linux/tools/testing/selftests/net/vrf-xfrm-tests.sh

#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Various combinations of VRF with xfrms and qdisc.

source lib.sh
PAUSE_ON_FAIL=no
VERBOSE=0
ret=0

HOST1_4=192.168.1.1
HOST2_4=192.168.1.2
HOST1_6=2001:db8:1::1
HOST2_6=2001:db8:1::2

XFRM1_4=10.0.1.1
XFRM2_4=10.0.1.2
XFRM1_6=fc00:1000::1
XFRM2_6=fc00:1000::2
IF_ID=123

VRF=red
TABLE=300

AUTH_1=0xd94fcfea65fddf21dc6e0d24a0253508
AUTH_2=0xdc6e0d24a0253508d94fcfea65fddf21
ENC_1=0xfc46c20f8048be9725930ff3fb07ac2a91f0347dffeacf62
ENC_2=0x3fb07ac2a91f0347dffeacf62fc46c20f8048be9725930ff
SPI_1=0x02122b77
SPI_2=0x2b770212

which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping)

################################################################################
#
log_test()
{
	local rc=$1
	local expected=$2
	local msg="$3"

	if [ ${rc} -eq ${expected} ]; then
		printf "TEST: %-60s  [ OK ]\n" "${msg}"
		nsuccess=$((nsuccess+1))
	else
		ret=1
		nfail=$((nfail+1))
		printf "TEST: %-60s  [FAIL]\n" "${msg}"
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue, 'q' to quit"
			read a
			[ "$a" = "q" ] && exit 1
		fi
	fi
}

run_cmd_host1()
{
	local cmd="$*"
	local out
	local rc

	if [ "$VERBOSE" = "1" ]; then
		printf "    COMMAND: $cmd\n"
	fi

	out=$(eval ip netns exec $host1 $cmd 2>&1)
	rc=$?
	if [ "$VERBOSE" = "1" ]; then
		if [ -n "$out" ]; then
			echo
			echo "    $out"
		fi
		echo
	fi

	return $rc
}

################################################################################
# create namespaces for hosts and sws

create_vrf()
{
	local ns=$1
	local vrf=$2
	local table=$3

	if [ -n "${ns}" ]; then
		ns="-netns ${ns}"
	fi

	ip ${ns} link add ${vrf} type vrf table ${table}
	ip ${ns} link set ${vrf} up
	ip ${ns} route add vrf ${vrf} unreachable default metric 8192
	ip ${ns} -6 route add vrf ${vrf} unreachable default metric 8192

	ip ${ns} addr add 127.0.0.1/8 dev ${vrf}
	ip ${ns} -6 addr add ::1 dev ${vrf} nodad

	ip ${ns} ru del pref 0
	ip ${ns} ru add pref 32765 from all lookup local
	ip ${ns} -6 ru del pref 0
	ip ${ns} -6 ru add pref 32765 from all lookup local
}

create_ns()
{
	local ns=$1
	local addr=$2
	local addr6=$3

	[ -z "${addr}" ] && addr="-"
	[ -z "${addr6}" ] && addr6="-"

	if [ "${addr}" != "-" ]; then
		ip -netns ${ns} addr add dev lo ${addr}
	fi
	if [ "${addr6}" != "-" ]; then
		ip -netns ${ns} -6 addr add dev lo ${addr6}
	fi

	ip -netns ${ns} ro add unreachable default metric 8192
	ip -netns ${ns} -6 ro add unreachable default metric 8192

	ip netns exec ${ns} sysctl -qw net.ipv4.ip_forward=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.keep_addr_on_down=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.all.forwarding=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.forwarding=1
	ip netns exec ${ns} sysctl -qw net.ipv6.conf.default.accept_dad=0
}

