linux/tools/testing/selftests/net/vrf_route_leaking.sh

#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (c) 2019 David Ahern <[email protected]>. All rights reserved.
# Copyright (c) 2020 Michael Jeanson <[email protected]>. All rights reserved.
#
# Requires CONFIG_NET_VRF, CONFIG_VETH, CONFIG_BRIDGE and CONFIG_NET_NS.
#
#
# Symmetric routing topology
#
#                     blue         red
# +----+              .253 +----+ .253              +----+
# | h1 |-------------------| r1 |-------------------| h2 |
# +----+ .1                +----+                .2 +----+
#         172.16.1/24                  172.16.2/24
#    2001:db8:16:1/64                  2001:db8:16:2/64
#
#
# Route from h1 to h2 and back goes through r1, incoming vrf blue has a route
# to the outgoing vrf red for the n2 network and red has a route back to n1.
# The red VRF interface has a MTU of 1400.
#
# The first test sends a ping with a ttl of 1 from h1 to h2 and parses the
# output of the command to check that a ttl expired error is received.
#
# The second test runs traceroute from h1 to h2 and parses the output to check
# for a hop on r1.
#
# The third test sends a ping with a packet size of 1450 from h1 to h2 and
# parses the output of the command to check that a fragmentation error is
# received.
#
#
# Asymmetric routing topology
#
# This topology represents a customer setup where the issue with icmp errors
# and VRF route leaking was initialy reported. The MTU test isn't done here
# because of the lack of a return route in the red VRF.
#
#                     blue         red
#                     .253 +----+ .253
#                     +----| r1 |----+
#                     |    +----+    |
# +----+              |              |              +----+
# | h1 |--------------+              +--------------| h2 |
# +----+ .1           |              |           .2 +----+
#         172.16.1/24 |    +----+    | 172.16.2/24
#    2001:db8:16:1/64 +----| r2 |----+ 2001:db8:16:2/64
#                     .254 +----+ .254
#
#
# Route from h1 to h2 goes through r1, incoming vrf blue has a route to the
# outgoing vrf red for the n2 network but red doesn't have a route back to n1.
# Route from h2 to h1 goes through r2.
#
# The objective is to check that the incoming vrf routing table is selected
# to send an ICMP error back to the source when the ttl of a packet reaches 1
# while it is forwarded between different vrfs.

source lib.sh
VERBOSE=0
PAUSE_ON_FAIL=no
DEFAULT_TTYPE=sym

H1_N1=172.16.1.0/24
H1_N1_6=2001:db8:16:1::/64

H1_N1_IP=172.16.1.1
R1_N1_IP=172.16.1.253
R2_N1_IP=172.16.1.254

H1_N1_IP6=2001:db8:16:1::1
R1_N1_IP6=2001:db8:16:1::253
R2_N1_IP6=2001:db8:16:1::254

H2_N2=172.16.2.0/24
H2_N2_6=2001:db8:16:2::/64

H2_N2_IP=172.16.2.2
R1_N2_IP=172.16.2.253
R2_N2_IP=172.16.2.254

H2_N2_IP6=2001:db8:16:2::2
R1_N2_IP6=2001:db8:16:2::253
R2_N2_IP6=2001:db8:16:2::254

################################################################################
# helpers

log_section()
{
	echo
	echo "###########################################################################"
	echo "$*"
	echo "###########################################################################"
	echo
}

log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"

	if [ "${rc}" -eq "${expected}" ]; then
		printf "TEST: %-60s  [ OK ]\n" "${msg}"
		nsuccess=$((nsuccess+1))
	else
		ret=1
		nfail=$((nfail+1))
		printf "TEST: %-60s  [FAIL]\n" "${msg}"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue, 'q' to quit"
			read -r a
			[ "$a" = "q" ] && exit 1
		fi
	fi
}

run_cmd()
{
	local cmd="$*"
	local out
	local rc

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: $cmd"
	fi

	# shellcheck disable=SC2086
	out=$(eval $cmd 2>&1)
	rc=$?
	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		echo "$out"
	fi

	[ "$VERBOSE" = "1" ] && echo

	return $rc
}

run_cmd_grep()
{
	local grep_pattern="$1"
	shift
	local cmd="$*"
	local out
	local rc

	if [ "$VERBOSE" = "1" ]; then
		echo "COMMAND: $cmd"
	fi

	# shellcheck disable=SC2086
	out=$(eval $cmd 2>&1)
	if [ "$VERBOSE" = "1" ] && [ -n "$out" ]; then
		echo "$out"
	fi

	echo "$out" | grep -q "$grep_pattern"
	rc=$?

