1#!/bin/bash 2# SPDX-License-Identifier: GPL-2.0 3 4# This test is for checking IPv4 and IPv6 FIB rules API 5 6source lib.sh 7ret=0 8PAUSE_ON_FAIL=${PAUSE_ON_FAIL:=no} 9 10RTABLE=100 11RTABLE_PEER=101 12RTABLE_VRF=102 13GW_IP4=192.51.100.2 14SRC_IP=192.51.100.3 15GW_IP6=2001:db8:1::2 16SRC_IP6=2001:db8:1::3 17 18DEV_ADDR=192.51.100.1 19DEV_ADDR6=2001:db8:1::1 20DEV=dummy0 21TESTS=" 22 fib_rule6 23 fib_rule4 24 fib_rule6_connect 25 fib_rule4_connect 26 fib_rule6_vrf 27 fib_rule4_vrf 28" 29 30SELFTEST_PATH="" 31 32log_test() 33{ 34 local rc=$1 35 local expected=$2 36 local msg="$3" 37 38 if [ ${rc} -eq ${expected} ]; then 39 nsuccess=$((nsuccess+1)) 40 printf " TEST: %-60s [ OK ]\n" "${msg}" 41 else 42 ret=1 43 nfail=$((nfail+1)) 44 printf " TEST: %-60s [FAIL]\n" "${msg}" 45 if [ "${PAUSE_ON_FAIL}" = "yes" ]; then 46 echo 47 echo "hit enter to continue, 'q' to quit" 48 read a 49 [ "$a" = "q" ] && exit 1 50 fi 51 fi 52} 53 54setup() 55{ 56 set -e 57 setup_ns testns 58 IP="ip -netns $testns" 59 60 $IP link add dummy0 type dummy 61 $IP link set dev dummy0 up 62 $IP address add $DEV_ADDR/24 dev dummy0 63 $IP -6 address add $DEV_ADDR6/64 dev dummy0 64 65 set +e 66} 67 68cleanup() 69{ 70 $IP link del dev dummy0 &> /dev/null 71 cleanup_ns $testns 72} 73 74setup_peer() 75{ 76 set -e 77 78 setup_ns peerns 79 IP_PEER="ip -netns $peerns" 80 $IP_PEER link set dev lo up 81 82 ip link add name veth0 netns $testns type veth \ 83 peer name veth1 netns $peerns 84 $IP link set dev veth0 up 85 $IP_PEER link set dev veth1 up 86 87 $IP address add 192.0.2.10 peer 192.0.2.11/32 dev veth0 88 $IP_PEER address add 192.0.2.11 peer 192.0.2.10/32 dev veth1 89 90 $IP address add 2001:db8::10 peer 2001:db8::11/128 dev veth0 nodad 91 $IP_PEER address add 2001:db8::11 peer 2001:db8::10/128 dev veth1 nodad 92 93 $IP_PEER address add 198.51.100.11/32 dev lo 94 $IP route add table $RTABLE_PEER 198.51.100.11/32 via 192.0.2.11 95 96 $IP_PEER address add 2001:db8::1:11/128 dev lo 97 $IP route add table $RTABLE_PEER 2001:db8::1:11/128 via 2001:db8::11 98 99 set +e 100} 101 102cleanup_peer() 103{ 104 $IP link del dev veth0 105 ip netns del $peerns 106} 107 108setup_vrf() 109{ 110 $IP link add name vrf0 up type vrf table $RTABLE_VRF 111 $IP link set dev $DEV master vrf0 112} 113 114cleanup_vrf() 115{ 116 $IP link del dev vrf0 117} 118 119fib_check_iproute_support() 120{ 121 ip rule help 2>&1 | grep -q $1 122 if [ $? -ne 0 ]; then 123 echo "SKIP: iproute2 iprule too old, missing $1 match" 124 return 1 125 fi 126 127 ip route get help 2>&1 | grep -q $2 128 if [ $? -ne 0 ]; then 129 echo "SKIP: iproute2 get route too old, missing $2 match" 130 return 1 131 fi 132 133 return 0 134} 135 136fib_rule6_del() 137{ 138 $IP -6 rule del $1 139 log_test $? 