# create veth pair to connect namespaces and apply addresses.
connect_ns()
{
	local ns1=$1
	local ns1_dev=$2
	local ns1_addr=$3
	local ns1_addr6=$4
	local ns2=$5
	local ns2_dev=$6
	local ns2_addr=$7
	local ns2_addr6=$8
	local ns1arg
	local ns2arg

	if [ -n "${ns1}" ]; then
		ns1arg="-netns ${ns1}"
	fi
	if [ -n "${ns2}" ]; then
		ns2arg="-netns ${ns2}"
	fi

	ip ${ns1arg} li add ${ns1_dev} type veth peer name tmp
	ip ${ns1arg} li set ${ns1_dev} up
	ip ${ns1arg} li set tmp netns ${ns2} name ${ns2_dev}
	ip ${ns2arg} li set ${ns2_dev} up

	if [ "${ns1_addr}" != "-" ]; then
		ip ${ns1arg} addr add dev ${ns1_dev} ${ns1_addr}
		ip ${ns2arg} addr add dev ${ns2_dev} ${ns2_addr}
	fi

	if [ "${ns1_addr6}" != "-" ]; then
		ip ${ns1arg} addr add dev ${ns1_dev} ${ns1_addr6} nodad
		ip ${ns2arg} addr add dev ${ns2_dev} ${ns2_addr6} nodad
	fi
}

################################################################################

cleanup()
{
	cleanup_ns $host1 $host2
}

setup()
{
	setup_ns host1 host2
	create_ns "$host1"
	create_ns "$host2"

	connect_ns "$host1" eth0 ${HOST1_4}/24 ${HOST1_6}/64 \
	           "$host2" eth0 ${HOST2_4}/24 ${HOST2_6}/64

	create_vrf "$host1" ${VRF} ${TABLE}
	ip -netns $host1 link set dev eth0 master ${VRF}
}

cleanup_xfrm()
{
	for ns in $host1 $host2
	do
		for x in state policy
		do
			ip -netns ${ns} xfrm ${x} flush
			ip -6 -netns ${ns} xfrm ${x} flush
		done
	done
}

setup_xfrm()
{
	local h1_4=$1
	local h2_4=$2
	local h1_6=$3
	local h2_6=$4
	local devarg="$5"

	#
	# policy
	#

	# host1 - IPv4 out
	ip -netns $host1 xfrm policy add \
	  src ${h1_4} dst ${h2_4} ${devarg} dir out \
	  tmpl src ${HOST1_4} dst ${HOST2_4} proto esp mode tunnel

	# host2 - IPv4 in
	ip -netns $host2 xfrm policy add \
	  src ${h1_4} dst ${h2_4} dir in \
	  tmpl src ${HOST1_4} dst ${HOST2_4} proto esp mode tunnel

	# host1 - IPv4 in
	ip -netns $host1 xfrm policy add \
	  src ${h2_4} dst ${h1_4} ${devarg} dir in \
	  tmpl src ${HOST2_4} dst ${HOST1_4} proto esp mode tunnel

	# host2 - IPv4 out
	ip -netns $host2 xfrm policy add \
	  src ${h2_4} dst ${h1_4} dir out \
	  tmpl src ${HOST2_4} dst ${HOST1_4} proto esp mode tunnel


	# host1 - IPv6 out
	ip -6 -netns $host1 xfrm policy add \
	  src ${h1_6} dst ${h2_6} ${devarg} dir out \
	  tmpl src ${HOST1_6} dst ${HOST2_6} proto esp mode tunnel

	# host2 - IPv6 in
	ip -6 -netns $host2 xfrm policy add \
	  src ${h1_6} dst ${h2_6} dir in \
	  tmpl src ${HOST1_6} dst ${HOST2_6} proto esp mode tunnel

	# host1 - IPv6 in
	ip -6 -netns $host1 xfrm policy add \
	  src ${h2_6} dst ${h1_6} ${devarg} dir in \
	  tmpl src ${HOST2_6} dst ${HOST1_6} proto esp mode tunnel