	[ "$VERBOSE" = "1" ] && echo

	return $rc
}

################################################################################
# setup and teardown

cleanup()
{
	cleanup_ns $h1 $h2 $r1 $r2
}

setup_vrf()
{
	local ns=$1

	ip -netns "${ns}" rule del pref 0
	ip -netns "${ns}" rule add pref 32765 from all lookup local
	ip -netns "${ns}" -6 rule del pref 0
	ip -netns "${ns}" -6 rule add pref 32765 from all lookup local
}

create_vrf()
{
	local ns=$1
	local vrf=$2
	local table=$3

	ip -netns "${ns}" link add "${vrf}" type vrf table "${table}"
	ip -netns "${ns}" link set "${vrf}" up
	ip -netns "${ns}" route add vrf "${vrf}" unreachable default metric 8192
	ip -netns "${ns}" -6 route add vrf "${vrf}" unreachable default metric 8192

	ip -netns "${ns}" addr add 127.0.0.1/8 dev "${vrf}"
	ip -netns "${ns}" -6 addr add ::1 dev "${vrf}" nodad
}

setup_sym()
{
	local ns

	# make sure we are starting with a clean slate
	cleanup

	#
	# create nodes as namespaces
	setup_ns h1 h2 r1
	for ns in $h1 $h2 $r1; do
		if echo $ns | grep -q h[12]-; then
			ip netns exec $ns sysctl -q -w net.ipv6.conf.all.forwarding=0
			ip netns exec $ns sysctl -q -w net.ipv6.conf.all.keep_addr_on_down=1
		else
			ip netns exec $ns sysctl -q -w net.ipv4.ip_forward=1
			ip netns exec $ns sysctl -q -w net.ipv6.conf.all.forwarding=1
		fi
	done

	#
	# create interconnects
	#
	ip -netns $h1 link add eth0 type veth peer name r1h1
	ip -netns $h1 link set r1h1 netns $r1 name eth0 up

	ip -netns $h2 link add eth0 type veth peer name r1h2
	ip -netns $h2 link set r1h2 netns $r1 name eth1 up

	#
	# h1
	#
	ip -netns $h1 addr add dev eth0 ${H1_N1_IP}/24
	ip -netns $h1 -6 addr add dev eth0 ${H1_N1_IP6}/64 nodad
	ip -netns $h1 link set eth0 up

	# h1 to h2 via r1
	ip -netns $h1    route add ${H2_N2} via ${R1_N1_IP} dev eth0
	ip -netns $h1 -6 route add ${H2_N2_6} via "${R1_N1_IP6}" dev eth0

	#
	# h2
	#
	ip -netns $h2 addr add dev eth0 ${H2_N2_IP}/24
	ip -netns $h2 -6 addr add dev eth0 ${H2_N2_IP6}/64 nodad
	ip -netns $h2 link set eth0 up

	# h2 to h1 via r1
	ip -netns $h2 route add default via ${R1_N2_IP} dev eth0
	ip -netns $h2 -6 route add default via ${R1_N2_IP6} dev eth0

	#
	# r1
	#
	setup_vrf $r1
	create_vrf $r1 blue 1101
	create_vrf $r1 red 1102
	ip -netns $r1 link set mtu 1400 dev eth1
	ip -netns $r1 link set eth0 vrf blue up
	ip -netns $r1 link set eth1 vrf red up
	ip -netns $r1 addr add dev eth0 ${R1_N1_IP}/24
	ip -netns $r1 -6 addr add dev eth0 ${R1_N1_IP6}/64 nodad
	ip -netns $r1 addr add dev eth1 ${R1_N2_IP}/24
	ip -netns $r1 -6 addr add dev eth1 ${R1_N2_IP6}/64 nodad

	# Route leak from blue to red
	ip -netns $r1 route add vrf blue ${H2_N2} dev red
	ip -netns $r1 -6 route add vrf blue ${H2_N2_6} dev red

	# Route leak from red to blue
	ip -netns $r1 route add vrf red ${H1_N1} dev blue
	ip -netns $r1 -6 route add vrf red ${H1_N1_6} dev blue


	# Wait for ip config to settle
	sleep 2
}

setup_asym()
{
	local ns

	# make sure we are starting with a clean slate
	cleanup

	#
	# create nodes as namespaces
	setup_ns h1 h2 r1 r2
	for ns in $h1 $h2 $r1 $r2; do
		if echo $ns | grep -q h[12]-; then
			ip netns exec $ns sysctl -q -w net.ipv6.conf.all.forwarding=0
			ip netns exec $ns sysctl -q -w net.ipv6.conf.all.keep_addr_on_down=1
		else
			ip netns exec $ns sysctl -q -w net.ipv4.ip_forward=1
			ip netns exec $ns sysctl -q -w net.ipv6.conf.all.forwarding=1
		fi
	done