0 "rule6 del $1" 140} 141 142fib_rule6_del_by_pref() 143{ 144 pref=$($IP -6 rule show $1 table $RTABLE | cut -d ":" -f 1) 145 $IP -6 rule del pref $pref 146} 147 148fib_rule6_test_match_n_redirect() 149{ 150 local match="$1" 151 local getmatch="$2" 152 local getnomatch="$3" 153 local description="$4" 154 local nomatch_description="$5" 155 156 $IP -6 rule add $match table $RTABLE 157 $IP -6 route get $GW_IP6 $getmatch | grep -q "table $RTABLE" 158 log_test $? 0 "rule6 check: $description" 159 160 $IP -6 route get $GW_IP6 $getnomatch 2>&1 | grep -q "table $RTABLE" 161 log_test $? 1 "rule6 check: $nomatch_description" 162 163 fib_rule6_del_by_pref "$match" 164 log_test $? 0 "rule6 del by pref: $description" 165} 166 167fib_rule6_test_reject() 168{ 169 local match="$1" 170 local rc 171 172 $IP -6 rule add $match table $RTABLE 2>/dev/null 173 rc=$? 174 log_test $rc 2 "rule6 check: $match" 175 176 if [ $rc -eq 0 ]; then 177 $IP -6 rule del $match table $RTABLE 178 fi 179} 180 181fib_rule6_test() 182{ 183 local ext_name=$1; shift 184 local getnomatch 185 local getmatch 186 local match 187 local cnt 188 189 echo 190 echo "IPv6 FIB rule tests $ext_name" 191 192 # setup the fib rule redirect route 193 $IP -6 route add table $RTABLE default via $GW_IP6 dev $DEV onlink 194 195 match="oif $DEV" 196 getnomatch="oif lo" 197 fib_rule6_test_match_n_redirect "$match" "$match" "$getnomatch" \ 198 "oif redirect to table" "oif no redirect to table" 199 200 match="from $SRC_IP6 iif $DEV" 201 getnomatch="from $SRC_IP6 iif lo" 202 fib_rule6_test_match_n_redirect "$match" "$match" "$getnomatch" \ 203 "iif redirect to table" "iif no redirect to table" 204 205 # Reject dsfield (tos) options which have ECN bits set 206 for cnt in $(seq 1 3); do 207 match="dsfield $cnt" 208 fib_rule6_test_reject "$match" 209 done 210 211 # Don't take ECN bits into account when matching on dsfield 212 match="tos 0x10" 213 for cnt in "0x10" "0x11" "0x12" "0x13"; do 214 # Using option 'tos' instead of 'dsfield' as old iproute2 215 # versions don't support 'dsfield' in ip rule show. 216 getmatch="tos $cnt" 217 getnomatch="tos 0x20" 218 fib_rule6_test_match_n_redirect "$match" "$getmatch" \ 219 "$getnomatch" "$getmatch redirect to table" \ 220 "$getnomatch no redirect to table" 221 done 222 223 # Re-test TOS matching, but with input routes since they are handled 224 # differently from output routes. 225 match="tos 0x10" 226 for cnt in "0x10" "0x11" "0x12" "0x13"; do 227 getmatch="tos $cnt" 228 getnomatch="tos 0x20" 229 fib_rule6_test_match_n_redirect "$match" \ 230 "from $SRC_IP6 iif $DEV $getmatch" \ 231 "from $SRC_IP6 iif $DEV $getnomatch" \ 232 "iif $getmatch redirect to table" \ 233 "iif $getnomatch no redirect to table" 234 done 235 236 match="fwmark 0x64" 237 getmatch="mark 0x64" 238 getnomatch="mark 0x63" 239 fib_rule6_test_match_n_redirect "$match" "$getmatch" "$getnomatch" \ 240 "fwmark redirect to table" "fwmark no redirect to table" 241 242 fib_check_iproute_support "uidrange" "uid" 243 if [ $? -eq 0 ]; then 244 match="uidrange 100-100" 245 getmatch="uid 100" 246 getnomatch="uid 101" 247 fib_rule6_test_match_n_redirect "$match" "$getmatch" \ 248 "$getnomatch" "uid redirect to table" \ 249 "uid no redirect to table" 250 fi 251 252 fib_check_iproute_support "sport" "sport" 253 if [ $? -eq 0 ]; then 254 match="sport 666 dport 777" 255 getnomatch="sport 667 dport 778" 256 fib_rule6_test_match_n_redirect "$match" "$match" \ 257 "$getnomatch" "sport and dport redirect to table" \ 258 "sport and dport no redirect to table" 259 260 match="sport 100-200 dport 300-400" 261 getmatch="sport 100 dport 400" 262 getnomatch="sport 100 dport 401" 263 fib_rule6_test_match_n_redirect "$match" "$getmatch" \ 264 "$getnomatch" \ 265 "sport and dport range redirect to table" \ 266 "sport and dport range no redirect to table" 267 fi 268 269 ip rule help 2>&1 | grep sport | grep -q MASK 270 if [ $? -eq 0 ]; then 271 match="sport 0x0f00/0xff00 dport 0x000f/0x00ff" 272 getmatch="sport 0x0f11 dport 0x220f" 273 getnomatch="sport 0x1f11 dport 0x221f" 274 fib_rule6_test_match_n_redirect "$match" "$getmatch" \ 275 "$getnomatch" "sport and dport masked redirect to table" \ 276 "sport and dport masked no redirect to table" 277 fi 278 279 fib_check_iproute_support "ipproto" "ipproto" 280 if [ $? -eq 0 ]; then 281 match="ipproto tcp" 282 getnomatch="ipproto udp" 283 fib_rule6_test_match_n_redirect "$match" "$match" \ 284 "$getnomatch" "ipproto tcp match" "ipproto udp no match" 285 fi 286 287 fib_check_iproute_support "ipproto" "ipproto" 288 if [ $? -eq 0 ]; then 289 match="ipproto ipv6-icmp" 290 getnomatch="ipproto tcp" 291 fib_rule6_test_match_n_redirect "$match" "$match" \ 292 "$getnomatch" "ipproto ipv6-icmp match" \ 293 "ipproto ipv6-tcp no match" 294 fi 295 296 fib_check_iproute_support "dscp" "tos" 297 if [ $? -eq 0 ]; then 298 match="dscp 0x3f" 299 getmatch="tos 0xfc" 300 getnomatch="tos 0xf4" 301 fib_rule6_test_match_n_redirect "$match" "$getmatch" \ 302 "$getnomatch" "dscp redirect to table" \ 303 "dscp no redirect to table" 304 305 match="dscp 0x3f" 306 getmatch="from $SRC_IP6 iif $DEV tos 0xfc" 307 getnomatch="from $SRC_IP6 iif $DEV tos 0xf4" 308 fib_rule6_test_match_n_redirect "$match" "$getmatch" \ 309 "$getnomatch" "iif dscp redirect to table" \ 310 "iif dscp no redirect to table" 311 fi 312 313 ip rule help 2>&1 | grep -q "DSCP\[/MASK\]" 314 if [ $? -eq 0 ]; then 315 match="dscp 0x0f/0x0f" 316 tosmatch=$(printf 0x"%x" $((0x1f << 2))) 317 tosnomatch=$(printf 0x"%x" $((0x1e << 2))) 318 getmatch="tos $tosmatch" 319 getnomatch="tos $tosnomatch" 320 fib_rule6_test_match_n_redirect "$match" "$getmatch" \ 321 "$getnomatch" "dscp masked redirect to table" \ 322 "dscp masked no redirect to table" 323 324 match="dscp 0x0f/0x0f" 325 getmatch="from $SRC_IP6 iif $DEV tos $tosmatch" 326 getnomatch="from $SRC_IP6 iif $DEV tos $tosnomatch" 327 fib_rule6_test_match_n_redirect "$match" "$getmatch" \ 328 "$getnomatch" "iif dscp masked redirect to table" \ 329 "iif dscp masked no redirect to table" 330 fi 331 332 fib_check_iproute_support "flowlabel" "flowlabel" 333 if [ $? -eq 0 ]; then 334 