespaces"

	log_section "${init_title}"
	vrf_strict_mode_tests_init

	log_section "${testns_title}"
	vrf_strict_mode_tests_testns

	log_section "${mix_title}"
	vrf_strict_mode_tests_mix
}
| |
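# Check that the vrf module is present and that strict_mode can be read.
# Arguments: $1 - namespace name
# Returns:   the status of "modinfo vrf" if the module is neither loaded nor
#            found by modinfo (nothing is logged in that case); otherwise the
#            status of read_strict_mode, which is also logged as a test
vrf_strict_mode_check_support()
{
	local nsname=$1
	local output
	local rc

	# Exact match on the module-name column, so that a module whose name
	# merely starts with "vrf" is not mistaken for the vrf module.
	output="$(lsmod | awk '$1 == "vrf" {print $1}')"
	if [ -z "${output}" ]; then
		modinfo vrf || return $?
	fi

	# we do not care about the value of the strict_mode; we only check if
	# the strict_mode parameter is available or not.
	read_strict_mode "${nsname}" &>/dev/null; rc=$?
	log_test "${rc}" 0 "${nsname}: net.vrf.strict_mode is available"

	return "${rc}"
}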
| |
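# Preconditions. Each unmet one ends the run with "SKIP" and status 0.
# NOTE(review): kselftest presumably reports skipped tests through a dedicated
# exit code; with status 0 a skipped run is indistinguishable from a pass -
# confirm which is intended.
if [ "$(id -u)" -ne 0 ]; then
	echo "SKIP: Need root privileges"
	exit 0
fi

if [ ! -x "$(command -v ip)" ]; then
	echo "SKIP: Could not run test without ip tool"
	exit 0
fi

# best effort: the sysctl check below decides whether vrf is usable
modprobe vrf &>/dev/null
if [ ! -e /proc/sys/net/vrf/strict_mode ]; then
	echo "SKIP: vrf sysctl does not exist"
	exit 0
fi

# start from a known state, whatever an earlier run left behind
cleanup &> /dev/null

# The tests change strict_mode and add VRF devices in the namespace the script
# was started in. Run cleanup on every exit path, including quitting at a
# PAUSE_ON_FAIL prompt, so that state is not left behind on the host.
trap cleanup EXIT

setup
vrf_strict_mode_tests
cleanup

print_log_test_results

exit "${ret}"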