blob: 63c3eaec8d30e737e085eaef1a2c448f7b9af45f [file] [log] [blame]
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
# This test is for checking IPv4 and IPv6 FIB rules API
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
ret=0
PAUSE_ON_FAIL=${PAUSE_ON_FAIL:=no}
IP="ip -netns testns"
IP_PEER="ip -netns peerns"
RTABLE=100
RTABLE_PEER=101
GW_IP4=192.51.100.2
SRC_IP=192.51.100.3
GW_IP6=2001:db8:1::2
SRC_IP6=2001:db8:1::3
DEV_ADDR=192.51.100.1
DEV_ADDR6=2001:db8:1::1
DEV=dummy0
TESTS="fib_rule6 fib_rule4 fib_rule6_connect fib_rule4_connect"
SELFTEST_PATH=""
log_test()
{
local rc=$1
local expected=$2
local msg="$3"
if [ ${rc} -eq ${expected} ]; then
nsuccess=$((nsuccess+1))
printf "\n TEST: %-50s [ OK ]\n" "${msg}"
else
ret=1
nfail=$((nfail+1))
printf "\n TEST: %-50s [FAIL]\n" "${msg}"
if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
echo
echo "hit enter to continue, 'q' to quit"
read a
[ "$a" = "q" ] && exit 1
fi
fi
}
log_section()
{
echo
echo "######################################################################"
echo "TEST SECTION: $*"
echo "######################################################################"
}
check_nettest()
{
if which nettest > /dev/null 2>&1; then
return 0
fi
# Add the selftest directory to PATH if not already done
if [ "${SELFTEST_PATH}" = "" ]; then
SELFTEST_PATH="$(dirname $0)"
PATH="${PATH}:${SELFTEST_PATH}"
# Now retry with the new path
if which nettest > /dev/null 2>&1; then
return 0
fi
if [ "${ret}" -eq 0 ]; then
ret="${ksft_skip}"
fi
echo "nettest not found (try 'make -C ${SELFTEST_PATH} nettest')"
fi
return 1
}
setup()
{
set -e
ip netns add testns
$IP link set dev lo up
$IP link add dummy0 type dummy
$IP link set dev dummy0 up
$IP address add $DEV_ADDR/24 dev dummy0
$IP -6 address add $DEV_ADDR6/64 dev dummy0
set +e
}
cleanup()
{
$IP link del dev dummy0 &> /dev/null
ip netns del testns
}
setup_peer()
{
set -e
ip netns add peerns
$IP_PEER link set dev lo up
ip link add name veth0 netns testns type veth \
peer name veth1 netns peerns
$IP link set dev veth0 up
$IP_PEER link set dev veth1 up
$IP address add 192.0.2.10 peer 192.0.2.11/32 dev veth0
$IP_PEER address add 192.0.2.11 peer 192.0.2.10/32 dev veth1
$IP address add 2001:db8::10 peer 2001:db8::11/128 dev veth0 nodad
$IP_PEER address add 2001:db8::11 peer 2001:db8::10/128 dev veth1 nodad
$IP_PEER address add 198.51.100.11/32 dev lo
$IP route add table $RTABLE_PEER 198.51.100.11/32 via 192.0.2.11
$IP_PEER address add 2001:db8::1:11/128 dev lo
$IP route add table $RTABLE_PEER 2001:db8::1:11/128 via 2001:db8::11
set +e
}
cleanup_peer()
{
$IP link del dev veth0
ip netns del peerns
}
fib_check_iproute_support()
{
ip rule help 2>&1 | grep -q $1
if [ $? -ne 0 ]; then
echo "SKIP: iproute2 iprule too old, missing $1 match"
return 1
fi
ip route get help 2>&1 | grep -q $2
if [ $? -ne 0 ]; then
echo "SKIP: iproute2 get route too old, missing $2 match"
return 1
fi
return 0
}
fib_rule6_del()
{
$IP -6 rule del $1
log_test $? 0 "rule6 del $1"
}
fib_rule6_del_by_pref()
{
pref=$($IP -6 rule show $1 table $RTABLE | cut -d ":" -f 1)
$IP -6 rule del pref $pref
}
fib_rule6_test_match_n_redirect()
{
local match="$1"
local getmatch="$2"
local description="$3"
$IP -6 rule add $match table $RTABLE
$IP -6 route get $GW_IP6 $getmatch | grep -q "table $RTABLE"
log_test $? 0 "rule6 check: $description"
fib_rule6_del_by_pref "$match"
log_test $? 0 "rule6 del by pref: $description"
}
fib_rule6_test_reject()
{
local match="$1"
local rc
$IP -6 rule add $match table $RTABLE 2>/dev/null
rc=$?