match="flowlabel 0xfffff" 335 getmatch="flowlabel 0xfffff" 336 getnomatch="flowlabel 0xf" 337 fib_rule6_test_match_n_redirect "$match" "$getmatch" \ 338 "$getnomatch" "flowlabel redirect to table" \ 339 "flowlabel no redirect to table" 340 341 match="flowlabel 0xfffff" 342 getmatch="from $SRC_IP6 iif $DEV flowlabel 0xfffff" 343 getnomatch="from $SRC_IP6 iif $DEV flowlabel 0xf" 344 fib_rule6_test_match_n_redirect "$match" "$getmatch" \ 345 "$getnomatch" "iif flowlabel redirect to table" \ 346 "iif flowlabel no redirect to table" 347 348 match="flowlabel 0x08000/0x08000" 349 getmatch="flowlabel 0xfffff" 350 getnomatch="flowlabel 0xf7fff" 351 fib_rule6_test_match_n_redirect "$match" "$getmatch" \ 352 "$getnomatch" "flowlabel masked redirect to table" \ 353 "flowlabel masked no redirect to table" 354 355 match="flowlabel 0x08000/0x08000" 356 getmatch="from $SRC_IP6 iif $DEV flowlabel 0xfffff" 357 getnomatch="from $SRC_IP6 iif $DEV flowlabel 0xf7fff" 358 fib_rule6_test_match_n_redirect "$match" "$getmatch" \ 359 "$getnomatch" "iif flowlabel masked redirect to table" \ 360 "iif flowlabel masked no redirect to table" 361 fi 362 363 $IP link show dev $DEV | grep -q vrf0 364 if [ $? -eq 0 ]; then 365 match="oif vrf0" 366 getmatch="oif $DEV" 367 getnomatch="oif lo" 368 fib_rule6_test_match_n_redirect "$match" "$getmatch" \ 369 "$getnomatch" "VRF oif redirect to table" \ 370 "VRF oif no redirect to table" 371 372 match="from $SRC_IP6 iif vrf0" 373 getmatch="from $SRC_IP6 iif $DEV" 374 getnomatch="from $SRC_IP6 iif lo" 375 fib_rule6_test_match_n_redirect "$match" "$getmatch" \ 376 "$getnomatch" "VRF iif redirect to table" \ 377 "VRF iif no redirect to table" 378 fi 379} 380 381fib_rule6_vrf_test() 382{ 383 setup_vrf 384 fib_rule6_test "- with VRF" 385 cleanup_vrf 386} 387 388# Verify that the IPV6_TCLASS option of UDPv6 and TCPv6 sockets is properly 389# taken into account when connecting the socket and when sending packets. 390fib_rule6_connect_test() 391{ 392 local dsfield 393 394 echo 395 echo "IPv6 FIB rule connect tests" 396 397 setup_peer 398 $IP -6 rule add dsfield 0x04 table $RTABLE_PEER 399 400 # Combine the base DS Field value (0x04) with all possible ECN values 401 # (Not-ECT: 0, ECT(1): 1, ECT(0): 2, CE: 3). 402 # The ECN bits shouldn't influence the result of the test. 403 for dsfield in 0x04 0x05 0x06 0x07; do 404 nettest -q -6 -B -t 5 -N $testns -O $peerns -U -D \ 405 -Q "${dsfield}" -l 2001:db8::1:11 -r 2001:db8::1:11 406 log_test $? 0 "rule6 dsfield udp connect (dsfield ${dsfield})" 407 408 nettest -q -6 -B -t 5 -N $testns -O $peerns -Q "${dsfield}" \ 409 -l 2001:db8::1:11 -r 2001:db8::1:11 410 log_test $? 0 "rule6 dsfield tcp connect (dsfield ${dsfield})" 411 done 412 413 # Check that UDP and TCP connections fail when using a DS Field that 414 # does not match the previously configured FIB rule. 415 nettest -q -6 -B -t 5 -N $testns -O $peerns -U -D \ 416 -Q 0x20 -l 2001:db8::1:11 -r 2001:db8::1:11 417 log_test $? 