	#
	# create interconnects
	#
	ip -netns $h1 link add eth0 type veth peer name r1h1
	ip -netns $h1 link set r1h1 netns $r1 name eth0 up

	ip -netns $h1 link add eth1 type veth peer name r2h1
	ip -netns $h1 link set r2h1 netns $r2 name eth0 up

	ip -netns $h2 link add eth0 type veth peer name r1h2
	ip -netns $h2 link set r1h2 netns $r1 name eth1 up

	ip -netns $h2 link add eth1 type veth peer name r2h2
	ip -netns $h2 link set r2h2 netns $r2 name eth1 up

	#
	# h1
	#
	ip -netns $h1 link add br0 type bridge
	ip -netns $h1 link set br0 up
	ip -netns $h1 addr add dev br0 ${H1_N1_IP}/24
	ip -netns $h1 -6 addr add dev br0 ${H1_N1_IP6}/64 nodad
	ip -netns $h1 link set eth0 master br0 up
	ip -netns $h1 link set eth1 master br0 up

	# h1 to h2 via r1
	ip -netns $h1    route add ${H2_N2} via ${R1_N1_IP} dev br0
	ip -netns $h1 -6 route add ${H2_N2_6} via "${R1_N1_IP6}" dev br0

	#
	# h2
	#
	ip -netns $h2 link add br0 type bridge
	ip -netns $h2 link set br0 up
	ip -netns $h2 addr add dev br0 ${H2_N2_IP}/24
	ip -netns $h2 -6 addr add dev br0 ${H2_N2_IP6}/64 nodad
	ip -netns $h2 link set eth0 master br0 up
	ip -netns $h2 link set eth1 master br0 up

	# h2 to h1 via r2
	ip -netns $h2 route add default via ${R2_N2_IP} dev br0
	ip -netns $h2 -6 route add default via ${R2_N2_IP6} dev br0

	#
	# r1
	#
	setup_vrf $r1
	create_vrf $r1 blue 1101
	create_vrf $r1 red 1102
	ip -netns $r1 link set mtu 1400 dev eth1
	ip -netns $r1 link set eth0 vrf blue up
	ip -netns $r1 link set eth1 vrf red up
	ip -netns $r1 addr add dev eth0 ${R1_N1_IP}/24
	ip -netns $r1 -6 addr add dev eth0 ${R1_N1_IP6}/64 nodad
	ip -netns $r1 addr add dev eth1 ${R1_N2_IP}/24
	ip -netns $r1 -6 addr add dev eth1 ${R1_N2_IP6}/64 nodad

	# Route leak from blue to red
	ip -netns $r1 route add vrf blue ${H2_N2} dev red
	ip -netns $r1 -6 route add vrf blue ${H2_N2_6} dev red

	# No route leak from red to blue

	#
	# r2
	#
	ip -netns $r2 addr add dev eth0 ${R2_N1_IP}/24
	ip -netns $r2 -6 addr add dev eth0 ${R2_N1_IP6}/64 nodad
	ip -netns $r2 addr add dev eth1 ${R2_N2_IP}/24
	ip -netns $r2 -6 addr add dev eth1 ${R2_N2_IP6}/64 nodad

	# Wait for ip config to settle
	sleep 2
}

check_connectivity()
{
	ip netns exec $h1 ping -c1 -w1 ${H2_N2_IP} >/dev/null 2>&1
	log_test $? 0 "Basic IPv4 connectivity"
	return $?
}

check_connectivity6()
{
	ip netns exec $h1 "${ping6}" -c1 -w1 ${H2_N2_IP6} >/dev/null 2>&1
	log_test $? 0 "Basic IPv6 connectivity"
	return $?
}

check_traceroute()
{
	if [ ! -x "$(command -v traceroute)" ]; then
		echo "SKIP: Could not run IPV4 test without traceroute"
		return 1
	fi
}

check_traceroute6()
{
	if [ ! -x "$(command -v traceroute6)" ]; then
		echo "SKIP: Could not run IPV6 test without traceroute6"
		return 1
	fi
}

ipv4_traceroute()
{
	local ttype="$1"