log_test $rc 2 "rule6 check: $match"
if [ $rc -eq 0 ]; then
$IP -6 rule del $match table $RTABLE
fi
}
fib_rule6_test()
{
local getmatch
local match
local cnt
# setup the fib rule redirect route
$IP -6 route add table $RTABLE default via $GW_IP6 dev $DEV onlink
match="oif $DEV"
fib_rule6_test_match_n_redirect "$match" "$match" "oif redirect to table"
match="from $SRC_IP6 iif $DEV"
fib_rule6_test_match_n_redirect "$match" "$match" "iif redirect to table"
# Reject dsfield (tos) options which have ECN bits set
for cnt in $(seq 1 3); do
match="dsfield $cnt"
fib_rule6_test_reject "$match"
done
# Don't take ECN bits into account when matching on dsfield
match="tos 0x10"
for cnt in "0x10" "0x11" "0x12" "0x13"; do
# Using option 'tos' instead of 'dsfield' as old iproute2
# versions don't support 'dsfield' in ip rule show.
getmatch="tos $cnt"
fib_rule6_test_match_n_redirect "$match" "$getmatch" \
"$getmatch redirect to table"
done
match="fwmark 0x64"
getmatch="mark 0x64"
fib_rule6_test_match_n_redirect "$match" "$getmatch" "fwmark redirect to table"
fib_check_iproute_support "uidrange" "uid"
if [ $? -eq 0 ]; then
match="uidrange 100-100"
getmatch="uid 100"
fib_rule6_test_match_n_redirect "$match" "$getmatch" "uid redirect to table"
fi
fib_check_iproute_support "sport" "sport"
if [ $? -eq 0 ]; then
match="sport 666 dport 777"
fib_rule6_test_match_n_redirect "$match" "$match" "sport and dport redirect to table"
fi
fib_check_iproute_support "ipproto" "ipproto"
if [ $? -eq 0 ]; then
match="ipproto tcp"
fib_rule6_test_match_n_redirect "$match" "$match" "ipproto match"
fi
fib_check_iproute_support "ipproto" "ipproto"
if [ $? -eq 0 ]; then
match="ipproto ipv6-icmp"
fib_rule6_test_match_n_redirect "$match" "$match" "ipproto ipv6-icmp match"
fi
}
# Verify that the IPV6_TCLASS option of UDPv6 and TCPv6 sockets is properly
# taken into account when connecting the socket and when sending packets.
fib_rule6_connect_test()
{
local dsfield
if ! check_nettest; then
echo "SKIP: Could not run test without nettest tool"
return
fi
setup_peer
$IP -6 rule add dsfield 0x04 table $RTABLE_PEER
# Combine the base DS Field value (0x04) with all possible ECN values
# (Not-ECT: 0, ECT(1): 1, ECT(0): 2, CE: 3).
# The ECN bits shouldn't influence the result of the test.
for dsfield in 0x04 0x05 0x06 0x07; do
nettest -q -6 -B -t 5 -N testns -O peerns -U -D \
-Q "${dsfield}" -l 2001:db8::1:11 -r 2001:db8::1:11
log_test $? 0 "rule6 dsfield udp connect (dsfield ${dsfield})"
nettest -q -6 -B -t 5 -N testns -O peerns -Q "${dsfield}" \
-l 2001:db8::1:11 -r 2001:db8::1:11
log_test $? 0 "rule6 dsfield tcp connect (dsfield ${dsfield})"
done
$IP -6 rule del dsfield 0x04 table $RTABLE_PEER
cleanup_peer
}
fib_rule4_del()
{
$IP rule del $1
log_test $? 0 "del $1"
}
fib_rule4_del_by_pref()
{
pref=$($IP rule show $1 table $RTABLE | cut -d ":" -f 1)
$IP rule del pref $pref
}
fib_rule4_test_match_n_redirect()
{
local match="$1"
local getmatch="$2"
local description="$3"
$IP rule add $match table $RTABLE
$IP route get $GW_IP4 $getmatch | grep -q "table $RTABLE"
log_test $? 0 "rule4 check: $description"
fib_rule4_del_by_pref "$match"
log_test $? 0 "rule4 del by pref: $description"
}
fib_rule4_test_reject()
{
local match="$1"
local rc
$IP rule add $match table $RTABLE 2>/dev/null
rc=$?