	# host2 - IPv6 out
	ip -6 -netns $host2 xfrm policy add \
	  src ${h2_6} dst ${h1_6} dir out \
	  tmpl src ${HOST2_6} dst ${HOST1_6} proto esp mode tunnel

	#
	# state
	#
	ip -netns $host1 xfrm state add src ${HOST1_4} dst ${HOST2_4} \
	    proto esp spi ${SPI_1} reqid 0 mode tunnel \
	    replay-window 4 replay-oseq 0x4 \
	    auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
	    enc 'cbc(aes)' ${ENC_1} \
	    sel src ${h1_4} dst ${h2_4} ${devarg}

	ip -netns $host2 xfrm state add src ${HOST1_4} dst ${HOST2_4} \
	    proto esp spi ${SPI_1} reqid 0 mode tunnel \
	    replay-window 4 replay-oseq 0x4 \
	    auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
	    enc 'cbc(aes)' ${ENC_1} \
	    sel src ${h1_4} dst ${h2_4}


	ip -netns $host1 xfrm state add src ${HOST2_4} dst ${HOST1_4} \
	    proto esp spi ${SPI_2} reqid 0 mode tunnel \
	    replay-window 4 replay-oseq 0x4 \
	    auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
	    enc 'cbc(aes)' ${ENC_2} \
	    sel src ${h2_4} dst ${h1_4} ${devarg}

	ip -netns $host2 xfrm state add src ${HOST2_4} dst ${HOST1_4} \
	    proto esp spi ${SPI_2} reqid 0 mode tunnel \
	    replay-window 4 replay-oseq 0x4 \
	    auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
	    enc 'cbc(aes)' ${ENC_2} \
	    sel src ${h2_4} dst ${h1_4}


	ip -6 -netns $host1 xfrm state add src ${HOST1_6} dst ${HOST2_6} \
	    proto esp spi ${SPI_1} reqid 0 mode tunnel \
	    replay-window 4 replay-oseq 0x4 \
	    auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
	    enc 'cbc(aes)' ${ENC_1} \
	    sel src ${h1_6} dst ${h2_6} ${devarg}

	ip -6 -netns $host2 xfrm state add src ${HOST1_6} dst ${HOST2_6} \
	    proto esp spi ${SPI_1} reqid 0 mode tunnel \
	    replay-window 4 replay-oseq 0x4 \
	    auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \
	    enc 'cbc(aes)' ${ENC_1} \
	    sel src ${h1_6} dst ${h2_6}


	ip -6 -netns $host1 xfrm state add src ${HOST2_6} dst ${HOST1_6} \
	    proto esp spi ${SPI_2} reqid 0 mode tunnel \
	    replay-window 4 replay-oseq 0x4 \
	    auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
	    enc 'cbc(aes)' ${ENC_2} \
	    sel src ${h2_6} dst ${h1_6} ${devarg}

	ip -6 -netns $host2 xfrm state add src ${HOST2_6} dst ${HOST1_6} \
	    proto esp spi ${SPI_2} reqid 0 mode tunnel \
	    replay-window 4 replay-oseq 0x4 \
	    auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \
	    enc 'cbc(aes)' ${ENC_2} \
	    sel src ${h2_6} dst ${h1_6}
}

cleanup_xfrm_dev()
{
	ip -netns $host1 li del xfrm0
	ip -netns $host2 addr del ${XFRM2_4}/24 dev eth0
	ip -netns $host2 addr del ${XFRM2_6}/64 dev eth0
}

setup_xfrm_dev()
{
	local vrfarg="vrf ${VRF}"

	ip -netns $host1 li add type xfrm dev eth0 if_id ${IF_ID}
	ip -netns $host1 li set xfrm0 ${vrfarg} up
	ip -netns $host1 addr add ${XFRM1_4}/24 dev xfrm0
	ip -netns $host1 addr add ${XFRM1_6}/64 dev xfrm0