	[ "x$ttype" = "x" ] && ttype="$DEFAULT_TTYPE"

	log_section "IPv4 ($ttype route): VRF ICMP error route lookup traceroute"

	check_traceroute || return

	setup_"$ttype"

	check_connectivity || return

	run_cmd_grep "${R1_N1_IP}" ip netns exec $h1 traceroute ${H2_N2_IP}
	log_test $? 0 "Traceroute reports a hop on r1"
}

ipv4_traceroute_asym()
{
	ipv4_traceroute asym
}

ipv6_traceroute()
{
	local ttype="$1"

	[ "x$ttype" = "x" ] && ttype="$DEFAULT_TTYPE"

	log_section "IPv6 ($ttype route): VRF ICMP error route lookup traceroute"

	check_traceroute6 || return

	setup_"$ttype"

	check_connectivity6 || return

	run_cmd_grep "${R1_N1_IP6}" ip netns exec $h1 traceroute6 ${H2_N2_IP6}
	log_test $? 0 "Traceroute6 reports a hop on r1"
}

ipv6_traceroute_asym()
{
	ipv6_traceroute asym
}

ipv4_ping_ttl()
{
	local ttype="$1"

	[ "x$ttype" = "x" ] && ttype="$DEFAULT_TTYPE"

	log_section "IPv4 ($ttype route): VRF ICMP ttl error route lookup ping"

	setup_"$ttype"

	check_connectivity || return

	run_cmd_grep "Time to live exceeded" ip netns exec $h1 ping -t1 -c1 -W2 ${H2_N2_IP}
	log_test $? 0 "Ping received ICMP ttl exceeded"
}

ipv4_ping_ttl_asym()
{
	ipv4_ping_ttl asym
}

ipv4_ping_frag()
{
	local ttype="$1"

	[ "x$ttype" = "x" ] && ttype="$DEFAULT_TTYPE"

	log_section "IPv4 ($ttype route): VRF ICMP fragmentation error route lookup ping"

	setup_"$ttype"

	check_connectivity || return

	run_cmd_grep "Frag needed" ip netns exec $h1 ping -s 1450 -Mdo -c1 -W2 ${H2_N2_IP}
	log_test $? 0 "Ping received ICMP Frag needed"
}

ipv4_ping_frag_asym()
{
	ipv4_ping_frag asym
}

ipv6_ping_ttl()
{
	local ttype="$1"

	[ "x$ttype" = "x" ] && ttype="$DEFAULT_TTYPE"

	log_section "IPv6 ($ttype route): VRF ICMP ttl error route lookup ping"

	setup_"$ttype"

	check_connectivity6 || return

	run_cmd_grep "Time exceeded: Hop limit" ip netns exec $h1 "${ping6}" -t1 -c1 -W2 ${H2_N2_IP6}
	log_test $? 0 "Ping received ICMP Hop limit"
}

ipv6_ping_ttl_asym()
{
	ipv6_ping_ttl asym
}

ipv6_ping_frag()
{
	local ttype="$1"

	[ "x$ttype" = "x" ] && ttype="$DEFAULT_TTYPE"

	log_section "IPv6 ($ttype route): VRF ICMP fragmentation error route lookup ping"

	setup_"$ttype"

	check_connectivity6 || return

	run_cmd_grep "Packet too big" ip netns exec $h1 "${ping6}" -s 1450 -Mdo -c1 -W2 ${H2_N2_IP6}
	log_test $? 0 "Ping received ICMP Packet too big"
}

ipv6_ping_frag_asym()
{
	ipv6_ping_frag asym
}

ipv4_ping_local()
{
	log_section "IPv4 (sym route): VRF ICMP local error route lookup ping"

	setup_sym

	check_connectivity || return

	run_cmd ip netns exec $r1 ip vrf exec blue ping -c1 -w1 ${H2_N2_IP}
	log_test $? 0 "VRF ICMP local IPv4"
}

ipv4_tcp_local()
{
	log_section "IPv4 (sym route): VRF tcp local connection"

	setup_sym

	check_connectivity || return

	run_cmd nettest -s -O "$h2" -l ${H2_N2_IP} -I eth0 -3 eth0 &
	sleep 1
	run_cmd nettest -N "$r1" -d blue -r ${H2_N2_IP}
	log_test $? 0 "VRF tcp local connection IPv4"
}

ipv4_udp_local()
{
	log_section "IPv4 (sym route): VRF udp local connection"

	setup_sym

	check_connectivity || return

	run_cmd nettest -s -D -O "$h2" -l ${H2_N2_IP} -I eth0 -3 eth0 &
	sleep 1
	run_cmd nettest -D -N "$r1" -d blue -r ${H2_N2_IP}
	log_test $? 0 "VRF udp local connection IPv4"
}

ipv6_ping_local()
{
	log_section "IPv6 (sym route): VRF ICMP local error route lookup ping"