log_test $rc 2 "rule4 check: $match"
if [ $rc -eq 0 ]; then
$IP rule del $match table $RTABLE
fi
}
fib_rule4_test()
{
local getmatch
local match
local cnt
# setup the fib rule redirect route
$IP route add table $RTABLE default via $GW_IP4 dev $DEV onlink
match="oif $DEV"
fib_rule4_test_match_n_redirect "$match" "$match" "oif redirect to table"
# need enable forwarding and disable rp_filter temporarily as all the
# addresses are in the same subnet and egress device == ingress device.
ip netns exec testns sysctl -qw net.ipv4.ip_forward=1
ip netns exec testns sysctl -qw net.ipv4.conf.$DEV.rp_filter=0
match="from $SRC_IP iif $DEV"
fib_rule4_test_match_n_redirect "$match" "$match" "iif redirect to table"
ip netns exec testns sysctl -qw net.ipv4.ip_forward=0
# Reject dsfield (tos) options which have ECN bits set
for cnt in $(seq 1 3); do
match="dsfield $cnt"
fib_rule4_test_reject "$match"
done
# Don't take ECN bits into account when matching on dsfield
match="tos 0x10"
for cnt in "0x10" "0x11" "0x12" "0x13"; do
# Using option 'tos' instead of 'dsfield' as old iproute2
# versions don't support 'dsfield' in ip rule show.
getmatch="tos $cnt"
fib_rule4_test_match_n_redirect "$match" "$getmatch" \
"$getmatch redirect to table"
done
match="fwmark 0x64"
getmatch="mark 0x64"
fib_rule4_test_match_n_redirect "$match" "$getmatch" "fwmark redirect to table"
fib_check_iproute_support "uidrange" "uid"
if [ $? -eq 0 ]; then
match="uidrange 100-100"
getmatch="uid 100"
fib_rule4_test_match_n_redirect "$match" "$getmatch" "uid redirect to table"
fi
fib_check_iproute_support "sport" "sport"
if [ $? -eq 0 ]; then
match="sport 666 dport 777"
fib_rule4_test_match_n_redirect "$match" "$match" "sport and dport redirect to table"
fi
fib_check_iproute_support "ipproto" "ipproto"
if [ $? -eq 0 ]; then
match="ipproto tcp"
fib_rule4_test_match_n_redirect "$match" "$match" "ipproto tcp match"
fi
fib_check_iproute_support "ipproto" "ipproto"
if [ $? -eq 0 ]; then
match="ipproto icmp"
fib_rule4_test_match_n_redirect "$match" "$match" "ipproto icmp match"
fi
}
# Verify that the IP_TOS option of UDPv4 and TCPv4 sockets is properly taken
# into account when connecting the socket and when sending packets.
fib_rule4_connect_test()
{
local dsfield
if ! check_nettest; then
echo "SKIP: Could not run test without nettest tool"
return
fi
setup_peer
$IP -4 rule add dsfield 0x04 table $RTABLE_PEER
# Combine the base DS Field value (0x04) with all possible ECN values
# (Not-ECT: 0, ECT(1): 1, ECT(0): 2, CE: 3).
# The ECN bits shouldn't influence the result of the test.
for dsfield in 0x04 0x05 0x06 0x07; do
nettest -q -B -t 5 -N testns -O peerns -D -U -Q "${dsfield}" \
-l 198.51.100.11 -r 198.51.100.11
log_test $? 0 "rule4 dsfield udp connect (dsfield ${dsfield})"
nettest -q -B -t 5 -N testns -O peerns -Q "${dsfield}" \
-l 198.51.100.11 -r 198.51.100.11
log_test $? 0 "rule4 dsfield tcp connect (dsfield ${dsfield})"
done
$IP -4 rule del dsfield 0x04 table $RTABLE_PEER
cleanup_peer
}
run_fibrule_tests()
{
log_section "IPv4 fib rule"
fib_rule4_test
log_section "IPv6 fib rule"
fib_rule6_test
}
################################################################################
# usage
usage()
{
cat <<EOF
usage: ${0##*/} OPTS
-t <test> Test(s) to run (default: all)
(options: $TESTS)
EOF
}
################################################################################
# main
while getopts ":t:h" opt; do
case $opt in
t) TESTS=$OPTARG;;
h) usage; exit 0;;
*) usage; exit 1;;
esac
done
if [ "$(id -u)" -ne 0 ];then
echo "SKIP: Need root privileges"
exit $ksft_skip
fi
if [ ! -x "$(command -v ip)" ]; then
echo "SKIP: Could not run test without ip tool"
exit $ksft_skip
fi
# start clean
cleanup &> /dev/null
setup
for t in $TESTS
do
case $t in
fib_rule6_test|fib_rule6) fib_rule6_test;;
fib_rule4_test|fib_rule4) fib_rule4_test;;
fib_rule6_connect_test|fib_rule6_connect) fib_rule6_connect_test;;
fib_rule4_connect_test|fib_rule4_connect) fib_rule4_connect_test;;
help) echo "Test names: $TESTS"; exit 0;;
esac
done
cleanup
if [ "$TESTS" != "none" ]; then
printf "\nTests passed: %3d\n" ${nsuccess}
printf "Tests failed: %3d\n" ${nfail}
fi
exit $ret