path: root/tools/testing/selftests/net/vrf_route_leaking.sh
blob: 23cf924754a531873a9b50b6d1e9307848984a80 (plain)
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
#
# Copyright (c) 2019 David Ahern <dsahern@gmail.com>. All rights reserved.
# Copyright (c) 2020 Michael Jeanson <mjeanson@efficios.com>. All rights reserved.
#
# Requires CONFIG_NET_VRF, CONFIG_VETH, CONFIG_BRIDGE and CONFIG_NET_NS.
#
#
# Symmetric routing topology
#
#                     blue         red
# +----+              .253 +----+ .253              +----+
# | h1 |-------------------| r1 |-------------------| h2 |
# +----+ .1                +----+                .2 +----+
#         172.16.1/24                  172.16.2/24
#    2001:db8:16:1/64                  2001:db8:16:2/64
#
#
# Route from h1 to h2 and back goes through r1, incoming vrf blue has a route
# to the outgoing vrf red for the n2 network and red has a route back to n1.
# The red VRF interface has a MTU of 1400.
#
# The first test sends a ping with a ttl of 1 from h1 to h2 and parses the
# output of the command to check that a ttl expired error is received.
#
# The second test runs traceroute from h1 to h2 and parses the output to check
# for a hop on r1.
#
# The third test sends a ping with a packet size of 1450 from h1 to h2 and
# parses the output of the command to check that a fragmentation error is
# received.
#
#
# Asymmetric routing topology
#
# This topology represents a customer setup where the issue with icmp errors
# and VRF route leaking was initially reported. The MTU test isn't done here
# because of the lack of a return route in the red VRF.
#
#                     blue         red
#                     .253 +----+ .253
#                     +----| r1 |----+
#                     |    +----+    |
# +----+              |              |              +----+
# | h1 |--------------+              +--------------| h2 |
# +----+ .1           |              |           .2 +----+
#         172.16.1/24 |    +----+    | 172.16.2/24
#    2001:db8:16:1/64 +----| r2 |----+ 2001:db8:16:2/64
#                     .254 +----+ .254
#
#
# Route from h1 to h2 goes through r1, incoming vrf blue has a route to the
# outgoing vrf red for the n2 network but red doesn't have a route back to n1.
# Route from h2 to h1 goes through r2.
#
# The objective is to check that the incoming vrf routing table is selected
# to send an ICMP error back to the source when the ttl of a packet reaches 1
# while it is forwarded between different vrfs.

# Runtime knobs; -v and -p in the option parser below switch these on.
VERBOSE=0
PAUSE_ON_FAIL=no
# Topology used when a test function is called without an explicit type
# ("sym" or "asym"); the *_asym wrappers pass "asym".
DEFAULT_TTYPE=sym

# n1: the h1 <-> r1/r2 network (blue side of r1)
H1_N1=172.16.1.0/24
H1_N1_6=2001:db8:16:1::/64

H1_N1_IP=172.16.1.1
R1_N1_IP=172.16.1.253
R2_N1_IP=172.16.1.254

H1_N1_IP6=2001:db8:16:1::1
R1_N1_IP6=2001:db8:16:1::253
R2_N1_IP6=2001:db8:16:1::254

# n2: the h2 <-> r1/r2 network (red side of r1)
H2_N2=172.16.2.0/24
H2_N2_6=2001:db8:16:2::/64

H2_N2_IP=172.16.2.2
R1_N2_IP=172.16.2.253
R2_N2_IP=172.16.2.254

H2_N2_IP6=2001:db8:16:2::2
R1_N2_IP6=2001:db8:16:2::253
R2_N2_IP6=2001:db8:16:2::254

################################################################################
# helpers

log_section()
{
	local banner='###########################################################################'

	# Frame the heading between two rules, padded with blank lines so each
	# test group stands out in the log.
	printf '\n%s\n' "${banner}"
	echo "$*"
	printf '%s\n\n' "${banner}"
}

log_test()
{
	local rc="$1"
	local expected="$2"
	local msg="$3"
	local answer

	# Record a test result and update the global counters (nsuccess, nfail)
	# and the overall exit status (ret).
	if ! [ "${rc}" -eq "${expected}" ]; then
		ret=1
		nfail=$((nfail+1))
		printf "TEST: %-60s  [FAIL]\n" "${msg}"
		# -p lets the operator inspect the namespaces before they are torn down.
		if [ "${PAUSE_ON_FAIL}" = "yes" ]; then
			echo
			echo "hit enter to continue, 'q' to quit"
			read -r answer
			[ "${answer}" = "q" ] && exit 1
		fi
		return
	fi

	printf "TEST: %-60s  [ OK ]\n" "${msg}"
	nsuccess=$((nsuccess+1))
}

run_cmd()
{
	local cmd="$*"
	local out
	local rc

	[ "$VERBOSE" = "1" ] && echo "COMMAND: $cmd"

	# The command string is assembled by this script from its own constants
	# and is eval'd as-is; nothing taken from outside the script may reach it.
	# stdout and stderr are captured together so -v shows both.
	# shellcheck disable=SC2086
	out=$(eval $cmd 2>&1)
	rc=$?

	if [ "$VERBOSE" = "1" ]; then
		[ -n "$out" ] && echo "$out"
		echo
	fi

	return $rc
}

run_cmd_grep()
{
	local grep_pattern="$1"
	shift
	local cmd="$*"
	local out
	local rc

	[ "$VERBOSE" = "1" ] && echo "COMMAND: $cmd"

	# Combined stdout+stderr is what gets matched below; ICMP errors are
	# reported by ping/traceroute on either stream.
	# shellcheck disable=SC2086
	out=$(eval $cmd 2>&1)
	if [ "$VERBOSE" = "1" ]; then
		[ -n "$out" ] && echo "$out"
	fi

	# Status reflects whether the pattern was found, not the command's own
	# exit code (ping exits non-zero when the ICMP error is received).
	echo "$out" | grep -q "$grep_pattern"
	rc=$?

	[ "$VERBOSE" = "1" ] && echo

	return $rc
}

################################################################################
# setup and teardown

cleanup()
{
	local -a nodes=(h1 h2 r1 r2)
	local ns

	# Best effort: namespaces that were never created make "ip netns del"
	# complain, which is silenced so cleanup can double as a pre-test reset.
	for ns in "${nodes[@]}"; do
		ip netns del "${ns}" 2>/dev/null
	done
}

setup_vrf()
{
	local ns="$1"
	local fam

	# For IPv4 and IPv6 alike: drop the pref-0 "local" lookup rule and
	# re-add it at a low preference so the VRF rules are consulted first.
	for fam in "" "-6"; do
		# shellcheck disable=SC2086 -- $fam is deliberately unquoted so the
		# empty IPv4 selector expands to no argument
		ip -netns "${ns}" $fam rule del pref 0
		ip -netns "${ns}" $fam rule add pref 32765 from all lookup local
	done
}

create_vrf()
{
	local ns="$1"
	local vrf="$2"
	local table="$3"
	local -a in_ns=(ip -netns "${ns}")

	# VRF device bound to its own routing table, with a low-preference
	# unreachable default in both families (the conventional guard against
	# lookups falling through to the default table).
	"${in_ns[@]}" link add "${vrf}" type vrf table "${table}"
	"${in_ns[@]}" link set "${vrf}" up
	"${in_ns[@]}" route add vrf "${vrf}" unreachable default metric 8192
	"${in_ns[@]}" -6 route add vrf "${vrf}" unreachable default metric 8192

	# Loopback addresses scoped to the VRF.
	"${in_ns[@]}" addr add 127.0.0.1/8 dev "${vrf}"
	"${in_ns[@]}" -6 addr add ::1 dev "${vrf}" nodad
}

setup_sym()
{
	local ns

	# Build the symmetric topology from the header: h1 -- r1 -- h2, with
	# r1 leaking routes both ways between its blue and red VRFs.

	# make sure we are starting with a clean slate
	cleanup

	#
	# create nodes as namespaces
	#
	for ns in h1 h2 r1; do
		ip netns add $ns
		ip -netns $ns link set lo up

		# hosts never forward; only the router does (both families)
		case "${ns}" in
		h[12]) ip netns exec $ns sysctl -q -w net.ipv6.conf.all.forwarding=0
		       ip netns exec $ns sysctl -q -w net.ipv6.conf.all.keep_addr_on_down=1
			;;
		r1)    ip netns exec $ns sysctl -q -w net.ipv4.ip_forward=1
		       ip netns exec $ns sysctl -q -w net.ipv6.conf.all.forwarding=1
		esac
	done

	#
	# create interconnects
	#
	# veth pairs are created in the host namespace and the peer end is
	# moved into r1 as eth0 (towards h1) and eth1 (towards h2)
	ip -netns h1 link add eth0 type veth peer name r1h1
	ip -netns h1 link set r1h1 netns r1 name eth0 up

	ip -netns h2 link add eth0 type veth peer name r1h2
	ip -netns h2 link set r1h2 netns r1 name eth1 up

	#
	# h1
	#
	ip -netns h1 addr add dev eth0 ${H1_N1_IP}/24
	ip -netns h1 -6 addr add dev eth0 ${H1_N1_IP6}/64 nodad
	ip -netns h1 link set eth0 up

	# h1 to h2 via r1
	ip -netns h1    route add ${H2_N2} via ${R1_N1_IP} dev eth0
	ip -netns h1 -6 route add ${H2_N2_6} via "${R1_N1_IP6}" dev eth0

	#
	# h2
	#
	ip -netns h2 addr add dev eth0 ${H2_N2_IP}/24
	ip -netns h2 -6 addr add dev eth0 ${H2_N2_IP6}/64 nodad
	ip -netns h2 link set eth0 up

	# h2 to h1 via r1
	ip -netns h2 route add default via ${R1_N2_IP} dev eth0
	ip -netns h2 -6 route add default via ${R1_N2_IP6} dev eth0

	#
	# r1
	#
	# lower the priority of the "local" table lookup (see setup_vrf) before
	# the VRFs exist, then bind eth0 to blue and eth1 to red
	setup_vrf r1
	create_vrf r1 blue 1101
	create_vrf r1 red 1102
	# red's MTU is the smaller one so the 1450-byte frag test hits it
	ip -netns r1 link set mtu 1400 dev eth1
	ip -netns r1 link set eth0 vrf blue up
	ip -netns r1 link set eth1 vrf red up
	ip -netns r1 addr add dev eth0 ${R1_N1_IP}/24
	ip -netns r1 -6 addr add dev eth0 ${R1_N1_IP6}/64 nodad
	ip -netns r1 addr add dev eth1 ${R1_N2_IP}/24
	ip -netns r1 -6 addr add dev eth1 ${R1_N2_IP6}/64 nodad

	# Route leak from blue to red
	ip -netns r1 route add vrf blue ${H2_N2} dev red
	ip -netns r1 -6 route add vrf blue ${H2_N2_6} dev red

	# Route leak from red to blue
	ip -netns r1 route add vrf red ${H1_N1} dev blue
	ip -netns r1 -6 route add vrf red ${H1_N1_6} dev blue


	# Wait for ip config to settle
	sleep 2
}

setup_asym()
{
	local ns

	# Build the asymmetric topology from the header: h1 and h2 each bridge
	# two links, forward traffic goes via r1 (blue -> red leak only) and
	# return traffic via r2, which has no VRFs.

	# make sure we are starting with a clean slate
	cleanup

	#
	# create nodes as namespaces
	#
	for ns in h1 h2 r1 r2; do
		ip netns add $ns
		ip -netns $ns link set lo up

		# hosts never forward; both routers do (both families)
		case "${ns}" in
		h[12]) ip netns exec $ns sysctl -q -w net.ipv6.conf.all.forwarding=0
		       ip netns exec $ns sysctl -q -w net.ipv6.conf.all.keep_addr_on_down=1
			;;
		r[12]) ip netns exec $ns sysctl -q -w net.ipv4.ip_forward=1
		       ip netns exec $ns sysctl -q -w net.ipv6.conf.all.forwarding=1
		esac
	done

	#
	# create interconnects
	#
	# each host gets one veth to r1 (eth0) and one to r2 (eth1); the router
	# ends are renamed eth0 (h1 side) and eth1 (h2 side)
	ip -netns h1 link add eth0 type veth peer name r1h1
	ip -netns h1 link set r1h1 netns r1 name eth0 up

	ip -netns h1 link add eth1 type veth peer name r2h1
	ip -netns h1 link set r2h1 netns r2 name eth0 up

	ip -netns h2 link add eth0 type veth peer name r1h2
	ip -netns h2 link set r1h2 netns r1 name eth1 up

	ip -netns h2 link add eth1 type veth peer name r2h2
	ip -netns h2 link set r2h2 netns r2 name eth1 up

	#
	# h1
	#
	# both uplinks sit on one bridge so a single address reaches r1 and r2
	ip -netns h1 link add br0 type bridge
	ip -netns h1 link set br0 up
	ip -netns h1 addr add dev br0 ${H1_N1_IP}/24
	ip -netns h1 -6 addr add dev br0 ${H1_N1_IP6}/64 nodad
	ip -netns h1 link set eth0 master br0 up
	ip -netns h1 link set eth1 master br0 up

	# h1 to h2 via r1
	ip -netns h1    route add ${H2_N2} via ${R1_N1_IP} dev br0
	ip -netns h1 -6 route add ${H2_N2_6} via "${R1_N1_IP6}" dev br0

	#
	# h2
	#
	ip -netns h2 link add br0 type bridge
	ip -netns h2 link set br0 up
	ip -netns h2 addr add dev br0 ${H2_N2_IP}/24
	ip -netns h2 -6 addr add dev br0 ${H2_N2_IP6}/64 nodad
	ip -netns h2 link set eth0 master br0 up
	ip -netns h2 link set eth1 master br0 up

	# h2 to h1 via r2
	ip -netns h2 route add default via ${R2_N2_IP} dev br0
	ip -netns h2 -6 route add default via ${R2_N2_IP6} dev br0

	#
	# r1
	#
	# same VRF layout as the symmetric case (see setup_vrf / create_vrf)
	setup_vrf r1
	create_vrf r1 blue 1101
	create_vrf r1 red 1102
	ip -netns r1 link set mtu 1400 dev eth1
	ip -netns r1 link set eth0 vrf blue up
	ip -netns r1 link set eth1 vrf red up
	ip -netns r1 addr add dev eth0 ${R1_N1_IP}/24
	ip -netns r1 -6 addr add dev eth0 ${R1_N1_IP6}/64 nodad
	ip -netns r1 addr add dev eth1 ${R1_N2_IP}/24
	ip -netns r1 -6 addr add dev eth1 ${R1_N2_IP6}/64 nodad

	# Route leak from blue to red
	ip -netns r1 route add vrf blue ${H2_N2} dev red
	ip -netns r1 -6 route add vrf blue ${H2_N2_6} dev red

	# No route leak from red to blue
	# (this is what forces ICMP errors for h1-bound traffic to be routed
	# via the incoming VRF's table; see the header)

	#
	# r2
	#
	# plain router, no VRFs; carries only the h2 -> h1 direction
	ip -netns r2 addr add dev eth0 ${R2_N1_IP}/24
	ip -netns r2 -6 addr add dev eth0 ${R2_N1_IP6}/64 nodad
	ip -netns r2 addr add dev eth1 ${R2_N2_IP}/24
	ip -netns r2 -6 addr add dev eth1 ${R2_N2_IP6}/64 nodad

	# Wait for ip config to settle
	sleep 2
}

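check_connectivity()
{
	local rc

	# One IPv4 ping from h1 to h2 with a 1s deadline; only the status matters.
	ip netns exec h1 ping -c1 -w1 "${H2_N2_IP}" >/dev/null 2>&1
	rc=$?
	log_test $rc 0 "Basic IPv4 connectivity"

	# Propagate the ping status, not log_test's: log_test returns 0 even
	# when it logs a failure, so "check_connectivity || return" in the
	# callers only short-circuits if the ping result itself comes back.
	return $rc
}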

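check_connectivity6()
{
	local rc

	# One IPv6 ping from h1 to h2 with a 1s deadline; ${ping6} is resolved
	# in main (ping6 if present, else a dual-stack ping).
	ip netns exec h1 "${ping6}" -c1 -w1 "${H2_N2_IP6}" >/dev/null 2>&1
	rc=$?
	log_test $rc 0 "Basic IPv6 connectivity"

	# Propagate the ping status, not log_test's: log_test returns 0 even
	# when it logs a failure, so "check_connectivity6 || return" in the
	# callers only short-circuits if the ping result itself comes back.
	return $rc
}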

check_traceroute()
{
	local bin
	bin=$(command -v traceroute)

	# An executable traceroute is required; otherwise print a SKIP line and
	# return non-zero so the caller bails out without logging a failure.
	[ -x "${bin}" ] && return 0

	echo "SKIP: Could not run IPV4 test without traceroute"
	return 1
}

check_traceroute6()
{
	local bin
	bin=$(command -v traceroute6)

	# An executable traceroute6 is required; otherwise print a SKIP line and
	# return non-zero so the caller bails out without logging a failure.
	[ -x "${bin}" ] && return 0

	echo "SKIP: Could not run IPV6 test without traceroute6"
	return 1
}

ipv4_traceroute()
{
	# ttype selects setup_sym or setup_asym; it comes from the *_asym
	# wrappers or defaults, never from the command line.
	local ttype="${1:-$DEFAULT_TTYPE}"

	log_section "IPv4 ($ttype route): VRF ICMP error route lookup traceroute"

	# SKIP rather than FAIL when the tool is missing.
	check_traceroute || return

	setup_"$ttype"

	check_connectivity || return

	# The hop that must show up is r1's address on the blue (h1) side.
	run_cmd_grep "${R1_N1_IP}" ip netns exec h1 traceroute "${H2_N2_IP}"
	log_test $? 0 "Traceroute reports a hop on r1"
}

ipv4_traceroute_asym()
{
	# Asymmetric-topology variant, named so it can be listed in TESTS.
	local ttype=asym

	ipv4_traceroute "${ttype}"
}

ipv6_traceroute()
{
	# ttype selects setup_sym or setup_asym; it comes from the *_asym
	# wrappers or defaults, never from the command line.
	local ttype="${1:-$DEFAULT_TTYPE}"

	log_section "IPv6 ($ttype route): VRF ICMP error route lookup traceroute"

	# SKIP rather than FAIL when the tool is missing.
	check_traceroute6 || return

	setup_"$ttype"

	check_connectivity6 || return

	# The hop that must show up is r1's address on the blue (h1) side.
	run_cmd_grep "${R1_N1_IP6}" ip netns exec h1 traceroute6 "${H2_N2_IP6}"
	log_test $? 0 "Traceroute6 reports a hop on r1"
}

ipv6_traceroute_asym()
{
	# Asymmetric-topology variant, named so it can be listed in TESTS.
	local ttype=asym

	ipv6_traceroute "${ttype}"
}

ipv4_ping_ttl()
{
	# ttype selects setup_sym or setup_asym; it comes from the *_asym
	# wrappers or defaults, never from the command line.
	local ttype="${1:-$DEFAULT_TTYPE}"

	log_section "IPv4 ($ttype route): VRF ICMP ttl error route lookup ping"

	setup_"$ttype"

	check_connectivity || return

	# TTL 1 expires on r1; the ICMP error must come back to h1 even though
	# it is generated while the packet is being leaked between VRFs.
	run_cmd_grep "Time to live exceeded" ip netns exec h1 ping -t1 -c1 -W2 "${H2_N2_IP}"
	log_test $? 0 "Ping received ICMP ttl exceeded"
}

ipv4_ping_ttl_asym()
{
	# Asymmetric-topology variant, named so it can be listed in TESTS.
	local ttype=asym

	ipv4_ping_ttl "${ttype}"
}

ipv4_ping_frag()
{
	# ttype selects setup_sym or setup_asym; it comes from the *_asym
	# wrappers or defaults, never from the command line.
	local ttype="${1:-$DEFAULT_TTYPE}"

	log_section "IPv4 ($ttype route): VRF ICMP fragmentation error route lookup ping"

	setup_"$ttype"

	check_connectivity || return

	# 1450-byte payload with DF set exceeds red's 1400 MTU on r1, so an
	# ICMP "fragmentation needed" must be routed back to h1.
	run_cmd_grep "Frag needed" ip netns exec h1 ping -s 1450 -Mdo -c1 -W2 "${H2_N2_IP}"
	log_test $? 0 "Ping received ICMP Frag needed"
}

ipv4_ping_frag_asym()
{
	# Asymmetric-topology variant, named so it can be listed in TESTS.
	local ttype=asym

	ipv4_ping_frag "${ttype}"
}

ipv6_ping_ttl()
{
	# ttype selects setup_sym or setup_asym; it comes from the *_asym
	# wrappers or defaults, never from the command line.
	local ttype="${1:-$DEFAULT_TTYPE}"

	log_section "IPv6 ($ttype route): VRF ICMP ttl error route lookup ping"

	setup_"$ttype"

	check_connectivity6 || return

	# Hop limit 1 expires on r1; the ICMPv6 error must come back to h1 even
	# though it is generated while the packet is being leaked between VRFs.
	run_cmd_grep "Time exceeded: Hop limit" ip netns exec h1 "${ping6}" -t1 -c1 -W2 "${H2_N2_IP6}"
	log_test $? 0 "Ping received ICMP Hop limit"
}

ipv6_ping_ttl_asym()
{
	# Asymmetric-topology variant, named so it can be listed in TESTS.
	local ttype=asym

	ipv6_ping_ttl "${ttype}"
}

ipv6_ping_frag()
{
	# ttype selects setup_sym or setup_asym; it comes from the *_asym
	# wrappers or defaults, never from the command line.
	local ttype="${1:-$DEFAULT_TTYPE}"

	log_section "IPv6 ($ttype route): VRF ICMP fragmentation error route lookup ping"

	setup_"$ttype"

	check_connectivity6 || return

	# 1450-byte payload with DF set exceeds red's 1400 MTU on r1, so an
	# ICMPv6 "packet too big" must be routed back to h1.
	run_cmd_grep "Packet too big" ip netns exec h1 "${ping6}" -s 1450 -Mdo -c1 -W2 "${H2_N2_IP6}"
	log_test $? 0 "Ping received ICMP Packet too big"
}

ipv6_ping_frag_asym()
{
	# Asymmetric-topology variant, named so it can be listed in TESTS.
	local ttype=asym

	ipv6_ping_frag "${ttype}"
}

################################################################################
# usage

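usage()
{
	# Keep in step with the getopts string in main (:46t:pvh). The option
	# lines are all tab-indented; -t was previously space-indented and -h
	# was missing from the list.
	cat <<EOF
usage: ${0##*/} OPTS

	-4          Run IPv4 tests only
	-6          Run IPv6 tests only
	-t TEST     Run only TEST
	-p          Pause on fail
	-v          verbose mode (show commands and output)
	-h          Show this help
EOF
}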

################################################################################
# main

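# Some systems don't have a ping6 binary anymore; fall back to a dual-stack
# ping, which accepts the same -t/-s/-M/-c/-W flags used below.
if command -v ping6 > /dev/null 2>&1; then
	ping6=$(command -v ping6)
else
	ping6=$(command -v ping)
fi

TESTS_IPV4="ipv4_ping_ttl ipv4_traceroute ipv4_ping_frag ipv4_ping_ttl_asym ipv4_traceroute_asym"
TESTS_IPV6="ipv6_ping_ttl ipv6_traceroute ipv6_ping_frag ipv6_ping_ttl_asym ipv6_traceroute_asym"

# Overall exit status and counters, updated by log_test.
ret=0
nsuccess=0
nfail=0

while getopts :46t:pvh o
do
	case $o in
		4) TESTS=ipv4;;
		6) TESTS=ipv6;;
		t) TESTS=$OPTARG;;
		p) PAUSE_ON_FAIL=yes;;
		v) VERBOSE=1;;
		h) usage; exit 0;;
		*) usage; exit 1;;
	esac
done

#
# show user test config
#
if [ -z "$TESTS" ]; then
	TESTS="$TESTS_IPV4 $TESTS_IPV6"
elif [ "$TESTS" = "ipv4" ]; then
	TESTS="$TESTS_IPV4"
elif [ "$TESTS" = "ipv6" ]; then
	TESTS="$TESTS_IPV6"
fi

# ";;&" keeps matching after an arm runs, so the aliases "ping" and
# "traceroute" fan out to every test of that kind. A -t value that matches
# no arm runs nothing and the run ends with 0 passed / 0 failed.
for t in $TESTS
do
	case $t in
	ipv4_ping_ttl|ping)              ipv4_ping_ttl;;&
	ipv4_ping_ttl_asym|ping)         ipv4_ping_ttl_asym;;&
	ipv4_traceroute|traceroute)      ipv4_traceroute;;&
	ipv4_traceroute_asym|traceroute) ipv4_traceroute_asym;;&
	ipv4_ping_frag|ping)             ipv4_ping_frag;;&

	ipv6_ping_ttl|ping)              ipv6_ping_ttl;;&
	ipv6_ping_ttl_asym|ping)         ipv6_ping_ttl_asym;;&
	ipv6_traceroute|traceroute)      ipv6_traceroute;;&
	ipv6_traceroute_asym|traceroute) ipv6_traceroute_asym;;&
	ipv6_ping_frag|ping)             ipv6_ping_frag;;&

	# setup namespaces and config, but do not run any tests
	setup_sym|setup)                 setup_sym; exit 0;;
	setup_asym)                      setup_asym; exit 0;;

	# list the real test names: when reached via "-t help", $TESTS is
	# just the word "help", so print the full lists instead
	help)                       echo "Test names: $TESTS_IPV4 $TESTS_IPV6"; exit 0;;
	esac
done

cleanup

printf "\nTests passed: %3d\n" "${nsuccess}"
printf "Tests failed: %3d\n"   "${nfail}"

exit $ret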