	ip -netns $host2 addr add ${XFRM2_4}/24 dev eth0
	ip -netns $host2 addr add ${XFRM2_6}/64 dev eth0

	setup_xfrm ${XFRM1_4} ${XFRM2_4} ${XFRM1_6} ${XFRM2_6} "if_id ${IF_ID}"
}

run_tests()
{
	cleanup_xfrm

	# no IPsec
	run_cmd_host1 ip vrf exec ${VRF} ping -c1 -w1 ${HOST2_4}
	log_test $? 0 "IPv4 no xfrm policy"
	run_cmd_host1 ip vrf exec ${VRF} ${ping6} -c1 -w1 ${HOST2_6}
	log_test $? 0 "IPv6 no xfrm policy"

	# xfrm without VRF in sel
	setup_xfrm ${HOST1_4} ${HOST2_4} ${HOST1_6} ${HOST2_6}
	run_cmd_host1 ip vrf exec ${VRF} ping -c1 -w1 ${HOST2_4}
	log_test $? 0 "IPv4 xfrm policy based on address"
	run_cmd_host1 ip vrf exec ${VRF} ${ping6} -c1 -w1 ${HOST2_6}
	log_test $? 0 "IPv6 xfrm policy based on address"
	cleanup_xfrm

	# xfrm with VRF in sel
	# Known failure: ipv4 resets the flow oif after the lookup. Fix is
	# not straightforward.
	# setup_xfrm ${HOST1_4} ${HOST2_4} ${HOST1_6} ${HOST2_6} "dev ${VRF}"
	# run_cmd_host1 ip vrf exec ${VRF} ping -c1 -w1 ${HOST2_4}
	# log_test $? 0 "IPv4 xfrm policy with VRF in selector"
	run_cmd_host1 ip vrf exec ${VRF} ${ping6} -c1 -w1 ${HOST2_6}
	log_test $? 0 "IPv6 xfrm policy with VRF in selector"
	cleanup_xfrm

	# xfrm with enslaved device in sel
	# Known failures: combined with the above, __xfrm{4,6}_selector_match
	# needs to consider both l3mdev and enslaved device index.
	# setup_xfrm ${HOST1_4} ${HOST2_4} ${HOST1_6} ${HOST2_6} "dev eth0"
	# run_cmd_host1 ip vrf exec ${VRF} ping -c1 -w1 ${HOST2_4}
	# log_test $? 0 "IPv4 xfrm policy with enslaved device in selector"
	# run_cmd_host1 ip vrf exec ${VRF} ${ping6} -c1 -w1 ${HOST2_6}
	# log_test $? 0 "IPv6 xfrm policy with enslaved device in selector"
	# cleanup_xfrm

	# xfrm device
	setup_xfrm_dev
	run_cmd_host1 ip vrf exec ${VRF} ping -c1 -w1 ${XFRM2_4}
	log_test $? 0 "IPv4 xfrm policy with xfrm device"
	run_cmd_host1 ip vrf exec ${VRF} ${ping6} -c1 -w1 ${XFRM2_6}
	log_test $? 0 "IPv6 xfrm policy with xfrm device"
	cleanup_xfrm_dev
}

################################################################################
# usage

usage()
{
        cat <<EOF
usage: ${0##*/} OPTS

        -p          Pause on fail
        -v          verbose mode (show commands and output)

done
EOF
}

################################################################################
# main

while getopts :pv o
do
	case $o in
		p) PAUSE_ON_FAIL=yes;;
		v) VERBOSE=$(($VERBOSE + 1));;
		h) usage; exit 0;;
		*) usage; exit 1;;
	esac
done

cleanup 2>/dev/null
setup

echo
echo "No qdisc on VRF device"
run_tests

run_cmd_host1 tc qdisc add dev ${VRF} root netem delay 100ms
echo
echo "netem qdisc on VRF device"
run_tests

printf "\nTests passed: %3d\n" ${nsuccess}
printf "Tests failed: %3d\n"   ${nfail}

exit $ret