	setup_sym

	check_connectivity6 || return

	run_cmd ip netns exec $r1 ip vrf exec blue ${ping6} -c1 -w1 ${H2_N2_IP6}
	log_test $? 0 "VRF ICMP local IPv6"
}

ipv6_tcp_local()
{
	log_section "IPv6 (sym route): VRF tcp local connection"

	setup_sym

	check_connectivity6 || return

	run_cmd nettest -s -6 -O "$h2" -l ${H2_N2_IP6} -I eth0 -3 eth0 &
	sleep 1
	run_cmd nettest -6 -N "$r1" -d blue -r ${H2_N2_IP6}
	log_test $? 0 "VRF tcp local connection IPv6"
}

ipv6_udp_local()
{
	log_section "IPv6 (sym route): VRF udp local connection"

	setup_sym

	check_connectivity6 || return

	run_cmd nettest -s -6 -D -O "$h2" -l ${H2_N2_IP6} -I eth0 -3 eth0 &
	sleep 1
	run_cmd nettest -6 -D -N "$r1" -d blue -r ${H2_N2_IP6}
	log_test $? 0 "VRF udp local connection IPv6"
}

################################################################################
# usage

usage()
{
        cat <<EOF
usage: ${0##*/} OPTS

	-4          Run IPv4 tests only
	-6          Run IPv6 tests only
        -t TEST     Run only TEST
	-p          Pause on fail
	-v          verbose mode (show commands and output)
EOF
}

################################################################################
# main

# Some systems don't have a ping6 binary anymore
command -v ping6 > /dev/null 2>&1 && ping6=$(command -v ping6) || ping6=$(command -v ping)

check_gen_prog "nettest"

TESTS_IPV4="ipv4_ping_ttl ipv4_traceroute ipv4_ping_frag ipv4_ping_local ipv4_tcp_local
ipv4_udp_local ipv4_ping_ttl_asym ipv4_traceroute_asym"
TESTS_IPV6="ipv6_ping_ttl ipv6_traceroute ipv6_ping_local ipv6_tcp_local ipv6_udp_local
ipv6_ping_ttl_asym ipv6_traceroute_asym"

ret=0
nsuccess=0
nfail=0

while getopts :46t:pvh o
do
	case $o in
		4) TESTS=ipv4;;
		6) TESTS=ipv6;;
		t) TESTS=$OPTARG;;
		p) PAUSE_ON_FAIL=yes;;
		v) VERBOSE=1;;
		h) usage; exit 0;;
		*) usage; exit 1;;
	esac
done

#
# show user test config
#
if [ -z "$TESTS" ]; then
        TESTS="$TESTS_IPV4 $TESTS_IPV6"
elif [ "$TESTS" = "ipv4" ]; then
        TESTS="$TESTS_IPV4"
elif [ "$TESTS" = "ipv6" ]; then
        TESTS="$TESTS_IPV6"
fi

for t in $TESTS
do
	case $t in
	ipv4_ping_ttl|ping)              ipv4_ping_ttl;;&
	ipv4_ping_ttl_asym|ping)         ipv4_ping_ttl_asym;;&
	ipv4_traceroute|traceroute)      ipv4_traceroute;;&
	ipv4_traceroute_asym|traceroute) ipv4_traceroute_asym;;&
	ipv4_ping_frag|ping)             ipv4_ping_frag;;&
	ipv4_ping_local|ping)            ipv4_ping_local;;&
	ipv4_tcp_local)                  ipv4_tcp_local;;&
	ipv4_udp_local)                  ipv4_udp_local;;&

	ipv6_ping_ttl|ping)              ipv6_ping_ttl;;&
	ipv6_ping_ttl_asym|ping)         ipv6_ping_ttl_asym;;&
	ipv6_traceroute|traceroute)      ipv6_traceroute;;&
	ipv6_traceroute_asym|traceroute) ipv6_traceroute_asym;;&
	ipv6_ping_frag|ping)             ipv6_ping_frag;;&
	ipv6_ping_local|ping)            ipv6_ping_local;;&
	ipv6_tcp_local)                  ipv6_tcp_local;;&
	ipv6_udp_local)                  ipv6_udp_local;;&

	# setup namespaces and config, but do not run any tests
	setup_sym|setup)                 setup_sym; exit 0;;
	setup_asym)                      setup_asym; exit 0;;

	help)                       echo "Test names: $TESTS"; exit 0;;
	esac
done

cleanup

printf "\nTests passed: %3d\n" ${nsuccess}
printf "Tests failed: %3d\n"   ${nfail}

exit $ret