1 "rule6 dsfield udp no connect (dsfield 0x20)" 418 419 nettest -q -6 -B -t 5 -N $testns -O $peerns -Q 0x20 \ 420 -l 2001:db8::1:11 -r 2001:db8::1:11 421 log_test $? 1 "rule6 dsfield tcp no connect (dsfield 0x20)" 422 423 $IP -6 rule del dsfield 0x04 table $RTABLE_PEER 424 425 ip rule help 2>&1 | grep -q dscp 426 if [ $? -ne 0 ]; then 427 echo "SKIP: iproute2 iprule too old, missing dscp match" 428 cleanup_peer 429 return 430 fi 431 432 $IP -6 rule add dscp 0x3f table $RTABLE_PEER 433 434 nettest -q -6 -B -t 5 -N $testns -O $peerns -U -D -Q 0xfc \ 435 -l 2001:db8::1:11 -r 2001:db8::1:11 436 log_test $? 0 "rule6 dscp udp connect" 437 438 nettest -q -6 -B -t 5 -N $testns -O $peerns -Q 0xfc \ 439 -l 2001:db8::1:11 -r 2001:db8::1:11 440 log_test $? 0 "rule6 dscp tcp connect" 441 442 nettest -q -6 -B -t 5 -N $testns -O $peerns -U -D -Q 0xf4 \ 443 -l 2001:db8::1:11 -r 2001:db8::1:11 444 log_test $? 1 "rule6 dscp udp no connect" 445 446 nettest -q -6 -B -t 5 -N $testns -O $peerns -Q 0xf4 \ 447 -l 2001:db8::1:11 -r 2001:db8::1:11 448 log_test $? 1 "rule6 dscp tcp no connect" 449 450 $IP -6 rule del dscp 0x3f table $RTABLE_PEER 451 452 cleanup_peer 453} 454 455fib_rule4_del() 456{ 457 $IP rule del $1 458 log_test $? 0 "del $1" 459} 460 461fib_rule4_del_by_pref() 462{ 463 pref=$($IP rule show $1 table $RTABLE | cut -d ":" -f 1) 464 $IP rule del pref $pref 465} 466 467fib_rule4_test_match_n_redirect() 468{ 469 local match="$1" 470 local getmatch="$2" 471 local getnomatch="$3" 472 local description="$4" 473 local nomatch_description="$5" 474 475 $IP rule add $match table $RTABLE 476 $IP route get $GW_IP4 $getmatch | grep -q "table $RTABLE" 477 log_test $? 0 "rule4 check: $description" 478 479 $IP route get $GW_IP4 $getnomatch 2>&1 | grep -q "table $RTABLE" 480 log_test $? 1 "rule4 check: $nomatch_description" 481 482 fib_rule4_del_by_pref "$match" 483 log_test $? 0 "rule4 del by pref: $description" 484} 485 486fib_rule4_test_reject() 487{ 488 local match="$1" 489 local rc 490 491 $IP rule add $match table $RTABLE 2>/dev/null 492 rc=$? 493 log_test $rc 2 "rule4 check: $match" 494 495 if [ $rc -eq 0 ]; then 496 $IP rule del $match table $RTABLE 497 fi 498} 499 500fib_rule4_test() 501{ 502 local ext_name=$1; shift 503 local getnomatch 504 local getmatch 505 local match 506 local cnt 507 508 echo 509 echo "IPv4 FIB rule tests $ext_name" 510 511 # setup the fib rule redirect route 512 $IP route add table $RTABLE default via $GW_IP4 dev $DEV onlink 513 514 match="oif $DEV" 515 getnomatch="oif lo" 516 fib_rule4_test_match_n_redirect "$match" "$match" "$getnomatch" \ 517 "oif redirect to table" "oif no redirect to table" 518 519 # Enable forwarding and disable rp_filter as all the addresses are in 520 # the same subnet and egress device == ingress device. 521 ip netns exec $testns sysctl -qw net.ipv4.ip_forward=1 522 ip netns exec $testns sysctl -qw net.ipv4.conf.$DEV.rp_filter=0 523 match="from $SRC_IP iif $DEV" 524 getnomatch="from $SRC_IP iif lo" 525 fib_rule4_test_match_n_redirect "$match" "$match" "$getnomatch" \ 526 "iif redirect to table" "iif no redirect to table" 527 528 # Reject dsfield (tos) options which have ECN bits set 529 for cnt in $(seq 1 3); do 530 match="dsfield $cnt" 531 fib_rule4_test_reject "$match" 532 done 533 534 # Don't take ECN bits into account when matching on dsfield 535 match="tos 0x10" 536 for cnt in "0x10" "0x11" "0x12" "0x13"; do 537 # Using option 'tos' instead of 'dsfield' as old iproute2 538 # versions don't support 'dsfield' in ip rule show. 539 getmatch="tos $cnt" 540 getnomatch="tos 0x20" 541 fib_rule4_test_match_n_redirect "$match" "$getmatch" \ 542 "$getnomatch" "$getmatch redirect to table" \ 543 "$getnomatch no redirect to table" 544 done 545 546 # Re-test TOS matching, but with input routes since they are handled 547 # differently from output routes. 548 match="tos 0x10" 549 for cnt in "0x10" "0x11" "0x12" "0x13"; do 550 getmatch="tos $cnt" 551 getnomatch="tos 0x20" 552 fib_rule4_test_match_n_redirect "$match" \ 553 "from $SRC_IP iif $DEV $getmatch" \ 554 "from $SRC_IP iif $DEV $getnomatch" \ 555 "iif $getmatch redirect to table" \ 556 "iif $getnomatch no redirect to table" 557 done 558 559 match="fwmark 0x64" 560 getmatch="mark 0x64" 561 getnomatch="mark 0x63" 562 fib_rule4_test_match_n_redirect "$match" "$getmatch" "$getnomatch" \ 563 "fwmark redirect to table" "fwmark no redirect to table" 564 565 fib_check_iproute_support "uidrange" "uid" 566 if [ $? -eq 0 ]; then 567 match="uidrange 100-100" 568 getmatch="uid 100" 569 getnomatch="uid 101" 570 fib_rule4_test_match_n_redirect "$match" "$getmatch" \ 571 "$getnomatch" "uid redirect to table" \ 572 "uid no redirect to table" 573 fi 574 575 fib_check_iproute_support "sport" "sport" 576 if [ $? -eq 0 ]; then 577 match="sport 666 dport 777" 578 getnomatch="sport 667 dport 778" 579 fib_rule4_test_match_n_redirect "$match" "$match" \ 580 "$getnomatch" "sport and dport redirect to table" \ 581 "sport and dport no redirect to table" 582 583 match="sport 100-200 dport 300-400" 584 getmatch="sport 100 dport 400" 585 getnomatch="sport 100 dport 401" 586 fib_rule4_test_match_n_redirect "$match" "$getmatch" \ 587 "$getnomatch" \ 588 "sport and dport range redirect to table" \ 589 "sport and dport range no redirect to table" 590 fi 591 592 ip rule help 2>&1 | grep sport | grep -q MASK 593 if [ $? -eq 0 ]; then 594 match="sport 0x0f00/0xff00 dport 0x000f/0x00ff" 595 getmatch="sport 0x0f11 dport 0x220f" 596 getnomatch="sport 0x1f11 dport 0x221f" 597 fib_rule4_test_match_n_redirect "$match" "$getmatch" \ 598 "$getnomatch" "sport and dport masked redirect to table" \ 599 "sport and dport masked no redirect to table" 600 fi 601 602 fib_check_iproute_support "ipproto" "ipproto" 603 if [ $? -eq 0 ]; then 604 match="ipproto tcp" 605 getnomatch="ipproto udp" 606 fib_rule4_test_match_n_redirect "$match" "$match" \ 607 "$getnomatch" "ipproto tcp match" \ 608 "ipproto udp no match" 609 fi 610 611 fib_check_iproute_support "ipproto" "ipproto" 612 if [ $? -eq 0 ]; then 613 match="ipproto icmp" 614 getnomatch="ipproto tcp" 615 fib_rule4_test_match_n_redirect "$match" "$match" \ 616 "$getnomatch" "ipproto icmp match" \ 617 "ipproto tcp no match" 618 fi 619 620 fib_check_iproute_support "dscp" "tos" 621 if [ $? -eq 0 ]; then 622 match="dscp 0x3f" 623 getmatch="tos 0xfc" 624 getnomatch="tos 0xf4" 625 fib_rule4_test_match_n_redirect "$match" "$getmatch" \ 626 "$getnomatch" "dscp redirect to table" \ 627 "dscp no redirect to table" 628 629 match="dscp 0x3f" 630 getmatch="from $SRC_IP iif $DEV tos 0xfc" 631 getnomatch="from $SRC_IP iif $DEV tos 0xf4" 632 fib_rule4_test_match_n_redirect "$match" "$getmatch" \ 633 "$getnomatch" "iif dscp redirect to table" \ 634 "iif dscp no redirect to table" 635 fi 636 637 ip rule help 2>&1 | grep -q "DSCP\[/MASK\]" 638 if [ $? -eq 0 ]; then 639 match="dscp 0x0f/0x0f" 640 tosmatch=$(printf 0x"%x" $((0x1f << 2))) 641 tosnomatch=$(printf 0x"%x" $((0x1e << 2))) 642 getmatch="tos $tosmatch" 643 getnomatch="tos $tosnomatch" 644 fib_rule4_test_match_n_redirect "$match" "$getmatch" \ 645 "$getnomatch" "dscp masked redirect to table" \ 646 "dscp masked no redirect to table" 647 648 match="dscp 0x0f/0x0f" 649 getmatch="from $SRC_IP iif $DEV tos $tosmatch" 650 getnomatch="from $SRC_IP iif $DEV tos $tosnomatch" 651 fib_rule4_test_match_n_redirect "$match" "$getmatch" \ 652 "$getnomatch" "iif dscp masked redirect to table" \ 653 "iif dscp masked no redirect to table" 654 fi 655 656 $IP link show dev $DEV | grep -q vrf0 657 if [ $? -eq 0 ]; then 658 match="oif vrf0" 659 getmatch="oif $DEV" 660 getnomatch="oif lo" 661 fib_rule4_test_match_n_redirect "$match" "$getmatch" \ 662 "$getnomatch" "VRF oif redirect to table" \ 663 "VRF oif no redirect to table" 664 665 match="from $SRC_IP iif vrf0" 666 getmatch="from $SRC_IP iif $DEV" 667 getnomatch="from $SRC_IP iif lo" 668 fib_rule4_test_match_n_redirect "$match" "$getmatch" \ 669 "$getnomatch" "VRF iif redirect to table" \ 670 "VRF iif no redirect to table" 671 fi 672} 673 674fib_rule4_vrf_test() 675{ 676 setup_vrf 677 fib_rule4_test "- with VRF" 678 cleanup_vrf 679} 680 681# Verify that the IP_TOS option of UDPv4 and TCPv4 sockets is properly taken 682# into account when connecting the socket and when sending packets. 683fib_rule4_connect_test() 684{ 685 local dsfield 686 687 echo 688 echo "IPv4 FIB rule connect tests" 689 690 setup_peer 691 $IP -4 rule add dsfield 0x04 table $RTABLE_PEER 692 693 # Combine the base DS Field value (0x04) with all possible ECN values 694 # (Not-ECT: 0, ECT(1): 1, ECT(0): 2, CE: 3). 695 # The ECN bits shouldn't influence the result of the test. 696 for dsfield in 0x04 0x05 0x06 0x07; do 697 nettest -q -B -t 5 -N $testns -O $peerns -D -U -Q "${dsfield}" \ 698 -l 198.51.100.11 -r 198.51.100.11 699 log_test $? 0 "rule4 dsfield udp connect (dsfield ${dsfield})" 700 701 nettest -q -B -t 5 -N $testns -O $peerns -Q "${dsfield}" \ 702 -l 198.51.100.11 -r 198.51.100.11 703 log_test $? 0 "rule4 dsfield tcp connect (dsfield ${dsfield})" 704 done 705 706 # Check that UDP and TCP connections fail when using a DS Field that 707 # does not match the previously configured FIB rule. 708 nettest -q -B -t 5 -N $testns -O $peerns -D -U -Q 0x20 \ 709 -l 198.51.100.11 -r 198.51.100.11 710 log_test $? 1 "rule4 dsfield udp no connect (dsfield 0x20)" 711 712 nettest -q -B -t 5 -N $testns -O $peerns -Q 0x20 \ 713 -l 198.51.100.11 -r 198.51.100.11 714 log_test $? 1 "rule4 dsfield tcp no connect (dsfield 0x20)" 715 716 $IP -4 rule del dsfield 0x04 table $RTABLE_PEER 717 718 ip rule help 2>&1 | grep -q dscp 719 if [ $? -ne 0 ]; then 720 echo "SKIP: iproute2 iprule too old, missing dscp match" 721 cleanup_peer 722 return 723 fi 724 725 $IP -4 rule add dscp 0x3f table $RTABLE_PEER 726 727 nettest -q -B -t 5 -N $testns -O $peerns -D -U -Q 0xfc \ 728 -l 198.51.100.11 -r 198.51.100.11 729 log_test $? 0 "rule4 dscp udp connect" 730 731 nettest -q -B -t 5 -N $testns -O $peerns -Q 0xfc \ 732 -l 198.51.100.11 -r 198.51.100.11 733 log_test $? 0 "rule4 dscp tcp connect" 734 735 nettest -q -B -t 5 -N $testns -O $peerns -D -U -Q 0xf4 \ 736 -l 198.51.100.11 -r 198.51.100.11 737 log_test $? 1 "rule4 dscp udp no connect" 738 739 nettest -q -B -t 5 -N $testns -O $peerns -Q 0xf4 \ 740 -l 198.51.100.11 -r 198.51.100.11 741 log_test $? 1 "rule4 dscp tcp no connect" 742 743 $IP -4 rule del dscp 0x3f table $RTABLE_PEER 744 745 cleanup_peer 746} 747################################################################################ 748# usage 749 750usage() 751{ 752 cat <<EOF 753usage: ${0##*/} OPTS 754 755 -t <test> Test(s) to run (default: all) 756 (options: $TESTS) 757EOF 758} 759 760################################################################################ 761# main 762 763while getopts ":t:h" opt; do 764 case $opt in 765 t) TESTS=$OPTARG;; 766 h) usage; exit 0;; 767 *) usage; exit 1;; 768 esac 769done 770 771if [ "$(id -u)" -ne 0 ];then 772 echo "SKIP: Need root privileges" 773 exit $ksft_skip 774fi 775 776if [ ! -x "$(command -v ip)" ]; then 777 echo "SKIP: Could not run test without ip tool" 778 exit $ksft_skip 779fi 780 781check_gen_prog "nettest" 782 783# start clean 784cleanup &> /dev/null 785setup 786for t in $TESTS 787do 788 case $t in 789 fib_rule6_test|fib_rule6) fib_rule6_test;; 790 fib_rule4_test|fib_rule4) fib_rule4_test;; 791 fib_rule6_connect_test|fib_rule6_connect) fib_rule6_connect_test;; 792 fib_rule4_connect_test|fib_rule4_connect) fib_rule4_connect_test;; 793 fib_rule6_vrf_test|fib_rule6_vrf) fib_rule6_vrf_test;; 794 fib_rule4_vrf_test|fib_rule4_vrf) fib_rule4_vrf_test;; 795 796 help) echo "Test names: $TESTS"; exit 0;; 797 798 esac 799done 800cleanup 801 802if [ "$TESTS" != "none" ]; then 803 printf "\nTests passed: %3d\n" ${nsuccess} 804 printf "Tests failed: %3d\n" ${nfail} 805fi 806 807exit $ret 808